PROFIBUS-DP/PA
ProfiSafe, Profile for Failsafe Technology, V1.0

ProfiSafe

Document No. 740257

Members of the working group (phone):

Eric Dönges TU München 089-289-23590

Uwe Gräff Festo AG 0711-347-4184

Heinz-Theo Hannen Hima GmbH & Co. KG 06202-709-286

Torsten Kühn Klöckner Moeller GmbH 0228-602-1811

Gerd Lausberg Schmersal GmbH & Co. 0202-6474-250

Dr. Thomas Laux Wago Kontakttechnik GmbH 0571-887-464/345

Dr. Wolfgang Stripf Siemens AG 0721-595-3046

Working group chairman:

Herbert Barthel Siemens AG 0911-895-3677

PROFIBUS-ProfiSafe-Profile for Failsafe Technology Version 1.00, 30-Mar-1999, 6:00 pm

Copyright PNO 1999 – All Rights Reserved

ProfiSafe-Profil-100e.doc

Contents

1 MOTIVATION
1.1 TERMINOLOGY

2 INTRODUCTION
2.1 POSSIBLE APPLICATION AREAS OF THE SAFETY PROFILE
2.2 REQUIREMENTS PLACED UPON THE SAFETY PROFILE
2.3 PRINCIPLE OF SAFE COMMUNICATIONS (GRAY CHANNEL)
2.4 THE SAFETY PROFILE
2.5 APPLICATION

3 BASICS OF THE SAFETY PROFILE
3.1 SYSTEM CHARACTERISTICS
3.2 MASTER-SLAVE OPERATION IN PROFIBUS-DP
3.3 BUS STRUCTURES
3.4 DELIMITATION OF THE BUS COMPONENTS
3.5 DELIMITATION OF THE COMMUNICATION FUNCTIONS
3.6 RISK CONSIDERATION
3.7 RELEVANT STANDARDS AND DIRECTIVES
3.8 ERROR CASES THAT SHALL BE MASTERED

4 FUNCTIONAL PRINCIPLE OF SAFE COMMUNICATION
4.1 F MESSAGE STRUCTURE
4.1.1 F Process Data
4.1.2 Status/Control Byte
4.1.3 Consecutive Number
4.1.4 CRC Signature
4.1.5 Appended Standard User Data
4.2 REGULAR F COMMUNICATION
4.2.1 Operational Behavior of F Host and F Slave
4.2.2 State Diagrams
4.3 REACTION IN THE EVENT OF A MALFUNCTION
4.3.1 Repetition
4.3.2 Loss
4.3.3 Insertion
4.3.4 Incorrect Sequence
4.3.5 Corruption of F Message Data
4.3.6 Delay
4.3.7 Interconnecting Safety-Relevant and Standard Messages (Masquerade)
4.4 F PARAMETER STRUCTURE
4.4.1 F_Device (ProfiSafe Participant)
4.4.2 F_Source/Destination_Address (Codename, Password)
4.4.3 F_WD_Time (F Watchdog Time)
4.4.4 F_Prm_Flag (Parameters for the Profile Management)
4.4.5 F_Check_SeqNr (Consecutive Number in the CRC2)
4.4.6 F_Check_iPar (CRC1 including i-Parameters)
4.4.7 F_SIL (SIL Stage)
4.4.8 F_CRC_Length (Length of the CRC2 Key)
4.4.9 F_Par_CRC (CRC1 across F-Parameters)
4.4.10 Structure of the F Parameter Block (Prm telegram)
4.4.11 F Data Fraction
4.4.12 i-Parameter (individual F-Device Parameters)
4.5 F-PARAMETRIZATION
4.5.1 F-Parametrization Tools
4.5.2 GSD Structure
4.5.3 F-Parameter Assignment Paths


4.6 F-STARTUP COORDINATION
4.6.1 Standard Startup (F Slave State Machine)
4.6.2 Parameter Assignment Deblocking
4.6.3 Interaction Diagrams for Parameter Assignments
4.7 SAFE ALARM GENERATION
4.8 DIAGNOSIS
4.9 F MODULE COMMISSIONING / REPAIR BEHAVIOR
4.10 REACTION TIMES
4.11 PROBABILISTIC CONSIDERATIONS
4.11.1 Calculations
4.11.2 Operational Reliability of the Standard Profibus Components
4.11.3 Practical Bit Error Rates of the Profibus

5 USING THE PROFIBUS STANDARD
5.1 PROFIBUS LAYERS 1 AND 2
5.2 PROFIBUS DP
5.3 DEFINITION OF THE "GRAY" CHANNEL
5.4 STANDARD EMC REQUIREMENTS OF THE PROFIBUS
5.4.1 CE Mark
5.4.2 Noise Emission
5.4.3 Noise Immunity
5.4.4 On Long Signal Cables >10m
5.4.5 Static Discharge
5.4.6 High-Frequency Irradiation
5.4.7 HF-Induced Current on Cables and Cable Shields
5.4.8 Power Supply
5.4.9 Voltage Dips
5.4.10 Voltage Interruption
5.4.11 Definition of the Malfunction
5.5 STANDARD INSTALLATION GUIDELINES FOR PROFIBUS

6 APPENDIX
6.1 MEASURES AGAINST FAILURES BEFORE CRC2 CALCULATIONS
6.2 CRC CALCULATION
6.3 SAMPLE GSD FILE FOR A MODULAR F SLAVE
6.4 APPLICABLE DOCUMENTS
6.5 ABBREVIATIONS

Figure 2-1 F layer architecture
Figure 2-2 Message model for safety-relevant data
Figure 3-1 Typical system configuration
Figure 3-2 Bus structure
Figure 3-3 Entire safety function
Figure 3-4 Risk consideration according to IEC 61508
Figure 3-5 Profibus-DP, proportional risk
Figure 4-1 Error mastering measures
Figure 4-2 DP frame structure (Process Data)
Figure 4-3 Complete F message structure
Figure 4-4 Modular slave with two F modules
Figure 4-5 Embedding the F I/O data of compact and modular slaves
Figure 4-6 Status byte
Figure 4-7 Control byte
Figure 4-8 Consecutive number function
Figure 4-9 CRC generation


Figure 4-10 F communication structure
Figure 4-11 F User Interfaces of F driver instances
Figure 4-12 Monitoring the message transit time F-CPU ↔ F output
Figure 4-13 Monitoring the message transit time F input ↔ F-CPU
Figure 4-14 Interaction F host / F slave during start-up
Figure 4-15 Interaction F host / F slave during Host Power Off → On
Figure 4-16 Interaction F host / F slave with delayed Power On
Figure 4-17 Interaction F host / F slave during Slave Power Off → On
Figure 4-18 F host states during interactions with the F slave
Figure 4-19 F output (input) slave states
Figure 4-20 Interaction F host / F slave while host recognizes CRC failure
Figure 4-21 Interaction F host / F slave while slave recognizes CRC failure
Figure 4-22 F parameter data and CRC
Figure 4-23 F_Prm telegram
Figure 4-24 Safety of individual device parameters
Figure 4-25 Dynamic i-parameter sets
Figure 4-26 Standard device parameter in Profibus
Figure 4-27 F-parameter assignment for simple F slaves
Figure 4-28 F-parameter assignment for complex F slaves
Figure 4-29 Startup coordination with F parameters
Figure 4-30 Parameter assignment deblocking by the F host
Figure 4-31 Assigning "static" i-parameter from F host
Figure 4-32 Assigning "dynamic" i-parameter from operator level
Figure 4-33 Reaction times
Figure 4-34 Residual error rates
Figure 4-35 Monitoring of corrupted messages
Figure 6-1 Typical procedure of a cyclic redundancy check
Figure 6-2 Using a CRC table for generating the signature


1 Motivation

The PROFIBUS field bus standard, EN 50170 [8], which is the successor of the national DIN 19245 standard, [1] through [3], covers a wide range of communications applications in the automation hierarchy:

From I&C via control down to field level.

By simplification and restriction to the two lowest layers of the ISO/OSI model, the specific requirements of industrial communications (such as short messages, determinism, and high performance) were taken into account. The Profibus version for distributed I/O has gained particular importance in this context. Using a hybrid access procedure of master/slave and/or token principles, the base Profibus functions are employed here for the cyclic data exchange between peripherals and processing units.

While automation solutions with distributed I/O gained wide acceptance through Profibus DP, failsafe applications were still relying on a second layer of conventional electrical techniques or special busses, thus limiting seamless engineering and interoperability. Additionally, modern failsafe devices could not be used to their full potential due to missing system support. It is the purpose of these Profibus directives to provide the corresponding enabling technologies.

The specific utilization of the communication functions by specific groups of participants is called a profile. A profile is a set of rules and definitions that are valid within a user or a field device group. The DP Safety Profile, in short ProfiSafe, describes the communications between failsafe peripherals and failsafe controllers. It is based on the requirements of the standards for safety-oriented applications and the experience of the PLC user and PLC manufacturer community. The DP Safety Profile is to be certified by TÜV and BIA (Institute for labor safety of the mutual indemnity association). Since the PA variant of the Profibus DP merely defines a different transmission technique, while the higher protocol layers are identical, the DP Safety Profile also applies to the Profibus PA.

The working group for producing this DP Safety Profile was founded by the PNO advisory board (PNO = PROFIBUS user organization e.V.). The DP Safety Profile is published as a suggestion for a PNO Directive. It is restricted exclusively to the description of the mechanisms that are required for safe communication, and their parameter assignments. The additional measures that are required in the terminal equipment (host/PLC or field device) to make it safe are not described here because they are irrelevant to "open" safe communications. Although the measures for a safe connection of the AS-I bus are discussed in the working group, they will not be described in this profile.

In the following text, the terms "safety-oriented", "safety-relevant" and "failsafe" are used interchangeably and abbreviated by the letter "F".

Chapters 1 through 3 give a general introduction to the requirements and basics of safe communications that are relevant to this profile. Chapter 4 discusses the solution principles in detail. Chapter 5 describes the valid Profibus boundary conditions. The calculations and sources used for deriving the profile are specified in Chapter 6.

1.1 Terminology

Bit information: Encoded binary information without a technical unit.

Codename for sender and recipient: This code is usually an unambiguous source-destination parameter within the address space of an F communication device that is used as a "password" between the F communication partners.

Configuration: Defining the standard communication between the units and defining the specific device parameters.

Configuration (FailSafe): Defining the F-communication between the F-units and defining the specific F-device parameters.

Consecutive number: Consecutive count that is transferred from the sender to the recipient, where it is monitored with respect to the sequence (increment 1) and the interval to the next value. Also known as heartbeat.

Control bits: Bits that are used for triggering control functions, in contrast to bits that represent a data item (such as a numeric value).

Cycle: Interval at which a list of instructions is repetitively and continuously executed.

Driver: Software module used for abstracting the hardware with respect to the remaining software.

EMC: Electromagnetic compatibility: electromagnetic "worst case" boundary conditions for the normal utilization of the ProfiSafe profile. See Profibus standards.

Encapsulated (closed) system: Conducted electrical or optical message transfer, radio, infrared, but without public data transmission and with the following characteristics:
- authorized access only
- known maximum number of communicating partners ("F" and standard)
- transmission medium is known and well defined

Error: Errors are static conditions that exist throughout the product lifecycle, and are inherent characteristics of the system.

Failsafe (F-...): Ability of a system to prevent hazards by adequate technical or organizational measures, either deterministically or by reducing the risk to a tolerable level.

Failsafe values: If the system is triggered to a failsafe state, it uses failsafe values instead of process data.

F-Driver: Software that administers safe messages within F-Hosts and F-Slaves according to the ProfiSafe directives.

Failure (states): The nonperformance of a system to achieve its intended function within its performance constraints. Failures are events that occur at some point in time, leading to a failed condition (state).

Fault: A fault is an unsatisfactory system condition. Thus, failure states and errors are different kinds of faults.

Fault reaction: Fault reaction basically means indicating a communication malfunction by setting the fault bits in the status byte and
- within F-Output: shutting down the outputs, and/or automatic safe reaction of the actuator unit.
- within F-CPU: corresponding user program reaction possible; F-I/O data are set to default values.
- within F-Input: sets only fault bits in the F status byte; F-I/O data are set to default values.

Frame (Telegram): Data unit that is transported on layer 2 of the ISO/OSI model [9].

Function block: Self-contained program part that possesses a specific functionality.

"gray channel": Single-channel standard Profibus communication facility that is used by the ProfiSafe failsafe profile (F-Driver).

Hazard: A state or set of conditions of a system that, together with other conditions in the environment of the system, will inevitably lead to an accident.

Host: Information processing unit that is able to perform the F profile mechanisms, and services the "gray" channel. This is usually a PLC or an IPC with an adequate operating system.

i-parameter: Individual F device parameters, e.g. detection zone coordinates of a laser scanner.

I/O module: Addressable sub I/O unit in a DP slave.


Master: Active communication partner that triggers the slave for information exchange.

Message (packet or TPDU): Since the higher layers (>2) of the ISO/OSI model are missing in Profibus, the process data including safety and control information within a frame corresponds to the transported message [9].

PES: Programmable electronic safety-related system.

Process data: Here: the data in a message that is required for process control.

Profile: Specific utilization of the communication functions by specific user groups.

Reaction time: The time between the "electrical" recognition of an emergency request and the "electrical" initiation of a safety reaction. The response time consists of several time segments, including the bus transfer time.

Reliability: Reliability can be specified as the mean number of failures in a given time (failure rate λ), or as the mean time between failures (MTBF) for items which are repairable, or as the mean time to failure (MTTF) for items which are not repairable. For repairable items, it is often assumed that failures occur at a constant rate, in which case the failure rate λ = 1/MTBF. The reliability of components is usually measured in FIT (= one failure in 10^9 device-hours) during the operating stage after the infant mortality stage and before the wear-out stage ("bathtub" curve).

Risk: A combination of the likelihood of an accident and the severity of the potential consequences.

Scan rate: Time between any two read processes on input signals.

Shared I/O: Several Hosts/PLCs access the same inputs and outputs. Common utilization of inputs is less problematic than sharing outputs.

Slave: Passive communication partner that is usually triggered by the master for exchanging information.


2 Introduction

2.1 Possible Application Areas of the Safety Profile

• Manufacturing industry
• rapid protection of personnel and machines, such as
  • emergency stop functions
  • light gates
  • guard doors
  • scanners
  • drives with integrated safety
• Process industry
• Fuel engineering
• Public transport, such as cable railways

2.2 Requirements Placed Upon the Safety Profile

• Independence between safety-relevant communication and standard communication. Using standard devices and "safe devices" on the same DP system shall be possible.

• Suitable for safety level SIL3 (IEC 61508), AK6 (DIN V 19250), control category 4 (EN 954-1).

• Satisfying the safety requirements in a single-channel communication system; redundancy serves only to increase reliability, not to reach the safety level.

• Any DP master or "links" can be used.

• DP masters, ASICs, links, couplers, ... shall remain unmodified ("gray channel"); the safety functions are therefore placed above OSI layer 7 as a profile, with no changes or enhancements to the DP protocol.

• Environmental conditions according to Profibus requirements.

• The implementation of the safe transmission function shall be restricted to the communication end devices (CPU / host, slave and/or I/O module).

• The safety profile shall not reduce the permitted number of devices (restrictions may occur during mapping in the case of PA).

• There is always a 1:1 communication relationship between the F devices.

• The transmission duration times shall be monitored.

2.3 Principle of Safe Communications (Gray Channel)

ProfiSafe's approach to safe communication is based on the experience made in railway signaling technique as laid down in the European standard prEN 50159-1 "Railway Applications: Requirements for Safety-Related Communication in Closed Transmission Systems" [5]. On this basis, safe communication is performed by

• a standard transmission system (here: Profibus-DP)
• and additional safety transmission functions as a profile on top of this standard transmission system.

The standard transmission system includes the entire hardware of the transmission system and the related protocol functions (i.e. OSI layers 1, 2 and 7 according to Figure 2-1).

Safety applications and standard applications share the same standard Profibus-DP communication system at the same time.

The safe transmission function comprises all measures needed to deterministically discover all possible faults/hazards that could be introduced by the standard transmission system, or to keep the residual error (fault) probability under a certain limit. This includes
• random malfunctions, e.g. due to EMI impact on the transmission channel
• failures/faults of the standard hardware
• systematic malfunctions of components within the standard hardware and software


[Figure 2-1 (image): layer architecture. Standard input/output and standard logic operation on one side; safety input, safety logic operation and safety output, each above a safety layer, on the other. All of them communicate through OSI layers 1, 2 and 7 of the standard transmission system. Labels: "Gray Channel": ASICs, wires, links, etc. are not safety relevant components. ProfiSafe: the safety relevant Profibus profile comprises addressing, watch-dog timing, sequencing, signatures, etc. The safe I/O and safe logic controller functions are safety relevant but not part of the ProfiSafe profile. Not safety related functions, e.g. diagnostics, run alongside.]

Figure 2-1 F layer architecture

This principle delimits the certification effort to the "safe transmission functions". The "standard transmission system" does not need any additional certification.

Transmission is performed via electrical or optical conductors. Permissible topologies and transmission features of the standard transmission system, and the components of the "gray" channel, are described in Chapter 5.3.

2.4 The Safety Profile

Figure 2-2 shows the model of the complete message structure on the transmission medium [5]. The F profile is "embedded" in the DP transmission protocol (layer 7) and in the transmission code (layer 2), and defines the layers "safety procedures" and "safety code".

[Figure 2-2 (image): nested message model. Innermost: user data of the safety process. Around it the F profile, consisting of the safety code (e.g. CRC) and the safety procedures (e.g. source identifier). Around that the transmission protocol (Profibus) and, outermost, the transmission code (message).]

Figure 2-2 Message model for safety-relevant data


2.5 Application

Host – field device            The F profile describes the F communication between safety-oriented units via PROFIBUS-DP/PA. The method described in this profile permits a "safe" field device to cyclically exchange safety-relevant data with a "safe" CPU (host).

Host – host                    Not included in the first version of this profile description.

Field device – field device    The ProfiSafe principle will cover this operational mode (cross communication) also. There will be small extensions, e.g. additional process data within an acknowledgment message. The details are not included in the first version of this profile description.

Failsafe shared inputs         Multi-master operation of safe CPUs/hosts with safe I/O is permitted; "failsafe shared inputs" are not (not included in the first version of this profile).

Dynamic configuration          In particular in the field of robots, there may be two or more automation subunits that are only activated when they are "docked". This is also possible in the safety field.

Other safe buses               Exchanging safe information with other "safe" bus systems is possible if a corresponding F gateway behaves like a safe Profibus slave.

EMC field                      Same as standard Profibus.


3 Basics of the Safety Profile

3.1 System Characteristics

[Figure 3-1 (image): typical system configuration on one Profibus-DP with segments A and B joined by a repeater. Participants: a monitoring device (DP master class 2), an F-host/F-PLC (DP master class 1), a standard host/PLC (DP master class 1), F-I/O (DP slave), an F-device (DP slave), standard I/O (DP slaves), a DP/PA coupler to an F field device (PA slave), and an F gateway to other safe bus systems. Labels: failsafe and standard users are sharing the same bus; master-slave mapping.]

Figure 3-1 Typical system configuration

The system configuration shown in the figure above characterizes a typical structure of interconnected hosts/PCs, safety-oriented hosts/PLCs, distributed I/Os, field devices, safety-oriented field devices and monitoring units on the Profibus-DP/PA. In this structure (blue dotted line in Figure 3-1), a safety-oriented host/PLC controls, via the Profibus-DP master, several subordinate safety-oriented and non-safety-oriented Profibus-DP slave units/modules. The encapsulated (closed) transmission system may extend across several segments that are interconnected via repeaters. The connection to other safe bus systems via F gateways is not discussed in this Profibus profile description.

3.2 Master-Slave Operation in PROFIBUS-DP

The PLC/IPC is the host in a PROFIBUS-DP system. The related DP master is a stand-alone module or a subunit of the host. The I/O stations are slaves. The master (PLC) addresses each slave (I/O module) once per DP cycle. In this process, a fixed number of output bytes is sent to the slave, and a fixed number of input bytes is read from the slave, respectively.

3.3 Bus Structures

In contrast to the typical system configuration, Figure 3-2 shows the possible bus structure (i.e. how far the F profile extends into the individual units). A standard DP slave, for example, can accommodate a safe F module for the connection of an emergency stop pushbutton. Multi-master operation of safe hosts is permitted; "failsafe shared inputs" (not included in the first version of this profile) are not. A mix of F host and standard host is possible.


[Figure 3-2 (image): bus structure. A safety CPU (plus an optional second safety CPU), each with its DP master, on the DP bus, which is labelled "DP: encapsulated (closed) transmission system acc. EN 50159-1". A PG/ES (programming/engineering station) reaches the bus via TCP/IP only through secure access, e.g. a firewall. Slaves: an F-DP slave, a standard DP slave carrying an F module, and a DP/PA link or coupler to a PA segment with an F-PA field device.]

Figure 3-2 Bus structure

It is within the user's responsibility to employ adequate organizational and/or technical measures (e.g. call-back, firewall, etc.) to ensure that unauthorized access from the connected programming and/or engineering stations cannot jeopardize safe operation. These devices are not usually participants in a safe operation.

3.4 Delimitation of the Bus Components

The entire safety function shall be considered for the acceptance of the system.

[Figure 3-3 (image): inspection of the complete safety function of a control loop according to IEC 61508: sensor, binary/analog input, safe transmission, logical operation, safe transmission, binary output, actuator. The whole path is safety relevant: scan safe information, process safe information, initiate safe reaction.]

Figure 3-3 Entire safety function

The units "safety-oriented input", "safety-oriented logic processing", and "safety-oriented output" are not included in the discussion of the F profile.


We only define the measures that implement the F communication in the individual communication end points.

The F profile ensures the protection of the data between the peripheral F modules and/or safe directly connected sensors/actuators/F-PA units and the F-CPU. There are no additional requirements placed upon the components DP master, DP slave, PA master, DP/PA link. They belong to the "gray channel".

This means:
a) not safety-relevant are: ASICs, bus drivers, lines, repeaters, links, and the slave interface of modular slaves (see definition "gray channel").
b) safety-relevant are: safety profile, F watchdog functions, F addressing, F parameters, peripheral F modules, and/or safe field devices.

3.5 Delimitation of the Communication Functions

The F profile only supports the cyclic service (DP).

Acyclic services are used for communicating non-safety-relevant data. Parts of the slave parametrization are safety-relevant, and are protected via the cyclic service.

3.6 Risk Consideration

[Figure 3-4 (image, from IEC 61508): a risk axis (increasing risk) from residual risk through tolerable risk to EUC risk. The necessary risk reduction spans from the EUC risk down to the tolerable risk; the actual risk reduction is achieved by all safety-related systems and external risk reduction facilities, split into the partial risk covered by other-technology safety-related systems (e.g. mechanical), by E/E/PE safety-related systems, and by external risk reduction facilities (e.g. organizational).]

Figure 3-4 Risk consideration according to IEC 61508

[Figure 3-5 (image): proportional risk along the safety loop of Figure 3-3 (sensor, binary/analog input, logical operations, binary output, actuator). The figure apportions 15 % to one element of the loop and 1 % to each of the two Profibus-DP transmission paths; the 1 % is the figure used in the text below.]

Figure 3-5 Profibus-DP, proportional risk


The risk reduction of a facility is achieved via a safety function provided by a safety-oriented electrical/electronic/programmable electronic system (E/E/PES) with a certain residual error probability (safety integrity). The contribution of the Profibus-DP to this residual error probability may be 1 %. This means that the residual error probability of the DP bus, in conjunction with the ProfiSafe profile, shall be 100 times "better" than what is required for SIL3, for example.

Thus, the residual error probability of the other components involved in the safety control loop amounts to 99/100 of the value that is required for the SIL. This assessment deals with balancing the individual implementation efforts.

According to [6], the following bit error probability values are valid for transmission systems including bus drivers (this chart originates from Dieter Conrad's book "Datenkommunikation", 3rd edition).

Bit error probability p    Transmission system
> 10^-3                    Radio link
10^-4                      Unshielded telephone cable
10^-5                      Shielded "twisted-pair" telephone cable
10^-6 to 10^-7             Digital telephone cable of Deutsche Telekom (ISDN)
10^-9                      Coaxial cable in locally delimited applications
10^-12                     Fiber optic cable transmission

Thus, the typical error frequency (bit error probability) on the shielded DP cable is less than or equal to 10^-5. The calculation of the profile, however, is based on the bit error rate of the "gray channel". The Hamming distance of the standard Profibus protocol is 4; the profile does not take credit for it in the safe communication, however. According to IEC 61508 [5], the following residual error rate values are permitted in the individual SIL stages:

SIL    Probability of a dangerous failure (hazardous error) per hour in continuous operation mode
3      ≥ 10^-8 ... < 10^-7
2      ≥ 10^-7 ... < 10^-6
1      ≥ 10^-6 ... < 10^-5

Thus, for SIL3 a required residual error rate of < 10^-9 /h results for the entire equipment within the scope of the ProfiSafe profile (1 % of < 10^-7 /h).

3.7 Relevant Standards and Directives

• General standards for systems with safety responsibility
  - IEC 61508 Base standard for safety-relevant electronic / programmable electronic systems
  - DIN V VDE 801 A1

• Principle of safe communication
  - prEN 50159-1/2 "Railway applications: Requirements for Safety-Related Communication in Closed / Open Transmission Systems"

• Process engineering (chemistry, petrol)
  - IEC 61511 "... Safety instrumented Systems for the Process Industry"
  - VDI/VDE 2180 "Protection of process-engineering plants using process control means"
  - DIN V 19251 Instrumentation and control: MSR protective equipment, requirements and measures related to the safe function

• Fuel systems
  - prEN 50156 "Electrical equipment of fuel systems ..." (burner control)

• Machine safety
  - EN / IEC 60204-1 "Electrical equipment of industrial machines"


  - EN 954-1 "Safety-related parts of control systems"

• Position document
  - DKE-AK 226.03 dated 04-Jun-98 [4]

3.8 Error Cases That Shall Be Mastered

According to [4], the following transmission errors exist:

• Repetition
• Loss
• Insertion
• Incorrect sequence
• Corrupted process data
• Delay
• Interconnecting safety-relevant and standard messages (masquerade)
• Erroneous addressing (double, wrong)

It is the responsibility of the profile described here to provide additional safety measures, over and above the means that already exist in Profibus, that permit the necessary residual error rate to be reached.


4 Functional Principle of Safe Communication

The above-mentioned measures for mastering failures are a significant component of the F profile. Due to the existing protective functions of the standard Profibus, only a selection of the measures listed in the position document DKE-AK 226.03 [4] is required. The measures shall be taken and monitored within one failsafe unit.

[Figure 4-1 (table, excerpt from the position paper DKE-AK 226.03): the failures in the rows (repetition, loss, insertion, incorrect sequence, corrupted data, delay, interconnecting of F and standard messages (masquerade) incl. wrong and double addressing) against the measures in the columns (consecutive number; time expectation with acknowledge; codename for sender and recipient; data protection). An X marks which measure masters which failure; the individual marks are not reproduced here.]

Figure 4-1 Error mastering measures

4.1 F Message Structure

[Figure 4-2 (image): DP frame structure for process data. A standard message consists of the fields SD (68H) | LE | LEr | SD (68H) | DA | SA | FC | Data Unit (1 ... 244 bytes, standard or failsafe process data) | FCS | ED (16H), preceded by a sync time of 33 TBit. Each byte is transmitted as one 11-bit cell: SB | ZB0 ... ZB7 | PB | EB.

TBit = clock bit = 1 / baud rate
SD = start delimiter (here SD2, variable data length)
LE = length of process data
LEr = repetition of length; not checked by the FCS
DA = destination address
SA = source address
FC = function code (message type)
Data Unit = process data, for failsafe process data also, max. 244 bytes
FCS = frame checking sequence (across the data within LE)
ED = end delimiter
SB = start bit
ZB0 ... ZB7 = character bits
PB = (even) parity bit
EB = stop bit]

Figure 4-2 DP frame structure (Process Data)


Figure 4-2 shows the frame structure of the single-channel PROFIBUS-DP communication that contains the F process data within its data unit, as well as the basic Profibus safety measures via parity and frame checking sequence.

[Figure 4-3 (image): complete F message structure inside the data unit of a standard message frame (max. 244 bytes DP process data): F process data (max. 12 resp. 122 bytes) | status/control byte (1 byte) | CRC2 across F process data and F parameters (2 / 4 bytes *) | consecutive number, a source-based counter (1 byte), followed by standard process data (240 / 238 bytes minus the F data).

*) 2 bytes for max. 12 bytes F data; 4 bytes for max. 122 bytes F data.]

Figure 4-3 Complete F message structure

A maximum of 128 bytes out of the maximum possible 244 bytes can be used for the F message (F process data plus safety addenda). This is due to the limitation of the data consistency to a maximum of 64 words in the case of Profibus-DP (a maximum of 64 words can consistently be exchanged at any one time between the host and the bus master). CRC generation, however, requires a contiguous data area.

Two operational modes can be chosen by parametrization: few F process data, up to 12 bytes, together with a 16-bit CRC2 (2 bytes); or F process data up to 122 bytes together with a 32-bit CRC2 (4 bytes).

In addition to the F process data, 4 or 6 bytes in total are required: 1 byte for the status/control byte, 1 byte for the consecutive number, and 2 or 4 bytes for the CRC2 code.

The F profile permits standard process data to be appended to the F message segment (F slaves only). In this case, the F slave needs one codename (F source-destination relationship) for the F process data area and another one for the standard process data area. The F modules in a modular slave only know F process data.

The following sections give a detailed description of the components of the F data structure.

4.1.1 F Process Data

The data of the safe I/O peripherals is accommodated in this frame section. The coding corresponds to that of the standard Profibus. In the case of only a few F process data, up to 12 bytes, one should choose the 16-bit CRC by parametrization for performance reasons.

The appended standard process data is used, for example, in gateways to other safe field buses in order to be able to include standard I/O data in the transport via a single slave address.

Besides the compact slaves, there are modular slaves with F and standard I/O units and subaddresses. Their Profibus head-end station, which is considered part of the "gray channel", is used for agreeing the structure of a "modular" message frame via the parametrization. In this case, F module process data may also be part of the frame. The amount of data corresponds to the net amount of data in Profibus-DP minus 4 or 6 bytes respectively. That means for a head-end station with m F modules a reduction of m times 4 or 6 bytes respectively.


[Figure 4-4 (image): process data of a modular slave, Σ = 244 bytes: head station followed by I/O modules in slots 1 to 5 (Cfg-ID 1 to 5, module 1 to 5), two of which are F modules; each F module's data carries its own 4 or 6 bytes of safety addenda.]

Figure 4-4 Modular slave with two F modules

Configuration supposes Slot = Cfg-ID = Module.

[Figure 4-5 (image): embedding of F I/O data. Compact slave: the standard message carries the complete F message (F I/O data, status/control byte, CRC signature, consecutive number) followed by "appended" standard data; the acknowledgment message carries the safety addenda. Modular slave: the standard message (max. 244 bytes) carries standard module data and, per F module, a complete F message (F I/O data, status/control byte, CRC signature, consecutive number).]

Figure 4-5 Embedding the F I/O data of compact and modular slaves

4.1.2 Status/Control Byte

Status byte:
  Bit 0   F slave has new i-parameter values assigned
  Bit 1   Failure exists in F slave or F module
  Bit 2   Communication failure: CRC or consecutive number
  Bit 3   Communication failure: WD timeout
  Bit 4   Failsafe values (FV) activated
  Bit 5   res
  Bit 6   res
  Bit 7   tbd

Figure 4-6 Status byte

The status byte is contained in each slave frame.

Bit 0 is set when the F slave has new parameter values assigned.
Bit 1 is set for at least two (2) message cycles if there is a malfunction in the F slave itself.
Bit 2 is set if the F slave recognizes an F communication failure, i.e. if the consecutive number is wrong or the data integrity is violated (CRC). This bit enables the F host to count all erroneous messages within a defined time period T and to trigger a configured safe state of the system if the number exceeds a certain limit (maximum residual failure rate). See also chap. 4.11.1.


Bit 3 is set if the F slave recognizes an F communication failure, i.e. if the watchdog time in the F slave is exceeded.

Bit 4 is set if the F input slave is sending failsafe values (FV) or the F output slave has set FVs, respectively.
Bits 5, 6 are reserved (res).
Bit 7 can be defined according to the manufacturer's requirements (tbd).

Control byte:
  Bit 0   i-parameter assignment deblocked
  Bit 1   res
  Bit 2   res
  Bit 3   res
  Bit 4   res
  Bit 5   res
  Bit 6   tbd
  Bit 7   tbd

Figure 4-7 Control byte

The control byte is sent with each DP master message frame.

Bit 0 is set if a parametrization request is detected or an F slave needs new i-parameters. In this case the system uses the failsafe values (FV).

Bits 1 to 5 are reserved (res).
Bits 6, 7 can be defined according to the manufacturer's requirements (tbd).

4.1.3 Consecutive Number

The consecutive number is used by the recipient for monitoring the "life" of the sender and of the communication link. It is used in an acknowledgment mechanism for monitoring the propagation times between sender and recipient.

The value "0" is reserved for the first run. Thus, the consecutive number counts cyclically from 1 to 255, wrapping back to 1 at the end.

[Figure 4-8 (image): consecutive number function, four frames.
F host message to F output slave: output data (max. 12 / 122 bytes) | control byte (1 byte) | CRC2 across F process data, control byte and F parameters (2 / 4 bytes) | consecutive number, counter within the F host (1 byte).
Acknowledge, F output slave to F host: status byte (1 byte) | CRC2 across status byte and F parameters (2 / 4 bytes) | consecutive number taken from the F host (1 byte).
F host message to F input slave: control byte (1 byte) | CRC2 across control byte and F parameters (2 / 4 bytes) | consecutive number, counter within the F host (1 byte).
Acknowledge, F input slave to F host: input data (max. 12 / 122 bytes) | status byte (1 byte) | CRC2 across F process data, status byte and F parameters (2 / 4 bytes) | consecutive number taken from the F host (1 byte) *).
*) in mixed I/O slaves the acknowledge may contain F process data also.]

Figure 4-8 Consecutive number function


4.1.4 CRC Signature

Once the F parameters (source-destination relationship or codename, SIL, watchdog times, etc.) have been loaded, these identical parameters are employed in an identical procedure in the source and in the target for producing CRC1 keys (CRC1). The CRC1 key, the failsafe process data, and the status or control byte are used for producing another 2-byte / 4-byte CRC2 key (CRC2) in the source: the CRC1 key provides the initial value for the calculation of CRC2, and CRC2 is transferred cyclically. In the target, the identical CRC key is generated and the keys are compared. The subsequent cyclic transfer only requires one CRC2 key comparison (that can be done very rapidly).

[Figure 4-9 (image): CRC generation. Transferred message: F process data (max. 12 / 122 bytes) | status/control byte (1 byte) | CRC2 (2 / 4 bytes) across F process data, status/control, i-parameters *), SIL, WD time and source-destination relationship | consecutive number, source-based counter (1 byte), not covered by CRC2. In the F CPU (host) and in the F slave, identical F parameters (source and destination relationship, SIL, WD_Time, and the individual i device parameters (CRC3)) form the "constant" portion, over which the 2-byte CRC1 is computed; CRC1 provides the initial value for CRC2 over the "variable" portion, the F process data. Within the destination: 1. CRC2 comparison, 2. diagnostics in case of discrepancy.
*) including i parameters is optional]

Figure 4-9 CRC generation

The CRC1 recalculations shall be executed once a day, i.e. within 24 h (maximum cycle time of self testing).
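As an added example (not part of this profile document and not PNO reference code), the following Python block builds and checks an F message with the layout of Figures 4-3, 4-8 and 4-9: CRC1 over the F parameters, CRC2 over the F process data and the status/control byte seeded with CRC1, the consecutive number carried alongside but outside CRC2 as in Figure 4-8, and the status byte of Figure 4-6 decoded into named bits. It also shows why a frame built under another codename (masquerade) or a single bit flipped on the gray channel is rejected at the receiver. The CRC polynomials, the byte encoding of the F parameters, the sample data and all function names are assumptions; the profile text does not fix them here.

```python
"""Added example, not the profile's own code: build and check an F message with the
layout of Figures 4-3, 4-8 and 4-9 and decode the status byte of Figure 4-6.
Assumed (not fixed by this section of the profile): the CRC polynomials
(CRC-16 0x1021 and CRC-32 0x04C11DB7, MSB-first, non-reflected), the byte
encoding of the F parameters, and the 4-byte codename from section 4.2.1."""
import struct

# Figure 4-6, status byte: bits 5/6 reserved, bit 7 manufacturer specific
STATUS_BITS = {0: "new_i_parameters", 1: "slave_failure",
               2: "comm_failure_crc_or_consnr", 3: "comm_failure_wd_timeout",
               4: "failsafe_values_activated"}
CONTROL_BITS = {0: "i_parameter_assignment_deblocked"}   # Figure 4-7

def crc(data: bytes, width: int, poly: int, init: int) -> int:
    """Generic bitwise MSB-first CRC; 'init' is how CRC1 seeds CRC2."""
    mask, top = (1 << width) - 1, 1 << (width - 1)
    reg = init & mask
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    return reg

class FParameters:
    """The "constant" portion of Figure 4-9: codename (1:1 host-slave relationship),
    SIL and watchdog time. Source and target compute CRC1 from identical copies."""
    def __init__(self, codename: bytes, sil: int, wd_time_ms: int, long_mode: bool):
        if len(codename) != 4:
            raise ValueError("codename is a 4-byte parameter")
        self.codename, self.sil, self.wd_time_ms = codename, sil, wd_time_ms
        self.long_mode = long_mode                  # False: <=12 bytes, 16-bit CRC2
        self.max_data = 122 if long_mode else 12    # True: <=122 bytes, 32-bit CRC2
        self.crc1 = crc(self.encode(), 16, 0x1021, 0xFFFF)   # 2-byte CRC1

    def encode(self) -> bytes:
        # assumed encoding: codename | SIL (1 byte) | WD_Time in ms (2 bytes, big endian)
        return self.codename + struct.pack(">BH", self.sil, self.wd_time_ms)

    def crc2_len(self) -> int:
        return 4 if self.long_mode else 2

    def crc2(self, payload: bytes) -> int:
        """CRC2 over F process data + status/control byte, seeded with CRC1."""
        if self.long_mode:
            return crc(payload, 32, 0x04C11DB7, self.crc1)
        return crc(payload, 16, 0x1021, self.crc1)

def build_f_message(params: FParameters, f_data: bytes, sc_byte: int,
                    cons_nr: int, std_data: bytes = b"") -> bytes:
    """Figure 4-3 layout: F process data | status/control byte | CRC2 | consecutive
    number, optionally followed by appended standard process data (F slaves only).
    As in Figure 4-8 the consecutive number is not covered by CRC2."""
    if len(f_data) > params.max_data:
        raise ValueError("F process data exceeds the parametrized maximum")
    if not 0 <= cons_nr <= 255:
        raise ValueError("consecutive number is one byte")
    payload = f_data + bytes([sc_byte])
    crc2 = params.crc2(payload).to_bytes(params.crc2_len(), "big")
    return payload + crc2 + bytes([cons_nr]) + std_data

def parse_f_message(params: FParameters, frame: bytes, f_data_len: int) -> dict:
    """Receiver side: recompute CRC2 with the receiver's own CRC1 and compare.
    A frame from another source-destination relationship (wrong codename), a
    corrupted frame, or mismatching F parameters all fail this check. The result
    reports crc_ok instead of raising: the F driver keeps running and signals the
    failure through bit 2 of its status byte."""
    n = params.crc2_len()
    f_data = frame[:f_data_len]
    sc_byte = frame[f_data_len]
    crc2_rx = int.from_bytes(frame[f_data_len + 1:f_data_len + 1 + n], "big")
    cons_nr = frame[f_data_len + 1 + n]
    std_data = frame[f_data_len + 2 + n:]
    crc_ok = params.crc2(f_data + bytes([sc_byte])) == crc2_rx
    return {"f_data": f_data, "sc_byte": sc_byte, "cons_nr": cons_nr,
            "std_data": std_data, "crc_ok": crc_ok}

def decode_bits(value: int, names: dict) -> dict:
    """Map a status or control byte to the named bits of Figures 4-6 / 4-7."""
    return {name: bool((value >> bit) & 1) for bit, name in names.items()}

def demo() -> dict:
    """Constructed sample: F host and F output slave share codename b'A001';
    a third party parametrized with b'B777' tries to masquerade."""
    host = FParameters(b"A001", sil=3, wd_time_ms=100, long_mode=False)
    slave = FParameters(b"A001", sil=3, wd_time_ms=100, long_mode=False)
    other = FParameters(b"B777", sil=3, wd_time_ms=100, long_mode=False)
    f_data = bytes([0x01, 0x00, 0xFF, 0x10])             # 4 bytes of F output data
    frame = build_f_message(host, f_data, 0x00, 7, std_data=b"\xAA\xBB")
    good = parse_f_message(slave, frame, len(f_data))
    masq = parse_f_message(slave, build_f_message(other, f_data, 0x00, 7), len(f_data))
    damaged = bytearray(frame)
    damaged[2] ^= 0x04                                     # one bit flipped on the gray channel
    flipped = parse_f_message(slave, bytes(damaged), len(f_data))
    status = decode_bits(0b0001_0100, STATUS_BITS)         # slave: CRC/consnr failure, FV active
    return {"good": good["crc_ok"], "masquerade": masq["crc_ok"],
            "corrupted": flipped["crc_ok"], "std_data": good["std_data"],
            "cons_nr": good["cons_nr"], "status": status}
```

The receiver never transmits or compares CRC1 itself: it only reaches a matching CRC2 if its own F parameters, and therefore its own CRC1, are identical to the sender's, which is what ties the frame to one F source-destination relationship. Because the consecutive number sits outside CRC2 in this layout, it is protected only by the sequence check of section 4.1.3, not by the data protection measure.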

4.1.5 Appended Standard User Data

With F slaves, the F profile permits standard user data to be appended to the F message part until the maximum frame length is reached. In this case, the F slave requires one codename (F source-destination relationship) for the F process data area and one for the standard process data area.

The appended standard process data is used, for example, in F gateways to other safe field buses in order to be able to include standard I/O data in the transport via a single slave address.

F modules in modular slaves only know F process data.


4.2 Regular F Communication

The following chapters deal with the "dynamics" of the ProfiSafe profile: first the start-up and cyclic behavior, later on the failure reactions.

4.2.1 Operational Behavior of F Host and F Slave

Figure 4-10 shows that each F input and each F output requires an F message frame management (F driver) in order to handle the ProfiSafe profile. The corresponding F host (F CPU) operates with an instance of an F message management (F driver) for each F input or F output respectively. The whole standard Profibus communication equipment between the F drivers belongs to the "gray channel". The arrows indicate the cyclic data transport between the F drivers: the safety addenda (consecutive number, CRC, status/control byte) are transferred in addition to the F process data from the F input to the F CPU. As an acknowledgment, the F input merely receives the safety addenda (safety code).

[Figure 4-10 (image): F communication structure. An F input (DP slave with F driver) and an F output (DP slave with F driver) each communicate via a DP master with an F driver instance in the F CPU, where the failsafe control program uses the F user interface for input data and output data. From the F input to the F CPU: process data plus safety code; towards the F input: safety code only ("profile administration"). Preconditions for an encapsulated transmission system: authorized access only; known maximum number of communicating peers (F and standard); the transmission media is known and well defined. Additional measures in a device are needed in order to achieve a required SIL, e.g. for SIL3 a second microprocessor and compare facilities.]

Figure 4-10 F communication structure

Accordingly, the F output receives the safety addenda in addition to the F process data, and uses them for the acknowledgment.

[Figure 4-11 (image): F user interfaces of F driver instances. F driver instances for outputs: signals FV activated, Fault, output values (process or failsafe (FV)), operator acknowledgment (OA). F driver instances for inputs: FV activated, Fault, input values (process or failsafe (FV)), operator acknowledgment (OA). Via parametrization, each codename *) initiates an instance; a general release applies to all instances.
*) codename = F host - slave 1:1 relationship]

Figure 4-11 F User Interfaces of F driver instances


Message frame management and F parametrization of the F host and F peripherals are tasks of the F drivers within the F CPU and the F slaves. Figure 4-11 shows the user interface at the failsafe control program level. Several signals are available to the programmer to handle failsafe processes according to the standards.

Codename: The F host – slave 1:1 relationship parameter (4 Bytes) initiates an instance incl. CRC1.

Operator Acknowledgment (OA): By changing this signal from 0 to 1 the user is able to release a safety function after a fault reaction (failsafe control loop specific) via an F control program (type: boolean).

FV activated: This signal is available to F control programs and indicates that the outputs are set to failsafe values and the inputs are sending failsafe values due to a fault recognized by F host or F slave (type: boolean).

Fault: This signal is available to F control programs and indicates that the F host or F slave recognized any of these failures: timeout, CRC, consecutive Nr., slave malfunction (type: boolean). In any of these cases outputs are set to failsafe values and inputs are sending failsafe values as long as faults are recognized, until the OA signal releases the safety function.

General release: This signal is available to F control programs (type: boolean). Usage of any process values instead of failsafe values only is possible if this signal turns from 0 to 1. It can be used for a general release of the safety system after startup.

Output and input values: During normal operation these are user defined process values.

The following figure 4-11 demonstrates how the F driver uses the underlying PROFIBUS-DP communications and some timing definitions. Meaning of the short arrows: in Profibus-DP, the DP master sends the frame more frequently to the slave than it receives it from the host (F-CPU).

[Figure 4-12 (sequence diagram): F CPU and F Output, each with a time monitor per direction. The F CPU sends frames with consec. Nr. = n, n+1, n+2; the F output acknowledges with consec. Nr. = n, n+1. The CPU cycle time and the DP cycle time are marked on the time axis.]

Figure 4-12 Monitoring the message transit time F-CPU ↔ F output

The main features of the operational behavior are listed below:

Startup (synchronization): To synchronize after a cold restart, new parametrization, or timeout of F input/F output, the F driver starts with the consecutive number "0". Next, the F-CPU increments the consecutive number in each call modulo 256, skipping the value 0. At the latest before the monitoring time is about to expire, F input/F output expects a message with a consecutive number that is incremented by 1. An F output does not supply any process value after it has received a consecutive number of 0.

F protocol cycle: F input/F output sends an F message frame with the same consecutive number (F protocol cycle) to acknowledge the reception of an F message from the F-CPU.

The F-CPU cycle shall not exceed the F protocol cycle (it may be shorter).

Time monitor (watch dog): Arrival of a new correct message frame at the F device within the watchdog time is monitored. This verification can be performed as often as necessary, but at least once at the end of the monitoring time interval. It is permitted and tolerated that one incorrect message frame (with faulty CRC code or where the consecutive number has been incremented by more than 1) arrives before a new correct frame is received. This means that this does not lead to a safe state error reaction. When the watchdog time expires, the related recipient switches over to a safe state.

The slowest Profibus DP cycle time may not be longer than half the monitoring time. The F-CPU cycle may be shorter than the monitoring time.

Monitoring the consecutive number: A new correct message frame is characterized by the fact that at least the consecutive number has been incremented by 1 and that either the entire rest of the F frame part is unchanged or has been changed faultlessly. This means that an incorrect change of the consecutive number by +1 is not recognized at once, but only after another DP cycle or F protocol cycle. This will then lead to a fault reaction.

Assuming two simultaneous faults, i.e. "failure of the F-CPU" and "incorrect incrementing" of the consecutive number, is not realistic. Neither is the case of simultaneous failures where a smart device in the gray channel continuously increments the consecutive number by +1 while the F-CPU has failed.

The simultaneous case "safety-oriented request" and "incorrect incrementing" of the consecutive number by +1 is discovered immediately with the request message and leads to the described fault reactions.

Frame repetition: A complete message frame repetition in the event that a new correct message frame has not been received inside the watchdog time interval is not supported.

SIL monitor: Every corrupted message (CRC and consecutive Nr. failure) will be counted during a configurable monitor time period. The failsafe values are set whenever more than one such failure occurred. The cases where CRC=0 and the consecutive Nr.=0 shall not be counted; they cause the setting of the failsafe values instead.

Monitor time period (T): The monitor time period T is a constant value with the dimension hour (h) that results from the requested SIL and the configured CRC length (see chap. 4.11.1):

SIL   CRC      Length of process data   Time period (h)
3     16 Bit   < 16 Bytes               10
2     16 Bit   < 16 Bytes               1
3     32 Bit   < 128 Bytes              0.1
2     32 Bit   < 128 Bytes              0.01

Page 24: PROFIBUS-DP/PA - Institutt for teknisk kybernetikk, NTNU · PROFIBUS-DP/PA ProfiSafe, Profile for Failsafe Technology, V1.0 P r o f i S a f e Document No. 740257 ... Gerd Lausberg

PROFIBUS-ProfiSafe-Profile for Failsafe Technology Version 1.00, 30-Mar-1999, 6:00 pm

_________________________________________________________________________________________ Copyright PNO 1999 – All Rights Reserved Page 24

ProfiSafe-Profil-100e.doc

[Figure 4-13 (sequence diagram): F input and F CPU, each with a time monitor per direction. The F input sends frames with consec. Nr. = m, m+1, m+2; the F CPU acknowledges with consec. Nr. = m, m+1.]

Figure 4-13 Monitoring the message transit time F input ↔ F-CPU

4.2.2 State Diagrams

The following chapter demonstrates the operational behavior of F host and F slave by means of interaction and state diagrams.

The figures show the interaction messages of F host and F slave during the start-up phase. Three phases are covered: both partners during start-up, host temporarily switches power off, or slave temporarily switches power off while its partner is still operating. The following figures inform about the states and the corresponding transitions. The states the respective F system is passing through are represented by numbers within circles.

[Figure 4-14 (sequence diagram): Host Power On and Slave Power On. The host starts with x=0 (states 1 to 4) and sends failsafe values (FV), Nr.=0; the slave (states 20 to 23, initial values = 0 *), x=FF) acknowledges FV, Nr.=0. With x=x+1 per cycle the host sends PV (for output slaves), Nr.=1, 2, 3 (states 5, 6, 7) and the slave answers PV (for input slaves), Nr.=1, 2, 3 (states 24, 25, 23). Output column: FV, FV, FV, then PV: switch from failsafe values (FV) to process values (PV) after 3 message cycles (slave responsibility). *) Profibus DP behavior.]

Figure 4-14 Interaction F host / F slave during start-up


[Figure 4-15 (sequence diagram): Host power off → on while the slave keeps operating. The slave recognizes the timeout (states 26, 27) and answers FV; Nr.=n; Status=timeout. After power on the host starts again with x=0 and sends FV, Nr.=0 (states 1 to 4); the slave acknowledges FV (input); Status=timeout, cons.Nr., Nr.=0 (states 21, 22, 23). The host then sends FV (output), Nr.=1, the slave PV (input), Nr.=1; after OA=1 the host sends PV, Nr.=2 (host states 5, 6, 8, 9, 10; slave states 24, 25, 23). Output column: FV, FV, FV, FV, FV, then PV: switch from failsafe values (FV) to process values (PV) after 3 message cycles (slave responsibility).]

Figure 4-15 Interaction F host / F slave during Host Power Off → On

[Figure 4-16 (sequence diagram): Host operating, slave with delayed power on. The host sends failsafe values (FV), Nr.=0, Nr.=1, Nr.=2, ... with x=x+1 per cycle and recognizes a timeout each time (states 3, 8, 9, 5). After power on (slave state 20) the slave answers FV (input), Status=cons. Nr., Nr.=n; the host sets x=n and sends FV (output), Nr.=n and FV, Nr.=n+1, then, after OA=1, PV, Nr.=n+2 and Nr.=n+3 (states 6, 7, 10); the slave sends PV (input), Nr.=n+1, n+2 (slave states 21 to 25, 27). Output column: FV, FV, FV, FV, FV, then PV: switch from failsafe values to process values after 3 message cycles.]

Figure 4-16 Interaction F host / F slave with delayed Power On


[Figure 4-17 (sequence diagram): Host operating, slave power off → on. Process values (PV), Nr.=n are exchanged (host states 5, 6; slave states 23, 24, 25). While the slave is off the host sends failsafe values (FV), Nr.=n+1, n+2, n+3 and recognizes a timeout each time (states 8, 9, 5, 11). After power on (slave state 20) the slave answers FV (input), Status=cons. Nr., Nr.=n+3; the host sends FV (output), Nr.=n+4 and, after OA=1, PV, Nr.=n+5, n+6 (states 6, 7, 10); the slave sends PV (input), Nr.=n+4, n+5 (slave states 21 to 25, 27). Output column: PV, FV, FV, FV, FV, then PV: switch from failsafe values to process values after 3 message cycles.]

Figure 4-17 Interaction F host / F slave during Slave Power Off → On


Legend:
- consecutive Nr. x: after 255 wrap over back to 1
- slave failure: Status Bit 1=1
- CRC, cons.Nr.: Status Bit 2=1
- timeout: Status Bit 3=1: slave reports timeout to host
- Host Timeout: host recognizes local timeout while awaiting slave acknowledgment
- store faults: persistent fault storage within host only (no slave persistence required)
- >> receive: consecutive Nr. changed
- << send: data ready for transport
- Ack: acknowledgment
- failsafe values: used instead of process values in case of hazardous event
- initial values: Status / Control Bits=0 during startup
- process values: values used in normal operation
- OA: operator acknowledgment (user-IF)
- user-IF: signals available at PLC program level

*) to cover Power Off settling time within the whole system

[Figure 4-18 (state diagram) F host states:
1 Power On
2 Message prepared
3 Await Slave Ack
4 Slave Ack checked
5 Message prepared
6 Await Slave Ack
7 Slave Ack checked
8 Message prepared
9 Await Slave Ack
10 Slave Ack checked
11 Wait 5 s *)
Cycle groups: I startup cycles, II normal operation cycles, III failure remedy cycles.
Transition labels in the figure: parametrization ok, configuration ok, faults checked, initial values=0; use failsafe values, set Control Byte, Nr.=x; use process values, set Control Byte, Nr.=x; use failsafe values, set Control Byte, store faults, Nr.=x; (get process values), get Status Byte; ignore initial values; ok, Nr.=0; ( x=x+1 ); Nr.><0; ( x=0 ); no fault before PowerOff; ( x=0 ); faults before / during PowerOff; ( x=1 ); ok; ( x=x+1 ); slave failure, timeout, CRC, cons.Nr.; Nr.=0; ( x=x+1 ); slave failure, timeout, CRC, cons.Nr.; ( x=x+1 ); Host Timeout; ( x=x+1 ); indicate to user-IF; OA=0; OA=1; << send; >> receive.]

Figure 4-18 F host states during interactions with the F slave


[Figure 4-19 (state diagram) F output (input) slave states:
20 Power On
21 Await Message
22 Message checked
23 Ack prepared
24 Await Message
25 Message checked
26 Set FV (Use FV)
27 Ack prepared
Cycle groups: I startup / failure cycles, II normal operation cycles.
Transition labels in the figure: start-up test ok, parametrization ok, configuration ok, initial values = 0, x=FF; Nr.=x+1? Nr.=0 or 1 permitted after FF; set (get) process values, set failsafe values for first 3 ok-cycles *), set Status Bits 2 and 3=0; use current consec. Nr., set Status Byte; set (use) failsafe values, Status Bit 3=1, Slave Timeout; ignore initial values; ok; CRC, consec. Nr.; timeout **); << send; >> receive.]

Legend:
- ( ) operations valid for input slave only
- __ operations valid for output slave only
- consecutive Nr. x: after 255 wrap over back to 1
- slave failure: Status Bit 1=1: slave reports internal failure
- CRC, cons.Nr.: Status Bit 2=1; slave reports CRC, cons.Nr. failure to host
- Slave Timeout: slave recognizes local timeout while awaiting host-acknowledgment; Status Bit 3=1: slave reports timeout failure to host
- >> receive: consecutive Nr. changed
- << send: data ready for transport
- Ack: acknowledgment
- failsafe values: (FV) used instead of process values in case of hazardous event
- initial values: any F-message values=0 during startup (PROFIBUS-PDU)
- process values: (PV) values used in normal operation
- OA: operator acknowledgment (user-IF)
- user-IF: signals available at PLC program level

*) failsafe values shall be used during slave hardware failure and/or during the first three (3) cycles of normal operation (output slave only)
**) watch dog timer started after first message

Figure 4-19 F output (input) slave states

After Power On the output slave sets "0". Immediately after F parametrization it sets failsafe values.

After Power On the input slave sends "0". Immediately after F parametrization it sends process values.
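The receiver-side rules of chapter 4.2.1 (consecutive number, watchdog, SIL monitor) and the output slave behaviour of Figure 4-19 (Nr.=0 as resynchronization, failsafe values for the first three ok cycles, status bits reported to the host), combined into one runnable model as an added example that is not part of the profile or any vendor's F driver. The frame class, the caller-supplied CRC2 result, the status bit weights and the millisecond clock are assumptions of this example.

```python
"""Model of an F output driver (receiver side) for ProfiSafe V1.0.

Added example, not profile code. Covers the rules of chapter 4.2.1
(consecutive number, watchdog, SIL monitor) and the output slave
behaviour of Figure 4-19 (failsafe values for the first three ok cycles,
Nr.=0 as resynchronization, status bits reported in the acknowledgment).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Monitor time period T in hours per (SIL, CRC length in bit), from the
# table in chapter 4.2.1.
MONITOR_PERIOD_H = {(3, 16): 10.0, (2, 16): 1.0, (3, 32): 0.1, (2, 32): 0.01}
STARTUP_FV_CYCLES = 3          # Figure 4-19 note *): FV for the first 3 ok cycles
STATUS_CRC_CONS_NR = 1 << 2    # "Status Bit 2": CRC / cons.Nr. failure (weight assumed)
STATUS_TIMEOUT = 1 << 3        # "Status Bit 3": timeout (weight assumed)


def next_consecutive(x: int) -> int:
    """Increment modulo 256 skipping 0: after 255 wrap over back to 1."""
    return 1 if x >= 255 else x + 1


@dataclass
class FFrame:
    """Received F message as seen after the CRC2 check (layout assumed)."""
    consecutive_nr: int
    crc_ok: bool
    process_data: bytes


@dataclass
class FOutputReceiver:
    sil: int
    crc_bits: int
    watchdog_ms: int
    failsafe_values: bytes
    expected_nr: int = 0                     # x: last accepted consecutive number
    ok_cycles: int = 0                       # accepted frames since last resync
    fault: bool = False                      # user-IF "Fault" (latched until OA)
    status: int = 0                          # status byte reported in the Ack
    last_ok_ms: Optional[int] = None         # watchdog runs from the first frame
    corrupt_h: List[float] = field(default_factory=list)

    @property
    def fv_activated(self) -> bool:
        """User-IF "FV activated": the output drives failsafe values."""
        return self.fault or self.ok_cycles <= STARTUP_FV_CYCLES

    def acknowledge(self) -> None:
        """Operator acknowledgment OA 0->1 releases the latched fault."""
        self.fault = False
        self.status = 0

    def _enter_fault(self, status_bit: int) -> None:
        self.fault = True
        self.ok_cycles = 0
        self.status |= status_bit

    def _sil_monitor_tripped(self, now_ms: int) -> bool:
        """Count corrupted frames inside T; more than one latches the fault."""
        T = MONITOR_PERIOD_H[(self.sil, self.crc_bits)]
        now_h = now_ms / 3_600_000
        self.corrupt_h = [t for t in self.corrupt_h if now_h - t < T]
        self.corrupt_h.append(now_h)
        return len(self.corrupt_h) > 1

    def receive(self, frame: FFrame, now_ms: int) -> bytes:
        """Process one frame and return the values to drive to the output."""
        # Time monitor: no new correct frame inside the watchdog time.
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.watchdog_ms:
            self._enter_fault(STATUS_TIMEOUT)
        nr = frame.consecutive_nr
        if nr == 0:
            # Startup / resynchronization: never a process-value frame and
            # not counted by the SIL monitor; x restarts at 0.
            self.expected_nr, self.ok_cycles, self.last_ok_ms = 0, 0, now_ms
            return self.failsafe_values
        if frame.crc_ok and nr == next_consecutive(self.expected_nr):
            # New correct frame: Nr.=x+1 and the rest of the F frame intact.
            self.expected_nr, self.last_ok_ms = nr, now_ms
            self.ok_cycles += 1
            if not self.fault:               # "set Status Bits 2 and 3 = 0"
                self.status &= ~(STATUS_CRC_CONS_NR | STATUS_TIMEOUT) & 0xFF
        else:
            # CRC or consecutive number failure: report it and use FV for this
            # cycle; the fault latches only when the SIL monitor trips.
            self.status |= STATUS_CRC_CONS_NR
            if self._sil_monitor_tripped(now_ms):
                self._enter_fault(STATUS_CRC_CONS_NR)
            return self.failsafe_values
        return self.failsafe_values if self.fv_activated else frame.process_data
```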


[Figure 4-20 (sequence diagram): Host and slave exchange process values (PV) with Nr.=n, n+1 (host states 5, 6, 7; slave states 23, 24, 25). The host recognizes a CRC failure on the slave acknowledgment (Nr.=n+1), sends failsafe values (FV), Nr.=n+2 (states 8, 9, 10) and, after OA=1, returns to PV, Nr.=n+3; the slave acknowledges with Nr.=n+2. Output column: PV, FV, FV, ..., PV.]

Figure 4-20 Interaction F host / F slave while host recognizes CRC failure

[Figure 4-21 (sequence diagram): Process values (PV) are exchanged with Nr.=n. The slave recognizes a CRC failure on the host message PV (output), Nr.=n+1 and answers FV; Status=CRC failure, Nr.=n+1 (slave states 25, 26, 27). The host sends FV (output), Nr.=n+2 (states 8, 9, 10) and, after OA=1, PV (output), Nr.=n+3, n+4 (states 5, 6, 7); the slave sends PV (input), Nr.=n+2, n+3 (slave states 21 to 25). Output column: PV, FV, FV, FV, FV, ..., PV: switch from failsafe values to process values after 3 message cycles.]

Figure 4-21 Interaction F host / F slave while slave recognizes CRC failure


4.3 Reaction in the Event of a Malfunction

4.3.1 Repetition

Quote: "The malfunction of a bus device causes old and obsolete messages to be repeated at the wrong time so that a recipient would dangerously be disturbed (e.g. guard door is reported closed albeit it has already been opened)."

Remedial action: The data in DP mode is transferred cyclically. Thus, an incorrect message that is inserted once will immediately be overwritten by a correct message. The thereby possible delay of an emergency request can be one watch dog time.

4.3.2 Loss

Quote: "The malfunction of a bus device deletes a message (e.g. request for "safe operational stop")."

Remedial action: Lost information will be discovered by the stringent incrementing and surveillance of the consecutive number.

4.3.3 Insertion

Quote: "The malfunction of a bus device inserts a message (e.g. deselection of the "safe operational stop")."

Remedial action: Due to the stringently sequential expectation of the consecutive number, the recipient will discover an inserted message.

4.3.4 Incorrect Sequence

Quote: "The malfunction of a bus device modifies the message sequence. Example: Prior to initiating the safe operational stop you want to select the safely reduced velocity. The machine will be running instead of being stopped when these messages are confused."

Remedial action: Due to the stringently sequential expectation of the consecutive number, the recipient will discover any incorrect sequence.

4.3.5 Corruption of F Message Data

Quote: "The malfunction of a bus device or the transmission link corrupts messages."

Remedial action: The CRC2 code discovers a corruption of the data between sender and recipient.

[Figure 4-22 (schematic): the DP net data consist of the F user data (m bytes), the status/control byte (1 byte) and CRC2 (2 / 4 bytes). CRC2 is computed across the F process data and the F parameters; the F parameter data (F source-destination relationship, F WD time, etc.) are not transmitted cyclically but enter the CRC2.]

Figure 4-22 F parameter data and CRC

The CRC2 code is generated across the F parameters (including the F source-destination relationship) and across the F process data and the control/status byte. The source-destination relationship of F-CPU and F slave is defined in the configuration, and retentively stored.

After a repair, the F address of an F device shall be restored / adjusted before F operation is resumed.

4.3.6 Delay

Quote: "1. The operational data exchange exceeds the capacity of the communication link. 2. A bus device causes an overload situation by simulating incorrect messages so that a service that belongs to the message is delayed or prevented."


Remedial action:

• Consecutive number in the sender data and in the acknowledgment data.
• Watchdog time in the respective recipient (watchdog time for F communication).

The watchdog time is a part of the whole safety time of the safety control loop. The total time guaranteed by the PES is the sum of the following time segments:

+ input delay of the F input slave (operation time)
+ watchdog time "F communication": F input ↔ F-CPU
+ scan rate or execution time in the F-CPU
+ watchdog time "F communication": F-CPU ↔ F input
+ output delay of the F output slave (operation time)

The ProfiSafe DP profile defines the meaning of the "F communication" watchdog time.

4.3.7 Interconnecting Safety-Relevant and Standard Messages (Masquerade)

Quote: "The malfunction of a bus device causes safety-relevant messages and non-safety-relevant messages to be mixed".

Remedial action: The data comes from the correct sender or goes to the correct recipient [authenticity]. This is guaranteed by the CRC2 signature across the F parameters (which include the F source-destination relationship).

Principle of safe addressing:

a) Detecting the interconnection of safety-relevant and non-safety-relevant messages is guaranteed by the fact that a standard device is not capable of creating an F message frame with the correct CRC2 and the correct consecutive number.

b) Detecting data from a different sender or for a different recipient is guaranteed by the fact that the F sender that belongs to the F source-destination relationship (codename) is the only one that generates exactly the matching CRC key that is expected by the F receiver. At the same time, the recipient employs this CRC key for implicitly checking the authenticity of the F sender address (since it was included in the CRC).

c) A retentive selection of the F address in the individual devices can be achieved through one of the following methods:
- Coding switch in the unit (the F slave address of compact slaves, for example)
- A one-time device parametrization by software that requires it to be checked whether the correct device has been addressed. This shall be repeated when a unit is replaced.
- By address mechanisms that are independent of Profibus-DP addressing.

Sabotage is not assumed.

4.4 F Parameter Structure

The parameter values of the Profibus devices on the "gray channel" are assigned according to the Profibus standard description, i.e. via GSD files from the Class 1 Profibus master (cyclic) or, with Profibus-PA, via DDL and class 2 master (acyclic). The F parameters that are additionally required for the F profile can be loaded via several alternative parametrization ways. Here is an overview:

• F_Device: Identification telling that the unit supports ProfiSafe (corresponds to command byte)
• F_S/D_Address: "Code word" between sender and recipient
• F_WD_Time: Watchdog time in the F unit (default in GSD: operation time of an F slave)
• F_Prm_Flag: Parameter word containing several parameters for the profile management
• F_Check_SeqNr: Including the consecutive number into the CRC2
• F_Check_iPar: Including individual F device parameters into the CRC1
• F_SIL: Check: configured = employed F device ?
• F_CRC_Length: CRC2 length
• F_Par_CRC: CRC1 across the F parameters


4.4.1 F_Device ( ProfiSafe Participant )

This parameter marks a unit as an F device that supports the ProfiSafe profile. It can also be used for distinguishing between safety-oriented and non-safety-oriented units. This parameter has to be distributed to the F component during startup. It corresponds to the command byte in the Prm-telegram.

4.4.2 F_Source/Destination_Address ( Codename, Password )

The addresses of the F components of a safety control loop (F input, F-CPU and F output) shall be unambiguous. Locally, each F device has the configured source-destination relationship of the safe communication link with its partner. It is retentively stored in the F devices, is a part of the F parameter set, and, consequently, is cyclically checked by the F profile. The F_S/D_Address parameters are logic address designations that can freely but unambiguously be assigned and are allocated to the Profibus addresses during the configuration (see chap. 4.3.7). The addresses 0 and 0FFFFh are excluded. The parameter consists of two parts: F module/slave and F host, each Unsigned 16.

4.4.3 F_WD_Time ( F Watchdog Time )

Locally, each F device maintains a configured F watchdog time for each source-destination relationship. The device starts this timer whenever it sends a safe message frame. The F watchdog time consists of at least four times the slowest DP cycle time (that results from the worst-case calculations of the entire configuration) plus two times the slower scan rate of the combination of the related sender and recipient. The configured value overwrites the default value within the GSD. It is encoded as follows: Unsigned 16; time base 1 ms. Remark: a manufacturer of an F device assigns the device operation time (scan rate) to the default value of the parameter F_WD_Time. An engineering tool will then be able to propose the necessary F watch dog times and to calculate the overall reaction times.

4.4.4 F_Prm_Flag ( Parameters for the Profile Management )

The chapters 4.4.5 up to 4.4.8 describe the details of the F_Prm_Flag parameter word. It has the following structure:

Bit(s)     Meaning
0          F_Check_SeqNr
1          F_Check_iPar
2, 3       F_SIL
4, 5       F_CRC_Length
6 ... 13   reserved
14, 15     Version No. of F parameter set

4.4.5 F_Check_SeqNr ( Consecutive Number in the CRC2 )

This parameter defines whether or not the consecutive number shall be included in the CRC2 key. The parameter is distributed to the F component during startup. It is encoded as follows: bit 0 of the parameter word "F_Prm_Flag":

0 = No check
1 = check

4.4.6 F_Check_iPar ( CRC1 including i-Parameters )

This parameter defines whether or not the CRC3 of individual device parameters shall be included in the cyclic CRC2 key (see chap. 4.4.9). If "check" is selected, CRC1 is generated across the F-parameters first and then across the i-parameters including their CRC3. The parameter is distributed to the F component during startup.


It is encoded as follows: bit 1 of the parameter word "F_Prm_Flag":

0 = No check
1 = check

4.4.7 F_SIL (SIL Stage)

The F profile permits parallel operation of standard communication and safety-relevant communication. In the safety-relevant case, risk-related safety circuits with different SIL (Safety-Integrity-Level) stages are distinguished. The F devices are able to use this locally available information for checking the agreement between the SIL stage and the partner. If the configured SIL stage is higher than the one in the connected F unit, the "device failure" status bit is set and a safe state reaction is triggered. There are four different stages: 1, 2, 3, 4. It is encoded as follows: Bits 2 and 3 of the parameter word "F_Prm_Flag":

Bit 3  Bit 2
0      0      = SIL1
0      1      = SIL2
1      0      = SIL3
1      1      = SIL4

4.4.8 F_CRC_Length (Length of the CRC2 Key)

Depending on the length of the F process data (12 or 122 bytes) and the SIL stage, a CRC of 2 or 4 bytes is required. This parameter transfers the expected length of the CRC2 key in the F message frame to the F component. The parameter depends on the slave/module and is distributed to the F components during startup. It is encoded as follows: Bits 4 and 5 of the parameter word "F_Prm_Flag":

Bit 5  Bit 4
0      0      = reserved
0      1      = 2 Byte CRC
1      0      = 4 Byte CRC
1      1      = reserved

4.4.9 F_Par_CRC ( CRC1 across F-Parameters )

This CRC1 key is generated by the engineering tool across the F-parameters. The initial value for CRC1 is 0. The same 16 Bit CRC polynomial is used (14EABh). CRC1 is the initial value for the cyclic CRC2 computation. In case of the 32 Bit CRC polynomial (1F4ACFB13h) the initial value for CRC2 calculations is "0000xxxx", where xxxx=CRC1. It is encoded as: Unsigned 16.


4.4.10 Structure of the F Parameter Block (Prm telegram)

Block within Standard Prm Telegram   Value / Type
Block-Length                          14 - 234
Command = 0x05                        F_Parameter/F-Device
Slot                                  0 or slot of the F module
Specifier                             0
F_Source_Add                          Unsigned 16
F_Dest_Add                            Unsigned 16
F_WD_Time                             Unsigned 16
F_Prm_Flag                            Unsigned 16
F_Par_CRC (=CRC1)                     Unsigned 16

(Brace labels in the figure: F_Prm-Block for the whole block, F_Parameter for the five Unsigned 16 fields, followed by End_F_Prm-Block.)

Figure 4-23 F_Prm telegram

The figure shows the structure of the F parameter block within a standard Profibus Prm-Telegram. The byte ordering is according to standard Profibus. The following applies to modular slaves: For each F module, an F_Prm_Block is inserted in the Prm-Telegram. The allocation to the module can be established on the basis of the slot number.
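An added example (not the profile's or any vendor's code) that ties chapters 4.4.2 to 4.4.10 together: it encodes and decodes the F_Prm_Flag word, computes CRC1 with the 16 Bit polynomial 14EABh, and builds and validates the F_Prm block of Figure 4-23. Big-endian field order, a plain non-reflected bitwise CRC, a block length of 14 bytes and CRC1 covering the four Unsigned 16 F parameters are assumptions of this example; the profile text fixes only the polynomial and the initial value.

```python
"""F parameter block (F_Prm block) encode / decode for ProfiSafe V1.0.

Added example, not profile code. Covers the F_S/D_Address checks (4.4.2),
the F_Prm_Flag bit fields (4.4.4 to 4.4.8), CRC1 with the 16 Bit
polynomial 14EABh (4.4.9) and the block layout of Figure 4-23.
Assumed: big-endian fields, a plain non-reflected bitwise CRC, a block
length of 14 bytes and CRC1 covering the four Unsigned 16 F parameters.
"""
import struct
from typing import Dict

CRC16_POLY = 0x4EAB             # generator 14EABh without its implicit x^16 term
PRM_COMMAND_F_PARAMETER = 0x05  # "Command = 0x05" in Figure 4-23
F_PRM_BLOCK_LENGTH = 14         # 4 header bytes + 5 x Unsigned 16


def crc16_profisafe(data: bytes, init: int = 0) -> int:
    """Bitwise CRC-16 over data with generator 14EABh; CRC1 starts at 0."""
    crc = init & 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC16_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def encode_prm_flag(check_seqnr: bool, check_ipar: bool, sil: int,
                    crc_bytes: int, version: int = 0) -> int:
    """Pack the F_Prm_Flag word from its fields (chapter 4.4.4)."""
    if sil not in (1, 2, 3, 4) or crc_bytes not in (2, 4):
        raise ValueError("F_SIL must be 1..4, F_CRC_Length 2 or 4 bytes")
    return (int(check_seqnr)                 # bit 0: F_Check_SeqNr
            | int(check_ipar) << 1           # bit 1: F_Check_iPar
            | (sil - 1) << 2                 # bits 2,3: 00=SIL1 .. 11=SIL4
            | {2: 1, 4: 2}[crc_bytes] << 4   # bits 4,5: 01=2 Byte, 10=4 Byte CRC
            | (version & 0x3) << 14)         # bits 14,15: version of F parameter set


def decode_prm_flag(flag: int) -> Dict[str, object]:
    """Unpack the F_Prm_Flag word; reserved CRC codes decode to None."""
    crc_code = (flag >> 4) & 0x3
    return {
        "F_Check_SeqNr": bool(flag & 0x1),
        "F_Check_iPar": bool((flag >> 1) & 0x1),
        "F_SIL": ((flag >> 2) & 0x3) + 1,
        "F_CRC_Length": {1: 2, 2: 4}.get(crc_code),   # 00 and 11 are reserved
        "reserved": (flag >> 6) & 0xFF,
        "version": (flag >> 14) & 0x3,
    }


def build_f_prm_block(slot: int, src: int, dst: int, wd_time_ms: int,
                      prm_flag: int) -> bytes:
    """Assemble the block of Figure 4-23 with CRC1 appended as F_Par_CRC."""
    for addr in (src, dst):
        if addr in (0, 0xFFFF):
            raise ValueError("F addresses 0 and 0FFFFh are excluded")
    params = struct.pack(">HHHH", src, dst, wd_time_ms, prm_flag)
    header = bytes([F_PRM_BLOCK_LENGTH, PRM_COMMAND_F_PARAMETER, slot, 0])
    return header + params + struct.pack(">H", crc16_profisafe(params))


def parse_f_prm_block(block: bytes) -> Dict[str, object]:
    """Validate and decode a received F_Prm block; ValueError on any defect."""
    if len(block) != F_PRM_BLOCK_LENGTH or block[0] != F_PRM_BLOCK_LENGTH:
        raise ValueError("bad F_Prm block length")
    if block[1] != PRM_COMMAND_F_PARAMETER or block[3] != 0:
        raise ValueError("not an F_Parameter block (command / specifier)")
    src, dst, wd_time_ms, flag, crc1 = struct.unpack(">HHHHH", block[4:14])
    if src in (0, 0xFFFF) or dst in (0, 0xFFFF):
        raise ValueError("F addresses 0 and 0FFFFh are excluded")
    if crc16_profisafe(block[4:12]) != crc1:
        raise ValueError("F_Par_CRC (CRC1) mismatch")
    return {"slot": block[2], "F_Source_Add": src, "F_Dest_Add": dst,
            "F_WD_Time": wd_time_ms, "F_Prm_Flag": decode_prm_flag(flag),
            "F_Par_CRC": crc1}
```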

4.4.11 F Data Fraction

Standard process data can be appended to an F message frame. For compact F slaves, this is achieved by allocating a separate module identification. F modules in modular slaves are not able to support this mechanism.

4.4.12 i-Parameter (individual F-Device Parameters)

F peripherals are increasingly provided with smart functions that require extensive parameter values to be assigned. In particular in the event of a device replacement it is expedient to load these parameters directly via the bus on the standard path. These parameter records usually exceed the range of the GSD data (a laser scanner with approximately 1 kB per protection zone leads to an overall quantity of up to 90 kB) and so the ProfiSafe directives provide additional mechanisms.

The following figure shows a proposal for the protection of large amounts of individual F device parameters. The F source/destination relationship (codename) allows checking of delivery to the configured recipient and the CRC keys allow checking of the i-parameter integrity using the same CRC polynomial as with the F-parameters (14EABh). A special procedure shall be used for ensuring the data integrity between the i-parameters within the destination and within the source. See section "CRC Signature".

The requirements for more flexibility in today's manufacturing areas can be solved by recipe programs via program controlled dynamic i-parameter assignments. Thus several different sets of e.g. coordinates for detection zones of laser scanners ("blanking") can be assigned one after the other (Fig. 4-25). The identification number of the actual i-parameter set shall be communicated cyclically within the F process data.

The F host system should provide mechanisms ("read data set") to acquire e.g. detection zone coordinates via teach-in into the F host itself or into an engineering tool.


Figure 4-24 Safety of individual device parameters
(figure: a block of i-parameter data sets n, n+1 ... n+m, max. 8 data sets à 244 bytes, with PA max. 40 bytes recommended; a header with source/destination address, number of data sets and ident no. of the i-parameter (e.g. detection zone); a 2-byte CRC across each data set and a 2-byte total CRC = CRC3)

Figure 4-25 Dynamic i-parameter sets
(figure: engineering tool with GSD 1..n -> DP master -> F host/PLC; F parameters (SIL, WD_time, etc.) and i-parameters (individual device parameters) are passed as Prm + DPV1, C1 (data sets); the F user program (IEC 1131-3) selects detection zone 1 (DBx) or detection zone 2 (DBy) via the system API "Write_Data"; acquisition of i-parameters via teach-in is possible)

4.5 F-Parametrization

ProfiSafe provides scaled methods for the i-parameter supply of F devices because of the different handling of field devices within the manufacturing and the process industries.

4.5.1 F-Parametrization Tools

The discussion of use cases yielded the following F system requirements and the resulting subsets for integrated or separate F parameter assignment tools:


1. Swift unit replacement and automatic reparametrization are mandatory in manufacturing industries. Not all customers will accept memory cards that contain the parameters. They request adequate programming facilities at the parametrization tool, or the customer shall put the equipment on the desk for parameter value assignment.

2. Individual parametrization software for each manufacturer or unit cannot be accepted. Parameter value profiles and/or templates shall be defined for each device class, and be certified by the PNO. For more complex and special parameters, the general-purpose parametrization tool shall provide a "plug-in" interface for the device manufacturers that permits the specific (e.g. graphical) acquisition of the device parameters. However, these parameters shall be supplied to the general-purpose parametrization tool in a standardized form (GSD, DDL, XML?). See Figure 4-26.

3. An F parametrization tool shall be able to calculate worst case reaction times of safety control loops.

4. A general-purpose parametrization tool on the Profibus shall be able to load parameters across network hierarchies into a host (manufacturing industries) and/or into field devices (process industries). This requires a separate user interface to exist. A "service interface" shall be provided for tooling machine or plant manufacturers for their own visualization software invoking basic Profibus/ProfiSafe service functions.

5. All parameters shall be available from a common archive. It shall be possible to lock accidental incorrect loading of parameters by service personnel.

6. Four different roles can be seen and the corresponding access locking (e.g. by passwords) is required:
   – Operator
   – Service (unit replacement)
   – Authorized customer (program modifications)
   – Device manufacturer (device data that is only accessible to the manufacturer provides information about unauthorized utilization and unjustified claims of recourse)

7. A change log shall record each and every change in program and parameter value assignment.

Remark: It is mandatory to take the appropriate measures against all kinds of faults during acquisition, manipulation and transport of the F- and i-parameters. It is not the task of the ProfiSafe directives to provide a complete list of measures and their assessment. Please see appendix 6.1 for further hints.

Figure 4-26 Standard device parameter in Profibus
(figure: device parameter descriptions GSD, DDL and XML (Internet) are read by an interpreter from PNO; COM-SS/ActiveX interfaces; DTM (Device Type Manager) with type instances/proxies inside the Field Device Tool)

4.5.2 GSD Structure

Essentially there is only one additional keyword "F_Device_Supp" necessary within a GSD structure. This keyword needs to be inserted twice in the GSD file of a compact or modular F slave:

- first as a general keyword to distinguish a safety related slave from a standard slave,
- additionally in each F module.


With the help of this keyword a special F configuration module (F control) inside the engineering tool may be launched.

ProfiSafe recommends the usage of the keyword "Prm_Structure_Supp" in order to indicate that the F slave is expecting a block structure within an F-Prm-Telegram (details to be published by other working groups). The structure of a typical GSD file for an F device can be seen in appendix 6.3. There is a special agreement for the F parameter "F_WD_Time". Since this parameter is contained in the Prm-block of an F module and is described by a default value and a range, this default value is defined as the operation time of the F slave. The F configuration tool can use the value as the basis for the calculation of the F watchdog time and overall reaction time. The manufacturer of an F device is usually the provider of the default value via the corresponding GSD file.

Excerpt from the GSD file of an F device:

    ; User_Prm_Data-Definition 8
    ExtUserPrmData=8 "F_WD_Time"    ; reference number 8
    Unsigned16 3 0-65535            ; time base=1ms; default (operation time)=3ms; max=65.5s
    EndExtUserPrmData

End of excerpt from GSD file.
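As an added example (not code from the profile or the PNO), the following Python reads an ExtUserPrmData block of the form shown in the excerpt above and derives the operation time of the F slave from the F_WD_Time default. It rejects a damaged fragment (default outside its own range, missing EndExtUserPrmData) instead of silently returning a wrong operation time. The parser and function names are mine; the 1 ms time base is the one stated in the excerpt's comment.

```python
import re

# GSD excerpt for an F device as printed in section 4.5.2 (the only real input here).
GSD_EXCERPT = """\
; User_Prm_Data-Definition 8
ExtUserPrmData=8 "F_WD_Time"    ; reference number 8
Unsigned16 3 0-65535            ; time base=1ms; default (operation time)=3ms; max=65.5s
EndExtUserPrmData
"""

F_WD_TIME_BASE_MS = 1   # time base of F_WD_Time stated in the excerpt: 1 ms per unit

HEAD = re.compile(r'^ExtUserPrmData\s*=\s*(\d+)\s+"([^"]+)"$')
BODY = re.compile(r'^(\w+)\s+(-?\d+)\s+(-?\d+)-(-?\d+)$')   # type default min-max


def parse_ext_user_prm_data(text):
    """Parse every ExtUserPrmData ... EndExtUserPrmData block of a GSD fragment.

    Returns {name: {"ref": int, "type": str, "default": int, "min": int, "max": int}}.
    Comments start with ';' and are stripped.  A default outside its own range or a
    block without the closing keyword raises ValueError, so a damaged GSD file is
    rejected rather than yielding a wrong operation time.
    """
    lines = [ln.split(";", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]          # drop blank and comment-only lines
    result, i = {}, 0
    while i < len(lines):
        head = HEAD.match(lines[i])
        if head is None:
            i += 1
            continue
        ref, name = int(head.group(1)), head.group(2)
        body = BODY.match(lines[i + 1]) if i + 1 < len(lines) else None
        if body is None:
            raise ValueError(f"ExtUserPrmData {ref} ({name}): missing type/default/range line")
        typ, default = body.group(1), int(body.group(2))
        lo, hi = int(body.group(3)), int(body.group(4))
        if not lo <= default <= hi:
            raise ValueError(f"{name}: default {default} outside range {lo}-{hi}")
        if i + 2 >= len(lines) or lines[i + 2] != "EndExtUserPrmData":
            raise ValueError(f"{name}: missing EndExtUserPrmData")
        result[name] = {"ref": ref, "type": typ, "default": default, "min": lo, "max": hi}
        i += 3
    return result


def operation_time_ms(gsd_text):
    """Operation time of the F slave = default value of F_WD_Time times the time base."""
    prm = parse_ext_user_prm_data(gsd_text)
    if "F_WD_Time" not in prm:
        raise ValueError("GSD fragment carries no F_WD_Time definition")
    return prm["F_WD_Time"]["default"] * F_WD_TIME_BASE_MS


if __name__ == "__main__":
    print(parse_ext_user_prm_data(GSD_EXCERPT))
    print("operation time:", operation_time_ms(GSD_EXCERPT), "ms")
```

A configuration tool would feed the returned operation time into its watchdog and reaction time calculation; the range check matters because a GSD file is plain text that can be edited by hand.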

4.5.3 F-Parameter Assignment Paths

Figure 4-27 F-parameter assignment for simple F slaves
(figure: the engineering tool with GSD 1..n completes the F parameter, e.g. F_WD_Time; the DP master sends the F parameter (SIL, WD_time, etc.) in the Prm telegram to the F slave; domains: Profibus standard (GSD, DP master), host manufacturer (F host with F parameters, F driver and F address), Profibus standard (F address at the slave))

Simple slaves can be supplied via the standard Prm-Telegram path described in the following chapters. The total amount of F parameters hereby cannot exceed the upper limit of 234 bytes.


Figure 4-28 F-parameter assignment for complex F slaves
(figure: engineering tool with GSD 1..n, and a universal parameter assignment tool with service interface for visualization software (GSD.., DDL; App1, App2, .. App n; plug-in software, e.g. graphical acquisition of coordinates; change log) attached e.g. via RS232; DP master and F host/PLC holding F parameters (SIL, WD_time, etc.), i-parameters (individual device parameters) and Prm; paths to the slave: Prm + DPV1, C1 (data sets) from the class 1 master, DPV1, C2 (data sets) from the class 2 tool)

For complex devices a decision shall be made whether an automatic startup assignment is requested or a separate assignment from a parametrization tool. In each case the F host shall deblock the assignment (see chap. 4.5.4), which is only permitted if there is no hazardous process state.

Basically, two ways are possible:

• Startup parameter value assignment from a class 1 (cyclic or acyclic) Profibus master
• Startup parameter value assignment by a class 2 master (acyclic, through e.g. PG/ES or PC)

4.6 F-Startup Coordination

The F-startup that is embedded into the Profibus standard startup is described here.


4.6.1 Standard Startup (F Slave State Machine)

Figure 4-29 Startup coordination with F parameters (state machine of the F slave incl. DP slave):

- Power_On -> Wait_Prm (entry: Set_Slave_Add; on telegram: Slave_Diag, Get_Cfg). Mandatory telegram: Slave_Diag.
- Wait_Prm -> Wait_Cfg on Set_Prm, i.e. the Prm-Telegram incl. F-Parameter (entry: Set_Parameter; on telegram: Slave_Diag, Get_Cfg). Set_Prm --> not ok: back to Wait_Prm.
- Wait_Cfg -> Data_Exch on Chk_Cfg (entry: Chk_Cfg; on telegram: Write_Data, Read_Data, Slave_Diag, Get_Cfg, Command, Global_Cntrl). Chk_Cfg --> not ok: back to Wait_Prm.
- Sequence: 1. Config.-Telegram defines the In-/Output bytes; 2. Diagnostic request (here the F slave may request new parameter assignment); 3. Cyclic operation; i-parameter assignment via Write_Data / Read_Data.
- F-Slave state 20: ready (see fig 4-15 and 4-17).

After Power-On an F slave switches into the state "Wait_Prm" where it is possible to assign an address by software. The transition into the state "Wait_Cfg" is initiated by a Prm-Telegram "Set Parameter" that in our case also contains the F parameter. By means of a "Chk_Cfg" telegram the F DP slave receives the information how to configure the inputs and outputs, and with successful assignment it transits to state "Data_Exch" and waits for cyclic data exchange with its DP master. Within each of the states status requests are permitted at any time ("on Telegram" = per telegram request "Slave_Diag") [10].

4.6.2 Parameter Assignment Deblocking

Due to a diagnosis message of the F slave that needs additional i-parameters, or per external request, the F host sets bit 0 ("parameter assignment deblocked") within the control byte of its next message. The F slave then receives the i-parameters data set by data set via Write-Data commands and acknowledges at the end by setting bit 0 ("F slave has new i-parameter values assigned") within the status byte of its next message.

Remark: Deblocking is only permitted if there is no hazardous process state.

Figure 4-30 Parameter assignment deblocking by the F host
(figure: F-CPU/Host and F module exchange: request, assignment deblocked, assignment, acknowledged, assigned and initialized, synchronized; cyclic safe operation)
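An added example, not part of the profile: a Python model of the F slave startup state machine of Figure 4-29 together with the deblocking handshake of section 4.6.2, run through the message sequence of Figure 4-31 on constructed data sets. The point it demonstrates is the gate: Write_Data of i-parameters is refused outside Data_Exch and while the host has not set the deblocking bit, and the slave only raises its status bit once every expected data set has arrived. Class, method and variable names are mine; the bit positions follow the text (control byte bit 0, status byte bit 0).

```python
class FSlave:
    """Model of the F slave state machine (Figure 4-29) and the i-parameter
    deblocking handshake (section 4.6.2).  Added example, not profile code."""

    DEBLOCK_BIT = 0x01     # control byte bit 0: "parameter assignment deblocked"
    ASSIGNED_BIT = 0x01    # status byte bit 0: "F slave has new i-parameter values assigned"

    def __init__(self, expected_data_sets):
        self.state = "Power_On"
        self.expected = expected_data_sets   # i-parameter data sets the device needs
        self.data_sets = {}
        self.status_byte = 0
        self.deblocked = False
        self.log = []

    # --- standard DP startup -------------------------------------------------
    def power_on(self):
        self.state = "Wait_Prm"              # the address may be set by software here

    def set_prm(self, prm_ok):
        """Prm telegram incl. F parameter; only accepted in Wait_Prm."""
        if self.state != "Wait_Prm" or not prm_ok:
            self.state = "Wait_Prm"          # Set_Prm --> not ok
            return False
        self.state = "Wait_Cfg"
        return True

    def chk_cfg(self, cfg_ok):
        """Config telegram defining the in-/output bytes; only accepted in Wait_Cfg."""
        if self.state != "Wait_Cfg" or not cfg_ok:
            self.state = "Wait_Prm"          # Chk_Cfg --> not ok: new Prm needed
            return False
        self.state = "Data_Exch"
        return True

    def slave_diag(self):
        """Diagnostic request, permitted in every state; in Data_Exch the slave
        reports whether it still lacks i-parameters."""
        missing = self.state == "Data_Exch" and len(self.data_sets) < self.expected
        return {"state": self.state, "i_parameter_missing": missing}

    # --- i-parameter assignment ---------------------------------------------
    def control_byte(self, value):
        """Control byte of the next host message; bit 0 deblocks the assignment."""
        self.deblocked = bool(value & self.DEBLOCK_BIT)

    def write_data(self, index, payload):
        """Write_Data carrying one data set.  Refused outside Data_Exch and while
        the host has not deblocked the assignment (no hazardous process state)."""
        if self.state != "Data_Exch" or not self.deblocked:
            self.log.append(f"refused data set {index} in {self.state}")
            return False
        self.data_sets[index] = bytes(payload)
        if len(self.data_sets) == self.expected:
            self.status_byte |= self.ASSIGNED_BIT   # acknowledge in the status byte
        return True

    def read_data(self, index):
        """Read_Data: read a stored data set back (teach-in / verification)."""
        if self.state != "Data_Exch":
            return None
        return self.data_sets.get(index)


def run_static_assignment():
    """Sequence of Figure 4-31 for a slave needing two data sets (constructed data).
    Returns the observations a host would use to judge the handshake."""
    s = FSlave(expected_data_sets=2)
    s.power_on()
    s.set_prm(prm_ok=True)                    # 5: Prm-Telegram with F-parameter block
    s.chk_cfg(cfg_ok=True)                    # 6: Config-Telegram
    before = s.slave_diag()                   # 7: Slave_Diag: i-parameter missing
    early = s.write_data(0, b"\x01\x02")      # host has not deblocked yet -> refused
    s.control_byte(0x01)                      # 8: assignment deblocked (control byte)
    s.write_data(0, b"\x01\x02")              # 10: write data set n
    s.write_data(1, b"\x03\x04")              # additional data sets up to n+m
    s.control_byte(0x00)                      # assignment locking via control byte
    late = s.write_data(2, b"\x05")           # locked again -> refused
    after = s.slave_diag()
    return {"early_refused": not early, "late_refused": not late,
            "missing_before": before["i_parameter_missing"],
            "missing_after": after["i_parameter_missing"],
            "status_byte": s.status_byte, "read_back": s.read_data(1)}


if __name__ == "__main__":
    print(run_static_assignment())
```

The model deliberately keeps the deblocking decision on the host side: the slave never deblocks itself, so a Write_Data that arrives without the preceding control byte is logged and dropped.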


4.6.3 Interaction Diagrams for Parameter Assignments

Participants: Engineering Tool (S1), F-Host (S2), DP-Master (S3), F-Slave incl. DP-Slave (S4).

1. Engineering tool: parameters in GSD file; F-parameter; i-parameter as data sets with CRC3; "global" CRC1
2. DP-Master supply: Prm-data with CRC1; Config-Data (addresses adjusted: F + standard)
3. Memory management
4. F-Host supply: F driver data; i-parameter
5. Prm-Telegram with F-parameter block incl. CRC1
6. Config-Telegram
7. Slave_Diag: i-parameter missing
8. i-parameter assignment deblocked (control byte)
9. F acknowledgement with CRC2
10. i-parameter: write data set n
11. i-parameter: read data set n (opt.); additional data sets up to n+m
12. i-parameter acknowledgement (status byte); i-parameter assignment, i-parameter stored in F host; assignment locking via control byte
13. F message with CRC2
14. F acknowledgement with CRC2; cyclic operation

Figure 4-31 Assigning "static" i-parameter from F host


Participants: Engineering Tool (S1), F-Host (S2), DP-Master (S3), F-Slave incl. DP-Slave (S4).

1. Engineering tool: parameters in GSD file; F-parameter with CRC1
2. DP-Master supply: Prm data with CRC1; Config data (addresses adjusted: F + standard)
3. Memory management
4. F-Host supply: F driver data
5. Prm-Telegram with F-parameter block with CRC1 (startup Profibus-DP)
6. Config-Telegram
7. i-parameter: write data set n (initial parameter assignment: i-parameter with CRC3; teach-in via read back)
8. i-parameter: read data set n; additional data sets up to n+m
9. F message with CRC2 (cyclic operation)
10. F acknowledgement with CRC2
11. i-parameter external request
12. i-parameter assignment deblocked (control byte)
13. F acknowledgement with CRC2
14. i-parameter: write data set n (new i-parameter assignment: i-parameter with CRC3); additional data sets up to n+m
15. i-parameter: read data set n
16. i-parameter acknowledgement (status byte); assignment locking via control byte
17. F message with CRC2
18. F acknowledgement with CRC2; cyclic operation

Figure 4-32 Assigning "dynamic" i-parameter from operator level

4.7 Safe Alarm Generation

Due to swift polling in the user program, the speed of determining modifications of the F process data and the CRC is satisfactory. There is no safety-related utilization of the alarm of the Profibus protocol.


4.8 Diagnosis

The safe diagnosis of F slave and communication failures is possible via the status byte. The F host provides means to count the number of reported erroneous communication messages during configurable time periods. If configurable upper limits are exceeded, the safe control loop switches to a safe state. The F host supports monitoring of the number of reported erroneous communication messages.

Every standard diagnostic option of standard Profibus is possible.

4.9 F Module Commissioning / Repair Behavior

F modules can be replaced while the system is running. Restart of the corresponding safety control loop is only permitted if there is no hazardous process state.

4.10 Reaction Times

The time between the "electrical" recognition of an emergency request and the "electrical" initiation of the safety reaction is relevant in safety technique. This response time consists of several individual time values including the bus transfer times.

Figure 4-33 Reaction times
(figure: signal path Input Module -> DP-Slave (1 ms) -> DP-Master (2 ms) -> F-CPU (5 ms) -> DP-Master (2 ms) -> DP-Slave (1 ms) -> Output Module; (1 ms + 2 ms + 5 ms + 2 ms + 1 ms) x 2 = 22 ms)

Constraints:
- e.g. station failure / station recovery / acyclic services
- 1 operator panel / 1 programmer / 1 repetition
- 10 slaves à 18 byte input + 18 byte output (2 may fail)
- 12 Mbaud
- 720 input + 720 output
- 240 F-input + 240 F-output

Reaction time =
+ input delay of the F input slave (operation time)
+ watchdog time "F communication": F input ↔ F-CPU
+ scan rate or execution time in the F-CPU
+ watchdog time "F communication": F-CPU ↔ F input
+ output delay of the F output slave (operation time)

Compared with the standard, the safety profile requires additional execution time (F driver). The fact that a standard slave can extend the DP cycle time in the event of a failure shall also be taken into account.

DESINA requirement: 5 ms "single" bus transfer time is achieved.


4.11 Probabilistic Considerations

4.11.1 Calculations

Figure 4-34 Residual error rates
(figure: residual error rate over bit error rate, calculated for input bytes of the slave = 10, output bytes of the slave = 10, cycle time = 2 ms; legend: assumed max. bit error rate of Profibus = $10^{-4}$, from IEC 870-5-1)

To EN50159-1 and IEC61508, the following applies to SIL3:

$R_{DP} = R_{HW} + R_{EMI} + R_{TC} < 10^{-9}/h$

The three terms are calculated as follows:

$R_{HW}(\text{hardware failure}) = (\lambda_{HWF} \cdot x_1 + \lambda_{HWS} \cdot x_2) \cdot P_{US}$

$\lambda_{HWF}$ = failure probability of the HW of the 2 currently communicating F devices

$\lambda_{HWS}$ = failure probability of the HW of the max. 120 currently not communicating devices

$x_1$ = fraction (0...1) of the hazardous faults in the involved components

$x_2$ = fraction (0...1) of the hazardous faults by the components that are not involved

$P_{US}$ = max. residual error probability for 16/32-bit CRC, at a bit error rate of 0 ... 0.5

See chapter 4.11.2 "Operational Reliability of the Standard Profibus Components".

$R_{EMI}(\text{EMI impact}) = f_W \cdot P_{UB} \cdot P_{US}$

$f_W$ = frequency of corrupted messages on the transmission system

$P_{UB}$ = residual error probability for Profibus-DP at a bit error rate of $10^{-4}$ (EN60870-5-1)

$P_{US}$ = max. residual error probability for 16/32-bit CRC, at a bit error rate of 0 ... 0.5


To EN50159-1 this term is valid if safety code (ProfiSafeCode) and transmission code (BusCode) are independent. The probabilities of both data integrity check mechanisms, parity and frame checking sequence from standard Profibus (HD=4) and CRC from ProfiSafe, can be treated as independent since computer simulations did not show any significant "filter gaps".

Furthermore, according to EN50159-1 the "properness" of the used CRC polynomials has to be proven. This requires calculation of the residual error rate ($P_{ue}$) as a function of the bit error rate ($\epsilon$) for a given polynomial, here for the 16 bit version (14EABh) as well as for the 32 bit version (1F4ACFB13h). A polynomial will be assessed "proper" if there is no significant "humpback" curve with increasing bit error rate, i.e. if it rises monotonously.

The following figures show the diagrams for the 16 bit polynomial:

Properness for 4 bytes of data: plot of $P_{ue}$ over $\epsilon$ ($10^{-5}$ ... 0.1) for g = 14EABh, n = 32; $P_{ue}$ axis $10^{-29}$ ... $10^{-9}$ (plot not reproduced).

Properness for 8 bytes of data: plot of $P_{ue}$ over $\epsilon$ ($10^{-5}$ ... 0.1) for g = 14EABh, n = 64; $P_{ue}$ axis $10^{-27}$ ... $10^{-7}$ (plot not reproduced).


Properness for 12 bytes of data: plot of $P_{ue}$ over $\epsilon$ ($10^{-5}$ ... 0.1) for g = 14EABh, n = 96; $P_{ue}$ axis $10^{-26}$ ... $10^{-6}$ (plot not reproduced).

Properness for 16 bytes of data: plot of $P_{ue}$ over $\epsilon$ ($10^{-5}$ ... 0.1) for g = 14EABh, n = 128; $P_{ue}$ axis $10^{-25}$ ... $10^{-5}$ (plot not reproduced).

In contrast, a polynomial (199999331h) with worse properness: plot of $P_{ue}$ over $\epsilon$ (0.0005 ... 0.1) for g = 199999331h, n = 1056; $P_{ue}$ axis $10^{-12}$ ... $10^{-9}$ (plot not reproduced).


The following figures show the diagrams for the 32 bit polynomial:

Properness for 52 bytes of data: plot of $P_{ue}$ over $\epsilon$ ($10^{-5}$ ... 0.1) for g = 1F4ACFB13h, n = 416; $P_{ue}$ axis $10^{-27}$ ... $10^{-12}$ (plot not reproduced).

Properness for 132 bytes of data: plot of $P_{ue}$ over $\epsilon$ ($10^{-5}$ ... 0.1) for g = 1F4ACFB13h, n = 1056; $P_{ue}$ axis $10^{-24}$ ... $10^{-12}$ (plot not reproduced).

The third term covers the possible failures of the safety mechanisms (parity and frame checking sequence) within the Profibus-ASIC.

$R_{TC}(\text{transmission code failure}) = k_2 \cdot P_{US}(typ) \cdot (1/T)$

$k_2$: only one out of 10,000 HW failures creates a fault of the Profibus safety mechanisms (parity and frame checking sequence) on the ASIC that passes unrecognized, i.e. $k_2 = 1 \cdot 10^{-4}$ will be used for the estimates.


$T$: monitored time period wherein a well-defined maximum number of corrupted messages on the transmission system shall not be exceeded without the system switching into a safe state.

The reflections about $T$ lead directly to Fig. 4-32. The combination of the bus failure causes provides a (fictive) frequency of corrupted messages on the Profibus transmission system. The standard safety mechanisms of the Profibus (1st filter) recognize every failure up to HD=4, thus only special bit patterns with HD>4 reach the ProfiSafe safety mechanisms. For the number of unrecognized corrupted messages the worst case value of $2^{-n}$ shall not be taken (n = 16 or 32), since the overall frequency of corrupted messages on the bus is continuously monitored.

Figure 4-35 Monitoring of corrupted messages
(figure: HW failures, EMI and other causes produce a frequency $f_w$ of corrupted messages; 1st filter, BusCode with $P_{UB}(typ)$, catches bit failures of HD ≥ 1 up to HD ≥ 4, only special bit patterns pass to the 2nd filter, ProfiSafeCode with $P_{US}$; in the "raw" channel, where the BusCode failed (fraction C, very little, versus 1-C), statistical bit patterns ($< 2^{-n}$) reach the ProfiSafeCode with $P_{US}(typ)$; recognized corrupted messages from every participant are counted within the F host over the time period $T$ h and lead to the safe state)

If the safety mechanisms within the standard Profibus ASIC are failing (very small probability), then corrupted messages with statistical bit patterns reach the ProfiSafe safety mechanisms. In this case the more favourable value $P_{US}(typ)$ can be used for the estimate:

$f_w \cdot \{P_{UB}(typ) \cdot P_{US} + P_{US}(typ)\} = 1/T \cdot \{P_{UB}(typ) \cdot P_{US} + P_{US}(typ)\} \le R_{EMI}$

The ProfiSafe profile allows simple monitoring of every corrupted message within the F host via the status byte within the acknowledgment of an F slave.
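An added example, not from the profile: the three terms of section 4.11.1 and the monitored form of the EMI term written out in Python with the document's symbols, so that the SIL3 budget can be checked for a given monitoring period T. All numeric inputs in the usage are constructed; the only values taken from the page are the SIL3 limit $10^{-9}$/h and $k_2 = 10^{-4}$, and $P_{US} = 2^{-16}$ is the residual error probability of a 16-bit CRC at bit error rate 0.5, the upper end of the range the page defines for $P_{US}$. Function names are mine.

```python
SIL3_LIMIT_PER_HOUR = 1e-9      # required: R_DP = R_HW + R_EMI + R_TC < 10^-9 / h
K2_PROFILE = 1e-4               # k2 used by the profile for the estimates


def r_hw(lambda_hwf, lambda_hws, x1, x2, p_us):
    """Hardware failure term: (lambda_HWF * x1 + lambda_HWS * x2) * P_US."""
    return (lambda_hwf * x1 + lambda_hws * x2) * p_us


def r_emi(f_w, p_ub, p_us):
    """EMI impact term: f_W * P_UB * P_US, with f_W in corrupted messages per hour."""
    return f_w * p_ub * p_us


def r_emi_monitored(t_hours, p_ub_typ, p_us, p_us_typ):
    """EMI term when the F host counts corrupted messages over the period T:
    f_w = 1/T, and the raw-channel case (BusCode failed) adds P_US(typ):
    (1/T) * {P_UB(typ) * P_US + P_US(typ)}."""
    return (1.0 / t_hours) * (p_ub_typ * p_us + p_us_typ)


def r_tc(k2, p_us_typ, t_hours):
    """Transmission code failure term in the ASIC: k2 * P_US(typ) * (1/T)."""
    return k2 * p_us_typ / t_hours


def residual_error_budget(t_hours, lambda_hwf, lambda_hws, x1, x2,
                          p_us, p_ub_typ, p_us_typ, k2=K2_PROFILE):
    """Evaluate R_HW, R_EMI (monitored form) and R_TC for a monitoring period
    T (hours) and report whether the SIL3 limit holds."""
    terms = {
        "R_HW": r_hw(lambda_hwf, lambda_hws, x1, x2, p_us),
        "R_EMI": r_emi_monitored(t_hours, p_ub_typ, p_us, p_us_typ),
        "R_TC": r_tc(k2, p_us_typ, t_hours),
    }
    total = sum(terms.values())
    return {**terms, "R_DP": total, "sil3_ok": total < SIL3_LIMIT_PER_HOUR}


if __name__ == "__main__":
    # Constructed inputs: lambda values per hour, fractions x1/x2, P_UB(typ) and
    # P_US(typ); P_US = 2^-16 is the 16-bit CRC value at bit error rate 0.5.
    for t in (1.0, 0.01):
        print(f"T = {t} h:", residual_error_budget(t, 1e-6, 1e-5, 0.5, 0.1,
                                                   2 ** -16, 1e-6, 1e-11))
```

Shortening the monitoring period T raises the allowed message frequency 1/T and with it $R_{EMI}$ and $R_{TC}$; the usage runs the same constructed inputs with T = 1 h and T = 0.01 h to show the budget holding in one case and failing in the other.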

4.11.2 Operational Reliability of the Standard Profibus Components

In thousands of field applications, the Profibus has proven its reliability. Thus, it is obvious to determine the practical base security of the Profibus to keep the effort required for the additional security layer as small as possible. Currently, this data is provided by return goods statistics that go down to component level. Components that are integrated into a "gray" channel are included (i.e. from the host down to the safety equipment in the slave). Information about the operational reliability can be found in Chapter 502.2 of DIN V VDE 0801 A1.

4.11.3 Practical Bit Error Rates of the Profibus

In order to support the stochastic considerations, the bit error rates of the Profibus as they are quoted in the literature shall be measured in practical examples. Besides cables and driver blocks, the data transmission procedure also plays a role. With Profibus-DP, this is RS485 and NRZ encoding; with Profibus-PA it is IEC1158-2 and Manchester-II encoding.


5 Using the PROFIBUS STANDARD

5.1 PROFIBUS Layers 1 and 2

The F profile is based on the Profibus services and specifications to EN 50170 Volume 2 that are required for Profibus-DP applications. The F profile does not require any additional layer 2 services.

5.2 PROFIBUS DP

PROFIBUS-DP to EN 50170 Volume 2 requires the base range (startup, cyclic transfer, and watchdog). Consistent transfer with a minimum of one F message frame byte shall be possible.

5.3 Definition of the "Gray" Channel

Here, the maximum topological structures as they are defined in the standard are used as the basis. For example, a maximum of three repeaters is currently permitted. Increasing this limit may be possible if more favorable failure rates of the F overall system result in the course of the profile definition.

Any baud rate is permitted.

5.4 Standard EMC Requirements of the Profibus

5.4.1 CE Mark

All electrical devices that are put on the market and can generally be purchased shall carry the CE mark. A prerequisite of the CE mark is the conformity with the ENs that shall be declared by the company who launches the electrical device. An additional prerequisite is the conformity with the corresponding product standards during the development phase. The EMC Directive affects all units, systems and plants that contain electrical or electronic components.

Applications:
- Industry: separation from the public low-voltage mains by a separate transformer.
- Residential areas, office, light industry: electrical energy is taken from the public low-voltage mains.
- Requirements: limitation of the noise radiation and definition of the noise immunity of conducted and irradiated interference.
- Responsible: manufacturer, importer, distributor.
- Mark: CE.

Standards:
- Industry: EN 50082-2 Basic specification noise immunity, March 1995
- Residential areas: EN 50082-1 Basic specification noise immunity, August 1997

5.4.2 Noise Emission

Not relevant with ProfiSafe.

5.4.3 Noise Immunity

Below, only the noise immunity characteristics for industrial applications are shown because they represent the most severe requirements. See Chapter 5.4.11 for a definition of the assessment criteria.

5.4.4 On Long Signal Cables >10m

Long bus cables, also laid together with process cables. Test according to IEC 61000-4-4, 1995 "Electrical fast transient/burst immunity test" (Burst)


Test according to IEC 61000-4-5 , 1995 "Surge immunity test"

5.4.5 Static Discharge

Test according to IEC 61000-4-2 , 1995 "Electrostatic discharge immunity test"

5.4.6 High-Frequency Irradiation

Test according to EN 61000-4-3, 1996 "Radiated Electromagnetic Field Requirements"
Test according to ENV 50204, 1995 "Radiated electromagnetic field from digital radio telephones immunity test"

5.4.7 HF-Induced Current on Cables and Cable Shields

Test according to ENV 50141, 1993 "Immunity to conducted disturbances induced by RF fields" (corresponds to IEC 61000-4-6) and to NAMUR draft May 1998

5.4.8 Power Supply

Test according to EN 61000-4-11, 1994

5.4.9 Voltage Dips

Reduction by / Duration / Assessment criterion:
- 30 % / 10 ms / B
- 60 % / 100 ms / C
Sudden voltage change at zero crossing.

5.4.10 Voltage Interruption

Reduction by / Duration / Assessment criterion:
- > 95 % / 5000 ms / C
Sudden voltage change at zero crossing.

5.4.11 Definition of the Malfunction

Reaction of the test object in its performance characteristic (function): interpretation of "B" in F areas: the specified reaction denotes a fault reaction to a safe state; the communication functions remain working correctly. Usually after manual deblocking and a safety delay time the system returns to normal operation. The latter is also possible automatically with special applications in process industries.

Assessment criterion for interference, function unit "safety equipment with ProfiSafe":
- Continuous interference (HF irradiation, HF-induced current, magnetic field): criterion A; no impairment
- Transient interference (Burst, ESD) on the bus: criterion B; fault reaction to a configured safe state
- Surge on power supply, not on the fieldbus: criterion B; fault reaction to a configured safe state
- Voltage interruption inside the permissible duration: criterion B; fault reaction to a configured safe state
- Voltage interruption outside the permissible duration: criterion C; fault reaction to a configured safe state; complete restart

5.5 Standard Installation Guidelines for Profibus

A necessary prerequisite for ProfiSafe communications is the observance of the Installation Guidelines for Profibus-DP/FMS, V1.0, September 1998, Order Nr. 2.112. During the design phase of an F slave the appropriate standards regarding excess voltage and electric shock protection shall be observed.


6 Appendix

6.1 Measures against Failures before CRC2 Calculations

Failures may occur during acquisition and processing of individual device parameters. These aspects are not within the scope of this profile description, but the main failure root causes and the appropriate remedial measures are mentioned.

Failure causes (table columns): parameter integrity; addressing failures; parametrization at the wrong point in time; wrong sequence of the i-parameters.

Remedial measures (table rows) with their coverage marks as extracted (X = covered, "partially" = partially covered; the column of each mark could not be recovered from the extracted text):
- Authorized access to the F device (slave or host): partially, X
- Address switches in field devices; unambiguous addresses: X
- Complete functional testing: X, X, X
- Teach-In; Self-Learning: X, X, X
- Read-Back of the i-parameters from the field device via diverse path: X, partially, X
- Read-Back of the i-parameters via a diverse path from F-host, that generates CRC2 across i-parameters also: X, partially, X
- Diverse processing of the i-parameters (acquisition and test): X, partially, X
- Failsafe configuration of the i-parameters or failsafe engineering tool: X, partially, X, X
- Version management of GSD type file and F device: X

For end-users a similar catalogue of failure / remedial measures shall be generated and processed.


6.2 CRC Calculation

This procedure detects 99.9985% of all errors that result from data modifications. It also discovers sequential errors, because the signature check takes the sequence of the words into account. For the 16-bit CRC code, the value 14EABh is used as the generator polynomial. The number of data bits may be odd or even. The value that is generated after the last byte corresponds to the transferred CRC code.

procedure crc16(x: Byte; var r: word);
{ CRC - Pascal, using division procedure;
  with every procedure call one Byte x will be operated;
  CRC value: r contains the 16 Bit of the CRC;
  the CRC value r(x) = CRC value of the F-parameters must be initialized before the first call of a CRC calculation;
  Generator polynomial = 4eab hex }
const
  g = $4eab;
var
  i: byte;
begin
  for i := 1 to 8 do
  begin
    if (r and $8000) = 0 then
    begin
      if (x and $80) = 0 then r := r shl 1 else r := (r shl 1) xor 1;
    end
    else
    begin
      if (x and $80) = 0 then r := (r shl 1) xor g else r := (r shl 1) xor g xor 1;
    end;
    x := x shl 1;
  end;
end;

Figure 6-1 Typical procedure of a cyclic redundancy check

Runtime-optimized variant

The runtime-optimized variant for the calculation of the CRC code requires slightly more memory space and is described below. The following figure shows the signature generation using a CRC table:

[Figure 6-2 shows the CRC table (16 bit, 256 elements) holding the 16-bit signature of each byte value: signature of 0 (= 0h), of 1 (= 04EABh), of 2 (= 09D56h), ..., of n, ..., of 253, of 254, of 255 (= 0C4B3h), and the four steps of one update: 1. n = (old signature H) XOR (act. Byte); 2. the table value (H, L) is read at index n; 3. new signature H = (table value H) XOR (old signature L); 4. new signature L = table value L.]

Figure 6-2 Using a CRC table for generating the signature

Explanation:


The values 0-255 that are encoded using the generator polynomial (here: 14EABh) are specified in the word-structured CRC table.

1. First, the current byte is EXORed with the high part of the signature register.
2. The result is used as an offset into the table. The signature is read from the table.
3. The high byte of the word from the table is EXORed with the low byte of the old signature. The result is the new high byte of the signature.
4. The low byte of the word from the table is the new low byte of the signature.

These operations are only performed once per byte.

The corresponding formula for the 16 Bit CRC calculation is:

r = crctab16[(r >> 8) ^ *q++] ^ (r << 8)

And its corresponding table:

00000 04EAB 09D56 0D3FD 07407 03AAC 0E951 0A7FA 0E80E 0A6A5 07558 03BF3 09C09 0D2A2 0015F 04FF4
09EB7 0D01C 003E1 04D4A 0EAB0 0A41B 077E6 0394D 076B9 03812 0EBEF 0A544 002BE 04C15 09FE8 0D143
073C5 03D6E 0EE93 0A038 007C2 04969 09A94 0D43F 09BCB 0D560 0069D 04836 0EFCC 0A167 0729A 03C31
0ED72 0A3D9 07024 03E8F 09975 0D7DE 00423 04A88 0057C 04BD7 0982A 0D681 0717B 03FD0 0EC2D 0A286
0E78A 0A921 07ADC 03477 0938D 0DD26 00EDB 04070 00F84 0412F 092D2 0DC79 07B83 03528 0E6D5 0A87E
0793D 03796 0E46B 0AAC0 00D3A 04391 0906C 0DEC7 09133 0DF98 00C65 042CE 0E534 0AB9F 07862 036C9
0944F 0DAE4 00919 047B2 0E048 0AEE3 07D1E 033B5 07C41 032EA 0E117 0AFBC 00846 046ED 09510 0DBBB
00AF8 04453 097AE 0D905 07EFF 03054 0E3A9 0AD02 0E2F6 0AC5D 07FA0 0310B 096F1 0D85A 00BA7 0450C
081BF 0CF14 01CE9 05242 0F5B8 0BB13 068EE 02645 069B1 0271A 0F4E7 0BA4C 01DB6 0531D 080E0 0CE4B
01F08 051A3 0825E 0CCF5 06B0F 025A4 0F659 0B8F2 0F706 0B9AD 06A50 024FB 08301 0CDAA 01E57 050FC
0F27A 0BCD1 06F2C 02187 0867D 0C8D6 01B2B 05580 01A74 054DF 08722 0C989 06E73 020D8 0F325 0BD8E
06CCD 02266 0F19B 0BF30 018CA 05661 0859C 0CB37 084C3 0CA68 01995 0573E 0F0C4 0BE6F 06D92 02339
06635 0289E 0FB63 0B5C8 01232 05C99 08F64 0C1CF 08E3B 0C090 0136D 05DC6 0FA3C 0B497 0676A 029C1
0F882 0B629 065D4 02B7F 08C85 0C22E 011D3 05F78 0108C 05E27 08DDA 0C371 0648B 02A20 0F9DD 0B776
015F0 05B5B 088A6 0C60D 061F7 02F5C 0FCA1 0B20A 0FDFE 0B355 060A8 02E03 089F9 0C752 014AF 05A04
08B47 0C5EC 01611 058BA 0FF40 0B1EB 06216 02CBD 06349 02DE2 0FE1F 0B0B4 0174E 059E5 08A18 0C4B3

The formula for the 32 Bit CRC calculation is:

r = crctab32[((r >> 24) ^ *q++) & 0xff] ^ (r << 8)

And its corresponding table:

00000000 F4ACFB13 1DF50D35 E959F626 3BEA1A6A CF46E179 261F175F D2B3EC4C
77D434D4 8378CFC7 6A2139E1 9E8DC2F2 4C3E2EBE B892D5AD 51CB238B A567D898
EFA869A8 1B0492BB F25D649D 06F19F8E D44273C2 20EE88D1 C9B77EF7 3D1B85E4
987C5D7C 6CD0A66F 85895049 7125AB5A A3964716 573ABC05 BE634A23 4ACFB130
2BFC2843 DF50D350 36092576 C2A5DE65 10163229 E4BAC93A 0DE33F1C F94FC40F
5C281C97 A884E784 41DD11A2 B571EAB1 67C206FD 936EFDEE 7A370BC8 8E9BF0DB
C45441EB 30F8BAF8 D9A14CDE 2D0DB7CD FFBE5B81 0B12A092 E24B56B4 16E7ADA7
B380753F 472C8E2C AE75780A 5AD98319 886A6F55 7CC69446 959F6260 61339973
57F85086 A354AB95 4A0D5DB3 BEA1A6A0 6C124AEC 98BEB1FF 71E747D9 854BBCCA
202C6452 D4809F41 3DD96967 C9759274 1BC67E38 EF6A852B 0633730D F29F881E
B850392E 4CFCC23D A5A5341B 5109CF08 83BA2344 7716D857 9E4F2E71 6AE3D562
CF840DFA 3B28F6E9 D27100CF 26DDFBDC F46E1790 00C2EC83 E99B1AA5 1D37E1B6
7C0478C5 88A883D6 61F175F0 955D8EE3 47EE62AF B34299BC 5A1B6F9A AEB79489
0BD04C11 FF7CB702 16254124 E289BA37 303A567B C496AD68 2DCF5B4E D963A05D
93AC116D 6700EA7E 8E591C58 7AF5E74B A8460B07 5CEAF014 B5B30632 411FFD21
E47825B9 10D4DEAA F98D288C 0D21D39F DF923FD3 2B3EC4C0 C26732E6 36CBC9F5
AFF0A10C 5B5C5A1F B205AC39 46A9572A 941ABB66 60B64075 89EFB653 7D434D40
D82495D8 2C886ECB C5D198ED 317D63FE E3CE8FB2 176274A1 FE3B8287 0A977994
4058C8A4 B4F433B7 5DADC591 A9013E82 7BB2D2CE 8F1E29DD 6647DFFB 92EB24E8
378CFC70 C3200763 2A79F145 DED50A56 0C66E61A F8CA1D09 1193EB2F E53F103C
840C894F 70A0725C 99F9847A 6D557F69 BFE69325 4B4A6836 A2139E10 56BF6503
F3D8BD9B 07744688 EE2DB0AE 1A814BBD C832A7F1 3C9E5CE2 D5C7AAC4 216B51D7
6BA4E0E7 9F081BF4 7651EDD2 82FD16C1 504EFA8D A4E2019E 4DBBF7B8 B9170CAB
1C70D433 E8DC2F20 0185D906 F5292215 279ACE59 D336354A 3A6FC36C CEC3387F
F808F18A 0CA40A99 E5FDFCBF 115107AC C3E2EBE0 374E10F3 DE17E6D5 2ABB1DC6
8FDCC55E 7B703E4D 9229C86B 66853378 B436DF34 409A2427 A9C3D201 5D6F2912
17A09822 E30C6331 0A559517 FEF96E04 2C4A8248 D8E6795B 31BF8F7D C513746E
6074ACF6 94D857E5 7D81A1C3 892D5AD0 5B9EB69C AF324D8F 466BBBA9 B2C740BA
D3F4D9C9 275822DA CE01D4FC 3AAD2FEF E81EC3A3 1CB238B0 F5EBCE96 01473585
A420ED1D 508C160E B9D5E028 4D791B3B 9FCAF777 6B660C64 823FFA42 76930151
3C5CB061 C8F04B72 21A9BD54 D5054647 07B6AA0B F31A5118 1A43A73E EEEF5C2D
4B8884B5 BF247FA6 567D8980 A2D17293 70629EDF 84CE65CC 6D9793EA 993B68F9
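The following Python program is an added example; it is not part of the profile and not PNO code. It generates the 16-bit table from the generator 14EABh and the 32-bit table from the polynomial implied by crctab32[1] above (F4ACFB13h is x^32 mod G, so it is the generator with its x^32 term dropped), implements the two byte-wise formulas above, transcribes the bit-serial Pascal procedure crc16, and shows that the two 16-bit variants agree when the register starts at 0 and the Pascal form is fed 16 extra zero bits (the table form already multiplies the message by x^16). The frame helpers that append and verify a 2-byte CRC assume the CRC is placed high byte first; that byte order is an assumption of this example, not something the profile states here.

```python
"""ProfiSafe CRC generation: table construction, the byte-wise formula and the bit-serial Pascal variant."""

POLY16 = 0x4EAB      # generator 14EABh with its x^16 term dropped (the Pascal constant g)
POLY32 = 0xF4ACFB13  # low 32 bits of the 32-bit generator; equals crctab32[1] on the page


def make_crc_table(poly, width):
    """Direct (non-augmented) CRC table: entry i = (i * x^width) mod G(x)."""
    mask, top = (1 << width) - 1, 1 << (width - 1)
    table = []
    for i in range(256):
        r = i << (width - 8)
        for _ in range(8):
            r = ((r << 1) & mask) ^ (poly if r & top else 0)
        table.append(r)
    return table


CRCTAB16 = make_crc_table(POLY16, 16)
CRCTAB32 = make_crc_table(POLY32, 32)


def crc_tabled(data, table, width, init=0):
    """The page's formula r = crctab[(r >> (width-8)) ^ *q++] ^ (r << 8), applied byte by byte."""
    mask, shift = (1 << width) - 1, width - 8
    r = init & mask
    for b in data:
        r = table[((r >> shift) ^ b) & 0xFF] ^ ((r << 8) & mask)
    return r


def crc16_pascal(data, init=0):
    """Bit-serial transcription of the Pascal procedure crc16: the data bit is shifted into the LSB."""
    r = init & 0xFFFF
    for x in data:
        for _ in range(8):
            bit = 0 if (x & 0x80) == 0 else 1
            if (r & 0x8000) == 0:
                r = ((r << 1) & 0xFFFF) ^ bit
            else:
                r = ((r << 1) & 0xFFFF) ^ POLY16 ^ bit
            x = (x << 1) & 0xFF
    return r


def variants_agree(data):
    """With r initialised to 0, the Pascal procedure fed with data plus 16 zero bits equals
    the table formula fed with data alone (the table form pre-multiplies by x^16)."""
    return crc16_pascal(data + b"\x00\x00") == crc_tabled(data, CRCTAB16, 16)


def append_crc16(payload, init=0):
    """Frame = payload followed by the 2-byte CRC (assumption: CRC sent high byte first)."""
    return payload + crc_tabled(payload, CRCTAB16, 16, init).to_bytes(2, "big")


def verify_crc16(frame, init=0):
    """Recompute the CRC over everything but the last two bytes and compare."""
    if len(frame) < 2:
        return False
    return crc_tabled(frame[:-2], CRCTAB16, 16, init) == int.from_bytes(frame[-2:], "big")


if __name__ == "__main__":
    # Constructed sample: a two-byte payload, then the same bytes swapped (a sequence error).
    frame = append_crc16(b"\x01\x02")
    print("crctab16[1], crctab16[2] =", hex(CRCTAB16[1]), hex(CRCTAB16[2]))
    print("frame", frame.hex(), "valid:", verify_crc16(frame))
    print("swapped payload valid:", verify_crc16(b"\x02\x01" + frame[2:]))
```

The generated tables reproduce the page's entries (crctab16[1] = 4EABh, crctab16[255] = C4B3h, crctab32[1] = F4ACFB13h), and the swapped-payload check exercises the sequence-error claim made for the procedure above: 01h 02h and 02h 01h give different signatures.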


6.3 Sample GSD File for a modular F Slave

; ===========================================================
; Sample GSD file for a slave with F-module parametrization
; demonstration only, no real product
; File name : SIEM2222.GSD
; Revision : 1.1 Bitmap SX
; Last changes : 17-Feb-1999
; ===========================================================
;
#Profibus_DP
Vendor_Name = "SIEMENS AG"
GSD_Revision = 2
Model_Name = "F-Device"
Revision = "1.0"
Ident_Number = 0x2222
Protocol_Ident = 0 ; 0 = PROFIBUS-DP
Slave_Family = 9 ; = Others
Prm_Struct_supp = 1 ; 1 = block structure supported
Station_Type = 0 ; 0 = DP-Slave
FMS_supp = 0 ; no FMS/DP mixed device
F_Device_supp = 1 ; 1 = F-device (launches "F-Control" within parametrization tool)
Hardware_Release = "A1"
Software_Release = "V1.0"
9.6_supp = 1
19.2_supp = 1
93.75_supp = 1
187.5_supp = 1
500_supp = 1
1.5M_supp = 1 ; 9.6 up to 12,000 Kbaud supported
3M_supp = 1
6M_supp = 1
12M_supp = 1
MaxTsdr_9.6 = 60
MaxTsdr_19.2 = 60
MaxTsdr_93.75 = 60
MaxTsdr_187.5 = 60
MaxTsdr_500 = 100
MaxTsdr_1.5M = 150
MaxTsdr_3M = 250
MaxTsdr_6M = 450
MaxTsdr_12M = 800
Redundancy = 0 ; redundancy not supported
Repeater_Ctrl_Sig = 2
24V_Pins = 0
Bitmap_Device = "UNIVSLVE"
;Slave specific data
;******************
;******************
;Text definition for User_Prm_Data
PrmText = 1 ; Reference number 1
Text(0) = "SIL 1"
Text(1) = "SIL 2"
Text(2) = "SIL 3"
Text(3) = "SIL 4"
EndPrmText
;
;Text definition for Check/no check
;
PrmText = 2 ; Reference number 2


Text(0) = "No Check"
Text(1) = "Check"
EndPrmText
;
;Text definition for CRC-Length
;
PrmText = 3 ; Reference number 3
Text(0) = "2 Byte CRC"
Text(1) = "4 Byte CRC"
EndPrmText
;
; Ext-User-Prm-Data-Def-List:
;
;User_Prm_Data definition 1
ExtUserPrmData = 1 "Slot" ; Reference number 1
Unsigned8 1 1-254 ; Default = 1, Max = 254
EndExtUserPrmData
;
;
;User_Prm_Data definition 2
ExtUserPrmData = 2 "F_Prm_Flag" ; Reference number 2
Unsigned16 0 0-65535 ; Default = 0, Max = 65535
EndExtUserPrmData
;
;User_Prm_Data definition 3
ExtUserPrmData = 3 "F_Dest_Add" ; Reference number 3
Unsigned16 1 1-65534 ; Default = 1, Max = 65534
EndExtUserPrmData
;
;User_Prm_Data definition 4
ExtUserPrmData = 4 "F_Source-Add" ; Reference number 4
Unsigned16 1 1-65534 ; Default = 1, Max = 65534
EndExtUserPrmData
;
;User_Prm_Data definition 5
ExtUserPrmData = 5 "F_WD-Time" ; Reference number 5
Unsigned16 3 0-65535 ; Default = 3, Max = 65535, Manufacturer defines
EndExtUserPrmData ; maximum device operation time via default value
;
;User_Prm_Data definition 6
ExtUserPrmData = 6 "F_SIL " ; Reference number 6
BitArea(2-3) 1 0-3 ; Default = 1, Min = 0, Max = 3
Prm_Text_Ref = 1 ; Pointer to text definition 1
EndExtUserPrmData
;
;User_Prm_Data definition 7
ExtUserPrmData = 7 "F_Check_SeqNr" ; Reference number 7
Bit(0) 0 ; Default = 0,
Prm_Text_Ref = 2 ; Pointer to text definition 2
EndExtUserPrmData
;
;User_Prm_Data definition 8
ExtUserPrmData = 8 "F_Check_iPar" ; Reference number 8
Bit(1) 0 ; Default = 0,
Prm_Text_Ref = 2 ; Pointer to text definition 2
EndExtUserPrmData
;
;User_Prm_Data definition 9
ExtUserPrmData = 9 "F_CRC_Length" ; Reference number 9
BitArea(4-5) 2 0-3 ; Default = 2, Min = 0, Max = 3


Prm_Text_Ref = 3 ; Pointer to text definition 3
EndExtUserPrmData
;
;******************
;******************
;
Freeze_Mode_supp = 0 ; Freeze-Mode not supported
Sync_Mode_supp = 0 ; Sync.-Mode not supported
Auto_Baud_supp = 1 ; automatic Baudrate check
Max_Diag_Data_Len = 6
Set_Slave_Add_supp = 1
User_Prm_Data_Len = 100 ; Length of the total User-Prm-Data
Min_Slave_Intervall = 6 ; 0.6ms
Modular_Station = 1
Max_Module = 5 ; max. Nr. of modules to choose from
Max_Input_Len = 100
Max_Output_Len = 100
Max_Data_Len = 200
;
Module = "F-Module 16Byte-E 4Byte-A" 0xC0, 0x83, 0x8f
F_Device_supp = 1 ; F-Slave
Ext_Module_Prm_Data_Len = 12
Ext_User_Prm_Data_Const(0) = 12 ; predefined F_Prm-Block length
Ext_User_Prm_Data_Const(1) = 4 ; predefined F_Prm-Block identifier
Ext_User_Prm_Data_Const(2) = 0 ; predefined Slot number
Ext_User_Prm_Data_Const(3) = 0 ; predefined Specifier
Ext_User_Prm_Data_Const(4) = 0x00 ; predefined F_Prm-Flag high
Ext_User_Prm_Data_Const(5) = 0x00 ; predefined F_Prm-Flag low
Ext_User_Prm_Data_Ref(2) = 1
Ext_User_Prm_Data_Ref(4) = 7
Ext_User_Prm_Data_Ref(4) = 8
Ext_User_Prm_Data_Ref(4) = 6
Ext_User_Prm_Data_Ref(4) = 9
Ext_User_Prm_Data_Ref(6) = 3
Ext_User_Prm_Data_Ref(8) = 4
Ext_User_Prm_Data_Ref(10) = 5
EndModule
Module = "F-Modul 16Word-E 16Byte-A" 0xC0, 0x8f, 0x9f
F_Device_supp = 1 ; F-Slave
Ext_Module_Prm_Data_Len = 12
Ext_User_Prm_Data_Const(0) = 12 ; predefined F_Prm-Block length
Ext_User_Prm_Data_Const(1) = 4 ; predefined F_Prm-Block identifier
Ext_User_Prm_Data_Const(2) = 0 ; predefined Slot number
Ext_User_Prm_Data_Const(3) = 0 ; predefined Specifier
Ext_User_Prm_Data_Const(4) = 0x00 ; predefined F_Prm-Flag high
Ext_User_Prm_Data_Const(5) = 0x00 ; predefined F_Prm-Flag low
Ext_User_Prm_Data_Ref(2) = 1
Ext_User_Prm_Data_Ref(4) = 7
Ext_User_Prm_Data_Ref(4) = 8
Ext_User_Prm_Data_Ref(4) = 6
Ext_User_Prm_Data_Ref(4) = 9
Ext_User_Prm_Data_Ref(6) = 3
Ext_User_Prm_Data_Ref(8) = 4
Ext_User_Prm_Data_Ref(10) = 5
EndModule
;
Module = "E-/A-Modul" 0xF4 ; standard I/O module
; consistency, 5 Words Inputs and Outputs
EndModule
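The following Python script is an added example, not taken from the profile, from PNO or from any GSD tool. It parses the ExtUserPrmData definitions and a module's Ext_Module_Prm_Data_Len, Ext_User_Prm_Data_Const and Ext_User_Prm_Data_Ref entries from a constructed excerpt of the sample GSD above, lays the default values into a block of the declared length, and reports two layout faults that a parametrization tool could otherwise accept silently: a reference whose value runs past the declared block length, and two references claiming the same bits of the same byte. It reads only the keywords it needs, treats ';' as the start of a comment, and assumes Unsigned16 values occupy two bytes high byte first; that byte order is this example's assumption.

```python
"""Layout check for the F_Prm block a ProfiSafe-style GSD module declares (added example)."""
import re

# Constructed excerpt of the sample GSD on this page: F parameter definitions and the first F module.
GSD_EXCERPT = """
ExtUserPrmData = 3 "F_Dest_Add" ; Reference number 3
Unsigned16 1 1-65534 ; Default = 1, Max = 65534
EndExtUserPrmData
ExtUserPrmData = 5 "F_WD-Time"
Unsigned16 3 0-65535
EndExtUserPrmData
ExtUserPrmData = 6 "F_SIL"
BitArea(2-3) 1 0-3
EndExtUserPrmData
ExtUserPrmData = 7 "F_Check_SeqNr"
Bit(0) 0
EndExtUserPrmData
ExtUserPrmData = 9 "F_CRC_Length"
BitArea(4-5) 2 0-3
EndExtUserPrmData
Module = "F-Module 16Byte-E 4Byte-A" 0xC0, 0x83, 0x8f
Ext_Module_Prm_Data_Len = 12
Ext_User_Prm_Data_Const(0) = 12 ; predefined F_Prm-Block length
Ext_User_Prm_Data_Const(1) = 4 ; predefined F_Prm-Block identifier
Ext_User_Prm_Data_Ref(4) = 7
Ext_User_Prm_Data_Ref(4) = 6
Ext_User_Prm_Data_Ref(4) = 9
Ext_User_Prm_Data_Ref(6) = 3
Ext_User_Prm_Data_Ref(10) = 5
EndModule
"""

DEF_RE = re.compile(r'ExtUserPrmData\s*=\s*(\d+)\s+"([^"]*)"')
TYPE_RE = re.compile(r"(Unsigned8|Unsigned16|Bit\((\d+)\)|BitArea\((\d+)-(\d+)\))\s+(\d+)")
MODULE_RE = re.compile(r'Module\s*=\s*"([^"]*)"')
LEN_RE = re.compile(r"Ext_Module_Prm_Data_Len\s*=\s*(\d+)")
ITEM_RE = re.compile(r"Ext_User_Prm_Data_(Const|Ref)\((\d+)\)\s*=\s*(\w+)")
WIDTH = {"Unsigned8": 1, "Unsigned16": 2, "Bit": 1, "BitArea": 1}  # bytes occupied

def parse_gsd(text):
    """Collect ExtUserPrmData definitions (keyed by reference number) and Module blocks."""
    defs, modules, cur, mod = {}, [], None, None
    for raw in text.splitlines():
        ln = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not ln:
            continue
        if m := DEF_RE.match(ln):
            cur = {"ref": int(m.group(1)), "name": m.group(2)}
        elif ln.startswith("EndExtUserPrmData"):
            defs[cur["ref"]] = cur
            cur = None
        elif cur is not None and (m := TYPE_RE.match(ln)):
            cur["kind"] = m.group(1).split("(")[0]           # Unsigned8 / Unsigned16 / Bit / BitArea
            cur["lo"] = int(m.group(2) or m.group(3) or 0)   # first bit (Bit / BitArea only)
            cur["hi"] = int(m.group(2) or m.group(4) or 0)   # last bit (Bit / BitArea only)
            cur["default"] = int(m.group(5))
        elif m := MODULE_RE.match(ln):
            mod = {"name": m.group(1), "len": 0, "Const": [], "Ref": []}
        elif ln.startswith("EndModule"):
            modules.append(mod)
            mod = None
        elif mod is not None and (m := LEN_RE.match(ln)):
            mod["len"] = int(m.group(1))
        elif mod is not None and (m := ITEM_RE.match(ln)):
            mod[m.group(1)].append((int(m.group(2)), int(m.group(3), 0)))
    return defs, modules

def build_f_prm_block(module, defs):
    """Lay the defaults into a block of Ext_Module_Prm_Data_Len bytes and report layout faults."""
    length, errors, used = module["len"], [], {}  # used: (byte, bit) -> owning parameter
    block = bytearray(length)
    for idx, val in module["Const"]:
        block[idx] = val & 0xFF  # an IndexError here means a Const outside the block
    if block[0] != length:
        errors.append(f"Const(0)={block[0]} differs from Ext_Module_Prm_Data_Len={length}")
    for off, ref in module["Ref"]:
        d = defs[ref]  # KeyError here means a Ref to an undefined definition
        width = WIDTH[d["kind"]]
        if off + width > length:
            errors.append(f"{d['name']} at offset {off} exceeds the {length}-byte block")
            continue
        bits = range(d["lo"], d["hi"] + 1) if d["kind"] in ("Bit", "BitArea") else range(8 * width)
        for b in bits:
            key = (off + b // 8, b % 8)
            if key in used:
                errors.append(f"{d['name']} overlaps {used[key]} at byte {key[0]} bit {key[1]}")
            used[key] = d["name"]
        if d["kind"] in ("Bit", "BitArea"):
            block[off] |= (d["default"] << d["lo"]) & 0xFF
        else:
            block[off:off + width] = d["default"].to_bytes(width, "big")  # assumption: high byte first
    return bytes(block), errors

def check_gsd(text):
    """[(module name, default F_Prm block, errors)] for every module in the GSD text."""
    defs, modules = parse_gsd(text)
    return [(m["name"], *build_f_prm_block(m, defs)) for m in modules]
```

For the excerpt, check_gsd returns the module name, an empty error list and the 12-byte default block: length 12, identifier 4, flag byte 24h (F_SIL = 1 in bits 2-3 and F_CRC_Length = 2 in bits 4-5), F_Dest_Add = 1 at bytes 6-7 and F_WD-Time = 3 at bytes 10-11. Moving Ext_User_Prm_Data_Ref(10) to offset 11 in a copy of the excerpt produces the "exceeds" error, and adding a second reference to byte 4 produces "overlaps" errors for every bit already assigned there.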


6.4 Applicable Documents

[1] DIN 19245, Part 1: Control and Instrumentation; PROFIBUS Process Field Bus: Layer 1+2; Beuth Verlag Berlin.
[2] DIN 19245, Part 2: Control and Instrumentation; PROFIBUS Process Field Bus: FMS; Beuth Verlag Berlin.
[3] DIN 19245, Part 3: Control and Instrumentation; PROFIBUS Process Field Bus: Profibus-DP.
[4] Position Paper DKE-AK 226.03 dated 8-Aug-1997.
[5] IEC 61508, Functional Safety of Electrical/Electronic/Programmable El. Safety-Related Systems.
[6] "New concepts for safety-related bus systems", 3rd International Symposium "Programmable Electronic Systems in Safety Related Applications", May 1998, by Dr. Michael Schäfer, central institute for research and testing of the German Berufsgenossenschaften (BG).
[7] prEN 50159-1: (Railway Applications) "Requirements for Safety-Related Communication in Closed Transmission Systems".
[8] EN 50170, European Standard for Profibus-DP and FMS. Successor of the national DIN 19245.
[9] Andrew S. Tanenbaum, "Computer Networks", 2nd Edition, Prentice Hall, N.J., ISBN 0-13-162959-X.
[10] Manfred Popp, "Rapid Way to Profibus DP", 1996, Order # 4.072, PROFIBUS User Organization e.V.
[11] W. Wesley Peterson, "Error-Correcting Codes", 2nd Edition 1981, MIT-Press, ISBN 0-262-16-039-0.
[12] IEC 870-5-1, "Telecontrol equipment and systems; Part 5: Transmission protocols; Section One: Transmission frame formats".

6.5 Abbreviations

ASCII American Standard Code for Information Interchange
ASIC Application Specific Integrated Circuit
C Coverage
CPU Central Processing Unit
CRC Cyclic Redundancy Check [9], [11]
DB Data Block
DDL Device Description Language
DIN Deutsches Institut für Normung (German Institute for Standards)
DKE-AK Working Group of the German Electrotechnical Commission within DIN and VDE
DP Decentralized Peripherals
EMI Electro Magnetic Interference
EN, prEN European Norm, preliminary ...
ESD ElectroStatic Discharge
F Failsafe
FB Function Block
GSD Geräte-Stamm-Daten (Device Data Base)
HD Hamming Distance
HW Hardware
IEC International Electrotechnical Commission
I/O Input/Output
ISO/OSI International Standards Organization / Open Systems Interconnection (Reference Model)
M Module
PA Process Automation
PES Programmable Electronic (Safety-Related) System
PG/ES Programmer/Engineering Station
PLC Programmable Logic Controller
S Standard
SW Software
TPDU (Transport) Protocol Data Unit [9]
VDE Association of German Electrical Engineers VDE
VDI Association of Engineers VDI
XML Extensible Markup Language (World Wide Web Consortium)