PROFIBUS-DP/PA ProfiSafe, Profile for Failsafe Technology, V1.0
ProfiSafe
Document No. 740257
Members of the working group: phone
Eric Dönges TU München 089-289-23590
Uwe Gräff Festo AG 0711-347-4184
Heinz-Theo Hannen Hima GmbH & Co. KG 06202-709-286
Torsten Kühn Klöckner Moeller GmbH 0228-602-1811
Gerd Lausberg Schmersal GmbH & Co. 0202-6474-250
Dr. Thomas Laux Wago Kontakttechnik GmbH 0571-887-464/345
Dr. Wolfgang Stripf Siemens AG 0721-595-3046
Working group chairman:
Herbert Barthel Siemens AG 0911-895-3677
PROFIBUS-ProfiSafe-Profile for Failsafe Technology Version 1.00, 30-Mar-1999, 6:00 pm
_________________________________________________________________________________________ Copyright PNO 1999 – All Rights Reserved Page 2
ProfiSafe-Profil-100e.doc
Contents
1 MOTIVATION ... 5
1.1 TERMINOLOGY ... 5
2 INTRODUCTION ... 8
2.1 POSSIBLE APPLICATION AREAS OF THE SAFETY PROFILE ... 8
2.2 REQUIREMENTS PLACED UPON THE SAFETY PROFILE ... 8
2.3 PRINCIPLE OF SAFE COMMUNICATIONS (GRAY CHANNEL) ... 8
2.4 THE SAFETY PROFILE ... 9
2.5 APPLICATION ... 10
3 BASICS OF THE SAFETY PROFILE ... 11
3.1 SYSTEM CHARACTERISTICS ... 11
3.2 MASTER-SLAVE OPERATION IN PROFIBUS-DP ... 11
3.3 BUS STRUCTURES ... 11
3.4 DELIMITATION OF THE BUS COMPONENTS ... 12
3.5 DELIMITATION OF THE COMMUNICATION FUNCTIONS ... 13
3.6 RISK CONSIDERATION ... 13
3.7 RELEVANT STANDARDS AND DIRECTIVES ... 14
3.8 ERROR CASES THAT SHALL BE MASTERED ... 15
4 FUNCTIONAL PRINCIPLE OF SAFE COMMUNICATION ... 16
4.1 F MESSAGE STRUCTURE ... 16
4.1.1 F Process Data ... 17
4.1.2 Status/Control Byte ... 18
4.1.3 Consecutive Number ... 19
4.1.4 CRC Signature ... 20
4.1.5 Appended Standard User Data ... 20
4.2 REGULAR F COMMUNICATION ... 21
4.2.1 Operational Behavior of F Host and F Slave ... 21
4.2.2 State Diagrams ... 24
4.3 REACTION IN THE EVENT OF A MALFUNCTION ... 30
4.3.1 Repetition ... 30
4.3.2 Loss ... 30
4.3.3 Insertion ... 30
4.3.4 Incorrect Sequence ... 30
4.3.5 Corruption of F Message Data ... 30
4.3.6 Delay ... 30
4.3.7 Interconnecting Safety-Relevant and Standard Messages (Masquerade) ... 31
4.4 F PARAMETER STRUCTURE ... 31
4.4.1 F_Device (ProfiSafe Participant) ... 32
4.4.2 F_Source/Destination_Address (Codename, Password) ... 32
4.4.3 F_WD_Time (F Watchdog Time) ... 32
4.4.4 F_Prm_Flag (Parameters for the Profile Management) ... 32
4.4.5 F_Check_SeqNr (Consecutive Number in the CRC2) ... 32
4.4.6 F_Check_iPar (CRC1 including i-Parameters) ... 32
4.4.7 F_SIL (SIL Stage) ... 33
4.4.8 F_CRC_Length (Length of the CRC2 Key) ... 33
4.4.9 F_Par_CRC (CRC1 across F-Parameters) ... 33
4.4.10 Structure of the F Parameter Block (Prm telegram) ... 34
4.4.11 F Data Fraction ... 34
4.4.12 i-Parameter (individual F-Device Parameters) ... 34
4.5 F-PARAMETRIZATION ... 35
4.5.1 F-Parametrization Tools ... 35
4.5.2 GSD Structure ... 36
4.5.3 F-Parameter Assignment Paths ... 37
4.6 F-STARTUP COORDINATION ... 38
4.6.1 Standard Startup (F Slave State Machine) ... 39
4.6.2 Parameter Assignment Deblocking ... 39
4.6.3 Interaction Diagrams for Parameter Assignments ... 40
4.7 SAFE ALARM GENERATION ... 41
4.8 DIAGNOSIS ... 42
4.9 F MODULE COMMISSIONING / REPAIR BEHAVIOR ... 42
4.10 REACTION TIMES ... 42
4.11 PROBABILISTIC CONSIDERATIONS ... 43
4.11.1 Calculations ... 43
4.11.2 Operational Reliability of the Standard Profibus Components ... 47
4.11.3 Practical Bit Error Rates of the Profibus ... 47
5 USING THE PROFIBUS STANDARD ... 48
5.1 PROFIBUS LAYERS 1 AND 2 ... 48
5.2 PROFIBUS DP ... 48
5.3 DEFINITION OF THE "GRAY" CHANNEL ... 48
5.4 STANDARD EMC REQUIREMENTS OF THE PROFIBUS ... 48
5.4.1 CE Mark ... 48
5.4.2 Noise Emission ... 48
5.4.3 Noise Immunity ... 48
5.4.4 On Long Signal Cables >10m ... 48
5.4.5 Static Discharge ... 49
5.4.6 High-Frequency Irradiation ... 49
5.4.7 HF-Induced Current on Cables and Cable Shields ... 49
5.4.8 Power Supply ... 49
5.4.9 Voltage Dips ... 49
5.4.10 Voltage Interruption ... 49
5.4.11 Definition of the Malfunction ... 49
5.5 STANDARD INSTALLATION GUIDELINES FOR PROFIBUS ... 49
6 APPENDIX ... 50
6.1 MEASURES AGAINST FAILURES BEFORE CRC2 CALCULATIONS ... 50
6.2 CRC CALCULATION ... 51
6.3 SAMPLE GSD FILE FOR A MODULAR F SLAVE ... 53
6.4 APPLICABLE DOCUMENTS ... 56
6.5 ABBREVIATIONS ... 56

Figures
Figure 2-1 F layer architecture ... 9
Figure 2-2 Message model for safety-relevant data ... 9
Figure 3-1 Typical system configuration ... 11
Figure 3-2 Bus structure ... 12
Figure 3-3 Entire safety function ... 12
Figure 3-4 Risk consideration according to IEC 61508 ... 13
Figure 3-5 Profibus-DP, proportional risk ... 13
Figure 4-1 Error mastering measures ... 16
Figure 4-2 DP frame structure (Process Data) ... 16
Figure 4-3 Complete F message structure ... 17
Figure 4-4 Modular slave with two F modules ... 18
Figure 4-5 Embedding the F I/O data of compact and modular slaves ... 18
Figure 4-6 Status byte ... 18
Figure 4-7 Control byte ... 19
Figure 4-8 Consecutive number function ... 19
Figure 4-9 CRC generation ... 20
Figure 4-10 F communication structure ... 21
Figure 4-11 F User Interfaces of F driver instances ... 21
Figure 4-12 Monitoring the message transit time F-CPU ↔ F output ... 22
Figure 4-13 Monitoring the message transit time F input ↔ F-CPU ... 24
Figure 4-14 Interaction F host / F slave during start-up ... 24
Figure 4-15 Interaction F host / F slave during Host Power Off → On ... 25
Figure 4-16 Interaction F host / F slave with delayed Power On ... 25
Figure 4-17 Interaction F host / F slave during Slave Power Off → On ... 26
Figure 4-18 F host states during interactions with the F slave ... 27
Figure 4-19 F output (input) slave states ... 28
Figure 4-20 Interaction F host / F slave while host recognizes CRC failure ... 29
Figure 4-21 Interaction F host / F slave while slave recognizes CRC failure ... 29
Figure 4-22 F parameter data and CRC ... 30
Figure 4-23 F_Prm telegram ... 34
Figure 4-24 Safety of individual device parameters ... 35
Figure 4-25 Dynamic i-parameter sets ... 35
Figure 4-26 Standard device parameter in Profibus ... 36
Figure 4-27 F-parameter assignment for simple F slaves ... 37
Figure 4-28 F-parameter assignment for complex F slaves ... 38
Figure 4-29 Startup coordination with F parameters ... 39
Figure 4-30 Parameter assignment deblocking by the F host ... 39
Figure 4-31 Assigning "static" i-parameter from F host ... 40
Figure 4-32 Assigning "dynamic" i-parameter from operator level ... 41
Figure 4-33 Reaction times ... 42
Figure 4-34 Residual error rates ... 43
Figure 4-35 Monitoring of corrupted messages ... 47
Figure 6-1 Typical procedure of a cyclic redundancy check ... 51
Figure 6-2 Using a CRC table for generating the signature ... 51
1 Motivation
The PROFIBUS field bus standard EN 50170 [8], the successor of the national standard DIN 19245 [1] through [3], covers a wide range of communications applications in the automation hierarchy: from I&C via control down to field level.
By simplification and restriction to the two lowest layers of the ISO/OSI model, the specific requirements of industrial communications (such as short messages, determinism, and high performance) were taken into account. The Profibus version for distributed I/O has gained particular importance in this context. Using a hybrid access procedure of master/slave and/or token principles, the base Profibus functions are employed here for the cyclic data exchange between peripherals and processing units.
While automation solutions with distributed I/O gained wide acceptance through Profibus DP, failsafe applications were still relying on a second layer of conventional electrical techniques or special busses, thus limiting seamless engineering and interoperability. Additionally, modern failsafe devices could not be used to their full potential due to missing system support. It is the purpose of these Profibus directives to provide the corresponding enabling technologies.
The specific utilization of the communication functions by specific groups of participants is called a profile. A profile is a set of rules and definitions that are valid within a user or field device group. The DP Safety Profile, in short ProfiSafe, describes the communications between failsafe peripherals and failsafe controllers. It is based on the requirements of the standards for safety-oriented applications and the experience of the PLC user and PLC manufacturer community. The DP Safety Profile is to be certified by TÜV and BIA (Institute for labor safety of the mutual indemnity association). Since the PA variant of Profibus DP merely defines a different transmission technique, while the higher protocol layers are identical, the DP Safety Profile also applies to Profibus PA.
The working group for producing this DP Safety Profile was founded by the PNO advisory board (PNO = PROFIBUS user organization e.V.). The DP Safety Profile is published as a suggestion for a PNO Directive. It is restricted exclusively to the description of the mechanisms that are required for safe communication, and their parameter assignments. The additional measures that are required in the terminal equipment (host/PLC or field device) to make it safe are not described here because they are irrelevant to "open" safe communications. Although the measures for a safe connection of the AS-I bus are discussed in the working group, they are not described in this profile.
In the following text, the terms "safety-oriented", "safety-relevant" and "failsafe" are used interchangeably and are abbreviated by the letter "F".
Chapters 1 through 3 give a general introduction to the requirements and basics of safe communications that are relevant to this profile. Chapter 4 discusses the solution principles in detail. Chapter 5 describes the valid Profibus boundary conditions. The calculations and sources used for deriving the profile are given in Chapter 6.
1.1 Terminology
Bit information: Encoded binary information without a technical unit.
Codename for sender and recipient: A source-destination parameter that is unambiguous within the address space of an F communication device and is used as a "password" between the F communication partners.
Configuration: Defining the standard communication between the units and defining the specific device parameters.
Configuration (FailSafe): Defining the F communication between the F units and defining the specific F device parameters.
Consecutive number: Consecutive count that is transferred from the sender to the recipient, where it is monitored with respect to the sequence (increment 1) and the interval to the next value. Also known as heartbeat.
Control bits: Bits that are used for triggering control functions, in contrast to bits that represent a data item (such as a numeric value).
Cycle: Interval at which a list of instructions is repetitively and continuously executed.
Driver: Software module used for abstracting the hardware with respect to the remaining software.
EMC: Electromagnetic compatibility: electromagnetic "worst case" boundary conditions for the normal utilization of the ProfiSafe profile. See Profibus standards.
Encapsulated (closed) system: Conducted electrical or optical message transfer, radio, infrared, but without public data transmission and with the following characteristics:
- authorized access only
- known maximum number of communicating partners ("F" and standard)
- transmission media is known and well defined
Error: Errors are static conditions that exist throughout the product lifecycle and are inherent characteristics of the system.
Failsafe (F-...): Ability of a system to prevent hazards by adequate technical or organizational measures, either deterministically or by reducing the risk to a tolerable measure.
Failsafe values: If the system is triggered to a failsafe state, it uses failsafe values instead of process data.
F-Driver: Software that administers safe messages within F-Hosts and F-Slaves according to the ProfiSafe directives.
Failure (states): The nonperformance of a system to achieve its intended function within its performance constraints. Failures are events that occur at some point in time, leading to a failed condition (state).
Fault: A fault is an unsatisfactory system condition. Thus, failure states and errors are different kinds of faults.
Fault reaction: Fault reaction basically means indicating a communication malfunction by setting the fault bits in the status byte and
- within F-Output: shutting down the outputs, and/or automatic safe reaction of the actuator unit.
- within F-CPU: corresponding user program reaction possible; F-I/O data are set to default values.
- within F-Input: sets only fault bits in the F status byte; F-I/O data are set to default values.
Frame (Telegram): Data unit that is transported on layer 2 of the ISO/OSI model [9].
Function block: Self-contained program part that possesses a specific functionality.
"Gray channel": Single-channel standard Profibus communication facility that is used by the ProfiSafe failsafe profile (F-Driver).
Hazard: A state or set of conditions of a system that, together with other conditions in the environment of the system, will inevitably lead to an accident.
Host: Information processing unit that is able to perform the F profile mechanisms and services the "gray" channel. This is usually a PLC or an IPC with an adequate operating system.
i-parameter: Individual F device parameters, e.g. detection zone coordinates of a laser scanner.
I/O module: Addressable sub I/O unit in a DP slave.
Master: Active communication partner that triggers the slave for information exchange.
Message (packet or TPDU): Due to the missing higher layers (>2) of the ISO/OSI model in Profibus, the process data including safety and control information within a frame corresponds to the transported message [9].
PES: Programmable electronic safety-related system.
Process data: Here: the data in a message that is required for process control.
Profile: Specific utilization of the communication functions by specific user groups.
Reaction time: The time between the "electrical" recognition of an emergency request and the "electrical" initiation of a safety reaction. The response time consists of several time segments, including the bus transfer time.
Reliability: Reliability can be specified as the mean number of failures in a given time (failure rate λ), as the mean time between failures (MTBF) for items which are repairable, or as the mean time to failure (MTTF) for items which are not repairable. For repairable items, it is often assumed that failures occur at a constant rate, in which case the failure rate λ = 1/MTBF. The reliability of components is usually measured in FIT (= one failure in 10^9 device-hours) during the operating stage after the infant mortality stage and before the wear-out stage ("bathtub" curve).
Risk: A combination of the likelihood of an accident and the severity of the potential consequences.
Scan rate: Time between any two read processes on input signals.
Shared I/O: Several hosts/PLCs access the same inputs and outputs. Common utilization of inputs is less problematic than sharing outputs.
Slave: Passive communication partner that is usually triggered by the master for exchanging information.
2 Introduction
2.1 Possible Application Areas of the Safety Profile
• Manufacturing industry
  • rapid protection of personnel and machines, such as
    • emergency stop functions
    • light gates
    • guard doors
    • scanners
    • drives with integrated safety
• Process industry
• Fuel engineering
• Public transport, such as cable railways
2.2 Requirements Placed Upon the Safety Profile
• Independence between safety-relevant communication and standard communication: using standard devices and "safe devices" on the same DP system shall be possible!
• Suitable for safety level SIL3 (IEC 61508), AK6 (DIN V 19250); control category 4 (EN 954-1)
• Satisfying the safety requirements in a single-channel communication system → redundancy only for increased reliability
• Any DP master or "links" can be used
• DP masters, ASICs, links, couplers, ... shall remain unmodified (gray channel) → safety functions above OSI layer 7 (i.e. profile, no DP protocol changes or enhancements).
• Environmental conditions according to Profibus requirements.
• The implementation of the safe transmission function shall be restricted to the communication end device (CPU / host – slave and/or I/O module).
• The safety profile shall not reduce the permitted number of devices (restrictions may occur during mapping in case of PA).
• There is always a 1:1 communication relationship between the F devices.
• The transmission duration times shall be monitored.
2.3 Principle of Safe Communications ( Gray Channel )
ProfiSafe's way of safe communication is based on the experience gained in railway signaling technology, as laid down in the European Standard prEN 50159-1 "Railway Applications: Requirements for Safety-Related Communication in Closed Transmission Systems" [5]. On this basis, safe communication is performed by
• a standard transmission system (here: Profibus-DP)
• and additional safety transmission functions as a profile on this standard transmission system.
The standard transmission system includes the entire hardware of the transmission system and the related protocol functions (i.e. OSI layers 1, 2 and 7 according to figure 2-1).
Safety applications and standard applications share the same standard Profibus DP communication system at the same time.
The safe transmission function comprises all measures to deterministically discover all possible faults / hazards that could be introduced by the standard transmission system, or to keep the residual error (fault) probability under a certain limit. This includes
• random malfunctions, e.g. due to EMI impact on the transmission channel
• failures / faults of the standard hardware
• systematic malfunctions of components within the standard hardware and software
(Figure 2-1, picture not reproduced: standard input/output, standard logic operation, safety input, safety logic operation and safety output communicate over OSI layers 1, 2 and 7; a safety layer sits above layer 7 in each safety-relevant end device.)
"Gray Channel": ASICs, wires, links, etc. are not safety relevant components
ProfiSafe: the safety relevant Profibus profile comprises: addressing, watch-dog timing, sequencing, signatures, etc.
The safe I/O and safe logic controller functions are safety relevant but not part of the ProfiSafe profile
Not safety related functions, e.g. diagnostics
Figure 2-1 F layer architecture
This principle delimits the certification effort to the "safe transmission functions". The "standard transmission system" does not need any additional certification.
Transmission is performed via electrical or optical conductors. Permissible topologies and transmission features of the standard transmission system, and the components of the "gray" channel, are described in Chapter 5.3.
2.4 The Safety Profile
Figure 2-2 shows the model of the complete message structure on the transmission medium [5]. The F profile is "embedded" in the DP transmission protocol (layer 7) and in the transmission code (layer 2), and defines the layers "safety procedures" and "safety code".
(Figure 2-2, picture not reproduced; layers shown: user data of safety process; safety code, e.g. CRC; safety procedures (e.g. source identifier), the latter two forming the F-Profile; transmission protocol (Profibus); transmission code (message).)
Figure 2-2 Message model for safety-relevant data
2.5 Application
Host – field device: The F profile describes the F communication between safety-oriented units via the PROFIBUS-DP/PA. The method described in this profile permits a "safe" field device to cyclically exchange safety-relevant data with a "safe" CPU (host).
Host – Host: Not included in the first version of this profile description.
Field device – field device (cross communication): The ProfiSafe principle will cover this operational mode also. There will be small extensions, e.g. additional process data within an acknowledgment message. The details will not be included in the first version of this profile description.
Failsafe shared inputs: Multi-master operation of safe CPUs/hosts with safe I/O is permitted; "Failsafe Shared Inputs" are not (not included in the first version of this profile).
Dynamic configuration: In particular in the field of robots, there may be two or more automation subunits that will only be activated when they are "docked". This is also possible in the safety field.
Other safe busses: Exchanging safe information with other "safe" bus systems is possible if a corresponding F gateway behaves like a safe Profibus slave.
EMC field: Same as standard Profibus
3 Basics of the Safety Profile
3.1 System Characteristics
(Figure 3-1, picture not reproduced: a Profibus DP line with a monitoring device (DP master class 2), an F-host/F-PLC (DP master class 1), a standard host/PLC (DP master class 1), F-I/O and standard I/O (DP slaves), an F device (DP slave), an F field device (PA slave) behind a DP/PA coupler, segments A and B joined by a repeater, and an F gateway to other safe bus systems; the master-slave mapping is indicated.)
failsafe and standard users are sharing the same bus
Figure 3-1 Typical system configuration
The system configuration shown in the figure above characterizes a typical structure of interconnected hosts/PCs, safety-oriented hosts/PLCs, distributed I/Os, field devices, safety-oriented field devices and monitoring units on the Profibus-DP/PA. In this structure (blue dotted line in figure 3-1), a safety-oriented host/PLC controls, via the Profibus-DP master, several subordinate safety-oriented and non-safety-oriented Profibus-DP slave units/modules. The encapsulated (closed) transmission system may extend across several segments that are interconnected via repeaters. The connection to other safe bus systems via F gateways is not discussed in this Profibus profile description.
3.2 Master-Slave Operation in PROFIBUS-DP
The PLC/IPC is the host in a PROFIBUS-DP system. The related DP master is a stand-alone module or a subunit of the host. The I/O stations are slaves. The master (PLC) addresses each slave (I/O module) once in a DP cycle. In this process, a fixed number of output bytes is sent to the slave and a fixed number of input bytes is read from the slave, respectively.
3.3 Bus Structures
In contrast to the typical system configuration, Figure 3-2 shows the possible bus structure (i.e. how far the F profile extends into the individual units). A standard DP slave, for example, can accommodate a safe F module for the connection of an emergency stop pushbutton. Multi-master operation of safe hosts is permitted; "Failsafe Shared Inputs" (not included in the first version of this profile) are not. A mix of F host and standard host is possible.
(Figure 3-2, picture not reproduced: one or two Safety-CPUs (the second optional), each with its DP master, on a DP line with F-DP slaves, a standard DP slave carrying an F module, and a DP-PA link resp. coupling to a PA segment with an F-PA field device; a PG/ES is attached via TCP/IP with secure access, e.g. firewall.)
DP: encapsulated (closed) transmission system acc. EN50159-1
Figure 3-2 Bus structure
It is within the user's responsibility to employ adequate organizational and/or technical measures (e.g. call-back, firewall, etc.) to ensure that unauthorized access from the connected programming and/or engineering stations cannot jeopardize safe operation. These devices are not usually participants in a safe operation.
3.4 Delimitation of the Bus Components
The entire safety function shall be considered for the acceptance of the system.
(Figure 3-3, picture not reproduced: inspection of the complete safety function of control loops according to IEC 61508; the whole path is safety relevant: sensor (Bin. I / Anal. I) – scan safe information – safe transmission – logical operation – process safe information – safe transmission – Bin. O – actuator – initiate safe reaction.)
Figure 3-3 Entire safety function
The units "safety-oriented input", "safety-oriented logic processing", and "safety-oriented output" are not included in the discussion of the F profile.
We only define the measures that implement the F communication in the individual communication end points.
The F profile ensures the protection of the data between the peripheral F modules and/or safe directly connected sensors/actuators/F-PA units and the F-CPU. There are no additional requirements placed upon the components DP master, DP slave, PA master, DP/PA link. They belong to the "gray channel".
This means:
a) not safety-relevant are: ASICs, bus drivers, lines, repeaters, links, and the slave interface of modular slaves (see definition "gray channel").
b) safety-relevant are: safety profile, F watchdog functions, F addressing, F parameters, peripheral F modules, and/or safe field devices.
3.5 Delimitation of the Communication Functions
The F profile only supports the cyclic service (DP).
Acyclic services are used for communicating non-safety-relevant data. Parts of the slave parametrization are safety-relevant and are protected via the cyclic service.
3.6 Risk Consideration
(Figure 3-4, picture not reproduced, from IEC 61508: increasing risk from residual risk via tolerable risk to EUC risk; the necessary risk reduction and the actual risk reduction achieved by all safety-related systems and external risk reduction facilities are split into partial risk covered by other technology safety-related systems (e.g. mechanical), partial risk covered by E/E/PE safety-related systems, and partial risk covered by external risk reduction facilities (e.g. organizational).)
Figure 3-4 Risk consideration according IEC 61508
(Figure 3-5, picture not reproduced: proportional risk along the chain sensor (Bin. I / Anal. I) – logical operations – Bin. O – actuator; shares shown: 15 %, 1 %, 1 %.)
Figure 3-5 Profibus-DP, proportional risk
The risk reduction of a facility is achieved via a safety function provided by a safety-oriented electrical/electronic/programmable electronic system (E/E/PES) with a certain residual error probability (Safety Integrity). The contribution of the Profibus-DP to this residual error probability may be 1%. This means that the residual error probability of the DP bus, in conjunction with the ProfiSafe profile, shall be 100 times "better" than it is required in SIL3, for example.
Thus, the residual error probability of the other components involved in the safety control loop results as 99/100 of the value that is required in SIL. This assessment deals with balancing the individual implementation efforts.
According to [6], the following bit error probability values are valid for transmission systems including bus drivers (this chart originates from Dieter Conrad's book, "Datenkommunikation", 3rd edition).
Bit error probability p   Transmission system
> 10^-3                   Radio link
10^-4                     Unshielded telephone cable
10^-5                     Shielded, "twisted-pair" telephone cable
10^-6 - 10^-7             Digital telephone cable of Deutsche Telekom (ISDN)
10^-9                     Coaxial cable in locally delimited applications
10^-12                    Fiber optics cable transmission
Thus, the typical error frequency (bit error probability) on the shielded DP cable is less than or equal to 10^-5. The calculation of the profile, however, is based on the bit error rate of the "gray channel". The Hamming distance of the standard Profibus protocol is 4; this does not influence safe communication, however.
According to IEC 61508 [5], the following residual error rate values are permitted in the individual SIL stages:
SIL   Probability of a hazardous error per hour in uninterrupted operation mode
3     > 10^-8 ... < 10^-7
2     ≥ 10^-7 ... < 10^-6
1     ≥ 10^-6 ... < 10^-5
Thus, the required residual error rate of < 10^-9 /h results for the entire equipment within the range of the ProfiSafe profile for SIL3.
3.7 Relevant Standards and Directives
• General standards for systems with safety responsibility- IEC 61508 Base standard for safety-relevant electronic / programmable electronic systems- DIN V VDE 801 A1
• Principle of safe communication- prEN 50159-1/2 "Railway applications: Requirements for Safety-Related Communication in Closed /
Open Transmission Systems"
• Process engineering (chemistry, petrol)- IEC 61511 "... Safety instrumented Systems for the Process Industry"- VDI/VDE 2180 "Protection of process-engineering plants using process control means).- DIN V 19251 Instrumentation and control – MSR protective equipment, requirements and measures re-
lated to the safe function
• Fuel systems- prEN50156 "Electrical equipment of fuel systems ..." (burner control)
• Machine safety- EN / IEC 60204-1"Electrical equipment of industrial machines "
  - EN 60954-1 "Safety-related controller components"
• Position document
  - DKE-AK 226.03 dated 04-Jun-98 [4]
3.8 Error Cases That Shall Be Mastered
According to [4], the following transmission errors exist:
• Repetition
• Loss
• Insertion
• Incorrect sequence
• Corrupted process data
• Delay
• Interconnecting safety-relevant and standard messages (masquerade)
• Erroneous addressing (double, wrong)
It is within the responsibility of the profile described here to provide additional safety measures, over and above the means that already exist in Profibus, that permit the necessary residual error rate to be reached.
4 Functional Principle of Safe Communication
The above-mentioned measures for mastering failures are a significant component of the F profile. Due to the existing protective functions of the standard Profibus, only a selection of the measures listed in the position document DKE-AK 226.03 [4] is required. The measures shall be taken and monitored within one FailSafe unit.
(Figure 4-1, table not reproduced legibly; excerpt from the table of the position paper DKE-AK 226.03: the failures Repetition, Loss, Insertion, Incorrect Sequence, Corrupted Data, Delay, and Interconnecting of F and Standard Messages (Masquerade, incl. wrong and double addressing) are each marked against the measures Consecutive Number, Time expectation with acknowledge, Codename for sender and recipient, and Data Protection.)
Figure 4-1 Error mastering measures
4.1 F Message Structure
(Figure 4-2, picture not reproduced: standard message SD | LE | LEr | SD | DA | SA | FC | Data Unit | FCS | ED, with SD = 68H and ED = 16H, preceded by a sync time of 33 TBit; the Data Unit carries standard or failsafe process data, 1 ... 244 bytes; each character cell is 11 bits: start bit SB, character bits ZB0 ... ZB7, (even) parity bit PB, stop bit EB.)
TBit = Clock-Bit = 1 / Baudrate
SD = Start Delimiter (here SD2, var. data length)
LE = Length of Process Data
LEr = Repetition of Length; no check in FCS
DA = Destination Address
SA = Source Address
FC = Function Code (Message type)
Data Unit = Process Data, for Failsafe Process Data also, max. 244 Bytes
FCS = Frame Checking Sequence (across data within LE)
ED = End Delimiter
SB = Start-Bit
ZB0...7 = Character-Bit
PB = (even) Parity Bit
EB = Stop-Bit
Figure 4-2 DP frame structure (Process Data)
Figure 4-2 shows the frame structure of the single-channel PROFIBUS-DP communication that contains the F process data within its data unit, as well as the basic Profibus safety measures via parity and Frame Checking Sequence.
(Figure 4-3, picture not reproduced: within the max. 244 bytes of DP process data of a standard message frame, the F message consists of F process data (max. 12 resp. 122 bytes), the status/control byte (1 byte), the consecutive number (1 byte, source based counter) and CRC2 (2 / 4 bytes *), across F process data and F-parameter); the remaining standard process data amounts to 240 / 238 bytes minus F data.)
*) 2 Bytes for max. 12 Bytes F data; 4 Bytes for max. 122 Bytes F data.
Figure 4-3 Complete F message structure
A maximum of 128 bytes out of the maximum possible 244 bytes can be used for F process data. This is due to the limitation of the data consistency to a maximum of 64 words in the case of Profibus-DP (a maximum of 64 words can consistently be exchanged at any one time between the host and the bus master). CRC generation, however, requires a contiguous data area.
Two operational modes can be chosen by parametrization: few F process data up to 12 bytes together with a 16-bit CRC2 (2 bytes), or F process data up to 122 bytes together with a 32-bit CRC2 (4 bytes).
In addition, 4 (resp. 6) bytes in total are required: 1 byte for the status/control byte, 1 byte for the consecutive number, and 2 (resp. 4) bytes for the CRC2 code.
The F profile permits standard process data to be appended to the F message segment (F slaves only). In this case, the F slave needs one codename (F source-destination relationship) for the F process data area and another one for the standard process data area. The F modules in a modular slave only know F process data.
The following sections give a detailed description of the components of the F data structure.
4.1.1 F Process Data
The data of the safe I/O peripherals is accommodated in this frame section. The code corresponds to that of the standard Profibus. In the case of only a few F process data (up to 12 bytes) one should, for performance reasons, choose the 16-bit CRC by parametrization.
The appended standard process data is used, for example, in gateways to other safe field buses in order to be able to include standard I/O data in the transport via a single slave address.
Besides the compact slaves, there are modular slaves with F and standard I/O units and subaddresses. Their Profibus head-end station, which is considered a part of the "gray channel", is used for agreeing the structure of a "modular" message frame via the parametrization. In this case, F module process data may also be a part of the frame. The amount of data corresponds to the net amount of data in Profibus DP minus 4 or 6 bytes respectively. That means for a head-end station with m F modules a reduction of m times 4 or 6 bytes respectively.
(Figure 4-4, picture not reproduced: process data of a modular slave, Σ = 244 bytes, with a head station and I/O modules in slots 1 to 5 (Slot = Cfg-ID = Module); two of the modules are F modules, each adding 4/6 bytes of safety addenda.)
Figure 4-4 Modular slave with two F modules
Configuration supposes Slot = Cfg-ID = Module.
(Figure 4-5, picture not reproduced: for a compact slave the standard message carries the complete F message (F-I/O data, status/control byte, consecutive number, CRC signature) followed by "appended" standard data, and the acknowledgment message carries the safety addenda; for a modular slave the standard message (max. 244 bytes) carries standard module data and, per F module, a complete F message.)
Figure 4-5 Embedding the F I/O data of compact and modular slaves
4.1.2 Status/Control Byte
Bit7: tbd
Bit6: res
Bit5: res
Bit4: Failsafe values (FV) activated
Bit3: Communication failure: WD-timeout
Bit2: Communication failure: CRC or consecutive number
Bit1: Failure exists in F slave or F module
Bit0: F slave has new i-parameter values assigned
Figure 4-6 Status byte
The status byte is contained in each slave frame.
Bit 0 is set when the F slave has new parameter values assigned.
Bit 1 is set for at least two (2) message cycles if there is a malfunction in the F slave itself.
Bit 2 is set if the F slave recognizes an F communication failure, i.e. if the consecutive number is wrong or the data integrity is violated (CRC). This bit information enables the F host to count all erroneous messages within a defined time period T and to trigger a configured safe state of the system if the number exceeds a certain limit (maximum residual failure rate). See also chap. 4.11.1.
Bit 3 is set if the F slave recognizes an F communication failure, i.e. if the watchdog time in the F slave is exceeded.
Bit 4 is set if the F input slave is sending failsafe values (FV) or the F output slave has set FVs, respectively.
Bits 5, 6 are reserved (res).
Bit 7 can be defined according to the manufacturer's requirements (tbd).
Bit7: tbd
Bit6: tbd
Bit5 ... Bit1: res
Bit0: i-parameter assignment deblocked
Figure 4-7 Control byte
The control byte is sent with each DP master message frame.
Bit 0 is set if a parametrization request is detected or an F slave needs new i-parameters. In this case the system uses the failsafe values (FV).
Bits 1 to 5 are reserved (res).
Bits 6, 7 can be defined according to the manufacturer's requirements (tbd).
4.1.3 Consecutive Number
The consecutive number is used by the recipient for monitoring the "life" of the sender and the communication link. It is used in an acknowledgment mechanism for monitoring the propagation times between sender and recipient.
The value "0" is reserved for the first run. Thus, the consecutive number counts in cyclic mode from 1 ... 255, wrapping back to 1 at the end.
(Figure 4-8, picture not reproduced:
F host message to F output slave: output data (max. 12 / 122 bytes) | control byte (1 byte) | consecutive number (1 byte, counter within F host) | CRC2 (2 / 4 bytes, across F process data, control byte, F parameter)
Acknowledge, F output slave to F host: status byte (1 byte) | consecutive number (1 byte, taken from F host) | CRC2 (2 / 4 bytes, across status byte and F parameter) *)
F host message to F input slave: control byte (1 byte) | consecutive number (1 byte, counter within F host) | CRC2 (2 / 4 bytes, across control byte and F parameter)
Acknowledge, F input slave to F host: input data (max. 12 / 122 bytes) | status byte (1 byte) | consecutive number (1 byte, taken from F host) | CRC2 (2 / 4 bytes, across F process data, status byte, F parameter))
*) in mixed I/O slaves the acknowledge may contain F process data also
Figure 4-8 Consecutive number function
4.1.4 CRC Signature
Once the F parameters (source-destination relationship or codename, SIL, watchdog times, etc.) have been loaded, these identical parameters are employed in an identical procedure in the source and in the target for producing CRC1 keys (CRC1). The CRC1 key, the failsafe process data, and the status or control byte are used for producing another 2-byte / 4-byte CRC2 key (CRC2) in the source. The CRC1 key provides the initial value for the calculation of CRC2 that is transferred cyclically. In the target, the identical CRC key is generated and the keys are compared. The subsequent cyclic transfer only requires one CRC2 key comparison (which can be done very rapidly).
(Figure 4-9, picture not reproduced: F CPU (host) and F slave each hold identical individual device parameters (CRC3), the source and destination relationship, SIL and WD_Time; a 2-byte CRC1 across these F parameters, the "constant" portion, provides the initial value for CRC2; CRC2 (2 / 4 bytes) covers the "variable" portion, i.e. F process data (max. 12 / 122 bytes) and status/control byte (1 byte), and via CRC1 the i-parameters *), SIL, WD-time and source-destination relationship; the consecutive number (1 byte, source based counter) is optional and not covered by CRC2; within the destination: 1. CRC2 comparison, 2. diagnostics in case of discrepancy.)
*) including i parameters is optional
Figure 4-9 CRC generation
The CRC1 recalculations shall be executed once a day, i.e. within 24 h (maximum cycle time of self testing).
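As an added illustration of sections 4.1, 4.1.3 and 4.1.4 (not the profile's own code), the following Python builds and checks an F message in the layout of figure 4-3: F process data, status/control byte, consecutive number and CRC2, with CRC2 seeded by a CRC1 computed over the F-parameters. The generator polynomials, the serialisation of the F-parameters and the stretching of the 2-byte CRC1 in 32-bit mode are assumptions, since the profile text does not specify them.

```python
"""Illustrative ProfiSafe-style F message assembly and check (added example, not the
profile's normative code).  Layout per figure 4-3: F process data | status/control
byte | consecutive number | CRC2 (2 or 4 bytes).  CRC2 is seeded with CRC1, computed
over the F-parameters (codename, SIL, watchdog time), so a frame built under other
F-parameters fails the check even when its bytes arrive intact (masquerade, wrong
addressing).  Note that the F-parameters are shared configuration, not a secret:
this is an error-detection mechanism, not authentication."""
from dataclasses import dataclass

# Assumed polynomials: the profile does not publish its generator polynomials.
POLY16 = 0x1021        # CRC-16-CCITT
POLY32 = 0x04C11DB7    # CRC-32 (IEEE), non-reflected form


def crc(data: bytes, width: int, poly: int, init: int) -> int:
    """Plain MSB-first CRC of 'width' bits over 'data', starting from 'init'."""
    mask = (1 << width) - 1
    top = 1 << (width - 1)
    reg = init & mask
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    return reg


@dataclass(frozen=True)
class FParameters:
    codename: int      # 4-byte F host/slave 1:1 relationship (source-destination rel.)
    sil: int
    wd_time_ms: int
    crc_width: int     # 16 for up to 12 bytes of F data, 32 for up to 122 bytes


def crc1(params: FParameters) -> int:
    """2-byte CRC1 over the 'constant' F-parameter portion (figure 4-9).
    The byte layout of the parameters is an assumption."""
    blob = (params.codename.to_bytes(4, "big") + bytes([params.sil])
            + params.wd_time_ms.to_bytes(2, "big"))
    return crc(blob, 16, POLY16, 0xFFFF)


def max_f_data(params: FParameters) -> int:
    """Parametrized mode: 12 bytes with 16-bit CRC2, 122 bytes with 32-bit CRC2."""
    return 12 if params.crc_width == 16 else 122


def crc2(params: FParameters, process_data: bytes, sc_byte: int) -> int:
    """CRC2 over the 'variable' portion, seeded with CRC1.  The consecutive number is
    not covered (figure 4-9 marks it optional / not covered by CRC2)."""
    payload = process_data + bytes([sc_byte])
    seed = crc1(params)
    if params.crc_width == 16:
        return crc(payload, 16, POLY16, seed)
    # 32-bit mode: the 2-byte CRC1 is repeated to fill the 4-byte seed (assumption).
    return crc(payload, 32, POLY32, (seed << 16) | seed)


def build_f_message(params: FParameters, process_data: bytes,
                    sc_byte: int, consec: int) -> bytes:
    """Assemble the F message part of a DP data unit (sender side)."""
    if not 0 < len(process_data) <= max_f_data(params):
        raise ValueError("F process data exceeds the parametrized mode")
    if not 0 <= consec <= 255:
        raise ValueError("consecutive number is one byte")
    sig = crc2(params, process_data, sc_byte).to_bytes(params.crc_width // 8, "big")
    return process_data + bytes([sc_byte, consec]) + sig


def parse_f_message(params: FParameters, frame: bytes, f_data_len: int) -> dict:
    """Split a received frame and verify CRC2 with the receiver's own F-parameters."""
    n = params.crc_width // 8
    if len(frame) != f_data_len + 2 + n:
        raise ValueError("frame length does not match the parametrized layout")
    data = frame[:f_data_len]
    sc_byte, consec = frame[f_data_len], frame[f_data_len + 1]
    received = int.from_bytes(frame[f_data_len + 2:], "big")
    return {"data": data, "sc_byte": sc_byte, "consec": consec,
            "crc_ok": received == crc2(params, data, sc_byte)}


if __name__ == "__main__":
    # Constructed sample: an emergency-stop style 4-byte input image, codename 0x101.
    host = FParameters(codename=0x0000_0101, sil=3, wd_time_ms=200, crc_width=16)
    frame = build_f_message(host, b"\x01\x00\x00\x00", sc_byte=0x00, consec=7)
    print(parse_f_message(host, frame, 4)["crc_ok"])      # True
    # Same bytes checked under a different codename: CRC1 differs, CRC2 mismatches.
    other = FParameters(codename=0x0000_0202, sil=3, wd_time_ms=200, crc_width=16)
    print(parse_f_message(other, frame, 4)["crc_ok"])     # False
```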
4.1.5 Appended Standard User Data
With F slaves, the F profile permits standard user data to be appended to the F message part until the maximum frame length is reached. In this case, the F slave requires one codename (F source-destination relationship) for the F process data area and one for the standard process data area.
The appended standard process data is used, for example, in F gateways to other safe field buses in order to be able to include standard I/O data in the transport via a single slave address.
F modules in modular slaves only know F process data.
4.2 Regular F Communication
The following chapters deal with the "dynamics" of the ProfiSafe profile: first the start-up and cyclic behavior, later on the failure reactions.
4.2.1 Operational Behavior of F Host and F Slave
Figure 4-10 shows that each F input and each F output requires an F message frame management (F driver) in order to handle the ProfiSafe profile. The corresponding F host (F CPU) operates with an instance of an F message management (F driver) for each F input or F output respectively. The whole standard Profibus communication equipment between F drivers belongs to the "gray channel". The arrows indicate the cyclic data transport between the F drivers: the safety addenda (consecutive number, CRC, status/control byte) are transferred in addition to the F process data from the F input to the F CPU. As an acknowledgment, the F input merely receives the safety addenda (safety code).
(Figure 4-10, picture not reproduced: F input, F CPU and F output each contain an F driver; the F input sends process data + safety code to the F CPU and receives the safety code alone as acknowledgment, with DP slave, DP master and the bus in between forming the gray channel; the F CPU runs the failsafe control program using the F user interface with input and output data, and the F drivers carry out the "profile administration".)
Preconditions for an encapsulated transmission system:
• authorized access only
• known maximum number of communicating peers (F and standard)
• transmission media is known and well defined
Additional measures in a device in order to achieve a required SIL, e.g. for SIL3 a second microprocessor and compare facilities.
Figure 4-10 F communication structure
Accordingly, the F output receives the safety addenda in addition to the F process data, and uses them for acknowledgment.
(Figure 4-11, picture not reproduced: F driver instances for outputs and for inputs, one per codename *) created via parametrization, each exposing the signals FV activated, Fault, output/input values (process or failsafe (FV)) and operator acknowledgment (OA); a general release signal is common to all instances.)
*) codename = F host - slave 1:1 relationship
Figure 4-11 F User Interfaces of F driver instances
Message frame management and F parametrization of F host and F peripherals are tasks of the F drivers within the F CPU and the F slaves. Figure 4-11 shows the user interface at the failsafe control program level. There are several signals available to the programmer to manipulate failsafe processes according to the standards.
Codename: The F host – slave 1:1 relationship parameter (4 bytes) initiates an instance incl. CRC1.
Operator Acknowledgment (OA): By changing this signal from 0 to 1 the user is able to release a safety function after a fault reaction (failsafe control loop specific) via an F control program (type: boolean).
FV activated: This signal is available to F control programs and indicates that the outputs are set to failsafe values and the inputs are sending failsafe values due to a fault recognized by F host or F slave (type: boolean).
Fault: This signal is available to F control programs and indicates that the F host or F slave recognized any of these failures: timeout, CRC, consecutive Nr., slave malfunction (type: boolean). In any of these cases outputs are set to failsafe values and inputs are sending failsafe values as long as faults are recognized, until the OA signal releases the safety function.
General release: This signal is available to F control programs (type: boolean). Usage of process values instead of failsafe values is only possible once this signal turns from 0 to 1. It can be used for a general release of the safety system after startup.
Output and input values: During normal operation these are user defined process values.
The following figure 4-11 demonstrates how the F driver uses the underlying PROFIBUS-DP communications and some timing definitions. Meaning of the short arrows: in Profibus-DP, the DP master sends the frame more frequently to the slave than it receives it from the host (F-CPU).
(Figure 4-12, picture not reproduced: message sequence between F CPU and F output; the F CPU sends frames with consec. Nr. = n, n+1, n+2 once per CPU cycle time, the DP master repeats each frame once per DP cycle time, and the F output acknowledges with the same consec. Nr. = n, n+1; time monitors run on both sides.)
Figure 4-12 Monitoring the message transit time F-CPU ↔ F output
The main features of the operational behavior are listed below:
Startup (synchronization): To synchronize after a cold restart, new parametrization, or timeout of F input/F output, the F driver starts with the consecutive number "0". Next, the F-CPU increments the consecutive number in each call modulo 256, skipping the value 0. At the latest before the monitoring time is about to expire, F input/F output expects a message with a consecutive number that is incremented by 1. An F output does not supply any process value after it has received a consecutive number of 0.
F protocol cycle: F input/F output sends an F message frame with the same consecutive number (F protocol cycle) to acknowledge the reception of an F message from the F-CPU.
The F-CPU cycle shall not exceed the F protocol cycle (it may be shorter).
Time monitor (watchdog): Arrival of a new correct message frame at the F device within the watchdog time is monitored. This verification can be performed as often as necessary, but at least once at the end of the monitoring time interval. It is permitted and tolerated that one incorrect message frame (with faulty CRC code or where the consecutive number has been incremented by more than 1) arrives before a new correct frame is received. This means that this does not lead to a safe state error reaction. When the watchdog time expires, the related recipient switches over to a safe state.
The slowest Profibus DP cycle time may not be longer than half the monitoring time. The F-CPU cycle may be shorter than the monitoring time.
Monitoring the consecutive number: A new correct message frame is characterized by the fact that at least the consecutive number has been incremented by 1 and that either the entire rest of the F frame part is unchanged or has been changed faultlessly. This means that an incorrect change of the consecutive number by +1 is not recognized at once, but only after another DP cycle or F protocol cycle. This will then lead to a fault reaction.
Assuming two simultaneous faults, i.e. "failure of the F-CPU" and "incorrect incrementing" of the consecutive number, is not realistic. Neither is the case of simultaneous failures where a smart device in the gray channel continuously increments the consecutive number by +1 while the F-CPU has failed.
The simultaneous case "safety-oriented request" and "incorrect incrementing" of the consecutive number by +1 is discovered immediately with the request message and leads to the described fault reactions.
Frame repetition: A complete message frame repetition in the event that a new correct message frame has not been received inside the watchdog time interval is not supported.
SIL monitor: Every corrupted message (CRC and consecutive Nr. failure) is counted during a configurable monitor time period. The failsafe values are set whenever more than one such failure occurred. The cases where CRC=0 and the consecutive Nr.=0 shall not be counted; they cause the setting of the failsafe values instead.
Monitor time period (T): The monitor time period T is a constant value with the dimension hour (h) that results from the requested SIL and the configured CRC length (see chap. 4.11.1):
SIL   CRC      Length of process data   Time period (h)
3     16 Bit   < 16 Bytes               10
2     16 Bit   < 16 Bytes               1
3     32 Bit   < 128 Bytes              0.1
2     32 Bit   < 128 Bytes              0.01
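As an added illustration of the receiver-side rules in 4.2.1 (not the profile's own code), the following Python models an F receiver that applies the consecutive-number check, the watchdog, the one-tolerated-incorrect-frame rule and the SIL monitor with the time period T from the table above. Frames are fed in already decoded as (consecutive number, CRC2 ok) with a receive time; the three-cycle switch from FV to PV and the handling of the OA signal are modelled as assumptions.

```python
"""Receiver-side F driver monitoring per 4.2.1 (added example, not the profile's own
code).  Frames arrive already decoded as (consecutive number, CRC2 ok) plus a receive
time in seconds.  The class implements the consecutive-number check, the watchdog,
the rule that one incorrect frame before the next correct one is tolerated, the SIL
monitor with period T, and the FV / Fault / OA user signals.  The switch from FV to PV
after three correct frames and the OA handling are assumptions drawn from 4.2.1."""
from dataclasses import dataclass, field
from typing import List, Optional

# Monitor time period T in hours, keyed by (SIL, CRC width) exactly as in the table.
MONITOR_PERIOD_H = {(3, 16): 10.0, (2, 16): 1.0, (3, 32): 0.1, (2, 32): 0.01}


def next_consec(n: int) -> int:
    """Consecutive number runs 1..255 and wraps back to 1; 0 is reserved for start-up."""
    return 1 if n >= 255 else n + 1


@dataclass
class FReceiver:
    sil: int
    crc_width: int
    watchdog_s: float
    expected: int = 1                 # consecutive number that counts as 'new correct'
    good_since_sync: int = 0          # correct frames since the last Nr.=0 frame
    fv_active: bool = True            # 'FV activated': failsafe values in use
    fault: bool = False               # 'Fault': latched until operator acknowledgment
    last_good_t: Optional[float] = None
    error_times: List[float] = field(default_factory=list)

    def _period_s(self) -> float:
        return MONITOR_PERIOD_H[(self.sil, self.crc_width)] * 3600.0

    def _trip(self) -> None:
        """Fault reaction: failsafe values until the OA signal releases the function."""
        self.fault = True
        self.fv_active = True

    def check_watchdog(self, now: float) -> bool:
        """Call at least once per monitoring interval; True when the watchdog expired."""
        if self.last_good_t is None or now - self.last_good_t > self.watchdog_s:
            self._trip()
            return True
        return False

    def receive(self, now: float, consec: int, crc_ok: bool) -> bool:
        """Process one received frame; returns True only for a 'new correct' frame."""
        if consec == 0:
            # Start-up / resynchronisation: not counted by the SIL monitor, but the
            # receiver must use failsafe values until it is synchronised again.
            self.expected, self.good_since_sync = 1, 0
            self.fv_active, self.last_good_t = True, now
            return False
        if crc_ok and consec == self.expected:
            self.expected = next_consec(consec)
            self.last_good_t = now
            self.good_since_sync += 1
            if self.good_since_sync >= 3 and not self.fault:
                self.fv_active = False      # FV -> PV after 3 message cycles
            return True
        # Incorrect frame: bad CRC or consecutive number not incremented by exactly 1.
        # The watchdog rule tolerates one such frame before the next correct one, but
        # the SIL monitor counts it within T and trips on the second occurrence.
        self.error_times = [t for t in self.error_times if now - t <= self._period_s()]
        self.error_times.append(now)
        if len(self.error_times) > 1:
            self._trip()
        return False

    def operator_acknowledge(self) -> None:
        """OA signal 0 -> 1: release the safety function after a fault reaction."""
        self.fault = False
        self.good_since_sync = 0            # PV again only after three correct frames
        self.error_times.clear()


if __name__ == "__main__":
    # Constructed trace: SIL3, 16-bit CRC, 500 ms watchdog; one skipped number is
    # tolerated, then silence trips the watchdog.
    r = FReceiver(sil=3, crc_width=16, watchdog_s=0.5)
    for t, nr, ok in [(0.0, 0, True), (0.1, 1, True), (0.2, 2, True), (0.3, 3, True),
                      (0.4, 5, True), (0.5, 4, True)]:
        print(f"t={t:.1f} Nr={nr} new_correct={r.receive(t, nr, ok)} FV={r.fv_active}")
    print("watchdog expired:", r.check_watchdog(1.2), "fault:", r.fault)
```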
(Figure 4-13, diagram not reproduced: message exchange between F input and F-CPU, each side running its own time monitor; the frames carry consec. Nr. = m, m+1, m+2 in one direction and m, m+1 in the other.)
Figure 4-13 Monitoring the message transit time F input ↔ F-CPU
4.2.2 State Diagrams
The following chapter demonstrates the operational behavior of F host and F slave by means of interaction and state diagrams.
The figures show the interaction messages of F host and F slave during the start-up phase. Three phases are covered: both partners during start-up, the host temporarily switching power off, or the slave temporarily switching power off while its partner is still operating. The following figures inform about the states and the corresponding transitions. The states the respective F system passes through are represented by numbers within circles.
(Figure 4-14, sequence diagram not reproduced: Host Power On / Slave Power On. Host starts in state 1 with x=0 and initial values = 0 *), the slave in state 20 with initial values = 0 *) and x=FF. Exchange: failsafe values (FV), Nr.=0 from the host, FV, Nr.=0 from the slave; then PV (for output slaves), Nr.=1, 2, 3 ... from the host and PV (for input slaves), Nr.=1, 2, 3 ... from the slave, x=x+1 per message. Slave output: FV, FV, FV, then PV: switch from failsafe values (FV) to process values (PV) after 3 message cycles (slave responsibility). Host states 1 to 7, slave states 20 to 25 as in figures 4-18 and 4-19. *) Profibus DP behavior.)
Figure 4-14 Interaction F host / F slave during start-up
(Figure 4-15, sequence diagram not reproduced: Host power off → on while the slave is operating. The slave recognizes the timeout and sends FV; Nr.=n; Status=timeout, then FV (input); Status=timeout, cons.Nr., Nr.=0. The host restarts with x=0: FV, Nr.=0; FV (output), Nr.=1 / PV (input), Nr.=1; after OA=1 PV, Nr.=2 ..., x=x+1 per message. Slave output: FV, FV, FV, FV, then PV: switch from failsafe values (FV) to process values (PV) after 3 message cycles (slave responsibility). Host states 1 to 10, slave states 21 to 27.)
Figure 4-15 Interaction F host / F slave during Host Power Off → On
(Figure 4-16, sequence diagram not reproduced: Host operating, slave delayed power on. The host sends failsafe values (FV), Nr.=0, Nr.=1, Nr.=2 ..., x=x+1 per message, and recognizes timeout (states 8, 9) until the slave powers on (state 20). The slave answers FV (input), Status=cons. Nr., Nr.=n; the host sets x=n: FV (output), Nr.=n; FV, Nr.=n+1 / PV (input), Nr.=n+1; after OA=1 PV, Nr.=n+2 / PV (input), Nr.=n+2; PV, Nr.=n+3. Slave output: FV, FV, FV, FV, then PV: switch from failsafe values to process values after 3 message cycles. Host states 3 to 10, slave states 20 to 25.)
Figure 4-16 Interaction F host / F slave with delayed Power On
(Figure 4-17, sequence diagram not reproduced: Host operating, slave power off → on. Running exchange of process values (PV), Nr.=n; slave power off; the host sends failsafe values (FV), Nr.=n+1, Nr.=n+2 ..., recognizes timeout (states 8, 9) and waits 5 s (state 11). After slave power on (state 20) the slave answers FV (input), Status=cons. Nr., Nr.=n+3; the host sets x=n: FV (output), Nr.=n+3; FV, Nr.=n+4 / PV (input), Nr.=n+4; after OA=1 PV, Nr.=n+5 / PV (input), Nr.=n+5; PV, Nr.=n+6. Slave output: PV, FV, FV, FV, FV, then PV: switch from failsafe values to process values after 3 message cycles. Host states 5 to 11, slave states 20 to 25.)
Figure 4-17 Interaction F host / F slave during Slave Power Off → On
Legend:
- consecutive Nr. x: after 255 wrap over back to 1
- slave failure: Status Bit 1=1
- CRC, cons.Nr.: Status Bit 2=1
- timeout: Status Bit 3=1: slave reports timeout to host
- Host Timeout: host recognizes local timeout while awaiting slave acknowledgment
- store faults: persistent fault storage within host only (no slave persistence required)
- >> receive: consecutive Nr. changed
- << send: data ready for transport
- Ack: acknowledgment
- failsafe values: used instead of process values in case of hazardous event
- initial values: Status / Control Bits=0 during startup
- process values: values used in normal operation
- OA: operator acknowledgment (user-IF)
- user-IF: signals available at PLC program level
*) to cover Power Off settling time within the whole system
F host states (state diagram not reproduced):
1 Power On
2 Message prepared
3 Await Slave Ack
4 Slave Ack checked
5 Message prepared
6 Await Slave Ack
7 Slave Ack checked
8 Message prepared
9 Await Slave Ack
10 Slave Ack checked
11 Wait 5 s *)
State actions shown in the diagram: parametrization ok, configuration ok, faults checked, initial values=0; use failsafe values, set Control Byte, Nr.=x; use process values, set Control Byte, Nr.=x; use failsafe values, set Control Byte, store faults, Nr.=x; (get process values), get Status Byte; ignore initial values; indicate to user-IF.
Transition conditions shown in the diagram: << send; >> receive; ok; ( x=x+1 ); ok, Nr.=0; ( x=x+1 ); Host Timeout; ( x=x+1 ); slave failure, timeout, CRC, cons.Nr.; Nr.=0; ( x=x+1 ); slave failure, timeout, CRC, cons.Nr.; ( x=x+1 ); Nr.><0; ( x=0 ); faults before / during PowerOff; ( x=1 ); no fault before PowerOff; ( x=0 ); OA=1; ( x=x+1 ) OA=0.
Cycle groups: I startup cycles, II normal operation cycles, III failure remedy cycles.
Figure 4-18 F host states during interactions with the F slave
F slave states (state diagram not reproduced):
20 Power On
21 Await Message
22 Message checked
23 Ack prepared
24 Await Message
25 Message checked
26 Set FV (Use FV)
27 Ack prepared
Checks shown in the diagram: Nr.=x+1? (Nr.=0 or 1 permitted after FF); CRC, consec. Nr. ok / not ok; Slave Timeout; timeout **).
State actions shown in the diagram: start-up test ok, parametrization ok, configuration ok, initial values = 0; set (use) failsafe values, Status Bit 3=1, Slave Timeout, x=FF; set (get) process values, set failsafe values for first 3 ok-cycles *), set Status Bits 2 and 3=0; use current consec. Nr., set Status Byte; ignore initial values.
Transitions shown in the diagram: << send; >> receive.
Cycle groups: I startup / failure cycles, II normal operation cycles.
Legend:
- ( ) operations valid for input slave only
- __ operations valid for output slave only
- consecutive Nr. x: after 255 wrap over back to 1
- slave failure: Status Bit 1=1: slave reports internal failure
- CRC, cons.Nr.: Status Bit 2=1; slave reports CRC, cons.Nr. failure to host
- Slave Timeout: slave recognizes local timeout while awaiting host-acknowledgment
- Status Bit 3=1: slave reports timeout failure to host
- >> receive: consecutive Nr. changed
- << send: data ready for transport
- Ack: acknowledgment
- failsafe values: (FV) used instead of process values in case of hazardous event
- initial values: any F-message values=0 during startup (PROFIBUS-PDU)
- process values: (PV) values used in normal operation
- OA: operator acknowledgment (user-IF)
- user-IF: signals available at PLC program level
*) failsafe values shall be used during slave hardware failure and/or during the first three (3) cycles of normal operation (output slave only)
**) watch dog timer started after first message
Figure 4-19 F output (input) slave states
After Power On the output slave sets "0". Immediately after F parametrization it sets failsafe values.
After Power On the input slave sends "0". Immediately after F parametrization it sends process values.
(Figure 4-20, sequence diagram not reproduced: Host ↔ Slave exchange with Nr.=n; the host recognizes a CRC failure in the slave acknowledgment and sends failsafe values (FV); Nr.=n+1; after OA=1 process values (PV); Nr.=n+2, PV; Nr.=n+3, host counter x=n, x=x+1 per message. Slave output: PV, FV, FV, ..., PV. Host states 5 to 10, slave states 23 to 25.)
Figure 4-20 Interaction F host / F slave while host recognizes CRC failure
(Figure 4-21, sequence diagram not reproduced: Host sends process values (PV), Nr.=n, slave answers PV (input), Nr.=n; host PV (output), Nr.=n+1; the slave recognizes a CRC failure and answers FV; Status=CRC failure, Nr.=n+1; host FV (output), Nr.=n+2 / PV (input), Nr.=n+2; after OA=1 PV (output), Nr.=n+3 / PV (input), Nr.=n+3; PV (output), Nr.=n+4 ..., host counter x=n, x=x+1 per message. Slave output: PV, FV, FV, FV, FV, then PV: switch from failsafe values to process values after 3 message cycles. Host states 5 to 10, slave states 21 to 27.)
Figure 4-21 Interaction F host / F slave while slave recognizes CRC failure
4.3 Reaction in the Event of a Malfunction
4.3.1 Repetition
Quote: "The malfunction of a bus device causes old and obsolete messages to be repeated at the wrong time so that a recipient would dangerously be disturbed (e.g. guard door is reported closed although it has already been opened)."
Remedial action: The data in DP mode is transferred cyclically. Thus, an incorrect message that is inserted once will immediately be overwritten by a correct message. The delay of an emergency request that this can cause is one watchdog time.
4.3.2 Loss
Quote: "The malfunction of a bus device deletes a message (e.g. request for "safe operational stop")."
Remedial action: Lost information is discovered by the strict incrementing and monitoring of the consecutive number.
4.3.3 Insertion
Quote: "The malfunction of a bus device inserts a message (e.g. deselection of the "safe operational stop")."
Remedial action: Because the recipient strictly expects the next consecutive number in sequence, it discovers an inserted message.
4.3.4 Incorrect Sequence
Quote: "The malfunction of a bus device modifies the message sequence. Example: Prior to initiating the safe operational stop you want to select the safely reduced velocity. The machine will be running instead of being stopped when these messages are confused."
Remedial action: Because the recipient strictly expects the next consecutive number in sequence, it discovers any incorrect sequence.
4.3.5 Corruption of F Message Data
Quote: "The malfunction of a bus device or the transmission link corrupts messages."
Remedial action: The CRC2 code discovers a corruption of the data between sender and recipient.
(Figure 4-22, layout not reproduced: F parameter data [F parameter: F source-destination relationship, F WD time, etc.] | DP net data: F user data (m bytes) | status/control byte (1 byte) | CRC2 (2 / 4 bytes). The CRC2 is formed across F process data and F parameters.)
Figure 4-22 F parameter data and CRC
The CRC2 code is generated across the F parameters (including the F source-destination relationship) and across the F process data and the control/status byte. The source-destination relationship of F-CPU and F slave is defined in the configuration and retentively stored.
After a repair, the F address of an F device shall be restored / adjusted before F operation is resumed.
4.3.6 Delay
Quote: "1. The operational data exchange exceeds the capacity of the communication link. 2. A bus device causes an overload situation by simulating incorrect messages so that a service that belongs to the message is delayed or prevented."
Remedial action:
• Consecutive number in the sender data and in the acknowledgment data.
• Watchdog time in the respective recipient (watchdog time for F communication).
The watchdog time is a part of the whole safety time of the safety control loop. The total time guaranteed by the PES is the sum of the following time segments:
+ input delay of the F input slave (operation time)
+ watchdog time "F communication": F input ↔ F-CPU
+ scan rate or execution time in the F-CPU
+ watchdog time "F communication": F-CPU ↔ F output
+ output delay of the F output slave (operation time)
The ProfiSafe DP profile defines the meaning of the "F communication" watchdog time.
4.3.7 Interconnecting Safety-Relevant and Standard Messages (Masquerade)
Quote: "The malfunction of a bus device causes safety-relevant messages and non-safety-relevant messages to be mixed".
Remedial action: The data come from the correct sender and go to the correct recipient [authenticity]. This is guaranteed by the CRC2 signature across the F parameters (which include the F source-destination relationship).
Principle of safe addressing:
a) Detecting the interconnection of safety-relevant and non-safety-relevant messages is guaranteed by the fact that a standard device is not capable of creating an F message frame with the correct CRC2 and the correct consecutive number.
b) Detecting data from a different sender or for a different recipient is guaranteed by the fact that the F sender that belongs to the F source-destination relationship (codename) is the only one that generates exactly the matching CRC key expected by the F receiver. At the same time, the recipient employs this CRC key for implicitly checking the authenticity of the F sender address (since it was included in the CRC).
c) A retentive selection of the F address in the individual devices can be achieved through one of the following methods:
- Coding switch in the unit (the F slave address of compact slaves, for example)
- A one-time device parametrization by software, which requires a check whether the correct device has been addressed. This shall be repeated when a unit is replaced.
- Address mechanisms that are independent of Profibus-DP addressing.
Sabotage is not assumed.
4.4 F Parameter Structure
The parameter values of the Profibus devices on the "gray channel" are assigned according to the Profibus standard description, i.e. via GSD files from the Class 1 Profibus master (cyclic) or, with Profibus-PA, via DDL and class 2 master (acyclic). The F parameters that are additionally required for the F profile can be loaded via several alternative parametrization ways. Here is an overview:
• F_Device        Identification telling that the unit supports ProfiSafe (corresponds to command byte)
• F_S/D_Address   "Code word" between sender and recipient
• F_WD_Time       Watchdog time in the F unit (default in GSD: operation time of an F slave)
• F_Prm_Flag      Parameter word containing several parameters for the profile management
• F_Check_SeqNr   Including the consecutive number into the CRC2
• F_Check_iPar    Including individual F device parameter into the CRC1
• F_SIL           Check: configured = employed F device ?
• F_CRC_Length    CRC2 length
• F_Par_CRC       CRC1 across the F parameters
4.4.1 F_Device ( ProfiSafe Participant )
This parameter marks a unit as an F device that supports the ProfiSafe profile. It can also be used for distinguishing between safety-oriented and non-safety-oriented units. This parameter has to be distributed to the F component during startup. It corresponds to the command byte in the Prm-telegram.
4.4.2 F_Source/Destination_Address ( Codename, Password )
The addresses of the F components of a safety control loop (F input, F-CPU and F output) shall be unambiguous. Locally, each F device has the configured source-destination relationship of the safe communication link with its partner. It is retentively stored in the F devices, is a part of the F parameter set, and, consequently, is cyclically checked by the F profile. The F_S/D_Address parameters are logic address designations that can freely but unambiguously be assigned and are allocated to the Profibus addresses during the configuration (see chap. 4.3.7). The addresses 0 and 0FFFFh shall be excluded. The parameter consists of two parts, F module/slave and F host, each Unsigned 16.
4.4.3 F_WD_Time ( F Watchdog Time )
Locally, each F device maintains a configured F watchdog time for each source-destination relationship. The device starts this timer whenever it sends a safe message frame. The F watchdog time consists of at least four times the slowest DP cycle time (which results from the worst-case calculation of the entire configuration) plus two times the slower scan rate of the combination of the related sender and recipient. The configured value overwrites the default value within the GSD. It is encoded as follows: Unsigned 16; time base 1 ms. Remark: a manufacturer of an F device assigns the device operation time (scan rate) to the default value of the parameter F_WD_Time. An engineering tool will then be able to propose the necessary F watchdog times and to calculate the overall reaction times.
4.4.4 F_Prm_Flag ( Parameters for the Profile Management )
The chapters 4.4.5 up to 4.4.8 describe the details of the F_Prm_Flag parameter word. It has the following structure (bit 15 ... bit 0):
  bit 0          F_Check_SeqNr
  bit 1          F_Check_iPar
  bits 3, 2      F_SIL
  bits 5, 4      F_CRC_Length
  bits 13 ... 6  reserved
  bits 15, 14    Version No. of F parameter set
4.4.5 F_Check_SeqNr ( Consecutive Number in the CRC2 )
This parameter defines whether or not the consecutive number shall be included in the CRC2 key. The parameter is distributed to the F component during startup. It is encoded as follows: bit 0 of the parameter word "F_Prm_Flag":
  bit 0: 0 = no check, 1 = check
4.4.6 F_Check_iPar ( CRC1 including i-Parameters )
This parameter defines whether or not the CRC3 of the individual device parameters shall be included in the cyclic CRC2 key (see chap. 4.4.9). If "check" is selected, CRC1 is generated across the F-parameters first and then across the i-parameters including their CRC3. The parameter is distributed to the F component during startup.
It is encoded as follows: bit 1 of the parameter word "F_Prm_Flag":
  bit 1: 0 = no check, 1 = check
4.4.7 F_SIL (SIL Stage)
The F profile permits parallel operation of standard communication and safety-relevant communication. In the safety-relevant case, risk-related safety circuits with different SIL (Safety Integrity Level) stages are distinguished. The F devices are able to use this locally available information for checking the agreement of the SIL stage with the partner. If the configured SIL stage is higher than the one in the connected F unit, the "device failure" status bit is set and a safe state reaction is triggered. There are four different stages: 1, 2, 3, 4. It is encoded as follows: bits 2 and 3 of the parameter word "F_Prm_Flag":
  bits 3 2: 0 0 = SIL1, 0 1 = SIL2, 1 0 = SIL3, 1 1 = SIL4
4.4.8 F_CRC_Length (Length of the CRC2 Key)
Depending on the length of the F process data (12 or 122 bytes) and the SIL stage, a CRC of 2 or 4 bytes is required. This parameter transfers the expected length of the CRC2 key in the F message frame to the F component. The parameter depends on the slave/module and is distributed to the F components during startup. It is encoded as follows: bits 4 and 5 of the parameter word "F_Prm_Flag":
  bits 5 4: 0 0 = reserved, 0 1 = 2 Byte CRC, 1 0 = 4 Byte CRC, 1 1 = reserved
4.4.9 F_Par_CRC ( CRC1 across F-Parameters )
This CRC1 key is generated by the engineering tool across the F-parameters. The initial value for CRC1 is 0. The same 16 Bit CRC polynomial is used (14EABh). CRC1 is the initial value for the cyclic CRC2 computation. In case of the 32 Bit CRC polynomial (1F4ACFB13h) the initial value for CRC2 calculations is "0000xxxx", where xxxx=CRC1. It is encoded as: Unsigned 16.
4.4.10 Structure of the F Parameter Block (Prm telegram)
Block within Standard Prm Telegram:
  Field                 Value / Type
  Block-Length          14 - 234
  Command = 0x05        F_Parameter/F-Device
  Slot                  0 or slot of the F module
  Specifier             0
  F_Source_Add          Unsigned 16
  F_Dest_Add            Unsigned 16
  F_WD_Time             Unsigned 16
  F_Prm_Flag            Unsigned 16
  F_Par_CRC (=CRC1)     Unsigned 16
Labels in the figure: F_Prm-Block, F_Parameter (the five Unsigned 16 fields), End_F_Prm-Block.
Figure 4-23 F_Prm telegram
The figure shows the structure of the F parameter block within a standard Profibus Prm-Telegram. The byte ordering is according to standard Profibus. The following applies to modular slaves: for each F module, an F_Prm_Block is inserted in the Prm-Telegram. The allocation to the module can be established on the basis of the slot number.
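An added example (not part of the profile and not a vendor implementation) in Python that builds the F_Prm_Flag word of chap. 4.4.4 to 4.4.8, computes CRC1 across the F parameters with the 14EABh polynomial and uses it as the initial value of CRC2 over the process data and control/status byte (chap. 4.4.9), assembles the 14-byte F_Prm block of figure 4-23, and shows the safe-addressing effect of chap. 4.3.7: a recipient holding a different F source-destination relationship does not verify the frame. The MSB-first shift-register bit order, the big-endian field encoding, the exact byte range covered by CRC1 and the way the consecutive number enters CRC2 are assumptions of the example.

```python
import struct

# CRC generators given in chap. 4.4.9 of the profile: 14EABh (16 bit) and
# 1F4ACFB13h (32 bit); the leading 1 is the implicit x^16 / x^32 term and is
# dropped for the shift register below.
POLY16 = 0x4EAB
POLY32 = 0xF4ACFB13


def crc_msb_first(data: bytes, width: int, poly: int, init: int) -> int:
    """Plain shift-register CRC, MSB first, no reflection, no final XOR. The
    profile fixes polynomial and initial value only; this bit order is an
    assumption of the example."""
    top, mask = 1 << (width - 1), (1 << width) - 1
    crc = init & mask
    for byte in data:
        crc ^= byte << (width - 8)
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & mask if crc & top else (crc << 1) & mask
    return crc


def encode_f_prm_flag(check_seqnr: bool, check_ipar: bool, sil: int, crc_bytes: int) -> int:
    """F_Prm_Flag bits 0..5 (chap. 4.4.5 - 4.4.8); bits 6..15 are left 0."""
    if sil not in (1, 2, 3, 4) or crc_bytes not in (2, 4):
        raise ValueError("unsupported SIL stage or CRC2 length")
    return (int(check_seqnr)                       # bit 0: 1 = Nr. included in CRC2
            | int(check_ipar) << 1                 # bit 1: 1 = CRC3 included in CRC1
            | (sil - 1) << 2                       # bits 3,2: 00 = SIL1 ... 11 = SIL4
            | (1 if crc_bytes == 2 else 2) << 4)   # bits 5,4: 01 = 2 byte, 10 = 4 byte


def decode_f_prm_flag(flag: int) -> dict:
    """Inverse of encode_f_prm_flag; rejects the reserved F_CRC_Length codes."""
    crc_code = (flag >> 4) & 0b11
    if crc_code not in (1, 2):
        raise ValueError("reserved F_CRC_Length code")
    return {"check_seqnr": bool(flag & 1), "check_ipar": bool((flag >> 1) & 1),
            "sil": ((flag >> 2) & 0b11) + 1, "crc_bytes": 2 if crc_code == 1 else 4}


def f_parameters(src: int, dst: int, wd_time_ms: int, prm_flag: int) -> bytes:
    """F_Source_Add, F_Dest_Add, F_WD_Time, F_Prm_Flag as Unsigned 16, high byte
    first (Profibus byte order, assumed here). 0 and 0FFFFh are not valid addresses."""
    if src in (0, 0xFFFF) or dst in (0, 0xFFFF):
        raise ValueError("F addresses 0 and 0FFFFh are excluded")
    return struct.pack(">HHHH", src, dst, wd_time_ms, prm_flag)


def f_par_crc(params: bytes) -> int:
    """CRC1 across the F-parameters, initial value 0 (chap. 4.4.9)."""
    return crc_msb_first(params, 16, POLY16, 0)


def build_f_prm_block(slot: int, src: int, dst: int, wd_time_ms: int, prm_flag: int) -> bytes:
    """F_Prm block of figure 4-23: Block-Length, Command 0x05, Slot, Specifier 0,
    the four Unsigned 16 F parameters and F_Par_CRC (=CRC1): 14 bytes."""
    params = f_parameters(src, dst, wd_time_ms, prm_flag)
    body = bytes([0x05, slot, 0]) + params + struct.pack(">H", f_par_crc(params))
    return bytes([len(body) + 1]) + body


def crc2(process_data: bytes, ctrl_status: int, cons_nr: int, crc1: int, prm_flag: int) -> int:
    """Cyclic CRC2 over F process data and control/status byte, CRC1 as initial
    value ("0000xxxx" for the 32-bit CRC). With F_Check_SeqNr the consecutive
    number is covered too; appending it as one byte is an assumption."""
    cfg = decode_f_prm_flag(prm_flag)
    data = process_data + bytes([ctrl_status])
    if cfg["check_seqnr"]:
        data += bytes([cons_nr])
    if cfg["crc_bytes"] == 2:
        return crc_msb_first(data, 16, POLY16, crc1)
    return crc_msb_first(data, 32, POLY32, crc1 & 0xFFFF)


def receiver_accepts(process_data: bytes, ctrl_status: int, cons_nr: int,
                     received_crc2: int, own_params: bytes, prm_flag: int) -> bool:
    """Safe addressing (chap. 4.3.7): the recipient verifies CRC2 with the CRC1 of
    its own retentively stored F parameters, so a frame built under another
    source-destination relationship (codename) does not verify."""
    expected = crc2(process_data, ctrl_status, cons_nr, f_par_crc(own_params), prm_flag)
    return expected == received_crc2
```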
4.4.11 F Data Fraction
Standard process data can be appended to an F message frame. For compact F slaves, this is achieved by allocating a separate module identification. F modules in modular slaves are not able to support this mechanism.
4.4.12 i-Parameter (individual F-Device Parameters)
F peripherals are increasingly provided with smart functions that require extensive parameter values to be assigned. In particular in the event of a device replacement it is expedient to load these parameters directly via the bus on the standard path. These parameter records usually exceed the range of the GSD data (a laser scanner with approximately 1 kB per protection zone leads to an overall quantity of up to 90 kB), and so the ProfiSafe directives provide additional mechanisms.
The following figure shows a proposal for the protection of large amounts of individual F device parameters. The F source/destination relationship (codename) allows checking of delivery to the configured recipient, and the CRC keys allow checking of the i-parameter integrity using the same CRC polynomial as with the F-parameters (14EABh). A special procedure shall be used for ensuring the data integrity between the i-parameters within the destination and within the source. See section "CRC Signature".
The requirements for more flexibility in today's manufacturing areas can be met by recipe programs via program-controlled dynamic i-parameter assignments. Thus several different sets of e.g. coordinates for detection zones of laser scanners ("blanking") can be assigned one after the other (Fig. 4-25). The identification number of the actual i-parameter set shall be communicated cyclically within the F process data.
The F host system should provide mechanisms ("read data set") to acquire e.g. detection zone coordinates via teach-in into the F host itself or into an engineering tool.
(Figure 4-24, layout not reproduced: header with source / destination address, number of data sets, ident Nr. of the i-parameter (e.g. detect. zone); data set n: i-parameter + 2-byte-CRC across data set n; data set n+1: i-parameter + 2-byte-CRC across data set n+1; ... data set n+m; finally 2-byte-total-CRC = CRC3. Max. 8 data sets à 244 bytes, with PA à max. 40 bytes recomm.)
Figure 4-24 Safety of individual device parameters
(Figure 4-25, diagram not reproduced: Engineering Tool with GSD1..GSD n and the F user program (IEC 1131-3) holding detection zone 1 (DBx) and detection zone 2 (DBy), written via the System-API "Write_Data"; DP-Master with GSD; F-Host / PLC receiving Prm + DPV1, C1 (data sets): F-Parameter (SIL, WD_time, etc.) and i-Parameter (individual device parameter). Acquiring of i-parameter via teach-in possible.)
Figure 4-25 Dynamic i-parameter sets
4.5 F-Parametrization
ProfiSafe provides scaled methods for the i-parameter supply of F devices because of the different handling of field devices within the manufacturing and the process industries.
4.5.1 F-Parametrization Tools
The discussion of use cases yielded the following F system requirements and the resulting subsets for integrated and for separate F parameter assignment tools, respectively:
1. Swift unit replacement and automatic reparametrization are mandatory in manufacturing industries. Not all customers will accept memory cards that contain the parameters. They request adequate programming facilities at the parametrization tool, or the customer shall put the equipment on the desk for parameter value assignment.
2. Individual parametrization software for each manufacturer or unit cannot be accepted. Parameter value profiles and/or templates shall be defined for each device class and be certified by the PNO. For more complex and special parameters, the general-purpose parametrization tool shall provide a "plug-in" interface for the device manufacturers that permits the specific (e.g. graphical) acquisition of the device parameters. However, these parameters shall be supplied to the general-purpose parametrization tool in a standardized form (GSD, DDL, XML?). See Figure 4-26.
3. An F parametrization tool shall be able to calculate worst case reaction times of safety control loops.
4. A general-purpose parametrization tool on the Profibus shall be able to load parameters across network hierarchies into a host (manufacturing industries) and/or into field devices (process industries). This requires a separate user interface to exist. A "service interface" shall be provided for tooling machine or plant manufacturers for their own visualization software invoking basic Profibus/ProfiSafe service functions.
5. All parameters shall be available from a common archive. It shall be possible to lock accidental incorrect loading of parameters by service personnel.
6. Four different roles can be seen and the corresponding access locking (e.g. by passwords) is required:
– Operator
– Service (unit replacement)
– Authorized customer (program modifications)
– Device manufacturer (device data that is only accessible to the manufacturer provides information about unauthorized utilization and unjustified claims of recourse)
7. A change log shall record each and every change in program and parameter value assignment.
Remark: It is mandatory to take the appropriate measures against all kinds of faults during acquisition, manipulation and transport of the F- and i-parameters. It is not the task of the ProfiSafe directives to provide a complete list of measures and their assessment. Please see the appendix 6.1 for further hints.
(Figure 4-26, diagram not reproduced: device description paths in Profibus: GSD and DDL (Interpreter from PNO), COM-SS/ActiveX, DTM (Device Type Manager with Type Instancies/Proxies in a Field Device Tool), XML (Internet).)
Figure 4-26 Standard device parameter in Profibus
4.5.2 GSD Structure
Essentially there is only one additional keyword "F_Device_Supp" necessary within a GSD structure. This keyword needs to be inserted twice in the GSD file of a compact or modular F slave:
- first as a general keyword to distinguish a safety related slave from a standard slave,
- additionally in each F module.
With the help of this keyword a special F configuration module (F control) inside the engineering tool may be launched.
ProfiSafe recommends the usage of the keyword "Prm_Structure_Supp" in order to indicate that the F slave is expecting a block structure within an F-Prm-Telegram (details to be published by other working groups). The structure of a typical GSD file for an F device can be seen in appendix 6.3. There is a special agreement for the F parameter "F_WD_Time". Since this parameter is contained in the Prm-block of an F module and is described by a default value and a range, this default value is defined as the operation time of the F slave. The F configuration tool can use the value as the basis for the calculation of the F watchdog time and the overall reaction time. The manufacturer of an F device is usually the provider of the default value via the corresponding GSD file.
Excerpt from the GSD file of an F device:
; User_Prm_Data-Definition 8
ExtUserPrmData=8 "F_WD_Time" ; reference number 8
Unsigned16 3 0-65535 ; time base=1ms; default (operation time)=3ms; max=65.5s
EndExtUserPrmData
End of excerpt from GSD file...
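An added example (not from the profile or from any GSD tool) in Python that reads the F_WD_Time definition from a GSD excerpt like the one above and applies the engineering-tool rules of the profile: the F_WD_Time formula of chap. 4.4.3, the half-watchdog limit on the slowest DP cycle of chap. 4.2, and the reaction-time sum of chap. 4.3.6. The GSD text is a constructed copy, the "F_Device_Supp = 1" line is an assumed rendering of that keyword, and the regex-based parser is a simplification covering only the ExtUserPrmData form shown.

```python
import re

# Constructed GSD excerpt, modelled on the F_WD_Time definition quoted in
# chapter 4.5.2; the "F_Device_Supp = 1" line is an assumed rendering of the
# keyword, not taken from a real GSD file.
GSD_EXCERPT = """\
#Profibus_DP
F_Device_Supp = 1
; User_Prm_Data-Definition 8
ExtUserPrmData=8 "F_WD_Time" ; reference number 8
Unsigned16 3 0-65535 ; time base=1ms; default (operation time)=3ms; max=65.5s
EndExtUserPrmData
"""


def parse_gsd_excerpt(text: str) -> dict:
    """Return the plain keywords and the ExtUserPrmData definitions of a GSD
    text as {"keywords": {...}, "prm": {name: {ref, type, default, range}}}.
    Everything after ';' is a comment; '#' lines are section markers."""
    keywords, prm, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'ExtUserPrmData\s*=\s*(\d+)\s+"([^"]+)"$', line)
        if m:
            current = (int(m.group(1)), m.group(2))
            continue
        if line == "EndExtUserPrmData":
            current = None
            continue
        if current:
            # type, default value, low-high range (e.g. "Unsigned16 3 0-65535")
            m = re.match(r"(\w+)\s+(\d+)\s+(\d+)-(\d+)$", line)
            if not m:
                raise ValueError("unexpected ExtUserPrmData line: " + line)
            ref, name = current
            prm[name] = {"ref": ref, "type": m.group(1), "default": int(m.group(2)),
                         "range": (int(m.group(3)), int(m.group(4)))}
        else:
            key, _, value = line.partition("=")
            keywords[key.strip()] = value.strip()
    return {"keywords": keywords, "prm": prm}


def propose_f_wd_time(slowest_dp_cycle_ms: int, slave_op_time_ms: int, host_scan_ms: int) -> int:
    """Chapter 4.4.3: at least four times the slowest DP cycle time plus two
    times the slower scan rate of sender and recipient (1 ms time base). The
    slave operation time is the GSD default of F_WD_Time."""
    return 4 * slowest_dp_cycle_ms + 2 * max(slave_op_time_ms, host_scan_ms)


def f_wd_time_ok(wd_ms: int, slowest_dp_cycle_ms: int, prm_range: tuple) -> bool:
    """The value must fit the GSD range (Unsigned16) and the slowest DP cycle
    may not be longer than half the monitoring time (chapter 4.2)."""
    low, high = prm_range
    return low <= wd_ms <= high and 2 * slowest_dp_cycle_ms <= wd_ms


def total_reaction_time(in_delay: int, wd_in: int, cpu_scan: int, wd_out: int, out_delay: int) -> int:
    """Chapter 4.3.6: time guaranteed by the PES is the sum of input delay,
    watchdog F input <-> F-CPU, F-CPU scan, watchdog F-CPU <-> F output and
    output delay."""
    return in_delay + wd_in + cpu_scan + wd_out + out_delay
```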
4.5.3 F-Parameter Assignment Paths
(Figure 4-27, diagram not reproduced: the engineering tool (GSD1..GSD n) completes the F parameter, e.g. F_WD_Time; the DP-Master (GSD) sends the Prm-Telegram with F-Parameter (SIL, WD_time, etc.) to the F-Host, which holds F param., F-driver and F-Address. Domains: Profibus Standard, Host Manufacturer, Profibus Standard.)
Figure 4-27 F-parameter assignment for simple F slaves
Simple slaves can be supplied via the standard Prm-Telegram path described in the following chapters. The total amount of F parameters hereby cannot exceed the upper limit of 234 bytes.
(Figure 4-28, diagram not reproduced: Engineering Tool (GSD1..GSD n, App1, App2, ..App n, Plug-In-SW e.g. graphical acquisition of coordinates, change log) and a universal parameter assignment tool with service-IF for visualization-SW (GSD.., DDL, connected e.g. via RS232); DP-Master (GSD, Prm); F-Host / PLC supplied via DPV1, C2 (data sets) and Prm + DPV1, C1 (data sets) with F-Parameter (SIL, WD_time, etc.) and i-Parameter (individual device parameter).)
Figure 4-28 F-parameter assignment for complex F slaves
For complex devices a decision shall be made whether an automatic startup assignment is requested or a separate assignment from a parametrization tool. In each case the F host shall deblock the assignment (see chap. 4.5.4), which is only permitted if there is no hazardous process state.
Basically, two ways are possible:
• Startup parameter value assignment from a class 1 (cyclic or acyclic) Profibus master
• Startup parameter value assignment by a class 2 master (acyclic through, e.g., PG/ES or PC)
4.6 F-Startup Coordination
The F-startup that is embedded into the Profibus standard startup is described here.
4.6.1 Standard Startup (F Slave State Machine)
F-Slave incl. DP-Slave (state machine, diagram not reproduced):
- Power_On → Wait_Prm; entry: Set_Slave_Add; on Telegram: Slave_Diag, Get_Cfg
- Set_Prm → Wait_Cfg; entry: Set_Parameter; on Telegram: Slave_Diag, Get_Cfg (Set_Prm --> not ok returns to Wait_Prm)
- Chk_Cfg → Data_Exch; entry: Chk_Cfg; on Telegram: Write_Data, Read_Data, Slave_Diag, Get_Cfg, Command, Global_Cntrl (Chk_Cfg --> not ok returns to Wait_Prm)
Mandatory telegram: Slave_Diag. Prm-Telegram incl. F-Parameter.
1. Config.-Telegram defines the In-/Output bytes
2. Diagnostic request (here the F slave may request new param. assignment)
3. Cyclic operation
i-parameter assignment via Write_Data / Read_Data. F-Slave state 20: ready (see fig 4-15 and 4-17).
Figure 4-29 Startup coordination with F parameters
After Power-On an F slave switches into the state "Wait_Prm", where it is possible to assign an address by software. The transition into the state "Wait_Cfg" is initiated by a Prm telegram "Set Parameter" that in our case also contains the F parameters. By means of a "Chk_Cfg" telegram the F DP slave receives the information how to configure the inputs and outputs, and with successful assignment it transits to the state "Data_Exch" and waits for cyclic data exchange with its DP master. Within each of the states status requests are permitted at any time ("on Telegram" = per telegram request "Slave_Diag") [10].
4.6.2 Parameter Assignment Deblocking
Due to a diagnosis message of the F slave that needs additional i-parameters, or per external request, the F host sets bit 0 ("parameter assignment deblocked") within the control byte of its next message. The F slave then receives the i-parameters data set by data set via Write-Data commands and acknowledges at the end by setting bit 0 ("F slave has new i-parameter values assigned") within the status byte of its next message.
Remark: Deblocking is only permitted if there is no hazardous process state.
[Figure 4-30: timeline between F-Modul and F-CPU/Host: assignment request --> assignment deblocked --> assigned and initialized --> assignment acknowledged --> synchronized; cyclic safe operation.]
Figure 4-30 Parameter assignment deblocking by the F host
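The handshake of chapter 4.6.2, modelled on both sides in C as an added example (this is not the profile's or any vendor's code). It uses only the two bits the profile names, bit 0 of the control byte and bit 0 of the status byte; the hazard flag as an input, the data-set length of 4 bytes, the limit of 8 data sets and the constructed i-parameter values are assumptions of this example.

```c
/* Parameter assignment deblocking (chap. 4.6.2), host and slave side.
 * Added example; data-set size, data-set limit and the hazard flag are
 * assumptions of this example, not values from the profile. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define CTRL_PRM_DEBLOCKED 0x01u  /* control byte bit 0: "parameter assignment deblocked" */
#define STAT_IPAR_ASSIGNED 0x01u  /* status byte bit 0: "F slave has new i-parameter values assigned" */
#define MAX_DATASETS 8            /* assumption of this example */
#define DATASET_LEN  4            /* assumption of this example */

typedef struct { uint8_t control; } f_host;

typedef struct {
    uint8_t  status;
    bool     deblocked;
    uint8_t  datasets[MAX_DATASETS][DATASET_LEN];
    unsigned received;
} f_slave;

/* Host: react to a Slave_Diag "i-parameter missing" or an external request,
 * but never deblock while the process is in a hazardous state. */
bool host_deblock(f_host *h, bool request, bool hazardous) {
    if (!request || hazardous) {
        h->control &= (uint8_t)~CTRL_PRM_DEBLOCKED;
        return false;
    }
    h->control |= CTRL_PRM_DEBLOCKED;
    return true;
}

/* Slave: evaluate the control byte of the host's next message. */
void slave_on_control(f_slave *s, uint8_t control) {
    s->deblocked = (control & CTRL_PRM_DEBLOCKED) != 0;
}

/* Slave: Write-Data of data set n is refused unless assignment is deblocked. */
bool slave_write_dataset(f_slave *s, unsigned n, const uint8_t *data) {
    if (!s->deblocked || n >= MAX_DATASETS) return false;
    memcpy(s->datasets[n], data, DATASET_LEN);
    if (n + 1 > s->received) s->received = n + 1;
    return true;
}

/* Slave: after the last data set, acknowledge in the status byte. */
void slave_finish_assignment(f_slave *s) {
    if (s->deblocked) s->status |= STAT_IPAR_ASSIGNED;
}

/* Host: on the acknowledgment, lock assignment again via the control byte. */
bool host_on_status(f_host *h, uint8_t status) {
    if (status & STAT_IPAR_ASSIGNED) {
        h->control &= (uint8_t)~CTRL_PRM_DEBLOCKED;
        return true;
    }
    return false;
}

/* Whole exchange with constructed data sets. Returns the number of data sets
 * the slave accepted; 0 when deblocking was refused. */
unsigned run_assignment(bool hazardous, unsigned n_datasets) {
    f_host h = { 0 };
    f_slave s = { 0 };
    uint8_t set[DATASET_LEN] = { 0xA5, 0x5A, 0x00, 0x00 };  /* constructed i-parameter data */
    unsigned accepted = 0;

    host_deblock(&h, true, hazardous);      /* slave reported "i-parameter missing" */
    slave_on_control(&s, h.control);
    for (unsigned n = 0; n < n_datasets; n++) {
        set[3] = (uint8_t)n;
        if (slave_write_dataset(&s, n, set)) accepted++;
    }
    slave_finish_assignment(&s);            /* status byte bit 0 */
    host_on_status(&h, s.status);           /* host locks again */
    slave_on_control(&s, h.control);
    if (slave_write_dataset(&s, 0, set)) accepted = 0;  /* a late write must be refused */
    return accepted;
}
```

The point of the model is the ordering: the slave never stores a data set while the host's control byte shows assignment locked, and the host clears the deblocking bit as soon as the acknowledgment arrives, so a Write-Data arriving after the acknowledgment is refused.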
4.6.3 Interaction Diagrams for Parameter Assignments
[Figure 4-31: interaction diagram with the participants Engineering Tool (S1), F-Host (S2), DP-Master (S3) and F-Slave incl. DP-Slave (S4).
1: parameters in GSD file: F-parameters; i-parameters as data sets with CRC3; "global" CRC1
2: DP-Master supply: Prm data with CRC1; config data (addresses adjusted: F + standard)
3: memory management
4: F-Host supply: F driver data; i-parameters
5: Prm-Telegram with F-parameter block incl. CRC1
6: Config-Telegram
7: Slave_Diag: i-parameter missing
8: i-parameter assignment deblocked (control byte)
9: F acknowledgement with CRC2
10: i-parameter: write data set n (additional data sets up to n+m)
11: i-parameter: read data set n (opt.)
12: i-parameter acknowledgement (status byte); i-parameter assignment, i-parameters stored in F host
13: F message with CRC2; assignment locking via control byte
14: F acknowledgement with CRC2; cyclic operation]
Figure 4-31 Assigning "static" i-parameter from F host
[Figure 4-32: interaction diagram with the participants Engineering-Tool (S1), F-Host (S2), DP-Master (S3) and F-Slave incl. DP-Slave (S4).
1: parameters in GSD file; F-parameters with CRC1
2: DP-Master supply: Prm data with CRC1; config data (addresses adjusted: F + standard)
3: memory management
4: F-Host supply: F driver data
5: Prm-Telegram (F-parameter block with CRC1); startup Profibus-DP
6: Config-Telegram
7: i-parameter: write data set n (initial parameter assignment: i-parameters with CRC3; teach-in via read back; additional data sets up to n+m)
8: i-parameter: read data set n
9: F message with CRC2; cyclic operation; assignment locking via control byte
10: F acknowledgement with CRC2
11: i-parameter external request
12: i-parameter assignment deblocked (control byte)
13: F acknowledgement with CRC2
14: i-parameter: write data set n (new i-parameter assignment: i-parameters with CRC3; additional data sets up to n+m)
15: i-parameter: read data set n
16: i-parameter acknowledgement (status byte)
17: F message with CRC2; assignment locking via control byte
18: F acknowledgement with CRC2; cyclic operation]
Figure 4-32 Assigning "dynamic" i-parameter from operator level
4.7 Safe Alarm Generation
Due to swift polling in the user program, the speed of determining modifications of the F process data and the CRC is satisfactory. There is no safety-related utilization of the alarm of the Profibus protocol.
4.8 Diagnosis
The safe diagnosis of F slave and communication failures is possible via the status byte. The F host provides means to count the number of reported erroneous communication messages during configurable time periods and supports monitoring of that number. If configurable upper limits are exceeded, the safe control loop switches to a safe state.
Every standard diagnostic option of standard Profibus is possible.
4.9 F Module Commissioning / Repair Behavior
F modules can be replaced while the system is running. Restart of the corresponding safety control loop is only permitted if there is no hazardous process state.
4.10 Reaction Times
The time between the "electrical" recognition of an emergency request and the "electrical" initiation of the safety reaction is relevant in safety technique. This response time consists of several individual time values, including the bus transfer times.
[Figure 4-33: Reaction times. Chain: Input module --> DP-Slave --> DP-Master --> F-CPU --> DP-Master --> DP-Slave --> Output module, with the individual times 1 ms, 2 ms, 5 ms, 2 ms, 1 ms.
(1 ms + 2 ms + 5 ms + 2 ms + 1 ms) x 2 = 22 ms
Constraints:
• e.g. station failure / station recovery / acyclic services
• 1 operator panel / 1 programmer / 1 repetition
• 10 slaves with 18 byte input + 18 byte output (2 may fail)
• 12 Mbaud
• 720 input + 720 output
• 240 F-input + 240 F-output]
Figure 4-33 Reaction times
+ input delay of the F input slave (operation time)
+ watchdog time "F communication": F input <-> F-CPU
+ scan rate or execution time in the F-CPU
+ watchdog time "F communication": F-CPU <-> F output
+ output delay of the F output slave (operation time)
Compared with the standard, the safety profile requires additional execution time (F driver). The fact that a standard slave can extend the DP cycle time in the event of a failure shall also be taken into account.
DESINA requirement: a 5 ms "single" bus transfer time is achieved.
4.11 Probabilistic Considerations
4.11.1 Calculations
[Figure 4-34: residual error rate over bit error rate, calculated for: input bytes of the slave = 10, output bytes of the slave = 10, cycle time = 2 ms. Legend: assumed max. bit error rate of Profibus = $10^{-4}$ (from IEC 870-5-1).]
Figure 4-34 Residual error rates
To EN50159-1 and IEC61508, the following applies to SIL3:
$R_{DP} = R_{HW} + R_{EMI} + R_{TC} < 10^{-9}/h$
The three terms are calculated as follows:
$R_{HW}(\text{hardware failure}) = (\lambda_{HWF} \cdot x_1 + \lambda_{HWS} \cdot x_2) \cdot P_{US}$
$\lambda_{HWF}$ = failure probability of the HW of the 2 currently communicating F devices
$\lambda_{HWS}$ = failure probability of the HW of the max. 120 currently not communicating devices
$x_1$ = fraction (0...1) of the hazardous faults in the involved components
$x_2$ = fraction (0...1) of the hazardous faults by the components that are not involved
$P_{US}$ = max. residual error probability for 16/32-bit CRC, at a bit error rate of 0 ... 0.5
See chapter 4.11.2 "Operational Reliability of the Standard Profibus Components".
$R_{EMI}(\text{EMI impact}) = f_W \cdot P_{UB} \cdot P_{US}$
$f_W$ = frequency of corrupted messages on the transmission system
$P_{UB}$ = residual error probability for Profibus-DP at a bit error rate of $10^{-4}$ (EN60870-5-1)
$P_{US}$ = max. residual error probability for 16/32-bit CRC, at a bit error rate of 0 ... 0.5
To EN50159-1 this term is valid if safety code (ProfiSafeCode) and transmission code (BusCode) are independent. The probabilities of both data integrity check mechanisms, parity and frame checking sequence from standard Profibus (HD=4) and CRC from ProfiSafe, can be treated as independent since computer simulations did not show any significant "filter gaps".
Furthermore, according to EN50159-1 the "properness" of the used CRC polynomials has to be proven. This requires calculation of the residual error rate (Pue) as a function of the bit error rate (epsilon) for a given polynomial, here for the 16-bit version (14EABh) as well as for the 32-bit version (1F4ACFB13h). A polynomial will be assessed "proper" if there is no significant "humpback" in the curve with increasing bit error rate, i.e. if it rises monotonically.
The following figures show the diagrams for the 16-bit polynomial:
Properness for 4 bytes of data:
[Diagram: Pue over epsilon (0.00001 ... 0.1), Pue from $10^{-29}$ to $10^{-9}$; g = 16^^14eab, n = 32]
Properness for 8 bytes of data:
[Diagram: Pue over epsilon (0.00001 ... 0.1), Pue from $10^{-27}$ to $10^{-7}$; g = 16^^14eab, n = 64]
Properness for 12 bytes of data:
[Diagram: Pue over epsilon (0.00001 ... 0.1), Pue from $10^{-26}$ to $10^{-6}$; g = 16^^14eab, n = 96]
Properness for 16 bytes of data:
[Diagram: Pue over epsilon (0.00001 ... 0.1), Pue from $10^{-25}$ to $10^{-5}$; g = 16^^14eab, n = 128]
In contrast, a polynomial (199999331h) with worse properness:
[Diagram: Pue over epsilon (0.0005 ... 0.1), Pue from $10^{-12}$ to $10^{-9}$, with a visible humpback; g = 16^^199999331, n = 1056]
The following figures show the diagrams for the 32-bit polynomial:
Properness for 52 bytes of data:
[Diagram: Pue over epsilon (0.00001 ... 0.1), Pue from $10^{-27}$ to $10^{-12}$; g = 16^^1f4acfb13, n = 416]
Properness for 132 bytes of data:
[Diagram: Pue over epsilon (0.00001 ... 0.1), Pue from $10^{-24}$ to $10^{-12}$; g = 16^^1f4acfb13, n = 1056]
The third term covers the possible failures of the safety mechanisms (parity and frame checking sequence) within the Profibus ASIC.
$R_{TC}(\text{transmission code failure}) = k_2 \cdot P_{US}(typ) \cdot 1/T$
$k_2$: only one out of 10,000 HW failures creates a fault of the Profibus safety mechanisms (parity and frame checking sequence) on the ASIC that passes unrecognized, i.e. $k_2 = 1 \cdot 10^{-4}$ will be used for the estimates.
$T$: monitored time period within which a well-defined maximum number of corrupted messages on the transmission system shall not be exceeded without the system switching into a safe state.
The reflections about T lead directly to Fig. 4-32. The combination of the bus failure causes provides a (fictive) frequency of corrupted messages on the Profibus transmission system. The standard safety mechanisms of the Profibus (1st filter) recognize every failure up to HD=4, thus only special bit patterns with HD>4 reach the ProfiSafe safety mechanisms. For the number of unrecognized corrupted messages the worst-case value of $2^{-n}$ shall not be taken (n=16 or 32), since the overall frequency of corrupted messages on the bus is continuously monitored.
[Figure 4-35: Monitoring of corrupted messages. Sources HW-failures, EMI and other produce a frequency of corrupted messages $f_w$ (HD>=1) on the "raw" channel. 1st filter, BusCode, $P_{UB}$ (typ): recognizes HD>=4-bit failures; special bit patterns pass (1-C), and when the BusCode has failed, statistical bit patterns (<$2^{-n}$) pass (C, very little). 2nd filter, ProfiSafeCode, $P_{US}$ (typ) / $P_{US}$. Within the F host: recognized corrupted messages from every participant are counted over the "time period" T h; when the limit is exceeded the system goes to the safe state.]
Figure 4-35 Monitoring of corrupted messages
If the safety mechanisms within the standard Profibus ASIC fail (very low probability), then corrupted messages with statistical bit patterns reach the ProfiSafe safety mechanisms. In this case the more favourable value $P_{US}(typ)$ can be used for the estimate:
$f_w \cdot \{P_{UB} \cdot P_{US}(typ)\} + \frac{1}{T} \cdot \{P_{US}(typ)\} \le R_{EMI}$
The ProfiSafe profile allows simple monitoring of every corrupted message within the F host via the status byte within the acknowledgment of an F slave.
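The counting of reported corrupted messages over a configurable time period, described in chapter 4.8 and again here as the monitored period T, as an added example in C (not the profile's or any vendor's code). The ring-buffer depth, the window and limit values, the 32-bit millisecond host clock and the report times are assumptions of this example; how the F driver derives a "corrupted" report from the status byte is left outside the block, which is only called once per such report.

```c
/* Sliding-window monitor for reported corrupted messages in the F host
 * (chap. 4.8 / 4.11.1). Added example; buffer depth, clock width and the
 * sample report times are assumptions of this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_REPORTS 64   /* ring buffer depth; the limit must stay below it */

typedef struct {
    uint32_t window_ms;            /* T: monitored time period */
    uint32_t limit;                /* reports tolerated inside T */
    uint32_t stamps[MAX_REPORTS];  /* report times still inside the window */
    unsigned head, count;
    bool     safe_state;           /* latched; cleared only by a deliberate restart */
} corrupt_monitor;

void monitor_init(corrupt_monitor *m, uint32_t window_ms, uint32_t limit) {
    m->window_ms = window_ms;
    m->limit = limit < MAX_REPORTS ? limit : MAX_REPORTS - 1;
    m->head = m->count = 0;
    m->safe_state = false;
}

/* Drop reports older than T. The unsigned subtraction stays correct when
 * the millisecond clock wraps around. */
static void monitor_expire(corrupt_monitor *m, uint32_t now_ms) {
    while (m->count > 0 && now_ms - m->stamps[m->head] > m->window_ms) {
        m->head = (m->head + 1) % MAX_REPORTS;
        m->count--;
    }
}

/* Called once per acknowledgment whose status byte reports a corrupted
 * message. Returns true when the safe control loop must go to its safe state. */
bool monitor_report(corrupt_monitor *m, uint32_t now_ms) {
    if (m->safe_state) return true;
    monitor_expire(m, now_ms);
    m->stamps[(m->head + m->count) % MAX_REPORTS] = now_ms;
    m->count++;
    if (m->count > m->limit) m->safe_state = true;
    return m->safe_state;
}

/* Reports currently inside the window, e.g. for a diagnosis display. */
unsigned monitor_count(corrupt_monitor *m, uint32_t now_ms) {
    monitor_expire(m, now_ms);
    return m->count;
}

/* Feed a constructed sequence of report times; returns the time at which
 * the monitor demanded the safe state, or 0 if it never did. */
uint32_t first_trip_time(const uint32_t *times, size_t n, uint32_t window_ms, uint32_t limit) {
    corrupt_monitor m;
    monitor_init(&m, window_ms, limit);
    for (size_t i = 0; i < n; i++)
        if (monitor_report(&m, times[i])) return times[i];
    return 0;
}

int main(void) {
    /* constructed report times in ms: four reports inside one second */
    static const uint32_t burst[] = { 100, 200, 300, 400 };
    printf("trip at %u ms\n", (unsigned)first_trip_time(burst, 4, 1000, 3));
    return 0;
}
```

The monitor latches: once the limit is exceeded the safe state is reported for every further call until a restart re-initializes it, which matches the requirement that the loop only restarts when there is no hazardous process state.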
4.11.2 Operational Reliability of the Standard Profibus Components
In thousands of field applications, the Profibus has proven its reliability. Thus, it is obvious to determine the practical base security of the Profibus to keep the effort required for the additional security layer as small as possible. Currently, this data is provided by return goods statistics that go down to component level. Components that are integrated into a "gray" channel are included (i.e. from the host down to the safety equipment in the slave). Information about the operational reliability can be found in Chapter 502.2 of DIN V VDE 0801 A1.
4.11.3 Practical Bit Error Rates of the Profibus
In order to support the stochastic considerations, the bit error rates of the Profibus as they are quoted in the literature shall be measured in practical examples. Besides cables and driver blocks, the data transmission procedure also plays a role. With Profibus-DP, this is RS485 and NRZ encoding; with Profibus-PA it is IEC1158-2 and Manchester-II encoding.
5 Using the PROFIBUS STANDARD
5.1 PROFIBUS Layers 1 and 2
The F profile is based on the Profibus services and specifications to EN 50170 Volume 2 that are required for Profibus-DP applications. The F profile does not require any additional layer 2 services.
5.2 PROFIBUS DP
PROFIBUS-DP to EN 50170 Volume 2 requires the base range (startup, cyclic transfer, and watchdog). Consistent transfer with a minimum of one F message frame byte shall be possible.
5.3 Definition of the "Gray" Channel
Here, the maximum topological structures as they are defined in the standard are used as the basis. For example, a maximum of three repeaters is currently permitted. Increasing this limit may be possible if more favorable failure rates of the F overall system result in the course of the profile definition.
Any baud rate is permitted.
5.4 Standard EMC Requirements of the Profibus
5.4.1 CE Mark
All electrical devices that are put on the market and can generally be purchased shall carry the CE mark. A prerequisite of the CE mark is conformity with the ENs, which shall be declared by the company that launches the electrical device. An additional prerequisite is conformity with the corresponding product standards during the development phase. The EMC Directive affects all units, systems and plants that contain electrical or electronic components.
Applications:
  Industry: separation from the public low-voltage mains by a separate transformer.
  Residential areas, office, light industry: electrical energy is taken from the public low-voltage mains.
  Requirements: limitation of the noise radiation and definition of the noise immunity against conducted and irradiated interference.
  Responsible: manufacturer, importer, distributor.
  Mark: CE
Standards:
  Industry: EN 50082-2 Basic specification noise immunity, March 1995
  Residential area: EN 50082-1 Basic specification noise immunity, August 1997
5.4.2 Noise Emission
Not relevant with ProfiSafe.
5.4.3 Noise Immunity
Below, only the noise immunity characteristics for industrial applications are shown because they represent the most severe requirements. See Chapter 5.4.11 for a definition of the assessment criteria.
5.4.4 On Long Signal Cables >10m
Long bus cables, also laid together with process cables.
Test according to IEC 61000-4-4, 1995 "Electrical fast transient/burst immunity test" (Burst)
Test according to IEC 61000-4-5 , 1995 "Surge immunity test"
5.4.5 Static Discharge
Test according to IEC 61000-4-2 , 1995 "Electrostatic discharge immunity test"
5.4.6 High-Frequency Irradiation
Test according to EN 61000-4-3, 1996 "Radiated Electromagnetic Field Requirements"
Test according to ENV 50204, 1995 "Radiated electromagnetic field from digital radio telephones Immunity test"
5.4.7 HF-Induced Current on Cables and Cable Shields
Test according to ENV 50141, 1993 "Immunity to conducted disturbances induced by RF fields" (corresponds to IEC 61000-4-6) and to NAMUR draft May 1998
5.4.8 Power Supply
Test according to EN 61000-4-11, 1994
5.4.9 Voltage Dips
Reduction by | Duration | Assessment criterion
30 % | 10 ms | B
60 % | 100 ms | C
Sudden voltage change at zero crossing.
5.4.10 Voltage Interruption
Reduction by | Duration | Assessment criterion
> 95 % | 5000 ms | C
Sudden voltage change at zero crossing.
5.4.11 Definition of the Malfunction
Reaction of the test object in its performance characteristic (function). Interpretation of "B" in F areas: the specified reaction denotes a fault reaction to a safe state; the communication functions remain working correctly. Usually the system returns to normal operation after manual deblocking and a safety delay time. The latter is also possible automatically with special applications in the process industries.
Assessment criterion for interference (function unit: safety equipment with ProfiSafe):
  A | Continuous interference (HF irradiation, HF-induced current, magnetic field) | no impairment
  B | Transient interference (Burst, ESD) on the bus | fault reaction to a configured safe state
  B | Surge on power supply, not on the fieldbus | fault reaction to a configured safe state
  B | Voltage interruption inside the permissible duration | fault reaction to a configured safe state
  C | Voltage interruption outside the permissible duration | fault reaction to a configured safe state; complete restart
5.5 Standard Installation Guidelines for Profibus
A necessary prerequisite for ProfiSafe communications is the observance of the Installation Guidelines for Profibus-DP/FMS, V1.0, September 1998, Order Nr. 2.112. During the design phase of an F slave the appropriate standards regarding excess voltage and electric shock protection shall be observed.
6 Appendix
6.1 Measures against Failures before CRC2 Calculations
Failures may occur during acquisition and processing of individual device parameters. These aspects are not within the scope of this profile description, but the main failure root causes and the appropriate remedial measures are mentioned.
Failure causes (columns): parameter integrity | addressing failures | parametrization at the wrong point in time | wrong sequence of the i-parameters
Remedial measures (rows) with their marks (X = covered, "partially" = partly covered):
  Authorized access to the F device (slave or host): partially, X
  Address switches in field devices; unambiguous addresses: X
  Complete functional testing: X, X, X
  Teach-in; self-learning: X, X, X
  Read-back of the i-parameters from the field device via a diverse path: X, partially, X
  Read-back of the i-parameters via a diverse path from the F host, which also generates CRC2 across the i-parameters: X, partially, X
  Diverse processing of the i-parameters (acquisition and test): X, partially, X
  Failsafe configuration of the i-parameters or failsafe engineering tool: X, partially, X, X
  Version management of GSD type file and F device: X
For end-users a similar catalogue of failure / remedial measures shall be generated and processed.
6.2 CRC Calculation
This procedure detects 99.9985% of all errors that result from data modifications. It also discovers sequence errors because the signature check takes the sequence of the words into account. For the 16-bit CRC code, the value 14EABh is used as the generator polynomial. The number of data bits may be odd or even. The value that is generated after the last byte corresponds to the transferred CRC code.
procedure crc16(x: Byte; var r: word);
{ CRC - Pascal, using a division procedure.
  With every procedure call one byte x is processed;
  CRC value: r contains the 16 bits of the CRC;
  r shall be initialized with the CRC value of the F-parameters
  before the first call of a CRC calculation;
  Generator polynomial = 4eab hex }
const
  g = $4eab;
var
  i: byte;
begin
  for i := 1 to 8 do
  begin
    { shift the next data bit (MSB of x) into r; reduce by g
      whenever a one is shifted out of bit 15 }
    if (r and $8000) = 0 then
    begin
      if (x and $80) = 0 then r := r shl 1 else r := (r shl 1) xor 1;
    end
    else
    begin
      if (x and $80) = 0 then r := (r shl 1) xor g else r := (r shl 1) xor g xor 1;
    end;
    x := x shl 1;
  end;
end;
Figure 6-1 Typical procedure of a cyclic redundancy check
Runtime-optimized variant
The runtime-optimized variant for the calculation of the CRC code requires slightly more memory space and is described below. The following figure shows the signature generation using a CRC table:
[Figure 6-2: CRC table (16 bit, 256 elements): 16-bit signature of 0 (= 0h), 16-bit signature of 1 (= 04EABh), 16-bit signature of 2 (= 09D56h), ..., 16-bit signature of n, ..., 16-bit signature of 253, 254, 255 (= 0C4B3h). Steps: 1. n = (old signature H) XOR (act. byte); 2. table value (H, L) = table[n]; 3. new signature H = (table value H) XOR (old signature L); 4. new signature L = table value L.]
Figure 6-2 Using a CRC table for generating the signature
Explanation:
Explanation:
The values 0-255 that are encoded using the generator polynomial (here: 14EABh) are specified in the word-structured CRC table.
1. First, the current byte is EXORed with the high part of the signature register.
2. The result is used as an offset to the table. The signature is read from the table.
3. The high byte of the word from the table is EXORed with the low byte of the old signature. The result is the new high byte of the signature.
4. The low byte of the word from the table is the new low byte of the signature.
These operations are only performed once for a byte.
The corresponding formula for the 16-bit CRC calculation is: r = crctab16[(r >> 8) ^ *q++] ^ (r << 8)
And its corresponding table:
00000 04EAB 09D56 0D3FD 07407 03AAC 0E951 0A7FA 0E80E 0A6A5 07558 03BF3 09C09 0D2A2 0015F 04FF4
09EB7 0D01C 003E1 04D4A 0EAB0 0A41B 077E6 0394D 076B9 03812 0EBEF 0A544 002BE 04C15 09FE8 0D143
073C5 03D6E 0EE93 0A038 007C2 04969 09A94 0D43F 09BCB 0D560 0069D 04836 0EFCC 0A167 0729A 03C31
0ED72 0A3D9 07024 03E8F 09975 0D7DE 00423 04A88 0057C 04BD7 0982A 0D681 0717B 03FD0 0EC2D 0A286
0E78A 0A921 07ADC 03477 0938D 0DD26 00EDB 04070 00F84 0412F 092D2 0DC79 07B83 03528 0E6D5 0A87E
0793D 03796 0E46B 0AAC0 00D3A 04391 0906C 0DEC7 09133 0DF98 00C65 042CE 0E534 0AB9F 07862 036C9
0944F 0DAE4 00919 047B2 0E048 0AEE3 07D1E 033B5 07C41 032EA 0E117 0AFBC 00846 046ED 09510 0DBBB
00AF8 04453 097AE 0D905 07EFF 03054 0E3A9 0AD02 0E2F6 0AC5D 07FA0 0310B 096F1 0D85A 00BA7 0450C
081BF 0CF14 01CE9 05242 0F5B8 0BB13 068EE 02645 069B1 0271A 0F4E7 0BA4C 01DB6 0531D 080E0 0CE4B
01F08 051A3 0825E 0CCF5 06B0F 025A4 0F659 0B8F2 0F706 0B9AD 06A50 024FB 08301 0CDAA 01E57 050FC
0F27A 0BCD1 06F2C 02187 0867D 0C8D6 01B2B 05580 01A74 054DF 08722 0C989 06E73 020D8 0F325 0BD8E
06CCD 02266 0F19B 0BF30 018CA 05661 0859C 0CB37 084C3 0CA68 01995 0573E 0F0C4 0BE6F 06D92 02339
06635 0289E 0FB63 0B5C8 01232 05C99 08F64 0C1CF 08E3B 0C090 0136D 05DC6 0FA3C 0B497 0676A 029C1
0F882 0B629 065D4 02B7F 08C85 0C22E 011D3 05F78 0108C 05E27 08DDA 0C371 0648B 02A20 0F9DD 0B776
015F0 05B5B 088A6 0C60D 061F7 02F5C 0FCA1 0B20A 0FDFE 0B355 060A8 02E03 089F9 0C752 014AF 05A04
08B47 0C5EC 01611 058BA 0FF40 0B1EB 06216 02CBD 06349 02DE2 0FE1F 0B0B4 0174E 059E5 08A18 0C4B3
The formula for the 32-bit CRC calculation is: r = crctab32[((r >> 24) ^ *q++) & 0xff] ^ (r << 8)
And its corresponding table:
00000000 F4ACFB13 1DF50D35 E959F626 3BEA1A6A CF46E179 261F175F D2B3EC4C
77D434D4 8378CFC7 6A2139E1 9E8DC2F2 4C3E2EBE B892D5AD 51CB238B A567D898
EFA869A8 1B0492BB F25D649D 06F19F8E D44273C2 20EE88D1 C9B77EF7 3D1B85E4
987C5D7C 6CD0A66F 85895049 7125AB5A A3964716 573ABC05 BE634A23 4ACFB130
2BFC2843 DF50D350 36092576 C2A5DE65 10163229 E4BAC93A 0DE33F1C F94FC40F
5C281C97 A884E784 41DD11A2 B571EAB1 67C206FD 936EFDEE 7A370BC8 8E9BF0DB
C45441EB 30F8BAF8 D9A14CDE 2D0DB7CD FFBE5B81 0B12A092 E24B56B4 16E7ADA7
B380753F 472C8E2C AE75780A 5AD98319 886A6F55 7CC69446 959F6260 61339973
57F85086 A354AB95 4A0D5DB3 BEA1A6A0 6C124AEC 98BEB1FF 71E747D9 854BBCCA
202C6452 D4809F41 3DD96967 C9759274 1BC67E38 EF6A852B 0633730D F29F881E
B850392E 4CFCC23D A5A5341B 5109CF08 83BA2344 7716D857 9E4F2E71 6AE3D562
CF840DFA 3B28F6E9 D27100CF 26DDFBDC F46E1790 00C2EC83 E99B1AA5 1D37E1B6
7C0478C5 88A883D6 61F175F0 955D8EE3 47EE62AF B34299BC 5A1B6F9A AEB79489
0BD04C11 FF7CB702 16254124 E289BA37 303A567B C496AD68 2DCF5B4E D963A05D
93AC116D 6700EA7E 8E591C58 7AF5E74B A8460B07 5CEAF014 B5B30632 411FFD21
E47825B9 10D4DEAA F98D288C 0D21D39F DF923FD3 2B3EC4C0 C26732E6 36CBC9F5
AFF0A10C 5B5C5A1F B205AC39 46A9572A 941ABB66 60B64075 89EFB653 7D434D40
D82495D8 2C886ECB C5D198ED 317D63FE E3CE8FB2 176274A1 FE3B8287 0A977994
4058C8A4 B4F433B7 5DADC591 A9013E82 7BB2D2CE 8F1E29DD 6647DFFB 92EB24E8
378CFC70 C3200763 2A79F145 DED50A56 0C66E61A F8CA1D09 1193EB2F E53F103C
840C894F 70A0725C 99F9847A 6D557F69 BFE69325 4B4A6836 A2139E10 56BF6503
F3D8BD9B 07744688 EE2DB0AE 1A814BBD C832A7F1 3C9E5CE2 D5C7AAC4 216B51D7
6BA4E0E7 9F081BF4 7651EDD2 82FD16C1 504EFA8D A4E2019E 4DBBF7B8 B9170CAB
1C70D433 E8DC2F20 0185D906 F5292215 279ACE59 D336354A 3A6FC36C CEC3387F
F808F18A 0CA40A99 E5FDFCBF 115107AC C3E2EBE0 374E10F3 DE17E6D5 2ABB1DC6
8FDCC55E 7B703E4D 9229C86B 66853378 B436DF34 409A2427 A9C3D201 5D6F2912
17A09822 E30C6331 0A559517 FEF96E04 2C4A8248 D8E6795B 31BF8F7D C513746E
6074ACF6 94D857E5 7D81A1C3 892D5AD0 5B9EB69C AF324D8F 466BBBA9 B2C740BA
D3F4D9C9 275822DA CE01D4FC 3AAD2FEF E81EC3A3 1CB238B0 F5EBCE96 01473585
A420ED1D 508C160E B9D5E028 4D791B3B 9FCAF777 6B660C64 823FFA42 76930151
3C5CB061 C8F04B72 21A9BD54 D5054647 07B6AA0B F31A5118 1A43A73E EEEF5C2D
4B8884B5 BF247FA6 567D8980 A2D17293 70629EDF 84CE65CC 6D9793EA 993B68F9
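The two 16-bit procedures of this chapter (the bit-serial division of Figure 6-1 and the table formula of Figure 6-2), the 32-bit table formula, and the properness calculation of chapter 4.11.1, carried out in C as an added example that is not the profile's own code. The tables are generated from the generators 14EABh and 1F4ACFB13h rather than copied, so the first entries can be checked against the tables printed above. For the residual error probability Pue(epsilon) the block enumerates all 65535 nonzero codewords of a block with K = 16 data bits (a length the profile does not plot, chosen so the enumeration is exhaustive) and evaluates the exact sum over the weight distribution; the sample message bytes, the K = 16 choice and the function names are assumptions of this example.

```c
/* ProfiSafe CRC study: generators 14EABh (16 bit) and 1F4ACFB13h (32 bit).
 * Added example, not the profile's code; K_BITS and the sample data are
 * assumptions of this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define POLY16 0x4EABu      /* 14EABh without the implicit x^16 term */
#define POLY32 0xF4ACFB13u  /* 1F4ACFB13h without the implicit x^32 term */

static uint16_t tab16[256];
static uint32_t tab32[256];
static int tables_ready;

/* tab[i] = (i * x^16) mod G(x), resp. (i * x^32) mod G(x), MSB first. */
static void build_tables(void) {
    if (tables_ready) return;
    for (unsigned i = 0; i < 256; i++) {
        uint16_t r = (uint16_t)(i << 8);
        uint32_t s = (uint32_t)i << 24;
        for (int b = 0; b < 8; b++) {
            r = (r & 0x8000u) ? (uint16_t)((r << 1) ^ POLY16) : (uint16_t)(r << 1);
            s = (s & 0x80000000u) ? (s << 1) ^ POLY32 : s << 1;
        }
        tab16[i] = r;
        tab32[i] = s;
    }
    tables_ready = 1;
}

uint16_t crc16_table_entry(unsigned i) { build_tables(); return tab16[i & 0xff]; }
uint32_t crc32_table_entry(unsigned i) { build_tables(); return tab32[i & 0xff]; }

/* Table-driven variant: r = crctab16[(r >> 8) ^ *q++] ^ (r << 8). */
uint16_t crc16_table(uint16_t r, const uint8_t *q, size_t n) {
    build_tables();
    while (n--) r = (uint16_t)(tab16[(r >> 8) ^ *q++] ^ (r << 8));
    return r;
}

/* 32-bit variant: r = crctab32[((r >> 24) ^ *q++) & 0xff] ^ (r << 8). */
uint32_t crc32_table(uint32_t r, const uint8_t *q, size_t n) {
    build_tables();
    while (n--) r = tab32[((r >> 24) ^ *q++) & 0xff] ^ (r << 8);
    return r;
}

/* Bit-serial variant of Figure 6-1: each data bit is shifted into bit 0 of r,
 * and r is reduced by g whenever a one is shifted out of bit 15. */
uint16_t crc16_bitwise(uint16_t r, const uint8_t *x, size_t n) {
    while (n--) {
        uint8_t b = *x++;
        for (int i = 0; i < 8; i++) {
            uint16_t top = r & 0x8000u;
            r = (uint16_t)((r << 1) | ((b & 0x80u) ? 1u : 0u));
            if (top) r ^= POLY16;
            b = (uint8_t)(b << 1);
        }
    }
    return r;
}

/* Properness (chap. 4.11.1): the undetected error patterns of a linear code
 * are its nonzero codewords, so the weight distribution A_w of data||CRC for
 * K_BITS data bits gives Pue(eps) exactly. */
#define K_BITS 16
#define N_BITS (K_BITS + 16)
static double A[N_BITS + 1];   /* A[w] = number of codewords of weight w */

static int popcount32(uint32_t v) { int c = 0; for (; v; v &= v - 1) c++; return c; }
static double powd(double b, int e) { double p = 1.0; while (e-- > 0) p *= b; return p; }

unsigned weight_distribution(void) {
    unsigned total = 0;
    for (int w = 0; w <= N_BITS; w++) A[w] = 0.0;
    for (uint32_t m = 1; m < (1u << K_BITS); m++) {
        uint8_t d[2] = { (uint8_t)(m >> 8), (uint8_t)m };
        uint32_t codeword = (m << 16) | crc16_table(0, d, 2);
        A[popcount32(codeword)] += 1.0;
        total++;
    }
    return total;   /* 2^K - 1 */
}

double weight_count(int w) { return (w >= 0 && w <= N_BITS) ? A[w] : 0.0; }

/* Smallest weight with A_w > 0: the Hamming distance of the code at this length. */
int hamming_distance(void) {
    for (int w = 1; w <= N_BITS; w++) if (A[w] > 0.0) return w;
    return -1;
}

/* Pue(eps) = sum_w A_w * eps^w * (1-eps)^(N-w) for a binary symmetric channel. */
double pue(double eps) {
    double p = 0.0;
    for (int w = 1; w <= N_BITS; w++)
        if (A[w] > 0.0) p += A[w] * powd(eps, w) * powd(1.0 - eps, N_BITS - w);
    return p;
}

int main(void) {
    static const uint8_t msg[4] = { 0x01, 0x02, 0x03, 0x04 };  /* constructed data */
    printf("crc16 = %04X\n", crc16_table(0, msg, 4));
    weight_distribution();
    printf("HD at %d data bits = %d\n", K_BITS, hamming_distance());
    for (double e = 1e-5; e <= 0.1; e *= 10.0) printf("eps = %g  Pue = %g\n", e, pue(e));
    return 0;
}
```

Two observations a driver implementer should take from running it. First, the bit-serial procedure of Figure 6-1 and the table formula of Figure 6-2 are not interchangeable byte for byte: with the register initialized to 0, the table formula over the data equals the bit-serial procedure over the data followed by two zero bytes, and with a non-zero start value (the CRC1 of the F-parameters) even that correspondence changes, so host and slave must implement the same variant with the same initialization or every F message will fail its CRC2 check. Second, because 14EABh has an even number of terms, every codeword has even weight, so no odd-weight error pattern can ever pass undetected; the enumeration confirms this and gives the exact Pue curve for the chosen block length.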
6.3 Sample GSD File for a modular F Slave
; ===========================================================
; Sample GSD file for a slave with F-module parametrization
; demonstration only, no real product
; File name    : SIEM2222.GSD
; Revision     : 1.1 Bitmap SX
; Last changes : 17-Feb-1999
; ===========================================================
;
#Profibus_DP
Vendor_Name = "SIEMENS AG"
GSD_Revision = 2
Model_Name = "F-Device"
Revision = "1.0"
Ident_Number = 0x2222
Protocol_Ident = 0 ; 0 = PROFIBUS-DP
Slave_Family = 9 ; = Others
Prm_Struct_supp = 1 ; 1 = block structure supported
Station_Type = 0 ; 0 = DP-Slave
FMS_supp = 0 ; no FMS/DP mixed device
F_Device_supp = 1 ; 1 = F-device (launches "F-Control" within parametrization tool)
Hardware_Release = "A1"
Software_Release = "V1.0"
9.6_supp = 1
19.2_supp = 1
93.75_supp = 1
187.5_supp = 1
500_supp = 1
1.5M_supp = 1 ; 9.6 up to 12,000 Kbaud supported
3M_supp = 1
6M_supp = 1
12M_supp = 1
MaxTsdr_9.6 = 60
MaxTsdr_19.2 = 60
MaxTsdr_93.75 = 60
MaxTsdr_187.5 = 60
MaxTsdr_500 = 100
MaxTsdr_1.5M = 150
MaxTsdr_3M = 250
MaxTsdr_6M = 450
MaxTsdr_12M = 800
Redundancy = 0 ; redundancy not supported
Repeater_Ctrl_Sig = 2
24V_Pins = 0
Bitmap_Device = "UNIVSLVE"
;
;Slave specific data
;******************
;******************
;Text definition for User_Prm_Data
PrmText = 1 ; Reference number 1
Text(0) = "SIL 1"
Text(1) = "SIL 2"
Text(2) = "SIL 3"
Text(3) = "SIL 4"
EndPrmText
;
;Text definition for Check/no check
;
PrmText = 2 ; Reference number 2
Text(0) = "No Check"
Text(1) = "Check"
EndPrmText
;
;Text definition for CRC-Length
;
PrmText = 3 ; Reference number 3
Text(0) = "2 Byte CRC"
Text(1) = "4 Byte CRC"
EndPrmText
;
; Ext-User-Prm-Data-Def-List:
;
;User_Prm_Data definition 1
ExtUserPrmData = 1 "Slot" ; Reference number 1
Unsigned8 1 1-254 ; Default = 1, Max = 254
EndExtUserPrmData
;
;
;User_Prm_Data definition 2
ExtUserPrmData = 2 "F_Prm_Flag" ; Reference number 2
Unsigned16 0 0-65535 ; Default = 0, Max = 65535
EndExtUserPrmData
;
;User_Prm_Data definition 3
ExtUserPrmData = 3 "F_Dest_Add" ; Reference number 3
Unsigned16 1 1-65534 ; Default = 1, Max = 65534
EndExtUserPrmData
;
;User_Prm_Data definition 4
ExtUserPrmData = 4 "F_Source-Add" ; Reference number 4
Unsigned16 1 1-65534 ; Default = 1, Max = 65534
EndExtUserPrmData
;
;User_Prm_Data definition 5
ExtUserPrmData = 5 "F_WD-Time" ; Reference number 5
Unsigned16 3 0-65535 ; Default = 3, Max = 65535, Manufacturer defines
EndExtUserPrmData ; maximum device operation time via default value
;
;User_Prm_Data definition 6
ExtUserPrmData = 6 "F_SIL " ; Reference number 6
BitArea(2-3) 1 0-3 ; Default = 1, Min = 0, Max = 3
Prm_Text_Ref = 1 ; Pointer to text definition 1
EndExtUserPrmData
;
;User_Prm_Data definition 7
ExtUserPrmData = 7 "F_Check_SeqNr" ; Reference number 7
Bit(0) 0 ; Default = 0,
Prm_Text_Ref = 2 ; Pointer to text definition 2
EndExtUserPrmData
;
;User_Prm_Data definition 8
ExtUserPrmData = 8 "F_Check_iPar" ; Reference number 8
Bit(1) 0 ; Default = 0,
Prm_Text_Ref = 2 ; Pointer to text definition 2
EndExtUserPrmData
;
;User_Prm_Data definition 9
ExtUserPrmData = 9 "F_CRC_Length" ; Reference number 9
BitArea(4-5) 2 0-3 ; Default = 2, Min = 0, Max = 3
Prm_Text_Ref = 3 ; Pointer to text definition 3
EndExtUserPrmData
;
;******************
;******************
;
Freeze_Mode_supp = 0 ;Freeze-Mode not supported
Sync_Mode_supp = 0 ;Sync.-Mode not supported
Auto_Baud_supp = 1 ;automatic Baudrate check
Max_Diag_Data_Len = 6
Set_Slave_Add_supp = 1
User_Prm_Data_Len = 100 ;Length of the total User-Prm-Data
Min_Slave_Intervall = 6 ;0.6ms
Modular_Station = 1
Max_Module = 5 ;max. Nr. of modules to choose from
Max_Input_Len = 100
Max_Output_Len = 100
Max_Data_Len = 200
;
Module = "F-Module 16Byte-E 4Byte-A" 0xC0, 0x83, 0x8f
F_Device_supp = 1 ; F-Slave
Ext_Module_Prm_Data_Len = 12
Ext_User_Prm_Data_Const(0) = 12 ;predefined F_Prm-Block length
Ext_User_Prm_Data_Const(1) = 4 ; predefined F_Prm-Block identifier
Ext_User_Prm_Data_Const(2) = 0 ; predefined Slot number
Ext_User_Prm_Data_Const(3) = 0 ; predefined Specifier
Ext_User_Prm_Data_Const(4) = 0x00 ; predefined F_Prm-Flag high
Ext_User_Prm_Data_Const(5) = 0x00 ; predefined F_Prm-Flag low
Ext_User_Prm_Data_Ref(2) = 1
Ext_User_Prm_Data_Ref(4) = 7
Ext_User_Prm_Data_Ref(4) = 8
Ext_User_Prm_Data_Ref(4) = 6
Ext_User_Prm_Data_Ref(4) = 9
Ext_User_Prm_Data_Ref(6) = 3
Ext_User_Prm_Data_Ref(8) = 4
Ext_User_Prm_Data_Ref(10) = 5
EndModule
Module = "F-Modul 16Word-E 16Byte-A" 0xC0, 0x8f, 0x9f
F_Device_supp = 1 ; F-Slave
Ext_Module_Prm_Data_Len = 12
Ext_User_Prm_Data_Const(0) = 12 ; predefined F_Prm-Block length
Ext_User_Prm_Data_Const(1) = 4 ; predefined F_Prm-Block identifier
Ext_User_Prm_Data_Const(2) = 0 ; predefined Slot number
Ext_User_Prm_Data_Const(3) = 0 ; predefined Specifier
Ext_User_Prm_Data_Const(4) = 0x00 ; predefined F_Prm-Flag high
Ext_User_Prm_Data_Const(5) = 0x00 ; predefined F_Prm-Flag low
Ext_User_Prm_Data_Ref(2) = 1
Ext_User_Prm_Data_Ref(4) = 7
Ext_User_Prm_Data_Ref(4) = 8
Ext_User_Prm_Data_Ref(4) = 6
Ext_User_Prm_Data_Ref(4) = 9
Ext_User_Prm_Data_Ref(6) = 3
Ext_User_Prm_Data_Ref(8) = 4
Ext_User_Prm_Data_Ref(10) = 5
EndModule
;
Module = "E-/A-Modul" 0xF4 ;standard I/O module
;consistency, 5 Words Inputs and Outputs
EndModule
6.4 Applicable Documents
[1] DIN 19245, Part 1: Control and Instrumentation; PROFIBUS Process Field Bus: Layer 1+2; Beuth Verlag, Berlin.
[2] DIN 19245, Part 2: Control and Instrumentation; PROFIBUS Process Field Bus: FMS; Beuth Verlag, Berlin.
[3] DIN 19245, Part 3: Control and Instrumentation; PROFIBUS Process Field Bus: Profibus-DP.
[4] Position Paper DKE-AK 226.03 dated 8-Aug-1997.
[5] IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.
[6] Dr. Michael Schäfer, "New concepts for safety-related bus systems", 3rd International Symposium "Programmable Electronic Systems in Safety Related Applications", May 1998; central institute for research and testing of the German Berufsgenossenschaften (BG).
[7] prEN 50159-1 (Railway Applications): "Requirements for Safety-Related Communication in Closed Transmission Systems".
[8] EN 50170, European Standard for Profibus-DP and FMS; successor of the national DIN 19245.
[9] Andrew S. Tanenbaum, "Computer Networks", 2nd Edition, Prentice Hall, N.J., ISBN 0-13-162959-X.
[10] Manfred Popp, "Rapid Way to Profibus DP", 1996, Order # 4.072, PROFIBUS User Organization e.V.
[11] W. Wesley Peterson, "Error-Correcting Codes", 2nd Edition 1981, MIT Press, ISBN 0-262-16-039-0.
[12] IEC 870-5-1, "Telecontrol equipment and systems; Part 5: Transmission protocols; Section One: Transmission frame formats".
6.5 Abbreviations
ASCII   American Standard Code for Information Interchange
ASIC   Application Specific Integrated Circuit
C   Coverage
CPU   Central Processing Unit
CRC   Cyclic Redundancy Check [9], [11]
DB   Data Block
DDL   Device Description Language
DIN   Deutsches Institut für Normung (German Institute for Standards)
DKE-AK   Working Group of the German Electrotechnical Commission within DIN and VDE
DP   Decentralized Peripherals
EMI   Electromagnetic Interference
EN, prEN   European Norm, preliminary European Norm
ESD   Electrostatic Discharge
F   Failsafe
FB   Function Block
GSD   Geräte-Stamm-Daten (Device Data Base)
HD   Hamming Distance
HW   Hardware
IEC   International Electrotechnical Commission
I/O   Input/Output
ISO/OSI   International Standards Organization / Open Systems Interconnection (Reference Model)
M   Module
PA   Process Automation
PES   Programmable Electronic (Safety-Related) System
PG/ES   Programmer/Engineering Station
PLC   Programmable Logic Controller
S   Standard
SW   Software
TPDU   (Transport) Protocol Data Unit [9]
VDE   Association of German Electrical Engineers (VDE)
VDI   Association of Engineers (VDI)
XML   Extensible Markup Language (World Wide Web Consortium)
