CIP Safety Protocol Training
Virtual Training Courses
Session 0: Overview of Functional Safety and Safety Networks
Before We Begin
• Introductions
• All attendees are automatically muted with no video connection as a
default.
• Please use the Q&A to ask questions, not the chat. We will address
questions as they come in.
• At the end if there is time, we will take questions verbally from the
attendees. We will advise if and when there is time for you to “raise your
hand” if you have a question.
• Please complete the 4 question post session survey. The survey will
launch when you close out of the webinar.
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 2
Overview of Functional Safety Standards
Jim Grosskreuz
Rockwell Automation
Evolution of Factory Safety
In early factories, workers were encouraged to act in unsafe ways to meet production goals.
Industry 2.0 and 3.0 brought an increased focus on safety, improving it by addressing human factors and developing best practices.
Industry 4.0 requires flexibility, ease of use, human-machine collaboration, and interoperability between vendors.
Machinery Builder & Operator Responsibilities
• European Union
– Machinery Directive
• Prescriptive approach to machinery safety
• Mandates risk assessments and safe machines
• United States
– OSHA
• Less prescriptive approach to machinery safety
• Introduces fines for violations
– Litigious Culture
• OEMs and System Integrators aren’t protected from litigation
• Elsewhere
– Mixed legal and cultural environments
Automation Device Vendor Responsibilities
• Simplified Safety Interfaces
– Traditional wiring, Serial fieldbus, Industrial Ethernet
– Design to applicable standards and for interoperability
• Documentation
– Wiring and integration with control systems
– Safety Functions
– Diagnostics and troubleshooting
– Functional Safety data
• Third Party Certification
– Validated implementation according to relevant standards
Images are the EC-type certificates for products that use CIP Safety
Functional Safety
• Long history of evolving standards from many organizations
• IEC¹ defines safety as
– Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
• IEC further defines functional safety as
– The part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
– The detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event.
¹ International Electrotechnical Commission; http://www.iec.ch/functionalsafety/
Basic Concepts of Functional Safety - Risk
• Important to remember:
– What is the operating mode?
– Who is interacting with the machine?
– When in the lifecycle is this activity?
– What has already been done for protection?
(Diagram: Risk as the combination of How Likely? (Chances), How Often? (Frequency) and How Bad? (Consequences))
Basic Concepts of Functional Safety - Mitigation
• Duality (also known as Redundancy)
– If one thing fails, there is another thing that can bring the system to a safe state
– In parallel for Inputs or in series for Outputs
• Diversity
– Protects against two things failing in exactly the same way at the same time
– Example: Using one NO and one NC set of contacts
– Example: Using both a high and a low input channel to a safety device
• Diagnostics
– Safety products spend much of their time performing self-diagnostics
– If a problem is detected, the system will go to its “safe state” and will not allow the system to be restarted until the problem is fixed
– Example: A safety PLC has a significantly higher degree of self-diagnostics than a standard PLC (> 90% vs. ≈ 50%)
Classification of Standards
(Diagram: standards arranged in three tiers, Basic Standards (Type A standard), Group Standards (Type B standard) and Product Standards (Type C standard))
– IEC 61508: Functional Safety
– ISO 13849-1: Safety of Machinery
– IEC 62061: Safety of Machinery – Electrical control systems
– IEC 61784-3: Functional Safety fieldbusses
– EN 50128: Safety for Railway
– EN 60601: Safety for Medical devices
– IEC 61511: Safety for Process Industry
– IEC 61800-5-2: Electronic Drives
– IEC 61496: Protective equipment
IEC 61508-1 General Requirements
• Documentation
• Management
• Safety Lifecycle
– 61508-1 7.1.1.5 defines 16 phases
– Phase 10 (Realisation) is further refined in:
• 61508-2 (Hardware)
• 61508-3 (Software)
– Verification is expected at every phase
• Assessment
IEC 61508 Key Concepts
• Quantifying probability of dangerous failure
– Common Cause Failure, Safe Failure Fraction, Diagnostic Coverage
– PFDavg (low demand, < 1 demand per year)
– PFH (high demand, continuous)
• SIL – Safety integrity level
– SIL 3 (high demand) → 10^-8 ≤ PFH < 10^-7
– SIL 3 (low demand) → 10^-4 ≤ PFDavg < 10^-3
• Basis for derived standards targeting application and product sectors
– IEC 61511 Safety Instrumented Systems (SIS)
– IEC 62061 Safety-Related Electrical Control System (SRECS)
– ISO 13849-1 Safety-Related Parts of Control Systems (SRPCS)
• ISO 13849-1 also uses Categories and Performance Levels
Your Customer’s Safety Flow
Simple Machine Example
Machine image from IEC 62061:2005 Section B.2, Figure B.2
Flow chart from IEC 12100:2010 Chapter 4, Figure 2
Simple Machine Example
• Motor power is removed when the E-stop is pressed. Once power is removed, hazardous motion coasts to a stop.
• Tests have determined that coasting to a stop can take as long as 20 seconds. Risk assessment has shown that a person can open the gate and reach the hazardous motion in less than 20 seconds. To prevent dangerous access, a guard lock is used to keep the gate locked for 30 seconds after the E-stop is pressed. After 30 seconds, the operator is allowed to unlock the door by applying power to the guard lock by using the key switch.
• While the door is open, the system is monitored to prevent an unexpected start-up. When the door is closed, hazardous motion and power to the motor do not resume until a secondary action (start button depressed) occurs. Faults at the door interlock switch, wiring terminals, or safety controller are detected before the next safety demand.
• The safety function in this example is capable of connecting and interrupting power to motors rated up to 9 A, 600 VAC. The safety function meets the requirements for Category 4, Performance Level e (CAT. 4, PLe), per ISO 13849-1, SIL3 per IEC 62061, and control reliable operation per ANSI B11.19.
This example comes from Rockwell Automation publication SAFETY-AT063D
Simple Machine Example: Guard-Locking Safety Function
(Diagram: Input → Logic → Output)
This example comes from Rockwell Automation publication SAFETY-AT063D
Safety Networks
Jim Grosskreuz
Rockwell Automation
Industrial Communications Backbone
• Industrial network basics:
– Quick connect/disconnect of devices
– Simple integration of new devices
– Easy configuration and communication between devices
– Diagnostic data
• Extra requirements for Functional Safety:
1. Messages delivered as intended or the device goes to the safe state
2. Suitably small quantitative risk that the device won’t go to the safe state
• Safety networks are just a means to high integrity communications – they require safety devices to deliver the safety function
Challenges with Industrial Ethernet
Communication faults:
– Electrical noise
– Cable breaks
– Hardware failures
– Software bugs
Which can cause:
– Loss
– Repetition
– Corruption
– Delay
– Incorrect message routing
– Coupling with other packets
– Mixing with other packets
Product Standards
Safety Standards for Functional Safety
Subclauses 6.7.6.4 (high complexity) and 6.7.8.1.6 (low complexity) of
IEC 62061 specify the relationship between PL (Category) and SIL.
IEC 61784-3:2016 Figure 1 - Relationships of IEC 61784-3 with standards (machinery)
(Figure residue, IEC 61784-3:2016 Figure 1. Design objective: design of safety-related electrical, electronic, & programmable electronic control systems (SRECS) for machinery. Applicable standards shown: IEC 61508 Series, FS (basic standard); ISO 12100-1 and ISO 14121, Machinery: design & risk assessment; IEC 62061 Series, FS for machinery (SRECS), SIL based; ISO 13849-1, -2, Safety-related parts of machinery (SRPCS), PL based; IEC 60204-1, Electrical Equipment (US: NFPA 79 (2006)); Non-electrical; IEC 61000-1-2, Methodology EMC & FS; IEC 61325-3-1, Test EMC & FS; IEC 61158 Series / IEC 61784-1, -2, Fieldbus: industrial control; IEC 61784-3, FS communication profiles; IEC 61784-4, Security (profile-specific); IEC 62443, Security (common part); IEC 61784-5, Install guide (profile-specific); IEC 61918, Install guide (common); product standards IEC 61496 (light curtains), IEC 61131-6 PLCs (under consideration), IEC 61800-5-2 Drives, ISO 10218-1 Robots.)
Legend: (gray) safety-related standards; (gold) fieldbus-related standards; (red) this standard
White Channel vs Black Channel
• 61508-2 7.4.11.2 describes two possible approaches for safety communications
– white channel (the entire network must be developed according to 61508 and certified)
– black channel (only the network protocol is subject to certification)
• IEC 61784-3 extends IEC 61158 fieldbus specifications to Functional Safety Communication Profiles (FSCP)
– All defined 61784-3 FSCPs use the black channel approach
– CIP Safety is FSCP 2/1 in IEC 61784-3-2
Introduction to Network Errors
• IEC 61784-3 Section 5.3 defines 8 types of errors that must be mitigated for functional safety communications
1. Corruption
2. Unintended Repetition
3. Incorrect Sequence
4. Loss
5. Unacceptable Delay
6. Insertion
7. Masquerade
8. Addressing
Many of these errors can be interrelated! If a corrupt message arrives, a new message may be requested by the client… Will that cause unintended repetition? Incorrect sequence? Unacceptable delay? Loss?
Network Error - Corruption
Messages may be corrupted due to errors within a bus participant, due to errors on the transmission medium, or due to message interference.
Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of corruption: Safety Msg #1, Safety Msg #2, Sdetfq N34 &!, Safety Msg #4
Network Error – Unintended Repetition
Due to an error, fault or interference, messages are repeated.
Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of unintended repetition: Safety Msg #1, Safety Msg #2, Safety Msg #2, Safety Msg #3
Network Error – Incorrect Sequence
Due to an error, fault or interference, the predefined sequence (for example natural numbers, time references) associated with messages from a particular source is incorrect.
Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of incorrect sequence: Safety Msg #1, Safety Msg #2, Safety Msg #4, Safety Msg #3
Network Error - Loss
Due to an error, fault or interference, a message or acknowledgment is not received.
Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of loss: Safety Msg #1, Safety Msg #2, Safety Msg #4
Network Error – Unacceptable Delay
Messages may be delayed beyond their permitted arrival time window, for example due to errors in the transmission medium, congested transmission lines, interference, or due to bus participants sending messages in such a manner that services are delayed or denied (for example FIFOs in switches, bridges, routers).
Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of unacceptable delay: Safety Msg #1, Safety Msg #2, Safety Msg #2, Safety Msg #3
Network Error - Insertion
Due to a fault or interference, a message is received that relates to an unexpected or unknown source entity.
Example of correct behavior: Safety Msg A → B #1, Safety Msg A → B #2, Safety Msg A → B #3, Safety Msg A → B #4
Example of insertion: Safety Msg A → B #1, Safety Msg A → B #2, Safety Msg C → B #97, Safety Msg A → B #3
Network Error - Masquerade
Due to a fault or interference, a message is inserted that relates to an apparently valid source entity, so a non-safety related message may be received by a safety related participant, which then treats it as safety related.
Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of masquerade: Safety Msg #1, Safety Msg #2, Std Msg #19, Safety Msg #3
Network Error - Addressing
Due to a fault or interference, a safety related message is delivered to the incorrect safety related participant, which then treats reception as correct. This includes the so-called loopback error case, where the sender receives back its own sent message.
Example of correct behavior:
Input stream: Safety Input #1, Safety Input #2, Safety Input #3, Safety Input #4
Output stream: Safety Output #1, Safety Output #2, Safety Output #3, Safety Output #4
Example of addressing:
Input stream: Safety Input #1, Safety Input #2, Safety Output #2, Safety Input #4
Output stream: Safety Output #1, Safety Output #2, Safety Output #3, Safety Output #4
CIP Safety
• This protocol addresses all the errors previously discussed
• Provides a stated probability of failure (PFH)
– PFH is probability of dangerous failure per hour
– 10^-8 ≤ PFH < 10^-7 required for SIL 3
– 10^-10 ≤ Network PFH < 10^-9 required for SIL 3
• 61784-3 recommends that the network consume no more than 1% of the target SIL’s PFH budget
• Certified by TÜV Rheinland for functional safety applications up to SIL 3
• Suitable for use on EtherNet/IP, DeviceNet, SERCOS
Error Mitigation from Various Black Channel Protocols
(Tables from the cited IEC 61784-3 parts; the number in parentheses is how many of the listed measures each table marks against that error.)
FSoE (IEC 61784-3-12:2010, page 21)
Measures: Sequence Number, Time Expectation, Connection Authentication, Feedback Message, Data Integrity Assurance
Errors mitigated: Corruption (1), Unintended repetition (2), Incorrect sequence (2), Loss (4), Unacceptable delay (3), Insertion (2), Masquerade (3), Addressing (1), Revolving memory failures within switches (2)
CIP Safety (IEC 61784-3-2:2016, page 29)
Measures: Time Stamp, Time Expectation, Connection Authentication, Data Integrity Assurance, Redundancy with Cross Checking, Different Data Integrity Assurance Systems
Errors mitigated: Corruption (2), Unintended repetition (2), Incorrect sequence (2), Loss (2), Unacceptable delay (1), Insertion (3), Masquerade (5), Addressing (2)
SafetyNET P (IEC 61784-3-18:2011, page 21)
Measures: Sequence Number, Time Expectation, Connection Authentication, Data Integrity Assurance, Different Data Integrity Assurance Systems
Errors mitigated: Corruption (1), Unintended repetition (1), Incorrect sequence (1), Loss (2), Unacceptable delay (1), Insertion (2), Masquerade (3), Addressing (2), Revolving memory failures within switches (4)
PROFIsafe (IEC 61784-3-3:2016, page 32)
Measures: Sequence Number, Time Expectation & Feedback Message, Connection Authentication, Data Integrity Assurance
Errors mitigated: Corruption (1), Unintended repetition (1), Incorrect sequence (1), Loss (2), Unacceptable delay (1), Insertion (1), Masquerade (1), Addressing (2), Out-of-sequence (1), Loop-back of messages (1)
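The following is an added example, not ODVA's code or CIP Safety's real message format: a constructed consumer-side model that applies the three measure families the table above lists (data integrity assurance via a CRC, connection authentication via a connection id, and time stamp / time expectation) to the eight IEC 61784-3 error types, and latches the safe state on any detected error. The `check_timeout` method models the non-arrival detection that the later performance section names as the limiting factor; field names, the CRC-32 choice and the sample values are assumptions.

```python
# Constructed model of a black-channel safety consumer (not CIP Safety's real format).
# Checks: CRC (data integrity), connection id (authentication), time stamp (sequence/expectation).
import zlib
from dataclasses import dataclass

@dataclass
class SafetyMsg:
    conn_id: int    # producer->consumer connection this message belongs to
    stamp: int      # producer time stamp in ms, strictly increasing per connection
    payload: bytes  # safety I/O data
    crc: int        # CRC-32 over conn_id, stamp and payload (assumed for the model)

def compute_crc(conn_id: int, stamp: int, payload: bytes) -> int:
    return zlib.crc32(conn_id.to_bytes(2, "big") + stamp.to_bytes(4, "big") + payload)
def make_msg(conn_id: int, stamp: int, payload: bytes) -> SafetyMsg:
    return SafetyMsg(conn_id, stamp, payload, compute_crc(conn_id, stamp, payload))

class SafetyConsumer:
    def __init__(self, conn_id: int, expectation_ms: int):
        self.conn_id = conn_id
        self.expectation_ms = expectation_ms  # longest tolerated gap between stamps
        self.last_stamp = None
        self.safe_state = False               # latched: any detected error sets it

    def _fault(self, error: str) -> str:
        self.safe_state = True
        return error

    def receive(self, msg: SafetyMsg) -> str:
        """Return 'ok' or the IEC 61784-3 error type the checks detected."""
        if compute_crc(msg.conn_id, msg.stamp, msg.payload) != msg.crc:
            return self._fault("corruption")  # bit errors, or a non-safety frame
        if msg.conn_id != self.conn_id:
            return self._fault("insertion/masquerade/addressing")  # foreign/misrouted
        if self.last_stamp is not None:
            if msg.stamp == self.last_stamp:
                return self._fault("unintended repetition")
            if msg.stamp < self.last_stamp:
                return self._fault("incorrect sequence")
            if msg.stamp - self.last_stamp > self.expectation_ms:
                return self._fault("loss/unacceptable delay")  # missing or late message
        self.last_stamp = msg.stamp
        return "ok"

    def check_timeout(self, now_ms: int) -> str:
        """Driven by the consumer's own clock: silence past the expectation is a loss."""
        if self.last_stamp is not None and now_ms - self.last_stamp > self.expectation_ms:
            return self._fault("loss/unacceptable delay")
        return "ok"
```

A lost final message is only ever caught by `check_timeout`, which is why the watchdog interval, not the transport latency, bounds the worst-case reaction time.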
Network Performance in Standard Networks
• Response time determines how fast a production line can operate
– Network response times are used as a measure of performance
(Diagram: Sensor Input → Data Transport → Logic → Data Transport → Output Actuator; Input to Output Response Time)
Network Performance in Safety Networks
• Worst case control system reaction time must satisfy process safety time
– Reaction time must include error conditions
• Detecting non-arrival of data is typically the limiting factor
(Diagram: Sensor Input → Safety Data Transport → Logic → Safety Data Transport → Output Actuator; Safety Response Time. Labels: 45 ms, 6 ms, 10 ms; 6 ms Input Time & 10 ms Output Time using typical watchdog & timeout parameters & no faults; 38 ms Inertia & Speed Dependent)
Next Sessions:
Session 1 – Overview of CIP and EtherNet/IP
Tomorrow, 8:00am – 9:30am US Eastern
Session 2 – CIP Safety Overview
Tomorrow, 10am – 11:30am US Eastern