CIP Safety Protocol Training - ODVA

Date post: 15-Feb-2022
Page 1: CIP Safety Protocol Training - ODVA

CIP Safety Protocol Training

Virtual Training Courses

Session 0: Overview of Functional Safety and Safety Networks

Page 2: CIP Safety Protocol Training - ODVA

Before We Begin

• Introductions
• All attendees are automatically muted with no video connection as a default.
• Please use the Q&A to ask questions, not the chat. We will address questions as they come in.
• At the end, if there is time, we will take questions verbally from the attendees. We will advise if and when there is time for you to “raise your hand” if you have a question.
• Please complete the 4-question post-session survey. The survey will launch when you close out of the webinar.

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 2

Page 3: CIP Safety Protocol Training - ODVA

Overview of Functional Safety Standards

Jim Grosskreuz

Rockwell Automation

Page 4: CIP Safety Protocol Training - ODVA

Evolution of Factory Safety

In early factories, workers were encouraged to act in unsafe ways to meet production goals.

Industry 2.0 and 3.0 brought an increased focus on safety, improving it by attending to human factors and developing best practices.

Industry 4.0 requires flexibility, ease of use, human-machine collaboration, and interoperability between vendors.

Page 5: CIP Safety Protocol Training - ODVA

Machinery Builder & Operator Responsibilities

• European Union
  – Machinery Directive
    • Prescriptive approach to machinery safety
    • Mandates risk assessments and safe machines
• United States
  – OSHA
    • Less prescriptive approach to machinery safety
    • Introduces fines for violations
  – Litigious Culture
    • OEMs and System Integrators aren’t protected from litigation
• Elsewhere
  – Mixed legal and cultural environments

Page 6: CIP Safety Protocol Training - ODVA

Automation Device Vendor Responsibilities

• Simplified Safety Interfaces
  – Traditional wiring, Serial fieldbus, Industrial Ethernet
  – Design to applicable standards and for interoperability
• Documentation
  – Wiring and integration with control systems
  – Safety Functions
  – Diagnostics and troubleshooting
  – Functional Safety data
• Third Party Certification
  – Validated implementation according to relevant standards

Images are the EC-type certificates for products that use CIP Safety

Page 7: CIP Safety Protocol Training - ODVA

Functional Safety

• Long history of evolving standards from many organizations
• IEC¹ defines safety as
  – Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
• IEC further defines functional safety as
  – The part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
  – The detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event.

¹ International Electrotechnical Commission; http://www.iec.ch/functionalsafety/

Page 8: CIP Safety Protocol Training - ODVA

Basic Concepts of Functional Safety - Risk

• Important to remember:
  – What is the operating mode?
  – Who is interacting with the machine?
  – When in the lifecycle is this activity?
  – What has already been done for protection?

Risk (figure): How likely? (chances), How often? (frequency), How bad? (consequences)

Page 9: CIP Safety Protocol Training - ODVA

Basic Concepts of Functional Safety - Mitigation

Duality (also known as Redundancy)
  – If one thing fails, there is another thing that can bring the system to a safe state
  – In parallel for Inputs or in series for Outputs

Diversity
  – Protects against two things failing in exactly the same way at the same time
  – Example: Using one NO and one NC set of contacts
  – Example: Using both a high and a low input channel to a safety device

Diagnostics
  – Safety products spend much of their time performing self-diagnostics
  – If a problem is detected, the system will go to its “safe state” and will not allow the system to be restarted until the problem is fixed
  – Example: A safety PLC has a significantly higher degree of self-diagnostics than a standard PLC (> 90% vs. ≈ 50%)

Page 10: CIP Safety Protocol Training - ODVA

Classification of Standards

Standards shown in the figure (layout not preserved):
  – IEC 61508: Functional Safety
  – ISO 13849-1: Safety of Machinery
  – IEC 62061: Safety of Machinery – Electrical control systems
  – IEC 61784-3: Functional Safety fieldbusses
  – IEC 61496: Protective equipment
  – IEC 61800-5-2: Electronic Drives
  – IEC 61511: Safety for Process Industry
  – EN 50128: Safety for Railway
  – EN 60601: Safety for Medical devices

Standard types: Basic Standards (Type A standard), Group Standards (Type B standard), Product Standards (Type C standard)

Page 11: CIP Safety Protocol Training - ODVA

IEC 61508-1 General Requirements

• Documentation
• Management
• Safety Lifecycle
  – 61508-1 7.1.1.5 defines 16 phases
  – Phase 10 (Realisation) is further refined in:
    • 61508-2 (Hardware)
    • 61508-3 (Software)
  – Verification is expected at every phase
• Assessment

Page 12: CIP Safety Protocol Training - ODVA

IEC 61508 Key Concepts

• Quantifying probability of dangerous failure
  – Common Cause Failure, Safe Failure Fraction, Diagnostic Coverage
  – PFDavg (low demand, < 1 per year)
  – PFH (high demand, continuous)
• SIL – Safety integrity level
  – SIL 3 (high demand) → 10⁻⁸ ≤ PFH < 10⁻⁷
  – SIL 3 (low demand) → 10⁻⁴ ≤ PFDavg < 10⁻³
• Basis for derived standards targeting application and product sectors
  – IEC 61511 Safety Instrumented Systems (SIS)
  – IEC 62061 Safety-Related Electrical Control System (SRECS)
  – ISO 13849-1 Safety-Related Parts of Control Systems (SRPCS)
    • This standard also uses Categories and Performance Levels

Page 13: CIP Safety Protocol Training - ODVA

Your Customer’s Safety Flow (figure)

Page 14: CIP Safety Protocol Training - ODVA

Simple Machine Example

Machine image from IEC 62061:2005 Section B.2, Figure B.2
Flow chart from IEC 12100:2010 Chapter 4, Figure 2

Page 15: CIP Safety Protocol Training - ODVA

Simple Machine Example

• Motor power is removed when the E-stop is pressed. Once power is removed, hazardous motion coasts to a stop.
• Tests have determined that coasting to a stop can take as long as 20 seconds. Risk assessment has shown that a person can open the gate and reach the hazardous motion in less than 20 seconds. To prevent dangerous access, a guard lock is used to keep the gate locked for 30 seconds after the E-stop is pressed. After 30 seconds, the operator is allowed to unlock the door by applying power to the guard lock using the key switch.
• While the door is open, the system is monitored to prevent an unexpected start-up. When the door is closed, hazardous motion and power to the motor do not resume until a secondary action (start button depressed) occurs. Faults at the door interlock switch, wiring terminals, or safety controller are detected before the next safety demand.
• The safety function in this example is capable of connecting and interrupting power to motors rated up to 9 A, 600VAC. The safety function meets the requirements for Category 4, Performance Level e (CAT. 4, PLe) per ISO 13849-1, SIL 3 per IEC 62061, and control reliable operation per ANSI B11.19.

This example comes from Rockwell Automation publication SAFETY-AT063D

Page 16: CIP Safety Protocol Training - ODVA

Simple Machine Example

Guard-Locking Safety Function (figure): Input → Logic → Output

This example comes from Rockwell Automation publication SAFETY-AT063D
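As an added worked example (not from the ODVA training or the Rockwell publication it cites), here is the guard-locking safety function described on the two preceding slides, modelled in Python as a scan-cycle state machine. The 30 s hold time and the restart rule (door closed plus start button) come from the slide; the state names, the idle initial state, the scan timeline and the fault rule (a gate that reads open while the lock should be holding latches the safe state) are assumptions made for the illustration.

```python
"""Guard-locking safety function from the slide, as a scan-cycle state machine (illustrative model)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class State(Enum):
    RUNNING = "running"      # motor powered, gate held locked
    COASTING = "coasting"    # E-stop pressed, motor off, gate still locked for the hold time
    STOPPED = "stopped"      # hold time elapsed, gate locked until the key switch is used
    UNLOCKED = "unlocked"    # power applied to the guard lock; restart needs gate closed + start button
    FAULT = "fault"          # safe state, latched until a separate reset (not modelled)


@dataclass(frozen=True)
class Inputs:
    t: float           # time in seconds
    estop: bool        # True while the E-stop is pressed
    gate_closed: bool  # door interlock switch reading
    key_switch: bool   # operator requests unlock
    start: bool        # start button pressed


class GuardLockingFunction:
    LOCK_HOLD_S = 30.0  # gate stays locked this long after the E-stop (value from the page)

    def __init__(self) -> None:
        self.state = State.UNLOCKED   # assumed initial state: idle, gate may be opened
        self.t_stop = 0.0

    def step(self, i: Inputs) -> Tuple[State, bool, bool]:
        """Evaluate one scan; returns (state, motor_power, unlock_power)."""
        s = self.state
        if s is State.RUNNING:
            if i.estop:
                s, self.t_stop = State.COASTING, i.t   # remove motor power, start the hold timer
            elif not i.gate_closed:
                s = State.FAULT                        # gate reads open while it should be locked (assumed rule)
        if s is State.COASTING:
            if not i.gate_closed:
                s = State.FAULT                        # lock or interlock failed during the hold time
            elif i.t - self.t_stop >= self.LOCK_HOLD_S:
                s = State.STOPPED                      # key switch may now release the lock
        if s is State.STOPPED:
            if not i.gate_closed:
                s = State.FAULT
            elif i.key_switch:
                s = State.UNLOCKED                     # power to the guard lock releases the gate
        if s is State.UNLOCKED:
            if i.gate_closed and i.start and not i.estop:
                s = State.RUNNING                      # closing the door alone never restarts the motor
        self.state = s
        return s, s is State.RUNNING, s is State.UNLOCKED


def run_scenario() -> List[Tuple[float, str, bool, bool]]:
    """Constructed timeline: E-stop, an early unlock attempt, unlock after 30 s, door cycle, restart."""
    f = GuardLockingFunction()
    timeline = [
        Inputs(0, False, True, False, True),     # gate closed, start pressed: motor runs
        Inputs(5, True, True, False, False),     # E-stop pressed: coasting, gate locked
        Inputs(20, True, True, True, False),     # key turned 15 s after E-stop: ignored, still locked
        Inputs(36, False, True, True, False),    # key turned after the 30 s hold: gate unlocks
        Inputs(40, False, False, False, False),  # door opened: motor stays off
        Inputs(50, False, True, False, False),   # door closed again, no start: no unexpected start-up
        Inputs(55, False, True, False, True),    # start pressed with door closed: motor resumes
    ]
    trace = []
    for i in timeline:
        s, motor, unlock = f.step(i)
        trace.append((i.t, s.value, motor, unlock))
    return trace


def run_fault_scenario() -> str:
    """Gate reads open while running with no E-stop: the function latches the safe state."""
    f = GuardLockingFunction()
    f.step(Inputs(0, False, True, False, True))
    s, motor, _ = f.step(Inputs(1, False, False, False, False))
    return s.value if not motor else "motor still powered"


if __name__ == "__main__":
    for t, state, motor, unlock in run_scenario():
        print(f"t={t:5.1f}s  state={state:9s}  motor={motor}  unlock={unlock}")
    print("fault scenario:", run_fault_scenario())
```

The scan at t=20 is the point of the example: the key switch is honoured only once the hold timer has expired, so a stop that coasts for up to 20 s can never be reached through the gate. The fault branch is what the slide means by faults being detected before the next safety demand: an interlock reading that contradicts the commanded lock state is treated as a failure, not as an operator action.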

Page 17: CIP Safety Protocol Training - ODVA

Safety Networks

Jim Grosskreuz

Rockwell Automation

Page 18: CIP Safety Protocol Training - ODVA

Industrial Communications Backbone

• Industrial network basics:
  – Quick connect/disconnect of devices
  – Simple integration of new devices
  – Easy configuration and communication between devices
  – Diagnostic data
• Extra requirements for Functional Safety:
  1. Messages delivered as intended or the device goes to the safe state
  2. Suitably small quantitative risk that the device won’t go to the safe state
• Safety networks are just a means to high integrity communications – they require safety devices to deliver the safety function

Page 19: CIP Safety Protocol Training - ODVA

Challenges with Industrial Ethernet

Communication faults:
  – Electrical noise
  – Cable breaks
  – Hardware failures
  – Software bugs

Which can cause:
  – Loss
  – Repetition
  – Corruption
  – Delay
  – Incorrect message routing
  – Coupling with other packets
  – Mixing with other packets

Page 20: CIP Safety Protocol Training - ODVA

Product Standards

Safety Standards for Functional Safety

IEC 61784-3:2016 Figure 1 - Relationships of IEC 61784-3 with standards (machinery). The figure maps design objectives to applicable standards (gray: safety-related standards; gold: fieldbus-related standards; red: this standard). Its layout is not preserved here; the standards it names are grouped below for readability, with the figure’s own labels kept.

Machinery: design & risk assessment
  – ISO 12100-1 and ISO 14121

Design of safety-related electrical, electronic, & programmable electronic control systems (SRECS) for machinery
  – IEC 62061 Series: FS for machinery (SRECS) (SIL based)
  – ISO 13849-1, -2: Safety-related parts of machinery (SRPCS) (PL based)
  – IEC 61508 Series: FS (basic standard)
  – Subclauses 6.7.6.4 (high complexity) and 6.7.8.1.6 (low complexity) of IEC 62061 specify the relationship between PL (Category) and SIL.
  – Figure labels also present: Electrical, Non-electrical

Electrical equipment
  – IEC 60204-1: Electrical Equipment
  – US: NFPA 79 (2006)

Product standards
  – IEC 61496 (light curtains)
  – IEC 61131-6: PLCs (under consideration)
  – IEC 61800-5-2: Drives
  – ISO 10218-1: Robots

Fieldbus, security, installation and EMC
  – IEC 61158 Series / IEC 61784-1, -2: Fieldbus: industrial control
  – IEC 61784-3: FS communication profiles (this standard)
  – IEC 61784-4: Security (profile-specific)
  – IEC 62443: Security (common part)
  – IEC 61784-5: Install guide (profile-specific)
  – IEC 61918: Install guide (common)
  – IEC 61000-1-2: Methodology EMC & FS
  – IEC 61325-3-1: Test EMC & FS

Page 21: CIP Safety Protocol Training - ODVA

White Channel vs Black Channel

• 61508-2 7.4.11.2 describes two possible approaches for safety communications
  – White channel (entire network must be developed according to 61508 and certified)
  – Black channel (only network protocol subject to certification)
• IEC 61784-3 extends IEC 61158 fieldbus specifications to Functional Safety Communication Profiles (FSCP)
  – All defined 61784-3 FSCPs use the black channel approach
  – CIP Safety is FSCP 2/1 in IEC 61784-3-2

Page 22: CIP Safety Protocol Training - ODVA

Introduction to Network Errors

• IEC 61784-3 Section 5.3 defines 8 types of errors that must be mitigated for functional safety communications
  1. Corruption
  2. Unintended Repetition
  3. Incorrect Sequence
  4. Loss
  5. Unacceptable Delay
  6. Insertion
  7. Masquerade
  8. Addressing

Many of these errors can be interrelated! If a corrupt message arrives, a new message may be requested by the client… Will that cause unintended repetition? Incorrect sequence? Unacceptable delay? Loss?

Page 23: CIP Safety Protocol Training - ODVA

Network Error - Corruption

Messages may be corrupted due to errors within a bus participant, due to errors on the transmission medium, or due to message interference.

Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of corruption: Safety Msg #1, Safety Msg #2, Sdetfq N34 &!, Safety Msg #4

Page 24: CIP Safety Protocol Training - ODVA

Network Error – Unintended Repetition

Due to an error, fault or interference, messages are repeated.

Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of unintended repetition: Safety Msg #1, Safety Msg #2, Safety Msg #2, Safety Msg #3

Page 25: CIP Safety Protocol Training - ODVA

Network Error – Incorrect Sequence

Due to an error, fault or interference, the predefined sequence (for example natural numbers, time references) associated with messages from a particular source is incorrect.

Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of incorrect sequence: Safety Msg #1, Safety Msg #2, Safety Msg #4, Safety Msg #3

Page 26: CIP Safety Protocol Training - ODVA

Network Error - Loss

Due to an error, fault or interference, a message or acknowledgment is not received.

Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of loss: Safety Msg #1, Safety Msg #2, Safety Msg #4

Page 27: CIP Safety Protocol Training - ODVA

Network Error – Unacceptable Delay

Messages may be delayed beyond their permitted arrival time window, for example due to errors in the transmission medium, congested transmission lines, interference, or due to bus participants sending messages in such a manner that services are delayed or denied (for example FIFOs in switches, bridges, routers).

Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of unacceptable delay: Safety Msg #1, Safety Msg #2, Safety Msg #2, Safety Msg #3 (the figure’s timing axis, which shows the delay, is not preserved in text)

Page 28: CIP Safety Protocol Training - ODVA

Network Error - Insertion

Due to a fault or interference, a message is received that relates to an unexpected or unknown source entity.

Example of correct behavior: Safety Msg A → B #1, Safety Msg A → B #2, Safety Msg A → B #3, Safety Msg A → B #4
Example of insertion: Safety Msg A → B #1, Safety Msg A → B #2, Safety Msg C → B #97, Safety Msg A → B #3

Page 29: CIP Safety Protocol Training - ODVA

Network Error - Masquerade

Due to a fault or interference, a message is inserted that relates to an apparently valid source entity, so a non-safety related message may be received by a safety related participant, which then treats it as safety related.

Example of correct behavior: Safety Msg #1, Safety Msg #2, Safety Msg #3, Safety Msg #4
Example of masquerade: Safety Msg #1, Safety Msg #2, Std Msg #19, Safety Msg #3

Page 30: CIP Safety Protocol Training - ODVA

Network Error - Addressing

Due to a fault or interference, a safety related message is delivered to the incorrect safety related participant, which then treats reception as correct. This includes the so-called loopback error case, where the sender receives back its own sent message.

Example of correct behavior:
  Safety Input #1, Safety Input #2, Safety Input #3, Safety Input #4
  Safety Output #1, Safety Output #2, Safety Output #3, Safety Output #4
Example of addressing:
  Safety Input #1, Safety Input #2, Safety Output #2, Safety Input #4
  Safety Output #1, Safety Output #2, Safety Output #3, Safety Output #4

Page 31: CIP Safety Protocol Training - ODVA

CIP Safety

• This protocol addresses all the errors previously discussed
• Provides a stated probability of failure (PFH)
  – PFH is probability of dangerous failure per hour
  – 10⁻⁸ ≤ PFH < 10⁻⁷ required for SIL 3
  – 10⁻¹⁰ ≤ Network PFH < 10⁻⁹ required for SIL 3
    • 61784-3 recommendation is 1% of target SIL
• Certified by TÜV Rheinland for functional safety applications up to SIL 3
• Suitable for use on EtherNet/IP, DeviceNet, SERCOS

Page 32: CIP Safety Protocol Training - ODVA

Error Mitigation from Various Black Channel Protocols

Four tables taken from the IEC 61784-3 profile parts. Each lists the profile’s mitigation measures (columns) and marks with an X which measures counter each error type (rows). The column position of each X is not preserved in the text, so only the number of marked measures per error is given.

FSoE (IEC 61784-3-12:2010, page 21)
  Measures: Sequence Number, Time Expectation, Connection Authentication, Feedback Message, Data Integrity Assurance
  Corruption: 1 of 5; Unintended repetition: 2; Incorrect sequence: 2; Loss: 4; Unacceptable delay: 3; Insertion: 2; Masquerade: 3; Addressing: 1; Revolving memory failures within switches: 2

CIP Safety (IEC 61784-3-2:2016, page 29)
  Measures: Time Stamp, Time Expectation, Connection Authentication, Data Integrity Assurance, Redundancy with Cross Checking, Different Data Integrity Assurance Systems
  Corruption: 2 of 6; Unintended repetition: 2; Incorrect sequence: 2; Loss: 2; Unacceptable delay: 1; Insertion: 3; Masquerade: 5; Addressing: 2

SafetyNET p (IEC 61784-3-18:2011, page 21)
  Measures: Sequence Number, Time Expectation, Connection Authentication, Data Integrity Assurance, Different Data Integrity Assurance Systems
  Corruption: 1 of 5; Unintended repetition: 1; Incorrect sequence: 1; Loss: 2; Unacceptable delay: 1; Insertion: 2; Masquerade: 3; Addressing: 2; Revolving memory failures within switches: 4

PROFIsafe (IEC 61784-3-3:2016, page 32)
  Measures: Sequence Number, Time Expectation & Feedback Message, Connection Authentication, Data Integrity Assurance
  Corruption: 1 of 4; Unintended repetition: 1; Incorrect sequence: 1; Loss: 2; Unacceptable delay: 1; Insertion: 1; Masquerade: 1; Addressing: 2; Out-of-sequence: 1; Loop-back of messages: 1
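As an added example (not the CIP Safety message format and not ODVA’s code), here is a simplified black-channel safety consumer in Python that applies measures of the kind listed in the table above and replays the error streams drawn on the preceding slides. A connection identifier stands in for connection authentication, a message counter for the time stamp, a tick-based watchdog for time expectation, CRC-32 for data integrity assurance, and a complemented copy of the payload for redundancy with cross checking. The message layout, the CRC choice, the fault names, the constructed streams and the timeout value are all assumptions made for the illustration. One point the replay makes concrete is the interrelation noted on the Introduction to Network Errors slide: the out-of-order stream #1 #2 #4 #3 is first seen by the consumer as loss of #3, and the masquerading standard message is rejected as an integrity failure because it never carried the safety-layer CRC.

```python
"""Simplified black-channel safety consumer (illustrative model; not the CIP Safety wire format)."""
import zlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SafetyMsg:
    conn_id: int      # producer->consumer connection identifier (stands in for connection authentication)
    seq: int          # monotonically increasing counter (stands in for the time stamp / sequence number)
    data: bytes       # safety payload
    data_comp: bytes  # bitwise complement of data (redundancy with cross checking)
    crc: int          # CRC-32 over conn_id, seq and data (data integrity assurance)


def _crc(conn_id: int, seq: int, data: bytes) -> int:
    header = conn_id.to_bytes(2, "big") + seq.to_bytes(2, "big")
    return zlib.crc32(header + data) & 0xFFFFFFFF


def produce(conn_id: int, seq: int, data: bytes) -> SafetyMsg:
    """Build a well-formed message the way a safety producer would."""
    return SafetyMsg(conn_id, seq, data, bytes(b ^ 0xFF for b in data), _crc(conn_id, seq, data))


class SafetyConsumer:
    SAFE = "safe state (latched)"

    def __init__(self, conn_id: int, timeout_ticks: int):
        self.conn_id = conn_id        # the only connection this consumer accepts
        self.timeout = timeout_ticks  # time expectation: max ticks between valid messages
        self.expected_seq = 1
        self.last_rx_tick = 0
        self.safe_state = False

    def _fault(self, reason: str) -> str:
        self.safe_state = True        # any detected error drives outputs to the safe state
        return reason

    def receive(self, msg: SafetyMsg, now_tick: int) -> str:
        """Validate one message; return "ok" or the first error type detected."""
        if self.safe_state:
            return self.SAFE
        if msg.crc != _crc(msg.conn_id, msg.seq, msg.data):
            return self._fault("corruption")          # also rejects a standard message lacking the safety CRC
        if msg.conn_id != self.conn_id:
            return self._fault("wrong connection")    # insertion, masquerade or addressing error
        if msg.data != bytes(b ^ 0xFF for b in msg.data_comp):
            return self._fault("cross-check mismatch")
        if now_tick - self.last_rx_tick > self.timeout:
            return self._fault("unacceptable delay")
        if msg.seq == self.expected_seq - 1:
            return self._fault("unintended repetition")
        if msg.seq < self.expected_seq:
            return self._fault("incorrect sequence")  # an older message arriving late
        if msg.seq > self.expected_seq:
            return self._fault("loss")                # one or more messages were skipped
        self.expected_seq += 1
        self.last_rx_tick = now_tick
        return "ok"

    def watchdog(self, now_tick: int) -> str:
        """Periodic check: non-arrival of data within the time expectation is itself a fault."""
        if self.safe_state:
            return self.SAFE
        if now_tick - self.last_rx_tick > self.timeout:
            return self._fault("loss (watchdog timeout)")
        return "ok"


def run_scenarios(conn_id: int = 0x0A0B, timeout: int = 5) -> Dict[str, str]:
    """Replay constructed streams mirroring the slide figures; return what the consumer detects first."""
    base = [produce(conn_id, i, bytes([i])) for i in (1, 2, 3, 4)]
    m3 = base[2]
    corrupt = SafetyMsg(conn_id, 3, b"\x33", m3.data_comp, m3.crc)  # payload flipped in transit, CRC unchanged
    bad_comp = SafetyMsg(conn_id, 3, m3.data, b"\x00", m3.crc)      # complement damaged, CRC still valid
    inserted = produce(0x0C0B, 97, b"\x61")                         # valid message from another producer (C -> B #97)
    std_msg = SafetyMsg(conn_id, 19, b"\x13", b"\xEC", 0xDEADBEEF)  # non-safety message, no safety CRC (Std Msg #19)
    streams: Dict[str, List[SafetyMsg]] = {
        "correct": base,
        "corruption": [base[0], base[1], corrupt, base[3]],
        "complement corrupted": [base[0], base[1], bad_comp, base[3]],
        "unintended repetition": [base[0], base[1], base[1], base[2]],
        "incorrect sequence (#1 #2 #4 #3)": [base[0], base[1], base[3], base[2]],
        "incorrect sequence (old message late)": [base[0], base[1], base[2], base[0]],
        "loss": [base[0], base[1], base[3]],
        "insertion": [base[0], base[1], inserted, base[2]],
        "masquerade": [base[0], base[1], std_msg, base[2]],
    }
    results: Dict[str, str] = {}
    for name, stream in streams.items():
        consumer = SafetyConsumer(conn_id, timeout)
        verdict = "ok"
        for tick, msg in enumerate(stream, start=1):  # one message per tick
            verdict = consumer.receive(msg, tick)
            if verdict != "ok":
                break
        results[name] = verdict
    # Unacceptable delay: message #3 arrives 11 ticks after #2.
    consumer = SafetyConsumer(conn_id, timeout)
    consumer.receive(base[0], 1)
    consumer.receive(base[1], 2)
    results["unacceptable delay"] = consumer.receive(base[2], 13)
    # Addressing: a message from another connection is delivered to this consumer.
    consumer = SafetyConsumer(conn_id, timeout)
    consumer.receive(base[0], 1)
    consumer.receive(base[1], 2)
    results["addressing"] = consumer.receive(produce(0x0B0A, 2, b"\x02"), 3)
    # Non-arrival: nothing at all after #2; the watchdog, not a message, raises the fault.
    consumer = SafetyConsumer(conn_id, timeout)
    consumer.receive(base[0], 1)
    consumer.receive(base[1], 2)
    results["non-arrival"] = consumer.watchdog(8)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:40s} -> {verdict}")
```

The order of the checks matters: integrity and connection identity are verified before the counter is interpreted, so a damaged or foreign message can never advance the expected sequence. The watchdog case is the one the Network Performance in Safety Networks slide calls the limiting factor: with no message to check, only the time expectation can reveal that data has stopped arriving, so the chosen timeout bounds the worst-case reaction time.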

Page 33: CIP Safety Protocol Training - ODVA

Network Performance in Standard Networks

• Response time determines how fast a production line can operate
  – Network response times are used as a measure of performance

Input to Output Response Time (figure): Sensor Input → Data Transport → Logic → Data Transport → Output Actuator

Page 34: CIP Safety Protocol Training - ODVA

Network Performance in Safety Networks

• Worst case control system reaction time must satisfy process safety time
  – Reaction time must include error conditions
• Detecting non-arrival of data is typically the limiting factor

Safety Response Time (figure): Sensor Input → Safety Data Transport → Logic → Safety Data Transport → Output Actuator
  – Values shown in the figure: 45 ms, 6 ms, 10 ms
  – 6 ms Input Time & 10 ms Output Time using typical watchdog & timeout parameters & no faults
  – 38 ms Inertia & Speed Dependent

Page 35: CIP Safety Protocol Training - ODVA

Next Sessions:

Session 1 – Overview of CIP and EtherNet/IP
  Tomorrow, 8:00am – 9:30am US Eastern
Session 2 – CIP Safety Overview
  Tomorrow, 10am – 11:30am US Eastern