IEC 61784-3 application
Dr. Wolfgang Stripf, PNO: New characteristics ("Kenngrößen") in IEC 61784-3 Edition 3 (33 slides)
Transcript
  • Dr. Wolfgang Stripf, PNO

    New characteristics ("Kenngrößen") in IEC 61784-3 Edition 3

  • IEC 61784-3: Status

  • Slide 3: The Fieldbus vision: coexistence of safety and standard communication

    Agenda tabs: Status | Previous | New | Hot stuff | Parameter
    Dr.-Ing. Wolfgang Stripf / FSCP characteristics ("Kenngrößen") in IEC 61784-3
    VDE conference "funktionalesicherheit2013"

    [Figure: one fieldbus shared by a standard PLC with standard input/output (e.g. laser scanner, level switch) and a safety PLC with safety input/output (e.g. emergency stop, light curtains, robots, drives)]

  • Slide 4: Fieldbus standards (IEC 61158 / 61784)

    [Figure: structure of the fieldbus standard family]

    IEC 61158 (Communication Layers)
      -1 Overview
      -2 Physical Layer
      -3 Data-link Service, Types 1, 2, 3, 4, 7, 8, 11, 12, 14 ... 22
      -4 Data-link Protocol, Types 1, 2, 3, 4, 7, 8, 11, 12, 14 ... 22
      -5 Application Layer Service, Types 1, 2, 3, 4, 5, 7, 8, 9, 10, 11 ... 22
      -6 Application Layer Protocol, Types 1, 2, 3, 4, 5, 7, 8, 9, 10, 11 ... 22

    IEC 61784-1 (Communication Profiles)
    IEC 61784-2 (Real-time Ethernet, RTE)
    IEC 61784-3 (Functional Safety Profiles), 3rd Edition:
      IEC 61784-3 General Part
      IEC 61784-3-1 FF SIS
      IEC 61784-3-2 CIP Safety
      IEC 61784-3-3 PROFIsafe
      IEC 61784-3-6 Interbus Safety
      IEC 61784-3-x (further profiles)
    IEC 61784-4 (Security), see IEC 62443
    IEC 61784-5 (Installation), see IEC 61918

  • Slide 5: FSCPs in IEC 61784-3 Edition 3 and in EN 50325-5

    [Figure: logos of the Functional Safety Communication Profiles]

    In IEC 61784-3 Edition 3: PROFIsafe, CIP Safety, FF SIS, Interbus Safety, Safety over EtherCAT, Open Safety, EPA Safety, CC-Link Safety, SafetyNET p, RAPIEnet Safety
    In EN 50325-5: CANopen Safety
    AS-i Safety at Work: standard?

  • Considerations in previous editions 1 + 2 of IEC 61784-3

  • Slide 7: Quantification of Safety Communication

    [Figure: three chains Sensor -> PES -> Actuator; each safety function spans two logical connections (sensor to PES, PES to actuator)]

    The 1 % rule: the sum of the residual error rates of all logical connections of a safety function shall not exceed 1 % of the PFD / PFH of that safety function, e.g. for SIL 3 with PFH = 10^-7 /h the budget for the communication is 1 x 10^-9 /h.

  • Slide 8: "Black Channel" communication principle

    [Figure: two end devices, each with a Safety Communication Layer (IEC 61784 Functional Safety Communication Profile) on top of the IEC 61158 communication layers (FAL = application layer, optional; DLL = data link layer; PhL = physical layer). Between them: the fieldbus, a gateway with an internal communication link to another protocol, and devices such as repeaters, switches and wireless links]

    Covered so far in the Black Channel: repeaters, switches, wireless.
    New: "intelligent" (programmable) IO data routers.

  • Slide 9: Traditional characterizations (IT world)

    [Figure: two devices with a Safety Communication Layer (FSCP) each, connected by a logical connection through the Black Channel (closed system) with constraints (Pe, rates, etc.)]

    Examples of communication errors: corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade, addressing, out-of-sequence, loopback.

    Characteristics of the Black Channel: fieldbus messages with non-safety and/or safety PDUs; sample rate of safety PDUs; unknown error detection and repetition of messages.

    IEC 61784-3 started with the "Prüfgrundsätze GS-ET-26" (test principles) with their IT-driven list of communication errors.

  • Slide 10: Storage elements within the Black Channel

    [Figure: a queue with a send pointer and a receive pointer; a pointer failure delivers stored messages out of order]

    New error type: out-of-sequence.
    How many stored messages shall be considered for the design of the FSCP?

  • Slide 11: Safety Measures (IEC 61784-3)

  • Slide 12: Model for calculations: BSC

    [Figure: Binary Symmetric Channel (BSC): 0 -> 0 and 1 -> 1 with probability Q, 0 -> 1 and 1 -> 0 with probability P. Binary Erasure Channel (BEC): 0 -> 0 and 1 -> 1 with probability Q, 0 -> X and 1 -> X with probability P]

    Binary Symmetric Channel and assumptions:
    P = Pe for all bits, the Bit Error Probability (BEP).
    The bits are falsified independently: each message bit is wrong with probability Pe and correct with probability 1 - Pe.

  • Slide 13: Proper and improper CRC polynomials

    [Figure: residual error probability Pue versus bit error probability epsilon (10^-5 ... 10^-1, log-log). Left: generator polynomial 19003h, n = dmax = 1008, labelled "improper polynomial": the curve rises above the 2^-r asymptote. Right: the generator polynomial printed on the slide as 16^1^99999331, n = 1056. The slope of the curve equals the Hamming distance of the code]

    For a proper generator polynomial the residual error probability of an r-bit CRC over a message of n bits on a BSC is estimated by

    $$R_{CRC}(P_e) \approx 2^{-r} \sum_{k=d_{min}}^{n} \binom{n}{k} P_e^{k} (1-P_e)^{n-k}$$

    Usage of "proper" generator polynomials makes our lives easier.
    Caution: the formula is only applicable for proper polynomials!

  • Slide 14: Residual error rate and SIL relationship

    $$\Lambda_{SL}(P_e) = R_{CRC}(P_e) \cdot v \cdot m$$

    Λ_SL(Pe) = residual error rate per hour
    R_CRC(Pe) = residual error probability (per safety message, at bit error probability Pe)
    v = number of safety messages per hour ("sample rate")
    m = worst case number of message sinks (e.g. logic solver, actuator)

    SIL relationship:

    Applicable for safety    Probability of a dangerous      Maximum permissible residual
    functions up to SIL      failure per hour for the FSCP   error rate for the FSCP
    4                        < 10^-10 / h                    < 10^-10 / h
    3                        < 10^-9 / h                     < 10^-9 / h
    2                        < 10^-8 / h                     < 10^-8 / h
    1                        < 10^-7 / h                     < 10^-7 / h

    NOTE Values in this table are based on the assumption that the functional safety communication system contributes no more than 1 % of the total faults of the safety function.

  • Slide 15: Worst case number of message sinks "m", Example 1

    [Figure: E-Stop -> Processing -> three Drives over one fieldbus network; key: logical connection, safety function]

    Example 1: one safety function with a total of m = 4 sinks (1 x Processing, 3 x Drives).

  • Slide 16: Worst case number of message sinks "m", Example 2

    [Figure: E-Stop -> Processing -> Drive, three times over one fieldbus network, each chain forming an independent production cell; key: logical connection, safety functions 1 to 3]

    Example 2: three independent production cells, i.e. three safety functions with m = 2 sinks each (1 x Processing, 1 x Drive).
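    The budget calculation of slides 13 to 16 carried through in code. This is an added example, not from the slides or from any FSCP specification: it implements the proper-polynomial CRC formula, the rate formula Λ_SL = R_CRC(Pe) · v · m and the SIL table, then evaluates the two examples for m. The bit error probability, message rate, CRC length and Hamming distance used in the demo are assumptions.

```python
"""Residual error budget of a safety communication layer (IEC 61784-3 style).

Added example, not code from the slides. It implements the proper-polynomial
CRC formula (slide 13), Lambda_SL = R_CRC(Pe) * v * m and the SIL table
(slide 14), and evaluates the two examples for m (slides 15 and 16).
All numeric inputs in the demo (Pe, v, n, r, d_min) are assumptions."""
from math import comb, exp, log, log1p

# Maximum permissible residual error rate per hour for the FSCP (slide 14).
# These limits already contain the 1 % rule of slide 7.
SIL_LIMITS = [(4, 1e-10), (3, 1e-9), (2, 1e-8), (1, 1e-7)]


def r_crc_proper(pe: float, n: int, r: int, d_min: int) -> float:
    """Residual error probability of an r-bit CRC over an n-bit message on a
    BSC with bit error probability pe, valid for *proper* polynomials only:
    2^-r * P(at least d_min of the n bits are falsified).
    The binomial terms are evaluated in the log domain so that long
    messages (n in the thousands) do not overflow a float."""
    if not 0.0 <= pe <= 1.0:
        raise ValueError("pe must be a probability")
    if pe == 0.0:
        return 0.0 if d_min > 0 else 2.0 ** -r
    if pe == 1.0:
        return 2.0 ** -r if d_min <= n else 0.0
    tail = 0.0
    for k in range(d_min, n + 1):
        tail += exp(log(comb(n, k)) + k * log(pe) + (n - k) * log1p(-pe))
    return 2.0 ** -r * tail


def lambda_sl(r_crc: float, v: float, m: int) -> float:
    """Residual error rate per hour: residual error probability per message
    times messages per hour (v) times worst-case number of sinks (m)."""
    return r_crc * v * m


def budget_from_pfh(pfh: float) -> float:
    """1 % rule of slide 7: the safety communication may consume 1 % of the
    PFH of the safety function."""
    return 0.01 * pfh


def max_sil(rate: float):
    """Highest SIL whose FSCP limit the residual error rate still satisfies,
    or None if even the SIL 1 limit is exceeded."""
    for sil, limit in SIL_LIMITS:
        if rate < limit:
            return sil
    return None


if __name__ == "__main__":
    # Assumed channel and protocol parameters (not from the slides).
    pe, n, r, d_min = 1e-5, 1008, 16, 4
    v = 3600 * 10                      # ten safety PDUs per second, per hour
    rp = r_crc_proper(pe, n, r, d_min)
    # Slide 15: one safety function, m = 4; slide 16: three independent
    # safety functions with m = 2 each, so m = 2 is the worst case per function.
    for label, m in (("Example 1 (slide 15)", 4), ("Example 2 (slide 16)", 2)):
        rate = lambda_sl(rp, v, m)
        print(f"{label}: m={m} RP={rp:.3e} rate={rate:.3e}/h -> SIL {max_sil(rate)}")
    print(f"1 % budget for a SIL 3 function with PFH 1e-7/h: {budget_from_pfh(1e-7):.1e}/h")
```

    The demo prints how far the same CRC and message rate reach for m = 4 and m = 2; changing v, Pe or d_min shows which parameter dominates the budget.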

  • New considerations for Edition 3 of IEC 61784-3

  • Slide 18: FSCP to show residual error rates for:

    Timeliness of safety data ("Aktualität")
    Authenticity of safety data ("Authentizität")
    Integrity of safety data ("Unversehrtheit")

    Formula: $\Lambda_{SL}(P_e) = R_{CRC}(P_e) \cdot v \cdot m$

    [Figure: Data(t) delivered as Data(t - delay) via storage (timeliness); Data(A1) replaced by Data(An) from another source (authenticity); Data(A1, t) corrupted (integrity). Based on the IEC 61508 requirements]

  • Slide 19: New characteristics: "TADI" ("TADIS")

    [Figure: as on slide 9, two devices with a Safety Communication Layer (FSCP) each and a logical connection through the Black Channel (closed system) with constraints (Pe, rates, etc.)]

    Examples of communication errors: corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade, addressing, out-of-sequence, loopback.

    Characteristics of the Black Channel: fieldbus messages with non-safety and/or safety PDUs; sample rate of safety PDUs; unknown error detection and repetition of messages.

    New characteristics: Timeliness, Authenticity, Data Integrity (and Security).

  • Slide 20: New: protocol phases to consider

    [Figure: state diagram Start -> Initialization -> Correct FSCP operation; Fault -> Warm start -> Initialization; a tolerated error (optional) within correct operation]

    Expanded considerations:
    Setup or change
    Initialization (establish communication)
    Operation (process data exchange)
    Warm start after transition from Fault
    Shutdown

  • Hot stuff

  • Slide 22: How to calculate (estimate) Residual Error Rates (RER)? Model and assumptions

    [Figure: fieldbus frame DA | SA (fieldbus address) | Non-safety PDU | Safety PDU | Non-safety PDU | CRC; bit error probability = Pe]

    Transmitted bits across the fieldbus: BSC model
    Misrouting faults (authenticity expectation): uniform distribution
    Store-and-forward faults (timeliness expectation): uniform distribution

  • Slide 23: Principle of CRC signature calculation

    [Figure: n user data bits are divided by the generator polynomial, here x^4 + x^1 + x^0; the r-bit remainder is the CRC signature, e.g. 1 1 1 0]

  • Slide 24: "Explicit" safety measures: safety checks within the receiver

    [Figure: fieldbus frame DA | SA | Safety PDU, where the Safety PDU = Data | Authenticity (A-code) | Timeliness (T-code) | CRC signature. Receiver expectations: A-code equal to the local A-code (a locally stored parameter); T-code equal to (one of) the local T-code values *) (a locally generated synchronized value). CRC calculation using the generator polynomial over the received PDU]

    Step: Authenticity 100 % correct (the A-code is compared explicitly).
    Step: Timeliness has a certain RP *).
    Rest = 0: data correct with a certain RP. Rest != 0: data incorrect, or from an incorrect source, or out of time.

    *) If several values are permitted (window "w") and/or a sequence number / time stamp with wrap-over is used, timeliness will also have a certain RP. RP: Residual Error Probability.

  • Slide 25: "Implicit" safety measures: safety checks within the receiver

    [Figure: fieldbus frame DA | SA | Safety PDU, where the Safety PDU = Data | CRC signature only. The local A-code and the local T-code *) are fed into the CRC calculation as the seed (optional for performance) instead of being transmitted]

    Rest = 0: data correct with a certain RP, authenticity at a certain RP, timeliness at a certain RP.
    Rest != 0: data incorrect, or from an incorrect source, or out of time.

    *) If a sequence number / time stamp with wrap-over is used, timeliness will also have a certain RP. RP: Residual Error Probability.

  • Slide 26: Model for authenticity considerations

    [Figure: several message sources with configured internal addresses, connected via bus interfaces and the fieldbus (e.g. switches) to message sinks. A logical connection (authenticity) carries the intended safety message, e.g. SIL 3; a message with an incorrect fieldbus address or internal address (non-safety or lower SIL) may arrive instead. Bit error probability = Pe; PA = probability of an authenticity error for logical connections]

    Receiver shall be able to detect misdirected Safety PDUs.

  • Slide 27: Misdirected safety PDUs (explicit)

    [Figure: as on slide 24, but the frame carries a corrupted fieldbus address, so a misdirected Safety PDU (Data | A-code | T-code | CRC signature) arrives at the wrong receiver. Local A-code: locally stored parameter; local T-code *): locally generated synchronized value]

    Step: Authenticity incorrect (the received A-code does not match the local A-code).
    Step: Timeliness has a certain RP *).
    Rest = 0: certain probability. Rest != 0: data incorrect, or from an incorrect source, or out of time.

    *) If several values are permitted (window "w") and/or a sequence number / time stamp with wrap-over is used, timeliness will also have a certain RP. RP: Residual Error Probability.

  • Slide 28: Misdirected safety PDUs (implicit)

    [Figure: as on slide 25, but the frame carries a corrupted fieldbus address; the misdirected Safety PDU (Data | CRC signature) is checked with the receiver's own local A-code and local T-code *) as the CRC seed (optional for performance). Bit errors in the address are responsible for the misdirected safety PDU (BSC); correlation with the fieldbus address?]

    Rest = 0: data correct with RP acc. BSC, authenticity with RP acc. UD, timeliness with RP acc. UD.
    Rest != 0: data incorrect, or from an incorrect source, or out of time.

    *) If several values are permitted (window "w") and/or a sequence number with wrap-over is used, timeliness will also have a certain RP.
    RP: Residual Error Probability. UD: Uniform Distribution. BSC: Binary Symmetric Channel.
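    The receiver checks of slides 24, 25, 27 and 28 as runnable code. This is an added example, not the code of any FSCP: the frame layout, the 16-bit A-code and T-code, the acceptance window and the sample data are assumptions. The CRC uses the 16-bit generator polynomial 19003h printed on slide 13 only to show the check mechanics; whether it is proper for a given length is the subject of that slide, not of this example. The explicit variant transmits A-code and T-code and compares them; the implicit variant never transmits them and instead seeds the CRC, so a misdirected or stale PDU shows up as Rest != 0.

```python
"""Receiver-side safety checks of a safety PDU: explicit vs. implicit
A-code and T-code (slides 24, 25, 27, 28). Added example, not FSCP code;
frame layout, code sizes, window and sample data are assumptions."""
from dataclasses import dataclass

POLY, WIDTH = 0x19003, 16        # x^16 + x^15 + x^12 + x + 1 (19003h, slide 13)
CODE_LEN = 2                     # A-code and T-code are 16 bit each (assumed)


def poly_mod(data: bytes) -> int:
    """Remainder of data(x) divided by the generator polynomial
    (MSB first, no reflection, no init value, no final XOR)."""
    reg = 0
    for byte in data:
        for i in range(7, -1, -1):
            reg = (reg << 1) | ((byte >> i) & 1)
            if reg & (1 << WIDTH):
                reg ^= POLY
    return reg


def crc_sign(data: bytes) -> bytes:
    """CRC signature = remainder of data(x) * x^WIDTH, as WIDTH/8 bytes."""
    return poly_mod(data + bytes(WIDTH // 8)).to_bytes(WIDTH // 8, "big")


def code(value: int) -> bytes:
    return value.to_bytes(CODE_LEN, "big")


# --- sender side ----------------------------------------------------------
def build_explicit(data: bytes, a_code: int, t_code: int) -> bytes:
    """Safety PDU = Data | A-code | T-code | CRC signature (slide 24)."""
    body = data + code(a_code) + code(t_code)
    return body + crc_sign(body)


def build_implicit(data: bytes, a_code: int, t_code: int) -> bytes:
    """Safety PDU = Data | CRC signature; A-code and T-code are only the
    seed of the CRC and are not transmitted (slide 25)."""
    return data + crc_sign(code(a_code) + code(t_code) + data)


# --- receiver side --------------------------------------------------------
@dataclass
class Receiver:
    local_a: int            # locally stored parameter (A-code)
    expected_t: int         # locally generated synchronized value (T-code)
    window: int = 1         # w permitted T values (slide 24 footnote)

    def timely(self, t: int) -> bool:
        """T-code must be one of w consecutive values, with 16-bit wrap-over."""
        return (t - self.expected_t) % (1 << (8 * CODE_LEN)) < self.window

    def check_explicit(self, pdu: bytes) -> bool:
        """Rest != 0 -> data incorrect; then compare A-code and T-code."""
        if len(pdu) < 2 * CODE_LEN + WIDTH // 8 or poly_mod(pdu) != 0:
            return False
        a = int.from_bytes(pdu[-6:-4], "big")
        t = int.from_bytes(pdu[-4:-2], "big")
        return a == self.local_a and self.timely(t)

    def check_implicit(self, pdu: bytes) -> bool:
        """Rest == 0 only if data, source (A) and time (T) all match the
        receiver's own seed; with a window w every permitted T is tried."""
        for offset in range(self.window):
            t = (self.expected_t + offset) % (1 << (8 * CODE_LEN))
            if poly_mod(code(self.local_a) + code(t) + pdu) == 0:
                return True
        return False


if __name__ == "__main__":
    rx = Receiver(local_a=0x1234, expected_t=7, window=2)
    data = bytes([0x01, 0x00, 0xFF, 0x10])          # constructed sample data
    cases = {
        "correct":            (0x1234, 7),
        "next in window":     (0x1234, 8),
        "stale (old T)":      (0x1234, 6),
        "misdirected (A)":    (0x4321, 7),
    }
    for name, (a, t) in cases.items():
        print(f"{name:18s} explicit={rx.check_explicit(build_explicit(data, a, t))}"
              f" implicit={rx.check_implicit(build_implicit(data, a, t))}")
```

    A single flipped data bit is always caught by either variant, and because the A-code and T-code are shorter than the CRC, a wrong seed in the implicit variant always yields Rest != 0 for otherwise intact data; the residual error probabilities of slides 25 and 28 arise only when bit errors in the data and a wrong source or time coincide.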

  • Slide 29: New "Table 2" with RPs

    FSCP category           Timeliness (T):         Authenticity (A):                       Data Integrity (DI):
                            sequence number /       safety connection authentication |      CRC signature
                            time stamp              detection of masquerade
    Explicit                RP_T = 2^-T-Code x w    RP_S = 2^-A-Code x d | RP_M             RP_I
    Explicit and implicit   RP_T                    RP_S | RP_M
    Implicit T or A         RP_T                    RP_S | RP_M
    Implicit T and A        RP_T                    RP_S | RP_M

    A new "Table 2" with Residual Error Probabilities (RP) was created for fast and easy estimates. The RPx values may be too pessimistic due to overlap effects from the CRC signature (data integrity). Together with the estimates of occurrences, the Residual Error Rates (RR) can be calculated.

  • Slide 30: Approach with a "universal" formula (preliminary)

    "Table 2" could be accompanied by a proposed "universal" formula.
    Caution: the formula is not yet approved by the group!

    Benefit of a "universal" formula: better values, since there is no overlap from the CRC signature (data integrity).

  • Parameterization issues

  • Slide 32: Parameterization considerations

    [Figure: an engineering tool and a device tool produce the CRC-secured FSCP parameter block: FSCP parameters of the device (e.g. timeout) and technology (device-specific) parameters, each protected by a CRC. The controller downloads the configuration and parameterization over the fieldbus to the device, which checks the CRCs]

    Procedures to consider:
    Assumption: parameter change rate 1 / day.

  • Slide 33: Just do it!

    Thank you. Questions?