
BS EN 61784-3:2016+A1:2017 (2018 Edition)

$215.11

Industrial communication networks. Profiles – Functional safety fieldbuses. General rules and profile definitions

Published by: BSI
Publication date: 2018
Number of pages: 102

This part of the IEC 61784-3 series explains common principles that can be used in the transmission of safety-relevant messages among participants within a distributed network that uses fieldbus technology in accordance with the requirements of the IEC 61508 series for functional safety. These principles are based on the black channel approach. They can be used in various industrial applications such as process control, manufacturing automation and machinery.

This part and the IEC 61784-3-x parts specify several functional safety communication profiles based on the communication profiles and protocol layers of the fieldbus technologies in IEC 61784-1, IEC 61784-2 and the IEC 61158 series. These functional safety communication profiles use the black channel approach, as defined in IEC 61508, and are intended for implementation in safety devices exclusively.

NOTE 1 Other safety-related communication systems meeting the requirements of the IEC 61508 series can exist that are not included in this standard.

NOTE 2 This part does not cover electrical safety and intrinsic safety aspects. Electrical safety relates to hazards such as electrical shock. Intrinsic safety relates to hazards associated with potentially explosive atmospheres.

All systems are exposed to unauthorized access at some point in their life cycle. Additional measures need to be considered in any safety-related application to protect fieldbus systems against unauthorized access. The IEC 62443 series addresses many of these issues; the relationship with the IEC 62443 series is detailed in a dedicated subclause of this part.

NOTE 3 Additional profile-specific requirements for security can also be specified in IEC 61784-4.

NOTE 4 Implementation of a functional safety communication profile according to this part in a device is not sufficient to qualify it as a safety device, as defined in the IEC 61508 series.

NOTE 5 The resulting SIL claim of a system depends on the implementation of the selected functional safety communication profile within this system.

PDF Catalog

PDF page – Title
4 European foreword
Endorsement notice
8 Annex ZA (normative) Normative references to international publications with their corresponding European publications
26 English
CONTENTS
31 FOREWORD
33 0 Introduction
0.1 General
Figures
Figure 1 – Relationships of IEC 61784-3 with other standards (machinery)
34 Figure 2 – Relationships of IEC 61784-3 with other standards (process)
35 0.2 Transition from Edition 2 to extended assessment methods in Edition 3
Figure 3 – Transition from Edition 2 to Edition 3 assessment methods
36 0.3 Patent declaration
37 1 Scope
2 Normative references
39 3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions
46 3.2 Symbols and abbreviated terms
47 4 Conformance
5 Basics of safety-related fieldbus systems
5.1 Safety function decomposition
48 5.2 Communication system
5.2.1 General
5.2.2 IEC 61158 fieldbuses
Figure 4 – Safety communication as a part of a safety function
49 5.2.3 Communication channel types
5.2.4 Safety function response time
Figure 5 – Example model of a functional safety communication system
50 5.3 Communication errors
5.3.1 General
5.3.2 Corruption
5.3.3 Unintended repetition
5.3.4 Incorrect sequence
Figure 6 – Example of safety function response time components
51 5.3.5 Loss
5.3.6 Unacceptable delay
5.3.7 Insertion
5.3.8 Masquerade
5.3.9 Addressing
5.4 Deterministic remedial measures
5.4.1 General
5.4.2 Sequence number
5.4.3 Time stamp
52 5.4.4 Time expectation
5.4.5 Connection authentication
5.4.6 Feedback message
5.4.7 Data integrity assurance
5.4.8 Redundancy with cross checking
53 5.4.9 Different data integrity assurance systems
5.5 Typical relationships between errors and safety measures
54 5.6 Communication phases
Tables
Table 1 – Overview of the effectiveness of the various measures on the possible errors
55 5.7 FSCP implementation aspects
5.8 Data integrity considerations
5.8.1 Calculation of the residual error rate
Figure 7 – Conceptual FSCP protocol model
Figure 8 – FSCP implementation aspects
56 Table 2 – Definition of items used for calculation of the residual error rates
57 5.8.2 Total residual error rate and SIL
Figure 9 – Example application 1 (m=4)
Figure 10 – Example application 2 (m = 2)
58 5.9 Relationship between functional safety and security
Table 3 – Typical relationship of residual error rate to SIL
Table 4 – Typical relationship of residual error on demand to SIL
59 5.10 Boundary conditions and constraints
5.10.1 Electrical safety
5.10.2 Electromagnetic compatibility (EMC)
Figure 11 – Zones and conduits concept for security according to IEC 62443
60 5.11 Installation guidelines
5.12 Safety manual
5.13 Safety policy
61 6 Communication Profile Family 1 (Foundation™ Fieldbus) – Profiles for functional safety
7 Communication Profile Family 2 (CIP™) and Family 16 (SERCOS®) – Profiles for functional safety
8 Communication Profile Family 3 (PROFIBUS™, PROFINET™) – Profiles for functional safety
62 9 Communication Profile Family 6 (INTERBUS®) – Profiles for functional safety
10 Communication Profile Family 8 (CC-Link™) – Profiles for functional safety
10.1 Functional Safety Communication Profile 8/1
Table 5 – Overview of profile identifier usable for FSCP 6/7
63 10.2 Functional Safety Communication Profile 8/2
11 Communication Profile Family 12 (EtherCAT™) – Profiles for functional safety
64 12 Communication Profile Family 13 (Ethernet POWERLINK™) – Profiles for functional safety
13 Communication Profile Family 14 (EPA®) – Profiles for functional safety
14 Communication Profile Family 17 (RAPIEnet™) – Profiles for functional safety
65 15 Communication Profile Family 18 (SafetyNET p™ Fieldbus) – Profiles for functional safety
66 Annex A (informative) Example functional safety communication models
A.1 General
A.2 Model A (single message, channel and FAL, redundant SCLs)
A.3 Model B (full redundancy)
Figure A.1 – Model A
67 A.4 Model C (redundant messages, FALs and SCLs, single channel)
A.5 Model D (redundant messages and SCLs, single channel and FAL)
Figure A.2 – Model B
Figure A.3 – Model C
68 Figure A.4 – Model D
69 Annex B (normative) Safety communication channel model using CRC-based error checking
B.1 Overview
B.2 Channel model for calculations
Figure B.1 – Communication channel with perturbation
70 B.3 Bit error probability Pe
Figure B.2 – Binary symmetric channel (BSC)
71 B.4 Cyclic redundancy checking
B.4.1 General
Figure B.3 – Example of a block with a message part and a CRC signature
72 B.4.2 Considerations concerning CRC polynomials
Figure B.4 – Block codes for error detection
Table B.1 – Example dependency dmin and block bit length n
73 Figure B.5 – Proper and improper CRC polynomials
74 Annex C (informative) Structure of technology-specific parts
Table C.1 – Common subclause structure for technology-specific parts
76 Annex D (informative) Assessment guideline
D.1 Overview
D.2 Channel types
D.2.1 General
D.2.2 Black channel
D.2.3 White channel
77 D.3 Data integrity considerations for white channel approaches
D.3.1 General
D.3.2 Models B and C
78 D.3.3 Models A and D
Figure D.1 – Basic Markov model
79 D.4 Verification of safety measures
D.4.1 General
D.4.2 Implementation
D.4.3 “De-energize to trip” principle
D.4.4 Safe state
D.4.5 Transmission errors
D.4.6 Safety reaction and response times
80 D.4.7 Combination of measures
D.4.8 Absence of interference
D.4.9 Additional fault causes (white channel)
D.4.10 Reference test beds and operational conditions
D.4.11 Conformance tester
81 Annex E (informative) Examples of implicit vs. explicit FSCP safety measures
E.1 General
E.2 Example fieldbus message with safety PDUs
E.3 Model with completely explicit safety measures
Figure E.1 – Example safety PDUs embedded in a fieldbus message
Figure E.2 – Model with completely explicit safety measures
82 E.4 Model with explicit A-code and implicit T-code safety measures
E.5 Model with explicit T-code and implicit A-code safety measures
Figure E.3 – Model with explicit A-code and implicit T-code safety measures
83 E.6 Model with split explicit and implicit safety measures
Figure E.4 – Model with explicit T-code and implicit A-code safety measures
Figure E.5 – Model with split explicit and implicit safety measures
84 E.7 Model with completely implicit safety measures
E.8 Addition to Annex B – impact of implicit codes on properness
Figure E.6 – Model with completely implicit safety measures
85 Annex F (informative) Extended models for estimation of the total residual error rate
F.1 Applicability
F.2 General models for black channel communications
Figure F.1 – Black channel from an FSCP perspective
86 F.3 Identification of generic safety properties
F.4 Assumptions for residual error rate calculations
87 F.5 Residual error rates
F.5.1 Explicit and implicit mechanisms
F.5.2 Residual error rate calculations
89 F.6 Data integrity
F.6.1 Probabilistic considerations
F.6.2 Deterministic considerations
90 F.7 Authenticity
F.7.1 General
Figure F.2 – Model for authentication considerations
91 F.7.2 Residual error rate for authenticity (RRA)
Figure F.3 – Fieldbus and internal address errors
92 F.8 Timeliness
F.8.1 General
93 Figure F.4 – Example of slowly increasing message latency
94 F.8.2 Residual error rate for timeliness (RRT)
Figure F.5 – Example of an active network element failure
95 F.9 Masquerade
F.9.1 General
F.9.2 Other terms used to calculate residual error rate for masquerade rejection (RRM)
F.10 Calculation of the total residual error rates
F.10.1 Based on the summation of the residual error rates
96 F.10.2 Based on other quantitative proofs
F.11 Total residual error rate and SIL
Figure F.6 – Example application 1 (m = 4)
Figure F.7 – Example application 2 (m = 2)
97 F.12 Configuration and parameterization for an FSCP
F.12.1 General
Table F.1 – Typical relationship of residual error rate to SIL
Table F.2 – Typical relationship of residual error on demand to SIL
98 Figure F.8 – Example of configuration and parameterization procedures for FSCP
99 F.12.2 Configuration and parameterization change rate
F.12.3 Residual error rate for configuration and parameterization
100 Bibliography