cip safety protocol training - odva · 2021. 3. 6. · cyclic redundancy code. • all safety...

CIP Safety Protocol Training

Virtual Training Courses

Session 3: CIP Safety Details

Before We Begin

• Introductions

• All attendees are automatically muted with no video connection as a

default.

• Please use the Q&A to ask questions, not the chat. We will address

questions as they come in.

• At the end if there is time, we will take questions verbally from the

attendees. We will advise if and when there is time for you to “raise your

hand” if you have a question.

• Please complete the 4 question post session survey. The survey will

launch when you close out of the webinar.

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 2

Review - Yesterday We Covered:

CIP Safety Overview

• Introduction to CIP Safety Specification: CIP Networks Library – Volume 5

• Building on standard CIP services and international standards

• Application level protocol, routable by standard infrastructure (“black channel”)

• Leveraging network topologies for flexibility and efficiency

• Analysis of a complex safety system

• Scalability through segmented EtherNet/IP architecture and multicasting

• Example safety application, analysis of safety functions using SISTEMA

3PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA

Review - Yesterday We Covered:

CIP Safety Profiles, Objects and Services

• Defined Safety Profiles: Discrete and Analog Safety I/O, Safety Drive device types

• Extension of Volume 1 Profiles and Vendor Specific Profiles

• Baseline requirements for CIP Safety Devices: Safety Supervisor and Safety Validator objects

• Provide means to configure, establish and monitor safety I/O connections

• Establishment and optional configuration of Safety I/O Connections using Safety Open

• Measures used during establishment: TUNID, SNN, SCID, PIEM, NTEM, …

• High integrity explicit messaging achieved through CRC and multiple step operations

4PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA

CIP Safety Configuration

David Crane

ODVA

Configuration of Safety Devices• Configuration of safety devices must be achieved with high integrity

– Creation of certified tools, routers, workstations and device communication is

problematic

• Solution: SNCT Interface

– Assume unreliable communication between devices and ensure integrity using CRC

and verification checking

– Ref: Vol 5 2-1.9

– Ref: Vol 5 7-1


Configuration of Safety Devices• Device Configuration

– Tool configures all nodes

– Originator establishes pre-configured connectionsConfiguration Owner:

e.g., Windows-based

SNCT Software

Safety Open Response

Safety Open (TYPE 2)

Target Devicee.g: Safety input

Originator Devicee.g: Safety PLC


Configuration of Safety Devices• Device Configuration

– Tool downloads configuration to controller

– Originator establishes and configures connectionsConfiguration Owner:

e.g., Windows-based

SNCT Software

Safety Open Response

Safety Open (TYPE 1)

Target Devicee.g: Safety input

Originator Devicee.g: Safety PLC


CIP Safety Errors and

Measures

David Crane

ODVA

Data A Mode CRC-A Data B CRC-B Time Stamp CRC

Normal Data

Inverted Data

Concepts• Specifically for CIP Safety, how is the packet different from Standard CIP?

(RT hdr) (Seq#) Data

DUALITY – Standard and Complemented Data

DIVERSITY – Standard & CRC + Complemented Data & Complemented CRC

DIAGNOSTICS – Authentication, Timestamp, CRC’s


Simplified view of IEC 61784-3-2:2016 Page 29

CIP SafetyIEC 61784-3-2:2016

Page 29

Time Stamp

Time Expectation

Connection Authenticatio

n

Data Integrity

Assurance

Redundancy with Cross Checking

Diff. Data Integrity

Assurance Systems

Corruption X XUnintended repetition X XIncorrect sequence X XLoss X XUnacceptable delay XInsertion X X XMasquerade X X X X XAddressing X X

IEC 61784-3-2:2016 –vs– CIP Networks Volume 5

Actual content from IEC 61784-3-2:2016 Page 29


Error Detection Measures

Coupling of safety &

safety data Coupling of safety &

standard data Increased age of data

in bridge or router

Message

RepetitionMessage

LossMessage

InsertionIncorrect

Sequence

Message

Delay

Message

Corruption

Time expectation

via a timestamp

X

X

X

X

X

X

X

Errors

MeasuresID for send and

receiveSafety CRC Redundancy

Diverse

Measures


Time Expectation via a Timestamp• A simple watchdog timer cannot detect the age of data

– Watchdog timer detects if a individual message was not received within an interval

– A watchdog timer cannot detect queue delays or gradual shifts of time

• Solution: timestamp on every message

• Producer and Consumer clocks run at 128μsec rate, ±0.02%

– Skew/drift still happens…

• Time coordination is achieved via ping request/response message transaction sequence (Ping Interval)

– Single-cast producers produce time-stamped data relative to consumer’s clock

– A multi-cast producer stamps data with its own clock but provides a time correction

offset to each consumer once per ping interval

• Ref: Vol 5 2-1.8.1


Single-Cast Ping

Safety Message (Data, Mode, Ping=3, Timestamp =1, CRC-Sx)

Producer Consumer

Pro

ducer

Pin

g Inte

rval

EP

IE

PI

EP

IE

PI

EP

IE

PI

Pro

ducer

Pin

g In

terv

al

Time Coordination Msg (Consumer_Time_Value,Ping = 3,Con_Status, CRC)

Safety Message

Safety Message

Safety Message (Data, Mode, Ping=0, Timestamp = 2 1, CRC-Sx)

Time Coordination Msg (Consumer_Time_Value,Ping = 0,Con_Status, CRC)Safety

Message

Safety Message

Ping

Response

Node 1

Ping

Response

Node 2

Ping

Request

Ping

Success,

New Ping

Request

Ping

RequestPing

Response

Ping

Response

Ping Success

New Ping

Request


Timestamp Single-Cast (1)

8990919293949596979899100101102103104105106107108

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

Producer

Count

Consumer

Count

Timestamp = 87+9=96

Timestamp =

87+16=103

Max. age = 100-96 =4

Max. age = 108-103

=5

New Ping count

Offset = 92-5=87

New Offset

Age limit = 20



18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

109110111112113114115116117118119120121122123124125126127128129130131

Producer

Count

Consumer

CountOffset = 87

Timestamp = 87+18=105





Max. age = 110-105 =5

Max. age = 130-121 =9

Max. age = 115-109 =6

Max. age = 120-113 =7

Max. age = 125-117 =8

Age limit = 20



36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

132133134135136137138139140141142143144145146147148149150151152153

Producer

CountConsumer

Count

Offset = 87

Timestamp =

87+36=123

Timestamp =

87+40=127

Max. age = 133-123

=10

Max. age = 151-146 =6

Timestamp =

87+=13144

Timestamp =

94+49=143

Timestamp =

94+52=146

Max. age = 138-128

=10

Max. age = 148-143 =5

Max. age = 142-131

=11

New Ping count

Offset = 141-47=94

New Offset

Age limit = 20


Multi-Cast

Ping


Timestamp Multi-Cast

0123456789

1011121314151617

8990919293949596979899

100101102103104105106107108

Producer

CountConsumer

Count

Time Correction Value = 92-5=87

Timestamp = 87+9=96

Timestamp =

87+16=103

Max. age = 100-96=4

Max. age = 108-103 =5

New Ping count

New Time Correction Value

Age limit = 20






in bridge or router

Message

RepetitionMessage

LossMessage

InsertionIncorrect

Sequence

Message

Delay

Message

Corruption

Time expectation

via a timestamp

ID for send and

receive

X

X

X X

X

X

X

X X

X

Errors

Measures

Safety CRC RedundancyDiverse

Measures


Producer/Consumer Identifier– All transmitted messages include a PID/CID which is derived from:

• Device Serial Number

• Vendor ID

• CIP connection number

– PID/CID exchanged during Forward Open request/response

– Used to seed CRCs

• “Implicit” data

– Ref: Vol 5 2-6.7 PID/CID Usage and Establishment






in bridge or router

Message

RepetitionMessage

LossMessage

InsertionIncorrect

Sequence

Message

Delay

Message

Corruption

Time expectation

via a timestamp

X

X

X

X

X

X

X

ID for send and

receive

X

X

X

Errors

Measures

RedundancyDiverse

MeasuresSafety CRC

X

X

X

X

X

X


Cyclic Redundancy Code• All safety messages are transmitted with a safety CRC

– The size of the CRC is dependent on the size of the message being transmitted

– Base Format

• 2 bytes or less: 8 bit CRC

• 3-250 bytes: 16 bit CRC

– Extended Format

• 2 bytes or less: 24 bit CRC

• 3-250 bytes: 16 and 24 bit CRCs

• Safety CRC is an end to end protection measure

– Independent of link CRCs

• Each safety CRC provides a Hamming distance of 4

– 4 Individual errors must occur before an error would be undetected

– Burst error coverage is greater

• Ref: Vol 5 2-1.7.2, Appendix E






in bridge or router

Message

RepetitionMessage

LossMessage

InsertionIncorrect

Sequence

Message

Delay

Message

Corruption

Time expectation

via a timestampRedundancy

X

X

X

X

X

X

X X

X

ID for send

and receive

X

X

X

Safety CRC

X

X

X

X

X

X

Errors

MeasuresDiverse

Measures


Redundancy and Crosscheck• All data packets contain redundant CRCs

– CRC of safety data

– CRC of the inverted safety data

• Long data packets contain a redundant copy of inverted data

– Two channel architecture can exploit this

• Ref: Vol 5 2-1.3.3, 2-2.3






in bridge or router

Message

RepetitionMessage

LossMessage

InsertionIncorrect

Sequence

Message

Delay

Message

Corruption

Time expectation

via a timestampRedundancy

Diverse

Measures

X

X

X

X

X

X

X X X

X

ID for send and

receive

X

X

X

Errors

Measures

X

Safety CRC

X

X

X

X

X


CIP Safety: Builds on Standard CIP Services

IEE

E

802.3

IET

F

TC

P/IP

Suite


CIP Safety I/O Connections

David Crane

ODVA

Safety Connection Roles and Behaviors• Originator/Target

– Establishment (Safety/Forward Open service)

• Producer/Consumer

– Extension of Link level behavior

– Refers to application data

• Client/Server

– Safety Validator instance roles

• Single/Multi-Cast

– One or many consumers

– Up to 15 devices listening to the same safety production

– Equivalent to unicast, point-to-point, multipoint, etc.


Safety Connection Data Formats• Base/Extended Format

– Time Coordination

– CRC width

– Fault count

• Short/Long (Small/Large) Application Data Size

– Small: 2 bytes or less

– Large: 3 bytes or more


Originator/Target• Safety Connection Establishment


Producer/Consumer : Client/Server• Safety I/O Logical Structures

– Producer (Safety Validator Client)

• Data Message (time stamped1)

– Consumer (Safety Validator Server)

• Time Coordination Message

1single-cast and multi-cast differ in how time stamps are managed; single-cast shown here


Target

Data Link

Originator

Data Link

CIP Safety Protocol Concepts

Safety Validator

Server

Safety

Validator

ClientProducing

Safety

Application

Time Coordination

Safety Message w/ Data,

Time Stamp (Correction)

Safety Validator Client Safety Validator ServerSafety Originator Safety Target

Consuming

Safety

Application

P SPSC C

SP SCCP


Single-Cast Safety Connections

SVSDNDN

P C

C P

Originator Target

Safety Data +

Time Correction Msg.

Time Coordination Msg.

SVC

SP

SC

SC

SP

Originator is Producer of Safety Data (Example: Outputs)

Producing

Safety

Application

Consuming

Safety

Application

SVSDNDNSVC

P C

C P

Originator Target

Safety Data +


Time Coordination Msg.SP

SC

SC

SP

Target is Producer of Safety Data (Example: Inputs)

Consuming

Safety

Application

Producing

Safety

Application


Multi-Cast Safety Connections

Safety

Validator Server

Data LinkData Link

P C

Target Originator0Safety

Validator

SP SCProducing Safety

Application

Consuming

Safety

Application

C P

Data Link

C

P

C


OriginatorN

SC

Consuming

Safety

Application

Safety

Validator Server

SC

SP

SP

Safety Data + Timestamp +




Summary• CIP Safety I/O provides….

– High-integrity, functionally safe application data

– Cross checking and Time Expectation

– End-to-end CRC protection of application data

• Originators and Targets

• Producers and Consumers

• Safety Validator Client/Server

• Base/Extended Format

• Short/Long Application Data


Message Sections and Formats• CIP Safety defines two message formats

– Base (introduced as version 1.0; DeviceNet)

• RPI <= 100 mSec on EtherNet/IP

– Extended (version 2.0; introduced with EtherNet/IP)

• Extended timestamp to 32-bit

• Allows RPI > 100 mSec on EtherNet/IP

• CIP Safety has 4 message sections

– Data

– Timestamp

• (Base format only; Timestamp included in Data section for Extended format)

– Time Correction

– Time Coordination

• All CIP Safety messages are formed through combinations of these sections


Safety Messages• Safety sections are appended

to form safety messages

– Single-cast

– Multi-cast

– Multi-cast DeviceNet

• Ref: Vol 5 2-1.7.1


Message Sections• Base Format, Data Section

– Short 1-2 bytes

– Long 3-250 bytes

Actual Data Mode Byte Actual CRC Comp. CRC

1 - 2 Bytes CRC-S1 CRC-S2

Short Data Section

Actual Data Mode Byte Actual CRC Comp. CRC

3 - 250 Bytes CRC-S3 CRC-S3

Long Data section

Complemented Data

3 - 250 Bytes


Message Sections• Timestamp Section (Base Format)

– Time stamps mark all safety data production

– Extended Format includes TS in data section

Time Stamp Section

Time Stamp CRC-S1Mode Byte


Message Sections• Base Format, Time Coordination

CRC-S3Ack

Byte

Consumer Time

Value

Ack

Byte2


Message Sections• Base Format, Time Correction

– Multi-cast only

CRC-S3MCast

Byte

Time Correction

Value

MCast

Byte2


Safety Messages• Base Format, Single-cast

Data 0 Data 1CRC-

S2Time_Stamp

CRC-

S1

CRC-

S1

Producer to Consumer

CRC-S3Ack_

Byte

Consumer_Time

_Value

Ack_

Byte_2

Consumer to Producer

Mode

Byte

Data Message

Time Stamp SectionData Section

Time Coordination Message


Safety Messages• Base Format, Multi-cast

Data 0 Data 1CRC-

S2Time_Stamp

CRC-

S1

CRC-

S1

Mode

Byte

Data Message

Time Stamp SectionShort Data Section


CRC-S3MCast

ByteTime Correction

MCast

Byte_2

Time Correction Section

CRC-S3Ack

Byte

Consumer Time

Value

Ack

Byte2




Safety Messages• Base Format, Multi-cast, DeviceNet

Data 0 Data 1CRC-

S2Time_Stamp

CRC-

S1

CRC-

S1

Mode

Byte

Data Message

Time Stamp Section1 or 2 byte Data Section


Producer to ConsumerCRC-S3

MCast

ByteTime Correction

MCast

Byte2

Time Correction Message

CRC-S3Ack

Byte

Consumer Time

Value

Ack

Byte2




Base vs. Extended Format• Base Format limited to 16-bit clock (~8.3s)

• In routing scenarios with Ethernet switches, this time range is inadequate for RPI >100ms

• Extended Format allows larger EPIs by increasing the clock range with a 16-bit Rollover Count.

• Similar to the PID/CID mechanism, the rollover count is used as part of the CRC calculation.

• Extended Format adds Maximum Fault Count to allow connections to tolerate a certain number of failures per hour (e.g., dropped packet, CRC error).

• Base Format connection is faulted on first occurance of any error


Base vs. Extended CRCs• Data Section:

– CRC-S5 (24 bits) replaces 2 x CRC-S1 (8 bits) and CRC-S2 (8 bits)

– Same CRC covers Data and Timestamp

• Time Correction and Time Coordination

– CRC-S5 (24 bits) replaces CRC-S3 (16 bits)


Message Sections• Extended Format, Data Section

Short 1-2 bytes

Long 3-250 bytes

Actual Data CRC S5

CRC-S5_1

Short Data Section

CRC-S5_0

Mode Byte CRC S5

Time Stamp CRC-S5_2

Time Stamp

Actual Data Mode Byte Actual CRC .

3 - 250 Bytes CRC-S3

Long Data section

Complemented Data

3 - 250 Bytes

Complemented CRC S5

CRC-S5_1CRC-S5_0

CRC S5

Time Stamp CRC-S5_2

Time Stamp


Message Sections• Extended Format, Time Coordination

CRC-S3AckByte

Consumer Time Value

CRC-S5_0 CRC-S5_1 CRC-S5_2


Message Sections• Extended Format, Time Correction

– Multi-cast only

CRC-16MCast Byte

Time Correction Value



Safety Messages• Extended Format, Single-cast



Data Message

Data and Time Correction Section


1 – 2 Bytes CRC-S5_1CRC-S5_0 Time Stamp CRC-S5_2

CRC - S 3ACK Byte Consumer Time Value

Consumer Time



EF Multi-Cast Messages



Data Message

Data Section


1 – 2 BytesCRC-

S5_1

CRC-

S5_0Time Stamp

CRC-

S5_2


Consumer Time


C

R

C

-1

6Mcast

Byte

Time Correction

Value

CRC-

S5_0

CRC-

S5_1CRC-

S5_2

Time Correction SectionTime Stamp


EF Multi-Cast Messages (DeviceNet)



Data Message

Data and Time stamp Section


1 – 2 BytesCRC-

S5_1

CRC-

S5_0Time Stamp

CRC-

S5_2


Consumer Time


CRC- 16Mcast

ByteTime Correction Value

CRC-

S5_0

CRC-

S5_1

CRC-

S5_2

Time Correction Section



Next Session:Session 4 – Implementation, Testing, and Next Steps

Tomorrow, 10:00am – 11:30am US Eastern

cip safety protocol training - odva · 2021. 3. 6. · cyclic redundancy code. • all safety...

Documents