cip safety protocol training - odva · 2021. 3. 6. · cyclic redundancy code. • all safety...
TRANSCRIPT
CIP Safety Protocol Training
Virtual Training Courses
Session 3: CIP Safety Details
Before We Begin
• Introductions
• All attendees are automatically muted with no video connection as a
default.
• Please use the Q&A to ask questions, not the chat. We will address
questions as they come in.
• At the end if there is time, we will take questions verbally from the
attendees. We will advise if and when there is time for you to “raise your
hand” if you have a question.
• Please complete the 4 question post session survey. The survey will
launch when you close out of the webinar.
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 2
Review - Yesterday We Covered:
CIP Safety Overview
• Introduction to CIP Safety Specification: CIP Networks Library – Volume 5
• Building on standard CIP services and international standards
• Application level protocol, routable by standard infrastructure (“black channel”)
• Leveraging network topologies for flexibility and efficiency
• Analysis of a complex safety system
• Scalability through segmented EtherNet/IP architecture and multicasting
• Example safety application, analysis of safety functions using SISTEMA
3PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA
Review - Yesterday We Covered:
CIP Safety Profiles, Objects and Services
• Defined Safety Profiles: Discrete and Analog Safety I/O, Safety Drive device types
• Extension of Volume 1 Profiles and Vendor Specific Profiles
• Baseline requirements for CIP Safety Devices: Safety Supervisor and Safety Validator objects
• Provide means to configure, establish and monitor safety I/O connections
• Establishment and optional configuration of Safety I/O Connections using Safety Open
• Measures used during establishment: TUNID, SNN, SCID, PIEM, NTEM, …
• High integrity explicit messaging achieved through CRC and multiple step operations
4PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA
CIP Safety Configuration
David Crane
ODVA
Configuration of Safety Devices• Configuration of safety devices must be achieved with high integrity
– Creation of certified tools, routers, workstations and device communication is
problematic
• Solution: SNCT Interface
– Assume unreliable communication between devices and ensure integrity using CRC
and verification checking
– Ref: Vol 5 2-1.9
– Ref: Vol 5 7-1
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 6
Configuration of Safety Devices• Device Configuration
– Tool configures all nodes
– Originator establishes pre-configured connectionsConfiguration Owner:
e.g., Windows-based
SNCT Software
Safety Open Response
Safety Open (TYPE 2)
Target Devicee.g: Safety input
Originator Devicee.g: Safety PLC
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 7
Configuration of Safety Devices• Device Configuration
– Tool downloads configuration to controller
– Originator establishes and configures connectionsConfiguration Owner:
e.g., Windows-based
SNCT Software
Safety Open Response
Safety Open (TYPE 1)
Target Devicee.g: Safety input
Originator Devicee.g: Safety PLC
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 8
CIP Safety Errors and
Measures
David Crane
ODVA
Data A Mode CRC-A Data B CRC-B Time Stamp CRC
Normal Data
Inverted Data
Concepts• Specifically for CIP Safety, how is the packet different from Standard CIP?
(RT hdr) (Seq#) Data
DUALITY – Standard and Complemented Data
DIVERSITY – Standard & CRC + Complemented Data & Complemented CRC
DIAGNOSTICS – Authentication, Timestamp, CRC’s
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 10
Simplified view of IEC 61784-3-2:2016 Page 29
CIP SafetyIEC 61784-3-2:2016
Page 29
Time Stamp
Time Expectation
Connection Authenticatio
n
Data Integrity
Assurance
Redundancy with Cross Checking
Diff. Data Integrity
Assurance Systems
Corruption X XUnintended repetition X XIncorrect sequence X XLoss X XUnacceptable delay XInsertion X X XMasquerade X X X X XAddressing X X
IEC 61784-3-2:2016 –vs– CIP Networks Volume 5
Actual content from IEC 61784-3-2:2016 Page 29
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 11
Error Detection Measures
Coupling of safety &
safety data Coupling of safety &
standard data Increased age of data
in bridge or router
Message
RepetitionMessage
LossMessage
InsertionIncorrect
Sequence
Message
Delay
Message
Corruption
Time expectation
via a timestamp
X
X
X
X
X
X
X
Errors
MeasuresID for send and
receiveSafety CRC Redundancy
Diverse
Measures
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 12
Time Expectation via a Timestamp• A simple watchdog timer cannot detect the age of data
– Watchdog timer detects if a individual message was not received within an interval
– A watchdog timer cannot detect queue delays or gradual shifts of time
• Solution: timestamp on every message
• Producer and Consumer clocks run at 128μsec rate, ±0.02%
– Skew/drift still happens…
• Time coordination is achieved via ping request/response message transaction sequence (Ping Interval)
– Single-cast producers produce time-stamped data relative to consumer’s clock
– A multi-cast producer stamps data with its own clock but provides a time correction
offset to each consumer once per ping interval
• Ref: Vol 5 2-1.8.1
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 13
Single-Cast Ping
Safety Message (Data, Mode, Ping=3, Timestamp =1, CRC-Sx)
Producer Consumer
Pro
ducer
Pin
g Inte
rval
EP
IE
PI
EP
IE
PI
EP
IE
PI
Pro
ducer
Pin
g In
terv
al
Time Coordination Msg (Consumer_Time_Value,Ping = 3,Con_Status, CRC)
Safety Message
Safety Message
Safety Message (Data, Mode, Ping=0, Timestamp = 2 1, CRC-Sx)
Time Coordination Msg (Consumer_Time_Value,Ping = 0,Con_Status, CRC)Safety
Message
Safety Message
Ping
Response
Node 1
Ping
Response
Node 2
Ping
Request
Ping
Success,
New Ping
Request
Ping
RequestPing
Response
Ping
Response
Ping Success
New Ping
Request
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 14
Timestamp Single-Cast (1)
8990919293949596979899100101102103104105106107108
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Producer
Count
Consumer
Count
Timestamp = 87+9=96
Timestamp =
87+16=103
Max. age = 100-96 =4
Max. age = 108-103
=5
New Ping count
Offset = 92-5=87
New Offset
Age limit = 20
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 15
Timestamp Single-Cast (2)
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
109110111112113114115116117118119120121122123124125126127128129130131
Producer
Count
Consumer
CountOffset = 87
Timestamp = 87+18=105
Timestamp = 87+22=109
Timestamp = 87+26=113
Timestamp = 87+30=117
Timestamp = 87+34=121
Max. age = 110-105 =5
Max. age = 130-121 =9
Max. age = 115-109 =6
Max. age = 120-113 =7
Max. age = 125-117 =8
Age limit = 20
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 16
Timestamp Single-Cast (3)
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
132133134135136137138139140141142143144145146147148149150151152153
Producer
CountConsumer
Count
Offset = 87
Timestamp =
87+36=123
Timestamp =
87+40=127
Max. age = 133-123
=10
Max. age = 151-146 =6
Timestamp =
87+=13144
Timestamp =
94+49=143
Timestamp =
94+52=146
Max. age = 138-128
=10
Max. age = 148-143 =5
Max. age = 142-131
=11
New Ping count
Offset = 141-47=94
New Offset
Age limit = 20
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 17
Multi-Cast
Ping
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 18
Timestamp Multi-Cast
0123456789
1011121314151617
8990919293949596979899
100101102103104105106107108
Producer
CountConsumer
Count
Time Correction Value = 92-5=87
Timestamp = 87+9=96
Timestamp =
87+16=103
Max. age = 100-96=4
Max. age = 108-103 =5
New Ping count
New Time Correction Value
Age limit = 20
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 19
Error Detection Measures
Coupling of safety &
safety data Coupling of safety &
standard data Increased age of data
in bridge or router
Message
RepetitionMessage
LossMessage
InsertionIncorrect
Sequence
Message
Delay
Message
Corruption
Time expectation
via a timestamp
ID for send and
receive
X
X
X X
X
X
X
X X
X
Errors
Measures
Safety CRC RedundancyDiverse
Measures
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 20
Producer/Consumer Identifier– All transmitted messages include a PID/CID which is derived from:
• Device Serial Number
• Vendor ID
• CIP connection number
– PID/CID exchanged during Forward Open request/response
– Used to seed CRCs
• “Implicit” data
– Ref: Vol 5 2-6.7 PID/CID Usage and Establishment
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 21
Error Detection Measures
Coupling of safety &
safety data Coupling of safety &
standard data Increased age of data
in bridge or router
Message
RepetitionMessage
LossMessage
InsertionIncorrect
Sequence
Message
Delay
Message
Corruption
Time expectation
via a timestamp
X
X
X
X
X
X
X
ID for send and
receive
X
X
X
Errors
Measures
RedundancyDiverse
MeasuresSafety CRC
X
X
X
X
X
X
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 22
Cyclic Redundancy Code• All safety messages are transmitted with a safety CRC
– The size of the CRC is dependent on the size of the message being transmitted
– Base Format
• 2 bytes or less: 8 bit CRC
• 3-250 bytes: 16 bit CRC
– Extended Format
• 2 bytes or less: 24 bit CRC
• 3-250 bytes: 16 and 24 bit CRCs
• Safety CRC is an end to end protection measure
– Independent of link CRCs
• Each safety CRC provides a Hamming distance of 4
– 4 Individual errors must occur before an error would be undetected
– Burst error coverage is greater
• Ref: Vol 5 2-1.7.2, Appendix E
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 23
Error Detection Measures
Coupling of safety &
safety data Coupling of safety &
standard data Increased age of data
in bridge or router
Message
RepetitionMessage
LossMessage
InsertionIncorrect
Sequence
Message
Delay
Message
Corruption
Time expectation
via a timestampRedundancy
X
X
X
X
X
X
X X
X
ID for send
and receive
X
X
X
Safety CRC
X
X
X
X
X
X
Errors
MeasuresDiverse
Measures
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 24
Redundancy and Crosscheck• All data packets contain redundant CRCs
– CRC of safety data
– CRC of the inverted safety data
• Long data packets contain a redundant copy of inverted data
– Two channel architecture can exploit this
• Ref: Vol 5 2-1.3.3, 2-2.3
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 25
Error Detection Measures
Coupling of safety &
safety data Coupling of safety &
standard data Increased age of data
in bridge or router
Message
RepetitionMessage
LossMessage
InsertionIncorrect
Sequence
Message
Delay
Message
Corruption
Time expectation
via a timestampRedundancy
Diverse
Measures
X
X
X
X
X
X
X X X
X
ID for send and
receive
X
X
X
Errors
Measures
X
Safety CRC
X
X
X
X
X
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 26
CIP Safety: Builds on Standard CIP Services
IEE
E
802.3
IET
F
TC
P/IP
Suite
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 27
CIP Safety I/O Connections
David Crane
ODVA
Safety Connection Roles and Behaviors• Originator/Target
– Establishment (Safety/Forward Open service)
• Producer/Consumer
– Extension of Link level behavior
– Refers to application data
• Client/Server
– Safety Validator instance roles
• Single/Multi-Cast
– One or many consumers
– Up to 15 devices listening to the same safety production
– Equivalent to unicast, point-to-point, multipoint, etc.
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 29
Safety Connection Data Formats• Base/Extended Format
– Time Coordination
– CRC width
– Fault count
• Short/Long (Small/Large) Application Data Size
– Small: 2 bytes or less
– Large: 3 bytes or more
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 30
Originator/Target• Safety Connection Establishment
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 31
Producer/Consumer : Client/Server• Safety I/O Logical Structures
– Producer (Safety Validator Client)
• Data Message (time stamped1)
– Consumer (Safety Validator Server)
• Time Coordination Message
1single-cast and multi-cast differ in how time stamps are managed; single-cast shown here
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 32
Target
Data Link
Originator
Data Link
CIP Safety Protocol Concepts
Safety Validator
Server
Safety
Validator
ClientProducing
Safety
Application
Time Coordination
Safety Message w/ Data,
Time Stamp (Correction)
Safety Validator Client Safety Validator ServerSafety Originator Safety Target
Consuming
Safety
Application
P SPSC C
SP SCCP
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 33
Single-Cast Safety Connections
SVSDNDN
P C
C P
Originator Target
Safety Data +
Time Correction Msg.
Time Coordination Msg.
SVC
SP
SC
SC
SP
Originator is Producer of Safety Data (Example: Outputs)
Producing
Safety
Application
Consuming
Safety
Application
SVSDNDNSVC
P C
C P
Originator Target
Safety Data +
Time Correction Msg.
Time Coordination Msg.SP
SC
SC
SP
Target is Producer of Safety Data (Example: Inputs)
Consuming
Safety
Application
Producing
Safety
Application
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 34
Multi-Cast Safety Connections
Safety
Validator Server
Data LinkData Link
P C
Target Originator0Safety
Validator
SP SCProducing Safety
Application
Consuming
Safety
Application
C P
Data Link
C
P
C
Time Coordination Msg.
OriginatorN
SC
Consuming
Safety
Application
Safety
Validator Server
SC
SP
SP
Safety Data + Timestamp +
Time Correction Msg.
Time Coordination Msg.
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 35
Summary• CIP Safety I/O provides….
– High-integrity, functionally safe application data
– Cross checking and Time Expectation
– End-to-end CRC protection of application data
• Originators and Targets
• Producers and Consumers
• Safety Validator Client/Server
• Base/Extended Format
• Short/Long Application Data
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 36
Message Sections and Formats• CIP Safety defines two message formats
– Base (introduced as version 1.0; DeviceNet)
• RPI <= 100 mSec on EtherNet/IP
– Extended (version 2.0; introduced with EtherNet/IP)
• Extended timestamp to 32-bit
• Allows RPI > 100 mSec on EtherNet/IP
• CIP Safety has 4 message sections
– Data
– Timestamp
• (Base format only; Timestamp included in Data section for Extended format)
– Time Correction
– Time Coordination
• All CIP Safety messages are formed through combinations of these sections
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 37
Safety Messages• Safety sections are appended
to form safety messages
– Single-cast
– Multi-cast
– Multi-cast DeviceNet
• Ref: Vol 5 2-1.7.1
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 38
Message Sections• Base Format, Data Section
– Short 1-2 bytes
– Long 3-250 bytes
Actual Data Mode Byte Actual CRC Comp. CRC
1 - 2 Bytes CRC-S1 CRC-S2
Short Data Section
Actual Data Mode Byte Actual CRC Comp. CRC
3 - 250 Bytes CRC-S3 CRC-S3
Long Data section
Complemented Data
3 - 250 Bytes
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 39
Message Sections• Timestamp Section (Base Format)
– Time stamps mark all safety data production
– Extended Format includes TS in data section
Time Stamp Section
Time Stamp CRC-S1Mode Byte
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 40
Message Sections• Base Format, Time Coordination
CRC-S3Ack
Byte
Consumer Time
Value
Ack
Byte2
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 41
Message Sections• Base Format, Time Correction
– Multi-cast only
CRC-S3MCast
Byte
Time Correction
Value
MCast
Byte2
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 42
Safety Messages• Base Format, Single-cast
Data 0 Data 1CRC-
S2Time_Stamp
CRC-
S1
CRC-
S1
Producer to Consumer
CRC-S3Ack_
Byte
Consumer_Time
_Value
Ack_
Byte_2
Consumer to Producer
Mode
Byte
Data Message
Time Stamp SectionData Section
Time Coordination Message
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 43
Safety Messages• Base Format, Multi-cast
Data 0 Data 1CRC-
S2Time_Stamp
CRC-
S1
CRC-
S1
Mode
Byte
Data Message
Time Stamp SectionShort Data Section
Producer to Consumer
CRC-S3MCast
ByteTime Correction
MCast
Byte_2
Time Correction Section
CRC-S3Ack
Byte
Consumer Time
Value
Ack
Byte2
Consumer to Producer
Time Coordination Message
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 44
Safety Messages• Base Format, Multi-cast, DeviceNet
Data 0 Data 1CRC-
S2Time_Stamp
CRC-
S1
CRC-
S1
Mode
Byte
Data Message
Time Stamp Section1 or 2 byte Data Section
Producer to Consumer
Producer to ConsumerCRC-S3
MCast
ByteTime Correction
MCast
Byte2
Time Correction Message
CRC-S3Ack
Byte
Consumer Time
Value
Ack
Byte2
Consumer to Producer
Time Coordination Message
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 45
Base vs. Extended Format• Base Format limited to 16-bit clock (~8.3s)
• In routing scenarios with Ethernet switches, this time range is inadequate for RPI >100ms
• Extended Format allows larger EPIs by increasing the clock range with a 16-bit Rollover Count.
• Similar to the PID/CID mechanism, the rollover count is used as part of the CRC calculation.
• Extended Format adds Maximum Fault Count to allow connections to tolerate a certain number of failures per hour (e.g., dropped packet, CRC error).
• Base Format connection is faulted on first occurance of any error
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 46
Base vs. Extended CRCs• Data Section:
– CRC-S5 (24 bits) replaces 2 x CRC-S1 (8 bits) and CRC-S2 (8 bits)
– Same CRC covers Data and Timestamp
• Time Correction and Time Coordination
– CRC-S5 (24 bits) replaces CRC-S3 (16 bits)
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 47
Message Sections• Extended Format, Data Section
Short 1-2 bytes
Long 3-250 bytes
Actual Data CRC S5
CRC-S5_1
Short Data Section
CRC-S5_0
Mode Byte CRC S5
Time Stamp CRC-S5_2
Time Stamp
Actual Data Mode Byte Actual CRC .
3 - 250 Bytes CRC-S3
Long Data section
Complemented Data
3 - 250 Bytes
Complemented CRC S5
CRC-S5_1CRC-S5_0
CRC S5
Time Stamp CRC-S5_2
Time Stamp
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 48
Message Sections• Extended Format, Time Coordination
CRC-S3AckByte
Consumer Time Value
CRC-S5_0 CRC-S5_1 CRC-S5_2
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 49
Message Sections• Extended Format, Time Correction
– Multi-cast only
CRC-16MCast Byte
Time Correction Value
CRC-S5_0 CRC-S5_1 CRC-S5_2
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 50
Safety Messages• Extended Format, Single-cast
Producer to Consumer
Consumer to Producer
Data Message
Data and Time Correction Section
Time Coordination Message
1 – 2 Bytes CRC-S5_1CRC-S5_0 Time Stamp CRC-S5_2
CRC - S 3ACK Byte Consumer Time Value
Consumer Time
CRC-S5_0 CRC-S5_1 CRC-S5_2
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 51
EF Multi-Cast Messages
Producer to Consumer
Consumer to Producer
Data Message
Data Section
Time Coordination Message
1 – 2 BytesCRC-
S5_1
CRC-
S5_0Time Stamp
CRC-
S5_2
CRC - S 3ACK Byte Consumer Time Value
Consumer Time
CRC-S5_0 CRC-S5_1 CRC-S5_2
C
R
C
-1
6Mcast
Byte
Time Correction
Value
CRC-
S5_0
CRC-
S5_1CRC-
S5_2
Time Correction SectionTime Stamp
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 52
EF Multi-Cast Messages (DeviceNet)
Producer to Consumer
Consumer to Producer
Data Message
Data and Time stamp Section
Time Coordination Message
1 – 2 BytesCRC-
S5_1
CRC-
S5_0Time Stamp
CRC-
S5_2
CRC - S 3ACK Byte Consumer Time Value
Consumer Time
CRC-S5_0 CRC-S5_1 CRC-S5_2
CRC- 16Mcast
ByteTime Correction Value
CRC-
S5_0
CRC-
S5_1
CRC-
S5_2
Time Correction Section
Producer to Consumer
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 53
Next Session:Session 4 – Implementation, Testing, and Next Steps
Tomorrow, 10:00am – 11:30am US Eastern