profisafe system description v 2010 english

7/24/2019 PROFIsafe System Description v 2010 English

1/26

PROFIsafe System DescriptionTechnology and Application


2/26


3/26IPROFIsafe System Description

Introduction

PROFIBUS and PROFINET are the only industrialcommunication systems providing comprehensivecoverage including both factory and processautomation. Both protocols are specified in thecommunication profile family 3 in the InternationalStandards IEC 61158 and IEC 61784-1/-2.

One of the major events within the lifetime of thePROFIBUS and PROFINET International (PI)community was the first release of a specificationfor safety communication in 1999. It caused a

quantum leap in possibilities in the world of auto-mation.

The name of this technology is PROFIsafeand itslogo is shown below.

Since this event, PROFIsafe has evolved to be-come the leading and most comprehensive safetycommunication technology in the world. PROFI-safe is now progressing toward becoming an In-ternational Standard within IEC 61784-3-3.

It is the objective of this document to provide athorough insight into the PROFIsafe technologyand the related issues without becoming too en-

gulfed in specific details. It is not meant to replacestandards or the official specifications and guide-lines mentioned below. Those are definitive andbinding.

PROFIsafe is approved by both the IFA and TV.

Safety is a sensitive area of automation. Thus, thedissemination, implementation, and deployment of

PROFIsafe technology must be treated seriously.The companies and institutions involved are obli-gated to conduct themselves according to the so-called PROFIsafe Policy.

This short description is to serve as a complementto and a modest summary of the official sources.

The abbreviation "F" in this document stands for"fail-safe", "functional safety", or just "safety re-lated".


4/26II PROFIsafe System Description

Table of Contents

1. SAFETY IN AUTOMATION ...................... 1

1.1. TRENDS ............................................. 1

1.2. PROFIBUS&PROFINETINTERNATIONAL (PI)ACHIEVEMENTS ..... 1

1.3. INTERNATIONAL STANDARDS ................ 2

2. REQUIREMENTS FULLFILLED............... 3

3. BLACK CHANNEL CONSTRAINTS..... 5

3.1. BASIC FEATURES ................................ 53.2. NETWORK COMPONENTS ..................... 53.3. WIRELESS &SECURITY ....................... 53.4. DATA TYPES ....................................... 5

4. PROFISAFE THE SOLUTION ............... 5

4.1. SAFETY MEASURES ............................. 6

4.2. PROFISAFE FORMATS ........................ 64.3. PROFISAFE SERVICES........................ 7

5. HOW TO IMPLEMENT? ........................... 8

5.1. SAFETY CLASSES................................ 85.2. F-DEVICES......................................... 85.3. F-HOST ........................................... 10

6. CONFORMITY & CERTIFICATION........ 10

6.1. THE PROFISAFE TESTS .................... 106.2. SAFETY ASSESSMENT........................ 11

7. PROFISAFE DEPLOYMENT.................. 11

7.1. ELECTRICAL SAFETY.......................... 11

7.2. POWER SUPPLIES ............................. 127.3. INCREASED IMMUNITY ........................ 127.4. HIGH AVAILABILITY ............................ 127.5. INSTALLATION GUIDELINES ................. 127.6. WIRELESS TRANSMISSION.................. 137.7. SECURITY ........................................ 14

7.8. RESPONSE TIME ................................14

8. FOR INTEGRATORS ..............................15

8.1. DIRECTIVES &STANDARDS .................158.2. RISK REDUCTION STRATEGY ...............158.3. APPLICATION OF IEC62061...............158.4. RISK EVALUATION ..............................168.5. SILDETERMINATION ..........................168.6. SAFETY FUNCTION DESIGN..................168.7. ACHIEVED SIL...................................168.8. ELECTROMECHANICS .........................168.9. NON-ELECTRICAL PARTS ....................168.10. VALIDATION ......................................16

9. F-DEVICE FAMILIES...............................16

9.1. REMOTE I/O .....................................169.2. OPTICAL SENSORS.............................169.3. DRIVES.............................................169.4. ROBOTS ...........................................179.5. F-GATEWAYS....................................179.6. PADEVICES .....................................17

10. USER BENEFITS .................................... 18

10.1. INTEGRATORS AND END USERS............1810.2. DEVICE MANUFACTURERS...................1810.3. FOR FUTURE INVESTMENTS.................18

11. PROFIBUS & PROFINETINTERNATIONAL (PI) .............................19

11.1. RESPONSIBILITIES OF PI.....................1911.2. TECHNOLOGICAL DEVELOPMENT .........1911.3. TECHNICAL SUPPORT .........................1911.4. CERTIFICATION..................................1911.5. TRAINING..........................................1911.6. INTERNET .........................................19


5/261PROFIsafe System Description

1. Safety in automation

Any active industrial process is more or less as-sociated with the risk

of injuring or killing people,

of destroying nature of damaging investments.

With most processes it is quite easy to avoid riskwithout special requirements imposed on automa-tion systems. However, there are typical applica-tions associated with high risk, e.g. presses,saws, tooling machines, robots, conveying andpacking systems, chemical processes, high pres-sure operations, off-shore technology, fire andgas sensing, burners, cable cars, etc. Theseapplications need special care and technology.

Over time the market balances out the reliabilityand availability of standard automation technology

to a certain economic cost level. That means thefailure or error rate of standard automation tech-nology under normal circumstances is justacceptable for normal operations but not sufficientfor the above-mentioned high-risk applications.

The situation may be compared with a public mailsystem. While normal letter delivery is expected tobe as affordable as possible at a certain reliabilitylevel, everybody will use special mail for importantmessages.

1.1. Trends

In the past, micro-controllers, software, personalcomputers and communication networks weredramatically influencing the standard automationtechnologies thus leading to cost reductions,improved flexibility and higher availability. Withrespect to safety, existing standards and regula-tions were prohibiting any use of those technolo-gies. Safety automation had to be "hard-wired"and based on "relay" technology. See Figure 1.

This dichotomy or gap is quite comprehensibledue to the fact that safety relies on trusted tech-

nology or material. Trust, in turn, is based onexperience and experience needs time. But add-ing "classic" safety to modern automation solu-

tions always leads to disappointing situations. Forexample, costs due to additional wiring and engi-neering, less flexibility and availability thanexpected and other disadvantages such as unde-fined stop positions of machines and tediousefforts to resume operation.

This situation has now changed dramatically. Mi-cro-controllers and software have been proven inuse in millions of applications and the precondi-tions for their use in safety applications are givensince the introduction of the international standardIEC 61508.

The error detection mechanisms of many types ofdigital communication systems have been investi-gated and are well understood. Standards likeIEC 62280-1 have been paving the ways.

1.2. PROFIBUS & PROFINET In-ternational (PI) achievements

Thats why PI has developed the PROFIsafetechnology as an additional layer on top of theexisting PROFIBUS and PROFINET protocols. Itreduces the error probability of the data transmis-sion between an F-Host (safety controller) and anF-Device to the level required by or better thanthe relevant standards.

PROFIsafe can be realized in software only, mak-ing it easy to implement while covering the entirespectrum of safety applications utilizing PROFI-BUS and PROFINET in process and factoryautomation. It is even approved for wirelesstransmission channels such as WLAN and Blue-

tooth. With the help of certain security provisions,it can be used on open Industrial Ethernet Back-bones.

It covers the need for high availability and lowpower consumption in process automation as wellas the demand for short reaction times within mil-liseconds in factory automation.

Modern F-Devices such as laser scanners ordrives with integrated safety now can flourish asneeded. The handling of their individual safetyparameters (iParameters) is made easy due tosophisticated system support. This system sup-port comprises interfaces for F-Device tools withinengineering frameworks (for example theTool Calling Interface) and iParameter storageand retrieval options (iPar-Server). It is importantto note that the tool interfaces and the iPar-Serverfeature can also be used by any non-safetydevice.

The IEC 61508 standard defines special require-ments such as increased electromagnetic immu-nity without specifying the details. A supplementalguideline "PROFIsafe Environment" fills this gapand others for the development and deploymentof F-Devices and F-Hosts.

There is common agreement within PI that onlyF-Devices and F-Hosts in PROFIBUS and PRO-FINET networks that are certified according IEC

Trusted technologyTrusted technology

Drive Frequencyconverter

andcontrol

Frequencyconverter

andcontrol

PowerSupply

Motor

PROFIBUS/PROFINET

PLC

Circuit breaker"Deenergize to trip" principle I

Figure 1: Classic Safety


6/262 PROFIsafe System Description

61508 are permitted. Conformity with thePROFIsafe protocol shall be tested by PI testlaboratories and certified by PI office. A supple-mental "PROFIsafe Test Specification" documentdefines the roles and tasks of assessment bodiessuch as TV and the roles and tasks of PI testlaboratories.

See www.profisafe.net for actual informationabout PROFIsafe and www.profibus.com for gen-eral PROFIBUS and PROFINET information.

1.3. International standards

In most countries, national laws regulate howpeople and the environment shall be protected. InEurope, the Low Voltage Directive, the EMCDirective, and the Machinery Directive areexamples of such legislation. The laws in turnrefer to International Standards.

In Figure 2 you will find a selection of IEC andISO standards dealing with safety and fieldbusissues and how they are related.

The basic standard for functional safety is the IEC61508 covering the functional safety of electricalequipment and the basic principles and proce-dures. It introduces a quantitative approach forcalculating the residual probability of so-calledsafety functions to fail (Safety Integrity Levels -SIL). It is mainly useful for F-Device and F-Host

developers. The sector standard IEC 62061describes the specific safety aspects for machin-ery applications such as those found in factoryautomation. This standard deals with ready-to-usesystems, subsystems, and elements and how toassess safety functions for certain combinationsof these. ISO 13849-1 is the successor of the

EN 954-1 and has a similar scope. However, itintroduces a slightly different calculation model(Performance Levels - PL) and covers non-electrical devices such as hydraulic valves, etc.For machine safety, the basic terminology andmethodology used are defined in ISO 12100-1.ISO 14121 provides the principles of risk assess-ment. The IEC 60204-1 specifies general re-quirements and recommendations relating to theelectrical equipment of machines. Some of theissues are power supply, protection against elec-trical shock, emergency stops, conductors andcables, etc. Product standards such as IEC61496, IEC 61800-5-2, and IEC 61131-6 for

example, deal with the requirements for individualdevice families.

The annex of the European "Machinery Directive"lists the machines and parts which legally requirecertification by a "Notified Body" (IFA, TV, FM(Factory Mutual), etc.). If there is a harmonizedcorresponding product standard (for example, IEC61496), a declaration by the manufacturer is suffi-cient.

Design of safety-related electrical, electronic and programmableelectronic control systems (SRECS) for machinery

ISO 12100-1 and ISO 14121Safety of machinery Principles for

design and risk assessment

ISO 12100-1 and ISO 14121Safety of machinery Principles for

design and risk assessment

SIL based PL based

Design objective

Applicable standards

IEC 60204-1Safety of electrical

equipment

IEC 60204-1Safety of electrical

equipment

IEC 62061Functional safety

for machinery(SRECS)

(including EMC forindustrial environment)

IEC 62061Functional safety

for machinery(SRECS)

(including EMC forindustrial environment)

ISO 13849-1, -2Safety-related parts

of machinery(SRPCS)

Non-electrical

Electrical

ISO 13849-1, -2Safety-related parts

of machinery(SRPCS)

Non-electrical

Electrical

IEC 61508Functional safety(basic standard)


IEC 61158 series /61784-1, -2

Fieldbus for use inindustrial control systems

IEC 61158 series /61784-1, -2

Fieldbus for use inindustrial control systems

IEC 61784-3-3(PROFIsafe)

Functional safetycommunication

profile 3



profile 3

IEC 61784-4Security

(profile-specific)

IEC 61784-4Security

(profile-specific)

IEC 61784-5Installation guide(profile-specific)


IEC 61918Installation guide(common part)


IEC 61326-3-1EMC andfunctional safety

IEC 61326-3-1EMC andfunctional safety

IEC 62443Security

(common part)

IEC 62443Security

(common part)

US: NFPA 79(2006)

US: NFPA 79(2006)

IEC 61496Safety f. e.g.light curtains


IEC 61800-5-2Safety functions

for drives

IEC 61800-5-2Safety functionsfor drives

Product standards

IEC 61131-6Safety for

PLC

IEC 61131-6Safety forPLC

(yellow) safety-related standards (blue) fieldbus-related standards (dashed yellow) PROFIsafe

Figure 2: International fieldbus and safety standards for factory automation



The requirements for F-Devices and F-Hosts toprovide increased electromagnetic immunity aredefined in IEC 61326-3-1. Special functionalsafety (FS) performance criteria allow for incorrectfunctioning under increased electromagnetic inter-ference conditions above the normally requiredlevels. However, in these cases the equipmentunder test (EUT) at least shall go into a safestate.

The fieldbus standards are specified in IEC 61158and IEC 61784-1. Realtime Ethernet variantssuch as PROFINET IO are defined in IEC 61784-2. Common parts for installation guidelines are

summed up in IEC 61918, whereas profile-specific parts are collected in IEC 61784-5. Com-mon parts for security guidelines are summed upin IEC 62443, whereas profile-specific parts arecollected in IEC 61784-4.

In Figure 3 you will find a similar selection of IECand ISO standards adapted to the requirementsof process automation. Here, the sector standardIEC 61511 is considering the particular situationof long term experience ("proven-in-use") withvery sensitive process instrumentation and aspecified electromagnetic environment in thisarea. Thus, the IEC 61326-3-2 takes these EMC

requirements into account.

2. Requirements fullfilled

From the very beginning, it was the intention ofPROFIsafe to specify a comprehensive and effi-cient solution for both the safety device developerand the end user.

The PROFIsafe protocol is suitable for bothPROFIBUS and PROFINET networks withoutimpacts on these existing fieldbus standards. It ispossible to transmit safety messages on the exist-ing standard bus cables in coexistence with thestandard messages (Figure 4).

IEC 61511b)

Functional safety Safety instrumented

systems for theprocess industry sector

IEC 61511b)





IEC 61158 series /61784-1, -2

Fieldbus for use in

industrial control systems

IEC 61158 series /61784-1, -2

Fieldbus for use in




profile 3



profile 3

IEC 61784-4Security(profile-specific)






IEC 61326-3-2a)

EMC andfunctional safety

IEC 61326-3-2a)


IEC 62443Security(common part)


a) For specified electromagnetic environments; otherwise IEC 61326-3-1 b) EN ratified




for drives


for drives

Product standards


PLC


PLC

See safety standards for machinery

(Figure 2)

Valid also in process industries,

whenever applicable

US:

ISA-84.00.01(3 parts = modified

IEC 61511)

US:


IEC 61511)

DE: VDI 2180Part 1-4


(yellow) safety-related standards (blue) f ieldbus-related standards (dashed yellow) PROFIsafe

IEC 61511b)



IEC 61511b)





IEC 61158 series /61784-1, -2

Fieldbus for use in


IEC 61158 series /61784-1, -2

Fieldbus for use in




profile 3



profile 3







IEC 61326-3-2a)


IEC 61326-3-2a)




a) For specified electromagnetic environments; otherwise IEC 61326-3-1 b) EN ratified




for drives


for drives

Product standards


PLC


PLC

See safety standards for machinery

(Figure 2)

Valid also in process industries,

whenever applicable

US:


IEC 61511)

US:


IEC 61511)



(yellow) safety-related standards (blue) f ieldbus-related standards (dashed yellow) PROFIsafe

Figure 3: International fieldbus and safety standards for process automation

Combinationpossible

StandardCPU

Compact

remote I/O

Limit

switch

Link

Coexistence of standard and safety communication

ConventionalE-Stops

Safety-CPU(F-Host)

F-Modules ina remote I/Odevice

Laser

scanner

Light

curtains Robots Drives

Figure 4: The "Single Channel" approach



This "Single Channel" approach also allows theuse of standard PLCs with integrated but logicallyseparated safety processing. This way mediaredundancy to achieve higher availability could berealized as an option. For those users who favorphysical separation of the standard and safetycommunications, PROFIsafe is not a handicap.However, these users could still benefit from thecommon PROFIsafe technology on the separate

communication networks.The PROFIsafe protocol has not any impact onthe standard bus protocols. On the other hand, itshould be as independent as possible from thebase transmission channels be it copper wires,fiber optics, wireless, or backplanes. Neither thetransmission rates nor the error detection mecha-nisms play a role. For PROFIsafe they are just"Black Channels" (Figure 5).

The PROFIsafe protocol has to free its users fromthe safety assessment of their individual back-plane communications or other transmissionpaths beyond the PROFINET and PROFIBUS

networks. Therefore, it has to secure the whole

path from the location where a safety signal origi-nates (e.g., F-Module in a remote I/O device) tothe location where it is processed (F-Host) andvice versa (Figure 6).

The PROFIsafe protocol can be used for safetyapplications up to SIL3 according to IEC 61508 /IEC 62061, or Category 4 according to EN 954-1,or PL "e" according to ISO 13849-1.

The parameters for the PROFIsafe protocol needto be defined, maintained, and engineered withthe standard means of PROFIBUS or PROFINET,i.e. via GSD. However, the parameters should besecured during storage, interpretation, value as-signment and transfer from the configuration toolto the IO Controller or DP-Master and from thereinto the F-Device. There has to be the same setof PROFIsafe parameters for all F-Devices orF-Modules in a remote I/O device to ensure uni-form handling.

The individual safety parameters of an F-Deviceare technology-specific, e.g., drives with inte-

grated safety, laser scanners, etc. Handling theseparameters with a GSD would entail tremendousefforts and unnecessary dependencies. It there-fore has to be possible for F-Device developers tointegrate their individual configuration, parame-terization and diagnostic tools (CPD tools) viaappropriate interfaces into the engineering toolsof system vendors. This facilitates the navigationand communication to the specific F-Device orF-Module.

For fast F-Device replacement in case of a failure,the system has to support "Save and Restore"functionality for individual safety parameters (iPar-Server) in a uniform way. Usually the F-Host or

the controller that provides the basic bus start-upparameterization has to provide this feature.

Standard

protocol

Standard

application,

e.g. diagnosis

Safetyapplication

PROFIsafe

layer

Black

Channel"

(Industrial Ethernet) PROFINET IO, PROFIBUS-DP, Backplanes

PROFIsafelayer

PROFIsafelayer

Standard

protocol

Standard

application,

e.g. diagnosisSafety

application

Figure 5: The Black Channel principle

IODevice(head

station)

IODevice(head

station)

F

D

I

F

D

I

F

D

O

F

D

O

Remote I/O

E.g. backplane

F-

Host

F-

HostIO

Controller

IOController

F-

Device

F-

Device

Intrinsic

safety:

Ex-i

PROFINET IO

e.g.

ASIsafe

PROFIsafe layer

Other safety layer

PA

Device

PA

Device

PROFIBUS DP

F-Gate-

way

F-

Device

F-

Device

DP-Link

PA-Link

Figure 6: The complete safety communicationpaths



Supplementary documentation define all aspectsof deployment of PROFIsafe devices such asrequirements for

Installation

Electrical safety

Power supplies

Electromagnetic compatibilityData security

Finally strong support for developers of PROFI-safe in F-Devices or F-Modules needs to be avail-able in the form of PROFIsafe development kits,competence centers and test centers.

In its current version, PROFIsafe meets all ofthese requirements. The final concept is stillstraightforward and easy to understand.

Before we learn more about PROFIsafe in detaillet's take a look at some preconditions and con-

straints.

3. Black Channel con-straints

Even though PROFIsafe uses the "Black Chan-nel" principle, there are some basic features ofPROFIBUS and PROFINET that were consideredfor its design.

3.1. Basic features

One such feature is the cyclic communicationbetween a bus controller and its associated fielddevices (send and receive response principle).This polling operation will immediately detect anyfailed device. PROFIsafe adopted this principle.

The other feature is the 1:1 communication rela-tionship between a bus controller and its associ-ated field devices. PROFIsafe also adopts thisprinciple to ensure the authenticity of messages.However, this restricts an F-Module (Subslot)within a modular field device to be accessed byonly one F-Host.

3.2. Network componentsA "Black Channel" may comprise several types oftransparent network components such asswitches, routers, links, and wireless transmissionchannels. For PROFIsafe, minor constraints existin order to meet the SIL3 requirements.

Any kind of switch is permitted but only 100 maybe connected in a row. The F-Address spacewithin a PROFIsafe island must be unique. Con-nected islands with the same F-Address spacemust be separated by multi-port routers. Thereare no known restrictions for links such as fromPROFINET to PROFIBUS and from there to the

intrinsic safety version MBP-IS (Figure 6).

3.3. Wireless & Security

Wireless transmission is permitted as long assufficient availability (no nuisance trips) and secu-rity can be guaranteed.

PROFIsafe specifies certain security requirements

for wireless transmission and for wired networksthat are connected to industrial Ethernet back-bones or the Internet (open networks).

3.4. Data types

Fieldbus communication in general uses manydifferent data types for information transfer (seeliterature box on page 9). In order to reduce com-plexity, PROFIsafe offers a reasonable subset.

4. PROFIsafe the solution

It is the task of safety communication betweentwo partners to deliver

Correct data Arrival at the right destinationJust-in-time updates.

Various errors may occur when messages aretransferred in complex network topologies,whether due to hardware failures, extraordinaryelectromagnetic interference, or other influences.A message can be lost, occur repeatedly, beinserted from somewhere else, appear delayed orin an incorrect sequence, and/or show corrupted

data. In the case of safety communications, theremay also be incorrect addressing: a standardmessage erroneously appears at an F-Device andpretends to be a safety message. Different trans-mission rates may additionally cause bus compo-nent storage effects to occur. Out of the numer-ous remedies known from literature, PROFIsafeconcentrates on those presented in the matrixshown in Figure 7.

Error:

Measure:ConsecutiveNumber(sign of life)

Time-out(with receipt)

Codename(for sender andreceiver)

Data integrity(CRC)

Unintended repetition

Loss

Insertion

Incorrect sequence

Corruption

Unacceptable delay

Adressing

X

XX

X

X

X

X

XX X

Masquerade(standardmessage mimics failsafe) X

Revolving memoryfailures within switches X

X X

Error:

Measure:ConsecutiveNumber(sign of life)

Time-out(with receipt)

Codename(for sender andreceiver)

Data integrity(CRC)

Unintended repetition

Loss

Insertion

Incorrect sequence

Corruption

Unacceptable delay

Adressing

X

XX

X

X

X

X

XX X

Masquerade(standardmessage mimics failsafe) X

Revolving memoryfailures within switches X

X X

Figure 7: Transmission error types and safetyremedies



4.1. Safety measures

These safety measures include:

The consecutive numbering of the PROFIsafemessages ("sign-of-life")

A time expectation with acknowledgement

("watch-dog") A codename between sender and receiver

("F-Address") Data integrity checks (CRC = cyclic redundancy

check)

Using the Consecutive Number, a receiver cansee whether or not it received the messagescompletely and within the correct sequence.When it returns a message with the ConsecutiveNumber only as an acknowledgement to thesender, the sender, too, will be assured. Basi-cally, a simple "toggle bit" would have provensufficient. However, due to the storage buffers in

some bus components, e.g. switches, a 24-bitcounter was selected for PROFIsafe.

In safety technology, it not only matters that amessage transfers the correct process signals orvalues, the updated actual values must arrivewithin a fault tolerance time, thus enabling therespective F-Device to automatically initiate anynecessary safety reactions on site, e.g. stoppageof movement. For this purpose, the F-Devicesutilize a watchdog timer that is restarted whenevera new PROFIsafe message with incrementedConsecutive Number arrives.

The 1:1 relationship between the master and a

slave facilitates the detection of misdirected mes-sage frames. Sender and receiver must simplyhave identification (codename) that is unique inthe network, and can be used for verifying theauthenticity of a PROFIsafe message. PROFIsafeuses an "F-Address" as the sender/receiver-codename.

A cyclic redundancy check (CRC) plays a key rolein detecting corrupted data bits. The necessaryprobabilistic examination makes use of the defini-tions within the IEC 61508 that considers theprobability of dangerous failures of entire safetyfunctions. PROFIsafe follows this approach(Figure 8).

According to these definitions, a safety circuitincludes all sensors, actuators, transfer elements

and logic processes that are involved in a safetyfunction. IEC 61508 defines overall values for theprobability of failures for different safety integritylevels. For SIL3, for example, this is 10 -7/h. Forthe transmission, PROFIsafe is allowed a mere1% contribution, meaning that the permissibleprobability of dangerous failures is 10-9/h. This

permits suitable CRC polynomials to be deter-mined for the intended PROFIsafe messagelengths. The resulting residual error probability ofundetected corrupted PROFIsafe messages at amaximum bit error probability of 10-2 guaranteesthe required order of magnitude. PROFIsafe usesa 24-bit and a 32-bit CRC generator polynomial tocalculate the corresponding 3- or 4-byte signa-tures. The quality of the chosen CRC polynomialsand the special calculation method is such thatPROFIsafe is totally independent of any errordetection mechanisms of the "Black Channel".

4.2. PROFIsafe formats

A PROFIsafe message that is exchanged be-tween F-Host and its F-Device is carried withinthe payload of a standard PROFIBUS or PROFI-NET message. In case of a modular F-Devicewith several F-Modules, the payload consists ofseveral PROFIsafe messages. Figure 9 showsthe format of a PROFIsafe message.

It begins with F-Input or F-Output data using thealready-mentioned subset of data types. Thesedata structures of a particular F-Device usuallyare defined via its associated GSD (General Sta-tion Description) file. Normally, factory automationand process automation place different require-ments upon a safety system. One deals with short("bit") signals that must be processed at a veryhigh speed, the other involves longer ("floatingpoint") process values that may take a little moretime. PROFIsafe therefore offers two differentlengths for data structures. One length is limitedto a maximum of 12 bytes requiring a 3-byte CRCsignature to ensure data integrity. The otherlength is limited to 123 bytes requiring a 4-byteCRC signature. Safety functions and SIL

Following the F-Input or F-Output data is a Con-trol Byte if the message is from the F-Host or aStatus Byte if it is from the F-Device. This infor-mation is needed to synchronize the sender andreceiver of PROFIsafe messages.

The PROFIsafe data ends with a CRC signaturedepending on the length of the F-Input orF-Output data as mentioned above.

Logic operations Actuator Sensor

14 %1 % 1 %

e.g. Safety Integrity Level (SIL) 3 : 10-7 / h(PROFIsafe-Portion: 1% = 10-9 / h)

F-Host

50 %35 %

F-Device F-Device

Figure 8: Safety functions and SIL

F-Input/Output dataStatus /

Control ByteCRC signature

acrossF-I/O data,

F-Parameter,and Consecutive

Number

Maximum of 12 or 123 bytes 1 byte 3 or 4 bytes

F-Input/Output dataStatus /

Control ByteCRC signature

acrossF-I/O data,

F-Parameter,and Consecutive

Number

Maximum of 12 or 123 bytes 1 byte 3 or 4 bytes

Figure 9: PROFIsafe message format



The Consecutive Number is not transmitted withina PROFIsafe message. Both sender and receiveruse their own counters that are synchronized viathe Control Byte and Status Byte. Correct syn-chronization is monitored through the inclusion ofthe counter values into the CRC signature calcu-lation.

The "F-Address" is secured by inclusion in theCRC signature calculation as well.

4.3. PROFIsafe services

Senders and receivers of PROFIsafe messagesare located in layers above the "Black Channel"communication layers (Figure 5). Usually thesePROFIsafe layers are realized in software("drivers"). Their central functionality is a statemachine controlling the regular cyclic processingof PROFIsafe messages and the exceptions suchas start-up, power-on/off, CRC error handling, etc.

Figure 10 hows how the PROFIsafe layers inter-act with the technology part in F-Devices and withthe user program in F-Hosts.

F-Host services

The main services provide exchange of F-Outputand F-Input data. During start-up, or in case oferrors, the actual process values are replaced bydefault fail-safe values. These fail-safe valuesshall be all "0" to force the receiver into a safestate (de-energize).

For F-Devices where de-energize is not the onlypossible safe state but rather low speed instead,PROFIsafe provides additional services via a flagin the Control Byte ("activate_FV"). In return, anF-Device can inform the user program that it hasactivated its safe state via a flag in the StatusByte ("FV_activated").

PROFIsafe communication errors cause theF-Host driver to switch into a safe state. A safetyfunction is usually not allowed to automaticallyswitch from a safe state to normal operation with-out human interaction. To inform the user pro-gram that an operator intervention and acknowl-

edgement is requested, PROFIsafe provides anadditional service ("OA_Req"). PROFIsafe

informs the F-Device about a pending requestsuch that the F-Device can indicate it via a LED(optional). The operator acknowledgement can bepassed over from the user program to the F-Hostdriver via a corresponding service ("OA_C").

The technology-specific parameters of an

F-Device are called iParameters. In case anF-Device needs different iParameters at runtime,another set of services is available. One serviceallows the user program to switch the F-Deviceinto a mode during which it will accept newiParameters ("iPar_EN"). The other indicates tothe user program the readiness to resume normalsafety operation ("iPar_OK").

F-Device services

The PROFIsafe services for F-Device technologyinclude the corresponding exchange of F-Outputand F-Input data, the extra possibility to activateand report fail-safe values, the indicators for the

iParameter handling and for the already-mentioned operator request.

Additionally the F-Device technology is able toreport device faults to the F-Host driver via a flagin the Status Byte ("Device_Fault").

The duration of the demand of an F-Device for asafety reaction shall be long enough to be trans-mitted by the PROFIsafe communication (at leasttwo increments of the Consecutive Number). Aspecial service informs the technology about newConsecutive Numbers in order to facilitate therealization of this requirement.

Diagnostic information from the PROFIsafe layermay be passed over to the technology part via aspecial service.

Last but not least the technology is able to passover the F-Parameters to the PROFIsafe layer.The F-Device received these F-Parameterstogether with all the other parameters duringstartup. What is the purpose of theseF-Parameters?

F-Parameter

The F-Parameters are containing information forthe PROFIsafe layer to adjust its behavior to par-

ticular customer needs and to doublecheck thecorrectness of assignments. The most importantF-Parameters are:

F_S/D_Address (short F-Address) F_WD_Time F_SIL F_iPar_CRC F_Par_CRC

The F_S/D_Address is a unique address forsafety devices within one PROFIsafe island. TheF-Device technology compares this F-Addresswith the locally assigned value of a microswitch orotherwise entered information to ensure the

authenticity of the connection.

F-Host driver instanceF-Host d river instance

State machineState machine

F-Device driverF-Device driver


Input data Status Byte CRC

Output dataControl ByteCRC

PROFIsafemessage

Services Services

F-Device technology(e.g. laser scanner)F-Device technology(e.g. laserscanner)

User application(program logic)

User application(programlogic)

F-Parameter

iParameter

F-Host driver instanceF-Host d river instance


F-Device driverF-Device driver


Input data Status Byte CRC

Output dataControl ByteCRC

PROFIsafemessage

Services Services

F-Device technology(e.g. laser scanner)F-Device technology(e.g. laserscanner)

User application(program logic)

User application(programlogic)

F-Parameter

iParameter

Figure 10: PROFIsafe layer structure in F-Host andF-Device



The F_WD_Time specifies a number of milli-seconds for a watchdog timer. This timer monitorsthe reception of the next valid PROFIsafe mes-sage.

F_SIL indicates the SIL expected by the user forthe particular F_Device. It is compared with the

locally stored manufacturer information.

F_iPar_CRC is a signature across all the iPara-meters within the technology of the F-Device.

Finally, the F_Par_CRC is a signature across allthe F-Parameters which is used to ensure correctdelivery of the F-Parameters.

That's an overview of PROFIsafe and we will nowget into the details. Are you ready? Let's see whatelse PI is offering.

5. How to implement?

First of all, it should be made sure, that all thenecessary and helpful literature for the work thatis available from PI has been obtained (see litera-ture box). Use the denoted or a later version. Aprevious version V1.30 of the PROFIsafe specifi-cation is available for information only and shouldnot be used for new product developments.

Next it is recommended to study at least the basicsafety standard IEC 61508 or get some consul-tancy on what needs to be established in yourdevelopment processes and in your organizationto achieve the necessary safety for your device.

As a general rule, it is not possible to turn a stan-dard device into a safety device just by imple-menting the PROFIsafe protocol. The architectureof the safety technology together with the protocoland the manner in which both are implementeddefine the final SIL of the device.

5.1. Safety classes

Even though PROFIsafe is suitable for safetyfunctions up to SIL3, it may not be necessary todesign and develop the F-Device also for SIL3.The required safety class depends on the finalcustomer application and on how the safety func-

tions are defined. It may be possible through re-dundancy or other measures to achieve highersafety integrity levels with F-Devices of an evenlower safety class.

5.2. F-Devices

You have two choices for the implementation ofthe PROFIsafe driver software. Either use thespecification and do it from scratch or use adevelopment kit available on the market. See theproduct guide on the PI website for further infor-mation. The advantage of using a development kitis obvious: precertified driver software, additionalvaluable information and tools, and technical sup-port.

For the PROFIBUS and PROFINET interface, youcan use any of the available ASICs and layerstacks and adapt the PROFIsafe driver software.

Securing the GSD

For every device on PROFIBUS or PROFINET, aGeneral Station Description (GSD file) is neces-sary. After defining the common part of the GSDfor an F-Device, the coding of the F-Parameters isnecessary. This section of the F-Parameters mustbe protected by a special CRC signature("F_ParamDescCRC") against data corruption onstorage media. A configuration tool can check thedata integrity of the F-Parameter descriptionsection utilizing this special signature, which isalso a part of the GSD file.

Securing configurations

The GSD file also contains descriptions for theF-Input and/or F-Output formats. In order to se-cure this part of the GSD file, another CRC signa-ture ("F_IO_StructureDescCRC") is used.

iParameter

According to the many different safety devicetechnologies there is a huge variety of individualsafety parameters (iParameter).

The amount of iParameters ranges from a fewbytes for an F-Module up to several tens of kbytesfor a laser scanner. For most of the safetydevices, special parameterization and diagnosticsoftware tools (CPD-Tool) already exist: thereforeit did not make sense to handle iParameters viathe GSD.

PROFIsafe therefore recommends using a newmechanism, the so-called Universal-ParameterServer (iPar-Server). It is the responsibility ofF-Host manufacturers to provide this capability,whether it is realized within the non-safety part ofan F-Host as the parameterization master orwithin a controlled subsystem such as a non-safety PLC or an industrial computer on the samenetwork.

Figure 11 demonstrates the principle steps of theiPar-Server mechanism via an example. Togetherwith the network configuration and F-Para-meterization of an F-Device, an associated iPar-Server function is instantiated (1). The F-Device isable to switch into the data exchange mode whileusing a safe state (FV). An associated CPD toolcan be launched via an appropriate interface (2)such as TCI (Tool Calling Interface) or FDT (FieldDevice Tool) from the engineering tool, propagat-ing at least the node address of the configureddevice. Parameterization, commissioning, testing,etc., can be executed with the help of the CPDtool (3). After finalization, the iPar_CRC signatureis calculated and displayed in hexadecimal formfor (at least) copying and pasting of this value intothe "F_iPar_CRC" entry field of the configurationpart of the engineering tool (4). A restart of the

F-Device is necessary to transfer the"F_iPar_CRC" parameter into the F-Device (5).After final verification and release, the F-Device is



enabled to initiate an upload notification (6) to itsiPar-Server instance. It thereby utilizes the stan-dard diagnosis mechanism. The iPar-Server polls

the diagnosis information (e.g. RDIAG FB) to in-terpret the request (R) and to establish the uploadprocess (7), storing the iParameters as instancedata within the iPar-Server host using acyclic ser-vices (Read Record).

After the replacement of a defective F-Device, thenew F-Device receives its F-Parameters, includ-ing the "F_iPar_CRC", at start-up. As iParametersare normally missing in a replacement or a non-retentive F-Device, it recognizes a difference be-tween the "F_iPar_CRC" and its stored iParame-ters and initiates a download notification (6) to itsiPar-Server instance, again using the standarddiagnosis mechanism. The iPar-Server polls the

diagnosis information to interpret the request (R)and to establish the download process (Write Re-cord). Through this transfer the F-Device is en-abled to provide the original functionality withoutfurther engineering or CPD tools.

PROFIdrive

The IEC 61800-5-2 defines some safety featuresfor drives with integrated safety. These featurescomprise a group of stopping functions:

Safe torque off (de-energize) Safe stop 1 Safe stop 2 Safe operating stop

Engineering-Tool

Master or IO controller

F-Host/ PLC Protection

field(instance

data)

CPD-Tool

Comm-FB

iPar-Server

IEC61131-3

7

F-Device

6 Notification

RPolling

RDIAG-FB

RD/WR

Save

1

3

2

"iPar_CRC"

4

Initialization (F_iPar_CRC)

5

Supported by sytem manufacturer

Figure 11: The iPar-Server concept

PROFIsafe Policy V1.5; Order No. 2.282 PROFIsafe Profile for Safety Technology on

PROFIBUS DP and PROFINET IO, V2.5;

Order No. 3.192b PROFIsafe Environmental Requirements,

V2.5; Order No. 2.232 PROFIsafe Test Specification for F-Slaves,

F-Devices, and F-Hosts, V2.1; Order No. 2.242 PROFIsafe for PA-Devices, V1.0; Order No.

3.042 PROFIdrive on PROFIsafe, V1.0; Order No.

3.272 Specification for PROFIBUS Device Descrip-

tion and Device Integration, Volume 1: GSD,V5.04; Order No. 2.122

GSDML Specification for PROFINET IO, V2.2;Order No. 2.352

Profile Guideline, Part 1: Identification & Main-tenance Functions, V1.1; Order No. 3.502

Profile Guideline, Part 2: Data Types, Pro-gramming Languages, and Platforms, V1.0;Order No. 3.512

Profile Guideline, Part 3: Diagnosis, Alarmsand Time Stamping, V1.0; Order No. 3.522

Profile Guideline, Part 4: Universal ParameterServer, V1.0; Order No. 3.532

Communication Function Blocks onPROFIBUS DP and PROFINET IO, V2.0;Order No. 2.182

Rapid way to PROFIBUS DP; Order No. 4.072 Industrial Communications with PROFINET;

Order No. 4.182



And a group of monitoring functions:

Safely limited acceleration Safely limited speed Safely limited torque / force Safely limited (absolute) position Safely limited incrementSafe direction Safely limited motor temperature

Figure 12 illustrates how electromechanics arereplaced by electronic safety stops and monitor-ing functions. One major objective is to mainlymonitor the operations of the drive control and tode-energize in case of failures only. The workinggroup PROFIdrive within PI is specifying parts ofthese functions in a special amendment to theirPROFIdrive specification (see literature box).

PA Devices

F-Devices for process automation follow the sec-tor standard IEC 61511, which takes into accountthe particular aspect of "proven-in-use". Undercertain conditions a PA-Device may achieve abetter SIL if it is proven-in-use. PA Devicesusually follow the design models of IEC 61804.The Electronic Device Description (EDD) plays animportant role here. Therefore, the PI WorkingGroup "PA Devices" also specified, within a sepa-rate amendment to their PA Device specification,how to use the PROFIsafe platform for their

devices and parameterization methodologies (seeliterature box).

I&M functions

Since 2005 the so-called I&M functions are man-datory for all PROFIBUS and PROFINET devicesproviding acyclic services. I&M stands for Identifi-cation and Maintenance and allows retrievinginformation about the device's manufacturer code,its catalog and serial number, and its hardwareand software versions in a standardized manner.Via the manufacturer code and additional informa-tion on the PI website, the user can be directed tothe most current product information on the

manufacturer's website. See the Profile Guideline(literature box).

Diagnosis

One of the major advantages of PROFIBUS andPROFINET is the possibility for devices to reportdiagnosis information to the operator in excep-tional situations such as failures or errors. Gooddiagnosis information helps in reducing down

times of facilities and thus costs. The conceptsnot only cover how to code the information butalso how to provide foreign language support andhow to provide HELP information on what to do ina particular situation. See the corresponding Pro-file Guideline (literature box).

5.3. F-Host

Depending on the strategy of system manufactur-ers, different kinds of architectures for F-Hostswith PROFIsafe communication are possible:stand-alone F-CPUs or integrated but logicallyseparated safety processing within standardCPUs.

Possible structures

Safety processing also can be realized in manydifferent ways: for example via hardware redun-dancy and discrepancy checking or via "softwareredundancy" or via "safeguarding" or by usingalready existing diverse hardware platforms. Dueto the many different possibilities it did not makesense to create development kits, especially sincethe effort to implement the PROFIsafe driver is sominimal.

Conformance classes

In order to ensure that all F-Devices will be sup-ported by all the PROFIsafe F-Hosts on the mar-ket, PROFIsafe specifies conformance classes forF-Hosts. PROFIsafe F-Hosts shall meet therequirements of these conformance classes as aprecondition for PI certification (Figure 13).

6. Conformity & certifica-tion

Several products of different types from variousvendors communicate within a PROFIsafe island.

The products must be implemented conform tothe PROFIsafe specification to ensure that thiscommunication works correctly. Usually the con-formance is documented through a certificatefrom the PI Certification Office based on the testreport of one of the accredited PI test laborato-ries.

6.1. The PROFIsafe tests

The PROFIsafe protocol mechanisms are basedon finite state machines. Thus it was possible viaa validation tool for finite state machines tomathematically prove that PROFIsafe workscorrectly even in cases where more than two in-dependent errors or failures may occur. This sys-tematically was achieved by generating all possi-

DrivecontrolDrive

control Drive

controlDrive

control

MotorMotor

Externalsafety

technology

Externalsafety

technology

Safety

STOP andmonitoringfunctions

Safety


MotorMotor

Externalsafety

technology

Externalsafety

technology

PROFIsafeonPROFINET IO /PROFIBUS DP

"De-energize"From to "Safe Operating STOP"

DrivecontrolDrive

control Drive

controlDrive

control

MotorMotor

Externalsafety

technology

Externalsafety

technology

Safety


Safety


MotorMotor

Externalsafety

technology

Externalsafety

technology

PROFIsafeonPROFINET IO /PROFIBUS DP

"De-energize"From to "Safe Operating STOP"

Figure 12: Drives with integrated safety STOP andmonitoring functions



ble cases for "test-to-pass" and "test-to-fail" situa-tions. They have been extracted as test cases fora fully automated PROFIsafe layer tester, which isused to check the PROFIsafe conformance ofF-Devices and F-Hosts. It is part of a three-step-procedure within the overall safety certificationprocess according IEC 61508 by notified bodies(Figure 13).

6.2. Safety assessment

It is important to note that the PI Test Laborato-ries perform the approved PROFIsafe layer testson behalf of notified bodies such as, for example

TV (worldwide) INRS (France) IFA (Germany)SP (Sweden)SUVA (Switzerland) HSE (United Kingdom) FM, UL (USA)

These are the only ones to be responsible for thesafety assessments according IEC 61508.

The mandatory safety manual of each and everyF-Device shall provide information about the SILCL(claim limit) and the PFHd (probability of danger-ous failure per hour).

PROFIsafe provides a specification for test and

certification. Currently two PI test laboratories areaccredited for the PROFIsafe testing.

7. PROFIsafe deployment

PROFIsafe would not be complete if there wereonly a specification of the safety communicationprotocol. For F-Devices questions would be raisedsuch as:

Do I need to protect my F-Device against veryhigh voltages coming across the PROFIBUS /PROFINET cable from an unknown othersource?

Is it safe to use the same 24V power supplythat I use for the standard devices in my net-work?

How do I test my F-Devices for the "increasedimmunity" that is required by IEC 61508?

What are the installation rules? What are the security requirements?

The guideline "PROFIsafe - EnvironmentalRequirements" answers these and other ques-tions as well.

7.1. Electrical safety

The fieldbus standards IEC 61158 and IEC61784-1, -2 require for all devices within the net-work "to comply with the legal requirements ofthat country where they are deployed (for exam-ple, as indicated by the CE mark). The measuresfor protection against electrical shocks (i.e. elec-trical safety) within industrial applications shall bebased on the IEC 61010 series or IEC 61131-2,

Applicant starts developing an F-Slave, F-Device, or F-Hos tApplicant starts developing an F-S lave, F-Device, or F-Hos t

Applicant applies foran EMC test at

any accredited testlaboratory

Applicant applies foran EMC test at

any accredited testlaboratory

Applicant orders aPROFIBUS Ident_Numberor a PROF INET Vendor_IDfrom PN O and applies for a

PRO FIsafe cert if ication test atany accredited test lab.

Applicant orders aPROFIBUS Ident_Numberor a PROF INET Vendor_IDfrom PN O and applies for a

PRO FIsafe cert if ication test atany accredited test lab.

Applicant applies for asafety assessment by

any "Notif ied Body"(optional for PA-Devices)

Applicant applies for asafety assessment by

any "Notif ied Body"(optional for PA-Devices)

Test of F-Slave, F-Device, orF-Host *)

Test of F-Slave, F-Device, orF-Host *)

NoTest

passed?

Testpassed?

Applicant applies fora cert if icate from PN O

Applicant applies fora cert if icate from P NO

Applicant achievescertificate from"Notif ied B ody"

Applicant achievescertificate from"Notif ied B ody"

Testsuccessfully passed

Assessmentsuccessful

PNOcertificate

Ye s

*) Prove for CRC2 operation DP-V1/PN-IO test PROFIsafe layer test Reference F-Host test

+

+

Immunity (EMC)Immunity (EMC) Conformance (PB/PN)Conformance (PB/PN) Conformance (IEC 61508)Conformance (IEC 61508)

AvailabilityAvailability SafetySafety

CorrectionsCorrections

Figure 13: Test and certification procedures



clause 10 depending on device type specifiedtherein". These measures are called PELV (Pro-tected Extra Low Voltage) and limit the permittedvoltages in case of one failure to ranges that arenot dangerous for humans.

Due to this normally legal requirement, it is possi-

ble to limit the protection effort within an F-Deviceor an F-Host.

7.2. Power supplies

It is possible to use the same 24V power suppliesfor standard and F-Devices / F-Hosts. In bothcases the power supplies shall provide PELV dueto legal requirements.

7.3. Increased immunity

For each safety application, the correspondingSRS (Safety Requirements Specification) shall

define electromagnetic immunity limits (seeIEC 61000-1-1) which are required to achieveelectromagnetic compatibility. These limits shouldbe derived taking into account both the electro-magnetic phenomena (see IEC 61000-2-5) andthe required safety integrity levels.

For general industrial applications the IEC 61326-3-1 defines immunity requirements for equipmentperforming or intended to perform safety relatedfunctions.

Product standards such as IEC 61496-1 (e.g.laser scanners) may define increased immunityrequirements for some phenomena.

The environmental conditions within the processindustries can be different from those of generalindustrial environments. Thus the specificrequirements and performance criteria describedin IEC 61326-3-2 can be used for PA Devices.

For PROFIsafe a particular EMC test bed isdefined.

7.4. High availability

The objective of safety is to maintain safety func-tions in order to prevent personnel from beinginjured, e.g., by de-energizing hazardous ele-ments. A characteristic measure for a safety func-tion is SIL (Safety Integrity Level). It describes the

safety function's probability of a dangerous failureper hour, e.g. 10-7/h for SIL3. In contrast, theobjective of high availability (fault tolerance) is tomaintain the automation even in case of failures.A characteristic measure for high availability is theratio of uptime to the total operation time, forexample 99.99%. Redundancy is a means thatcan be used together with others to achieve thisobjective.

PROFIsafe is designed such that it can bedeployed with or without redundancy for fault tol-erance. Figure 14 shows possible combinations.

7.5. Installation guidelinesIt is the goal of PROFIsafe to integrate safetycommunication into the standard PROFIBUS andPROFINET networks with minimal impact on theexisting installation guidelines. In order to achievereliable performance and to fulfill legal require-ments, following the PROFIsafe specificationsand guidelines is highly recommended. Somemajor issues to be considered are mentionedbelow.

Preconditions

All standard and F-Devices on the network shallbe electrically safe as outlined in 7.1.

All F-Devices shall be certified according to IEC61508 and, in case of process automation accord-ing to IEC 61511. They shall be tested andapproved for PROFIsafe conformity by PI TestLaboratories.

Factory and processautomation:

Presses, robots,level switches,shutdown valves,as well as burnercontrol and cable cars

Process automation;Tranportation infra-structure

Chemical or pharma-ceutical productions,refineries, offshore;tunnels

Process automation;Transportation infra-structure

Chemical or pharma-ceutical productions,refineries, offshore;tunnels

Application

- No downtimes at best(fault tolerance)

No downtimes at best(fault tolerance)

HighAvailability

No dangerous failures(required bylaw or insurances)

Redundancy by itselfdoes not providesafety

No dangerous failures(required by law orinsurances)

Safety

PROFIsafe Redundancy PROFIsafe andRedundancy

Figure 14: Safety and High Availability (Fault Tolerance)



All other standard devices within a PROFIsafenetwork shall prove conformity to PROFIBUS orPROFINET via a PI certificate or equivalent evi-dence.

Constraints

For PROFIBUS DP, no spurs or branch lines arepermitted.

For PROFINET IO, the following rules apply

Less than 100 switches in a row Only one F-Host per submodule All network components must be suitable for an

industrial environment (e.g. IEC 61131-2) No single-port routers permitted to separate

PROFIsafe islands (characterized by uniqueF-Addresses)

Cabling

PROFIBUS and PROFINET both specify the use

of shielded cables and double-sided connection ofthe shield with the connector housing for bestelectromagnetic immunity. As a consequenceusually equipotential bonding is usually required.If this is not possible fiber optics may be used.

At their own risk, machine designers may usecables without shielding in case of specified elec-tromagnetic compatibility with minor burst andsurge interferences.

Availability

Even with shielded cables unacceptable signalnoise may be introduced onto the data lines of a

device if, for example, the intermediate DC link ofa frequency inverter is not filtering well enough.Other sources of unacceptable signal quality maybe due to missing terminating resistors and thelike. This is not a safety but an availability issue.Sufficient availability of the control functions is aprecondition of safety. Safety functions on equip-

ment with insufficient availability may cause nuinuisance trips and as a consequence may temptproduction managers to eventually remove thesesafety functions ("Bhopal effect").

PI companies provide many tools, procedures,and checklists to investigate the transmission

quality of networks.

PROFIsafe has been the enabling technology formany safety devices, especially drives with inte-grated safety. Nowadays drives can provide safestates without de-energizing the motor. Forexample the new safety feature "SOS" (safe op-erating stop) holds the motor under closed loopcontrol in a certain position. This new possibilityrequires a paradigm shift for the user. In earliertimes, pushing an emergency stop button causedthe power lines to be physically disconnectedfrom the motor and, therefore, there was no elec-trical danger for a person exchanging the motor.

The new IEC 60204-1 provides concepts on howto protect against electrical shock (emergencyswitch- off) with lockable motor protection circuitbreakers, main circuit breakers and main isolatorswith fuses. Figure 15 demonstrates these con-cepts. It also shows the recommended 5-wirepower line connections (TN-S) with separated Nand PE lines and the shielded cables betweendrives and motors. The IEC 60204-1 is a valuablesource for many other safety issues complement-ing the PROFIsafe technology. The correspond-ing national standard NFPA 79 considers somedeviations for the North American market (Figure3).

7.6. Wireless transmission

More and more applications such as AGV (Auto-mated Guided Vehicles), rotating machines, gan-try robots, and teach panels use wireless trans-mission in PROFIBUS and PROFINET networks.

Main Rack Subrack

M

PowerSupply

PowerSupply 24V

+

-

Remote IORemote IO

Equipotential Bonding

Central

earthground

"Emergency Stop"

1

1 Motor protection circuit breaker, lockable

Main circuit breaker, lockable

Main isolator (with fuses), lockable

2

3

23

L1

L2

L3

N

PE

"Emergency Stop"

FC(Safety)

FC(Safety)

Shielding

Figure 15: Emergency switching off concept (IEC 60204-1)



PI will specify details for WLAN and Bluetooth aswell. PROFIsafe, with its error detection mecha-nism for bit error probabilities up to 10-2 isapproved for both "Black Channels". However, thesecurity issues below must be considered in addi-tion.

7.7. Security

With PROFINET being based on IndustrialEthernet as an open network and in the context ofwireless transmission the issue of security has

been raised.

PI is pushing the concept of building so-calledsecurity zones which can be considered to beclosed networks (Figure 16). The only possibilityto cross open networks such as IndustrialEthernet Backbones from one security zone toanother is via Security Gates.The Security Gatesuse generally accepted mechanisms such asVPN (Virtual Private Network) and Firewalls toprotect themselves from intrusion. PROFIsafenetworks always shall be located inside securityzones and protected by Security Gatesif connec-tions to open networks cannot be avoided, refer to

PROFIsafe Environmental Requirements, V2.5;Order No. 2.232.

For wireless transmission, the IEEE 802.11i stan-dard provides sufficient security measures forPROFIsafe networks. Only the InfrastructureMode is permitted; the Adhoc Mode shall not beused. More details can be found in the PROFIsafespecification.

7.8. Response time

Usually the response times of normal control func-tions are fast enough for safety functions as well.However, some time-critical safety applications

need safety function response times (SFRT) to beconsidered more thoroughly. Presses that are

protected by light curtains are examples. A ma-chine designer wants to know very early at whatminimum distance the light curtain shall bemounted away from the hazardous press. It iscommon agreement that a hand moves at amaximum of 2 m/s. The minimum distance s to beconsidered then is s = 2 m/s x SFRT if theresoltion of the light curtain is high enough to de-tect a single finger (EN 999). Otherwise correctionsummands are needed.

Now what is the mystery behind an SFRT? The

model in Figure 17 is used to explain the defini-tion. The model consists of an input F-Device, aPROFIsafe bus transmission, signal processing inan F-Host, another PROFIsafe bus transmission,and an output F-Device each with its own statisti-cal cycle times. The maximum time for a safetysignal to pass through this chain is called TWCDT(Total Worst Case Delay Time) considering thatall parts require their particular maximum cycletimes. In case of safety the considerations goeven further: The signal could be delayed evenmore if one of the parts just fails at that point intime. Thus, a delta time needs to be added forthat particular part which represents the maximum

difference between its watchdog time and itsworst case delay time (there is no need to con-sider more than one failure at one time). Eventu-ally, TWCDT plus this delta time comprise theSFRT.

Each and every F-Device shall provide informa-tion about its worst case delay time as required inthe PROFIsafe specification in order for the engi-neering tools to estimate the SFRTs.

Industrial Ethernet Backbone

PROFIBUS DP

Security Gate Security Gate

PROFINET IOPROFINET IO

Internet

Production PC

with SecurityVPN

ClientSoftware

Service PC

with SecurityVPN

ClientSoftware

Firewall

PROFIBUS DP

PROFIsafe Island PROFIsafe Island

Security Zone Security ZoneSSSS

Firewall

VPN

VPN

VPN

Internet

VPN

Industrial Ethernet Backbone

PROFIBUS DP

Security Gate Security Gate

PROFINET IOPROFINET IO

Internet

Production PC

with SecurityVPN

ClientSoftware

Service PC

with SecurityVPN

ClientSoftware

Firewall

PROFIBUS DP

PROFIsafe Island PROFIsafe Island

Security Zone Security ZoneSSSS

Firewall

VPN

VPN

VPN

Internet

VPN

Figure 16: Security concepts for closed and open networks



8. For integrators

So far, we learned a lot about the deployment ofPROFIsafe. But what about safety applicationsand these safety functions?

8.1. Directives & standardsIn many countries, the safety requirements forhazardous machineries are regulated by law.Within the EU this is the Machinery Directive98/37/EC. This directive contains a list ofso-called harmonized standards. For a machinebuilder, there is presumption of conformity to thedirectives if the relevant standards are fulfilled.

Relevant standards in the context of PROFIsafeare, for example, IEC 62061, ISO 13849-1, ISO12100-1, and ISO 14121 (see 1.3 and Figure 3).

8.2. Risk reduction strategy

It is always better to design a machine with inher-ent safety such that it avoids any hazards. In thefirst part the ISO 12100-1 lists all kinds of possiblehazards. In its second part it shows an iterativestrategy on how to reduce the risk of any auto-mated equipment via a risk assessment. This riskassessment consists of a risk analysis and a riskevaluation:

Specify the limits and the intended use of themachine

Identify the hazards and the associated haz-ardous situations during the whole life cycle ofthe machine

Estimate the risk for each identified hazard andhazardous situation

Evaluate the risk and make decisions about theneed for risk reduction

By using the "3-step-method"

inherently safe design measures, safeguarding and possibly complementary pro-

tective measures, information for use about the residual risk,

the designer can eliminate the hazards or reducethe risk associated with the hazards by protectivemeasures.

Safeguarding and complementary protectivemeasures are the building up of safety functionssuch as a light curtain, the associated logic opera-tion, and a circuit breaker to de-energize themotor.

8.3. Application of IEC 62061

Both IEC 62061 and ISO 13849-1 providemethods for dealing with safety functions. WhileIEC 62061 fits well to the PROFIsafe technologyand programmable safety controllers (F-Hosts),the ISO 13849-1 fills the gap for hydraulic, pneu-matic, electric, and mechanical components.

The IEC 62061 requires a safety plan for thewhole life cycle of the machinery covering designstrategies, personnel roles and responsibilites,commissioning, change and maintenance untildismantling.

fixed

Processing duration

defines

minimum

time triggered

scan rate

fixed

Input

delay

Bus

delay

Processing

delay

Bus

delayOutput

delay

Worst Casedelay time (Bus)

Worst Casedelay time (output)

F_WD_Time 1 F_WD_Time 2

Total Worst Case Delay Time = TWCDT

Worst Casedelay time (process.)

Safety Function Response Time (TWCDT + T of the longest "Watchdog Time")

Worst Casedelay time (Input)

Worst Casedelay time (Bus)

Device_WD F-Host_WD Device_WD

longestT_WD

Actuation Safe state

Figure 17: Safety Function Response Time (SFRT)



8.4. Risk evaluation

Both standards offer similar concepts for the riskevaluation of safety functions, based onISO 14121:

Risk = severity of harm and probability of occur-

rence of that harm

The probability of occurrence consists of theexposure of persons, the occurrence, and thepossibility of avoidance.

8.5. SIL determination

Both standards provide calculated characteristics.One is the required SIL and the other the requiredPL (see 1.3). It is possible to transform one intothe other. In the long run it can be expected thatthe difference will disappear for the user when therisk evaluation is performed in engineering toolsvia "questionnaires".

8.6. Safety function design

IEC 62061 defines so-called safety-related controlsystems (SRECS) for safety functions with sub-systems for sensing, processing, and actuation.Subsystems may contain elements (e.g.switches).

The easiest way to design a safety function is touse certified F-Devices (sensors, actuators) and acertified F-Host connected via PROFIsafe.

8.7. Achieved SIL

The F-Devices provide the necessary informationin their safety manual to determine the achievedSIL of a particular safety function. In the first step,the least SILCL (claim limit) of all the safetydevices (F-Devices, F-Host) is selected. Thisdetermines the maximum achievable SIL of theentire safety function. In some cases systemmanufacturers may offer system support toupgrade to a higher SIL via redundancy ofF-Devices and corresponding system software.

In the second step, the PFHd values are addedand the result is checked against the permittedvalue ranges for a particular SIL.

The least SIL value from these two steps deter-mines the achievable SIL.

In the following sections, you will see how youcan combine F-Modules within remote I/O withclassic electromechanical safety devices such asemergency stop buttons, door switches, etc. asshown in Figure 4.

8.8. Electromechanics

IEC 62061 provides four predetermined architec-tures A, B, C, and D for subsystems to connectclassic safety devices. Formulas to calculatefailure probabilities are provided for these circuits.With the help of B10 values for the switches, the

estimated number of switch cycles, the diagnosticcoverage, and a common cause factor, thenecessary probability of dangerous failures canbe calculated with the formulas and added todetermine the overall SIL.

8.9. Non-electrical partsThe ISO 13849-1 defines so-called SRP/CS(Safety-Related Parts of Control Systems) also forhydraulic, pneumatic, electric, and mechaniccomponents. A PL and a PFHd value can bedetermined for such a component with the help ofthis standard and transformed into the SIL deter-mination for the safety function according to IEC62061.

8.10. Validation

IEC 62061 requires a validation plan to be part ofthe overall safety plan. According to this plan the

machinery shall be tested, checked, and docu-mented.

9. F-Device families

PROFIsafe as an enabling technology has beeninitiating new possibilities for standard and safetydevices. This chapter is to provide a brief over-view of some important F-Devices and typicalapplications.

9.1. Remote I/O

Standard remote I/O now are able to incorporatesafety modules without changing the headstations. F-Modules such as digital input/output,analog input/output, power modules, motor start-ers, and frequency converters with integratedsafety are available. The F-Modules can begrouped together and allow shut-down in groups.

Emergency stop buttons need very costly yearlyinspections as each and every button has to betested. The new technology allows for easy col-lection of all actuations over the year. This wayonly the remaining unactuated buttons have to betested, thus saving tremendous costs.

9.2. Optical sensors

Optical safety sensors such as light curtains andlaser scanners are standardized withinIEC 61496. Optical sensors are ideally suited toprotect entry/exit portals in a flexible manner. Theexample in Figure 18 also shows how PROFIsafecomplements the safety features of laser scan-ners and drives with integrated safety. See detailsbelow.

9.3. Drives

The safety features of drives are standardized inIEC 61800-5-2. These safety functions usually rerequire a safe position indicator. The value is



available to the user via PROFIsafe and can re-place physical "end-of-travel"-switches or physical"muting"-sensors. As shown in Figure 18 the mo-tor position affects the protection fields of laserscanners according to the profiles of car bodies at

entry/exit portals of a manufacturing cell.Section 0 lists many more possible safety featureswhich will cause revolutionary applications tooccur in the near future.

9.4. Robots

Safety features for robots can be found inISO 10218. The new safety features for drivesfoster robots to integrate those features and pro-vide new functionality such as "collaborativerobots", where persons work hand-in-hand withrobots.

9.5. F-Gateways

For PROFIsafe an F-Gateway to AS-i Safety-at-work (ASIsafe) exists. This device combines theadvantages of both worlds. While ASIsafe caneasily collect the signals from many emergencystop buttons connected in series, PROFIsafe iseasily able to deal with sophisticated F-Devicessuch as drives with integrated safety.

9.6. PA Devices

It was previously mentioned that safety for proc-ess automation follows its own sector standard

IEC 61511. NAMUR, as standards body for

chemical and pharmaceutial industries publishesthe companion standard NE97 specifying howsafety communication can be used with safetyfield devices. A "proven-in-use" PA Device,equipped with a PROFIBUS MBP-IS interface,accommodates a PROFIsafe driver that can beconfigured "Off" or "On". In one mode it repre-

sents a standard PA Device, in the other mode anF-Device (Figure 19).

NAMUR initiated another companion standard,the VDI 2180, which facilitates the development ofsafety-related PA Devices.

Currently most of the PROFIsafe applications inprocess automation deploy remote I/O withF-Modules for 4-20mA or HART communication.Figure 20 demonstrates the two possibilities forusing PROFIsafe with "proven-in-use"PA Devices. This is a good compromise eventhough it suffers from the lack of the direct field-bus advantages such as wide range measure-ments, parameterization and sophisticated diag-nosis.

Level switches

Level switches for tanks benefit much from thePROFIsafe technology. PROFIBUS PA with itsMBP-IS and RS485-IS explosion-proof transmis-sion technologies fit well into the requirements ofthese F-Devices. PROFIsafe provides the safetytransmission of the shut-down signals while thestandard "black channel" informs the user about

the status of the sensors.ESD valves

Similar improvements can be achieved for ESD(Electronic Shut-Down) valves. The main objec-tive here is to periodically test the valve functionthrough "partial valve strokes" and trend monitor-ing of the end position and of the time elapsed toreach this position. This can be done automati-cally via F-Hosts and allows predictive mainte-nance whenever it is convenient for the user. TheRS485-IS communication together with barriersallows fast shut-down even within an Ex-i envi-ronment.

Entry/exit portalLaserscanner

Skid

Skid position

Motor position scale

Protectionfield (PF0)

PF1 PF2

Profile 1

Profile 2

PF0

Figure 18: Software muting sensors for laser-scanners

Bus interfaceBus interface

Process

control

system

Safetyprogram


PROFIsafe

PROFIsafe

(PROFIsafe"On)

Userprogram


PROFIsafe

(PROFIsafe"Off")

SIL2

Figure 19: PROFIsafe and NE97 for PA-Devices

MBP-IS with

PROFIsafe

PROFIBUS DPwith PROFIsafe

ProcessControlSystem

HART 4-20mA

ProcessControlSystem

Remote I/Owith F-Modules

"Proven-in-use"(SIL2)

Figure 20: Two possibilities for PROFIsafe and PA-Devices



Pressure transmitter

Safe pressure transmitters combine the functionof measuring the tank filling and of protectionagainst overflow ("level switch") via comparisonwith a setpoint value.

Gas and fire sensors

These sensors are in service on unmanned oilplatforms for example. Additional position informa-tion makes it possible to automatically battendown the relevant hatches.

10. User benefits

More than 30 million PROFI-BUS devices havenow been installed. Therefore, the top priority fordevelopment has always been and will continueto be ensuring that the system remains fully com-patible with the devices that are already in thefield.

Thanks to the autonomous functional safetycommunication protocol of PROFIsafe and its"Black Channel" approach, it is even possible tocross-over from PROFINET to PROFIBUS withoutany major difficulties. The identical PROFIsafedriver software can be used in both PROFINETand PROFIBUS devices.

Introduction of PROFIsafe has been causing athree-step quantum leap:

From safety-related relay logic to safeprogrammable logic

From multi-wire to functional safe serialcommunication

From isolated to cooperating safety-relateddevices

The following statements perfectly sum up thebenefits from several points of view.

10.1. Integrators and end users

Same cost savings as with the introduction ofstandard PROFI-BUS: reduced wiring, flexibleconfigurations, parameterization, and diagnosis

Easy and cost-efficient system design with abroad product spectrum from all types of manu-facturers

In general no special installation restrictions

Highly innovative safety applications througheasy communication between sophisticatedF-Devices

High flexibility in the replacement of existingrelay technology as well as expansion and retro-

fit of existing installationsIntegrated technology for both factory and

process automation

Training, documentation, and maintenancerequired for only one bus technology

Programming of standard and safety-relatedapplications with only one tool and certifiedfunction blocks

Easy documentation of safety-related configu-rations and logics

Cost saving system acceptance due to certifieddevices

International acceptance through IEC 61508-conforming technology.

Positive assessments by BGIA and TV

10.2. Device manufacturers

TV-certified software allows for easy imple-mentation and cost-efficient reproduction of aPROFIsafe solution

Different architectures of safety-relatedprogrammable controllers can adopt thePROFIsafe communication

Trailblazer for new innovative device functions

10.3. For future investments

Huge installed base of PROFIBUS and PROFI-NET devices

PROFIBUS/PROFINET organizations and sup-port centers are present worldwide

Use of all existing and future standards definedby PI also for safety-related applications

PROFIsafe is an international standard in IEC61784-3-3

Future software to assist the life-cycle of safetyapplications from design through assessment,validation, and documentation, thus further reducing efforts



11. PROFIBUS & PROFINETInternational (PI)

As far as maintenance, ongoing development,and market penetration are concerned, opentechnologies need a company-independent insti-tution that can serve as a working platform. Asregards the PROFIBUS and PROFINET tech-nologies, this was achieved by founding thePROFIBUS Nutzerorganisation e.V. (PNO) in1989 as a non-profit interest group for manufac-turers, users, and institutions. The PNO is amember of PI (PROFIBUS & PROFINET Interna-tional), an umbrella group which was founded in1995. PI now has 25 regional user organizations(RPA: Regional PI Associations) and approxi-mately 1,400 members, meaning that it is repre-sented on every continent and is the worlds larg-est interest group for the industrial communica-tions field (Figure 21).

11.1. Responsibilities of PI

The key tasks performed by PI are:

Maintenance and further development ofPROFIBUS and PROFINET

Promotion of the worldwide establishment ofPROFIBUS and PROFINET

Protection of the investments of users andmanufacturers through influence on

international standardization Representation of the interests of members to

standards bodies and unions Worldwide technical support for companies

through PI Competence Centers (PICC) Quality control through a system for product

certification at PI Test Laboratories (PITL)based on standard conformity tests

Establishment of a worldwide training standardthrough PI Training Centers (PITC)

11.2. Technological development

PI has handed responsibility for technologicaldevelopment over to PNO Germany. TheAdvisory Board of PNO Germany oversees thedevelopment activities. Technological develop-ment takes place in the context of more than 50

working groups with input from more than 500experts.

11.3. Technical support

PI supports more than 35 accredited PICCsworldwide. These facilities provide users andmanufacturers with all kinds of advice and sup-port. As institutions of PI, they are independentservice providers and adhere to mutually agreedupon regulations. The PICCs are regularlychecked for their suitability as part of an individu-ally tailored accreditation process. Currentaddresses can be found on the PI website.

11.4. Certification

PI supports 9 accredited PITLs worldwide, whichassist in the certification of products with aPROFIBUS/PROFINET interface. As institutionsof PI, they are independent service providers andadhere to mutually agreed upon regulations. Thetesting services provided by the PITLs are regu-larly audited in accordance with a strict accredita-tion process to ensure that they meet the neces-sary quality requirements. Current addresses canbe found on the PI website.

11.5. TrainingThe PITCs have been set up with the specific aimof establishing a global training standard for engi-neers and installation technicians. The fact thatthe Training Centers and the experts that arebased there have to be officially accreditedmeans that quality is assured, not only withrespect to the PROFIBUS and PROFINET train-ing offered but also of the associated engineeringand installation services. Current addresses canbe found on the PI website.

11.6. Internet

Also available on the PI websitewww.profibus.com is actual information about theorganization of PI and the PROFIBUS and PRO-FINET technologies. An online-product guide, aglossary, diverse web-based trainings are to befound there, as well as the download area withspecifications, application profiles, installationguidelines, and other documents.

Regional PI

AssociationsPI Competence

CentersPI Test

Laboratories

PI TrainingCenters

PI (PROFIBUS & PROFINET International)

Technologies

Fieldbus based

Automation

Technology

Ethernet based

Automation

Technology

Proxy Technology

Regional PI


CentersPI Test

Laboratories

PI TrainingCenters


Technologies

Fieldbus based

Automation

Technology

Ethernet based

Automation

Technology

Proxy Technology

Regional PI


CentersPI Test

Laboratories

PI TrainingCenters


Technologies

Fieldbus based

Automation

Technology

Ethernet based

Automation

Technology

Proxy Technology

Figure 21: PROFIBUS & PROFINET International (PI)


24/26


25/26

profisafe system description v 2010 english

Documents