profisafe system description v 2010 english
TRANSCRIPT
-
7/24/2019 PROFIsafe System Description v 2010 English
1/26
PROFIsafe System DescriptionTechnology and Application
-
7/24/2019 PROFIsafe System Description v 2010 English
2/26
-
7/24/2019 PROFIsafe System Description v 2010 English
3/26IPROFIsafe System Description
Introduction
PROFIBUS and PROFINET are the only industrialcommunication systems providing comprehensivecoverage including both factory and processautomation. Both protocols are specified in thecommunication profile family 3 in the InternationalStandards IEC 61158 and IEC 61784-1/-2.
One of the major events within the lifetime of thePROFIBUS and PROFINET International (PI)community was the first release of a specificationfor safety communication in 1999. It caused a
quantum leap in possibilities in the world of auto-mation.
The name of this technology is PROFIsafeand itslogo is shown below.
Since this event, PROFIsafe has evolved to be-come the leading and most comprehensive safetycommunication technology in the world. PROFI-safe is now progressing toward becoming an In-ternational Standard within IEC 61784-3-3.
It is the objective of this document to provide athorough insight into the PROFIsafe technologyand the related issues without becoming too en-
gulfed in specific details. It is not meant to replacestandards or the official specifications and guide-lines mentioned below. Those are definitive andbinding.
PROFIsafe is approved by both the IFA and TV.
Safety is a sensitive area of automation. Thus, thedissemination, implementation, and deployment of
PROFIsafe technology must be treated seriously.The companies and institutions involved are obli-gated to conduct themselves according to the so-called PROFIsafe Policy.
This short description is to serve as a complementto and a modest summary of the official sources.
The abbreviation "F" in this document stands for"fail-safe", "functional safety", or just "safety re-lated".
-
7/24/2019 PROFIsafe System Description v 2010 English
4/26II PROFIsafe System Description
Table of Contents
1. SAFETY IN AUTOMATION ...................... 1
1.1. TRENDS ............................................. 1
1.2. PROFIBUS&PROFINETINTERNATIONAL (PI)ACHIEVEMENTS ..... 1
1.3. INTERNATIONAL STANDARDS ................ 2
2. REQUIREMENTS FULLFILLED............... 3
3. BLACK CHANNEL CONSTRAINTS..... 5
3.1. BASIC FEATURES ................................ 53.2. NETWORK COMPONENTS ..................... 53.3. WIRELESS &SECURITY ....................... 53.4. DATA TYPES ....................................... 5
4. PROFISAFE THE SOLUTION ............... 5
4.1. SAFETY MEASURES ............................. 6
4.2. PROFISAFE FORMATS ........................ 64.3. PROFISAFE SERVICES........................ 7
5. HOW TO IMPLEMENT? ........................... 8
5.1. SAFETY CLASSES................................ 85.2. F-DEVICES......................................... 85.3. F-HOST ........................................... 10
6. CONFORMITY & CERTIFICATION........ 10
6.1. THE PROFISAFE TESTS .................... 106.2. SAFETY ASSESSMENT........................ 11
7. PROFISAFE DEPLOYMENT.................. 11
7.1. ELECTRICAL SAFETY.......................... 11
7.2. POWER SUPPLIES ............................. 127.3. INCREASED IMMUNITY ........................ 127.4. HIGH AVAILABILITY ............................ 127.5. INSTALLATION GUIDELINES ................. 127.6. WIRELESS TRANSMISSION.................. 137.7. SECURITY ........................................ 14
7.8. RESPONSE TIME ................................14
8. FOR INTEGRATORS ..............................15
8.1. DIRECTIVES &STANDARDS .................158.2. RISK REDUCTION STRATEGY ...............158.3. APPLICATION OF IEC62061...............158.4. RISK EVALUATION ..............................168.5. SILDETERMINATION ..........................168.6. SAFETY FUNCTION DESIGN..................168.7. ACHIEVED SIL...................................168.8. ELECTROMECHANICS .........................168.9. NON-ELECTRICAL PARTS ....................168.10. VALIDATION ......................................16
9. F-DEVICE FAMILIES...............................16
9.1. REMOTE I/O .....................................169.2. OPTICAL SENSORS.............................169.3. DRIVES.............................................169.4. ROBOTS ...........................................179.5. F-GATEWAYS....................................179.6. PADEVICES .....................................17
10. USER BENEFITS .................................... 18
10.1. INTEGRATORS AND END USERS............1810.2. DEVICE MANUFACTURERS...................1810.3. FOR FUTURE INVESTMENTS.................18
11. PROFIBUS & PROFINETINTERNATIONAL (PI) .............................19
11.1. RESPONSIBILITIES OF PI.....................1911.2. TECHNOLOGICAL DEVELOPMENT .........1911.3. TECHNICAL SUPPORT .........................1911.4. CERTIFICATION..................................1911.5. TRAINING..........................................1911.6. INTERNET .........................................19
-
7/24/2019 PROFIsafe System Description v 2010 English
5/261PROFIsafe System Description
1. Safety in automation
Any active industrial process is more or less as-sociated with the risk
of injuring or killing people,
of destroying nature of damaging investments.
With most processes it is quite easy to avoid riskwithout special requirements imposed on automa-tion systems. However, there are typical applica-tions associated with high risk, e.g. presses,saws, tooling machines, robots, conveying andpacking systems, chemical processes, high pres-sure operations, off-shore technology, fire andgas sensing, burners, cable cars, etc. Theseapplications need special care and technology.
Over time the market balances out the reliabilityand availability of standard automation technology
to a certain economic cost level. That means thefailure or error rate of standard automation tech-nology under normal circumstances is justacceptable for normal operations but not sufficientfor the above-mentioned high-risk applications.
The situation may be compared with a public mailsystem. While normal letter delivery is expected tobe as affordable as possible at a certain reliabilitylevel, everybody will use special mail for importantmessages.
1.1. Trends
In the past, micro-controllers, software, personalcomputers and communication networks weredramatically influencing the standard automationtechnologies thus leading to cost reductions,improved flexibility and higher availability. Withrespect to safety, existing standards and regula-tions were prohibiting any use of those technolo-gies. Safety automation had to be "hard-wired"and based on "relay" technology. See Figure 1.
This dichotomy or gap is quite comprehensibledue to the fact that safety relies on trusted tech-
nology or material. Trust, in turn, is based onexperience and experience needs time. But add-ing "classic" safety to modern automation solu-
tions always leads to disappointing situations. Forexample, costs due to additional wiring and engi-neering, less flexibility and availability thanexpected and other disadvantages such as unde-fined stop positions of machines and tediousefforts to resume operation.
This situation has now changed dramatically. Mi-cro-controllers and software have been proven inuse in millions of applications and the precondi-tions for their use in safety applications are givensince the introduction of the international standardIEC 61508.
The error detection mechanisms of many types ofdigital communication systems have been investi-gated and are well understood. Standards likeIEC 62280-1 have been paving the ways.
1.2. PROFIBUS & PROFINET In-ternational (PI) achievements
Thats why PI has developed the PROFIsafetechnology as an additional layer on top of theexisting PROFIBUS and PROFINET protocols. Itreduces the error probability of the data transmis-sion between an F-Host (safety controller) and anF-Device to the level required by or better thanthe relevant standards.
PROFIsafe can be realized in software only, mak-ing it easy to implement while covering the entirespectrum of safety applications utilizing PROFI-BUS and PROFINET in process and factoryautomation. It is even approved for wirelesstransmission channels such as WLAN and Blue-
tooth. With the help of certain security provisions,it can be used on open Industrial Ethernet Back-bones.
It covers the need for high availability and lowpower consumption in process automation as wellas the demand for short reaction times within mil-liseconds in factory automation.
Modern F-Devices such as laser scanners ordrives with integrated safety now can flourish asneeded. The handling of their individual safetyparameters (iParameters) is made easy due tosophisticated system support. This system sup-port comprises interfaces for F-Device tools withinengineering frameworks (for example theTool Calling Interface) and iParameter storageand retrieval options (iPar-Server). It is importantto note that the tool interfaces and the iPar-Serverfeature can also be used by any non-safetydevice.
The IEC 61508 standard defines special require-ments such as increased electromagnetic immu-nity without specifying the details. A supplementalguideline "PROFIsafe Environment" fills this gapand others for the development and deploymentof F-Devices and F-Hosts.
There is common agreement within PI that onlyF-Devices and F-Hosts in PROFIBUS and PRO-FINET networks that are certified according IEC
Trusted technologyTrusted technology
Drive Frequencyconverter
andcontrol
Frequencyconverter
andcontrol
PowerSupply
Motor
PROFIBUS/PROFINET
PLC
Circuit breaker"Deenergize to trip" principle I
Figure 1: Classic Safety
-
7/24/2019 PROFIsafe System Description v 2010 English
6/262 PROFIsafe System Description
61508 are permitted. Conformity with thePROFIsafe protocol shall be tested by PI testlaboratories and certified by PI office. A supple-mental "PROFIsafe Test Specification" documentdefines the roles and tasks of assessment bodiessuch as TV and the roles and tasks of PI testlaboratories.
See www.profisafe.net for actual informationabout PROFIsafe and www.profibus.com for gen-eral PROFIBUS and PROFINET information.
1.3. International standards
In most countries, national laws regulate howpeople and the environment shall be protected. InEurope, the Low Voltage Directive, the EMCDirective, and the Machinery Directive areexamples of such legislation. The laws in turnrefer to International Standards.
In Figure 2 you will find a selection of IEC andISO standards dealing with safety and fieldbusissues and how they are related.
The basic standard for functional safety is the IEC61508 covering the functional safety of electricalequipment and the basic principles and proce-dures. It introduces a quantitative approach forcalculating the residual probability of so-calledsafety functions to fail (Safety Integrity Levels -SIL). It is mainly useful for F-Device and F-Host
developers. The sector standard IEC 62061describes the specific safety aspects for machin-ery applications such as those found in factoryautomation. This standard deals with ready-to-usesystems, subsystems, and elements and how toassess safety functions for certain combinationsof these. ISO 13849-1 is the successor of the
EN 954-1 and has a similar scope. However, itintroduces a slightly different calculation model(Performance Levels - PL) and covers non-electrical devices such as hydraulic valves, etc.For machine safety, the basic terminology andmethodology used are defined in ISO 12100-1.ISO 14121 provides the principles of risk assess-ment. The IEC 60204-1 specifies general re-quirements and recommendations relating to theelectrical equipment of machines. Some of theissues are power supply, protection against elec-trical shock, emergency stops, conductors andcables, etc. Product standards such as IEC61496, IEC 61800-5-2, and IEC 61131-6 for
example, deal with the requirements for individualdevice families.
The annex of the European "Machinery Directive"lists the machines and parts which legally requirecertification by a "Notified Body" (IFA, TV, FM(Factory Mutual), etc.). If there is a harmonizedcorresponding product standard (for example, IEC61496), a declaration by the manufacturer is suffi-cient.
Design of safety-related electrical, electronic and programmableelectronic control systems (SRECS) for machinery
ISO 12100-1 and ISO 14121Safety of machinery Principles for
design and risk assessment
ISO 12100-1 and ISO 14121Safety of machinery Principles for
design and risk assessment
SIL based PL based
Design objective
Applicable standards
IEC 60204-1Safety of electrical
equipment
IEC 60204-1Safety of electrical
equipment
IEC 62061Functional safety
for machinery(SRECS)
(including EMC forindustrial environment)
IEC 62061Functional safety
for machinery(SRECS)
(including EMC forindustrial environment)
ISO 13849-1, -2Safety-related parts
of machinery(SRPCS)
Non-electrical
Electrical
ISO 13849-1, -2Safety-related parts
of machinery(SRPCS)
Non-electrical
Electrical
IEC 61508Functional safety(basic standard)
IEC 61508Functional safety(basic standard)
IEC 61158 series /61784-1, -2
Fieldbus for use inindustrial control systems
IEC 61158 series /61784-1, -2
Fieldbus for use inindustrial control systems
IEC 61784-3-3(PROFIsafe)
Functional safetycommunication
profile 3
IEC 61784-3-3(PROFIsafe)
Functional safetycommunication
profile 3
IEC 61784-4Security
(profile-specific)
IEC 61784-4Security
(profile-specific)
IEC 61784-5Installation guide(profile-specific)
IEC 61784-5Installation guide(profile-specific)
IEC 61918Installation guide(common part)
IEC 61918Installation guide(common part)
IEC 61326-3-1EMC andfunctional safety
IEC 61326-3-1EMC andfunctional safety
IEC 62443Security
(common part)
IEC 62443Security
(common part)
US: NFPA 79(2006)
US: NFPA 79(2006)
IEC 61496Safety f. e.g.light curtains
IEC 61496Safety f. e.g.light curtains
IEC 61800-5-2Safety functions
for drives
IEC 61800-5-2Safety functionsfor drives
Product standards
IEC 61131-6Safety for
PLC
IEC 61131-6Safety forPLC
(yellow) safety-related standards (blue) fieldbus-related standards (dashed yellow) PROFIsafe
Figure 2: International fieldbus and safety standards for factory automation
-
7/24/2019 PROFIsafe System Description v 2010 English
7/263PROFIsafe System Description
The requirements for F-Devices and F-Hosts toprovide increased electromagnetic immunity aredefined in IEC 61326-3-1. Special functionalsafety (FS) performance criteria allow for incorrectfunctioning under increased electromagnetic inter-ference conditions above the normally requiredlevels. However, in these cases the equipmentunder test (EUT) at least shall go into a safestate.
The fieldbus standards are specified in IEC 61158and IEC 61784-1. Realtime Ethernet variantssuch as PROFINET IO are defined in IEC 61784-2. Common parts for installation guidelines are
summed up in IEC 61918, whereas profile-specific parts are collected in IEC 61784-5. Com-mon parts for security guidelines are summed upin IEC 62443, whereas profile-specific parts arecollected in IEC 61784-4.
In Figure 3 you will find a similar selection of IECand ISO standards adapted to the requirementsof process automation. Here, the sector standardIEC 61511 is considering the particular situationof long term experience ("proven-in-use") withvery sensitive process instrumentation and aspecified electromagnetic environment in thisarea. Thus, the IEC 61326-3-2 takes these EMC
requirements into account.
2. Requirements fullfilled
From the very beginning, it was the intention ofPROFIsafe to specify a comprehensive and effi-cient solution for both the safety device developerand the end user.
The PROFIsafe protocol is suitable for bothPROFIBUS and PROFINET networks withoutimpacts on these existing fieldbus standards. It ispossible to transmit safety messages on the exist-ing standard bus cables in coexistence with thestandard messages (Figure 4).
IEC 61511b)
Functional safety Safety instrumented
systems for theprocess industry sector
IEC 61511b)
Functional safety Safety instrumented
systems for theprocess industry sector
IEC 61508Functional safety(basic standard)
IEC 61508Functional safety(basic standard)
IEC 61158 series /61784-1, -2
Fieldbus for use in
industrial control systems
IEC 61158 series /61784-1, -2
Fieldbus for use in
industrial control systems
IEC 61784-3-3(PROFIsafe)
Functional safetycommunication
profile 3
IEC 61784-3-3(PROFIsafe)
Functional safetycommunication
profile 3
IEC 61784-4Security(profile-specific)
IEC 61784-4Security(profile-specific)
IEC 61784-5Installation guide(profile-specific)
IEC 61784-5Installation guide(profile-specific)
IEC 61918Installation guide(common part)
IEC 61918Installation guide(common part)
IEC 61326-3-2a)
EMC andfunctional safety
IEC 61326-3-2a)
EMC andfunctional safety
IEC 62443Security(common part)
IEC 62443Security(common part)
a) For specified electromagnetic environments; otherwise IEC 61326-3-1 b) EN ratified
IEC 61496Safety f. e.g.light curtains
IEC 61496Safety f. e.g.light curtains
IEC 61800-5-2Safety functions
for drives
IEC 61800-5-2Safety functions
for drives
Product standards
IEC 61131-6Safety for
PLC
IEC 61131-6Safety for
PLC
See safety standards for machinery
(Figure 2)
Valid also in process industries,
whenever applicable
US:
ISA-84.00.01(3 parts = modified
IEC 61511)
US:
ISA-84.00.01(3 parts = modified
IEC 61511)
DE: VDI 2180Part 1-4
DE: VDI 2180Part 1-4
(yellow) safety-related standards (blue) f ieldbus-related standards (dashed yellow) PROFIsafe
IEC 61511b)
Functional safety Safety instrumented
systems for theprocess industry sector
IEC 61511b)
Functional safety Safety instrumented
systems for theprocess industry sector
IEC 61508Functional safety(basic standard)
IEC 61508Functional safety(basic standard)
IEC 61158 series /61784-1, -2
Fieldbus for use in
industrial control systems
IEC 61158 series /61784-1, -2
Fieldbus for use in
industrial control systems
IEC 61784-3-3(PROFIsafe)
Functional safetycommunication
profile 3
IEC 61784-3-3(PROFIsafe)
Functional safetycommunication
profile 3
IEC 61784-4Security(profile-specific)
IEC 61784-4Security(profile-specific)
IEC 61784-5Installation guide(profile-specific)
IEC 61784-5Installation guide(profile-specific)
IEC 61918Installation guide(common part)
IEC 61918Installation guide(common part)
IEC 61326-3-2a)
EMC andfunctional safety
IEC 61326-3-2a)
EMC andfunctional safety
IEC 62443Security(common part)
IEC 62443Security(common part)
a) For specified electromagnetic environments; otherwise IEC 61326-3-1 b) EN ratified
IEC 61496Safety f. e.g.light curtains
IEC 61496Safety f. e.g.light curtains
IEC 61800-5-2Safety functions
for drives
IEC 61800-5-2Safety functions
for drives
Product standards
IEC 61131-6Safety for
PLC
IEC 61131-6Safety for
PLC
See safety standards for machinery
(Figure 2)
Valid also in process industries,
whenever applicable
US:
ISA-84.00.01(3 parts = modified
IEC 61511)
US:
ISA-84.00.01(3 parts = modified
IEC 61511)
DE: VDI 2180Part 1-4
DE: VDI 2180Part 1-4
(yellow) safety-related standards (blue) f ieldbus-related standards (dashed yellow) PROFIsafe
Figure 3: International fieldbus and safety standards for process automation
Combinationpossible
StandardCPU
Compact
remote I/O
Limit
switch
Link
Coexistence of standard and safety communication
ConventionalE-Stops
Safety-CPU(F-Host)
F-Modules ina remote I/Odevice
Laser
scanner
Light
curtains Robots Drives
Figure 4: The "Single Channel" approach
-
7/24/2019 PROFIsafe System Description v 2010 English
8/264 PROFIsafe System Description
This "Single Channel" approach also allows theuse of standard PLCs with integrated but logicallyseparated safety processing. This way mediaredundancy to achieve higher availability could berealized as an option. For those users who favorphysical separation of the standard and safetycommunications, PROFIsafe is not a handicap.However, these users could still benefit from thecommon PROFIsafe technology on the separate
communication networks.The PROFIsafe protocol has not any impact onthe standard bus protocols. On the other hand, itshould be as independent as possible from thebase transmission channels be it copper wires,fiber optics, wireless, or backplanes. Neither thetransmission rates nor the error detection mecha-nisms play a role. For PROFIsafe they are just"Black Channels" (Figure 5).
The PROFIsafe protocol has to free its users fromthe safety assessment of their individual back-plane communications or other transmissionpaths beyond the PROFINET and PROFIBUS
networks. Therefore, it has to secure the whole
path from the location where a safety signal origi-nates (e.g., F-Module in a remote I/O device) tothe location where it is processed (F-Host) andvice versa (Figure 6).
The PROFIsafe protocol can be used for safetyapplications up to SIL3 according to IEC 61508 /IEC 62061, or Category 4 according to EN 954-1,or PL "e" according to ISO 13849-1.
The parameters for the PROFIsafe protocol needto be defined, maintained, and engineered withthe standard means of PROFIBUS or PROFINET,i.e. via GSD. However, the parameters should besecured during storage, interpretation, value as-signment and transfer from the configuration toolto the IO Controller or DP-Master and from thereinto the F-Device. There has to be the same setof PROFIsafe parameters for all F-Devices orF-Modules in a remote I/O device to ensure uni-form handling.
The individual safety parameters of an F-Deviceare technology-specific, e.g., drives with inte-
grated safety, laser scanners, etc. Handling theseparameters with a GSD would entail tremendousefforts and unnecessary dependencies. It there-fore has to be possible for F-Device developers tointegrate their individual configuration, parame-terization and diagnostic tools (CPD tools) viaappropriate interfaces into the engineering toolsof system vendors. This facilitates the navigationand communication to the specific F-Device orF-Module.
For fast F-Device replacement in case of a failure,the system has to support "Save and Restore"functionality for individual safety parameters (iPar-Server) in a uniform way. Usually the F-Host or
the controller that provides the basic bus start-upparameterization has to provide this feature.
Standard
protocol
Standard
application,
e.g. diagnosis
Safetyapplication
PROFIsafe
layer
Black
Channel"
(Industrial Ethernet) PROFINET IO, PROFIBUS-DP, Backplanes
PROFIsafelayer
PROFIsafelayer
Standard
protocol
Standard
application,
e.g. diagnosisSafety
application
Figure 5: The Black Channel principle
IODevice(head
station)
IODevice(head
station)
F
D
I
F
D
I
F
D
O
F
D
O
Remote I/O
E.g. backplane
F-
Host
F-
HostIO
Controller
IOController
F-
Device
F-
Device
Intrinsic
safety:
Ex-i
PROFINET IO
e.g.
ASIsafe
PROFIsafe layer
Other safety layer
PA
Device
PA
Device
PROFIBUS DP
F-Gate-
way
F-
Device
F-
Device
DP-Link
PA-Link
Figure 6: The complete safety communicationpaths
-
7/24/2019 PROFIsafe System Description v 2010 English
9/265PROFIsafe System Description
Supplementary documentation define all aspectsof deployment of PROFIsafe devices such asrequirements for
Installation
Electrical safety
Power supplies
Electromagnetic compatibilityData security
Finally strong support for developers of PROFI-safe in F-Devices or F-Modules needs to be avail-able in the form of PROFIsafe development kits,competence centers and test centers.
In its current version, PROFIsafe meets all ofthese requirements. The final concept is stillstraightforward and easy to understand.
Before we learn more about PROFIsafe in detaillet's take a look at some preconditions and con-
straints.
3. Black Channel con-straints
Even though PROFIsafe uses the "Black Chan-nel" principle, there are some basic features ofPROFIBUS and PROFINET that were consideredfor its design.
3.1. Basic features
One such feature is the cyclic communicationbetween a bus controller and its associated fielddevices (send and receive response principle).This polling operation will immediately detect anyfailed device. PROFIsafe adopted this principle.
The other feature is the 1:1 communication rela-tionship between a bus controller and its associ-ated field devices. PROFIsafe also adopts thisprinciple to ensure the authenticity of messages.However, this restricts an F-Module (Subslot)within a modular field device to be accessed byonly one F-Host.
3.2. Network componentsA "Black Channel" may comprise several types oftransparent network components such asswitches, routers, links, and wireless transmissionchannels. For PROFIsafe, minor constraints existin order to meet the SIL3 requirements.
Any kind of switch is permitted but only 100 maybe connected in a row. The F-Address spacewithin a PROFIsafe island must be unique. Con-nected islands with the same F-Address spacemust be separated by multi-port routers. Thereare no known restrictions for links such as fromPROFINET to PROFIBUS and from there to the
intrinsic safety version MBP-IS (Figure 6).
3.3. Wireless & Security
Wireless transmission is permitted as long assufficient availability (no nuisance trips) and secu-rity can be guaranteed.
PROFIsafe specifies certain security requirements
for wireless transmission and for wired networksthat are connected to industrial Ethernet back-bones or the Internet (open networks).
3.4. Data types
Fieldbus communication in general uses manydifferent data types for information transfer (seeliterature box on page 9). In order to reduce com-plexity, PROFIsafe offers a reasonable subset.
4. PROFIsafe the solution
It is the task of safety communication betweentwo partners to deliver
Correct data Arrival at the right destinationJust-in-time updates.
Various errors may occur when messages aretransferred in complex network topologies,whether due to hardware failures, extraordinaryelectromagnetic interference, or other influences.A message can be lost, occur repeatedly, beinserted from somewhere else, appear delayed orin an incorrect sequence, and/or show corrupted
data. In the case of safety communications, theremay also be incorrect addressing: a standardmessage erroneously appears at an F-Device andpretends to be a safety message. Different trans-mission rates may additionally cause bus compo-nent storage effects to occur. Out of the numer-ous remedies known from literature, PROFIsafeconcentrates on those presented in the matrixshown in Figure 7.
Error:
Measure:ConsecutiveNumber(sign of life)
Time-out(with receipt)
Codename(for sender andreceiver)
Data integrity(CRC)
Unintended repetition
Loss
Insertion
Incorrect sequence
Corruption
Unacceptable delay
Adressing
X
XX
X
X
X
X
XX X
Masquerade(standardmessage mimics failsafe) X
Revolving memoryfailures within switches X
X X
Error:
Measure:ConsecutiveNumber(sign of life)
Time-out(with receipt)
Codename(for sender andreceiver)
Data integrity(CRC)
Unintended repetition
Loss
Insertion
Incorrect sequence
Corruption
Unacceptable delay
Adressing
X
XX
X
X
X
X
XX X
Masquerade(standardmessage mimics failsafe) X
Revolving memoryfailures within switches X
X X
Figure 7: Transmission error types and safetyremedies
-
7/24/2019 PROFIsafe System Description v 2010 English
10/266 PROFIsafe System Description
4.1. Safety measures
These safety measures include:
The consecutive numbering of the PROFIsafemessages ("sign-of-life")
A time expectation with acknowledgement
("watch-dog") A codename between sender and receiver
("F-Address") Data integrity checks (CRC = cyclic redundancy
check)
Using the Consecutive Number, a receiver cansee whether or not it received the messagescompletely and within the correct sequence.When it returns a message with the ConsecutiveNumber only as an acknowledgement to thesender, the sender, too, will be assured. Basi-cally, a simple "toggle bit" would have provensufficient. However, due to the storage buffers in
some bus components, e.g. switches, a 24-bitcounter was selected for PROFIsafe.
In safety technology, it not only matters that amessage transfers the correct process signals orvalues, the updated actual values must arrivewithin a fault tolerance time, thus enabling therespective F-Device to automatically initiate anynecessary safety reactions on site, e.g. stoppageof movement. For this purpose, the F-Devicesutilize a watchdog timer that is restarted whenevera new PROFIsafe message with incrementedConsecutive Number arrives.
The 1:1 relationship between the master and a
slave facilitates the detection of misdirected mes-sage frames. Sender and receiver must simplyhave identification (codename) that is unique inthe network, and can be used for verifying theauthenticity of a PROFIsafe message. PROFIsafeuses an "F-Address" as the sender/receiver-codename.
A cyclic redundancy check (CRC) plays a key rolein detecting corrupted data bits. The necessaryprobabilistic examination makes use of the defini-tions within the IEC 61508 that considers theprobability of dangerous failures of entire safetyfunctions. PROFIsafe follows this approach(Figure 8).
According to these definitions, a safety circuitincludes all sensors, actuators, transfer elements
and logic processes that are involved in a safetyfunction. IEC 61508 defines overall values for theprobability of failures for different safety integritylevels. For SIL3, for example, this is 10 -7/h. Forthe transmission, PROFIsafe is allowed a mere1% contribution, meaning that the permissibleprobability of dangerous failures is 10-9/h. This
permits suitable CRC polynomials to be deter-mined for the intended PROFIsafe messagelengths. The resulting residual error probability ofundetected corrupted PROFIsafe messages at amaximum bit error probability of 10-2 guaranteesthe required order of magnitude. PROFIsafe usesa 24-bit and a 32-bit CRC generator polynomial tocalculate the corresponding 3- or 4-byte signa-tures. The quality of the chosen CRC polynomialsand the special calculation method is such thatPROFIsafe is totally independent of any errordetection mechanisms of the "Black Channel".
4.2. PROFIsafe formats
A PROFIsafe message that is exchanged be-tween F-Host and its F-Device is carried withinthe payload of a standard PROFIBUS or PROFI-NET message. In case of a modular F-Devicewith several F-Modules, the payload consists ofseveral PROFIsafe messages. Figure 9 showsthe format of a PROFIsafe message.
It begins with F-Input or F-Output data using thealready-mentioned subset of data types. Thesedata structures of a particular F-Device usuallyare defined via its associated GSD (General Sta-tion Description) file. Normally, factory automationand process automation place different require-ments upon a safety system. One deals with short("bit") signals that must be processed at a veryhigh speed, the other involves longer ("floatingpoint") process values that may take a little moretime. PROFIsafe therefore offers two differentlengths for data structures. One length is limitedto a maximum of 12 bytes requiring a 3-byte CRCsignature to ensure data integrity. The otherlength is limited to 123 bytes requiring a 4-byteCRC signature. Safety functions and SIL
Following the F-Input or F-Output data is a Con-trol Byte if the message is from the F-Host or aStatus Byte if it is from the F-Device. This infor-mation is needed to synchronize the sender andreceiver of PROFIsafe messages.
The PROFIsafe data ends with a CRC signaturedepending on the length of the F-Input orF-Output data as mentioned above.
Logic operations Actuator Sensor
14 %1 % 1 %
e.g. Safety Integrity Level (SIL) 3 : 10-7 / h(PROFIsafe-Portion: 1% = 10-9 / h)
F-Host
50 %35 %
F-Device F-Device
Figure 8: Safety functions and SIL
F-Input/Output dataStatus /
Control ByteCRC signature
acrossF-I/O data,
F-Parameter,and Consecutive
Number
Maximum of 12 or 123 bytes 1 byte 3 or 4 bytes
F-Input/Output dataStatus /
Control ByteCRC signature
acrossF-I/O data,
F-Parameter,and Consecutive
Number
Maximum of 12 or 123 bytes 1 byte 3 or 4 bytes
Figure 9: PROFIsafe message format
-
7/24/2019 PROFIsafe System Description v 2010 English
11/267PROFIsafe System Description
The Consecutive Number is not transmitted withina PROFIsafe message. Both sender and receiveruse their own counters that are synchronized viathe Control Byte and Status Byte. Correct syn-chronization is monitored through the inclusion ofthe counter values into the CRC signature calcu-lation.
The "F-Address" is secured by inclusion in theCRC signature calculation as well.
4.3. PROFIsafe services
Senders and receivers of PROFIsafe messagesare located in layers above the "Black Channel"communication layers (Figure 5). Usually thesePROFIsafe layers are realized in software("drivers"). Their central functionality is a statemachine controlling the regular cyclic processingof PROFIsafe messages and the exceptions suchas start-up, power-on/off, CRC error handling, etc.
Figure 10 hows how the PROFIsafe layers inter-act with the technology part in F-Devices and withthe user program in F-Hosts.
F-Host services
The main services provide exchange of F-Outputand F-Input data. During start-up, or in case oferrors, the actual process values are replaced bydefault fail-safe values. These fail-safe valuesshall be all "0" to force the receiver into a safestate (de-energize).
For F-Devices where de-energize is not the onlypossible safe state but rather low speed instead,PROFIsafe provides additional services via a flagin the Control Byte ("activate_FV"). In return, anF-Device can inform the user program that it hasactivated its safe state via a flag in the StatusByte ("FV_activated").
PROFIsafe communication errors cause theF-Host driver to switch into a safe state. A safetyfunction is usually not allowed to automaticallyswitch from a safe state to normal operation with-out human interaction. To inform the user pro-gram that an operator intervention and acknowl-
edgement is requested, PROFIsafe provides anadditional service ("OA_Req"). PROFIsafe
informs the F-Device about a pending requestsuch that the F-Device can indicate it via a LED(optional). The operator acknowledgement can bepassed over from the user program to the F-Hostdriver via a corresponding service ("OA_C").
The technology-specific parameters of an
F-Device are called iParameters. In case anF-Device needs different iParameters at runtime,another set of services is available. One serviceallows the user program to switch the F-Deviceinto a mode during which it will accept newiParameters ("iPar_EN"). The other indicates tothe user program the readiness to resume normalsafety operation ("iPar_OK").
F-Device services
The PROFIsafe services for F-Device technologyinclude the corresponding exchange of F-Outputand F-Input data, the extra possibility to activateand report fail-safe values, the indicators for the
iParameter handling and for the already-mentioned operator request.
Additionally the F-Device technology is able toreport device faults to the F-Host driver via a flagin the Status Byte ("Device_Fault").
The duration of the demand of an F-Device for asafety reaction shall be long enough to be trans-mitted by the PROFIsafe communication (at leasttwo increments of the Consecutive Number). Aspecial service informs the technology about newConsecutive Numbers in order to facilitate therealization of this requirement.
Diagnostic information from the PROFIsafe layermay be passed over to the technology part via aspecial service.
Last but not least the technology is able to passover the F-Parameters to the PROFIsafe layer.The F-Device received these F-Parameterstogether with all the other parameters duringstartup. What is the purpose of theseF-Parameters?
F-Parameter
The F-Parameters are containing information forthe PROFIsafe layer to adjust its behavior to par-
ticular customer needs and to doublecheck thecorrectness of assignments. The most importantF-Parameters are:
F_S/D_Address (short F-Address) F_WD_Time F_SIL F_iPar_CRC F_Par_CRC
The F_S/D_Address is a unique address forsafety devices within one PROFIsafe island. TheF-Device technology compares this F-Addresswith the locally assigned value of a microswitch orotherwise entered information to ensure the
authenticity of the connection.
F-Host driver instanceF-Host d river instance
State machineState machine
F-Device driverF-Device driver
State machineState machine
Input data Status Byte CRC
Output dataControl ByteCRC
PROFIsafemessage
Services Services
F-Device technology(e.g. laser scanner)F-Device technology(e.g. laserscanner)
User application(program logic)
User application(programlogic)
F-Parameter
iParameter
F-Host driver instanceF-Host d river instance
State machineState machine
F-Device driverF-Device driver
State machineState machine
Input data Status Byte CRC
Output dataControl ByteCRC
PROFIsafemessage
Services Services
F-Device technology(e.g. laser scanner)F-Device technology(e.g. laserscanner)
User application(program logic)
User application(programlogic)
F-Parameter
iParameter
Figure 10: PROFIsafe layer structure in F-Host andF-Device
-
7/24/2019 PROFIsafe System Description v 2010 English
12/268 PROFIsafe System Description
The F_WD_Time specifies a number of milli-seconds for a watchdog timer. This timer monitorsthe reception of the next valid PROFIsafe mes-sage.
F_SIL indicates the SIL expected by the user forthe particular F_Device. It is compared with the
locally stored manufacturer information.
F_iPar_CRC is a signature across all the iPara-meters within the technology of the F-Device.
Finally, the F_Par_CRC is a signature across allthe F-Parameters which is used to ensure correctdelivery of the F-Parameters.
That's an overview of PROFIsafe and we will nowget into the details. Are you ready? Let's see whatelse PI is offering.
5. How to implement?
First of all, it should be made sure, that all thenecessary and helpful literature for the work thatis available from PI has been obtained (see litera-ture box). Use the denoted or a later version. Aprevious version V1.30 of the PROFIsafe specifi-cation is available for information only and shouldnot be used for new product developments.
Next it is recommended to study at least the basicsafety standard IEC 61508 or get some consul-tancy on what needs to be established in yourdevelopment processes and in your organizationto achieve the necessary safety for your device.
As a general rule, it is not possible to turn a stan-dard device into a safety device just by imple-menting the PROFIsafe protocol. The architectureof the safety technology together with the protocoland the manner in which both are implementeddefine the final SIL of the device.
5.1. Safety classes
Even though PROFIsafe is suitable for safetyfunctions up to SIL3, it may not be necessary todesign and develop the F-Device also for SIL3.The required safety class depends on the finalcustomer application and on how the safety func-
tions are defined. It may be possible through re-dundancy or other measures to achieve highersafety integrity levels with F-Devices of an evenlower safety class.
5.2. F-Devices
You have two choices for the implementation ofthe PROFIsafe driver software. Either use thespecification and do it from scratch or use adevelopment kit available on the market. See theproduct guide on the PI website for further infor-mation. The advantage of using a development kitis obvious: precertified driver software, additionalvaluable information and tools, and technical sup-port.
For the PROFIBUS and PROFINET interface, youcan use any of the available ASICs and layerstacks and adapt the PROFIsafe driver software.
Securing the GSD
For every device on PROFIBUS or PROFINET, aGeneral Station Description (GSD file) is neces-sary. After defining the common part of the GSDfor an F-Device, the coding of the F-Parameters isnecessary. This section of the F-Parameters mustbe protected by a special CRC signature("F_ParamDescCRC") against data corruption onstorage media. A configuration tool can check thedata integrity of the F-Parameter descriptionsection utilizing this special signature, which isalso a part of the GSD file.
Securing configurations
The GSD file also contains descriptions for theF-Input and/or F-Output formats. In order to se-cure this part of the GSD file, another CRC signa-ture ("F_IO_StructureDescCRC") is used.
iParameter
According to the many different safety devicetechnologies there is a huge variety of individualsafety parameters (iParameter).
The amount of iParameters ranges from a fewbytes for an F-Module up to several tens of kbytesfor a laser scanner. For most of the safetydevices, special parameterization and diagnosticsoftware tools (CPD-Tool) already exist: thereforeit did not make sense to handle iParameters viathe GSD.
PROFIsafe therefore recommends using a newmechanism, the so-called Universal-ParameterServer (iPar-Server). It is the responsibility ofF-Host manufacturers to provide this capability,whether it is realized within the non-safety part ofan F-Host as the parameterization master orwithin a controlled subsystem such as a non-safety PLC or an industrial computer on the samenetwork.
Figure 11 demonstrates the principle steps of theiPar-Server mechanism via an example. Togetherwith the network configuration and F-Para-meterization of an F-Device, an associated iPar-Server function is instantiated (1). The F-Device isable to switch into the data exchange mode whileusing a safe state (FV). An associated CPD toolcan be launched via an appropriate interface (2)such as TCI (Tool Calling Interface) or FDT (FieldDevice Tool) from the engineering tool, propagat-ing at least the node address of the configureddevice. Parameterization, commissioning, testing,etc., can be executed with the help of the CPDtool (3). After finalization, the iPar_CRC signatureis calculated and displayed in hexadecimal formfor (at least) copying and pasting of this value intothe "F_iPar_CRC" entry field of the configurationpart of the engineering tool (4). A restart of the
F-Device is necessary to transfer the"F_iPar_CRC" parameter into the F-Device (5).After final verification and release, the F-Device is
-
7/24/2019 PROFIsafe System Description v 2010 English
13/269PROFIsafe System Description
enabled to initiate an upload notification (6) to itsiPar-Server instance. It thereby utilizes the stan-dard diagnosis mechanism. The iPar-Server polls
the diagnosis information (e.g. RDIAG FB) to in-terpret the request (R) and to establish the uploadprocess (7), storing the iParameters as instancedata within the iPar-Server host using acyclic ser-vices (Read Record).
After the replacement of a defective F-Device, thenew F-Device receives its F-Parameters, includ-ing the "F_iPar_CRC", at start-up. As iParametersare normally missing in a replacement or a non-retentive F-Device, it recognizes a difference be-tween the "F_iPar_CRC" and its stored iParame-ters and initiates a download notification (6) to itsiPar-Server instance, again using the standarddiagnosis mechanism. The iPar-Server polls the
diagnosis information to interpret the request (R)and to establish the download process (Write Re-cord). Through this transfer the F-Device is en-abled to provide the original functionality withoutfurther engineering or CPD tools.
PROFIdrive
The IEC 61800-5-2 defines some safety featuresfor drives with integrated safety. These featurescomprise a group of stopping functions:
Safe torque off (de-energize) Safe stop 1 Safe stop 2 Safe operating stop
Engineering-Tool
Master or IO controller
F-Host/ PLC Protection
field(instance
data)
CPD-Tool
Comm-FB
iPar-Server
IEC61131-3
7
F-Device
6 Notification
RPolling
RDIAG-FB
RD/WR
Save
1
3
2
"iPar_CRC"
4
Initialization (F_iPar_CRC)
5
Supported by sytem manufacturer
Figure 11: The iPar-Server concept
PROFIsafe Policy V1.5; Order No. 2.282 PROFIsafe Profile for Safety Technology on
PROFIBUS DP and PROFINET IO, V2.5;
Order No. 3.192b PROFIsafe Environmental Requirements,
V2.5; Order No. 2.232 PROFIsafe Test Specification for F-Slaves,
F-Devices, and F-Hosts, V2.1; Order No. 2.242 PROFIsafe for PA-Devices, V1.0; Order No.
3.042 PROFIdrive on PROFIsafe, V1.0; Order No.
3.272 Specification for PROFIBUS Device Descrip-
tion and Device Integration, Volume 1: GSD,V5.04; Order No. 2.122
GSDML Specification for PROFINET IO, V2.2;Order No. 2.352
Profile Guideline, Part 1: Identification & Main-tenance Functions, V1.1; Order No. 3.502
Profile Guideline, Part 2: Data Types, Pro-gramming Languages, and Platforms, V1.0;Order No. 3.512
Profile Guideline, Part 3: Diagnosis, Alarmsand Time Stamping, V1.0; Order No. 3.522
Profile Guideline, Part 4: Universal ParameterServer, V1.0; Order No. 3.532
Communication Function Blocks onPROFIBUS DP and PROFINET IO, V2.0;Order No. 2.182
Rapid way to PROFIBUS DP; Order No. 4.072 Industrial Communications with PROFINET;
Order No. 4.182
-
7/24/2019 PROFIsafe System Description v 2010 English
14/2610 PROFIsafe System Description
And a group of monitoring functions:
Safely limited acceleration Safely limited speed Safely limited torque / force Safely limited (absolute) position Safely limited incrementSafe direction Safely limited motor temperature
Figure 12 illustrates how electromechanics arereplaced by electronic safety stops and monitor-ing functions. One major objective is to mainlymonitor the operations of the drive control and tode-energize in case of failures only. The workinggroup PROFIdrive within PI is specifying parts ofthese functions in a special amendment to theirPROFIdrive specification (see literature box).
PA Devices
F-Devices for process automation follow the sec-tor standard IEC 61511, which takes into accountthe particular aspect of "proven-in-use". Undercertain conditions a PA-Device may achieve abetter SIL if it is proven-in-use. PA Devicesusually follow the design models of IEC 61804.The Electronic Device Description (EDD) plays animportant role here. Therefore, the PI WorkingGroup "PA Devices" also specified, within a sepa-rate amendment to their PA Device specification,how to use the PROFIsafe platform for their
devices and parameterization methodologies (seeliterature box).
I&M functions
Since 2005 the so-called I&M functions are man-datory for all PROFIBUS and PROFINET devicesproviding acyclic services. I&M stands for Identifi-cation and Maintenance and allows retrievinginformation about the device's manufacturer code,its catalog and serial number, and its hardwareand software versions in a standardized manner.Via the manufacturer code and additional informa-tion on the PI website, the user can be directed tothe most current product information on the
manufacturer's website. See the Profile Guideline(literature box).
Diagnosis
One of the major advantages of PROFIBUS andPROFINET is the possibility for devices to reportdiagnosis information to the operator in excep-tional situations such as failures or errors. Gooddiagnosis information helps in reducing down
times of facilities and thus costs. The conceptsnot only cover how to code the information butalso how to provide foreign language support andhow to provide HELP information on what to do ina particular situation. See the corresponding Pro-file Guideline (literature box).
5.3. F-Host
Depending on the strategy of system manufactur-ers, different kinds of architectures for F-Hostswith PROFIsafe communication are possible:stand-alone F-CPUs or integrated but logicallyseparated safety processing within standardCPUs.
Possible structures
Safety processing also can be realized in manydifferent ways: for example via hardware redun-dancy and discrepancy checking or via "softwareredundancy" or via "safeguarding" or by usingalready existing diverse hardware platforms. Dueto the many different possibilities it did not makesense to create development kits, especially sincethe effort to implement the PROFIsafe driver is sominimal.
Conformance classes
In order to ensure that all F-Devices will be sup-ported by all the PROFIsafe F-Hosts on the mar-ket, PROFIsafe specifies conformance classes forF-Hosts. PROFIsafe F-Hosts shall meet therequirements of these conformance classes as aprecondition for PI certification (Figure 13).
6. Conformity & certifica-tion
Several products of different types from variousvendors communicate within a PROFIsafe island.
The products must be implemented conform tothe PROFIsafe specification to ensure that thiscommunication works correctly. Usually the con-formance is documented through a certificatefrom the PI Certification Office based on the testreport of one of the accredited PI test laborato-ries.
6.1. The PROFIsafe tests
The PROFIsafe protocol mechanisms are basedon finite state machines. Thus it was possible viaa validation tool for finite state machines tomathematically prove that PROFIsafe workscorrectly even in cases where more than two in-dependent errors or failures may occur. This sys-tematically was achieved by generating all possi-
DrivecontrolDrive
control Drive
controlDrive
control
MotorMotor
Externalsafety
technology
Externalsafety
technology
Safety
STOP andmonitoringfunctions
Safety
STOP andmonitoringfunctions
MotorMotor
Externalsafety
technology
Externalsafety
technology
PROFIsafeonPROFINET IO /PROFIBUS DP
"De-energize"From to "Safe Operating STOP"
DrivecontrolDrive
control Drive
controlDrive
control
MotorMotor
Externalsafety
technology
Externalsafety
technology
Safety
STOP andmonitoringfunctions
Safety
STOP andmonitoringfunctions
MotorMotor
Externalsafety
technology
Externalsafety
technology
PROFIsafeonPROFINET IO /PROFIBUS DP
"De-energize"From to "Safe Operating STOP"
Figure 12: Drives with integrated safety STOP andmonitoring functions
-
7/24/2019 PROFIsafe System Description v 2010 English
15/2611PROFIsafe System Description
ble cases for "test-to-pass" and "test-to-fail" situa-tions. They have been extracted as test cases fora fully automated PROFIsafe layer tester, which isused to check the PROFIsafe conformance ofF-Devices and F-Hosts. It is part of a three-step-procedure within the overall safety certificationprocess according IEC 61508 by notified bodies(Figure 13).
6.2. Safety assessment
It is important to note that the PI Test Laborato-ries perform the approved PROFIsafe layer testson behalf of notified bodies such as, for example
TV (worldwide) INRS (France) IFA (Germany)SP (Sweden)SUVA (Switzerland) HSE (United Kingdom) FM, UL (USA)
These are the only ones to be responsible for thesafety assessments according IEC 61508.
The mandatory safety manual of each and everyF-Device shall provide information about the SILCL(claim limit) and the PFHd (probability of danger-ous failure per hour).
PROFIsafe provides a specification for test and
certification. Currently two PI test laboratories areaccredited for the PROFIsafe testing.
7. PROFIsafe deployment
PROFIsafe would not be complete if there wereonly a specification of the safety communicationprotocol. For F-Devices questions would be raisedsuch as:
Do I need to protect my F-Device against veryhigh voltages coming across the PROFIBUS /PROFINET cable from an unknown othersource?
Is it safe to use the same 24V power supplythat I use for the standard devices in my net-work?
How do I test my F-Devices for the "increasedimmunity" that is required by IEC 61508?
What are the installation rules? What are the security requirements?
The guideline "PROFIsafe - EnvironmentalRequirements" answers these and other ques-tions as well.
7.1. Electrical safety
The fieldbus standards IEC 61158 and IEC61784-1, -2 require for all devices within the net-work "to comply with the legal requirements ofthat country where they are deployed (for exam-ple, as indicated by the CE mark). The measuresfor protection against electrical shocks (i.e. elec-trical safety) within industrial applications shall bebased on the IEC 61010 series or IEC 61131-2,
Applicant starts developing an F-Slave, F-Device, or F-Hos tApplicant starts developing an F-S lave, F-Device, or F-Hos t
Applicant applies foran EMC test at
any accredited testlaboratory
Applicant applies foran EMC test at
any accredited testlaboratory
Applicant orders aPROFIBUS Ident_Numberor a PROF INET Vendor_IDfrom PN O and applies for a
PRO FIsafe cert if ication test atany accredited test lab.
Applicant orders aPROFIBUS Ident_Numberor a PROF INET Vendor_IDfrom PN O and applies for a
PRO FIsafe cert if ication test atany accredited test lab.
Applicant applies for asafety assessment by
any "Notif ied Body"(optional for PA-Devices)
Applicant applies for asafety assessment by
any "Notif ied Body"(optional for PA-Devices)
Test of F-Slave, F-Device, orF-Host *)
Test of F-Slave, F-Device, orF-Host *)
NoTest
passed?
Testpassed?
Applicant applies fora cert if icate from PN O
Applicant applies fora cert if icate from P NO
Applicant achievescertificate from"Notif ied B ody"
Applicant achievescertificate from"Notif ied B ody"
Testsuccessfully passed
Assessmentsuccessful
PNOcertificate
Ye s
*) Prove for CRC2 operation DP-V1/PN-IO test PROFIsafe layer test Reference F-Host test
+
+
Immunity (EMC)Immunity (EMC) Conformance (PB/PN)Conformance (PB/PN) Conformance (IEC 61508)Conformance (IEC 61508)
AvailabilityAvailability SafetySafety
CorrectionsCorrections
Figure 13: Test and certification procedures
-
7/24/2019 PROFIsafe System Description v 2010 English
16/2612 PROFIsafe System Description
clause 10 depending on device type specifiedtherein". These measures are called PELV (Pro-tected Extra Low Voltage) and limit the permittedvoltages in case of one failure to ranges that arenot dangerous for humans.
Due to this normally legal requirement, it is possi-
ble to limit the protection effort within an F-Deviceor an F-Host.
7.2. Power supplies
It is possible to use the same 24V power suppliesfor standard and F-Devices / F-Hosts. In bothcases the power supplies shall provide PELV dueto legal requirements.
7.3. Increased immunity
For each safety application, the correspondingSRS (Safety Requirements Specification) shall
define electromagnetic immunity limits (seeIEC 61000-1-1) which are required to achieveelectromagnetic compatibility. These limits shouldbe derived taking into account both the electro-magnetic phenomena (see IEC 61000-2-5) andthe required safety integrity levels.
For general industrial applications the IEC 61326-3-1 defines immunity requirements for equipmentperforming or intended to perform safety relatedfunctions.
Product standards such as IEC 61496-1 (e.g.laser scanners) may define increased immunityrequirements for some phenomena.
The environmental conditions within the processindustries can be different from those of generalindustrial environments. Thus the specificrequirements and performance criteria describedin IEC 61326-3-2 can be used for PA Devices.
For PROFIsafe a particular EMC test bed isdefined.
7.4. High availability
The objective of safety is to maintain safety func-tions in order to prevent personnel from beinginjured, e.g., by de-energizing hazardous ele-ments. A characteristic measure for a safety func-tion is SIL (Safety Integrity Level). It describes the
safety function's probability of a dangerous failureper hour, e.g. 10-7/h for SIL3. In contrast, theobjective of high availability (fault tolerance) is tomaintain the automation even in case of failures.A characteristic measure for high availability is theratio of uptime to the total operation time, forexample 99.99%. Redundancy is a means thatcan be used together with others to achieve thisobjective.
PROFIsafe is designed such that it can bedeployed with or without redundancy for fault tol-erance. Figure 14 shows possible combinations.
7.5. Installation guidelinesIt is the goal of PROFIsafe to integrate safetycommunication into the standard PROFIBUS andPROFINET networks with minimal impact on theexisting installation guidelines. In order to achievereliable performance and to fulfill legal require-ments, following the PROFIsafe specificationsand guidelines is highly recommended. Somemajor issues to be considered are mentionedbelow.
Preconditions
All standard and F-Devices on the network shallbe electrically safe as outlined in 7.1.
All F-Devices shall be certified according to IEC61508 and, in case of process automation accord-ing to IEC 61511. They shall be tested andapproved for PROFIsafe conformity by PI TestLaboratories.
Factory and processautomation:
Presses, robots,level switches,shutdown valves,as well as burnercontrol and cable cars
Process automation;Tranportation infra-structure
Chemical or pharma-ceutical productions,refineries, offshore;tunnels
Process automation;Transportation infra-structure
Chemical or pharma-ceutical productions,refineries, offshore;tunnels
Application
- No downtimes at best(fault tolerance)
No downtimes at best(fault tolerance)
HighAvailability
No dangerous failures(required bylaw or insurances)
Redundancy by itselfdoes not providesafety
No dangerous failures(required by law orinsurances)
Safety
PROFIsafe Redundancy PROFIsafe andRedundancy
Figure 14: Safety and High Availability (Fault Tolerance)
-
7/24/2019 PROFIsafe System Description v 2010 English
17/2613PROFIsafe System Description
All other standard devices within a PROFIsafenetwork shall prove conformity to PROFIBUS orPROFINET via a PI certificate or equivalent evi-dence.
Constraints
For PROFIBUS DP, no spurs or branch lines arepermitted.
For PROFINET IO, the following rules apply
Less than 100 switches in a row Only one F-Host per submodule All network components must be suitable for an
industrial environment (e.g. IEC 61131-2) No single-port routers permitted to separate
PROFIsafe islands (characterized by uniqueF-Addresses)
Cabling
PROFIBUS and PROFINET both specify the use
of shielded cables and double-sided connection ofthe shield with the connector housing for bestelectromagnetic immunity. As a consequenceusually equipotential bonding is usually required.If this is not possible fiber optics may be used.
At their own risk, machine designers may usecables without shielding in case of specified elec-tromagnetic compatibility with minor burst andsurge interferences.
Availability
Even with shielded cables unacceptable signalnoise may be introduced onto the data lines of a
device if, for example, the intermediate DC link ofa frequency inverter is not filtering well enough.Other sources of unacceptable signal quality maybe due to missing terminating resistors and thelike. This is not a safety but an availability issue.Sufficient availability of the control functions is aprecondition of safety. Safety functions on equip-
ment with insufficient availability may cause nuinuisance trips and as a consequence may temptproduction managers to eventually remove thesesafety functions ("Bhopal effect").
PI companies provide many tools, procedures,and checklists to investigate the transmission
quality of networks.
PROFIsafe has been the enabling technology formany safety devices, especially drives with inte-grated safety. Nowadays drives can provide safestates without de-energizing the motor. Forexample the new safety feature "SOS" (safe op-erating stop) holds the motor under closed loopcontrol in a certain position. This new possibilityrequires a paradigm shift for the user. In earliertimes, pushing an emergency stop button causedthe power lines to be physically disconnectedfrom the motor and, therefore, there was no elec-trical danger for a person exchanging the motor.
The new IEC 60204-1 provides concepts on howto protect against electrical shock (emergencyswitch- off) with lockable motor protection circuitbreakers, main circuit breakers and main isolatorswith fuses. Figure 15 demonstrates these con-cepts. It also shows the recommended 5-wirepower line connections (TN-S) with separated Nand PE lines and the shielded cables betweendrives and motors. The IEC 60204-1 is a valuablesource for many other safety issues complement-ing the PROFIsafe technology. The correspond-ing national standard NFPA 79 considers somedeviations for the North American market (Figure3).
7.6. Wireless transmission
More and more applications such as AGV (Auto-mated Guided Vehicles), rotating machines, gan-try robots, and teach panels use wireless trans-mission in PROFIBUS and PROFINET networks.
Main Rack Subrack
M
PowerSupply
PowerSupply 24V
+
-
Remote IORemote IO
Equipotential Bonding
Central
earthground
"Emergency Stop"
1
1 Motor protection circuit breaker, lockable
Main circuit breaker, lockable
Main isolator (with fuses), lockable
2
3
23
L1
L2
L3
N
PE
"Emergency Stop"
FC(Safety)
FC(Safety)
Shielding
Figure 15: Emergency switching off concept (IEC 60204-1)
-
7/24/2019 PROFIsafe System Description v 2010 English
18/2614 PROFIsafe System Description
PI will specify details for WLAN and Bluetooth aswell. PROFIsafe, with its error detection mecha-nism for bit error probabilities up to 10-2 isapproved for both "Black Channels". However, thesecurity issues below must be considered in addi-tion.
7.7. Security
With PROFINET being based on IndustrialEthernet as an open network and in the context ofwireless transmission the issue of security has
been raised.
PI is pushing the concept of building so-calledsecurity zones which can be considered to beclosed networks (Figure 16). The only possibilityto cross open networks such as IndustrialEthernet Backbones from one security zone toanother is via Security Gates.The Security Gatesuse generally accepted mechanisms such asVPN (Virtual Private Network) and Firewalls toprotect themselves from intrusion. PROFIsafenetworks always shall be located inside securityzones and protected by Security Gatesif connec-tions to open networks cannot be avoided, refer to
PROFIsafe Environmental Requirements, V2.5;Order No. 2.232.
For wireless transmission, the IEEE 802.11i stan-dard provides sufficient security measures forPROFIsafe networks. Only the InfrastructureMode is permitted; the Adhoc Mode shall not beused. More details can be found in the PROFIsafespecification.
7.8. Response time
Usually the response times of normal control func-tions are fast enough for safety functions as well.However, some time-critical safety applications
need safety function response times (SFRT) to beconsidered more thoroughly. Presses that are
protected by light curtains are examples. A ma-chine designer wants to know very early at whatminimum distance the light curtain shall bemounted away from the hazardous press. It iscommon agreement that a hand moves at amaximum of 2 m/s. The minimum distance s to beconsidered then is s = 2 m/s x SFRT if theresoltion of the light curtain is high enough to de-tect a single finger (EN 999). Otherwise correctionsummands are needed.
Now what is the mystery behind an SFRT? The
model in Figure 17 is used to explain the defini-tion. The model consists of an input F-Device, aPROFIsafe bus transmission, signal processing inan F-Host, another PROFIsafe bus transmission,and an output F-Device each with its own statisti-cal cycle times. The maximum time for a safetysignal to pass through this chain is called TWCDT(Total Worst Case Delay Time) considering thatall parts require their particular maximum cycletimes. In case of safety the considerations goeven further: The signal could be delayed evenmore if one of the parts just fails at that point intime. Thus, a delta time needs to be added forthat particular part which represents the maximum
difference between its watchdog time and itsworst case delay time (there is no need to con-sider more than one failure at one time). Eventu-ally, TWCDT plus this delta time comprise theSFRT.
Each and every F-Device shall provide informa-tion about its worst case delay time as required inthe PROFIsafe specification in order for the engi-neering tools to estimate the SFRTs.
Industrial Ethernet Backbone
PROFIBUS DP
Security Gate Security Gate
PROFINET IOPROFINET IO
Internet
Production PC
with SecurityVPN
ClientSoftware
Service PC
with SecurityVPN
ClientSoftware
Firewall
PROFIBUS DP
PROFIsafe Island PROFIsafe Island
Security Zone Security ZoneSSSS
Firewall
VPN
VPN
VPN
Internet
VPN
Industrial Ethernet Backbone
PROFIBUS DP
Security Gate Security Gate
PROFINET IOPROFINET IO
Internet
Production PC
with SecurityVPN
ClientSoftware
Service PC
with SecurityVPN
ClientSoftware
Firewall
PROFIBUS DP
PROFIsafe Island PROFIsafe Island
Security Zone Security ZoneSSSS
Firewall
VPN
VPN
VPN
Internet
VPN
Figure 16: Security concepts for closed and open networks
-
7/24/2019 PROFIsafe System Description v 2010 English
19/2615PROFIsafe System Description
8. For integrators
So far, we learned a lot about the deployment ofPROFIsafe. But what about safety applicationsand these safety functions?
8.1. Directives & standardsIn many countries, the safety requirements forhazardous machineries are regulated by law.Within the EU this is the Machinery Directive98/37/EC. This directive contains a list ofso-called harmonized standards. For a machinebuilder, there is presumption of conformity to thedirectives if the relevant standards are fulfilled.
Relevant standards in the context of PROFIsafeare, for example, IEC 62061, ISO 13849-1, ISO12100-1, and ISO 14121 (see 1.3 and Figure 3).
8.2. Risk reduction strategy
It is always better to design a machine with inher-ent safety such that it avoids any hazards. In thefirst part the ISO 12100-1 lists all kinds of possiblehazards. In its second part it shows an iterativestrategy on how to reduce the risk of any auto-mated equipment via a risk assessment. This riskassessment consists of a risk analysis and a riskevaluation:
Specify the limits and the intended use of themachine
Identify the hazards and the associated haz-ardous situations during the whole life cycle ofthe machine
Estimate the risk for each identified hazard andhazardous situation
Evaluate the risk and make decisions about theneed for risk reduction
By using the "3-step-method"
inherently safe design measures, safeguarding and possibly complementary pro-
tective measures, information for use about the residual risk,
the designer can eliminate the hazards or reducethe risk associated with the hazards by protectivemeasures.
Safeguarding and complementary protectivemeasures are the building up of safety functionssuch as a light curtain, the associated logic opera-tion, and a circuit breaker to de-energize themotor.
8.3. Application of IEC 62061
Both IEC 62061 and ISO 13849-1 providemethods for dealing with safety functions. WhileIEC 62061 fits well to the PROFIsafe technologyand programmable safety controllers (F-Hosts),the ISO 13849-1 fills the gap for hydraulic, pneu-matic, electric, and mechanical components.
The IEC 62061 requires a safety plan for thewhole life cycle of the machinery covering designstrategies, personnel roles and responsibilites,commissioning, change and maintenance untildismantling.
fixed
Processing duration
defines
minimum
time triggered
scan rate
fixed
Input
delay
Bus
delay
Processing
delay
Bus
delayOutput
delay
Worst Casedelay time (Bus)
Worst Casedelay time (output)
F_WD_Time 1 F_WD_Time 2
Total Worst Case Delay Time = TWCDT
Worst Casedelay time (process.)
Safety Function Response Time (TWCDT + T of the longest "Watchdog Time")
Worst Casedelay time (Input)
Worst Casedelay time (Bus)
Device_WD F-Host_WD Device_WD
longestT_WD
Actuation Safe state
Figure 17: Safety Function Response Time (SFRT)
-
7/24/2019 PROFIsafe System Description v 2010 English
20/2616 PROFIsafe System Description
8.4. Risk evaluation
Both standards offer similar concepts for the riskevaluation of safety functions, based onISO 14121:
Risk = severity of harm and probability of occur-
rence of that harm
The probability of occurrence consists of theexposure of persons, the occurrence, and thepossibility of avoidance.
8.5. SIL determination
Both standards provide calculated characteristics.One is the required SIL and the other the requiredPL (see 1.3). It is possible to transform one intothe other. In the long run it can be expected thatthe difference will disappear for the user when therisk evaluation is performed in engineering toolsvia "questionnaires".
8.6. Safety function design
IEC 62061 defines so-called safety-related controlsystems (SRECS) for safety functions with sub-systems for sensing, processing, and actuation.Subsystems may contain elements (e.g.switches).
The easiest way to design a safety function is touse certified F-Devices (sensors, actuators) and acertified F-Host connected via PROFIsafe.
8.7. Achieved SIL
The F-Devices provide the necessary informationin their safety manual to determine the achievedSIL of a particular safety function. In the first step,the least SILCL (claim limit) of all the safetydevices (F-Devices, F-Host) is selected. Thisdetermines the maximum achievable SIL of theentire safety function. In some cases systemmanufacturers may offer system support toupgrade to a higher SIL via redundancy ofF-Devices and corresponding system software.
In the second step, the PFHd values are addedand the result is checked against the permittedvalue ranges for a particular SIL.
The least SIL value from these two steps deter-mines the achievable SIL.
In the following sections, you will see how youcan combine F-Modules within remote I/O withclassic electromechanical safety devices such asemergency stop buttons, door switches, etc. asshown in Figure 4.
8.8. Electromechanics
IEC 62061 provides four predetermined architec-tures A, B, C, and D for subsystems to connectclassic safety devices. Formulas to calculatefailure probabilities are provided for these circuits.With the help of B10 values for the switches, the
estimated number of switch cycles, the diagnosticcoverage, and a common cause factor, thenecessary probability of dangerous failures canbe calculated with the formulas and added todetermine the overall SIL.
8.9. Non-electrical partsThe ISO 13849-1 defines so-called SRP/CS(Safety-Related Parts of Control Systems) also forhydraulic, pneumatic, electric, and mechaniccomponents. A PL and a PFHd value can bedetermined for such a component with the help ofthis standard and transformed into the SIL deter-mination for the safety function according to IEC62061.
8.10. Validation
IEC 62061 requires a validation plan to be part ofthe overall safety plan. According to this plan the
machinery shall be tested, checked, and docu-mented.
9. F-Device families
PROFIsafe as an enabling technology has beeninitiating new possibilities for standard and safetydevices. This chapter is to provide a brief over-view of some important F-Devices and typicalapplications.
9.1. Remote I/O
Standard remote I/O now are able to incorporatesafety modules without changing the headstations. F-Modules such as digital input/output,analog input/output, power modules, motor start-ers, and frequency converters with integratedsafety are available. The F-Modules can begrouped together and allow shut-down in groups.
Emergency stop buttons need very costly yearlyinspections as each and every button has to betested. The new technology allows for easy col-lection of all actuations over the year. This wayonly the remaining unactuated buttons have to betested, thus saving tremendous costs.
9.2. Optical sensors
Optical safety sensors such as light curtains andlaser scanners are standardized withinIEC 61496. Optical sensors are ideally suited toprotect entry/exit portals in a flexible manner. Theexample in Figure 18 also shows how PROFIsafecomplements the safety features of laser scan-ners and drives with integrated safety. See detailsbelow.
9.3. Drives
The safety features of drives are standardized inIEC 61800-5-2. These safety functions usually rerequire a safe position indicator. The value is
-
7/24/2019 PROFIsafe System Description v 2010 English
21/2617PROFIsafe System Description
available to the user via PROFIsafe and can re-place physical "end-of-travel"-switches or physical"muting"-sensors. As shown in Figure 18 the mo-tor position affects the protection fields of laserscanners according to the profiles of car bodies at
entry/exit portals of a manufacturing cell.Section 0 lists many more possible safety featureswhich will cause revolutionary applications tooccur in the near future.
9.4. Robots
Safety features for robots can be found inISO 10218. The new safety features for drivesfoster robots to integrate those features and pro-vide new functionality such as "collaborativerobots", where persons work hand-in-hand withrobots.
9.5. F-Gateways
For PROFIsafe an F-Gateway to AS-i Safety-at-work (ASIsafe) exists. This device combines theadvantages of both worlds. While ASIsafe caneasily collect the signals from many emergencystop buttons connected in series, PROFIsafe iseasily able to deal with sophisticated F-Devicessuch as drives with integrated safety.
9.6. PA Devices
It was previously mentioned that safety for proc-ess automation follows its own sector standard
IEC 61511. NAMUR, as standards body for
chemical and pharmaceutial industries publishesthe companion standard NE97 specifying howsafety communication can be used with safetyfield devices. A "proven-in-use" PA Device,equipped with a PROFIBUS MBP-IS interface,accommodates a PROFIsafe driver that can beconfigured "Off" or "On". In one mode it repre-
sents a standard PA Device, in the other mode anF-Device (Figure 19).
NAMUR initiated another companion standard,the VDI 2180, which facilitates the development ofsafety-related PA Devices.
Currently most of the PROFIsafe applications inprocess automation deploy remote I/O withF-Modules for 4-20mA or HART communication.Figure 20 demonstrates the two possibilities forusing PROFIsafe with "proven-in-use"PA Devices. This is a good compromise eventhough it suffers from the lack of the direct field-bus advantages such as wide range measure-ments, parameterization and sophisticated diag-nosis.
Level switches
Level switches for tanks benefit much from thePROFIsafe technology. PROFIBUS PA with itsMBP-IS and RS485-IS explosion-proof transmis-sion technologies fit well into the requirements ofthese F-Devices. PROFIsafe provides the safetytransmission of the shut-down signals while thestandard "black channel" informs the user about
the status of the sensors.ESD valves
Similar improvements can be achieved for ESD(Electronic Shut-Down) valves. The main objec-tive here is to periodically test the valve functionthrough "partial valve strokes" and trend monitor-ing of the end position and of the time elapsed toreach this position. This can be done automati-cally via F-Hosts and allows predictive mainte-nance whenever it is convenient for the user. TheRS485-IS communication together with barriersallows fast shut-down even within an Ex-i envi-ronment.
Entry/exit portalLaserscanner
Skid
Skid position
Motor position scale
Protectionfield (PF0)
PF1 PF2
Profile 1
Profile 2
PF0
Figure 18: Software muting sensors for laser-scanners
Bus interfaceBus interface
Process
control
system
Safetyprogram
Bus interfaceBus interface
PROFIsafe
PROFIsafe
(PROFIsafe"On)
Userprogram
Bus interfaceBus interface
PROFIsafe
(PROFIsafe"Off")
SIL2
Figure 19: PROFIsafe and NE97 for PA-Devices
MBP-IS with
PROFIsafe
PROFIBUS DPwith PROFIsafe
ProcessControlSystem
HART 4-20mA
ProcessControlSystem
Remote I/Owith F-Modules
"Proven-in-use"(SIL2)
Figure 20: Two possibilities for PROFIsafe and PA-Devices
-
7/24/2019 PROFIsafe System Description v 2010 English
22/2618 PROFIsafe System Description
Pressure transmitter
Safe pressure transmitters combine the functionof measuring the tank filling and of protectionagainst overflow ("level switch") via comparisonwith a setpoint value.
Gas and fire sensors
These sensors are in service on unmanned oilplatforms for example. Additional position informa-tion makes it possible to automatically battendown the relevant hatches.
10. User benefits
More than 30 million PROFI-BUS devices havenow been installed. Therefore, the top priority fordevelopment has always been and will continueto be ensuring that the system remains fully com-patible with the devices that are already in thefield.
Thanks to the autonomous functional safetycommunication protocol of PROFIsafe and its"Black Channel" approach, it is even possible tocross-over from PROFINET to PROFIBUS withoutany major difficulties. The identical PROFIsafedriver software can be used in both PROFINETand PROFIBUS devices.
Introduction of PROFIsafe has been causing athree-step quantum leap:
From safety-related relay logic to safeprogrammable logic
From multi-wire to functional safe serialcommunication
From isolated to cooperating safety-relateddevices
The following statements perfectly sum up thebenefits from several points of view.
10.1. Integrators and end users
Same cost savings as with the introduction ofstandard PROFI-BUS: reduced wiring, flexibleconfigurations, parameterization, and diagnosis
Easy and cost-efficient system design with abroad product spectrum from all types of manu-facturers
In general no special installation restrictions
Highly innovative safety applications througheasy communication between sophisticatedF-Devices
High flexibility in the replacement of existingrelay technology as well as expansion and retro-
fit of existing installationsIntegrated technology for both factory and
process automation
Training, documentation, and maintenancerequired for only one bus technology
Programming of standard and safety-relatedapplications with only one tool and certifiedfunction blocks
Easy documentation of safety-related configu-rations and logics
Cost saving system acceptance due to certifieddevices
International acceptance through IEC 61508-conforming technology.
Positive assessments by BGIA and TV
10.2. Device manufacturers
TV-certified software allows for easy imple-mentation and cost-efficient reproduction of aPROFIsafe solution
Different architectures of safety-relatedprogrammable controllers can adopt thePROFIsafe communication
Trailblazer for new innovative device functions
10.3. For future investments
Huge installed base of PROFIBUS and PROFI-NET devices
PROFIBUS/PROFINET organizations and sup-port centers are present worldwide
Use of all existing and future standards definedby PI also for safety-related applications
PROFIsafe is an international standard in IEC61784-3-3
Future software to assist the life-cycle of safetyapplications from design through assessment,validation, and documentation, thus further reducing efforts
-
7/24/2019 PROFIsafe System Description v 2010 English
23/2619PROFIsafe System Description
11. PROFIBUS & PROFINETInternational (PI)
As far as maintenance, ongoing development,and market penetration are concerned, opentechnologies need a company-independent insti-tution that can serve as a working platform. Asregards the PROFIBUS and PROFINET tech-nologies, this was achieved by founding thePROFIBUS Nutzerorganisation e.V. (PNO) in1989 as a non-profit interest group for manufac-turers, users, and institutions. The PNO is amember of PI (PROFIBUS & PROFINET Interna-tional), an umbrella group which was founded in1995. PI now has 25 regional user organizations(RPA: Regional PI Associations) and approxi-mately 1,400 members, meaning that it is repre-sented on every continent and is the worlds larg-est interest group for the industrial communica-tions field (Figure 21).
11.1. Responsibilities of PI
The key tasks performed by PI are:
Maintenance and further development ofPROFIBUS and PROFINET
Promotion of the worldwide establishment ofPROFIBUS and PROFINET
Protection of the investments of users andmanufacturers through influence on
international standardization Representation of the interests of members to
standards bodies and unions Worldwide technical support for companies
through PI Competence Centers (PICC) Quality control through a system for product
certification at PI Test Laboratories (PITL)based on standard conformity tests
Establishment of a worldwide training standardthrough PI Training Centers (PITC)
11.2. Technological development
PI has handed responsibility for technologicaldevelopment over to PNO Germany. TheAdvisory Board of PNO Germany oversees thedevelopment activities. Technological develop-ment takes place in the context of more than 50
working groups with input from more than 500experts.
11.3. Technical support
PI supports more than 35 accredited PICCsworldwide. These facilities provide users andmanufacturers with all kinds of advice and sup-port. As institutions of PI, they are independentservice providers and adhere to mutually agreedupon regulations. The PICCs are regularlychecked for their suitability as part of an individu-ally tailored accreditation process. Currentaddresses can be found on the PI website.
11.4. Certification
PI supports 9 accredited PITLs worldwide, whichassist in the certification of products with aPROFIBUS/PROFINET interface. As institutionsof PI, they are independent service providers andadhere to mutually agreed upon regulations. Thetesting services provided by the PITLs are regu-larly audited in accordance with a strict accredita-tion process to ensure that they meet the neces-sary quality requirements. Current addresses canbe found on the PI website.
11.5. TrainingThe PITCs have been set up with the specific aimof establishing a global training standard for engi-neers and installation technicians. The fact thatthe Training Centers and the experts that arebased there have to be officially accreditedmeans that quality is assured, not only withrespect to the PROFIBUS and PROFINET train-ing offered but also of the associated engineeringand installation services. Current addresses canbe found on the PI website.
11.6. Internet
Also available on the PI websitewww.profibus.com is actual information about theorganization of PI and the PROFIBUS and PRO-FINET technologies. An online-product guide, aglossary, diverse web-based trainings are to befound there, as well as the download area withspecifications, application profiles, installationguidelines, and other documents.
Regional PI
AssociationsPI Competence
CentersPI Test
Laboratories
PI TrainingCenters
PI (PROFIBUS & PROFINET International)
Technologies
Fieldbus based
Automation
Technology
Ethernet based
Automation
Technology
Proxy Technology
Regional PI
AssociationsPI Competence
CentersPI Test
Laboratories
PI TrainingCenters
PI (PROFIBUS & PROFINET International)
Technologies
Fieldbus based
Automation
Technology
Ethernet based
Automation
Technology
Proxy Technology
Regional PI
AssociationsPI Competence
CentersPI Test
Laboratories
PI TrainingCenters
PI (PROFIBUS & PROFINET International)
Technologies
Fieldbus based
Automation
Technology
Ethernet based
Automation
Technology
Proxy Technology
Figure 21: PROFIBUS & PROFINET International (PI)
-
7/24/2019 PROFIsafe System Description v 2010 English
24/26
-
7/24/2019 PROFIsafe System Description v 2010 English
25/26