This part of the IEC 61784-3 series specifies a safety communication layer (services and protocol) based on CPF 2 of IEC 61784-1, IEC 61784-2 and IEC 61158 Type 2. It identifies the principles for functional safety communications defined in IEC 61784-3 that are relevant for this safety communication layer. This safety communication layer is intended for implementation in safety devices only.

NOTE 1 It does not cover electrical safety and intrinsic safety aspects. Electrical safety relates to hazards such as electrical shock. Intrinsic safety relates to hazards associated with potentially explosive atmospheres.

This part1 defines mechanisms for the transmission of safety-relevant messages among participants within a distributed network using fieldbus technology in accordance with the requirements of IEC 61508 series2 for functional safety. These mechanisms may be used in various industrial applications such as process control, manufacturing automation and machinery.

This part provides guidelines for both developers and assessors of compliant devices and systems.

NOTE 2 The resulting SIL claim of a system depends on the implementation of the selected functional safety communication profile within this system – implementation of a functional safety communication profile according to this part in a standard device is not sufficient to qualify it as a safety device.

PDF Catalog

PDF Pages	PDF Title
2	National foreword
7	English CONTENTS
17	FOREWORD
19	Figures Figure 1 – Relationships of IEC 617843 with other standards (machinery)
20	Figure 2 – Relationships of IEC 617843 with other standards (process)
22	1 Scope 2 Normative references
24	3 Terms, definitions, symbols, abbreviated terms and conventions 3.1 Terms and definitions 3.1.1 Common terms and definitions
29	3.1.2 CPF 2: Additional terms and definitions 3.2 Symbols and abbreviated terms 3.2.1 Common symbols and abbreviated terms
30	3.2.2 CPF 2: Additional symbols and abbreviated terms
31	3.3 Conventions 4 Overview of FSCP 2/1 (CIP Safety™) 4.1 General 4.2 FSCP 2/1
32	5 General 5.1 External documents providing specifications for the profile Figure 3 – Relationship of Safety Validators
33	5.2 Safety functional requirements 5.3 Safety measures
34	5.4 Safety communication layer structure Tables Table 1 – Communications errors and detection measures matrix
35	5.5 Relationships with FAL (and DLL, PhL) 5.5.1 General 5.5.2 Data types 6 Safety communication layer services 6.1 Introduction Figure 4 – Communication layers
36	6.2 Connection object 6.2.1 General 6.2.2 Class attribute extensions 6.2.3 Service extensions Table 2 – New class attributes
37	6.2.4 Explicit message response format for SafetyOpen and SafetyClose 6.3 Connection Manager object 6.3.1 General Table 3 – Service extensions Table 4 – SafetyOpen and SafetyClose response format
38	6.3.2 ForwardOpen for safety
39	Figure 5 – ForwardOpen with safety network segment
40	6.3.3 Safety network segment Table 5 – Safety network segment identifier Table 6 – Safety network segment definition
41	Figure 6 – Safety network target format
42	Table 7 – Safety network segment router format Table 8 – Safety Network Segment Extended Format
43	6.3.4 Originator rules for calculating the connection parameter CRC 6.3.5 SafetyOpen processing flowcharts
44	Figure 7 – Target Processing SafetyOpen with no configuration data(Form 2 SafetyOpen)
45	Figure 8 – Target Processing for SafetyOpen with configuration data(Form 1 SafetyOpen)
46	6.3.6 Checks required by Multipoint producers with existing connections Figure 9 – Originator logic to determine which format to use
47	6.3.7 Electronic key usage for safety 6.3.8 RPI vs. API in safety connections 6.3.9 Application path construction for safety Table 9 – Multipoint producer parameter evaluation rules
48	6.3.10 Safety Validator connection types
49	Table 10 – ForwardOpen setting options for safety connections
51	6.3.11 Application reply data in a successful SafetyOpen response Table 11 – Network connection parameters for safety connections Table 12 – CP 2/3 Safety target application reply (size: 10 octets)
52	Table 13 – EF CP 2/3 Safety target application reply (size: 14 octets) Table 14 – SafetyOpen target application reply (size: 18 octets)
53	6.3.12 Unsuccessful SafetyOpen response Table 15 – EF SafetyOpen target application reply (size: 22 octets) Table 16 – New and extended error codes for safety
54	Table 17 – SafetyOpen error event guidance table
55	6.3.13 ForwardClose for safety 6.4 Identity object 6.4.1 General 6.4.2 Changes to common services
56	6.4.3 Extensions for CP 16/3 devices 6.5 Link objects 6.5.1 DeviceNet object changes Table 18 – Identity object common service changes Table 19 – Identity object extensions for CP 16/3 devices Table 20 – New DeviceNet object instance attribute
57	6.5.2 TCP/IP Interface object changes 6.5.3 SERCOS III Link object Table 21 – New TCP/IP Interface object instance attribute Table 22 – SERCOS III Link object class attributes
58	6.6 Safety Supervisor object 6.6.1 General Table 23 – SERCOS III Link object instance attributes Table 24 – SERCOS III Link Object Common Services
59	6.6.2 Safety Supervisor class attributes 6.6.3 Subclasses 6.6.4 Safety Supervisor instance attributes Table 25 – Safety Supervisor class attributes
60	Table 26 – Safety Supervisor instance attributes
63	6.6.5 Semantics
64	Table 27 – Device status attribute state values Table 28 – Exception status attribute format
65	Table 29 – Common exception detail attribute values
66	Table 30 – Exception detail format summary
68	Table 31 – Summary of device behavior for various CFUNID values
69	6.6.6 Subclasses 6.6.7 Safety Supervisor common services
70	Table 32 – Safety Supervisor common services Table 33 – Safety Supervisor object specific services
72	Table 34 – Configure_Request message structure Table 35 – Validate_Configuration message structure Table 36 – Validate_Configuration success message structure
73	Figure 10 – Applying device configuration Table 37 – Validate_Configuration error code Table 38 – Validate_Configuration extended codes
74	Figure 11 – Configure and Validate processing flowcharts
75	Table 39 – Set_Password message structure Table 40 – Reset_Password message structure
76	Table 41 – Configuration_Lock/Unlock message structure Table 42 – Mode_Change message structure
77	Table 43 – Safety_Reset message structure Table 44 – Safety Supervisor safety reset types Table 45 – Attribute bit map parameter
78	Table 46 – Reset processing rules for reset types Table 47 – Propose_TUNID service
79	Table 48 – Apply_TUNID service
80	6.6.8 Safety Supervisor behavior Figure 12 – UNID handling during “Waiting for TUNID”
81	Figure 13 – Safety Supervisor state diagram Table 49 – Safety Supervisor events
82	Table 50 – State event matrix for Safety Supervisor
85	Figure 14 – Configuration, testing and locked relationships Table 51 – Configuration owner control vs. device state
86	Table 52 – State mapping of Safety Supervisor to Identity object Table 53 – Safety Supervisor object event mapping
87	6.7 Safety Validator object 6.7.1 General 6.7.2 Class attributes Table 54 – Identity object event mapping
88	6.7.3 Instance attributes Table 55 – Safety Validator class attributes Table 56 – Safety Validator instance attributes
90	Table 57 – Safety Validator state assignments
91	Figure 15 – Safety connection types Table 58 – Safety Validator type, bit field assignments
92	Table 59 – Multipoint producer SafetyOpen parameter evaluation rules
93	6.7.4 Class services Table 60 – Safety Validator class services
94	6.7.5 Instance services 6.7.6 Object behavior Table 61 – Safety Validator instance services Table 62 – Safety Validator Get_Attributes_All service data
95	Figure 16 – Safety Validator state transition diagram
96	Table 63 – Safety Validator state event matrix
97	6.8 Connection Configuration Object 6.8.1 General 6.8.2 Class attribute extensions 6.8.3 Instance attributes, additions and extensions. Table 64 – State mapping between Safety Supervisor and Safety Validator objects Table 65 – Connection configuration object class attribute extensions Table 66 – Connection Configuration Object instance attribute additions/extensions
100	6.8.4 Instance attribute semantics extensions or restrictions for safety Table 67 – Connection flag bit definitions
101	Table 68 – O-to-T connection parameters
102	Table 69 – T-to-O connection parameters
103	Table 70 – Data map formats
104	6.8.5 Special Safety Related Parameters – (Attribute 13) Table 71 – Data map format 0 Table 72 – Data map format 1
106	Table 73 – Target device’s SCCRC values Table 74 – Target device’s SCTS values
107	Table 75 – Time correction connection parameters for multipoint connection
108	Table 76 – Format Type attribute meaning
109	Figure 17 – Logic for Auto-detecting format type Table 77 – Format Status attribute meaning
110	6.8.6 Object-specific services 6.8.7 Common service extensions for safety Table 78 – Connection Configuration Object-specific services Table 79 – Get_Attributes_All Response service data (added attributes )
111	Table 80 – Get_Attributes_All Response service data (added parameters ) Table 81 – Set_Attributes_All Request service data (added attributes) Table 82 – Set_Attributes_All Response service data (added parameters )
112	6.8.8 Object behavior Figure 18 – Connection Configuration Object state diagram Table 83 – State Mapping between Safety Supervisor and the CCO objects
113	7 Safety communication layer protocol 7.1 Safety PDU format 7.1.1 Safety PDU encoding Figure 19 – Connection Configuration Object data flow
114	Figure 20 – Format of the mode octet Table 84 – Connection sections and PDU formats
115	Figure 21 – 1 or 2 octet data section, Base Format Table 85 – Mode octet variables
116	Figure 22 – 1 or 2 octet data section, Extended Format Figure 23 – 3 to 250 octet data section format, Base Format
117	Figure 24 – 3 to 250 octet data section format, Extended Format
118	Figure 25 – Time Stamp section format, Base Format Table 86 – Time Stamp variables
119	Figure 26 – BF Time Coordination message encoding Figure 27 – EF Time Coordination message encoding Table 87 – Time Coordination message variables
120	Figure 28 – BF Time Correction message encoding Figure 29 – EF Time Correction message encoding
121	Table 88 – Time Correction Message variables
122	Figure 30 – 1 or 2 octet point-to-point PDU encoding Figure 31 – 1 or 2 Octet multipoint PDU encoding
123	Figure 32 – 1 or 2 Octet, multipoint, Format 2 safety connection format Figure 33 – 3 to 250 Octet Point-to-point PDU encoding
124	Figure 34 – 3 to 248 Octet Multipoint PDU encoding Figure 35 – 3 to 248 Octet, Multipoint, safety connection format
125	7.1.2 Safety CRC Figure 36 – CRC Calculation order for Extended Format messages Table 89 – CRC polynomials used
126	7.2 Communication protocol behavior 7.2.1 Sequence of safety checks 7.2.2 Connection termination 7.2.3 Cross checking error Table 90 – Connection sections and message formats
127	7.3 Time stamp operation Figure 37 – Time stamp sequence
128	7.4 Rollover counts in the EF 7.5 Protocol sequence diagrams 7.5.1 General 7.5.2 Normal safety transmission Figure 38 – Sequence diagram of a normal producer/consumer safety sequence
129	7.5.3 Lost, corrupted and delayed message transmission Figure 39 – Sequence diagram of a normal producer/consumersafety sequence (production repeated)
130	Figure 40 – Sequence diagram of a corrupted producer to consumer message
131	Figure 41 – Sequence diagram of a lost producer to consumer message
132	7.5.4 Lost, corrupted or delayed message transmission with production repeated Figure 42 – Sequence diagram of a delayed message
133	Figure 43 – Sequence diagram of a corrupted producer to consumer message with production repeated
134	7.5.5 Point-to-point ping Figure 44 – Sequence diagram of a connection terminated due to delays Figure 45 – Sequence diagram of a failure of safety CRC check
135	7.5.6 Multipoint ping on CP 2/3 Safety Figure 46 – Sequence diagram of a point-to-point ping – normal response
136	7.5.7 Multipoint ping on CP 2/2 safety networks Figure 47 – Sequence diagram of a successful multipoint ping, CP 2/3 safety
137	7.5.8 Multipoint ping – retry with success Figure 48 – Sequence diagram of a successful multipoint ping, CP 2/2 safety
138	7.5.9 Multipoint ping – retry with timeout Figure 49 – Sequence diagram of a multipoint ping retry Figure 50 – Sequence diagram of a multipoint ping timeout
139	7.6 Safety protocol definition 7.6.1 General 7.6.2 High level view of a safety device 7.6.3 Safety Validator object Figure 51 – Safety device reference model entity relation diagram
140	7.6.4 Relationship between SafetyValidatorServer and SafetyValidatorClient 7.6.5 Extended Format time stamp rollover handling Figure 52 – Two devices interchanging safety data via a SafetyValidatorClient and a SafetyValidatorServer
142	Figure 53 – Point-to-point, originating consumer. target producer
143	Figure 54 – Point-to-point, originator producer, target consumer
144	Figure 55 – Multi-point, originator consumer, target producer
145	7.6.6 SafetyValidatorClient function definition Figure 56 – Safety production data flow
153	7.6.7 SafetyValidatorServer function definition
154	Figure 57 – Consumer safety data monitoring
155	Figure 58 – SafetyValidatorServer – application triggered
156	Table 91 – Data reception – Link triggered Table 92 – Time_Correction reception – Link triggered Table 93 – Data reception – Application triggered
157	Table 94 – Time_Correction reception – Application triggered Table 95 – Consuming application – Safety data monitoring
166	7.7 Safety message and protocol data specifications 7.7.1 Mode octet
167	7.7.2 Time Stamp Section 7.7.3 Time Coordination Message
168	7.7.4 Time correction message 7.7.5 Safety data production
169	Table 96 – Producer connection status determination
176	7.7.6 Producer dynamic variables
178	7.7.7 Producer per consumer dynamic variables
179	7.7.8 Consumer data variables
180	Table 97 – Consuming safety connection status
181	7.7.9 Consumer input static variables
182	7.7.10 Consumer dynamic variables
184	8 Safety communication layer management 8.1 Overview 8.2 Definition of the measures used during connection establishment Table 98 – Connection establishment errors and measures to detect errors
185	Table 99 – SNN Date/Time allocations Table 100 – SNN legal range of time values
188	8.3 Originator-Target relationship validation 8.4 Detection of mis-routed connection requests Figure 59 – Target ownership
189	8.5 SafetyOpen processing 8.6 Ownership management Figure 60 – SafetyOpen forms
190	8.7 Bridging different physical layers Figure 61 – Connection ownership state chart Figure 62 – SafetyOpen UNID mapping
191	Figure 63 – Common CPF 2 application layer Figure 64 – End-to-End routing example
192	8.8 Safety connection establishment 8.8.1 Overview 8.8.2 Basic facts for connection establishment 8.8.3 Configuring safety connections
193	Table 101 – Safety connection parameters
194	8.8.4 Network time expectation multiplier Figure 65 – Sources for safety related connection parameters
195	8.8.5 Establishing connections Figure 66 – Parameter mapping between originator and target
196	Table 102 – SafetyOpen summary
197	Figure 67 – CP 2/3 Safety connection establishment in targets for Form 2a SafetyOpen
198	8.8.6 Recommendations for consumer number allocation Figure 68 – General sequence to detect configuration is required
199	8.8.7 Recommendations for connection establishment 8.8.8 Ownership establishment
200	8.8.9 Ownership use cases
203	8.8.10 PID/CID usage and establishment 8.8.11 Proper PID/CID usage in multipoint and point-to-point connections Figure 69 – PID/CID exchanges for two originator scenarios
204	Figure 70 – Seed generation for multipoint connections
205	8.8.12 Network supported services Figure 71 – PID/CID runtime handling
206	8.8.13 FSCP 2/1 safety device type
207	Table 103 – Originator/Target service mapping Table 104 – Unsupported originator/target service types
208	Figure 72 – Connection categories and supported services
209	Figure 73 – Recommended connection types Figure 74 – Logic-to-logic supported services
210	8.9 Safety configuration process 8.9.1 Introduction to safety configuration 8.9.2 Configuration goals Figure 75 – Recommended connection types for logic to logic
211	8.9.3 Configuration overview Figure 76 – Configuration data transfers Table 105 – Configuration goals
212	8.9.4 User configuration guidelines
213	8.9.5 Configuration process SIL3 justification Figure 77 – Protection measures in safety devices
214	8.9.6 Device functions for tool configuration 8.9.7 Password security 8.9.8 SNCT interface services 8.9.9 Configuration lock
215	8.9.10 Effect of configuration lock on device behavior Figure 78 – Configuration, testing and locked relationships
216	8.9.11 Configuration ownership 8.9.12 Configuration mode 8.9.13 Measures used to ensure integrity of configuration process Table 106 – Configuration owner control vs. device state
217	Figure 79 – Originator’s configuration data
218	8.9.14 Download process
219	Figure 80 – SNCT to device download process
220	Figure 81 – SNCT Downloads to originators that perform Form 1 configuration
221	8.9.15 Verification process
222	Figure 82 – Protection from locking and ownership Figure 83 – Example of read back and comparison of original and printout
223	8.9.16 Verification process Figure 84 – Diverse display without full data read back
224	8.9.17 Configuration error analysis Figure 85 – Verification process including all alternatives
225	Table 107 – Errors and detection measures
228	8.10 Electronic Data Sheets extensions for safety 8.10.1 General rules for EDS based safety devices
229	8.10.2 EDS extensions for safety Table 108 – Object Class section keywords
230	Table 109 – Safety Classx entry format Table 110 – Parameter class keywords
231	Table 111 – New Connection Manager section keywords for safety
232	Table 112 – Connection Manager field usage for safety
233	Table 113 – Connection parameter field settings for safety
234	8.11 Requirements for CP 2/2 8.11.1 EPI rules for safety messages that travel over CP 2/2 8.11.2 Default safety I/O service 8.11.3 Duplicate IP detection 8.11.4 Priority for safety connections
235	8.12 Requirements for CP 2/3 8.12.1 Allocation of CP 2/3 identifiers Table 114 – CP 2/3 ID assignment rules
237	8.12.2 Additional requirements 8.13 CP 16/3 requirements 8.13.1 General architecture for CPF 2 on CP 16/3
238	8.13.2 Baseline FSCP 2/1 on CP 16/3 device Figure 86 – Baseline FSCP 2/1 on CP 16/3 device
239	8.13.3 Supported objects and services in CP 16/3 devices 8.13.4 Transport layer requirements
241	Figure 87 – FSCP 2/1 Adaptation Layer and SMP interaction
242	8.13.5 FSCP 2/1 and the CP 16/3 device model Figure 88 – FSCP 2/1 Adaptation
243	8.13.6 UNID assignment on CP 16/3 Figure 89 – CP 16/3 device model
245	Figure 90 – Adding a standard module to a modular device
246	9 System requirements 9.1 Indicators and switches 9.1.1 General indicator requirements 9.1.2 LED indications for setting the device UNID 9.1.3 Module Status LED Table 115 – LED indications for setting UNID
247	9.1.4 Indicator warning 9.1.5 Network Status LED Table 116 – Module Status LED Table 117 – Network status LED states
248	9.1.6 Switches
250	9.2 Installation guidelines Figure 91 – Safety device NodeID processing logic
251	9.3 Safety function response time 9.3.1 Overview 9.3.2 Network time expectation Figure 92 – Safety function response time
252	9.3.3 Equations for calculating network reaction times Table 118 – Connection reaction time type – producing/consuming applications
253	Figure 93 – Safety function response time components
254	9.4 Duration of demands 9.5 Constraints for calculation of system characteristics 9.5.1 Number of nodes 9.5.2 Network PFH Figure 94 – Network protocol reliability block diagram (RBD)
256	Figure 95 – Network PFH summary
257	9.5.3 Bit Error Rate (BER) Figure 96 – Extended Format PFH summary
258	9.6 Maintenance 9.7 Safety manual 10 Assessment
259	Annex A (informative) Additional information for functional safety communication profiles of CPF 2 A.1 Hash function example code
273	A.2 …
274	Annex B (informative) Information for assessment of the functional safety communication profiles of CPF 2
275	Bibliography

Published By	Publication Date	Number of Pages
BSI	2017	278


PDF Format	Searchable	Printable	Preview Now

Status	Withdrawn
Title	Industrial communication networks. Profiles – Functional safety fieldbuses. Additional specifications for CPF 2
Replaces	BS EN 61784-3-2:2010
Publisher	BSI
Committee	GEL/65/3
Pages	278
Publication Date	2017-12-31
Withdrawn Date	2024-07-02
Replaced By	BS EN IEC 61784-3-2:2021
ISBN	978 0 580 85167 4
Standard Number	BS EN 61784-3-2:2017
Identical National Standard Of	EN 61784-3-2:2017, IEC 61784-3-2:2016
Descriptors	Data transfer, Open systems interconnection, Data processing, Interfaces (data processing), Bus networks, Automatic control systems, Safety, Industrial, Fieldbus, Process control, Communication networks, Computer networks, Data link layer (OSI), Data transmission
ICS Codes	25.040.40 - Industrial process measurement and control

BS EN 61784-3-2:2017

PDF Catalog

Related products

BS EN 61784-3-2:2017

BS EN 61784-3-2:2017 – TC:2020 Edition

BS EN 61784-3-2:2017