CIP Safety Protocol Training
Virtual Training Courses
Session 0: Overview of Functional Safety and Safety Networks
Before We Begin
• Introductions
• All attendees are automatically muted with no video connection as a
default.
• Please use the Q&A to ask questions, not the chat. We will address
questions as they come in.
• At the end if there is time, we will take questions verbally from the
attendees. We will advise if and when there is time for you to “raise your
hand” if you have a question.
• Please complete the 4 question post session survey. The survey will
launch when you close out of the webinar.
PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 2
Overview of Functional
Safety Standards
Jim Grosskreuz
Rockwell Automation
![Page 4: CIP Safety Protocol Training - ODVA](https://reader030.vdocuments.net/reader030/viewer/2022021713/620b6e111fae284a856f58c7/html5/thumbnails/4.jpg)
Evolution of Factory Safety
In early factories, workers were
encouraged to act in unsafe ways to
meet production goals.
Industry 2.0 and 3.0 brought an increased focus on safety, improving it
through attention to human factors and the development of best practices.
Industry 4.0 requires flexibility,
ease of use, human-machine collaboration,
and interoperability between vendors.
Machinery Builder & Operator Responsibilities
• European Union
– Machinery Directive
• Prescriptive approach to machinery safety
• Mandates risk assessments and safe machines
• United States
– OSHA
• Less prescriptive approach to machinery safety
• Introduces fines for violations
– Litigious Culture
• OEMs and System Integrators aren’t protected from litigation
• Elsewhere
– Mixed legal and cultural environments
Automation Device Vendor Responsibilities
• Simplified Safety Interfaces
– Traditional wiring, Serial fieldbus, Industrial
Ethernet
– Design to applicable standards and for
interoperability
• Documentation
– Wiring and integration with control systems
– Safety Functions
– Diagnostics and troubleshooting
– Functional Safety data
• Third Party Certification
– Validated implementation according to relevant
standards
Images are the EC-type certificates for products that use CIP Safety
Functional Safety
• Long history of evolving standards from many organizations
• IEC¹ defines safety as
– Freedom from unacceptable risk of physical injury or of damage to the health of
people, either directly, or indirectly as a result of damage to property or to the
environment.
• IEC further defines functional safety as
– The part of the overall safety that depends on a system or equipment operating
correctly in response to its inputs.
– The detection of a potentially dangerous condition resulting in the activation of a
protective or corrective device or mechanism to prevent hazardous events arising or
providing mitigation to reduce the consequence of the hazardous event.
¹ International Electrotechnical Commission; http://www.iec.ch/functionalsafety/
Basic Concepts of Functional Safety - Risk
• Important to remember:
– What is the operating mode?
– Who is interacting with the machine?
– When in the lifecycle is this activity?
– What has already been done for protection?
[Figure: Risk shown as the combination of How Likely? (Chances), How Often? (Frequency) and How Bad? (Consequences)]
Basic Concepts of Functional Safety - Mitigation
Duality (Also known as Redundancy)
– If one thing fails, there is another thing that can bring the system to a safe state
– In parallel for Inputs or in series for Outputs
Diversity
– Protects against two things failing in exactly the same way at the same time
– Example: Using one NO and one NC set of contacts
– Example: Using both a high and a low input channel to a safety device
Diagnostics
– Safety products spend much of their time performing self-diagnostics
– If a problem is detected, the system will go to its “safe state” and will not allow the
system to be restarted until the problem is fixed
– Example: A safety PLC has a significantly higher degree of self-diagnostic versus a
standard PLC (> 90% vs. ≈ 50%)
Classification of Standards
• Basic Standards (Type A standard)
• Group Standards (Type B standard)
• Product Standards (Type C standard)
Standards shown on the slide:
– IEC 61508: Functional Safety
– ISO 13849-1: Safety of Machinery
– EN 50128: Safety for Railway
– EN 60601: Safety for Medical devices
– IEC 62061: Safety of Machinery – Electrical control systems
– IEC 61511: Safety for Process Industry
– IEC 61800-5-2: Electronic Drives
– IEC 61496: Protective equipment
– IEC 61784-3: Functional Safety fieldbusses
IEC 61508-1 General Requirements
• Documentation
• Management
• Safety Lifecycle
– 61508-1 7.1.1.5 defines 16 phases
– Phase 10 (Realisation) is further
refined in:
• 61508-2 (Hardware)
• 61508-3 (Software)
– Verification is expected at every
phase
• Assessment
IEC 61508 Key Concepts
• Quantifying probability of dangerous failure
– Common Cause Failure, Safe Failure Fraction, Diagnostic Coverage
– PFDavg (low demand, < 1 demand per year)
– PFH (high demand, continuous)
• SIL – Safety integrity level
– SIL 3 (high demand) → 10^-8 ≤ PFH < 10^-7
– SIL 3 (low demand) → 10^-4 ≤ PFDavg < 10^-3
• Basis for derived standards targeting application and product sectors
– IEC 61511 Safety Instrumented Systems (SIS)
– IEC 62061 Safety-Related Electrical Control System (SRECS)
– ISO 13849-1 Safety-Related Parts of Control Systems (SRPCS)
• This standard also uses Categories and Performance Levels
Your Customer’s Safety Flow
Simple Machine Example
Machine image from IEC 62061:2005 Section B.2, Figure B.2
Flow chart from IEC 12100:2010 Chapter 4, Figure 2
Simple Machine Example
• Motor power is removed when the E-stop is pressed. Once power is removed, hazardous motion coasts
to a stop.
• Tests have determined that coasting to a stop can take as long as 20 seconds. Risk assessment has
shown that a person can open the gate and reach the hazardous motion in less than 20 seconds. To
prevent dangerous access, a guard lock is used to keep the gate locked for 30 seconds after the E-stop
is pressed. After 30 seconds, the operator is allowed to unlock the door by applying power to the guard lock by using the key switch.
• While the door is open, the system is monitored to prevent an unexpected start-up. When the door is
closed, hazardous motion and power to the motor do not resume until a secondary action (start button
depressed) occurs. Faults at the door interlock switch, wiring terminals, or safety controller are detected before the next safety demand.
• The safety function in this example is capable of connecting and interrupting power to motors rated up to
9 A, 600VAC. The safety function meets the requirements for Category 4, Performance Level e (CAT. 4,
PLe), per ISO 13849-1, SIL3 per IEC 62061, and control reliable operation per ANSI B11.19.
This example comes from Rockwell Automation publication SAFETY-AT063D
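As an added illustration (not code from the ODVA deck or from the Rockwell publication it cites), the guard-locking safety function described above can be written as a small state machine. The 30 s lock hold comes from the text; the dual-channel door interlock check (one NC and one NC contact that must always disagree) models the diversity and self-diagnostic principles from the Mitigation slide. The class, state and event names, and the scenario timings, are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional

# Timing from the slide text: the gate stays locked 30 s after the E-stop because
# hazardous motion can coast for up to 20 s. (Constructed model, not vendor code.)
LOCK_HOLD_S = 30.0


class State(Enum):
    RUNNING = auto()    # motor powered, gate locked
    STOPPING = auto()   # E-stop pressed: power removed, gate still locked
    DOOR_OPEN = auto()  # gate unlocked; restart inhibited while it is open
    READY = auto()      # door closed again; a start-button press is still required
    FAULT = auto()      # self-diagnostic found a fault: safe state, no restart


@dataclass
class GuardLockSafetyFunction:
    state: State = State.RUNNING
    motor_powered: bool = True
    lock_engaged: bool = True
    estop_time: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def _safe_state(self, reason: str) -> None:
        # Safe state for this machine: motor de-energised, gate held locked.
        self.motor_powered = False
        self.lock_engaged = True
        self.events.append(reason)

    def estop_pressed(self, t: float) -> None:
        # Removing motor power is unconditional; unlocking the gate is not.
        self.estop_time = t
        self.state = State.STOPPING
        self._safe_state("estop")

    def key_switch(self, t: float) -> bool:
        """Operator asks to unlock the gate; granted only after LOCK_HOLD_S."""
        if self.state != State.STOPPING:
            return False
        if t - self.estop_time < LOCK_HOLD_S:
            self.events.append("unlock_refused")  # hazard may still be coasting
            return False
        self.lock_engaged = False
        self.state = State.DOOR_OPEN
        return True

    def read_interlock(self, nc_contact: bool, no_contact: bool) -> bool:
        """Dual-channel door interlock using diverse contacts (one NC, one NO).

        Door closed: NC contact closed (True), NO contact open (False); door open:
        the inverse. Equal readings mean a stuck contact, a short or a wiring
        fault, which the diagnostic must catch before the next safety demand.
        Returns True when the door is known to be closed."""
        if nc_contact == no_contact:
            self.state = State.FAULT
            self._safe_state("interlock_discrepancy")
            return False
        door_closed = nc_contact
        if self.state == State.DOOR_OPEN and door_closed:
            self.state = State.READY
        elif self.state in (State.RUNNING, State.READY) and not door_closed:
            # Gate opened while it should be locked: lock fault, treat as a demand.
            self.state = State.FAULT
            self._safe_state("door_opened_while_locked")
        return door_closed

    def start_pressed(self) -> bool:
        """Power returns only from READY: door closed plus a deliberate action."""
        if self.state != State.READY:
            return False
        self.lock_engaged = True
        self.motor_powered = True
        self.state = State.RUNNING
        return True


def demo_sequence() -> dict:
    """Walk the slide's scenario, then inject a shorted interlock channel."""
    sf = GuardLockSafetyFunction()
    sf.estop_pressed(t=0.0)
    early = sf.key_switch(t=12.0)   # refused: hazard may still be moving
    late = sf.key_switch(t=31.0)    # granted after the 30 s hold
    sf.read_interlock(nc_contact=False, no_contact=True)   # door opened
    sf.read_interlock(nc_contact=True, no_contact=False)   # door closed -> READY
    restarted = sf.start_pressed()
    sf.read_interlock(nc_contact=True, no_contact=True)    # channels agree: fault
    return {
        "early_unlock": early,
        "late_unlock": late,
        "restarted": restarted,
        "restart_after_fault": sf.start_pressed(),
        "final_state": sf.state.name,
        "motor_powered": sf.motor_powered,
        "events": list(sf.events),
    }


if __name__ == "__main__":
    print(demo_sequence())
```

The point of the discrepancy check is the one the Mitigation slide makes: with one NO and one NC contact a single fault cannot make both channels read "closed", so the diagnostic sees it and the function drops to the safe state, where `start_pressed` no longer restores power.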
Simple Machine Example
[Figure: Guard-Locking Safety Function, shown as Input → Logic → Output]
This example comes from Rockwell Automation publication SAFETY-AT063D
Safety Networks
Jim Grosskreuz
Rockwell Automation
Industrial Communications Backbone
• Industrial network basics:
– Quick connect/disconnect of devices
– Simple integration of new devices
– Easy configuration and communication between devices
– Diagnostic data
• Extra requirements for Functional Safety:
1. Messages delivered as intended or the device goes to the safe state
2. Suitably small quantitative risk that the device won’t go to the safe state
• Safety networks are just a means to high integrity communications – they require safety devices to
deliver the safety function
Challenges with Industrial Ethernet
Communication faults:
– Electrical noise
– Cable breaks
– Hardware failures
– Software bugs
Which can cause:
– Loss
– Repetition
– Corruption
– Delay
– Incorrect message routing
– Coupling with other packets
– Mixing with other packets
Product Standards
Safety Standards for Functional Safety
Subclauses 6.7.6.4 (high complexity) and 6.7.8.1.6 (low complexity) of
IEC 62061 specify the relationship between PL (Category) and SIL.
[Figure: IEC 61784-3:2016 Figure 1 - Relationships of IEC 61784-3 with standards (machinery). Design objective: design of safety-related electrical, electronic, & programmable electronic control systems (SRECS) for machinery. Colour key: gray = safety-related standards, gold = fieldbus-related standards, red = this standard (IEC 61784-3). Applicable standards shown:]
– IEC 61508 Series: FS (basic standard)
– IEC 62061 Series: FS for machinery (SRECS), SIL based
– ISO 13849-1, -2: Safety-related parts of machinery (SRPCS), PL based
– ISO 12100-1 and ISO 14121: Machinery: design & risk assessment
– IEC 60204-1: Electrical Equipment (electrical; US: NFPA 79 (2006)); non-electrical
– IEC 61784-3: FS communication profiles
– IEC 61158 Series / IEC 61784-1, -2: Fieldbus: industrial control
– IEC 61784-4: Security (profile-specific); IEC 62443: Security (common part)
– IEC 61784-5: Install guide (profile-specific); IEC 61918: Install guide (common)
– IEC 61000-1-2: Methodology EMC & FS; IEC 61325-3-1: Test EMC & FS
– Product standards: IEC 61496 (light curtains); IEC 61131-6 PLCs (under consideration); IEC 61800-5-2 Drives; ISO 10218-1 Robots
White Channel vs Black Channel
• 61508-2 7.4.11.2 describes two possible approaches for safety communications
– white channel (entire network must be developed according to 61508 and certified)
– black channel (only network protocol subject to certification)
• IEC 61784-3 extends IEC 61158 fieldbus specifications to Functional Safety Communication Profiles
(FSCP)
– All defined 61784-3 FSCPs use the black channel approach
– CIP Safety is FSCP 2/1 in IEC 61784-3-2
Introduction to Network Errors
• IEC 61784-3 Section 5.3 defines 8 types of errors that must be mitigated for functional safety
communications
1. Corruption
2. Unintended Repetition
3. Incorrect Sequence
4. Loss
5. Unacceptable Delay
6. Insertion
7. Masquerade
8. Addressing
Many of these errors can be interrelated! If a corrupt message
arrives, a new message may be requested by the client… Will that
cause unintended repetition? Incorrect sequence? Unacceptable
delay? Loss?
Network Error - Corruption
Messages may be corrupted due to errors within a bus participant, due
to errors on the transmission medium, or due to message interference.
Example of correct behavior:
Safety Msg #1 | Safety Msg #2 | Safety Msg #3 | Safety Msg #4
Example of corruption:
Safety Msg #1 | Safety Msg #2 | Sdetfq N34 &! | Safety Msg #4
Network Error – Unintended Repetition
Due to an error, fault or interference, messages are repeated.
Example of correct behavior:
Safety Msg #1 | Safety Msg #2 | Safety Msg #3 | Safety Msg #4
Example of unintended repetition:
Safety Msg #1 | Safety Msg #2 | Safety Msg #2 | Safety Msg #3
Network Error – Incorrect Sequence
Due to an error, fault or interference, the predefined sequence (for
example natural numbers, time references) associated with messages
from a particular source is incorrect.
Example of correct behavior:
Safety Msg #1 | Safety Msg #2 | Safety Msg #3 | Safety Msg #4
Example of incorrect sequence:
Safety Msg #1 | Safety Msg #2 | Safety Msg #4 | Safety Msg #3
Network Error - Loss
Due to an error, fault or interference, a message or acknowledgment is
not received.
Example of correct behavior:
Safety Msg #1 | Safety Msg #2 | Safety Msg #3 | Safety Msg #4
Example of loss:
Safety Msg #1 | Safety Msg #2 | Safety Msg #4
Network Error – Unacceptable Delay
Messages may be delayed beyond their permitted arrival time window, for example due to
errors in the transmission medium, congested transmission lines, interference, or due to
bus participants sending messages in such a manner that services are delayed or denied
(for example FIFOs in switches, bridges, routers).
Example of correct behavior:
Safety Msg #1 | Safety Msg #2 | Safety Msg #3 | Safety Msg #4
Example of unacceptable delay:
Safety Msg #1 | Safety Msg #2 | Safety Msg #2 | Safety Msg #3
Network Error - Insertion
Due to a fault or interference, a message is received that relates to an
unexpected or unknown source entity.
Example of correct behavior:
Safety Msg A → B #1 | Safety Msg A → B #2 | Safety Msg A → B #3 | Safety Msg A → B #4
Example of insertion:
Safety Msg A → B #1 | Safety Msg A → B #2 | Safety Msg C → B #97 | Safety Msg A → B #3
Network Error - Masquerade
Due to a fault or interference, a message is inserted that relates to an
apparently valid source entity, so a non-safety related message may be
received by a safety related participant, which then treats it as safety related.
Example of correct behavior:
Safety Msg #1 | Safety Msg #2 | Safety Msg #3 | Safety Msg #4
Example of masquerade:
Safety Msg #1 | Safety Msg #2 | Std Msg #19 | Safety Msg #3
Network Error - Addressing
Due to a fault or interference, a safety related message is delivered to the incorrect safety
related participant, which then treats reception as correct. This includes the so-called
loopback error case, where the sender receives back its own sent message.
Example of correct behavior:
Safety Input #1 | Safety Input #2 | Safety Input #3 | Safety Input #4
Safety Output #1 | Safety Output #2 | Safety Output #3 | Safety Output #4
Example of addressing:
Safety Input #1 | Safety Input #2 | Safety Output #2 | Safety Input #4
Safety Output #1 | Safety Output #2 | Safety Output #3 | Safety Output #4
CIP Safety
• This protocol addresses all the errors previously discussed
• Provides a stated probability of failure (PFH)
– PFH is probability of dangerous failure per hour
– 10^-8 ≤ PFH < 10^-7 required for SIL 3
– 10^-10 ≤ Network PFH < 10^-9 required for SIL 3
• 61784-3 recommendation is 1% of target SIL
• Certified by TÜV Rheinland for functional safety applications up
to SIL 3
• Suitable for use on EtherNet/IP, DeviceNet, SERCOS
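An added worked example (not from the ODVA deck) of the SIL arithmetic on this slide and on the IEC 61508 Key Concepts slide: the IEC 61508 PFH and PFDavg bands, and the IEC 61784-3 recommendation that the network consume no more than 1% of the target SIL's failure budget, which is how 10^-8 ≤ PFH < 10^-7 for SIL 3 turns into a network limit below 10^-9. The band limits are the standard's; the function names and the per-subsystem PFH figures in `demo` are constructed.

```python
# IEC 61508 target failure measures. High-demand/continuous mode is judged by PFH
# (probability of dangerous failure per hour); low-demand mode (fewer than one
# demand per year) by PFDavg. Each band: (SIL, lower bound, exclusive upper bound).
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# IEC 61784-3 recommendation quoted on the slide: the communication channel may
# consume at most 1 % of the target SIL's failure budget.
NETWORK_SHARE = 0.01


def sil_band(value, bands):
    """Return the SIL whose band contains value, or 0 if it is worse than SIL 1.
    Values better than the SIL 4 lower bound still meet SIL 4."""
    for sil, _lo, hi in bands:
        if value < hi:
            return sil
    return 0


def sil_from_pfh(pfh):
    return sil_band(pfh, PFH_BANDS)


def sil_from_pfd(pfd):
    return sil_band(pfd, PFD_BANDS)


def network_pfh_budget(target_sil):
    """Upper limit for the network's PFH at a given target SIL (high demand)."""
    upper = {sil: hi for sil, _lo, hi in PFH_BANDS}[target_sil]
    return NETWORK_SHARE * upper   # SIL 3: 0.01 * 1e-7 = 1e-9


def assess_safety_function(subsystem_pfh, network_pfh, target_sil):
    """Sum the dangerous-failure rates of a safety function's parts (sensor,
    logic, actuator ... plus the network) and check both the overall SIL band
    and the 1 % network allocation."""
    total = sum(subsystem_pfh.values()) + network_pfh
    achieved = sil_from_pfh(total)
    return {
        "total_pfh": total,
        "sil_achieved": achieved,
        "meets_target": achieved >= target_sil,
        "network_within_budget": network_pfh < network_pfh_budget(target_sil),
    }


def demo():
    # Constructed figures for a sensor-logic-actuator loop on a SIL 3 machine.
    parts = {"sensor": 2.0e-8, "logic": 1.0e-9, "actuator": 3.0e-8}
    within = assess_safety_function(parts, network_pfh=8.0e-10, target_sil=3)
    # Same parts, but a network taking 5 % of the SIL 3 budget instead of < 1 %:
    # the total still lands in the SIL 3 band, yet the allocation rule is broken.
    overspent = assess_safety_function(parts, network_pfh=5.0e-9, target_sil=3)
    return within, overspent


if __name__ == "__main__":
    print(demo())
```

The second case in `demo` is the one worth noticing: the overall PFH still sits inside the SIL 3 band, but the network has eaten far more than the 1% it is allowed, leaving too little of the budget for the sensor, logic and actuator that actually deliver the safety function.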
Error Mitigation from Various Black Channel Protocols
(X marks per error row as on the slide; which measure column each mark falls under was not preserved in this transcript)

FSoE (IEC 61784-3-12:2010, page 21)
Measures: Sequence Number; Time Expectation; Connection Authentication; Feedback Message; Data Integrity Assurance
– Corruption: X
– Unintended repetition: X X
– Incorrect sequence: X X
– Loss: X X X X
– Unacceptable delay: X X X
– Insertion: X X
– Masquerade: X X X
– Addressing: X
– Revolving memory failures within switches: X X

CIP Safety (IEC 61784-3-2:2016, page 29)
Measures: Time Stamp; Time Expectation; Connection Authentication; Data Integrity Assurance; Redundancy with Cross Checking; Diff. Data Integrity Assurance Systems
– Corruption: X X
– Unintended repetition: X X
– Incorrect sequence: X X
– Loss: X X
– Unacceptable delay: X
– Insertion: X X X
– Masquerade: X X X X X
– Addressing: X X

SafetyNET P (IEC 61784-3-18:2011, page 21)
Measures: Sequence Number; Time Expectation; Connection Authentication; Data Integrity Assurance; Diff. Data Integrity Assurance Systems
– Corruption: X
– Unintended repetition: X
– Incorrect sequence: X
– Loss: X X
– Unacceptable delay: X
– Insertion: X X
– Masquerade: X X X
– Addressing: X X
– Revolving memory failures within switches: X X X X

PROFIsafe (IEC 61784-3-3:2016, page 32)
Measures: Sequence Number; Time Expectation & Feedback Message; Connection Authentication; Data Integrity Assurance
– Corruption: X
– Unintended repetition: X
– Incorrect sequence: X
– Loss: X X
– Unacceptable delay: X
– Insertion: X
– Masquerade: X
– Addressing: X X
– Out-of-sequence: X
– Loop-back of messages: X
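As an added example (not ODVA code and not a CIP Safety stack), the following Python model shows how the measures listed in the table above (a sequence number standing in for the time stamp, time expectation, connection authentication and data integrity assurance) let a consuming safety device detect each of the eight IEC 61784-3 error types from the preceding slides and drop to its safe state. It replays one message stream per slide, including the loopback case from the Addressing slide. The message layout, field names, the 20 ms/50 ms timing limits, the device ids, and the use of `zlib.crc32` as a stand-in for the protocol's own CRCs are constructed for this demo; redundancy with cross checking and different data integrity assurance systems are not modelled.

```python
import struct
import zlib
from dataclasses import dataclass

MAX_AGE_MS = 20    # time expectation: data older than this is "unacceptable delay" (constructed)
WATCHDOG_MS = 50   # non-arrival detection: longest tolerated gap between good messages (constructed)


@dataclass(frozen=True)
class Msg:
    producer: int   # connection authentication: allowed source id ...
    consumer: int   # ... and allowed destination id
    seq: int        # sequence number (stands in for the time stamp)
    sent_ms: int    # producer time stamp
    data: bytes
    crc: int        # data integrity assurance over header + data


def safety_crc(producer, consumer, seq, sent_ms, data):
    # Header fields are covered by the CRC, so a packet for another connection, or a
    # non-safety packet carrying only a payload checksum, cannot pass as safety data.
    # zlib.crc32 stands in for the protocol's own CRCs.
    return zlib.crc32(struct.pack(">HHIQ", producer, consumer, seq, sent_ms) + data)


def make_safety_msg(producer, consumer, seq, sent_ms, data):
    return Msg(producer, consumer, seq, sent_ms, data, safety_crc(producer, consumer, seq, sent_ms, data))


def make_standard_msg(producer, consumer, seq, sent_ms, data):
    return Msg(producer, consumer, seq, sent_ms, data, zlib.crc32(data))  # non-safety: payload-only checksum


class SafetyConsumer:
    def __init__(self, my_id, producer_id):
        self.my_id, self.producer_id = my_id, producer_id
        self.expected_seq, self.last_good_ms = 1, 0
        self.safe_state, self.faults = False, []

    def _fault(self, kind):
        self.safe_state = True   # any detected error forces the safe state (latched)
        self.faults.append(kind)
        return kind

    def receive(self, msg, now_ms):
        """Check one delivered message; returns 'ok' or the detected fault class."""
        if self.safe_state:
            return "safe_state"
        if now_ms - self.last_good_ms > WATCHDOG_MS:
            return self._fault("watchdog_expired")      # loss / delay
        if msg.crc != safety_crc(msg.producer, msg.consumer, msg.seq, msg.sent_ms, msg.data):
            return self._fault("crc_mismatch")          # corruption / masquerade
        if msg.consumer != self.my_id:
            return self._fault("wrong_consumer")        # addressing, incl. loopback
        if msg.producer != self.producer_id:
            return self._fault("wrong_producer")        # insertion
        if now_ms - msg.sent_ms > MAX_AGE_MS:
            return self._fault("stale_message")         # unacceptable delay
        if msg.seq < self.expected_seq:
            return self._fault("repeated_sequence")     # unintended repetition
        if msg.seq > self.expected_seq:
            return self._fault("sequence_gap")          # loss / incorrect sequence
        self.expected_seq += 1
        self.last_good_ms = now_ms
        return "ok"

    def tick(self, now_ms):
        """Runs even when nothing arrives: non-arrival must be detected too."""
        if not self.safe_state and now_ms - self.last_good_ms > WATCHDOG_MS:
            self._fault("watchdog_expired")
        return self.safe_state


A, B, C = 1, 2, 3   # constructed device ids: A produces for B; C is an unrelated producer


def run_stream(consumer, arrivals, end_ms):
    """Replay (msg, arrival_ms) pairs, then run the watchdog up to end_ms.
    Returns the first fault raised, or None if every message was accepted."""
    for msg, t in arrivals:
        consumer.receive(msg, t)
    consumer.tick(end_ms)
    return consumer.faults[0] if consumer.faults else None


def run_scenarios():
    """One replay per error slide, each against a fresh consumer at B."""
    good = [make_safety_msg(A, B, i, 10 * i, b"run") for i in range(1, 5)]  # sent at 10..40 ms

    def arrive(msgs, delay_ms=2):
        return [(m, m.sent_ms + delay_ms) for m in msgs]

    corrupt = Msg(A, B, 3, 30, b"ruN", good[2].crc)   # payload flipped, CRC left as sent
    scenarios = {
        "correct": arrive(good),
        "corruption": arrive(good[:2] + [corrupt, good[3]]),
        "unintended_repetition": arrive([good[0], good[1], good[1], good[2]]),
        "incorrect_sequence": arrive([good[0], good[1], good[3], good[2]]),
        "loss": arrive([good[0], good[1], good[3]]),
        "unacceptable_delay": [(good[0], 12), (good[1], 22), (good[2], 62), (good[3], 72)],
        "insertion": arrive([good[0], good[1], make_safety_msg(C, B, 97, 30, b"run"), good[2]]),
        "masquerade": arrive([good[0], good[1], make_standard_msg(A, B, 19, 30, b"std"), good[2]]),
        "addressing": arrive([good[0], good[1], make_safety_msg(A, C, 3, 30, b"run"), good[3]]),
        "non_arrival": arrive(good[:2]),   # the stream simply stops after message #2
    }
    return {name: run_stream(SafetyConsumer(B, A), stream, end_ms=80) for name, stream in scenarios.items()}


def loopback_detected():
    """Addressing slide's loopback case: A receives back the message it sent to B."""
    return SafetyConsumer(my_id=A, producer_id=B).receive(make_safety_msg(A, B, 1, 10, b"run"), 12)
```

Two things the replay makes visible that the slides only state: loss and incorrect sequence first surface as the same symptom (a gap in the sequence), which is why the Introduction slide calls the error types interrelated, and a stream that simply stops is caught only by `tick`, the watchdog that runs whether or not anything arrives; that is the "non-arrival" case the Network Performance slide later names as the limiting factor for reaction time.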
Network Performance in Standard Networks
• Response time determines how fast a production line can operate
– Network response times are used as a measure of performance
[Figure: Input to Output Response Time, shown as Sensor Input → Data Transport → Logic → Data Transport → Output Actuator]
Network Performance in Safety Networks
• Worst case control system reaction time must satisfy process safety time
– Reaction time must include error conditions
• Detecting non-arrival of data is typically the limiting factor
[Figure: Safety Response Time, shown as Sensor Input → Safety Data Transport → Logic → Safety Data Transport → Output Actuator. Values on the slide: 45 ms, 6 ms, 10 ms; 6 ms input time & 10 ms output time using typical watchdog & timeout parameters & no faults; 38 ms inertia & speed dependent]
Next Sessions:
Session 1 – Overview of CIP and EtherNet/IP: Tomorrow, 8:00am – 9:30am US Eastern
Session 2 – CIP Safety Overview: Tomorrow, 10am – 11:30am US Eastern