profisafe-environments 2232 v25 mar07

Upload: arif-miftahur-rohman

Post on 14-Apr-2018


  • 7/30/2019 PROFIsafe-Environments 2232 V25 Mar07


    PROFIsafe Environmental Requirements
    related to
    PROFIsafe Profile for Safety Technology on PROFIBUS DP and PROFINET IO (IEC 61784-3-3)

    Guideline for PROFIBUS and PROFINET

    Version 2.5
    March 2007

    Order No: 2.232


    PROFIsafe Environmental Requirements Version 2.5

    Copyright PNO 2007 All Rights Reserved Page 2 of 43

    Document Identification: TC3-05-0006
    File name: PROFIsafe-Environments_2232_V25_Mar07.doc

    PROFIsafe - Requirements for Installation, Immunity, electrical Safety and Security for PROFIBUS DP and PROFINET IO

    Version 2.5
    March 2007

    Prepared by the PROFIBUS Working Group 5 PROFIsafe within the Technical Committee 3 Application Profiles.

    The attention of adopters is directed to the possibility that compliance with or adoption of PI (PROFIBUS International) specifications may require use of an invention covered by patent rights. PI shall not be responsible for identifying patents for which a license may be required by any PI specification, or for conducting legal inquiries into the legal validity or scope of those patents that are brought to its attention. PI specifications are prospective and advisory only. Prospective users are responsible for protecting themselves against liability for infringement of patents.

    NOTICE:

    The information contained in this document is subject to change without notice. The material in this document details a PI specification in accordance with the license and notices set forth on this page. This document does not represent a commitment to implement any portion of this specification in any company's products.

    WHILE THE INFORMATION IN THIS PUBLICATION IS BELIEVED TO BE ACCURATE, PI MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS MATERIAL INCLUDING, BUT NOT LIMITED TO ANY WARRANTY OF TITLE OR OWNERSHIP, IMPLIED WARRANTY OF MERCHANTABILITY OR WARRANTY OF FITNESS FOR PARTICULAR PURPOSE OR USE.

    In no event shall PI be liable for errors contained herein or for indirect, incidental, special, consequential, reliance or cover damages, including loss of profits, revenue, data or use, incurred by any user or any third party. Compliance with this specification does not absolve manufacturers of PROFIBUS or PROFINET equipment, from the requirements of safety and regulatory agencies (TÜV, BGIA, UL, CSA, etc.).

    PROFIBUS and PROFINET logos are registered trade marks. The use is restricted for members of Profibus International. More detailed terms for the use can be found on the web page www.profibus.com/libraries.html. Please select button "Presentations & logos".

    Publisher:
    PROFIBUS Nutzerorganisation e.V.
    Haid-und-Neu-Str. 7
    D-76131 Karlsruhe
    Germany
    Phone: ++49 (0) 721 / 96 58 590
    Fax: ++49 (0) 721 / 96 58 589
    E-mail: [email protected]

    http://www.profibus.com

    No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.


    Revision Log:

    Version / Originator / Date / Changes/History

    0.91  Team  04-Nov-2002  Working draft
    0.95  Team  18-Dec-2002  Working draft after internal review on Dec, 6th 2002
          Minor editorial changes: safety extra low voltage, protective extra low voltage, electromagnetic immunity and alike.
          Chapters 1.2 and 3: Term "nuisance trip" added.
          Chapter 4.1: Voltage levels for SELV and PELV defined
          Chapter 1.3.2 and 4.1: IEC 61010-1 added
          Figure 4-1 and Figure 4-3: "60VAC/75VDC" changed to "SELV/PELV"
          Chapter 3.3: table with test levels added
          Figure 3-2 "construction sketch of test bed" added
    0.96  Team  07-Jan-2003  Several editorial changes for unambiguousness
    0.97  Team  30-Jan-2003  Chapter 1.3.3: IEC 61131-2 just finished new FDIS (new test levels);
          Chapter 3.3: Table complemented by standard test levels
    1.0   Plenum  26-Feb-2003  Chapter 3.4.1: Table for increased immunity levels: frequencies removed in row "HF conducted"
    1.1   Plenum  28-Jun-2004  The following changes are introduced in version 1.0 according to the change request database (PROFIsafe environments) as of June 28th, 2004. The CRs can be downloaded from the project database.
          CR-ID2: Pages 15 and 16: Index for tables added.
          CR-ID3: Pages 22 and 24: Names for BGIA corrected
          CR-ID4: Literature: Reference to GS-ET-26
          CR-ID5: New chapter 5: No spurs or branch lines with PROFIsafe (RS485)
          CR-ID6: Chapter 3.1: Test bed to provide decoupling for the EUT and diagnosis reporting.
          01-Oct-2004  Released by PROFIBUS advisory board
    2.0   Team1  27-Jun-2006  Extended for PROFINET IO and updated according to new IEC activities.
          28-Jun-2006  Updated version according to WG meeting and BGIA meeting
    2.1   Team1  29-Sep-2006  Incorporated changes from project database ID=8 through ID=69
    2.2   Team1  05-Oct-2006  Incorporated changes from project database ID=70 through ID=122
          All CRs accepted by PROFIsafe WG on October 5th, 2006
    2.3   Team1  08-Nov-2006  Chapter 6 (data security) extended by more detailed specifications due to delayed other PNO guidelines. Conclusion by PROFIsafe WG on November 8th, 2006.
    2.4   Team1  03-Jan-2007  Changes to chapter 6 (data security) due to approval discussions with BGIA on December 14th, 2006. Additional changes due to an "Open Issue List" from BGIA on December 11th, 2006 (CR 126-140).
    2.5   Team1  22-Feb-2007  Changes to chapter 6 (data security) and to Ch. 3.3 (EMC) due to comments from BGIA (CR141-151).

    Team1: PROFIsafe core team founded in 2004.


    Contents

    1 Management summary - scope of this document
      1.1 PROFIBUS DP, PROFINET IO, and PROFIsafe
      1.2 Terms and Definitions
      1.3 Standards and Directives
        1.3.1 Functional Safety
        1.3.2 Electrical Safety
        1.3.3 Electromagnetic immunity
        1.3.4 Installation Guidelines
        1.3.5 Security aspects
        1.3.6 Test Principles of BGIA
    2 Safety Functions according to IEC 61508
    3 Immunity against electromagnetic phenomena
      3.1 Test Bed
      3.2 (Safety) Performance criteria for functional safety
      3.3 Generic increased immunity levels for PROFIsafe devices
        3.3.1 General industrial environments (IEC 61326-3-1)
        3.3.2 Specified electromagnetic environment (IEC 61326-3-2)
      3.4 Product family specifics
        3.4.1 F-Sensor (ESPE/AOPD)
        3.4.2 PA Devices for functional safety
        3.4.3 F-PLC and F-I/O
        3.4.4 F-Actuator (drives with integrated safety)
      3.5 Non-safety PROFIBUS and PROFINET devices
    4 Overvoltages and Shock Protection
      4.1 Definitions
      4.2 Device Model including Power Supplies
      4.3 Specifications for Standard-PROFIBUS Devices
      4.4 SIL3 Considerations
    5 Installation constraints
      5.1 Overview on PROFIBUS/PROFINET and international installation guidelines
      5.2 Topology
      5.3 Planning of cabling and wiring
        5.3.1 NFPA 79 (2006)
        5.3.2 Hybrid cables
        5.3.3 Wiring
      5.4 EMC aspects of power supply networks (TN-C, TN-S)
      5.5 Shielding and grounding (earthing)
        5.5.1 Single-ended versus double-ended grounding
        5.5.2 IP20
        5.5.3 IP67
      5.6 Electrical safety with drives with integrated safety
      5.7 High frequency currents with drives
    6 Data security
      6.1 Dangerous threats
      6.2 PROFIsafe data security requirements
      6.3 General data security concept of PROFINET IO


      6.4 Security measures
        6.4.1 Administration of firewalls
        6.4.2 Administration of security gates (devices) and VPN clients
        6.4.3 Security protocols
        6.4.4 Authentication of security gates and VPN clients
        6.4.5 Encryption algorithms
        6.4.6 Message authentication codes
        6.4.7 Key change
      6.5 Constraints
      6.6 Software update
      6.7 Robustness
      6.8 Test and certification of data security components (gates and VPN client software)
      6.9 Obligations
    7 International specifics
      7.1 Europe
      7.2 USA
        7.2.1 UL508/508C
        7.2.2 Values for SELV/PELV
      7.3 Asia
    8 Appendix
      8.1 Applicable Documents
      8.2 Abbreviations

    Figures

    Figure 1-1 The PROFIsafe Vision
    Figure 1-2 Safety for machinery and fieldbus standards
    Figure 1-3 Safety for PA and fieldbus standards
    Figure 1-4 Overview on safety related IEC/ISO standards
    Figure 1-5 EMC Standards referenced by IEC 61508 for industrial Environments
    Figure 1-6 Overview on device related EMC standards
    Figure 2-1 Influences on Safety Functions
    Figure 3-1 PROFIsafe test bed for immunity testing
    Figure 3-2 Construction sketch for a test bed
    Figure 3-3 Increased immunity test levels
    Figure 3-4 Modified test bed for PA devices
    Figure 4-1 Typical structure of a PROFIsafe/PROFIBUS DP device
    Figure 4-2 Typical structure of a PROFIsafe/PROFINET IO device
    Figure 4-3 SIL3 Considerations on Overvoltages
    Figure 5-1 Overview on PROFIBUS and international installation guidelines
    Figure 5-2 IEC 61508-2, excerpt of table A.13
    Figure 5-3 IEC 61508-2, excerpt of table A.17
    Figure 5-4 IEC 61508-7, Explanation A.11.1
    Figure 5-5 Power-over-Ethernet (modulation)
    Figure 5-6 Four conductor power network (TN-C)


    Figure 5-7 Five conductor power network (TN-S)
    Figure 5-8 Effect of shielding and twisting of cables
    Figure 5-9 Electrical safety with drives with integrated safety
    Figure 5-10 High frequency currents with drives
    Figure 6-1 Security concept of PROFIBUS/PROFINET
    Figure 7-1 UL 508 C considerations

    Tables

    Table 1 Performance criteria of GS-ET-26
    Table 2 Immunity levels per phenomenon (e.g. machinery)
    Table 3 Immunity levels per phenomenon (e.g. process industries)


    1 Management summary - scope of this document

    PROFIsafe is a supplementary technology for standard PROFIBUS and PROFINET. This technology reduces the residual error probability of data transmissions between fail-safe controllers and fail-safe field devices to the level required by the relevant standards, or better. In addition, PROFIsafe describes fail-safe solutions for configuration, parameter assignment, and maintenance.

    The PROFIsafe technology is described in a profile specification for PROFIBUS DP [1] that will remain valid besides a new specification for PROFIBUS DP and PROFINET IO [11]. Both BGIA and TÜV as notified bodies have issued positive technical reports. In the meantime certain PROFIBUS working groups had been defining safety amendments for their device families on how to use PROFIsafe. One is covering drives with integrated safety [13] and the other PA devices for safety applications [12].

    Since the above mentioned notified bodies only can issue the safety certifications on the basis of actual implementations in products or systems, open issues have been arising in the course of individual approvals of different devices in the new fieldbus environment in contrast to the relay technology. These are to be coordinated between the TÜV, BGIA, other notified bodies and the PROFIBUS WG5 "PROFIsafe".

    The open issues are partially depending on standards that are not yet covering fieldbus operations. The BGIA, with the strong support of the fieldbus organizations (including PROFIsafe) and the TÜV, has started early to fill this gap with so-called test principles [2].

    It is the purpose of this PROFIBUS guideline to collect agreed upon requirements and constraints for the design of PROFIsafe devices and for PROFIsafe specific operations within normal industrial environment as defined e.g. in IEC 61000-6-2. It is the responsibility of device manufacturers to define the test conditions for their intended product deployments.

    1.1 PROFIBUS DP, PROFINET IO, and PROFIsafe

    It is the declared objective of the PROFIBUS community to integrate the safety technology into the Standard PROFIBUS and PROFINET; that means to communicate on one cable without having an impact on the installed base of devices and systems. In addition, no separate power supply shall be required for the safety devices.

    [Figure: "Coexistence of Safety- and Standard Communication". Devices shown on one bus: standard controller, standard input/output, limit switch, PA, safety controller, safety input/output, laser scanner, light curtains, robots, drives, and conventional safety devices (e.g. E-Stop).]

    Figure 1-1 The PROFIsafe Vision


    The electrical safety is a precondition for a PROFIBUS/PROFINET system. Thus, for functional safety, a defined situation for using fail-safe devices can only be provided through corresponding:

    - Compliance to the installation guidelines (cables, cable installation, shields, shield connections, grounding, power supply, etc.) including constraints for PROFIsafe operations (5.1)

    - Defined requirements for the standard bus devices (conformance to IEC 61158 / 61784-1 and -2 [3], certification)

    - Defined safety requirements for the power supplies (SELV, PELV)

    The overall steps required for such a network may differ regarding the different safety integrity levels (SIL). Wherever it is economically possible, the adherence to the capability for SIL3 is the aim. The steps taken must be compliant with and/or conform to the existing standards. There are cases where the standards do not yet cover the state-of-the-art. This is frequently the case with fieldbus operations. Here, ways and means are to be found that are based on basic standards such as IEC 61508 [4] and proven principles and that ensure the required safety performance (e.g. EN954-1 [5], NFPA 79 [6], etc.). These ways and means must retain their validity for a suitable transitional period even if new standards are published in the meantime.

    1.2 Terms and Definitions

    EMI  Electromagnetic Interference.

    Safety aspects (increased immunity) are not covered by the EMC requirements for normal use. While the EMC requirements for normal use as defined in e.g. IEC 61000-6-2 aim to support sufficient operation under normal conditions the aim of the safety requirements only is to assure safe operations of the equipment or the equipment under control (Figure 3-3).

    Fail-safe  pertaining to a system or device that automatically places itself in a safe operating mode in the event of a failure

    Nuisance Trip  trip with no harmful effect caused by the safety system without a process demand ("false alarm").

    Performance Criterion  During immunity tests the equipment under test shall react in a way that is defined by a performance criterion.

    Increased Level  EMC standards like IEC 61000-6-2 are defining normal immunity test levels for sufficient operation of equipment under control. Increased Levels are related to functional safety aspects only and for some phenomena exceed the normal immunity levels. During these tests only the performance criteria for functional safety apply.

    SELV, PELV  Safety Extra Low Voltage, Protective Extra Low Voltage as defined in IEC 60364-4-41.

    SIL Monitor  A special feature of PROFIsafe monitoring the number of corrupted messages per safety function during a certain period of time that depends on the SIL class. If more than 1 corrupted message is discovered the system will turn the safety function into a fail-safe state.

    See IEC 61508-4 [7], IEC 61000-1-1 [8], and the PROFIsafe profiles [1] and [11] for further terms and definitions.
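The SIL Monitor rule defined above (more than one corrupted message per safety function within a SIL-dependent period forces the fail-safe state), as an added C sketch that is not code from this guideline or from the PROFIsafe profile. The type and function names, the millisecond tick, the latching behaviour and the period value passed in are assumptions; the guideline text does not state the period.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not PROFIsafe profile code. All names are hypothetical.
 * period_ms stands for the SIL-dependent monitoring period; its real value
 * is not given on this page, so the caller supplies it. */
typedef struct {
    uint32_t period_ms;   /* monitoring period for the configured SIL class */
    uint32_t last_bad_ms; /* tick of the corrupted message being tolerated */
    bool     window_open; /* true while that message is younger than period_ms */
    bool     fail_safe;   /* latched once tripped; re-arming is out of scope */
} sil_monitor_t;

void sil_monitor_init(sil_monitor_t *m, uint32_t period_ms)
{
    m->period_ms = period_ms;
    m->last_bad_ms = 0;
    m->window_open = false;
    m->fail_safe = false;
}

/* Call cyclically. Forgets a tolerated corrupted message once it is older
 * than the period, so a stale timestamp cannot look recent again after the
 * 32-bit tick counter wraps (which would cause a nuisance trip). */
void sil_monitor_poll(sil_monitor_t *m, uint32_t now_ms)
{
    /* Unsigned subtraction stays correct across counter wrap-around. */
    if (m->window_open && (uint32_t)(now_ms - m->last_bad_ms) >= m->period_ms)
        m->window_open = false;
}

/* Call for every received safety message of one safety function.
 * Returns true when the safety function must be in the fail-safe state. */
bool sil_monitor_on_message(sil_monitor_t *m, uint32_t now_ms, bool corrupted)
{
    sil_monitor_poll(m, now_ms);
    if (m->fail_safe)
        return true;               /* latched */
    if (!corrupted)
        return false;
    if (m->window_open) {          /* second corrupted message in the period */
        m->fail_safe = true;
        return true;
    }
    m->last_bad_ms = now_ms;       /* first one: tolerate and start the period */
    m->window_open = true;
    return false;
}

/* Feeds n corrupted messages at the given ascending ticks and returns the
 * index of the message that trips the monitor, or -1 if none does. */
int sil_monitor_first_trip(uint32_t period_ms, const uint32_t *bad_ticks, int n)
{
    sil_monitor_t m;
    sil_monitor_init(&m, period_ms);
    for (int i = 0; i < n; i++)
        if (sil_monitor_on_message(&m, bad_ticks[i], true))
            return i;
    return -1;
}

/* Constructed sample ticks in ms (not measurements). */
const uint32_t SAMPLE_SPACED[3] = {1000u, 12000u, 23000u};
const uint32_t SAMPLE_BURST[3]  = {1000u, 12000u, 15000u};
const uint32_t SAMPLE_WRAP[2]   = {0xFFFFFF00u, 0x00000100u};

int main(void)
{
    const uint32_t period = 10000u; /* placeholder period for the demo */
    printf("spaced: %d\n", sil_monitor_first_trip(period, SAMPLE_SPACED, 3));
    printf("burst:  %d\n", sil_monitor_first_trip(period, SAMPLE_BURST, 3));
    printf("wrap:   %d\n", sil_monitor_first_trip(period, SAMPLE_WRAP, 2));
    return 0;
}
```

A trip caused only by a mishandled timestamp would be a nuisance trip in the sense defined above, which is why the sketch expires the tolerated message explicitly instead of comparing against an old tick.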

    1.3 Standards and Directives

    Regarding the issues in this paper which deal with industrial environments, the following international standards for functional and electrical safety shall be taken into account, as well as the PROFIBUS installation guidelines [9] and [9a]. It is highly recommended to consider the testing principles of BGIA [2].

    Figure 1-2 and Figure 1-3 are providing an overview on safety and fieldbus standards for both machinery and process automation (PA) applications.


    For this PROFIsafe "environment" specification the data security aspects are relevant for safety considerations (see 6). General issues are covered by IEC 62443 and the PROFIBUS / PROFINET IO specifics by IEC 61784-4-3.

    [Figure: "Design of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery", design objective and applicable standards. Boxes: ISO 12100-1 and ISO 14121 (Safety of machinery - Principles for design and risk assessment); IEC 60204-1 (Safety of electrical equipment); SIL based: IEC 62061 (Functional safety for machinery (SRECS), including EMI for industrial environment); PL based: ISO 13849-1, -2 (Safety-related parts of machinery (SRPCS), non-electrical and electrical); IEC 61508 (Functional safety, basic standard); IEC 61158 / 61784-1/2 (Fieldbus for use in industrial control systems); IEC 61784-3 (Functional safety communication profiles); IEC 61784-4 (Security); IEC 61784-5 (Installation guide, profile-specific); IEC 61918 (Installation guide, common part); IEC 61326-3-1 (EMC and functional safety); IEC 62443 (Security, common); US: NFPA 79 (2006); Product Standards: IEC 61496 (Safety f. e.g. light curtains), IEC 61800-5-2 (Safety functions for drives), IEC 61131-6 (Safety for PLC).]

    Figure 1-2 Safety for machinery and fieldbus standards

    Throughout this document the term "machinery" also includes "discrete manufacturing".

    [Figure: standards for process automation. Boxes: IEC 61511 b) (Functional safety - Safety instrumented systems for the process industry sector); IEC 61508 (Functional safety, basic standard); IEC 61158 / 61784-1/2 (Fieldbus for use in industrial control systems); IEC 61784-3 (Functional safety communication profiles); IEC 61784-4 (Security); IEC 61784-5 (Installation guide, profile-specific); IEC 61918 (Installation guide, common part); IEC 61326-3-2 a) (EMC and functional safety); IEC 62443 (Security, common); US: ISA-84.00.01 (3 parts = modified IEC 61511); DE: VDI 2180 Part 1-4; Product Standards: IEC 61496 (Safety f. e.g. light curtains), IEC 61800-5-2 (Safety functions for drives), IEC 61131-6 (Safety for PLC), with the notes "See safety standards for machinery (Figure 1)" and "Valid also in process industries, whenever applicable".]

    a) for specified electromagnetic environments; otherwise IEC 61326-3-1.
    b) EN ratified.

    Figure 1-3 Safety for PA and fieldbus standards


    1.3.1 Functional Safety

    [Figure: IEC 61508 Functional Safety and ISO/IEC Guide 51 (el., mech) at the top, with the groups "Sector Standards" and "Product Standard Extensions" below. Boxes: IEC 61511 Process Industry; IEC 62061 Machinery (SIL); IEC 61513 Nuclear Sector; Railway...; Medical...; IEC 61496-1 Safety sensors; IEC 61800-5-2 Safety drives; IEC 61784-3-3 PROFIsafe; IEC 61131-6 2) Safety PLC; ISO 13849-1 1) Machinery (PL).]

    1) Limited correlation to IEC 61508
    2) In preparation

    Figure 1-4 Overview on safety related IEC/ISO standards

    The basic standard for functional safety is the IEC 61508, which covers the functional safety of electrical equipment and the basic principles and procedures. The sector standards, IEC 61511, for example, describe the specific requirements of industries; in this case, the process industry. Product standards, IEC 61496, for example, deal with the requirements for individual device classes such as light curtains and laser scanners.

    Both the future release of IEC 61508 and the new IEC 61784-3 will address the safety technology profiles for field busses. Subpart IEC 61784-3-3 holds the content of the PROFIsafe specification V2.0 including some extensions such as conformance classes, wireless transmissions, reaction times, etc.

    IEC 62061 covers safety related electrical control systems for machinery. ISO 13849-1 [footnote 1], the successor of the EN954-1 introduces a different classification of safety ranges (performance levels) and covers non-electrical systems also. The annex of the EC "Machinery Directive 98/37/EC" [23] lists the machines and parts which legally require certification by a "Notified Body" (BGIA, TÜV, FM (Factory Mutual), etc.). If there is a harmonized corresponding product standard (for example, IEC 61496), a declaration by the manufacturer is sufficient.

    PROFIsafe as a means for safe communication always is part of an overall safety system. It therefore should be noted that this guideline will not be able to cover all kinds of safety applications and their appropriate standards and directives. It only is possible to provide an overview and to describe the most important minimum requirements for safety applications with PROFIBUS/PROFINET. It is up to the device manufacturer to define higher levels of electrical safety or immunity than described in this guideline in order to meet various markets with their particular requirements.

    1.3.2 Electrical Safety

    General requirements for the communication ports of every PROFIBUS/PROFINET and PROFIsafe device are laid down in

    IEC 60364-4-41 (2005) Electrical installations of buildings - Part 4-41: Protection for safety - Protection against electric shock

    This standard deals with extra low voltages (SELV/PELV).

    ¹ Currently in FDIS state and not yet harmonized (Europe)


    General safety information, which may be useful for all kinds of safety products, can be retrieved from 5.6 and from

    IEC 60204-1 (2005) Safety of machinery - Electrical equipment of machines - Part 1: General requirements

    For "Programmable Logic Controllers" (PLC) and fieldbus devices like remote I/O terminals the following applies

    IEC 61131-2 (2003) Programmable controllers - Part 2: Equipment requirements and tests

    IEC 61010-1 (2003) Safety requirements for electrical equipment for measurement, control, and laboratory use - Part 1: General requirements

    For "Electro Sensitive Protective Equipment" (ESPE or AOPD) the following applies

    IEC 61496-1 (2004) Safety of machinery - Electro sensitive protective equipment - Part 1: General requirements and tests

    For electrical power drives the following applies

    IEC 61800-5-1 (2003) Adjustable speed electrical power drive systems - Part 5-1: Safety Requirements - Electrical, thermal and energy

    1.3.3 Electromagnetic immunity

    IEC 61508-2 requires specifying all requirements for the safety related system in the safety requirements specification (SRS) of the E/E/PES. In clause 7.2.3.2 it states:

    The E/E/PES safety integrity requirements specification shall contain:
    e) The electromagnetic immunity limits (see IEC 61000-1-1) which are required to achieve electromagnetic compatibility. The electromagnetic immunity limits should be derived taking into account both the electromagnetic environment (see IEC 61000-2-5) and the required safety integrity levels.

    It should be clearly stated in the SRS which of the assumed electromagnetic immunity levels are general values for non safety functions (standard levels) and which electromagnetic immunity levels are required for the safety functions. It should be stated whether the specified value already includes an increased level.

    This PROFIBUS guideline provides advice on how different electromagnetic immunity requirements for PROFIsafe devices connected to PROFIBUS should be handled within normal industrial environments² for PROFIBUS automation equipment. Heavier industrial environments as defined in IEC 61000-2-5 are not the subject of this guideline. In such a case appropriate measures shall be taken to achieve the corresponding electromagnetic immunity (e.g. extra housing, fibre optics, etc.).

    Thus the generic standard for this guideline at hand is

    IEC 61000-6-2 (2005) Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments

    ² In contrast to residential or commercial environments or outdoors


    [Figure 1-5, diagram content:]

    IEC 61508-2 (Requirements for electrical/electronic/programmable electronic safety-related systems) references:
    - IEC 61000-1-1 (Electromagnetic compatibility (EMC)) - Part 1: General - Section 1: Application and interpretation of fundamental definitions and terms
    - IEC 61000-2-5 Electromagnetic compatibility (EMC) - Part 2: Environment - Section 5: Classification of electromagnetic environments. Basic EMC publication

    Environments: medical; and others...; industrial environments:
    - IEC 61000-6-2 Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments
    - IEC 61000-4-1 Electromagnetic compatibility (EMC) - Part 4-1: Testing and measurement techniques - Overview of IEC 61000-4 series

    Phenomena relevant for safety:
    - -2: ESD
    - -3: HF Field
    - -4: Burst
    - -5: Surge
    - -6: HF Conducted
    - -8: 50/60 Hz magnetic field
    - -11: Voltage dips & interruptions
    - -16: Conducted, common mode, 0-150 kHz *)
    - -29: DC power port dips & interruptions *)

    *) not included in IEC 61000-6-2

    Figure 1-5 EMC Standards referenced by IEC 61508 for industrial Environments

    IEC 61000-6-2 defines requirements and test levels. It is important to note that this standard for industrial environments does not include two phenomena which are considered to be relevant for safety applications: conducted common mode disturbances, and DC power port dips & interruptions.

    The test and measurement techniques are defined in

    IEC 61000-4-1 (2000) Electromagnetic compatibility (EMC) - Part 4-1: Testing and measurement techniques - Overview of IEC 61000-4 series

    Part 4-1 gives applicability assistance to the users and manufacturers of electrical and electronic equipment on EMC standards within the IEC 61000-4 series on testing and measurement techniques. It provides general recommendations concerning the choice of relevant tests. The subsequent parts (-4-2 to -4-29) define the measurement techniques for the phenomena relevant for safety applications such as electrostatic discharge ESD (-4-2), HF Field (-4-3), Burst (-4-4), Surge (-4-5), HF Conducted (-4-6), Magnetic Fields (-4-8), Voltage Dips & Interruptions (-4-11), Conducted common mode disturbances (-4-16), DC power port dips & interruptions (-4-29).

    The first standard defining EMC requirements for functional safety for machinery is

    IEC 62061 (2005) Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

    Its EMC requirements are in line with the requirements of the previous version 1.1 of this PROFIsafe "environment" guideline. Conducted common mode disturbances (-4-16) are covered by neither of them.

    Current activities on EMC requirements for functional safety are concentrated on


    IEC 61326-3-1 (CDV) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for equipment performing or intended to perform safety related functions (functional safety) - General industrial applications

    This standard is still in progress. It will become the main source of information for all industrial applications and hence for PROFIsafe applications whenever no particular product standard exists. Conducted common mode disturbances (IEC 61000-4-16) and DC power port dips & interruptions are covered within this standard. See 3.

    For the PROFIBUS area, additional "product standards" apply:

    For PLCs (normally also covers all PROFIBUS-certified devices):

    IEC 61131-2 (2004) Programmable controllers - Part 2: Equipment requirements and tests

    This standard does not define any EMC requirements for functional safety and thus either IEC 62061 or the new IEC 61326-3-1 apply.

    For electro sensitive protective equipment (ESPE or AOPD) such as light curtains:

    IEC 61496-1 (2004) Safety of machinery - Electro sensitive protective equipment - Part 1: General requirements and tests

    IEC 61496-2 (2006) Safety of machinery - Electro-sensitive protective equipment - Part 2: Particular requirements for equipment using active opto-electronic protective devices (AOPD)

    For electrical power drives:

    IEC 61800-3 (2004) Adjustable speed electrical power drive systems - Part 3: EMC product standard including specific test methods (Revision of IEC 61800-3)

    This standard does not define any EMC requirements for functional safety and thus either IEC 62061 or the new IEC 61326-3-1 apply. [10] defines for electrical power drives with functional safety the EMC requirements, which are to be certified by BGIA. These are based on the IEC 61800-3 using the methodology of duplication of the standard levels or the next category. Thus, for some phenomena the levels are higher than in IEC 61326-3-1.

    For robots:

    ISO/TR 11062 (1994) (withdrawn) Manipulating industrial robots -- EMC test methods and performance evaluation criteria -- Guidelines

    ISO 10218-1 (2006) Robots for industrial environments -- Safety requirements -- Part 1: Robot

    This standard does not define any increased EMI requirements for functional safety other than IEC 61000-6-2. It is highly recommended to apply either IEC 62061 or the new IEC 61326-3-1 (see 3.4.4).

    For PA devices:

    IEC 61326-1 (2005) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 1: General requirements

    IEC 61326-2-5 (2006) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 2-5: Particular requirements - Test configurations, operational conditions and performance criteria for field devices with interfaces according to communication profile Family 3 Profile 3/2 (PROFIBUS PA; the other subparts within this -2-x series cover different device families)

    IEC 61326-3-2 (CDV) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-2: Immunity requirements for equipment performing or intended to perform safety related functions (functional safety) - Industrial applications with specified EM environment

    Figure 1-6 provides an overview of the current standards which are of main interest for PROFIsafe.

    [Figure 1-6, diagram content:]

    Background: IEC 61508-2 requires "increased immunity" and requires IEC 61000-2-5 as source for phenomena to consider in safety requirement specifications (SRS)

    EMC standards (TC77):
    - IEC 61000-6-2 is defining standard industrial environments (separate transformer, switching of high currents, etc. and accordingly necessary test levels).
    - IEC 61000-4-1 provides an overview on immunity test procedures

    Product family standards:
    - IEC 61496-1 (TC44) (Light curtain, laser scanner). Specialties: muting functions; HF level: 30 V/m
    - IEC 61800-5-2 (TC22) (Drives with integrated safety). Specialties: no levels defined
    - IEC 61131-2 (TC65) (PLC and subsystems). Specialties: FS not defined
    - IEC 61326-3-1 (TC65) Generic industrial environment (whenever applicable), else: IEC 61326-3-2 Distinct process environment: EMC and FS
    - ISO 10218 (TC184) (Robots for industrial environment): no increased immunity defined

    Sector standards:
    - IEC 62061 (TC44) (Safety of machinery: design, integration and validation of safety related systems); EMI-levels of industrial environments
    - IEC 61511 (TC65) (FS for the process industry sector)

    IEC 61000-1-2 is a technical specification describing a methodology for the achievement of functional safety
    IEC 61326-3-1 product standard for EMC and functional safety

    Figure 1-6 Overview on device related EMC standards

    The environmental conditions within the process industries can be different from those of normal industrial environments and thus the specific levels and performance criteria described in IEC 61326-3-2 can be used for PA devices with functional safety (3.3.2). PROFIsafe will stay with the already defined levels, which correspond to those of IEC 61326-3-1, for all devices not having individual level specifications until final agreements in IEC become effective. With respect to performance criteria, the more elaborate scenarios of IEC 61326-3-1 will become effective (3.2).

    1.3.4 Installation Guidelines

    For PROFIBUS and PROFINET more than seven specifications exist that are related to installation aspects. These existing documents have been created at different times and therefore reflect different stages in the course of PROFIBUS/PROFINET development. In addition, they contain extensive specifications aimed at the needs of device developers. The PNO decided to publish a comprehensible summary as a handbook for users [9]. The content of this handbook has been incorporated in IEC 61784-5-3³ [9a] and IEC 61918⁴ [9b].

    These installation guidelines shall be observed as a precondition for decentralized safety applications using PROFIBUS, PROFINET, and PROFIsafe equipment, especially regarding shielding, grounding, and cable routing.

    Additional hints are given in chapters 3.4.2, 4.1, 4.3, 4.4, 5, and 7.2.1.

    ³ work in progress

    ⁴ work in progress


    1.3.5 Security aspects

    IEC 62443 [15] and IEC 61784-4-3 [16] are not yet published and cannot be taken as reference. PNO has published PROFINET security guidelines [14] for the intervening period.

    1.3.6 Test Principles of BGIA

    In May 2002, the final version of a recommendation called "Principle for testing and certifying bus systems for the transmission of safety-relevant messages", prepared by BGIA together with numerous bus organizations, was published. It is now available for public use by BG [2].

    Essential statements regarding the PROFIsafe scope are made in this paper due to the:

    - Zone distribution of the bus stations (close to the process, control cabinet or office)
    - Validity of area separation of station and bus (electrical isolation of the data lines)


    2 Safety Functions according to IEC 61508

    To further discuss this matter, it is necessary to refer to a model that is generally accepted and to detail it in steps for the respective problem area. In principle, IEC 61508 defines so-called safety functions. A hazardous final element, for example a drive as actuator, is controlled by program logic in a PLC which in turn receives signals from encoders. All elements are embedded in the environmental conditions and depend on their "suppliers", for example, power supplies.

    Figure 2-1 Influences on Safety Functions

    The safety considerations listed in IEC 61508 and the corresponding failure probabilities are to be applied to this model. In the present case, for example, these would be:

    - Requirements for power supplies
    - Increased Immunity (several phenomena)

    IEC 61508 makes no quantitative statements about "Increased Immunity Levels".

    Depending on particular deployments and the corresponding threats, the requirements for e.g. general purpose factory automation and machinery are defined in IEC 62061 or IEC 61326-3-1, for process industries in IEC 61326-3-2. Product standards such as IEC 61496-1 require stronger electromagnetic immunity to withstand very likely special threats such as mobile phones operated very close to light curtains.

    [Figure 2-1, diagram labels: Sensor; Bin. I; Anal. I; logic operations; Bin. O; Actuator; within one PLC; Power Supply (e.g. 24 VDC); Safety Integrity Level (SIL) 3: 10⁻⁷/h; e.g. SIL3]


    3 Immunity against electromagnetic phenomena

    Regarding the electromagnetic immunity of automated facilities based on bus systems, PROFIBUS can point to more than 10 years of operational experience and thousands of different operational conditions as the necessary prerequisite for the use of safety technology (proven-in-use). The economic success proves that there is a well-maintained balance between the technical effort for immunity and the availability obtained with it. It is a matter of course for PROFIBUS and PROFINET that this is based on the relevant standards related to this communication profile family (CPF3).

    Because there is no overarching standard for bus systems, IEC 61131-2 and/or IEC 61000-6-2 was viewed as binding for all devices on PROFIBUS within standard industrial environments. It also was the basis for the PROFIsafe devices certified so far. IEC 61131-2 defines test levels as well as performance criteria; that is, descriptions of the system or device setpoint behavior during the test.

    With the advent of safety devices on PROFIBUS and PROFINET new requirements arose from standards and certifying bodies (Figure 3-3):

    1. Normal functions and safety functions are expected to work correctly when applying standard (IEC 61131-2 or IEC 61000-6-2) test levels, thus guaranteeing functionality and availability. No nuisance trips are to be perceived.

    2. Safety functions are expected to work either correctly or at least to switch into a safe state (for "performance criteria" see 3.2) when applying increased test levels for the safety relevant phenomena, thus guaranteeing safety.

    The main phenomena to be covered are:

    1. ESD (IEC 61000-4-2)
    2. HF Field (IEC 61000-4-3)
    3. Burst (IEC 61000-4-4)
    4. Surge (IEC 61000-4-5)
    5. HF Conducted (IEC 61000-4-6)
    6. DC voltage dips (IEC 61000-4-29)

    IEC 61326-3-1 recommends considering an additional phenomenon:

    7. Conducted common mode disturbances (IEC 61000-4-16)

    This phenomenon appears in industrial practice in conjunction with power-electronic systems (see 5.7). IEC 61326-3-1 restricts the safety relevant tests to short time power frequency phenomena limited to the rated voltage of the power supply.

    Others are to be observed according to the requirements of a particular safety application.

    It should be noted that PROFIsafe already provides a high degree of safety for data transmission via its SIL-Monitor mechanism [1].

    3.1 Test Bed

    The following reference model has been agreed upon to be used as the basis for a "test bed". It is to be set up for the acceptance of PROFIsafe devices and consists of a minimum configuration with an F-sensor, an F-actuator, an F-PLC and a standard PROFIBUS device. As long as there is no F-actuator, a safe motor starter can be used. A monitoring device such as a diagnosis repeater can be included in this test bed.


    [Figure 3-1, diagram labels:]
    - Devices: F-PLC (F-I/O); F Actuator, e.g. Drive; F Sensor *), e.g. Laser scanner (ESPE); Standard Field Device, e.g. Barcode Reader; "Safety Function"
    - EMC test acc. IEC 62061 levels or IEC 61326-3-1; (Safety) Performance Criteria
    - EMC test acc. IEC 61131-2 or product standard; Performance Criteria: acc. IEC 61131-2
    - EMC test acc. IEC 61496; Performance criteria acc. IEC 61496
    - EMC test acc. IEC 61800-3 and 61326-3-1 or BGIA levels; (Safety) Performance Criteria
    - EMC test acc. IEC 61496; (Safety) Performance criteria: F-System shall not fail to danger!
    - *) other F Sensors: like F-I/O; IEC 61326-3-1
    - Fieldbus components assembly acc. IEC 61918 and 61784-5-3

    Figure 3-1 PROFIsafe test bed for immunity testing

    The test levels to be applied to these devices are provided in the respective product standards. Additional notes are included in the chapters below regarding the test instructions for PROFIsafe operation.

    Figure 3-2 shows a construction sketch of the test bed. Cable lengths of 1 m are critical and should not be changed. The PROFIsafe devices and one standard PROFINET IO / PROFIBUS DP device are to be mounted on a copper plate, about 2 mm thick. The equipment under test (EUT), a PROFIsafe device, shall be mounted considering the test requirements of the different IEC 61000-4-x standards.

    [Figure 3-2, diagram labels: four "PROFIsafe Device 1)" boxes; PROFIsafe Device (EUT); Cu, 2 mm (two plates); distances 10 cm, 1 m, 1 m, 1 m, >=1 m; PROFINET IO or PROFIBUS DP; Decoupling for absence of reaction; marker 2)]

    1) One device to be a standard PROFINET IO / PROFIBUS DP device
    2) Example for electric discharge test

    Figure 3-2 Construction sketch for a test bed

    The test bed is to be grounded.

    The test bed and the additional engineering equipment will provide the necessary means

    - to decouple the EUT from the network (special shielding or other means)
    - to report diagnosis messages of the devices (programming device or alike)


    See 3.4.2 for modifications of the test bed for PA devices.

    3.2 (Safety) Performance criteria for functional safety

    While performing the tests with increased levels the behaviour of the EUT shall be according to the required performance criterion. The following criteria⁵ are specified in the BGIA test principles [2]:

    | Criterion | Description |
    |---|---|
    | A | The bus system must continue working according to its normal use during and after interference. |
    | B | The bus system must work according to its normal use after interference. If the (safety relevant) time-out time is exceeded because of interference, the safety-relevant stations must initiate the safe mode (state). Restart is automatic, depending on the application, or it is to be implemented through an explicit enable *). Bus communication automatically resumes after interference. |
    | C | The safety-relevant stations initiate the safe mode. Communication may fail. All safety-relevant stations must remain in the safe mode during and after the interference. Normal operation is restored through setting devices/operating controls (such as power off/power on). |

    *) In the case of PROFIsafe, "Enable" is usually called "Operator Acknowledge".

    Table 1 Performance criteria of GS-ET-26

    Criterion "D", which is currently under discussion, is not permissible for PROFIsafe regarding the test instructions and test levels defined in this document (and not required if the installation guidelines are adhered to). It permits the destruction of components if the facility responds safely.

    IEC 61326-3-1 states that the criteria A, B, and C are already defined for tests with normal levels according to IEC 61326-1. It instead defines a performance criterion "FS", which allows any of the behaviors of Table 1 if specified for the particular device, even the destruction of components.

    3.3 Generic increased immunity levels for PROFIsafe devices

    There are two main industrial environments for the deployment of PROFIBUS and PROFINET IO: one is the electromagnetic environment of manufacturing industries and machinery and the other is the electromagnetic environment of the process industries. Both have very different constraints with respect to EMC and thus the two different standards IEC 61326-3-1 and IEC 61326-3-2 apply.

    It should be noted that PROFIsafe technology can be used in other application areas as well. These areas may have their own standards defining environmental and immunity conditions. Examples are burner management with EN 298 or trains with EN 50121-3-2.

    3.3.1 General industrial environments (IEC 61326-3-1)

    According to chapter 1.3.3 PROFIsafe is referring to normal industrial environments and thus IEC 61000-6-2. Within the scope of this standard, the following test requirements are specified in IEC 61326-3-1 as "Increased Immunity Level" for testing all PROFIsafe devices that do not have their own product standard.

    Table 2 contains an overview of the safety relevant phenomena and the test levels. See IEC 61326-3-1 for the complete information, especially for the ports of the EUT to be tested. The increased immunity levels of Table 2 are minimum requirements and shall not be undercut by any PROFIsafe product.

    ⁵ These criteria are derived but deviate from the criteria in IEC 61000-6-2.


    | IEC 61000-4-x | Phenomenon | Standard level (Zone B) | IEC 61326-3-1 increased immunity level | Constraint |
    |---|---|---|---|---|
    | -2 | ESD (electrostatic discharge) | 4/8 kV | 4/8 kV 1) (no safety margin) | Safety device ("open type") within separate control room |
    | | | | 6/8 kV 1) | Safety device within cabinet or housing |
    | | | | 6/15 kV 1) | "Enclosed type controller" |
    | -3 | HF Field | 10 V/m | 20 V/m | 80 MHz to 1 GHz (particular frequencies only) |
    | | | 3 V/m | 10 V/m | 1.4-2.0 GHz |
    | | | 1 V/m | 3 V/m | 2.0-2.7 GHz |
    | -4 | Burst | 2 kV | 4 kV | Power supply cabling |
    | | | 1 kV | 2 kV | PROFIBUS/PROFINET cable shielding |
    | -5 | Surge | 1 kV 2) | 2 kV 3) | Power supply cabling; external measures permitted, e.g. centralised lightning conductor |
    | | | 1 kV 2) | 2 kV | PROFIBUS/PROFINET cable shielding |
    | -6 | HF conducted | 10 V (3 V) 4) | 20 V (10 V) | 3.39 MHz 40.68 MHz (only) |
    | -8 | 50/60 Hz magnetic field | 30 A/m | No increased levels | - |
    | -16 5) | Conducted common mode disturbance | not required | No increased levels | 1.5 kHz to 15 kHz: 1 V to 10 V with 20 dB/Dec; 15 kHz to 150 kHz: 10 V; DC and 50 Hz/60 Hz: 10 V continuous, 100 V short duration (1 s); 150 Hz/180 Hz: 10 V continuous |
    | -29 | Voltage dips; Voltage interruptions; Voltage deviations | 60% for 10 ms; 100% for 20 ms; -15% / +20% | No increased levels | |

    1) First value: contact, second value: air
    2) Common Mode (CM)
    3) DC power; 4 kV for AC power
    4) Current versions of the IEC 61131-2 are specifying a reduced value of 3 V. It is highly recommended to stay with 10 V and the increased level of 20 V instead of 10 V.
    5) This test can be omitted if it can be guaranteed through system design and instructions that no conducted common mode situation such as coupling of sensor signals and power supply currents can occur, e.g. by following IEC 60204-1 (see 5.4).

    Table 2 Immunity levels per phenomenon (e.g. machinery)

    Figure 3-3 shows the relationship between increased immunity test levels and the performance criteria according to IEC 61326-3-1.

    [Figure 3-3, diagram labels: Immunity levels; Current standard level: IEC 61131-2, IEC 61000-6-2 (level 3 resp. level 4); Performance Criteria A, B, C; No negative impact on availability of facilities; Increased Levels; IEC 61496-1 (2004) for ESPE (AOPD); Levels (see Table 2) for F-PLC, F-I/O, etc.; Performance Criterion FS (Functional Safety); No negative impact on safety of personnel!]

    Figure 3-3 Increased immunity test levels
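
    The two-tier rule of chapter 3, the criteria of Table 1 and an excerpt of the Table 2 levels can be combined into a check over recorded test exposures. This is an added example, not part of the guideline and not PNO code; the record fields, the port names, the verdict strings and the strict reading that only criterion A passes at standard level are assumptions of the example.

```python
from dataclasses import dataclass

# Excerpt of Table 2: (phenomenon, port or band) -> (standard, minimum increased).
# Units: kV for burst and surge, V/m for HF field, V for HF conducted.
# The port/band keys are hypothetical names chosen for this example.
TABLE2_EXCERPT = {
    ("burst", "power_supply"): (2.0, 4.0),
    ("burst", "bus_shield"): (1.0, 2.0),
    ("surge", "dc_power_supply"): (1.0, 2.0),
    ("surge", "bus_shield"): (1.0, 2.0),
    ("hf_field", "80MHz-1GHz"): (10.0, 20.0),
    ("hf_field", "1.4-2.0GHz"): (3.0, 10.0),
    ("hf_field", "2.0-2.7GHz"): (1.0, 3.0),
    ("hf_conducted", "all"): (10.0, 20.0),
}


@dataclass
class Exposure:
    """One recorded exposure of the EUT (field names are hypothetical)."""
    phenomenon: str
    port: str
    tier: str                 # "standard" or "increased"
    applied_level: float
    ok_during: bool           # normal use continued during the interference
    safe_state: bool          # safety-relevant stations initiated the safe state
    restart: str              # "automatic", "operator_ack" or "power_cycle"
    comm_auto_resume: bool    # bus communication resumed without intervention
    destroyed: bool = False   # a component was destroyed
    failed_to_danger: bool = False


def classify(e: Exposure) -> str:
    """Map the observed behaviour to a criterion of Table 1, to D, or to none."""
    if e.failed_to_danger:
        return "DANGER"
    if e.destroyed:
        # Criterion D: destruction is tolerated only with a safe response.
        return "D" if e.safe_state else "NONE"
    if e.ok_during and not e.safe_state:
        return "A"
    if e.restart in ("automatic", "operator_ack") and e.comm_auto_resume:
        return "B"
    if e.safe_state and e.restart == "power_cycle":
        return "C"
    return "NONE"


def verdict(e: Exposure) -> str:
    """Apply the two requirements of chapter 3 to one exposure."""
    standard, increased = TABLE2_EXCERPT[(e.phenomenon, e.port)]
    required = standard if e.tier == "standard" else increased
    if e.applied_level < required:
        return "INVALID_LEVEL"          # Table 2 minimum was undercut
    criterion = classify(e)
    if criterion == "DANGER":
        return "FAIL_DANGER"
    if criterion == "NONE":
        return "FAIL_UNCLASSIFIED"
    if e.tier == "standard":
        # Assumption: "work correctly, no nuisance trips" is read as criterion A;
        # the product standard's own performance criteria decide in practice.
        return "PASS_A" if criterion == "A" else "FAIL_AVAILABILITY"
    if criterion == "D":
        return "FAIL_D_NOT_PERMITTED"   # D is not permissible for PROFIsafe
    return "PASS_" + criterion


# Constructed sample records, not measurements from a real device.
CAMPAIGN = [
    Exposure("burst", "power_supply", "standard", 2.0, True, False, "automatic", True),
    Exposure("burst", "power_supply", "increased", 4.0, False, True, "operator_ack", True),
    Exposure("surge", "bus_shield", "increased", 2.0, False, True, "power_cycle", False),
    Exposure("hf_field", "80MHz-1GHz", "standard", 10.0, False, True, "operator_ack", True),
    Exposure("burst", "bus_shield", "increased", 1.0, True, False, "automatic", True),
    Exposure("surge", "dc_power_supply", "increased", 2.0, False, True, "power_cycle",
             False, destroyed=True),
]


def evaluate(campaign):
    """Return one verdict string per exposure, in order."""
    return [verdict(e) for e in campaign]


if __name__ == "__main__":
    for exposure, result in zip(CAMPAIGN, evaluate(CAMPAIGN)):
        print(exposure.phenomenon, exposure.port, exposure.tier, "->", result)
```

    The fourth record is a safe-state trip at standard level: safe, but counted here as a nuisance trip against availability.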


    3.3.2 Specified electromagnetic environment(IEC 61326-3-2)

    The measurement of very small analog voltages, currents or other physical quantities and the proc-essing of explosive chemicals are the main characteristics of the process industries. Accordingly,special care is taken to achieve a high level of availability and safety:

    Industrial area with limited access

    Highly meshed metal constructions of the buildings

    Excellent grounding /earthing systems Explosion and overvoltage / lightning protection areas

    Restricted use of mobile phones

    Safety requirement specifications (SRS) based on long term statistics

    Professional staff

    Continuous maintenance

    Based on these preconditions it is possible to deal with a different set of immunity levels for PA devices such as in Table 3. See IEC 61326-3-2 for details. Additional information can be retrieved from [19] and [20].

    IEC 61000-4-x  Phenomenon                     IEC 61326-1   IEC 61326-3-2  Constraint
                                                  (industrial)  (industrial)
    -------------  -----------------------------  ------------  -------------  ----------
    -2             ESD (electrostatic discharge)  4/8 kV        6/8 kV 1)      "Enclosed type controller"
    -3             HF Field                       10 V/m        10 V/m         80-1000 MHz ISM/GSM, mobile phone
                                                  3 V/m         10 V/m         1,4 - 2,0 GHz
                                                  1 V/m         3 V/m          2,0 - 2,7 GHz
    -4             Burst                          2 kV          2 kV           Power Supply Cabling
                                                  1 kV          1 kV 2)        PROFIBUS cable shielding
    -5             Surge                          1 kV 3)       1 kV 3) + 4)   Power supply cabling; external measures permitted, e.g. centralised lightning conductor; line to ground
                                                  1 kV 3)       1 kV 3) + 2)   PROFIBUS cable shielding
    -6             HF conducted                   3 V           10 V           10 kHz-80 MHz
    -8             50/60 Hz magnetic field        30 A/m        100 A/m        enclosure
    -29            Voltage dips:                  60% for 1s, 100% for 1s      only DC supply lines
                   Voltage interruptions:         100% for 20ms
                   Voltage deviations:            -15% / +20%

    1) First value: contact, second value: air
    2) Current versions of the IEC 61326-3-2 are specifying a value of 1 kV. For PROFIsafe it is highly recommended to test with 2 kV
    3) Common Mode (CM)
    4) DC power; 2 kV for AC power

    Table 3 Immunity levels per phenomenon (e.g. process industries)

    3.4 Product family specifics

    Some of the PROFIsafe device families are totally new designs and do not have their own specific product standard. In these cases IEC 61326-3-1 applies. For some of the devices product standards already existed for relay technologies. In the meantime updated versions have been published taking the fieldbus situation into account.

    3.4.1 F-Sensor (ESPE/AOPD)

    The new version of the IEC 61496-1 now covers safety communication across a fieldbus. The communication interface is supposed to provide galvanic insulation from the device.

    Hint: An increased immunity level of 30 V/m for the "HF Field" test is required.


    3.4.2 PA Devices for functional safety

    The increased immunity levels of Table 3 apply. See IEC 61326-3-2 for more details.

    Figure 3-4 illustrates the modifications of the test beds for PA devices.

    [Figure labels: F-PLC (F-I/O); F Actuator, e.g. Drive; PA Device, e.g. Pressure transmitter; Standard Field Device, e.g. Barcode Reader; "Safety Function"; MBP-IS; Explosive environment; Normal environment; EMC-Test acc. IEC 61131-2 or Product Standard, Performance Criteria: acc. IEC 61131-2; EMC-Test acc. IEC 61326-3-2, Performance criteria acc. IEC 61326-3-2; EMC-Test acc. IEC 61496, (Safety) Performance criteria: F-System shall not fail to danger!; EMC-Test acc. IEC 62061 Levels or IEC 61326-3-1, (Safety) Performance Criteria; EMC-Test acc. IEC 61800-3 and 61326-3-1 or BGIA levels, (Safety) Performance Criteria; Fieldbus components assembly acc. IEC 61918 and 61784-5-3]

    Figure 3-4 Modified test bed for PA devices

    3.4.3 F-PLC and F-I/O

    The normal EMC requirements for these devices are based on the IEC 61000-6-2 or IEC 61131-2. No product standard exists that defines increased immunity levels for functional safety. Thus, 3.2, 3.3.1, Table 2 and the IEC 61326-3-1 apply.

    It should be noted that F-PLC and F-I/O can be deployed in particular applications such as burner management or trains with their own set of standards to be observed.

    3.4.4 F-Actuator (drives with integrated safety)

    Here, different "device types" are to be distinguished:

    - F-I/O with motor starters
    - F-I/O with integrated frequency converters
    - Drives with integrated safety

    In case of F-I/O, the information provided in 3.3 applies.

    For drives with integrated safety, no IEC standards with dedicated electromagnetic immunity testing have been published. Thus, either IEC 61326-3-1 or the levels defined by BGIA [10] are to be considered for normal industrial use. The levels defined by BGIA are set up according to the following rule: wherever a level is defined in IEC 61800-3 the doubled value or next level is taken, wherever no phenomenon is specified the first level is taken (e.g. signal lines: 500V). No surge on DC lines. For SIL 3 the duration of tests is increased: ESD: 3 times; bursts: 5 Min; surge: pulses 3 times longer.

    Design hint: Regarding inverter-fed drives, it should be noted that the DC supply voltage for the electronics usually is derived from the electric power supply of the motor (DC intermediate circuit). A switch-off of the electrical power shall not interrupt the power supply of the termination impedance of the communication system, as this would cause a malfunction of the bus system. This is not a safety but an availability issue.

    3.5 Non-safety PROFIBUS and PROFINET devices

    When testing these devices according to IEC 61131-2 or IEC 61000-6-2 their performance criteria A and B apply. PROFIsafe applications shall use (PNO) certified standard devices in order to ensure proper communication, conformant to PROFIBUS and/or PROFINET standards. This is not a safety but an availability issue.


    4 Overvoltages and Shock Protection

    Safety regarding PROFIsafe devices is considered on the assumption that no impermissibly high voltages occur on either the power supply cables or the data communication cables, or that they occur only with a permissibly low probability, under normal and single fault conditions.

    On the other hand, these cables are hazardous to humans if touched, regardless of whether these are safety devices or not. Therefore, we apply this shock protection to our safety electronics: it must be able to "tolerate" the voltage that a human being is expected to tolerate and then respond safely.

    4.1 Definitions

    SELV: Safety Extra-Low Voltage

    Being specified as a SELV system includes a limitation of voltage and a protective measure against direct and indirect contact with hazardous voltages through "safe separation" implemented in the device. However, a SELV system must not be grounded (in contrast to a PELV system).

    PELV: Protective Extra-Low Voltage ("Function voltage")

    Protective extra low voltage is a grounded variant of SELV. Being specified as a PELV system according to IEC 60364-4-41 (originally DIN VDE 0100-410:1997-01) or IEC 61010-1 includes a limitation of voltage and a protective measure against direct and indirect contact with hazardous voltages through "safe separation" of the primary and secondary side implemented in the device.

    The above mentioned isolation testing voltages only refer to the SELV/PELV voltages or data lines respectively.

    Current Sources for SELV and PELV

    The following are permissible:

    - Transformers with safe isolation
    - Power sources with the same degree of safety; for example, motor generators with corresponding separated windings or Diesel units
    - Electro-chemical power sources; for example, batteries, galvanic elements

    On the same level are electronic devices if, in case of normal conditions, the voltage on the output terminals and against ground is no higher than 30V AC, 42,4V peak or 60V DC. In case of a single fault no higher than 50V AC, 70V peak or 120V DC.

    Arrangement of the Power Circuits for Safety Extra Low Voltage (SELV)

    Active parts of safety extra low voltage power circuits are not to be connected to ground or with protective conductors of other power circuits. They must be safely separated from active parts with higher voltage. Exposed conductive parts must not be connected intentionally. Cables are to be installed separated from the cables of other power circuits, or special isolation steps must be taken. See IEC 61918 [9b] and IEC 61784-5-3 [9a] for further hints.

    Special plugs, socket outlets and couplers that do not fit the plugs, socket outlets and couplers of higher voltages are to be used for safety extra low voltage. They must not have ground contact.

    4.2 Device Model including Power Supplies

    Figure 4-1 and Figure 4-2 below show the typical structure of PROFIsafe devices.

    In Figure 4-1 the data lines are connected via a "Line Driver" to an optocoupler or a transformer and are therefore galvanically separated from the remaining device electronics. The "Line Driver" power supply is also decoupled.


    If another station should apply a SELV or PELV voltage to the data line, the PROFIsafe station can perform its safety response unharmed.

    [Figure labels: Standard or F-Slave connected to PROFIBUS; PROFIBUS; Line driver RS485; Profibus-ASIC; F Slave Electronic; galvanic insulation, e.g. optocoupler, e.g. transformer; housing; Test Voltage: DC 500 V (1 min); SELV / PELV (SIL2+3); SELV / PELV (Shock Protection); Power Supply: e.g. AC 230V, DC 24V, e.g. 40A; DC 24V; e.g. DC 5V; high voltage; SELV / PELV]

    Figure 4-1 Typical structure of a PROFIsafe/PROFIBUS DP device

    Every PROFIBUS and PROFIsafe device must be designed and built in a way that despite all possible internal voltages (including high voltages) in the worst case only SELV/PELV voltages reach the data lines and the outside.

    In Figure 4-2 the PROFINET IO data lines are isolated from the transceiver via transformers.

    [Figure labels: Standard or F-Device connected to PROFINET IO; PROFINET IO; RJ45; Transceiver/Switch; F Slave Electronic; Galvanic insulation; housing; Test Voltage: AC 1,5 kV 50/60Hz (1 min) 1); SELV / PELV (SIL2+3); SELV / PELV (Shock Protection); Power Supply: e.g. AC 230V, DC 24V, e.g. 40A; DC 24V; e.g. DC 5V; high voltage; SELV / PELV]

    1) For other possibilities see IEEE 802.3 (ISO/IEC 8802.3)

    Figure 4-2 Typical structure of a PROFIsafe/PROFINET IO device

    As a rule, the safety systems are set up with a 24 VDC power supply (load power supply unit, batteries, etc.) providing SELV/PELV.


    4.3 Specifications for Standard-PROFIBUS Devices

    Before a standard PROFIBUS / PROFINET IO or PROFIsafe device is accepted for certification in a PI test laboratory, it must prove its general capability by a manufacturer declaration of conformity to the appropriate EMC standards. In Europe it shall be signed with a CE mark.

    PROFIBUS certification is then performed based on the international standards IEC 61158 and IEC 61784-1/-2 (Communication Profiles). The latter one specifies the following:

    "PROFIBUS-DP (PROFIBUS-PA) devices shall comply with the legal requirements of that country where they are deployed (e.g., within Europe, indicated by the CE mark).
    The measures for protection against electrical shocks (i.e., electrical safety) within industrial applications shall be based on IEC 61010 or IEC 61131-2 depending on a device type specified therein."

    4.4 SIL3 Considerations

    Regarding the safety functions according to SIL3, the behavior of the devices must be considered if two errors occur that are weighted with respect to time. This is necessary if the errors are undetected. In this chapter, the influences of power supplies are discussed as well as the influences of data transfer lines.

    Power Supplies with Double Fault Safety

    Since we are aiming for the use of one and the same 24V power supply for all devices, the request for double fault safety would be a problem since there are no power supplies with this corresponding qualification.

    From the PROFIsafe perspective, the requirement does not present itself due to the following:

    1. The quality and the prevalence of industrial power supplies according to IEC 61010/61131-2 with SELV/PELV is so high that such error cases are not known. The fact that such an error would jeopardize a high investment volume in a standard plant should be sufficient motivation for such high quality.

    2. The failure of such a power supply beyond SELV/PELV would already jeopardize human life because when working with power supply cables, the cable ends are not contact-protected.

    3. Only PROFIsafe devices with output functions would be affected. They must be able to handle their safety functions autonomously in any case, even if impermissibly high voltages occur. Here, it may be useful to increase the test voltage in Chapter 4.2 to 1500 VDC for final elements such as drives or devices with power supplies exceeding 60V unless proven otherwise.

    4. F-PLC and PROFIsafe input/output devices must be toughened up against overvoltages according to IEC 61508-2, table A9, i.e. they must detect all errors caused by overvoltage and respond in a safe manner. Conformance to the safety regulations can be shown through type testing.

    Voltages above SELV/PELV on Data Lines

    Here, it is a question of whether PROFIsafe devices must be tested for voltages above SELV/PELV levels.

    From the PROFIsafe viewpoint, this requirement does not present itself due to the following:

    1. If the installation guidelines are adhered to (cable types and cable installation 6)) and certified devices are used, the occurrence of voltages higher than SELV/PELV on data lines because of second errors can be estimated as extremely unlikely (probability of cable error multiplied with the probability of a SELV/PELV error).

    6) PROFIBUS installation guide requires data lines to be kept separate from power lines. In case of crossings they shall be protected from each other by distance or a separator.


    2. In this case again, humans would be in danger, because when working with data cables, the cable ends are not contact protected.

    3. Only PROFIsafe devices with output functions would be affected. They must be able to handle their safety functions autonomously in any case, even if impermissibly high voltages occur. Here, it may be useful to increase the test voltage in Chapter 4.2 to 1500 VDC for final elements such as drives or devices with power supplies exceeding 60V unless proven otherwise.

    4. F-PLC and PROFIsafe input devices must detect all errors caused by overvoltage and respond in a safe manner. Conformance to the safety regulations can be shown through type testing.

    [Figure labels: PROFIBUS DP Slave; F Slave / F Host (SIL3); in each device: Line driver RS485, e.g. optocoupler, Profibus-ASIC, e.g. transformer, housing, Test Voltage: DC 500 V (1 min), e.g. DC 5V, DC 24V, SELV / PELV, IEC 61784 SELV / PELV; Slave Electronic; Safety Electronic; Power Supply e.g. IEC 61010, IEC 61131-2: e.g. AC 230V, DC 24V, e.g. 40A; single fault proof; P *); SELV / PELV]

    *) Input protection for SIL3

    Figure 4-3 SIL3 Considerations on Overvoltages

    The following conclusions regarding hazards from overvoltages for a PROFIsafe device ("safety electronic") can be drawn out of Figure 4-3:

    1. If the main power supply fails above SELV/PELV the PROFIsafe slave in case of SIL3 must be able to protect the "slave electronic" by special precautions (not within the scope of the PROFIsafe profile and guidelines). Thus this power supply port is 2 error proof.

    2. If the main power supply fails above SELV/PELV (2 errors) the galvanic isolation (optocoupler, transformer) of a standard PROFIBUS slave (1 error) and the galvanic isolation of the PROFIsafe slave (1 error) must fail before the "slave electronic" will be damaged. Thus the communication port of a PROFIsafe slave is more than 2 error proof.


    5 Installation constraints

    5.1 Overview on PROFIBUS/PROFINET and international installation guidelines

    Figure 5-1 presents an overview of various PROFIBUS / PROFINET and international guidelines that are going to be integrated in the IEC standards. These "PROFIsafe Environmental Requirements" are intended to be integrated in IEC 61784-5-3. The most important and very helpful document for the user of PROFIsafe equipment is the "Guideline Assembly", order no. 8.022.

    [Figure 5-1 shows the following documents:]
    - "Guideline Assembly", V1.06, Order No. 8.022, May 2006
    - "Guideline Commissioning", V1.01, Order No. 8.032, February 2006
    - "Guideline Planning" *), Order No. 8.012
    - "Installation Guideline for PROFIBUS DP/FMS", V1.0, Order No. 2.112, September 1998
    - "PROFIBUS Interconnection Technology", dV1.21, Order No. 2.112, September 2005
    - "PROFIBUS PA User and Installation Guideline", V2.2, Order No. 2.092, February 2003
    - "Profibus RS 485-IS User and Installation Guideline", dV2.0, Order No. 2.021, July 1999
    - "Fibre optical data transfer for PROFIBUS", dV2.0, Order No. 2.021, July 1999
    - "Installation Guideline PROFINET", V1.8, Order No. 2.252, November 2002
    - "Installation Guideline PROFINET Part2: Network Components", V1.01, Order No. 2.252p2, February 2004
    - "PROFIsafe Environmental Requirements for PROFIBUS DP and PROFINET IO", dV2.0, Order No. 2.232, June 2006
    - ISO/IEC 11801 "Information technology - Generic cabling for customer premises", Edition 2, 2002
    - ISO/IEC 24702 "Information technology - Generic cabling - Industrial premises", FDIS, 2006
    - IEC 61918
    - IEC 61784-5-3

    Figure 5-1 Overview on PROFIBUS and international installation guidelines

    5.2 Topology

    PROFIsafe communication shall not be operated on RS485 transmission technology based PROFIBUS DP networks with spurs or branch lines.

    5.3 Planning of cabling and wiring

    For the planning of projects the different cable types (power, signal, communication, etc.) to be considered should be classified and the appropriate specifications and rules should be assigned (bending radius, shield type, field of application, minimum distances to other categories, etc.).

    5.3.1 NFPA 79 (2006)

    In its clause 13.2.6 (shielded conductors), NFPA 79 [6] requests:


    lays in output modules. Devices currently in the field with hybrid technology comprise e.g. wireless access points.

    PROFIsafe communication on PROFINET IO transmission systems using PoE (Power-over-Ethernet according to IEEE 802.3af) based on modulation shall not be used for F-Devices (Figure 5-5). A PROFINET IO network with safety functions may comprise PoE for active network components such as wireless access points, switches, etc.

    [Figure labels: PSE (Power Sourcing Equipment); PD (Powered Device); 1, 2, 3, 6; PHY; DC; 48 VDC; Application]

    Figure 5-5 Power-over-Ethernet (modulation)

    5.3.3 Wiring

    In addition to the guidelines in [9] the following rules apply:

    - It is highly recommended for power supply cables to provide both the supply and return conductor as twisted pair to avoid uncertain current flow and interferences.
    - Power rails are not compensating in the same manner and thus should be used very carefully.
    - All safety projects shall provide wiring schematics with cable types, cable categories, type of cable twist, type of cable shielding, and the locations of cable shield groundings.

    5.4 EMC aspects of power supply networks (TN-C, TN-S)

    A major source of electromagnetic interference is based on the wiring of power lines between decentralized automation systems communicating via fieldbus. So far it was common practice and permitted by standards to use a combined PE (protection earth) and N (neutral lead) conductor between main racks and sub racks. This kind of grounding is also called a TN-C power network. This method is acceptable if no extended fieldbus networks are involved and the currents within the power lines L1, L2, L3 are balanced out (Figure 5-6).

    Modern drive electronics and power supplies are using high frequency switching technology, which causes unbalanced (injected high frequency) currents flowing through the combined PEN conductor of the system (I1). The low impedance shielding of a fieldbus cable in parallel to the PEN conductor (I2) will take over these high frequency currents and thus perturb the transmission of messages.


    Main Rack Subrack

    L1

    L2

    L3