Professional Documents
Culture Documents
CIPSafety White Paper
CIPSafety White Paper
Safety networks have emerged, which allow control system developers to replace
hardwired safety chains with communication networks. Typically using industry
standard networks for the base services, these safety networks add additional
services to transport data with high integrity. Unfortunately the user must change
their approach when going from one network or media to another. This paper
presents a scalable, network independent approach to safety network design, where
the safety services are described in a well defined layer, allowing the network to be
changed without impacting the user’s approach to safety. This approach also enables
the routing of safety data, allowing the user to create end to end safety chains across
multiple links without being forced to difficult to manage gateways.
safety services. This paper presents a device is responsible for ensuring the
solution for a scalable, routable, network integrity of the data. If an error occurs in
independent safety layer, thus removing the transmission of data or in the
the requirement for dedicated safety intermediate router, the end device will
gateways. Since all safety devices detect the failure and take an appropriate
execute the same protocol, independent of action.
which media they resided on, the user
CIP Safety CIP Safety
approach is consistent and independent of App Objects App Objects
media or network used.
CIP Safety CIP Safety
Connection Connection
CIP Routing
CIP Safety: A Common Industrial Protocol DeviceNet DeviceNet EtherNet/IP EtherNet/IP
Transport & Transport & Transport & Transport &
for Safety Data Link Data Link Data Link Data Link
Layer Layer Layer Layer
The Common Industrial Protocol (CIP) is DeviceNet Ethernet /IP
designed to allow different networks to be
used with a common protocol. Since it is Figure 2: Routing of safety data
designed to be media and data link
independent it allows for expansion to This routing capability allows the creation
future networks. CIP Safety is the TÜV of DeviceNet™ Safety cells with quick
approvedb extension to standard CIP. It reaction times to be interconnected with
extends the model by adding CIP Safety other cells via a backbone networks such
application layer functionality, as shown in as EtherNet/IP™ Safety for interlocking,
Figure 1. as show in Figure 3. Only the safety data
Safety Other
that is needed is routed to the required
Semicon Other
Devices
Drives Valves
Profiles
I/O
Profiles
Safety
Profiles cell, which reduces the individual
User
Layer bandwidth requirements. The combination
Safety Application
Application Object Library
Object Library of fast responding local safety cells and
the inter cell routing of safety data allows
CIP
CIP Safety
Application Layer users to create significant safety
Application
and
transport
CIP Application Layer
Explicit, I/O, Routing applications with fast response times.
Layer
Safety
Safety Safety
Safety
ControlNet
Encapsulation PLC
PLC PLC
PLC
Adaptation DeviceNet
Data Link
Data Link TCP
IP
UDP
Futures EtherNet/IP
and Data Layer
Link Layer
Layer [CAN]
(CTDMA) Ethernet Da ta Link
Layer (CSMA/CD)
Safety
Future
Physical DeviceNet ControlNet Ethernet
(Firewire, USB,
Layer Physical Layer Physical Layer Physical Layer
Blue Tooth) Router Router Router
Router Router Router
DeviceNet ControlNet Ethernet /IP Other Networks
DeviceNet DeviceNet DeviceNet
Safety 1 Safety 2 Safety 3
Figure 1: CIP communications layers
Measures to detect
communication errors
Data Connection
Producing Consuming Time ID for Safety Redundan Diverse
Safety Safety
Safety
Data Data Expectati send CRC cy with measure
Application
Producer Consumer Safety Application
Validator Validator on via and Cross
Client Server time receive Checking
Safety_Data stamp
Safety_Data
Reception
Production
Safety_Ack
Message
Repeat
X X*
Safety_Ack
Reception Production
Message Loss
X X*
Time Coordination
Connection Message
Insertion
X X X*
Data Data
Consumer Producer Incorrect
Sequence
X X*
Message
Figure 4: Relationship of Safety Validators Corrupt
X X
Message
Delay
X
•The producing safety application Coupling of
uses an instance of a client safety and
X
safety data
validator to produce safety data
Coupling of
and ensure time coordination. safety and
X X X X X
standard data
• The client uses a link data
Increased age
producer to transmit the data and a of data in
X
link consumer to receive time bridge
Safety Connections
To optimize the throughput on DeviceNet,
CIP Safety provides two types of safety three data link connections are used for
connections: each Multi-Cast connection, as shown in
• Single-Cast Figure 8. The data and time correction
• Multi-Cast messages are sent on separate
connections. This allows short messages
A Single-Cast, as shown in Figure 6,
to be transmitted on DeviceNet within a
allows a Safety Validator Client to be
single CAN frame and reduces the overall
connected to a Safety Validator Server
bandwidth, since the time correction and
using two link layer connections.
time coordination messages are sent at a
much slower periodic interval .
Data Connection
Producing Consuming
Safety Safety
Application Safety
Data
Producer
Data
Consumer Safety Application When Multi-Cast messages are routed off
Validator Validator
Client Server link, the router combines the data and time
Safety_Data
Production
Safety_Data
Reception
correction messages from DeviceNet and
Safety_Ack Safety_Ack separates them when messages reach
Reception Production
DeviceNet. Since the safety message
Time Coordination contents are unchanged, the router
Connection
Data Data
provides no safety function.
Consumer Producer Consuming
Producing Data Connection 1
Safety
Safety Safety Data Data
Safety Application
Application
Validator Producer Consumer Validator 1
Data
Data Connection 2
Data
Safety Application
2
Figure 9, provides high integrity
Validator
Producer Consumer
Server 2 transmission for up to 2 bytes of safety
Time Coordination Connection 2
Data Data
Safety Data
Reception data and serves as the primary format for
Consumer Producer Safety Ack
Production most safety data messages. It includes a
Time
Correction
Reception
single instance of the safety data, an 8-bit
Safety CRC and an 8-bit Safety CRC
calculated on an inverted image of the
Figure 7: Multi-Cast Connection data.
CAN in Automation Session
Actual Data Mode Byte Actual CRC Complemented Data Comp. CRC Short Data Section Time Stamp Section Time Coordination
Message
3 - 250 Bytes CRC-S3 3 - 250 Bytes CRC-S3 Consumer to Producer
Ack_ Consumer_Time Ack_
CRC-16
Byte _Value Byte_2
Figure 10: Long Data Section Format Figure 14: Single-Cast Message Packets
(3-250 bytes)
The Timestamp section of the protocol, as In the multicast message packet, shown in
shown in Figure 11, is used to mark the Figure 15, an additional Time Correction
production time of all safety productions. section is added to the producer to
Time Stamp Section
consumer message to provide time
Mode Byte synchronization among the multiple
Time Stamp CRC_S1
consumers.
Data Message
Figure 11 Timestamp Section Producer to Consumer
Figure 12, is used only for Multi-Cast Short Data Section Time Stamp Section
Time Coordination
Time Correction Section
Cast connections. This section is not Figure 15: Multi-Cast Message Packets
needed in Single-Cast messages because
each producer is only associated with a When the Multi-Cast message packet is
single consumer. sent across DeviceNet, as shown in Figure
Ack_ Consumer_Time Ack_
16, the Time Correction section is sent as
CRC-S3 a separate producer to consumer
Byte _Value Byte_2
message. This optimization allows the
Figure 12: Time Correction Section high frequency data messages to be sent
(Multi-Cast only) in a separate CAN frame, while the
The time coordination section, shown in background time correction messages are
Figure 13, contains the information sent produced at a slower frequency,
from consumers to producers to correct conserving bandwidth and improving
the time value. response time.
Data Message
Producer to Consumer
Mode
Data 0 Data 1 CRC-8 CRC-8' Time_Stamp CRC-8
MCast_ Time_Correction MCast_ Byte
CRC-16
Byte _Value Byte_2 Short Data Section Time Stamp Section
Time Correction Message
Producer to Consumer
Figure 13: Time coordination section MCast
Byte
Time_Correction
MCast
Byte_2
CRC-16
Time Coordination
Message
Consumer to Producer
Ack_ Consumer_Time Ack_
CRC-16
Byte _Value Byte_2
The complete message telegram for long There are two types of Safety_Open
messages is formed by replacing the short requests:
data section in Figure 14 through Figure • Type 1: With configuration
16 with the long data section shown in
Figure 10. • Type 2: Without configuration
With the Type 1 Safety_Open,
configuration and connections are
Configuration established at the same time. This allows
rapid configuration of devices with simple
Before safety devices can be used in a
and relatively small configuration data.
safety system, they must first be
configured and connections must be With the Type 2 SafetyOpen, the safety
established. The process of configuration device must first be configured and the
requires configuration data from a SafetyOpen then establishes a safety
configuration tool to be placed in a safety connection. This separation of
device. There are two possible sequences configuration and connection
for configuration: establishment allows the configuration of
devices with large and complex
• Configuration Tool directly to configuration data.
device, or
In both cases, the SafetyOpen establishes
• Via an intermediate device. all underlying link layer connections:
In the configuration tool to device case, as across the local link as well as any
shown in Figure 17, the configuration tool intermediate links and routers.
writes directly to the device to be
configured (1) (2).
Configuration Implementation
In the case of intermediate device
configuration, the tool first writes to an CIP Safety provides the following
originator (1) and the originator writes to protection measures to ensure the integrity
the target using an Originator to Target of configuration:
Download (3) or a Safety_Open service
• Safety Network Number
(4). The Safety_Open service (4) is
unique in that it allows a safety connection • Password Protection
to be established at the same time that a • Configuration Ownership
device is configured. • Configuration Locking
Safety Network
)
igi d
tor
Configuration Tool
(2 ol to
Or nloa
(T
ow Tar
l to ow
nlo get
oo D
(T (1)
ad )
(3) Download
The safety network number provides a
(Originator to Target Download) unique network identifier for each network
Originator Target
in the safety system. The safety network
(4) SafetyOpen Configuration
Device Device number combined with the local device
address allows any device in the safety
Figure 17: Configuration Transfers system to be uniquely addressed.
The owner of a CIP Safety device can be The concept presented in this paper
specified and enforced. Each safety demonstrates a scalable, routable network
device can specify that its configuration is independent safety protocol based on
configured by a selected originator or that extensions to the CIP architecture. This
the configuration is only configured by a concept can be used in solutions ranging
configuration tool. from device level networks such as
DeviceNet™ to higher level networks such
as EtherNet/IP™. By designing network
Configuration Locking
independence into CIP Safety, multilink
Configuration locking provides the user routing of safety connections can be
with a mechanism to ensure that all supported. Functions such as multilink
devices have been verified and tested routing and Multi-Cast messaging provide
prior to being used in a safety application. a strong foundation that enable users to
create the fast responding local cells and
interconnect remote cells that are
Safety Devices required for today’s safety applications.
The design also enables expansion to
The relationship of the objects within a future network technologies as they
safety device is shown in Figure 18. Note become available.
that CIP Safety extends the CIP common
object model, with the addition of Safety
I/O assemblies, Safety Validator, and David A. Vasko
Safety Supervisor objects. Rockwell Automation
1 Allen-Bradley Drive Mayfield Hts. OH
Application Data
Application Profile Objects 44124 USA
Diagnostics,
NVS/Config, Parameter Standard IO
Phone: 440 646 4695
Safety IO
Handling Objects Assemblies
Assemblies Fax: 440 646 3076
davasko@ra.rockwell.com
www.rockwellautomation.com
Safety
Identity
Suresh R. Nair
Supervisor
Rockwell Automation
DeviceNet 1 Allen-Bradley Drive Mayfield Hts. OH
Message 44124 USA
Router
Safety
Phone: 440 646 4471
Validator Fax: 440 646 3258
srnair@ra.rockwell.com
Standard
Connections Safety
www.rockwellautomation.com
Explicit Msg
Connections
Objects
References
1
Figure 18: Safety Device Objects EN 50159-1:2001: Railway applications,
communication, signaling and processing
Safety Supervisor systems.
2
The Safety Supervisor object provides a Draft proposal test and certification guideline,
common configuration interface for safety safety bus systems, BG Fachausschuß
Elektrotechnik 28-May-2000
devices. The Safety Supervisor object 3
centralizes and coordinates application IEC 61508/1999: Functional safety of
E/E/PES safety-related system
object state behavior and related status 4
information, exception status indications CIP Common Specification, ODVA
5
(alarms and warnings), and defines a Eushiuan Tran, May 1999 Multi-Bit Error
behavior model which is assumed by Vulnerabilities in the Controller Area Network
objects identified as belonging to safety Thesis, CMU
devices.