
CANopen Safety

[Title slide figure: block diagram of a single-chip CANopen safety device (sensor/actuator side, 1-chip 16-bit MCU with safety application and CANopen stack, two CAN controllers, CAN transceiver, CAN bus); the same diagram appears on the "CANopen safety chip" slide.]

Reiner Zitzmann
(CAN in Automation)
www.can-cia.org

© CiA
CAN
Application fields
• Generic control functions in machine building (SIL2 and SIL3)
• Interfaces for extruder downstream devices (SIL2)
• Embedded control system for medical devices (SIL2 and SIL3)
• Control systems for industrial cranes (SIL3)
• Electronic control units for forklifts (SIL3)
• Elevator control systems (SIL2 and SIL3)
• Garbage truck bodies and off-road vehicles (SIL2)
• Control systems for rail vehicles and locomotives (SIL3)
• Embedded control systems for building doors (SIL2)

CANopen safety easy to use
CANopen safety device

[Figure: interfaces of a CANopen safety device, grouped around its object dictionary:
• I/O lines (Process IF)
• SRDO (Safety IF)
• PDO/SDO (Control IF)
• SDO (Configuration IF)
• Emergency/SDO (Diagnostics IF)
Multiple device: logical device 1 to logical device 8, each containing virtual device 1 to virtual device n.]

Communication profile area
Index range Description
1000h to 1029h General communication objects
1200h to 12FFh SDO parameter objects
1300h to 13FFh CANopen safety objects
1400h to 1BFFh PDO parameter objects
1F00h to 1F11h SDO manager objects
1F20h to 1F27h Configuration manager objects
1F50h to 1F54h Program control objects
1F80h to 1F89h NMT master objects

Communication protocols
◆ Service Data Object (SDO) protocols
  ◆ Standard SDO protocols
  ◆ SDO block protocols
◆ Safety-Related Data Object (SRDO) protocol
◆ Process Data Object (PDO) protocol
◆ Special object protocols:
  ◆ Synchronization (SYNC) protocol
  ◆ Time Stamp (TIME) protocol
  ◆ Emergency (EMCY) protocol
◆ Network Management protocols:
  ◆ NMT Message protocol
  ◆ Boot-Up protocol
  ◆ Error Control protocols
    - Heartbeat protocol
    - Node guarding protocol

CANopen network with safe nodes

[Figure: example network on one CAN bus with a PLC, a safety power switch, an emergency push button, a drive control with motor (M) and an SLM.
Nodes on the bus, left to right: S1 N1 S2 N2 N3 D1 S3.
Legend: Sx Safety Node (S3: Safety controller); Nx Normal Node; Dx Drive Control.]

Safety-relevant Data Object

[Figure: an SRDO is transmitted as two CAN data frames. CAN Data Frame 1 carries the data field (1 to 8 byte, "request"); the second frame carries the bit-wise inverted data field of CAN Data Frame 1 (1 to 8 byte, "indication(s)").]

SRDO Timing

[Figure, upper part: the producer transmits SRDO1 repeatedly at the refresh-time; the consumer restarts SCT with every received SRDO1, and SCT expires when the next SRDO1 does not arrive in time.
Lower part: SRVT runs within each SRDO1 transmission and expires when the SRDO is not completed within SRVT.]

SRDO parameter record

Index Sub-Index Field in SRDO Communication Parameter Record Data Type


13xxh 0h Number of entries UNSIGNED8
1h Information direction (TX or RX) UNSIGNED8
2h Refresh-time/SCT (in ms) UNSIGNED16
3h SRVT (in ms) UNSIGNED8
4h Transmission type UNSIGNED8
5h COB ID1 UNSIGNED32
6h COB ID2 UNSIGNED32
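As an added example (not code from the CiA slides), a minimal SRDO consumer in Python that applies the checks implied by the SRDO structure, the timing slide and the parameter record above: the second frame on COB-ID2 must follow the first frame on COB-ID1 within SRVT and carry its bit-wise inverted data, and a new valid SRDO must arrive within SCT. Frame timestamps, CAN-IDs and payloads are constructed, and the method names and fault strings are my own.

```python
class SrdoConsumer:
    """Receiver side of one SRDO. Parameters mirror sub-indices 2h (refresh-time/SCT),
    3h (SRVT), 5h (COB-ID1) and 6h (COB-ID2) of the 13xxh record; faults go to self.errors."""
    def __init__(self, sct_ms, srvt_ms, cob_id1, cob_id2):
        self.sct_ms, self.srvt_ms, self.cob_id1, self.cob_id2 = sct_ms, srvt_ms, cob_id1, cob_id2
        self.errors = []          # (t_ms, description) of every detected fault
        self.last_ok_ms = None    # time of the last validated SRDO
        self.pending = None       # (t_ms, data) of frame 1 awaiting frame 2

    def check_sct(self, now_ms):
        """True (and an error) when no valid SRDO arrived within SCT."""
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.sct_ms:
            self.errors.append((now_ms, "SCT expired"))
            self.last_ok_ms = None
            return True
        return False

    def feed(self, t_ms, cob_id, data):
        """Process one CAN frame; returns the validated payload or None."""
        self.check_sct(t_ms)
        if cob_id == self.cob_id1:               # first frame: plain data
            self.pending = (t_ms, bytes(data))
            return None
        if cob_id != self.cob_id2:               # not part of this SRDO
            return None
        if self.pending is None:                 # insertion / wrong sequence
            self.errors.append((t_ms, "frame 2 without frame 1"))
            return None
        (t1, d1), self.pending = self.pending, None
        if t_ms - t1 > self.srvt_ms:             # second frame later than SRVT
            self.errors.append((t_ms, "SRVT expired"))
            return None
        if len(data) != len(d1) or bytes(b ^ 0xFF for b in data) != d1:
            self.errors.append((t_ms, "inverted data mismatch"))   # corruption
            return None
        self.last_ok_ms = t_ms
        return d1

def run_demo():
    """Constructed frames (t_ms, CAN-ID, data); SCT 50 ms, SRVT 5 ms, IDs 101h/102h."""
    c = SrdoConsumer(sct_ms=50, srvt_ms=5, cob_id1=0x101, cob_id2=0x102)
    frames = [(0, 0x101, b"\x12\x34"), (2, 0x102, b"\xED\xCB"),    # valid pair
              (30, 0x101, b"\x12\x35"), (40, 0x102, b"\xED\xCA"),  # frame 2 after SRVT
              (45, 0x101, b"\x12\x36"), (47, 0x102, b"\xED\xC8"),  # corrupted inverse
              (49, 0x101, b"\x12\x37"), (51, 0x102, b"\xED\xC8"),  # valid pair
              (60, 0x102, b"\x00")]                                # inserted frame 2
    payloads = [d for d in (c.feed(*f) for f in frames) if d is not None]
    c.check_sct(110)                                               # producer went silent
    return payloads, [msg for _, msg in c.errors]
```

In a real device the first recorded fault would already put the node into its safe state; the demo keeps going so that delay, corruption, insertion and a missing SRDO can all be observed in one run.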

Optionally reserved IDs

Object CAN identifier


Global failsafe command 1h
Safety-relevant data objects (SRDO) 101h to 180h
Flying master 71h to 76h
Dynamic SDO request 6E0h
Node claiming procedure 6E1h to 6E3h
Node claiming procedure 6F0h to 6FFh
Layer setting services (LSS) 7E4h, 7E5h

SRDO mapping
Object Dictionary
Index Sub Object contents
1381h 01h 2000h 01h 8h   -> Object A
1381h 02h 2003h 03h 10h  -> Object G
1381h 03h 2003h 01h 8h   -> Object E
SRDO_1 = Object A | Object G | Object E

2000h 01h Object A
2000h 02h Object B
2001h 00h Object C
2002h 00h Object D
2003h 01h Object E
2003h 02h Object F
2003h 03h Object G

Variable SRDO mapping
Object Dictionary
Index Sub Object contents
1381h 01h 2000h 01h 8h   -> Object A
1381h 02h 2001h 00h      -> Object C (remapped from 2003h 03h 10h, Object G)
1381h 03h 2003h 01h 8h   -> Object E
SRDO_1 = Object A | Object C | Object E

2000h 01h Object A
2000h 02h Object B
2001h 00h Object C
2002h 00h Object D
2003h 01h Object E
2003h 02h Object F
2003h 03h Object G

Object dictionary extension
Index  Object  Name                           Type                  Acc.  M/O
1300h  VAR     GFC parameter                  UNSIGNED8             rw    O
SRDO Communication Parameter
1301h  RECORD  1st SRDO parameter             SRDO Parameter (26h)  rw    M
1302h  RECORD  2nd SRDO parameter             SRDO Parameter (26h)  rw    M/O*
:::::  :::::   :::::                          :::::                 ::::: :::::
1340h  RECORD  64th SRDO parameter            SRDO Parameter (26h)  rw    M/O*
1341h  reserved
:::::  :::::
1380h  reserved
SRDO Mapping Parameter
1381h  ARRAY   1st SRDO mapping               UNSIGNED32            rw    M
1382h  ARRAY   2nd SRDO mapping               UNSIGNED32            rw    M/O*
:::::  :::::   :::::                          :::::                 ::::: :::::
13C0h  ARRAY   64th SRDO mapping              UNSIGNED32            rw    M/O*
13C1h  reserved
:::::  :::::
13FDh  reserved
13FEh  VAR     Configuration valid            UNSIGNED8             rw    M
13FFh  ARRAY   Safety Configuration Checksum  UNSIGNED16            ro    M

BIA approval

Communication failures
(1) Message repetition

(2) Message lost

(3) Message insertion

(4) Wrong message sequence

(5) Message corruption

(6) Message delay

(7) Coupling

Failure-avoiding methods
(1) Running number in safety-relevant messages

(2) Relative, absolute or double time-marks

(3) Time-out

(4) Confirmation of message

(5) Identifying of producer and consumer

(6) Application CRC

(7) Redundancy with cross-checking

BIA recommendations

Failure         Running  Time  Time-  Confir-  Identifi-  CRC  Cross-  Different
                number   mark  out    mation   cation          check   data
Repetition      x        x     -      -        -          -    x       -
Lost            x        -     -      x        -          -    x       -
Insertion       x        -     -      x1       x2         -    x       -
Wrong sequence  x        x     -      -        -          -    x       -
Corruption      -        -     -      x        -          x    x4      -
Delay           -        x     x3     -        -          -    -       -
Coupling        -        -     -      x1       x          -    -       x

1) application-specific
2) only for producer
3) mandatory
4) low error-rate shall be testable

[The slide marks the columns for the methods used by CANopen Safety.]

CANopen safety chip

[Figure: block diagram of a single-chip (1 chip 16-bit MCU) CANopen safety device.
• Field side: sensor and actuator, connected over dual-channel control signal, monitoring signal and test signal; safety switching device with safety shutoff and a 2nd shutoff path.
• Safety application with object dictionary (DS4xx), monitoring the 2nd shutoff path; an event leading to safety-critical shutoff.
• CANopen stack with object dictionary (OD): CANopen data structures according to DS301 and DS304.
• Diagnostic functions (e.g. RAM/ROM/op-code test, register, periphery); trigger signal to a watchdog with independent time base (/NMI).
• Redundant CANopen safety-relevant monitoring: cross comparison, sequence monitoring, time monitoring.
• Higher-level supply voltage / voltage monitoring.
• Two CAN controllers (CAN Tx 1 / CAN Rx 1, CAN Tx 2 / CAN Rx 2) with alternating transmission, one CAN transceiver, CAN bus.]

Requirements (Consortium)
◆ CANopen Safety
• 2 independent CAN controllers
• 2 TSRDO + 2 RSRDO
• Minimal SRVT: 5 ms
• Minimal refresh-time: 20 ms
◆ CANopen
• 2 TPDO + 2 RPDO
• SRDO/PDO linking
• SRDO/PDO static mapping
• Heartbeat producer
• Emergency producer
