7.3.1 Repetition
Quote: "The malfunction of a bus device causes old and obsolete safety messages to be repeated at the wrong time so that a recipient would dangerously be disturbed (for example guard door is reported closed albeit it has already been opened)."
Remedial action: The data are transferred cyclically. Thus, an incorrect message with a safety PDU that is inserted once will immediately be overwritten by a correct message. The possible delay of an emergency request caused by this is one watchdog time.
7.3.2 Loss
Quote: "The malfunction of a bus device deletes a safety message (for example request for "safe operational stop")."
Remedial action: Lost information will be discovered by stringently incrementing and examining the consecutive number.
7.3.3 Insertion
Quote: "The malfunction of a bus device inserts a safety message (for example deselection of the "safe operational stop")."
Remedial action: Due to the stringently sequential expectation of the consecutive number, the recipient will discover an inserted message.
7.3.4 Incorrect sequence
Quote: "The malfunction of a bus device modifies the safety message sequence. Example: Prior to initiating the safe operational stop one wants to select the safely reduced velocity. The machine will be running instead of being stopped when these messages are confused."
Remedial action: Due to the stringently sequential expectation of the consecutive number, the recipient will discover any incorrect sequence.
7.3.5 Corruption of safety data
Quote: "The malfunction of a bus device or the transmission link perturbs safety messages."
Remedial action: The CRC2 signature discovers a perturbation of the data between sender and recipient.
[Figure: the Safety PDU consists of the F-I/O data (m octets), the Status or Control Byte (1 octet), the (Virtual) Consecutive Number (3 octets) and the CRC2 (3 or 4 octets). The F-Parameter data (codename, WD time, SIL, etc.) are shown alongside the Safety PDU; the CRC2 is calculated across the F-I/O data, the Status or Control Byte, the (Virtual) Consecutive Number, and the F-Parameters.]
Figure 40 – F-Parameter data and CRC
The CRC2 signature is generated across the F-Parameters (including the codename), the F I/O data, the virtual consecutive number, and the Control/Status Byte (see 7.1.5 and Figure 40). The codename (source-destination relationship) of F-Host and F-Device is defined during the configuration phase with the help of an engineering tool and retentively stored.
After a repair, the F-Address of an F-Module/Device shall be restored / adjusted before the safety operation is resumed.
7.3.6 Delay
Quote: "1. The operational data exchange exceeds the capacity of the communication link. 2. A bus device causes an overload situation by simulating incorrect safety messages so that a service that belongs to the message is delayed or prevented."
Remedial action:
• Consecutive number in the sender data and in the acknowledgment data.
• Watchdog time in the respective recipient (watchdog time for F communication).
The watchdog time is defined in 9.3.3.
7.3.7 Masquerade
Quote: "The malfunction of a bus device causes safety-relevant messages and non-safety-relevant messages to be mixed up."
Remedial action: The data are coming from the correct sender and are going to the correct recipient (authenticity). This authenticity is guaranteed through inclusion of the F-Parameters with the F-Address (F source-destination relationship) into the CRC2 signature.
Principle of safe addressing:
Detecting the interconnection of safety-relevant and non-safety-relevant messages is guaranteed by the fact that a standard device is not capable of creating a safety PDU with the correct CRC2 and the correct consecutive number.
Detecting data from a different sender or for a different recipient is guaranteed by the fact that the F sender that belongs to the F source-destination relationship (codename) is the only one that generates exactly the matching CRC signature that is expected by the F receiver. At the same time, the recipient employs this CRC signature for implicitly checking the authenticity of the F sender address (since it was included in the CRC).
A retentive selection of the F address in the individual devices can be achieved through one of the following methods:
⎯ coding switch in the unit for the codename (the F-Device address of compact Devices, for example);
⎯ a one-time device parameterization by software, which requires a check that the correct device has been addressed. This shall be repeated when such a unit is replaced;
⎯ by address mechanisms that are independent of CPF 3 addressing.
Sabotage is not assumed.
7.3.8 Memory failures within switches
Quote: "1. The operational data exchange exceeds the capacity of the communication link. 2. A bus device causes an overload situation by simulating incorrect messages so that a service that belongs to the message is delayed or prevented."
See Figure 9 and Figure 10 as possible safety network examples for the following considerations. Central elements of these networks are switches, which are fairly complex active network components. They can have different faults: messages may be sent to the wrong destination, or their data content can be perturbed. Furthermore, a switch can send stored messages over and over again even when the sender has already been shut down. Table 7 contains a list of possible switch faults and their remedial measures to achieve sufficient safety.
Table 7 – Remedies for switch failures
Fault type | Detection and Mastering
Perturbed data | CRC signature (24 bit)
Wrong destination | Codename (2 x 16 bit)
Lost safety message | Consecutive number (24 bit) and Timeout
Duplicated message | Consecutive number (24 bit)
Delayed message | Timeout
Retransmission of stored messages with less than 3 consecutive safety PDUs in series; the F-Host is no longer connected | Consecutive number (24 bit) and no automatic restart
Retransmission of stored messages with 3 or more consecutive safety PDUs in series; the F-Host is no longer connected | Consecutive number (24 bit) and fault reaction via the Control Byte (Figure 36)
The following faults are detected / mastered:
⎯ The F-Host fails, or its safety PDUs do not reach the receiver. A switch transmits the messages of its revolving buffer, without the correct consecutive number, instead. The F-Device recognizes a consecutive number fault and sets failsafe values.
⎯ A single message of the switch buffer is retransmitted and has a safety PDU with the correct consecutive number. This fault will be detected due to the 24 bit consecutive number and the fact that the restart of the F-Output-Device needs an OA_C = 1 (Operator Acknowledgement).
⎯ A switch transmits messages with safety PDUs out of its revolving buffer with the correct consecutive numbers and this message sequence starts within the safety watchdog time. This fault will be detected due to the 24 bit consecutive number and the fact that the restart of the F-Output-Device needs an OA_C = 1 (Operator Acknowledgement).
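The following Python model is an added illustration for this edition; it is not code from the standard or from any PROFIsafe implementation. It implements the recipient-side checks that the remedial actions of 7.3.1 to 7.3.7 rely on (CRC2 across F-Parameters with codename, F-I/O data, Control Byte and consecutive number; strictly sequential consecutive-number expectation; watchdog time) and the behaviour required in 7.3.8 (fail-safe values on a consecutive-number fault, no automatic restart until operator acknowledgement), then drives each fault type through it. Assumptions not taken from the text: crc2() is a truncated zlib CRC-32 stand-in, not the standard's CRC2 polynomial; the consecutive number is sent explicitly rather than being virtual; the FParameters subset, the octet layout, the counter wrap-around and the resynchronisation value passed to operator_acknowledge() are simplifications; all host/device addresses and timings are constructed.

```python
"""Constructed model of the recipient-side checks described in 7.3.1 to 7.3.8.
Not PROFIsafe code; see the assumptions stated in the accompanying text."""
import struct
import zlib
from dataclasses import dataclass

CONSEC_MOD = 1 << 24   # 24-bit consecutive number; assumption: plain wrap-around

def crc2(data: bytes) -> int:
    """24-bit stand-in for CRC2 (truncated zlib CRC-32), NOT the standard's polynomial."""
    return zlib.crc32(data) & 0xFFFFFF

@dataclass(frozen=True)
class FParameters:
    """Subset of the F-Parameters; f_source/f_dest form the codename (2 x 16 bit)."""
    f_source: int     # F-Host address
    f_dest: int       # F-Device address
    wd_time_ms: int   # watchdog time for F communication
    sil: int

    def encode(self) -> bytes:
        return struct.pack(">HHHB", self.f_source, self.f_dest, self.wd_time_ms, self.sil)

def covered_bytes(fp, io_data, control, consec):
    """Everything CRC2 spans: F-Parameters, F-I/O data, Control Byte, consecutive number."""
    return fp.encode() + io_data + bytes([control]) + consec.to_bytes(3, "big")

def build_pdu(fp, io_data, control, consec):
    """Wire form: F-I/O data | Control Byte | consecutive number (3 octets) | CRC2 (3 octets)."""
    sig = crc2(covered_bytes(fp, io_data, control, consec))
    return io_data + bytes([control]) + consec.to_bytes(3, "big") + sig.to_bytes(3, "big")

class FHost:
    def __init__(self, fp):
        self.fp, self.consec = fp, 1
    def send(self, io_data, control=0x00):
        pdu = build_pdu(self.fp, io_data, control, self.consec)
        self.consec = (self.consec + 1) % CONSEC_MOD
        return pdu

class FDevice:
    def __init__(self, fp, now_ms=0):
        self.fp, self.expected, self.last_rx_ms, self.failsafe = fp, 1, now_ms, None
    def _fail(self, reason):
        self.failsafe = reason     # fail-safe values are output; no automatic restart
        return reason
    def receive(self, pdu, now_ms):
        if self.failsafe:
            return "FAILSAFE"      # stays here until operator_acknowledge() (OA_C = 1)
        if now_ms - self.last_rx_ms > self.fp.wd_time_ms:
            return self._fail("TIMEOUT")   # 7.3.6 delay, Table 7 "delayed message"
        io_data, control = pdu[:-7], pdu[-7]
        consec = int.from_bytes(pdu[-6:-3], "big")
        sig = int.from_bytes(pdu[-3:], "big")
        if crc2(covered_bytes(self.fp, io_data, control, consec)) != sig:
            return self._fail("CRC")       # 7.3.5 corruption, 7.3.7 foreign codename
        if consec != self.expected:
            return self._fail("CONSEC")    # 7.3.1-7.3.4 and 7.3.8 buffer retransmission
        self.expected = (consec + 1) % CONSEC_MOD
        self.last_rx_ms = now_ms
        return "OK"
    def operator_acknowledge(self, resync_consec, now_ms):
        """OA_C = 1: leave the fail-safe state; the restart counter value is given directly."""
        self.failsafe, self.expected, self.last_rx_ms = None, resync_consec, now_ms

CODENAME = FParameters(f_source=0x0001, f_dest=0x0010, wd_time_ms=100, sil=3)
OTHER = FParameters(f_source=0x0002, f_dest=0x0010, wd_time_ms=100, sil=3)  # foreign codename

def run_scenarios():
    """Each fault of 7.3.1 to 7.3.8 against a freshly synchronised host/device pair."""
    def pair():
        return FHost(CODENAME), FDevice(CODENAME)
    out = {}
    h, d = pair(); pdus = [h.send(bytes([i])) for i in (1, 2, 3)]
    out["normal"] = [d.receive(p, 10 * (i + 1)) for i, p in enumerate(pdus)]
    out["repetition"] = d.receive(pdus[2], 40)                     # same PDU a second time
    h, d = pair(); h.send(b"\x01"); out["loss"] = d.receive(h.send(b"\x01"), 10)
    h, d = pair(); out["insertion"] = d.receive(build_pdu(CODENAME, b"\x00", 0, 5), 10)
    h, d = pair(); p1, p2 = h.send(b"\x01"), h.send(b"\x02")
    out["sequence"] = d.receive(p2, 10)                            # p2 arrives before p1
    h, d = pair(); p = h.send(b"\x01")
    out["corruption"] = d.receive(bytes([p[0] ^ 0x80]) + p[1:], 10)  # one bit flipped
    h, d = pair(); out["masquerade"] = d.receive(FHost(OTHER).send(b"\x01"), 10)
    h, d = pair(); out["delay"] = d.receive(h.send(b"\x01"), 150)  # later than wd_time_ms
    # 7.3.8: a switch stores three PDUs, the host continues, then disconnects; the switch
    # replays its buffer with correct (but stale) consecutive numbers inside the watchdog time
    h, d = pair(); buffer = [h.send(bytes([i])) for i in (1, 2, 3)]
    for i, p in enumerate(buffer):
        d.receive(p, 10 * (i + 1))
    d.receive(h.send(b"\x04"), 40)
    out["switch_replay"] = [d.receive(p, 50 + 10 * i) for i, p in enumerate(buffer)]
    d.operator_acknowledge(resync_consec=1, now_ms=100)
    out["restart_after_ack"] = d.receive(FHost(CODENAME).send(b"\x01"), 110)
    return out

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} {verdict}")
```

Note how every fault type collapses into one of three verdicts at the receiver: a signature mismatch (corruption or a PDU built under a foreign codename), a consecutive-number mismatch (repetition, loss, insertion, wrong sequence, or a switch replaying stale PDUs that were once valid), or a watchdog timeout. Once the device has set fail-safe values it ignores further PDUs, including the remaining replays, until the operator acknowledgement resynchronises it; that is the "no automatic restart" entry of Table 7.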
7.3.9 Network boundaries and router
Quote: "1. The operational data exchange exceeds the capacity of the communication link. 2. A bus device causes an overload situation by simulating incorrect messages so that a service that belongs to the message is delayed or prevented."
For CP 3/RTE networks with routers, Figure 11 and the corresponding explanations apply.
Assume such a system with subnetworks connected via routers. The following considerations demonstrate that a single error will not misdirect a safety PDU to the wrong F-Device and will not cause it to switch to a dangerous state.
The router connects two or more subnets at layer 3. Every F-Host and F-Device can be configured to "use router" together with an appropriate router address. The router manages the IP addresses of the connected subnets. Table 8 contains a list of fault types and the constraints for router operation to achieve sufficient safety.
Table 8 – Safety network boundaries
Fault type | Consequences | Detection and Mastering
Router holds the wrong address of an F-Device | Router receives message for that particular F-Device. Result: Target not found. | Timeout of F-Device
Two F-Devices with identical addresses, one in subnet 0, the other one in subnet 1. Constraint: 2-Port-Router as in Figure 11 | 1) F-Device of subnet 0 not found in subnet 0; 2) F-Device of subnet 0 not reachable in subnet 1; 3) F-Device of subnet 1 not reachable in subnet 0; 4) F-Device of subnet 1 correct in subnet 1 | By standard CP 3/RTE
Two F-Devices with identical addresses, one in subnet 0, the other one in subnet 1. Constraint: Router with single port (for example PC, Laptop) | 1) F-Device of subnet 0 not found in subnet 0; 2) Address doubling in subnet 1 | Single port routers are not building (safety) network boundaries