CIP Safety Protocol Training Session 0: Overview of Functional Safety and Safety Networks

Virtual Training Courses Before We Begin

• Introductions • All attendees are automatically muted with no video connection as a default. • Please use the Q&A to ask questions, not the chat. We will address questions as they come in. • At the end if there is time, we will take questions verbally from the attendees. We will advise if and when there is time for you to “raise your hand” if you have a question. • Please complete the 4 question post session survey. The survey will launch when you close out of the webinar.

Jim Grosskreuz Rockwell Automation Evolution of Factory Safety In early factories, workers were encouraged to act in unsafe ways to meet production goals.

Industry 2.0 and 3.0 gave us increased focus improved safety by focusing on human factors and developing best practices.

Industry 4.0 requires flexibility, ease of use, human-machine collaboration, and interoperability between vendors.

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 4 Machinery Builder & Operator Responsibilities • European Union – Machinery Directive • Prescriptive approach to machinery safety • Mandates risk assessments and safe machines • United States – OSHA • Less prescriptive approach to machinery safety • Introduces fines for violations – Litigious Culture • OEMs and System Integrators aren’t protected from litigation • Elsewhere – Mixed legal and cultural environments

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 5 Automation Device Vendor Responsibilities • Simplified Safety Interfaces – Traditional wiring, Serial fieldbus, Industrial Ethernet – Design to applicable standards and for interoperability • Documentation – Wiring and integration with control systems – Safety Functions – Diagnostics and troubleshooting – Functional Safety data • Third Party Certification – Validated implementation according to relevant standards

Images are the EC-type certificates for products that use CIP Safety

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 6 Functional Safety • Long history of evolving standards from many organizations • IEC1 defines safety as – Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment. • IEC further defines functional safety as – The part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. – The detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event.

1International Electrotechnical Commission; http://www.iec.ch/functionalsafety/

How Bad? How Often? How Likely?

Consequences Frequency Chances

• Important to remember: – What is the operating mode? – Who is interacting with the machine? – When in the lifecycle is this activity? – What has already been done for protection?

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 8 Basic Concepts of Functional Safety - Mitigation Duality (Also known as Redundancy) – If one thing fails, there is another thing that can bring the system to a safe state – In parallel for Inputs or in series for Outputs Diversity – Protects against two things failing in exactly the same way at the same time – Example: Using one NO and one NC set of contacts – Example: Using both a high and a low input channel to a safety device Diagnostics – Safety products spend much of their time performing self-diagnostics – If a problem is detected, the system will go to its “safe state” and will not allow the system to be restarted until the problem is fixed – Example: A safety PLC has a significantly higher degree of self-diagnostic versus a standard PLC (> 90% vs. ≈ 50%)

ISO 13849-1 Safety of Machinery IEC 61800-5-2 EN 50128 Electronic Drives Safety for Railway IEC 61508 EN 60601 IEC 61496 Safety for Medical devices Functional Protective equipment Safety IEC 62061 Safety of Machinery – Electrical control systems IEC 61784-3 Functional Safety fieldbusses IEC 61511 Safety for Process Industry

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 10 IEC 61508-1 General Requirements • Documentation • Management • Safety Lifecycle – 61508-1 7.1.1.5 defines 16 phases – Phase 10 (Realisation) is further refined in: • 61508-2 (Hardware) • 61508-3 (Software) – Verification is expected at every phase • Assessment

– PFDAVG (low demand, <1 per year) – PFH (high demand, continuous) • SIL – Safety integrity level – SIL 3 (high demand) → 10-8 ≤ PFH < 10-7 -4 -3 – SIL 3 (low demand) → 10 ≤ PFDAVG < 10 • Basis for derived standards targeting application and product sectors – IEC 61511 Safety Instrumented Systems (SIS) – IEC 62061 Safety-Related Electrical Control System (SRECS) – ISO 13849-1 Safety-Related Parts of Control Systems (SRPCS) • This standard also uses Categories and Performance Levels

Machine image from IEC 62061:2005 Section B.2, Figure B.2 Flow chart from IEC 12100:2010 Chapter 4, Figure 2

Simple Machine Example

• Motor power is removed when the E-stop is pressed. Once power is removed, hazardous motion coasts to a stop. • Tests have determined that coasting to a stop can take as long as 20 seconds. Risk assessment has shown that a person can open the gate and reach the hazardous motion in less than 20 seconds. To prevent dangerous access, a guard lock is used to keep the gate locked for 30 seconds after the E-stop is pressed. After 30 seconds, the operator is allowed to unlock the door by applying power to the guard lock by using the key switch. • While the door is open, the system is monitored to prevent an unexpected start-up. When the door is closed, hazardous motion and power to the motor do not resume until a secondary action (start button depressed) occurs. Faults at the door interlock switch, wiring terminals, or safety controller are detected before the next safety demand. • The safety function in this example is capable of connecting and interrupting power to motors rated up to 9 A, 600VAC. The safety function meets the requirements for Category 4, Performance Level e (CAT. 4, PLe), per ISO 13849-1, SIL3 per IEC 62061, and control reliable operation per ANSI B11.19.

Simple Machine Example

Input Logic Output

Guard-Locking Safety Function

Jim Grosskreuz Rockwell Automation Industrial Communications Backbone • Industrial network basics: – Quick connect/disconnect of devices – Simple integration of new devices – Easy configuration and communication between devices – Diagnostic data

• Extra requirements for Functional Safety: 1. Messages delivered as intended or the device goes to the safe state 2. Suitably small quantitative risk that the device won’t go to the safe state

• Safety networks are just a means to high integrity communications – they require safety devices to deliver the safety function

– Loss – Electrical noise – Repetition – Cable breaks – Corruption – Delay

– Hardware failures – Incorrect message routing – Software bugs – Coupling with other packets – Mixing with other packets

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 19 IEC 61784-3:2016 Figure 1 - Relationships of IEC 61784-3 with standards (machinery) Subclauses 6.7.6.4 (high complexity) and 6.7.8.1.6 (low complexity) of IEC 62061 specify the relationship between PL (Category) and SIL. (gray) safety-related standards (gold) fieldbus-related standards Safety Standards for Functional Safety (red) this standard

Product Standards ISO 12100-1 and ISO 14121 IEC 61131-6 IEC 61496 IEC 61800-5-2 ISO 10218-1 Machinery: design & risk assessment PLCs (under (light curtains) Drives Robots consideration) IEC 61784-4 IEC 62443 Design of safety-related electrical, electronic, & programmable electronic control systems (SRECS) for machinery Security (profile-specific) Security (common part) SIL based) PL based) IEC 61784-5 IEC 61918 Install guide (profile-specific) Install guide (common) Design Objective Applicable Standards IEC 61000-1-2 IEC 60204-1 ISO 13849-1, -2 Methodology EMC & FS Electrical Equipment Safety-related parts of machinery (SRPCS) IEC 61784-3 IEC 61325-3-1 Non-electrical FS communication profiles US: NFPA 79 (2006) Test EMC & FS Electrical

IEC 61158 Series / IEC 61784-1, -2 IEC 61508 Series IEC 62061 Series Fieldbus: industrial control FS (basic standard) FS for machinery (SRECS)

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 20 White Channel vs Black Channel • 61508-2 7.4.11.2 describes two possible approaches for safety communications – white channel (entire network must be developed according to 61508 and certified) – black channel (only network protocol subject to certification)

• IEC 61784-3 extends IEC 61158 fieldbus specifications to Functional Safety Communication Profiles (FSCP) – All defined 61784-3 FSCPs use the black channel approach – CIP Safety is FSCP 2/1 in IEC 61784-3-2

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 21 Introduction to Network Errors • IEC 61784-3 Section 5.3 defines 8 types of errors that must be mitigated for functional safety communications 1. Corruption 2. Unintended Repetition 3. Incorrect Sequence Many of these errors can be 4. Loss interrelated! If a corrupt message 5. Unacceptable Delay arrives, a new message may be 6. Insertion requested by the client… Will that 7. Masquerade 8. Addressing cause unintended repetition? Incorrect sequence? Unacceptable delay? Loss?

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 22 Network Error - Corruption Messages may be corrupted due to errors within a bus participant, due to errors on the transmission medium, or due to message interference.