CIP Safety Protocol Training Session 0: Overview of Functional Safety Standards and Safety Networks

Virtual Training Courses: Before We Begin

• Introductions
• All attendees are automatically muted with no video connection as a default.
• Please use the Q&A to ask questions, not the chat. We will address questions as they come in.
• At the end, if there is time, we will take questions verbally from the attendees. We will advise if and when there is time for you to "raise your hand" if you have a question.
• Please complete the 4-question post-session survey. The survey will launch when you close out of the webinar.

PUB00303R6, CIP Safety Protocol Training, © 2021 ODVA 2 Overview of Functional Safety Standards

Jim Grosskreuz, Rockwell Automation

Evolution of Factory Safety

• In early factories, workers were encouraged to act in unsafe ways to meet production goals.
• Industry 2.0 and 3.0 brought an increased focus on safety, improving it by addressing human factors and developing best practices.
• Industry 4.0 requires flexibility, ease of use, human-machine collaboration, and interoperability between vendors.

Machinery Builder & Operator Responsibilities

• European Union – Machinery Directive
  – Prescriptive approach to machinery safety
  – Mandates risk assessments and safe machines
• United States – OSHA
  – Less prescriptive approach to machinery safety
  – Introduces fines for violations
  – Litigious culture: OEMs and system integrators aren't protected from litigation
• Elsewhere – mixed legal and cultural environments

Automation Device Vendor Responsibilities

• Simplified safety interfaces
  – Traditional wiring, serial, industrial Ethernet
  – Design to applicable standards and for interoperability
• Documentation
  – Wiring and integration with control systems
  – Safety functions
  – Diagnostics and troubleshooting
  – Functional safety data
• Third-party certification
  – Validated implementation according to relevant standards

(Figure: EC-type certificates for products that use CIP Safety.)

Functional Safety

• Long history of evolving standards from many organizations
• IEC¹ defines safety as:
  – Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
• IEC further defines functional safety as:
  – The part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
  – The detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event.

¹ International Electrotechnical Commission; http://www.iec.ch/functionalsafety/

Basic Concepts of Functional Safety – Risk

(Figure: Risk is assessed along three axes – Consequences (How bad?), Frequency (How often?), and Chances (How likely?).)

• Important to remember:
  – What is the operating mode?
  – Who is interacting with the machine?
  – When in the lifecycle is this activity?
  – What has already been done for protection?

Basic Concepts of Functional Safety – Mitigation

• Duality (also known as redundancy)
  – If one thing fails, there is another thing that can bring the system to a safe state
  – In parallel for inputs or in series for outputs
• Diversity
  – Protects against two things failing in exactly the same way at the same time
  – Example: using one NO and one NC set of contacts
  – Example: using both a high and a low input channel to a safety device
• Diagnostics
  – Safety products spend much of their time performing self-diagnostics
  – If a problem is detected, the system will go to its "safe state" and will not allow the system to be restarted until the problem is fixed
  – Example: a safety PLC has a significantly higher degree of self-diagnostics than a standard PLC (> 90% vs. ≈ 50%)

Classification of Standards

• Basic standards (Type A standard)
  – IEC 61508 – Functional Safety
• Group standards (Type B standard)
  – ISO 13849-1 – Safety of Machinery
  – IEC 62061 – Safety of Machinery – Electrical control systems
  – IEC 61784-3 – Functional Safety fieldbuses
  – IEC 61511 – Safety for Process Industry
• Product standards (Type C standard)
  – IEC 61800-5-2 – Electronic Drives
  – EN 50128 – Safety for Railway
  – EN 60601 – Safety for Medical devices
  – IEC 61496 – Protective equipment

IEC 61508-1 General Requirements

• Documentation
• Management
• Safety Lifecycle
  – 61508-1 7.1.1.5 defines 16 phases
  – Phase 10 (Realisation) is further refined in:
    • 61508-2 (Hardware)
    • 61508-3 (Software)
  – Verification is expected at every phase
• Assessment

IEC 61508 Key Concepts

• Quantifying probability of dangerous failure
  – Common Cause Failure, Safe Failure Fraction, Diagnostic Coverage
  – PFDavg (low demand, < 1 demand per year)
  – PFH (high demand, continuous)
• SIL – Safety Integrity Level
  – SIL 3 (high demand) → 10⁻⁸ ≤ PFH < 10⁻⁷
  – SIL 3 (low demand) → 10⁻⁴ ≤ PFDavg < 10⁻³
• Basis for derived standards targeting application and product sectors
  – IEC 61511 – Safety Instrumented Systems (SIS)
  – IEC 62061 – Safety-Related Electrical Control Systems (SRECS)
  – ISO 13849-1 – Safety-Related Parts of Control Systems (SRPCS)
    • This standard also uses Categories and Performance Levels

Your Customer's Safety Flow

Simple Machine Example

Machine image from IEC 62061:2005 Section B.2, Figure B.2. Flow chart from ISO 12100:2010 Chapter 4, Figure 2.

This example comes from Rockwell Automation publication SAFETY-AT063D.

Simple Machine Example

• Motor power is removed when the E-stop is pressed. Once power is removed, hazardous motion coasts to a stop.
• Tests have determined that coasting to a stop can take as long as 20 seconds. Risk assessment has shown that a person can open the gate and reach the hazardous motion in less than 20 seconds. To prevent dangerous access, a guard lock is used to keep the gate locked for 30 seconds after the E-stop is pressed. After 30 seconds, the operator is allowed to unlock the door by applying power to the guard lock using the key switch.
• While the door is open, the system is monitored to prevent an unexpected start-up. When the door is closed, hazardous motion and power to the motor do not resume until a secondary action (start button depressed) occurs. Faults at the door interlock switch, wiring terminals, or safety controller are detected before the next safety demand.
• The safety function in this example is capable of connecting and interrupting power to motors rated up to 9 A, 600 V AC. The safety function meets the requirements for Category 4, Performance Level e (CAT. 4, PLe) per ISO 13849-1, SIL 3 per IEC 62061, and control reliable operation per ANSI B11.19.

(Figure: Guard-Locking Safety Function, shown as the chain Input → Logic → Output.)

Safety Networks

Jim Grosskreuz, Rockwell Automation

Industrial Communications Backbone

• Industrial network basics:
  – Quick connect/disconnect of devices
  – Simple integration of new devices
  – Easy configuration and communication between devices
  – Diagnostic data
• Extra requirements for functional safety:
  1. Messages are delivered as intended or the device goes to the safe state
  2. Suitably small quantitative risk that the device won't go to the safe state
• Safety networks are just a means to high-integrity communications – they require safety devices to deliver the safety function

Challenges with Industrial Ethernet

• Communication faults:
  – Electrical noise
  – Cable breaks
  – Hardware failures
  – Software bugs
  – Coupling with other packets
• Which can cause:
  – Loss
  – Repetition
  – Corruption
  – Delay
  – Incorrect message routing
  – Mixing with other packets

IEC 61784-3:2016 Figure 1 – Relationships of IEC 61784-3 with standards (machinery)

Subclauses 6.7.6.4 (high complexity) and 6.7.8.1.6 (low complexity) of IEC 62061 specify the relationship between PL (Category) and SIL.

(Figure legend: gray = safety-related standards; gold = fieldbus-related standards; red = this standard, IEC 61784-3. Standards shown in the figure:)
• Product standards: ISO 12100-1 and ISO 14121 (machinery: design & risk assessment); IEC 61131-6 (PLCs, under consideration); IEC 61496 (light curtains); IEC 61800-5-2 (drives); ISO 10218-1 (robots)
• Design of safety-related electrical, electronic & programmable electronic control systems (SRECS) for machinery: IEC 62061 (SIL based); ISO 13849-1, -2 (PL based; safety-related parts of machinery, SRPCS, electrical and non-electrical)
• Security: IEC 61784-4 (profile-specific); IEC 62443 (common part)
• Installation: IEC 61784-5 (install guide, profile-specific); IEC 61918 (install guide, common)
• EMC & functional safety: IEC 61000-1-2 (methodology); IEC 61326-3-1 (test); electrical equipment: IEC 60204-1; US: NFPA 79 (2006)
• Functional safety communication profiles: IEC 61784-3
• Basic standards: IEC 61158 series / IEC 61784-1, -2 (fieldbus: industrial control); IEC 61508 series (functional safety basic standard); IEC 62061 series (functional safety for machinery, SRECS)

White Channel vs Black Channel

• IEC 61508-2 7.4.11.2 describes two possible approaches for safety communications
  – White channel: the entire network must be developed according to IEC 61508 and certified
  – Black channel: only the safety protocol layer is subject to certification; the underlying network is untrusted
• IEC 61784-3 extends the IEC 61158 fieldbus specifications to Functional Safety Communication Profiles (FSCP)
  – All defined IEC 61784-3 FSCPs use the black channel approach
  – CIP Safety is FSCP 2/1 in IEC 61784-3-2

Introduction to Network Errors

• IEC 61784-3 Section 5.3 defines 8 types of errors that must be mitigated for functional safety communications
  1. Corruption
  2. Unintended Repetition
  3. Incorrect Sequence
  4. Loss
  5. Unacceptable Delay
  6. Insertion
  7. Masquerade
  8. Addressing
• Many of these errors can be interrelated! If a corrupt message arrives, a new message may be requested by the client… Will that cause unintended repetition? Incorrect sequence? Unacceptable delay? Loss?

Network Error – Corruption

Messages may be corrupted due to errors within a bus participant, due to errors on the transmission medium, or due to message interference.

Example of correct behavior: Safety Msg #1 → Safety Msg #2 → Safety Msg #3 → Safety Msg #4
Example of corruption: Safety Msg #1 → Safety Msg #2 → Sdetfq N34 &! → Safety Msg #4

Network Error – Unintended Repetition

Due to an error, fault or interference, messages are repeated.

Example of correct behavior: Safety Msg #1 → Safety Msg #2 → Safety Msg #3 → Safety Msg #4
Example of unintended repetition: Safety Msg #1 → Safety Msg #2 → Safety Msg #2 → Safety Msg #3

Network Error – Incorrect Sequence

Due to an error, fault or interference, the predefined sequence (for example natural numbers, time references) associated with messages from a particular source is incorrect.

Example of correct behavior: Safety Msg #1 → Safety Msg #2 → Safety Msg #3 → Safety Msg #4
Example of incorrect sequence: Safety Msg #1 → Safety Msg #2 → Safety Msg #4 → Safety Msg #3

Network Error – Loss

Due to an error, fault or interference, a message or acknowledgment is not received.

Example of correct behavior: Safety Msg #1 → Safety Msg #2 → Safety Msg #3 → Safety Msg #4
Example of loss: Safety Msg #1 → Safety Msg #2 → Safety Msg #4

Network Error – Unacceptable Delay

Messages may be delayed beyond their permitted arrival time window, for example due to errors in the transmission medium, congested transmission lines, interference, or due to bus participants sending messages in such a manner that services are delayed or denied (for example FIFOs in switches, bridges, routers).

Example of correct behavior: Safety Msg #1 → Safety Msg #2 → Safety Msg #3 → Safety Msg #4
Example of unacceptable delay: Safety Msg #1 → Safety Msg #2 → Safety Msg #2 → Safety Msg #3 (message #2 arrives outside its permitted time window)

Network Error – Insertion

Due to a fault or interference, a message is received that relates to an unexpected or unknown source entity.

Example of correct behavior: Safety Msg A → B #1 → Safety Msg A → B #2 → Safety Msg A → B #3 → Safety Msg A → B #4
Example of insertion: Safety Msg A → B #1 → Safety Msg A → B #2 → Safety Msg C → B #97 → Safety Msg A → B #3

Network Error – Masquerade

Due to a fault or interference, a message is inserted that relates to an apparently valid source entity, so a non-safety-related message may be received by a safety-related participant, which then treats it as safety-related.

Example of correct behavior: Safety Msg #1 → Safety Msg #2 → Safety Msg #3 → Safety Msg #4
Example of masquerade: Safety Msg #1 → Safety Msg #2 → Std Msg #19 → Safety Msg #3

Network Error – Addressing

Due to a fault or interference, a safety-related message is delivered to the incorrect safety-related participant, which then treats reception as correct. This includes the so-called loopback error case, where the sender receives back its own sent message.

Example of correct behavior:
  Input stream: Safety Input #1 → Safety Input #2 → Safety Input #3 → Safety Input #4
  Output stream: Safety Output #1 → Safety Output #2 → Safety Output #3 → Safety Output #4
Example of addressing error:
  Input stream: Safety Input #1 → Safety Input #2 → Safety Output #2 → Safety Input #4
  Output stream: Safety Output #1 → Safety Output #2 → Safety Output #3 → Safety Output #4
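The eight error types above are what a black channel safety layer has to catch with its own checks, because nothing below it is trusted. The following is an added example, not ODVA code and not the CIP Safety wire format: a toy producer/consumer pair in which the consumer runs the generic measures (connection identity, sequence count, time expectation, CRC) and latches its safe state on any failure. The frame layout, the connection ids 0x1234 and 0x2222, the 25 ms time expectation and the replayed message sequences are all constructed for this example; the real protocol's time stamps and CRCs with cross-checking are covered in the later sessions.

```python
import struct
import zlib

# Constructed frame layout for this example (an assumption, not the CIP Safety format):
#   connection id (uint16) | sequence count (uint16) | payload (uint8) | CRC-32 over the preceding bytes
FRAME_FMT = ">HHB"
FRAME_LEN = struct.calcsize(FRAME_FMT) + 4


def build_frame(conn_id: int, seq: int, payload: int) -> bytes:
    """Producer side: stamp the safety data with its connection, a sequence count and a CRC."""
    body = struct.pack(FRAME_FMT, conn_id, seq, payload)
    return body + struct.pack(">I", zlib.crc32(body))


class SafetyConsumer:
    """Consumer side of one safety connection over an untrusted (black channel) network.

    Each check is named after the IEC 61784-3 error it catches. The consumer does not
    need to know which fault actually happened: any failed check latches the safe state
    and drops the payload, and data is only accepted again after an explicit reset().
    """

    def __init__(self, conn_id: int, timeout_ms: int):
        self.conn_id = conn_id
        self.timeout_ms = timeout_ms   # time expectation: next good frame must arrive within this window
        self.expected_seq = 0
        self.last_good_ms = None
        self.fault = None              # None while running, else the detected error
        self.payload = None            # None means outputs are held in the safe state

    def _trip(self, reason: str) -> str:
        self.fault, self.payload = reason, None
        return reason

    def receive(self, frame: bytes, now_ms: int) -> str:
        if self.fault:
            return self.fault
        if len(frame) != FRAME_LEN:
            return self._trip("masquerade")            # a non-safety message cannot pass as a safety frame
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            return self._trip("corruption")
        conn_id, seq, payload = struct.unpack(FRAME_FMT, body)
        if conn_id != self.conn_id:
            return self._trip("insertion/addressing")  # valid frame, wrong connection (covers loopback too)
        if self.last_good_ms is not None and now_ms - self.last_good_ms > self.timeout_ms:
            return self._trip("unacceptable delay")
        if seq == self.expected_seq - 1:
            return self._trip("unintended repetition")
        if seq < self.expected_seq:
            return self._trip("incorrect sequence")
        if seq > self.expected_seq:
            # A gap looks the same whether #3 was lost or #4 overtook it; either way, trip.
            return self._trip("loss or incorrect sequence")
        self.expected_seq = seq + 1                    # 16-bit wrap-around is ignored in this example
        self.last_good_ms = now_ms
        self.payload = payload
        return "ok"

    def tick(self, now_ms: int) -> str:
        """Consumer's own timer: catches loss and delay when nothing arrives at all."""
        if self.fault:
            return self.fault
        if self.last_good_ms is not None and now_ms - self.last_good_ms > self.timeout_ms:
            return self._trip("unacceptable delay")
        return "ok"

    def reset(self) -> None:
        self.fault, self.expected_seq, self.last_good_ms = None, 0, None


CONN = 0x1234   # assumed id of the legitimate producer's connection
OTHER = 0x2222  # assumed id of some other safety connection on the same network


def run_scenarios(timeout_ms: int = 25) -> dict:
    """Replays the error cases from the slides (constructed traffic) and returns the check that tripped."""
    ok = lambda c, seq, t: c.receive(build_frame(CONN, seq, 1), t)  # helper: one good frame at time t
    results = {}

    c = SafetyConsumer(CONN, timeout_ms)                 # correct behaviour: #0..#3 every 10 ms
    for seq in range(4):
        results["correct"] = ok(c, seq, seq * 10)
    results["correct_payload"] = c.payload

    c = SafetyConsumer(CONN, timeout_ms); ok(c, 0, 0); ok(c, 1, 10)
    bad = bytearray(build_frame(CONN, 2, 1)); bad[4] ^= 0xFF           # corruption: payload byte flipped
    results["corruption"] = c.receive(bytes(bad), 20)

    c = SafetyConsumer(CONN, timeout_ms); ok(c, 0, 0); ok(c, 1, 10)
    results["repetition"] = ok(c, 1, 20)                                # #1 delivered twice

    c = SafetyConsumer(CONN, timeout_ms); ok(c, 0, 0); ok(c, 1, 10)
    results["loss"] = ok(c, 3, 20)                                      # #2 never arrives (or #3 overtook it)

    c = SafetyConsumer(CONN, timeout_ms); ok(c, 0, 0); ok(c, 1, 10)
    results["delay"] = ok(c, 2, 40)                                     # #2 arrives 30 ms after #1

    c = SafetyConsumer(CONN, timeout_ms); ok(c, 0, 0)
    results["insertion"] = c.receive(build_frame(OTHER, 97, 1), 10)     # valid frame from connection C

    c = SafetyConsumer(CONN, timeout_ms); ok(c, 0, 0)
    results["masquerade"] = c.receive(b"Std Msg #19", 10)               # standard, non-safety message

    c = SafetyConsumer(CONN, timeout_ms); ok(c, 0, 0); ok(c, 1, 10)
    results["silence_in_window"] = c.tick(35)                           # nothing yet, still inside 25 ms
    results["silence"] = c.tick(36)                                     # time expectation expired
    results["latched"] = ok(c, 2, 37)                                   # good data is rejected until reset
    c.reset()
    results["after_reset"] = ok(c, 0, 38)
    return results
```

Note the order of the checks: integrity and connection identity first, then time, then sequence. That order matters for a practitioner because it decides which fault gets reported, not whether the device goes safe; every branch ends in the same latched safe state, which is the property the slides' "delivered as intended or the device goes to the safe state" requirement asks for.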

CIP Safety

• This protocol addresses all the errors previously discussed
• Provides a stated probability of failure (PFH)
  – PFH is the probability of dangerous failure per hour
  – 10⁻⁸ ≤ PFH < 10⁻⁷ required for SIL 3
  – 10⁻¹⁰ ≤ Network PFH < 10⁻⁹ required for SIL 3
    • IEC 61784-3 recommends that the network contribute no more than 1% of the target SIL's PFH
• Certified by TÜV Rheinland for functional safety applications up to SIL 3
• Suitable for use on EtherNet/IP, DeviceNet, SERCOS

Error Mitigation from Various Black Channel Protocols

(Table: the deployed measures of four IEC 61784-3 profiles against each communication error; measures and error rows as follows.)
• CIP Safety (IEC 61784-3-2:2016, page 32) – measures: Time Stamp; Time Expectation; Connection Authentication; Data Integrity Assurance; Redundancy with Cross Checking; Different Data Integrity Systems. Error rows: Corruption, Unintended repetition, Incorrect sequence, Loss, Unacceptable delay, Insertion, Masquerade, Addressing, Loop-back of messages.
• PROFIsafe (IEC 61784-3-3:2016, page 29) – measures: Sequence Number; Time Expectation & Feedback Message; Connection Authentication; Data Integrity Assurance. Error rows: Corruption, Unintended repetition, Incorrect sequence, Loss, Unacceptable delay, Insertion, Masquerade, Addressing, Out-of-sequence.
• FSoE (IEC 61784-3-12:2010, page 21) – measures: Sequence Number; Time Expectation; Connection Authentication; Feedback Message; Data Integrity Assurance. Error rows: Corruption, Unintended repetition, Incorrect sequence, Loss, Unacceptable delay, Insertion, Masquerade, Addressing, Revolving memory failures within switches.
• SafetyNET p (IEC 61784-3-18:2011, page 21) – measures: Sequence Number; Time Expectation; Connection Authentication; Data Integrity Assurance; Different Data Integrity Systems. Error rows: Corruption, Unintended repetition, Incorrect sequence, Loss, Unacceptable delay, Insertion, Masquerade, Addressing, Revolving memory failures within switches.

Network Performance in Standard Networks

• Response time determines how fast a production line can operate
  – Network response times are used as a measure of performance

(Figure: Input to Output Response Time, shown as the chain Sensor → Input → Data Transport → Logic → Data Transport → Output → Actuator.)

Network Performance in Safety Networks

• Worst-case control system reaction time must satisfy the process safety time
  – Reaction time must include error conditions
• Detecting non-arrival of data is typically the limiting factor

(Figure: Safety Response Time, shown as the chain Safety Sensor → Safety Input → Data Transport → Logic → Data Transport → Output → Actuator. Figures shown: 45 ms, 6 ms (input data transport), 38 ms, 10 ms (output data transport), and an inertia- and speed-dependent actuator stopping time. The 6 ms input time and 10 ms output time assume typical watchdog and timeout parameters and no faults.)
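The no-fault transport times above are not the numbers that have to fit inside the process safety time: under a lost or delayed message the consumer only reacts when its time expectation expires, so the timeout bounds each transport stage. The following is an added example, not from the ODVA deck or Rockwell's publication, that builds that worst-case budget. The 45/6/38/10 ms figures are taken from the slide; assigning 45 ms to the sensor/input stage and 38 ms to logic, the 10 ms connection periods, the timeout multipliers, the 50 ms stopping time and the process safety times tried are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SafetyConnection:
    """One direction of safety data transport over the network."""
    transport_ms: float     # typical delivery time with no faults (the slide's 6 ms / 10 ms figures)
    period_ms: float        # producer send interval (assumption)
    timeout_periods: int    # consumer declares non-arrival after this many periods (assumption)

    @property
    def timeout_ms(self) -> float:
        return self.period_ms * self.timeout_periods

    @property
    def worst_case_ms(self) -> float:
        # With data lost or delayed nothing arrives, and the consumer only acts when its
        # time expectation expires: the timeout, not the transport time, bounds this stage.
        return max(self.transport_ms, self.timeout_ms)


@dataclass
class SafetyChain:
    sensor_ms: float
    input_conn: SafetyConnection
    logic_ms: float
    output_conn: SafetyConnection
    actuator_ms: float      # stopping time: inertia and speed dependent

    def response_time_ms(self, with_faults: bool) -> float:
        in_ms = self.input_conn.worst_case_ms if with_faults else self.input_conn.transport_ms
        out_ms = self.output_conn.worst_case_ms if with_faults else self.output_conn.transport_ms
        return self.sensor_ms + in_ms + self.logic_ms + out_ms + self.actuator_ms

    def meets_process_safety_time(self, pst_ms: float) -> bool:
        # The worst case, including error conditions, is what has to fit.
        return self.response_time_ms(with_faults=True) <= pst_ms

    def largest_input_timeout(self, pst_ms: float, max_periods: int = 64) -> Optional[int]:
        """Largest timeout multiplier on the input connection that still satisfies the PST.

        A longer timeout tolerates more consecutive lost packets before a nuisance trip,
        so the designer wants the largest value the safety time allows. None if even
        one period is too slow.
        """
        best = None
        for n in range(1, max_periods + 1):
            trial = SafetyConnection(self.input_conn.transport_ms, self.input_conn.period_ms, n)
            chain = SafetyChain(self.sensor_ms, trial, self.logic_ms, self.output_conn, self.actuator_ms)
            if chain.meets_process_safety_time(pst_ms):
                best = n
        return best


def example_chain() -> SafetyChain:
    """Constructed budget: the slide's 45/6/38/10 ms figures plus assumed periods, timeouts and stopping time."""
    return SafetyChain(
        sensor_ms=45,
        input_conn=SafetyConnection(transport_ms=6, period_ms=10, timeout_periods=4),
        logic_ms=38,
        output_conn=SafetyConnection(transport_ms=10, period_ms=10, timeout_periods=3),
        actuator_ms=50,
    )


if __name__ == "__main__":
    chain = example_chain()
    print("no-fault response time:", chain.response_time_ms(with_faults=False), "ms")
    print("worst-case response time:", chain.response_time_ms(with_faults=True), "ms")
    print("largest input timeout multiplier for a 220 ms PST:", chain.largest_input_timeout(220))
```

With these assumed figures the no-fault chain is 149 ms but the worst case is 203 ms, and the whole difference comes from the two timeouts, which is the "detecting non-arrival is the limiting factor" point: tightening the timeout buys reaction time at the cost of nuisance trips under normal packet loss, so the multiplier is chosen against the process safety time rather than against the no-fault transport figure.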

Next Sessions:

Session 1 – Overview of CIP and EtherNet/IP: Tomorrow, 8:00am – 9:30am US Eastern

Session 2 – CIP Safety Overview: Tomorrow, 10am – 11:30am US Eastern