POWERLINK Safety

Issue 1 / October 2009 The Magazine for the Industrial Ethernet Standard Volume 4, FACTS POWERLINK Safety

How does POWERLINK Safety work?

openSAFETY: Stage 1 Christian Schlegel

Interview with Anton Meindl EPSG Executive Ofﬁ cer 2 EDITORIAL 1/2009

POWERLINK

openSAFETY expands the open world of POWERLINK

With their open source release of the POWERLINK Safety stack, IXXAT adds a safety-oriented transfer protocol to the open source world of POWERLINK. A renowned service provider for data communication systems in the automation industry and a leading member of the Ethernet POWERLINK Standardiza- tion Group, IXXAT will make the stack available for download free of charge from their website on the occasion of the upcoming SPS/IPC/Drives exhibition. We take that cue to give you a POWERLINK FACTS issue that focuses exclusively on POWER- LINK Safety. You will fi nd a brief explanation of what POWERLINK Safety actually is, and how the software works. Christian Schlegel, IXXAT‘s CEO, tells you in our interview why his company has decided to take this step. You also get the views of Anton Meindl, EPSG Executive Offi cer, as well as of Dr. Till Jaeger. A distinguished expert in the fi eld of open source law, Jaeger discusses the specifi c liability issues anyone involved in the open source release and distribution of safety-oriented products should consider. The closing article provides information ■■ The purpose of tromagnetic interference also threa- safety systems tens the integrity of information trans- about the requirements for standard-compliant missions. In bus-based safety systems, developments of safety software and hardware In order to prevent any damage to per- performance free from defects must be according to IEC 61508. sons and machines, it is paramount ensured by the protocol, which must that data in safety-sensitive areas of enable cyclic checks of the network I hope you will fi nd this an interesting read. Should machines and plants are transmitted in segments that are relevant for safety, you have any further questions about this subject, time and in their entirety. Failures can and checks of the devices involved. feel welcome to ask me in person at the EPSG occur for various reasons, e.g. if data In case of an interruption in communi- packets are routed to the wrong recipi- cation or an incomplete data transmis- stand at the upcoming SPS/IPC/Drives show. ent, or are delayed at a gateway due sion, it is to initiate a safe shutdown of to traffi c overload. Adverse conditions the machine or plant. Yours, may also lead to erroneous transfer sequences for the packets, or cause Rüdiger Eikmeier incorrect data insertions. Lastly, elec- EPSG General Manager SPECIAL 3 The Magazine for the FACTS Industrial Ethernet Standard

Safety – what it is

units, I/O modules, and drives. That has enabled safety measures with very little negative impact on production ■ Total independence from the ﬁ eldbus routines in risk scenarios. ■ Safe reaction time down to 100 μs Only

■■ POWERLINK Safety ■ Automatic safe parameterization

The safety-oriented protocol POWER- ■ Ideal for safe modular machine concepts LINK Safety is a real-time Ethernet- capable solution for machine and fac- ■ Sole 100 % open safety solution tory automation that is suitable for communication cycles in the microse- ■ True SIL3 Black Channel approach cond range. As early as 2004, POWER- LINK Safety was tested by TÜV RHEIN- LAND and approved for use in safety- sensitive applications as specifi ed for IEC 61508 SIL 3 (see page 7), and for solution, parallel lines and installations ping altogether. This response Category 4 of the EU standard 954-1. of extra systems are no longer needed. maintains the synchronicity of the Hence, POWERLINK Safety is generally, axes, and prevents offl oading proce- and with no restrictions, suitable for dures, empty runs and restarts. In applications of any safety level e.g. ■■ ”Smart Safe Reac- robot-supported factories, suitable in power plants or traffi c systems. tions“ instead of programming allows for fl exible machine stops changes to production routines as POWERLINK Safety allows for the trans- long as there are people within an fer of both safety-oriented data and POWERLINK Safety enables fl exible unsafe area. control data on one system, and via hazards management. ”Smart Safe Safety-oriented reactions therefore one line, irrespective of the bus that is Reaction“ denotes the safety system‘s only apply to specifi c mechatronic used. Additional safe hardware mo- capability for fl exible, measured re- units where a person is close by. dules, such as controllers and I/O sponses to various situations. In order modules, are indispensable to ensure to protect people in hazardous areas, compliance with safety requirements. it is often entirely suffi cient to slow However, they constitute components down machine motions, or limit the of one homogenous system. With this torque to a safe level, instead of stop-

■■ Protocol-based solutions instead of extra wires

Safety systems have long been imple- mented via dedicated external wiring. The introduction of new standards, such as the IEC 61508 in 1998, which deﬁ nes the ”Functional Safety of elec- trical/electronic/programmable electronic safety-related systems,“ has cleared the way for bus-based safety systems featuring safety-oriented transfer protocols, which have allowed for shifting safety functions to control 4 SPECIAL 1/2009

POWERLINK Safe

The POWERLINK Safety protocol basi- errors that may occur in networks, and of partial packages due to their ■■ … and how cally features three outstanding cha- of the mechanisms POWERLINK Safety length, and different transfer routes POWERLINK Safety racteristics: its defi nition of data trans- uses to recognize these faults. via various gateways result in a mix- deals with them fer, its upper-level confi guration ser- up of specifi c packet segments. vices, and, most notably, its encapsu- – Gateways can delay data transfers One of POWERLINK Safety‘s most cru- lation of data that is relevant to safety due to high load. cial mechanisms, the time stamp pre- into an extremely fl exible telegram for- ■■ Causes of fault … – Electromagnetic interference can dis- vents data duplications, mix-ups, and mat. In all applications, POWERLINK tort data, which may result in the de- delays. Every data packet is stamped indeed uses a frame with a uniform – Data duplications can occur if a net- struction of single bits, or even entire with the current time when it is sent. format, no matter whether for payload work is linked to other networks via information sections. This stamp enables the receiver to avo- data transfer, or for confi guration or two gateways, both of which transfer – And, lastly, in networks where stan- id double read-outs, and to determine time synchronization purposes. As the same set of data. dard data as well as safety data are the time sequence of different packets variable as it is economic, frame length – Data loss will happen when a gate- transferred, so-called ”masquerades“ as well as any delays. POWERLINK is contingent on the amount of data to way does not pass on data at all, or can occur, i.e. standard data is taken Safety does not depend on distributed be transferred. The safety nodes on the feeds it into the wrong network. to be safety data due to mix-ups and clocks; a special procedure provides network automatically recognize the – Insertions can occur if data packets insertions. This will result in serious for reliable synchronization of all micro- content, i.e. frame types and lengths can only be transferred in a sequence malfunctions. controller clocks within the nodes. do not have to be confi gured. Since POWERLINK Safety only uses the application-oriented layers of the OSI model, it is independent from the bus protocol in use. While the open transfer protocol POWERLINK is an ideal basis due to its strictly deterministic timing, very short cycle times, and low jitter, Measures it is not an outright prerequisite for using the Safety protocol. An auto- nomous, bus-independent protocol, POWERLINK Safety is categorically compatible to Ethernet-based and Faults Time stamp Time monitoring Identifier CRC Protection Redundancy with Distinct frame real-time capable fi eldbuses. POWER- cross-checks structures LINK Safety uses checksum proce- Duplication dures to perpetually examine whether transferred data content is incomplete, Loss and constantly monitors the data transfer rate. As POWERLINK features Insertion extremely short cycle times, failures are detected almost without any delay. Incorrect sequence Since all data traffi c irregularities will thus be recognized, even unsafe net- Delay works do not compromise safety func- tionality. However, the highest degree Distortion of safety for an automation solution can be achieved by implementing a Mix-up of standard consistent safety-oriented architec- and Safety Frames ture, which uses safe sensors, actua- tors, and controllers, i.e. devices that supply and process redundant data. Illustration 1: The table shows all known transmission errors and POWERLINK Safety‘s applicable The following paragraphs provide a fault recognition mechanisms. brief overview of the transmission SPECIAL 5 The Magazine for the FACTS Industrial Ethernet Standard ty – how it works

Time monitoring in order to prevent to the data set. The checksum is a compares the identical content of the up to 1023 nodes or devices permitted faults caused by data loss or excessive distinctive encoding of the data set two subframes. The probability that the within each of these. Safety domains delays means that the nodes are conti- itself. Using the bit sequence and the same data is changed or destroyed in can extend over different and inhomo- nuously monitored for live operation key, the receiver calculates the original two such frames is extremely low, and geneous networks, and can integrate and proper functioning. In addition, data set, and checks the result against even lower the more the frame length the Safety nodes that are scattered as they are prompted for reply, Consu- the unencoded data set received. If increases. That said, even in this extre- throughout these into one domain. mers can tell that the data link remains any deviations from the original data mely exceptional case, the checksums Safe and unsafe devices can be opera- established. POWERLINK Safety imple- content are detected, the message will still serve as a corrective. The special ted within one domain. Gateways allow ments this mechanism, which is called be ignored. format of the POWERLINK Safety fra- for intercommunication between diffe- “Watchdog,” as a software-based mes, i.e. the two subframes with their rent Safety domains. POWERLINK Sa- function. own individual checksums, also makes fety enables users to make hierarchical separations as well as to establish separate Safety zones on a network. The- refore, e.g. installations can be made in one zone, while production in other Frame zones carries on unimpeded. In every domain, a Safety Conﬁ guration Mana- ger (SCM) is responsible for continuo- Payload data area us monitoring of all Safety nodes.

Data CRC Data CRC

subframe 1 subframe 2

Safety frame

Illustration 2: The Safety frame is transported in the payload data area of a standard frame. It is comprised of two identical subframes, each of which carries an individual checksum to safeguard its integrity.

POWERLINK Safety frames also feature ■■ Structure of the “masquerades” extremely unlikely to a unique, 8-bit or 16-bit identifi cation POWERLINK Safety occur, and precludes any erroneous tag that encodes parts of the address frame processing of a masked standard fi eld, the telegram type contained, and message. the frame type. This identifi er preclu- POWERLINK Safety duplicates the con- des any mix-ups on the receiving end. tents to be transferred and conjoins the The most reliable means to identify two blocks of data into one POWER- changes to the original content is the LINK Safety frame. Hence, the POWER- ■■ The POWERLINK CRC procedure, which employs polyno- LINK Safety frame consists of two sub- Safety network mial division to generate a checksum frames with identical content. Each for each data set, and attaches that subframe is provided with an individual A POWERLINK Safety network may con- and the polynomial as a bit sequence checksum as a safeguard. The receiver tain up to 1023 Safety domains, with 6 SPECIAL 1/2009

»openSAFETY – the ﬁ rst entirely open system for safety-oriented applications« INTERVIEW WITH ANTON MEINDL, EPSG EXECUTIVE OFFICER

■■■■■■■■■■■■■ Mr Meindl, one and a half years ago, the EPSG has released openPOWERLINK, and it is now announcing an openSAFETY release for the upcoming SPS/IPC/Drives exhibition. What has been your experience with the open source release so far?

Meindl: We have had very good ex- periences with our open source policy. Since the day of the release of open- POWERLINK, we have seen a surge of downloads and have ﬁ elded many in- quires. Besides the German-speaking countries, our offer has been in great demand in Italy and France as well, and in Asia in particular, where open- POWERLINK has given rise to many new developments.

■■■■■■■■■■■■■ What, then, was the reason for the EPSG to release openSAFETY, i.e. a safety- oriented protocol, as open Anton Meindl, EPSG Executive Ofﬁ cer source?

Meindl: It is laid open because we intend to provide users in automation with an open source version of all nufacturers have inquired whether the- Meindl: No, the protocol is identical Bernecker+Rainer. What have crucial software needed to operate re was also an open system for safety- and provides the same scope of func- been the reactions at B&R, POWERLINK networks – in order to en- oriented applications. Hence, we are tions. With this open source release, where POWERLINK Safety is sure top long-term viability for their in- glad that a respected specialist like manufacturers get a tried and tested used as an integrated part of vestments. After SYSTEC electronic IXXAT has taken up this issue and is system with no development risk, a sy- the safety systems? took the fi rst step last year in April by now going to provide openSAFETY. stem they can base their own product releasing the open source version of developments on. Meindl: Well, comparable issues the POWERLINK stacks for Masters have come up with respect to POWER- and Slaves, the French service provider ■■■■■■■■■■■■■ LINK before. Based on that previous Kalycito followed suit one year later Are there any differences or ■■■■■■■■■■■■■ experience, there is a very positive view with a free confi guration tool for restrictions compared to the You are not only the EPSG‘s at B&R as regards the opening of the POWERLINK networks, the openCONFI- existing POWERLINK Safety? Executive Offi cer, but also safety protocol. We generally believe GURATOR. In the aftermath, many ma- a Business Manager at we need to distinguish ourselves based SPECIAL 7 The Magazine for the FACTS Industrial Ethernet Standard

What does SIL mean?

POWERLINK Safety has been approved by TÜV Rheinland for SIL 3 systems. What does that mean? SIL means Safety Integrity Level and constitutes a rating of the failure probability of a system based on IEC/EN 61508. The categories run from SIL level 1 to 4, with the probability of failure decreasing as the level rating increases. SIL 3 cor- responds to a probability of failure of 10 –7 to 10 –8 failures per hour. The responsible IEC commission once established the general rule that the bus of a safety system must not be involved with more than one percent of all failures. In practice, that means that POWERLINK Safety may cause no more than 10 –9 errors per hour – in other words, no more than one fault about every 115,000 years.

on the devices. This is where we can ■■■■■■■■■■■■■ compliant technology development, we project management skills needed for create unique selling points. If you What does that mean? recommend that they seek adequate the creation of functionally safe pro- were to use a protocol as your USP, support from experts, anyway. When in ducts. Those who have the expert and this also goes for a safety-oriented Meindl: That means that, while doubt, this will save manufacturers a knowledge as well as the necessary protocol, that would even result in un- openSAFETY is released under the great deal of time, money, and nerves, experience, and who can do without favorable views on the part of your cu- BSD license, it can only be downloa- since the IEC 61508 standard imposes external services, do get a free soft- stomers. Openness tends to be more ded via IXXAT‘s website, and only demanding requirements on them. ware basis in openSAFETY, and do and more – and rightfully so – equated following a registration. These include experience with the in- not have to pay any license fees. with long-term investment viability. terpretation of the standards, the strict What is true for standard network tech- documentation rules, and the special nologies will, in the future, increasingly ■■■■■■■■■■■■■ be true for safety protocols as well. Why is that so?

Meindl: For reasons to do with the ■■■■■■■■■■■■■ special considerations regarding If anyone can modify the safety-sensitive products. This is the software, doesn‘t a safety- only way to enable IXXAT to provide 1/2009 oriented product like those who have downloaded openSA- The Magazine for the FACTS Industrial Ethernet Standard POWERLINK Safety imply FETY with important information about the danger that a user may the software, or notify them about up- disable safety-sensitive dates or revisions. Masthead functions by making changes to the protocol? »POWERLINKFACTS« is an information service of the EPSG – ETHERNET POWERLINK STANDARDIZATION GROUP, ■■■■■■■■■■■■■ POWERLINK Offi ce, Kurfürstenstraße 112, 10787 Berlin, Germany Meindl: You are addressing a very Do you generally assume important point here, in fact, one we that the “downloaders” have Conception, Layout, Project Marketing and Coordination: FR&P Werbeagentur Reisenecker & Broddack GmbH, have discussed in detail with our legal the necessary know-how for Kurfürstenstr. 112, 10787 Berlin, Germany department. The TÜV approval for SIL 3 safe adaptations of the soft- Phone: +49 30 85 08 85-0, Fax: +49 30 85 08 85-86 systems is only valid for the unmodifi ed ware to their devices? Publication Management: A.-Christian Broddack, original stack. Every modifi cation for Erich Reisenecker actual use in an application requires a Meindl: That totally depends on the Coordination Editorial Offi ce/Production Team: new examination or certifi cation by an specifi c case. We do give all users a Heide Rennemann-Ihlenburg authorized entity. Since there is no ap- chance, though, to review the source Editorial Offi ce: gii die Presse-Agentur GmbH, plicable precedent for laying open sa- code. If and how they use the software Immanuelkirchstr. 12, 10405 Berlin, Germany fety-oriented software, we are breaking depends on the experience and capa- Phone: +49 30 53 89 65-0, Fax: +49 30 53 89 65-29 new ground here in the open source cities of the development departments Editor in Chief: Rüdiger Eikmeier arena. that use the code. If users have only Staff Editor: Heiko Wittke Editorial Assistant: Asja Kootz little or no expertise for IEC standard- © Copyright Notice The name and layout of »POWERLINKFACTS« are protected by copyright laws. Republication in full or in excerpts requires advance permission from the editorial offi ce. 8 SPECIAL 1/2009

openSA

Schlegel: ching the entire safety development It is not so that users cannot modify the process; it applies a structure of recur- stack. Functional changes or optimiza- ring cycles of analysis, development, tions are, of course, possible. However, validation, and extensive documentati- if a modifi ed stack is to be used in an on. Besides these procedures, a Func- actual application, it will have to under- tional Safety Management System go a reexamination and a new certifi ca- (FSM) must also be established. For tion. As a rule, though, this will be ne- SIL3, the Functional Safety assess- cessary anyway, since manufacturers ment including the development pro- will have to create new or modifi ed cess and FSM should be conducted code in any case in order to adapt the by an independent organization (e.g., stack to their hardware, and a certifi - TÜV). Hence, manufacturers seeking to cate can basically only be issued for a implement a product in compliance specifi c product. Hence, our release with the IEC 61508 standard on Func- Christian Schlegel, CEO at IXXAT, on the open source is supposed to initially provide users tional Safety need a great deal of me- and other interested parties with two thodological skills as well as adequate release of the POWERLINK Safety stack, and on what makes things: fi rstly, we support manufactu- qualifi cations. In order to facilitate that safety-oriented software with an open source license a rers who are developing safety pro- and to speed it up, we offer our range ducts, or plan such developments, by of services, including a hands-on intro- special case. making code openly available to them duction to POWERLINK Safety and the that they can familiarize themselves implementation of the openSAFETY with, and base developments of their stack, and services for the creation of own solutions on, even for their own systems and deployment concepts, communication protocols. Secondly, and development and certifi cation ser- the open source release relieves users vices for customized, IEC 61508 com- ■■■■■■■■■■■■■ ■■■■■■■■■■■■■ of license fees that would otherwise be pliant hardware and software, and ad- Mr Schlegel, what has What are the differences? due. Of course, we offer our services to ditional support and maintenance ser- moved you and your manufacturers as well. vices. company to make the stack Schlegel: for POWERLINK Safety The differences lie in liability issues. In openly available to the this regard, safety-oriented products public at this time? are a very sensitive area. Only in its ■■■■■■■■■■■■■ ■■■■■■■■■■■■■ present form is the POWERLINK Safety What kind of services do If I am interested in your Schlegel: stack TÜV-certifi ed for Safety Integrity you actually offer in this POWERLINK Safety stack, We are doing this in support of the Level 3. This is a sample certifi cation, regard? where do I get it? Will IXXAT EPSG policy of creating an open so to speak, which is obviously only make it available on Source- POWERLINK world. With the POWER- valid for the unmodifi ed stack, and for Schlegel: forge.net? LINK user organization releasing an POWERLINK Safety‘s basic safety me- Generally speaking, in order to comply open source POWERLINK version last chanisms. with the standard, any development Schlegel: year, and the openCONFIGURATOR of safety-oriented hardware and soft- No, at least not with the fi rst step we following suit this year, we believe this ware must observe the applicable IEC take. Again, this is due to legal issues is a logical next step. Even though 61508 requirements, which makes the and user safety issues. We will provide laying open POWERLINK Safety is a ■■■■■■■■■■■■■ matter somewhat complex. It is guided the stack on the IXXAT website for fundamentally different matter than But if users cannot adapt the by the systematics of the V model. One download free of charge, but tied to the open release of the regular stack, what good is the open might say that the V model can, as a a registration, so we can notify users POWERLINK stack. source release? rule, be used as a blueprint for approa- of any changes as they happen via SPECIAL 9 The Magazine for the FACTS Industrial Ethernet Standard

FETY: Stage 1

e-mail. We will see what form this will ■■■■■■■■■■■■■ ABOUT THE COMPANY actually take, and whether an eventual What does the free release on Sourceforge will be consi- availability of the stack dered at some point in time. This is a mean for manufacturers IXXAT is a leading supplier of products new practice for us, too; we are taking and for IXXAT? and services for industrial data commu- a gradual approach to it. nication systems used in automation Schlegel: and automotive technology. In industrial For manufacturers, openSAFETY is a basis for implementing safety systems communication systems, key technologies comprise solutions based ■■■■■■■■■■■■■ and components that is delivered free on CAN (CANopen, DeviceNet), Ethernet (POWERLINK, EtherNet/IP, Where is the POWERLINK to their doorstep. However, every ma- Profi net, EtherCAT, SERCOS III, Modbus-TCP), and TCP/IP with the asso- Safety Stack already in use? nufacturer of safety technology will ciated Internet protocols and IEEE 1588. In automotive applications, key Has the software been tried have to make some adaptations so the solutions are based on CAN (diagnostics protocols, SAE J1939), FlexRay, in practice? software fi ts their hardware. For these and LIN. The company‘s product range includes interface cards, test necessary adaptations, manufacturers Schlegel: may choose to take these on them- systems, tools for analysis, and protocol software. IXXAT‘s engineering It certainly has. B&R uses the stack selves, or to make use of services of- services provide comprehensive support for introducing and operating in their safety controllers and safety fered by IXXAT. Besides that, we are, of communication systems: from training and consulting, systems solu- I/Os. course, not only a software provider; tions design, and customized hardware and software development, to our range of services includes custo- supply and maintenance of customer-specifi c series products. Moreover, mized hardware developments as well IXXAT also has suitable experience in the development of safety-relevant as the supply and maintenance of cu- ■■■■■■■■■■■■■ stomer-specifi c series products. Ma- hardware and software according to IEC 61508. Where do you see potential nufacturers without intimate expe- growth areas for safety tech- rience regarding safety matters may nology? fi nd it much more economical to commission an external service provider Schlegel: like IXXAT for complex developments. With the proliferation of automation, The Safety open source release simple the CAN world, and our experience in there are more and more areas with an gives manufacturers in the industry this fi eld has been that an open stan- increasing demand for safe data trans- more room to maneuver. dard is a boon to all, and enables mar- fer technology, which ensures that ket growth. While we do not want to be transmission errors are automatically dogmatic about it – we also provide a detected, and functional failures are wide range of other industrial Ethernet- prevented. What fi rst comes to mind is ■■■■■■■■■■■■■ based communication systems –, we medical technology, as well as auto- And you benefi t from that? do consider POWERLINK and its poten- motive technology in the broadest sen- tial for high availability networks and se. Another key area would be outdoor Schlegel: safety applications to be an ideal machines, such as cranes, excavators, The bottom line is that we will, of complement to CANopen. Moreover, and the like. course, also benefi t from the increa- POWERLINK Safety also works in CAN sing proliferation, and will gain more networks. exposure as a competent partner for technology relevant to safety. For quite some time, we have already been ha- ving a similar experience with CAN- open. Obviously, we have grown up in 10 SPECIAL 1/2009

Dr. Till Jaeger is a partner at JBB Rechtsanwälte in Berlin, a law ﬁ rm specializing in intellectual property protection issues and focusing on counseling corporate clients from the IT industry. In 2000, he co-founded the Institute for Legal Issues of Free and Open Source Software (ifrOSS), which provides an academic perspective on legal issues concerning open source software and intellectual property legislation. Till Jaeger is an accredited IP law and media law specialist and co-author of the standard work, “Open Source Software – Rechtsfragen der Freien Software” (Open Source Software – Legal Issues in Free Software). Liability for safety open source?

As in other areas, the use of open sour- Generally speaking, anyone who sup- certifi cates for it, the presence of a technical workings. The information ce software has become an everyday plies something in return for compen- software defect can be assumed if the requirements pertain to the collection practice in the automation industry. For sation is liable for deliberate as well as software does not meet the expecta- and examination of customer com- all the benefi ts comprehensive licen- (even slightly) negligent actions. No- tions regarding safety. In this case, the plaints – software manufacturers may sing may have for users, it does, on the tably, this is unaffected by the liability seller must provide compensation for therefore not close their eyes to pro- other hand, leave software manufactu- and warranty exclusion clauses com- any damage that results from intentio- blems. Hence, a download service rers faced with the question of the ex- monly found in open source licenses, nal or negligent conduct causing a fai- should not only provide the open sour- tent of their liability whenever they which, at least in Germany, are incom- lure to meet the safety level, while the ce software itself, but should also ena- provide developments under an open patible with applicable Law governing grantor of a license for a gratuitous of- ble defect reports and establish a me- source license, such as the GNU Gene- General Terms and Conditions. fer is only liable for immediate damage ans to contact the acquirers to pass ral Public License (GPL). Do any additi- caused by intentional misrepresenta- any relevant notifi cations on to them. onal liabilities arise for implementa- However, the liability situation changes tions, and for so-called consequential However, a general obligation to reme- tions that make a claim to provide spe- when software is distributed free of damage to other legally protected in- diate defects that occur is unlikely to cial safety standards, e.g. because charge, e.g. via a free download ser- terests if such damage is caused by apply. they are supplied with suitable safety vice. In this instance, the predominant gross negligence. certifi cates? view in jurisprudence is that the laws Besides the contractual liability and governing donations should be ap- Though some liability remains with de- the obligation to monitor one‘s own In order to understand legal liability as plied. That means, as the maxim “never velopers who provide their creations products, there is a statutory strict pro- it pertains to the use of open source look a gift horse in the mouth” has it, free of charge as open source software, duct liability, i.e. a liability regardless of software, one must be aware that the the provider is only liable for intentional that only applies to the unchanged pro- fault. However, it only extends to bodily scope of liability is not tied to the na- conduct, including defects intentionally gram. Anyone who deploys an open injuries and material damages suffered ture of the licensing model, but rather misrepresented by silence, and for source program changed in some way by private consumers. Ultimately a me- to the actual distribution model. As a gross negligence, if a product causes can only hold the grantor of the license ans of consumer protection, it affects rule, liability for software therefore ap- damage to legally protected interests liable if he or she can prove that speci- manufacturers as well as distributors. plies regardless of whether conventio- other than the product itself, as e.g. in fi c damages caused would also have Every software provider must assume nally licensed, so-called proprietary the case of injuries to persons due to a occurred if no changes had been made this basic liability, which, incidentally, software or an open source program is software-related machine malfunction. to the software. Since, in practice, does not extend to general fi nancial used. Anyone selling products that such proof is usually very hard to come losses. In practice, though, it rarely operate with the help of open source Hence, manufacturers or grantors of by, the liability risk of software manuf- becomes relevant at all. software is liable to buyers of these to open source software licenses are lia- acturers who release their develop- the same extent as to users of proprie- ble to a much lesser extent than distri- ments as open source is likely to re- tary software; since the customer pays butors who include such programs in main a small concern in many cases. for a product as a whole, he may ex- products for commercial distribution. pect a working system irrespective of This also applies to open source soft- It should be noted, though, that both the specifi c license(s) of the software ware on which users bestow particular commercial distributors and manufac- contained within. What matters is the- trust due to a safety certifi cate. Safety turers who provide gratuitous offers are refore not the extent of the user rights certifi cates do not lead to an expansi- subject to a general obligation to moni- provided, but the fact whether the soft- on of the grounds of liability – i.e. tor their products. This includes infor- ware is paid for, or is rendered free of whether liability must be assumed for mation requirements as regards de- charge. As part of a product for com- negligent acts or only for intentional fects of the software that become mercial distribution, open source soft- misrepresentations –, but solely have known as well as an obligation to take ware can also be considered to have an impact on what can be considered a measures that depends on the scale been provided for valuable considerati- software defect. If a software buyer can and scope of the danger and on other on. expect particular safety features due to individual circumstances, e.g. the safe- public statements of the seller about ty relevance and the price of the soft- the software at hand or designated ware, as well as on knowledge about SPECIAL 11 The Magazine for the FACTS Industrial Ethernet Standard

What do manufacturers of Safety devices need to consider?

One mistaken often made is e.g. the ■■ Structuring soft- Manufacturers seeking to develop products that comply separate development of safety-rela- ware development: with the IEC 61508 standard on Functional Safety in elec- ted and not safety-related parts of a the V model tronics face much more demanding requirements than system, when it is indeed imperative those for technical expertise alone. The development of to defi ne the safety requirements for In order to identify any faults as quickly safe devices is a management task that calls for highly every single component at the outset. as possible, and to comply with the qualifi ed staff with a range of advanced methodological Much in the same vein, the overall ef- standard at all times in the course of skills. fort must be monitored continually, a project, the entire development se- and there must be running assess- quence should adhere to the V model. ments at all times as the project pro- This project management method ceeds, lest expenses for incidental re- aligns all project stages, such as analy- mediation become unnecessarily high. ses of requirements, the design, imple- Inexperienced developers often expect mentation, software and hardware auditors to provide precise instructions testing phases, and the validation of for remediation – but to no avail, for the system as a whole, with a view to an auditor will only check whether a their timing and level of detail, which system complies with the standard or yields a diagram featuring a V-formati- not. The only means to come to grips on for the sequence of discrete steps. with any faults is a design-oriented ma- The particular methods and tools nagement scheme that systematically employed depend on the SIL level to defi nes measures in every phase of de- be achieved, which calls for highly velopment, and considers the entire qualifi ed developers with a range of safety lifecycle. advanced methodological skills. Given its extensive obligations regar- ■■ Functional Safety It has become clear that Functional ding documentation as well as proof Management Safety developments impose deman- of extensive analyses and validations, ■■ Avoid systematic ding requirements on management IEC 61508 constitutes a management A “proven-in-use” approval is not pos- faults, keep acciden- as a whole. Manufacturers lacking ex- challenge with repercussions through- sible for new developments. The proce- tal faults in check tensive experience in these matters out the company. The Safety Integrity dural steps mandated by the IEC are well advised to turn to specialized Level (SIL) is often mistaken for a plain 61508 standard must therefore be de- The extensive documentation that ac- service providers. The additional ex- device predicate. However, the IEC fi ned and established as binding by a companies the project is not the only penses can be compensated to some 61508 standard applies to the entire development department. At fi rst, the cause for considerable effort. Contri- degree by using the free and openly safety lifecycle of a product – from its existing hardware and software of the buting factors also include risk analy- available protocols openSAFETY and conceptual design, to planning and devices must be analyzed with respect ses, analyses of the implications of openPOWERLINK, which relieve manu- development, to implementation, to the planned safety function. Small changes, and validations that conclude facturers of a great portion of the deve- operation, maintenance, and modifi - changes to the hardware will usually every development step in order to rule lopment effort for data communication cation, to its eventual decommissio- suffi ce, and sometimes some existing out any systematic faults. However, solutions. ning. It even extends to the deinstalla- software portions can be kept as well. accidental faults cannot be eliminated tion of the safety-sensitive system A lack of experience regarding the in- in this way, but do instead require an for which the manufacturer has made terpretation of the complex standard, analysis of the probability of failure as a specifi c safe device. Some manufac- as well as pertaining to audit and certi- well as a deployment of tools for sy- turers are quickly overwhelmed by fi cation procedures, often make it hard stem diagnostics. A dedicated Safety the complexity of the IEC standard to achieve the goal. Insuffi cient syste- Manager must assume responsibility document. matics of the working process and an for monitoring all activities based on insuffi cient defi nition of procedural a safety plan. steps also add to these complications. 6 100 % reliable 100 % secure 100 % safe 100 % FACT 6: 300PERCENT APPROVED POWERLINK TOP TEN

with POWERLINKSafety equipment andyourinvestments. www.ethernet-powerlink.org and reliability. POWERLINKthusperfectlysafeguardsyour real-time communicationensuresmaximummachinesafety up toSIL3. Itscleardistinctionbetweenreal-timeandnon- POWERLINK safetyimplementsintegrated TÜV-certi

due toseparate domains

due toHigh Availability services

ﬁ ed safety ed

FR&P

MM-E00941.782 Powerlink Facts Herbst 2009 englisch