EN 62439-5:2010

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Industrijska komunikacijska omrežja za avtomatizacijo z visoko razpoložljivostjo - 5. del: Protokol redundance Beacon (BRP) (IEC 62439-5:2010)Industrielle Kommunikationsnetze - Hochverfügbare Automatisierungsnetze - Teil 5: Funkbaken-Redundanz-Protokoll (BRP) (IEC 62439-5:2010)Réseaux de communication industrielle - Réseaux d’automatisme à haute disponibilité - Partie 5 :Protocole de redondance à balise (BRP) (CEI 62439-5:2010)Industrial communication networks high availability automation networks - Part 5: Beacon Redundancy Protocol (BRP) (IEC 62439-5:2010)35.110OmreževanjeNetworking25.040.01Sistemi za avtomatizacijo v industriji na splošnoIndustrial automation systems in generalICS:Ta slovenski standard je istoveten z:EN 62439-5:2010SIST EN 62439-5:2010en01-maj-2010SIST EN 62439-5:2010SLOVENSKI
STANDARD
EUROPEAN STANDARD EN 62439-5 NORME EUROPÉENNE
EUROPÄISCHE NORM March 2010
CENELEC European Committee for Electrotechnical Standardization Comité Européen de Normalisation Electrotechnique Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: Avenue Marnix 17, B - 1000 Brussels
© 2010 CENELEC -
All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 62439-5:2010 E
ICS 25.040; 35.040 Supersedes EN 62439:2008 (partially)
English version
Industrial communication networks -
High availability automation networks -
Part 5: Beacon Redundancy Protocol (BRP) (IEC 62439-5:2010)
Réseaux de communication industrielle - Réseaux d’automatisme à haute disponibilité -
Partie 5 :Protocole de redondance à balise (BRP)
(CEI 62439-5:2010)
Industrielle Kommunikationsnetze -
Hochverfügbare Automatisierungsnetze - Teil 5: Funkbaken-Redundanz-Protokoll (BRP)
(IEC 62439-5:2010)
This European Standard was approved by CENELEC on 2010-03-01. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.
Foreword The text of document 65C/583/FDIS, future edition 1 of IEC 62439-5, prepared by SC 65C, Industrial networks, of IEC TC 65, Industrial-process measurement, control and automation, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as EN 62439-5 on 2010-03-01. This EN 62439-5 together with EN 62439-1, EN 62439-2, EN 62439-3, EN 62439-4 and EN 62439-6 supersedes EN 62439:2008. EN 62439-5:2010 includes the following significant technical changes with respect to EN 62439:2008: –
adding a calculation method for RSTP (rapid spanning tree protocol, IEEE 802.1Q), –
adding two new redundancy protocols: HSR (High-availability Seamless Redundancy) and DRP (Distributed Redundancy Protocol), –
moving former Clauses 1 to 4 (introduction, definitions, general aspects) and the Annexes (taxonomy, availability calculation) to EN 62439-1, which serves now as a base for the other documents, –
moving Clause 5 (MRP) to EN 62439-2 with minor editorial changes, –
moving Clause 6 (PRP) was to EN 62439-3 with minor editorial changes, –
moving Clause 7 (CRP) was to EN 62439-4 with minor editorial changes, and –
moving Clause 8 (BRP) was to EN 62439-5 with minor editorial changes, –
adding a method to calculate the maximum recovery time of RSTP in a restricted configuration (ring) to EN 62439-1 as Clause 8, –
adding specifications of the HSR (High-availability Seamless Redundancy) protocol, which shares the principles of PRP to EN 62439-3 as Clause 5, and –
introducing the DRP protocol as EN 62439-6. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights. The following dates were fixed: – latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement
(dop)
2010-12-01 – latest date by which the national standards conflicting
with the EN have to be withdrawn
(dow)
2013-03-01 Annex ZA has been added by CENELEC. __________ SIST EN 62439-5:2010

- 3 - EN 62439-5:2010 Endorsement notice The text of the International Standard IEC 62439-5:2010 was approved by CENELEC as a European Standard without any modification. In the official version, for Bibliography, the following notes have to be added for the standards indicated: IEC 61158 series NOTE
Harmonized in EN 61158 series (not modified). IEC 62439-2 NOTE
Harmonized as EN 62439-2. IEC 62439-3 NOTE
Harmonized as EN 62439-3. IEC 62439-4 NOTE
Harmonized as EN 62439-4. IEC 62439-6 NOTE
Harmonized as EN 62439-6.
Annex ZA
(normative)
Normative references to international publications with their corresponding European publications
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
NOTE
When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.
Publication Year Title EN/HD Year
IEC 60050-191 - International Electrotechnical Vocabulary (IEV) - Chapter 191: Dependability
and quality of service - -
IEC 62439-1 2010 Industrial communication networks - High availability automation networks -
Part 1: General concepts and calculation methods EN 62439-1 2010
ISO/IEC/TR 8802-1 - Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements -
Part 1: Overview of Local Area Network Standards - -
ISO/IEC 8802-3 2000 Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements -
Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications - -
IEEE 802.1D - IEEE Standard for Local and Metropoitan Area Networks - Media Access Control (MAC) Bridges - -
IEEE 802.1Q - IEEE Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area Networks - -
IEC 62439-5Edition 1.0 2010-02INTERNATIONAL STANDARD
Industrial communication networks – High availability automation networks –
Part 5: Beacon Redundancy Protocol (BRP)
INTERNATIONAL ELECTROTECHNICAL COMMISSION XICS 25.040, 35.040
PRICE CODEISBN 2-8318-1081-5
– 2 – 62439-5 © IEC:2010(E) CONTENTS FOREWORD.4 INTRODUCTION.6 1 Scope.7 2 Normative references.7 3 Terms, definitions, abbreviations, acronyms, and conventions.7 3.1 Terms and definitions.7 3.2 Abbreviations and acronyms.8 3.3 Conventions.8 4 BRP overview.8 5 BRP principle of operation.8 5.1 General.8 5.2 Network topology.8 5.3 Network components.10 5.4 Rapid reconfiguration of network traffic.11 6 BRP stack and fault detection features.11 7 BRP protocol specification.13 7.1 MAC addresses.13 7.2 EtherType.13 7.3 Fault detection mechanisms.13 7.4 End node state diagram.13 7.5 Beacon end node state diagram.21 8 BRP message structure.27 8.1 General.27 8.2 ISO/IEC 8802-3 (IEEE 802.3) tagged frame header.28 8.3 Beacon message.28 8.4 Learning_Update message.28 8.5 Failure_Notify message.29 8.6 Path_Check_Request message.29 8.7 Path_Check_Response message.29 9 BRP fault recovery time.29 10 BRP service definition.30 10.1 Supported services.30 10.2 Common service parameters.31 10.3 Set_Node_Parameters service.31 10.4 Get_Node_Parameters service.33 10.5 Add_Node_Receive_Parameters service.35 10.6 Remove_Node_Receive_Parameters service.37 10.7 Get_Node_Status service.38 11 BRP Management Information Base (MIB).39 Bibliography.41
Figure 1 – BRP star network example.9 Figure 2 – BRP linear network example.9 Figure 3 – BRP ring network example.10 Figure 4 – BRP stack architecture.11 SIST EN 62439-5:2010

62439-5 © IEC:2010(E) – 3 – Figure 5 – BRP state diagram of end node.14 Figure 6 – BRP state diagram for beacon end node.21
Table 1 – BRP end node flags.16 Table 2 – BRP end node state transition table.17 Table 3 – BRP beacon end node flags.23 Table 4 – BRP beacon end node state transition table.24 Table 5 – BRP common header with ISO/IEC 8802-3 (IEEE 802.3) tagged frame format.28 Table 6 – BRP beacon message format.28 Table 7 – BRP Learning_Update message format.28 Table 8 – BRP Failure_Notify message format.29 Table 9 – BRP Path_Check_Request message format.29 Table 10 – BRP Path_Check_Response message format.29 Table 11 – BRP Set_Node_Parameters service parameters.32 Table 12 – BRP Get_Node_Parameters service parameters.34 Table 13 – BRP Add_Node_Receive_Parameters service parameters.36 Table 14 – BRP Remove_Node_Receive_Parameters service parameters.37 Table 15 – BRP Get_Node_Status service parameters.38
– 4 – 62439-5 © IEC:2010(E) INTERNATIONAL ELECTROTECHNICAL COMMISSION ____________
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 5: Beacon Redundancy Protocol (BRP)
FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. International Standard IEC 62439-5 has been prepared by subcommittee 65C: Industrial Networks, of IEC technical committee 65: Industrial-process measurement, control and automation. This standard cancels and replaces IEC 62439 published in 2008. This first edition constitutes a technical revision. This edition includes the following significant technical changes with respect to IEC 62439 (2008): – adding a calculation method for RSTP (rapid spanning tree protocol, IEEE 802.1Q),
– adding two new redundancy protocols: HSR (High-availability Seamless Redundancy) and DRP (Distributed Redundancy Protocol),
– moving former Clauses 1 to 4 (introduction, definitions, general aspects) and the Annexes (taxonomy, availability calculation) to IEC 62439-1, which serves now as a base for the other documents,
– moving Clause 5 (MRP) to IEC 62439-2 with minor editorial changes, SIST EN 62439-5:2010

62439-5 © IEC:2010(E) – 5 – – moving Clause 6 (PRP) was to IEC 62439-3 with minor editorial changes,
– moving Clause 7 (CRP) was to IEC 62439-4 with minor editorial changes, and
– moving Clause 8 (BRP) was to IEC 62439-5 with minor editorial changes, – adding a method to calculate the maximum recovery time of RSTP in a restricted configuration (ring) to IEC 62439-1 as Clause 8,
– adding specifications of the HSR (High-availability Seamless Redundancy) protocol, which shares the principles of PRP to IEC 62439-3 as Clause 5, and
– introducing the DRP protocol as IEC 62439-6. The text of this standard is based on the following documents: FDIS Report on voting 65C/583/FDIS 65C/589/RVD
Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table. This International Standard is to be read in conjunction with IEC 62439-1:2010, Industrial communication networks – High availability automation networks – Part 1: General concepts and calculation methods. A list of the IEC 62439 series can be found, under the general title Industrial communication networks – High availability automation networks, on the IEC website. This publication has been drafted in accordance with ISO/IEC Directives, Part 2. The committee has decided that the contents of this amendment and the base publication will remain unchanged until the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed, • withdrawn, • replaced by a revised edition, or • amended. A bilingual version of this standard may be issued at a later date.
IMPORTANT – The “colour inside” logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this publication using a colour printer.
– 6 – 62439-5 © IEC:2010(E) INTRODUCTION The IEC 62439 series specifies relevant principles for high availability networks that meet the requirements for industrial automation networks.
In the fault-free state of the network, the protocols of the IEC 62439 series provide ISO/IEC 8802-3 (IEEE 802.3) compatible, reliable data communication, and preserve determinism of real-time data communication. In cases of fault, removal, and insertion of a component, they provide deterministic recovery times.
These protocols retain fully the typical Ethernet communication capabilities as used in the office world, so that the software involved remains applicable. The market is in need of several network solutions, each with different performance characteristics and functional capabilities, matching diverse application requirements. These solutions support different redundancy topologies and mechanisms which are introduced in IEC 62439-1 and specified in the other Parts of the IEC 62439 series. IEC 62439-1 also distinguishes between the different solutions, giving guidance to the user. The IEC 62439 series follows the general structure and terms of IEC 61158 series. The International Electrotechnical Commission (IEC) draws attention to the fact that it is claimed that compliance with this document may involve the use of a patent concerning fault-tolerant Ethernet provided
through the use of special interfaces providing duplicate ports
that may be alternatively enabled with the same network address. Switching between the ports corrects for single faults in a two-way redundant system. This is given in Clauses 5 and 6. IEC takes no position concerning the evidence, validity and scope of this patent right. The holder of this patent right has assured the IEC that he/she is willing to negotiate licences either free of charge or under reasonable and non-discriminatory terms and conditions with applicants throughout the world.
In this respect, the statement of the holder of this patent right is registered with IEC. Information may be obtained from:
Rockwell Automation Technologies
1 Allen-Bradley Drive
Mayfield Heights
Ohio
USA Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. IEC shall not be held responsible for identifying any or all such patent rights. ISO (www.iso.org/patents) and IEC (http://www.iec.ch/tctools/patent_decl.htm) maintain on-line data bases of patents relevant to their standards. Users are encouraged to consult the data bases for the most up to date information concerning patents. SIST EN 62439-5:2010

62439-5 © IEC:2010(E) – 7 – INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 5: Beacon Redundancy Protocol (BRP)
1 Scope The IEC 62439 series is applicable to high-availability automation networks based on the ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) technology. This part of the IEC 62439 series specifies a redundancy protocol that is based on the duplication of the network, the redundancy protocol being executed within the end nodes, as opposed to a redundancy protocol built in the switches. Fast error detection is provided by two beacon nodes, the switchover decision is taken in every node individually. The cross-network connection capability enables single attached end nodes to be connected on either of the two networks.
2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. IEC 60050-191, International Electrotechnical Vocabulary – Chapter 191: Dependability and quality of service IEC 62439-1:2010, Industrial communication networks – High availability automation networks – Part 1: General concepts and calculation methods ISO/IEC/TR 8802-1, Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 1: Overview of Local Area Network Standards (IEEE 802.1) ISO/IEC 8802-3:2000, Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications IEEE 802.1D, IEEE standard for local Local and metropolitan area networks Media Access Control (MAC) Bridges IEEE 802.1Q, IEEE standards for local and metropolitan area network. Virtual bridged local area networks 3 Terms, definitions, abbreviations, acronyms, and conventions 3.1 Terms and definitions For the purposes of this document, the terms and definitions given in IEC 60050-191, as well as in IEC 62439-1, apply. SIST EN 62439-5:2010

– 8 – 62439-5 © IEC:2010(E) 3.2 Abbreviations and acronyms For the purposes of this document, the abbreviations and acronyms given in IEC 62439-1, apply, in addition to the following: BRP Beacon Redundancy Protocol DANB Double attached node implementing BRP 3.3 Conventions This part of the IEC 62439 series follows the conventions defined in IEC 62439-1. 4 BRP overview This clause specifies a protocol for an Ethernet network tolerant to all single point failures. This protocol is called Beacon Redundancy Protocol or BRP. A network based on the BRP is called a BRP network. The BRP network is based on switched ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) and ISO/IEC/TR 8802-1 (IEEE 802.1) technologies and redundant infrastructure. In this network, the decision to switch between infrastructures is made individually in each end node. 5 BRP principle of operation 5.1 General Subclauses
5.2 to
5.4 are an explanation of overall actions performed by the BRP state machine. If a difference in the interpretation occurs between these subclauses and the state machines in
7, then the state machines take precedence. 5.2 Network topology The BRP network topology can be described as two interconnected top switches, each heading an underlying topology of star, line, or ring. Beacon end nodes shall be connected to the top switches. Examples of star, linear and ring BRP networks are shown in Figure 1, Figure 2 and Figure 3 respectively. SIST EN 62439-5:2010

62439-5 © IEC:2010(E) – 9 – endnodeendnodeendnodeendnodeendnodeendnodebeaconnodebeaconnodeendnodeendnodeendnodeswitchswitchswitchswitchswitchswitchswitchswitchleaflinkleaflinkleaflinkinterswitchlinkinterswitchlinkedgeportsedgeportsaggregated linksinterswitchlportnetworkinfrastructure Anetworkinfrastructure Bendnodeendnodeendnodeendnodeendnodeendnodeendnodenodeend
Figure 1 – BRP star network example endnodeendnodeendnodeendnodeendnodeendnodeendnodeendnodebeaconnodebeaconnodeendnodeendnodeendnodeswitchswitchleaf linkleaf linkinterswitchlinkinterswitchlinkedgeportsedgeportsinterswitchportinterswitchportswitchswitchswitchswitchswitchswitch Figure 2 – BRP linear network example IEC
385/10 IEC
386/10 SIST EN 62439-5:2010
– 10 – 62439-5 © IEC:2010(E)
endnodeendnodeendnodeendnodeendnodeendnodeendnodeendnodebeaconnodebeaconnodeendnodeendnodeendnodeswitchswitchleaf linkleaf linkinterswitchlinkinterswitchlinkedgeportsedgeportsinterswitchportinterswitchportswitchswitchswitchswitchswitchswitch Figure 3 – BRP ring network example 5.3 Network components The BRP network is built from layer 2 switches compliant with IEEE 802.1D and ISO/IEC 8802-3 (IEEE 802.3). No support of the BRP protocol in switches is required.
Figure 1 shows an example of a BRP star network in the 2-way redundancy mode. It uses two sets of network infrastructure A and B (shown in two different colours). The number of levels of switches and number of switches on each level are dependent only on application requirements. Even with three levels of hierarchy it is possible to construct very large networks. For example, a BRP star network built from switches with eight regular ports and one uplink port can contain 500 nodes maximum. Two switches at the top level shall be connected to each other with one or more links providing sufficient bandwidth. With link aggregation capability, traffic is shared among bundle of links and failure of one link does not bring the network down. With such an arrangement infrastructures A and B form a single network. Two types of end nodes can be connected to the BRP network: doubly attached and singly attached. A doubly attached end node can function as a BRP end node or a BRP beacon end node. A BRP beacon end node is a special case of a doubly attached end node that is connected directly to the top switches. Though doubly attached BRP end nodes have two network ports they use only one MAC address. At any given point in time a BRP end node actively communicates through only one of its ports, while blocking all transmit and receive traffic on its other port, with the exception of received beacon messages and Failure_Notify messages. Fault tolerance is achieved in a IEC
387/10 SIST EN 62439-5:2010
62439-5 © IEC:2010(E) – 11 – distributed fashion by BRP end nodes switching between their ports from inactive to active mode and vice versa. As shown in Figure 1, Figure 2 and Figure 3, two beacon end nodes shall be connected to top level switches. Beacon end nodes multi/broadcast a short beacon message on the network periodically. Similarly to BRP end nodes, beacon end node at any given point in time actively communicates through only one of its ports, while blocking all traffic on its other port, with the exception of received Failure_Notify messages. Fault tolerance is achieved by beacon end nodes switching between their ports from inactive to active mode and vice versa. Singly attached end nodes may also be connected to BRP network but they do not support the BRP protocol. A singly attached node can communicate with doubly attached nodes as well as other singly attached nodes on the network. Since switches are IEEE 802.1D compliant, they support the RSTP protocol. This eliminates loop formation in BRP ring networks like in the one shown in Figure 3. 5.4 Rapid reconfiguration of network traffic For fast reconfiguration, multicast control features in the switches shall be disabled. The multicast traffic is therefore treated as the broadcast traffic. Unicast packets are affected by switches learning and filtering features. After end node port reconfiguration, switches have invalid knowledge. A switch implementing learning shall update its database when a packet with a learned MAC address in the source field is received on a different port from the learned port stored in the database. When a BRP end node switches to the inactive port, its first action is to send a short multicast message, called Learning_Update message, through its newly enabled port. As this message propagates through the network, switches update their MAC address database resulting in rapid reconfiguration of the unicast traffic. This message is of no interest to other end nodes in the network and is dropped by them. 6 BRP stack and fault detection features Figure 4 shows the BRP stack architecture. It is applicable to both BRP and beacon end nodes. IEEE 802.3 PHYIEEE 802.3 MACIEEE 802.3 MAClink redundancy entityIPTCPUDPIEEE 802.3 PHYupper layer protocolsLREManagement(Service)Port APort Bnon-TCP/IPstack Figure 4 – BRP stack architecture IEC
388/10 SIST EN 62439-5:2010
– 12 – 62439-5 © IEC:2010(E) The BRP stack contains two identical ISO/IEC 8802-3 (IEEE 802.3) ports, identified here as ports A and B, connected to the network. These ports interface with the MAC sub-layer compliant with ISO/IEC 8802-3 (IEEE 802.3). Though there are two physical ports, a BRP end node uses only a single MAC address. The link redundancy entity continuously monitors the status of leaf links between both ports and corresponding ports on the switches. When a failure of the leaf link between the end node active port and the corresponding port on the switch is detected, the link redundancy entity shall reconfigure end node ports, provided the inactive port was not in the fault mode as well. After reconfiguration, all traffic flows through the newly activated port. Some messages may be lost during the failure detection and reconfiguration process, and their recovery is supported by upper layer protocols which also deal with messages lost due to other network errors. The link redundancy entity also monitors arrival of beacon messages on both ports. When a beacon message fails to arrive at the active port for a configured timeout period, the port is declared to be in the fault mode, and the link redundancy entity shall reconfigure end node ports, provided the other port was not in the fault mode as well. After reconfiguration all traffic starts flowing through newly activated port. Failure of beacon messages to arrive at inactive ports shall also be detected. If one of the top switches fails, then all BRP nodes connected directly to it, or to network infrastructure below it, switch to the other network infrastructure. If, for example, the top switch of the LAN A fails, then all BRP nodes connected to LAN A switch over to LAN B. If the fault occurred on a beacon end node, the network continues to operate without any problems, since the other beacon end node is active. The rate of beacon message arrival decreases from approximately two messages per beacon timer interval to one. It is possible for transmit path failures to occur in the opposite direction to the flow of beacon messages. If such a fault manifests itself in the physical layer, it is detected by end nodes or switches adjacent to the faulty link. This results in a BRP end node reconfiguring its ports immediately or results in traffic being blocked on the affected link. The latter event leads to loss of beacon messages at the downstream end nodes, so they reconfigure themselves at expiry of the beacon timeout. In a case when such failures are not detectable in the physical layer, the following mechanism is employed by the BRP link redundancy entity to detect them. The fault detection method for identifying all transmission failures shall be implemented using lists of communication nodes including a receive timeout value for each transmitting end node of interest to the node. This list may be communicated to the link redundancy entity manually or dynamically configured utilizing LRE management entity. When a frame from a transmitting end node of interest fails to arrive before expiry of the associated Node_Receive timer, the receiving end node shall send a Failure_Notify message to the transmitting end node and send a Path_Check_Request message to beacon end nodes. Upon reception of a Failure_Notify message, the transmitting end node shall attempt to verify the transmit path by sending the Path_Check_Request message to beacon end nodes. When beacon end nodes receive these messages, they shall respond with Path_Check_Response messages. When Path_Check_Request fails to elicit response, an end node shall place its active port in faulted state and activate its inactive port, provided it is not in fault mode as well. BRP beacon end nodes also behave in a similar way. When a frame from a transmitting end node of interest fails to arrive before expiry of the associated Node_Receive timer, the receiving beacon end node shall send a Failure_Notify message to the transmitting end node and send a Path_Check_Request message to a designated set of end nodes. When beacon end nodes receive Failure_Notify messages themselves, they shall verify their transmit path by sending a Path_Check_Request message to a designated set of end nodes. Upon receiving Path_Check_Request message, the designated end nodes shall respond with SIST EN 62439-5:2010

62439-5 © IEC:2010(E) – 13 – Path_Check_Response message. When Path_Check_Request fails to elicit response, a beacon end node shall place its active port in faulted state and activate its inactive port, provided it is not in fault mode as well. When the faulted port is restored, it shall stay idle until a switchover is initiated or the currently active port fails. When both ports are operational, the BRP end node shall periodically switch its message activity from one port to the other. This switchover is controlled by the Active_Port_Swap timer. The LRE management entity is used to select an end node type (normal or beacon), configure protocol parameters (for example, beacon timer) and obtain the end node port status (active, failed, idle). All detected failures shall be reported to the LRE management entity to trigger further diagnosis and repair. Fault diagnostics services shall be provided by LRE management entity or other accessible entities in the network. 7 BRP protocol specification 7.1 MAC addresses BRP protocol shall use multicast address 01-15-4E-00-02-01. Both ports of a BRP node shall have the same MAC address for active communication. 7.2 EtherType The BRP protocol shall use assigned EtherType 0x80E1. 7.3 Fault detection mechanisms The following fault detection mechanisms are used: • Link fault detection This mechanism covers physical layer failures in transmit and receive directions on a link directly connected to the end node. • Receive path fault detection This is accomplished utilizing the beacon message transmission mechanism. • Transmit path fault detection This is accomplished utilizing Failure_Notify, Path_Check_Request, and Path_Check_Response messages. The periodic switchover between active and inactive ports ensures coverage of all transmit paths in the network. 7.4 End node state diagram The BRP end node state diagram is shown in Figure 5. SIST EN 62439-5:2010

– 14 – 62439-5 © IEC:2010(E) INITIALIZATIONIDLEFAULTpower oninitialization completedport A isoperationalboth portsfailedat least oneport is operationalport A failedport B failedPORT_A_ACTIVEPORT_B_ACTIVEbeaconbeaconport B isoperationalActive port swap timer expired Figure 5 – BRP state diagram of end node The BRP end node protocol state machine shall perform in accordance with the state transition table presented in Table 2. When the node is powered up and passed the initialization process (the Initialization_Completed flag is set), it resets the protocol state machine and transitions to the IDLE state. Since Port_A_Failed and Port_B_Failed flags were initially set, the node immediately transitions from the IDLE to the FAULT state. If link A is active and a beacon message is received on this link, then the node transitions from the FAULT state back to the IDLE. A Learning_Update message is generated on this port and the node transitions from the IDLE to the PORT_A_ACTIVE state. The node tests port B simultaneously with port A using the procedure described above. If both ports are operational, either one can be selected as the default. Periodic reception of beacon messages (Beacon_A_Received is set) keeps the node in the PORT_A_ACTIVE state and trigger reset of the No_Beacon_A timer. If, when in the PORT_A_ACTIVE state, link A becomes inactive (Link_A_Active is reset) or no beacon messages were received for a given time period (No_Beacon_A timer expired and Beacon_A_Received is reset), the node sets the Port_A_Failed flag and transitions to the IDLE state where it attempts to switch to port B. Operation of port B is identical to operation of port A. IEC
389/10 SIST EN 62439-5:2010
62439-5 © IEC:2010(E) – 15 – If a Node_Receive timer expires, the receiving node sends a Failure_Notify message to the associated transmitting end node and sends Path_Check_Request message on its active port to beacon end nodes. When the transmitting end node receives the Failure_Notify message, it attempts to verify transmission path on its active port by sending a Path_Check_Request message on this port to beacon end nodes. When beacon nodes receive these messages, they issue Path_Check_Response messages addressed to the requesting node. When Path_Check_Request fails to elicit response (Path_A_Check/Path_B_Check timer expired), the node sets the Path_A_Failed/Path_B_Failed flag and Port_A_Failed/ Port_B_Failed flag, and transitions to the IDLE state where it attempts to switch to port B/A. If both ports failed, then the node transitions from the IDLE to the FAULT state and stays there until one of the ports becomes operational. In FAULT state, a node continuously monitors link status (Link_A_Active/Link_B_Active flags) and beacon arrival status (Beacon_A_Received/Beacon_B_Received flags). If Path_A_Failed and/or Path_B_Failed flags were set, the node also sends Path_Check_Request and monitors arrival of Path_Check_Response message for corresponding ports. When one of the ports becomes operational (Port_A_Failed/Port_B_Failed is reset), the node transitions back to the IDLE state and then to PORT_A_ACTIVE/PORT_B_ACTIVE as appropriate. When a node receives a Path_Check_Request message in PORT_A_ACTIVE or PORT_B_ACTIVE states, it responds with the Path_Check_Response message and stays in current state. When in PORT_A_ACTIVE/PORT_B_ACTIVE state and the Active_Port_Swap timer expires, the node transitions to PORT_B_ACTIVE/PORT_A_ACTIVE state provided PORT_B_FAILED/PORT_A_FAILED is not set.
The No_Beacon timer period is a configuration parameter selected for a specific system. The mandatory default value of the beacon period is 450 µs, resulting in the default value of the No_Beacon period of 950 µs. The timeout period is chosen in such a way that at least two beacon messages from each beacon end node have to be lost before fault is declared on a port. A BRP compliant end node shall be able to receive beacon messages over both of its ports sent from both beacon end nodes at the mandatory default value of the beacon period. The Path_A_Check and Path_B_Check timer periods are configuration parameters selected for a specific system. The mandatory default value is 2 ms. The Active_Port_Swap timer period is a configuration parameter selected for a specific system. The mandatory default value is 1 h. Table 1 specifies the flags used in the BRP end node state machine. SIST EN 62439-5:2010

– 16 – 62439-5 © IEC:2010(E) Table 1 – BRP end node flags Name Description Data Type Initialization_Completed Used to indicate initialization completed successfully BOOL Link_A_Active Used to indicate physical layer link status of port A BOOL Beacon_A_Received Used to indicate beacon message was received on port A BOOL Path_A_Failed Used to indicate if Path_Check_Response message was received for Path_Check_Request message on port A BOOL Link_B_Active Used to indicate physical layer link status of port B BOOL Beacon_B_Received Used to indicate beacon message was received on port B BOOL Path_B_Failed Used to indicate if Path_Check_Response message was received for Path_Check_Request message on port B BOOL Path_A_Request Used to indicate if Path_Check_Request message was sent on port A BOOL Path_B_Request Used to indicate if Path_Check_Request message was sent on port B BOOL Port_A_Failed Used to indicate if port A has failed BOOL Port_B_Failed Used to indicate if port B has failed BOOL NOTE In this table, BOOL means Boolean. Table 2 specifies the BRP end node state transition table. SIST EN 62439-5:2010

62439-5 © IEC:2010(E) – 17 – Table 2 – BRP end node state transition table State number Current state Event
/Condition =>Action Next state 1 INITIALIZATION Initialization is completed => Set Initialization_Completed Reset Link_A_Active Reset Beacon_A_Received Stop No_Beacon_A timer Reset Path_A_Failed Stop Path_A_Check timer, reset Path_A_Request Reset Link_B_Active Reset Beacon_B_Received Stop No_Beacon_B timer Reset Path_B_Failed Stop Path_B_Check timer Reset Path_B_Request Set Port_A_Failed Set Port_B_Failed Stop Node_Receive timers Stop Active_Port_Swap timer IDLE 2 IDLE, FAULT, PORT_A_ACTIVE, PORT_B_ACTIVE Port A link pass status => Set Link_A_Active STAY IN CURRENT STATE 3 IDLE, FAULT, PORT_A_ACTIVE, PORT_
...