Amendment 1 - Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions


General Information

Status: Published
Publication Date: 03-Aug-2017
Current Stage: DELPUB - Deleted Publication
Start Date: 16-Feb-2021
Completion Date: 26-Oct-2025

Standard: IEC 61784-3:2016/AMD1:2017 - Amendment 1 - Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions
Language: English and French
30 pages


IEC 61784-3
Edition 3.0 2017-08
INTERNATIONAL STANDARD (colour inside)
AMENDMENT 1
Industrial communication networks – Profiles –
Part 3: Functional safety fieldbuses – General rules and profile definitions
IEC 61784-3:2016-05/AMD1:2017-08(en-fr)

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.


IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in English and French, with equivalent terms in 16 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.

IEC publications search - www.iec.ch/searchpub
The advanced search enables to find IEC publications by a variety of criteria (reference number, text, technical committee,…). It also gives information on projects, replaced and withdrawn publications.

IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and CISPR.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and also once a month by email.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
ICS 25.040.40; 35.100.05 ISBN 978-2-8322-4585-9

IEC 61784-3:2016/AMD1:2017 © IEC 2017
FOREWORD
This amendment has been prepared by subcommittee 65C: Industrial networks, of IEC
technical committee 65: Industrial-process measurement, control and automation.
The text of this amendment is based on the following documents:
FDIS: 65C/879/FDIS    Report on voting: 65C/886/RVD
Full information on the voting for the approval of this amendment can be found in the report
on voting indicated in the above table.
The committee has decided that the contents of this amendment and the base publication will
remain unchanged until the stability date indicated on the IEC website under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
This Amendment 1 discusses the concepts of implicit data safety mechanisms for use in
functional safety communications protocols (FSCPs) as specified in IEC 61784-3:2016.
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions
Add the following new terms and definitions 3.1.56 and 3.1.57:
3.1.56
explicit data
data that is transmitted
3.1.57
implicit data
additional data that is not transmitted but is known to the sender and receiver
[SOURCE: IEC 62280:2014, 3.1.25]
3.2 Symbols and abbreviated terms
Add two new Subclauses 3.2.1 and 3.2.2, as specified below.
3.2.1 Abbreviated terms
Move the existing list of symbols and abbreviated terms to this new Subclause 3.2.1.
Delete “Pe” and “RP” from the existing list of abbreviated terms. Add, in alphabetical order, in
the list of abbreviated terms the following new abbreviated terms:
A-code Authenticity code
T-code Timeliness code
3.2.2 Symbols
Add, in this new Subclause 3.2.2 the following list of symbols:
A_k       Weight distribution of the code: number of valid codewords having k bits set to "one"
e         Bit length of explicit data
err_impl  Bitwise exclusive disjunction (XOR) of impl_S and impl_R
expl      Explicit data
expl_R    Explicit data in the receiver
expl_S    Explicit data in the sender
FCS_C     Frame check sequence calculated in the receiver
FCS_R     Frame check sequence received
FCS_S     Frame check sequence sent
i         Bit length of implicit data
ID        Incorrect delivery
impl_R    Implicit data in the receiver
impl_S    Implicit data in the sender
n         Bit length of SPDU
P_e       Bit error probability
P_ID      Probability of incorrect delivery
r         Bit length of FCS (degree of generator polynomial)
RP        Residual error probability
Add, after Annex F, the following new informative Annex G:

Annex G
(informative)
Implicit data safety mechanisms for IEC 61784-3 functional safety communication profiles (FSCPs)
G.1 Overview
Annex G discusses the concepts of implicit data safety mechanisms for use in functional
safety communications protocols (FSCPs) as specified in this standard. Implicit data is that
which is not explicitly transmitted in a PDU. Instead, the implicit data values are known by
both the sender (source) and the receiver (sink). Implicit data values are validated by the
value of one or more transmitted frame check sequence(s) (FCS) which are calculated using
an overall data string comprised of the implicit data string appended with the explicit data
string. Because the implicit data is not transmitted, the load on the transmission media is
reduced.
Today, the FSCPs that use implicit data mechanisms do so in order to communicate complete
or partial timeliness codes (T-codes) and/or authenticity codes (A-codes), see Annex E.
These FSCPs also use cyclic redundancy check (CRC) algorithms for the frame check
sequence (FCS) exclusively. Therefore, Annex G is limited to the analysis of implicitly
transmitted T-codes and A-codes using CRC-algorithms.
According to Clause E.8, with regard to implicit data, "Due to the various possible approaches
generic formulae cannot be provided. It is up to the individual FSCP to prove sufficient
residual error probabilities." In the hope of advancing IEC 61784-3 for the next edition and
beyond, the subject of this new Annex G is to improve the understanding of formulating
models for the residual error probabilities of FSCPs using CRC-algorithms to implicitly
transmit T-codes and A-codes when a single FCS code is used by the protocol.
Presented in Annex G are two formulae examples, applicable for two special cases, and from
which a better understanding is promoted for the development of additional (specific and
general) formulae.
Also presented is a summation method generally applicable when conditional weight
distributions for implicit data error patterns are known and can be quantified in a way either
leading to a closed-form solution, or suitable for iterative summation with a reasonably
bounded execution time.
G.2 Basic principles
Calculations in Annex G also use the binary symmetric channel (BSC) model as specified in
Annex B.
NOTE 1 Although it does not take into account burst errors, the BSC model with a sufficiently conservative bit
error probability is so far the most practical known for use in probability calculations needed for the determination
of the FSCP residual error rate.
Figure G.1 shows the basic principle of an FSCP using single FCS protection mechanisms
involving implicit data. In the sender, a CRC-checksum over the implicit data impl_S
concatenated with the explicit data expl_S is generated, resulting in a frame check sequence
FCS_S. When multiple FCS codes are used in an FSCP format, the calculation shall be done
for each FCS code. While expl_S and FCS_S are explicitly transmitted over the black channel,
impl_S is not transmitted, but impacts the value of the FCS_S. Therefore, it can only contain
data whose value is already known to the receiver. Implicit data is used to detect e.g. SPDUs
which were misdirected in either space ("authentication error") or time ("timeliness error").
This is accomplished by deriving the implicit data from the A-code (e.g. connection identifier)
and/or the T-code (e.g. sequence number) of an SPDU.

NOTE 2 Initialization details are addressed in F.12.1.

[Figure G.1 – FSCP with implicit transmission of authenticity and/or timeliness codes. Sender: a CRC calculation over impl_S concatenated with expl_S yields FCS_S; expl_S and FCS_S are transmitted as the SPDU over the black channel. Receiver: a CRC calculation over impl_R concatenated with the received expl_R yields FCS_C, which is compared with the received FCS_R (FCS_C = FCS_R? → ok). Key: symbols are specified in 3.2.2.]
When the SPDU comprising expl and FCS is delivered to the FSCP-layer in the receiver, it
may contain transmission errors, i.e. the value delivered may differ from the value sent. For
discrimination, the symbols expl_R and FCS_R are used in the receiver.
The expected value of the implicit data is called impl_R. In the error free case, this expectation
is identical to impl_S. In case of, for example, a misdirected SPDU, impl_R and impl_S may differ.
The receiver generates one or more frame check sequence(s) FCS_C by building a CRC-
checksum over the concatenation of impl_R and expl_R. When each FCS_C is identical to its
corresponding FCS_R, it is assumed that no error occurred. Otherwise an error has been
detected.
The lengths of the bitstrings for a single FCS are defined as follows:
r length of FCS (degree of generator-polynomial);
i length of implicit data (it is assumed that i ≥ r);
e length of explicit data;
n length of SPDU, with n = e + r.
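As an added illustration of the Figure G.1 mechanism (example code written for this page, not taken from IEC 61784-3 or from any FSCP implementation): the sender mixes the implicit A-code into the FCS but transmits only expl_S || FCS_S, the receiver recomputes FCS_C over its own expected impl_R, and the linearity of the CRC lets FCS_C XOR FCS_R be expressed through the error patterns err_impl, err_expl and err_fcs, which is the step that G.4 and G.5 build on. The generator 0x14EAB is the one used in G.3; the bit lengths i = r = 16 and e = 16, the A-codes 0x0001 and 0x1156 from the G.3 example, the payload 0xBEEF and all function names are assumptions of this example. It also checks exhaustively the burst-error argument used in G.4.3 for RP_2 = 0: with i = r, a misdirected SPDU whose explicit data is intact is never accepted by the wrong receiver.

```python
# Added example for Figure G.1 (not code from IEC 61784-3 or any FSCP implementation).
# Generator 0x14EAB is the one used in G.3; i = r = 16 and e = 16 are assumed here.
POLY = 0x14EAB          # x^16 + x^14 + x^11 + x^10 + x^9 + x^7 + x^5 + x^3 + x + 1
R = 16                  # r: bit length of the FCS, degree of the generator
I = 16                  # i: bit length of the implicit data (assumed, i = r)
E = 16                  # e: bit length of the explicit data (assumed)
MASK = (1 << R) - 1


def crc16(value, nbits):
    """Remainder of value(x) * x^r modulo the generator: a plain CRC with zero initial
    register and no final XOR, hence linear over GF(2). `value` holds an nbits-long bit
    string, most significant bit first."""
    reg = 0
    for pos in range(nbits - 1, -1, -1):
        top = ((reg >> (R - 1)) ^ (value >> pos)) & 1
        reg = (reg << 1) & MASK
        if top:
            reg ^= POLY & MASK
    return reg


def sender(impl_s, expl_s):
    """FCS_S covers impl_S || expl_S, but only expl_S || FCS_S (the SPDU) is transmitted."""
    fcs_s = crc16((impl_s << E) | expl_s, I + E)
    return (expl_s << R) | fcs_s


def receiver(impl_r, spdu):
    """Recompute FCS_C over the expected impl_R and the received expl_R; accept only
    if FCS_C equals the received FCS_R. Returns (accepted, expl_R)."""
    expl_r, fcs_r = spdu >> R, spdu & MASK
    fcs_c = crc16((impl_r << E) | expl_r, I + E)
    return fcs_c == fcs_r, expl_r


def linearity_holds(impl_s, impl_r, spdu_sent, spdu_recv):
    """The identity G.4/G.5 rely on: FCS_C xor FCS_R equals
    crc16(err_impl || err_expl) xor err_fcs, with err_* the XOR error patterns."""
    expl_s, fcs_s = spdu_sent >> R, spdu_sent & MASK
    expl_r, fcs_r = spdu_recv >> R, spdu_recv & MASK
    fcs_c = crc16((impl_r << E) | expl_r, I + E)
    err_impl, err_expl, err_fcs = impl_s ^ impl_r, expl_s ^ expl_r, fcs_s ^ fcs_r
    return (fcs_c ^ fcs_r) == (crc16((err_impl << E) | err_expl, I + E) ^ err_fcs)


def all_misdirections_detected():
    """G.4.3, case 2 (IC): with i = r every nonzero err_impl is a burst of length <= r,
    so a misdirected SPDU with intact explicit data is never accepted. Checked for all
    2^i - 1 nonzero implicit error patterns."""
    return all(crc16(j << E, I + E) != 0 for j in range(1, 1 << I))


def demo():
    """The G.3 scenario: A-codes 0x0001 (R1) and 0x1156 (R2) from the annex; the payload
    0xBEEF and the flipped bit position are constructed for this example."""
    a_r1, a_r2 = 0x0001, 0x1156
    spdu = sender(a_r1, 0xBEEF)                   # addressed to R1
    accepted_r1, _ = receiver(a_r1, spdu)         # correct delivery
    accepted_r2, _ = receiver(a_r2, spdu)         # misdirected by the router
    corrupted = spdu ^ (1 << 20)                  # one bit of expl flipped on the channel
    accepted_corrupt, _ = receiver(a_r1, corrupted)
    return {
        "correct_delivery": accepted_r1,          # True
        "misdirected": accepted_r2,               # False: err_impl = 0x1157 is a burst <= r
        "single_bit_error": accepted_corrupt,     # False
        "linearity_holds": linearity_holds(a_r1, a_r2, spdu, corrupted),  # True
    }


if __name__ == "__main__":
    print(demo(), all_misdirections_detected())
```

Running the block prints the outcome of the three deliveries and the exhaustive burst check. The CRC here has a zero initial register and no final XOR so that the linearity identity reads as a plain XOR; a real FSCP CRC with an initial value or final XOR (see F.12.1) still satisfies it, because for inputs of equal length those constants cancel in the XOR of two checksums.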
G.3 Problem statement: constant values for implicit data
In FSCPs using implicit data, the CRC-check in the receiver is used for both the detection of
data integrity errors as well as the detection of mis-directed or mis-timed SPDUs. Therefore, it
may happen that the CRC-mechanism becomes “overburdened” by multiple simultaneous
errors, resulting in an increase of the overall residual error probability. This is exemplified in
the following scenario in Figure G.2.

[Figure G.2 – Example of an incorrect transmission with multiple error causes. Sender S sends an SPDU intended for receiver R1 (A-code 0x0001) through a router in the black channel; the SPDU suffers data corruption and is misdirected to receiver R2 (A-code 0x1156), which receives misdirected and corrupted content (authenticity error).]
The scenario assumes a sender S sending SPDUs to receiver R1 and receiver R2, using a
black channel containing a router. The implicit data used comprises a single field containing
an authenticity-code (A-code) of length 16 bits, identifying the receiver (see Figure E.4). For
each SPDU sent from S to R1, the A-code of R1 is used as implicit data, and similarly the
A-code of R2 for SPDUs sent from S to R2. It is further assumed that the following errors can
occur during the transmission of an SPDU.
a) Authenticity error: Due to a fault within the router, the SPDU is delivered to the incorrect
receiver (receiver R2 instead of receiver R1 or vice versa). Thus, the implicit authenticity
code impl_S used to calculate the FCS_S in the sender is unequal to the expected
authenticity code impl_R in the receiver.
b) Data corruption: Due to for example interference or noise on the transmission media, the
content of the SPDU is corrupted (expl and/or FCS).
It is further assumed that the black channel itself does not detect any of these errors.
Therefore, the errors, and possibly a combination of errors, shall be detected by the check
within the safety layer of the receiver. The error pattern err_impl caused by the authenticity
error is defined by the bit-wise exclusive disjunction (XOR) of the A-codes in use. In this case
with only two receivers, this error pattern is constant. The error pattern err_expl is defined as
the bit-wise exclusive disjunction (XOR) of expl_S and expl_R. It is modelled by a BSC (see
Annex B).
Figure G.3 shows the residual error probabilities for different parameters when using the
proper generator polynomial x^16 + x^14 + x^11 + x^10 + x^9 + x^7 + x^5 + x^3 + x + 1 (0x14EAB) of degree 16.

[Figure G.3 – Impact of errors in implicit data on the residual error probability. Plot of RP (vertical axis, 1 × 10^-11 to 0,1) against the bit error probability P_e (horizontal axis, 1 × 10^-7 to 1), with the limit 2^-16 marked. Curves: err_impl = 0x0000, P_ID = 0 (solid black); err_impl = 0x0003, P_ID = 1 (solid blue); err_impl = 0x1157, P_ID = 0,01 (dashed purple); err_impl = 0x1157, P_ID = 0,001 (dotted-dashed green).]
Figure G.3 is based on data which was generated by a brute force algorithm checking all
possible error patterns. In addition to the generator polynomial, the following input data was
used in the algorithm:
P_ID      probability of incorrect delivery (here: addressing error);
err_impl  constant error pattern caused by an addressing error (bitwise disjunction of the A-codes).
It is important to note that the residual error probability does not only depend on P_e and P_ID,
but also on the constant err_impl and hence on the values of the A-codes chosen during
commissioning.
The curve for P_ID = 0 (solid black) proves the properness of the generator polynomial. In this
case of no errors in implicit data, the residual error probability is always below the limit 2^-16
and the curve is monotonically increasing.
The dashed purple curve and the dotted-dashed green curve show the characteristics when
using A-codes resulting in an err_impl of 0x1157 (for example the A-codes 0x0001 and 0x1156).
The residual error probability is no longer monotonically increasing but has a maximum
greater than 2^-16. For P_ID = 10^-3, the corresponding curve (dotted-dashed green) does not
pass the limit of 2^-16. However, if P_ID is set to 10^-2 (dashed purple), the maximum is greater
(worse) than the limit 2^-16. As a consequence the limit 2^-r cannot be used as an approximation
even if the generator polynomial has proven properness for the case P_ID = 0.
The green and purple curves are only observed for certain rare values of err_impl. For most other
values of err_impl, the curves are below the limit even for a probability of occurrence P_ID = 1.
As an example, the curve for err_impl = 0x0003 (e.g. A-codes equal to 0x0001 and 0x0002)
shows this characteristic (solid blue).
Conclusion: When using implicit transmission mechanisms, the residual error probability is not
necessarily bounded by 2^-r. This bound is only valid if the FSCP provides additional
mechanisms such as the ones shown in the following clauses.
NOTE Improper bounding of an FCS would not necessarily lead to insufficient residual error when other FSCP
specific protocol measures are combined in the error detection scheme.
G.4 RP for FSCPs with random, uniformly distributed err_impl
G.4.1 General
Clause G.4 investigates the case of a random err_impl taking each possible value with equal
probability ("uniform distribution"). As seen in Clause G.3 where err_impl is constant, this
assumption is not always justified and shall be provably guaranteed by the design of the
respective FSCP.
As already defined earlier, err_impl is the bitwise exclusive disjunction (XOR) between the
implicit data impl_S used in the sender of the erroneous packet, and the expected value for the
implicit data impl_R in the receiver. Clearly, if impl_S and impl_R are uniformly distributed,
independent random variables, also err_impl is uniformly distributed, i.e. takes each possible
value with equal probability. However, because errors can be assumed to happen at 'random'
points of time, it is also possible to achieve a uniformly distributed err_impl if impl_S and impl_R
are non-random variables. In order to validate whether err_impl follows a uniform distribution,
statistical checks such as the Chi-Square-Test or the Kolmogoroff-Smirnoff-Test can be used
(see for example [35]).
NOTE 1 err_impl being a uniformly distributed random variable, it does not require that all possible values are
observed with equal frequency during a finite interval of time. It is therefore not always possible to evaluate a
random number generator by simply counting the number of occurrences within a limited time interval.
Depending on the design of the FSCP, there are two reasonable variants of the assumption
"err_impl is uniformly distributed":
a) err_impl takes each value out of [0;2^i-1] with probability 2^-i;
b) err_impl takes each value out of [1;2^i-1] with probability 1/(2^i-1).
NOTE 2 There is a slight difference in the two variants: in the second variant, a value of err_impl = 0 means that
the SPDU was delivered correctly, as an incorrectly delivered SPDU will always result in a value err_impl ≠ 0. In the
first variant, a value of err_impl = 0 does not necessarily imply a correct delivery.
In the second case, measures shall be implemented to ensure that each SPDU is assigned a
unique value for implicit data. Hence, the error pattern in case of a misdirected SPDU can
never become zero. In the first case, no such measures are implemented and hence the error
pattern ‘zero’ may occur. Clearly, such an error cannot be detected in the receiver unless
there are additional detectable data integrity errors or other FSCP specific checks.
In the following, the two variants are shown separately.
Other and perhaps more detailed models are beyond the scope of this document. For
example, it is possible to eliminate data error patterns with demonstrated certainty of
detection by the CRC polynomial.
EXAMPLE Examples of these data error patterns include: Hamming distances less than the minimum Hamming
distance for the CRC polynomial over the data block length; burst errors of length r; odd number of bit errors; and
others.
Subclause G.4.2 shows an example where the implicit data field is at least as long as the FCS
and the implicit data values are randomly generated in such a way that A-codes are not
guaranteed unique for each endpoint, T-codes are not guaranteed unique for each SPDU
time, and the combinations of A-code and T-code are not guaranteed unique.

Subclause G.4.3 shows an example where the implicit data field is exactly as long as the FCS
and A-codes and T-codes are guaranteed unique for each endpoint and SPDU time. In actual
application, additional terms may be necessary to account for exceptions such as T-code
wrap around.
Clause G.5 shows a summation method for general applicability when conditional weight
distributions for implicit data error patterns are known and can be quantified.
G.4.2 Uniform distribution within the interval [0;2^i-1], i ≥ r
This case applies in particular to FSCPs that use random number generators to derive implicit
data values.
At a coarse-grained level, two main types of errors can be discriminated:
• Incorrect content of an SPDU, i. e. data integrity errors;
• Incorrect delivery of an SPDU, i.e. the SPDU is delivered to the wrong receiver or at the
wrong instance of time.
In combination, the following disjoint cases can be discriminated:
• Case 1. CC: No error (correct delivery, and correct explicit data);
• Case 2. IC: Incorrect delivery, and correct explicit data;
• Case 3. CI: Correct delivery, and incorrect explicit data;
• Case 4. II: Incorrect delivery, and incorrect data.
The residual error probabilities RP_2, RP_3, and RP_4 for each of the cases 2, 3, and 4 are
calculated from the following parameters:
P_ID is the "probability of incorrect delivery", i.e. the probability that due to for example an
authenticity or timeliness error an SPDU is erroneously delivered to the FSCP;
NOTE 1 The event "incorrect delivery" can result in an err_impl ≠ 0. However, due to the uniform
distribution within [0;2^r-1] the case err_impl = 0 can also occur.
P_IED is the probability of incorrect explicit data, i.e. the probability that data corruption
occurs;
P_IC is the probability that an error is not detected in the receiver under the condition that
case 2 occurs;
P_CI is the probability that an error is not detected in the receiver under the condition that
case 3 occurs;
P_II is the probability that an error is not detected in the receiver under the condition that
case 4 occurs;
RP_I is the residual error probability for data corruption as defined in Annex F.
R_CRC is the residual error probability for CRC polynomials as defined in Equation B.3.
NOTE 2 RP_I ≤ R_CRC because other safety measures than CRC can further reduce the value of RP_I.
r is the length of the FCS, identical to the degree of the CRC polynomial;
i is the length of the implicit data, with i ≥ r;
n is the number of bits of the SPDU.
Because the events IC, CI, and II are disjoint, the overall residual error probability can be
obtained by building the sum of the respective RP_x values.
In general, RP_x is calculated by:
RP_x = P("error case x takes place") × P("error case x is not detectable").
This leads to the formulae for cases 2, 3 and 4 detailed in the following paragraphs.
Case 2 (IC)

$$RP_2 = P_{ID} \times (1 - P_{IED}) \times P_{IC} = P_{ID} \times (1 - P_{IED}) \times 2^{-r}$$

Explanations on P_IC:
• If i > r, this probability is 2^-r, because
  – by assumption, the bitwise disjunction of impl_S and impl_R is uniformly distributed in the interval [0;2^i-1];
  – therefore, the bitwise disjunction of FCS_S = FCS_R and FCS_C is uniformly distributed in the interval [0;2^r-1];
  – therefore, the probability that the bitwise disjunction of FCS_R and FCS_C equals zero is 2^-r;
  – therefore, the probability that FCS_R is equal to FCS_C is 2^-r.
• If i = r, this probability is 2^-r, because
  – FCS_R is equal to FCS_C if and only if err_impl = 0, because the length of err_impl does not exceed the degree of the CRC polynomial. CRC-codes detect all burst errors of length less than or equal to r;
  – the probability that err_impl = 0 is 2^-r because of the uniform distribution in the interval [0;2^r-1].

Case 3 (CI)

$$RP_3 = (1 - P_{ID}) \times P_{IED} \times P_{CI} = (1 - P_{ID}) \times RP_I \le (1 - P_{ID}) \times 2^{-r} \quad \text{for proper polynomials}$$

Case 4 (II)

$$RP_4 = P_{ID} \times P_{IED} \times P_{II} = P_{ID} \times P_{IED} \times 2^{-r}$$

Explanations:
• Due to the assumptions, err_impl takes all values from [0;2^i-1] with equal probability.
• Hence, each bit of err_impl takes the value 0 or 1 with equal probability 0,5.
• Because CRC-codes are linear codes, and because |err_impl| ≥ r, each bit of err_impl determines the result of one bit in the bitwise exclusive disjunction of FCS_R and FCS_C.
• Hence, the bits in the bitwise exclusive disjunction of FCS_R and FCS_C can be treated as independent random variables, each taking the values 0 and 1 with equal probability 0,5.
• The bitwise exclusive disjunction of FCS_R and FCS_C is a uniformly distributed random variable, taking all values from [0;2^r-1] with equal probability.
• The probability that the bitwise exclusive disjunction of FCS_R and FCS_C equals zero is 2^-r.
• The probability that FCS_C is identical to FCS_R is 2^-r.
In summary, the residual error probability of an FSCP using implicit mechanisms for the
detection of timeliness and authenticity errors (guaranteeing that the error in the implicit data is
uniformly distributed in the interval [0;2^i-1]) can be calculated using the following formula:

$$\begin{aligned}
RP_{TOTAL} &= RP_2 + RP_3 + RP_4 \\
&= (P_{ID} \times (1 - P_{IED}) \times 2^{-r}) + ((1 - P_{ID}) \times P_{IED} \times P_{CI}) + (P_{ID} \times P_{IED} \times 2^{-r}) \\
&= (P_{ID} \times 2^{-r}) + ((1 - P_{ID}) \times P_{IED} \times P_{CI}) \\
&= (P_{ID} \times 2^{-r}) + ((1 - P_{ID}) \times RP_I)
\end{aligned}$$

Explanation:
• Cases 2 to 4 are disjoint events.
In case of a proper polynomial, the following applies:

$$\begin{aligned}
RP_{TOTAL} &= RP_2 + RP_3 + RP_4 \\
&= (P_{ID} \times (1 - P_{IED}) \times 2^{-r}) + ((1 - P_{ID}) \times P_{IED} \times P_{CI}) + (P_{ID} \times P_{IED} \times 2^{-r}) \\
&\le (P_{ID} \times (1 - P_{IED}) \times 2^{-r}) + ((1 - P_{ID}) \times 2^{-r}) + (P_{ID} \times P_{IED} \times 2^{-r}) \\
&\le 2^{-r}
\end{aligned}$$

Explanations:
• Cases 2 to 4 are disjoint events.
• This upper bound of RP_TOTAL is independent of the values of P_IED and P_ID.
G.4.3 Uniform distribution in the interval [1;2^r-1], i = r
For this variant, it is assumed i = r, i.e. the length of the implicit data is exactly the degree of
the CRC polynomial, and that err_impl is uniformly distributed within the interval [1;2^r-1]. In
contrast to the variant shown in G.4.2, err_impl is always unequal to 0 in case of an incorrect
delivery.
The following cases of error combinations can be discriminated:
• Case 1. CC: No error (correct delivery, and correct explicit data);
• Case 2. IC: Incorrect delivery, and correct explicit data;
• Case 3. CI: Correct delivery, and incorrect explicit data;
• Case 4. II: Incorrect delivery, and incorrect data.
The residual error probabilities RP_2, RP_3, and RP_4 for each of the cases 2, 3, and 4 are
calculated from the following parameters:
P_ID is the "probability of incorrect delivery", i.e. the probability that due to for example an
authenticity or timeliness error an SPDU is erroneously delivered to the FSCP;
NOTE Due to the uniform distribution within [1;2^r-1], err_impl ≠ 0 is guaranteed. Hence, the event
"incorrect delivery" is equivalent to the event "incorrect implicit data" in this case.
P_IED is the probability of incorrect explicit data, i.e. the probability that data corruption
occurs;
P_IC is the probability that an error is not detected in the receiver under the condition that
case 2 occurs;
P_CI is the probability that an error is not detected in the receiver under the condition that
case 3 occurs;
P_II is the probability that an error is not detected in the receiver under the condition that
case 4 occurs;
P_EIC(i) is the probability that the error pattern in the explicit data err_expl complements the error
pattern in the implicit data err_impl making the error undetectable, under the condition
that "err_impl = i";
r is the length of the implicit data and the length of the FCS (degree of the CRC
polynomial);
n is the number of bits in the SPDU.
Because the events IC, CI, and II are disjoint, the overall residual error probability can be
obtained by building the sum of the respective RP_x values.
In general, RP_x is calculated by:
RP_x = P("error case x takes place") × P("error case x is not detectable").
This leads to the formulae for cases 2, 3 and 4 detailed in the following paragraphs.
Case 2 (IC)

$$RP_2 = P_{ID} \times (1 - P_{IED}) \times P_{IC} = 0$$

Explanation:
• Errors of type 2 are always detected, because the length of err_impl does not exceed r.
CRC-codes detect all burst errors of length less than or equal to r. Hence P_IC is equal to 0 in this case.

Case 3 (CI)

$$RP_3 = (1 - P_{ID}) \times P_{IED} \times P_{CI} = (1 - P_{ID}) \times RP_I \le (1 - P_{ID}) \times 2^{-r} \quad \text{for proper polynomials}$$

Case 4 (II)

$$RP_4 = P_{ID} \times P_{IED} \times P_{II} \approx P_{ID} \times P_{IED} \times 2^{-r}$$

Explanations:

$$\begin{aligned}
P_{II} &= \sum_{i=1}^{2^r-1} P\{err_{impl} = i\} \times P_{EIC}(i) \\
&= \frac{1}{2^r-1} \times \sum_{i=1}^{2^r-1} P_{EIC}(i) \\
&= \frac{1}{2^r-1} \quad \text{(because for all possible } err_{expl} \text{ there is exactly one matching } err_{impl}\text{)} \\
&\approx 2^{-r}
\end{aligned}$$

In summary, the residual error probability of an FSCP using implicit mechanisms for the
detection of timeliness and authenticity errors, guaranteeing that the error in the implicit data is
uniformly distributed in the interval [1;2^r-1], can be calculated using the following formula:

$$\begin{aligned}
RP_{TOTAL} &= RP_2 + RP_3 + RP_4 \\
&= (P_{ID} \times (1 - P_{IED}) \times 2^{-r}) + ((1 - P_{ID}) \times P_{IED} \times P_{CI}) + (P_{ID} \times P_{IED} \times 2^{-r}) \\
&= (P_{ID} \times 2^{-r}) + ((1 - P_{ID}) \times P_{IED} \times P_{CI}) \\
&= (P_{ID} \times 2^{-r}) + ((1 - P_{ID}) \times RP_I)
\end{aligned}$$

Explanation:
• Cases 2 to 4 are disjoint events.
G.5 General case
The calculations presented in G.4.2 and G.4.3 are only valid under the assumption of a uniform distribution of $err_{impl}$ and with certain restrictions on the length of the implicit data field. In the general case, $RP_{TOTAL}$ can be calculated as follows, if the conditional weight distribution of the code is known for each possible value of $err_{impl}$ (with $i$ the bit length of the implicit data, see 3.2.2):
$$RP_{TOTAL} = P_{ID} \times \sum_{j=0}^{2^i - 1} P\{err_{impl} = j\} \times P\{FCS_C = FCS_R \mid err_{impl} = j\} + (1 - P_{ID}) \times P_{re}^{CRC,BSC}$$
where
$P\{err_{impl} = j\}$ is the probability that the error pattern in the implicit data has the value $j$ (under the condition that there is a misdirected SPDU);
$P\{FCS_C = FCS_R \mid err_{impl} = j\}$ is the probability that no error is indicated for the given CRC polynomial and code length, under the condition that the error pattern in the implicit data has the value $j$;
$P_{re}^{CRC,BSC}$ is the residual error probability for the given CRC polynomial and code length without implicit data.
$P_{re}^{CRC,BSC}$ and $P\{FCS_C = FCS_R \mid err_{impl} = j\}$ are given by:
$$P_{re}^{CRC,BSC} = \sum_{k=1}^{n} A_k(err_{impl} = 0) \times P_e^{k} \times (1 - P_e)^{n-k}$$
$$P\{FCS_C = FCS_R \mid err_{impl} = j\} = \sum_{k=0}^{n} A_k(err_{impl} = j) \times P_e^{k} \times (1 - P_e)^{n-k}$$
where
$A_k(err_{impl} = j)$ is the weight distribution of the code under the condition that the error pattern in the implicit data takes the value $j$.
Explanations:
• $P\{FCS_C = FCS_R \mid err_{impl} = 0\} = P_{re}^{CRC,BSC} + (1 - P_e)^{n}$.
G.6 Calculation of $P_{ID}$
If both the T-code and the A-code are implicit, $P_{ID}$ can be calculated as follows:
$$P_{ID} = \min\left(\frac{R_T + R_A}{\nu},\; 1\right)$$
where
$P_{ID}$ is the probability that, due to for example an authenticity or timeliness error, an SPDU is erroneously delivered to the FSCP;
$R_T$ is the rate of occurrence of incorrect-sequence safety PDUs (see F.5.2.4);
$R_A$ is the rate of occurrence of misdirected safety PDUs (see F.5.2.3);
$\nu$ is the maximum number of SPDU samples by the SCL ("sample rate") per hour (see F.5.2.2).
Explanation:
• Due to the approximation, the quotient $(R_T + R_A)/\nu$ may become greater than one. In this case, the value 1 shall be used for $P_{ID}$.
If only the T-code is implicit, $P_{ID}$ can be calculated as follows:
$$P_{ID} = \frac{R_T}{\nu}$$
If only the A-code is implicit, $P_{ID}$ can be calculated as follows:
$$P_{ID} = \frac{R_A}{\nu}$$
Calculation of the total residual error rate
According to F.10.1, the total residual error rate is calculated by (see Equation (F.6)):
$$\lambda_{SC} = RR_T + RR_A + RR_I + RR_M$$
Alternatively, the following formula can be used:
$$\lambda_{SC} = \nu \times RP_{TOTAL}$$
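The following worked example is added here and is not part of IEC 61784-3 or of any FSCP implementation. It makes the G.4 case analysis and the G.5 general sum concrete by enumerating the conditional weight distribution $A_k(err_{impl} = j)$ of a toy code exhaustively, then compares the G.5 general formula with the G.4 closed form $P_{ID} \times 2^{-r} + (1 - P_{ID}) \times RP_I$, and finishes with the G.6 quotient for $P_{ID}$ and the rate $\lambda_{SC} = \nu \times RP_{TOTAL}$. Everything in it is an assumption chosen for illustration: a plain CRC with the 4-bit generator `0x13` ($x^4 + x + 1$, so $r = 4$) and no initial value or final XOR, 8 bits of explicit data, implicit data of exactly $r$ bits built from a 2-bit A-code and a 2-bit T-code, the BSC of Annex B, and a uniform $err_{impl}$ over $1 \ldots 2^r - 1$ given a misdirected SPDU (so the $j = 0$ term of the G.5 sum gets probability 0). Function names such as `build_spdu` and `receiver_accepts` are mine, not the standard's.

```python
"""Residual error probability of an FSCP with implicit data (Annex G model).

Added worked example; not taken from IEC 61784-3 or any FSCP stack.
Assumptions (all constructed for illustration):
  * plain CRC, no init value, no final XOR, toy generator x^4 + x + 1 (0x13);
  * implicit data length i = r bits (the G.4 special case), built from a
    2-bit A-code (connection id) and a 2-bit T-code (sequence counter);
  * binary symmetric channel with bit error probability P_e;
  * given a misdirected SPDU, err_impl is uniform over 1 .. 2**r - 1, so the
    j = 0 term of the G.5 sum has probability 0.
"""
from collections import Counter

POLY = 0x13   # x^4 + x + 1 with the leading x^4 term included; r = 4
R = 4         # FCS length = implicit data length (G.4 special case)
E = 8         # explicit data length in bits
N = E + R     # SPDU length on the wire: explicit data + FCS


def crc_remainder(word: int, length: int, poly: int = POLY, r: int = R) -> int:
    """Remainder of `word` (holding `length` bits, MSB first) modulo the
    generator polynomial, by bitwise long division over GF(2)."""
    for shift in range(length - 1, r - 1, -1):
        if (word >> shift) & 1:
            word ^= poly << (shift - r)
    return word


def build_spdu(expl: int, impl: int) -> int:
    """Sender: FCS_S over impl_S || expl_S; only expl_S || FCS_S is sent."""
    fcs = crc_remainder(((impl << E) | expl) << R, R + E + R)
    return (expl << R) | fcs


def receiver_accepts(spdu: int, impl: int) -> bool:
    """Receiver: recompute the check with its own impl_R prepended."""
    return crc_remainder((impl << N) | spdu, R + N) == 0


def conditional_weight_distribution(j: int) -> list:
    """A_k(err_impl = j): number of error patterns of weight k over the
    transmitted bits (explicit data + FCS) that go undetected when the
    implicit data differs by pattern j.  By CRC linearity the check passes
    exactly when the combined error word j || err has zero remainder."""
    counts = Counter()
    for err in range(1 << N):
        if crc_remainder((j << N) | err, R + N) == 0:
            counts[bin(err).count("1")] += 1
    return [counts[k] for k in range(N + 1)]


def p_undetected(weights: list, p_e: float, k_min: int = 0) -> float:
    """sum_k A_k * P_e^k * (1 - P_e)^(n - k), the BSC term used in G.5."""
    return sum(a * p_e ** k * (1 - p_e) ** (N - k)
               for k, a in enumerate(weights) if k >= k_min)


def rp_total_general(pid: float, p_e: float) -> float:
    """RP_TOTAL per G.5, with every conditional weight distribution enumerated."""
    dist = {j: conditional_weight_distribution(j) for j in range(1 << R)}
    p_re = p_undetected(dist[0], p_e, k_min=1)        # CRC alone, k >= 1
    p_j = 1.0 / ((1 << R) - 1)                         # uniform over j != 0
    misdirected = sum(p_j * p_undetected(dist[j], p_e) for j in range(1, 1 << R))
    return pid * misdirected + (1 - pid) * p_re


def rp_total_closed_form(pid: float, p_e: float) -> float:
    """RP_TOTAL per the G.4 summary: P_ID * 2^-r + (1 - P_ID) * RP_I."""
    rp_i = p_undetected(conditional_weight_distribution(0), p_e, k_min=1)
    return pid * 2.0 ** -R + (1 - pid) * rp_i


def p_id(r_t: float, r_a: float, nu: float) -> float:
    """G.6, both codes implicit: (R_T + R_A) / nu, capped at 1."""
    return min((r_t + r_a) / nu, 1.0)


def lambda_sc(nu: float, rp_total: float) -> float:
    """Total residual error rate per hour: nu * RP_TOTAL."""
    return nu * rp_total


if __name__ == "__main__":
    conn, seq = 0b01, 0b10                      # A-code and T-code (constructed)
    impl = (conn << 2) | seq
    spdu = build_spdu(0xA5, impl)
    print("correct connection/sequence:", receiver_accepts(spdu, impl))
    print("misdirected (other conn):   ", receiver_accepts(spdu, (0b10 << 2) | seq))
    print("stale sequence:             ", receiver_accepts(spdu, (conn << 2) | ((seq + 1) & 3)))
    pid = p_id(r_t=1.0, r_a=1.0, nu=3600.0)     # rates per hour (constructed)
    for p_e in (0.5, 1e-3):
        print(f"P_e={p_e}: general={rp_total_general(pid, p_e):.3e} "
              f"closed-form={rp_total_closed_form(pid, p_e):.3e}")
    print("lambda_SC per hour:", lambda_sc(3600.0, rp_total_general(pid, 1e-3)))
```

Two observations worth checking against the output: for every $j \ne 0$ the weight-0 entry of $A_k(j)$ is zero (case 2 is always detected, as G.4 states), and every $j$ has exactly $2^{n-r}$ undetectable explicit patterns, which is the "exactly one matching $err_{impl}$ for each $err_{expl}$" argument behind $P_{II} \approx 2^{-r}$. At $P_e = 0.5$ all error patterns are equally likely and the G.5 sum reduces exactly to the G.4 closed form; for realistic $P_e$ the two differ, which is why G.5 asks for the conditional weight distributions.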
Bibliography
Add, at the end of Bibliography, the following new reference:
[35] D. KNUTH, The Art of Computer Programming, Volume 2: Seminumerical Algorithms, 3rd Edition, Addison-Wesley, 1997

___________
FOREWORD
This amendment has been prepared by subcommittee 65C: Industrial networks, of IEC technical committee 65: Industrial-process measurement, control and automation.
The text of this amendment is based on the following documents:
FDIS  Report on voting
65C/879/FDIS  65C/886/RVD
Full information on the voting for the approval of this amendment can be found in the report on voting indicated in the above table.
The committee has decided that the contents of this amendment and the base publication will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The "colour inside" logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this publication using a colour printer.

_____________
INTRODUCTION
This Amendment 1 addresses the concepts of implicit-data based safety mechanisms intended for use in the functional safety communication protocols (FSCP) specified in IEC 61784-3:2016.
3 Terms, definitions, symbols, abbreviations and conventions
3.1 Terms and definitions
Add the following new terms and definitions 3.1.56 and 3.1.57:
3.1.56
explicit data
data that is transmitted
3.1.57
implicit data
additional data that is not transmitted but is known to both the sender and the receiver
[SOURCE: IEC 62280:2014, 3.1.25]
3.2 Symbols and abbreviations
Add two new Subclauses 3.2.1 and 3.2.2 as specified below.
3.2.1 Abbreviations
Move the existing list of symbols and abbreviations into this new Subclause 3.2.1.
Delete "Pe" and "RP" from the existing list of abbreviations. Add, in alphabetical order, the following new abbreviations to the list of abbreviations:
A-code  Authenticity code
T-code  Timeliness code
3.2.2 Symbols
Add, in this new Subclause 3.2.2, the following list of symbols:
$A_k$  weight distribution of the code: number of valid code words with $k$ bits set to "one"
$e$  bit length of the explicit data
$err_{impl}$  bitwise exclusive OR of $impl_S$ and $impl_R$ (the error pattern in the implicit data)
$expl$  explicit data
$expl_R$  explicit data at the receiver
$expl_S$  explicit data at the sender
$FCS_C$  frame check sequence computed at the receiver
$FCS_R$  received frame check sequence
$FCS_S$  transmitted frame check sequence
$i$  bit length of the implicit data
ID  incorrect delivery
$impl_R$  implicit data at the receiver
$impl_S$  implicit data at the sender
$n$  bit length of the SPDU
$P_e$  bit error probability
$P_{ID}$  probability of incorrect delivery
$r$  bit length of the FCS (degree of the generator polynomial)
RP  residual error probability

Add, after Annex F, the following new informative Annex G:

Annex G
(informative)
Implicit-data based safety mechanisms for the functional safety communication profiles (FSCP) defined in IEC 61784-3
G.1 Overview
Annex G addresses the concepts of implicit-data based safety mechanisms intended for use in the functional safety communication protocols (FSCP) specified in this standard. Implicit data is data that is not explicitly transmitted in a PDU. Instead, the values of the implicit data are known to both the sender (source) and the receiver (sink). The values of the implicit data are validated through the value of one or more frame check sequences (FCS) computed over an overall data string consisting of the implicit data string concatenated with the explicit data string. Since the implicit data is not transmitted, the load on the transmission medium is reduced.
Today, the FSCPs that use implicit-data mechanisms use them to convey complete or partial timeliness codes (T-codes) and/or authenticity codes (A-codes), see Annex E. These FSCPs also use cyclic redundancy check (CRC) algorithms exclusively for the frame check sequence (FCS). Annex G is therefore limited to the analysis of A-codes and T-codes transmitted implicitly by means of CRC algorithms.
In accordance with Clause E.8, concerning implicit data, "Due to the variety of possible methods, no generic formula can be given. It is up to the individual FSCP to demonstrate sufficient residual error probabilities." With a view to evolving IEC 61784-3 for the next edition and beyond, this new Annex G is intended to deepen the understanding of the formulation models for the residual error probabilities of FSCPs that use CRC algorithms to transmit T-codes and A-codes implicitly when a single FCS is used by the protocol.
Annex G gives two examples of formulae applicable to two specific cases, which aid understanding of the formulation models so that new (specific and general) formulae can be developed.
It also gives a generally applicable summation method for the case where the conditional weight distributions for the error patterns in the implicit data are known and can be quantified either in a way that yields a closed-form solution, or in a form suited to an iterative summation with a reasonably bounded execution time.
G.2 Basic principles
The calculations given in Annex G also use the binary symmetric channel (BSC) model specified in Annex B.
NOTE 1 Although it does not account for burst errors, the BSC model with a suitably estimated bit error probability is the most practical currently known means of performing the probability calculations needed to determine the residual error rate of the FSCP.
Figure G.1 shows the basic principle of an FSCP using simple FCS protection mechanisms involving implicit data. On the sender side, a CRC checksum over the implicit data $impl_S$ concatenated with the explicit data $expl_S$ is generated, forming a frame check sequence $FCS_S$. When several FCS are used in an FSCP format, the calculation is to be performed for each FCS. While $expl_S$ and $FCS_S$ are transmitted explicitly over the black channel, $impl_S$ is not transmitted but influences the value of $FCS_S$. Consequently, it can only contain data whose value is already known to the receiver. Implicit data is used to detect, for example, SPDUs misdirected in space ("authentication error") or in time ("timeliness error"). This is achieved by deriving the implicit data from the A-code (for example, a connection identifier) and/or the T-code (for example, a sequence number) of an SPDU.
NOTE 2 Initialisation details are covered in F.12.1.
...
