IEC PAS 61784-3-18:2009
Industrial communication networks - Profiles - Part 3-18: Functional safety fieldbuses - Additional specifications for CPF SNpFAMILY
IEC/PAS 61784-3-18:2009(E) specifies a safety communication layer (services and protocol) based on CPF SNpFAMILY of IEC/PAS 62633 and IEC/PAS 61158 Type SNpTYPE. It identifies the principles for functional safety communications defined in IEC 61784-3 that are relevant for this safety communication layer. It contains an additional profile - SNpTYPE - which may be integrated into a future new edition of IEC 61784-3.
General Information
- Status: Replaced
- Publication Date: 10-Aug-2009
- Technical Committee: SC 65C - Industrial networks
- Current Stage: DELPUB - Deleted Publication
- Start Date: 20-Apr-2011
- Completion Date: 13-Feb-2026
Relations
- Effective Date: 05-Sep-2023
Frequently Asked Questions
IEC PAS 61784-3-18:2009 is a technical specification published by the International Electrotechnical Commission (IEC). Its full title is "Industrial communication networks - Profiles - Part 3-18: Functional safety fieldbuses - Additional specifications for CPF SNpFAMILY". This standard covers: IEC/PAS 61784-3-18:2009(E) specifies a safety communication layer (services and protocol) based on CPF SNpFAMILY of IEC/PAS 62633 and IEC/PAS 61158 Type SNpTYPE. It identifies the principles for functional safety communications defined in IEC 61784-3 that are relevant for this safety communication layer. It contains an additional profile - SNpTYPE - which may be integrated into a future new edition of IEC 61784-3.
IEC PAS 61784-3-18:2009 is classified under the following ICS (International Classification for Standards) categories: 13.110 - Safety of machinery; 25.040.40 - Industrial process measurement and control; 35.100.05 - Multilayer applications. The ICS classification helps identify the subject area and facilitates finding related standards.
IEC PAS 61784-3-18:2009 has the following relationship with other standards: it is linked to IEC 61784-3-18:2011, the International Standard that succeeded this PAS (the PAS itself is listed with status Replaced). Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
IEC/PAS 61784-3-18
Edition 1.0 2009-08
PUBLICLY AVAILABLE SPECIFICATION
PRE-STANDARD
Industrial communication networks – Profiles –
Part 3-18: Functional safety fieldbuses – Additional specifications for CPF SNpFAMILY
IEC/PAS 61784-3-18:2009(E)
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
PRICE CODE XA
ICS 13.110; 25.040.40; 35.100.05
ISBN 978-2-88910-807-7
– 2 – PAS 61784-3-18 © IEC:2009(E)
CONTENTS
FOREWORD 5
INTRODUCTION 7
1 Scope 8
2 Normative references 8
3 Terms, definitions, symbols, abbreviated terms and conventions 9
3.1 Terms and definitions 9
3.1.1 Common terms and definitions 9
3.1.2 CPF SNpFAMILY: Additional terms and definitions 13
3.2 Symbols and abbreviated terms 14
3.2.1 Common symbols and abbreviated terms 14
3.2.2 CPF SNpFAMILY: Additional abbreviated terms 15
3.2.3 CPF SNpFAMILY: Additional symbols 16
3.3 Conventions 16
4 Overview of FSCP SNpFAMILY/1 (SafetyNET p™) 17
5 General 18
5.1 External documents providing specifications for the profile 18
5.2 Safety functional requirements 19
5.3 Safety measures 19
5.4 Safety communication layer structure 20
5.5 Relationships with FAL (and DLL, PhL) 20
5.5.1 General 20
5.5.2 Data Types 20
6 Safety communication layer services 21
6.1 General elements 21
6.1.1 General 21
6.1.2 Safe object dictionary 21
6.1.3 Safe process data object (SPDO) 21
6.1.4 Safe heartbeat (SHB) 21
6.1.5 Safe delay monitoring (SDM) 21
6.2 Communication relation 21
7 Safety communication layer protocol 23
7.1 Safety PDU formats 23
7.1.1 Safe process data objects (SPDO) 23
7.1.2 Safe heartbeat (SHB) 24
7.1.3 Safety PDUs embedded in a Type SNpTYPE PDU 26
7.2 Safe application layer management (SALMT) 27
7.3 Safe process data communication 28
7.4 Safe heartbeat 29
7.5 Delay monitoring 30
8 Safety communication layer management 31
8.1 Parameter handling 31
8.2 Object dictionary 31
8.2.1 General 31
8.2.2 Communication profile section 32
8.2.3 Standardized device profile section 47
8.3 Device description 47
9 System requirements 47
9.1 Indicators and switches 47
9.1.1 Indicator states and flash rates 47
9.1.2 Indicators 48
9.1.3 Switches 48
9.2 Installation guidelines 48
9.3 Safety function response time 48
9.3.1 General 48
9.3.2 Determination of FSCP SNpFAMILY time expectation behavior 50
9.3.3 Calculation of the worst case safety function response time 50
9.4 Duration of demands 51
9.5 Constraints for calculation of system characteristics 51
9.5.1 Safety related constraints 51
9.5.2 Probabilistic considerations 52
9.6 Maintenance 52
9.7 Safety manual 53
10 Certification 53
Bibliography 54
Figure 1 – FSCP SNpFAMILY/1 system 18
Figure 2 – FSCP SNpFAMILY/1 software architecture 20
Figure 3 – SPDO interaction model 22
Figure 4 – SHB interaction model 22
Figure 5 – Safe process data object frame 23
Figure 6 – Safe heartbeat request PDU 24
Figure 7 – Safe heartbeat response PDU 25
Figure 8 – Safety PDU for FSCP SNpFAMILY embedded in a Type SNpTYPE CDC data section 27
Figure 9 – Safe application layer management state machine 28
Figure 10 – RxSPDO state machine 29
Figure 11 – Heartbeat procedure 30
Figure 12 – Delay measurement principle 30
Figure 13 – Parameter handling 31
Figure 14 – Safety response time components 49
Figure 15 – Considered data fields for message size calculation 52
Figure 16 – Residual error rate 52
Table 1 – Object definition 17
Table 2 – Safety PDU element definition 17
Table 3 – Communication errors and detection measures 19
Table 4 – SPDO PDU structure 23
Table 5 – SHB request PDU structure 25
Table 6 – SHB response PDU structure 25
Table 7 – Safe heartbeat FS AL state encoding 26
Table 8 – Safe application layer management commands 27
Table 9 – State transitions SALMT state machine 28
Table 10 – State transitions RxSPDO state machine 29
Table 11 – Object dictionary structure 32
Table 12 – Objects of communication section 33
Table 13 – Device type 34
Table 14 – Safe ID 34
Table 15 – Fail-safe consumer heartbeat list entry encoding 35
Table 16 – Fail-safe consumer heartbeat 36
Table 17 – Fail-safe producer heartbeat parameter 36
Table 18 – Fail-safe bus cycle times 39
Table 19 – SPDO timeout tolerance 40
Table 20 – Receive SPDO communication parameter 40
Table 21 – Transmit SPDO communication parameter 43
Table 22 – Mapping format 45
Table 23 – Receive SPDO mapping parameter 46
Table 24 – Transmit SPDO mapping parameter 47
Table 25 – Indicator states definition 48
Table 26 – STATUS indicator states 48
Table 27 – Definition of terms 49
Table 28 – Definition of terms for time expectation behavior 50
Table 29 – Definition of terms for SFR calculation 51
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL COMMUNICATION NETWORKS –
PROFILES –
Part 3-18: Functional safety fieldbuses –
Additional specifications for CPF SNpFAMILY
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
A PAS is a technical specification not fulfilling the requirements for a standard, but made
available to the public.
IEC-PAS 61784-3-18 has been processed by subcommittee 65C: Industrial networks, of IEC
technical committee 65: Industrial-process measurement, control and automation.
The text of this PAS is based on the following document: Draft PAS 65C/530/PAS.
This PAS was approved for publication by the P-members of the committee concerned as indicated in the following document: Report on voting 65C/534/RVD.
Following publication of this PAS, which is a pre-standard publication, the technical committee
or subcommittee concerned may transform it into an International Standard.
This PAS shall remain valid for an initial maximum period of 3 years starting from the
publication date. The validity may be extended for a single 3-year period, following which it
shall be revised to become another type of normative document, or shall be withdrawn.
The list of all the parts of the IEC 61784 series, under the general title Industrial
communication networks – Profiles, can be found on the IEC web site.
INTRODUCTION
This PAS contains an additional profile – SNpTYPE – which may be integrated into a future
new edition of IEC 61784-3.
INDUSTRIAL COMMUNICATION NETWORKS –
PROFILES –
Part 3-18: Functional safety fieldbuses –
Additional specifications for CPF SNpFAMILY
1 Scope
This part of the IEC 61784-3 series specifies a safety communication layer (services and protocol) based on CPF SNpFAMILY of IEC/PAS 62633 and IEC/PAS 61158 Type SNpTYPE. It identifies the principles for functional safety communications defined in IEC 61784-3 that are relevant for this safety communication layer.
NOTE 1 It does not cover electrical safety and intrinsic safety aspects. Electrical safety relates to hazards such as electrical shock. Intrinsic safety relates to hazards associated with potentially explosive atmospheres.
This part of the IEC 61784-3 series defines mechanisms for the transmission of safety-relevant messages among participants within a distributed network using fieldbus technology in accordance with the requirements of IEC 61508 series for functional safety. These mechanisms may be used in various industrial applications such as process control, manufacturing automation and machinery.
This part of the IEC 61784-3 series provides guidelines for both developers and assessors of compliant devices and systems.
NOTE 2 The resulting SIL claim of a system depends on the implementation of the selected functional safety communication profile within this system – implementation of a functional safety communication profile according to this part of the IEC 61784-3 series in a standard device is not sufficient to qualify it as a safety device.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 61158 (all parts), Industrial communication networks – Fieldbus specifications
IEC/PAS 61158-3-22, Industrial communication networks – Fieldbus specifications –
Part 3-22: Data-link layer service definition – Type SNpType elements
IEC/PAS 61158-4-22, Industrial communication networks – Fieldbus specifications –
Part 4-22: Data-link layer protocol specification – Type SNpType elements
IEC/PAS 61158-5-22, Industrial communication networks – Fieldbus specifications –
Part 5-22: Application layer service definition – Type SNpType elements
IEC/PAS 61158-6-22, Industrial communication networks – Fieldbus specifications –
Part 6-22: Application layer protocol specification – Type SNpType elements
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety
related systems
IEC 61784-2, Industrial communication networks – Profiles – Part 2: Additional fieldbus
profiles for real-time networks based on ISO/IEC 8802-3
IEC 61784-3, Industrial communication networks – Profiles – Part 3: Functional safety
fieldbuses – General rules and profile definitions
IEC/PAS 62633, Industrial communication networks – Profiles – Additional fieldbus profiles for
real-time networks based on ISO/IEC 8802-3 - SNpTYPE
3 Terms, definitions, symbols, abbreviated terms and conventions
3.1 Terms and definitions
3.1.1 Common terms and definitions
3.1.1.1
availability
probability for an automated system that for a given period of time there are no unsatisfactory
system conditions such as loss of production
NOTE Availability depends on MTBF (mean time between failure) and MDT (mean down time):
Availability = MTBF / (MTBF + MDT).
3.1.1.2
black channel
communication channel without available evidence of design or validation according to
IEC 61508 series
3.1.1.3
communication channel
logical connection between two end-points within a communication system
3.1.1.4
communication system
arrangement of hardware, software and propagation media to allow the transfer of messages
(ISO/IEC 7498 application layer) from one application to another
3.1.1.5
connection
logical binding between two application objects within the same or different devices
3.1.1.6
Cyclic Redundancy Check (CRC)
redundant data derived from, and stored or transmitted together with, a block of data in order to detect data corruption; also, the procedure used to calculate that redundant data
NOTE See also [2], [3] .
3.1.1.7
error
discrepancy between a computed, observed or measured value or condition and the true,
specified or theoretically correct value or condition
NOTE 1 An error can be caused by a faulty item, for example a computing error made by faulty computer
equipment.
[IEV 191-05-24], [IEC 61508-4:1998], [IEC 61158]
___________
Figures in square brackets refer to the bibliography.
NOTE 2 Errors may be due to design mistakes within hardware/software and/or corrupted information due to
electromagnetic interference and/or other effects.
NOTE 3 Errors do not necessarily result in a failure or a fault.
3.1.1.8
failure
termination of the ability of a functional unit to perform a required function
NOTE 1 The definition in IEV 191-04-01 is the same, with additional notes.
[IEC 61508-4:1998], [ISO/IEC 2382-14.01.11]
NOTE 2 Failure may be due to an error (for example, problem with hardware/software design or message
disruption)
3.1.1.9
fault
abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit
to perform a required function
NOTE IEV 191-05-01 defines “fault” as a state characterized by the inability to perform a required function,
excluding the inability during preventative maintenance or other planned actions, or due to lack of external
resources.
[IEC 61508-4:1998], [ISO/IEC 2382-14.01.10]
3.1.1.10
fieldbus
communication system based on serial data transfer and used in industrial automation or
process control applications
3.1.1.11
frame
denigrated synonym for DLPDU
3.1.1.12
Frame Check Sequence (FCS)
redundant data derived from a block of data within a DLPDU (frame), using a hash function,
and stored or transmitted together with the block of data, in order to detect data corruption
NOTE 1 An FCS can be derived using for example a CRC or other hash function.
NOTE 2 See also [2], [3].
3.1.1.13
hash function
(mathematical) function that maps values from a (possibly very) large set of values into a
(usually) smaller range of values
NOTE 1 Hash functions can be used to detect data corruption.
NOTE 2 Common hash functions include parity, checksum or CRC.
[IEC 62210, modified]
3.1.1.14
hazard
state or set of conditions of a system that, together with other related conditions will inevitably
lead to harm to persons, property or environment
3.1.1.15
message
ordered series of octets intended to convey information
[ISO/IEC 2382-16.02.01, modified]
3.1.1.16
message sink
part of a communication system in which messages are considered to be received
[ISO/IEC 2382-16.02.03]
3.1.1.17
message source
part of a communication system from which messages are considered to originate
[ISO/IEC 2382-16.02.02]
3.1.1.18
nuisance trip
spurious trip with no harmful effect
NOTE Internal abnormal errors can be caused in communication systems such as wireless transmission, for
example by too many retries in the presence of interferences.
3.1.1.19
proof test
periodic test performed to detect failures in a safety-related system so that, if necessary, the
system can be restored to an “as new” condition or as close as practical to this condition
NOTE A proof test is intended to confirm that the safety-related system is in a condition that assures the specified
safety integrity.
[IEC 61508-4 and IEC 62061, modified]
3.1.1.20
redundancy
existence of means, in addition to the means which would be sufficient for a functional unit to
perform a required function or for data to represent information
EXAMPLE Duplicated functional components and the addition of parity bits are both instances of redundancy.
NOTE 1 Redundancy is used primarily to improve reliability or availability.
NOTE 2 The definition in IEV 191-15-01 is less complete.
[IEC 61508-4:1998], [ISO/IEC 2382-14.01.12]
3.1.1.21
reliability
probability that an automated system can perform a required function under given conditions
for a given time interval (t1,t2)
NOTE 1 It is generally assumed that the automated system is in a state to perform this required function at the
beginning of the time interval.
NOTE 2 The term "reliability" is also used to denote the reliability performance quantified by this probability.
NOTE 3 Within the MTBF or MTTF period of time, the probability that an automated system will perform a
required function under given conditions is decreasing.
NOTE 4 Reliability differs from availability.
[IEC 62059-11, modified]
3.1.1.22
risk
combination of the probability of occurrence of harm and the severity of that harm
[IEC 61508-4:1998]
3.1.1.23
safety communication layer (SCL)
communication layer that includes all the necessary measures to ensure safe transmission of
data in accordance with the requirements of IEC 61508
3.1.1.24
safety data
data transmitted across a safety network using a safety protocol
NOTE The Safety Communication Layer does not ensure safety of the data itself, only that the data is transmitted
safely.
3.1.1.25
safety device
device designed in accordance with IEC 61508 and which implements the functional safety
communication profile
3.1.1.26
safety function
function to be implemented by an E/E/PE safety-related system, other technology safety-
related system or external risk reduction facilities, which is intended to achieve or maintain a
safe state for the EUC, in respect of a specific hazardous event
[IEC 61508-4:1998]
3.1.1.27
safety function response time
worst case elapsed time following an actuation of a safety sensor connected to a fieldbus,
before the corresponding safe state of its safety actuator(s) is achieved in the presence of
errors or failures in the safety function channel
NOTE This concept is introduced in IEC 61784-3, 5.2.4 and addressed by the functional safety communication
profiles defined in this part of the IEC 61784-3 series .
3.1.1.28
safety integrity level (SIL)
discrete level (one out of a possible four) for specifying the safety integrity requirements of
the safety functions to be allocated to the E/E/PE safety-related systems, where safety
integrity level four has the highest level of safety integrity and safety integrity level one has
the lowest
NOTE The target failure measures for the four safety integrity levels are specified in Tables 2 and 3 of
IEC 61508-1.
[IEC 61508-4:1998]
3.1.1.29
safety measure
measure to control possible communication errors that is designed and
implemented in compliance with the requirements of IEC 61508
NOTE 1 In practice, several safety measures are combined to achieve the required safety integrity level.
NOTE 2 Communication errors and related safety measures are detailed in IEC 61784-3, 5.3 and 5.4.
3.1.1.30
safety-related application
programs designed in accordance with IEC 61508 to meet the SIL requirements of the
application
3.1.1.31
safety-related system
system performing safety functions according to IEC 61508
3.1.1.32
spurious trip
trip caused by the safety system without a process demand
3.1.2 CPF SNpFAMILY: Additional terms and definitions
3.1.2.1
consecutive number
means to ensure completeness and the right order of transmitted safety PDUs
NOTE Instance of "sequence number" as described in IEC 61784-3.
3.1.2.2
cycle
interval at which a list of instructions or an activity is repetitively and continuously executed
3.1.2.3
delay
transmission time of PDUs which is dynamically caused by network properties like traffic,
switching devices and topology
3.1.2.4
fail-safe
ability of a system to prevent hazards, by adequate technical or organizational measures, either deterministically or by reducing the risk to a tolerable level
3.1.2.5
gateway
device acting as a linking element between different protocols
3.1.2.6
real time frame line (RTFL)
communication model for communication with high real time requirements
3.1.2.7
real time frame network (RTFN)
communication model for communication with low real time requirements
3.1.2.8
safe application layer management (SALMT)
mechanism to control the safe application layer state of safe devices
3.1.2.9
safe delay monitoring (SDM)
safe mechanism to cyclically monitor the delay of transmitted PDUs
3.1.2.10
safe heartbeat (SHB)
mechanism to cyclically monitor the state of safe devices
3.1.2.11
safe process data object (SPDO)
mechanism to cyclically exchange safe process data between devices
3.2 Symbols and abbreviated terms
3.2.1 Common symbols and abbreviated terms
CP Communication profile [IEC 61784-1]
CPF Communication profile family [IEC 61784-1]
CRC Cyclic redundancy check
DLL Data link layer [ISO/IEC 7498-1]
DLPDU Data link protocol data unit
EMI Electro-magnetic interference
EUC Equipment under control [IEC 61508-4:1998]
FAL Fieldbus application layer [IEC 61158-5]
FCS Frame check sequence
FSCP Functional safety communication profile
HD Hamming distance
E/E/PE Electrical/Electronic/Programmable electronic [IEC 61508-4:1998]
NSR Non safety relevant
PDU Protocol data unit [ISO/IEC 7498-1]
PELV Protective extra low voltage
PES Programmable electronic system [IEC 61508-4:1998]
PFD Average probability of failure on demand [IEC 61508-6:2000]
PFH Probability of failure per hour [IEC 61508-6:2000]
PhL Physical layer [ISO/IEC 7498-1]
PLC Programmable logic controller
SCL Safety communication layer
SELV Safety extra low voltage
SFRT Safety function response time
SIL Safety integrity level [IEC 61508-4:1998]
SR Safety relevant
3.2.2 CPF SNpFAMILY: Additional abbreviated terms
AL Application layer
AP Application process
FS Fail-safe
ID Identification
MSB Most significant bit
OS Operating system
PDO-ID Process data object ID
PID Packet ID
RTFL Real time frame line
RTFN Real time frame network
SALMT Safe application layer management
SDM Safe delay monitoring
SHB Safe heartbeat
SID Safe-ID
SPDO Safe process data object
3.2.3 CPF SNpFAMILY: Additional symbols
Symbol    Definition                            Unit
T_A       Actuator time                         μs
T_Awc     Worst case actuator time              μs
T_cycle   Cycle time of communication           μs
T_I       Input time                            μs
T_Iwc     Worst case input time                 μs
T_L       Logic processing time                 μs
T_Lwc     Worst case logic processing time      μs
T_O       Output time                           μs
T_Owc     Worst case output time                μs
T_S       Sensor time                           μs
T_SFR     Safety function response time         μs
T_Swc     Worst case sensor time                μs
T_T       Transmission time                     μs
T_TOi     Timeout time of component             μs
T_TOS     FSCP SNpFAMILY timeout time           μs
T_Twc     Worst case transmission time          μs
ΔT        Timeout margin                        μs
3.3 Conventions
The attributes of an object are described in the form as shown in Table 1. The meaning of the
attributes is described in the following list.
• Index describes the position within the object dictionary of an object.
• Sub-index describes a single element of the object.
• Name denotes a name string for this attribute.
• Object type denotes the characterizing type for each object as specified in
IEC/PAS 61158-6-22.
• Data Type denotes the data type of this element.
• Category indicates whether the element is mandatory (M), optional (O) or depends upon
setting of other attributes (C).
• Access attribute shows the access right to this element. RO means read access right, RW
means read and write access right, WO means write access right, while FS denotes no
access rights except for the safety application and optional read access by SDO services
as specified in IEC/PAS 61158-5-22 and IEC/PAS 61158-6-22.
• SPDO mapping denotes the possibility to map this attribute to TxSPDO or RxSPDO or to
indicate that this parameter is not mappable.
• Value range contains the value range of a dedicated element or “No” for no pre-defined
value range.
• Value contains the constant value(s) and/or the meaning of the parameter or “No” for no
pre-defined value.
Table 1 – Object definition
Attribute Value
Index
Sub-index
Name
Object type
Data type
Category
Access attribute
SPDO mapping
Value range
Value
The FSCP syntax elements related to PDU structure are described as shown in Table 2. The
meaning of the table columns is described in the following list.
• Octet offset denotes the offset of the frame part relative to the start of the safety PDU.
• Data field is the name of the element.
• Value/Description contains the constant value or the meaning of the parameter.
Table 2 – Safety PDU element definition
Octet offset Data field Description
4 Overview of FSCP SNpFAMILY/1 (SafetyNET p™)
Communication Profile Family SNpFAMILY (commonly known as SafetyNET p™ ) defines
communication profiles based on IEC/PAS 61158-3-22, IEC/PAS 61158-4-22,
IEC/PAS 61158-5-22 and IEC/PAS 61158-6-22. The basic profile(s) CP SNpFAMILY/1 and CP
SNpFAMILY/2 are defined in IEC/PAS 62633. The CPF SNpFAMILY functional safety
communication profile FSCP SNpFAMILY/1 is based on the CPF SNpFAMILY basic profiles in
IEC/PAS 62633 and the safety communication layer specifications defined in this part of the
IEC 61784-3 series.
FSCP SNpFAMILY/1 describes a safe protocol for transferring safe process data up to SIL 3
between FSCP SNpFAMILY/1 devices. For the transfer of the safe protocol a subordinated
fieldbus is used that is not included in the safety considerations (black channel approach).
Safe data exchanged between communicating partners is regarded as cyclic process data
exchanged between them by the subordinated fieldbus.
FSCP SNpFAMILY/1 uses a dedicated 1:n producer-consumer interaction model for safe
process data communication and a 1:1 interaction model for the purpose of safety device
monitoring. Figure 1 depicts possible communication relationships based on a CP
SNpFAMILY/1 and CP SNpFAMILY/2 network. Safety-related communication within cells is
possible as well as inter-cell communication.
___________
SafetyNET p is a trade name of the Pilz GmbH & Co. KG. This information is given for the convenience of users
of this International Standard and does not constitute an endorsement by IEC of the trade name holder or any
of its products. Compliance to this profile does not require use of the trade name SafetyNET p. Use of the trade
name SafetyNET p requires permission of the trade name holder.
[Figure 1 (image not reproduced): root, ordinary, gateway and RTFN devices, each running safety and/or standard applications, connected over CP SNpFAMILY/1 and CP SNpFAMILY/2 networks via switches; safety communication relations are drawn between the safety applications]
Figure 1 – FSCP SNpFAMILY/1 system
For the realization of FSCP SNpFAMILY/1, the following safety measures have been chosen.
• Session number (consecutive number).
• Time expectation for communication monitoring.
• Unique identification of senders.
• Cyclic redundancy checking for data integrity.
• Different data integrity assurance systems for safe and non-safe communication.
• Packet delay monitoring for dedicated communication relationships.
Each device maintains a safety layer state machine, which is coordinated by the safe
application. Safety is ensured based on the fail-safe application layer switching to the system
error state (i.e. safe state) as soon as an error is detected.
5 General
5.1 External documents providing specifications for the profile
The following documents are useful in understanding the design of the FSCP SNpFAMILY/1
protocol:
• GS-ET-26 [1]
5.2 Safety functional requirements
The following requirements shall apply to the development of devices that implement the
FSCP SNpFAMILY/1 protocol. The same requirements were used in the development of
FSCP SNpFAMILY/1.
• Requirements of IEC 61508 (see IEC 61508) shall be fulfilled to meet the Safety Integrity
Level of the device.
• The FSCP SNpFAMILY/1 protocol is designed to support Safety Integrity Level 3 (SIL 3)
(see IEC 61508).
• The FSCP SNpFAMILY/1 protocol is implemented using a black channel approach; there is no
safety-related dependency on the standard CPF SNpTYPE communication profiles.
Transmission equipment shall remain unmodified.
• Safety communication and standard communication shall be independent. Safety devices
and standard devices shall be able to use the same communication channel.
• There shall always be a 1:1 communication relationship between communicating devices
for device monitoring purposes.
• Safety communication shall use a single-channel communication system. Redundancy
may only be used optionally for increased availability.
• Implementation of the safe protocol shall be restricted to the communication end devices.
• The transmission duration time shall be monitored.
• Device documentation shall indicate the Safety Integrity Level (SIL) the device is designed
for.
5.3 Safety measures
The safety measures used in the FSCP SNpFAMILY/1 to detect communication errors are
listed in Table 3. All safety measures shall be applied and monitored within each safety
device.
Table 3 – Communication errors and detection measures

                                                   Safety measures
Communication errors            Sequence   Time          Connection   Data        Diff. data
                                number     expectation   ID           integrity   integrity
                                           (a)                        assurance   assurance
                                                                                  systems (b)
Corruption                      —          —             —            X           —
Unintended repetition           X          —             —            —           —
Incorrect sequence              X          —             —            —           —
Loss                            X          X             —            —           —
Unacceptable delay              —          X             —            —           —
Insertion                       X          —             X            —           —
Masquerade                      X          —             X            —           X
Addressing                      X          —             X            —           —
Revolving memory failures       X          —             X            X           —
within switches

a  In this standard called “T_TOS”.
b  In this standard realized by “SID” and “PID”.
5.4 Safety communication layer structure
The FSCP SNpFAMILY/1 protocol is layered on top of the data link layer protocol. Figure 2
shows how the protocol is related to the CPF SNpFAMILY layer. The safety-related
functionality is implemented within the applica
...