
PROFIsafe Environmental Requirements

related to

PROFIsafe Profile for Safety Technology on PROFIBUS DP and PROFINET IO (IEC 61784-3-3)

Guideline

for PROFIBUS and PROFINET


Version 2.5 March 2007

Order No: 2.232


Document Identification: TC3-05-0006 File name: PROFIsafe-Environments_2 232_V25_Mar07.doc

PROFIsafe - Requirements for Installation, Immunity, electrical Safety and Security for PROFIBUS DP and PROFINET IO
Version 2.5 March 2007

Prepared by the PROFIBUS Working Group 5 PROFIsafe within the Technical Committee 3 Application Profiles.
The attention of adopters is directed to the possibility that compliance with or adoption of PI (PROFIBUS International) specifications may require use of an invention covered by patent rights. PI shall not be responsible for identifying patents for which a license may be required by any PI specification, or for conducting legal inquiries into the legal validity or scope of those patents that are brought to its attention. PI specifications are prospective and advisory only. Prospective users are responsible for protecting themselves against liability for infringement of patents.

NOTICE: The information contained in this document is subject to change without notice. The material in this document details a PI specification in accordance with the license and notices set forth on this page. This document does not represent a commitment to implement any portion of this specification in any company's products.

WHILE THE INFORMATION IN THIS PUBLICATION IS BELIEVED TO BE ACCURATE, PI MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS MATERIAL INCLUDING, BUT NOT LIMITED TO ANY WARRANTY OF TITLE OR OWNERSHIP, IMPLIED WARRANTY OF MERCHANTABILITY OR WARRANTY OF FITNESS FOR PARTICULAR PURPOSE OR USE. In no event shall PI be liable for errors contained herein or for indirect, incidental, special, consequential, reliance or cover damages, including loss of profits, revenue, data or use, incurred by any user or any third party. Compliance with this specification does not absolve manufacturers of PROFIBUS or PROFINET equipment from the requirements of safety and regulatory agencies (TÜV, BGIA, UL, CSA, etc.).

PROFIBUS and PROFINET logos are registered trade marks. The use is restricted for members of Profibus International. More detailed terms for the use can be found on the web page www.profibus.com/libraries.html. Please select button "Presentations & logos".

Publisher: PROFIBUS Nutzerorganisation e.V. Haid-und-Neu-Str. 7 D-76131 Karlsruhe Germany Phone: ++49 (0) 721 / 96 58 590 Fax: ++49 (0) 721 / 96 58 589 E-mail: pi@profibus.com http://www.profibus.com
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.

Copyright PNO 2007 All Rights Reserved

Page 2 of 43

Revision Log

Version        Author   Date
0.91           Team     04-Nov-2002
0.95           Team     18-Dec-2002
0.96           Team     07-Jan-2003
0.97           Team     30-Jan-2003
1.0            Plenum   26-Feb-2003
1.1            Plenum   28-Jun-2004
2.0, 2.1,
2.2, 2.3       Team1    01-Oct-2004, 27-Jun-2006, 28-Jun-2006, 29-Sep-2006, 05-Oct-2006, 08-Nov-2006
2.4            Team1    03-Jan-2007
2.5            Team1    22-Feb-2007

Changes/History (in the order of the revision log):
- Working draft
- Working draft after internal review on Dec 6th, 2002
- Minor editorial changes: safety extra low voltage, protective extra low voltage, electromagnetic immunity and alike. Chapters 1.2 and 3: term "nuisance trip" added. Chapter 4.1: voltage levels for SELV and PELV defined. Chapters 1.3.2 and 4.1: IEC 61010-1 added. Figure 4-1 and Figure 4-3: "60VAC/75VDC" changed to "SELV/PELV". Chapter 3.3: table with test levels added. Figure 3-2 "construction sketch of test bed" added.
- Several editorial changes for unambiguousness. Chapter 1.3.3: IEC 61131-2 just finished new FDIS (new test levels); Chapter 3.3: table complemented by standard test levels. Chapter 3.4.1: table for increased immunity levels: frequencies removed in row "HF conducted".
- The following changes are introduced in version 1.0 according to the change request database (PROFIsafe environments) as of June 28th, 2004. The CRs can be downloaded from the project database. CR-ID2: pages 15 and 16: index for tables added. CR-ID3: pages 22 and 24: names for BGIA corrected. CR-ID4: literature: reference to GS-ET-26. CR-ID5: new chapter 5: no spurs or branch lines with PROFIsafe (RS485). CR-ID6: chapter 3.1: test bed to provide decoupling for the EUT and diagnosis reporting.
- Released by PROFIBUS advisory board
- Extended for PROFINET IO and updated according to new IEC activities
- Updated version according to WG meeting and BGIA meeting
- Incorporated changes from project database ID=8 through ID=69
- Incorporated changes from project database ID=70 through ID=122. All CRs accepted by PROFIsafe WG on October 5th, 2006
- Chapter 6 (data security) extended by more detailed specifications due to delayed other PNO guidelines. Conclusion by PROFIsafe WG on November 8th, 2006
- Changes to chapter 6 (data security) due to approval discussions with BGIA on December 14th, 2006. Additional changes due to an "Open Issue List" from BGIA on December 11th, 2006 (CR 126 to 140)
- Changes to chapter 6 (data security) and to chapter 3.3 (EMC) due to comments from BGIA (CR 141 to 151)

Team1: PROFIsafe core team founded in 2004.


Contents

1 Management summary - scope of this document .... 7
1.1 PROFIBUS DP, PROFINET IO, and PROFIsafe .... 7
1.2 Terms and Definitions .... 8
1.3 Standards and Directives .... 8
1.3.1 Functional Safety .... 10
1.3.2 Electrical Safety .... 10
1.3.3 Electromagnetic immunity .... 11
1.3.4 Installation Guidelines .... 14
1.3.5 Security aspects .... 15
1.3.6 Test Principles of BGIA .... 15
2 Safety Functions according to IEC 61508 .... 16
3 Immunity against electromagnetic phenomena .... 17
3.1 Test Bed .... 17
3.2 (Safety) Performance criteria for functional safety .... 19
3.3 Generic increased immunity levels for PROFIsafe devices .... 19
3.3.1 General industrial environments (IEC 61326-3-1) .... 19
3.3.2 Specified electromagnetic environment (IEC 61326-3-2) .... 21
3.4 Product family specifics .... 21
3.4.1 F-Sensor (ESPE/AOPD) .... 21
3.4.2 PA Devices for functional safety .... 22
3.4.3 F-PLC and F-I/O .... 22
3.4.4 F-Actuator (drives with integrated safety) .... 22
3.5 Non-safety PROFIBUS and PROFINET devices .... 23
4 Overvoltages and Shock Protection .... 24
4.1 Definitions .... 24
4.2 Device Model including Power Supplies .... 24
4.3 Specifications for Standard-PROFIBUS Devices .... 26
4.4 SIL3 Considerations .... 26
5 Installation constraints .... 28
5.1 Overview on PROFIBUS/PROFINET and international installation guidelines .... 28
5.2 Topology .... 28
5.3 Planning of cabling and wiring .... 28
5.3.1 NFPA 79 (2006) .... 28
5.3.2 Hybrid cables .... 29
5.3.3 Wiring .... 30
5.4 EMC aspects of power supply networks (TN-C, TN-S) .... 30
5.5 Shielding and grounding (earthing) .... 32
5.5.1 Single-ended versus double-ended grounding .... 32
5.5.2 IP20 .... 32
5.5.3 IP67 .... 33
5.6 Electrical safety with drives with integrated safety .... 33
5.7 High frequency currents with drives .... 34
6 Data security .... 35
6.1 Dangerous threats .... 35
6.2 PROFIsafe data security requirements .... 35
6.3 General data security concept of PROFINET IO .... 35
6.4 Security measures .... 36
6.4.1 Administration of firewalls .... 36
6.4.2 Administration of security gates (devices) and VPN clients .... 36
6.4.3 Security protocols .... 37
6.4.4 Authentication of security gates and VPN clients .... 37
6.4.5 Encryption algorithms .... 37
6.4.6 Message authentication codes .... 38
6.4.7 Key change .... 38
6.5 Constraints .... 38
6.6 Software update .... 38
6.7 Robustness .... 38
6.8 Test and certification of data security components (gates and VPN client software) .... 38
6.9 Obligations .... 38
7 International specifics .... 39
7.1 Europe .... 39
7.2 USA .... 39
7.2.1 UL508/508C .... 39
7.2.2 Values for SELV/PELV .... 40
7.3 Asia .... 40
8 Appendix .... 41
8.1 Applicable Documents .... 41
8.2 Abbreviations .... 42

Figures

Figure 1-1 The PROFIsafe Vision .... 7
Figure 1-2 Safety for machinery and fieldbus standards .... 9
Figure 1-3 Safety for PA and fieldbus standards .... 9
Figure 1-4 Overview on safety related IEC/ISO standards .... 10
Figure 1-5 EMC Standards referenced by IEC 61508 for industrial Environments .... 12
Figure 1-6 Overview on device related EMC standards .... 14
Figure 2-1 Influences on Safety Functions .... 16
Figure 3-1 PROFIsafe test bed for immunity testing .... 18
Figure 3-2 Construction sketch for a test bed .... 18
Figure 3-3 Increased immunity test levels .... 20
Figure 3-4 Modified test bed for PA devices .... 22
Figure 4-1 Typical structure of a PROFIsafe/PROFIBUS DP device .... 25
Figure 4-2 Typical structure of a PROFIsafe/PROFINET IO device .... 25
Figure 4-3 SIL3 Considerations on Overvoltages .... 27
Figure 5-1 Overview on PROFIBUS and international installation guidelines .... 28
Figure 5-2 IEC 61508-2, excerpt of table A.13 .... 29
Figure 5-3 IEC 61508-2, excerpt of table A.17 .... 29
Figure 5-4 IEC 61508-7, Explanation A.11.1 .... 29
Figure 5-5 Power-over-Ethernet (modulation) .... 30
Figure 5-6 Four conductor power network (TN-C) .... 31
Figure 5-7 Five conductor power network (TN-S) .... 31
Figure 5-8 Effect of shielding and twisting of cables .... 32
Figure 5-9 Electrical safety with drives with integrated safety .... 33
Figure 5-10 High frequency currents with drives .... 34
Figure 6-1 Security concept of PROFIBUS/PROFINET .... 36
Figure 7-1 UL 508 C considerations .... 40

Tables

Table 1 Performance criteria of GS-ET-26 .... 19
Table 2 Immunity levels per phenomenon (e.g. machinery) .... 20
Table 3 Immunity levels per phenomenon (e.g. process industries) .... 21


1 Management summary - scope of this document

PROFIsafe is a supplementary technology for standard PROFIBUS and PROFINET. It reduces the residual error probability of data transmissions between fail-safe controllers and fail-safe field devices to the level required by the relevant standards, or better. In addition, PROFIsafe describes fail-safe solutions for configuration, parameter assignment, and maintenance. The PROFIsafe technology is described in a profile specification for PROFIBUS DP [1] that remains valid alongside a new specification for PROFIBUS DP and PROFINET IO [11]. Both BGIA and TÜV as notified bodies have issued positive technical reports.

In the meantime certain PROFIBUS working groups have been defining safety amendments for their device families on how to use PROFIsafe. One covers drives with integrated safety [13], the other PA devices for safety applications [12].

Since the above mentioned notified bodies can only issue safety certifications on the basis of actual implementations in products or systems, open issues have arisen in the course of individual approvals of different devices in the new fieldbus environment, in contrast to relay technology. These are to be coordinated between TÜV, BGIA, other notified bodies and the PROFIBUS WG5 "PROFIsafe". The open issues partially depend on standards that do not yet cover fieldbus operations. The BGIA, with the strong support of the fieldbus organizations (including PROFIsafe) and TÜV, started early to fill this gap with so-called test principles [2].

It is the purpose of this PROFIBUS guideline to collect agreed upon requirements and constraints for the design of PROFIsafe devices and for PROFIsafe specific operations within a normal industrial environment as defined e.g. in IEC 61000-6-2. It is the responsibility of device manufacturers to define the test conditions for their intended product deployments.

1.1 PROFIBUS DP, PROFINET IO, and PROFIsafe

It is the declared objective of the PROFIBUS community to integrate the safety technology into the Standard PROFIBUS and PROFINET; that means to communicate on one cable without having an impact on the installed base of devices and systems. In addition, no separate power supply shall be required for the safety devices.
[Figure: a safety controller (with conventional safety, e.g. E-Stop) and a standard controller share one bus; safety input/output and standard input/output (PA, drives, limit switch, laser scanner, light curtains, robots) coexist on it: coexistence of safety and standard communication]
Figure 1-1 The PROFIsafe Vision


Electrical safety is a precondition for a PROFIBUS/PROFINET system. Thus, for functional safety, a defined situation for using fail-safe devices can only be provided through corresponding:
- compliance with the installation guidelines (cables, cable installation, shields, shield connections, grounding, power supply, etc.) including constraints for PROFIsafe operations (5.1);
- defined requirements for the standard bus devices (conformance to IEC 61158/61784-1 and -2 [3], certification);
- defined safety requirements for the power supplies (SELV, PELV).

The overall steps required for such a network may differ with the safety integrity level (SIL). Wherever economically possible, the aim is adherence to the capability for SIL3. The steps taken must comply and/or conform to the existing standards. There are cases where the standards do not yet cover the state of the art; this is frequently the case with fieldbus operations. Here, ways and means are to be found that are based on basic standards such as IEC 61508 [4] and proven principles, and that ensure the required safety performance (e.g. EN 954-1 [5], NFPA 79 [6], etc.). These ways and means must retain their validity for a suitable transitional period even if new standards are published in the meantime.

1.2 Terms and Definitions

EMI: Electromagnetic Interference. Safety aspects (increased immunity) are not covered by the EMC requirements for normal use. While the EMC requirements for normal use as defined e.g. in IEC 61000-6-2 aim to support sufficient operation under normal conditions, the aim of the safety requirements is only to assure safe operation of the equipment or the equipment under control (Figure 3-3).

Fail-safe: pertaining to a system or device that automatically places itself in a safe operating mode in the event of a failure.

Nuisance Trip: a trip with no harmful effect caused by the safety system without a process demand ("false alarm").

Performance Criterion: during immunity tests the equipment under test shall react in a way that is defined by a performance criterion. EMC standards like IEC 61000-6-2 define normal immunity test levels for sufficient operation of equipment under control.

Increased Level: increased levels are related to functional safety aspects only and for some phenomena exceed the normal immunity levels. During these tests only the performance criteria for functional safety apply.

SELV, PELV: Safety Extra Low Voltage, Protective Extra Low Voltage as defined in IEC 60364-4-41.

SIL Monitor: a special feature of PROFIsafe that monitors the number of corrupted messages per safety function during a certain period of time that depends on the SIL class. If more than one corrupted message is discovered, the system will turn the safety function into a fail-safe state.
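The SIL monitor defined above, modelled in Python as an added example (it is not PROFIsafe code and not taken from this guideline): corrupted messages per safety function are counted inside a sliding time window whose length depends on the SIL class, and a second corrupted message inside that window latches the fail-safe state, so a single hit (the tolerated "nuisance") does not trip while a recurrence does. The window lengths in SIL_WINDOW_S, the message-check flags and the trace inputs are constructed assumptions for the illustration; the profile specification [1]/[11] fixes the real values and the message checks.

```python
"""Model of a PROFIsafe-style SIL monitor (illustration only).

A corrupted message is one whose integrity check failed. More than one
corrupted message within the SIL-dependent window forces the safety function
into the fail-safe state, which stays latched until an explicit reset.
"""
from collections import deque
from dataclasses import dataclass, field

# Observation window in seconds per SIL class. ASSUMED placeholder values for
# this example; the PROFIsafe profile specification defines the real ones.
SIL_WINDOW_S = {1: 100.0, 2: 1000.0, 3: 10000.0}

# The guideline's rule: more than one corrupted message -> fail-safe.
MAX_TOLERATED = 1


@dataclass
class SilMonitor:
    """One monitor instance per safety function."""
    sil: int
    corrupted_at: deque = field(default_factory=deque)  # timestamps, oldest first
    fail_safe: bool = False

    def _prune(self, now: float) -> None:
        # Drop corrupted-message timestamps that have left the window.
        window = SIL_WINDOW_S[self.sil]
        while self.corrupted_at and now - self.corrupted_at[0] > window:
            self.corrupted_at.popleft()

    def message(self, now: float, crc_ok: bool, sequence_ok: bool = True) -> bool:
        """Feed one received safety message.

        Returns True while the safety function may keep operating and False
        once it must be (and stays) in the fail-safe state.
        """
        if self.fail_safe:
            return False  # latched: only an explicit reset leaves fail-safe
        self._prune(now)
        if not (crc_ok and sequence_ok):
            self.corrupted_at.append(now)
            if len(self.corrupted_at) > MAX_TOLERATED:
                self.fail_safe = True
                return False
        return True

    def reset(self) -> None:
        """Operator acknowledgement after the cause has been cleared."""
        self.corrupted_at.clear()
        self.fail_safe = False


def run_trace(sil: int, trace):
    """Replay a list of (time_s, crc_ok) pairs through a fresh monitor.

    Returns (tripped, index) where index is the position of the message that
    forced fail-safe, or (False, None) if the trace was tolerated.
    """
    monitor = SilMonitor(sil)
    for i, (t, ok) in enumerate(trace):
        if not monitor.message(t, ok):
            return True, i
    return False, None


if __name__ == "__main__":
    # Constructed traces: two hits 5000 s apart trip a SIL3 monitor (window
    # 10000 s in this model); two hits 20000 s apart do not.
    print(run_trace(3, [(0.0, False), (5000.0, False)]))    # (True, 1)
    print(run_trace(3, [(0.0, False), (20000.0, False)]))   # (False, None)
```

The timestamps come from the receiver's own clock, so the monitor does not trust anything in the message to decide when the window starts; and because the fail-safe flag latches, a burst of corrupted frames cannot "un-trip" the function by simply stopping.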

See IEC 61508-4 [7], IEC 61000-1-1 [8], and the PROFIsafe profiles [1] and [11] for further terms and definitions.

1.3 Standards and Directives

Regarding the issues in this paper which deal with industrial environments, the following international standards for functional and electrical safety shall be taken into account, as well as the PROFIBUS installation guidelines [9] and [9a]. It is highly recommended to consider the testing principles of BGIA [2]. Figure 1-2 and Figure 1-3 provide an overview of safety and fieldbus standards for both machinery and process automation (PA) applications.


For this PROFIsafe "environment" specification the data security aspects are relevant for safety considerations (see chapter 6). General issues are covered by IEC 62443 and the PROFIBUS/PROFINET IO specifics by IEC 61784-4-3.
[Figure: design objectives and the applicable standards for machinery.
- Product standards: safety for e.g. light curtains: IEC 61496; safety for PLC: IEC 61131-6; safety functions for drives: IEC 61800-5-2
- Safety of machinery, principles for design and risk assessment: ISO 12100-1 and ISO 14121
- Security (common): IEC 62443; security (profile-specific): IEC 61784-4
- Design of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery, SIL based: IEC 62061 (functional safety for machinery, including EMI for industrial environment); PL based: ISO 13849-1, -2 (safety-related parts of control systems, SRPCS, electrical and non-electrical)
- Installation guide (common part): IEC 61918; installation guide (profile-specific): IEC 61784-5
- EMC and functional safety: IEC 61326-3-1
- Functional safety communication profiles: IEC 61784-3
- Safety of electrical equipment: IEC 60204-1; US: NFPA 79 (2006)
- Fieldbus for use in industrial control systems: IEC 61158 / IEC 61784-1/2
- Functional safety (basic standard): IEC 61508]
Figure 1-2 Safety for machinery and fieldbus standards


Throughout this document the term "machinery" also includes "discrete manufacturing".
[Figure: design objectives and the applicable standards for process automation. See the safety standards for machinery (Figure 1-2), valid also in process industries whenever applicable.
- Product standards: safety for e.g. light curtains: IEC 61496; safety for PLC: IEC 61131-6; safety functions for drives: IEC 61800-5-2
- Security (common): IEC 62443; security (profile-specific): IEC 61784-4
- Installation guide (common part): IEC 61918; installation guide (profile-specific): IEC 61784-5
- EMC and functional safety: IEC 61326-3-2 a)
- Functional safety communication profiles: IEC 61784-3
- Fieldbus for use in industrial control systems: IEC 61158 / IEC 61784-1/2
- Functional safety (basic standard): IEC 61508
- Functional safety, safety instrumented systems for the process industry sector: IEC 61511 b); US: ISA-84.00.01 (3 parts = modified IEC 61511); DE: VDI 2180, Part 1-4
a) for specified electromagnetic environments; otherwise IEC 61326-3-1. b) EN ratified.]
Figure 1-3 Safety for PA and fieldbus standards

1.3.1 Functional Safety

[Figure: basic standard IEC 61508 Functional Safety (alongside ISO/IEC Guide 51, el., mech). Sector standards: IEC 61511 Process Industry; IEC 62061 Machinery (SIL); ISO 13849-1 1) Machinery (PL); IEC 61513 Nuclear Sector; Medical...; Railway.... Product standard extensions: IEC 61496-1 Safety sensors; IEC 61800-5-2 Safety drives; IEC 61131-6 2) Safety PLC; IEC 61784-3-3 PROFIsafe 2). Notes: 1) Limited correlation to IEC 61508; 2) In preparation.]
Figure 1-4 Overview on safety related IEC/ISO standards


The basic standard for functional safety is IEC 61508, which covers the functional safety of electrical equipment and the basic principles and procedures. The sector standards, IEC 61511 for example, describe the specific requirements of industries; in this case, the process industry. Product standards, IEC 61496 for example, deal with the requirements for individual device classes such as light curtains and laser scanners. Both the future release of IEC 61508 and the new IEC 61784-3 will address the safety technology profiles for fieldbuses. Subpart IEC 61784-3-3 holds the content of the PROFIsafe specification V2.0 including some extensions such as conformance classes, wireless transmissions, reaction times, etc. IEC 62061 covers safety related electrical control systems for machinery. ISO 13849-1 (see footnote 1), the successor of EN 954-1, introduces a different classification of safety ranges (performance levels) and also covers non-electrical systems.

The annex of the EC "Machinery Directive 98/37/EC" [23] lists the machines and parts which legally require certification by a "Notified Body" (BGIA, TÜV, FM (Factory Mutual), etc.). If there is a harmonized corresponding product standard (for example, IEC 61496), a declaration by the manufacturer is sufficient.

PROFIsafe as a means for safe communication is always part of an overall safety system. It should therefore be noted that this guideline cannot cover all kinds of safety applications and their appropriate standards and directives. It is only possible to provide an overview and to describe the most important minimum requirements for safety applications with PROFIBUS/PROFINET. It is up to the device manufacturer to define higher levels of electrical safety or immunity than described in this guideline in order to meet various markets with their particular requirements.

1.3.2 Electrical Safety

General requirements for the communication ports of every PROFIBUS/PROFINET and PROFIsafe device are laid down in
IEC 60364-4-41 (2005) Electrical installations of buildings - Part 4-41: Protection for safety - Protection against electric shock
This standard deals with extra low voltages (SELV/PELV).

Footnote 1: Currently in FDIS state and not yet harmonized (Europe)



General safety information, which may be useful for all kinds of safety products, can be retrieved from 5.6 and from
IEC 60204-1 (2005) Safety of machinery - Electrical equipment of machines - Part 1: General requirements

For "Programmable Logic Controllers" (PLC) and fieldbus devices like remote I/O terminals the following applies:
IEC 61131-2 (2003) Programmable controllers - Part 2: Equipment requirements and tests
IEC 61010-1 (2003) Safety requirements for electrical equipment for measurement, control, and laboratory use - Part 1: General requirements

For "Electro Sensitive Protective Equipment" (ESPE or AOPD) the following applies:
IEC 61496-1 (2004) Safety of machinery - Electro sensitive protective equipment - Part 1: General requirements and tests

For electrical power drives the following applies:
IEC 61800-5-1 (2003) Adjustable speed electrical power drive systems - Part 5-1: Safety requirements - Electrical, thermal and energy

1.3.3 Electromagnetic immunity

IEC 61508-2 requires specifying all requirements for the safety related system in the safety requirements specification (SRS) of the E/E/PES. In clause 7.2.3.2 it states:

"The E/E/PES safety integrity requirements specification shall contain: e) the electromagnetic immunity limits (see IEC 61000-1-1) which are required to achieve electromagnetic compatibility; the electromagnetic immunity limits should be derived taking into account both the electromagnetic environment (see IEC 61000-2-5) and the required safety integrity levels."

It should be clearly stated in the SRS which of the assumed electromagnetic immunity levels are general values for non-safety functions (standard levels) and which electromagnetic immunity levels are required for the safety functions. It should be stated whether the specified value already includes an increased level.

This PROFIBUS guideline provides advice on how different electromagnetic immunity requirements for PROFIsafe devices connected to PROFIBUS should be handled within normal industrial environments (see footnote 2) for PROFIBUS automation equipment. Heavier industrial environments as defined in IEC 61000-2-5 are not subject of this guideline. In such a case appropriate measures shall be taken to achieve the corresponding electromagnetic immunity (e.g. extra housing, fibre optics, etc.). Thus the generic standard for the guideline at hand is
IEC 61000-6-2 (2005) Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments

2) In contrast to residential or commercial environments or outdoors

Copyright PNO 2007 All Rights Reserved



IEC 61508-2 (Requirements for electrical/electronic/programmable electronic safety-related systems) references:
- IEC 61000-1-1 Electromagnetic compatibility (EMC) - Part 1: General - Section 1: Application and interpretation of fundamental definitions and terms
- IEC 61000-2-5 Electromagnetic compatibility (EMC) - Part 2: Environment - Section 5: Classification of electromagnetic environments. Basic EMC publication

Industrial environments:
- IEC 61000-6-2 Electromagnetic compatibility (EMC) - Part 6-2: Generic standards - Immunity for industrial environments
- IEC 61000-4-1 Electromagnetic compatibility (EMC) - Part 4-1: Testing and measurement techniques - Overview of IEC 61000-4 series

Phenomena relevant for safety (IEC 61000-4-x):
- -2: ESD
- -3: HF field
- -4: Burst
- -5: Surge
- -6: HF conducted
- -8: 50/60 Hz magnetic field
- -11: Voltage dips & interruptions
- -16: Conducted, common mode, 0-150 kHz *)
- -29: DC power port dips & interruptions *)

Medical and others ...

*) not included in IEC 61000-6-2

Figure 1-5 EMC Standards referenced by IEC 61508 for industrial environments
IEC 61000-6-2 defines requirements and test levels. It is important to note that this standard for industrial environments does not include two phenomena which are considered to be relevant for safety applications: conducted common mode disturbances, and DC power port dips & interruptions.

The test and measurement techniques are defined in:
IEC 61000-4-1 (2000) Electromagnetic compatibility (EMC) - Part 4-1: Testing and measurement techniques - Overview of IEC 61000-4 series
Part 4-1 gives applicability assistance to the users and manufacturers of electrical and electronic equipment on EMC standards within the IEC 61000-4 series on testing and measurement techniques. It provides general recommendations concerning the choice of relevant tests. The subsequent parts (-4-2 to -4-29) define the measurement techniques for the phenomena relevant for safety applications, such as electrostatic discharge ESD (-4-2), HF field (-4-3), burst (-4-4), surge (-4-5), HF conducted (-4-6), magnetic fields (-4-8), voltage dips & interruptions (-4-11), conducted common mode disturbances (-4-16), and DC power port dips & interruptions (-4-29).

The first standard defining EMC requirements for functional safety for machinery is:
IEC 62061 (2005) Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
Its EMC requirements are in line with the requirements of the previous version 1.1 of this PROFIsafe "environment" guideline. Conducted common mode disturbances (-4-16) are not covered by either.

Current activities on EMC requirements for functional safety are concentrated on:
IEC 61326-3-1 (CDV) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for equipment performing or intended to perform safety related functions (functional safety) - General industrial applications
This standard is still in progress. It will become the main source of information for all industrial applications and hence for PROFIsafe applications whenever no particular product standard exists. Conducted common mode disturbances (IEC 61000-4-16) and DC power port dips & interruptions are covered within this standard. See Chapter 3.

For the PROFIBUS area, additional "product standards" apply:

For PLCs (normally also covers all PROFIBUS-certified devices):
IEC 61131-2 (2004) Programmable controllers - Part 2: Equipment requirements and tests
This standard does not define any EMC requirements for functional safety and thus either IEC 62061 or the new IEC 61326-3-1 applies.

For electro sensitive protective equipment (ESPE or AOPD) such as light curtains:
IEC 61496-1 (2004) Safety of machinery - Electro sensitive protective equipment - Part 1: General requirements and tests
IEC 61496-2 (2006) Safety of machinery - Electro-sensitive protective equipment - Part 2: Particular requirements for equipment using active opto-electronic protective devices (AOPD)

For electrical power drives:
IEC 61800-3 (2004) Adjustable speed electrical power drive systems - Part 3: EMC product standard including specific test methods (Revision of IEC 61800-3)
This standard does not define any EMC requirements for functional safety and thus either IEC 62061 or the new IEC 61326-3-1 applies. [10] defines the EMC requirements for electrical power drives with functional safety, which are to be certified by BGIA. These are based on IEC 61800-3 using the methodology of doubling the standard levels or taking the next category. Thus, for some phenomena the levels are higher than in IEC 61326-3-1.
For robots:
ISO/TR 11062 (1994) (withdrawn) Manipulating industrial robots - EMC test methods and performance evaluation criteria - Guidelines
ISO 10218-1 (2006) Robots for industrial environments - Safety requirements - Part 1: Robot
This standard does not define any increased EMI requirements for functional safety other than IEC 61000-6-2. It is highly recommended to apply either IEC 62061 or the new IEC 61326-3-1 (see 3.4.4).

For PA devices:
IEC 61326-1 (2005) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 1: General requirements
IEC 61326-2-5 (2006) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 2-5: Particular requirements - Test configurations, operational conditions and performance criteria for field devices with interfaces according to communication profile Family 3 Profile 3/2 (i.e. PROFIBUS PA; the other subparts within this -2-x series cover different device families)
IEC 61326-3-2 (CDV) Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-2: Immunity requirements for equipment performing or intended to perform safety related functions (functional safety) - Industrial applications with specified EM environment

Figure 1-6 provides an overview of the current standards which are of main interest for PROFIsafe.
Background: IEC 61508-2 requires "increased immunity" and requires IEC 61000-2-5 as source for phenomena to consider in safety requirement specifications (SRS).

EMC standards (TC77):
- IEC 61000-6-2 defines standard industrial environments (separate transformer, switching of high currents, etc.) and accordingly necessary test levels.
- IEC 61000-4-1 provides an overview on immunity test procedures.
- IEC 61000-1-2 is a technical specification describing a methodology for the achievement of functional safety.
- IEC 61326-3-1: product standard for EMC and functional safety.

Product family standards:
- IEC 61496-1 (TC44) (light curtain, laser scanner); specialties: muting functions, HF level 30 V/m
- IEC 61800-5-2 (TC22) (drives with integrated safety); specialties: no levels defined
- IEC 61131-2 (TC65) (PLC and subsystems); specialties: FS not defined
- ISO 10218 (TC184) (robots for industrial environment); no increased immunity defined
- IEC 61326-3-1 (TC65): generic industrial environment (whenever applicable), else IEC 61326-3-2: distinct process environment; EMC and FS

Sector standards:
- IEC 62061 (TC44) (Safety of machinery: design, integration and validation of safety related systems); EMI levels of industrial environments
- IEC 61511 (TC65) (FS for the process industry sector)

Figure 1-6 Overview on device related EMC standards


The environmental conditions within the process industries can be different from those of normal industrial environments, and thus the specific levels and performance criteria described in IEC 61326-3-2 can be used for PA devices with functional safety (see 3.3.2). PROFIsafe will stay with the already defined levels, which correspond to those of IEC 61326-3-1, for all devices not having individual level specifications, until the final agreements in IEC become effective. With respect to performance criteria, the more elaborate scenarios of IEC 61326-3-1 will become effective (see 3.2).

1.3.4 Installation Guidelines

For PROFIBUS and PROFINET more than seven specifications exist that are related to installation aspects. These existing documents have been created at different times and therefore reflect different stages in the course of PROFIBUS/PROFINET development. In addition, they contain extensive specifications aimed at the needs of device developers. The PNO decided to publish a comprehensible summary as a handbook for users [9]. The content of this handbook has been incorporated in IEC 61784-5-3 3) [9a] and IEC 61918 4) [9b]. These installation guidelines shall be observed as a precondition for decentralized safety applications using PROFIBUS, PROFINET, and PROFIsafe equipment, especially regarding shielding, grounding, and cable routing. Additional hints are given in Chapters 3.4.2, 4.1, 4.3, 4.4, 5, and 7.2.1.

3) work in progress
4) work in progress

1.3.5 Security aspects

IEC 62443 [15] and IEC 61784-4-3 [16] are not yet published and cannot be taken as reference. PNO has published PROFINET security guidelines [14] for the intervening period.

1.3.6 Test Principles of BGIA

In May 2002, the final version of a recommendation (prepared by BGIA together with numerous bus organizations) called "Principle for testing and certifying bus systems for the transmission of safety-relevant messages" was published. It is now available for public use by BG [2]. Essential statements regarding the PROFIsafe scope are made in this paper with respect to the:
- Zone distribution of the bus stations (close to the process, control cabinet or office)
- Validity of area separation of station and bus (electrical isolation of the data lines)

2 Safety Functions according to IEC 61508

To further discuss this matter, it is necessary to refer to a model that is generally accepted and to detail it in steps for the respective problem area. In principle, IEC 61508 defines so-called safety functions. A hazardous final element (for example a drive as actuator) is controlled by program logic in a PLC, which in turn receives signals from encoders. All elements are embedded in the environmental conditions and depend on their "suppliers", for example, power supplies.

(Content of the figure: Sensor -> Bin. I / Anal. I -> logic operations within one PLC, e.g. SIL3 -> Bin. O -> Actuator; all elements fed by a power supply, e.g. 24 VDC; Safety Integrity Level (SIL) 3: 10^-7 / h)

Figure 2-1 Influences on Safety Functions


To this model, the safety considerations listed in IEC 61508 and the corresponding failure probabilities are to be applied. In the present case, for example, these would be:
- Requirements for power supplies
- Increased immunity (several phenomena)

IEC 61508 makes no quantitative statements about "increased immunity levels". Depending on the particular deployment and the corresponding threats, the requirements for e.g. general purpose factory automation and machinery are defined in IEC 62061 or IEC 61326-3-1, and for process industries in IEC 61326-3-2. Product standards such as IEC 61496-1 require stronger electromagnetic immunity to withstand very likely special threats, such as mobile phones operated very close to light curtains.

3 Immunity against electromagnetic phenomena

Regarding the electromagnetic immunity of automated facilities based on bus systems, PROFIBUS can point to more than 10 years of operational experience and thousands of different operational conditions as the necessary prerequisite for the use of safety technology (proven-in-use). The economic success proves a well-maintained balance between the technical effort for immunity and the availability obtained with it. It is a matter of course for PROFIBUS and PROFINET that this is based on the relevant standards related to this communication profile family (CPF3). Because there is no overarching standard for bus systems, IEC 61131-2 and/or IEC 61000-6-2 were viewed as binding for all devices on PROFIBUS within standard industrial environments. They also were the basis for the PROFIsafe devices certified so far. IEC 61131-2 defines test levels as well as performance criteria, that is, descriptions of the system or device setpoint behavior during the test.

With the advent of safety devices on PROFIBUS and PROFINET, new requirements arose from standards and certifying bodies (Figure 3-3):
1. Normal functions and safety functions are expected to work correctly when applying standard (IEC 61131-2 or IEC 61000-6-2) test levels, thus guaranteeing functionality and availability. No nuisance trips are to be perceived.
2. Safety functions are expected to work either correctly or at least to switch into a safe state (for "performance criteria" see 3.2) when applying increased test levels for the safety relevant phenomena, thus guaranteeing safety.

The main phenomena to be covered are:
1. ESD (IEC 61000-4-2)
2. HF field (IEC 61000-4-3)
3. Burst (IEC 61000-4-4)
4. Surge (IEC 61000-4-5)
5. HF conducted (IEC 61000-4-6)
6. DC voltage dips (IEC 61000-4-29)

IEC 61326-3-1 recommends considering an additional phenomenon: 7. Conducted common mode disturbances (IEC 61000-4-16)

This phenomenon appears in industrial practice in conjunction with power-electronic systems (see 5.7). IEC 61326-3-1 restricts the safety relevant tests to short time power frequency phenomena limited to the rated voltage of the power supply. Others are to be observed according to the requirements of a particular safety application. It should be noted that PROFIsafe already provides a high degree of safety for data transmission via its SIL-Monitor mechanism [1].

3.1 Test Bed

The following reference model has been agreed upon to be used as the basis for a "test bed". It is to be set up for the acceptance of PROFIsafe devices and consists of a minimum configuration with an F-sensor, an F-actuator, an F-PLC and a standard PROFIBUS device. As long as there is no F-actuator, a safe motor starter can be used. A monitoring device such as a diagnosis repeater can be included in this test bed.

(Content of the figure: F-PLC (F-I/O): EMC test acc. IEC 62061 levels or IEC 61326-3-1, (Safety) performance criteria. F Actuator, e.g. drive: EMC test acc. IEC 61800-3 and 61326-3-1 or BGIA levels, (Safety) performance criteria. F Sensor *), e.g. laser scanner (ESPE): EMC test acc. IEC 61496, performance criteria acc. IEC 61496. Standard field device, e.g. barcode reader: EMC test acc. IEC 61131-2 or product standard, performance criteria acc. IEC 61131-2. Fieldbus components assembly acc. IEC 61918 and 61784-5-3. "Safety Function": F-System shall not fail to danger!
*) other F Sensors: like F-I/O, IEC 61326-3-1)

Figure 3-1 PROFIsafe test bed for immunity testing


The test levels to be applied to these devices are provided in the respective product standards. Additional notes are included in the chapters below regarding the test instructions for PROFIsafe operation. Figure 3-2 shows a construction sketch of the test bed. Cable lengths of 1 m are critical and should not be changed. The PROFIsafe devices and one standard PROFINET IO / PROFIBUS DP device are to be mounted on a copper plate, about 2 mm thick. The equipment under test (EUT), a PROFIsafe device, shall be mounted considering the test requirements of the different IEC 61000-4-x standards.
(Content of the sketch: several PROFIsafe devices 1) and the PROFIsafe device under test (EUT) 2) mounted on a copper plate (Cu, 2 mm), connected via PROFINET IO or PROFIBUS DP with 1 m cable lengths (one spacing >= 1 m); further dimension shown: 10 cm; decoupling for absence of reaction towards the network.
1) One device to be a standard PROFINET IO / PROFIBUS DP device
2) Example for electric discharge test)

Figure 3-2 Construction sketch for a test bed


The test bed is to be grounded. The test bed and the additional engineering equipment will provide the necessary means:
- to decouple the EUT from the network (special shielding or other means)
- to report diagnosis messages of the devices (programming device or alike)

See 3.4.2 for modifications of the test bed for PA devices.

3.2 (Safety) Performance criteria for functional safety

While performing the tests with increased levels, the behaviour of the EUT shall be according to the required performance criterion. The following criteria 5) are specified in the BGIA test principles [2]:

Criterion | Description
A | The bus system must continue working according to its normal use during and after interference.
B | The bus system must work according to its normal use after interference. If the (safety relevant) time-out time is exceeded because of interference, the safety-relevant stations must initiate the safe mode (state). Restart is automatic (depending on the application) or it is to be implemented through an explicit enable *). Bus communication automatically resumes after interference.
C | The safety-relevant stations initiate the safe mode. Communication may fail. All safety-relevant stations must remain in the safe mode during and after the interference. Normal operation is restored through setting devices/operating controls (such as power off/power on).

*) In the case of PROFIsafe, "Enable" is usually called "Operator Acknowledge".

Table 1 Performance criteria of GS-ET-26


Criterion "D", which is currently under discussion, is not permissible for PROFIsafe regarding the test instructions and test levels defined in this document (and it is not required if the installation guidelines are adhered to). It permits the destruction of components if the facility responds safely. IEC 61326-3-1 states that the criteria A, B, and C are already defined for tests with normal levels according to IEC 61326-1. Instead, it defines a performance criterion "FS", which allows any of the behaviors of Table 1 if specified for the particular device, even the destruction of components.

3.3 Generic increased immunity levels for PROFIsafe devices

There are two main industrial environments for the deployment of PROFIBUS and PROFINET IO: one is the electromagnetic environment of manufacturing industries and machinery, and the other is the electromagnetic environment of the process industries. Both have very different constraints with respect to EMC, and thus the two different standards IEC 61326-3-1 and IEC 61326-3-2 apply. It should be noted that PROFIsafe technology can be used in other application areas as well. These areas may have their own standards defining environmental and immunity conditions. Examples are burner management with EN 298 or trains with EN 50121-3-2.

3.3.1 General industrial environments (IEC 61326-3-1)

According to Chapter 1.3.3, PROFIsafe refers to normal industrial environments and thus to IEC 61000-6-2. Within the scope of this standard, the following test requirements are specified in IEC 61326-3-1 as "Increased Immunity Level" for testing all PROFIsafe devices that do not have their own product standard. Table 2 contains an overview of the safety relevant phenomena and the test levels. See IEC 61326-3-1 for the complete information, especially for the ports of the EUT to be tested. The increased immunity levels of Table 2 are minimum requirements and shall not be under-run by any PROFIsafe product.

5) These criteria are derived from, but deviate from, the criteria in IEC 61000-6-2.

IEC 61000-4-x | Phenomenon | Standard level (Zone B) | IEC 61326-3-1 increased immunity level | Constraint
-2 | ESD (electrostatic discharge) | 4/8 kV 1) | 4/8 kV 1) (no safety margin) | Safety device ("open type") within separate control room
   |   |   | 6/8 kV 1) | Safety device within cabinet or housing
   |   |   | 6/15 kV 1) | "Enclosed type controller"
-3 | HF field | 10 V/m | 20 V/m | 80 MHz to 1 GHz (particular frequencies only)
   |   | 3 V/m | 10 V/m | 1,4-2,0 GHz
   |   | 1 V/m | 3 V/m | 2,0-2,7 GHz
-4 | Burst | 2 kV 2) | 4 kV 2) | Power supply cabling
   |   | 1 kV 2) | 2 kV 2) | PROFIBUS/PROFINET cable shielding
-5 | Surge | 1 kV | 2 kV 3) | Power supply cabling; external measures permitted, e.g. centralised lightning conductor
   |   | 1 kV 2) | 2 kV 2) | PROFIBUS/PROFINET cable shielding
-6 | HF conducted | 10 V (3 V) 4) | 20 V (10 V) 4) | 3,39 MHz, 40,68 MHz (only)
-8 | 50/60 Hz magnetic field | 30 A/m | No increased levels |
-16 | Conducted common mode disturbance 5) | not required | 1,5 kHz to 15 kHz: 1 V to 10 V with 20 dB/dec; 15 kHz to 150 kHz: 10 V; DC and 50 Hz/60 Hz: 10 V continuous, 100 V short duration (1 s); 150 Hz/180 Hz: 10 V continuous |
-29 | Voltage dips / voltage interruptions / voltage deviations | 60% for 10 ms / 100% for 20 ms / -15% / +20% | No increased levels |

1) First value: contact, second value: air
2) Common Mode (CM)
3) DC power; 4 kV for AC power
4) Current versions of IEC 61131-2 specify a reduced value of 3 V. It is highly recommended to stay with 10 V and the increased level of 20 V instead of 10 V.
5) This test can be omitted if it can be guaranteed through system design and instructions that no conducted common mode situation, such as coupling of sensor signals and power supply currents, can occur, e.g. by following IEC 60204-1 (see 5.4).

Table 2 Immunity levels per phenomenon (e.g. machinery)
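As an added example (not code from the guideline or from PNO/BGIA), the following screens a constructed EMC test report against the Table 2 increased immunity levels (3.3.1) and the Table 1 performance criteria (3.2): an applied level must not under-run the minimum, criterion D is rejected, and criterion C is acceptable only at increased levels. The phenomenon key names, the Observation fields and the sample records are this example's own assumptions.

```python
"""Added example, not part of the PROFIsafe guideline or any PNO tool: screen an
EMC test report of a PROFIsafe device against the Table 2 immunity levels and the
GS-ET-26 performance criteria of Table 1 (criterion D is rejected)."""
from dataclasses import dataclass

# (standard level, IEC 61326-3-1 increased level) per phenomenon, values taken from
# Table 2 for one representative port each; the key names are this example's own.
LEVELS = {
    "ESD_contact_kV": (4.0, 6.0),            # enclosed type controller, contact discharge
    "ESD_air_kV": (8.0, 8.0),                # enclosed type controller, air discharge
    "HF_field_80MHz-1GHz_V/m": (10.0, 20.0),
    "HF_field_1.4-2.0GHz_V/m": (3.0, 10.0),
    "HF_field_2.0-2.7GHz_V/m": (1.0, 3.0),
    "burst_power_supply_kV": (2.0, 4.0),
    "burst_bus_shield_kV": (1.0, 2.0),
    "surge_power_supply_DC_kV": (1.0, 2.0),  # 4 kV increased level for AC power (footnote 3)
    "surge_bus_shield_kV": (1.0, 2.0),
    "HF_conducted_V": (10.0, 20.0),          # footnote 4: stay with 10 V / 20 V, not 3 V / 10 V
}

# At standard levels functionality and availability must be kept (no nuisance trips);
# at increased levels switching into the safe state (criterion C) is acceptable.
ALLOWED_STANDARD = {"A", "B"}
ALLOWED_INCREASED = {"A", "B", "C"}


@dataclass
class Observation:
    normal_during: bool             # normal use kept during the interference
    normal_after: bool              # normal use resumed afterwards without power off/on
    safe_state: bool                # safety-relevant station(s) entered the safe state
    auto_restart: bool              # restart automatic or via explicit enable (operator acknowledge)
    stayed_safe_until_reset: bool   # left the safe state only via setting devices / power off/on
    fail_to_danger: bool = False    # hazardous output or safety function lost outside the safe state
    component_damage: bool = False


def classify(obs: Observation) -> str:
    """Map an observed behaviour to a GS-ET-26 performance criterion of Table 1."""
    if obs.component_damage:
        return "D"            # destruction of components: never permissible for PROFIsafe
    if obs.fail_to_danger:
        return "FAIL"         # no criterion covers a dangerous failure
    if obs.normal_during and obs.normal_after:
        return "A"
    if obs.normal_after and (not obs.safe_state or obs.auto_restart):
        return "B"            # bus resumes; a safe mode (if any) restarted automatically / by enable
    if obs.safe_state and obs.stayed_safe_until_reset:
        return "C"
    return "UNCLASSIFIED"


@dataclass
class TestRecord:
    phenomenon: str           # key into LEVELS
    applied_level: float
    increased: bool           # True = increased (safety) level run, False = standard level run
    observation: Observation


@dataclass
class Verdict:
    phenomenon: str
    criterion: str
    passed: bool
    reason: str


def evaluate(rec: TestRecord) -> Verdict:
    """Check the applied level against Table 2 and the behaviour against the criteria."""
    standard, increased = LEVELS[rec.phenomenon]
    required = increased if rec.increased else standard
    allowed = ALLOWED_INCREASED if rec.increased else ALLOWED_STANDARD
    crit = classify(rec.observation)
    if rec.applied_level < required:
        return Verdict(rec.phenomenon, crit, False,
                       f"applied level {rec.applied_level} under-runs required {required}")
    if crit not in allowed:
        return Verdict(rec.phenomenon, crit, False, f"criterion {crit} not permissible at this level")
    return Verdict(rec.phenomenon, crit, True, "ok")


def evaluate_report(records):
    return [evaluate(r) for r in records]


def report_passes(records) -> bool:
    return all(v.passed for v in evaluate_report(records))


# Constructed sample report (not measured data).
SAMPLE_RECORDS = [
    # burst on the power supply at 4 kV: bus briefly lost, time-out exceeded, safe state
    # entered and restarted via operator acknowledge -> criterion B
    TestRecord("burst_power_supply_kV", 4.0, True, Observation(False, True, True, True, False)),
    # surge on the DC power supply tested only at 1 kV although 2 kV is the minimum
    TestRecord("surge_power_supply_DC_kV", 1.0, True, Observation(True, True, False, False, False)),
    # ESD at 6 kV contact: safe state held until power off/on -> criterion C, acceptable
    TestRecord("ESD_contact_kV", 6.0, True, Observation(False, False, True, False, True)),
    # HF field at 20 V/m with a damaged input stage -> criterion D, rejected
    TestRecord("HF_field_80MHz-1GHz_V/m", 20.0, True,
               Observation(False, False, True, False, True, component_damage=True)),
    # HF conducted at the standard level causing a nuisance trip (C) -> availability failure
    TestRecord("HF_conducted_V", 10.0, False, Observation(False, False, True, False, True)),
]

if __name__ == "__main__":
    for v in evaluate_report(SAMPLE_RECORDS):
        print(f"{v.phenomenon:26s} {v.criterion:12s} {'PASS' if v.passed else 'FAIL'}  {v.reason}")
```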


Figure 3-3 shows the relationship between increased immunity test levels and the performance criteria according to IEC 61326-3-1.

(Content of the figure: immunity levels for ESPE (AOPD): IEC 61496-1 (2004) levels; for F-PLC, F-I/O, etc.: increased levels (see Table 2) with performance criterion FS (Functional Safety). Current standard level: IEC 61131-2 / IEC 61000-6-2 (level 3 resp. level 4) with performance criteria A, B, C. Increased levels: no negative impact on safety of personnel! Standard levels: no negative impact on availability of facilities.)

Figure 3-3 Increased immunity test levels

3.3.2 Specified electromagnetic environment (IEC 61326-3-2)

The measurement of very small analog voltages, currents or other physical quantities and the processing of explosive chemicals are the main characteristics of the process industries. Accordingly, special care is taken to achieve a high level of availability and safety:
- Industrial area with limited access
- Highly meshed metal constructions of the buildings
- Excellent grounding/earthing systems
- Explosion and overvoltage/lightning protection areas
- Restricted use of mobile phones
- Safety requirement specifications (SRS) based on long term statistics
- Professional staff
- Continuous maintenance

Based on these preconditions it is possible to deal with a different set of immunity levels for PA devices such as in Table 3. See IEC 61326-3-2 for details. Additional information can be retrieved from [19] and [20].
IEC 61000-4-x | Phenomenon | IEC 61326-1 (industrial) | IEC 61326-3-2 (industrial) | Constraint
-2 | ESD (electrostatic discharge) | 4/8 kV 1) | 6/8 kV 1) | "Enclosed type controller"
-3 | HF field | 10 V/m | 10 V/m | 80-1000 MHz
   |   | 3 V/m | 10 V/m | ISM/GSM, mobile phone 1,4-2,0 GHz
   |   | 1 V/m | 3 V/m | 2,0-2,7 GHz
-4 | Burst | 2 kV 3) | 2 kV 3) | Power supply cabling
   |   | 1 kV 3) | 1 kV 3) | PROFIBUS cable shielding
-5 | Surge | 1 kV 3) + 4) | 1 kV 3) + 4) | Power supply cabling; external measures permitted, e.g. centralised lightning conductor; line to ground
   |   | 1 kV 3) + 2) | 1 kV 3) + 2) | PROFIBUS cable shielding
-6 | HF conducted | 3 V | 10 V | 10 kHz-80 MHz
-8 | 50/60 Hz magnetic field | 30 A/m | 100 A/m | enclosure only
-29 | Voltage dips / voltage interruptions / voltage deviations | 60% for 1 s, 100% for 1 s / 100% for 20 ms / -15% / +20% | | DC supply lines

1) First value: contact, second value: air
2) Current versions of IEC 61326-3-2 specify a value of 1 kV. For PROFIsafe it is highly recommended to test with 2 kV.
3) Common Mode (CM)
4) DC power; 2 kV for AC power

Table 3 Immunity levels per phenomenon (e.g. process industries)


3.4 Product family specifics

Some of the PROFIsafe device families are totally new designs and do not have their own specific product standard. In these cases IEC 61326-3-1 applies. For some of the devices, product standards already existed for relay technologies. In the meantime, updated versions have been published taking the fieldbus situation into account.

3.4.1 F-Sensor (ESPE/AOPD)

The new version of IEC 61496-1 now covers the safety communication across a fieldbus. The communication interface is supposed to provide galvanic isolation from the device. Hint: An increased immunity level of 30 V/m for the "HF field" test is required.

3.4.2 PA Devices for functional safety

The increased immunity levels of Table 3 apply. See IEC 61326-3-2 for more details. Figure 3-4 illustrates the modifications of the test beds for PA devices.
(Content of the figure: as in Figure 3-1, with a PA device, e.g. pressure transmitter, connected via MBP-IS in the explosive environment; the other devices are in the normal environment. F-PLC (F-I/O): EMC test acc. IEC 62061 levels or IEC 61326-3-1, (Safety) performance criteria. F Actuator, e.g. drive: EMC test acc. IEC 61800-3 and 61326-3-1 or BGIA levels, (Safety) performance criteria. Standard field device, e.g. barcode reader: EMC test acc. IEC 61131-2 or product standard, performance criteria acc. IEC 61131-2. PA device: EMC test acc. IEC 61326-3-2, performance criteria acc. IEC 61326-3-2. F sensor: EMC test acc. IEC 61496, (Safety) performance criteria. Fieldbus components assembly acc. IEC 61918 and 61784-5-3. "Safety Function": F-System shall not fail to danger!)

Figure 3-4 Modified test bed for PA devices


3.4.3 F-PLC and F-I/O

The normal EMC requirements for these devices are based on IEC 61000-6-2 or IEC 61131-2. No product standard exists defining increased immunity levels for functional safety. Thus, 3.2, 3.3.1, Table 2 and IEC 61326-3-1 apply. It should be noted that F-PLC and F-I/O can be deployed in particular applications, such as burner management or trains, with their own set of standards to be observed.

3.4.4 F-Actuator (drives with integrated safety)

Here, different "device types" are to be distinguished:
- F-I/O with motor starters
- F-I/O with integrated frequency converters
- Drives with integrated safety

In case of F-I/O, the information provided in 3.3 applies. For drives with integrated safety, no IEC standards with dedicated electromagnetic immunity testing have been published. Thus, either IEC 61326-3-1 or the levels defined by BGIA [10] are to be considered for normal industrial use. The levels defined by BGIA are set up according to the following rule: wherever a level is defined in IEC 61800-3, the doubled value or the next level is taken; wherever no phenomenon is specified, the first level is taken (e.g. signal lines: 500 V). No surge on DC lines. For SIL 3 the duration of the tests is increased: ESD: 3 times; burst: 5 min; surge: pulses 3 times longer.

Design hint: Regarding inverter-fed drives, it should be noted that the DC supply voltage for the electronics usually is derived from the electric power supply of the motor (DC intermediate circuit). A switch-off of the electrical power shall not cut off the power supply of the termination impedance of the communication system, as this would lead to a malfunction of the bus system. This is not a safety but an availability issue.

3.5 Non-safety PROFIBUS and PROFINET devices

When testing these devices according to IEC 61131-2 or IEC 61000-6-2 their performance criteria A and B apply. PROFIsafe applications shall use (PNO) certified standard devices in order to ensure proper communication, conformant to PROFIBUS and/or PROFINET standards. This is not a safety but an availability issue.

4 Overvoltages and Shock Protection

Safety regarding PROFIsafe devices is considered on the assumption that no impermissibly high voltages occur on either the power supply cables or the data communication cables, or only with a permissibly low probability under normal and single fault conditions. On the other hand, these cables are hazardous to humans if touched, regardless of whether these are safety devices or not. Therefore, we apply this shock protection to our safety electronics: it must be able to "tolerate the voltage that a human being is expected to tolerate and then respond safely".

4.1 Definitions

SELV: Safety Extra-Low Voltage

Being specified as a SELV system includes a limitation of voltage and a protective measure against direct and indirect contact with hazardous voltages through "safe separation" implemented in the device. However, a SELV system must not be grounded (in contrast to a PELV system).

PELV: Protective Extra-Low Voltage ("Function voltage")

Protective extra-low voltage is a grounded variant of SELV. Being specified as a PELV system according to IEC 60364-4-41 (originally DIN VDE 0100-410:1997-01) or IEC 61010-1 includes a limitation of voltage and a protective measure against direct and indirect contact with hazardous voltages through "safe separation" of the primary and secondary side implemented in the device. The above mentioned isolation testing voltages only refer to the SELV/PELV voltages or data lines respectively.

Current Sources for SELV and PELV

The following are permissible:
- Transformers with safe isolation
- Power sources with the same degree of safety; for example, motor generators with correspondingly separated windings or diesel units
- Electro-chemical power sources; for example, batteries, galvanic elements
- On the same level are electronic devices if, under normal conditions, the voltage on the output terminals and against ground is no higher than 30 V AC, 42,4 V peak or 60 V DC, and in case of a single fault no higher than 50 V AC, 70 V peak or 120 V DC.

Arrangement of the Power Circuits for Safety Extra-Low Voltage (SELV)

Active parts of safety extra-low voltage power circuits are not to be connected to ground or to the protective conductors of other power circuits. They must be safely separated from active parts with higher voltage. Exposed conductive parts must not be connected intentionally. Cables are to be installed separately from the cables of other power circuits, or special isolation steps must be taken. See IEC 61918 [9b] and IEC 61784-5-3 [9a] for further hints. Special plugs, socket outlets and couplers that do not fit the plugs, socket outlets and couplers of higher voltages are to be used for safety extra-low voltage. They must not have a ground contact.

4.2 Device Model including Power Supplies

Figure 4-1 and Figure 4-2 below show the typical structure of PROFIsafe devices. In Figure 4-1 the data lines are connected via a "Line Driver" to an optocoupler or a transformer and are therefore galvanically separated from the remaining device electronics. The "Line Driver's" power supply is also decoupled.

Copyright PNO 2007 All Rights Reserved

Page 24 of 43

If another station should apply a SELV or PELV voltage to the data line, the PROFIsafe station can perform its safety response unharmed.
[Figure 4-1 shows a standard or F-Slave connected to PROFIBUS: RS485 line driver; galvanic insulation (e.g. opto coupler) towards the PROFIBUS ASIC and the F-Slave electronics (e.g. DC 5 V), test voltage DC 500 V (1 min); power supply DC 24 V, e.g. 40 A, fed from high voltage (e.g. AC 230 V) via e.g. a transformer; SELV/PELV (SIL2+3) on the data line, SELV/PELV (shock protection) at the DC 24 V supply; housing.]

Figure 4-1 Typical structure of a PROFIsafe/PROFIBUS DP device


Every PROFIBUS and PROFIsafe device must be designed and built in a way that despite all possible internal voltages (including high voltages) in the worst case only SELV/PELV voltages reach the data lines and the outside. In Figure 4-2 the PROFINET IO data lines are isolated from the transceiver via transformers.
[Figure 4-2 shows a standard or F-Device connected to PROFINET IO: RJ45 port with test voltage AC 1.5 kV 50/60 Hz (1 min) 1); galvanic insulation between transceiver/switch and the F-Slave electronics (e.g. DC 5 V); power supply DC 24 V, e.g. 40 A, fed from high voltage (e.g. AC 230 V); SELV/PELV (SIL2+3) on the data line, SELV/PELV (shock protection) at the DC 24 V supply; housing.]

1) For other possibilities see IEEE 802.3 (ISO/IEC 8802.3)

Figure 4-2 Typical structure of a PROFIsafe/PROFINET IO device


As a rule, the safety systems are set up with a 24 VDC power supply (load power supply unit, batteries, etc.) providing SELV/PELV.

4.3 Specifications for Standard-PROFIBUS Devices

Before a standard PROFIBUS/PROFINET IO or PROFIsafe device is accepted for certification in a PI test laboratory, it must prove its general capability by a manufacturer declaration of conformity to the appropriate EMC standards. In Europe it shall be signed with a CE mark. PROFIBUS certification is then performed based on the international standards IEC 61158 and IEC 61784-1/-2 (Communication Profiles). The latter specifies the following: "PROFIBUS-DP (PROFIBUS-PA) devices shall comply with the legal requirements of that country where they are deployed (e.g., within Europe, indicated by the CE mark). The measures for protection against electrical shocks (i.e., electrical safety) within industrial applications shall be based on IEC 61010 or IEC 61131-2 depending on a device type specified therein."

4.4 SIL3 Considerations

Regarding the safety functions according to SIL3, the behavior of the devices must be considered if two errors occur that are weighted with respect to time. This is necessary if the errors are undetected. In this chapter, the influences of power supplies are discussed as well as the influences of data transfer lines.

Power Supplies with Double Fault Safety

Since we are aiming for the use of one and the same 24 V power supply for all devices, the request for double fault safety would be a problem since there are no power supplies with this corresponding qualification. From the PROFIsafe perspective, the requirement does not present itself due to the following:

1. The quality and the prevalence of industrial power supplies according to IEC 61010/61131-2 with SELV/PELV is so high that such error cases are not known. The fact that such an error would jeopardize a high investment volume in a standard plant should be sufficient motivation for such high quality.
2. The failure of such a power supply beyond SELV/PELV would already jeopardize human life because when working with power supply cables, the cable ends are not contact-protected.
3. Only PROFIsafe devices with output functions would be affected. They must be able to handle their safety functions autonomously in any case, even if impermissibly high voltages occur. Here, it may be useful to increase the test voltage in Chapter 4.2 to 1500 VDC for final elements such as drives or devices with power supplies exceeding 60 V unless proven otherwise.
4. F-PLC and PROFIsafe input/output devices must be toughened up against overvoltages according to IEC 61508-2, table A9, i.e. they must detect all errors caused by overvoltage and respond in a safe manner. Conformance to the safety regulations can be shown through type testing.

Voltages above SELV/PELV on Data Lines

Here, it is a question of whether PROFIsafe devices must be tested for voltages above SELV/PELV levels. From the PROFIsafe viewpoint, this requirement does not present itself due to the following:

1. If the installation guidelines are adhered to (cable types and cable installation, see footnote 6) and certified devices are used, the occurrence of voltages higher than SELV/PELV on data lines because of second errors can be estimated as extremely unlikely (probability of a cable error multiplied with the probability of a SELV/PELV error).
2. In this case again, humans would be in danger, because when working with data cables, the cable ends are not contact protected.
3. Only PROFIsafe devices with output functions would be affected. They must be able to handle their safety functions autonomously in any case, even if impermissibly high voltages occur. Here, it may be useful to increase the test voltage in Chapter 4.2 to 1500 VDC for final elements such as drives or devices with power supplies exceeding 60 V unless proven otherwise.
4. F-PLC and PROFIsafe input devices must detect all errors caused by overvoltage and respond in a safe manner. Conformance to the safety regulations can be shown through type testing.

6 The PROFIBUS installation guide requires data lines to be kept separate from power lines. In case of crossings they shall be protected from each other by distance or a separator.

[Figure 4-3 compares a standard PROFIBUS DP slave (RS485 line driver, e.g. opto coupler, PROFIBUS ASIC, slave electronics at e.g. DC 5 V; power supply e.g. according to IEC 61010 / IEC 61131-2, DC 24 V, e.g. 40 A, fed from e.g. AC 230 V via e.g. a transformer; test voltage DC 500 V (1 min); IEC 61784 SELV/PELV; single fault proof) with an F-Slave / F-Host (SIL3) of the same structure, whose safety electronics are in addition single fault proof at the power supply port P*).]

*) Input protection for SIL3

Figure 4-3 SIL3 Considerations on Overvoltages


The following conclusions regarding hazards from overvoltages for a PROFIsafe device ("safety electronic") can be drawn from Figure 4-3:

1. If the main power supply fails above SELV/PELV, the PROFIsafe slave in case of SIL3 must be able to protect the "slave electronic" by special precautions (not within the scope of the PROFIsafe profile and guidelines). Thus this power supply port is proof against two errors.
2. If the main power supply fails above SELV/PELV (two errors), the galvanic isolation (opto coupler, transformer) of a standard PROFIBUS slave (one error) and the galvanic isolation of the PROFIsafe slave (one error) must fail before the "slave electronic" will be damaged. Thus the communication port of a PROFIsafe slave is proof against more than two errors.

5 Installation constraints

5.1 Overview on PROFIBUS/PROFINET and international installation guidelines

Figure 5-1 presents an overview on various PROFIBUS / PROFINET and international guidelines that are going to be integrated in the IEC standards. These "PROFIsafe Environmental Requirements" are intended to be integrated in IEC 61784-5-3. The most important and very helpful document for the user of PROFIsafe equipment is the "Guideline Assembly", order no. 8.022.

[Figure 5-1 groups the following documents. PROFIBUS/PROFINET guidelines: "Guideline Planning" *) (Order No. 8.012); "Guideline Assembly" (V1.06, Order No. 8.022, May 2006); "Guideline Commissioning" (V1.01, Order No. 8.032, February 2006); "Installation Guideline for PROFIBUS DP/FMS" (V1.0, Order No. 2.112, September 1998); "PROFIBUS Interconnection Technology" (dV1.21, Order No. 2.112, September 2005); "Installation Guideline PROFINET" (V1.8, Order No. 2.252, November 2002); "Installation Guideline PROFINET Part 2: Network Components" (V1.01, Order No. 2.252p2, February 2004); "PROFIBUS PA User and Installation Guideline" (V2.2, Order No. 2.092, February 2003); "Profibus RS 485-IS User and Installation Guideline" (dV2.0, Order No. 2.021, July 1999); "Fibre optical data transfer for PROFIBUS" (dV2.0, Order No. 2.021, July 1999); "PROFIsafe Environmental Requirements for PROFIBUS DP and PROFINET IO" (dV2.0, Order No. 2.232, June 2006). International standards: ISO/IEC 24702 "Information technology - Generic cabling - Industrial premises" (FDIS, 2006); ISO/IEC 11801 "Information technology - Generic cabling for customer premises" (Edition 2, 2002); IEC 61918; IEC 61784-5-3.]

Figure 5-1 Overview on PROFIBUS and international installation guidelines


5.2 Topology

PROFIsafe communication shall not be operated on PROFIBUS DP networks based on RS485 transmission technology with spurs or branch lines.

5.3 Planning of cabling and wiring

For the planning of projects, the different cable types (power, signal, communication, etc.) to be considered should be classified and the appropriate specifications and rules should be assigned (bending radius, shield type, field of application, minimum distances to other categories, etc.).

5.3.1 NFPA 79 (2006)

In its clause 13.2.6 (shielded conductors), NFPA 79 [6] requests:

"Where shielding is used around conductors in single or multiconductor cables, a foil shield shall be permitted for nonflexing applications. A continuous drain wire shall be provided for foil shield types. A braided shield shall be used where subject to longitudinal flexing. Torsional flexing applications (e.g. robot arm) shall require shields designed specifically for their use. The shields and drain wire shall be covered with an outer jacket that is suitable for the environment. In all cases the shield shall provide a continuous conduction surface in the presence of bending and flexing."

There are PROFIBUS DP and PROFINET IO cable types with foil shields. However, they provide an additional braided shield that allows omitting the drain wire. In case of doubt, a more flexible and robust cable type should be used.

5.3.2 Hybrid cables

According to IEC 61508-2, tables A.13 and A.17 and the appropriate explanation in 61508-7 A.11.1 it is highly recommended or mandatory respectively to use separate cables for information lines and electrical energy lines (Figure 5-2, Figure 5-3, and Figure 5-4).

Figure 5-2 IEC 61508-2, excerpt of table A.13

Figure 5-3 IEC 61508-2, excerpt of table A.17

Figure 5-4 IEC 61508-7, Explanation A.11.1


However, NOTE 4 in Figure 5-3 states that this separation is not "necessary for low power energy lines, which are designed for energising components of the E/E/PES and carrying information from or to these components". For PROFIsafe systems the following applies:
- PROFIsafe communication is permitted on PROFIBUS PA transmission systems (MBP-IS = Manchester Bus Powered Intrinsically Safe).
- PROFIsafe communication is permitted on PROFINET IO transmission systems using hybrid connectors and copper cables: a four-wire shielded information line part and a separate four-wire 24 VDC energy line part as specified in [22]. A device manufacturer shall ensure that no electromagnetic disturbances will be injected in these energy lines, e.g. through switching relays in output modules. Devices currently in the field with hybrid technology comprise e.g. wireless access points.
- PROFIsafe communication on PROFINET IO transmission systems using PoE (Power-over-Ethernet according to IEEE 802.3af) based on modulation shall not be used for F-Devices (Figure 5-5). A PROFINET IO network with safety functions may comprise PoE for active network components such as wireless access points, switches, etc.

[Figure 5-5 shows Power-over-Ethernet with modulation: the PSE (Power Sourcing Equipment) feeds DC 48 V through its PHY onto the data pairs, and the PD (Powered Device) recovers the application DC behind its PHY; the numbered positions 1 to 3 mark the stages of the path.]

Figure 5-5 Power-over-Ethernet (modulation)


5.3.3 Wiring

In addition to the guidelines in [9] the following rules apply:
- It is highly recommended for power supply cables to provide both the supply and return conductor as a twisted pair to avoid uncertain current flow and interferences. Power rails are not compensating in the same manner and thus should be used very carefully.
- All safety projects shall provide wiring schematics with cable types, cable categories, type of cable twist, type of cable shielding, and the locations of cable shield groundings.

5.4 EMC aspects of power supply networks (TN-C, TN-S)

A major source of electromagnetic interference is the wiring of power lines between decentralized automation systems communicating via fieldbus. So far it was common practice and permitted by standards to use a combined PE (protective earth) and N (neutral lead) conductor between main racks and sub racks. This kind of grounding is also called a TN-C power network. This method is acceptable if no extended fieldbus networks are involved and the currents within the power lines L1, L2, L3 are balanced out (Figure 5-6). Modern drive electronics and power supplies use high frequency switching technology, which causes unbalanced (injected high frequency) currents flowing through the combined PEN conductor of the system (I1). The low impedance shielding of a fieldbus cable in parallel to the PEN conductor (I2) will take over these high frequency currents and thus perturb the transmission of messages.

[Figure 5-6 shows a main rack feeding a subrack via L1, L2, L3 and a combined PEN conductor; the power supply (+24 V, -) and the remote IO; a clip-on ammeter measuring the current I1 in the PEN conductor, I2 in the fieldbus cable shield running in parallel and I3 in the equipotential bonding. Legend: Protective Earth (PE) terminal, provided for connection of the protective earth (green or green/yellow) supply system conductor; Functional Earth terminal, used for non-safety purposes such as noise immunity improvement (Note: this connection shall be bonded to protective earth at the source of supply in accordance with national local electrical code requirements); Earth Ground, functional earth connection (Note: this connection shall be bonded to protective earth at the source of supply in accordance with national local electrical code requirements). Permitted acc. IEC 60364.]

Figure 5-6 Four conductor power network (TN-C)

It is highly recommended to use separate PE and N conductors ("5 conductors") in order to avoid fieldbus communication errors and possible retries, which will affect the efficiency and probably the availability of the whole system as shown in Figure 5-7. The corresponding types of power networks are called TN-S. More complete information about the design of power networks in respect to electromagnetic interference can be retrieved from [17] and [21].

[Figure 5-7 shows the same arrangement with separate N and PE conductors (L1, L2, L3, N, PE) from the main rack to the subrack; power supply (+24 V, -), clip-on ammeter measuring the current I, remote IO, equipotential bonding to the central earth ground and a motor M.]

Figure 5-7 Five conductor power network (TN-S)

5.5 Shielding and grounding (earthing)

Two basic methods exist to protect data transmission wires. One is shielding, which keeps electromagnetic fields away from the sensitive high speed transmission signals. The other is twisting of the symmetrical signal wires, thus compensating the positive and negative induced voltages. Figure 5-8 demonstrates the effects of twisting and shielding of cables.
[Figure 5-8 shows a bus cable (20 twists/m) exposed to the magnetic field of a noise current I and the resulting attenuation: 0 dB for an untwisted, unshielded cable, 10 dB for twisting, 20 dB for shielding and 30 dB for shielding combined with twisting.]

Figure 5-8 Effect of shielding and twisting of cables


Correct shielding provides an attenuation of the interfering voltage of around 20 dB. Twisted pair wires with 20 twists per m provide an attenuation of around 10 dB. A combination of twisting and correct shielding leads to 30 dB attenuation. These values for shielding attenuation should be considered typical values only.

5.5.1 Single-ended versus double-ended grounding

In Figure 5-8 the power wire that is carrying a noisy current and a corresponding magnetic field is interfering with a shielded communication cable. Grounding the shield on one end only causes the other (open) end to become a sending antenna. There is no doubt for high speed digital transmissions that a low impedance connection between the shield and the equipment chassis "at both ends" is required in order for the shield to be effective, i.e. to compensate the interfering magnetic field [18]. However, this two-ended grounding only achieves its purpose if there is no difference between the potentials on both ends. In order to establish equal potential, it is highly recommended to use sufficient equipotential bonding within the facility (Figure 5-7). If this is not possible, the use of optical fibre transmission is recommended. In case of the transmission of analog signals such as in process industries, a capacitor with sufficiently low impedance within the frequency range of the interference may be used (Figure 5-8). Normally in this case noise loops are the primary source of interference.

5.5.2 IP20

Components with an ingress protection of IP20 usually are located inside an enclosure/rack. Even in case of low shield transfer impedance across a connector housing to the chassis it is recommended to ground the shield at the entrance of the enclosure in order to keep the interior of the enclosure/rack free from noise.

5.5.3 IP67

Components with an ingress protection of IP65 or higher are usually mounted directly on well conducting metal parts of the machine, which provide sufficient grounding. In this case a low shield transfer impedance across the connector housing to the chassis is required (e.g. M12 connector).

5.6 Electrical safety with drives with integrated safety

Drives with integrated safety are able to go into a safe state (SOS = safe operating stop) without separation from power. Figure 5-9 shows an example of such a configuration (see footnote 7).
[Figure 5-9 shows a main rack with three-phase supply L1, L2, L3, N, PE and two power supplies; a subrack with L1, L2, L3, N, PE and +24 V; two remote IO stations with "Emergency Stop" inputs; two frequency converters FC (Safety); equipotential bonding and central earth ground.]

Figure 5-9 Electrical safety with drives with integrated safety


In order to protect personnel from electrical shock, motor protection circuit breakers, main switches, and circuit breakers/fuses that all can be locked shall be used. See IEC 60204-1 for more details.

7 NFPA 79 requires separate de-energizing of the motor in case of failures

5.7 High frequency currents with drives

[Figure 5-10 shows a drive fed from a transformer (central earth ground) via L1, L2, L3, N, PE through an RCD/GFCI *) (DC sensitive, 300 mA), a filter, the DC bridge, the DC link and the inverter to a motor M over a shielded motor cable; equipotential bonding; numbered paths mark the parasitic high frequency currents. *) RCD = residual current detector, GFCI = ground fault circuit interrupter]

Figure 5-10 High frequency currents with drives


More and more industrial automation systems are using variable speed drives. Due to the inverter function and its switching operation, parasitic high frequency currents emerge on the cables to the motor and on the motor housing. According to Kirchhoff's law these currents are looking for the shortest way to close the loop to the source of these currents, the DC link. Figure 5-10 illustrates these effects. Since there is no path to the DC link available in today's drives, the next possibility can be a filter at the entrance of the drive. Without such a filter the parasitic current flows across the equipotential bonding back to the grounded transformer (central earth ground). Normally, ground fault circuit interrupters for the protection of humans (30 mA) cannot be used with drives due to the unbalanced and high frequency current situation. In order to fulfil the requirements of fire protection (300 mA), DC sensitive ground fault circuit interrupters can be used. A connection of the neutral lead (N) with the central point in the filter could improve the situation. It is within the drive manufacturer's responsibility to specify the correct planning and installation of drives with integrated safety.

6 Data security

6.1 Dangerous threats

Plant operators shall always be aware of attacks on communications across networks that are not completely under their control. The Internet or WAN (Wide Area Networks) are examples for networks completely beyond the control of plant operators. Office networks are assumed to be only partly under control of plant operators. All of these networks are called "open networks". In contrast, networks being completely under control of the plant operator are called "closed networks". PROFIsafe does not require any additional measures in respect to data security for distributed safety functions based on "closed networks". The following chapters define the PROFIsafe requirements for distributed safety functions with "open networks" being involved and the necessary features of the PROFINET IO data security concepts.

6.2 PROFIsafe data security requirements

In principle the security requirements for PROFIsafe applications with "open networks" being involved do not differ from those of standard applications. However, the safety considerations according to IEC 61508 require that the user executes an analysis of the potential security threats for the safety functions of the application and establishes appropriate data security where needed. These potential threats in case of PROFIsafe comprise the following operations:
- Parameterization: intentional changes to dangerous parameter values
- Cyclic exchange of safety PDUs: masquerade of a series of PROFIsafe frames, e.g. hampering a motor from being de-energized (simulation)

In order to prevent data packages that have been manipulated within an "open network" from intrusion into the "closed network" any safety related data (parameterization) or communication (cyclic PROFIsafe data exchange) shall be secured in a safe manner. These manipulations can have an impact on the safety of communication and/or the F-Devices within "closed networks".
NOTE Remote write access of Service PCs even when protected via secured communication may cause dangerous situations. It is the task of system and device manufacturers to describe this risk and provide protective HW and/or SW measures or to describe appropriate measures.

Plant operators will not always be able to guarantee the availability of safety related communication across "open networks" as it is not under their control. Attacks on the availability of networks and on the secrecy of data (espionage) are not relevant for safety considerations of PROFIsafe.

6.3 General data security concept of PROFINET IO

The safety concepts of PROFIsafe and the data security concepts of PROFIBUS/PROFINET complement each other [14]. By integrating PROFINET (Ethernet), the protection against unauthorized access to PROFIsafe islands is of special concern. For this purpose, the entire network is structured into subsegments, which provide only a single point of access. This access shall be secured by a Security Gate (PROFINET security device) employing proven security measures for this purpose, at least:
- Virtual Private Network (VPN) tunneling (on the basis of IPSec),
- IP packet filtering (firewall),
- Logging of violations of the firewall rules.

The security gates are discrete network devices separating the "open network" from the "closed network", which is also called a "security zone". The separation inside a security gate is realized via a firewall that only allows network traffic secured by VPN tunneling. Only within the security zone may one or more secured PROFIsafe islands with several F-Devices exist (Figure 6-1). In contrast to discrete devices, corresponding software solutions (Security VPN Client) exist for supervisor devices (configuration, parameterization, and diagnosis tools), e.g., for production PCs or service PCs with similar tasks. This software establishes VPN tunnels to the security gates. It does not comprise a firewall, which shall be installed and activated separately and in addition. This firewall shall support logging of violations of the firewall rules. Access to the establishing of any VPN connection shall be passphrase protected. The security gates use VPN for the data exchange from one security zone to another. Figure 6-1 demonstrates the concepts, which also cover satellite communication.
[Figure 6-1 shows two security zones, each behind a security gate (S) and each containing PROFINET IO and PROFIBUS DP segments with PROFIsafe islands, connected over an Industrial Ethernet backbone and the Internet by VPN tunnels; a service PC and a production PC with Security VPN Client Software reach the zones via VPN through a firewall.]

Figure 6-1 Security concept of PROFIBUS/PROFINET


It is assumed that the devices (including F-Devices) within a closed network (security zone) are trustworthy and do not cause any dangerous threat. The origin of attacks is always assumed to be located in the "open network".

6.4 Security measures

The two main features of data security are authentication and encryption. The subsequent chapters describe the tasks of project and application engineers in order to establish the appropriate level of data security.

6.4.1 Administration of firewalls

The firewalls within the security gates shall be configured such that only network traffic based on VPN tunneling is permitted. The logging of violations of firewall rules shall be possible. This information can be stored on the security device itself or on a separate server ("syslog"). It should be noted that the security VPN client software does not comprise the firewall function. Thus, protection software including a firewall function shall be installed separately and in addition, and activated during commissioning. This protection software establishes another VPN (Figure 6-1, marked in blue colour) to the protected company network, from where controlled access to standard network services is permitted, e.g. e-mail and internet.

6.4.2 Administration of security gates (devices) and VPN clients

The administration of security gates (devices) is performed via an associated configuration tool. The communication channel between both shall be secured using SSL (secure socket layer). The user can only get access to a particular security gate after an authentication via login and password/passphrase (6.4.4.1). The security gate keeps user administration information defining those users with the permission to change the configuration. This configuration project within a particular security gate determines the VPN tunnels to its associated security gates and thus allows network traffic from one "closed network" (security zone) to another across "open networks". The security VPN client (PC) receives its configuration via a configuration file from the configuration tool. The user can only get access to the security VPN client after an authentication via password/passphrase.

6.4.3 Security protocols

There are several possible solutions for realising a "VPN tunnel". PROFINET IO is using the protocol set of IPsec, which is defined by the following suite of IETF standards [24]:
- RFC 2401 Security Architecture for IPsec
- RFC 2403 Use of HMAC-MD5-96 within ESP and AH
- RFC 2404 Use of HMAC-SHA-1-96 within ESP and AH
- RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV (see footnote 8)
- RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
- RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
- RFC 2409 The Internet Key Exchange (IKE) Protocol
- RFC 2412 The OAKLEY Key Determination Protocol
- RFC 1851 The AES-CBC Cipher Algorithm and Its Use with IPsec

VPN needs two phases to be established. In phase 1 the two partner security gates and/or VPN clients exchange keys using the so-called "Main Mode" and the "Quick Mode". The algorithms for encryption thereby are described in 6.4.5 and those for message authentication codes in 6.4.6. For the data exchange over a secured connection in phase 2 only ESP (Encapsulating Security Payload) in "Tunnel Mode" shall be deployed.

6.4.4 Authentication of security gates and VPN clients

Prior to the completion of an exchange of keys in phase 1, the partner security gates and/or VPN clients shall authenticate themselves. Permitted methods for this authentication are "Preshared Keys" or "Certificates".

6.4.4.1 Pass phrases

Length of passwords or passphrases (preferred) shall be >= 20 characters. Characters shall be a mix of alphabetical, numerical, and special signs.
NOTE This requirement should be acceptable since passwords or passphrases are to be entered only once during a commissioning session.

6.4.4.2 Certificates

Certificates according to X.509 can also be used for authentication of the security gates.

6.4.5 Encryption algorithms

Encryption algorithms according to AES with CBC mode shall be used. In order to ensure compatibility with other IPsec implementations Triple DES (3DES) can be used for encryption. Usage of simple DES is not permitted.

8 see 6.4.5

6.4.6 Message authentication codes

The hash algorithm MD5 shall be used for the message authentication code. In order to ensure compatibility with other IPsec implementations SHA-1 can also be used for the message authentication code.

6.4.7 Key change

IPsec defines keys for phase 1 (key agreement). The assignment of the keys for phase 2 (data exchange) is protected by the encryption of a phase 1 connection. Within IPsec both the keys for phase 1 and for phase 2 are changed. However, as the amount of data in phase 1 is much less than in phase 2, and thus the threat is less, the keys for phase 1 need not be changed so often. In IPsec a key change can be triggered via a time limit (in the order of seconds) or via an amount of transferred data limit (in the order of 210 octets). Key exchanges within IPsec consume computational power and should not be executed too often.

6.4.7.1 Key change for phase 1

A key change triggered by the amount of exchanged data does not make sense in phase 1 due to the small amount of data. In the case of PROFIsafe applications a time-triggered key change is used. The time frame for a key change shall be 1209600 s (14 days).

6.4.7.2 Key change for phase 2

In phase 2 the process data are exchanged. PROFIsafe here also requires a time-triggered key change. The time frame for a key change shall be 86400 s (1 day).

6.5 Constraints
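Before the constraints, as an added example that is not part of this guideline or of any PNO software, the following Python check evaluates an IKE/IPsec proposal and its pre-shared passphrase against the requirements of 6.4.3 to 6.4.7 above; the dictionary keys and the sample values are assumptions made for the example.

```python
"""Check an IKE/IPsec proposal against the PROFIsafe security-gate rules of
6.4.3 to 6.4.7 (added example, not PNO code; the dict layout is an assumption)."""
import string

PHASE1_LIFETIME_S = 1209600   # 6.4.7.1: time-triggered key change, 14 days
PHASE2_LIFETIME_S = 86400     # 6.4.7.2: time-triggered key change, 1 day
ALLOWED_CIPHERS = {"aes-cbc", "3des-cbc"}       # 6.4.5: AES-CBC; 3DES for compatibility; never DES
ALLOWED_MACS = {"hmac-md5-96", "hmac-sha1-96"}  # 6.4.6: MD5; SHA-1 for compatibility


def check_passphrase(pw: str) -> list[str]:
    """6.4.4.1: >= 20 characters mixing letters, digits and special characters."""
    problems = []
    if len(pw) < 20:
        problems.append(f"passphrase too short ({len(pw)} < 20)")
    if not any(c.isalpha() for c in pw):
        problems.append("passphrase has no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("passphrase has no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("passphrase has no special characters")
    return problems


def check_ipsec_config(cfg: dict) -> list[str]:
    """Return findings; an empty list means the proposal meets the requirements."""
    problems = []
    if cfg.get("auth") == "psk":                    # 6.4.4: pre-shared key ...
        problems += check_passphrase(cfg.get("psk", ""))
    elif cfg.get("auth") != "x509":                 # ... or X.509 certificate
        problems.append(f"authentication {cfg.get('auth')!r} not permitted")
    if (cfg.get("protocol"), cfg.get("mode")) != ("esp", "tunnel"):
        problems.append("phase 2 shall use ESP in tunnel mode (6.4.3)")
    if cfg.get("cipher") not in ALLOWED_CIPHERS:
        problems.append(f"cipher {cfg.get('cipher')!r} not permitted")
    if cfg.get("mac") not in ALLOWED_MACS:
        problems.append(f"MAC {cfg.get('mac')!r} not permitted")
    if cfg.get("phase1_lifetime_s") != PHASE1_LIFETIME_S:
        problems.append("phase 1 key lifetime shall be 1209600 s")
    if cfg.get("phase1_kbytes") is not None:        # 6.4.7.1: no volume trigger in phase 1
        problems.append("phase 1 rekey shall be time triggered only")
    if cfg.get("phase2_lifetime_s") != PHASE2_LIFETIME_S:
        problems.append("phase 2 key lifetime shall be 86400 s")
    return problems


# Constructed sample proposal (hypothetical values) that satisfies every rule above.
SAMPLE_OK = {"auth": "psk", "psk": "Gate-West-7!paint-Shop-2007", "protocol": "esp",
             "mode": "tunnel", "cipher": "aes-cbc", "mac": "hmac-md5-96",
             "phase1_lifetime_s": 1209600, "phase2_lifetime_s": 86400}
```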

The security gates only permit authorized access to devices within security zones. Thus PC-based systems inside security zones do not necessarily need to run virus scanner software. This is only required for client systems communicating from outside a security zone. The virus scanner software can only be omitted inside a security zone if other threats such as a USB memory stick can be precluded.

6.6 Software update

The security gates and the security VPN client software on a PC shall provide a possibility for software updates and upgrades.

6.7 Robustness

Devices such as security gates shall be suitable for a standard industrial environment as defined e.g. in IEC 61131-2.

6.8 Test and certification of data security components (gates and VPN client software)

PROFIBUS International will not specify any test and certification procedures for data security components. However, it is highly recommended for users of those products to request certificates of competent bodies confirming conformance at least with the PROFIsafe requirements specified herein. Manufacturer declarations are possible.

6.9 Obligations

Whenever an analysis of the safety of automation equipment reveals potential security threats, the user can rely on the PROFIsafe security requirements described herein as the "accepted current state of the art" or "accepted current best practice" providing sufficient data security for normal industrial applications.

7 International specifics

As a rule, the international safety standards are accepted (ratified) globally. However, since safety technology in automation is relevant to work safety and the concomitant insurance risks in a country, recognition of the rules pointed out here is still a sovereign right! The national "Notified Bodies" (similar to BGIA) decide on the recognition of certificates.

7.1 Europe

The previous chapter also applies to the different countries of Europe. However, the national "Notified Bodies" in Europe cooperate closely, e.g.:

BGIA  Berufsgenossenschaftliches Institut für Arbeitsschutz - BGIA (BG-Institute for Occupational Safety and Health) in Germany
HSE   Health & Safety Executive in the UK
INRS  Institut national de Recherche et de Sécurité (National research and safety institute for the prevention of occupational accidents and diseases) in France
SUVA  Schweizerische Unfallversicherungsanstalt (Swiss accident insurance company) in Switzerland

In addition to BGIA, other "Notified Bodies" are approved; for example, TÜV. However, "double acceptance" is not required by law. The recognition of TÜV certificates that are based on the EN standards is customary.

7.2 USA

A facility comparable to TÜV is FM (Factory Mutual). TÜV and FM have agreed on the mutual recognition of certificates. However, this is not sufficient for market acceptance because of the insurance risk. The following are to be noted:

Legal requirements (such as OSHA)
UL requirements
NFPA (for example, NFPA 79)
Labor union requirements
Etc.

7.2.1 UL508/508C

In the US, UL508 is generally applied to PROFIBUS devices (not only to fail-safe devices). In this case, it is a question of the fire hazards that a facility may present. The requirements for a communication interface (communication port) are considered as having been met if the device is listed as "Class 2". For this, the power supplied to the device must be no more than 100VA, or the PROFIsafe device has additional means inside to limit the power. Short circuits are to be limited with a fuse. Further recommendations: the worldwide expectation is that typical computer equipment is touch-safe and that computer data communication circuits are not hazardous. Typical computer equipment provides no safety isolation between the internal logic circuits, data communication circuits and operator accessible parts (keyboard, mouse, touch panel, etc.). Any equipment that interconnects with commercial/consumer IT (Information Technology) equipment should not violate the presumed safety of the IT equipment. As an example, Figure 7-1 shows the communication and power supply port conditions. The communication port shall be rated "Class 2" and the 24V DC power supply shall have a current limitation of 8A.

[Figure 7-1: block diagram of a Standard Slave and an F Slave on the PROFIBUS cable. Each slave consists of e.g. an opto coupler, a PROFIBUS ASIC and the slave electronics (e.g. DC 5V / DC 24V) behind an RS485 line driver; the isolation toward the PROFIBUS cable is marked "Test Voltage: DC 500 V (1 min)", "US: UL508 Test 'Class 2' *)" and "60VAC/75VDC". The power supply (e.g. AC 230V via a transformer housing) is marked "US: isolated; IEC 61010, DC 24V, 8A (max)" and "IEC 61784 SELV / PELV".]

*) Communication Port: Low voltage/low current <100VA, Class 2

Figure 7-1 UL 508 C considerations
7.2.2 Values for SELV/PELV

It is presently being investigated whether the voltage limits mentioned in chapter 4.1 are accepted in the US.

7.3 Asia

In China, PROFIBUS is one of the very few global bus standards that are nationally recognized. PROFIsafe is currently in the process of being standardized in China.

8 Appendix

8.1 Applicable Documents

[1] PROFIBUS Profile: "PROFIsafe Profile for Safety Technology", V1.30, 2004. Order No. 3.092
[2] GS-ET-26: "Grundsatz für die Prüfung und Zertifizierung von Bussystemen für die Übertragung sicherheitsrelevanter Nachrichten", May 2002. HVBG, Gustav-Heinemann-Ufer 130, D-50968 Köln
[3] IEC 61784: 2001, Communication profiles for field bus profile sets for continuous and discrete manufacturing, type 3 (PROFIBUS)
[4] IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
[5] EN 954-1: Safety of Machinery - Safety-related Parts of Control Systems, and ISO 13849-2 (954-2): Validation
[6] NFPA 79: Electrical Standard for Industrial Machinery, Edition 2006
[7] IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Part 4: Definitions and Abbreviations
[8] IEC 61000-1-1: Electromagnetic Compatibility (EMC), Part 1: General, Section 1: Application and interpretation of fundamental definitions and terms
[9] PROFIBUS technical handbook: "Installation Guideline for Cabling and Assembly", V1.0.6, May 2006. Order No. 8.022
[9a] IEC 61784-5-3: Digital data communication for measurement and control: Installation profiles for communication networks in industrial control systems, CPF 3
[9b] IEC 61918: Digital data communications for measurement and control - Profiles covering installation practice for fieldbus communications media within and between the Automation Islands
[10] BGIA: "EMV und Funktionale Sicherheit für Leistungsantriebssysteme mit integrierten Sicherheitsfunktionen (PDS (SR): Power Drive System Safety Related)", 07.2006
[11] PROFIBUS Profile: "PROFIsafe Profile for Safety Technology on PROFIBUS DP and PROFINET IO", V2.4, 2007. Order No. 3.192
[12] PROFIBUS Specification: "PROFIsafe for PA Devices", V1.0, December 2004. Order No. 3.042
[13] PROFIBUS Specification: "PROFIdrive on PROFIsafe, Interface for Functional Safety", V1.0, June 2005. Order No. 3.272
[14] PROFIBUS Guideline: "PROFINET Security Guideline", V1.0, March 2005. Order No. 7.002
[15] IEC 62443: Security for industrial process measurement and control - Network and system security. Work in progress
[16] IEC 61784-4-3: Security for industrial process measurement and control - Communication profile specific requirements for CPF 3. Work in progress
[17] IEC 60364-4-44 (2003): Electrical installations of buildings - Part 4-44: Protection for safety - Protection against voltage disturbances and electromagnetic disturbances
[18] E.g. www.sigcon.com
[19] NAMUR Recommendation NE 21: "Electromagnetic compatibility of industrial process and laboratory control equipment", 2006
[20] NAMUR Recommendation NE 98: "Installation Requirements for achieving EMC in production sites", 2005
[21] Kohling, A. (Hrsg.): "EMV von Gebäuden, Anlagen und Geräten", 1998, VDE-Verlag, ISBN 3-8007-2261-5
[22] PROFINET Guideline: "Installation Guideline PROFInet", V1.8, 2002. Order No. 2.252
[23] http://ec.europa.eu/enterprise/mechan_equipment/machinery/index.htm
[24] RFCs: http://www.rfc-editor.org

8.2 Abbreviations

AC        Alternating current
AES       Advanced Encryption Standard
AH        Authentication Header (IPsec)
AOPD      Active opto-electronic Protection Device
BGIA      BG German Institute for Occupational Safety and Health
DC        Direct Current
DES       Data Encryption Standard
DKE-AK    Working Group of the German Electrotechnical Commission within DIN and VDE
EC        European Community
EMC       Electromagnetic Compatibility
EMI       Electromagnetic Interference
EN, prEN  European Norm, preliminary European Norm
ESD       Electrostatic Discharge
ESP       Encapsulating Security Payload (IPsec)
ESPE      Electro-sensitive Protection Equipment
EUT       Equipment under Test
F         Fail-safe
FM        Factory Mutual (Property Insurance and Risk Management Organization)
FS        Functional Safety
HSE       Health and Safety Executive (United Kingdom)
IEC       International Electrotechnical Commission
IETF      Internet Engineering Task Force
IKE       Internet Key Exchange
I/O       Input / Output
INRS      Institut national de Recherche et de Sécurité
IPsec     Internet Protocol security
ISO       International Standards Organization
MBP-IS    Manchester Bus Powered, Intrinsically Safe
MD5       Message-Digest algorithm 5 (hash algorithm in RFC 1321)
PELV      Protective extra low voltage
PLC       Programmable Logic Controller
PoE       Power over Ethernet
SELV      Safety extra low voltage
SHA-1     Secure Hash Algorithm
SIL       Safety Integrity Level
SRS       Safety requirement specification
SSL       Secure Sockets Layer
SUVA      Schweizerische Unfallversicherungsanstalt
TDES      Triple Data Encryption Standard (also known as "3DES")
TÜV       Technischer Überwachungsverein (Organization for global certification)
UL        Underwriters Laboratories Inc. (Product Safety Testing and Certification Organization)
VPN       Virtual Private Network
WAN       Wide Area Network
X.509     Standard for public key infrastructure: standard formats for public key certificates and a certification path validation algorithm


Copyright by:
PROFIBUS Nutzerorganisation e.V.
Haid-und-Neu-Str. 7
D-76131 Karlsruhe
Phone: +49 (0) 721 / 96 58 590
Fax: +49 (0) 721 / 96 58 589
E-mail: pi@profibus.com
http://www.profibus.com
