CiA Draft Standard 304
CANopen
Framework for safety-relevant communication
Version 1.0.1
01 January 2005
© CAN in Automation (CiA) e. V.
DS 304 V1.0.1
CANopen framework for safety-relevant communication
CiA
History
Date        Version  Changes
2001-01-01  1.0      Release as Draft Standard Proposal
2005-01-01  1.0.1    Publication as Draft Standard
                     • Editorial corrections
                     • Harmonization of terminology
                     • Inclusion of errata
General information on licensing and patents
CAN in AUTOMATION (CiA) calls attention to the possibility that some of the elements of this CiA
specification may be subject of patent rights. CiA shall not be responsible for identifying any or all such
patent rights.
Because this specification is licensed free of charge, there is no warranty for this specification,
to the extent permitted by applicable law. Except when otherwise stated in writing the
copyright holder and/or other parties provide this specification “as is” without warranty of any
kind, either expressed or implied, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. The entire risk as to the correctness and
completeness of the specification is with you. Should this specification prove failures, you
assume the cost of all necessary servicing, repair or correction.
© CiA 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or
utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm,
without permission in writing from CiA at the address below.
CAN in Automation e. V.
Kontumazgarten 3
DE - 90429 Nuremberg, Germany
Tel.: +49-911-928819-0
Fax: +49-911-928819-79
Url: www.can-cia.org
Email: headquarters@can-cia.org
2
© CiA 2008 – All rights reserved
Contents
1 Scope ...................................................................................................................................................... 5
2 References ............................................................................................................................................. 6
2.1 Normative references ...................................................................................................................... 6
2.2 Informative references ..................................................................................................................... 6
3 Abbreviations and definitions ............................................................................................................ 7
3.1 Abbreviations.................................................................................................................................... 7
3.2 Definitions ......................................................................................................................................... 7
4 Operating principle............................................................................................................................... 8
4.1 Theory of safe operation.................................................................................................................. 8
4.2 Standard CANopen functions.......................................................................................................... 8
4.3 Safety-relevant communication....................................................................................................... 9
4.3.1 Introduction................................................................................................................................ 9
4.3.2 Timing requirements ................................................................................................................. 9
5 SRDO definition................................................................................................................................... 11
5.1 SRDO services............................................................................................................................... 11
5.1.1 General .................................................................................................................................... 11
5.1.2 Write SRDO............................................................................................................................. 11
5.1.3 Read SRDO............................................................................................................................. 11
5.2 SRDO protocol ............................................................................................................................... 11
5.2.1 Write SRDO protocol .............................................................................................................. 11
6 Global fail-safe command.................................................................................................................. 13
6.1 GFC usage ..................................................................................................................................... 13
6.2 GFC service.................................................................................................................................... 13
6.2.1 Write GFC................................................................................................................................ 13
6.3 GFC protocol .................................................................................................................................. 13
6.3.1 Write GFC................................................................................................................................ 13
7 Network initialisation and system boot-up..................................................................................... 14
7.1 Initialisation procedure for safety networks.................................................................................. 14
7.2 NMT states for safety devices....................................................................................................... 15
7.2.1 General .................................................................................................................................... 15
7.2.2 Pre-operational........................................................................................................................ 15
7.2.3 Operational .............................................................................................................................. 15
7.2.4 Stopped.................................................................................................................................... 15
7.2.5 Relation of NMT states and COBs......................................................................................... 15
8 Pre-defined connection set ............................................................................................................... 16
9 Object dictionary................................................................................................................................. 17
9.1 Complex data type ......................................................................................................................... 17
9.1.1 SRDO communication parameter record .............................................................................. 17
9.2 Object dictionary specifications..................................................................................................... 17
9.2.1 Object 1300h: Global fail-safe command parameter............................................................. 17
9.2.2 Object 1301h to 1340h: SRDO communication parameter................................................... 17
9.2.3 Object 1381h to 13C0h: SRDO mapping parameter ............................................................. 21
9.2.4 Object 13FEh: Configuration valid.......................................................................................... 22
9.2.5 Object 13FFh: Safety configuration checksum...................................................................... 23
10 Annex A (informative) ...................................................................................................................... 25
10.1 Hardware architecture ................................................................................................................. 25
10.2 Configuration mechanism............................................................................................................ 25
10.3 Mathematical analysis of CANopen safety ................................................................................ 26
10.4 Limits and recommendations ...................................................................................................... 26
10.5 Rules of implementation.............................................................................................................. 26
11 Annex B (informative) ...................................................................................................................... 27
11.1 Overview on objects for safety communication ......................................................................... 27
1 Scope
The services and protocols defined in this document are intended to be an add-on to the CANopen
application layer and communication profile.
Safety-relevant communication is an additional property of such devices. The manufacturer and the
system integrator shall take care that the safety requirements are allocated to safe communication
objects, that the hardware and software of the device support the safety function, and that the device is
operated within its safe limits.
This specification describes only the data transport mechanism on a CANopen network that allows
the exchange of safety-relevant data.
For CANopen compatibility, communication is limited to 64 safe communication objects, so up to 64
suppliers of safety-relevant objects can operate in a CANopen network. The number of consumers of
the safety-relevant objects is not defined (at least one receiver is necessary).
2 References
2.1 Normative references
/CiA301/    CiA DS 301, CANopen application layer and communication profile
/EN954-1/   EN 954-1, Safety related parts of control systems - Part 1: General principles of design
/IEC61508/  IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems
/DIN801/    DIN V VDE 0801, Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben
2.2 Informative references
/CHAR/      Charzinski: 1991, Bewertung der Fehlersicherungsverfahren im CAN-Protokoll, Universität Stuttgart
/FAET/      Grundsatz für die Prüfung und Zertifizierung von “Bussystemen für die Übertragung sicherheitsrelevanter Nachrichten”, Fachausschuss Elektrotechnik, Köln, Ausgabe 05.02, GS-ET-26
3 Abbreviations and definitions
3.1 Abbreviations
AK      Anforderungsklassen - requirement classes
BIA     Berufsgenossenschaftliches Institut für Arbeitssicherheit - Institute for occupational safety of accident insurance institutions
CAN     Controller area network
CAN-ID  CAN identifier
COB     Communication object
COB-ID  COB identifier
GFC     Global failsafe command
NMT     Network management
PLC     Programmable logic controller
RTR     Remote transmission request
SCT     Safeguard cycle time
SIL     Safety integrity level
SRDO    Safety-relevant data object
SRVT    Safety-relevant object validation time
TÜV     Technischer Überwachungsverein - German association for technical inspection
3.2 Definitions
The definitions given in /CiA301/ apply for this framework, too.
Safety controller
device that consumes safety-relevant data
4 Operating principle
4.1 Theory of safe operation
It is absolutely essential for a safe system that there is a safe state. As a reaction to an emergency
command, an alarm or an error, the safe state is entered.
It is also important that the functionality of the safeguard measures is regularly checked. A single
defect in a safety-relevant communication shall not override the safety circuitry! If such an error
occurs, it shall be detected within a short period of time in which a second error is unlikely to happen.
All the systems, especially the safety-relevant circuitry, shall have a high reliability in order to extend
the time-span between the safety tests and to minimize the down-time of the whole system (e.g. if one of
the redundant components fails, the system shall be shut off). So the need for safety decreases the
availability of a system.
The idea of safety in CAN communication is not to ensure that there are absolutely no errors and
faults; this would be rather hard to prove anyway. The goal is to detect all possible errors and react
in a predictable (safe) way.
In a safe CAN system there are sources of safe information (e.g. safety switches, light barriers,
emergency stop buttons) and consumers of such information (e.g. a relay, valve or drive controlling a
possibly dangerous movement, or a safety PLC). As the "consumers" control the possibly dangerous
situation, they are responsible for entering the safe state after any safety-relevant interference. They
shall also check the data integrity of the safety-relevant communication.
As the sources (safety inputs) are the origin of safe communication objects (SRDOs), their number is
limited to 64. The number of safety controllers is not limited in theory, as CAN allows many consumers
to listen to the same SRDO(s), i.e. many actuator devices use the same information.
As the safety controllers are responsible for the data integrity and actuality, every safety-relevant
output device shall survey all corresponding sources of safety-relevant data.
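Clause 4.1 places three duties on the consumer side: check the integrity of every safety-relevant object, check its actuality (the source must not fall silent), and enter the safe state after any detected interference, without letting a single defect slip past. The following C example is added here to show that consumer-side supervision; it is not code from CiA DS 304 or from CiA. The structure and function names, the per-source validation window (the page lists SCT and SRVT only as abbreviations and does not define them in this part), the latch-until-reset behaviour and the sample timings are assumptions of this example; the integrity check of an individual object is assumed to be done elsewhere and only its verdict is passed in.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Consumer-side supervision of safety-relevant data sources.
 * Added example, not code from CiA DS 304: names, the per-source
 * validation window and the latch behaviour are assumptions. */

#define MAX_SRDO_SOURCES 64u   /* limit stated in clauses 1 and 4.1 */

typedef struct {
    uint32_t validation_time_ms; /* assumed freshness window for this source */
    uint32_t last_valid_rx_ms;   /* time of the last integrity-checked object */
    bool     seen;               /* at least one valid object received */
} srdo_source_t;

typedef struct {
    srdo_source_t src[MAX_SRDO_SOURCES];
    uint8_t count;
    bool    safe_state;    /* latched: a detected fault stays until reset */
    int     fault_source;  /* index of the source that caused the trip, -1 if none */
} safety_consumer_t;

void consumer_init(safety_consumer_t *c)
{
    c->count = 0;
    c->safe_state = false;
    c->fault_source = -1;
}

/* Register a source; returns its index, or -1 once the 64-object limit is hit. */
int consumer_add_source(safety_consumer_t *c, uint32_t validation_time_ms)
{
    if (c->count >= MAX_SRDO_SOURCES) return -1;
    c->src[c->count].validation_time_ms = validation_time_ms;
    c->src[c->count].last_valid_rx_ms = 0;
    c->src[c->count].seen = false;
    return c->count++;
}

static void trip(safety_consumer_t *c, int idx)
{
    if (!c->safe_state) {          /* remember the first cause only */
        c->safe_state = true;
        c->fault_source = idx;
    }
}

/* Called for every received safety object with the verdict of the
 * integrity check. A failed check trips immediately; a good one
 * refreshes the actuality of that source. */
void consumer_on_srdo(safety_consumer_t *c, uint8_t idx, bool integrity_ok, uint32_t now_ms)
{
    if (idx >= c->count || !integrity_ok) {
        trip(c, (int)idx);
        return;
    }
    c->src[idx].last_valid_rx_ms = now_ms;
    c->src[idx].seen = true;
}

/* Periodic actuality check. A source that has delivered data before and
 * then stays silent beyond its window is a detected fault. The modular
 * subtraction keeps the comparison correct across a 32-bit timer wrap. */
bool consumer_poll(safety_consumer_t *c, uint32_t now_ms)
{
    for (uint8_t i = 0; i < c->count && !c->safe_state; i++) {
        if (c->src[i].seen &&
            (uint32_t)(now_ms - c->src[i].last_valid_rx_ms) > c->src[i].validation_time_ms)
            trip(c, i);
    }
    return c->safe_state;
}

/* Outputs may leave the safe state only when no fault is latched and every
 * source has delivered fresh, valid data; a device without any configured
 * source has nothing to trust and stays safe. */
bool consumer_output_allowed(const safety_consumer_t *c, uint32_t now_ms)
{
    if (c->safe_state) return false;
    for (uint8_t i = 0; i < c->count; i++) {
        if (!c->src[i].seen ||
            (uint32_t)(now_ms - c->src[i].last_valid_rx_ms) > c->src[i].validation_time_ms)
            return false;
    }
    return c->count > 0;
}

/* Explicit reset: clears the latch but forgets all sources, so the outputs
 * stay safe until every source has proven itself again. */
void consumer_reset(safety_consumer_t *c)
{
    c->safe_state = false;
    c->fault_source = -1;
    for (uint8_t i = 0; i < c->count; i++) c->src[i].seen = false;
}

int main(void)
{
    safety_consumer_t c;
    consumer_init(&c);
    int estop = consumer_add_source(&c, 100); /* constructed: emergency stop, 100 ms window */
    int gate  = consumer_add_source(&c, 50);  /* constructed: light barrier, 50 ms window */
    consumer_on_srdo(&c, (uint8_t)estop, true, 10);
    consumer_on_srdo(&c, (uint8_t)gate, true, 10);
    printf("t=40 output allowed: %d\n", consumer_output_allowed(&c, 40));
    consumer_poll(&c, 61);                    /* light barrier silent for 51 ms */
    printf("t=61 safe state: %d (source %d)\n", c.safe_state, c.fault_source);
    return 0;
}
```

Two design points follow directly from the clause: the fault is latched, so a source that merely resumes sending cannot silently lift the safe state (the "single defect shall not override the safety circuitry" requirement), and a source that has never been seen keeps the outputs disabled without being counted as a fault, which separates start-up from a detected communication error.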
4.2 Standard CANopen functions
It is intended that the additional safe communication does not affect the normal operation and
services on a CANopen network. Safe communication is not related to a special class of devices, so no
special device profile is required.
Figure 1: Example of a CANopen network with safety-relevant devices
(Figure 1 legend: Sx Safety node (S3: Safety controller), Nx Normal node, Dx Drive control. Nodes shown on the CAN bus: PLC, S1, S2, S3, N1, N2, N3, D1 and drive M, with an emergency push button and a safety power switch.)