PROFIsafe
Safety Technology for PROFIBUS and PROFINET
Open Solutions for the World of Automation

copyright by PNO 04/06 all rights reserved part number PNO-06-052

Safety-oriented automation ... with platform uniformity

Risks of injuring persons, destroying production systems, or harming the environment are present in all industrial processes. For this reason, there is hardly a machine or system on which an Emergency Off (Stop) button does not point to a safety feature. While standard automation technology is oriented towards availability with an acceptable failure probability, safety-oriented automation technology requires safety that is orders of magnitude higher. This also applies to the fieldbus communication involved, which is comparable to registered mail as opposed to regular mail.

[Figure: experience over time for standard automation and safety automation as new technologies are adopted]

Fieldbus and functional safety

Standard automation technology has made tremendous progress in efficiency and flexibility through microcontrollers, software, and fieldbus technology. Until now, safety-oriented automation technology has been severely hampered in the use of such established innovations by its dependence on established standards. In view of the demonstrated increase in reliability of the new technologies, the willingness to consider them in standards is increasing. Nothing therefore stands in the way any longer of using them in safety-relevant applications, and the replacement of fixed wiring and relay circuits for safety functions can now take place. This change is supported by the international basic standard for functional safety, IEC 61508.

This standard describes measures for fault recognition and fault management as well as the steps of a systematic software development. Focusing on safety functions and their failure probability (Safety Integrity Level, SIL) results in a clear procedure, which also meets the requirements for safe communication.

PROFIBUS and PROFINET, standardized in IEC 61158 and IEC 61784, are the first open fieldbuses to integrate standard and safety-oriented automation technology and therefore make a large rationalization potential and countless new functions accessible to the user.


The solution: PROFIsafe

The error-free transfer of data can be impaired by a multitude of causes. PROFIsafe recognizes errors in data transfer by using four proven measures:

Consecutive numbering
Expected update in a specific time period
Unique identification of partners
Separate data security (CRC)

These safety measures are implemented in the devices as an additional security layer (software) above the unmodified communication layers. The PROFIsafe layer transfers the safety-relevant process data in parallel to non-critical values, such as diagnostics data.

[Figure: PROFIsafe layer architecture. In each of the two partners of a 1:1 communication relation, a safety application and a standard application sit above the PROFIsafe layer (V1 mode or V2 mode) and the communication protocol; the protocol and the transmission medium (PROFINET IO, PROFIBUS, backplane buses) form the black channel]


PROFIsafe islands

The communicating stations in safety functions require unique addressing to ensure the authenticity of the messages. A safety control and its associated devices (e.g. drives, light grids, robots) form a PROFIsafe island, which can also extend across PROFINET/PROFIBUS boundaries. Because of the more powerful communication functions of PROFINET (Ethernet), the PROFIsafe measures of numbering and CRC were strengthened for this operating mode (V2 mode). V2 mode is also required for radio transmission links.
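The four measures listed under "The solution: PROFIsafe" and the unique partner addressing of a PROFIsafe island, worked through in an added Python model (example code written for this page, not PNO's or any vendor's implementation). The frame layout, the CRC-32 from zlib, the 1..255 counter wrap and the 100 ms watchdog are assumptions of this model, not PROFIsafe specification values:

```python
"""Model of the four PROFIsafe error-detection measures named on the page.
Frame layout, CRC-32 (zlib), 1..255 counter wrap and the 100 ms watchdog are
ASSUMPTIONS of this example, not the PROFIsafe specification."""
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WATCHDOG_MS = 100  # assumed "expected update" interval for this model


def safety_crc(codename: int, seqno: int, payload: bytes) -> int:
    """Measure 4 (separate CRC) over codename, consecutive number and data.
    Mixing the partner codename into the CRC is how this model realises
    measure 3 (unique identification of partners): a frame built for another
    codename cannot pass the check at this receiver."""
    return zlib.crc32(struct.pack(">IB", codename, seqno) + payload) & 0xFFFFFFFF


def build_frame(codename: int, seqno: int, payload: bytes) -> bytes:
    """Sender side: safety data + consecutive number + CRC (assumed layout)."""
    return payload + struct.pack(">BI", seqno, safety_crc(codename, seqno, payload))


@dataclass
class FReceiver:
    """Receiving end of one 1:1 communication relation (F-host or F-device)."""
    codename: int                     # unique address of the expected partner
    expected_seq: int = 1             # next consecutive number we accept
    last_rx_ms: Optional[int] = None  # time of the last valid frame
    fail_safe: bool = False           # latched: substitute (safe) values in force

    def accept(self, frame: bytes, now_ms: int) -> Tuple[bool, str]:
        if self.fail_safe:
            return False, "fail-safe state latched"
        # Measure 2: expected update within a specific time period
        if self.last_rx_ms is not None and now_ms - self.last_rx_ms > WATCHDOG_MS:
            self.fail_safe = True
            return False, "timeout: %d ms since last valid frame" % (now_ms - self.last_rx_ms)
        if len(frame) < 5:
            self.fail_safe = True
            return False, "frame too short"
        payload, seqno = frame[:-5], frame[-5]
        rx_crc = struct.unpack(">I", frame[-4:])[0]
        # Measures 3 + 4: a wrong partner and corrupted data both fail the CRC
        if rx_crc != safety_crc(self.codename, seqno, payload):
            self.fail_safe = True
            return False, "CRC mismatch: corrupted data or wrong partner"
        # Measure 1: consecutive numbering catches lost, repeated or reordered frames
        if seqno != self.expected_seq:
            self.fail_safe = True
            return False, "sequence error: expected %d, got %d" % (self.expected_seq, seqno)
        self.expected_seq = seqno % 255 + 1  # wrap 1..255 (model assumption)
        self.last_rx_ms = now_ms
        return True, "ok"


def demo() -> Dict[str, object]:
    """One fresh receiver per fault class (fail-safe latches); verdicts collected."""
    code = 0x0BADF00D           # constructed codename of the legitimate partner pair
    data = bytes([0x01, 0x00])  # constructed 2-byte safety process data
    out: Dict[str, object] = {}
    rx = FReceiver(code)        # a) undisturbed cyclic traffic every 50 ms
    out["valid"] = [rx.accept(build_frame(code, n, data), n * 50)[1] for n in (1, 2, 3)]
    rx = FReceiver(code)        # b) the same frame delivered twice (repetition)
    rx.accept(build_frame(code, 1, data), 0)
    out["repeat"] = rx.accept(build_frame(code, 1, data), 50)[1]
    rx = FReceiver(code)        # c) frame from a device with another codename
    out["wrong_partner"] = rx.accept(build_frame(code + 1, 1, data), 0)[1]
    rx = FReceiver(code)        # d) one bit flipped somewhere on the black channel
    bad = bytearray(build_frame(code, 1, data))
    bad[0] ^= 0x80
    out["corrupt"] = rx.accept(bytes(bad), 0)[1]
    rx = FReceiver(code)        # e) update arrives after the watchdog time
    rx.accept(build_frame(code, 1, data), 0)
    out["late"] = rx.accept(build_frame(code, 2, data), WATCHDOG_MS + 1)[1]
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

Every fault class ends in the latched fail-safe state, which is why a real F-device falls back to substitute values and a restart needs an explicit acknowledgement rather than the next good frame.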


[Figure: two PROFIsafe islands, each with its own F-host. Island 1: PROFIsafe on PROFIBUS DP (V1 mode or V2 mode). Island 2: PROFIsafe on PROFINET IO and PROFIBUS DP (V2 mode), with a motor as actuator; external safety technology is coupled to both islands]

From end point to end point

PROFIsafe covers the entire transmission path from the sensor to processing in a safety controller (F-host) and from there to the actuator (F-device). This path can also run along the backplane buses in a remote I/O or in the safety control. Even the change from the PROFINET to the PROFIBUS platform or to a PROFIBUS PA segment is supported. The mechanisms for fault detection operate completely independently of those of the lower-level transmission channel (black channel principle). The additional PROFIsafe safety code is added to the safety-relevant input/output data, and together they form a PROFIsafe frame. The coupling to other safety protocols is carried out via safety-oriented gateways (e.g. AS-i Safety at Work).

[Figure: end-to-end PROFIsafe path. IO controller with PROFIsafe layer; PROFINET IO / PROFIBUS DP (RS 485); remote I/O with F-DI and F-DO modules; gateway to a PROFIBUS PA (MBP-IS) segment with F-devices; gateway with another safety layer and proprietary communication; encoder; communication protocol as black channel; 1:1 communication relation over PROFINET IO, PROFIBUS, backplane buses]

From Emergency Off to Emergency Stop

A key role in the new safety technology is played by drives and motors. After activating an Emergency Off pushbutton or a dead man's button, disconnecting the power supply was previously the only possible action. Because of the undefined motor position, the restart of a system could then turn out to be quite difficult. Today, safety functions integrated in the drive controllers and controllable via the fieldbus allow a significantly more flexible approach using various STOP and monitoring functions. The STOP functions include:

STO: Safe Torque Off (disconnect; category 0)
SS1: Safe Stop 1 (controlled braking ramp, followed by STO; category 1)
SS2: Safe Stop 2 (controlled braking ramp, followed by SOS; category 2)
SOS: Safe Operating Stop (motor is held in the stop position by the drive controller)

Standardization

PROFIsafe is based on the IEC 61508 standard and is itself standardized in IEC 61784-3. Product standards such as IEC 61496 (among others for light grids, laser scanners, etc.) and IEC 61800-5-2 (functional safety in variable-speed drives) incorporate the new PROFIsafe features, as do the EMC requirements for functional safety defined in IEC 61326-3-1/2. The safety life cycle for applications in the production industry, from risk analysis to decommissioning, is described by IEC 62061 and ISO 13849, and in the process industry by IEC 61511 or NAMUR NE 97.

PROFIsafe and data security

These concepts complement each other. With the integration of PROFINET (Ethernet), protection against unauthorized access to PROFIsafe islands is of special concern. For this purpose, the entire network is structured in subsegments (security zones), each of which provides only a single point of access. This access is secured by a security gate (component) which employs proven security measures for this purpose, e.g., virtual private networks, packet filtering, or logging (of access attempts). Corresponding software solutions even exist for portable devices, e.g., a service PC (security client).

[Figure: F-device (drive) with standard application and PROFIsafe layer (V1 mode or V2 mode) driving a motor; availability and safety functions]

[Figure: remote I/O and drives on PROFINET IO: IO device (head station) with PROFIsafe layer and communication protocol; drive controllers with safety application and standard application]

[Figure: security zones: an Industrial Ethernet backbone separated from the Internet by a firewall; each PROFIsafe island (PROFINET IO, PROFIBUS DP) sits in its own security zone behind a security gate; production PC and service PC with security client software]

[Figure: PROFIsafe certification overview: tests for DP-V1, the PROFIsafe layer (on behalf of a testing agency) and the reference host; IEC 61508 conformity, PROFIBUS conformity, noise immunity (EMC) and safety; PI certificate and certificate from the testing agency]
The PROFIsafe policy

This policy is a commitment by the members of PROFIBUS International (PI) to adhere to a constantly high quality and safety standard for PROFIsafe products across their entire development and operating lifetime.

Availability

This is a basic prerequisite for safety. PROFIsafe, as part of the PROFIBUS/PROFINET activities, utilizes proven procedures, such as testing and certification or the installation guideline, and thereby ensures a high degree of availability. Devices that are certified and installed according to the guideline support the user during the safety-related acceptance of his systems. Detailed diagnostics functions support preventive measures for maintaining high availability until the end of the life cycle of the system or machine.


... and with universal application

Production

A second, separate bus is still widely used for safety-relevant applications in production automation. As a contribution to protecting the investment, PROFIsafe also supports this concept, thereby offering a good retrofit solution for replacing relay technology. The advantages of standard and safety technology combined on a single bus cable with PROFIsafe become apparent for remote I/O devices and particularly for drives with integrated safety functions: in addition to the STOP functions mentioned above, this applies to monitoring functions in accordance with IEC 61800-5-2, e.g.:

SLS: Safely-Limited Speed
SLT: Safely-Limited Torque
SLP: Safely-Limited Position
SDI: Safe Direction

Integrating these functions allows improved coordination of standard and safety components and therefore simplified handling; in addition, it allows a very fast emergency-off shutdown in case of a failure of the standard component.

The new types of drives are a perfect fit for intelligent sensors, such as laser scanners, which initiate a slowdown of production when persons approach and issue a warning, but do not switch off until the person enters the protective field. The slower machine masses can then be stopped much faster. Additional rationalization effects result from, e.g., saving hardware end-of-travel switches and from continuous monitoring of the machine's overtravel after a STOP.

[Figure: one field device with two operating modes. F-host with safety program and user program; field device with bus interface and switchable PROFIsafe layer: standard operation (PROFIsafe off) and safety operation (PROFIsafe on)]
Process automation, proven-in-use and conforming to NE 97

Safety-relevant applications demand consideration that goes beyond functional safety: the required high availability of the sensor technology affects the development of devices, and proven-in-use (IEC 61511) is of high significance in this context. User guidelines, such as the NAMUR recommendations NE 79 and NE 97, define corresponding prerequisites for this purpose (www.namur.de). The current connection technologies, such as 4-20 mA, already required the use of proven-in-use field devices for safety applications. To allow this for the more complex fieldbus communication as well, the relevant devices can now be fitted with a bus interface and also provided with a PROFIsafe layer that can be switched on or off. This allows the user to continue working with only one device type for both standard and safety applications.

... with many and diverse benefits for ...

... integrators and end users

Simple and cost-efficient system design with a broad product spectrum from all types of manufacturers
Integrated technology for production and process automation
Training, documentation, and maintenance required for only one bus technology
Programming of standard and safety-oriented applications with only one tool and certified function modules
High flexibility in the replacement of existing relay technology as well as expansion and retrofit of existing installations
Simplified system acceptance due to certified devices
International acceptance through IEC 61508-conforming technology; positive assessments by BGIA and TÜV

... device and system manufacturers

TÜV-certified software allows for easy implementation and cost-efficient reproduction of a PROFIsafe solution
Different architectures of safety-relevant controls can adopt PROFIsafe communication
Trailblazer for new, innovative device functions

... your future investments

PROFIBUS/PROFINET organizations and support centers are present worldwide
Use of all existing and future standards defined by PROFIBUS International, also for safety-relevant applications
Platform-wide safety communication by means of the black channel principle (PROFIBUS DP/PROFINET IO)

PROFIBUS Nutzerorganisation e.V.
PROFIBUS International Support Center
Haid-und-Neu-Straße 7, D-76131 Karlsruhe / Germany
Phone +49 721 96 58 590, Fax +49 721 96 58 589
info@profibus.com, www.profibus.com

copyright by PNO 04/06 all rights reserved 4.142 (5/hbs/06038)
