IO-Link Safety System-Extensions 10092 V10 Apr17
IO-Link Safety System-Extensions 10092 V10 Apr17
IO-Link Safety System-Extensions 10092 V10 Apr17
System Extensions
Specification
Version 1.0
April 2017
Any comments, proposals, requests on this document are appreciated through the IO-Link CR
database www.io-link-projects.com. Please provide name and email address.
Login: IOL-Safety10
Password: Report
Important notes:
NOTE 1 The IO-Link Community Rules shall be observed prior to the development and marketing of IO-Link products.
The document can be downloaded from the www.io-link.com portal.
NOTE 2 Any IO-Link device shall provide an associated IODD file. Easy access to the file and potential updates shall
be possible. It is the responsibility of the IO-Link device manufacturer to test the IODD file with the help of the
IODD-Checker tool available per download from www.io-link.com.
NOTE 3 Any IO-Link devices shall provide an associated manufacturer declaration on the conformity of the device with
this specification, its related IODD, and test documents, available per download from www.io-link.com.
Disclaimer:
The attention of adopters is directed to the possibility that compliance with or adoption of IO-Link Community
specifications may require use of an invention covered by patent rights. The IO-Link Community shall not be
responsible for identifying patents for which a license may be required by any IO-Link Community specification, or
for conducting legal inquiries into the legal validity or scope of those patents that are brought to its attention. IO-
Link Community specifications are prospective and advisory only. Prospective users are responsible for protecting
themselves against liability for infringement of patents.
The information contained in this document is subject to change without notice. The material in this document details
an IO-Link Community specification in accordance with the license and notices set forth on this page. This
document does not represent a commitment to implement any portion of this specification in any company's
products.
WHILE THE INFORMATION IN THIS PUBLICATION IS BELIEVED TO BE ACCURATE, THE IO-
LINK COMMUNITY MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS
MATERIAL INCLUDING, BUT NOT LIMITED TO ANY WARRANTY OF TITLE OR OWNERSHIP, IMPLIED
WARRANTY OF MERCHANTABILITY OR WARRANTY OF FITNESS FOR PARTICULAR PURPOSE OR USE.
In no event shall the IO-Link Community be liable for errors contained herein or for indirect, incidental, special,
consequential, reliance or cover damages, including loss of profits, revenue, data or use, incurred by any user
or any third party. Compliance with this specification does not absolve manufacturers of IO-Link equipment,
from the requirements of safety and regulatory agencies (TÜV, BIA, UL, CSA, etc.).
® is registered trade mark. The use is restricted for members of the IO-Link
Community. More detailed terms for the use can be found in the IO-Link Community Rules on
www.io-link.com.
Conventions:
In this specification the following key words (in bold text) will be used:
may: indicates flexibility of choice with no implied preference.
should: indicates flexibility of choice with a strongly preferred implementation.
shall: indicates a mandatory requirement. Designers shall implement such mandatory requirements to ensure
interoperability and to claim conformity with this specification.
Publisher:
IO-Link Community
Haid-und-Neu-Str. 7
76131 Karlsruhe
Germany
Phone: +49 721 / 96 58 590
Fax: +49 721 / 96 58 589
E-mail: [email protected]
Web site: www.io-link.com
© No part of this publication may be reproduced or utilized in any form or by any means, electronic or
mechanical, including photocopying and microfilm, without permission in writing from the publisher.
_________________________________________________________________________________________________________
CONTENTS
0 Introduction ................................................................................................................... 12
0.1 General ................................................................................................................. 12
0.2 Patent declaration ................................................................................................. 13
1 Scope ............................................................................................................................ 14
2 Normative references .................................................................................................... 15
3 Terms, definitions, symbols, abbreviated terms and conventions ................................... 16
3.1 Common terms and definitions .............................................................................. 16
3.2 IO-Link Safety: Additional terms and definitions .................................................... 19
3.3 Symbols and abbreviated terms ............................................................................ 20
3.4 Conventions .......................................................................................................... 21
3.4.1 Behavioral descriptions.................................................................................. 21
3.4.2 Memory and transmission octet order ............................................................ 21
4 Overview of IO-Link Safety ............................................................................................ 22
4.1 Purpose of the technology and feature levels ........................................................ 22
4.1.1 Base IO-Link Safety technology ..................................................................... 22
4.1.2 From "analog" and "switching" to communication ........................................... 23
4.1.3 Minimized paradigm shift from FS-DI to FS-Master ........................................ 24
4.1.4 Following the IO-Link paradigm (SIO vs. OSSDe) .......................................... 24
4.1.5 Port class B (Classic and Combi) ................................................................... 26
4.1.6 "USB-Master" with safety parameterization .................................................... 27
4.1.7 Interoperability matrix of safety devices ......................................................... 27
4.2 Positioning within the automation hierarchy .......................................................... 28
4.3 Wiring, connectors, and power supply ................................................................... 29
4.4 Relationship to IO-Link ......................................................................................... 29
4.5 Communication features and interfaces ................................................................ 29
4.6 Parameterization ................................................................................................... 29
4.7 Role of FS-Master and FS-Gateway ...................................................................... 30
4.8 Mapping to upper level systems ............................................................................ 30
4.9 Structure of the document ..................................................................................... 30
5 Extensions to the Physical Layer (PL)............................................................................ 31
5.1 Overview .............................................................................................................. 31
5.2 Extensions to PL services ..................................................................................... 31
5.2.1 PL_SetMode .................................................................................................. 31
5.2.2 PL_Ready ...................................................................................................... 31
5.3 Transmitter/receiver .............................................................................................. 32
5.3.1 Assumptions for the expansion to OSSDe ...................................................... 32
5.3.2 OSSDe specifics ............................................................................................ 32
5.3.3 Start-up of an FS-Device (Ready pulse) ......................................................... 35
5.3.4 Electric characteristics of a receiver in FS-Device and FS-Master.................. 35
5.4 Electric and dynamic characteristics of an FS-Device ........................................... 36
5.5 Electric and dynamic characteristics of an FS-Master port (OSSDe) ..................... 38
5.6 FS-Master port FS-DI interface ............................................................................. 39
5.7 Wake-up coordination ........................................................................................... 40
5.8 Fast start-up ......................................................................................................... 40
5.9 Power supply ........................................................................................................ 40
IO-Link Safety –4– V1.0
Table 1 – Operational modes of feature level "a" to "c" (port class A).................................... 26
Table 2 – Interoperability matrix of safety devices ................................................................. 27
Table 3 – PL_Ready ............................................................................................................. 31
Table 4 – OSSD states and conditions .................................................................................. 33
Table 5 – Cross connection faults ......................................................................................... 33
Table 6 – Electric characteristics of a receiver ...................................................................... 35
Table 7 – Electric and dynamic characteristics of the FS-Device (OSSDe) ............................ 37
Table 8 – Electric and dynamic characteristics of the Port interface ...................................... 38
Table 9 – Cable characteristics ............................................................................................. 41
Table 10 – State transition tables of the FS-Master DL-mode handler ................................... 42
Table 11 – State transition tables of the FS-Device DL-mode handler ................................... 43
Table 12 – Recommended Data Storage Backup Levels ....................................................... 48
Table 13 – Criteria for backing up parameters ("Backup/Restore") ........................................ 49
Table 14 – Criteria for backing up parameters ("Restore") .................................................... 49
Table 15 – Use case reference table ..................................................................................... 52
Table 16 – Communication errors and safety measures ........................................................ 55
Table 17 – SCL services of FS-Master .................................................................................. 57
Table 18 – SCL services of FS-Device .................................................................................. 58
Table 19 – Protocol phases to consider ................................................................................ 59
Table 20 – Control and counting (Control&MCnt) .................................................................. 61
Table 21 – Status and counting mirror (Status&DCnt) ........................................................... 61
Table 22 – MCount and DCount_i values .............................................................................. 61
Table 23 – FS process I/O data types ................................................................................... 63
Table 24 – Rules for the layout of values and qualifiers ........................................................ 63
IO-Link Safety – 11 – V1.0
1 0 Introduction
2 0.1 General
3 The base technology of IO-Link™ 1 is subject matter of the international standard IEC 61131-9
4 (see [2]). IEC 61131-9 is part of a series of standards on programmable controllers and the
5 associated peripherals and should be read in conjunction with the other parts of the series.
6 It specifies a single-drop digital communication interface technology for small sensors and
7 actuators – named SDCI, which extends the traditional switching input and output interfaces
8 as defined in IEC 61131-2 towards a point-to-point communication link using coded switching.
9 This technology enables the cyclic exchange of digital input and output process data between
10 a Master and its associated Devices (sensors, actuators, I/O terminals, etc.). The Master can
11 be part of a fieldbus communication system or any stand-alone processing unit. The
12 technology enables also the acyclic transfer of parameters to Devices and the propagation of
13 diagnosis information from the Devices to the upper-level automation system (controller, host)
14 via the Master.
15 Physical topology is point-to-point from each Device to the Master using 3 wires over
16 distances up to 20 m. The SDCI physical interface is backward compatible with the usual
17 24 V I/O signalling specified in IEC 61131-2. Transmission rates of 4,8 kbit/s, 38,4 kbit/s and
18 230,4 kbit/s are supported.
Product standards
ISO 12100
ISO 14119 IEC 60947-5-3 IEC 61496 IEC 61131-6 IEC 61800-5-2 General principles for design –
Interlocking Proximity Safety f. e.g. Safety for Safety functions Risk assessment and risk reduction
devices switches light curtains PLC for drives
22 • international standard for dual use of either switching signals (DI/DO) or coded switching
23 communication respectively;
1 IO-Link TM is a trade name of the "IO-Link Community". This information is given for the convenience of users of
this specification and does not constitute an endorsement by the IO-Link Community of the trade name holder or
any of its products. Compliance to this standard does not require use of the registered logos for IO-Link TM . Use
of the registered logos for IO-Link TM requires permission of the "IO-Link Community".
IO-Link Safety – 13 – V1.0
24 • traditional switching sensors and actuators now providing alternatively single drop digital
25 communication within the same Device;
26 • one thin, robust, very flexible cable without shielding for power supply and signalling;
27 • lowest-cost digital communication down to the lowest end sensors and actuators.
28 As a consequence, the market demand for the extension of this technology towards functional
29 safety has been raised.
30 This document provides the necessary extensions to the basic IO-Link interface and system
31 standard for functional safety communication including compatibility to OSSDe based sensors
32 and the necessary configuration management. Figure 1 shows its relationships to internatio-
33 nal fieldbus and safety standards as well as to relevant specifications.
34 This document does not yet provide the necessary specifications for a functional safety
35 interface ("Combi") for actuators based on Port class B and for optional features such as func-
36 tional safety signal processing as required in [11]. This part has been postponed to a later
37 release.
38 The design objective for IO-Link Safety is up to SIL3 according to IEC 61508 and/or up to PLe
39 according to ISO 13849.
40 Parameterization within the domain of safety for machinery requires a "Dedicated Tool" per
41 FS-Device or FS-Device family. The Device Tool Interface (DTI) technology has been chosen
42 for the links between FS-Master Tool, FS-Device, and its "Dedicated Tool" (Device Tool).
44 Conformity with this document cannot be claimed unless the requirements of Annex I are met.
45 Terms of general use are defined in IEC 61131-1 or in the IEC 60050 series. More specific
46 terms are defined in each part.
51 Attention is drawn to the possibility that some of the elements of this document may be the
52 subject of patent rights. The IO-Link Community shall not be held responsible for identifying
53 any or all such patent rights.
54 The IO-Link Community maintains on-line data bases of patents relevant to their standards.
55 Users are encouraged to consult the databases for the most up to date information
56 concerning patents.
IO-Link Safety – 14 – V1.0
57 IO-Link Safety –
58 Functional safety communication and system extensions –
59 based on IEC 61131-9 (SDCI)
60
61 1 Scope
62 For the design of functional safety communication on IO-Link there exist mainly three options:
63 • existing functional safety communication profiles (FSCP) specified within the IEC 61784-3-
64 x series, tunnelling across IO-Link;
65 • a new universal FSCP suitable for all fieldbuses standardized in IEC 61158, also tunnel-
66 ling across IO-Link;
67 • a new lean dedicated functional safety communication interface (IO-Link Safety) solely
68 between Device and Master requiring a safety gateway for the connection to FSCPs.
69 This document specifies only the new lean functional safety communication interface inclu-
70 ding connectivity of OSSDe type safety sensors (FS-Devices).
71 Figure 2 shows four typical fieldbus/FSCP configurations A to D with remote I/Os (RIO) and
72 attached FS-DIs as well as gateways to IO-Link Safety ("IOL-S"). The gateways contain
73 FSCP-specific FS-Masters. FS-Devices with OSSDe can be connected to FS-DIs or FS-
74 Masters. All IO-Link safety sensors (FS-Device) can communicate with any IO-Link Safety
75 Master (FS-Master) using the IO-Link Safety protocol regardless of the upper level FSCP-
76 system. The same is true for IO-Link safety actuators (FS-Devices) such as drives with
77 integrated safety. This means the largest component commonality for sensors and actuators
78 similar to the DI and DO interfaces standardized within IEC 61131-2.
FSCP A FSCP B
Ethernet-based Ethernet-based
"Classic" "Classic"
Ethernet-based "Classic"
Ethernet-based
FSCP C FSCP D
79
81 Safety sensors with OSSDe interfaces – equipped with IO-Link communication – can be
82 parameterized via auxiliary tools such as "USB-Masters", then connected to an FS-DI and
83 operated in OSSDe mode. They also can be operated in OSSDe mode on an FS-Master
84 supporting OSSDe. In case these safety sensors are equipped with IO-Link Safety
85 communication in addition, they can be operated in both modes, either OSSDe or IO-Link
86 Safety. This corresponds to the IO-Link SIO paradigm.
87 The concept of IO-Link Safety allows for local safety signal processing (safety functions) if the
88 FS-Master provides a local safety controller. This document specifies the interfaces if
89 required.
IO-Link Safety – 15 – V1.0
90 The IO-Link specifications [1] and [2] define a Master Port class B with an extra 24 V power
91 supply for actuators using a 5 pin M12 connector. The list of requirements in [11] suggests an
92 extension – called "Combi-Port" –, where the power-down of the extra power supply can be
93 controlled by the FS-Master itself. This document does not yet specify this kind of Master
94 Port class B. It is postponed until a later version.
95 NOTE The illustrations to be valid for all FSCPs.
96 This document does not cover communication interfaces or systems incorporating multi-point
97 or multi-drop linkages, or integration of IO-Link Safety into upper level systems such as
98 fieldbuses.
99 2 Normative references
100 The following documents, in whole or in part, are normatively referenced in this document and
101 are indispensable for its application. For dated references, only the edition cited applies. For
102 undated references, the latest edition of the referenced document (including any
103 amendments) applies.
104 IEC 60947-5-3, Low-voltage switchgear and controlgear – Part 5-3: Control circuit devices
105 and switching elements – Requirements for proximity devices with defined behaviour under
106 fault conditions (PDDB)
107 IEC 61000-1-2, Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the
108 achievement of functional safety of electrical and electronic systems including equipment with
109 regard to electromagnetic phenomena
110 IEC 61000-6-7, Electromagnetic compatibility (EMC) - Part 6-7: Generic standards - Immunity
111 requirements for equipment intended to perform functions in a safety-related system
112 (functional safety) in industrial locations
113 IEC 61131-2, Programmable controllers – Part 2: Equipment requirements and tests
114 IEC 61131-9, Programmable controllers – Part 9: Single-drop digital communication interface
115 for small sensors and actuators (SDCI)
116 IEC 61496-1, Safety of machinery – Electro-sensitive protective equipment – Part 1: General
117 requirements and tests
123 IEC 61784-3:2016, Industrial communication networks - Profiles - Part 3: Functional safety
124 fieldbuses - General rules and profile definitions
125 IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and
126 programmable electronic control systems
127 IEC 62443 all, Security for industrial automation and control systems
129 ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment and
130 risk reduction
131 ISO 13849-1:2015, Safety of machinery – Safety-related parts of control systems – Part 1:
132 General principles for design
133 ISO 14119:2013, Safety of machinery – Interlocking devices associated with guards –
134 Principles for design and selection
IO-Link Safety – 16 – V1.0
139 3.1.1
140 address
141 part of the M-sequence control to reference data within data categories of a communication
142 channel
143 3.1.2
144 application layer
145 AL
146 <SDCI> 2 part of the protocol responsible for the transmission of Process Data objects and
147 On-request Data objects
148 3.1.3
149 block parameter
150 consistent parameter access via multiple Indices or Subindices
151 3.1.4
152 checksum
153 <SDCI> complementary part of the overall data integrity measures in the data link layer in
154 addition to the UART parity bit
155 3.1.5
156 CHKPDU
157 integrity protection data within an ISDU communication channel generated through XOR
158 processing the octets of a request or response
159 3.1.6
160 coded switching
161 SDCI communication, based on the standard binary signal levels of IEC 61131-2
162 3.1.7
163 COM1
164 SDCI communication mode with transmission rate of 4,8 kbit/s
165 3.1.8
166 COM2
167 SDCI communication mode with transmission rate of 38,4 kbit/s
168 3.1.9
169 COM3
170 SDCI communication mode with transmission rate of 230,4 kbit/s
171 3.1.10
172 COMx
173 one out of three possible SDCI communication modes COM1, COM2, or COM3
174 3.1.11
175 communication channel
176 logical connection between Master and Device
177 Note 1 to entry: Four communication channels are defined: process channel, page and ISDU channel (for
178 parameters), and diagnosis channel.
179 3.1.12
180 communication error
181 unexpected disturbance of the SDCI transmission protocol
2 Angle brackets indicate validity of the definition for the SDCI (IO-Link) technology
IO-Link Safety – 17 – V1.0
182 3.1.13
183 cycle time
184 time to transmit an M-sequence between a Master and its Device including the following idle
185 time
186 3.1.14
187 Device
188 single passive peer to a Master such as a sensor or actuator
189 Note 1 to entry: Uppercase "Device" is used for SDCI equipment, while lowercase "device" is used in a generic
190 manner.
191 3.1.15
192 Direct Parameters
193 directly (page) addressed parameters transferred acyclically via the page communication
194 channel without acknowledgement
195 3.1.16
196 dynamic parameter
197 part of a Device's parameter set defined by on-board user interfaces such as teach-in buttons
198 or control panels in addition to the static parameters
199 3.1.17
200 Event
201 instance of a change of conditions in a Device
202 Note 1 to entry: Uppercase "Event" is used for SDCI Events, while lowercase "event" is used in a generic manner.
203 Note 2 to entry: An Event is indicated via the Event flag within the Device's status cyclic information, then acyclic
204 transfer of Event data (typically diagnosis information) is conveyed through the diagnosis communication channel.
205 3.1.18
206 fallback
207 transition of a port from coded switching to switching signal mode
208 3.1.19
209 inspection level
210 degree of verification for the Device identity
211 3.1.20
212 interleave
213 segmented cyclic data exchange for Process Data with more than 2 octets through
214 subsequent cycles
215 3.1.21
216 ISDU
217 indexed service data unit used for acyclic acknowledged transmission of parameters that can
218 be segmented in a number of M-sequences
219 3.1.22
220 legacy (Device or Master)
221 Device or Master designed in accordance with [8]
222 3.1.23
223 M-sequence
224 sequence of two messages comprising a Master message and its subsequent Device
225 message
226 3.1.24
227 M-sequence control
228 first octet in a Master message indicating the read/write operation, the type of the
229 communication channel, and the address, for example offset or flow control
230 3.1.25
231 M-sequence error
232 unexpected or wrong message content, or no response
IO-Link Safety – 18 – V1.0
233 3.1.26
234 M-sequence type
235 one particular M-sequence format out of a set of specified M-sequence formats
236 3.1.27
237 Master
238 active peer connected through ports to one up to n Devices and which provides an interface
239 to the gateway to the upper level communication systems or PLCs
240 Note 1 to entry: Uppercase "Master" is used for SDCI equipment, while lowercase "master" is used in a generic
241 manner.
242 3.1.28
243 message
244 <SDCI> sequence of UART frames transferred either from a Master to its Device or vice versa
245 following the rules of the SDCI protocol
246 3.1.29
247 On-request Data
248 acyclically transmitted data upon request of the Master application consisting of parameters
249 or Event data
250 3.1.30
251 physical layer
252 first layer of the ISO-OSI reference model, which provides the mechanical, electrical,
253 functional and procedural means to activate, maintain, and de-activate physical connections
254 for bit transmission between data-link entities
255 Note 1 to entry: Physical layer also provides means for wake-up and fallback procedures.
256 [SOURCE: ISO/IEC 7498-1, 7.7.2, modified – text extracted from subclause, note added]
257 3.1.31
258 port
259 communication medium interface of the Master to one Device
260 3.1.32
261 port operating mode
262 state of a Master's port that can be either INACTIVE, DO, DI, FIXEDMODE, or SCANMODE
263 3.1.33
264 Process Data
265 input or output values from or to a discrete or continuous automation process cyclically
266 transferred with high priority and in a configured schedule automatically after start-up of a
267 Master
268 3.1.34
269 Process Data cycle
270 complete transfer of all Process Data from or to an individual Device that may comprise
271 several cycles in case of segmentation (interleave)
272 3.1.35
273 single parameter
274 independent parameter access via one single Index or Subindex
275 3.1.36
276 SIO
277 port operation mode in accordance with digital input and output defined in IEC 61131-2 that is
278 established after power-up or fallback or unsuccessful communication attempts
279 3.1.37
280 static parameter
281 part of a Device's parameter set to be saved in a Master for the case of replacement without
282 engineering tools
IO-Link Safety – 19 – V1.0
283 3.1.38
284 switching signal
285 binary signal from or to a Device when in SIO mode (as opposed to the "coded switching"
286 SDCI communication)
287 3.1.39
288 system management
289 SM
290 <SDCI> means to control and coordinate the internal communication layers and the
291 exceptions within the Master and its ports, and within each Device
292 3.1.40
293 UART frame
294 <SDCI> bit sequence starting with a start bit, followed by eight bits carrying a data octet,
295 followed by an even parity bit and ending with one stop bit
296 3.1.41
297 wake-up
298 procedure for causing a Device to change its mode from SIO to SDCI
299 3.1.42
300 wake-up request
301 WURQ
302 physical layer service used by the Master to initiate wake-up of a Device, and put it in a
303 receive ready state
304
307 3.2.1
308 error
309 discrepancy between a computed, observed or measured value or condition and the true,
310 specified or theoretically correct value or condition
311 Note 1 to entry: Errors may be due to design mistakes within hardware/software and/or corrupted information due
312 to electromagnetic interference and/or other effects.
313 Note 2 to entry: Errors do not necessarily result in a failure or a fault.
315 3.2.2
316 failure
317 termination of the ability of a functional unit to perform a required function or operation of a
318 functional unit in any way other than as required
319 Note 1 to entry: The definition in IEC 61508-4 is the same, with additional notes.
320 Note 2 to entry: Failure may be due to an error (for example, problem with hardware/software design or message
321 disruption)
323 3.2.3
324 fault
325 abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit
326 to perform a required function
327 Note 1 to entry: IEV 191-05-01 defines “fault” as a state characterized by the inability to perform a required
328 function, excluding the inability during preventive maintenance or other planned actions, or due
329 to lack of external resources.
331 3.2.4
332 FS-Device
333 single passive peer such as a functional safety sensor or actuator to a Master with functional
334 safety capabilities
335 3.2.5
336 FS-Master
337 active peer with functional safety capabilities connected through ports to one up to n Devices
338 or FS-Devices and which provides an interface to the gateway to the upper level
339 communication systems (NSR or SR) or controllers with functional safety capabilities
340 3.2.6
341 FSP parameter
342 parameter set for the administration and operation of the IO-Link Safety protocol
343 3.2.7
344 FST parameter
345 parameter set for the safety-related technology of an FS-Device, for example light curtain
346 3.2.8
347 Safety Protocol Data Unit
348 SPDU
349 protocol data unit transferred through the safety communication channel
351
358 Events to trigger a transition usually can be a signal, service call, or timeout. Logic conditions
359 (true/false) shall be the result of a [guard]. To alleviate the readability and the maintenance of
360 the state machines, the diagrams do not provide the actions associated with a transition.
361 These actions are listed within a separate state-transition table according to IEC 62390 [8].
362 The state diagrams shown in this document are entirely abstract descriptions. They do not
363 represent a complete specification for implementation.
0 t
Transmission time
370
383 The IO-Link Safety communication layer accommodates the functional safe transmission
384 protocol. This protocol generates a safety PDU consisting of the FS-I/O data, protocol control
385 or status data, and a CRC signature. The safety PDU together with optionally non-safety-
386 related data is transmitted as IO-Link Process Data between an FS-Master and one single FS-
387 Device (point-to-point).
388 IO-Link Safety increases the number of Port modes and thus requires changes to the Physical
389 Layer and System Management.
390 Changes are required for the Master-(Software)-Tool to provide the necessary safety-related
391 configuration and parameterization of the protocol (FSP-Parameter) as well as of the
392 particular FS-Device technology (FST-Parameter).
393 IO-Link Safety comprises not only the digital communication; it also supports OSSDe (class A)
394 in this version, similar to the SIO mode.
396 • wireless connections between FS-Master and FS-Device (see Annex H.2);
397 • cascaded FS-Master/FS-Device systems.
IO-Link Safety – 23 – V1.0
"Single-platform":
1 L+ 24 V IEC 61131-2
IOL-OSSDe
L+ 2 I/Q Not connected, IEC 61131-2
DI / IOL-OSSD2e, or DO
I/Q 3 COMx 4,8 / 38,4 / 230,4 kbit/s C "Coded switching" COM1…3 IEC 61131-9
+ new IOL-Safety profile + "Upgrade"
+ "Profile"
L-
408 Measurement of physical quantities such as temperature, pressure, position, or strain (FS-AI-
409 Modules) has several interface solutions such as 4 to 20 mA, 0 to 10 V, or SSI, but no
410 common signal transmission technology (see Figure 6, left).
411 Actuators such as motors can be de-energized via FS-DO-Modules and connected relays as
412 shown in Figure 6 (left).
Fieldbus
0 0 0 0 0 0
7 7 7 7 7 7
415 Without additional interfaces, it was not possible in all cases to configure or parameterize the
416 safety devices or to receive diagnosis information.
IO-Link Safety – 24 – V1.0
417 IO-Link Safety can now provide a functional safe and reliable solution for process data
418 exchange (signal states and measurement values) via single drop digital communication
419 (SDCI), as well as parameterization and diagnosis (see Figure 6, right).
429 IO-Link Safety uses a watchdog timer for the transmission of safety data in time (Timeliness).
430 The system is able to calculate the required watchdog time automatically due to the point-to-
431 point nature of the transmission.
432 FS-Device replacement without tools can be achieved using the original IO-Link Data Storage
433 mechanism.
FS-DI FS-Master
Redundant
signals (OSSD) IO-Link Safety • No tool @ FS-Device replacement
434
436 The FS-Master supports port selective passivation in case of a port fault and signal granular
437 passivation in case of a channel fault within for example a remote I/O terminal ("Hub")
438 connected to an FS-Master Port.
439 Cables are the same as with IO-Link, i.e. unshielded with a maximum of 20 m. However, due
440 to the higher permitted power supply current of 1000 mA per Port, the overall loop resistance
441 RL eff can only be 1,2 Ohm (see Table 9).
442 NOTE Compliance to AIDA rules requires cable color to be any except yellow. However, the connector color shall
443 be yellow (RAL 1004).
444
Feature levels
Level b:
OSSDe tolerated
(4 pins with 5th pin as hole in M12)
Level a:
Safety communication only
(maximum of 3 pins; open wires) FS-Master types
450
452 The original pin layouts of IO-Link for port class A are shown in Figure 9 together with the
453 extensions for level "a" through "c". Table 1 shows the details of these levels.
FS-Device FS-Master
1 Q/OSSD1/C Q/C/FS-DI1 + 1
OSSD 2 + IOLsafety IOLsafety NC/DI/FS-DI2
2 4 4 5 2
3 3
OSSD 1 OSSD 1
OSSD 2 OSSD 2
Possible operations:
- SIO
- OSSDe
- IO-Link
- IO-Link + IOLsafety
454
456 Level "a" provides communication only (Pin 1, 3, and 4). That means support for sensor-type
457 FS-Devices and actuator-type FS-Devices.
458 Due to the redundant nature of most of the safety device interfaces, IO-Link Safety considers
459 pin 2 for the redundant signal path (e.g. OSSD2e) besides pin 4 for the primary signal path
3
460 (e.g. OSSD1e) . Thus, level "b" allows FS-Devices to provide OSSDe outputs besides the IO-
461 Link Safety communication capability. They can be parameterized with the help of a "USB-
462 Master" and be connected to any FS-DI module in switching mode. When connected to an FS-
463 Master, safety and standard non-safety communication is possible.
464 Level "c" corresponds to the SIO level of standard IO-Link Master. In this case, the FS-Master
465 supports an OSSDe mode besides communication (Pin 1, 3, 4 and 2).
3 FS-Devices are based on electronics and not on relays. Thus, the electronic version OSSDe is considered.
IO-Link Safety – 26 – V1.0
466 Table 1 shows the pin layout and possible operational modes for the feature levels "a" to "c"
467 of the port class A FS-Device and FS-Master.
468 Table 1 – Operational modes of feature level "a" to "c" (port class A)
469
471 • No filter adjustments due to fixed maximum test pulse length of 1 ms according to type C
472 and class 1 in [12], and
473 • No discrepancy time adjustments due to fixed maximum discrepancy.
FS-DI FS-Master
0 0 • No filter adjustments
482 The new strategy suggests incorporating the P24- and N24-safety switches into the FS-
483 Master port and controlling them via signals within the FSCP message or by local safety
484 controls. The required technology corresponds to level "d" in Figure 8.
485 It is intended to specify the additional port electronics and control features in a later version of
486 this document.
487 Figure 11 shows the pin layout, signal, and power supply assignment as well as the internal
488 switches for L+, P24, and N24.
IO-Link Safety – 27 – V1.0
FS-Device FS-Master
L+ (24 V) L+ (24 V)
Power switch control
1 Q/C/FS-DI1 + 1
IOLsafety NC/DI/FS-DI2
2 5 4 4 5 2
P24
3 3
N24
L- (0 V) L- (0 V)
489
Remote IO 7 7 7 7 USB
OSSDe "USB.Master"
Parameter Test
FS-Device FS-Device
496
498 Table 2 shows the device types that can be supported by such a "USB-Master".
Sensor with OSSDe and IOL-S IOL-S IOL-S OSSDe or IO-Link OSSDe
IOL-S
Sensor with IOL-S communication only, IOL-S IOL-S IOL-S IO-Link -
e.g. light curtain
Sensor with OSSDm, e.g. E-Stop - - - - OSSDm
IO-Link Safety – 28 – V1.0
Actuator with IOL-S, e.g. 400 V power IOL-S IOL-S IOL-S IO-Link -
drive, low voltage switch gear
Key IOL-S = IO-Link Safety including non-safety USB = Universal Serial Bus, currently the most common
a Pin layout according to [14]. interface amongst possible others for offsite
parameterization tools due to fast communication
b Pin layout may differ combined with power supply
504
Fieldbus
integration
Switching devices
507
509 Classic safety is relay based and thus seemed to be straightforward, easily manageable, and
510 reliable. However, the same criteria that led to the success of fieldbuses, led to the success of
511 functional safety communication profiles (FSCP) on top of the fieldbuses also: reduced wiring,
512 variable parameterization, detailed diagnosis, and more flexibility. IO-Link is the perfect
513 complement to the fieldbus communication and bridges the gap to the lowest cost sensors
514 and actuators. It not only provides communication, but power supply on the same flexible and
515 unshielded cable. One type of sensor can be used in the traditional switching mode or in the
516 coded switching mode (communication). IO-Link Safety follows exactly this paradigm.
517 It aims for two main application areas. One is building up safety functions across the IO-Link
518 Safety communications and the functional safety communications across fieldbuses. The
519 other builds up safety functions "locally" between a safety controller and safety
520 sensors/actuators using IO-Link Safety communication.
521 IO-Link Safety allows for building up power saving FS-Devices ("green-line"), for self-testing
522 safety sensors in order to avoid yearly testing, for the reduction of interface types (e.g. 0 to
523 10 V, 4 to 20 mA, etc.), and for robust and reliable transmission of safety information.
524 Last but not least it is a precondition for new automation concepts such as Industry 4.0 or the
525 Internet-of-Things (IoT).
IO-Link Safety – 29 – V1.0
531 Port class B types (5 wires): Cable, wire gauges, shielding, maximum switched currents,
532 interference, signal levels, etc. are not specified within this document.
537 The independent signal inputs of the SIO mode on Pin 2 and Pin 4 are scanned by an FS-
538 Master simultaneously to achieve an OSSDe interface. The result is propagated to the upper
539 level safety system as one safety signal. A new Safety Layer Manager supports this feature.
540 Another new Port configuration mode enables the IO-Link Safety communication. Standard
541 state machines are slightly extended to support
555 Only a subset of the IO-Link data types is permitted: Boolean (packed as record),
556 IntegerT(16), and IntegerT(32).
557 Parameterization within the domain of safety for machinery requires a "Dedicated Tool" per
558 FS-Device or FS-Device family. The Device Tool Interface (DTI) based on proven technology
559 has been chosen for the links between FS-Master Tool, FS-Device, and its "Dedicated Tool".
560 The FS-Master Tool shall provide communication means for a "Dedicated Tool" to allow for
561 the transmission of safety technology parameters (FST parameters) to and from an FS-
562 Device. The "Dedicated Tool" and the FS-Device are both responsible for sufficient means to
563 secure the transmitted data, for example via CRC signature or read-back.
567 The second tier requires an extension of the IODD for the fixed set of protocol parameters
568 (FSP). These parameters are safety-related and secured via CRC signature against
569 unintended changes of the IODD file. The interpreter of the FS-Master Tool provides a safety-
570 related extension for the handling of the FSP parameters. Usually, the FS-Master Tool is able
571 to determine and suggest the FSP parameter assignments (instance values) automatically
572 and thus relieves the user from assigning these values initially. He can check the plausibility
573 of the values and modify them if required.
IO-Link Safety – 30 – V1.0
574 The third tier deals with technology specific safety parameters (FST) of an FS-Device. IO-Link
575 Safety classifies two types of FS-Devices. Type "basic" requires only a few orthogonal FST
576 parameters, whereas type "complex" can have a number of FST parameters requiring
577 business rules and verification or validation wizards. Usually, the latter comes already with
578 existing PC software ("Dedicated Tool") used for several functional safety communication
579 profiles for fieldbuses.
580 The FST parameters for type "basic" are coded as any non-safety parameter within the IODD.
581 They can be modified and downloaded to the FS-Device as usual. However, a diverse second
582 path allows for checking these assignments for correctness. At the end of a parameterization
583 session, the user launches a safety-related "Dedicated Tool" (FS-IOPD) for the calculation of
584 a CRC signature across all FST instance values provided by the FS-Master Tool.
585 For both types of FS-Devices, the "Dedicated Tool" presents a CRC signature, which the user
586 can copy into one of the FSP parameters. Upon reception of the FSP parameters at start-up,
587 the FS-Device calculates a CRC signature across the locally stored instance values and
588 compares it with the received CRC signature.
589 This method is used also for the check after using the IO-Link Data Storage mechanism.
596 An FS-Master can be equipped by a safety controller, for example according to IEC 61131-6,
597 or vice versa, and thus build-up a stand-alone safety system with its own complete safety
598 functions.
599 With the help of an FS-Gateway in conjunction with the FS-Master, safety functions can be
600 build-up across the upper level FSCP system using the safety sensors and actuators
601 connected to the FS-Master.
614 The core part of this document is the safety communication layer (SCL) in clause 11. It
615 comprises the SCL services, protocol, state machines, and management. In addition it deals
616 with integrity measures, with protocol (FSP) and technology (FST) parameters, with the
617 integration of "Dedicated Tools" via Tool Calling Interface technology, with port selective
618 passivation, and with SCL diagnosis. Clause 12 complements the core part by functional
619 safety processing either through mapping to the upper level system or local.
620 Extensions to parameters and commands are specified in Annex A, those to EventCodes in
621 Annex B, and those to data types in Annex C. CRC polynomial issues are presented in
622 Annex D, the IODD aspects in Annex E, the Device Tool Interface technology in Annex F,
623 main scenarios in Annex G, and the system requirements in Annex H. Assessment issues are
624 described in Annex I. Annex J specifies in more detail the "classic" port B and Annex K test
625 issues.
IO-Link Safety – 31 – V1.0
Mode switch
Medium
629
631 Pin 2 and 4 shall be scanned simultaneously to achieve OSSDe functionality. The FS-Master
632 shall scan the C/Q line for the Ready signal of the FS-Device.
633 Figure 15 shows the adapted physical layer of an FS-Device (class A).
Device
Line handler DL-mode handler Message handler
Pin 4 Pin 2
OSSDe OSSDe
Mode switch
Ready/Wake-up Coded switching Switching signal Option
Physical Layer
Medium
634
636 Pin 2 and 4 carry the OSSDe signals. The FS-Device shall set the Ready signal after internal
637 safety testing.
<none>
648
IO-Link Safety – 32 – V1.0
0 0
7 7
Not OSSDe
specified (L ≤ 20 m)
Type C, OSSDe
class 1 (L *) )
(L *) )
655 The following assumptions are the basis for the design of the OSSDe expansion:
656 • The SIO paradigm of IO-Link shall apply for IO-Link Safety in order to allow manufacturers
657 the combined function of OSSDe and IO-Link Safety communication within one FS-Device.
658 • A Port on the FS-Master (with "FS-DI" according to Figure 9) shall have fixed
659 configurations as either IO-Link Safety or OSSDe interface with no or minor adjustments in
660 respect to addressing, watchdog times, discrepancy times, or filter times.
661 • In order to allow OSSD based sensors on the market to be connected to the FS-Master,
662 the FS-DI interface shall support the necessary adjustments for Type "C", class "1"
663 devices according to [12].
664 • The OSSDe interface shall only be designed as input for the FS-Master port (safety
665 sensors, Class A connectors). Most actuators are supplied by three-phase alternating
666 current such as power drives, low voltage switch gears, motor starters, etc.
667 • Actuators such as valves with diversity and relays shall be supported by FS-Master with
668 Ports "level d" (see clause 6).
669 5.3.2 OSSDe specifics
670 5.3.2.1 General
671 Similar to the SIO approach, FS-Master according to level "c" support connectivity to existing
672 functional safety devices with OSSDe. OSSDe in this document is defined as two outputs with
673 signals that are both switching in equivalent manner as opposed to antivalent manner, where
674 one signal is normally off and the other normally on (OSSDm).
675 The FS-Master port is designed to achieve a maximum of possible compatibility to existing
676 OSSD devices using interface type C, class 1 defined in [12].
677 Figure 17 shows a corresponding reference model from [12], adapted to IO-Link Safety. The
678 information-"source" on the left corresponds for example to a sensor device, whereas the
679 information-"sink" on the right side represents an input of the FS-Master Port class A. Power
680 is supplied by the sink.
IO-Link Safety – 33 – V1.0
+
+
OSSD1
TG1
TE1 Ri Ci Li
FS-Device FS-Master
OSSD2
TG2
TE2 Ri Ci Li
GND
Keys
TG Test pulse generation FS-Device = Information source
TE Test pulse evaluation FS-Master = Information sink
681
683 The worst case values for the line resistance and capacitance are defined in Table 9. In case
684 of IO-Link Safety, line inductance is negligible at a length of 20 m. The design of the FS-
685 Master Port shall ensure values for R i , C i , and L i guaranteeing proper signal behavior
686 according to Table 8.
687 Table 4 shows the OSSD states and conditions defined in IEC 61496-1:2012.
689
691 For this interface, the OFF state is defined as the "powerless" state, where voltage and
692 current of at least one OSSDe shall be within (voltage) and below (current) defined limits (see
693 Table 4). If the safety function is demanded, or the source (the device) detects a fault, the
694 OSSDe signals shall go to the OFF state. Antivalent voltage levels, so-called discrepancy, on
695 both OSSDe outputs of the device shall be treated as OFF state. The duration of this state
696 shall be within a specified discrepancy tolerance time. If the tolerance time is exceeded the
697 port is considered to be faulty.
698 ON state:
699 For this interface, the ON state is defined as the "powered" state, where voltage and current
700 on both OSSDe outputs shall be within the voltage range and above defined current limits,
701 when sinked by IEC 61131-2 inputs (see Table 4). Test pulses within specified ranges in
702 voltage levels, durations and intervals are permitted. Antivalent voltage levels, so-called
703 discrepancy, on both OSSDe outputs of the device shall be treated as OFF state.
Fault Diagnostics
Short circuit between OSSD 1 and OSSD 2 Test pulses (runtime diagnosis)
IO-Link Safety – 34 – V1.0
Fault Diagnostics
Short circuit between OSSD 1 or OSSD 2 and V+ Test pulses (runtime diagnosis)
Short circuit between OSSD 1 or OSSD 2 and V- Test pulses (runtime diagnosis)
Open circuit of the power supply return cable (V-) Type test, maximum leakage current
Open circuit of the functional earth (bonding) conductor Type test, no functional earth
Open circuit of the screen of screened cable Not required due to no shielding
Incorrect wiring Discrete wiring only, organizational issue (test
during commissioning)
708 The means for detecting short circuits are test pulses at runtime. The means for testing the
709 behavior in case of open circuits is the type test during the assessment. Figure 18 shows the
710 test pulses approach for the detection of cross connection faults.
Duration
OSSD 1 Period
OSSD 2
Check:
Cross fault
711
714 • Test pulses at each program cycle of the safety device (dependency on configuration)
715 • Test pulses at fixed times
716 • Test pulses after any commutation OFF ON
717
723 The test pulses are created in a periodic manner on both OSSD lines. In order to detect short
724 circuits between the lines or between the lines and power-supply, the test pulses of both lines
725 can be time-shifted to each other (see Figure 19).
OSSD1
ti
ON
OFF
t
TP
OSSD2
Δt c
ON
OFF
t
726
727 Figure 19 – OSSD timings
728 The following parameters specify the characteristics of the test pulses on the OSSD interface:
VID
Self-test (RAM, ROM, etc.): usually 2 to 5 s Test pulse
ON state Demand
743 Figure 21 shows the start-up of an FS-Device with OSSDe capability connected to a classic
744 FS-DI module.
VID
Self-test (RAM, ROM, etc.): usually 2 to 5 s Test pulse
Ready pulse
ON state Demand
t2R tRO
OFF state OFF state
tRP t
745
747 In contrast to a classic sensor, the FS-Device provides only on pin 4 (see Figure 9) a so-
748 called Ready-pulse of a certain length to indicate the FS-Master its readiness after self-
749 testing. After a certain recovery time, the FS-Device switches to ON and starts test pulses like
750 a classic safety sensor.
751 Timings and Wake-up behavior of the FS-Device are specified in 5.7.
757 Figure 22 demonstrates the switching thresholds for the detection of OFF and ON signals.
758 NOTE 'OFF' and 'ON' correspond to 'L' (Low) and 'H' (High) in [1] and [2].
VID,M
V+
Voltage range
'ON'
VTHHMAX
VTHLMAX
Threshold 'ON' VTHHMIN
Threshold 'OFF' VTHLMIN
Voltage range
'OFF'
V0
759
761 The FS-Master ignores pulses below 11 V (max. 15 mA or max. 30 mA) that are shorter than
762 1 ms.
ISD ISM
On/
VRQHD On/
Off IQHD Off
IQPKHD
OVD VRQHM
IQHM
VDQL IQPKHM
H/L C/Q C/Q H/L
VSD VSM
OVD
767 The subsequent illustrations and parameter tables refer to the voltage level definitions in
768 Figure 24.
IO-Link Safety – 37 – V1.0
VRQHD
VSD VSM
VDQL
VID
VIM
VRQLD
771 The electric and dynamic parameters for the OSSDe interface of an FS-Device are specified
772 in Table 7.
774
775 It is the responsibility of the FS-Device designer to select appropriate ASICs according to [1]
776 and/or to provide mitigating circuitry to meet the requirements of IEC 61496-1.
777 The FS-Device shall be able to reach a stable operational state (ready for Wake-up: T RDL )
778 while consuming the maximum charge (see equation (1)).
779
NOTE 1 Currents are compatible with the definition of type 1 digital inputs in IEC 61131-2. However, for the
range 5 V < VI M < 15 V, the minimum current is 5 mA instead of 2 mA in order to achieve short enough slew
rates for pure p-switching Devices.
NOTE 2 Wake-up request current (See 5.3.3.3 in [1] or [2]).
784
785 The Master shall provide a charge of at least 20 mAs within the first 50 ms after power-on
786 without any overload-shutdown (see Figure 25). After 50 ms the current limitations for IS M in
787 Table 8 apply.
ISM
ISIRM min
ISM min
Minimum current the Master shall provide
Device
specific
behavior
50 ms t
788
795 Any state different to both signals "high", except test pulses, shall be interpreted as safe
796 state.
797 NOTE Achievable reaction times: IO-Link non safe: min. 600 μs, PROFINET: 1 ms, non-synchronized system:
798 2 ms
799 The EMC levels shall be taken into account for the layout of an input filter. The
800 communication transmission rate 230 kbit/s conflicts with the input filter. Possible conflict
801 resolution is shown in Figure 26.
IO-Link Safety – 40 – V1.0
Communication
Line with
test pulses
OSSD
802
804 In general, the specified values and ranges of [1] or [2] apply. Basis is interface type 1 of IEC
805 61131-2. Deviating and supplementary electric and dynamic parameters for the FS-DI
806 interfaces are specified in Table 8.
VSD Power-up
18 V min.
Ready for wake-up
t
TRDL = 300 ms max. WURQ:
Ready TREN = 0,5 ms max.
VID
Self-test (RAM, ROM, etc.): pulse
usually 2 to 5 s TDWU = 50 ms max.
Fieldbus + FSCP
0,5 s 1s t
818
820 Current safety devices usually require 2 to 5 seconds for self-testing prior to functional safe
821 operation. The Ready-pulse concept allows for easier achievable realizations of these
822 requirements.
827 The FS-Master port is the only power supply for IO-Link related parts of the FS-Device. Any
828 external power source of the FS-Device shall be totally nonreactive to these parts.
IO-Link Safety – 41 – V1.0
829 FS-Master shall provide all ports with a minimum supply of 200 mA and at least one port with
830 a minimum supply of 1000 mA. The FS-Master shall specify the total maximum current
831 consumption of all its ports and the derating rules.
832 Higher currents can conflict with the power switching components and cause interference with
833 the signal lines. The "ripple" requirement in Table 7 shall be considered. The overall cable
834 loop resistance shall be not more than 1,2 Ω (see Table 8 and Table 9).
NOTE These characteristics can deviate from the original characteristics defined in [1] or [2].
846
859 A new state "WaitOnReadyPulse_10" considers the requirement for the FS-Master to wait on
860 the Ready-pulse of an FS-Device (see 5.7) prior to establish communication via
861 DL_SetMode_STARTUP.
862 The maximum waiting time is t 2R as defined in Table 7. Whenever the time expired, the FS-
863 Master shall run a power-OFF/ON cycle for the connected FS-Device in order to initiate a
864 retry for another Ready-pulse.
865 The criterion to use the extra path is the guard [safety], which is derived from the new port
866 configuration "FS_PortModes" (see 10.2.2).
IO-Link Safety – 42 – V1.0
/Initialization
DL_SetMode_INACTIVE/ DL_SetMode_INACTIVE/
T8 T13
Idle_0
[Safety]/
T20
DL_SetMode_STARTUP WaitOnReadyPulse_10
tm(5000)/
[Non-safety]/
T22
T1
DL_SetMode_STARTUP
[Ready pulse OK]/
T21
EstablishCom_1
[Retry = 3]/
Submachine 1 T5
"WakeUp" enex_4
Startup_2
MHInfo_COMLOST/
T9 DL_SetMode_
STARTUP/
T12
DL_SetMode DL_SetMode_PRE
OPERATE/ DL_SetMode
_STARTUP/
T6 _OPERATE/
T7
T11
PreOperate_3 Operate_4
DL_SetMode_OPERATE/
T10
867
869 Table 10 shows the additional state and transitions as well as internal items considering the
870 Ready-pulse feature.
874
IO-Link Safety – 43 – V1.0
/Initialization
SelfTesting_5
Ready_Pulse[
SelfTesting OK]/
T13
[MCmd_FALLBACK]/ [MCmd_FALLBACK]/
T8 T9
Idle_0
tm(Tdsio)/ PL_WakeUp/
T10 T1
EstablishCom_1
[Successful COMx]/
T2 MHInfo_ILLEGAL_MESSAGETYPE/
T11
Startup_2
MHInfo_ILLEGAL_MESSAGETYPE/ [MCmd_STARTUP]/
T12 T7
[MCmd_OPERATE]/
T5
[MCmd_STARTUP]/
T6 [MCmd_PREOPERATE]/
T3
PreOperate_3 Operate_4
[MCmd_OPERATE]/
T4
878
880 A new state "SelfTesting_5" considers the requirement for the FS-Device to indicate its
881 readiness for a wake-up procedure after its internal safety self-testing via a test pulse in pin 4.
882 Self-testing may actually take more than the maximum permitted start-up time T RDL of a non-
883 safety Device (see 5.7).
Device applications
Technology specific safety application (technology parameter, diagnosis, process data) Safety Layer Manager
Parameter Manager Data Storage Event Dispatcher Process Data Safety Com
OSSDe
(PM) (DS) (ED) Exchange (PDE) Layer (SCL)
AL_NewOutput
AL_GetOutput
AL_PDCycle
AL_SetInput
AL_Control
AL_Event
AL_Read
AL_Abort
AL_Write
DI DI
(OSSDe) (OSSDe)
SM_SetDeviceMode
SM_GetDeviceIdent
AL
SM_GetDeviceCom
SM_SetDeviceCom
DL_PDOutput-
DL_PDInput-
DL_PDCycle
DL_Control
DL_Event-
DL_ISDU-
DL_ISDU-
DL_Read-
DL_Write-
DL_Event
Transport
Transport
Trigger
Update
Param
Param
Abort
DL-B
EventFlag
DL_Read
OD.rsp
OD.ind
PD.rsp
PD.ind
DL-A
DL_Write
Device
System DL_Mode DL-mode MHInfo Message
manage- handler
ment handler
DI DI
PL_SetMode.req PL_Ready.req PL_WakeUp.ind PL_Transfer.ind PL_Transfer.req
Mode switch
Ready/Wake-up Coded switching Switching signals
Physical layer
894
896 An FS-Device comprises first of all the technology specific functional safety application.
897 "Emergency switching off" safety devices for example can be designed such that "classic"
898 OSSDe operation or safety communication can be configured. A Safety Layer Manager is
899 responsible for the handling of a safety bit via the OSSDe building block or a safety PDU
900 using the Safety Communication Layer (see clause 11).
904 That means the FS-Device Index model is split into an NSR and an SR part. Figure 32 shows
905 the areas of concern. The allocation of the SR part ("FSP" parameter) is defined within the
906 IODD of the FS-Device.
IO-Link Safety – 45 – V1.0
907 During commissioning, the assignment of FSP parameter values take place. These instance
908 values are secured by CRC signatures and transferred as a block to the FS-Master and to the
909 FS-Device (see 11.7.5). At each start-up of an FS-Device, the stored FSP block in the FS-
910 Master is transferred again and the FS-Device can check the locally stored instance
911 parameter values for integrity via CRC signatures. This check includes technology specific
912 "FST" parameters, which are not transferred at each start-up. The FS-Device displays its FSP
913 parameters at predefined Indices read-only.
914 Technology specific parameters (FST) could be handled either in an open manner to a certain
915 extend as standard non-safety parameters (see 11.7.8) or in a protected manner in hidden
916 internal memory (see 11.7.9).
Parameter and
commands FST parameters
0...32
octets Via transfer (type "complex")
in 232 0 Index
0xFFFF
Index 0...65535,
232 octets/index
Subindex 1...255
maximum
selective
51 10 5 Event memory
(diagnosis)
FS-IO data
and 0...32
232
Subindex 0
0
0...32
non FS-IO data octets
out
entire record
octets
...
Direct Parameter
0x00 page 1+2
15 0
919 The maximum space for FS-I/O data and non FS-I/O data to share is 32 octets. The space
920 shall be filled with FS-I/O data first followed by the non FS-I/O data. The border is variable.
921 Assuming a maximum safety protocol trailer of 5 octets, the maximum possible space for FS-
922 I/O data is 27 octets.
935 This version of Data Storage requires that Device Access Lock (Index 0x000C) bit "0" and "1"
936 shall always be unlocked (= "0").
IO-Link Safety – 46 – V1.0
948 9.4.3.2 Preconditions for the activation of the Data Storage mechanism
949 The following preconditions shall be observed prior to the usage of Data Storage:
950 (1) Data Storage is only available for Devices and Masters implemented according to [1] or
951 [2] or later releases (> V1.1).
952 (2) The Inspection Level of that Master port the Device is connected to shall be adjusted to
953 "type compatible" (corresponds to "TYPE_COMP" within Table 78 in [1]).
954 (3) The Backup Level of that Master port the Device is connected to shall be either "Back-
955 up/Restore" or "Restore", which corresponds to DS_Enabled in 11.2.2.6 in [1]. See 9.4.5
956 within this document for details on Backup Level.
957 9.4.3.3 Preconditions for the types of Devices to be replaced
958 After activation of a Backup Level (Data Storage mechanism) a "faulty" Device can be re-
959 placed by a type equivalent or compatible other Device. In some exceptional cases, for exam-
960 ple non-calibrated Devices, a user manipulation is required such as teach-in, to guarantee the
961 same functionality and performance.
962 Thus, two types of Devices exist in respect to exchangeability, which shall be described in the
963 user manual of the particular Device:
965 The configured Device supports Data Storage in such a manner that the replacement Device
966 plays the role of its predecessor fully automatically and with the same performance.
968 The configured Device supports Data Storage in such a manner that the replacement Device
969 requires user manipulation such as teach-in prior to operation with the same performance.
974 A replacement of the Device in operation will result in an overwriting of the existing
975 parameters within the newly connected Device by the backup parameters.
976
IO-Link Safety – 47 – V1.0
Parameter
PLC / Host server
(Master backup
parameter)
Master
987 In case of functional safety, commissioning cannot be completed without verification and
988 validation of FSP and FST parameters as well as of entire safety functions according to the
989 relevant safety manuals.
994 The "USB-Master" tool will arm the parameter set after configuration, parameterization, and
995 validation (to become "active") and mark it via a non-volatile flag (see Table 13). After in-
996 stallation in the machine/facility these parameters are uploaded (copied) automatically into
997 the Data Storage within the Master (backup).
"USB Master"
Tool software
IODD
Parameter Test
Device
998
1010 These adjustment possibilities lead for example to drop-down menu entries for "Backup Lev-
1011 el".
Commissioning Master port: Activation state: "DS_Cleared" Any change of active parameters within the
("Disable") Device will not be copied/saved.
Device replacement without automatic/semi-
automatic Data Storage.
Production Master port: Activation state: "DS_Enabled" Changes of active parameters within the
("Backup/Restore") Master port: UploadEnable Device will be copied/saved.
Master port: DownloadEnable Device replacement with automatic/semi-
automatic Data Storage supported.
Production Master port: Activation state: "DS_Enabled" Any change of active parameters within the
("Restore") Master port: UploadDisable Device will not be copied/saved. If the
parameter set is marked to be saved, the
Master port: DownloadEnable "frozen" parameters will be restored by the
Master.
However, Device replacement with auto-
matic/semi-automatic Data Storage of
frozen parameters is supported.
1018 • For Devices according to [1] with preset Inspection Level "NO_CHECK" only the Backup
1019 Level "Commissioning" shall be supported. This should also be the default presetting in
1020 this case.
1021 • For Devices according to [1] with preset Inspection Level "TYPE_COMP", all three Backup
1022 Levels shall be supported. Default presetting in this case should be "Backup/Restore".
1023 • For Devices according to [1] with preset Inspection Level "IDENTICAL", only the Backup
1024 Level "Commissioning" shall be supported.
1025 The following clauses describe the phases in detail.
1037 Criteria for the particular copy activities are listed in Table 13. These criteria are the condi-
1038 tions to trigger a copy process of the active parameters to the backup parameters, thus
1039 ensuring the consistency of these two sets.
Commissioning session Parameterization of the Device via Master Master tool sends ParamDownloadStore;
(see 9.4.4.1) tool (on-line). Transfer of active parame- Device sets "DS_Upload" flag and then
ter(s) to the Device will cause backup triggers upload via "DS_UPLOAD_REQ"
activity. Event. "DS_Upload" flag is deleted as
soon as the upload is completed.
Switching from commis- Restart of Port and Device because Port During system startup, the "DS_Upload"
sioning to production configuration has been changed flag triggers upload (copy).
"DS_Upload" flag is deleted as soon as
the upload is completed
Local modifications Changes of the active parameters through Device technology application sets
teach-in or local parameterization at the "DS_Upload" flag and then triggers up-
Device (on-line) load via "DS_UPLOAD_REQ" Event.
"DS_Upload" flag is deleted as soon as
the upload is completed.
Off-site commissioning Phase 1: Device is parameterized off-site Phase 1: "USB-Master" tool sends
(see 9.4.4.2) via "USB-Master" tool (see Figure 34). ParamDownloadStore; Device sets
Phase 2: Connection of that Device to a "DS_Upload" flag (in non-volatile
Master port. memory) and then triggers upload via
"DS_UPLOAD_REQ" Event, which is
ignored by the "USB-Master".
Phase 2: During system start-up, the
"DS_Upload" flag triggers upload (copy).
"DS_Upload" flag is deleted as soon as
the upload is completed.
Changed port configura- Whenever port configuration has been Change of port configuration to different
tion (in case of "Back- changed via Master tool (on-line): e.g. VendorID and/or DeviceID as stored
up/Restore" or "Re- Configured VendorID (CVID), Configured within the Master triggers "DS_Delete"
store") DeviceID (CDID), see 11.2.2 in [1]. followed by an upload (copy) to Data
Storage (see 11.8.2, 11.2.1 and 11.3.3
in [1]).
PLC program demand Parameter change via user program fol- User program sends SystemCommand
lowed by a SystemCommand ParamDownloadStore; Device sets
"DS_Upload" flag and then triggers up-
load via "DS_UPLOAD_REQ" Event.
"DS_Upload" flag is deleted as soon as
the upload is completed.
1041
1046 Criteria for the particular copy activities are listed in Table 14. These criteria are the condi-
1047 tions to trigger a copy process of the active parameters to the backup parameters, thus ensu-
1048 ring the consistency of these two sets.
Change port configura- Change of port configuration via Master Change of port configuration triggers
tion tool (on-line): e.g. Configured VendorID "DS_Delete" followed by an upload
(CVID), Configured DeviceID (CDID); see (copy) to Data Storage; see 11.8.2,
11.2.2.5 in [1]. 11.2.1 and 11.3.3 in [1].
1050
IO-Link Safety – 50 – V1.0
1074 (1) Set port configurations: amongst others the Backup Level to "Backup/Restore" or "Re-
1075 store"
1076 Master "reset to factory settings": clear backup parameters of all ports within the Data Storage
1077 in case it is not a new Master out of the box
1078 Active parameters of all Devices are automatically uploaded (copied) to Data Storage
1079 (backup)
1080 9.4.6.3.3 Fieldbus support (comfort level)
1081 Any kind of fieldbus specific mechanism to back up the Master parameter set including the
1082 Data Storage of all Devices is used. Even though these fieldbus mechanisms are similar to
1083 the IO-Link approach, they are following their certain paradigm which may conflict with the
1084 described paradigm of the IO-Link back up mechanism (see Figure 33).
1088 This top down concept may conflict with the active parameter setting within the Devices.
1094 Following the concept of 9.4.6.3.4, after supply of the Master by the PLC, the Master can
1095 supply the Devices.
IO-Link Safety – 51 – V1.0
Master applications
Gateway application (configuration, parameterization, diagnosis, on-request, and process data) Safety Layer Manager
Configuration Data Storage On-request Data Diagnosis Unit Process Data Safety Com
OSSDe
Manager (CM) (DS) Exchange (ODE) (DU) Exchange (PDE) Layer (SCL)
AL_SetOutput
AL_NewInput
AL_PDCycle
AL_GetInput
AL_Control
AL_Event
DI
AL_Read
AL_Abort
DI
AL_Write
(OSSDe) (OSSDe)
SM_GetPortConfig
SM_SetPortConfig
SM_PortMode
SM_Operate
DL_PDInput-
DL_PDCycle
DL_PDOut-
DL_Control
DL_Event-
putUpdate
DL_ISDU-
DL_ISDU-
DL_Read-
DL_Write-
DL_Event
Transport
Transport
AL_Read
Param
Param
Port x
Abort
Conf
Handler
PD.req
PDTrig
OD.req
PD.cnf
OD.cnf
DL-A
Master
DL_Mode DL-mode MHInfo Message
System
handler handler
management
DI DI
Mode switch
Inactive Ready/Wake-up Coded switching Switching signal
Physical layer (port)
1099
1101 Core part of an FS-Master is the original standard Master except for the Ready-pulse and its
1102 handling (see 5.3.3 and 7.2). The Master applications have been extended by a Safety Layer
1103 Manager dealing with safety communication (see clause 11) and OSSDe.
1109 It holds the FSP parameter block consisting of the authenticity record and the protocol record
1110 (see 11.7.5) as well as the FS I/O structure description (see Table A.1 and E.5.5).
1113 NonSafetyCom
1114 This setting enables pure IO-Link communication with only NSR Process Data of a port.
1115 SafetyCom
1116 This setting enables pure safety communication without NSR Process Data of a port.
IO-Link Safety – 52 – V1.0
1117 MixedSafetyCom
1118 This setting enables safety communication of SR and NSR Process Data of a port.
1119 OSSDe
1120 This setting enables OSSDe operation of a port.
1121 SIO
1122 This setting enables SIO operation of a port.
1126
1128 Table 15 shows a listing of the items in Figure 36 and references to clauses within this
1129 document or to other IO-Link specifications (bibliography).
1131
1138 The authenticity parameter values carry "0" as default within the IODD of an FS-Device. For
1139 details see 10.2.3.3.
1140 The IODD contains the I/O data structure description of the safety Process Data as a record
1141 secured by CRC signature (see A.2.9 and E.5.6).
1142 Most of the protocol parameter values are preset by default values provided by the FS-Device
1143 manufacturer within the IODD, except for the value of FSP_TechParCRC, which has a
1144 particular responsibility. A value of "0" means commissioning/test (see Annex G). The
1145 consequences are
1170 The user is now able to enter and test the technology specific parameters (see illustration in
1171 Figure 56). After verification and validation, the user launches the Dedicated Tool, confirms
1172 the value assignments and transfers the CRC signature to the FSP_TechParCRC field. With a
1173 value of ≠ "0", the system can be armed:
1174 • Data Storage
1175 • Blocking of FSP authenticity parameter acceptance within the FS-Device (comparison
1176 only)
1177 • Validity check of authenticity and technology parameters at start-up
1178
1184 Dedicated Tools can have additional password mechanisms independent from the FS-Master.
1188 For stand-alone FS-Masters the entry of unique and unambiguous values per FS-Master is
1189 required per machine or production center, if there is a possibility to misconnect FS-Device
1190 amongst different FS-Masters. FS-Devices will accept and store FSP authenticity values only
1191 when FSP_TechParCRC = "0".
1196 Manufacturer/vendor shall determine the pre-set value for the watchdog timer considering the
1197 FS-Device response time at the indicated transmission rate. The FS-Master Tool can
1198 calculate and suggest a value based on the performance data of the used FS-Master and on
1199 the pre-set value from the IODD.
1200 The FS-Master Tool calculates the CRC signature across the FSP protocol parameter record.
1204 The FS-Device can check the validity of the safety PDin/PDout structure via the
1205 FSP_IO_StructCRC signature within the FSP parameter record.
1215
IO-Link Safety – 55 – V1.0
1222 Other major requirements are suitability for up to SIL3/PLe safety functions, port specific
1223 passivation, and parameterization using dedicated tools. Safety measures and residual error
1224 rates for authenticity, timeliness, and data integrity of safety messages (safety PDUs) shall be
1225 compliant with IEC 61784-3, Edition 3.
Corruption – – – X
Unintended repetition X X – –
Incorrect sequence X – – –
Loss X X – –
Unacceptable delay – X – –
Insertion X – – –
Masquerade – – – X
Addressing – – X –
Loop-back of messages X – – –
a Similar procedure as with functional safety digital input modules possible due to point-to-point
communication
1235 It is assumed, that there are no storing elements within the IO-Link communication path
1236 between FS-Master and FS-Device. Thus, a two bit counter is sufficient as a safety measure.
1237 A value 0b000 of this counter indicates a start or reset position of this counter. In cyclic mode
1238 it counts up to 0b111 and returns to 0b001.
1239 The message send and receive concept of IO-Link allows for a simple watchdog timer and
1240 message receipt safety measure concept corresponding to the "de-energize to trip" principle.
1241 It is assumed that an FS-Master is the owner of a functional safety connection ID of the upper
1242 level FSCP communication system similar to an FS-DI-Module within a remote I/O. A
1243 customer is required to perform a validation procedure, whenever a change occurred with the
1244 connected safety devices. IO-Link Safety relies on such a concept. Additionally, due to the
1245 standard "data storage" mechanism of IO-Link and the functional safety nature of the FS-
1246 Master, it is possible to provide a more convenient mechanism.
IO-Link Safety – 56 – V1.0
1247 A CRC signature is used for the data integrity check of transmitted safety PDUs. Two options
1248 can be configured. A 16 bit CRC signature for safety I/O data up to 4 octets or a 32 bit CRC
1249 signature for safety IO data up to 26 octets can be chosen.
PLC / Host
FS-PLC / FS-Host
(FS-Master) Tool:
- configuration, PDout + safety code
- parameterization, IO-Link SCL IO-Link SCL
- diagnosis, for FS-Master per Port for FS-Device
- identification &
PDin + safety code
maintenance
1255 For each port with a connected FS-Device an instance of the IO-Link SCL is required. The
1256 SCLs are exchanging safety PDUs consisting of output Process Data (PDout) together with
1257 safety code to the FS-Device and input Process Data (PDin) together with safety code from
1258 the FS-Device. The SCLs are using standard IO-Link communication as a "black channel".
1259 Sufficient availability through for example correct installations, low-noise power supplies, and
1260 low interferences are preconditions for this "black channel" to avoid so-called nuisance trips.
1261 Nuisance trips cause production stops and subsequently may cause management to remove
1262 safety equipment.
1263 This document does not specify implementation related safety measures such as redundant
1264 microcontrollers, RAM testing, etc. It is the responsibility of the manufacturer/vendor to take
1265 appropriate measures against component failures or errors according to IEC 61508.
1270 Figure 38 shows the FS-Master Safety Communication Layer signals (services) depicted by
1271 arrows in the upper part of the figure. For each FSCP to be connected to, a mapping or
1272 emulation of corresponding SCL services is required.
1273 A service name carries either an extension "_C" (Control), if it controls the safety
1274 communication activities or an extension "_S" (Status), if it is reporting on the activities.
1275 Some of the service names correspond to the signal names of the Control Byte or Status Byte
1276 (see lower part of the figure and 11.4.5). That means they are correlated, but there is some
1277 control logic of the SCL in between. This control logic is time discrete and not continuous
1278 even if it is depicted as logic OR ("≥") box. Definitive are the state charts and the state
1279 transition tables of the SCL (see 11.5.2).
IO-Link Safety – 57 – V1.0
PDin_M
ChFAckReq_S
FAULTS_S
ChFAck_C
setSD_C
SDset_S
PDout_M
PDin
ChFAckReq
DCommErr
DCount2_i
DCount1_i
DCount0_i
DTimeout
MCount0
MCount2
MCount1
setSD
SDset
Safety PDout
PDU
CB1 SB3 CB0 CB7 CB6 CB5 SB7 SB6 SB5 SB1 SB0
FS-PD CRC
Control&MCnt / Status&DCnt Byte
1282 The following services in Table 17 shall be available to the FSCP gateway or to a programmer
1283 of an FS-Master system.
Service/signal Definition
PDin_M, PDout_M These services carry the actual Process Data values, both SDin (all bits "0") and SDout
(all bits "0") in case of safe state or the real process values from or to the FS-Device.
SDin, SDout These services carry Process Data values all zero.
setSD_C In case of emergency, safety control programs usually set output Process Data
(PDout_M) for an actuator to "0". However, in some cases, for example burner
ventilators, shut down may not be a safe state. This service, if set to "1", is additional
information allowing an FS-Device to establish a safe state no matter what the values of
Process Data are.
Independent from PDout_M, this service causes the SCL to send SDout values to the
FS-Device and to send SDin to the FSCP gateway (PDin_M) via SDset_S.
SDset_S This service, if set to "1", causes the qualifier handler to set the qualifier bit for the
Process Data of the connected FS-Device (see 11.10.4). In addition, it causes the SCL
to send SDin to the FSCP gateway (PDin_M).
ChFAckReq_S The FS-Master SCL sets this service to "1" in case of FAULTS or FS-Master timeouts. It
shall be propagated via FSCP and indicated to the operator.
ChFAck_C After check-up and/or repair, the operator is requested to acknowledge a
"ChFAckReq_S" service via a "1". This is a precondition for the SCL to resume regular
operation after 3 transmission cycles with SDin and SDout values.
The SCL-internal signal ChFAck_C_e is used for actual evaluation instead of the
ChFAck_C service. It is only set, whenever the ChFAck_C service changed value (edge-
sensitive) to avoid any continuously pressed acknowledgment button.
Fault_S Any communication error (counter mismatch or CRC signature error) and/or timeouts
cause the qualifier handler to set the qualifier bit for the Process Data of the connected
FS-Device (see 11.10.4).
1285
IO-Link Safety – 58 – V1.0
1286 The lower part of the figure shows a combined input and output safety PDU specified in
1287 11.4.3 and 11.4.5.
Diag- PDout_D
Indication of new
ChFAckReq_DC
nosis "Time
DCount value
Tick"
Read FSP-
SCL_Fault
setSD_DC
Parameter
SDset_DS
FSP-
Para- PDin_D
meter
Diagnosis SCL_Fault
Time
FSP SDset_p Base
FSP-Parameter, diagnosis
(SDcycles) CRC
SDin SDout
out
PDout
CRC signature
ChFAckReq
DCommErr
DCount2_i
DCount1_i
DCount0_i
DTimeout
MCount2
MCount1
MCount0
SDset
setSD
SPDU PDin
CB1 SB2 CB0 CB7 CB6 CB5 SB7 SB6 SB5 SB1 SB0
FS Process Data (PD) CRC
Control&MCnt / Status&DCnt Byte
1293 A service name carries either an extension "_DC" (Device Control) if it controls the FS-Device
1294 technology or an extension "_DS" (Device Status) if it is reporting its status.
1295 Some of the service names correspond to the signal names of the Control Byte or Status Byte
1296 (see lower part of the figure and 11.4.5). That means they are correlated, but there is some
1297 control logic of the SCL in between. This control logic is time discrete and not continuous
1298 even if it is depicted as logic OR ("≥") box. Definitive are the state charts and the state
1299 transition tables of the SCL (see 11.5.3).
1300 The following services in Table 18 shall be available to the safety-related part of the FS-
1301 Device technology. Some services are non-safety-related and shall be available to the non-
1302 safety-related part of the FS-Device.
Service/signal Definition
PDin_D, PDout_D These services carry the actual Process Data values. Real process values from the FS-
Device and SDout (all bits "0") in case of safe state or the real process values to the FS-
Device.
SDin, SDout These services carry Process Data values all zero. Signal Use_SD indicates the usage
of Process Data all zero.
setSD_DC In case of emergency, safety control programs usually set output Process Data (PDout)
for an actuator to "0". However, in some cases, for example burner ventilators, shut
down may not be a safe state. This service, if set to "1", is additional information
allowing an FS-Device to establish a safe state no matter what the values of Process
IO-Link Safety – 59 – V1.0
Service/signal Definition
Data are.
Independent from PDout, this service causes the SCL to send SDout values to the FS-
Device.
SDset_DS This service, if set to "1", indicates that the FS-Device either reacts on a setSD_DC =
"1" when the safe state is established or has been forced to establish safe state due to
error or failure and delivers input Process Data values "0" (PDin_D).
ChFAckReq_DC This service, if set to "1", indicates a pending operator acknowledgment. This signal is
not safety-related and can be used to control an indicator, for example LED (light
emitting diode).
Time tick The SCL can be designed totally hardware independent, if a periodic service call
controls a time base inside the SCL.
Indication of new Short demands of FS-Devices may not trip a safety function due to its chain of
DCount value independent communication cycles across the network. Therefore, a demand shall last
for at least two SCL cycles. This service provides the necessary information to
implement the demand extension if required.
SCL_Fault This service provides faults (errors) of the SCL software.
Read_FSP_Parameter This service allows the FS-Device technology for reading the current FSP (protocol)
parameter
Non-safety-related services:
FSP_Parameter The FS-Master transmits the FSP parameter record (block) at each start-up during
PREOPERATE to the FS-Device. These parameters are propagated to the SCL using
this service.
Diagnosis SCL diagnosis information can be propagated to the IO-Link Event system using this
service.
1304
1305 The lower part of Figure 39 shows a combined input and output safety PDU specified in
1306 11.4.3 and 11.4.5.
Start
Initialization Fault
Warm start
Tolerated
Correct IO-Link Safety operation
error (optional)
1311
1313 The principle protocol phases and the corresponding requirements are listed in Table 19.
1314
1316
From FS-Master:
Output PD CRC signature Control&MCnt FS-PDout
Signature across
Including 0 to 4 octets, or
FS-Output data
3 bit counter 0 to 26 octets
and Control & counting
From FS-Device:
FS-PDin Status&DCnt CRC signature Input PD
1329 The timeliness measure is represented by a 3 bit counter within the protocol management
1330 octets (see 11.4.5).
1331 Inclusion of authenticity code in the cyclic checking is not necessary due to the point to point
1332 communication of IO-Link. This check is performed during commissioning and at start-up.
1333 The design follows also the "de-energize to trip principle". In case of a timeout, or a CRC
1334 error, or a counter error, the associated qualifier bit will be set. It will be only released after an
1335 explicit operator acknowledgment on the FS-Master side.
1341 NOTE Currently the safety trailer consists of only 3 or 5 octets and theoretically 28 octets could be available.
1342 However, since not all design verification steps are passed, a reserve of 1 octet is planned.
1346 Table 20 shows the signals to control the protocol layer of an FS-Device and a counter value
1347 for the timeliness check together with a local watchdog timer adjusted through the
1348 "FSP_Watchdog" parameter (see A.2.6).
1350
1351 Table 21 shows the feedback of the protocol layer of an FS-Device and the inverted counter
1352 value for the timeliness check. The counter values are inverted to prevent from loop-back
1353 errors.
1355
1356 Table 22 shows the values of MCount and DCount_i during protocol operation.
1358
1362 • Explicit transmission of safety measures as opposed to implicit transmission. In this case,
1363 formulas are available within IEC 61784-3, Edition 3.
IO-Link Safety – 62 – V1.0
1364 • The sampling rate of safety PDUs is assumed to be a maximum of 1000 sampled safety
1365 PDUs per second.
1366 • The monitoring times for errors in safety PDUs are listed in Table 30. Any detected CRC
1367 error within the safety communication layer shall trip the corresponding safety function
1368 (safe state). During the monitoring time only one nuisance trip is permitted. Maintenance
1369 is required.
1370 • The generator polynomials in use shall be proven to be proper within the SPDU range.
1371 • The seed value to be used for the CRC signature calculation is "1" (see D.3.6).
1372 • In case the result of the CRC signature calculation leads to a "0", a "1" shall be sent and
1373 evaluated at the receiver side correspondingly.
1374 • The assumed bit error probability for calculations is 10 -2 .
1375 Figure 42 shows the so-called 1 % share rule of the IEC 61784-3. For IO-Link Safety it
1376 means, the residual error rate of an IO-Link Safety logical connection shall not exceed 1 % of
1377 the average probability of a dangerous failure (PFH) of that safety function with the highest
1378 SIL the safety communication is designed for, which is SIL3. This value is 10 -9 /h.
Safety Function
Logical Logical
connection Programmable connection
FS- FS-
electronic
Master Master
system
≤1% ≤1%
FS-Device FS-Device
1379
1381 Calculations under the above conditions have shown the following possibilities (see Annex D):
1382 – For a CRC16 proper polynomial (0x4EAB) 4 octets of process data (safety PDU length = 7
1383 octets);
1384 – For a CRC32 proper polynomial (0xF4ACFB13) 26 octets of process data (safety PDU
1385 length = 32 octets).
1386 Thus, support of two variants is provided: CRC-16 with up to 4 octets of safety I/O data and
1387 CRC-32 with up to 26 octets.
1393 Acyclically exchanged functional safety data structures are transmitted in IO-Link On-request
1394 Data (OD) containers either from a dedicated tool or from a user program within an FS-PLC.
1395 In this case additional securing mechanisms (e.g. CRC signature) are required at each and
1396 every transfer or after a parameter block.
BooleanT/bit BooleanT ("packed form" for efficien- 1 bit Clause E.2.2; Table Proximity switch
cy, no WORD structures); assignment E.22 and Figure E.8
of signal names to bits is possible.
IntegerT(16) IntegerT (enumerated or signed) 2 octets Clause E.2.4; Table Protection fields of
E.4, E.7 and Figure laser scanner
E.2
IntegerT(32) IntegerT (enumerated or signed) 4 octets Clause E.2.4; Table Encoder or length
E.4, E.6, and Figure measurement (≈ ± 2
E.2 km, resolution 1 µm)
1402
1407 In case of FS-Terminals (see 11.10.3) the rules in Table 24 for the layout of binary and digital
1408 data and their qualifier bits apply.
1 Value DI Value DO
2 Value AI Value AO
3 Qualifier DI –
4 Qualifier AI –
5 Qualifier DO –
6 Qualifier AO –
1412
PrepareSPDU_6 PrepareSPDU_1
tm(MTime)/
T8
Send_SPDU/ Send_SPDU/
T9 T2
WaitOnResponse_2
WaitOnResponse_7
CheckSPDU_8
Send_SPDU/ CheckSPDU_3
do CRC_check T5
do Counter_check do CRC_check
do Counter_check
[not FAULTs and PrepareSPDU_4
(not ChFAck_C or
[not FAULTS]/ [FAULTS]/
not ChFAck_C_e)]/
T4 T7
T13 [not FAULTS and
ChFAck_C and
ChFAck_C_e]/
[FAULTS]/
T11
T12
1423
1426 Table 26 – Definition of terms used in SCL state machine of the FS-Master
Term Definition
ChFAck_C Operator acknowledgment for the safety function via the FS-Gateway
FAULTS MTimeout: FS-Master timeout when waiting on an FS-Device SPDU response, or
MCommErr: FS-Master detects a corrupted FS-Device SPDU response (incl. counter error), or
DTimeout: FS-Device reported a timeout of its SCL via Status&DCnt Byte, or
DCommErr: FS-Device reported a CRC (incl. counter error) by its SCL via Status&DCnt Byte
Initialization Initial state of the FS-Master SCL instance upon power-on (one per port).
1 PrepareSPDU Preparation of a (regular) SPDU for the FS-Device. Send SPDU when prepared.
2 WaitOnResponse SCL is waiting on SPDU from FS-Device.
3 CheckSPDU Check received SPDU for not FAULTS ( T4). In case of FAULTS: errors within the
Status&DCnt Byte (DCommErr, DTimeout, SDset) T7
4 PrepareSPDU Preparation of a (regular) SPDU for the FS-Device. Send SPDU when prepared.
IO-Link Safety – 65 – V1.0
5 WaitOnResponse SCL is waiting on next SPDU from FS-Device not carrying the previous DCount_i.
6 PrepareSPDU Preparation of an (exceptional) SPDU for the FS-Device (due to MTimeout, missing OpAck,
or FAULTS).
7 WaitOnResponse SCL is waiting on next SPDU from FS-Device not carrying the previous DCount_i. When
received T10, after MTimeout T14.
8 CheckSPDU Check received SPDU for a CRC error (MCommErr) and for potential FS-Device faults
within the Status&DCnt Byte (DTimeout, DCommErr). Once a fault occurred, no automatic
restart of a safety function is permitted unless an operator acknowledgement signal
(ChFAck_C) arrived (see Figure 38). Hint: A delay time may be required avoiding the
impact of an occasional system shutdown.
1428
TRAN- SOURCE TARGET ACTION
SITION STATE STATE
T5 4 5 restart MTimer
T6 5 3 –
T7 3 6 use SD, setSD =1, SDset_S =1
MCount = MCount + 1
if MCount = 8
then MCount = 1
MTimer Timer This timer checks the arrival of the next valid SPDU from the FS-Device in
time. The FS-Master Tool is responsible to define this watchdog time. Value
range is 0 … 65 535 ms.
ChFAck_C_e Flag By means of this auxiliary variable (bit) it is ensured that the safe state will be
left only after a signal change of ChFAck_C from 0 1 (edge). Without this
mechanism an operator could overrule safe states by permanently actuating
the ChFAck_C signal.
FAULTS Flags Permanent storage of the following errors or failures can be omitted within the
FS-Master, if it can be assumed that the upper level FSCP system prevents
from automatic restart of safety functions (no FS-Device persistence):
- MCommErr
- MTimeout
- DCommErr, including counter error (Status&DCnt Bit 1)
- DTimeout (Status&DCnt Bit 0)
Expected SPDU Guard Mirrored inverted counter (DCount_i = inverted MCount)
Not old SPDU Guard Counter value ≠ value of previous SPDU
do CRC_check Activity SCL calculates CRC signature across received SPDU while signature value =
"0" and compares with received CRC signature
do Counter_check Activity SCL checks whether DCount carries an expected value (mirror)
NOTE Variables within ACTIONs are defined in 11.3
1430
tm(DTime)/
T31 WaitOnSPDU_21
Send_SPDU/
T26
[received]/
WaitOnSPDU_26 T21
[received and
not old SPDU]/
T24
tm(DTime)/ [received and not old
T30 SPDU]/ WaitOnSPDU_24
T27 CheckSPDU_22
do CRC_check
CheckSPDU_27 do Count_check
Send_SPDU/
do CRC_check T23
do Count_check
[No CommErr]/ [CommErr]/
T22 T25
[CommErr or [No CommErr and
SDcycles > 0]/ SDcycles = 0]/ PrepareResponse_23
T29 T28
1433
1436 Table 28 – Definition of terms used in SCL state machine of the FS-Device
Term Definition
CommErr The SCL within the FS-Device detected a CRC or counter error in the received SPDU
IO-Link Safety – 67 – V1.0
Term Definition
1437
Initialization Initialization of the FS-Device upon power-on. Upon power-on, the FS-Device (actuator)
sets the PDout to "0". Upon power-on the FS-Device (sensor) is sending "0".
20 SystemStart Immediately after FSP parameterization the FS-Device sets PDout to SDout values.
Immediately after FSP parameterization it is sending Process Data (PD).
21 WaitOnSPDU SCL is waiting on next SPDU from FS-Master.
22 CheckSPDU Check received SPDU from FS-Master for CRC errors; set ChFAckReq_DC = ChFAckReq.
When guard "No CommErr" = true T22. When guard "CommErr " = true T25
23 PrepareResponse Preparation of (regular) SPDU response for the FS-Master (response message)
24 WaitOnSPDU SCL is waiting on next (regular) SPDU from FS-Master not carrying the previous MCount.
After FSP_WatchdogTime expired T27. When SPDU received and guard
"MCounter_incremented" = true T24 (regular cycle)
25 PrepareResponse Preparation of (exceptional) SPDU response for the FS-Master (due to DTimeout or
DCommErr = error report bits in Status&DCnt Byte)
26 WaitOnSPDU SCL is waiting on next SPDU from FS-Master not carrying the previous MCount. After
FSP_WatchdogTime expired T30. When SPDU received and guard
"MCounter_incremented" = true T27
27 CheckSPDU Check received SPDU from FS-Master for CRC errors; set ChFAckReq_DC = ChFAckReq.
When guard "No CommErr and SDcycles >=1" = true T28. When guard "CommErr or
SDcycles <1" = true T29
1439
TRAN- SOURCE TARGET ACTION
SITION STATE STATE
T20 20 21 –
T21 21 22 –
T22 22 23 use PDin_D,
DCommErr = 0, /*Status&DCnt, Bit 1*/
DTimeout = 0, /*Status&DCnt, Bit 0*/
DCount_i = MCount_inv,
restart DTimer
if SDcycles <> 0
then
use SDout, setSD_DC=1, SDset =1, /*during SDcycles: SDset_p =1*/
SDcycles = SDcycles - 1
else
use PDout, setSD_DC=0, SDset = 0
if setSD =1 /*use_SD =1*/
then
use SDout, setSD_DC=1,
T23 23 24 if SDset_DS = 1 /* FS-Device fault*/
then SDset = 1
T24 24 22 –
T25 22 25 use PDin_D,
use SDout, SDset = 1,
DCommErr =1, /*Status&DCnt, Bit 1*/
CommErrCount = 1,
DCount_i = MCount_inv,
SDcycles = 3,
restart DTimer
T26 25 26 –
IO-Link Safety – 68 – V1.0
T27 26 27 –
T28 27 23 use PDin_D,
use SDout, setSD_DC=0, SDset = 0,
DCount_i = MCount_inv,
DCommErr =0, /*Status&DCnt, Bit 1*/
DTimeout =0, /*Status&DCnt, Bit 0*/
restart DTimer,
T29 27 25 use PDin_D,
use SDout, setSD_DC=1, SDset = 1,
DCount_i = MCount_inv,
restart DTimer
if CommErr
then
DCommErr = 1, /*Status&DCnt, Bit 1*/
CommErrCount = 1,
SDcycles = 3,
else
SDcycles = SDcycles -1
if CommErrCount = 1
then
DCommErr = 1, /*Status&DCnt, Bit 1*/
CommErrCount = 0
else DCommErr = 0 /*Status&DCnt, Bit 1*/
if TimeoutCount = 1
then
DTimeout = 1, /*Status&DCnt, Bit 0*/
TimeoutCount = 0
else DTimeout = 0 /*Status&DCnt, Bit 0*/
1441
1442 It is very unlikely for an FS-Device to receive SPDUs with all octets "0". The SCL within the
1443 FS-Device shall ignore such an SPDU. Normally, at least the CRC signature will be "1" if
1444 Process data and Control Byte are "0" according to the rules in 11.4.6.
IO-Link Safety – 69 – V1.0
FSP_Parameter()
........ 20 SDout
SDin
M_SPDU(SDout, MCount=0, setSD=1, ChFAckReq=0, CRC)
1 21
SDout
D_SPDU(PDin, DCount_i=7, SDset=1, DCommErr=0, DTimeout=0,CRC) SDcycles = 3
SDin 3 23
FS-Device switches from Safe Data (SD) to Process Data (PD) after
three SPDU cycles (SDset=1 to SDset=0). MCount starts with 0 and
wraps over to 1.
1448
1450 Upon power-on both FS-Master and FS-Device are providing SDin (PDin = "0") and SDout
1451 (PDout = "0") respectively. Both keep these values for 3 communication cycles (SDcycles)
1452 before switching to the regular mode, where only the MCounter and DCounter values are
1453 changing.
IO-Link Safety – 70 – V1.0
FS-Master as part of the FSCP device was switched OFF and ON.
Measures against automatic restart are handled by the upper level
FSCP.
1457
1459 The FS-Device communication part is always powered by the FS-Master. Thus, if the FS-
1460 Master is switched OFF and ON, the FS-Device is just following and a regular start-up occurs.
1461 Since the FS-Master is part of an upper level FSCP system, this FSCP system is responsible
1462 to prevent from automatic restart of safety functions in this case.
IO-Link Safety – 71 – V1.0
FSP_Parameter()
M_SPDU(SDout, "IO-Link
MCount=0,Black Channel"
setSD=1, repeats message
ChFAckReq=0, CRC)
20 SDout
M_SPDU(SDout, MCount=0, setSD=1, ChFAckReq=0, CRC)
21
This example shows the case where the FS-Master waits until the
FS-Device is able to react. The FS-Master message will be repeated by
the underlying IO-Link transmission system ("Black Channel")
1465
1467 This diagram shows how an FS-Master SCL waits on the SCL of the FS-Device in case of
1468 delays. The initial SPDU of the FS-Master is repeated by the IO-Link transmission system
1469 (black channel) until the SCL of the FS-Device is ready to process in state 21.
1470 As long as the SCL of the FS-Device is not ready, the response SPDU contains all "0" and the
1471 FS-Master SCL will ignore such an SPDU. PDvalid/invalid of IO-Link is reserved for the non-
1472 safety part of the entire message.
IO-Link Safety – 72 – V1.0
5 PDout
tm(MTimeout)
ChFAck_C=1
D_SPDU(PDin, DCount_i=4, SDset=0, DCommErr=0, DTimeout=0, CRC) SDout
PDin 8 23 SDcycles = 0
Master SCL shall indicate "BAD" via qualifier bit for this particular
signal channel to the FSCP due to MTimeout and initiate the
acknowledgment mechanism.
1475
1477 This case assumes for example a short unplug and plug of the FS-Device causing a FAULT
1478 (MTimeout) on the FS-Master side. This FAULT causes a Qualifier bit to be set that requires
1479 via ChFAckReq (=1) an acknowledgment via ChFAck_C (=1). FS-Master and FS-Device keep
1480 SDin and SDout until this acknowledgment arrived.
1481
IO-Link Safety – 73 – V1.0
PDin
M_SPDU(PDout, MCount=3, setSD=0, ChFAckReq=0, CRC)
4 24 PDout
D_SPDU(PDin, DCount_i=4, SDset=0, DCommErr=0, DTimeout=0, CRC)
SDin 3 23
CRC error
M_SPDU(SDout, MCount=4, setSD=1, ChFAckReq=0, CRC)
6 24 SDout
D_SPDU(PDin, DCount_i=3, SDset=0, DCommErr=0, DTimeout=0, CRC)
SDin 8 23
Qualifier ChFAckReq M_SPDU(SDout, MCount=5, setSD=1, ChFAckReq=1, CRC)
6 24 SDout
ChFAck_C=1
D_SPDU(PDin, DCount_i=0, SDset=0, DCommErr=0, DTimeout=0, CRC)
PDin 8 23
Master SCL shall indicate "BAD" via qualifier bit for this particular
signal channel to the FSCP due to the discovered CRC error and
initiate the acknowledgment mechanism.
1484
1486 FS-Master received an SPDU with falsified data or falsified CRC signature which results in a
1487 "CRC error" (MCommErr). Both FS-Master and FS-Device switch to SDin and SDout
1488 respectively and the FS-Master/Gateway creates a qualifier bit and indicates a ChFAckReq
1489 signal. This signal is indicated also to the FS-Device via ChFAckReq (=1) for indication via
1490 LED (light emitting diode) to the user.
1491 FS-Master and FS-Device keep SDin and SDout until the acknowledgment ChFAck_C (=1)
1492 arrived.
1493
IO-Link Safety – 74 – V1.0
Master SCL shall indicate "BAD" via qualifier bit for this particular
signal channel to the FSCP due to a discovered CRC error and initiate
the acknowledgment mechanism.
1496
1498 FS-Device received an SPDU with falsified data or falsified CRC signature which results in a
1499 "CRC error" (DCommErr). Both FS-Master and FS-Device switch to SDin and SDout
1500 respectively caused by FS-Device Status Byte information (SDset=1 and DCommErr=1). The
1501 FS-Master/Gateway creates a qualifier bit and indicates a ChFAckReq signal. This signal is
1502 indicated also to the FS-Device via ChFAckReq (=1) for indication via LED (light emitting
1503 diode) to the user.
1504 The FS-Device runs through 3 SDcycles and afterwards FS-Master and FS-Device keep SDin
1505 and SDout until the acknowledgment ChFAck_C (=1) arrived.
1506
1507
1508
IO-Link Safety – 75 – V1.0
FS-Device IO-Link
FS-Master
MasterCycleTime
SCL
cycle
time Watch-
Watchdog dog
time time
SCL
cycle
time
Watch-
dog
Watchdog
time
time
1511
1513 The base IO-Link system ("black channel") transmits SPDUs within the IO-Link
1514 MasterCycleTime (see [1], Table B.1) from the FS-Master to the FS-Device and back. The
1515 same SPDU, for example with MCount = 3, may be sent several times before the Safety
1516 Communication Layer (SCL) starts the next SCL cycle with MCount = 4. In the meantime, the
1517 FS-Master received the response SPDU from the FS-Device with DCount_i = 4.
Item Constraints
Synchronization At each start-up and after an FS-Master timeout, the FS-Master SCL uses MCount = 0
SCL cycle time The SCL cycle time comprises the transmission time of the FS-Master SPDU, the FS-
Device processing time, the transmission time of the FS-Device response SPDU, and
the FS-Master processing time until the next FS-Master SPDU (see Figure 51)
Watchdog time The entire SCL cycle time is monitored by the watchdog timer, whose time value is
defined by the parameter FSP_Watchdog (see A.2.6).
Counter check The counter values are included in the cyclic CRC signature calculation. An incorrect
CRC signature value will already lead immediately to a safe state. The immediate
counter check in some states is used for discarding "outdated SPDUs".
Repetition Repetition in case of detected incorrect CRC signatures is not provided
PFH-Monitor The FS-Master holds the information about the reliability of both SPDU transmissions
from the FS-Device and to the FS-Device (see Table 21, bit 1). Thus, the FS-Master
monitors the average probability of a dangerous failure within a given time frame (PFH-
Monitor time). The FS-Master state machine is designed such that any corrupted
SPDU leads always to a safe state. Whenever the unlikely event of a detected
corrupted SPDU occurs during the shift of production or operation, the responsible
operator is assigned to play the role of the PFH-Monitor and can tolerate the indication
and acknowledge it. In case of frequent indications more often than once per PFH-
Monitor time, a check of the installation or the transmission quality should be
performed (see Annex H.6).
PFH-Monitor time (h) 10 FSP_ProtMode = 0x01; 16 bit CRC, see A.2.5
10 FSP_ProtMode = 0x02; 32 bit CRC, see A.2.5
1520
1535 Countermeasures:
1536 The CRC signature as specified in 11.4.6 detects the bit errors in messages between FS-
1537 Master and FS-Device to the extent required for SIL3 applications. The CRC signature is
1538 generated across the SPDU including the PD or SD data, and the Control&MCnt or
1539 Status&DCnt octet for cyclic communication.
1540 At start-up, the FSP parameters are sent once to the FS-Device via ISDU services. They are
1541 secured by the 16 bit FSP_ProtParCRC signature. The frequency of its occurrence is
1542 assumed to be 1/day as parameter for the calculation of the residual error rate.
1543 The CRC signature of the first SPDU sent by the SCL of the FS-Master after start-up includes
1544 the FSP_ProtParCRC signature. All following cyclic SPDUs exclude this signature.
1549 Countermeasures:
1550 The data within the black channel are transferred cyclically. Thus, an incorrect message with
1551 an SPDU that is inserted once will immediately be overwritten by a correct message. The
1552 thereby possible delay of a demand can be one DTime/MTime.
1557 Countermeasures:
1558 The receiver will detect any incorrect sequence due to the stringently sequential expectation
1559 of the MCount and DCount values.
1562 Countermeasures:
1563 Lost information will be detected by stringently changing and examining the MCount/DCount
1564 and/or MTime/DTime within the safety communication layer of the respective receiver.
1572 Countermeasures:
1573 A consecutive counter in each message (MCount/DCount) together with a watchdog timer
1574 (MTime/DTime) will detect unacceptable delays.
1582 Countermeasures:
1583 The receiver will detect any incorrect sequence due to the stringently sequential expectation
1584 of the MCount and DCount values.
1593 Countermeasures:
1594 The receiver will detect any incorrect sequence due to the stringently sequential expectation
1595 of the MCount and DCount values. After changes of wiring, the FS-Devices can detect
1596 misconnections through the FSP_Authenticity1/2 and FSP_Port parameters (see A.2.1 and
1597 A.2.2) at start-up.
1607 Countermeasures:
1608 The receiver will detect any incorrect sequence due to the stringently sequential expectation
1609 of the MCount and DCount values. After changes of wiring, the FS-Devices can detect
1610 misconnections through the FSP_Authenticity1/2 and FSP_Port parameters (see A.2.1 and
1611 A.2.2) at start-up.
1615 Countermeasures:
1616 IO-Link Safety provides for inverted values for MCount and DCount from the FS-Device.
IO-Link Safety – 78 – V1.0
1621 Due to the initial behavior of an FS-Device as an OSSDe, the start-up is coordinated and
1622 specified in 5.7, 7.2, and 7.3.
1623 The start-up of the underlying IO-Link communication system is specified in [1] and Figure 55.
1624 Any deviating FSP authenticity or protocol parameter CRC signature shall lead to a safe state
1625 of the particular FS-Master port.
1632 • Authenticity
1633 • Safety communication
1634 • FS-I/O structure description
1635 • Auxiliary parameters
1636 The authenticity parameters combine the safety connection ID ("A-Code") of the FS-Master
1637 (assigned by the upper level FSCP system) with the port number of the connected FS-Device.
1638 Due to the point-to-point nature of the FS-Device communication with its Master, a one-time
1639 check at start-up is sufficient to ensure authenticity (see 11.7.5).
1640 The Safety Communication Layers (SCL) require parameters for protocol versions, protocol
1641 modes such as CRC-16 or CRC-32, watchdog for timeliness, CRC signature to secure
1642 technology parameters, and a CRC signature to secure the safety communication parameters.
1643 The next group contains a description of the FS I/O data structure, the FS-Device wants to
1644 exchange with the FSCP-Host. This description facilitates the mapping to the description
1645 which some FSCP systems require for set-up. During the mapping process the FS-Master tool
1646 appends the qualifier bits, which are necessary for port-selective passivation.
1647 Auxiliary parameters are specified for several purposes. For example, to secure the functional
1648 safety parameter description within the IODD, to support the automatic calculation of the
1649 minimum watchdog time, to protect parameters from unauthorized access via a password, and
1650 to enable invocation of an associated IOPD tool.
1651 Figure 52 shows an overview of the components and the activities around parameterization.
1652 An FS-Master as a gateway comes with a parameter description file for the FSCP system.
1653 With the help of an engineering tool and these parameters, the FS-Master receives during
1654 commissioning for example its FSCP connection ID ("A-Code" for authenticity) and its FSCP
1655 watchdog time ("T-Code" for timeliness). Thus, the FSCP communication cycles are
1656 independent from the IO-Link safety communication cycles between FS-Master and FS-
1657 Device.
IO-Link Safety – 79 – V1.0
FSCP: FS-Master
Engineering
description file
tool
FS-Master Tool
invocation
FSCP
FS-Master
tool
Proprietary
FS-Master
IO-Link communi-
cation (OD)
Protocol Technology
parameter parameter
FS-
Device IODD IOPD
"Dedicated
Tool"
1658
1660 An FS-Master with its IO-Link side can be configured and parameterized with the help of its
1661 FS-Master tool. The IODD of an FS-Device contains besides the non-safety parameters also
1662 the safety section with the parameters in Annex A. The parameters can be set-up off-line or
1663 online the same way as with a non-safety system. The FSCP authenticity parameter can be
1664 copied from the engineering tool display to the IO-Link system FS-Master tool display (see
1665 A.2.1).
1666 It is possible to describe a small set of technology parameters (FST) in a non-safety manner,
1667 thus allowing the usage of the IO-Link standard data storage mechanism as described in 9.4.
1668 However, a separate dedicated IOPD tool, developed according IEC 61508-3 shall be used to
1669 calculate a CRC signature across the instance of the FST parameters. This CRC signature
1670 shall be entered into the corresponding FSP parameter (see A.2.7).
1671 The IOPD tool uses a new standardized IOPD communication interface and the same path to
1672 the FS-Device as the FS-Master tool itself.
1678 Figure 52 shows a loosely coupled system, where the parameterization is performed within
1679 the IO-Link safety part. Within the FSCP system, predefined FS I/O data structures are
1680 available and can be selected during commissioning.
FS-Master
tool
FS-Master
IO-Link communi-
cation (OD)
Protocol Technology
parameter parameter
FS-
Device IODD IOPD
"Dedicated
Tool"
1685
1687 Due to the fieldbus-independent design of IO-Link and IO-Link safety, all parameters are
1688 mapped into the fieldbus device description file (for example EDS, GSD, etc.) with the help of
1689 a Composer tool. It is one of the objectives of IO-Link safety to optimize the design of safety
1690 parameters such that an efficient mapping is possible.
1701 During the data manipulations within the FS-Master tool as well as within Device Tools/IOPDs
1702 ("Dedicated Tools") such as display, intended modification, storage/retrieval, and
1703 down/upload, parameter values could become incorrect. It is the responsibility of the designer
1704 to develop the tools fulfilling the requirements of IEC 61508-3 or ISO 13849-1 for software
1705 tools classified as T3.
1706 In case of an FSCP-Host-centric system, these requirements apply for the Composer and the
1707 Engineering tool.
4 UIntegerT (32)
5
FSP_Authenticity2
(extension)
6 (FSCP dependent)
7
17 FSP_TechParCRC
UIntegerT (32)
18
19
20
CRC signature to
21 FSP_ProtParCRC
be transfered at
22 UIntegerT (16)
protocol start
End of FSP parameter record
1719
1721 The authenticity parameters are secured by FSP_AuthentCRC for transmission from FS-
1722 Master Tool to FS-Master and further to the FS-Device. The procedure of the FSCP
1723 authenticity acquisition from the FSCP gateway and subsequent handling of the FSP authen-
1724 ticity record is described in 10.2.3.3.
1728 At each start-up, the FS-Master transfers both parameter records to the FS-Device during
1729 PREOPERATE as shown in Figure 55 and described in 10.2.3.1.
1730 The FS-Device will detect a potential mismatch between the downloaded authenticity
1731 parameter set and the already stored values in the FS-Device, for example if FS-Devices are
1732 misconnected to a different port or even to a different FS-Master. The FS-Device stores
1733 authenticity parameters only during commissioning, i.e. when the FSP_TechParCRC signa-
1734 ture value is "0". When the FSP_TechParCRC signature value is ≠ "0", The FS-Device will
1735 only compare the stored authenticity values with the newly transferred values.
IO-Link Safety – 82 – V1.0
1736 The protocol parameters are propagated to the safety communication layer at each start-up.
1737 The protocol engine detects any mismatch between the locally stored parameters (for
1738 example due to falsified bits) and the newly transferred record during initialization and blocks
1739 safety communication.
Communication,
STARTUP
Identification
Standard
START Input/Output
(SIO/OSSD)
Cyclic Configure,
OPERATE Process Data PREOPERATE
Parameterize
exchange
Authent + Protocol
3. Block Authent if
2. Transfer of FSP
1. "Restore" if FS-
TechParCRC <>0
Device replaced
communication
IO-Link Safety
Two cases:
1. Replacement
2. Misconnection
1740
1742 In case the FS-Device has been replaced due to a failure, the technology specific parameters
1743 (FST) and the FSP parameters are "restored" from Data Storage if the FS-Device caries all
1744 Authenticity parameters = "0". If Authenticity is not "0", the FS-Device shall ignore them and
1745 keep the existing (see 9.4, E.5.7, and step 1. in Figure 55). In this case a misconnection can
1746 be assumed or the FS-Device has already been in use and requires testing and a reset of the
1747 Authenticity parameters (see Annex G).
1751 Due to the additional qualifier bits required for port-selective passivation, the original FS-
1752 Device specific data structure is not directly visible within the FSCP I/O data structure
1753 exchanged with the FSCP-Host.
1754 The safety-related interpreter of the FS-Master Tool transfers the entire instance data
1755 together with the CRC signature to the FS I/O data mapper as shown in 10.2.3.1 (see also
1756 A.2.9).
1761 The FST parameters are displayed in this case within the FS-Master tool (see Figure 56, FST-
1762 Parameters section). Values can be assigned as with non-safety parameters.
IO-Link Safety – 83 – V1.0
Filter 26
Discrepancy 5
Redundancy yes
Two hand control THC26
Test cycle 3
Filter 26
Discrepancy 5
Redundancy yes
Confirm values
1765 After test and validation, the Device Tool is invoked via menu (step). Instance values are
1766 transferred via TPF (step) and displayed again. The user compares the instance values and
1767 confirms the correctness via the "Confirm" button (step). The Device Tool then calculates
1768 the CRC signature across the instance data of the FST parameters (see "CRC signature" in
1769 Figure 56), which can be copied and pasted into the "FSP_TechParCRC" field of the FSP
1770 parameters (step ).
1771 Since this parameter is part of the FSP parameter block, the FS-Device can check the
1772 integrity of these FST parameters together with the protocol parameters.
1773 11.7.9 Technology parameter (FST) based on existing dedicated tool (IOPD)
1774 In cases, where existing safety devices already have their PC program with password
1775 protection, wizards, teach-in functions, verification instructions, online monitoring, diagnosis,
1776 special access to device history for the manufacturer, etc., an FST parameter description may
1777 not be available. Figure 57 shows an example.
Transfer network
information via TPF
1778
1780 Such a Device Tool requires communication with its particular FS-Device and therefore
1781 access to a Communication Server (see Annex F.5). It can be invoked via menu entries
1782 (step) and thus jump directly into for example configuration or status/diagnosis functions.
1783 Network information is transferred via TPF (step). After test and validation, it shall provide a
1784 display of the calculated CRC signature across the instance data, which can be copied and
1785 pasted into the "FSP_TechParCRC" field of the FSP parameters (step).
1786 These FS-Devices shall be supported by the data storage mechanism of IO-Link and an FS-
1787 Device replacement without tools is possible.
1788 The Data Storage limit per FS-Device is 2048 octets according to [1].
1793 For FS-Devices with only a few FST parameters, no business logic, and no wizard and help
1794 systems, one particular "Interpreter Framework" should be developed in a safe manner
1795 according to IEC 61508 and equipped with the necessary communication interfaces. The
1796 result will be made available for the whole IO-Link Safety community as a development kit at
1797 a certain fee. The FS-Device developer can create an individual "Internal IODD" for the FST
1798 parameters of a particular FS-Device (Option 1 in Figure 58). The "Interpreter Framework"
1799 together with the individual "Internal IODD" will then be compiled using the brand name,
1800 company and FS-Device identifiers to one dedicated tool (IOPD). This executable software
1801 can be certified by assessment bodies.
1802 For FS-Devices with more complex FST parameters, the IOPD can be developed individually
1803 or existing tools can be used. In both cases the tools can be equipped with the necessary
1804 communication interfaces (Option 2 in Figure 58).
InterpreterSW
Classified
as T3
Development
Compile synergy!? Compile
1807 In any case, the dedicated tool (IOPD) shall calculate and display the CRC signature across
1808 all FST parameters. This signature can be copied into the entry field of the FSP parameter
IO-Link Safety – 85 – V1.0
1809 "FSP_TechParCRC", such that an FS-Device can verify the correctness of locally stored FST
1810 parameters after start-up and download of the FSP parameter set to the FS-Device.
1811 For each and every FS-Device the same set of FSP (protocol) parameters shall be created in
1812 an extended IODD. This IODD is mandatory and contains the usual conventional parameters
1813 and additionally the FSP parameters.
1820 In order for the IOPD to communicate with its FS-Device a new standardized communication
1821 interface is required.
1828 Figure 59 illustrates the communication hierarchy of FDT and others for the fieldbus as well
1829 as the connection via the "Device Tool Interface" and the underlying IO-Link communication.
1830 The FS-Device Tool (IOPD) does not have to know about the fieldbus environment it is
1831 connected to. The example in Figure 59 illustrates how it sends a "Read Index 0x4231"
1832 service and how the FS-Master Tool packs this service into a fieldbus container and passes it
1833 to the fieldbus communication server.
1834 The addressed FS-Master is connected to the fieldbus and receives this container. It unpacks
1835 the IO-Link Read service and performs it with the addressed FS-Device connected to a port.
Example:
Fieldbus container "Read Index 0x4231"
Communication
driver CommServer
Fieldbus
1836
1846 • requires different I/O data structures to exchange with PLCs or hosts;
1847 • has different reaction times due to configured high or low resolutions;
1848 • can have different SIL, PL, category, or PFH values impacting the overall safety level of a
1849 safety function.
1850 The classic "fieldbus device description" to inform an engineering system is not flexible in this
1851 respect. Its advantage is the testability and certification for its interoperability with engineering
1852 tools.
1853 Nevertheless, a "backward channel" within the tool interfaces allows for nowadays flexible
1854 manufacturing and ease of engineering and commissioning. An example is specified in [15]
1855 clause 4.15.5.
1856 Annexes F.3.5 and F.9.4 specify an extension for this "backward channel".
FS-Master
1867 FSCPs usually provide so-called qualifier bits associated to the signal process data, which
1868 enable selectively passivating that particular signal channel and the associated safety
1869 function.
1870 Safety of machinery usually requires an operator acknowledgment after repair of a defect
1871 signal channel to prevent from automatic restart of a machine. It is not necessary to provide
1872 the acknowledgment for each signal channel and it can be one for all the channels.
IO-Link Safety – 87 – V1.0
1877 It can be helpful for the user to provide an indication in each FS-Device that an operator
1878 acknowledgment is required prior to a restart of a safety function. CB0 (ChFAckReq) within
1879 the Control&MCnt octet (see Table 20) shall be used for that purpose. It is not safety-related.
1880 Optionally, in case of FS_PortMode "OSSDe" (see 10.2.2), the signal ChFAckReq can be
1881 connected separately to the corresponding FS-Device indication (see H.1).
1885 For those FS-Devices the design rules in 11.4.7.3 apply. The acknowledgment mechanisms
1886 shall be implemented within the safety Process Data.
FAULTS_S Faults
≥1 "GOOD/BAD" qualifier
SDset_S
Qualifier
handler
FSCP Operator request
ChFAckReq_S
and acknowledgment (AckQ)
ChFAck_C
1891
1893 The qualifier bits "GOOD/BAD" shall be set according to the definitions in Table 31 during the
1894 FSCP mapping procedure.
0 GOOD 1
1 BAD 0
1896
OSSDe FSCP
(FS-Master) (FS-Gateway)
Faults
OSSDe test "GOOD/BAD" qualifier
Qualifier
handler
FSCP Operator request
ChFAckReq and acknowledgment (AckQ)
1900
1902 Figure 63 shows the state machine for the behavior of the qualifier handler (OSSDe).
/Initialization
Port_OSSDe_Check_1
[Faults appeared]/
OSSDe_OK_GOOD_2 T3 OSSDe_Fault_BAD_3
[Faults gone]/
T4
1903
1905 Table 32 shows the state and transition table for the qualifier behavior.
RisingEdge_of_AckQ Flag Means to prevent from permanently actuating the AckQ signal.
AckQ Flag Flag depending on the individual upper level FSCP system and its mapping.
IO-Link Safety – 89 – V1.0
Faults Flag Any detected fault such as a wire break, short circuit.
ChFAckReq Flag Signal set by qualifier handler (see 11.10.2 and H.1)
1909
Host: Safety-PLC
FSCP
Length: 4 x (x+1) octets
Message length: x + 1 octets Message length: x + 1 octets (Each bit has its own safety code)
(Bits packed within one message) (Bits packed within one message)
Safety
Switches, FS-Devices 1 2 3 4
1 2 3 4
OSSDs
Usually 1 data bit per safety device Usually 1 data bit per FS-Device Usually 1 data bit per FS-Device
1920
1926 Annex A
1927 (normative, safety-related)
1928
1929 Extensions to parameters
1930
1933 Table A.1 shows the specified Indices for IO-Link profiles, the protocol parameters (FSP) of
1934 IO-Link Safety, comprising authenticity, protocol, I/O data structures, and auxiliary blocks as
1935 well as the total reserved range for IO-Link Safety, and the second range of Indices for IO-
1936 Link profiles.
Index Sub Object name Access Length Data type M/O/ Purpose/reference
(dec) index C
…
0x4000 Profile specific For example: Smart sensors
to Indices
0x41FF
Authenticity (11 octets)
0x4200 1 FSCP_Authen- R/W 4 octets UIntegerT M "A-Code" from the upper level
(16896) ticity_1 FSCP system; see A.2.1
2 FSCP_Authen- R/W 4 octets UIntegerT M Extended "A-Code" from the
ticity_2 upper level FSCP system
3 FSP_Port R/W 1 octet UIntegerT M PortNumber identifying the
particular FS-Device; see A.2.2
4 FSP_Authent R/W 2 octets UIntegerT M CRC-16 across authenticity
CRC parameters; see A.2.3
Protocol (12 octets)
0x4201 1 FSP_ R/W 1 octet UIntegerT M Protocol version: 0x01; see
(16897) ProtVersion A.2.4
2 FSP_ R/W 1 octet UIntegerT M Protocol modes, e.g. 16/32 bit
ProtMode CRC; see A.2.5
3 FSP_ R/W 2 octets UIntegerT M Monitoring of I/O update;
Watchdog 1 to 65 535 ms; see A.2.6
4 FSP_IO_ R/W 2 octets UIntegerT M CRC-16 signature across I/O
StructCRC structure description block; see
A.2.9
5 FSP_TechParCRC R/W 4 octets UIntegerT M Securing code across FST
(technology specific parameter);
see A.2.7
6 FSP_Prot R/W 2 octets UIntegerT M CRC-16 across protocol
ParCRC parameters; see A.2.8
Auxiliary parameters
0x4210 FS_ W 32 StringT M Password for access protection
(16912) Password octets of FSP parameters and
Dedicated Tools; see A.2.10
0x4211 Reset_FS_ W 32 StringT M Password to reset the FST
(16913) Password octets Parameters to factory settings
and to reset implicitly the FS-
Password; see A.2.11
IO-Link Safety – 91 – V1.0
Index Sub Object name Access Length Data type M/O/ Purpose/reference
(dec) index C
1938
1949 Some FSCPs provide extended authenticity. In those cases, the extended code shall be
1950 included in this parameter.
Value Definition
0x00 Reserved
0x01 This protocol version
0x02 to 0xFF Reserved
1964
IO-Link Safety – 92 – V1.0
Value Definition
0x00 Reserved
0x01 0 to 4 octets of FS I/O Process Data; 16 bit CRC
0x02 0 to 26 octets of FS I/O Process Data; 32 bit CRC
0x03 to 0xFF Reserved
1968
1974 With the help of the parameter default value (I/O update time), the transmission times of the
1975 safety PDUs, and FS-Master processing times, the FS-Master Tool can estimate the total time
1976 and suggest the value of the "FSP_Watchdog" parameter.
1977 The value range is 1 to 65 535 (measured in ms). A value of "0" is not permitted. The SCL of
1978 the FS-Device is responsible to check the validity at start-up and to create an error in case
1979 (see Table B.1).
1984 The method in 11.7.8 is based on IODD and suggests using one of the CRC generator
1985 polynomials in Table D.1. If calculation of the CRC signature value results in "0", a "1" shall
1986 be used.
1987 The method in 11.7.9 depends on the method used within an existing FS-Device Tool
1988 (Dedicated Tool). Whatever method is used, the tool shall display a securing code after
1989 verification and validation that can be copied and pasted into the FSP_TechParCRC
1990 parameter entry field.
1991 During commissioning a value of "0" can be entered to allow for certain behavior of the IO-
1992 Link Safety system (see 10.2.3.1). During production, this value shall be ≠ "0".
1993 For technology specific parameter block transfers > 232 octets, the BLOB mechanism (Binary
1994 Large Objects) specified in [13] can be used.
2003 The safety-related interpreter of the FS-Master Tool transfers the entire instance data
2004 together with the CRC signature to the FS I/O data mapper as shown in 10.2.3.1.
IO-Link Safety – 93 – V1.0
2005 Table A.4 shows Version "1" of the generic FS I/O data structure description for FS-Devices.
2006 With the help of this table, individual instances of FS-Device I/O Process Data can be created
2007 via IODD and, amongst others, used for an automatic mapping of IO-Link Safety data to FSCP
2008 safety data.
2010
2011 Figure A.1 shows the instance of the FS I/O data description of the example in Figure A.2.
2019 Figure A.2 shows an example with FS input Process Data and no FS output Process Data.
Transmission
direction Boolean octet 1 Boolean octet 2 MSO LSO 3 octets
Non-safety
1 1 0 1 1 0 0 1 0 0 0 1 1 0 0 1 IntegerT(16) Safety code
data
Padding bits
2021 Figure A.2 – Example FS I/O data structure with non-safety data
2025 monitors). Maximum size is 32 octets. Encoding shall be ASCII. A mix of upper/lower case
2026 characters, numbers, and special characters shall be possible.
2036 The purpose of this parameter is to secure the relevant descriptions of safety parameters
2037 within the IODD against data falsification during storage and handling as shown in Figure A.3
FS-Master
tool
Proprietary
FS-Master
IO-Link
communication Protocol Technology
parameter parameter
IODD IOPD
"Dedicated
FSP_AuthentCRC, Tool"
FS- FSP_ProtParCRC,
…
Device
FSP_ParamDescCRC
2038
2040
IO-Link Safety – 95 – V1.0
2041 Annex B
2042 (normative, non-safety related)
2043
2044 Extensions to EventCodes
2045 B.1 Additional EventCodes
2046 The Safety Communication Layer (SCL) can create its own EventCodes as shown in Table
2047 B.1.
2049
2050 Usually, "CRC signature" and/or "Counter" transmission errors are caused by seriously
2051 falsified IO-Link messages with SPDUs due to heavy interferences. There is nothing to repair
2052 and an operator acknowledgment is sufficient. This very unlikely warning should inform the
2053 operator and the responsible production manager about possible changes within a machine
2054 requiring an inspection according to the safety manual (see H.6).
IO-Link Safety – 96 – V1.0
2055 Annex C
2056 (normative, safety related)
2057
2058 Extensions to Data Types
2059 C.1 Data types for IO-Link Safety
2060 Table C.1 shows the available data types in IO-Link Safety (see 11.4.7.2).
BooleanT/bit BooleanT ("packed form" for efficien- 1 bit Clause E.2.2; Table Proximity switch
cy, no WORD structures); assignment E.22 and Figure E.8
of signal names to bits is possible.
IntegerT(16) IntegerT (enumerated or signed) 2 octets Clause E.2.4; Table Protection fields of
E.4, E.7 and Figure laser scanner
E.2
IntegerT(32) IntegerT (enumerated or signed) 4 octets Clause E.2.4; Table Encoder or length
E.4, E.6, and Figure measurement (≈ ±
E.2 2 km, resolution 1
µm)
2062
2067
2068 IO-Link Safety uses solely the so-called packed form via RecordT as shown in Table C.3.
2070
2071 Figure C.1 demonstrates an example of a BooleanT data structure. Padding bits are "0".
0 0 0 1 1 0 0 1
Bit offset: 7 6 5 4 3 2 1 0
2072
2074 Only RecordT data structures of 8 bit length are permitted. Longer data structures shall use
2075 multiple RecordT data structures (see Annex C.5).
2076 NOTE Data structures longer than 8 bit can cause mapping problems with upper level FSCP systems (see 3.4.2)
IntegerT(16) -2 15 to 2 15 - 1 1 2 octets
NOTE 1 High order padding bits are filled with the value of the sign bit (SN).
NOTE 2 Most significant octet (MSO) sent first (lowest respective octet number in Table C.5).
2084
Bit 7 6 5 4 3 2 1 0 Container
Octet 1 SN 2 14 2 13 2 12 2 11 2 10 29 28 2 octets
Octet 2 27 26 25 24 23 22 21 20
2087
IntegerT(32) -2 31 to 2 31 - 1 1 4 octets
NOTE 1 High order padding bits are filled with the value of the sign bit (SN).
NOTE 2 Most significant octet (MSO) sent first (lowest respective octet number in Table C.7).
2095
Bit 7 6 5 4 3 2 1 0 Container
Octet 1 SN 2 30 2 29 2 28 2 27 2 26 2 25 2 24 4 octets
Octet 2 2 23 2 22 2 21 2 20 2 19 2 18 2 17 2 16
Octet 3 2 15 2 14 2 13 2 12 2 11 2 10 29 28
Octet 4 27 26 25 24 23 22 21 20
IO-Link Safety – 98 – V1.0
From FS-Master:
CRC signature Control&MCnt FS-PDout
Signature across
Including 0 to 4 octets, or
FS-Output data
3 bit counter 0 to 26 octets
and Control & counting
Safety code
2104
From FS-Device:
FS-PDin Status&DCnt CRC signature
Safety code
2106
2108
IO-Link Safety – 99 – V1.0
2109 Annex D
2110 (normative, safety related)
2111
2112 CRC generator polynomials
2113
2117 If the generator polynomial g(x) = p(x)*(1 + x) is used, where p(x) is a primitive polynomial of
2118 degree (r – 1), then the maximum total block length is 2 (r – 1) - 1, and the code is able to
2119 detect single, double, triple and any odd number of errors (see [19]).
2120 If properness is approved, the residual error probability for the approved data length is 2 -r .
2121 It shall be prohibited that the CRC generator polynomial used in the underlying transmission
2122 systems, for example IO-Link, matches the CRC generator polynomial used for IO-Link
2123 Safety.
2124 Table D.1 shows the CRC-16 and CRC-32 generator polynomials in use for IO-Link Safety:
2126
2128 • to secure cyclic Process Data exchange with a total safety PDU length of up to 7 octets,
2129 i.e. 4 octets for safety Process Data and
2130 • to secure the transfer of up to 16 octets of FSP parameters at start-up or restart.
2131
2133 • to secure cyclic Process Data exchange with a total safety PDU length of up to 32 octets,
2134 i.e. 27 octets for safety Process Data and
2135 • to secure the transfer and data integrity of the entire FST parameter set.
2136 Additional parameters and assumptions for the calculation of residual error probabilities/rates
2137 can be found in 11.4.6.
2141 The REP is less than 0,9×10 -9 for BEPs less than the required 10 -2 at a length of 7 octets.
IO-Link Safety – 100 – V1.0
REP
2-16
10-2
0,9×10-9 (n = 7 octets)
n = 7 octets n = 3 octets
2144 Figure D.2 shows the results of residual error probability (REP) calculations over bit error
2145 probabilities (BEP) for safety PDU lengths from 5 to 128 octets.
2146 The REP is less than 0,5×10 -10 for BEPs less than the required 10 -2 at a length of 26 octets.
REP
10-2
2-32
Residual error probability
0,5×10-10 (n = 26 octets)
BEP
Bit error probability
2147
2158 Figure D.3 shows the algorithm for the innermost loop in "C" programming language.
2159
void crc16_calc(unsigned char x, unsigned long *r)
2160 int i;
for (i = 1; i <= 8; i++)
2161 if ((bool)(*r & 0x8000) != (bool)(x & 0x80))
/* XOR = 1 shift and process polynomial */
2162 *r = (*r << 1) ^ 0x4EAB;
else
2163 /* XOR = 0 shift only */
*r = *r << 1;
2164 x = x << 1;
/* for */
2165
2166 Figure D.3 – Bit shift algorithm in "C" language (16 bit)
2167 The variables used in Figure D.3 are specified in Table D.2.
Variable Definition
2169
2173
r = crctab16 [((r >> 8) ^ *q++) & 0xff] ^(r << 8)
2174
2176 The variables used in Figure D.4 are specified in Table D.3.
Variable Definition
r CRC signature
q q represents the pointer to the actual octet value requiring CRC calculation. After
reading the value this pointer shall be incremented for the next octet via q++.
2178
IO-Link Safety – 102 – V1.0
2179 The function in Figure D.4 uses the lookup in Table D.4.
NOTE This table contains 16 bit values in hexadecimal representation for each value (0 to 255) of the argument a
in the function crctab16 [a]. The table should be used in ascending order from top left (0) to bottom right (255).
2181
2186 Figure D.5 shows the algorithm for the innermost loop in "C" programming language.
2187
IO-Link Safety – 103 – V1.0
2188
2189
void crc32_calc(unsigned char x, unsigned long *r)
int i;
2190
for (i = 1; i <= 8; i++)
2191 if ((bool)(*r & 0x80000000) != (bool)(x & 0x80))
/* XOR = 1 shift and process polynomial */
2192 *r = (*r << 1) ^ 0xF4ACFB13;
else
2193 /* XOR = 0 shift only */
*r = *r << 1;
2194 x = x << 1;
/* for */
2195
2196 Figure D.5 – Bit shift algorithm in "C" language (32 bit)
2197 The variables used in Figure D.5 are specified in Table D.5.
Variable Definition
2199
2203
r = crctab32 [((r >> 24) ^ *q++) & 0xff] ^(r << 8)
2204
2206 The variables used in Figure D.6 are specified in Table D.6.
Variable Definition
r CRC signature
q q represents the pointer to the actual octet value requiring CRC calculation. After
reading the value this pointer shall be incremented for the next octet via q++.
2208
2209 The function in Figure D.6 uses the lookup table in Table D.7.
NOTE This table contains 32 bit values in hexadecimal representation for each value (0 to 255) of the argument a
in the function crctab32 [a]. The table should be used in ascending order from top left (0) to bottom right (255).
2211
2216 In 11.4.6 a seed value of "1" is required for the cyclic data exchange of safety PDUs. The
2217 reason for that is the possibility for the FS-PDout or FS-PDin data to become completely "0".
2218 Since it is a property of CRC-signatures for leading zeros in data strings not to be secured by
2219 CRC signatures whenever the seed value is "0", the requirement in 11.4.6 is justified. Any
2220 value instead of "0" could be used. However, a "1" is sufficient and faster since all of the
2221 operations then are shifting and only the last one consists of shifting and XOR processing.
2222 In A.2.3, A.2.8, A.2.9, A.2.12, and E.5.1, the seed value can be "0" since there are no leading
2223 zeros within the data strings.
IO-Link Safety – 105 – V1.0
2224 Annex E
2225 (normative, safety related)
2226
2227 IODD extensions
2228
2232 In addition, some of the parameters specified in [1] shall be mandatory instead of optional for
2233 this profile (see E.3).
2240 As a general rule, all parameters with Read/Write (R/W) access shall provide a default value
2241 within the IODD (for FSP parameters see E.5.2).
2242 Table E.1 – Constrained Index assignment of data objects for IO-Link Safety
…
0x0001 Direct R/W RecordT - Direct Parameter Page 2 shall not be used
(1) Parameter as well as DirectParameterOverlays
Page 2
0x0002 System W 1 octet UIntegerT M Command code definition as specified in
(2) Command B.2.2 in [1] and in E.3.2 in this document
…
0x000D Profile R variable ArrayT of M Profile characteristic as specified in B.2.5
(13) Charac- UIntegerT16 in [1] and in E.3.3 in this document
teristic
0x000E PDInput R variable ArrayT of M As specified in B.2.6 in [1] and in E.3.4 in
(14) Descriptor OctetStringT3 this document
0x000F PDOutput R variable ArrayT of M As specified in B.2.7 in [1] and in E.3.4 in
(15) Descriptor OctetStringT3 this document
…
0x0013 Product ID R max. 64 StringT M As specified in B.2.11 in [1]
(19) octets
0x0015 Serial- R max. 16 StringT M As specified in B.2.13 in [1]
(21) Number octets
0x0016 Hardware R max. 64 StringT M As specified in B.2.14 in [1]
(22) Revision octets
0x0017 Firmware R max. 64 StringT M As specified in B.2.15 in [1]
(23) Revision octets
0x0018 Application R/W Min. 16, StringT M As specified in B.2.16 in [1]
(24) Specific max. 32
Tag octets
…
IO-Link Safety – 106 – V1.0
2243
…
0x82 130 Restore factory settings M This command shall only be effective
whenever the parameter value of
FSP_TechParCRC is "0" (commissioning
phase)
…
Key M = mandatory; O = optional
2248
2259 1) Naming of non-safety parameters shall be "V_xxx". Prefixes "V_FSP", "V_FST" shall
2260 be omitted for FS-Devices.
IO-Link Safety – 107 – V1.0
2264
2280 1) The IODD shall contain different headlines (menu IDs) for the parameter block types
2281 "Standard", "FST", and "FSP" in this order.
2282 2) The following abbreviations shall be used for the user role menu IDs: Observer ("OR"),
2283 Maintenance ("MR"), Specialist ("SR").
2284
2285 The menu IDs shall be structured and named as follows:
2286 "ME_OR_Param_Standard"
2287 "ME_MR_Param_Standard"
2288 "ME_SR_Param_Standard"
2289 "ME_OR_Param_FST"
2290 "ME_MR_Param_FST"
2291 "ME_SR_Param_FST"
2292 "ME_OR_Param_FSP"
2293 "ME_MR_Param_FSP"
2294 "ME_SR_Param_FSP"
2295
2296 Menus can be omitted for example in case of the observer role. They can be referen-
2297 ced multiple if for example the same menu is used for the maintenance role and the
2298 specialist role.
2299
2302 1) IODD interpreter in Master Tools should show headlines not only for PDin and PDout
2303 but also for safety and non-safety PD. These headlines should use yellow colors.
2304 2) In case of PD observation via ISDU access the variable names should be the same as
2305 with cyclic PDs.
2306
IO-Link Safety – 108 – V1.0
2315 Only one IODD per DeviceID is permitted. A particular FS-Device (hardware) can have two
2316 DeviceIDs for example a current DeviceID and a DeviceID of a previous software version.
2317 Figure E.1 shows the algorithm to build the FSP_ParamDescCRC signature. The algorithm
2318 shall be used across the Authenticity and the Protocol block (see Table A.1). A seed value "0"
2319 shall be used (see D.3.6).
1. General rule: All numerical values are serialized in big-endian octet order (most
significant octet first).
2. Serialize the Index (16 bit unsigned integer) of the FS parameter.
3. Serialize the bitLength (16 bit unsigned integer) of the RecordT.
4. Sort the RecordItems in ascending order by Subindex.
5. For each RecordItem (including the last one) serialize:
a) The Subindex (8 bit unsigned integer)
b) The bitOffset (16 bit unsigned integer)
c) The Datatype (8 bit unsigned integer): 1=UIntegerT(8), 2=UIntegerT(16),
3=UIntegerT(32)
d) If and only if a DefaultValue is given in the IODD: The DefaultValue (8/16/32 bit
unsigned integer according to Datatype).
e) If and only if SingleValues or a ValueRange is given in the IODD: The allowed
values. A list of SingleValues is serialized as a sequence of these values, in
ascending order. A ValueRange is serialized by the sequence of the minimum and
maximum value. Whether SingleValues and/or a ValueRange are allowed depends
on the specific RecordItem. See Table E.4.
6. Calculate the 2 octet CRC across the octet stream using the CRC polynomial 0x4EAB.
2320
2321 Figure E.1 – Algorithm to build the FSP parameter CRC signatures
FSP_Authenticity1/2 During commissioning, the Authenticity values can be acquired from the gateway
and displayed by the Master Tool. SCL will not start with the default value.
FSP_Port The user shall replace the default "0" by an allowed number with the help of the
Master Tool during commissioning. SCL will not start with the default value.
FSP_AuthentCRC Master Tool calculates this CRC signature
IO-Link Safety – 109 – V1.0
FSP_TechParCRC The user parameterizes the FS-Device during commissioning or maintenance and
uses a Dedicated Tool to calculate the actual value (see 11.7.8 and 11.7.9)
FSP_ProtParCRC Master Tool calculates this CRC signature
2327
2335 Table E.4 – RecordItems of FSP_Protocol where allowed values shall be serialized
RecordItem Serialized as
FSP_ProtVersion List of 8-bit unsigned integer containing the allowed values, in ascending order
FSP_ProtMode List of 8-bit unsigned integer containing the allowed values, in ascending order
FSP_Watchdog Minimum value and maximum value of the contiguous range of allowed values
Any other All values according to the data type are allowed, therefore nothing is serialized
2336
0000 42 00 index 42 00 (≠ 0)
0002 00 58 bitLength of index 00 58
0004 01 subindex 01 (Authenticity 1)
0005 00 38 bitOffset 00 38
0007 03 xsi:type=UIntegerT, bitLength=32 03
0008 00 00 00 00 RecordItemInfo/@defaultValue 00 00 00 00
000C 02 subindex 02 (Authenticity 2)
000D 00 18 bitOffset 00 18
000F 03 xsi:type=UIntegerT, bitLength=32 03
0010 00 00 00 00 RecordItemInfo/@defaultValue 00 00 00 00
0014 03 subindex 03 (Port)
0015 00 10 bitOffset 00 10
0017 01 xsi:type=UIntegerT, bitLength=8 01
0018 00 RecordItemInfo/@defaultValue 00
0019 04 subindex 04 (AuthentCRC)
IO-Link Safety – 110 – V1.0
001A 00 00 bitOffset 00 00
001C 02 xsi:type=UIntegerT, bitLength=16 02
001D 00 00 RecordItemInfo/@defaultValue 00 00 (Dummy CRC)
001F 42 01 index 42 01
0021 00 60 bitLength of index 00 60
0023 01 subindex 01 (ProtVersion)
0024 00 58 bitOffset 00 58
0026 01 xsi:type=UIntegerT, bitLength=8 01
0027 01 RecordItemInfo/@defaultValue 01
0028 01 SingleValue/@value 01 (example:16 bit)
0029 02 subindex 02 (ProtMode)
002A 00 50 bitOffset 00 50
002C 01 xsi:type=UIntegerT, bitLength=8 01
002D 01 RecordItemInfo/@defaultValue Vendor defined
002E 01 SingleValue/@value 01
002F 03 subindex 03 (Watchdog)
0030 00 40 bitOffset 00 40
0032 02 xsi:type=UIntegerT, bitLength=16 02
0033 00 64 RecordItemInfo/@defaultValue (Vendor defined)
0035 00 64 ValueRange/@lowerValue 00 64 (example: 100)
0037 13 88 ValueRange/@upperValue 13 88 (example: 5000)
0039 04 subindex 04 (IO_StructCRC)
003A 00 30 bitOffset 00 30
003C 02 xsi:type=UIntegerT, bitLength=16 02
003D 09 52 RecordItemInfo/@defaultValue (see A.2.9) (Vendor defined)
003F 05 Subindex 05 (TechParCRC)
0040 00 10 bitOffset 00 10
0042 03 xsi:type=UIntegerT, bitLength=32 03
0043 00 00 00 00 RecordItemInfo/@defaultValue 00 00 00 00 (Vendor)
0047 06 subindex 06 (ProtParCRC)
0048 00 00 bitOffset 00 00
004A 02 xsi:type=UIntegerT, bitLength=16 02
004B 00 00 RecordItemInfo/@defaultValue 00 00 Dummy CRC
2346
2347 The sample serialization in Table E.5 shows 77 octets to be secured via the CRC-16
2348 polynomial listed in Table D.1. This is only sufficient due to the fact that most of the values
2349 are expected values within the FS-Master Tool importing the IODD. Only a few values are
2350 variable and "Vendor defined" and require securing (see offsets: 0028, 002D,0033 to 0037,
2351 003D, and 0043). The remaining values can be compared with preset values.
2352 The "Dummy CRC" are placeholders to be replaced by the FS-Master Tool once the user
2353 assigned the actual parameter values.
2354
IO-Link Safety – 111 – V1.0
2360 FSP parameters (authenticity and protocol) shall be described within the IODD also and are
2361 part of Data Storage.
2366 This sample IODD contains already calculated CRC signature values:
2367 <?xml version="1.0" encoding="UTF-8"?>
2368 <IODevice xmlns="http://www.io-link.com/IODD/2010/10" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2369 xsi:schemaLocation="http://www.io-link.com/IODD/2010/10 IODD1.1.xsd">
2370 <DocumentInfo copyright="IO-Link Community" releaseDate="2017-02-25" version="V1.0"/>
2371 <ProfileHeader>
2372 <ProfileIdentification>IO Device Profile</ProfileIdentification>
2373 <ProfileRevision>1.1</ProfileRevision>
2374 <ProfileName>Device Profile for IO Devices</ProfileName>
2375 <ProfileSource>IO-Link Consortium</ProfileSource>
2376 <ProfileClassID>Device</ProfileClassID>
2377 <ISO15745Reference>
2378 <ISO15745Part>1</ISO15745Part>
2379 <ISO15745Edition>1</ISO15745Edition>
2380 <ProfileTechnology>IODD</ProfileTechnology>
2381 </ISO15745Reference>
2382 </ProfileHeader>
2383 <ProfileBody>
2384 <DeviceIdentity deviceId="160" vendorId="65535" vendorName="IO-Link Community">
2385 <VendorText textId="T_VendorText"/>
2386 <VendorUrl textId="T_VendorUrl"/>
2387 <VendorLogo name="IO-Link-logo.png"/>
2388 <DeviceName textId="T_DeviceName"/>
2389 <DeviceFamily textId="T_DeviceFamily"/>
2390 <DeviceVariantCollection>
2391 <DeviceVariant productId="SafetyDeviceVariant" deviceIcon="IO-Link-SafetyDevice-icon.png" deviceSymbol="IO-Link-
2392 SafetyDevice-pic.png">
2393 <Name textId="TN_SafetyDeviceVariant"/>
2394 <Description textId="TD_SafetyDeviceVariant"/>
2395 </DeviceVariant>
2396 </DeviceVariantCollection>
2397 </DeviceIdentity>
2398 <DeviceFunction>
2399 <Features blockParameter="true" dataStorage="true" profileCharacteristic="32800">
2400 <SupportedAccessLocks parameter="true" dataStorage="true" localParameterization="false" localUserInterface="false"/>
2401 </Features>
2402 <DatatypeCollection>
2403 <!-- Data types for IO-Link Safety parameter. See chapter A.1. -->
2404 <Datatype id="D_FSP_Authenticity" xsi:type="RecordT" bitLength="88">
2405 <RecordItem subindex="1" bitOffset="56">
2406 <SimpleDatatype xsi:type="UIntegerT" bitLength="32"/>
2407 <Name textId="TN_FSCP_Authenticity_1"/>
2408 <Description textId="TD_FSCP_Authenticity_1"/>
2409 </RecordItem>
2410 <RecordItem subindex="2" bitOffset="24">
2411 <SimpleDatatype xsi:type="UIntegerT" bitLength="32"/>
2412 <Name textId="TN_FSCP_Authenticity_2"/>
2413 <Description textId="TD_FSCP_Authenticity_2"/>
2414 </RecordItem>
2415 <RecordItem subindex="3" bitOffset="16">
2416 <SimpleDatatype xsi:type="UIntegerT" bitLength="8"/>
2417 <Name textId="TN_FSP_Port"/>
2418 <Description textId="TD_FSP_Port"/>
2419 </RecordItem>
2420 <RecordItem subindex="4" bitOffset="0">
2421 <SimpleDatatype xsi:type="UIntegerT" bitLength="16"/>
2422 <Name textId="TN_FSP_AuthentCRC"/>
2423 <Description textId="TD_FSP_AuthentCRC"/>
IO-Link Safety – 112 – V1.0
2424 </RecordItem>
2425 </Datatype>
2426 <Datatype id="D_FSP_Password" xsi:type="StringT" fixedLength="32" encoding="US-ASCII"/>
2427 </DatatypeCollection>
2428 <VariableCollection>
2429 <StdVariableRef id="V_DirectParameters_1"/>
2430 <!--0-->
2431 <StdVariableRef id="V_DirectParameters_2"/>
2432 <!--1 - TBD delete this once IODD Checker has been changed -->
2433 <StdVariableRef id="V_SystemCommand">
2434 <!--2-->
2435 <StdSingleValueRef value="130"/>
2436 <!-- RestoreFactorySettings -->
2437 </StdVariableRef>
2438 <StdVariableRef id="V_DeviceAccessLocks">
2439 <!--12-->
2440 <StdRecordItemRef subindex="1" defaultValue="false"/>
2441 <!-- TBD delete this once IODD Checker has been changed -->
2442 <StdRecordItemRef subindex="2" defaultValue="false"/>
2443 <!-- TBD delete this once IODD Checker has been changed -->
2444 </StdVariableRef>
2445 <StdVariableRef id="V_VendorName" defaultValue="IO-Link Community"/>
2446 <!--16-->
2447 <StdVariableRef id="V_VendorText" defaultValue="http://www.io-link.com"/>
2448 <!--17 optional -->
2449 <StdVariableRef id="V_ProductName" defaultValue="SafetyDevice"/>
2450 <!--18-->
2451 <StdVariableRef id="V_ProductID" defaultValue="SafetyDeviceVariant"/>
2452 <!--19-->
2453 <StdVariableRef id="V_ProductText" defaultValue="Sample IO-Link Safety"/>
2454 <!--20 optional -->
2455 <StdVariableRef id="V_SerialNumber"/>
2456 <!--21-->
2457 <StdVariableRef id="V_HardwareRevision"/>
2458 <!--22-->
2459 <StdVariableRef id="V_FirmwareRevision"/>
2460 <!--23-->
2461 <StdVariableRef id="V_ApplicationSpecificTag" defaultValue="IO-Link Safety"/>
2462 <!--24-->
2463 <StdVariableRef id="V_ErrorCount"/>
2464 <!--32-->
2465 <StdVariableRef id="V_DeviceStatus"/>
2466 <!--36-->
2467 <StdVariableRef id="V_DetailedDeviceStatus" fixedLengthRestriction="8"/>
2468 <!--37-->
2469 <StdVariableRef id="V_ProcessDataInput"/>
2470 <!--40-->
2471 <!-- V_ProcessDataOutput 41 - only required when "real" output is present (not only F message trailer) -->
2472 <!-- standard (=non-safety) Parameter appear here, e.g. -->
2473 <Variable index="64" id="V_NonSafetyParameter" accessRights="rw">
2474 <Datatype xsi:type="IntegerT" bitLength="16"/>
2475 <Name textId="TN_NonSafetyParameter"/>
2476 </Variable>
2477 <!-- FS Technology Parameter appear here, e.g. -->
2478 <Variable index="65" id="V_FST_DiscrepancyTime" accessRights="rw" defaultValue="0">
2479 <Datatype xsi:type="UIntegerT" bitLength="16"/>
2480 <Name textId="TN_FST_DiscrepancyTime"/>
2481 </Variable>
2482 <Variable index="66" id="V_FST_Filter" accessRights="rw" defaultValue="0">
2483 <Datatype xsi:type="UIntegerT" bitLength="16"/>
2484 <Name textId="TN_FST_Filter"/>
2485 </Variable>
2486 <!-- IO-Link Safety parameter. See chapter A.1. -->
2487 <Variable index="16896" id="V_FSP_Authenticity" accessRights="rw">
2488 <DatatypeRef datatypeId="D_FSP_Authenticity"/>
2489 <RecordItemInfo subindex="1" defaultValue="0"/>
2490 <!-- FSCP_Authenticity_1: 0= invalid -->
2491 <RecordItemInfo subindex="2" defaultValue="0"/>
2492 <!-- FSCP_Authenticity_2: 0= invalid -->
2493 <RecordItemInfo subindex="3" defaultValue="0"/>
2494 <!-- FSP_Port: 0= invalid -->
2495 <RecordItemInfo subindex="4" defaultValue="0"/>
2496 <!-- FSP_AuthentCRC: 0= invalid -->
2497 <Name textId="TN_FSP_Authenticity"/>
2498 <Description textId="TD_FSP_Authenticity"/>
2499 </Variable>
2500 <Variable index="16897" id="V_FSP_Protocol" accessRights="rw">
IO-Link Safety – 113 – V1.0
2578 <!-- See chapter 11.4.3 Safety PDUs, Figure A.65 and Figure A.66 -->
2579 <ProcessData id="P_ProcessData">
2580 <ProcessDataIn bitLength="88" id="PI_ProcessDataIn">
2581 <!-- Safety process data has subindex 1..126 -->
2582 <Datatype xsi:type="RecordT" bitLength="88">
2583 <!-- boolean octet 1 -->
2584 <RecordItem subindex="1" bitOffset="80">
2585 <SimpleDatatype xsi:type="BooleanT"/>
2586 <Name textId="TN_PDin-Bool1"/>
2587 </RecordItem>
2588 <RecordItem subindex="2" bitOffset="81">
2589 <SimpleDatatype xsi:type="BooleanT"/>
2590 <Name textId="TN_PDin-Bool2"/>
2591 </RecordItem>
2592 <RecordItem subindex="3" bitOffset="82">
2593 <SimpleDatatype xsi:type="BooleanT"/>
2594 <Name textId="TN_PDin-Bool3"/>
2595 </RecordItem>
2596 <RecordItem subindex="4" bitOffset="83">
2597 <SimpleDatatype xsi:type="BooleanT"/>
2598 <Name textId="TN_PDin-Bool4"/>
2599 </RecordItem>
2600 <RecordItem subindex="5" bitOffset="84">
2601 <SimpleDatatype xsi:type="BooleanT"/>
2602 <Name textId="TN_PDin-Bool5"/>
2603 </RecordItem>
2604 <RecordItem subindex="6" bitOffset="85">
2605 <SimpleDatatype xsi:type="BooleanT"/>
2606 <Name textId="TN_PDin-Bool6"/>
2607 </RecordItem>
2608 <RecordItem subindex="7" bitOffset="86">
2609 <SimpleDatatype xsi:type="BooleanT"/>
2610 <Name textId="TN_PDin-Bool7"/>
2611 </RecordItem>
2612 <RecordItem subindex="8" bitOffset="87">
2613 <SimpleDatatype xsi:type="BooleanT"/>
2614 <Name textId="TN_PDin-Bool8"/>
2615 </RecordItem>
2616 <!-- boolean octet 2 -->
2617 <!-- There may be no gaps between the booleans, but the last octet may contain less than eight booleans. -->
2618 <RecordItem subindex="9" bitOffset="72">
2619 <SimpleDatatype xsi:type="BooleanT"/>
2620 <Name textId="TN_PDin-Bool9"/>
2621 </RecordItem>
2622 <RecordItem subindex="10" bitOffset="73">
2623 <SimpleDatatype xsi:type="BooleanT"/>
2624 <Name textId="TN_PDin-Bool10"/>
2625 </RecordItem>
2626 <RecordItem subindex="11" bitOffset="74">
2627 <SimpleDatatype xsi:type="BooleanT"/>
2628 <Name textId="TN_PDin-Bool11"/>
2629 </RecordItem>
2630 <RecordItem subindex="12" bitOffset="75">
2631 <SimpleDatatype xsi:type="BooleanT"/>
2632 <Name textId="TN_PDin-Bool12"/>
2633 </RecordItem>
2634 <RecordItem subindex="13" bitOffset="76">
2635 <SimpleDatatype xsi:type="BooleanT"/>
2636 <Name textId="TN_PDin-Bool13"/>
2637 </RecordItem>
2638 <!-- Integer (octets 3 and 4) -->
2639 <RecordItem subindex="14" bitOffset="56">
2640 <SimpleDatatype xsi:type="IntegerT" bitLength="16"/>
2641 <Name textId="TN_PDin-Int1"/>
2642 </RecordItem>
2643 <!-- Status&DCnt and CRC has fixed subindex 127, octets 5-7 -->
2644 <RecordItem subindex="127" bitOffset="32">
2645 <SimpleDatatype xsi:type="OctetStringT" fixedLength="3"/>
2646 <Name textId="TN_PD_FSTrailer"/>
2647 <Description textId="TD_PD_FSTrailer"/>
2648 </RecordItem>
2649 <!-- Non-safety process data has subindex 128..255 -->
2650 <!-- UInteger (octets 8-11) -->
2651 <RecordItem subindex="128" bitOffset="0">
2652 <SimpleDatatype xsi:type="UIntegerT" bitLength="32"/>
2653 <Name textId="TN_PD_Rev"/>
2654 <Description textId="TD_PD_Rev"/>
IO-Link Safety – 115 – V1.0
2655 </RecordItem>
2656 </Datatype>
2657 <Name textId="TN_ProcessDataIn"/>
2658 </ProcessDataIn>
2659 <ProcessDataOut bitLength="24" id="PO_ProcessDataOut">
2660 <Datatype xsi:type="RecordT" bitLength="24">
2661 <!-- Control&MCnt and CRC -->
2662 <RecordItem subindex="1" bitOffset="0">
2663 <SimpleDatatype xsi:type="OctetStringT" fixedLength="3"/>
2664 <Name textId="TN_PD_FSTrailer"/>
2665 <Description textId="TD_PD_FSTrailer"/>
2666 </RecordItem>
2667 </Datatype>
2668 <Name textId="TN_ProcessDataOut"/>
2669 </ProcessDataOut>
2670 </ProcessData>
2671 </ProcessDataCollection>
2672 <EventCollection>
2673 <!-- SCL (Safety Communication Layer) EventCodes. See chapter B.1. -->
2674 <Event code="45056" type="Warning">
2675 <Name textId="TN_TransmissionError_CRCSignature"/>
2676 </Event>
2677 <Event code="45057" type="Warning">
2678 <Name textId="TN_TransmissionError_Counter"/>
2679 </Event>
2680 <Event code="45058" type="Error">
2681 <Name textId="TN_TransmissionError_Timeout"/>
2682 </Event>
2683 <Event code="45059" type="Error">
2684 <Name textId="TN_UnexpectedAuthenticationCode"/>
2685 </Event>
2686 <Event code="45060" type="Error">
2687 <Name textId="TN_UnexpectedAuthenticationPort"/>
2688 </Event>
2689 <Event code="45061" type="Error">
2690 <Name textId="TN_IncorrectFSP_AuthentCRC"/>
2691 </Event>
2692 <Event code="45062" type="Error">
2693 <Name textId="TN_IncorrectFSP_ProtParCRC"/>
2694 </Event>
2695 <Event code="45063" type="Error">
2696 <Name textId="TN_IncorrectFSP_TechParCRC"/>
2697 </Event>
2698 <Event code="45064" type="Error">
2699 <Name textId="TN_IncorrectFSP_IO_StructCRC"/>
2700 </Event>
2701 <Event code="45065" type="Error">
2702 <Name textId="TN_WatchdogTimeOutOfSpec"/>
2703 </Event>
2704 <Event code="6200" type="Error">
2705 <!-- for device test -->
2706 <Name textId="TN_Event1"/>
2707 </Event>
2708 <Event code="6201" type="Error">
2709 <!-- for device test -->
2710 <Name textId="TN_Event2"/>
2711 </Event>
2712 </EventCollection>
2713 <UserInterface>
2714 <MenuCollection>
2715 <Menu id="M_Identification">
2716 <VariableRef variableId="V_VendorName"/>
2717 <VariableRef variableId="V_VendorText"/>
2718 <VariableRef variableId="V_ProductName"/>
2719 <VariableRef variableId="V_ProductID"/>
2720 <VariableRef variableId="V_ProductText"/>
2721 <VariableRef variableId="V_SerialNumber"/>
2722 <VariableRef variableId="V_HardwareRevision"/>
2723 <VariableRef variableId="V_FirmwareRevision"/>
2724 </Menu>
2725 <Menu id="M_OR_Parameter">
2726 <RecordItemRef variableId="V_DeviceAccessLocks" subindex="1" accessRightRestriction="ro"/>
2727 <VariableRef variableId="V_ApplicationSpecificTag"/>
2728 <VariableRef variableId="V_NonSafetyParameter" accessRightRestriction="ro"/>
2729 </Menu>
2730 <Menu id="M_MR_Param_Standard">
2731 <Name textId="TN_MR_Param_Standard"/>
IO-Link Safety – 116 – V1.0
2946 Annex F
2947 (normative, non-safety related)
2948
2949 Device Tool Interface (DTI) for IO-Link
2950
2967 • with the necessity to implement the communication functionality for each supported field
2968 bus system, and
2969 • with the problem of nested communication whenever the target Device is located in a
2970 different network and only a proprietary gateway interconnects the networks..
2971 A solution is the Device Tool Interface (DTI) technology specified herein after. It can be used
2972 for safety (FS-Master/FS-Device) as well as for non-safety (Master/Device) IO-Link devices.
2983 Now, the DTI standard allows for associating Device Tool identification with IO-Link Device
2984 identification. The Master Tool uses DTI specific mechanisms to find the Device Tool for a
2985 given Device. It provides for example in the context menu of a selected Device an entry that
2986 can be used to invoke the Device Tool. As soon as the Device Tool is active, it identifies the
2987 selected Device. The user can instantly establish a communication with the Device without
2988 entering address information and alike and assign parameter values. Assigned values can be
2989 returned to the Master Tool using the Backchannel.
2990 For the communication server part, DTI relies on technology specified in [17]. DTI comprises
2991 mechanisms to store and maintain Device data objects (project data).
IO-Link Safety – 120 – V1.0
3000 Figure F.1 shows the principle of the DTI invocation interface part.
IODD PID
(including Program Interface Device Tool/
SDCI_Device_ Description Dedicated Tool
Identification and ("Tool.xml") ("Tool.exe")
communication Describes supported
parameter) IOPD tool functions
2 6 5
Install Read Delete Read
1
TPF
3 Temporary Parameter File
Invoke
Device Tool
Master Tool (~923tmp.xml)
Create
4
Performed by
Master Tool
3001
3003 Precondition for the mechanism is the availability of the Master Tool and all used Device
3004 Tools on one and the same PC.
3005 For the Tool invocation the following steps are required:
3006 (1) As usual, the IODD file is imported into the Master Tool. The Device is configured and
3007 communication settings are made. With the help of (SDCI) Device Identification data the
3008 Master Tool is able to find the installed Device Tool and the directory path to the "Program
3009 Interface Description" (PID) file. Annex F.3.2 describes this procedure in detail.
3010 (2) The Master Tool reads the content of the PID file. This file contains information about the
3011 interface version and the supported Tool functions. The structure of the PID file is
3012 described in Annex F.3.3.
3013 (3) Before launching the Device Tool, the Master Tool creates a new "Temporary Parameter
3014 File" (TPF) that contains all invocation parameters. See F.3.4 for details.
3015 (4) The Master Tool launches the Device Tool and passes the name of the TPF. See F.3.4.
3016 (5) The Device Tool reads and interprets the content of the TPF file.
3017 (6) The Device Tool deletes the TPF file after processing. See F.3.4.
3018 F.3.2 Detection of Device Tool
3019 F.3.2.1 Registry structure
3020 In order for DTI to identify the type of an IO-Link Device, a specific, unique, and unambiguous
3021 "SDCI_Device_Identifier" is used in the PC system registry and within the Temporary Para-
3022 meter File (TPF).
IO-Link Safety – 121 – V1.0
3023 Figure F.2 shows the structure of the DTI part of the registry. Each class in the diagram
3024 represents a registry key. Each attribute in the diagram represents a string value of the
3025 registry key. The semantics of the attributes is defined in Table F.1 and Table F.2.
DTI
1 1
1 Devices
*
Device_Tools SDCI_Devices
FS_Devices
1 1
1 1..*
1..* VendorID
"xUUID" is used to assign a particular SDCI_
Device_Identifier to an installed Device Tool. SDCI_Device_Identifier
The term "xUUID" is a placeholder for a real
UUID, for example DeviceID
1 1
{1311C965-293B-4121-9148-55DF4AEA1C44}
1..*
1..*
tUUID 1..*
dUUID
ToolPath
PID file
3026
3028 Since for an SDCI_Device_Identifier an unlimited number of "UUID" elements can be inserted,
3029 the Master Tool shall handle all Tools of these "UUID" elements.
3032 The installation program of a Device Tool (32 bit or 64 bit) shall insert this UUID as key under
3033 its appropriate registry path:
3037 Within this key, two attributes with string values shall be used:
3038 • "PIDfile", containing the absolute path and name of the installed PID file, and
3039 • "ToolPath", containing the absolute path and name of the executable Device Tool file
3040 including its file extension (.exe)
3041 Figure F.3 illustrates registry entries for SDCI Devices and Device Tools.
Devices or
FS-Devices
SDCI Device
Identifier
Matching
UUIDs
3042
3044 If different versions of a Device Tool for the same Device type exist (same
3045 SDCI_Device_Identifier), each version requires a separate UUID in the registry. In the PID
3046 files of the Device Tools, different version information shall be provided in the attribute
3047 "ToolDescription" of the element "ToolDescription" (see Table F.1). This leads to multiple
3048 items in the context menu of the Master Tool, differing in the description text.
3049 NOTE The advantage of a separate entry of the “ToolPath” keyword is a simpler installation procedure for the
3050 Device Tool. It can install the PID file without a need to modify this file.
3051 The installation program of a Device Tool shall also insert each UUID as key under the
3052 registry path
3055 IO-Link Devices are identified unambiguously via the following items:
3066 All entries shall be provided by the Device Tool under the following registry path:
3068 Within this path one or more keys can be inserted with the following field structure:
3069 0xvvvv-0xdddddd
3073 The question mark character "?" can be used in the DeviceID as wildcard to replace one
3074 single character. The number of question marks is only limited by the size of the field. If
3075 wildcards are used, the Device Tool is responsible for the check whether it supports the
3076 selected object.
3077 The assignment to the Tool is made by a string value within this key. The UUID shall be used
3078 as name for the string value. The number of string values is not limited, which in turn means
3079 an unlimited number of Tools that can be assigned to the same Device.
3081 0x0A99-0x00880D The Tool can be launched in the context of a Device with a DeviceID
3082 0x00880D from the vendor with the VendorID 0x0A99.
3083 0x0F3B-0x002B?? The Tool can be started in the context of Devices with a DeviceID in the
3084 range of 0x002B00 to 0x002BFF from the vendor with the VendorID
3085 0x0F3B.
IO-Link Safety – 123 – V1.0
3089 Figure F.4 shows an activity diagram illustrating the detection of a Device Tool in the registry
3090 via "SDCI_Device_Identifier".
[No match]
D1 D3
[Another
SDCI_Device_Identifier
key in Registry ] [No other key]
D2
3091
3095 In a first step, the Master Tool gets the SDCI Device Identifier from the IODD of the selected
3096 object in the Master Tool. Then all sub keys in the system registry path …DTI\SDCI Devices
3097 shall be compared with this SDCI Device Identifier. If a sub key matches (excepting
3098 wildcards), the UUID sub key of this key is used to find the PID file name in the registry path
3099 DTI\Device Tools\<UUID>. Since the same PID file name can be found in different locations in
3100 the registry, the context menu of the Master Tool shall only show the Device Tools with
3101 different PID file names. As a last step, the information in the PID file is used to build the
3102 menu items of the Master Tool (Figure F.5).
3109 This PID file shall be provided by the manufacturer of a Device/Device Tool and installed by
3110 the installation program associated with the Device Tool. This installation program shall also
3111 insert the name and installation path in the system registry (see F.3.2).
IO-Link Safety – 124 – V1.0
3112 The PID file allows the Master Tool to extend its GUI menu structure by the name of the
3113 Device Tool such that the user is able to launch the Device Tool for example from the context
3114 menu of a selected Device as illustrated exemplary in Figure F.5.
Filter 26
3115
1 ProgramInterface
1
1 1 1
DocumentInfo
Version
1
EntryPoints
1 1
General ConformanceClass
1
VendorName Name
1..*
EntryPoint
1 1 1
ID
1
1..* 1..* * 1..*
ToolDescription InvocationPrefix OptionalFeature InfoText
3121 The corresponding XML schema can be found in F.9.2. Namespace URI for this file is
3122 "http://www.io-link.com/DTI/2016/06/PID".
3123 The elements of Figure F.6 are specified in Table F.1. The column "SV" indicates the schema
3124 version a particular attribute has been introduced.
IO-Link Safety – 125 – V1.0
3126
3156 Instead, all required parameters are included into an XML file, called Temporary Parameter
3157 File (TPF) by the Master Tool and thus, the name of the XML file is passed as the only
3158 command line argument. If the Device Tool requires a command line switch, this information
3159 can be extracted from the PID file. See "InvocationPrefix" in Table F.1 for details.
3160 The XML schema for the TPF is defined in F.9.3. For character encoding, UTF-8 shall be
3161 used. The Master Tool shall use the newest TPF schema version supported by both the
3162 Master Tool and the Device Tool.
IO-Link Safety – 127 – V1.0
3163 After the TPF is interpreted, the Device Tool shall delete the TPF file.
1 ReturnInterfaceRequest 1
1
DocumentInfo
1
version 1
1
1
General DeviceItem VariableInstanceData
1..*
schemaPath vendorId
projectRelatedPath productId
1
portName deviceId
portId usedConfigFileCRC
1..*
masterName usedConfigFile
masterId reference Variable
displayNameES commReference
currentLanguage variableId
commServerProgID
busCategory 1
selectedEntryPoint
conformanceClass 1..*
Item
subindex
value
state
error
3171
3173 The elements of Figure F.7 are specified in Table F.2. The column "SV" indicates the schema
3174 version a particular attribute has been introduced.
3176
3236 </Variable>
3237 <Variable variableId="V_ApplicationSpecificTag">
3238 <Item subindex="0" state="initial" error="0" value="IO-Link Safety"/>
3239 </Variable>
3240 <Variable variableId="V_ErrorCount">
3241 <Item subindex="0" state="empty" error="0" value=""/>
3242 </Variable>
3243 <Variable variableId="V_DeviceStatus">
3244 <Item subindex="0" state="empty" error="0" value=""/>
3245 </Variable>
3246 <Variable variableId="V_DetailedDeviceStatus">
3247 <Item subindex="1" state="empty" error="0" value=""/>
3248 <Item subindex="2" state="empty" error="0" value=""/>
3249 <Item subindex="3" state="empty" error="0" value=""/>
3250 <Item subindex="4" state="empty" error="0" value=""/>
3251 <Item subindex="5" state="empty" error="0" value=""/>
3252 <Item subindex="6" state="empty" error="0" value=""/>
3253 <Item subindex="7" state="empty" error="0" value=""/>
3254 <Item subindex="8" state="empty" error="0" value=""/>
3255 </Variable>
3256 <Variable variableId="V_ProcessDataInput">
3257 <Item subindex="1" state="empty" error="0" value=""/>
3258 <Item subindex="2" state="empty" error="0" value=""/>
3259 <Item subindex="3" state="empty" error="0" value=""/>
3260 <Item subindex="4" state="empty" error="0" value=""/>
3261 <Item subindex="5" state="empty" error="0" value=""/>
3262 <Item subindex="6" state="empty" error="0" value=""/>
3263 <Item subindex="7" state="empty" error="0" value=""/>
3264 <Item subindex="8" state="empty" error="0" value=""/>
3265 <Item subindex="9" state="empty" error="0" value=""/>
3266 <Item subindex="10" state="empty" error="0" value=""/>
3267 <Item subindex="11" state="empty" error="0" value=""/>
3268 <Item subindex="12" state="empty" error="0" value=""/>
3269 <Item subindex="13" state="empty" error="0" value=""/>
3270 <Item subindex="14" state="empty" error="0" value=""/>
3271 <Item subindex="127" state="empty" error="0" value=""/>
3272 <Item subindex="128" state="empty" error="0" value=""/>
3273 </Variable>
3274 <Variable variableId="V_NonSafetyParameter">
3275 <Item subindex="0" state="initial" error="0" value="0"/>
3276 </Variable>
3277 <Variable variableId="V_FST_DiscrepancyTime">
3278 <Item subindex="0" state="initial" error="0" value="0"/>
3279 </Variable>
3280 <Variable variableId="V_FST_Filter">
3281 <Item subindex="0" state="initial" error="0" value="0"/>
3282 </Variable>
3283 <Variable variableId="V_FSP_Authenticity">
3284 <Item subindex="1" state="initial" error="0" value="0"/>
3285 <Item subindex="2" state="initial" error="0" value="0"/>
3286 <Item subindex="3" state="initial" error="0" value="0"/>
3287 <Item subindex="4" state="initial" error="0" value="0"/>
3288 </Variable>
3289 <Variable variableId="V_FSP_Protocol">
3290 <Item subindex="1" state="initial" error="0" value="0"/>
3291 <Item subindex="2" state="initial" error="0" value="1"/>
3292 <Item subindex="3" state="initial" error="0" value="100"/>
3293 <Item subindex="4" state="initial" error="0" value="444"/>
3294 <Item subindex="5" state="initial" error="0" value="0"/>
3295 <Item subindex="6" state="initial" error="0" value="0"/>
3296 </Variable>
3297 <Variable variableId="V_FSP_ParamDescCRC">
3298 <Item subindex="0" state="initial" error="0" value="444"/>
3299 </Variable>
3300 </VariableInstanceData>
3301 </DeviceItem>
3302 </InvocationInterface>
1 ReturnInterfaceRequest 1 1 VariableInstanceData
1
DocumentInfo 1
version
1..*
Variable
variableId
1..*
Item
subindex
value
state
error
3316
3318 The elements of Figure F.8 are specified in Table F.3. The column "SV" indicates the schema
3319 version a particular attribute has been introduced.
3321
3386 It is not required for the invoking Master Tool to monitor the status of the launched Device
3387 Tools. Even in case an instance of a Device Tool is already running, the Master Tool will
3388 generate a new Device Tool invocation whenever the user launches the same tool again.
3389 Therefore, it is the task of the Device Tool to handle multiple invocations. Table F.4 lists
3390 invocation cases and possible behaviors.
Case Behavior
Device Tool is already running and The behavior depends on the design of the Device Tool:
works on another Device instance – Another Tool instance is launched and creates a new Device instance
as provided by the DTI call. The
provided DeviceReference is not – The active GUI is brought to the foreground of the desktop in order to
known in the Device Tool. create a new Device instance of the selected Device
3392 If a Device Tool is invoked via DTI, this Tool should not call another Device Tool because the
3393 Communication Server cannot interconnect (no nested communication defined for a DTI
3394 Communication Server).
3402 After interpretation of the content of the TPF file, the Device Tool shall delete this file. Since
3403 the Master Tool can also delete this file when it is restarted, it is recommended for the Device
3404 Tool to make a "private" copy of the file when the Device Tool is launched.
3416 Figure F.9 illustrates the activities during Device Tool invocation.
Optional: Update
Display: DDO [No Device Tool installed] DeviceCommReference
D1
[Unknown DeviceReference]
Display: DDO and menu
Get menu entries from PID [No unassigned DDOs]
items for Tool
D3
invocation
[Unassigned DDOs]
Invoke Tool Create TPF
Optional: Trigger GUI to
assign to existing DDO
Save changes
Store
DeviceReference
Optional: Store
DeviceCommReference
3417
3419 The Master Tool shall generate a Device reference for each new instance of a Device, whose
3420 SDCI Device Identification is registered in the registry as described in Annex F.3.2. This
3421 reference shall be unique at least within the Master Tool project. It shall be used in the key-
3422 word “DeviceReference” of the TPF and shall not be changed for the lifetime of the Device.
3423 If the Master Tool supports Conformance Class 3 (see Annex F.8), it can additionally
3424 generate a Device communication reference for each new Device instance. This reference
3425 shall be unique within the PC. It shall be used in the keyword “DeviceCommReference” of the
3426 TPF and shall not be changed for the lifetime of the Device except when copying an entire
3427 Master Tool project or retrieving a Master Tool project. When the copying is done outside of
3428 the Master Tool (for example via the Windows Explorer), the Master Tool shall detect the copy
3429 when opening the project the next time and then issue new, unique Device communication
3430 references.
3431 It is the decision of the Master Tool whether the DDO reference is generated whenever a new
3432 instance is created or upon the first call of the Device Tool after the creation of the DDO.
3433 When a new instance of a DDO is created in the Master Tool, there is no corresponding DDO
3434 in the Device Tool at the first Tool invocation. In this case, the Device Tool shall create an
3435 own instance of the DDO in its own DDO administration. If the user must enter some more
IO-Link Safety – 136 – V1.0
3436 data, the Device Tool can start a wizard in order to guide the user. After this step, the
3437 reference shall be stored in the Device Tool project so that the Tool can select the right DDO
3438 when it is launched again with the same reference.
3439 If a DDO is created initially in the Device Tool, the corresponding DDO in the Master Tool
3440 cannot be created automatically. In this case, the user shall create a new DDO in the Master
3441 Tool manually. If the Device Tool is now launched in the context of the Master Tool, the
3442 Device Tool can show a list of unassigned DDOs of the same type and let the user decide
3443 which DDO of the Device Tool corresponds to the newly created DDO in the Master Tool.
3450 If a complete project is copied in the Master Tool, the DDO references shall not change. Only
3451 the DeviceCommReferences will be changed by the Master Tool to enable different routing
3452 info. The Master Tool shall copy all files in the "ProjectRelatedPath" directory to the new
3453 destination. If a Device Tool is launched from a copied project, it will find all Device Tool
3454 specific data as within the original project.
3458 In order to react in the Device Tool upon moved Devices besides the selected Device, the
3459 option "UsesMultipleDeviceInformation" shall be used.
3464 The Master Tool provides a list of used Device references in the TPF. This list can be
3465 interpreted by the Device Tool to find out, which DDOs of the same PLC in the Device Tool
3466 project are no more part of the TPF. If one or more DDOs are missing in the TPF, the Device
3467 Tool can now ask the user which DDOs to delete automatically or to keep internally as
3468 unassigned DDOs for a later reuse. Since this behavior of the Device Tool is optional, it shall
3469 be described in its PID file with feature name “SupportsObjectDeletion”.
3470 If a Device Tool does not implement this functionality, the Master Tool shall display a
3471 message informing the user that these changes shall be made manually in the Device Tool.
3480 This leads to the problem that a Device Tool either can work only with one particular
3481 communication interface or that the Device Tool has to implement different APIs for Device
3482 driver integration.
3483 Another problem in a plant is that the network structure often requires communication across
3484 network boundaries (Routing). Due to the many fieldbuses and different communication
IO-Link Safety – 137 – V1.0
3485 protocols, it is very cumbersome to achieve an integrated network with routing functions for
3486 Device Tools down to the associated Device (see Figure F.10).
3488 • All Devices/FS-Devices and their Device Tools/Dedicated Tools can rely on one particular
3489 communication interface.
3490 • The chosen communication technology is standardized in IEC 62453 and solves the
3491 routing problem across network boundaries.
FSCP: FS-Master
Engineering
description file
tool
FS-Master Tool
invocation
FSCP
FS-Master
tool
Proprietary
FS-Master
IO-Link communi-
cation (OD)
FS-
Device IODD IOPD
"Dedicated
Tool"
3492
3493 Figure F.10 – Communication routes between Device Tool and Device
IFdtCommunication
or other solution
Communication
driver CommServer
Fieldbus
3500
3502 Figure F.10 shows fieldbus or proprietary networks between the PC and the Device. Figure
3503 F.11 shows the mapping to software and Communication Servers. In this case, the
3504 Communication Server (Fieldbus) requires information about the network protocol. This
3505 routing information is generated by the Engineering System and transferred to the
3506 Communication Server (Fieldbus). Due to the fact that manufacturer specific data has to be
3507 exchanged, the Communication Server and the Engineering System must be provided by the
3508 same manufacturer.
3509 The routing information for the second Communication Server (IO-Link) is generated by the
3510 Master Tool and transferred to this CS. When the Device Tool is started, only a
3511 communication reference to the Device is passed. This reference is forwarded from the
3512 Device Tool to the Communication Server. With the help of the routing information from the
3513 Engineering System, the Communication Server is able to create physical network addresses
3514 and to establish a connection to the Device. Figure F.12 shows the relationships between the
3515 components involved.
DeviceCommReference,
Communication Address
3518 It is always possible for a Device Tool to use its native communication interfaces (for example
3519 serial RS232) as an alternative besides the Communication Server.
IO-Link Safety – 139 – V1.0
3523 The Engineering System, all Device Tools and the Communication Server are located on the
3524 same PC which is connected e.g. via an Ethernet adapter to a network. The target Devices
3525 can be found behind a gateway which can work in different ways. From the Device Tool point
3526 of view, it is irrelevant where the Device is located because the network structure is handled
3527 by the Communication Server.
3528 The Communication Server is potentially able to manage all gateway types which are
3529 supported by the Engineering System itself. The gateway functionalities itself are
3530 encapsulated by the Communication Server. Only gateway types known by the
3531 Communication Server can be supported (no nested communication).
3532 If a device can be reached through multiple paths in the network, it is up to the Engineering
3533 System to decide, which network path is used for communication.
3549 At first, a Device is integrated into the Master Tool with the corresponding configuration file
3550 (IODD). Within the Engineering System, communication addresses and bus parameter are
3551 adjusted. Together with other network data, topology data for the network is the result.
3552 Furthermore, the Master Tool shall build a unique Device communication reference. This
3553 reference is passed to the Device Tool when it is launched with the help of the TPF (keyword
3554 “DeviceCommReference”). The Device Tool is now able to establish a connection to the
3555 Device using the Communication Server and Device communication reference.
3556 The Communication Server itself interprets the Device communication reference and converts
3557 it to network addresses. Therefore it uses the configuration data from the Master Tool.
3558 Because it is up to the CS to decide if the Device communication reference or the
3559 communication address itself is used, the Device Tool shall always pass both attributes in the
3560 ConnectRequest XML document.
3561 If no routing functionality is required, the CS does not require the proprietary configuration. In
3562 order to connect, the CS can use the communication address itself from the Master Tool.
Destroy()
3564
3566 The passed ProgID (Keyword commServer-ProgID) can be used to create a new instance of
3567 the Communication Server by the Device Tool. There is a 1:1 relationship between Device
3568 Tool and Communication Server instance. The Communication Server instance is able to
3569 connect to one or more Devices.
3570 Figure F.14 shows a code fragment in C++ as an example on how to create a new instance.
commServer-ProgID of TPF
r1 = CLSIDFromProgID(L"TCI.MyCommunicationServer", &clsid);
r1 = CoCreateInstance (clsid, NULL, CLSCTX_INPROC_SERVER,
__uuidof (IFdtCommunication), (void**)&m_pITciCommunicationServer);
3571
3573 It is recommended to create the Communication Server instance as "in process server"
3574 (CLSCTX_INPROC_SERVER) due to performance issues.
3575 After a new instance of the Communication Server is created, all methods of the interface
3576 "IFdtCommunication" can be called. At first a Device Tool shall call the
3577 "GetSupportedProtocols" method to find out if the required protocol is supported by the CS. If
3578 not, the Device Tool shall inform the user. A new connection is established with help of the
3579 function "ConnectRequest". Among others, as invocation parameter a pointer to the callback
3580 interface (Interface IFdtCommunicationEvents) is passed. This means that a Device Tool shall
3581 implement this interface.
3582 The Device Tool is responsible to release the Communication Server instance when the Tool
3583 exits. If the Communication Server instance was created in the process of the Device Tool, as
3584 recommended before, this is done automatically since the instance is terminated with the
3585 process of the Device Tool.
3590 The following values are defined for the DTI Communication Server:
3593 A Device Tool is able to find out the ProgID of the Communication Server with the help of the
3594 Standard Component Categories Manager. If more than one component is assigned to this
3595 category, the user of the Device Tool shall select one of the Communication Servers.
3596 If a Communication Server does not support the "Stand-Alone" mode (i.e. a Communication
3597 Server instance cannot be created by a Device Tool), a system registry entry should not be
3598 made.
3599 A Device Tool that supports Conformance Class 3 and is intended for "Stand-Alone" mode
3600 shall store the DeviceCommReferences together with its DDOs. Whenever the
3601 DeviceCommReference is changed by the Master Tool while copying the entire project or
3602 while retrieving the project, the Device Tool shall check and – if changed – update the
3603 DeviceCommReference when called from the Master Tool with DTI. There are two general
3604 possibilities:
3605 1) The Device Tool checks and updates the DeviceCommReference of a particular Device
3606 immediately before connection.
3607 NOTE After copy/retrieval of a Master Tool project, the user should call the Device Tool via DTI and connect to
3608 the particular Device(s) prior to the connection to this/these Device(s) later on in "Stand-Alone" mode.
3609 2) The Device Tool checks and updates the DeviceCommReferences of all Devices
3610 immediately after being called by the Master Tool via DTI.
3611 NOTE After copy/retrieval of a Master Tool project, the user should call the Device Tool via DTI. Then, all
3612 Devices can be connected later in “Stand-Alone” mode.
3615 Table F.5 shows the mapping between the TPF keywords and the attributes in the communi-
3616 cation schema.
fdt:nodeId – Unused
systemTag "DeviceCommReference" attribute
of element "Device".
3618
3619 The communication parameters passed during the Device Tool invocation shall be used as
3620 input for the Connect Request XML document to be used in the connect method. Additionally,
3621 the device communication reference (Keyword "DeviceCommReference" in Table F.5) shall be
3622 entered in the Connect Request XML document as attribute “systemTag”. Figure F.15 shows
3623 an example.
<?xml version="1.0"?>
<FDT xmlns="x-schema:FDTIOLinkCommunicationSchema.xml"
xmlns:fdt="x-schema:FDTDataTypesSchema.xml">
<ConnectRequest systemTag="Controller3/Gateway2/Unit1"/>
</FDT>
DeviceCommReference of TPF
3624
3625 Figure F.15 – Example of a Connect Request XML document for IO-Link
IO-Link Safety – 142 – V1.0
3632 If the Device communication reference is used instead of the communication address between
3633 Device Tool and Communication Server, no relaunch of the Tool is required, because the
3634 Device communication reference does not change whenever the communications address
3635 changes. In this case, the Communication Server itself can reconnect to the Device with the
3636 new communication address (Master, port).
3637 For an existing connection, changed communication parameters in the Master Tool project
3638 shall not have any impact. Changed communication parameters shall be used when a
3639 connection is (re)established.
3643
3651 In order to implement a robust model, the Master Tool and the Device Tools shall ignore any
3652 XML attributes or elements not recognizable in a valid XML document. This means that XML
3653 schema validation shall not be used. The schema files in Annex F.9 are for information
3654 purposes only.
3655 The installation program of the Device Tool can always install the newest PID file version. The
3656 Master Tool shall ignore any unknown XML attributes or elements.
3662 The PID file version of the Device Tool determines the newest supported version of the
3663 corresponding Device Tool. See Annex F.3.3 for details.
3664 If a Device Tool supports a newer version than the Master Tool, the Master Tool uses its
3665 newest TPF version. In this case the Device Tool shall work with the old schema version.
C1 Setup program creates system registry entries as described in Annex F.3.2. This
(Navigation) allows the user to invoke the Device Tool from the context of a selected Device in the
Master Tool without any impact on an existing Device Tool itself.
C2 The Device Tool uses the information of the TPF. In this case, for example, the Tool
(Parameter transfer) is able to read FST parameter instances or to use a communication address for its
proprietary communication channel. This way, the user can be relieved from multiple
entries. The implementation effort is limited to evaluation of the TPF file for internal
initialization of the Device Tool.
C3 The full functionality is available if the Device Tool uses the DTI Communication
(DTI communication with Server. This component enables the Tool to manage all network boundaries
optional backchannel) implemented by the Master Tool. In this case the Device Tool shall support the
IFdtCommunication/IFdtCommunicationEvents/IFdtCommunicationEvents2 interface.
In case of the backchannel option, the Master Tool uses the information of the TBF.
In this case, for example, the Tool is able to read FST parameter instances or to use
the I/O Process Data description. This way, the user can be relieved from multiple
entries. The implementation effort is limited to evaluation of the TBF file for internal
processing of the Master Tool.
3671
3672 Table F.8 shows the DTI relevant features of a Device Tool.
3674
3677
3682
3688
3769 </xsd:element>
3770 <xsd:element name="ProgramInterface">
3771 <xsd:complexType>
3772 <xsd:sequence>
3773 <xsd:element ref="DocumentInfo"/>
3774 <xsd:element ref="General"/>
3775 <xsd:element ref="EntryPoints"/>
3776 <xsd:element ref="ConformanceClass"/>
3777 </xsd:sequence>
3778 </xsd:complexType>
3779 </xsd:element>
3780 </xsd:schema>
3781
3784
3914
3929 <xsd:complexType>
3930 <xsd:sequence>
3931 <xsd:element ref="Item" maxOccurs="unbounded"/>
3932 </xsd:sequence>
3933 <xsd:attribute name="variableId" type="xsd:string" use="required"/>
3934 </xsd:complexType>
3935 </xsd:element>
3936 <xsd:element name="Item">
3937 <xsd:complexType>
3938 <xsd:attribute name="value" type="xsd:string" use="required"/>
3939 <xsd:attribute name="subindex" use="required">
3940 <xsd:simpleType>
3941 <xsd:restriction base="xsd:unsignedShort">
3942 <xsd:maxInclusive value="255"/>
3943 </xsd:restriction>
3944 </xsd:simpleType>
3945 </xsd:attribute>
3946 <xsd:attribute name="state" use="required">
3947 <xsd:simpleType>
3948 <xsd:restriction base="xsd:string">
3949 <xsd:enumeration value="empty"/>
3950 <xsd:enumeration value="initial"/>
3951 <xsd:enumeration value="device"/>
3952 <xsd:enumeration value="read error"/>
3953 <xsd:enumeration value="write error"/>
3954 <xsd:enumeration value="valid"/>
3955 <!--xsd:enumeration value="changed"/-->
3956 <!-- should be transferred to device or stored in database before DTI invocation -->
3957 <!-- could be changed to empty before DTI invocation -->
3958 <!-- could be changed to empty or valid before DTI invocation -->
3959 </xsd:restriction>
3960 </xsd:simpleType>
3961 </xsd:attribute>
3962 <xsd:attribute name="error" type="xsd:integer" use="required"/>
3963 </xsd:complexType>
3964 </xsd:element>
3965 <xsd:element name="Response">
3966 <xsd:complexType>
3967 <xsd:attribute name="value" type="xsd:boolean" use="required"/>
3968 </xsd:complexType>
3969 </xsd:element>
3970 <xsd:element name="ReturnInterfaceRequest">
3971 <xsd:complexType>
3972 <xsd:sequence>
3973 <xsd:element ref="VariableInstanceData"/>
3974 </xsd:sequence>
3975 </xsd:complexType>
3976 </xsd:element>
3977 <xsd:element name="ReturnInterfaceResponse">
3978 <xsd:complexType>
3979 <xsd:sequence>
3980 <xsd:element ref="Response"/>
3981 </xsd:sequence>
3982 </xsd:complexType>
3983 </xsd:element>
3984 <xsd:group name="ReturnInterface">
3985 <xsd:choice>
3986 <xsd:element ref="ReturnInterfaceRequest"/>
3987 <xsd:element ref="ReturnInterfaceResponse"/>
3988 </xsd:choice>
3989 </xsd:group>
3990 </xsd:schema>
3991
3992 F.9.5 Schema of the TAF
3993 The schema of the TAF corresponds to the schema of the TBF in F.9.4.
4000 <xsd:documentation>In this schema, only the necessary types and attributes for DTI are used from the Common Primitives
4001 Schema.</xsd:documentation>
4002 <xsd:appinfo>
4003 <schemainfo versiondate="20170225"/>
4004 </xsd:appinfo>
4005 </xsd:annotation>
4006 <!-- SIMPLE TYPES -->
4007 <xsd:simpleType name="IdT">
4008 <xsd:annotation>
4009 <xsd:documentation>Base Type for Object identifiers</xsd:documentation>
4010 </xsd:annotation>
4011 <xsd:restriction base="xsd:string"/>
4012 </xsd:simpleType>
4013 <xsd:simpleType name="GuidT">
4014 <xsd:annotation>
4015 <xsd:documentation>GUID</xsd:documentation>
4016 </xsd:annotation>
4017 <xsd:restriction base="xsd:string">
4018 <xsd:pattern value="\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}"/>
4019 <xsd:pattern value="[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}"/>
4020 </xsd:restriction>
4021 </xsd:simpleType>
4022 <!-- _____________________________________________________-->
4023 <!-- COMPLEX TYPES -->
4024 <!-- Main Types -->
4025 <xsd:complexType name="DocumentT">
4026 <xsd:annotation>
4027 <xsd:documentation>Type for all top level elements</xsd:documentation>
4028 </xsd:annotation>
4029 <xsd:sequence>
4030 <xsd:element name="DocumentInfo" type="DocumentInfoT"/>
4031 </xsd:sequence>
4032 </xsd:complexType>
4033 <xsd:complexType name="DocumentInfoT">
4034 <xsd:attribute name="Version" type="xsd:string" use="required" fixed="1.1"/>
4035 </xsd:complexType>
4036 <!-- ELEMENT DECLARATIONS -->
4037 <!-- _____________________________________________________-->
4038 <!-- Text Definition Elements-->
4039 <xsd:complexType name="ObjectT">
4040 <xsd:annotation>
4041 <xsd:documentation>Base type</xsd:documentation>
4042 </xsd:annotation>
4043 </xsd:complexType>
4044 <xsd:complexType name="FeatureT">
4045 <xsd:annotation>
4046 <xsd:documentation>Base type</xsd:documentation>
4047 </xsd:annotation>
4048 <xsd:attribute name="Name" type="xsd:string" use="optional"/>
4049 </xsd:complexType>
4050 <xsd:complexType name="ParameterT" mixed="true">
4051 <xsd:attribute name="Name" type="xsd:string" use="required"/>
4052 </xsd:complexType>
4053 <!-- _____________________________________________________-->
4054 <!--Specialized Parameters-->
4055 <xsd:complexType name="StringParameterT">
4056 <xsd:complexContent>
4057 <xsd:extension base="ParameterT">
4058 <xsd:attribute name="Value" type="xsd:string" use="required"/>
4059 </xsd:extension>
4060 </xsd:complexContent>
4061 </xsd:complexType>
4062 <!-- ELEMENT DECLARATIONS -->
4063 <xsd:element name="Document" type="DocumentT">
4064 <xsd:unique name="OBJ-ID">
4065 <xsd:selector xpath=".//*"/>
4066 <xsd:field xpath="@ID"/>
4067 </xsd:unique>
4068 </xsd:element>
4069 <xsd:element name="Object" type="ObjectT"/>
4070 <xsd:element name="Parameter" type="ParameterT"/>
4071 <xsd:element name="StringParameter" type="StringParameterT" substitutionGroup="Parameter"/>
4072 <xsd:element name="Feature" type="FeatureT"/>
4073 <xsd:simpleType name="ConformanceClassEnumT">
4074 <xsd:restriction base="xsd:string">
4075 <xsd:enumeration value="C1"/>
4076 <xsd:enumeration value="C2"/>
IO-Link Safety – 151 – V1.0
4082 Annex G
4083 (normative)
4084
4085 Main scenarios of IO-Link Safety
4086 Table G.1 shows main scenarios, the initial key parameters and the associated system
4087 activities. Its purpose is to provide a brief overview and it contains references to clauses with
4088 detailed descriptions.
OSSD operation Authenticity = 0 1. Modify FST parameter via "USB Master" (option; see
Port = 0 9.4.4.2);
FSP_TechParCRC ≠ 0 2. Adapt FSP_TechParCRC (see 11.7.8)
3. Plug, validate & play (default)
Commissioning Authenticity = 0 1. Set FSP_TechParCRC = 0 temporarily (FS-Device and
(Test = monitored Port = 0 FSP record)
operation) 2. Assign Authenticity and Port (FS-Device and FSP record)
FSP_TechParCRC ≠ 0
3. Assign protocol parameter and FST parameter
4. Run in test mode (Write FSP record: Authenticity +
FSP_TechParCRC not evaluated; other protocol
parameters adopted; Data Storage upload not required)
5. FS-Master Tool responsible to indicate test mode or to
prevent from running in test mode without Tool
connection.
Commissioning Authenticity = FSCP code 1. Assign actual FSP_TechParCRC (FS-Device and FSP
(Arm and validate) Port = port number record)
FSP_TechParCRC = 0 2. Upload parameters to Data Storage (FSP and FST), see
clause 9.4.5.4
3. Run in armed mode (Write FSP record: Authenticity +
FSP_TechParCRC compared but not adopted; other
protocol parameters adopted), see 11.7.6
4. Validate according to safety manual of FS-Device.
Replacement by Authenticity = 0 1. Download and adopt parameters from Data Storage (FSP
FS-Device with Port = 0 and FST) if Authenticity and Port = 0, see 9.4.6.1 and
factory settings w/o 9.4.6.2
tools FSP_TechParCRC ≠ 0
2. Run in armed mode (Write FSP record: Authenticity +
FSP_TechParCRC compared but not adopted; other
protocol parameters adopted), see 11.7.6
3. Validate according to safety manual of FS-Device.
Misconnection of Authenticity = FSCP code 1. No adoption of downloaded parameters from Data
configured FS- Port = port number Storage (FSP and FST) since Authenticity and Port ≠ 0
Devices 2. Run in armed mode (Write FSP record: Authenticity +
FSP_TechParCRC ≠ 0
FSP_TechParCRC compared; nothing adopted), see
11.7.6
3. Error message: "Misconnection" (0xB003 or 0xB004, see
Annex B)
4. Other protocol parameters not adopted.
4090
4091 "Local modification" of FST parameters as described in 9.4.5.4 and Table 13 is possible.
4092 However, the FSP_TechParCRC shall be assigned with the help of FS-Master Tool.
IO-Link Safety – 153 – V1.0
4093 Annex H
4094 (normative)
4095
4096 System requirements
4097 H.1 Indicators
4098 H.1.1 General
4099 Indicators for FS-Devices are not mandatory since for example proximity sensors may be too
4100 small for LEDs (light emitting diode).
4101 FS-Masters and FS-Devices may be used in a mix of different technologies such as
4102 • Fieldbus safety modules for inputs (e.g. F-DI module) or outputs (e.g. F-DO module);
4103 • Safety devices such as light curtains connected to fieldbuses via FSCPs;
4104 • IO-Link Masters and Devices.
4105 Thus, it is the designer's responsibility to layout the indication of the signal status, modes, or
4106 operations for FS-Masters and FS-Devices.
4121 Only FS-Masters and FS-Devices providing a short form functional safety assessment report
4122 according to IEC 61508 or ISO 13849-1 together with a certificate of the assessment body are
4123 permitted. The short form report shall indicate all considered clauses and paragraphs of the
4124 used relevant standards and the corresponding assessment results.
4125 Wireless connection between FS-Master and FS-Device is only permitted if interdependency
4126 with other wireless connections can be precluded, for example via inductive couplers.
4127 No components in the link between FS-Master and FS-Device are permitted that are storing,
4128 inserting, or delaying messages.
4129 Manufacturer/vendor of FS-Masters and/or FS-Devices shall define installation constraints for
4130 the operation of OSSD devices or FS-Devices in OSSDe mode within their safety manuals.
4131 Requirements of IEC 61010-2-201 (see [4]) and IEC 60204-1 with respect to electrical safety
4132 (SELV/PELV) shall be observed.
4133 The zones and conduit concept of IEC 62443 applies for security and/or the rules of the
4134 applicable FSCP system.
IO-Link Safety – 154 – V1.0
4151 Manufacturer/vendor of FS-Masters and/or FS-Devices shall define all constraints for the
4152 operation of OSSD devices or FS-Devices in OSSDe mode within their safety manuals.
4153 Manufacturer/vendor of FS-Masters and/or FS-Devices shall define all constraints for the
4154 operation of FS-Devices in communication mode within their safety manuals such as
4155 limitations with respect to storing elements, inductive or optical couplers, and alike.
4156 Manufacturer/vendor of FS-Masters and/or FS-Devices shall define the maintenance rules
4157 with respect to the PFH-Monitor (see Table 30).
IO-Link Safety – 155 – V1.0
4158 Annex I
4159 (normative)
4160
4161 Assessment
4162 I.1 General
4163 Functional safety assessments can only be performed if hardware and software are provided.
4164 Thus, the actual assessment of IO-Link Safety can only comprise a concept approval as a
4165 precondition for the conformity of implementations. This can result in precertified development
4166 kits to save time and effort.
4172 • Any non-safety-related device automatically will not be applicable for safety-related
4173 applications just by using fieldbus or IO-Link communication and a safety communication
4174 layer.
4175 • In order to enable a product for safety-related applications, appropriate development
4176 processes according to safety standards shall be observed (see IEC 61508, IEC 60204-1,
4177 IEC 62061, ISO 13849) and/or an assessment from a competent assessment body shall
4178 be achieved.
4179 • The manufacturer of a safety product is responsible for the correct implementation of the
4180 safety communication layer technology, the correctness and completeness of the product
4181 documentation and information.
4182 • Additional important information about current corrigendums through concluded change
4183 requests shall be considered for implementation and assessment. This information can be
4184 obtained from the IO-Link Community.
4200 Annex J
4201 (normative)
4202
4203 Details of "Classic" port class B
4204
4210 The technology/application part of a Device/FS-Device can be powered by one of three ways:
4211 • via the power lines of the 3-wire connection system (class A ports), using Power1;
4212 • via the extra power lines of the 5-wire connection system (class B ports), using an extra
4213 power supply (Power2) at the Master/FS-Master;
4214 • via a power supply at the Device/FS-Device (design specific) that shall be nonreactive to
4215 Power 1.
Isolated from Power1
Port Class B (M12)
2 Protection
4218 Figure J.1 shows also an extra power supply (Power2) intended for Devices/FS-Devices
4219 requiring more supply current for their individual technology/application such as actuators.
4220 Class B ports shall be marked to distinguish from Class A ports due to risks deriving from
4221 incompatibilities on pin 2 and pin 5.
4222 The maximum current available from this extra power supply is specified in Table J.1.
a) A minimum voltage shall be guaranteed for testing at maximum recommended supply current. At the FS-
Device side 18 V shall be available in this case.
b) Minimum current in order to guarantee a high degree of interoperability.
c) The recommended maximum current for a wire gauge of 0,34 mm 2 and standard M12 connector is 3,5 A.
Maximum current depends on the type of connector, the wire gauge, maximum temperature, and simultaneity
factor of the ports (check user manual of a Master).
4224
IO-Link Safety – 157 – V1.0
4230 Whenever the Device requires more than the minimum current the capabilities of the
4231 respective Master port and of the cabling shall be checked.
4232 FS-Devices should follow this recommendation also. However, 5.9 and Table 7 show mitiga-
4233 tion means for FS-Devices and FS-Masters to certain extend.
4234 In general, the requirements of Devices/FS-Devices shall be checked whether they meet the
4235 available capabilities of the Master/FS-Master. The simultaneity factor for the Master/FS-
4236 Master ports shall be observed.
4245 Figure J.2 shows a possible layout of a cable for port Class B operation.
4246
4247 Figure J.2 – Possible layout of cable with Power1 and Power2
4248 In case of functional safety, the following standards shall be observed whenever applicable:
4254 Annex K
4255 (normative)
4256
4257 Test of FS-Master and FS-Device
4258 This part will be provided at a later date.
4259
IO-Link Safety – 159 – V1.0
4260 Bibliography
4261 [1] IO-Link Community, IO-Link Interface and System, V1.1.2, July 2013, Order No.
4262 10.002
4263 [2] IEC 61131-9, Programmable controllers – Part 9: Single-drop digital communication
4264 interface for small sensors and actuators (SDCI)
4265 [3] IEC 61784-3 Ed 3.0: Industrial communication networks – Profiles – Part 3: Functional
4266 safety fieldbuses – General rules and profile definitions
4267 [4] IEC 61010-2-201:2017, Safety requirements for electrical equipment for measurement,
4268 control and laboratory use – Part 2-201: Particular requirements for control equipment
4269 [5] ISO/IEC 19505-2:2012, Information technology – Object Management Group Unified
4270 Modeling Language (OMG UML) – Part 2: Superstructure
rd
4271 [6] Bruce P. Douglass, Real Time UML – Advances in the UML for Real-Time Systems, 3
4272 Edition, Addison-Wesley, ISBN 0-321-16076-2
4273 [7] Chris Rupp, Stefan Queins, Barbara Zengler, UML 2 glasklar – Praxiswissen für die
4274 UML-Modellierung. Hanser-Verlag, 2007, ISBN 978-3-446-41118-0
4276 [9] IO-Link Community, IO Device Description (IODD), V1.1, July 2011, Order No. 10.012
4277 [10] IO-Link Community, IO-Link Test, V1.1.2, July 2014, Order No. 10.032
4278 [11] IO-Link Community, IO-Link Safety (Single Platform) – Requirements, Use Cases, and
4279 Concept Baseline, V1.0, November 2014, Order No. 10.062
4280 [12] Position Paper CB24I, Classification of Binary 24V Interfaces – Functional Safety
4281 aspects covered by dynamic testing, Edition 2.0.1:
4282 https://www.zvei.org/verband/fachverbaende/fachverband-automation/schaltgeraete-
4283 schaltanlagen-industriesteuerungen/
4284 [13] IO-Link Community, IO-Link Profile BLOB & FW-Update, V1.0, June 2016, Order No.
4285 10.082
4287 [15] FDT Joint Interest Group, FDT 2.0 – Specification, V1.0, Order No. 0001-0008-000
4288 [16] FDT Joint Interest Group, FDT for IO-Link – Annex to FDT Specification – Based on
4289 FDT Specification Version 1.2.1, V1.0, Order No. 0002-0013-000
4290 [17] IEC 62453 series: Field device tool (FDT) interface specification
4294 [19] Philip Koopman, Cyclic Redundancy Code (CRC) Polynomial Selection For Embedded
4295 Networks, The International Conference on Dependable Systems and Networks, DSN-
4296 2004.
4299 [21] IO-Link Community, IO-Link Design Guideline, V1.0, November 2016, Order No.
4300 10.912
4301 ________
Copyright by:
IO-Link Community
Haid-und-Neu-Str. 7
76131 Karlsruhe
Germany
Phone: +49 (0) 721 / 96 58 590
Fax: +49 (0) 721 / 96 58 589
e-mail: [email protected]
http://www.io-link.com/