.. _fsd213123:

SimpleCAN Safety requirements
=============================

This document lists all the requirements specified in FSD350, with numbers for referencing.

Requirements
------------

.. req:: SimpleCAN requirements
   :id: SIMPLECAN_ALL_REQS
   :derived: SC_REQ_01, SC_REQ_02, SC_REQ_03, SC_REQ_04, SC_REQ_05, SC_REQ_06, SC_REQ_07, SC_REQ_08, SC_REQ_09, SC_REQ_10, SC_REQ_11, SC_REQ_12, SC_REQ_14, SC_REQ_15, SC_REQ_16, SC_REQ_17, SC_REQ_18, SC_REQ_19, SC_REQ_20, SC_REQ_21, SC_REQ_22, SC_REQ_23, SC_REQ_24, SC_REQ_25, SC_REQ_26, SC_REQ_27, SC_REQ_28, SC_REQ_29, SC_REQ_30, SC_REQ_31, SC_REQ_32, SC_REQ_33, SC_REQ_34, SC_REQ_35, SC_REQ_36, SC_REQ_37, SC_REQ_38, SC_REQ_39, SC_REQ_40, SC_REQ_41, SC_REQ_42, SC_REQ_43, SC_REQ_44, SC_REQ_45, SC_REQ_46
   :tags: simplecan

   All requirements in SimpleCAN shall be fulfilled.

.. req:: Mandatory functions
   :id: SC_REQ_01
   :tags: simplecan
   :status: PASS

   N/A.

.. req:: SRCP document requirements
   :id: SC_REQ_02
   :tags: simplecan
   :status: PASS

   The SRCP defined in FSD350v5 (SimpleCAN) shall fulfill the requirements needed to support SIL3 (according to the EN 61508 series) and up to category 4 (according to EN ISO 13849-1).

   FSD350 5.2 (page 6)

.. req:: High demand or continuous mode
   :id: SC_REQ_03
   :derived: MOTIVATION_230_001
   :tags: simplecan

   SimpleCAN shall only be used with devices operating in high demand or continuous mode.

   FSD350 5.2 (page 6)

.. req:: SRCP contribution
   :id: SC_REQ_04
   :derived: MOTIVATION_230_002
   :tags: simplecan

   The SRCP shall contribute at most 1% of the maximum PFH or PFHDavg of SIL3.

   FSD350 5.2 (page 6)

.. req:: Safe state definition
   :id: SC_REQ_05
   :derived: MOTIVATION_230_003
   :tags: simplecan

   The safe state for digital and analog values shall be defined as 0.

   FSD350 5.2 (page 6)

.. req:: SRCP and EN 61508
   :id: SC_REQ_06
   :derived: MOTIVATION_230_004
   :tags: simplecan

   Implementations of this SRCP shall comply with the EN 61508 series.

   FSD350 5.2 (page 6)
.. req:: Safety devices compliance with IEC 61326-3-1 and IEC 61000-6-7
   :id: SC_REQ_07
   :derived: MOTIVATION_230_005
   :tags: simplecan

   Safety devices shall comply with the increased test levels and durations, as well as the corresponding performance criteria, specified in IEC 61326-3-1 or the generic standard IEC 61000-6-7.

   FSD350 5.2 (page 6)

.. req:: SR communication independence
   :id: SC_REQ_08
   :derived: MOTIVATION_230_006
   :tags: simplecan

   SR communication shall be independent from NSR communication. NSR communication may, however, use SR communication for transmission.

   FSD350 5.2 (page 6)

.. req:: SR data acknowledgement
   :id: SC_REQ_09
   :derived: MOTIVATION_230_007
   :tags: simplecan

   No acknowledgement of SR data shall be used. Producers shall not implement any safety function that depends on successful reception in consumers.

   FSD350 5.3 (page 7)

.. req:: Single field-bus usage
   :id: SC_REQ_10
   :derived: MOTIVATION_230_008
   :tags: simplecan

   Only one field-bus shall be used as the communication channel. Of the models considered in IEC 61784-3:2021 annex A, model A (A.2) shall be used for transmission. For reception, model A or model C shall be used.

   FSD350 5.4 (page 9)

.. req:: SimpleCAN and ISO 11898-1
   :id: SC_REQ_11
   :derived: MOTIVATION_230_009
   :tags: simplecan

   SimpleCAN shall only be used in conjunction with ISO 11898-1. There are no requirements other than those defined in that standard.

   FSD350 5.5.1 (page 10)

.. req:: SDD requirements
   :id: SC_REQ_12
   :derived: MOTIVATION_230_010
   :tags: simplecan

   The safety data dictionary (SDD) contains the SR data to be sent and received by the SCL. The SDD shall contain at most 80 entries.

   FSD350 6.2 (page 11)

.. req:: SRLD safe state
   :id: SC_REQ_14
   :derived: MOTIVATION_230_011
   :tags: simplecan

   The SCL shall be able to signal to the SRLD to enter safe state. The maximum reaction time for the SRLD to enter safe state shall be defined.

   FSD350 6.3 (page 11)
.. req:: SC-ID node hash
   :id: SC_REQ_15
   :derived: MOTIVATION_230_012
   :tags: simplecan

   Each SC-ID shall have a corresponding node hash that is generated by the SR configuration tool. The node hash is included in the CRC calculation of each SCL so that the CRC binds the data to its SC-ID. Consumers must know the node hash of a message to be able to calculate its CRC. The node hash shall be generated using application-appropriate information.

   .. note::

      The node hash makes the CRC depend on configuration data that only the intended producer and consumers of an SC-ID hold, so a consumer configured with the wrong node hash cannot validate packets carrying that SC-ID. This is a safety measure against misaddressing and misconfiguration. A CRC keyed with a constant distributed at configuration time is not a cryptographic signature or MAC and gives no protection against deliberately forged packets; protection of the SRLDs themselves is the subject of :need:`SC_REQ_43`.

   FSD350 6.5 (page 11)

.. req:: Safety related configuration
   :id: SC_REQ_16
   :derived: MOTIVATION_230_013
   :tags: simplecan

   The safety configuration shall be generated by the SR configuration tool and verified by the SRD before initializing normal operation. If the configuration is invalid, the SRD shall enter safe state. The safety configuration shall consist of:

   - the SC-IDs that the SRLD transmits;
   - the node hashes of the SC-IDs that the SRLD transmits;
   - the SC-IDs that the SRLD listens to;
   - the node hashes of the SC-IDs that the SRLD listens to;
   - the timeout of the SR data that the SRLD listens to.

   FSD350 6.6 (page 12)

.. req:: CRC algorithm usage
   :id: SC_REQ_17
   :derived: MOTIVATION_230_014
   :tags: simplecan

   The SRD and the SR configuration tool shall use the CRC algorithm with the generator polynomial 04C11DB7h, or another suitable CRC algorithm/polynomial. The CRC shall be calculated by the SR configuration tool and downloaded to the SRD after the configuration has been downloaded.

   FSD350 6.6.1 (page 12)

.. req:: SR data transmission
   :id: SC_REQ_18
   :derived: MOTIVATION_230_015
   :tags: simplecan

   The network cycle is split into slots of 1 millisecond each. Producers shall transmit their SR data in their configured slot index.

   FSD350 7.3 (page 16)

.. req:: SR data transmission producers
   :id: SC_REQ_19
   :tags: simplecan
   :status: PASS

   N/A.

.. req:: SR data transmission consumers
   :id: SC_REQ_20
   :derived: MOTIVATION_230_016
   :tags: simplecan

   Consumers shall keep track of the age of the SR data.
   If the age of the data exceeds the configured safety timeout, the data shall be set to safe state (0).

   FSD350 7.3 (page 16)

.. req:: SR data transmission cycle requirement
   :id: SC_REQ_21
   :derived: MOTIVATION_230_017
   :tags: simplecan

   The network cycle shall have at least two empty slots at the end of the cycle in which no producers are configured to transmit. If a master wants to transmit a time sync packet, it shall be sent in the last slot of the cycle.

   FSD350 7.3 (page 16)

.. req:: Master time sync packet frequency
   :id: SC_REQ_22
   :derived: MOTIVATION_230_018
   :tags: simplecan

   The active master shall not send time sync packets more often than once per 100 ms, and not less often than once per 500 ms.

   FSD350 7.3.1 (page 17)

.. req:: Time sync control packets abort
   :id: SC_REQ_23
   :derived: MOTIVATION_230_019
   :tags: simplecan

   The active master SCL shall verify that the time sync packet has been successfully transmitted on the bus at most 2 ms after transmitting it. If the transmission has failed or has not started after 2 ms (for example due to CAN arbitration or other external errors), the transmission shall be aborted and any buffers cleared.

   FSD350 7.3.1 (page 17)

.. req:: Model A SCL forwarding
   :id: SC_REQ_24
   :derived: MOTIVATION_230_020
   :tags: simplecan

   If only one SCL is connected to the bus (model A), the SCL shall forward the packet to the other SCL without unpacking it (CAT3, HFT=1).

   FSD350 7.3.3 (page 18)

.. req:: Master determination
   :id: SC_REQ_25
   :derived: MOTIVATION_230_021
   :tags: simplecan

   There shall be only one active master on the bus at any given time. If multiple SCLs can act as master, the SCL with the lowest transmitted SC-ID shall take the role of master. If a potential master joins the network late, it shall first synchronize its global time to the current network global time before taking over the role of active master.

   FSD350 7.4.1 (page 19)
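Consumer-side handling of SC_REQ_18, SC_REQ_20 and SC_REQ_21, as an added example in C written for this page; it is not code from FSD350 or from any SimpleCAN implementation. The structure and function names (``sc_consumer``, ``sc_consumer_read``, ``sc_schedule_ok``) are this example's own, the SDD entry layout is an assumption, and the SR data of each SC-ID is modelled as a single 32-bit value. The point it shows is that the safe state is produced at the point of reading, so a consumer that stops receiving does not need a separate timer per entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SC_SLOT_MS      1u   /* SC_REQ_18: one slot of the network cycle is 1 ms */
#define SC_SAFE_VALUE   0    /* SC_REQ_05: the safe state of every value is 0 */
#define SC_MAX_ENTRIES  80   /* SC_REQ_12: the SDD holds at most 80 entries */

/* One consumed entry of the safety data dictionary (SDD); layout is this
 * example's assumption. */
struct sc_consumed {
    uint16_t sc_id;        /* SC-ID this SRLD listens to */
    uint16_t timeout_ms;   /* safety timeout from the safety configuration (SC_REQ_16) */
    int32_t  value;        /* last SR data received for this SC-ID */
    uint32_t rx_time_ms;   /* global time at which it was received */
    uint8_t  valid;        /* 0 until the first packet has been accepted */
};

struct sc_consumer {
    uint8_t  n;
    uint8_t  synced;       /* SC_REQ_29: nothing is accepted while unsynced */
    struct sc_consumed e[SC_MAX_ENTRIES];
};

/* Register an SC-ID to listen to. Returns 0 when the SDD is full. */
int sc_consumer_add(struct sc_consumer *c, uint16_t sc_id, uint16_t timeout_ms)
{
    if (c->n >= SC_MAX_ENTRIES) return 0;
    c->e[c->n].sc_id = sc_id;
    c->e[c->n].timeout_ms = timeout_ms;
    c->e[c->n].valid = 0;
    c->n++;
    return 1;
}

static struct sc_consumed *sc_find(struct sc_consumer *c, uint16_t sc_id)
{
    for (uint8_t i = 0; i < c->n; i++)
        if (c->e[i].sc_id == sc_id) return &c->e[i];
    return NULL;
}

/* Called by the SCL for every SR packet whose CRC has already been checked.
 * Returns 1 when the data was stored, 0 when it was discarded (unknown
 * SC-ID, or the SCL is not in synced state). */
int sc_consumer_receive(struct sc_consumer *c, uint16_t sc_id, int32_t value, uint32_t now_ms)
{
    struct sc_consumed *e = sc_find(c, sc_id);
    if (!c->synced || e == NULL) return 0;
    e->value = value;
    e->rx_time_ms = now_ms;
    e->valid = 1;
    return 1;
}

/* SC_REQ_20: what the application sees. Data that was never received, or
 * whose age exceeds the configured safety timeout, reads as the safe state. */
int32_t sc_consumer_read(struct sc_consumer *c, uint16_t sc_id, uint32_t now_ms)
{
    struct sc_consumed *e = sc_find(c, sc_id);
    if (e == NULL || !e->valid) return SC_SAFE_VALUE;
    uint32_t age_ms = now_ms - e->rx_time_ms;  /* unsigned arithmetic survives wrap */
    if (age_ms > e->timeout_ms) return SC_SAFE_VALUE;
    return e->value;
}

/* SC_REQ_18 / SC_REQ_21: validate a producer slot plan. slots[] holds the
 * configured slot index of each producer; cycle_slots is the cycle length
 * in slots. Returns 1 when every producer lies inside the cycle and the
 * last two slots are left empty. */
int sc_schedule_ok(const uint16_t *slots, size_t n, uint16_t cycle_slots)
{
    if (cycle_slots < 2) return 0;
    for (size_t i = 0; i < n; i++)
        if (slots[i] >= (uint16_t)(cycle_slots - 2)) return 0;
    return 1;
}

/* SC_REQ_21: the time sync packet, if any, goes in the last slot. */
uint16_t sc_sync_slot(uint16_t cycle_slots)
{
    return cycle_slots - 1;
}

/* Cycle length in milliseconds (SC_REQ_18). */
uint32_t sc_cycle_ms(uint16_t cycle_slots)
{
    return (uint32_t)cycle_slots * SC_SLOT_MS;
}

int main(void)
{
    struct sc_consumer c = {0};
    sc_consumer_add(&c, 0x31, 50);
    c.synced = 1;
    sc_consumer_receive(&c, 0x31, 7, 100);   /* constructed sample: SC-ID 0x31, value 7 at t=100 */
    printf("value at t=120: %d, at t=200: %d\n",
           (int)sc_consumer_read(&c, 0x31, 120), (int)sc_consumer_read(&c, 0x31, 200));
    return 0;
}
```

The read path deliberately treats "age equal to the timeout" as still valid and "age greater than the timeout" as expired, matching the word "exceeds" in SC_REQ_20; an implementation that needs the opposite boundary should change the comparison, not the timeout value, so the configured timeout keeps its meaning in the safety manual.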
.. req:: Multiple masters safe state
   :id: SC_REQ_26
   :derived: MOTIVATION_230_022
   :tags: simplecan

   If an SCL on the bus detects multiple active masters, it shall signal to the SRLD to enter safe state.

   FSD350 7.4.1 (page 19)

.. req:: Master time sync wait before tx
   :id: SC_REQ_27
   :derived: MOTIVATION_230_023
   :tags: simplecan

   To avoid collisions between the first time sync packets of different potential masters, each potential master shall wait and listen before sending its first time sync packet. The following formula specifies how long the potential master shall wait before sending its first time sync packet:

   .. math::

      t_{wait} = (ID - 0x30) \cdot 5\,\mathrm{ms}

   where **ID** is the lowest transmitted SC-ID of the potential master.

   FSD350 7.3.4 (page 18)

.. req:: Time sync transmission errors
   :id: SC_REQ_28
   :derived: MOTIVATION_230_024
   :tags: simplecan

   If any CAN error occurs during transmission of the time sync packet (for example when two masters try to transmit sync packets at the same time and a collision occurs), the master shall back off and try again after :math:`t_{wait}` milliseconds.

   FSD350 7.4.1 (page 19)

.. req:: Startup in unsynced state
   :id: SC_REQ_29
   :derived: MOTIVATION_230_029
   :tags: simplecan

   All SCLs shall start in the unsynced state. In the unsynced state, producers shall not transmit any SR data, and consumers shall discard all received SR data.

   FSD350 7.4.2 (page 20)

.. req:: SCL enter synced state
   :id: SC_REQ_30
   :derived: MOTIVATION_230_026
   :tags: simplecan

   To enter synced state, at least two time sync packets from the same master shall be received, and the time difference between them shall agree with the receiver's internal time to within ±2 ms.

   FSD350 7.4.2 (page 20)

.. req:: Clock drift
   :id: SC_REQ_31
   :derived: MOTIVATION_230_027
   :tags: simplecan

   The time base in SRLDs shall have a maximum inaccuracy of 50 ppm.

   FSD350 7.4.2 (page 20)

.. req:: Time sync max delay
   :id: SC_REQ_32
   :derived: MOTIVATION_230_028
   :tags: simplecan

   If no time sync packet is received for 2000 ms, the SCL shall go to the unsynced state.
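The synchronization behaviour of SC_REQ_25 to SC_REQ_32, with the receive-buffering allowance that SC_REQ_33 asks for as a parameter, as an added example in C. It is illustration code written for this page, not code from FSD350 or any SimpleCAN implementation, and all names are its own. Two points are assumptions because the document does not fix them: a sync packet from a second master counts as "multiple active masters" only if the master currently followed sent a packet within the last 500 ms (the maximum sync period of SC_REQ_22), and a packet pair that fails the ±2 ms check restarts acquisition with the newer packet as the first of a new pair. The sentinel 0 for "no master" relies on SC-IDs starting at 0x30, as the t_wait formula implies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SC_SYNC_TOLERANCE_MS   2     /* SC_REQ_30: +/-2 ms between two sync packets */
#define SC_SYNC_LOSS_MS        2000u /* SC_REQ_32: no sync for 2000 ms -> unsynced */
#define SC_SYNC_MAX_PERIOD_MS  500u  /* SC_REQ_22: a master sends at least every 500 ms */
#define SC_FIRST_SC_ID         0x30u /* base of the t_wait formula in SC_REQ_27 */

enum sc_state { SC_UNSYNCED = 0, SC_SYNCED, SC_SAFE_STATE };

struct sc_scl {
    enum sc_state state;
    uint16_t master_id;         /* SC-ID of the master being followed, 0 = none (assumption) */
    uint8_t  have_prev;         /* a first packet from master_id has been seen */
    uint32_t prev_master_ms;    /* global time carried in that packet */
    uint32_t prev_local_ms;     /* local time at which it was received */
    uint32_t last_sync_rx_ms;   /* local time of the last accepted sync packet */
    uint32_t offset_ms;         /* global time = local time + offset */
    uint32_t rx_buffer_max_ms;  /* SC_REQ_33: guaranteed maximum receive buffering */
};

/* SC_REQ_27: t_wait = (ID - 0x30) * 5 ms for the lowest transmitted SC-ID. */
uint32_t sc_master_wait_ms(uint16_t lowest_tx_id)
{
    return (uint32_t)(lowest_tx_id - SC_FIRST_SC_ID) * 5u;
}

/* SC_REQ_25: the potential master with the lowest transmitted SC-ID wins.
 * observed_master_id is 0 when no active master has been heard yet. */
int sc_should_be_master(uint16_t my_lowest_tx_id, uint16_t observed_master_id)
{
    return observed_master_id == 0 || my_lowest_tx_id < observed_master_id;
}

/* Feed one received time sync packet. master_time_ms is the global time
 * carried in the packet, local_rx_ms the receiver's own clock at reception. */
enum sc_state sc_scl_on_sync(struct sc_scl *s, uint16_t master_id,
                             uint32_t master_time_ms, uint32_t local_rx_ms)
{
    if (s->state == SC_SAFE_STATE) return s->state;

    if (s->have_prev && master_id != s->master_id) {
        /* SC_REQ_26: a second master while the followed one is still alive.
         * Assumption: "alive" means it sent a packet within the last max period. */
        if (local_rx_ms - s->last_sync_rx_ms < SC_SYNC_MAX_PERIOD_MS) {
            s->state = SC_SAFE_STATE;
            return s->state;
        }
        /* the old master went quiet: start following the new one from scratch */
        s->state = SC_UNSYNCED;
        s->have_prev = 0;
    }

    if (s->have_prev) {
        /* SC_REQ_30: the spacing the master reports must agree with the
         * spacing measured on our own clock, to within the tolerance. */
        int32_t master_delta = (int32_t)(master_time_ms - s->prev_master_ms);
        int32_t local_delta  = (int32_t)(local_rx_ms - s->prev_local_ms);
        if (abs(master_delta - local_delta) <= SC_SYNC_TOLERANCE_MS)
            s->state = SC_SYNCED;
        else
            s->state = SC_UNSYNCED;  /* assumption: a mismatch restarts acquisition */
    }

    s->master_id = master_id;
    s->prev_master_ms = master_time_ms;
    s->prev_local_ms = local_rx_ms;
    s->last_sync_rx_ms = local_rx_ms;
    s->have_prev = 1;
    /* SC_REQ_33: the packet is at least rx_buffer_max_ms old when we read it,
     * so global time at local_rx_ms is master_time_ms plus that age. */
    s->offset_ms = master_time_ms + s->rx_buffer_max_ms - local_rx_ms;
    return s->state;
}

/* Call periodically. SC_REQ_32: 2000 ms without a sync packet drops the SCL
 * back to unsynced, after which two fresh packets are needed again. */
enum sc_state sc_scl_tick(struct sc_scl *s, uint32_t local_now_ms)
{
    if (s->state == SC_SYNCED && local_now_ms - s->last_sync_rx_ms >= SC_SYNC_LOSS_MS) {
        s->state = SC_UNSYNCED;
        s->have_prev = 0;
    }
    return s->state;
}

/* Global time for a local timestamp; returns 0 when the SCL is not synced. */
int sc_global_time_ms(const struct sc_scl *s, uint32_t local_now_ms, uint32_t *global_ms)
{
    if (s->state != SC_SYNCED) return 0;
    *global_ms = local_now_ms + s->offset_ms;
    return 1;
}

int main(void)
{
    struct sc_scl s = {0};
    s.rx_buffer_max_ms = 1;
    /* constructed sample: two sync packets from master 0x31, 100 ms apart */
    sc_scl_on_sync(&s, 0x31, 1000, 500);
    sc_scl_on_sync(&s, 0x31, 1100, 601);
    uint32_t g = 0;
    int ok = sc_global_time_ms(&s, 700, &g);
    printf("synced=%d global(700)=%u\n", ok, ok ? (unsigned)g : 0u);
    return 0;
}
```

Two consequences worth checking against a real implementation: the 2000 ms loss timer is measured on the local clock, so a receiver whose clock is 50 ppm fast (SC_REQ_31) drops sync a tenth of a millisecond early, which is harmless; and the multiple-master detection fires even before the SCL is synced, since two masters transmitting within one sync period is a fault regardless of the receiver's state.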
   FSD350 7.4.2 (page 20)

.. req:: Maximum received packet buffering
   :id: SC_REQ_33
   :derived: MOTIVATION_230_029
   :tags: simplecan

   Receivers shall specify the guaranteed maximum time for which a received packet can be buffered, and add this time to the age of all received time sync packets when calculating the global time.

   FSD350 7.4.2 (page 20)

.. req:: Configuration verification at startup
   :id: SC_REQ_34
   :derived: MOTIVATION_230_030
   :tags: simplecan

   The SRD shall perform the SR device configuration verification before entering normal operation. The SR device shall calculate a CRC signature as defined in FSD350 6.6.1 and compare it with the safety configuration signature (see 6.6.1). The configuration shall be considered valid only if both values are equal.

   FSD350 8.1 (page 22)

.. req:: SR configuration tool
   :id: SC_REQ_35
   :derived: MOTIVATION_230_031
   :tags: simplecan

   The SR configuration tool shall perform the configuration download to the SR devices in the network.

   FSD350 8.1.1 (page 22)

.. req:: SR configuration tool verification
   :id: SC_REQ_36
   :derived: MOTIVATION_230_032
   :tags: simplecan

   After downloading, the SR configuration tool shall read back the configuration and verify that it is correct before writing the configuration checksum.

   FSD350 8.1.1 (page 22)

.. req:: SR configuration addressing
   :id: SC_REQ_37
   :derived: MOTIVATION_230_033
   :tags: simplecan

   The user is responsible for correctly addressing the SR devices on the network during configuration download. The safety manual of the SR devices shall contain instructions on how the user can achieve this (see FSD350 9.6).

   FSD350 8.1.1 (page 22)

.. req:: SR configuration tool aid for addressing
   :id: SC_REQ_38
   :derived: MOTIVATION_230_034
   :tags: simplecan

   The SR configuration tool shall provide measures that help the user address the SR devices correctly.

   FSD350 8.1.1 (page 22)
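A worked example in C for SC_REQ_15, SC_REQ_16, SC_REQ_17 and SC_REQ_34: the configuration signature that the SR configuration tool computes and the SRD recomputes at startup, and the node-hash-keyed packet CRC that lets a consumer reject data whose SC-ID it is not configured for. This is added example code written for this page, not code from FSD350 or from any SimpleCAN implementation. Assumptions: the CRC uses an initial value and final XOR of 0xFFFFFFFF on top of the polynomial the document names (which makes it the CRC-32/BZIP2 variant, so it can be checked against that variant's published check value), the serialized configuration layout is this example's own, and CRC-32 stands in for the 24-bit packet CRC whose polynomial is not listed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SC_CRC_POLY    0x04C11DB7u  /* generator polynomial from SC_REQ_17 */
#define SC_MAX_ENTRIES 80           /* SC_REQ_12 */

/* Bitwise, MSB-first, non-reflected CRC-32 over the polynomial above.
 * Initial value and final XOR of 0xFFFFFFFF are this example's assumption. */
static uint32_t sc_crc32_update(uint32_t crc, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint32_t)data[i] << 24;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ SC_CRC_POLY : (crc << 1);
    }
    return crc;
}

uint32_t sc_crc32(const uint8_t *data, size_t len)
{
    return sc_crc32_update(0xFFFFFFFFu, data, len) ^ 0xFFFFFFFFu;
}

/* Safety configuration as listed in SC_REQ_16, one entry per SC-ID. */
struct sc_cfg_entry {
    uint16_t sc_id;
    uint32_t node_hash;   /* SC_REQ_15: generated by the SR configuration tool */
    uint16_t timeout_ms;  /* safety timeout for listened-to SC-IDs, 0 for transmitted ones */
    uint8_t  is_tx;       /* 1 = this SRLD transmits the SC-ID, 0 = it listens */
};

struct sc_safety_cfg {
    uint8_t  n_entries;
    struct sc_cfg_entry entries[SC_MAX_ENTRIES];
    uint32_t signature;   /* CRC downloaded by the tool after the configuration */
};

#define SC_ENTRY_BYTES 9
#define SC_CFG_BYTES   (1 + SC_MAX_ENTRIES * SC_ENTRY_BYTES)

/* Serialize to a fixed big-endian layout so tool and device hash identical
 * bytes (struct padding must never enter the CRC). Layout is this example's
 * own. Returns the byte count, 0 when n_entries is out of range. */
static size_t sc_cfg_serialize(const struct sc_safety_cfg *cfg, uint8_t *out)
{
    if (cfg->n_entries > SC_MAX_ENTRIES) return 0;
    size_t n = 0;
    out[n++] = cfg->n_entries;
    for (uint8_t i = 0; i < cfg->n_entries; i++) {
        const struct sc_cfg_entry *e = &cfg->entries[i];
        out[n++] = (uint8_t)(e->sc_id >> 8);      out[n++] = (uint8_t)e->sc_id;
        out[n++] = (uint8_t)(e->node_hash >> 24); out[n++] = (uint8_t)(e->node_hash >> 16);
        out[n++] = (uint8_t)(e->node_hash >> 8);  out[n++] = (uint8_t)e->node_hash;
        out[n++] = (uint8_t)(e->timeout_ms >> 8); out[n++] = (uint8_t)e->timeout_ms;
        out[n++] = e->is_tx;
    }
    return n;
}

/* SR configuration tool side (SC_REQ_17): the signature written last. */
uint32_t sc_cfg_signature(const struct sc_safety_cfg *cfg)
{
    uint8_t buf[SC_CFG_BYTES];
    size_t n = sc_cfg_serialize(cfg, buf);
    return sc_crc32(buf, n);
}

/* SRD side at startup (SC_REQ_34): recompute and compare. Returns 1 when the
 * configuration is valid; on 0 the SRD enters safe state (SC_REQ_16). */
int sc_cfg_verify(const struct sc_safety_cfg *cfg)
{
    if (cfg->n_entries > SC_MAX_ENTRIES) return 0;
    return sc_cfg_signature(cfg) == cfg->signature;
}

/* SC_REQ_15: the producer's CRC covers node_hash || payload, so only a
 * consumer holding the same node hash for that SC-ID can reproduce it.
 * CRC-32 stands in here for the 24-bit packet CRC of FSD350. */
uint32_t sc_packet_crc(uint32_t node_hash, const uint8_t *payload, size_t len)
{
    uint8_t nh[4] = { (uint8_t)(node_hash >> 24), (uint8_t)(node_hash >> 16),
                      (uint8_t)(node_hash >> 8),  (uint8_t)node_hash };
    uint32_t crc = sc_crc32_update(0xFFFFFFFFu, nh, sizeof nh);
    return sc_crc32_update(crc, payload, len) ^ 0xFFFFFFFFu;
}

int sc_packet_accept(uint32_t configured_node_hash, const uint8_t *payload,
                     size_t len, uint32_t rx_crc)
{
    return sc_packet_crc(configured_node_hash, payload, len) == rx_crc;
}

int main(void)
{
    struct sc_safety_cfg cfg = {0};   /* constructed sample configuration */
    cfg.n_entries = 1;
    cfg.entries[0] = (struct sc_cfg_entry){ .sc_id = 0x31, .node_hash = 0xA5A5F00Du, .timeout_ms = 50, .is_tx = 0 };
    cfg.signature = sc_cfg_signature(&cfg);
    printf("configuration valid: %d\n", sc_cfg_verify(&cfg));
    return 0;
}
```

Because the signature is written only after the read-back of SC_REQ_36, a device that loses power between the configuration download and the signature download is left with a configuration that fails ``sc_cfg_verify`` and therefore starts in safe state, which is the intended outcome. The node-hash binding distinguishes mis-routed or mis-configured data, not forged data: anyone able to read the configuration can compute valid CRCs, so it must not be mistaken for message authentication.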
.. req:: Change of configuration only possible in safe state
   :id: SC_REQ_39
   :derived: MOTIVATION_230_035
   :tags: simplecan

   Setup or change of the SCP configuration in an SRLD shall only be possible while the SRLD is in safe state.

   FSD350 8.3 (page 22)

.. req:: No safety communication in safe state
   :id: SC_REQ_40
   :derived: MOTIVATION_230_036
   :tags: simplecan

   No safety communication shall be possible in safe state.

   FSD350 8.3 (page 22)

.. req:: Warm start after fault
   :id: SC_REQ_41
   :derived: MOTIVATION_230_037
   :tags: simplecan

   Warm start after a fault shall only be possible with a complete reset and initialization of the SRLD.

   FSD350 8.3 (page 22)

.. req:: Maximum packets with incorrect CRC
   :id: SC_REQ_42
   :derived: MOTIVATION_230_038
   :tags: simplecan

   If the safe 24-bit CRC is invalid for 1000 packets within one hour, the SCL shall signal to the SRLD to enter safe state.

   .. note::

      An algorithm to achieve this is suggested:

      * A counter stored in memory counts the number of invalid CRCs.
      * If a packet with an invalid CRC is received, the counter is increased by 1.
      * Every 3600/1000 = 3.6 seconds, if the counter is not 0, it is decreased by 1.
      * If the counter reaches 1000, the SCL signals to the SRLD to enter safe state.

      Because the counter keeps leaking while invalid packets arrive, this approximation is more lenient than an exact one-hour count: a sustained rate of exactly 1000 invalid CRCs per hour never trips it, and a sustained rate of about 2000 per hour trips it only after roughly an hour. An exact sliding-window count trips on the 1000th invalid CRC within any one-hour window.

   FSD350 8.3 (page 22)

.. req:: Unauthorized access to SRLDs
   :id: SC_REQ_43
   :derived: MOTIVATION_230_039
   :tags: simplecan

   The SRLDs implementing SimpleCAN shall implement measures against unauthorized access.

   FSD350 8.4 (page 22)

.. req:: Installation requirements
   :id: SC_REQ_44
   :derived: MOTIVATION_230_040
   :tags: simplecan

   The following requirements shall be explained to the user in the safety manual:

   * SimpleCAN shall only be used with ISO 11898.
   * The PhL shall be continuous, without any devices separating SRLDs on a network.
   * Appropriate standards shall be considered depending on the application field.
   * In machinery and process environments the principles defined in the common part of EN 61918 shall apply.
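The invalid-CRC budget of SC_REQ_42, implemented both ways, as an added example in C written for this page (not code from FSD350 or any SimpleCAN implementation; all names are its own): the leaky counter from the note above, and an exact sliding window over the last 1000 error timestamps. The driver functions replay a constructed error pattern, ``count`` invalid CRCs ``spacing_ms`` apart, and report which packet trips each detector, which makes the difference between the two visible with numbers rather than by argument.

```c
#include <stdint.h>
#include <stdio.h>

#define SC_CRC_ERR_LIMIT 1000u       /* SC_REQ_42: 1000 invalid CRCs ... */
#define SC_CRC_WINDOW_MS 3600000u    /* ... within one hour */
#define SC_CRC_LEAK_MS   (SC_CRC_WINDOW_MS / SC_CRC_ERR_LIMIT)  /* 3600 ms */

/* Variant 1: the leaky counter suggested in the note to SC_REQ_42. */
struct sc_leaky {
    uint32_t count;
    uint32_t next_leak_ms;
};

void sc_leaky_init(struct sc_leaky *b, uint32_t now_ms)
{
    b->count = 0;
    b->next_leak_ms = now_ms + SC_CRC_LEAK_MS;
}

/* Apply every 3.6 s decrement that has fallen due since the last call. */
void sc_leaky_tick(struct sc_leaky *b, uint32_t now_ms)
{
    while ((int32_t)(now_ms - b->next_leak_ms) >= 0) {
        if (b->count > 0) b->count--;
        b->next_leak_ms += SC_CRC_LEAK_MS;
    }
}

/* Call for each packet with an invalid CRC. Returns 1 when the SCL must
 * signal the SRLD to enter safe state. */
int sc_leaky_on_bad_crc(struct sc_leaky *b, uint32_t now_ms)
{
    sc_leaky_tick(b, now_ms);
    b->count++;
    return b->count >= SC_CRC_ERR_LIMIT;
}

/* Variant 2: exact sliding window, a ring of the last 1000 error times
 * (4 KB of RAM). Trips on the 1000th invalid CRC within any one hour. */
struct sc_window {
    uint32_t ts[SC_CRC_ERR_LIMIT];
    uint32_t start;   /* index of the oldest stored timestamp */
    uint32_t n;       /* number of stored timestamps */
};

void sc_window_init(struct sc_window *w)
{
    w->start = 0;
    w->n = 0;
}

int sc_window_on_bad_crc(struct sc_window *w, uint32_t now_ms)
{
    /* expire everything that has left the one-hour window */
    while (w->n > 0 && now_ms - w->ts[w->start] >= SC_CRC_WINDOW_MS) {
        w->start = (w->start + 1) % SC_CRC_ERR_LIMIT;
        w->n--;
    }
    if (w->n < SC_CRC_ERR_LIMIT) {
        w->ts[(w->start + w->n) % SC_CRC_ERR_LIMIT] = now_ms;
        w->n++;
    }
    return w->n >= SC_CRC_ERR_LIMIT;
}

/* Replay `count` invalid CRCs spaced `spacing_ms` apart, starting at t=0
 * (constructed pattern). Returns the 1-based index of the packet that trips
 * the detector, or 0 if it never trips. */
uint32_t sc_leaky_trip_index(uint32_t count, uint32_t spacing_ms)
{
    struct sc_leaky b;
    sc_leaky_init(&b, 0);
    for (uint32_t i = 1; i <= count; i++)
        if (sc_leaky_on_bad_crc(&b, (i - 1) * spacing_ms)) return i;
    return 0;
}

uint32_t sc_window_trip_index(uint32_t count, uint32_t spacing_ms)
{
    static struct sc_window w;   /* static: 4 KB is too large for a small stack */
    sc_window_init(&w);
    for (uint32_t i = 1; i <= count; i++)
        if (sc_window_on_bad_crc(&w, (i - 1) * spacing_ms)) return i;
    return 0;
}

int main(void)
{
    printf("burst:          leaky %u, window %u\n", sc_leaky_trip_index(1200, 0), sc_window_trip_index(1200, 0));
    printf("1000/h steady:  leaky %u, window %u\n", sc_leaky_trip_index(3000, 3600), sc_window_trip_index(3000, 3600));
    printf("2000/h steady:  leaky %u, window %u\n", sc_leaky_trip_index(5000, 1800), sc_window_trip_index(5000, 1800));
    return 0;
}
```

For a burst both detectors trip on the 1000th packet. At a steady 1000 per hour the leaky counter never exceeds 1 while the window trips on the 1000th packet; at a steady 2000 per hour the leaky counter trips on packet 1998, just under an hour in, while the window again trips on the 1000th. Which behaviour is acceptable is a question for the safety case: the leaky variant needs two words of RAM, the exact variant needs 4 KB and a timestamp source that does not stall.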
   * Only SimpleCAN compatible devices can be transmitters in a SimpleCAN network.
   * Silent listeners are allowed to listen to the network in silent mode (according to CAN 2.0).

   FSD350 9.2 (page 23)

.. req:: Response time
   :id: SC_REQ_45
   :derived: MOTIVATION_230_041
   :tags: simplecan

   The safety reaction time of SimpleCAN shall be the application-configured safety timeout. This timeout shall account for all components of the SCL.

   .. note::

      This does not take into account other external delays, such as output relay switching time, input/output filtering, other communication interfaces, etc.

   FSD350 9.3 (page 23)

.. req:: Safety manual requirements
   :id: SC_REQ_46
   :derived: MOTIVATION_230_042
   :tags: simplecan

   Implementers of SimpleCAN shall supply a safety manual with at least the following information:

   * installation guidelines (see :need:`SC_REQ_44`);
   * the constraints for calculation of system characteristics (see FSD350 9.4);
   * the responsibilities of the user in the proper parameterization of the devices (FSD350 8.1.1 and 8.2);
   * how to calculate the maximum reaction time.