SimpleCAN Safety requirements
This document lists all the requirements specified in FSD350, with numbers for referencing.
Requirements
| Requirement | Reference | Note |
|---|---|---|
| All requirements in SimpleCAN shall be fulfilled. | | N/A. |
| The SRCP defined in FSD350v5 (SimpleCAN) shall fulfill the requirements to be able to support SIL3 (according to the EN 61508 series) and up to category 4 (according to EN ISO 13849-1). | FSD350 5.2 (page 6) | |
| SimpleCAN shall only be used with devices operating in high demand continuous mode. | FSD350 5.2 (page 6) | |
| The SRCP shall contribute at most 1% of the maximum PFH or PFHDavg of SIL3. | FSD350 5.2 (page 6) | |
| The safe state for digital and analog values shall be defined as 0. | FSD350 5.2 (page 6) | |
| Implementations of this SRCP shall comply with the EN 61508 series. | FSD350 5.2 (page 6) | |
| Safety devices shall comply with the increased test levels and durations, as well as the corresponding performance criteria, specified in IEC 61326-3-1 or the generic standard IEC 61000-6-7. | FSD350 5.2 (page 6) | |
| SR communication shall be independent from NSR communication. However, NSR communication may use SR communication for transmission. | FSD350 5.2 (page 6) | |
| No acknowledgment of SR data shall be used. Producers shall not implement any safety function that depends on successful reception in consumers. | FSD350 5.3 (page 7) | |
| Only one field-bus shall be used as the communication channel. From the models considered in 61784-3:2021 annex A, Model A (A.2) shall be used for transmission. For reception, model A or model C shall be used. | FSD350 5.4 (page 9) | |
| SimpleCAN shall only be used in conjunction with EN 11989-1. There are no requirements other than those defined in this standard. | FSD350 5.5.1 (page 10) | |
| The safety data dictionary (SDD) contains the SR data to be sent and received by the SCL. The SDD shall contain up to 80 entries. | FSD350 6.2 (page 11) | |
| The SCL shall be able to signal to the SRLD to enter safe state. The maximum reaction time of the SRLD entering safe state shall be defined. | FSD350 6.3 (page 11) | |
| Each SC-ID shall have a corresponding node hash that is generated by the SR configuration tool. The node hash is included in the CRC calculation of each SCL to sign the data. Consumers must know the node hash of the message to be able to calculate the CRC. The node hash shall be generated using application-appropriate information. | FSD350 6.5 (page 11) | |
| The safety configuration shall be generated by the SR configuration tool and verified by the SRD before initializing normal operation. If the configuration is invalid, the SRD shall enter safe state. | FSD350 6.6 (page 12) | |
| The SRD and the SR configuration tool shall use the CRC algorithm with the generator polynomial 04c11db7h, or another suitable CRC algorithm/polynomial. The CRC shall be calculated by the SR configuration tool and downloaded to the SRD after downloading the configuration. | FSD350 6.6.1 (page 12) | |
| The network cycle is split into slots, where each slot is 1 millisecond. Producers shall transmit their SR data in their configured slot index. | FSD350 7.3 (page 16) | N/A. |
| Consumers shall keep track of the age of the SR data. If the age of the data exceeds the configured safety timeout, the data shall be set to safe state (0). | FSD350 7.3 (page 16) | |
| The network cycle shall have at least two empty slots at the end of the cycle where no producers are configured to transmit. If a master wants to transmit a time sync packet, it shall be sent in the last slot of the cycle. | FSD350 7.3 (page 16) | |
| The active master shall not send time sync packets more often than once per 100 ms. The active master shall not send time sync packets less often than once per 500 ms. | FSD350 7.3.1 (page 17) | |
| The active master SCL shall verify that the time sync packet has been successfully transmitted on the bus at most 2 ms after transmitting the packet. If the transmission has failed or not started after 2 ms (for example due to CAN arbitration or other external errors), the transmission shall be aborted and any buffers cleared. | FSD350 7.3.1 (page 17) | |
| If only one SCL is connected to the bus (model A), the SCL shall forward the packet to the other SCL without unpacking (CAT3, HFT=1). | FSD350 7.3.3 (page 18) | |
| There shall only be one active master on the bus at a given time. If multiple SCLs can act as master, the SCL with the lowest transmitted SC-ID shall take the role of master. If a potential master joins the network late, before taking over the role as active master, the potential master shall first synchronize its global time to the current network global time. | FSD350 7.4.1 (page 19) | |
| If an SCL on the bus detects multiple active masters, it shall signal to the SRLD to enter safe state. | FSD350 7.4.1 (page 19) | |
| To avoid collisions between first time sync packets, potential masters shall wait and listen before sending the first time sync packet. The following formula specifies how long the potential master shall wait before sending the first time sync packet: \(t_{wait} = (ID - 0x30) \times 5\,\mathrm{ms}\), where ID is the lowest transmitted SC-ID of the potential master. | FSD350 7.3.4 (page 18) | |
| If any CAN error occurs during transmission of the time sync packet (for example, in case two masters try to transmit sync packets at the same time and a collision occurs), the masters shall back off and try again after \(t_{wait}\) milliseconds. | FSD350 7.4.1 (page 19) | |
| All SCLs shall start in the unsynced state. In the unsynced state, producers shall not transmit any SR data, and consumers shall discard all received SR data. | FSD350 7.4.2 (page 20) | |
| To enter synced state, at least two time sync packets from the same master shall be received, and the time difference between them shall be within ±2 ms of the receiver's internal time. | FSD350 7.4.2 (page 20) | |
| The time base in SRLDs shall have a maximum inaccuracy of 50 ppm. | FSD350 7.4.2 (page 20) | |
| If no time sync is received for 2000 ms, the SCL shall go to the unsynced state. | FSD350 7.4.2 (page 20) | |
| Receivers shall specify the guaranteed maximum time a received packet can be buffered for, and add this time to the age of all received time sync packets when calculating the global time. | FSD350 7.4.2 (page 20) | |
| The SRD shall perform the SR device configuration verification before entering normal operation. The SR device shall calculate a CRC signature as defined in 6.6.1. The calculated CRC signature shall be compared with the safety configuration signature (see 6.6.1). If both values are equal, the configuration shall be valid. | FSD350 8.1 (page 22) | |
| The SR configuration tool shall perform the configuration download to the SR devices in the network. | FSD350 8.1.1 (page 22) | |
| After downloading, the SR configuration tool shall read back the configuration and verify that it is correct before writing the configuration checksum. | FSD350 8.1.1 (page 22) | |
| The user is responsible for correctly addressing the SR devices on the network during configuration download. The safety manual of the SR devices shall contain instructions on how the user can achieve this (see 9.6). | FSD350 8.1.1 (page 22) | |
| The SR configuration tool shall have measures to help the user correctly address the SR devices. | FSD350 8.1.1 (page 22) | |
| Setup or change of the SCP configuration in an SRLD shall only be possible if the SRLD is in safe state. | FSD350 8.3 (page 22) | |
| No safety communication shall be possible in safe state. | FSD350 8.3 (page 22) | |
| Warm start after a fault shall only be possible with a complete reset and initialization of the SRLD. | FSD350 8.3 (page 22) | |
| If the safe 24-bit CRC is invalid for 1000 packets in one hour, the SCL shall signal to the SRLD to enter safe state. Note: An algorithm to achieve this is suggested: | FSD350 8.3 (page 22) | |
| The SRLDs implementing SimpleCAN shall implement measures against unauthorized access. | FSD350 8.4 (page 22) | |
| The following requirements shall be explained to the user in the safety manual: | FSD350 9.2 (page 23) | |
| The safety reaction time of SimpleCAN shall be the application-configured safety timeout. This timeout shall account for all components of the SCL. Note: This does not take into account other external delays, such as output relay switching time, input/output filtering, other communication interfaces, etc. | FSD350 9.3 (page 23) | |
| Implementers of SimpleCAN shall supply a safety manual with the following information at a minimum: | | |
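The synced/unsynced rules of FSD350 7.4.2 in the table above (two time sync packets from the same master agreeing within ±2 ms of the receiver's clock, the 2000 ms timeout, and the receive-buffer delay added to the packet age) as an added worked example in C; this is constructed for this page and is not SimpleCAN implementation code. The type and function names are assumptions, and dropping back to unsynced when two packets disagree is this example's conservative choice, not a rule stated in FSD350.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed example of the synced/unsynced handling in FSD350 7.4.2 (not FSD350 text). */
#define SYNC_TOLERANCE_MS 2     /* consecutive syncs must agree within +/-2 ms */
#define SYNC_TIMEOUT_MS   2000  /* no sync for 2000 ms -> unsynced */
typedef enum { SCL_UNSYNCED = 0, SCL_SYNCED = 1 } scl_state_t;
typedef struct {
    scl_state_t state;
    uint8_t  master_id;        /* SC-ID of the master being followed */
    bool     have_prev;        /* a previous sync from that master is stored */
    uint32_t prev_local_ms;    /* local clock when the last sync arrived */
    uint32_t prev_global_ms;   /* age-corrected global time it carried */
    int32_t  global_offset_ms; /* global - local, valid while synced */
    uint32_t rx_buffer_max_ms; /* guaranteed max receive buffering delay */
} scl_sync_t;

/* One received time sync packet. It may have waited up to rx_buffer_max_ms
 * in the receive buffer, so that delay is added to its age (7.4.2). */
void scl_on_time_sync(scl_sync_t *s, uint8_t master_id,
                      uint32_t global_ms, uint32_t local_now_ms)
{
    uint32_t global_adj = global_ms + s->rx_buffer_max_ms;
    if (s->have_prev && s->master_id == master_id) {
        /* elapsed local time minus elapsed global time since the previous sync */
        int32_t diff = (int32_t)(local_now_ms - s->prev_local_ms)
                     - (int32_t)(global_adj - s->prev_global_ms);
        if (diff >= -SYNC_TOLERANCE_MS && diff <= SYNC_TOLERANCE_MS) {
            s->state = SCL_SYNCED;
            s->global_offset_ms = (int32_t)(global_adj - local_now_ms);
        } else {
            s->state = SCL_UNSYNCED; /* conservative choice of this example */
        }
    }
    /* Remember this packet as the previous one (also for a first or new master). */
    s->master_id = master_id;
    s->have_prev = true;
    s->prev_local_ms = local_now_ms;
    s->prev_global_ms = global_adj;
}

/* Periodic check on the local clock: 2000 ms without a sync -> unsynced. */
scl_state_t scl_poll(scl_sync_t *s, uint32_t local_now_ms)
{
    if (local_now_ms - s->prev_local_ms > SYNC_TIMEOUT_MS) {
        s->state = SCL_UNSYNCED;
        s->have_prev = false; /* two fresh consistent syncs are needed again */
    }
    return s->state;
}
```

While unsynced the SCL must still discard received SR data and send none (7.4.2); that gating belongs in the producer and consumer paths and is not shown here.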
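One way to implement the FSD350 8.3 rule in the table above that 1000 invalid safe 24-bit CRCs within one hour must make the SCL signal safe state, as an added example in C: this is not the algorithm FSD350 suggests (that text is not reproduced on this page) and not project code; the names are assumptions, and it keeps a ring of the last 1000 error timestamps so the one-hour window is exact rather than bucketed.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed example for the 8.3 rule "1000 invalid CRCs within one hour ->
 * safe state". Not the algorithm FSD350 suggests; one exact way to meet it. */
#define CRC_ERR_LIMIT     1000u
#define CRC_ERR_WINDOW_MS 3600000u   /* one hour in milliseconds */

typedef struct {
    uint32_t ts[CRC_ERR_LIMIT]; /* local clock (ms) of recent invalid CRCs */
    uint32_t next;              /* ring index of the slot written next */
    uint32_t count;             /* entries stored, saturates at the limit */
    bool     safe_state;        /* latched: only a complete reset clears it (8.3) */
} crc_monitor_t;

/* Call once per received SR packet with the 24-bit CRC check result.
 * Returns true once the SRLD must be signalled to enter safe state. */
bool crc_monitor_on_packet(crc_monitor_t *m, bool crc_valid, uint32_t now_ms)
{
    if (m->safe_state || crc_valid)
        return m->safe_state;          /* valid packets do not count */
    m->ts[m->next] = now_ms;
    m->next = (m->next + 1) % CRC_ERR_LIMIT;
    if (m->count < CRC_ERR_LIMIT)
        m->count++;
    if (m->count == CRC_ERR_LIMIT) {
        /* The slot written next holds the oldest of the last 1000 invalid
         * packets; if it is at most an hour old, 1000 fell within one hour. */
        uint32_t oldest = m->ts[m->next];
        if (now_ms - oldest <= CRC_ERR_WINDOW_MS)
            m->safe_state = true;
    }
    return m->safe_state;
}

/* Warm start after a fault: only as part of a complete reset of the SRLD (8.3). */
void crc_monitor_reset(crc_monitor_t *m)
{
    m->next = 0;
    m->count = 0;
    m->safe_state = false;
}
```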