IEC PAS 62162: Fieldbus Safety Guidelines — Functional Safety for Industrial Communication

Understanding the safety-related communication requirements for fieldbus systems in industrial automation

IEC PAS 62162 provides essential guidelines for implementing functional safety over fieldbus communication systems in industrial automation environments. Published as a publicly available specification, this document addresses the growing need for safe data transmission in distributed control systems where field devices, sensors, and actuators communicate over digital networks rather than traditional point-to-point wiring. As industrial facilities increasingly adopt networked architectures for flexibility and reduced installation costs, ensuring that safety-related data maintains its integrity throughout the communication chain has become a critical engineering challenge.

The standard specifically targets fieldbus systems used in applications up to SIL 3 (Safety Integrity Level 3) as defined by IEC 61508, the umbrella standard for functional safety. It establishes requirements for the transmission of safety-related messages between devices connected to a fieldbus, covering aspects such as error detection capabilities, reaction times, and the communication behavior under fault conditions. The PAS status reflects its role as a pre-standard that captures industry best practices, drawing heavily from established safety fieldbus profiles such as PROFIsafe, which has become the dominant implementation for PROFIBUS and PROFINET safety communication.

IEC PAS 62162 applies to all types of fieldbus systems, not only PROFIBUS/PROFINET but also other communication networks used for safety-related applications. The key principle is that safety functions must be maintained even when the underlying communication channel experiences faults, including bit errors, message repetition, message loss, message insertion, incorrect sequencing, message corruption, delay, and masquerade.

Safety Communication Model and Error Detection

The standard defines a layered safety communication model where a safety layer sits above the standard fieldbus communication stack. This safety layer is responsible for adding safety-related information to each message, including sequence numbers, time stamps, and CRC (Cyclic Redundancy Check) codes. The recipient safety layer validates each incoming message before passing the data to the safety application. This separation ensures that the safety function is independent of the underlying fieldbus protocol, allowing the same safety communication principles to be applied across different bus systems.

Error detection is the cornerstone of safety fieldbus communication. IEC PAS 62162 requires that the safety protocol detect a comprehensive set of communication failures with high probability. The Hamming distance of the safety code must be sufficient to detect multiple-bit errors, and the residual error rate for undetected dangerous failures must be below 10⁻⁹ per hour of operation for SIL 3 applications. This is achieved through a combination of techniques including CRC codes with at least 16-bit polynomials, consecutive number monitoring, time expectation monitoring, and sender/receiver cross-checking using a unique device identifier in each message.

Safety Communication Failure Types and Detection Mechanisms per IEC PAS 62162

| Failure Type | Description | Detection Mechanism |
| --- | --- | --- |
| Message repetition | Same message received twice | Consecutive number check |
| Message loss | Expected message not received | Timeout monitoring + consecutive number |
| Message insertion | Foreign message injected | Source/destination ID + CRC |
| Incorrect sequence | Messages in wrong order | Consecutive number sequencing |
| Message corruption | Data altered in transit | CRC-16/CRC-32 integrity check |
| Delay | Message arrives too late | Time expectation + watchdog timer |
| Masquerade | Fake sender identity | Unique sender ID in each message |

A critical aspect of the safety model is the “black channel” principle. The safety layer treats the underlying fieldbus as a completely unreliable transmission medium — a black channel — without relying on any safety properties of the bus protocol itself. This conservative assumption means that the safety communication must be self-sufficient in detecting all possible errors, regardless of what protections the fieldbus protocol provides. This principle dramatically simplifies certification because the safety layer can be independently assessed without requiring changes to the standard fieldbus components.

When designing safety-related fieldbus systems, engineers must be aware that the “black channel” assumption requires the safety layer to detect even errors that the fieldbus protocol already handles. For example, if the fieldbus CRC detects a corrupt message and discards it, the safety layer must still detect this as message loss through its own timeout mechanism. This redundancy is intentional and essential for achieving the required safety integrity level.
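As an added example (not code from IEC PAS 62162 or any vendor safety stack), the receiver below applies the detection mechanisms listed in the table above to frames arriving over a black channel; the frame layout, the 0x1021 CRC polynomial and the watchdog value are assumptions. Its tick() makes the point just described: a frame the fieldbus discards never reaches the safety layer, so only the safety layer's own time expectation turns that event into a detected loss.

```python
# Added example (not IEC PAS 62162 or vendor code): a minimal safety-layer receiver
# for frames from an untrusted black channel; frame layout and polynomial are assumed.
import struct

# Constructed frame: sender ID (2 B), consecutive number (1 B), 4 B payload, CRC-16 (2 B)
HDR = struct.Struct(">HB4s")

def crc16(data: bytes) -> int:
    """Bitwise CRC-16, MSB-first, polynomial 0x1021, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def build_frame(sender_id: int, cn: int, payload: bytes) -> bytes:
    body = HDR.pack(sender_id, cn & 0xFF, payload)
    return body + struct.pack(">H", crc16(body))

class SafetyReceiver:
    def __init__(self, expected_sender: int, watchdog_ms: int):
        self.expected_sender, self.watchdog_ms = expected_sender, watchdog_ms
        self.last_cn = None  # consecutive number of the last accepted frame
        self.last_ok_ms = 0  # receiver clock when it was accepted
        self.fail_safe = False

    def _fault(self, kind: str) -> str:
        self.fail_safe = True  # defined safe state, e.g. outputs de-energised
        return kind

    def tick(self, now_ms: int):
        """Time expectation: no accepted frame within the watchdog means loss
        or delay, including frames the fieldbus CRC already discarded."""
        late = now_ms - self.last_ok_ms > self.watchdog_ms
        return self._fault("timeout") if late else None

    def receive(self, frame: bytes, now_ms: int):
        """Validate one frame; return None if accepted, else the failure type."""
        body, rx_crc = frame[:-2], int.from_bytes(frame[-2:], "big")
        if len(frame) != HDR.size + 2 or crc16(body) != rx_crc:
            return self._fault("corruption")  # CRC integrity check
        sender, cn, _payload = HDR.unpack(body)
        if sender != self.expected_sender:
            return self._fault("masquerade")  # unique sender ID, also insertion
        if self.last_cn is not None and cn == self.last_cn:
            return self._fault("repetition")  # consecutive number check
        if self.last_cn is not None and cn != (self.last_cn + 1) & 0xFF:
            return self._fault("loss_or_sequence")  # gap or reordering
        self.last_cn, self.last_ok_ms = cn, now_ms
        return None
```

Once fail_safe is set the receiver stays in the safe state; a real device would leave it only after an explicit operator acknowledgement, which this example omits.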

System Design and Performance Requirements

IEC PAS 62162 establishes quantitative requirements for safety communication performance. The safety reaction time — the maximum time between a dangerous condition occurring and the safety system initiating the appropriate response — must be specified for each application. For typical industrial applications, reaction times range from 10 ms for high-speed protective functions (such as light curtains on packaging machinery) to several seconds for process safety functions (such as emergency shutdown valves in chemical plants). The standard also requires that the safety communication be proven to meet the target SIL under worst-case delay conditions, including bus loading at maximum capacity, device processing delays, and retransmission due to detected errors.

Fault handling and system behavior on error detection are equally important. When a safety-related message fails its integrity check, the receiver must enter a defined safe state within the specified fail-safe time. The standard defines two approaches: “fail-safe” where the device transitions to a predefined safe condition (e.g., opening all safety contacts), and “fail-operational” where the device maintains safe operation using the last valid data while attempting retransmission. The choice between these approaches depends on the application: fail-safe is appropriate when any uncertainty should result in a shutdown, while fail-operational is preferred for processes where unnecessary shutdowns create significant economic or safety risks of their own, such as in petrochemical refining or power generation.

Typical Safety Communication Performance Parameters

| Parameter | Typical Range | SIL 3 Requirement |
| --- | --- | --- |
| Safety reaction time | 10 ms – 5 s | Application-dependent |
| Residual error rate | < 10⁻⁹ failures/h | SIL 3 band: ≥ 10⁻⁸ to < 10⁻⁷ (PFD/PFH) |
| CRC polynomial | 16-bit to 32-bit | Minimum 16-bit for SIL 3 |
| Maximum bus devices | 32 – 125 nodes | Depends on bus system |
| Safe state transition | < 2 × watchdog time | Must be deterministic |

A well-engineered safety fieldbus system can significantly reduce total cost of ownership compared to conventional hardwired safety circuits. The savings come from reduced cabling (a single fieldbus cable replaces dozens of individual safety wires), simplified diagnostics (the bus provides continuous health monitoring of all connected devices), and greater flexibility (safety logic can be modified through software rather than rewiring). These advantages typically yield 30-50% reduction in installation costs and 20-30% reduction in commissioning time for complex safety systems.

Engineering Design Insights for Safety Fieldbus Implementation

When implementing IEC PAS 62162 guidelines in practical systems, several engineering considerations merit careful attention. First, the topology of the fieldbus network directly affects safety reaction time. In a daisy-chain configuration, each device introduces processing latency of typically 0.1-1 ms per node. For a line with 20 devices, this adds up to 20 ms of cumulative delay — potentially exceeding the safety reaction time requirement for fast applications. Star topologies using active infrastructure components can reduce this cumulative delay but introduce additional failure modes because the switch or hub becomes a single point of failure that must itself be safety-qualified.

Second, the coexistence of safety-related and non-safety communication on the same fieldbus cable must be carefully managed. IEC PAS 62162 requires that non-safety traffic must not degrade the safety communication performance below the required level. This is typically achieved through bandwidth reservation or priority-based scheduling. In practice, engineers should allocate no more than 50-60% of the available bus bandwidth to non-safety traffic to ensure that safety messages always have sufficient margin for retransmission under worst-case conditions. For PROFINET systems, this means carefully sizing the isochronous real-time (IRT) window to guarantee safe communication timing.

Third, device qualification and certification require documented evidence that the safety communication stack meets the requirements. This includes fault injection testing where every type of communication failure is systematically introduced to verify that the detection mechanisms work correctly. The standard recommends at least 10⁷ test messages for statistical confidence in the residual error rate measurement, making automated test frameworks essential for practical certification programs. Engineering teams should budget approximately 3-6 months for the certification process of a new safety fieldbus device, with the communication stack validation representing roughly 40% of the total certification effort.

Fourth, long-term maintenance must account for the fact that safety-related parameters may drift over time. The standard recommends periodic proof testing of safety communication at intervals determined by the required SIL and the device’s failure rate. For SIL 3 applications, proof testing intervals typically range from 1 to 5 years, and the test must verify that the residual error rate remains within the required bounds. Modern safety fieldbus systems include built-in diagnostic functions that continuously monitor communication statistics, significantly reducing the burden of manual proof testing.

One of the most common design errors in safety fieldbus systems is inadequate consideration of common-cause failures. If a single event — such as a power supply failure, electromagnetic interference pulse, or physical cable damage — can simultaneously corrupt both the fieldbus communication and the safety logic, then the system’s immunity to common-cause failures must be verified. Design measures include physically separated cable routing for redundant buses, galvanic isolation of bus interfaces, and diversity in communication protocols or CRC algorithms.

Q1: Can any fieldbus be used for safety applications?

A: Not directly. The fieldbus protocol provides the physical transport, but a safety layer (such as PROFIsafe or CIP Safety) must be added on top. IEC PAS 62162 provides the guidelines for designing this safety layer, regardless of the underlying bus system.

Q2: What is the difference between a “black channel” and a “white channel”?

A: A black channel treats the communication medium as completely unreliable, relying solely on the safety layer for error detection. A white channel assumes some properties of the underlying bus can be trusted, reducing the safety layer requirements. The black channel approach is more conservative and simplifies certification because the safety layer can be assessed independently.

Q3: How does the safety reaction time affect system design?

A: The safety reaction time determines how quickly the system must detect and respond to a dangerous condition. It affects the choice of bus topology (star vs. daisy-chain), the watchdog timer settings, and the maximum number of devices per bus segment. Faster reaction times require more aggressive monitoring and typically reduce the maximum network size.

Q4: What SIL levels can be achieved with safety fieldbus?

A: With proper implementation, safety fieldbus systems based on IEC PAS 62162 can achieve SIL 3 (per IEC 61508). Achieving SIL 4 would require additional measures beyond what the PAS specifies, as SIL 4 typically demands redundant communication channels with diverse implementations.
