Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IEC TR 62685, published as a Technical Report in 2010, provides guidance on communication profiles for functional safety in industrial communication networks. Developed by IEC Technical Committee 65 (Industrial-Process Measurement, Control and Automation), this document addresses the critical challenge of transmitting safety-related information over standard industrial communication networks. As modern industrial automation systems increasingly rely on networked control architectures, the need to integrate safety functions — emergency stop, light curtain monitoring, safety gate interlock, two-hand control, and safe torque-off — into the same communication infrastructure as standard control data has become paramount for reducing system complexity, wiring costs, and machine footprint.
The Technical Report describes how different safety communication profiles implement the requirements of IEC 61784-3 (Functional safety fieldbuses) and the general functional safety standard IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems). The key innovation of industrial safety communication is the “black channel” principle, where the safety communication layer operates independently of the underlying standard communication network. This means that the safety protocol treats the standard communication channel as a “black box” — it does not rely on the standard network’s error detection mechanisms but instead implements its own comprehensive error detection at the safety layer. This principle allows safety and standard data to share the same physical network without safety certification of the entire network infrastructure, dramatically reducing implementation complexity and cost.
The foundation of all industrial safety communication profiles is the set of error detection mechanisms specified in IEC 61784-3. These mechanisms address the potential communication failures that could lead to hazardous situations: repetition (unintended re-transmission of a message), deletion (loss of a message), insertion (introduction of spurious messages), corruption (alteration of message content), sequence (messages arriving in wrong order), delay (messages arriving too late), and masquerade (a message from a non-safety source appearing to come from a safety source). Each safety communication profile implements a combination of error detection measures to achieve the required residual error probability — typically less than 10^-9 per hour for SIL 3 applications, as derived from the overall risk reduction requirements of IEC 61508.
The standard error detection measures used across all profiles include: sequence numbering with consecutive message numbers to detect repetition, deletion, insertion, and sequence failures; time expectation with a watchdog timer at the receiver to detect delay failures using a defined transmission interval (typically 1-100 ms depending on the application safety requirements); source and destination addressing (connection identifier) to prevent masquerade and cross-communication between different safety domains; data integrity assurance using a Cyclic Redundancy Check that is computed over the safety-critical data fields and includes the sequence number and addressing information in the CRC calculation scope to protect against corruption; and an optional authenticity assurance mechanism using a cryptographic signature in higher-SIL applications where additional protection against systematic failures is required. The CRC length used by the common safety profiles ranges from 16 bits to 32 bits, with the longer CRC employed for higher SIL levels and longer safety data payloads.
| Feature | PROFIsafe | CIP Safety | Safety over Open |
|---|---|---|---|
| Base network | PROFIBUS / PROFINET | EtherNet/IP, DeviceNet | Various (Ethernet-based) |
| Maximum SIL | SIL 3 (IEC 61508) | SIL 3 (IEC 61508) | SIL 3 (IEC 61508) |
| CRC length | 3-4 bytes (CRC) | 4 bytes (CRC) | 4 bytes (CRC) |
| Sequence number | 16-bit consecutive | 8-bit consecutive | 16-bit consecutive |
| Watchdog timeout | 1-65535 ms (configurable) | 1-65535 ms (configurable) | 1-65535 ms (configurable) |
| Safety data payload | 1-12 bytes typical | 1-32 bytes typical | 1-512 bytes max |
| Black channel | Yes | Yes | Yes |
| Certification body | TÜV (PI) | TÜV (ODVA) | TÜV (various) |
| Typical application | Factory automation, process | Factory automation, motion | Process, machinery |
Each safety communication profile packages these error detection measures into a specific protocol data unit (PDU) structure. In PROFIsafe, for example, the safety PDU consists of a control byte (containing sequence number, control/status bits, and toggle bit), the safety data bytes (user-specific safety process data), and a CRC checksum covering both the control byte and the data bytes. At SIL 3, PROFIsafe uses a 32-bit CRC based on the IEEE 802.3 CRC-32 polynomial, further strengthened by an individual device-specific CRC initialization value (CRC seed) that is assigned during device commissioning and serves as a unique communication identifier. This CRC seed, combined with the device F-parameter set, ensures that even if two safety devices on the same network have identical hardware, their communication cannot cross-interfere at the safety layer. The F-parameter set includes watchdog time, PROFIsafe address, SIL level, CRC length, and behavior after communication failure — each parameter verified by CRC and acknowledged during connection establishment.
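The following Python model, added here as an illustration and not taken from PROFIsafe, CIP Safety or any certified stack, ties the mechanisms above together: a sender numbers each cyclic telegram and protects sequence number, safety data and destination address with a seeded CRC-32, and a receiver applies the time expectation, CRC and sequence checks before accepting data, dropping into its safe state on the first failure. The PDU layout, the F-parameter values (`F_DEST_ADDR`, `F_WD_TIME_MS`, `CRC_SEED`) and the use of zlib's running-checksum argument as the connection-specific seed are simplifying assumptions of this example. `run_scenarios` then injects one instance of each failure class (repetition, deletion, corruption, delay, masquerade) to show which check catches it.

```python
"""Toy black-channel safety layer: builds and checks a simplified safety PDU.
Added illustration, not PROFIsafe or CIP Safety code. Assumed, simplified layout:
    seq (2 bytes, big-endian) | safety data (n bytes) | CRC-32 (4 bytes)
The CRC scope is seq + data + destination address, started from a per-connection seed."""
import struct
import zlib

# Constructed parameters standing in for an F-parameter set (illustrative values).
F_DEST_ADDR = 0x0105      # connection identifier / destination address
F_WD_TIME_MS = 100        # watchdog (monitoring) time in ms
CRC_SEED = 0xA5A5F00D     # device-specific seed assigned at commissioning
OTHER_SEED = 0x1234ABCD   # seed of some other safety connection on the same wire


def safety_crc(seq: int, data: bytes, dest_addr: int, seed: int) -> int:
    """CRC-32 (IEEE 802.3 polynomial, via zlib) over sequence number, safety data
    and destination address. zlib's second argument is its running-checksum input;
    using it as the seed is a simplification of a profile's initial value."""
    scope = struct.pack(">H", seq) + data + struct.pack(">H", dest_addr)
    return zlib.crc32(scope, seed) & 0xFFFFFFFF


class SafetySender:
    def __init__(self, dest_addr: int, seed: int):
        self.dest_addr, self.seed, self.seq = dest_addr, seed, 0

    def build(self, data: bytes) -> bytes:
        """Emit the next cyclic telegram; the counter wraps at 16 bits."""
        crc = safety_crc(self.seq, data, self.dest_addr, self.seed)
        pdu = struct.pack(">H", self.seq) + data + struct.pack(">I", crc)
        self.seq = (self.seq + 1) & 0xFFFF
        return pdu


class SafetyReceiver:
    """Receiver side: none of these checks rely on the underlying network."""

    def __init__(self, dest_addr: int, seed: int, wd_time_ms: int):
        self.dest_addr, self.seed, self.wd_time_ms = dest_addr, seed, wd_time_ms
        self.expected_seq, self.last_rx_ms = 0, None
        self.fault = None   # None while healthy, else the detected failure class

    def _to_safe_state(self, reason: str):
        self.fault = self.fault or reason   # first fault wins; outputs stay de-energised
        return None

    def tick(self, now_ms: int) -> None:
        """Time expectation: driven by a local timer, not by telegram arrival."""
        if self.fault is None and self.last_rx_ms is not None \
                and now_ms - self.last_rx_ms > self.wd_time_ms:
            self._to_safe_state("delay")

    def receive(self, pdu: bytes, now_ms: int):
        """Return accepted safety data, or None once the device is in its safe state."""
        self.tick(now_ms)
        if self.fault is not None:
            return None
        if len(pdu) < 6:
            return self._to_safe_state("crc")
        seq = struct.unpack(">H", pdu[:2])[0]
        data, crc = pdu[2:-4], struct.unpack(">I", pdu[-4:])[0]
        # Data integrity plus connection authentication: a corrupted telegram and a
        # telegram of another connection (different seed/address) both fail here.
        if crc != safety_crc(seq, data, self.dest_addr, self.seed):
            return self._to_safe_state("crc")
        # Sequence number: an old telegram is a repetition, a gap means deletion
        # (or insertion/reordering, which look the same from this side).
        if seq != self.expected_seq:
            return self._to_safe_state("repetition" if seq < self.expected_seq else "deletion")
        self.expected_seq = (seq + 1) & 0xFFFF
        self.last_rx_ms = now_ms
        return data


def run_scenarios() -> dict:
    """Inject one failure class per fresh sender/receiver pair; return the faults seen."""
    def pair():
        return (SafetySender(F_DEST_ADDR, CRC_SEED),
                SafetyReceiver(F_DEST_ADDR, CRC_SEED, F_WD_TIME_MS))
    results = {}

    tx, rx = pair()                                  # healthy cyclic exchange
    for t in (0, 50, 100):
        rx.receive(tx.build(b"\x01"), t)
    results["normal"] = rx.fault

    tx, rx = pair()                                  # the same telegram delivered twice
    t0 = tx.build(b"\x01")
    rx.receive(t0, 0)
    rx.receive(t0, 50)
    results["repetition"] = rx.fault

    tx, rx = pair()                                  # one telegram lost on the channel
    rx.receive(tx.build(b"\x01"), 0)
    tx.build(b"\x01")                                # built but never delivered
    rx.receive(tx.build(b"\x01"), 50)
    results["deletion"] = rx.fault

    tx, rx = pair()                                  # one payload bit flipped in transit
    t0 = bytearray(tx.build(b"\x01"))
    t0[2] ^= 0x80
    rx.receive(bytes(t0), 0)
    results["corruption"] = rx.fault

    tx, rx = pair()                                  # nothing arrives within the watchdog
    rx.receive(tx.build(b"\x01"), 0)
    rx.tick(150)
    results["delay"] = rx.fault

    _, rx = pair()                                   # well-formed telegram of another connection
    rx.receive(SafetySender(F_DEST_ADDR, OTHER_SEED).build(b"\x01"), 0)
    results["masquerade"] = rx.fault
    return results


if __name__ == "__main__":
    for name, fault in run_scenarios().items():
        print(f"{name:12s} -> {'OK' if fault is None else 'safe state (' + fault + ')'}")
```

Note that corruption and masquerade both surface as a CRC failure: the receiver cannot tell a damaged telegram from a valid telegram of the wrong connection, and does not need to, because the seed and address inside the CRC scope make both fail the same check. The watchdog is evaluated from a local timer (`tick`), since a lost link delivers no telegram at all to trigger a check.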
| Error Detection Measure | Repetition | Deletion | Insertion | Corruption | Sequence | Delay | Masquerade |
|---|---|---|---|---|---|---|---|
| Sequence number | ✓ | ✓ | ✓ | | ✓ | | |
| Time expectation (watchdog) | | ✓ | | | | ✓ | |
| Source/destination address | | | ✓ | | | | ✓ |
| CRC / data integrity | | | | ✓ | | | ✓ |
| Authenticity (cryptographic) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
PROFIsafe, the most widely deployed safety communication profile in factory automation, operates on the black channel principle over PROFIBUS DP and PROFINET IO. The key design principle is the “safety isolation layer” between the standard communication stack and the safety application. The F-host (safety controller) and F-device (safety field device) each implement a safety layer that adds and evaluates the safety protocol information before passing data to the safety application. PROFIsafe was originally developed by Siemens and subsequently standardized as IEC 61784-3-2 (Additional fieldbus profiles for PROFIBUS and PROFINET). The safety data exchange operates on a cyclic basis with a configurable “F-monitoring time” (watchdog), which defines the maximum acceptable gap between successive safety telegrams. If the safety receiver does not receive a valid safety telegram within this monitoring window, it transitions to the configured safe state — typically removing power from actuators, engaging brakes, or halting motion. The transition to the safe state must be completed within the specified “F-parameter safe reaction time,” which is the maximum time allowed from fault detection to reaching the safe state and accounts for both the residual telegram timeout and the internal processing and output delay of the safety device.
CIP Safety, developed by Rockwell Automation and standardized as IEC 61784-3-3 (Additional fieldbus profiles for DeviceNet and EtherNet/IP), follows similar principles but with adaptations for the Common Industrial Protocol (CIP) application layer. CIP Safety uses a “Safety-over-CIP” architecture where safety data is encapsulated within standard CIP messages but marked with a safety-specific header that triggers processing by the safety layer in the end device rather than by standard CIP connections. One key difference from PROFIsafe is that CIP Safety uses an 8-bit sequence number instead of 16-bit, reducing protocol overhead for the typically shorter safety data payloads common in discrete manufacturing applications. The shorter sequence space requires more careful handling of the wrap-around condition — CIP Safety uses a “ping-pong” toggle bit to distinguish between consecutive passes through the sequence number space, effectively extending the sequence detection capability. CIP Safety also supports a “connectionless” safety communication mode for certain applications, including safety interlocks between CIP Safety controllers without requiring a pre-configured safety connection, simplifying system configuration for distributed safety architectures.
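To make the wrap-around point concrete, here is an added Python sketch (an illustration of the counter-plus-toggle idea described above, not CIP Safety's actual frame format or stack code) of an 8-bit sequence counter with a pass toggle bit that flips every time the counter wraps. It stages the one case a bare 8-bit counter cannot see: a stale telegram replayed exactly 256 cycles later, when its sequence number is once again the expected one. The receiver class, function names and the 256-telegram stream are assumptions of this example.

```python
"""8-bit sequence number with a pass toggle bit (added illustration, assumed design)."""


def next_expected(seq: int, toggle: int) -> tuple:
    """Advance the (seq, toggle) pair; the toggle flips each time the counter wraps."""
    seq = (seq + 1) & 0xFF
    return seq, (toggle ^ 1) if seq == 0 else toggle


class ToggleSeqChecker:
    """Receiver-side sequence check; use_toggle=False models a bare 8-bit counter."""

    def __init__(self, use_toggle: bool = True):
        self.expected = (0, 0)
        self.use_toggle = use_toggle
        self.faults = 0

    def check(self, seq: int, toggle: int) -> bool:
        ok = seq == self.expected[0] and (not self.use_toggle or toggle == self.expected[1])
        if ok:
            self.expected = next_expected(*self.expected)
        else:
            self.faults += 1
        return ok


def replay_detected(use_toggle: bool) -> bool:
    """Deliver 256 genuine telegrams, then replay the very first one (seq 0, toggle 0)
    at the moment the counter has wrapped and seq 0 is expected again.
    Returns True if the stale telegram is rejected."""
    sender = (0, 0)
    first = sender
    chk = ToggleSeqChecker(use_toggle)
    for _ in range(256):
        assert chk.check(*sender)          # constructed healthy stream
        sender = next_expected(*sender)
    # The genuine next telegram would be (0, 1); the replay carries (0, 0).
    return not chk.check(*first)


if __name__ == "__main__":
    print("bare 8-bit counter catches 256-cycle replay:", replay_detected(False))
    print("counter + toggle bit catches 256-cycle replay:", replay_detected(True))
```

Without the toggle the stale telegram is accepted as if it were the genuine next one, and the fault only shows up one cycle later when the real telegram arrives with a now-unexpected number, after the stale data has already been acted upon. For the toggle to help, it must of course sit inside the CRC scope like the sequence number itself.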
From an engineering design perspective, the implementation of safety communication profiles requires careful attention to several key factors. The safety system design must begin with a thorough risk assessment per ISO 12100 and IEC 62061 to determine the required SIL for each safety function. The safety communication profile must then be selected based on the application requirements, network topology, and compatibility with the chosen safety controller and field devices. The system designer must verify the F-parameter configuration, particularly the watchdog time setting, which must be long enough to accommodate the worst-case communication delay including network load, device processing time, and retransmission delays, but short enough to achieve the required safety reaction time for each specific safety function. The residual error probability of the complete safety communication channel must be calculated and documented per IEC 61508-2, demonstrating that the target SIL failure measure is achieved.
For multi-vendor systems, interoperability testing is critical even when all devices claim compliance with the same safety communication profile. Manufacturers may implement profile options differently, particularly in areas such as F-parameter range support, safe state behavior during communication loss, and diagnostic data reporting. IEC TR 62685 recommends that system integrators conduct a comprehensive factory acceptance test (FAT) of all safety communication between the safety controller and each safety device before site installation, including verification of data consistency, timing performance, error injection testing to validate proper fault response, and safe state verification under all expected failure scenarios. For process industry applications, additional considerations include the integration of safety communication with the process safety time requirements per IEC 61511, ensuring that the communication cycle time is sufficiently shorter than the process safety time to allow multiple communication attempts before the process safety time elapses.
Diagnostic data is an often underutilized but critical feature of safety communication profiles. PROFIsafe provides extensive diagnostic capabilities through the standard PROFINET alarm mechanism, enabling safety devices to communicate maintenance-related information such as the remaining lifetime of safety contactors or redundancy degradation in dual-channel sensor configurations. CIP Safety provides similar diagnostics through the CIP object model, with safety device object classes defining standardized diagnostic data fields accessible by higher-level maintenance and asset management systems. The integration of safety diagnostic data into overall plant condition monitoring systems enables predictive maintenance of safety functions, reducing the risk of undetected safety device failures while avoiding unnecessary functional safety tests that require machine downtime. Engineers should specify diagnostic data requirements early in the safety system design process to ensure that the selected safety communication profile and devices provide the necessary diagnostic coverage.