EN 50325-5:2010
Industrial communications subsystem based on ISO 11898 (CAN) for controller-device interfaces - Part 5: Functional safety communication based on EN 50325-4
SLOVENIAN STANDARD
01-september-2010
Industrijski komunikacijski podsistemi, ki temeljijo na ISO 11898 (CAN) za vmesnike krmilnikov - 5. del: Funkcionalno varna komunikacija na osnovi EN 50325-4
Industrial communications subsystem based on ISO 11898 (CAN) for controller-device interfaces - Part 5: Functional safety communication based on EN 50325-4
Industrielles Kommunikationssubsystem basierend auf ISO 11898 (CAN) - Teil 5: Funktional sichere Kommunikation basierend auf EN 50325–4
Sous-système de communications industriel basé sur l'ISO 11898 (CAN) pour les interfaces des dispositifs de commande - Partie 5: Communication de sécurité fonctionnelle basée sur EN 50325-4
This Slovenian standard is identical to: EN 50325-5:2010
ICS:
35.240.50 IT applications in industry
43.040.15 Car informatics. On board computer systems
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EUROPEAN STANDARD
EN 50325-5
NORME EUROPÉENNE
July 2010
EUROPÄISCHE NORM
ICS 43.040.15
English version
Industrial communications subsystem based on ISO 11898 (CAN)
for controller-device interfaces -
Part 5: Functional safety communication based on EN 50325-4
Sous-système de communications industriel basé sur l'ISO 11898 (CAN) pour les interfaces des dispositifs de commande - Partie 5: Communication de sécurité fonctionnelle basée sur EN 50325-4
Industrielles Kommunikationssubsystem basierend auf ISO 11898 (CAN) - Teil 5: Funktional sichere Kommunikation basierend auf EN 50325-4
This European Standard was approved by CENELEC on 2010-07-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus,
the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Sweden, Switzerland and the United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Management Centre: Avenue Marnix 17, B - 1000 Brussels
© 2010 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 50325-5:2010 E
Foreword
This European Standard was prepared by the Technical Committee CENELEC TC 65CX, Fieldbus.
It was submitted to the formal vote and was approved by CENELEC as EN 50535-5 on 2010-07-01.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop) 2011-07-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow) 2013-07-01
__________
- 3 - EN 50325-5:2010
Contents
Introduction . 5
1 Scope . 8
2 Normative references . 8
3 Terms, definitions, symbols, abbreviated terms and conventions . 9
3.1 Terms and definitions . 9
3.2 Symbols and abbreviated terms. 9
3.3 Conventions . 10
4 Overview of CANopen Safety . 10
5 General . 11
5.1 External documents providing specifications for the profile . 11
5.2 Safety functional requirements. 11
5.3 Safety measures . 12
5.4 Safety communication layer structure . 12
5.5 Relationships with FAL . 13
6 Safety communication layer services . 13
6.1 Introduction . 13
6.2 SR data object (SRDO) . 13
6.3 Global fail-safe command (GFC) . 14
6.4 SR communication objects . 15
7 Safety communication layer protocol . 26
7.1 SRDO . 26
7.2 GFC . 28
8 Safety communication layer management . 28
8.1 Overview . 28
8.2 SR network initialization and system boot-up . 28
8.3 SR device and network configuration . 29
9 System requirements . 29
9.1 Indicators and switches . 29
9.2 Installation guidelines . 29
9.3 Safety function response time . 29
9.4 Constraints for the calculation of system characteristics . 31
9.5 Maintenance . 31
9.6 Safety manual . 31
10 Assessment . 31
11 Conformance . 32
Annex A (informative) Example SR communication models . 33
A.1 General . 33
A.2 Model I . 33
A.3 Model II . 33
A.4 Model III . 34
A.5 Model IV . 34
Bibliography . 35
Figures
Figure 1 — Safety-related definitions in this standard . 5
Figure 2 — Relationships of EN 50325–5 with other standards (machinery) . 6
Figure 3 — Relationships of EN 50325–5 with other standards (process) . 7
Figure 4 — Relationship of SR data objects. 11
Figure 5 — Communication layers . 13
Figure 6 — Example of SRDO transmission . 14
Figure 7 — Example of SCT timing . 26
Figure 8 — Example of SRVT timing . 27
Figure 9 — SRDO write . 27
Figure 10 — GFC write . 28
Figure 11 — Safety function response time . 30
Figure A.1 — Model I . 33
Figure A.2 — Model II . 33
Figure A.3 — Model III . 34
Figure A.4 — Model IV . 34
Tables
Table 1 — Communication errors and safety measures matrix . 12
Table 2 — SRDO write . 14
Table 3 — SRDO communication parameter record . 15
Table 4 — Object definition . 16
Table 5 — Entry definition . 17
Table 6 — Value definition . 19
Table 7 — Object definition . 19
Table 8 — Entry definition . 20
Table 9 — SR parameter data for SRDO 1 for CRC calculation . 23
Table 10 — Object definition . 23
Table 11 — Entry definition . 24
Table 12 — Object definition . 25
Table 13 — Entry definition . 25
Table 14 — Object definition . 26
Table 15 — Entry definition . 26
Introduction
The EN 50325-4 fieldbus standard defines a communication protocol that enables distributed control of automated applications. Fieldbus technology is now considered well accepted and well proven. Thus many fieldbus enhancements are emerging, addressing not yet standardized areas such as real time, safety-related and security-related applications.
This European Standard specifies a safety communication layer (profile and corresponding protocols) based on the communication profile and protocol layer of EN 50325-4. The relevant principles for functional safety communication with reference to the EN 61508 series are explained in EN 61784–3. Unlike EN 61784–3, this standard uses a white channel approach. It does not cover electrical safety and intrinsic safety aspects.
Figure 1 shows the safety-related definitions in this standard. When implementing this standard, additional measures to ensure integrity with the requirements of the EN 61508 series shall be taken (marked blue and dashed blue in Figure 1).
Figure 1 — Safety-related definitions in this standard
Figure 2 shows the relationships between this standard and relevant safety and fieldbus standards in a
machinery environment.
[Figure 2 content: product standards EN ISO 12100–1 and EN ISO 14121 (safety of machinery, principles for design and risk assessment), EN 61496 (safety for e.g. light curtains), EN 61131–6 (safety for PLC, under consideration), EN 61800–5–2 (safety functions for drives), EN ISO 10218–1 (safety requirements for robots); EN 61784–3 (industrial communication networks, profiles, Part 3: functional safety fieldbuses, common part); EN 61918 (installation guide, common part); design objective either SIL based, EN 62061 (functional safety for machinery, SRECS), or PL based, EN ISO 13849–1, –2 (safety-related parts of machinery, SRPCS); applicable standards EN 60204–1 (safety of electrical equipment of machinery), EN 61000–1–2 (methodology EMC and functional safety), EN 61326–3–1 (test EMC and functional safety); EN 50325–5 (functional safety communication based on EN 50325–4, CANopen Safety); EN 50325–4 (industrial communication subsystem based on ISO 11898 (CAN) for controller-device interfaces, Part 4: CANopen); EN 61508 series (functional safety, basic standard, including EMI for industrial environment); US: NFPA 79 (2006).]
Key
(yellow) safety-related standards
(blue) fieldbus-related standards
(dashed yellow) this standard
NOTE Subclauses 6.7.6.4 (high complexity) and 6.7.8.1.6 (low complexity) of EN 62061 specify the relationship between PL (category)
and SIL.
Figure 2 — Relationships of EN 50325–5 with other standards (machinery)
Figure 3 shows the relationships between this standard and relevant safety and fieldbus standards in a
process environment.
[Figure 3 content: product standards EN 61496 (safety for e.g. light curtains), EN 61131–6 (safety for PLC, under consideration), EN 61800–5–2 (safety functions for drives), EN ISO 10218–1 (safety requirements for robots), see the safety standards for machinery in Figure 2, valid also in process industries whenever applicable; EN 61784–3 (industrial communication networks, profiles, Part 3: functional safety fieldbuses, common part); EN 61918 (installation guide, common part); EN 61326–3–2* (EMC and functional safety); EN 50325–5 (functional safety communication based on EN 50325–4, CANopen Safety); EN 50325–4 (industrial communication subsystem based on ISO 11898 (CAN) for controller-device interfaces, Part 4: CANopen); EN 61508 series (functional safety, basic standard); EN 61511 series, Parts 1 - 4 (functional safety, safety instrumented systems for the process industry sector); US: ISA-84.00.01 (3 parts = modified IEC 61511); DE: VDI 2180.]
Key
(yellow) safety-related standards
(blue) fieldbus-related standards
(dashed yellow) this standard
* For specified electromagnetic environments; otherwise EN 61326-3-1.
Figure 3 — Relationships of EN 50325–5 with other standards (process)
In other environments than machinery and process control, like for example medical devices or railway
systems, other standards instead may apply. The user of this standard has to take care that all related
standards for the corresponding environment are considered.
Safety communication layers, which are implemented as part of safety-related systems according to
EN 61508 series, provide the necessary confidence in the transportation of messages (information) between
two or more participants on a field bus in a safety-related system, or sufficient confidence of safe behaviour
in the event of fieldbus errors or failures.
The safety communication layer specified in this standard does this in such a way that a fieldbus can be used for applications requiring functional safety up to the Safety Integrity Level (SIL) specified by its corresponding safety communication profile.
The resulting SIL claim of a system depends on the implementation of the functional safety communication
profile within this system – implementation of the functional safety communication profile in a regular device
is not sufficient to qualify it as a safety device.
This European Standard covers:
— individual description of the functional safety profile for the communication profile defined in
EN 50325-4;
— safety layer extensions to the communication object and object dictionary sections in EN 50325-4.
1 Scope
This European Standard specifies a safety-related communication layer (services and protocol) based on
EN 50325-4.
This European Standard applies to networks based on EN 50325-4 providing safety-related communication
capabilities between devices in a safety-related system in accordance with the requirements of EN 61508
series for functional safety. The services and protocols defined in this standard are intended to extend those
defined in EN 50325-4. These services and protocols may be used in various applications such as
manufacturing, machinery, medical, mobile machinery and process control.
NOTE 1 This European Standard does not cover the procedures for the safety-related configuration and for the safety-related setup of
safety-related systems. The definition and implementation of such procedures depends on the kind of the safety-related system. For
example flexible safety-related systems like operating theatres as found in medical systems require different procedures than for fixed
safety-related systems like cranes in the mobile machinery. This European Standard does not cover electrical safety, intrinsic safety and
security aspects. Electrical safety relates to hazards such as electrical shock. Intrinsic safety relates to hazards associated with
potentially explosive atmospheres. Security relates to enforcing policies to prevent changes in the safety-related system by
unauthorized personnel.
NOTE 2 The resulting safety integrity level claim of a system depends on the implementation of the services and protocols within the
devices and the system. The implementation of the services and protocols defined in this European Standard in a device is not sufficient
to qualify the device as a safety-related device.
2 Normative references
EN 50325-4, Industrial communications subsystem based on ISO 11898 (CAN) for controller-device
interfaces - Part 4: CANopen
EN 61000–6–2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial
environments (IEC 61000-6-2)
EN 61326–3–1, Electrical equipment for measurement, control and laboratory use – EMC requirements –
Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-
related functions (functional safety) – General industrial applications (IEC 61326-3-1)
EN 61326–3–2, Electrical equipment for measurement, control and laboratory use – EMC requirements –
Part 3-2: Immunity requirements for safety-related systems and for equipment intended to perform safety-
related functions (functional safety) – Industrial applications with specified electromagnetic environment
(IEC 61326-3-2)
EN 61508 (series), Functional safety of electrical/electronic/programmable electronic safety-related systems
(IEC 61508 series)
EN 61784–3:2008, Industrial communication networks - Profiles – Part 3: Functional safety fieldbuses -
General rules and profile definitions (IEC 61784-3:2007)
EN 61918, Industrial communication networks - Installation of communication networks in industrial premises
(IEC 61918)
EN ISO 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles
for design
ISO 11898-1, Road vehicles - Controller area network (CAN) – Part 1: Data link layer and physical signalling
3 Terms, definitions, symbols, abbreviated terms and conventions
For the purposes of this document, the following terms and definitions apply.
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 61784–3, EN 50325-4 and the
following apply.
3.1.1
logical device
representation of a program in terms of its objects from one device profile segment (see EN 50325-4) and
behaviour as viewed through a network
3.1.2
SR application object
application object in accordance with EN 50325-4 that includes all necessary measures to ensure its integrity
with the requirements of EN 61508 series
3.1.3
SR communication profile and protocols
communication profile and protocols that include all the necessary measures to ensure safe transmission of
data and the necessary measures to ensure safe configuration with the requirements of EN 61508 series
3.1.4
SR device
composition of regular communication profile and protocols as defined in EN 50325-4, SR communication
profile and protocols, regular logical devices and SR logical devices
3.1.5
SR logical device
logical device that includes all necessary measures to ensure safe operation with the requirements of
EN 61508 series
3.2 Symbols and abbreviated terms
For the purposes of this document, the following abbreviations apply.
3.2.1 Common symbols
CAN Controller Area Network [ISO 11898-1]
CAN-ID CAN Identifier [ISO 11898-1]
COB Communication Object [EN 50325-4]
COB-ID COB Identifier [EN 50325-4]
CRC Cyclic Redundancy Check
DLL Data Link Layer [ISO/IEC 7498-1]
E/E/PE Electrical/Electronic/Programmable Electronic [EN 61508-4]
EMC Electromagnetic Compatibility
EUC Equipment Under Control [EN 61508-4]
FAL Fieldbus Application Layer [EN 61784–3]
FCS Frame Check Sequence
FSCP Functional Safety Communication Profile [EN 61784–3]
NMT Network Management [EN 50325-4]
NSR Non-safety-related
PDU Protocol Data Unit [ISO/IEC 7498-1]
PES Programmable electronic system [EN 61508 series]
PFD Average probability of failure on demand [EN 61508-6]
PFH Probability of failure per hour [EN 61508-6]
PhL Physical Layer [ISO/IEC 7498-1]
RTR Remote Transmission Request [ISO 11898-1]
SCL Safety Communication Layer [EN 61784–3]
SFRT Safety Function Response Time [EN 61784–3]
SIL Safety Integrity Level [EN 61508 series]
SR Safety-related
3.2.2 Additional symbols
GFC Global Failsafe Command
PDO Process Data Object
SCT Safeguard Cycle Time
SDO Service Data Object
SRCP Safety-related communication profile and protocols
SRD SR device
SRDO SR Data Object
SRLD SR logical device
SRVT SR Validation Time
3.3 Conventions
The conventions used for the descriptions of objects, services and protocols are described in EN 50325-4
and EN 61784–3.
This document follows the document structure as proposed in EN 61784–3, Annex C.
As appropriate this standard uses diagrams in accordance with EN 50325-4.
“Mandatory” categorizes functionalities that shall be used or implemented; “optional” categorizes
functionalities that may be used or implemented.
4 Overview of CANopen Safety
CANopen defines communication profiles based on ISO 11898-1.
The basic profiles are defined in EN 50325-4. The SRCP (CANopen Safety) is based on the basic profiles in
EN 50325-4 and the SCL specification defined in this standard.
The SRCP is based on the producer/consumer model. The pairing of producers and consumers is an
important part of the relationship that provides the high integrity needed for SRLD.
The SCL is specified using SR data objects (SRDO). These objects serve as the interface between the SR application objects and the link layer connections, as shown in Figure 4. An SRDO ensures the integrity of the safety data transfers.
[Figure 4 content: the producing SRLD passes data through the object dictionary to the SRDO producer, which uses a data producer on the data connection (white channel); the data consumer delivers to the SRDO consumer, which passes the data through the object dictionary to the consuming SRLD.]
Figure 4 — Relationship of SR data objects
The safety data transfer is executed as follows:
a) the producing SRLD uses the object dictionary to pass the safe data to the SRDO producer;
b) the SRDO producer uses a link data producer to transmit the data;
c) the consuming SRLD uses the object dictionary to receive the safe data from the SRDO consumer;
d) the SRDO consumer uses a link data consumer to receive data.
The SRCP utilizes the white channel concept, which differs from the FSCP protocols defined in EN 61784–3-X. The link data producers and consumers have no knowledge of the safety packet and implement no safety function. The link data producers and consumers implement a per-frame data integrity check (see [17]) that is utilized by the SRCP. The responsibility for high-integrity transfer and checking of safety data lies within the SRDO.
The SRCP uses the following measures to ensure the integrity of safety messaging:
a) time expectation;
b) connection authentication;
c) redundancy with cross checking by means of two CAN messages;
d) different integrity assurance systems.
SR data is sent redundantly and cyclically. Diverse measures for producing SR messages are used to
ensure that NSR messages are not interpreted as SR messages.
5 General
5.1 External documents providing specifications for the profile
The following documents are especially useful in understanding the design of this SRCP:
— EN 61508 series;
— GS-ET-26;
— EN 50325-4;
— EN 61784–3.
5.2 Safety functional requirements
The following requirements shall apply for the implementation of SRDO and safety configuration. The same requirements are used in the development of this SRCP.
— The SRCP is designed so that SRDO and safety configuration are able to support SRD up to SIL3 (according to EN 61508 series) and up to category 4 (according to EN ISO 13849-1).
— The safe state for discrete data and analogue values shall be defined by the SRLD.
— The SRCP is implemented using the white channel approach.
— Implementations of this SRCP shall comply with EN 61508 series.
— Environmental conditions shall be according to EN 61000-6-2 for the basic levels, and EN 61326-3-1
and EN 61326-3-2 for the increased EMC tests, unless there are other specific product standards.
— SR communication shall be independent from NSR communication. However, NSR communication
defined in EN 50325-4 may use SR communication for transmission.
— Unless specified in this standard, the requirements specified in EN 50325-4 shall be unchanged for
safety communication.
5.3 Safety measures
Table 1 contains the measures used to detect communication errors and the coverage provided by each
measure as used.
Table 1 — Communication errors and safety measures matrix
Safety measures (columns): sequence number; time stamp; time expectation; connection authentication; feedback message; data integrity assurance; redundancy with cross checking; different data integrity assurance system.
Communication errors (rows; each error is defined in EN 61784–3) and the measures marked against it:
Corruption: X
Unintended repetition: X
Incorrect sequence: X
Loss: X
Unacceptable delay: X
Insertion: X X
Masquerade: X X
Addressing: X X
[The column position of each X mark was not preserved in this extracted sample.]
5.4 Safety communication layer structure
The safety protocol is layered on top of the NSR data link layer (the NSR data link layer and the safety communication layer together form a “White Channel”, i.e. the SCL benefits from the error detection mechanisms of the underlying NSR data link layer). Figure 5 shows how the SCL is related to the EN 50325-4 based layers.
The SCL accepts data from the SRLD. The SCL compiles an SR message and transmits it over the white channel. The SCL on the other SR device receives the SR message over the white channel, decompiles its content and performs validation checks. After the data is verified it is given to the SRLD.
[Figure 5 content: Black Channel (NSR components and implementation): CANopen Application Layer with Application Objects; CANopen Network and Transport Layer with Communication Objects (SDO, PDO, SYNC, NMT, etc.); CAN Data Link Layer; CAN Physical Layer. White Channel (SR implementation): CANopen Safety Application Layer with SR Application Objects; CANopen Safety Network and Transport Layer with SR Communication Objects (SRDOs), on top of the same CAN Data Link Layer and CAN Physical Layer.]
Figure 5 — Communication layers
5.5 Relationships with FAL
5.5.1 General
This SCL shall only be used in conjunction with EN 50325-4. There are no requirements other than those
defined in this standard.
5.5.2 Data types
Profiles defined in this standard support all of the data types defined in EN 50325-4.
6 Safety communication layer services
6.1 Introduction
This subclause defines the extensions to EN 50325-4 for SR communication. This includes the SR data
objects (SRDO; see 6.2) for use of SR data transfer between SRLD, and the global fail-safe command (GFC;
see 6.3) to switch the SRLDs into the safe state immediately.
NOTE 1 The GFC itself is NSR. If a switch of a SRLD into the safe state is required and requested, then a SRDO should be used in
any case (see 6.3.1).
This subclause also defines the SR communication objects. These SR communication objects use the object dictionary as defined in EN 50325-4.
The SR application object shall not exceed a length of 8 octets. The more detailed definition of SR
application objects does not fall into the scope of this standard.
NOTE 2 Depending on the SRLD different standards can apply, e.g. EN 61800-5-2 for a drive application.
6.2 SR data object (SRDO)
6.2.1 Introduction
The SR data transfer is performed by means of an SRDO. An SRDO shall be transmitted cyclically. The
cyclic transmission is monitored. An SRDO may be transmitted event-driven in addition to the cyclic
transmission, if required. An SRDO shall not be transmitted or requested by use of a RTR.
NOTE 1 The event-driven transmission is used to ensure a fast reaction for NSR application. Figure 6 shows a cyclic SRDO transmission with the cycle time t_cycle and an event-driven SRDO in between.
NOTE 2 The maximum number of SRDO producers in the system is limited to 64.
[Figure 6 content: five SRDO transmissions separated by the intervals t_cycle, t_cycle, t_event, t_cycle.]
Figure 6 — Example of SRDO transmission
Two types of SRDOs are distinguished:
— the SRDO producer shall be used to transmit SR application data; and
— the SRDO consumer shall be used to receive SR application data.
An SRDO shall have the following attributes:
— SRDO number: SRDO number [1..64] for every user type on the local SRD;
— user type (6.4.1.3): one of the values {consumer, producer};
— data type (6.4.1.4): according to the SRDO mapping;
— refresh-time (6.4.1.3): n in multiples of millisecond, n > 0, for the user type producer;
— SCT (6.4.1.3): n in multiples of millisecond, n > 0, for the user type consumer;
— validation-time (6.4.1.3): n in multiples of millisecond, n > 0, for the user type consumer.
The SRDO services are defined in 6.2.2 and 6.2.3. The SRDO protocol is defined in 7.1. The SRDO
communication objects are defined in 6.4.1.
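The consumer-side checks this subclause describes (SCT and validation time) and the integrity measures listed in Clause 4 (time expectation, connection authentication, redundancy with cross checking), modelled in Python as an added example that is not code from EN 50325-5 or from any CANopen stack. It assumes that SCT bounds the gap between consecutive SRDO cycles, that SRVT bounds the gap between the two frames of one SRDO, and that the second frame carries the bitwise complement of the first; the COB-IDs 101h/102h and the frame traces are constructed.

```python
"""SRDO consumer-side monitor: a constructed example, not code from EN 50325-5.

Models the consumer checks named in clauses 4 and 6.2.1: time expectation
(SCT between consecutive SRDO cycles, SRVT between the two frames of one
SRDO), connection authentication (two distinct COB-IDs per SRDO) and
redundancy with cross checking of the two CAN frames.
Assumption: the second frame carries the bitwise complement of the first.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class CanFrame:
    t_ms: int       # reception time on a constructed millisecond clock
    cob_id: int
    data: bytes     # SR application data, at most 8 octets


@dataclass
class SrdoConsumer:
    cob_id_1: int   # COB-ID 1 of the SRDO communication parameter record
    cob_id_2: int   # COB-ID 2
    sct_ms: int     # safeguard cycle time (assumed: max gap between two first frames)
    srvt_ms: int    # SR validation time (assumed: max gap between frame 1 and frame 2)
    last_cycle_ms: Optional[int] = None   # time of the first frame of the last valid SRDO
    pending: Optional[CanFrame] = None    # first frame waiting for its partner
    safe_state: bool = False
    reason: str = ""
    validated: List[bytes] = field(default_factory=list)

    def _fail(self, reason: str) -> None:
        # Any detected communication error moves the SRLD to its safe state.
        self.safe_state = True
        self.reason = reason
        self.pending = None

    def check_timeouts(self, now_ms: int) -> bool:
        """Time-driven check; call it from a local timer even when the bus is silent.
        Returns True while the SRDO connection is still considered valid."""
        if self.safe_state:
            return False
        if self.pending is not None:
            if now_ms - self.pending.t_ms > self.srvt_ms:
                self._fail("SRVT expired: second frame not received in time")
        elif self.last_cycle_ms is not None and now_ms - self.last_cycle_ms > self.sct_ms:
            self._fail("SCT expired: no new SRDO cycle in time (loss or unacceptable delay)")
        return not self.safe_state

    def on_frame(self, f: CanFrame) -> Optional[bytes]:
        """Feed one received CAN frame; returns validated SR data when an SRDO completes."""
        if self.safe_state:
            return None
        if f.cob_id not in (self.cob_id_1, self.cob_id_2):
            return None   # not this connection: NSR or foreign traffic is never taken as SR
        if not self.check_timeouts(f.t_ms):
            return None
        if f.cob_id == self.cob_id_1:
            if self.pending is not None:
                self._fail("frame 1 repeated before frame 2 (loss or unintended repetition)")
                return None
            self.pending = f
            return None
        # Second frame of the SRDO: must follow a first frame and cross-check against it.
        if self.pending is None:
            self._fail("frame 2 without preceding frame 1 (incorrect sequence or insertion)")
            return None
        expected = bytes(b ^ 0xFF for b in self.pending.data)
        if f.data != expected:
            self._fail("cross check failed: frame 2 is not the complement of frame 1 (corruption)")
            return None
        data = self.pending.data
        self.last_cycle_ms = self.pending.t_ms
        self.pending = None
        self.validated.append(data)
        return data


def run_frames(frames: List[CanFrame], sct_ms: int = 50, srvt_ms: int = 20,
               final_ms: Optional[int] = None) -> SrdoConsumer:
    """Replay a constructed frame trace (COB-IDs 101h/102h are made up) and
    optionally run the timer check once more at final_ms."""
    c = SrdoConsumer(cob_id_1=0x101, cob_id_2=0x102, sct_ms=sct_ms, srvt_ms=srvt_ms)
    for f in frames:
        c.on_frame(f)
    if final_ms is not None:
        c.check_timeouts(final_ms)
    return c


if __name__ == "__main__":
    good = [CanFrame(0, 0x101, b"\x01\x02"), CanFrame(5, 0x102, b"\xfe\xfd"),
            CanFrame(40, 0x101, b"\x03\x04"), CanFrame(45, 0x102, b"\xfc\xfb")]
    c = run_frames(good)
    print("validated:", c.validated, "safe state:", c.safe_state)
    late = [CanFrame(0, 0x101, b"\x01"), CanFrame(25, 0x102, b"\xfe")]
    print("late frame 2:", run_frames(late).reason)
```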
6.2.2 SRDO write
The SCL service SRDO write shall use the push model as defined in EN 50325-4 and shall be unconfirmed.
An SRDO shall have exactly one SRDO producer and shall have one or more SRDO consumers. The
successful reception of an SRDO by the SRDO consumer shall be signalled by a local event to the SRLD.
The SCL service SRDO write shall be used to transmit mapped SR application data from the SRDO
producer to the SRDO consumer(s). Table 2 defines the parameters for this service.
Table 2 — SRDO write
Parameter Request / Indication
Argument Mandatory
SRDO number Mandatory
SR application data Mandatory
6.2.3 SRDO read
The SCL service SRDO read is not allowed.
6.3 Global fail-safe command (GFC)
6.3.1 Introduction
The GFC may be used to switch the SRLDs into the safe state. This improves the overall system reaction time in case of an error. The GFC itself is NSR and shall be transmitted event-driven. Because the GFC is NSR, the SRDO corresponding to the failure shall be transmitted as well to maintain safety.
EXAMPLE On detection of a failure the detecting SRLD may transmit the GFC. Based on the GFC all SRLDs switch into the safe state before the cycle time for the next SRDO has elapsed. Thus the SR system switches into the safe state with an improved reaction time.
The GFC shall have the following attributes:
— user type: one of the values {consumer, producer};
— data type: nil.
The GFC service is defined in 6.3.2. The GFC protocol is defined in 7.2. The GFC communication object is
defined in 6.4.2.
6.3.2 GFC write
The SCL service GFC write shall use the push model as defined in EN 50325-4 and shall be unconfirmed.
The GFC shall have one or more SR producers and shall have one or more SR consumers.
The SCL service GFC write shall be used to switch the SRLDs into the safe state. This service has no
parameters.
6.4 SR communication objects
6.4.1 SRDO communication objects
6.4.1.1 Introduction
The SRDO communication objects are used to configure an SRDO on the SRD. An SRDO is configured by
means of its communication behaviour with the SRDO communication parameter and by means of its
content with the SRDO mapping parameter. The validity of the configuration is guaranteed by means of the
safety configuration signature (see 6.4.1.5).
6.4.1.2 SRDO communication parameter record
Table 3 defines the complex data type used to describe the SRDO communication parameter.
Table 3 — SRDO communication parameter record
Index    Sub-index   Description                    Data type
0026h    00h         Highest sub-index supported    UNSIGNED8
         01h         Information direction          UNSIGNED8
         02h         Refresh-time / SCT             UNSIGNED16
         03h         SRVT                           UNSIGNED8
         04h         Transmission type              UNSIGNED8
         05h         COB-ID 1                       UNSIGNED32
         06h         COB-ID 2                       UNSIGNED32
6.4.1.3 SRDO communication parameter
This object indicates the communication behaviour of an SRDO. Each supported SRDO from SRDO 1 to
SRDO 64 shall have its own object with an index from 1301h to 1340h, where SRDO 1 shall correspond to
the object at index 1301h, SRDO 2 shall correspond to the object at index 1302h, and so on.
The sub-index 00h shall indicate the highest supported sub-index and shall be set to 06h.
The sub-index 01h shall indicate if the SRDO shall be produced, shall be consumed, or shall be not valid and
deleted. If this entry is set to produce the SRDO, the SRLD shall request the SCL service SRDO write with
the mapped SR application data. If this entry is set to consume the SRDO, the SRLD shall move the received
SR application data from the SRDO to the SRLD if the reception is indicated by the SCL service SRDO
write and the verification of the SR data is successful.
The sub-index 02h shall indicate the refresh-time and SCT for the SRDO as defined in 7.1.2.
The sub-index 03h shall indicate the SRVT for the SRDO as defined in 7.1.2.
The sub-index 04h shall indicate the transmission type as defined in EN 50325-4.
The sub-index 05h shall indicate the CAN-ID that shall be used by the SRDO for the plain SR data (first CAN
data frame). This CAN-ID shall be an odd number (see 7.1.1).
The sub-index 06h shall indicate the CAN-ID that shall be used by the SRDO for the bitwise inverted SR data
(second CAN data frame). This CAN-ID shall be the even number following the CAN-ID indicated in
sub-index 05h (see 7.1.1).
The objects are defined in Table 4 and the entries of these objects are defined in Table 5.
Table 4 — Object definition
Attribute      Definition
Index          1301h to 1340h
Name           SRDO communication parameter
Object code    RECORD
Data type      SRDO communication parameter record (0026h)
Category       Mandatory for each supported SRDO
Table 5 — Entry definition
Attribute         Definition
Sub-index         00h
Name              Highest sub-index supported
Entry category    Mandatory
Access            ro
PDO mapping       No
Value range       06h
Default value     06h

Sub-index         01h
Name              Information direction
Entry category    Mandatory
Access            ro, if NMT state is Operational
                  rw, if NMT state is Pre-operational
PDO mapping       No
Value range       00h — does not exist / is not valid
                  01h — exists / is valid for transmit (tx, SRDO producer)
                  02h — exists / is valid for receive (rx, SRDO consumer)
                  03h to FFh — reserved
Default value     1301h: Node-ID = 1d to 32d — 01h
                         Node-ID = 33d to 64d — 02h
                         Node-ID = 65d to 127d — 00h
                  1302h to 1340h: 00h

Sub-index         02h
Name              tx: refresh-time
                  rx: SCT
Entry category    Mandatory
Access            ro, if NMT state is Operational
                  rw, if NMT state is Pre-operational
PDO mapping       No
Value range       UNSIGNED16
Default value     tx: 25d
                  rx: 50d
Table 5 — Entry definition (continued)
Attribute         Definition
Sub-index         03h
Name              tx: reserved
                  rx: SRVT
Entry category    Conditional;
                  Mandatory, if 02h in sub-index 01h is supported
Access            ro, if NMT state is Operational
                  rw, if NMT state is Pre-operational
PDO mapping       No
Value range       UNSIGNED8
Default value     20d

Sub-index         04h
Name              Transmission type
Entry category    Mandatory
Access            ro
PDO mapping       No
Value range       254d
Default value     254d

Sub-index         05h
Name              COB-ID 1
Entry category    Mandatory
Access            ro, if NMT state is Operational
                  rw, if NMT state is Pre-operational
PDO mapping       No
Value range       257d to 383d; odd values only
Default value     1301h: Node-ID ≤ 64d — 0000 00FFh + (2 × Node-ID)
                         Node-ID > 64d — manufacturer-specific
                  1302h to 1340h: manufacturer-specific

Sub-index         06h
Name              COB-ID 2
Entry category    Mandatory
Access            ro, if NMT state is Operational
                  rw, if NMT state is Pre-operational
PDO mapping       No
Value range       258d to 384d; even values only
Default value     1301h: Node-ID ≤ 64d — 0000 0100h + (2 × Node-ID)
                         Node-ID > 64d — manufacturer-specific
                  1302h to 1340h: manufacturer-specific
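As an added example (not part of EN 50325-5 and not any device vendor's code), the following Python models one SRDO communication parameter record and checks it against the rules of 6.4.1.3 and Table 5: the object index derived from the SRDO number, the Node-ID-derived defaults of 1301h, the odd/even COB-ID pairing, the fixed transmission type and the value ranges. The field names, the use of None for a manufacturer-specific COB-ID, and the zero timing value for an SRDO that is not valid are this example's own assumptions.

```python
"""Consistency check for an SRDO communication parameter record (6.4.1.3, Table 5).
Added example; not code from EN 50325-5 or from any device vendor."""
from dataclasses import dataclass
from typing import List, Optional

# Values taken from 6.4.1.3 and Table 5
COMM_INDEX_FIRST = 0x1301                         # SRDO 1; SRDO 64 is at 1340h
HIGHEST_SUB_INDEX = 0x06                          # sub-index 00h
DIR_INVALID, DIR_TX, DIR_RX = 0x00, 0x01, 0x02    # sub-index 01h; 03h..FFh reserved
TRANSMISSION_TYPE = 254                           # sub-index 04h, fixed value
COB_ID_1_RANGE = range(257, 384)                  # 257d to 383d, odd values only
COB_ID_2_RANGE = range(258, 385)                  # 258d to 384d, even values only


@dataclass
class SrdoCommParameter:
    """One record of data type 0026h (Table 3); one field per sub-index."""
    highest_sub_index: int = HIGHEST_SUB_INDEX    # 00h
    direction: int = DIR_INVALID                  # 01h
    refresh_time_or_sct: int = 0                  # 02h: tx refresh-time / rx SCT in ms (0 = assumption for not valid)
    srvt: int = 20                                # 03h: rx only, default 20d
    transmission_type: int = TRANSMISSION_TYPE    # 04h
    cob_id_1: Optional[int] = None                # 05h; None = manufacturer-specific (assumption)
    cob_id_2: Optional[int] = None                # 06h


def comm_index(srdo_number: int) -> int:
    """Object dictionary index of the communication parameter for SRDO 1..64."""
    if not 1 <= srdo_number <= 64:
        raise ValueError("SRDO number must be 1..64")
    return COMM_INDEX_FIRST + srdo_number - 1


def default_parameter(srdo_number: int, node_id: int) -> SrdoCommParameter:
    """Default values of Table 5. Only 1301h (SRDO 1) derives its defaults from
    the Node-ID; 1302h to 1340h default to 'not valid' with manufacturer-specific COB-IDs."""
    if not 1 <= node_id <= 127:
        raise ValueError("Node-ID must be 1..127")
    p = SrdoCommParameter()
    if srdo_number != 1:
        return p
    if node_id <= 32:
        p.direction, p.refresh_time_or_sct = DIR_TX, 25    # tx: refresh-time 25d
    elif node_id <= 64:
        p.direction, p.refresh_time_or_sct = DIR_RX, 50    # rx: SCT 50d
    else:
        return p                                          # Node-ID 65d..127d: 00h, not valid
    p.cob_id_1 = 0x000000FF + 2 * node_id                 # odd, 257d..383d
    p.cob_id_2 = 0x00000100 + 2 * node_id                 # even, 258d..384d
    return p


def check_parameter(p: SrdoCommParameter) -> List[str]:
    """Return every rule of 6.4.1.3 / Table 5 that the record violates (empty = consistent)."""
    problems: List[str] = []
    if p.highest_sub_index != HIGHEST_SUB_INDEX:
        problems.append("sub-index 00h shall be 06h")
    if p.direction not in (DIR_INVALID, DIR_TX, DIR_RX):
        problems.append("sub-index 01h: values 03h to FFh are reserved")
    if p.transmission_type != TRANSMISSION_TYPE:
        problems.append("sub-index 04h shall be 254d")
    if p.direction not in (DIR_TX, DIR_RX):
        return problems          # a not-valid/deleted SRDO carries no timing or COB-ID requirement
    if not 1 <= p.refresh_time_or_sct <= 0xFFFF:
        problems.append("sub-index 02h: refresh-time/SCT shall be n > 0 (UNSIGNED16)")
    if p.direction == DIR_RX and not 0 <= p.srvt <= 0xFF:
        problems.append("sub-index 03h: SRVT shall be UNSIGNED8")
    if p.cob_id_1 is None or p.cob_id_2 is None:
        problems.append("sub-index 05h/06h: a valid SRDO needs both COB-IDs")
        return problems
    if p.cob_id_1 not in COB_ID_1_RANGE or p.cob_id_1 % 2 == 0:
        problems.append("sub-index 05h: COB-ID 1 shall be odd and within 257d to 383d")
    if p.cob_id_2 not in COB_ID_2_RANGE or p.cob_id_2 % 2 == 1:
        problems.append("sub-index 06h: COB-ID 2 shall be even and within 258d to 384d")
    if p.cob_id_2 != p.cob_id_1 + 1:
        problems.append("sub-index 06h: COB-ID 2 shall be the even number following COB-ID 1")
    return problems


if __name__ == "__main__":
    # Constructed sample Node-IDs covering the three default cases of sub-index 01h
    for node in (1, 40, 100):
        rec = default_parameter(1, node)
        print(f"Node-ID {node}: 1301h defaults -> {rec}; problems: {check_parameter(rec)}")
```

The check is written for the Pre-operational configuration step, which is the only state in which Table 5 allows the entries to be written; a record that fails it should be rejected before the SRDO is set valid, since the COB-ID pairing is what lets the consumer match the plain and inverted frames.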
6.4.1.4 SRDO mapping parameter
This object indicates the SR application objects that are mapped into an SRDO. Each supported SRDO from
SRDO 1 to SRDO 64 shall have its own object with an index from 1381h to 13C0h, where SRDO 1 shall
correspond to the object at index 1381h, SRDO 2 shall correspond to the object at index 1382h, and so on.
The value of the entry with sub-index 00h shall indicate the highest valid sub-index as defined in Table 6. The
SRDO shall be deleted by setting the SRDO invalid before changing sub-index 00h of this object. The
structure of the entries with sub-index greater than 00h and the procedure of the mapping are both defined
under PDO mapping in EN 50325-4.
The objects are defined in Table 7 and the entries of these objects are defined in Table 8.
Table 6 — Value definition
Value       Definition
00h         Mapping invalid (disabled)
01h         reserved
02h         Sub-indexes 01h and 02h valid (mapping valid, enabled)
03h         reserved
04h         Sub-indexes from 01h to 04h valid (mapping valid, enabled)
05h         reserved
06h         Sub-indexes from 01h to 06h valid (mapping valid, enabled)
to 0Fh      reserved
10h         Sub-indexes from 01h to 10h valid (mapping valid, enabled)
11h         reserved
12h         Sub-indexes from 01h to 12h valid (mapping valid, enabled)
to 7Fh      reserved
80h         Sub-indexes from 01h to 80h valid (mapping valid, enabled)
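As an added example (not part of EN 50325-5 and not any device vendor's code), the following Python checks an SRDO mapping parameter object against 6.4.1.4, Table 6 and Table 8: the index derived from the SRDO number, the valid values of sub-index 00h, the entry layout that EN 50325-4 defines for PDO mapping (object index, sub-index, length in bits), and the write gate for sub-index 00h. It generalizes the alternating pattern of Table 6 to "even values 02h to 80h valid, all other values reserved", which is this example's reading of the ranges the table abbreviates. The 64-bit limit on plain data (one CAN data frame) and the placement of the plain-data objects at the odd sub-indexes are assumptions drawn from 6.4.1.3 and from the label of sub-index 01h in Table 8, not statements of this page; the sample index values are constructed.

```python
"""Checks for the SRDO mapping parameter (6.4.1.4, Tables 6 and 8).
Added example; not code from EN 50325-5 or from any device vendor."""
from typing import Dict, List, NamedTuple

MAP_INDEX_FIRST = 0x1381      # SRDO 1; SRDO 64 is at 13C0h
MAP_COUNT_MAX = 0x80          # highest value of sub-index 00h listed in Table 6
DIR_INVALID = 0x00            # sub-index 01h of the communication parameter (6.4.1.3)
# Assumption: the plain SR data travels in one CAN data frame (6.4.1.3), so at most
# 64 data bits can be mapped; the page itself states no bit limit.
CAN_DATA_FRAME_BITS = 64


class MappingEntry(NamedTuple):
    """One UNSIGNED32 mapping entry in the PDO-mapping layout of EN 50325-4:
    object index (16 bit), sub-index (8 bit), length in bits (8 bit)."""
    index: int
    sub_index: int
    length_bits: int


def mapping_index(srdo_number: int) -> int:
    """Object dictionary index of the mapping parameter for SRDO 1..64."""
    if not 1 <= srdo_number <= 64:
        raise ValueError("SRDO number must be 1..64")
    return MAP_INDEX_FIRST + srdo_number - 1


def classify_highest_sub_index(value: int) -> str:
    """Table 6: 00h disabled, even values 02h..80h valid, everything else reserved."""
    if value == 0x00:
        return "disabled"
    if 0x02 <= value <= MAP_COUNT_MAX and value % 2 == 0:
        return "valid"
    return "reserved"


def decode_entry(raw: int) -> MappingEntry:
    return MappingEntry((raw >> 16) & 0xFFFF, (raw >> 8) & 0xFF, raw & 0xFF)


def encode_entry(entry: MappingEntry) -> int:
    return (entry.index << 16) | (entry.sub_index << 8) | entry.length_bits


def check_mapping(obj: Dict[int, int]) -> List[str]:
    """obj maps each sub-index of a 1381h..13C0h object to its UNSIGNED32 value.
    Returns the problems found; an empty list means the mapping is consistent."""
    problems: List[str] = []
    count = obj.get(0x00, 0x00)
    kind = classify_highest_sub_index(count)
    if kind == "reserved":
        return [f"sub-index 00h = {count:02X}h is reserved (Table 6)"]
    if kind == "disabled":
        return problems                       # mapping invalid: nothing further to check
    missing = [f"{s:02X}h" for s in range(1, count + 1) if s not in obj]
    if missing:
        return [f"sub-indexes {missing} required but absent"]
    # Assumption: odd sub-indexes hold the plain-data objects (Table 8 labels
    # sub-index 01h 'plain data'); their total length must fit one CAN data frame.
    plain_bits = sum(decode_entry(obj[s]).length_bits for s in range(1, count + 1, 2))
    if plain_bits > CAN_DATA_FRAME_BITS:
        problems.append(f"plain data is {plain_bits} bits, more than one CAN data frame")
    return problems


def may_write_count(direction: int, nmt_state: str, variable_mapping: bool,
                    new_value: int) -> bool:
    """Gate for writing sub-index 00h: Table 8 allows rw only in Pre-operational with
    variable mapping supported, and 6.4.1.4 requires the SRDO to be set invalid first."""
    if nmt_state != "Pre-operational" or not variable_mapping:
        return False
    if direction != DIR_INVALID:
        return False
    return classify_highest_sub_index(new_value) != "reserved"


if __name__ == "__main__":
    # Constructed sample: one 8-bit SR object at a manufacturer-specific index, with
    # sub-index 02h assumed to carry its inverted copy.
    sample = {0x00: 0x02,
              0x01: encode_entry(MappingEntry(0x2001, 0x01, 8)),
              0x02: encode_entry(MappingEntry(0x2002, 0x01, 8))}
    print(hex(mapping_index(1)), check_mapping(sample))
    print(may_write_count(DIR_INVALID, "Pre-operational", True, 0x04))
```

The write gate is the part worth keeping in a device: the page requires the SRDO to be set invalid before sub-index 00h changes, so a mapping change can never take effect on an SRDO that is still being produced or consumed.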
Table 7 — Object definition
Attribute      Definition
Index          1381h to 13C0h
Name           SRDO mapping parameter
Object code    ARRAY
Data type      UNSIGNED32
Category       Mandatory for each supported SRDO
Table 8 — Entry definition
Attribute         Definition
Sub-index         00h
Name              Highest sub-index supported
Entry category    Mandatory
Access            ro, if NMT state is Operational or variable mapping is not supported
                  rw, if NMT state is Pre-operational and variable mapping is supported
PDO mapping       No
Value range       see Table 6
Default value     manufacturer-specific

Sub-index         01h
Name              SR application data object 1 (plain data)
Entry category    Mandatory
Access            ro, if NMT state is Operational, variable mapping is not supported, or
                  sub-index 00h is set to a valu
...