IEC 62439-1:2010
Industrial communication networks - High availability automation networks - Part 1: General concepts and calculation methods
IEC 62439-1:2010 is applicable to high-availability automation networks based on the ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) technology. It specifies:
- the common elements and definitions for other parts of the IEC 62439 series;
- the conformance test specification (normative);
- a classification scheme for network characteristics (informative);
- a methodology for estimating network availability (informative);
- the configuration rules, calculation and measurement method for a deterministic recovery time in RSTP.
This standard cancels and replaces IEC 62439 published in 2008 and constitutes a technical revision. It includes the following changes:
- a new calculation method for RSTP (rapid spanning tree protocol, IEEE 802.1Q),
- two new redundancy protocols: HSR (High-availability Seamless Redundancy) and DRP (Distributed Redundancy Protocol),
- a new method to calculate the maximum recovery time of RSTP in a restricted configuration (ring), added to IEC 62439-1 as Clause 8,
- new specifications of the HSR (High-availability Seamless Redundancy) protocol, which shares the principles of PRP, added to IEC 62439-3 as Clause 5, and
- introduction of the DRP protocol as IEC 62439-6.
This bilingual version (2013-07) corresponds to the monolingual English version, published in 2010-02.
Industrial communication networks - High availability automation networks - Part 1: General concepts and calculation methods
IEC 62439-1:2010 applies to high-availability automation networks based on ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) technology. It specifies:
- the common elements and definitions for other parts of the IEC 62439 series;
- the conformance test specification (normative);
- a classification scheme for network characteristics (informative);
- a methodology for estimating network availability (informative);
- the configuration rules, calculation and measurement method for a deterministic recovery time in the RSTP protocol.
It cancels and replaces IEC 62439 published in 2008. It constitutes a technical revision. This edition includes the following changes:
- addition of a calculation method for the RSTP protocol (Rapid Spanning Tree Protocol, IEEE 802.1Q),
- addition of two new redundancy protocols: HSR (High-availability Seamless Redundancy) and DRP (Distributed Redundancy Protocol),
- addition of a method to calculate the maximum recovery time of the RSTP protocol in a restricted configuration (ring) in IEC 62439-1 (Clause 8),
- addition of specifications of the HSR (High-availability Seamless Redundancy) protocol, which shares the principles of the PRP protocol, in IEC 62439-3 (Clause 5), and introduction of the DRP protocol (IEC 62439-6).
This bilingual version (2013-07) corresponds to the monolingual English version published in 2010-02.
Standards Content (Sample)
IEC 62439-1
Edition 1.0 2010-02
INTERNATIONAL STANDARD
[colour inside]
Industrial communication networks – High availability automation networks – Part 1: General concepts and calculation methods
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
- Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee, ...).
It also gives information on projects, withdrawn and replaced publications.
- IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
- Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
- Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XA
ICS 25.040, 35.040
ISBN 978-2-88910-704-9
– 2 – 62439-1 © IEC:2010(E)
CONTENTS
FOREWORD ..... 5
INTRODUCTION ..... 7
1 Scope ..... 8
2 Normative references ..... 8
3 Terms, definitions, abbreviations, acronyms, and conventions ..... 9
3.1 Terms and definitions ..... 9
3.2 Abbreviations and acronyms ..... 16
3.3 Conventions ..... 17
3.3.1 General conventions ..... 17
3.3.2 Conventions for state machine definitions ..... 17
3.3.3 Conventions for PDU specification ..... 17
3.4 Reserved network addresses ..... 18
4 Conformance requirements (normative) ..... 18
4.1 Conformance to redundancy protocols ..... 18
4.2 Conformance tests ..... 19
4.2.1 Concept ..... 19
4.2.2 Methodology ..... 19
4.2.3 Test conditions and test cases ..... 20
4.2.4 Test procedure and measuring ..... 20
4.2.5 Test report ..... 20
5 Concepts for high availability automation networks (informative) ..... 21
5.1 Characteristics of application of automation networks ..... 21
5.1.1 Resilience in case of failure ..... 21
5.1.2 Classes of network redundancy ..... 22
5.1.3 Redundancy maintenance ..... 22
5.1.4 Comparison and indicators ..... 23
5.2 Generic network system ..... 24
5.2.1 Network elements ..... 24
5.2.2 Topologies ..... 26
5.2.3 Redundancy handling ..... 32
5.2.4 Network recovery time ..... 32
5.2.5 Diagnosis coverage ..... 32
5.2.6 Failures ..... 32
5.3 Safety ..... 34
5.4 Security ..... 34
6 Classification of networks (informative) ..... 34
6.1 Notation ..... 34
6.2 Classification of robustness ..... 35
7 Availability calculations for selected networks (informative) ..... 35
7.1 Definitions ..... 35
7.2 Reliability models ..... 36
7.2.1 Generic symmetrical reliability model ..... 36
7.2.2 Simplified symmetrical reliability model ..... 38
7.2.3 Asymmetric reliability model ..... 38
7.3 Availability of selected structures ..... 39
7.3.1 Single LAN without redundant leaves ..... 39
7.3.2 Network without redundant leaves ..... 40
7.3.3 Single LAN with redundant leaves ..... 41
7.3.4 Network with redundant leaves ..... 41
7.3.5 Considering second failures ..... 42
7.4 Caveat ..... 44
8 RSTP for High Availability Networks: configuration rules, calculation and measurement method for deterministic recovery time in a ring topology ..... 44
8.1 General ..... 44
8.2 Deployment and configuration rules for the ring topology ..... 44
8.3 Calculations for fault recovery time in a ring ..... 45
8.3.1 Dependencies and failure modes ..... 45
8.3.2 Calculations for non-considered failure modes ..... 45
8.3.3 Calculations for the considered failure modes ..... 45
8.4 Timing measurement method ..... 46
8.4.1 Measurement of T_PA ..... 46
8.4.2 Measurement of T_L ..... 47
8.4.3 Measurement of (T_TC + T_F) ..... 48
8.4.4 System test example ..... 50
Bibliography ..... 52
Figure 1 – Conformance test overview ..... 19
Figure 2 – General network elements (tree topology) ..... 24
Figure 3 – Link Redundancy Entity in a Doubly Attached Node (DAN) ..... 26
Figure 4 – Example of tree topology ..... 27
Figure 5 – Example of linear topology ..... 28
Figure 6 – Example of ring topology ..... 28
Figure 7 – Example of a partially meshed topology ..... 29
Figure 8 – Example of fully meshed topology ..... 30
Figure 9 – Single LAN structure without redundant leaf links ..... 30
Figure 10 – Single LAN structure with redundant leaf links ..... 31
Figure 11 – Redundant LAN structure without redundant leaf links ..... 31
Figure 12 – Redundant LAN structure with redundant leaf links ..... 31
Figure 13 – General symmetrical fault model ..... 37
Figure 14 – Simplified fault model ..... 38
Figure 15 – Asymmetric fault model ..... 39
Figure 16 – Network with no redundancy ..... 40
Figure 17 – Network with no single point of failure ..... 41
Figure 18 – Network with resiliency to second failure ..... 43
Figure 19 – Test rig for T_PA measurement ..... 47
Figure 20 – Test rig for T_L measurement ..... 48
Figure 21 – Test rig for (T_TC + T_F) measurement ..... 49
Figure 22 – Test rig for system test ..... 50
Table 1 – Examples of application grace time ..... 21
Table 2 – Examples of redundancy protocols ..... 23
Table 3 – Code assignment for the field ..... 34
Table 4 – Code assignment for the field ..... 34
Table 5 – Code assignment for the field ..... 35
Table 6 – Code assignment for the field ..... 35
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard 62439-1 has been prepared by subcommittee 65C: Industrial Networks,
of IEC technical committee 65: Industrial-process measurement, control and automation.
This standard cancels and replaces IEC 62439 published in 2008. This first edition constitutes
a technical revision.
This edition includes the following significant technical changes with respect to IEC 62439
(2008):
– adding a calculation method for RSTP (rapid spanning tree protocol, IEEE 802.1Q),
– adding two new redundancy protocols: HSR (High-availability Seamless Redundancy)
and DRP (Distributed Redundancy Protocol),
– moving former Clauses 1 to 4 (introduction, definitions, general aspects) and the
Annexes (taxonomy, availability calculation) to IEC 62439-1, which serves now as a
base for the other documents,
– moving Clause 5 (MRP) to IEC 62439-2 with minor editorial changes,
– moving Clause 6 (PRP) to IEC 62439-3 with minor editorial changes,
– moving Clause 7 (CRP) to IEC 62439-4 with minor editorial changes, and
– moving Clause 8 (BRP) to IEC 62439-5 with minor editorial changes,
– adding a method to calculate the maximum recovery time of RSTP in a restricted
configuration (ring) to IEC 62439-1 as Clause 8,
– adding specifications of the HSR (High-availability Seamless Redundancy) protocol,
which shares the principles of PRP to IEC 62439-3 as Clause 5, and
– introducing the DRP protocol as IEC 62439-6.
The text of this standard is based on the following documents:
FDIS: 65C/583/FDIS
Report on voting: 65C/589/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
A list of the IEC 62439 series can be found, under the general title Industrial communication
networks – High availability automation networks, on the IEC website.
This publication has been drafted in accordance with ISO/IEC Directives, Part 2.
The committee has decided that the contents of this amendment and the base publication will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this standard may be issued at a later date.
IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.
INTRODUCTION
The IEC 62439 series specifies relevant principles for high availability networks that meet the
requirements for industrial automation networks.
In the fault-free state of the network, the protocols of the IEC 62439 series provide
ISO/IEC 8802-3 (IEEE 802.3) compatible, reliable data communication, and preserve
determinism of real-time data communication. In cases of fault, removal, and insertion of a
component, they provide deterministic recovery times.
These protocols retain fully the typical Ethernet communication capabilities as used in the
office world, so that the software involved remains applicable.
The market is in need of several network solutions, each with different performance
characteristics and functional capabilities, matching diverse application requirements. These
solutions support different redundancy topologies and mechanisms which are introduced in
IEC 62439-1 and specified in the other Parts of the IEC 62439 series. IEC 62439-1 also
distinguishes between the different solutions, giving guidance to the user.
The IEC 62439 series follows the general structure and terms of IEC 61158 series.
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
1 Scope
The IEC 62439 series is applicable to high-availability automation networks based on the
ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) technology.
This part of the IEC 62439 series specifies
• the common elements and definitions for other parts of the IEC 62439 series;
• the conformance test specification (normative);
• a classification scheme for network characteristics (informative);
• a methodology for estimating network availability (informative);
• the configuration rules, calculation and measurement method for a deterministic recovery
time in RSTP.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60050-191:1990, International Electrotechnical Vocabulary – Chapter 191: Dependability
and quality of service
IEC 61158 (all parts), Industrial communication networks – Fieldbus specifications
IEC 61158-6-10, Industrial communication networks – Fieldbus specifications – Part 6-10:
Application layer protocol specification – Type 10 elements
ISO/IEC 8802-3:2000, Information technology – Telecommunications and information
exchange between systems – Local and metropolitan area networks – Specific requirements –
Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and
physical layer specifications
IEEE 802.1Q, IEEE Standard for Local and metropolitan area networks – Virtual Bridged Local Area Networks
IEEE 802.1D:2004, IEEE Standard for Local and metropolitan area networks – Media Access Control (MAC) Bridges
IETF RFC 791, Internet Protocol; available at <http://www.ietf.org>
3 Terms, definitions, abbreviations, acronyms, and conventions
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050-191, as well
as the following, apply.
3.1.1
availability (performance)
ability of an item to be in a state to perform a required function under given conditions at a
given instant of time or over a given time interval, assuming that the required external
resources are provided
NOTE 1 This ability depends on the combined aspects of the reliability performance, the maintainability
performance, and the maintenance support performance.
NOTE 2 Required external resources, other than maintenance resources, do not affect the availability
performance of the item.
[IEV 191-02-05]
3.1.2
channel
layer 2 connection between two end nodes which consists of one or more paths (for
redundancy) between end nodes
3.1.3
common mode failure
failure that affects all redundant elements for a given function at the same time
3.1.4
complete failure
failure which results in the complete inability of an item to perform all required functions
[IEV 191-04-20]
3.1.5
connection
logical relationship between two nodes
3.1.6
coverage
probability that a failure is discovered within a time short enough for redundancy to handle it,
also expressing the percentage of failures caught up by redundancy vs. total number of
failures
3.1.7
cut-through switching
a technology in which a switching node starts transmitting a received frame before this frame
has been fully received
3.1.8
degradation failure
failure which is both a gradual failure and a partial failure
[IEV 191-04-22]
3.1.9
dependability
collective term used to describe the availability performance and its influencing factors:
reliability performance, maintainability performance and maintenance support performance
NOTE Dependability is used only for general descriptions in non-quantitative terms.
[IEV 191-02-03]
3.1.10
device
physical entity connected to the network composed of communication element and possibly
other functional elements
NOTE Devices are for instance nodes, routers and switches.
3.1.11
doubly attached node
node that has two ports for the purpose of redundant operation
3.1.12
edge port
port of a switch connected to a leaf link
3.1.13
end node
node which is producer or consumer of application data
NOTE For the purpose of the IEC 62439 series, further specification is given in 0.
3.1.14
error
discrepancy between a computed, observed or measured value or condition and the specified
or theoretically correct value or condition
NOTE 1 An error can be caused by a faulty item, e.g. a computing error made by faulty computer equipment.
NOTE 2 The French term “erreur” may also designate a mistake (see IEV 191-05-25).
[IEV 191-05-24, modified]
3.1.15
failure
termination of the ability of an item to perform a required function
NOTE 1 After a failure, the item has a fault.
NOTE 2 "Failure" is an event, as distinguished from "fault", which is a state.
NOTE 3 This concept as defined does not apply to items consisting of software only.
[IEV 191-04-01]
3.1.16
fault
state of an item characterized by its inability to perform a required function, excluding the
inability during preventive maintenance or other planned actions, or due to lack of external
resources
NOTE A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
3.1.17
fault recovery time
time from the fault event, to the time when the network regains its required communication
function in the presence of the fault
NOTE After fault recovery, the network is operating in a degraded mode using some of the redundancy elements,
so it has reduced fault resilience, and may not be able to recover from a second fault.
3.1.18
frame
unit of data transmission on an ISO/IEC 8802-3 MAC (Media Access Control) that conveys a
protocol data unit (PDU) between MAC service users
[IEEE 802.1Q, modified]
3.1.19
(instantaneous) failure rate
limit, if it exists, of the quotient of the conditional probability that the instant of a failure of a
non-repaired item falls within a given time interval (t, t + Δt) and the duration of this time
interval, Δt, when Δt tends to zero, given that the item has not failed up to the beginning of
the time interval
[IEV 191-12-02]
NOTE The failure rate is the reciprocal number of the MTTF when the failure rate is constant over the lifetime of
one item.
3.1.20
inter-switch link
link between two switches
3.1.21
inter-switch port
port of a switch connected to another switch via an inter-switch link
3.1.22
LAN
A layer 2 broadcast domain in which MAC addresses are unique and can be addressed from
any other device belonging to that broadcast domain
NOTE 1 A VLAN allows multiplexing several LANs on the same network infrastructure.
NOTE 2 In the context of redundancy, a network may consist of several LANs operated in redundancy, in which
case it is called a redundant LAN.
3.1.23
leaf link
link between an end node and the LAN
NOTE For the purpose of the IEC 62439 series, further specification is given in 5.2.1.3.
3.1.24
linear topology
topology where the switches are connected in series, with two switches each connected to
only one other switch and all other switches each connected to two other switches (that is,
connected in the shape of a line)
NOTE 1 This topology corresponds to that of an open ring.
NOTE 2 This configuration is sometimes named “daisy chain”. The IEC 62439 series does not use the term “daisy
chain” because of possible confusion with the term “daisy chain” used elsewhere for busses. From the wiring point
of view they require two different implementations.
[IEC 61918, 3.1.39, modified]
3.1.25
link
physical, point-to-point, generally duplex connection between two adjacent nodes
[ISO/IEC 11801, 3.1.51, modified]
NOTE “Link” is different from “bus”, which is a broadcast physical medium.
3.1.26
Link Redundancy Entity
entity at layer 2 that hides port redundancy from the upper layers, by forwarding to the upper
layers the frames received from the active redundant ports as if they came from a single port,
and by forwarding to the active redundant ports a frame coming from the upper layers
3.1.27
link service data unit
data transported within a protocol layer on behalf of the upper layer
NOTE The link service data unit in an Ethernet frame is the content of the frame located between the Length/Type
field and the Frame Check Sequence.
3.1.28
mean failure rate
mean of the instantaneous failure rate over a given time interval, λ(t1, t2)
[IEV 191-12-03]
NOTE The IEC 62439 series uses “failure rate” for the meaning of “mean failure rate” defined by IEV 191-12-03.
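Added worked illustration (not part of the standard's text) of the definitions in 3.1.19 and 3.1.28: it assumes the item has a reliability (survival) function R(t) = P(time to failure > t), evaluates the instantaneous failure rate as the conditional-probability limit of 3.1.19 with a small finite Δt, evaluates the mean failure rate over (t1, t2) as the time average of λ(t), and checks the NOTE to 3.1.19 that a constant failure rate is the reciprocal of the MTTF. The exponential and Weibull reliability functions are assumed models chosen for the illustration.

```python
import math


def instantaneous_failure_rate(reliability, t, dt=1e-3):
    """lambda(t) per 3.1.19: conditional probability that a non-repaired item
    which survived to t fails within (t, t + dt), divided by dt, for a small dt.
    Units follow the time unit of t (here: 1/hour)."""
    r_t = reliability(t)
    conditional_failure_prob = (r_t - reliability(t + dt)) / r_t
    return conditional_failure_prob / dt


def mean_failure_rate(reliability, t1, t2):
    """lambda(t1, t2) per 3.1.28: mean of lambda(t) over (t1, t2).
    Since lambda(t) = -d/dt ln R(t), the integral of lambda over (t1, t2)
    equals ln(R(t1) / R(t2)), so no numerical quadrature is needed."""
    return math.log(reliability(t1) / reliability(t2)) / (t2 - t1)


def mttf(reliability, t_max, steps=200_000):
    """MTTF per 3.1.30 as the expectation of time to failure, which for a
    non-negative lifetime equals the integral of R(t) from 0 to infinity.
    Integrated numerically (trapezoid rule) up to t_max, where R is negligible."""
    h = t_max / steps
    total = 0.5 * (reliability(0.0) + reliability(t_max))
    for i in range(1, steps):
        total += reliability(i * h)
    return total * h


def exponential_reliability(lam):
    """Assumed constant-failure-rate item: R(t) = exp(-lam * t)."""
    return lambda t: math.exp(-lam * t)


def weibull_reliability(scale, shape):
    """Assumed wear-out item: R(t) = exp(-(t/scale)^shape); shape > 1 makes
    lambda(t) increase with age, so the mean rate depends on the interval."""
    return lambda t: math.exp(-((t / scale) ** shape))


def constant_rate_check(lam, t1, t2, t_max):
    """Return (lambda(t1), lambda(t1, t2), MTTF) for a constant-rate item, so the
    three quantities can be compared against the NOTE to 3.1.19 (MTTF = 1/lambda)."""
    r = exponential_reliability(lam)
    return (instantaneous_failure_rate(r, t1),
            mean_failure_rate(r, t1, t2),
            mttf(r, t_max))


if __name__ == "__main__":
    # Constructed figures: 1e-5 failures per hour, i.e. an MTTF of 100 000 h.
    lam_t1, lam_mean, m = constant_rate_check(1e-5, 1000.0, 9000.0, 2_000_000.0)
    print(f"constant rate: lambda(t1)={lam_t1:.3e}/h  mean={lam_mean:.3e}/h  "
          f"MTTF={m:.0f} h  1/lambda={1 / 1e-5:.0f} h")
    w = weibull_reliability(1e5, 2.0)
    print(f"wear-out item: lambda(1000 h)={instantaneous_failure_rate(w, 1000.0):.3e}/h  "
          f"lambda(2000 h)={instantaneous_failure_rate(w, 2000.0):.3e}/h  "
          f"mean over (1000, 2000) h={mean_failure_rate(w, 1000.0, 2000.0):.3e}/h")
```

For the Weibull item the mean failure rate over (1000 h, 2000 h) lies between the instantaneous rates at the two ends, which is why the series fixes the term "failure rate" to the mean value of IEV 191-12-03 rather than to the instantaneous one.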
3.1.29
mean operating time between failures
MTBF
expectation of the operating time between failures
[IEV 191-12-09]
3.1.30
mean time to failure
MTTF
expectation of the time to failure
[IEV 191-12-07]
3.1.31
mean time to recovery
MTTR
expectation of the time to recovery
[IEV 191-13-08, modified]
3.1.32
mesh topology
topology where each node is connected with three or more inter-switch links
3.1.33
message
ordered series of octets intended to convey information
NOTE Normally used to convey information between peers at the application layer.
[IEC 61784-2, 3.1.14]
3.1.34
network
communication system consisting of end nodes, leaf links and LAN(s)
NOTE A network may have more than one LAN for the purpose of redundancy.
3.1.35
node
network entity connected to one or more links
NOTE Nodes may be either a switch or an end node or both.
[IEC 61784-2, 3.1.16, modified]
3.1.36
partial failure
failure which results in the inability of an item to perform some, but not all, required functions
3.1.37
path
set of links and switches joined in series
NOTE There may be two or more paths between two switches to provide redundancy.
3.1.38
plant
system that depends on the availability of the automation network to operate
EXAMPLE Plants can be power plants, printing machines, manufacturing systems, substations, vehicles.
3.1.39
port
connection point of a node to the network
[ISO/IEC 8802-3, modified]
NOTE 1 This definition is different from a TCP port or a UDP port, which the IEC 62439 series qualifies explicitly
if necessary.
NOTE 2 A port includes the layer 1 and 2 implementation.
3.1.40
recovery
event when the network regains the ability to perform its required communication function
after a disruption
NOTE Examples of disruptions could be a fault or removal and reinsertion of a component.
3.1.41
recovery time
time period between disruption and recovery
3.1.42
redundancy
existence in an item of two or more means for performing a required function
[IEV 191-15-01]
NOTE In the IEC 62439 series, the existence of more than one path (consisting of links and switches) between
end nodes.
3.1.43
reinstatement recovery time
time to reinstate the original, or pre-fault, network configuration, including original operating
and management states in each device
3.1.44
reliability
ability of an item to perform a required function under given conditions for a given time
interval
[IEV 191-02-06]
NOTE 1 It is generally assumed that the item is in a state to perform this required function at the beginning of the
time interval.
NOTE 2 The term “reliability” is also used as a measure of reliability performance (see IEV 191-12-01).
3.1.45
repair
action taken for the re-establishment of the specified condition
3.1.46
repair recovery time
delay between the start of the repair action and the completion of repair of the faulty element
such that the network has regained both its required communication function and its required
fault resilience
NOTE 1 This time includes any network down time caused by the repair process, for example a network outage to
replace a switch with several good ports and one faulty port.
NOTE 2 This time does not include re-instatement time to return the network from its backup mode of operation to
the original mode of operation.
3.1.47
ring link
link that connects two switches of a ring
3.1.48
ring port
port of a switch to which a ring link is attached
3.1.49
ring topology
topology in which each node is connected in series to two other nodes
NOTE 1 Nodes are connected to one another in the logical shape of a circle.
NOTE 2 Frames are passed sequentially between active nodes, each node being able to examine or modify the
frame before forwarding it.
3.1.50
robustness
behaviour of the network in face of failures
3.1.51
root bridge
switch with the lowest value of an RSTP Bridge Identifier parameter in the network
[IEEE 802.1D]
3.1.52
route
layer 3 communication path between two nodes
3.1.53
single failure criterion
capacity of a system that includes redundant components to maintain its full functionality upon
one failure of any of its components, prior to maintenance or automatic recovery
3.1.54
single point of failure
single failure point
component whose failure would result in failure of the system and is not compensated for by
redundancy or alternative operational procedure
NOTE A single point of failure or single failure point causes a common mode failure. It may be caused by a
design error in the redundant elements or by an external cause that affects all redundant elements in the same way,
e.g. extreme temperature.
3.1.55
singly attached node
node that has only one port to a LAN
3.1.56
stand-by redundancy
redundancy wherein a part of the means for performing a required function is intended to
operate, while the remaining part(s) of the means are inoperative until needed
[IEV 191-15-03]
NOTE This is also known as dynamic redundancy.
3.1.57
star topology
topology in which all devices are connected to a central node
3.1.58
store-and-forward switching
a technology in which a switching node starts transmitting a received frame only after this
frame has been fully received.
3.1.59
switch
switch node
MAC bridge as defined in IEEE 802.1D
NOTE The term “switch” is used as a synonym for the term “switch node”.
3.1.60
switching end node
an end node and a switch combined in one device
3.1.61
systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a
modification of the design or of the manufacturing process, operational procedures,
documentation or other relevant factors
NOTE 1 Corrective maintenance without modification will usually not eliminate the failure cause.
NOTE 2 A systematic failure can be induced by simulating the failure cause.
[IEV 191-04-19]
3.1.62
topology
pattern of the relative positions and interconnections of the individual nodes of the network
[derived from IEC 61918, 3.1.67]
NOTE Additional aspects such as the delay, attenuation and physical media classes of the paths connecting
network nodes are sometimes also considered to be properties of the topology.
3.1.63
tree topology
topology in which any two nodes have only one path between them and at least one switch is
attached to more than two inter-switch links
3.1.64
trunk portion
part of a switched LAN that carries traffic for several end nodes
3.1.65
upper layer entity
parts of the protocol stack immediately above the redundancy handling layer
3.1.66
worst case recovery time
maximum expected recovery time amongst all faults and for all allowed configurations
NOTE This delay is important for a network designer to indicate which aspects of the network need special
treatment to minimize communication disruption.
3.2 Abbreviations and acronyms
BRP Beacon Redundancy Protocol, IEC 62439-5
BPDU Bridge management Protocol Data Unit, according to IEEE 802.1D
CRP Cross-network Redundancy Protocol, see IEC 62439-4
DAN Doubly Attached Node
DRP Distributed Redundancy Protocol, see IEC 62439-6
DUT Device Under Test
HSR High-availability Seamless Redundancy, see IEC 62439-3
IP Internet Protocol, layer 3 of the Internet Protocol suite
IT Information Technology
LAN Local Area Network
LRE Link Redundancy Entity
MAC Media Access Control
MRP Medium Redundancy Protocol, see IEC 62439-2
MTBF Mean Time Between Failure
MTTF Mean Time To Failure
MTTFN Mean Time To Failure of Network
MTTFS Mean Time To Failure of System
MTTR Mean Time To Repair
MTTRP Mean Time To Repair Plant
OUI Organizational Unique Identifier
PDU Protocol Data Unit
PICS Protocol Implementation Conformance Statement
PRP Parallel Redundancy Protocol, see IEC 62439-3
QAN Quadruply Attached Node
RSTP Rapid Spanning Tree Protocol, see IEEE 802.1D
RFC Request For Comments of the Internet Society
SAN Singly Attached Node
SRP Serial Redundancy Protocol, see IEC 62439-3
STP Spanning Tree Protocol
TCP Transmission Control Protocol, layer 4 of the Internet Protocol suite
UDP User Datagram Protocol, layer 4 of the Internet Protocol suite
3.3 Conventions
3.3.1 General conventions
The protocols specified in the IEC 62439 series follow the structure defined in
IEC/TR 61158-1.
General guidelines are specified in IEC 61158-6-10, 3.7.
3.3.2 Conventions for state machine definitions
The IEC 62439 series follows the conventions used in IEC 61158-6-10, 3.8. The following is a
summary.
• Each state is described by one table, with a separate row for each transition that may
cause a state change.
• Transitions are defined as events that may carry arguments and be subject to conditions.
• The action field expresses the action that takes place in case the event is fired.
• For space reasons, the event and the actions are in the same cell.
• The right column indicates the next state that is entered after the action is finished.
3.3.3 Conventions for PDU specification
PDUs are described according to specification RFC 791, Appendix B.
In particular:
• bits, octets and arrays are numbered starting with 0;
• the “Network Byte Ordering” (big-endian, most significant octet first) convention is
observed.
IEC 61158-6-10 distinguishes bit identification from the bit offset.
EXAMPLE In a bit string of 8 bits, the rightmost bit (Least Significant Bit) is labelled bit 0, but it has bit offset 7
within the bit string octet.
When specifying data objects rather than PDUs, the bit identification according to
IEC 61158-6 series is used. Consequently, bits of a bit string are specified in ascending bit
identification, although they are transmitted in the opposite order.
3.4 Reserved network addresses
The following is a summary of the network addresses reserved for the purpose of the
IEC 62439 series, whilst the prescribed values are specified in the respective parts of the
IEC 62439 series.
For the purpose of the IEC 62439 series, the OUI 00-15-4E has been reserved by IEEE. All
bands within this OUI are reserved for the IEC 62439 series. The following bands are
assigned:
• MRP (see IEC 62439-2) uses 00-15-4E, band 00-00-xx.
• PRP (see IEC 62439-3) uses 00-15-4E, band 00-01-xx.
• CRP (see IEC 62439-4) uses an IP multicast MAC address.
• BRP (see IEC 62439-5) uses 00-15-4E, band 00-02-xx.
• DRP (see IEC 62439-6) uses 00-15-4E, band 00-03-xx.
For the purpose of the IEC 62439 series, the following Ethertypes (see IEEE 802a) have been
reserved by IEEE:
• MRP (see IEC 62439-2) uses 0x88E3.
• PRP (see IEC 62439-3) uses 0x88FB.
• CRP (see IEC 62439-4) uses 0x0800 (IP) with UDP port 3622.
• BRP (see IEC 62439-5) uses 0x80E1.
• DRP (see IEC 62439-6) uses 0x8907.
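The following Python example is added here as an illustration and is not part of IEC 62439-1 or of any IEC 62439 implementation. It applies the conventions of 3.3.3 (network byte ordering, bit identification versus bit offset) and the reserved identifiers of 3.4 to classify Ethernet frames by redundancy protocol, which is what a monitoring probe or an intrusion detection rule on an IEC 62439 network has to do before it can judge whether redundancy traffic is legitimate. Assumptions not taken from the page: redundancy frames are sent to the multicast form of the reserved OUI (01-15-4E, i.e. 00-15-4E with the IEEE 802 individual/group bit set), at most one IEEE 802.1Q tag is present, CRP is recognised by UDP port 3622 over IPv4, and the sample frames are constructed for the example rather than captured. All function names are this example's own.

```python
import struct

# Identifiers the page lists in 3.4 (IEC 62439-1:2010). CRP has no Ethertype of its own.
IEC_62439_OUI = bytes.fromhex("00154E")
BAND_TO_PROTOCOL = {0x0000: "MRP", 0x0001: "PRP", 0x0002: "BRP", 0x0003: "DRP"}
ETHERTYPE_TO_PROTOCOL = {0x88E3: "MRP", 0x88FB: "PRP", 0x80E1: "BRP", 0x8907: "DRP"}
ETHERTYPE_IPV4, ETHERTYPE_VLAN, CRP_UDP_PORT, IP_PROTO_UDP = 0x0800, 0x8100, 3622, 17


def bit_offset(bit_id: int, width: int = 8) -> int:
    """3.3.3: bit identification counts from the LSB (bit 0); bit offset counts
    from the first transmitted (most significant) bit, so bit 0 of an octet is offset 7."""
    if not 0 <= bit_id < width:
        raise ValueError("bit identification out of range")
    return width - 1 - bit_id


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header in network byte order ('!' in struct = big-endian),
    stripping one optional IEEE 802.1Q tag (assumption: a single tag at most)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    return {"dst": dst, "src": src, "ethertype": ethertype, "vlan": vlan, "payload": frame[offset:]}


def oui_band_protocol(mac: bytes):
    """Return (band, protocol) if the MAC lies in OUI 00-15-4E, else None.
    The I/G bit (LSB of the first octet, IEEE 802) is cleared first so that the
    multicast form 01-15-4E-xx-xx-xx is recognised as the same OUI (assumption
    drawn from IEEE 802 addressing, not from the page). The band is octets 4-5;
    a band the page does not assign maps to None."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    if bytes([mac[0] & 0xFE]) + mac[1:3] != IEC_62439_OUI:
        return None
    band = struct.unpack("!H", mac[3:5])[0]
    return band, BAND_TO_PROTOCOL.get(band)


def classify(frame: bytes) -> str:
    """Name the IEC 62439 protocol a frame belongs to, or 'other'."""
    f = parse_frame(frame)
    proto = ETHERTYPE_TO_PROTOCOL.get(f["ethertype"])
    if proto:
        return proto
    if f["ethertype"] == ETHERTYPE_IPV4:  # CRP rides on IPv4/UDP port 3622
        p = f["payload"]
        if len(p) >= 20 and p[0] >> 4 == 4 and p[9] == IP_PROTO_UDP:
            ihl = (p[0] & 0x0F) * 4
            if len(p) >= ihl + 8:
                sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
                if CRP_UDP_PORT in (sport, dport):
                    return "CRP"
    hit = oui_band_protocol(f["dst"])
    if hit and hit[1]:
        return hit[1]
    return "other"


# Constructed sample frames (not captures); addresses are documentation values.
_SRC = bytes.fromhex("0011223344AA")


def _ipv4_udp(payload: bytes, dport: int) -> bytes:
    """Minimal IPv4 header (IHL 5, no options) plus a UDP header, checksums left zero."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_PROTO_UDP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp


SAMPLE_FRAMES = {
    "prp_supervision": bytes.fromhex("01154E000100") + _SRC + struct.pack("!H", 0x88FB) + bytes(46),
    "mrp_test_tagged": bytes.fromhex("01154E000001") + _SRC + struct.pack("!HHH", 0x8100, 0x0007, 0x88E3) + bytes(46),
    "crp_udp": bytes.fromhex("01005E000101") + _SRC + struct.pack("!H", 0x0800) + _ipv4_udp(bytes(8), CRP_UDP_PORT),
    "plain_ip": bytes.fromhex("0011223344BB") + _SRC + struct.pack("!H", 0x0800) + _ipv4_udp(bytes(8), 80),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:16s} -> {classify(frame)}")
```

The classifier only names the protocol; the policy decision (for example, alerting when a reserved Ethertype arrives from a source outside the expected set of redundancy nodes, or on a VLAN that should not carry redundancy traffic) belongs to the caller, which is why parse_frame also returns the source address and VLAN identifier.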
4 Conformance requirements (normative)
4.1 Conformance to redundancy protocols
A statement of compliance with a part of the IEC 62439 series shall be stated as:
• compliance to IEC 62439-2 (MRP), or
• compliance to IEC 62439-3 (PRP), or
• compliance to IEC 62439-4 (CRP), or
• compliance to IEC 62439-5 (BRP), or
• compliance to IEC 62439-6 (DRP).
A conformance statement shall be supported with appropriate documentation as defined in
4.2. The supported protocols and options shall be specified as PICS, in the format:
PICS_62439-X_supported options.
EXAMPLE PICS_62439-5_BlockingSupported.
4.2 Conformance tests
4.2.1 Concept
The concept of this conformance test is to verify the capabilities of a device under test (DUT)
against a consistent set of indicators under simulated worst case conditions. The
conformance test shall assert the interoperability of devices which claim compliance with the
same protocol.
The IEC 62439 series contains specifications that are to be observed by different actors:
• the device builder, who designs and tests a compliant interface;
• the network manager, who defines the topology;
• the user of the network, who respects the operational limitations.
A device sold as being fully compliant with a protocol of the IEC 62439 series could
underperform if the network configuration rules are not observed when it is used.
Figure 1 gives an overview of the conformance test related to the protocols of the IEC 62439
series.
NOTE Conformance test implementation and conformance test execution are not defined in the IEC 62439 series.
(Figure 1 is a diagram; only its labels are recoverable here. It shows three columns: conformance test requirements (IEC 62439: conformance test methodology, performance indicator definition, tests for protocol service and protocol, consistent set of indicators, relevant set of parameters, conformance statement format); conformance test implementation (test environment, protocol selection, Test 1, Test 2, Test 3, ..., test parameters / values); and conformance test execution (device under test, test process, test run, test results, passed?, conformance statement).)
Figure 1 – Conformance test overview
4.2.2 Methodology
Test cases shall be developed in a way that tests are repeatable. Test results shall be
documented and shall be used as the basis for the conformance statement.
Conformance tests of a device shall include, as appropriate, the verification of
• correctness of the specified functionality,
• network related indicator values,
• device related indicator values.
The performance indicator values of the protocol and of the device under test shall be used.
NOTE 1 A description of a conformance testing process is given in ISO/IEC 9646 series.
NOTE 2 It is assumed that the quality of the test cases guarantees t
...
IEC 62439-1 ®
Edition 1.0 2010-02
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Industrial communication networks – High availability automation networks –
Part 1: General concepts and calculation methods
Réseaux industriels de communication – Réseaux d’automatisme à haute
disponibilité–
Partie 1: Concepts généraux et méthodes de calcul
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite ni
utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les
microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.
IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé Fax: +41 22 919 03 00
CH-1211 Geneva 20 info@iec.ch
Switzerland www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub Electropedia - www.electropedia.org
The advanced search enables you to find IEC publications The world's leading online dictionary of electronic and
by a variety of criteria (reference number, text, technical electrical terms containing more than 30 000 terms and
committee,…). definitions in English and French, with equivalent terms in
It also gives information on projects, replaced and additional languages. Also known as the International
withdrawn publications. Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished Customer Service Centre - webstore.iec.ch/csc
Stay up to date on all new IEC publications. Just Published If you wish to give us your feedback on this publication
details all new publications released. Available on-line and or need further assistance, please contact the
also once a month by email. Customer Service Centre: csc@iec.ch.
A propos de la CEI
La Commission Electrotechnique Internationale (CEI) est la première organisation mondiale qui élabore et publie des
Normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.
A propos des publications CEI
Le contenu technique des publications de la CEI est constamment revu. Veuillez vous assurer que vous possédez
l’édition la plus récente, un corrigendum ou amendement peut avoir été publié.
Liens utiles:
Recherche de publications CEI - www.iec.ch/searchpub Electropedia - www.electropedia.org
La recherche avancée vous permet de trouver des Le premier dictionnaire en ligne au monde de termes
publications CEI en utilisant différents critères (numéro de électroniques et électriques. Il contient plus de 30 000
référence, texte, comité d’études,…). termes et définitions en anglais et en français, ainsi que
Elle donne aussi des informations sur les projets et les les termes équivalents dans les langues additionnelles.
publications remplacées ou retirées. Egalement appelé Vocabulaire Electrotechnique
International (VEI) en ligne.
Just Published CEI - webstore.iec.ch/justpublished
Service Clients - webstore.iec.ch/csc
Restez informé sur les nouvelles publications de la CEI.
Just Published détaille les nouvelles publications parues. Si vous désirez nous donner des commentaires sur
Disponible en ligne et aussi une fois par mois par email. cette publication ou si vous avez des questions
contactez-nous: csc@iec.ch.
IEC 62439-1 ®
Edition 1.0 2010-02
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
colour
inside
Industrial communication networks – High availability automation networks –
Part 1: General concepts and calculation methods
Réseaux industriels de communication – Réseaux d’automatisme à haute
disponibilité–
Partie 1: Concepts généraux et méthodes de calcul
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
CODE PRIX XA
ICS 25.040, 35.040 ISBN 978-2-8322-0846-5
– 2 – 62439-1 IEC:2010
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
2 Normative references . 8
3 Terms, definitions, abbreviations, acronyms, and conventions . 9
3.1 Terms and definitions . 9
3.2 Abbreviations and acronyms . 16
3.3 Conventions . 17
3.3.1 General conventions . 17
3.3.2 Conventions for state machine definitions . 17
3.3.3 Conventions for PDU specification . 17
3.4 Reserved network addresses . 18
4 Conformance requirements (normative) . 18
4.1 Conformance to redundancy protocols. 18
4.2 Conformance tests . 19
4.2.1 Concept . 19
4.2.2 Methodology . 19
4.2.3 Test conditions and test cases . 20
4.2.4 Test procedure and measuring . 20
4.2.5 Test report . 20
5 Concepts for high availability automation networks (informative) . 21
5.1 Characteristics of application of automation networks. 21
5.1.1 Resilience in case of failure . 21
5.1.2 Classes of network redundancy . 22
5.1.3 Redundancy maintenance . 22
5.1.4 Comparison and indicators . 23
5.2 Generic network system . 24
5.2.1 Network elements . 24
5.2.2 Topologies . 26
5.2.3 Redundancy handling . 32
5.2.4 Network recovery time . 32
5.2.5 Diagnosis coverage . 32
5.2.6 Failures . 32
5.3 Safety . 34
5.4 Security . 34
6 Classification of networks (informative) . 34
6.1 Notation . 34
6.2 Classification of robustness . 35
7 Availability calculations for selected networks (informative) . 35
7.1 Definitions . 35
7.2 Reliability models . 36
7.2.1 Generic symmetrical reliability model . 36
7.2.2 Simplified symmetrical reliability model . 38
7.2.3 Asymmetric reliability model . 38
7.3 Availability of selected structures . 39
62439-1 IEC:2010 – 3 –
7.3.1 Single LAN without redundant leaves . 39
7.3.2 Network without redundant leaves . 40
7.3.3 Single LAN with redundant leaves . 41
7.3.4 Network with redundant leaves . 41
7.3.5 Considering second failures . 42
7.4 Caveat . 44
8 RSTP for High Availability Networks: configuration rules, calculation and
measurement method for deterministic recovery time in a ring topology . 44
8.1 General . 44
8.2 Deployment and configuration rules for the ring topology . 44
8.3 Calculations for fault recovery time in a ring . 45
8.3.1 Dependencies and failure modes . 45
8.3.2 Calculations for non-considered failure modes. 45
8.3.3 Calculations for the considered failure modes . 45
8.4 Timing measurement method . 46
8.4.1 Measurement of T . 46
PA
8.4.2 Measurement of T . 47
L
8.4.3 Measurement of (T + T ) . 48
TC F
8.4.4 System test example . 50
Bibliography . 52
Figure 1 – Conformance test overview . 19
Figure 2 – General network elements (tree topology) . 24
Figure 3 – Link Redundancy Entity in a Doubly Attached Node (DAN) . 26
Figure 4 – Example of tree topology. 27
Figure 5 – Example of linear topology . 28
Figure 6 – Example of ring topology . 28
Figure 7 – Example of a partially meshed topology . 29
Figure 8 – Example of fully meshed topology . 30
Figure 9 – Single LAN structure without redundant leaf links . 30
Figure 10 – Single LAN structure with redundant leaf links . 31
Figure 11 – Redundant LAN structure without redundant leaf links . 31
Figure 12 – Redundant LAN structure with redundant leaf links . 31
Figure 13 – General symmetrical fault model . 37
Figure 14 – Simplified fault model . 38
Figure 15 – Asymmetric fault model . 39
Figure 16 – Network with no redundancy . 40
Figure 17 – Network with no single point of failure . 41
Figure 18 – Network with resiliency to second failure . 43
Figure 19 –Test rig for T measurement. 47
PA
Figure 20 –Test rig for T measurement . 48
L
Figure 21 –Test rig for (T + T ) measurement . 49
TC F
Figure 22 –Test rig for system test . 50
– 4 – 62439-1 IEC:2010
Table 1 – Examples of application grace time . 21
Table 2 – Examples of redundancy protocols . 23
Table 3 – Code assignment for the field . 34
Table 4 – Code assignment for the field . 34
Table 5 – Code assignment for the field . 35
Table 6 – Code assignment for the field . 35
62439-1 IEC:2010 – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard 62439-1 has been prepared by subcommittee 65C: Industrial Networks,
of IEC technical committee 65: Industrial-process measurement, control and automation.
This standard cancels and replaces IEC 62439 published in 2008. This first edition constitutes
a technical revision.
This edition includes the following significant technical changes with respect to IEC 62439
(2008):
– adding a calculation method for RSTP (rapid spanning tree protocol, IEEE 802.1Q),
– adding two new redundancy protocols: HSR (High-availability Seamless Redundancy)
and DRP (Distributed Redundancy Protocol),
– moving former Clauses 1 to 4 (introduction, definitions, general aspects) and the
Annexes (taxonomy, availability calculation) to IEC 62439-1, which serves now as a
base for the other documents,
– moving Clause 5 (MRP) to IEC 62439-2 with minor editorial changes,
– 6 – 62439-1 IEC:2010
– moving Clause 6 (PRP) was to IEC 62439-3 with minor editorial changes,
– moving Clause 7 (CRP) was to IEC 62439-4 with minor editorial changes, and
– moving Clause 8 (BRP) was to IEC 62439-5 with minor editorial changes,
– adding a method to calculate the maximum recovery time of RSTP in a restricted
configuration (ring) to IEC 62439-1 as Clause 8,
– adding specifications of the HSR (High-availability Seamless Redundancy) protocol,
which shares the principles of PRP to IEC 62439-3 as Clause 5, and
– introducing the DRP protocol as IEC 62439-6.
This bilingual version (2013-07) corresponds to the monolingual English version, published in
2010-02.
The text of this standard is based on the following documents:
FDIS Report on voting
65C/583/FDIS 65C/589/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
The French version of this standard has not been voted upon.
This publication has been drafted in accordance with ISO/IEC Directives, Part 2.
A list of the IEC 62439 series can be found, under the general title Industrial communication
networks – High availability automation networks, on the IEC website.
The committee has decided that the contents of this amendment and the base publication will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.
62439-1 IEC:2010 – 7 –
INTRODUCTION
The IEC 62439 series specifies relevant principles for high availability networks that meet the
requirements for industrial automation networks.
In the fault-free state of the network, the protocols of the IEC 62439 series provide
ISO/IEC 8802-3 (IEEE 802.3) compatible, reliable data communication, and preserve
determinism of real-time data communication. In cases of fault, removal, and insertion of a
component, they provide deterministic recovery times.
These protocols retain fully the typical Ethernet communication capabilities as used in the
office world, so that the software involved remains applicable.
The market is in need of several network solutions, each with different performance
characteristics and functional capabilities, matching diverse application requirements. These
solutions support different redundancy topologies and mechanisms which are introduced in
IEC 62439-1 and specified in the other Parts of the IEC 62439 series. IEC 62439-1 also
distinguishes between the different solutions, giving guidance to the user.
The IEC 62439 series follows the general structure and terms of IEC 61158 series.
– 8 – 62439-1 IEC:2010
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
1 Scope
The IEC 62439 series is applicable to high-availability automation networks based on the
ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) technology.
This part of the IEC 62439 series specifies
• the common elements and definitions for other parts of the IEC 62439 series;
• the conformance test specification (normative);
• a classification scheme for network characteristics (informative);
• a methodology for estimating network availability (informative);
• the configuration rules, calculation and measurement method for a deterministic recovery
time in RSTP.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60050-191:1990, International Electrotechnical Vocabulary – Chapter 191: Dependability
and quality of service
IEC 61158 (all parts), Industrial communication networks – Fieldbus specifications
IEC 61158-6-10, Industrial communication networks – Fieldbus specifications – Part 6-10:
Application layer protocol specification – Type 10 elements
ISO/IEC 8802-3:2000, Information technology – Telecommunications and information
exchange between systems – Local and metropolitan area networks – Specific requirements –
Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and
physical layer specifications
IEEE 802.1Q, IEEE standards for local and metropolitan area network. Virtual bridged local
area networks
IEEE 802.1D:2004, IEEE standard for local Local and metropolitan area networks Media
Access Control (MAC) Bridges
IETF RFC 791, Internet Protocol; available at
62439-1 IEC:2010 – 9 –
3 Terms, definitions, abbreviations, acronyms, and conventions
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050-191, as well
as the following, apply
3.1.1
availability (performance)
ability of an item to be in a state to perform a required function under given conditions at a
given instant of time or over a given time interval, assuming that the required external
resources are provided
NOTE 1 This ability depends on the combined aspects of the reliability performance, the maintainability
performance, and the maintenance support performance.
NOTE 2 Required external resources, other than maintenance resources, do not affect the availability
performance of the item.
[IEV 191-02-05]
3.1.2
channel
layer 2 connection between two end nodes which consists of one or more paths (for
redundancy) between end nodes
3.1.3
common mode failure
failure that affects all redundant elements for a given function at the same time
3.1.4
complete failure
failure which results in the complete inability of an item to perform all required functions
[IEV 191-04-20]
3.1.5
connection
logical relationship between two nodes
3.1.6
coverage
probability that a failure is discovered within a time short enough for redundancy to handle it,
also expressing the percentage of failures caught up by redundancy vs. total number of
failures
3.1.7
cut-through switching
a technology in which a switching node starts transmitting a received frame before this frame
has been fully received
3.1.8
degradation failure
failure which is both a gradual failure and a partial failure
[IEV 191-04-22]
– 10 – 62439-1 IEC:2010
3.1.9
dependability
collective term used to describe the availability performance and its influencing factors:
reliability performance, maintainability performance and maintenance support performance
NOTE Dependability is used only for general descriptions in non-quantitative terms.
[IEV 191-02-03]
3.1.10
device
physical entity connected to the network composed of communication element and possibly
other functional elements
NOTE Devices are for instance nodes, routers and switches.
3.1.11
doubly attached node
node that has two ports for the purpose of redundant operation
3.1.12
edge port
port of a switch connected to a leaf link
3.1.13
end node
node which is producer or consumer of application data
NOTE For the purpose of the IEC 62439 series, further specification is given in 0.
3.1.14
error
discrepancy between a computed, observed or measured value or condition and the specified
or theoretically correct value or condition
NOTE 1 An error can be caused by a faulty item, e.g. a computing error made by faulty computer equipment.
NOTE 2 The French term “erreur” may also designate a mistake (see IEV 191-05-25).
[IEV 191-05-24, modified]
3.1.15
failure
termination of the ability of an item to perform a required function
NOTE 1 After a failure, the item has a fault.
NOTE 2 "Failure" is an event, as distinguished from "fault", which is a state.
NOTE 3 This concept as defined does not apply to items consisting of software only.
[IEV 191-04-01]
3.1.16
fault
state of an item characterized by its inability to perform a required function, excluding the
inability during preventive maintenance or other planned actions, or due to lack of external
resources
NOTE A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
62439-1 IEC:2010 – 11 –
3.1.17
fault recovery time
time from the fault event, to the time when the network regains its required communication
function in the presence of the fault
NOTE After fault recovery, the network is operating in a degraded mode using some of the redundancy elements,
so it has reduced fault resilience, and may not be able to recover from a second fault.
3.1.18
frame
unit of data transmission on an ISO/IEC 8802-3 MAC (Media Access Control) that conveys a
protocol data unit (PDU) between MAC service users
[IEEE 802.1Q, modified]
3.1.19
(instantaneous) failure rate
limit, if it exists, of the quotient of the conditional probability that the instant of a failure of a
non-repaired item falls within a given time interval (t, t + Δt) and the duration of this time
interval, Δt, when Δt tends to zero, given that the item has not failed up to the beginning of
the time interval
[IEV 191-12-02]
NOTE The failure rate is the reciprocal number of the MTTF when the failure rate is constant over the lifetime of
one item.
3.1.20
inter-switch link
link between two switches
3.1.21
inter-switch port
port of a switch connected to another switch via an inter-switch link
3.1.22
LAN
A layer 2 broadcast domain in which MAC addresses are unique and can be addressed from
any other device belonging to that broadcast domain
NOTE 1 A VLAN allows multiplexing several LANs on the same network infrastructure.
NOTE 2 In the context of redundancy, a network may consist of several LANs operated in redundancy, in which
case it is called a redundant LAN.
3.1.23
leaf link
link between an end node and the LAN
NOTE For the purpose of the IEC 62439 series, further specification is given in 5.2.1.3.
3.1.24
linear topology
topology where the switches are connected in series, with two switches each connected to
only one other switch and all other switch each connected to two other switches (that is,
connected in the shape of a line)
NOTE 1 This topology corresponds to that of an open ring.
NOTE 2 This configuration is sometimes named “daisy chain”. The IEC 62439 series does not use the term “daisy
chain” because of possible confusion with the term “daisy chain” used elsewhere for busses. From the wiring point
of view they require two different implementations.
– 12 – 62439-1 IEC:2010
[IEC 61918, 3.1.39, modified]
3.1.25
link
physical, point-to-point, generally duplex connection between two adjacent nodes
[ISO/IEC 11801, 3.1.51, modified]
NOTE “Link” is different from “bus”, which is a broadcast physical medium.
3.1.26
Link Redundancy Entity
entity at layer 2 that hides port redundancy from the upper layers, by forwarding to the upper
layers the frames received from the active redundant ports as if they came from a single port,
and by forwarding to the active redundant ports a frame coming from the upper layers
3.1.27
link service data unit
data transported within a protocol layer on behalf of the upper layer
NOTE The link service data unit in an Ethernet frame is the content of the frame located between the Length/Type
field and the Frame Check Sequence.
3.1.28
mean failure rate
mean of the instantaneous failure rate over a given time interval λ(t , t ).
1 2
[IEV 191-12-03]
NOTE The IEC 62439 series uses “failure rate” for the meaning of “mean failure rate” defined by IEV 191-12-03.
3.1.29
mean operating time between failures
MTBF
expectation of the operating time between failures
[IEV 191-12-09]
3.1.30
mean time to failure
MTTF
expectation of the time to failure
[IEV 191-12-07]
3.1.31
mean time to recovery
MTTR
expectation of the time to recovery
[IEV 191-13-08, modified]
3.1.32
mesh topology
topology where each node is connected with three or more inter-switch links
3.1.33
message
ordered series of octets intended to convey information
NOTE Normally used to convey information between peers at the application layer.
[IEC 61784-2, 3.1.14]
3.1.34
network
communication system consisting of end nodes, leaf links and LAN(s)
NOTE A network may have more than one LAN for the purpose of redundancy.
3.1.35
node
network entity connected to one or more links
NOTE Nodes may be either a switch or an end node or both.
[IEC 61784-2, 3.1.16, modified]
3.1.36
partial failure
failure which results in the inability of an item to perform some, but not all, required functions
3.1.37
path
set of links and switches joined in series
NOTE There may be two or more paths between two switches to provide redundancy.
3.1.38
plant
system that depends on the availability of the automation network to operate
EXAMPLE Plants can be power plants, printing machines, manufacturing systems, substations, vehicles.
3.1.39
port
connection point of a node to the network
[ISO/IEC 8802-3, modified]
NOTE 1 This definition is different from a TCP port or a UDP port, which the IEC 62439 series qualifies explicitly
if necessary.
NOTE 2 A port includes the layer 1 and 2 implementation.
3.1.40
recovery
event when the network regains the ability to perform its required communication function
after a disruption
NOTE Examples of disruptions could be a fault or removal and reinsertion of a component.
3.1.41
recovery time
time period between disruption and recovery
3.1.42
redundancy
existence in an item of two or more means for performing a required function
[IEV 191-15-01]
NOTE In the IEC 62439 series, the existence of more than one path (consisting of links and switches) between
end nodes.
3.1.43
reinstatement recovery time
time to reinstate the original, or pre-fault, network configuration, including original operating
and management states in each device
3.1.44
reliability
ability of an item to perform a required function under given conditions for a given time
interval
[IEV 191-02-06]
NOTE 1 It is generally assumed that the item is in a state to perform this required function at the beginning of the
time interval.
NOTE 2 The term “reliability” is also used as a measure of reliability performance (see IEV 191-12-01).
3.1.45
repair
action taken for the re-establishment of the specified condition
3.1.46
repair recovery time
delay between the start of the repair action and the completion of repair of the faulty element
such that the network has regained both its required communication function and its required
fault resilience
NOTE 1 This time includes any network down time caused by the repair process, for example a network outage to
replace a switch with several good ports and one faulty port.
NOTE 2 This time does not include re-instatement time to return the network from its backup mode of operation to
the original mode of operation.
3.1.47
ring link
link that connects two switches of a ring
3.1.48
ring port
port of a switch to which a ring link is attached
3.1.49
ring topology
topology in which each node is connected in series to two other nodes
NOTE 1 Nodes are connected to one another in the logical shape of a circle.
NOTE 2 Frames are passed sequentially between active nodes, each node being able to examine or modify the
frame before forwarding it.
3.1.50
robustness
behaviour of the network in face of failures
3.1.51
root bridge
switch with the lowest value of an RSTP Bridge Identifier parameter in the network
[IEEE 802.1D]
3.1.52
route
layer 3 communication path between two nodes
3.1.53
single failure criterion
capacity of a system that includes redundant components to maintain its full functionality upon
one failure of any of its components, prior to maintenance or automatic recovery
3.1.54
single point of failure
single failure point
component whose failure would result in failure of the system and is not compensated for by
redundancy or alternative operational procedure
NOTE A single point of failure or single failure point causes a common mode failure. It may be caused by a
design error in the redundant elements or by an external cause that affects all redundant elements in the same way,
e.g. extreme temperature.
3.1.55
singly attached node
node that has only one port to a LAN
3.1.56
stand-by redundancy
redundancy wherein a part of the means for performing a required function is intended to
operate, while the remaining part(s) of the means are inoperative until needed
[IEV 191-15-03]
NOTE This is also known as dynamic redundancy.
3.1.57
star topology
topology in which all devices are connected to a central node
3.1.58
store-and-forward switching
a technology in which a switching node starts transmitting a received frame only after this
frame has been fully received
3.1.59
switch
switch node
MAC bridge as defined in IEEE 802.1D
NOTE The term “switch” is used as a synonym for the term “switch node”.
3.1.60
switching end node
an end node and a switch combined in one device
3.1.61
systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a
modification of the design or of the manufacturing process, operational procedures,
documentation or other relevant factors
NOTE 1 Corrective maintenance without modification will usually not eliminate the failure cause.
NOTE 2 A systematic failure can be induced by simulating the failure cause.
[IEV 191-04-19]
3.1.62
topology
pattern of the relative positions and interconnections of the individual nodes of the network
[derived from IEC 61918, 3.1.67]
NOTE Additional aspects such as the delay, attenuation and physical media classes of the paths connecting
network nodes are sometimes also considered to be properties of the topology.
3.1.63
tree topology
topology in which any two nodes have only one path between them and at least one switch is
attached to more than two inter-switch links
3.1.64
trunk portion
part of a switched LAN that carries traffic for several end nodes
3.1.65
upper layer entity
parts of the protocol stack immediately above the redundancy handling layer
3.1.66
worst case recovery time
maximum expected recovery time amongst all faults and for all allowed configurations
NOTE This delay is important for a network designer to indicate which aspects of the network need special
treatment to minimize communication disruption.
3.2 Abbreviations and acronyms
BRP Beacon Redundancy Protocol, IEC 62439-5
BPDU Bridge management Protocol Data Unit, according to IEEE 802.1D
CRP Cross-network Redundancy Protocol, see IEC 62439-4
DAN Doubly Attached Node
DRP Distributed Redundancy Protocol, see IEC 62439-6
DUT Device Under Test
HSR High-availability Seamless Redundancy, see IEC 62439-3
IP Internet Protocol, layer 3 of the Internet Protocol suite
IT Information Technology
LAN Local Area Network
LRE Link Redundancy Entity
MAC Media Access Control
MRP Medium Redundancy Protocol, see IEC 62439-2
MTBF Mean Time Between Failure
MTTF Mean Time To Failure
MTTFN Mean Time To Failure of Network
MTTFS Mean Time To Failure of System
MTTR Mean Time To Repair
MTTRP Mean Time To Repair Plant
OUI Organizational Unique Identifier
PDU Protocol Data Unit
PICS Protocol Implementation Conformance Statement
PRP Parallel Redundancy Protocol, see IEC 62439-3
QAN Quadruply Attached Node
RSTP Rapid Spanning Tree Protocol, see IEEE 802.1D
RFC Request For Comments of the Internet Society
SAN Singly Attached Node
SRP Serial Redundancy Protocol, see IEC 62439-3
STP Spanning Tree Protocol
TCP Transmission Control Protocol, layer 4 of the Internet Protocol suite
UDP User Datagram Protocol, layer 4 of the Internet Protocol suite
3.3 Conventions
3.3.1 General conventions
The protocols specified in the IEC 62439 series follow the structure defined in
IEC/TR 61158-1.
General guidelines are specified in IEC 61158-6-10, 3.7.
3.3.2 Conventions for state machine definitions
The IEC 62439 series follows the conventions used in IEC 61158-6-10, 3.8. The following is a
summary.
• Each state is described by one table, with a separate row for each transition that may
cause a state change.
• Transitions are defined as events that may carry arguments and be subject to conditions.
• The action field expresses the action that takes place in case the event is fired.
• For space reasons, the event and the actions are in the same cell.
• The right column indicates the next state that is entered after the action is finished.
3.3.3 Conventions for PDU specification
PDUs are described according to specification RFC 791, Appendix B.
In particular:
• bits, octets and arrays are numbered starting with 0;
• the “Network Byte Ordering” (big-endian, most significant octet first) convention is
observed.
IEC 61158-6-10 distinguishes bit identification from the bit offset.
EXAMPLE In a bit string of 8 bits, the rightmost bit (Least Significant Bit) is labelled bit 0, but it has bit offset 7
within the bit string octet.
When specifying data objects rather than PDUs, the bit identification according to
IEC 61158-6 series is used. Consequently, bits of a bit string are specified in ascending bit
identification, although they are transmitted in the opposite order.
3.4 Reserved network addresses
The following is a summary of the network addresses reserved for the purpose of the
IEC 62439 series, whilst the prescribed values are specified in the respective parts of the
IEC 62439 series.
For the purpose of the IEC 62439 series, the OUI 00-15-4E has been reserved by IEEE. All
bands within this OUI are reserved for the IEC 62439 series. The following bands are
assigned:
• MRP (see IEC 62439-2) uses 00-15-4E, band 00-00-xx.
• PRP (see IEC 62439-3) uses 00-15-4E, band 00-01-xx.
• CRP (see IEC 62439-4) uses an IP multicast MAC address.
• BRP (see IEC 62439-5) uses 00-15-4E, band 00-02-xx.
• DRP (see IEC 62439-6) uses 00-15-4E, band 00-03-xx.
For the purpose of the IEC 62439 series, the following Ethertypes (see IEEE 802a) have been
reserved by IEEE:
• MRP (see IEC 62439-2) uses 0x88E3.
• PRP (see IEC 62439-3) uses 0x88FB.
• CRP (see IEC 62439-4) uses 0x0800 (IP) with UDP port 3622.
• BRP (see IEC 62439-5) uses 0x80E1.
• DR
...
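As an added example (not code from IEC 62439-1 or from any IEC 62439 implementation), the following Python classifies Ethernet frames by the reserved OUI bands and Ethertypes listed in 3.4, the kind of check a network monitor uses to inventory which redundancy protocols are actually present on an automation LAN. It reads multi-octet fields in network byte order as required by 3.3.3, assumes the IEEE 802.1Q tag Ethertype 0x8100 for tagged frames (not from this page), leaves DRP's Ethertype out because it is cut off on the page, and uses constructed sample frames rather than captured traffic.

```python
"""Identify IEC 62439 redundancy-protocol traffic by the identifiers of 3.4.

Added example; not part of IEC 62439-1 or of any IEC 62439 implementation.
Only the OUI bands and Ethertypes listed in 3.4 are used (DRP's Ethertype
is cut off on the page and deliberately left out). Multi-octet fields are
read in network byte order (3.3.3). All sample frames are constructed.
"""
import struct

IEC_62439_OUI = bytes.fromhex("00154E")          # reserved by IEEE (3.4)

# 4th/5th destination-MAC octets within the reserved OUI -> protocol (3.4).
OUI_BANDS = {
    (0x00, 0x00): "MRP",   # IEC 62439-2, band 00-00-xx
    (0x00, 0x01): "PRP",   # IEC 62439-3, band 00-01-xx
    (0x00, 0x02): "BRP",   # IEC 62439-5, band 00-02-xx
    (0x00, 0x03): "DRP",   # IEC 62439-6, band 00-03-xx
}
# Ethertypes reserved for the series (3.4).
ETHERTYPES = {0x88E3: "MRP", 0x88FB: "PRP", 0x80E1: "BRP"}
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag; assumption, not from the page
CRP_UDP_PORT = 3622       # CRP runs over IP/UDP on this port (3.4)
IP_PROTO_UDP = 17


def classify_frame(frame: bytes) -> dict:
    """Return {'protocol', 'by', 'dst_band'} for one Ethernet frame.

    'protocol' is the IEC 62439 protocol name or None, 'by' names the
    identifier that matched, 'dst_band' is the band when the destination
    MAC lies in the reserved OUI. An Ethertype match overrides a MAC-band
    match because it identifies the frame contents directly.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]   # big-endian (3.3.3)
    payload = frame[14:]
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        # Tagged frame: the real Ethertype follows the 2-octet TCI.
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]

    result = {"protocol": None, "by": None, "dst_band": None}
    if dst[0:3] == IEC_62439_OUI:
        band = (dst[3], dst[4])
        result["dst_band"] = "%02X-%02X-xx" % band
        if band in OUI_BANDS:
            result["protocol"] = OUI_BANDS[band]
            result["by"] = "destination MAC band"
    if ethertype in ETHERTYPES:
        result["protocol"] = ETHERTYPES[ethertype]
        result["by"] = "Ethertype 0x%04X" % ethertype
    elif ethertype == ETHERTYPE_IPV4 and _is_crp_udp(payload):
        result["protocol"] = "CRP"
        result["by"] = "IPv4/UDP port %d" % CRP_UDP_PORT
    return result


def _is_crp_udp(packet: bytes) -> bool:
    """True if an IPv4 packet carries UDP with the CRP port on either side."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_UDP or len(packet) < ihl + 8:
        return False
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return CRP_UDP_PORT in (src_port, dst_port)


def inventory(frames) -> dict:
    """Count frames per IEC 62439 protocol (key None = not a 62439 frame)."""
    counts = {}
    for frame in frames:
        proto = classify_frame(frame)["protocol"]
        counts[proto] = counts.get(proto, 0) + 1
    return counts


# --- constructed sample data (not captured traffic) ------------------------
def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def build_ipv4_udp(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Minimal IPv4+UDP packet; checksums are left zero for the example."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IP_PROTO_UDP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + udp


SRC = bytes.fromhex("020000000001")  # locally administered placeholder MAC
SAMPLE_FRAMES = {
    "prp": build_frame(bytes.fromhex("00154E000100"), SRC, 0x88FB, b"\x00" * 8),
    "mrp_tagged": build_frame(bytes.fromhex("00154E000000"), SRC, ETHERTYPE_VLAN,
                              struct.pack("!HH", 0x0000, 0x88E3) + b"\x00" * 8),
    # 0x88B5 (IEEE 802 local experimental) stands in for DRP's missing value.
    "drp_band": build_frame(bytes.fromhex("00154E000300"), SRC, 0x88B5, b"\x00" * 8),
    "crp": build_frame(bytes.fromhex("01005E000001"), SRC, ETHERTYPE_IPV4,
                       build_ipv4_udp(49152, CRP_UDP_PORT, b"\x00" * 4)),
    "plain_udp": build_frame(SRC, SRC, ETHERTYPE_IPV4,
                             build_ipv4_udp(49153, 53, b"\x00" * 4)),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify_frame(frame))
    print(inventory(SAMPLE_FRAMES.values()))
```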
IEC 62439-1 ®
Edition 1.2 2016-02
CONSOLIDATED VERSION
INTERNATIONAL STANDARD
Industrial communication networks – High availability automation networks – Part 1: General concepts and calculation methods
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.
IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards,
Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.
IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical
committee, …). It also gives information on projects, replaced and withdrawn publications.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and
also once a month by email.
Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing 20 000 terms and definitions in
English and French, with equivalent terms in 15 additional languages. Also known as the International Electrotechnical
Vocabulary (IEV) online.
IEC Glossary - std.iec.ch/glossary
65 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of
IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and
CISPR.
IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service
Centre: csc@iec.ch.
ICS 25.040; 35.040; 35.100.01 ISBN 978-2-8322-3220-0
IEC 62439-1 ® Edition 1.2 2016-02 – CONSOLIDATED VERSION – REDLINE VERSION
– 2 – IEC 62439-1:2010+AMD1:2012
+AMD2:2016 CSV IEC 2016
CONTENTS
FOREWORD. 5
INTRODUCTION . 7
1 Scope . 8
2 Normative references . 8
3 Terms, definitions, abbreviations, acronyms, and conventions . 9
3.1 Terms and definitions . 9
3.2 Abbreviations and acronyms . 16
3.3 Conventions . 17
3.3.1 General conventions . 17
3.3.2 Conventions for state machine definitions . 18
3.3.3 Conventions for PDU specification . 18
3.4 Reserved network addresses . 18
4 Conformance requirements (normative) . 19
4.1 Conformance to redundancy protocols . 19
4.2 Conformance tests . 19
4.2.1 Concept . 19
4.2.2 Methodology . 20
4.2.3 Test conditions and test cases . 20
4.2.4 Test procedure and measuring . 21
4.2.5 Test report . 21
5 Concepts for high availability automation networks (informative) . 22
5.1 Characteristics of application of automation networks . 22
5.1.1 Resilience in case of failure . 22
5.1.2 Classes of network redundancy . 22
5.1.3 Redundancy maintenance . 23
5.1.4 Comparison and indicators . 23
5.2 Generic network system . 25
5.2.1 Network elements . 25
5.2.2 Topologies . 27
5.2.3 Redundancy handling . 32
5.2.4 Network recovery time . 33
5.2.5 Diagnosis coverage . 33
5.2.6 Failures . 33
5.3 Safety . 34
5.4 Security . 34
6 Classification of networks (informative) . 34
6.1 Notation . 34
6.2 Classification of robustness . 35
7 Availability calculations for selected networks (informative) . 36
7.1 Definitions . 36
7.2 Reliability models . 37
7.2.1 Generic symmetrical reliability model . 37
7.2.2 Simplified symmetrical reliability model . 38
7.2.3 Asymmetric reliability model . 39
7.3 Availability of selected structures . 40
7.3.1 Single LAN without redundant leaves . 40
7.3.2 Network without redundant leaves . 40
7.3.3 Single LAN with redundant leaves . 41
7.3.4 Network with redundant leaves . 41
7.3.5 Considering second failures . 42
7.4 Caveat . 44
8 RSTP for High Availability Networks: configuration rules, calculation and measurement method for deterministic predictable recovery time in a ring topology . 44
8.1 General . 44
8.2 Deployment and configuration rules for the ring topology . 45
8.3 Calculations for fault recovery time in a ring . 45
8.3.1 Dependencies and failure modes . 45
8.3.2 Calculations for non-considered failure modes . 45
8.3.3 Calculations for the considered failure modes . 45
8.4 Timing measurement method . 46
8.4.1 Measurement of T_PA . 46
8.4.2 Measurement of T_L . 47
8.4.3 Measurement of (T_TC + T_F) . 48
8.4.4 System test example . 50
8.5 RSTP topology limits and maximum recovery time . 51
8.5.1 RSTP protocol parameters . 51
8.5.2 RSTP-specific terms and definitions . 51
8.5.3 Example of a small RSTP tree . 53
8.5.4 Assumption on TxHoldCount . 54
8.5.5 Worst case topology and radius determination . 54
8.5.6 Method to determine the worst case radius in case of a ring-ring architecture . 55
8.5.7 Worst case radius of an optimized multilayer architecture . 56
8.5.8 Approximated upper bound reconfiguration time for RSTP networks . 57
Bibliography . 60
Figure 1 – Conformance test overview . 20
Figure 2 – General network elements (tree topology) . 25
Figure 3 – Link Redundancy Entity in a Doubly Attached Node (DAN) . 26
Figure 4 – Example of tree topology . 28
Figure 5 – Example of linear topology . 28
Figure 6 – Example of ring topology . 29
Figure 7 – Example of a partially meshed topology . 30
Figure 8 – Example of fully meshed topology . 30
Figure 9 – Single LAN structure without redundant leaf links . 31
Figure 10 – Single LAN structure with redundant leaf links . 31
Figure 11 – Redundant LAN structure without redundant leaf links . 32
Figure 12 – Redundant LAN structure with redundant leaf links . 32
Figure 13 – General symmetrical fault model . 37
Figure 14 – Simplified fault model . 38
Figure 15 – Asymmetric fault model . 39
Figure 16 – Network with no redundancy . 40
Figure 17 – Network with no single point of failure . 42
Figure 18 – Network with resiliency to second failure . 43
Figure 19 – Test rig for T_PA measurement . 47
Figure 20 – Test rig for T_L measurement . 48
Figure 21 – Test rig for (T_TC + T_F) measurement . 49
Figure 22 –Test rig for system test . 50
Figure 23 – Diameter and Bridge Max Age . 53
Figure 24 – Worst path determination . 55
Figure 25 – Example ring-ring topology . 55
Figure 26 – Example multilayer topology . 57
Table 1 – Examples of application grace time . 22
Table 2 – Examples of redundancy protocols . 24
Table 3 – Code assignment for the field . 35
Table 4 – Code assignment for the field . 35
Table 5 – Code assignment for the field . 35
Table 6 – Code assignment for the field . 36
INTERNATIONAL ELECTROTECHNICAL COMMISSION
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This consolidated version of the official IEC Standard and its amendments has been prepared
for user convenience.
IEC 62439-1 edition 1.2 contains the first edition (2010-02) [documents 65C/583/FDIS and
65C/589/RVD], its amendment 1 (2012-06) [documents 65C/684/FDIS and 65C/691/RVD] and its
amendment 2 (2016-02) [documents 65C/834/FDIS and 65C/841/RVD].
In this Redline version, a vertical line in the margin shows where the technical content is
modified by amendments 1 and 2. Additions are in green text, deletions are in strikethrough
red text. A separate Final version with all changes accepted is available in this publication.
International Standard 62439-1 has been prepared by subcommittee 65C: Industrial Networks,
of IEC technical committee 65: Industrial-process measurement, control and automation.
This edition includes the following significant technical changes with respect to IEC 62439
(2008):
– adding a calculation method for RSTP (rapid spanning tree protocol, IEEE 802.1Q),
– adding two new redundancy protocols: HSR (High-availability Seamless Redundancy)
and DRP (Distributed Redundancy Protocol),
– moving former Clauses 1 to 4 (introduction, definitions, general aspects) and the
Annexes (taxonomy, availability calculation) to IEC 62439-1, which serves now as a
base for the other documents,
– moving Clause 5 (MRP) to IEC 62439-2 with minor editorial changes,
– moving Clause 6 (PRP) to IEC 62439-3 with minor editorial changes,
– moving Clause 7 (CRP) to IEC 62439-4 with minor editorial changes, and
– moving Clause 8 (BRP) to IEC 62439-5 with minor editorial changes,
– adding a method to calculate the maximum recovery time of RSTP in a restricted
configuration (ring) to IEC 62439-1 as Clause 8,
– adding specifications of the HSR (High-availability Seamless Redundancy) protocol,
which shares the principles of PRP to IEC 62439-3 as Clause 5, and
– introducing the DRP protocol as IEC 62439-6.
The French version of this standard has not been voted upon.
This publication has been drafted in accordance with ISO/IEC Directives, Part 2.
A list of the IEC 62439 series can be found, under the general title Industrial communication
networks – High availability automation networks, on the IEC website.
The committee has decided that the contents of the base publication and its amendments will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
The IEC 62439 series specifies relevant principles for high availability networks that meet the
requirements for industrial automation networks.
In the fault-free state of the network, the protocols of the IEC 62439 series provide
ISO/IEC 8802-3 (IEEE 802.3) compatible, reliable data communication, and preserve
determinism of real-time data communication. In cases of fault, removal, and insertion of a
component, they provide deterministic recovery times.
These protocols retain fully the typical Ethernet communication capabilities as used in the
office world, so that the software involved remains applicable.
The market is in need of several network solutions, each with different performance
characteristics and functional capabilities, matching diverse application requirements. These
solutions support different redundancy topologies and mechanisms which are introduced in
IEC 62439-1 and specified in the other Parts of the IEC 62439 series. IEC 62439-1 also
distinguishes between the different solutions, giving guidance to the user.
The IEC 62439 series follows the general structure and terms of IEC 61158 series.
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
1 Scope
The IEC 62439 series is applicable to high-availability automation networks based on the
ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) technology.
This part of the IEC 62439 series specifies
• the common elements and definitions for other parts of the IEC 62439 series;
• the conformance test specification (normative);
• a classification scheme for network characteristics (informative);
• a methodology for estimating network availability (informative);
• the configuration rules, calculation and measurement method for a deterministic recovery
time in RSTP.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60050-191:1990, International Electrotechnical Vocabulary – Chapter 191: Dependability
and quality of service
IEC 61158 (all parts), Industrial communication networks – Fieldbus specifications
IEC 61158-6-10, Industrial communication networks – Fieldbus specifications – Part 6-10:
Application layer protocol specification – Type 10 elements
ISO/IEC 8802-3:2000, Information technology – Telecommunications and information
exchange between systems – Local and metropolitan area networks – Specific requirements –
Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and
physical layer specifications
IEEE 802.1Q, IEEE standards for local and metropolitan area network. Virtual bridged local
area networks
IEEE 802.1D:2004, IEEE Standard for Local and metropolitan area networks – Media
Access Control (MAC) Bridges
IETF RFC 791, Internet Protocol; available at
3 Terms, definitions, abbreviations, acronyms, and conventions
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050-191, as well
as the following, apply.
3.1.1
availability (performance)
ability of an item to be in a state to perform a required function under given conditions at a
given instant of time or over a given time interval, assuming that the required external
resources are provided
NOTE 1 This ability depends on the combined aspects of the reliability performance, the maintainability
performance, and the maintenance support performance.
NOTE 2 Required external resources, other than maintenance resources, do not affect the availability
performance of the item.
[IEV 191-02-05]
3.1.2
channel
layer 2 connection between two end nodes which consists of one or more paths (for
redundancy) between end nodes
3.1.3
common mode failure
failure that affects all redundant elements for a given function at the same time
3.1.4
complete failure
failure which results in the complete inability of an item to perform all required functions
[IEV 191-04-20]
3.1.5
connection
logical relationship between two nodes
3.1.6
coverage
probability that a failure is detected within a time short enough for the redundancy to handle
it; equivalently, the fraction of failures handled by the redundancy relative to the total number
of failures
3.1.7
cut-through switching
a technology in which a switching node starts transmitting a received frame before this frame
has been fully received
3.1.8
degradation failure
failure which is both a gradual failure and a partial failure
[IEV 191-04-22]
3.1.9
dependability
collective term used to describe the availability performance and its influencing factors:
reliability performance, maintainability performance and maintenance support performance
NOTE Dependability is used only for general descriptions in non-quantitative terms.
[IEV 191-02-03]
3.1.10
device
physical entity connected to the network composed of communication element and possibly
other functional elements
NOTE Devices are for instance nodes, routers and switches.
3.1.11
doubly attached node
node that has two ports for the purpose of redundant operation
3.1.12
edge port
port of a switch connected to a leaf link
3.1.13
end node
node which is producer or consumer of application data
NOTE For the purpose of the IEC 62439 series, further specification is given in 0.
3.1.14
error
discrepancy between a computed, observed or measured value or condition and the specified
or theoretically correct value or condition
NOTE 1 An error can be caused by a faulty item, e.g. a computing error made by faulty computer equipment.
NOTE 2 The French term “erreur” may also designate a mistake (see IEV 191-05-25).
[IEV 191-05-24, modified]
3.1.15
failure
termination of the ability of an item to perform a required function
NOTE 1 After a failure, the item has a fault.
NOTE 2 "Failure" is an event, as distinguished from "fault", which is a state.
NOTE 3 This concept as defined does not apply to items consisting of software only.
[IEV 191-04-01]
3.1.16
fault
state of an item characterized by its inability to perform a required function, excluding the
inability during preventive maintenance or other planned actions, or due to lack of external
resources
NOTE A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
3.1.17
fault recovery time
time from the fault event, to the time when the network regains its required communication
function in the presence of the fault
NOTE After fault recovery, the network is operating in a degraded mode using some of the redundancy elements,
so it has reduced fault resilience, and may not be able to recover from a second fault.
3.1.18
frame
unit of data transmission on an ISO/IEC 8802-3 MAC (Media Access Control) that conveys a
protocol data unit (PDU) between MAC service users
[IEEE 802.1Q, modified]
3.1.19
(instantaneous) failure rate
limit, if it exists, of the quotient of the conditional probability that the instant of a failure of a
non-repaired item falls within a given time interval (t, t + Δt) and the duration of this time
interval, Δt, when Δt tends to zero, given that the item has not failed up to the beginning of
the time interval
[IEV 191-12-02]
NOTE The failure rate is the reciprocal of the MTTF when the failure rate is constant over the lifetime of
one item.
3.1.20
inter-switch link
link between two switches
3.1.21
inter-switch port
port of a switch connected to another switch via an inter-switch link
3.1.22
LAN
layer 2 broadcast domain in which MAC addresses are unique and can be addressed from
any other device belonging to that broadcast domain
NOTE 1 A VLAN allows multiplexing several LANs on the same network infrastructure.
NOTE 2 In the context of redundancy, a network may consist of several LANs operated in redundancy, in which
case it is called a redundant LAN.
3.1.23
leaf link
link between an end node and the LAN
NOTE For the purpose of the IEC 62439 series, further specification is given in 5.2.1.3.
3.1.24
linear topology
topology where the switches are connected in series, with two switches each connected to
only one other switch and all other switches each connected to two other switches (that is,
connected in the shape of a line)
NOTE 1 This topology corresponds to that of an open ring.
NOTE 2 This configuration is sometimes named “daisy chain”. The IEC 62439 series does not use the term “daisy
chain” because of possible confusion with the term “daisy chain” used elsewhere for busses. From the wiring point
of view they require two different implementations.
[IEC 61918, 3.1.39, modified]
3.1.25
link
physical, point-to-point, generally duplex connection between two adjacent nodes
[ISO/IEC 11801, 3.1.51, modified]
NOTE “Link” is different from “bus”, which is a broadcast physical medium.
3.1.26
Link Redundancy Entity
entity at layer 2 that hides port redundancy from the upper layers, by forwarding to the upper
layers the frames received from the active redundant ports as if they came from a single port,
and by forwarding to the active redundant ports a frame coming from the upper layers
3.1.27
link service data unit
data transported within a protocol layer on behalf of the upper layer
NOTE The link service data unit in an Ethernet frame is the content of the frame located between the Length/Type
field and the Frame Check Sequence.
3.1.28
mean failure rate
mean of the instantaneous failure rate over a given time interval λ(t₁, t₂)
[IEV 191-12-03]
NOTE The IEC 62439 series uses “failure rate” for the meaning of “mean failure rate” defined by IEV 191-12-03.
3.1.29
mean operating time between failures
MTBF
expectation of the operating time between failures
[IEV 191-12-09]
3.1.30
mean time to failure
MTTF
expectation of the time to failure
[IEV 191-12-07]
3.1.31
mean time to recovery
MTTR
expectation of the time to recovery
[IEV 191-13-08, modified]
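The relations that connect 3.1.19 (instantaneous failure rate), 3.1.28 (mean failure rate), 3.1.30 (MTTF), 3.1.31 (MTTR) and 3.1.1 (availability), worked through here as an added illustration. The derivation is standard reliability theory and is not text of IEC 62439-1; the steady-state availability formula at the end is the usual two-state result and is not stated in this clause, and the numeric values are constructed for the illustration only.

```latex
% R(t): reliability function, the probability that a non-repaired item
% has not failed by time t. The instantaneous failure rate (3.1.19) is the
% conditional failure density, which determines R(t):
\lambda(t)
  = \lim_{\Delta t \to 0}
    \frac{\Pr\{\text{failure in } (t, t+\Delta t] \mid \text{no failure up to } t\}}{\Delta t}
  = -\frac{1}{R(t)}\,\frac{dR(t)}{dt}
\quad\Longrightarrow\quad
R(t) = \exp\!\left(-\int_0^{t} \lambda(u)\,du\right)

% Mean failure rate over (t_1, t_2) (3.1.28), which the IEC 62439 series
% simply calls "failure rate":
\lambda(t_1, t_2)
  = \frac{1}{t_2 - t_1}\int_{t_1}^{t_2} \lambda(u)\,du
  = \frac{\ln R(t_1) - \ln R(t_2)}{t_2 - t_1}

% MTTF (3.1.30) is the expectation of the time to failure; integrating by
% parts turns it into the area under R(t):
\mathrm{MTTF} = \int_0^{\infty} t\,\bigl(-R'(t)\bigr)\,dt = \int_0^{\infty} R(t)\,dt

% With a constant failure rate both definitions coincide and the NOTE to
% 3.1.19 (failure rate is the reciprocal of MTTF) follows:
\lambda(t) = \lambda(t_1, t_2) = \lambda,\qquad
R(t) = e^{-\lambda t},\qquad
\mathrm{MTTF} = \int_0^{\infty} e^{-\lambda t}\,dt = \frac{1}{\lambda}

% Constructed numbers: \lambda = 10^{-6}\,\mathrm{h}^{-1} gives MTTF = 10^{6} h,
% and the probability of surviving one year (8760 h) without failure is
R(8760\,\mathrm{h}) = e^{-8760 \times 10^{-6}} \approx 0.9913

% Steady-state availability (3.1.1) of a repairable item with constant
% failure rate \lambda and constant repair rate \mu = 1/\mathrm{MTTR} (3.1.31):
A = \frac{\mu}{\lambda + \mu} = \frac{\mathrm{MTTF}}{\mathrm{MTTF} + \mathrm{MTTR}}

% With MTTF = 10^{6} h and MTTR = 8 h:
A = \frac{10^{6}}{10^{6} + 8} \approx 0.999\,992,\qquad
1 - A \approx 8 \times 10^{-6} \approx 4.2\ \text{min of unavailability per year}
```

The last line is the reason the series separates MTTF from MTTR: for a network whose elements fail rarely, the unavailability is dominated by how long a fault takes to be noticed and repaired, which is exactly the quantity the coverage (3.1.6) and recovery-time definitions (3.1.17, 3.1.41, 3.1.46) make explicit.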
3.1.32
mesh topology
topology where each node is connected with three or more inter-switch links
3.1.33
message
ordered series of octets intended to convey information
NOTE Normally used to convey information between peers at the application layer.
[IEC 61784-2, 3.1.14]
3.1.34
network
communication system consisting of end nodes, leaf links and LAN(s)
NOTE A network may have more than one LAN for the purpose of redundancy.
3.1.35
node
network entity connected to one or more links
NOTE Nodes may be either a switch or an end node or both.
[IEC 61784-2, 3.1.16, modified]
3.1.36
partial failure
failure which results in the inability of an item to perform some, but not all, required functions
3.1.37
path
set of links and switches joined in series
NOTE There may be two or more paths between two switches to provide redundancy.
3.1.38
plant
system that depends on the availability of the automation network to operate
EXAMPLE Plants can be power plants, printing machines, manufacturing systems, substations, vehicles.
3.1.39
port
connection point of a node to the network
[ISO/IEC 8802-3, modified]
NOTE 1 This definition is different from a TCP port or a UDP port, which the IEC 62439 series qualifies explicitly
if necessary.
NOTE 2 A port includes the layer 1 and 2 implementation.
3.1.40
recovery
event when the network regains the ability to perform its required communication function
after a disruption
NOTE Examples of disruptions could be a fault or removal and reinsertion of a component.
3.1.41
recovery time
time period between disruption and recovery
3.1.42
redundancy
existence in an item of two or more means for performing a required function
[IEV 191-15-01]
NOTE In the IEC 62439 series, the existence of more than one path (consisting of links and switches) between
end nodes.
3.1.43
reinstatement recovery time
time to reinstate the original, or pre-fault, network configuration, including original operating
and management states in each device
3.1.44
reliability
ability of an item to perform a required function under given conditions for a given time
interval
[IEV 191-02-06]
NOTE 1 It is generally assumed that the item is in a state to perform this required function at the beginning of the
time interval.
NOTE 2 The term “reliability” is also used as a measure of reliability performance (see IEV 191-12-01).
3.1.45
repair
action taken for the re-establishment of the specified condition
3.1.46
repair recovery time
delay between the start of the repair action and the completion of repair of the faulty element
such that the network has regained both its required communication function and its required
fault resilience
NOTE 1 This time includes any network down time caused by the repair process, for example a network outage to
replace a switch with several good ports and one faulty port.
NOTE 2 This time does not include re-instatement time to return the network from its backup mode of operation to
the original mode of operation.
3.1.47
ring link
link that connects two switches of a ring
3.1.48
ring port
port of a switch to which a ring link is attached
3.1.49
ring topology
topology in which each node is connected in series to two other nodes
NOTE 1 Nodes are connected to one another in the logical shape of a circle.
NOTE 2 Frames are passed sequentially between active nodes, each node being able to examine or modify the
frame before forwarding it.
3.1.50
robustness
behaviour of the network in face of failures
3.1.51
root bridge
switch with the lowest value of an RSTP Bridge Identifier parameter in the network
[IEEE 802.1D]
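The election rule behind 3.1.51, worked through as an added example; this is not code from IEC 62439-1 nor from any switch vendor. It assumes the Bridge Identifier layout of IEEE 802.1D-2004 / 802.1Q (a 2-octet priority field followed by the 6-octet bridge MAC address, compared as one unsigned 64-bit value, numerically lowest wins); the bridge names and MAC addresses are constructed sample data. The security point a practitioner should take from it is general 802.1D behaviour rather than something this standard addresses here: BPDUs carry no authentication, so any device attached to an inter-switch link that advertises a lower identifier becomes root and forces a topology change, subject to the same recovery-time bounds that Clause 8 derives for accidental faults. Vendor features commonly called root guard and BPDU guard on edge ports are the usual mitigation.

```python
"""Root bridge election from IEEE 802.1D/802.1Q Bridge Identifiers.

Added example, not part of IEC 62439-1. The identifier layout (2-octet
priority field in the upper 16 bits, 6-octet MAC address in the lower 48,
compared as an unsigned integer, lowest wins) is that of IEEE 802.1D-2004.
Bridge names and MAC addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # 16-bit priority field as carried in the BPDU
    mac: str       # 48-bit bridge address, colon-separated hex

    def identifier(self) -> int:
        """Bridge Identifier as a comparable unsigned 64-bit integer."""
        if not 0 <= self.priority <= 0xFFFF:
            raise ValueError(f"{self.name}: priority must fit in 16 bits")
        mac_bytes = bytes.fromhex(self.mac.replace(":", ""))
        if len(mac_bytes) != 6:
            raise ValueError(f"{self.name}: MAC address must be 6 octets")
        return (self.priority << 48) | int.from_bytes(mac_bytes, "big")


def settable_priority(priority_field: int) -> int:
    """Upper 4 bits of the priority field (multiples of 4096) are the part an
    administrator sets under 802.1Q; the lower 12 bits are the system ID
    extension (for example the VLAN or MSTI number)."""
    return priority_field & 0xF000


def system_id_extension(priority_field: int) -> int:
    """Lower 12 bits of the priority field."""
    return priority_field & 0x0FFF


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """Bridge with the numerically lowest identifier. Equal priorities are
    broken by the lower MAC address, which falls out of the integer
    comparison because the MAC occupies the low-order bits."""
    candidates = list(bridges)
    if not candidates:
        raise ValueError("no bridges to elect from")
    return min(candidates, key=Bridge.identifier)


def ranked(bridges: Iterable[Bridge]) -> List[str]:
    """Bridge names ordered from the root to the least preferred candidate."""
    return [b.name for b in sorted(bridges, key=Bridge.identifier)]


# Constructed sample ring: two core switches with deliberately low
# priorities, two access switches at the default 32768, and one
# unauthorised device advertising priority 0 on an inter-switch link.
SAMPLE_BRIDGES = [
    Bridge("core-1", 4096, "00:1b:21:0a:00:01"),
    Bridge("core-2", 8192, "00:1b:21:0a:00:02"),
    Bridge("access-1", 32768, "00:1b:21:0a:00:10"),
    Bridge("access-2", 32768, "00:1b:21:0a:00:03"),
    Bridge("rogue", 0, "02:00:00:00:00:01"),
]

# The topology as the designer planned it, without the rogue device.
PLANNED_BRIDGES = [b for b in SAMPLE_BRIDGES if b.name != "rogue"]


if __name__ == "__main__":
    print("planned root:", elect_root(PLANNED_BRIDGES).name)
    print("root with rogue present:", elect_root(SAMPLE_BRIDGES).name)
    print("ranking:", ranked(SAMPLE_BRIDGES))
```

Two points the run makes visible: the designer's choice of 4096 for core-1 only holds while nothing on the network advertises a smaller value, and between access-1 and access-2 the tie at 32768 is decided by the MAC address, so which of two default-configured switches becomes root is an accident of hardware rather than a design decision.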
3.1.52
route
layer 3 communication path between two nodes
3.1.53
single failure criterion
capacity of a system that includes redundant components to maintain its full functionality upon
one failure of any of its components, prior to maintenance or automatic recovery
3.1.54
single point of failure
single failure point
component whose failure would result in failure of the system and is not compensated for by
redundancy or alternative operational procedure
NOTE A single point of failure or single failure point causes a common mode failure. It may be caused by a
design error in the redundant elements or by an external cause that affects all redundant elements in the same way,
e.g. extreme temperature.
3.1.55
singly attached node
node that has only one port to a LAN
3.1.56
stand-by redundancy
redundancy wherein a part of the means for performing a required function is intended to
operate, while the remaining part(s) of the means are inoperative until needed
[IEV 191-15-03]
NOTE This is also known as dynamic redundancy.
3.1.57
star topology
topology in which all devices are connected to a central node
3.1.58
store-and-forward switching
a technology in which a switching node starts transmitting a received frame only after this
frame has been fully received
3.1.59
switch
switch node
MAC bridge as defined in IEEE 802.1D
NOTE The term “switch” is used as a synonym for the term “switch node”.
3.1.60
switching end node
an end node and a switch combined in one device
3.1.61
systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a
modification of the design or of the manufacturing process, operational procedures,
documentation or other relevant factors
NOTE 1 Corrective maintenance without modification will usually not eliminate the failure cause.
NOTE 2 A systematic failure can be induced by simulating the failure cause.
[IEV 191-04-19]
3.1.62
topology
pattern of the relative positions and interconnections of the individual nodes of the network
[derived from IEC 61918, 3.1.67]
NOTE Additional aspects such as the delay, attenuation and physical media classes of the paths connecting
network nodes are sometimes also considered to be properties of the topology.
3.1.63
tree topology
topology in which any two nodes have only one path between them and at least one switch is
attached to more than two inter-switch links
3.1.64
trunk portion
part of a switched LAN that carries traffic for several end nodes
3.1.65
upper layer entity
parts of the protocol stack immediately above the redundancy handling layer
3.1.66
worst case recovery time
maximum expected recovery time amongst all faults and for all allowed configurations
NOTE This delay is important for a network designer to indicate which aspects of the network need special
treatment to minimize communication disruption.
3.1.67
bridge
device connecting LAN segments at layer 2 according to IEEE 802.1D
NOTE The words “switch” and “bridge” are considered synonyms, the word “bridge” is used in the context of
standards such as RSTP (IEEE 802.1D), PTP (IEC 61588) or IEC 62439-3 (PRP & HSR).
3.1.68
network recovery time
time span from the moment of the first failure
...
IEC 62439-1
Edition 1.1 2013-07
CONSOLIDATED VERSION
Industrial communication networks – High availability automation networks –
Part 1: General concepts and calculation methods
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
Useful links:
IEC publications search - www.iec.ch/searchpub: the advanced search enables you to find IEC publications by a variety
of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and
withdrawn publications.
Electropedia - www.electropedia.org: the world's leading online dictionary of electronic and electrical terms, containing
more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known
as the International Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished: stay up to date on all new IEC publications. Just Published details
all new publications released. Available on-line and also once a month by email.
Customer Service Centre - webstore.iec.ch/csc: if you wish to give us your feedback on this publication or need further
assistance, please contact the Customer Service Centre: csc@iec.ch.
ICS 25.040; 35.040; 35.100.01 ISBN 978-2-8322-1002-4
IEC 62439-1
Edition 1.1 2013-07
REDLINE VERSION
Industrial communication networks – High availability automation networks –
Part 1: General concepts and calculation methods
– 2 – 62439-1 IEC:2010+A1:2012
CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope . 8
2 Normative references . 8
3 Terms, definitions, abbreviations, acronyms, and conventions . 9
3.1 Terms and definitions . 9
3.2 Abbreviations and acronyms . 16
3.3 Conventions . 17
3.3.1 General conventions . 17
3.3.2 Conventions for state machine definitions . 18
3.3.3 Conventions for PDU specification . 18
3.4 Reserved network addresses . 18
4 Conformance requirements (normative) . 19
4.1 Conformance to redundancy protocols. 19
4.2 Conformance tests . 19
4.2.1 Concept . 19
4.2.2 Methodology . 20
4.2.3 Test conditions and test cases . 20
4.2.4 Test procedure and measuring . 21
4.2.5 Test report . 21
5 Concepts for high availability automation networks (informative) . 22
5.1 Characteristics of application of automation networks. 22
5.1.1 Resilience in case of failure . 22
5.1.2 Classes of network redundancy . 22
5.1.3 Redundancy maintenance . 23
5.1.4 Comparison and indicators . 23
5.2 Generic network system . 25
5.2.1 Network elements . 25
5.2.2 Topologies . 27
5.2.3 Redundancy handling . 32
5.2.4 Network recovery time . 33
5.2.5 Diagnosis coverage . 33
5.2.6 Failures . 33
5.3 Safety . 34
5.4 Security . 34
6 Classification of networks (informative) . 34
6.1 Notation . 34
6.2 Classification of robustness . 35
7 Availability calculations for selected networks (informative) . 36
7.1 Definitions . 36
7.2 Reliability models . 37
7.2.1 Generic symmetrical reliability model . 37
7.2.2 Simplified symmetrical reliability model . 38
7.2.3 Asymmetric reliability model . 39
7.3 Availability of selected structures . 40
7.3.1 Single LAN without redundant leaves . 40
7.3.2 Network without redundant leaves . 40
7.3.3 Single LAN with redundant leaves . 41
7.3.4 Network with redundant leaves . 41
7.3.5 Considering second failures . 42
7.4 Caveat . 44
8 RSTP for High Availability Networks: configuration rules, calculation and
measurement method for predictable recovery time in a ring topology . 44
8.1 General . 44
8.2 Deployment and configuration rules for the ring topology . 45
8.3 Calculations for fault recovery time in a ring . 45
8.3.1 Dependencies and failure modes . 45
8.3.2 Calculations for non-considered failure modes. 45
8.3.3 Calculations for the considered failure modes . 45
8.4 Timing measurement method . 46
8.4.1 Measurement of TPA . 46
8.4.2 Measurement of TL . 47
8.4.3 Measurement of (TTC + TF) . 48
8.4.4 System test example . 50
8.5 RSTP topology limits and maximum recovery time. 51
8.5.1 RSTP protocol parameters . 51
8.5.2 RSTP-specific terms and definitions . 51
8.5.3 Example of a small RSTP tree . 53
8.5.4 Assumption on TxHoldCount. 54
8.5.5 Worst case topology and radius determination . 54
8.5.6 Method to determine the worst case radius in case of a ring-ring
architecture . 55
8.5.7 Worst case radius of an optimized multilayer architecture . 56
8.5.8 Approximated upper bound of the reconfiguration time for RSTP networks . 57
Bibliography . 60
Figure 1 – Conformance test overview . 20
Figure 2 – General network elements (tree topology) . 25
Figure 3 – Link Redundancy Entity in a Doubly Attached Node (DAN) . 26
Figure 4 – Example of tree topology. 28
Figure 5 – Example of linear topology . 28
Figure 6 – Example of ring topology . 29
Figure 7 – Example of a partially meshed topology . 30
Figure 8 – Example of fully meshed topology . 30
Figure 9 – Single LAN structure without redundant leaf links . 31
Figure 10 – Single LAN structure with redundant leaf links . 31
Figure 11 – Redundant LAN structure without redundant leaf links . 32
Figure 12 – Redundant LAN structure with redundant leaf links . 32
Figure 13 – General symmetrical fault model . 37
Figure 14 – Simplified fault model . 38
Figure 15 – Asymmetric fault model . 39
Figure 16 – Network with no redundancy . 40
Figure 17 – Network with no single point of failure . 41
Figure 18 – Network with resiliency to second failure . 43
Figure 19 – Test rig for TPA measurement . 47
Figure 20 – Test rig for TL measurement . 48
Figure 21 – Test rig for (TTC + TF) measurement . 49
Figure 22 – Test rig for system test . 50
Figure 23 – Diameter and Bridge Max Age . 53
Figure 24 – Worst path determination . 55
Figure 25 – Example ring-ring topology . 55
Figure 26 – Example multilayer topology . 57
Table 1 – Examples of application grace time . 22
Table 2 – Examples of redundancy protocols . 24
Table 3 – Code assignment for the field . 35
Table 4 – Code assignment for the field . 35
Table 5 – Code assignment for the field . 35
Table 6 – Code assignment for the field . 36
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This Consolidated version of IEC 62439-1 bears the edition number 1.1. It consists of
the first edition (2010) [65C/583/FDIS and 65C/589/RVD] and its amendment 1 (2012)
[documents 65C/684/FDIS and 65C/691/RVD]. The technical content is identical to the
base edition and its amendment.
In this Redline version, a vertical line in the margin shows where the technical content
is modified by amendment 1. Additions and deletions are displayed in red, with
deletions being struck through. A separate Final version with all changes accepted is
available in this publication.
This publication has been prepared for user convenience.
International Standard 62439-1 has been prepared by subcommittee 65C: Industrial Networks,
of IEC technical committee 65: Industrial-process measurement, control and automation.
This edition includes the following significant technical changes with respect to IEC 62439
(2008):
– adding a calculation method for RSTP (rapid spanning tree protocol, IEEE 802.1Q),
– adding two new redundancy protocols: HSR (High-availability Seamless Redundancy)
and DRP (Distributed Redundancy Protocol),
– moving former Clauses 1 to 4 (introduction, definitions, general aspects) and the
Annexes (taxonomy, availability calculation) to IEC 62439-1, which serves now as a
base for the other documents,
– moving Clause 5 (MRP) to IEC 62439-2 with minor editorial changes,
– moving Clause 6 (PRP) to IEC 62439-3 with minor editorial changes,
– moving Clause 7 (CRP) to IEC 62439-4 with minor editorial changes,
– moving Clause 8 (BRP) to IEC 62439-5 with minor editorial changes,
– adding a method to calculate the maximum recovery time of RSTP in a restricted
configuration (ring) to IEC 62439-1 as Clause 8,
– adding specifications of the HSR (High-availability Seamless Redundancy) protocol,
which shares the principles of PRP to IEC 62439-3 as Clause 5, and
– introducing the DRP protocol as IEC 62439-6.
The bilingual version (2013-07) of this standard corresponds to the monolingual English
version published in 2010-02.
The French version of this standard has not been voted upon.
This publication has been drafted in accordance with ISO/IEC Directives, Part 2.
A list of the IEC 62439 series can be found, under the general title Industrial communication
networks – High availability automation networks, on the IEC website.
The committee has decided that the contents of the base publication and its amendment will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.
INTRODUCTION
The IEC 62439 series specifies relevant principles for high availability networks that meet the
requirements for industrial automation networks.
In the fault-free state of the network, the protocols of the IEC 62439 series provide
ISO/IEC 8802-3 (IEEE 802.3) compatible, reliable data communication, and preserve
determinism of real-time data communication. In cases of fault, removal, and insertion of a
component, they provide deterministic recovery times.
These protocols retain fully the typical Ethernet communication capabilities as used in the
office world, so that the software involved remains applicable.
The market is in need of several network solutions, each with different performance
characteristics and functional capabilities, matching diverse application requirements. These
solutions support different redundancy topologies and mechanisms which are introduced in
IEC 62439-1 and specified in the other Parts of the IEC 62439 series. IEC 62439-1 also
distinguishes between the different solutions, giving guidance to the user.
The IEC 62439 series follows the general structure and terms of IEC 61158 series.
INDUSTRIAL COMMUNICATION NETWORKS –
HIGH AVAILABILITY AUTOMATION NETWORKS –
Part 1: General concepts and calculation methods
1 Scope
The IEC 62439 series is applicable to high-availability automation networks based on the
ISO/IEC 8802-3 (IEEE 802.3) (Ethernet) technology.
This part of the IEC 62439 series specifies
• the common elements and definitions for other parts of the IEC 62439 series;
• the conformance test specification (normative);
• a classification scheme for network characteristics (informative);
• a methodology for estimating network availability (informative);
• the configuration rules, calculation and measurement method for a deterministic recovery
time in RSTP.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60050-191:1990, International Electrotechnical Vocabulary – Chapter 191: Dependability
and quality of service
IEC 61158 (all parts), Industrial communication networks – Fieldbus specifications
IEC 61158-6-10, Industrial communication networks – Fieldbus specifications – Part 6-10:
Application layer protocol specification – Type 10 elements
ISO/IEC 8802-3:2000, Information technology – Telecommunications and information
exchange between systems – Local and metropolitan area networks – Specific requirements –
Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and
physical layer specifications
IEEE 802.1Q, IEEE standards for local and metropolitan area network. Virtual bridged local
area networks
IEEE 802.1D:2004, IEEE Standard for Local and metropolitan area networks: Media Access
Control (MAC) Bridges
IETF RFC 791, Internet Protocol; available at
3 Terms, definitions, abbreviations, acronyms, and conventions
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050-191, as well
as the following, apply.
3.1.1
availability (performance)
ability of an item to be in a state to perform a required function under given conditions at a
given instant of time or over a given time interval, assuming that the required external
resources are provided
NOTE 1 This ability depends on the combined aspects of the reliability performance, the maintainability
performance, and the maintenance support performance.
NOTE 2 Required external resources, other than maintenance resources, do not affect the availability
performance of the item.
[IEV 191-02-05]
3.1.2
channel
layer 2 connection between two end nodes which consists of one or more paths (for
redundancy) between end nodes
3.1.3
common mode failure
failure that affects all redundant elements for a given function at the same time
3.1.4
complete failure
failure which results in the complete inability of an item to perform all required functions
[IEV 191-04-20]
3.1.5
connection
logical relationship between two nodes
3.1.6
coverage
probability that a failure is discovered within a time short enough for redundancy to handle it,
also expressing the percentage of failures caught up by redundancy vs. total number of
failures
3.1.7
cut-through switching
a technology in which a switching node starts transmitting a received frame before this frame
has been fully received
3.1.8
degradation failure
failure which is both a gradual failure and a partial failure
[IEV 191-04-22]
3.1.9
dependability
collective term used to describe the availability performance and its influencing factors:
reliability performance, maintainability performance and maintenance support performance
NOTE Dependability is used only for general descriptions in non-quantitative terms.
[IEV 191-02-03]
3.1.10
device
physical entity connected to the network composed of communication element and possibly
other functional elements
NOTE Devices are for instance nodes, routers and switches.
3.1.11
doubly attached node
node that has two ports for the purpose of redundant operation
3.1.12
edge port
port of a switch connected to a leaf link
3.1.13
end node
node which is producer or consumer of application data
NOTE For the purpose of the IEC 62439 series, further specification is given in 0.
3.1.14
error
discrepancy between a computed, observed or measured value or condition and the specified
or theoretically correct value or condition
NOTE 1 An error can be caused by a faulty item, e.g. a computing error made by faulty computer equipment.
NOTE 2 The French term “erreur” may also designate a mistake (see IEV 191-05-25).
[IEV 191-05-24, modified]
3.1.15
failure
termination of the ability of an item to perform a required function
NOTE 1 After a failure, the item has a fault.
NOTE 2 "Failure" is an event, as distinguished from "fault", which is a state.
NOTE 3 This concept as defined does not apply to items consisting of software only.
[IEV 191-04-01]
3.1.16
fault
state of an item characterized by its inability to perform a required function, excluding the
inability during preventive maintenance or other planned actions, or due to lack of external
resources
NOTE A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
3.1.17
fault recovery time
time from the fault event, to the time when the network regains its required communication
function in the presence of the fault
NOTE After fault recovery, the network is operating in a degraded mode using some of the redundancy elements,
so it has reduced fault resilience, and may not be able to recover from a second fault.
3.1.18
frame
unit of data transmission on an ISO/IEC 8802-3 MAC (Media Access Control) that conveys a
protocol data unit (PDU) between MAC service users
[IEEE 802.1Q, modified]
3.1.19
(instantaneous) failure rate
limit, if it exists, of the quotient of the conditional probability that the instant of a failure of a
non-repaired item falls within a given time interval (t, t + Δt) and the duration of this time
interval, Δt, when Δt tends to zero, given that the item has not failed up to the beginning of
the time interval
[IEV 191-12-02]
NOTE The failure rate is the reciprocal of the MTTF when the failure rate is constant over the lifetime of
one item.
3.1.20
inter-switch link
link between two switches
3.1.21
inter-switch port
port of a switch connected to another switch via an inter-switch link
3.1.22
LAN
layer 2 broadcast domain in which MAC addresses are unique and can be addressed from
any other device belonging to that broadcast domain
NOTE 1 A VLAN allows multiplexing several LANs on the same network infrastructure.
NOTE 2 In the context of redundancy, a network may consist of several LANs operated in redundancy, in which
case it is called a redundant LAN.
3.1.23
leaf link
link between an end node and the LAN
NOTE For the purpose of the IEC 62439 series, further specification is given in 5.2.1.3.
3.1.24
linear topology
topology where the switches are connected in series, with two switches each connected to
only one other switch and all other switches each connected to two other switches (that is,
connected in the shape of a line)
NOTE 1 This topology corresponds to that of an open ring.
NOTE 2 This configuration is sometimes named “daisy chain”. The IEC 62439 series does not use the term “daisy
chain” because of possible confusion with the term “daisy chain” used elsewhere for busses. From the wiring point
of view they require two different implementations.
[IEC 61918, 3.1.39, modified]
3.1.25
link
physical, point-to-point, generally duplex connection between two adjacent nodes
[ISO/IEC 11801, 3.1.51, modified]
NOTE “Link” is different from “bus”, which is a broadcast physical medium.
3.1.26
Link Redundancy Entity
entity at layer 2 that hides port redundancy from the upper layers, by forwarding to the upper
layers the frames received from the active redundant ports as if they came from a single port,
and by forwarding to the active redundant ports a frame coming from the upper layers
3.1.27
link service data unit
data transported within a protocol layer on behalf of the upper layer
NOTE The link service data unit in an Ethernet frame is the content of the frame located between the Length/Type
field and the Frame Check Sequence.
3.1.28
mean failure rate
mean of the instantaneous failure rate over a given time interval (t₁, t₂), denoted λ(t₁, t₂)
[IEV 191-12-03]
NOTE The IEC 62439 series uses “failure rate” for the meaning of “mean failure rate” defined by IEV 191-12-03.
3.1.29
mean operating time between failures
MTBF
expectation of the operating time between failures
[IEV 191-12-09]
3.1.30
mean time to failure
MTTF
expectation of the time to failure
[IEV 191-12-07]
3.1.31
mean time to recovery
MTTR
expectation of the time to recovery
[IEV 191-13-08, modified]
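The dependability quantities defined in 3.1.1, 3.1.19, 3.1.28, 3.1.30, 3.1.31 and 3.1.44 can be exercised numerically. The following Python script is an added worked example and is not part of IEC 62439-1: the steady-state availability formula A = MTTF / (MTTF + MTTR) and the constant-rate reliability R(t) = exp(-λt) are standard results assumed here rather than formulas given in the standard, and the MTTF and MTTR figures are constructed sample values.

```python
import math
from typing import Callable

HOURS_PER_YEAR = 8760.0


def failure_rate_from_mttf(mttf_h: float) -> float:
    """Constant failure rate lambda = 1 / MTTF (3.1.19 NOTE), in 1/h."""
    if mttf_h <= 0:
        raise ValueError("MTTF must be positive")
    return 1.0 / mttf_h


def reliability(rate_per_h: float, t_h: float) -> float:
    """Probability of performing the required function over [0, t] (3.1.44).

    R(t) = exp(-lambda * t) holds for a constant failure rate; that is an
    assumption of this example, not a formula stated in the standard.
    """
    return math.exp(-rate_per_h * t_h)


def mean_failure_rate(hazard: Callable[[float], float], t1: float, t2: float,
                      steps: int = 10_000) -> float:
    """Mean of the instantaneous failure rate over (t1, t2) (3.1.28).

    Integrates the hazard function numerically (trapezoidal rule) and divides
    by the interval length, so it also works for non-constant rates.
    """
    if t2 <= t1:
        raise ValueError("interval must satisfy t1 < t2")
    h = (t2 - t1) / steps
    total = 0.5 * (hazard(t1) + hazard(t2))
    for i in range(1, steps):
        total += hazard(t1 + i * h)
    return total * h / (t2 - t1)


def steady_state_availability(mttf_h: float, mttr_h: float) -> float:
    """Availability (3.1.1) of a repairable item as MTTF / (MTTF + MTTR).

    Standard steady-state result for constant failure and repair rates;
    it is an assumption of this example, not a formula given in 62439-1.
    """
    if mttf_h <= 0 or mttr_h < 0:
        raise ValueError("MTTF must be positive and MTTR non-negative")
    return mttf_h / (mttf_h + mttr_h)


def expected_downtime_minutes_per_year(availability: float) -> float:
    """Unavailability expressed as expected down time per year, in minutes."""
    return (1.0 - availability) * HOURS_PER_YEAR * 60.0


if __name__ == "__main__":
    # Constructed sample figures: a switch with an MTTF of 100 000 h and an MTTR of 4 h.
    mttf, mttr = 100_000.0, 4.0
    lam = failure_rate_from_mttf(mttf)
    avail = steady_state_availability(mttf, mttr)
    print(f"failure rate       : {lam:.2e} /h")
    print(f"R(1 year)          : {reliability(lam, HOURS_PER_YEAR):.4f}")
    print(f"availability       : {avail:.6f}")
    print(f"down time per year : {expected_downtime_minutes_per_year(avail):.1f} min")
    # A wear-out item whose hazard grows linearly: the mean rate over (0, 1000 h)
    # is half the rate reached at the end of the interval.
    wear = mean_failure_rate(lambda t: 1e-8 * t, 0.0, 1000.0)
    print(f"mean rate, h(t) = 1e-8 t over (0, 1000 h): {wear:.2e} /h")
```

The mean-rate function is what 3.1.28 NOTE refers to when the series says "failure rate": for a constant hazard it returns the constant, for an ageing item it returns the time average over the interval actually considered.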
3.1.32
mesh topology
topology where each node is connected with three or more inter-switch links
3.1.33
message
ordered series of octets intended to convey information
NOTE Normally used to convey information between peers at the application layer.
[IEC 61784-2, 3.1.14]
3.1.34
network
communication system consisting of end nodes, leaf links and LAN(s)
NOTE A network may have more than one LAN for the purpose of redundancy.
3.1.35
node
network entity connected to one or more links
NOTE Nodes may be either a switch or an end node or both.
[IEC 61784-2, 3.1.16, modified]
3.1.36
partial failure
failure which results in the inability of an item to perform some, but not all, required functions
3.1.37
path
set of links and switches joined in series
NOTE There may be two or more paths between two switches to provide redundancy.
3.1.38
plant
system that depends on the availability of the automation network to operate
EXAMPLE Plants can be power plants, printing machines, manufacturing systems, substations, vehicles.
3.1.39
port
connection point of a node to the network
[ISO/IEC 8802-3, modified]
NOTE 1 This definition is different from a TCP port or a UDP port, which the IEC 62439 series qualifies explicitly
if necessary.
NOTE 2 A port includes the layer 1 and 2 implementation.
3.1.40
recovery
event when the network regains the ability to perform its required communication function
after a disruption
NOTE Examples of disruptions could be a fault or removal and reinsertion of a component.
3.1.41
recovery time
time period between disruption and recovery
3.1.42
redundancy
existence in an item of two or more means for performing a required function
[IEV 191-15-01]
NOTE In the IEC 62439 series, the existence of more than one path (consisting of links and switches) between
end nodes.
3.1.43
reinstatement recovery time
time to reinstate the original, or pre-fault, network configuration, including original operating
and management states in each device
3.1.44
reliability
ability of an item to perform a required function under given conditions for a given time
interval
[IEV 191-02-06]
NOTE 1 It is generally assumed that the item is in a state to perform this required function at the beginning of the
time interval.
NOTE 2 The term “reliability” is also used as a measure of reliability performance (see IEV 191-12-01).
3.1.45
repair
action taken for the re-establishment of the specified condition
3.1.46
repair recovery time
delay between the start of the repair action and the completion of repair of the faulty element
such that the network has regained both its required communication function and its required
fault resilience
NOTE 1 This time includes any network down time caused by the repair process, for example a network outage to
replace a switch with several good ports and one faulty port.
NOTE 2 This time does not include re-instatement time to return the network from its backup mode of operation to
the original mode of operation.
3.1.47
ring link
link that connects two switches of a ring
3.1.48
ring port
port of a switch to which a ring link is attached
3.1.49
ring topology
topology in which each node is connected in series to two other nodes
NOTE 1 Nodes are connected to one another in the logical shape of a circle.
NOTE 2 Frames are passed sequentially between active nodes, each node being able to examine or modify the
frame before forwarding it.
3.1.50
robustness
behaviour of the network in face of failures
3.1.51
root bridge
switch with the lowest value of an RSTP Bridge Identifier parameter in the network
[IEEE 802.1D]
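The root bridge (3.1.51) is decided purely by comparing Bridge Identifiers. The following Python script is an added example and not part of the standard; it shows how the 8-octet identifier of IEEE 802.1D-2004 is formed (a 4-bit settable priority in steps of 4096, a 12-bit system ID extension and the 48-bit bridge MAC address) and how the lowest value wins. The bridge names, priorities and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int            # 0..61440 in steps of 4096 (IEEE 802.1D-2004)
    mac: str                 # bridge MAC address, "xx:xx:xx:xx:xx:xx"
    system_id_ext: int = 0   # 12-bit extension carried in the low bits of the priority field


def bridge_identifier(b: Bridge) -> bytes:
    """8-octet Bridge Identifier: 16-bit priority field followed by the 48-bit MAC address.

    The priority field holds the 4-bit settable priority (priority // 4096) in
    its high nibble and the 12-bit system ID extension in its low 12 bits.
    """
    if b.priority % 4096 or not 0 <= b.priority <= 61440:
        raise ValueError(f"{b.name}: priority must be a multiple of 4096 in 0..61440")
    if not 0 <= b.system_id_ext < 4096:
        raise ValueError(f"{b.name}: system ID extension must fit in 12 bits")
    mac = bytes.fromhex(b.mac.replace(":", "").replace("-", ""))
    if len(mac) != 6:
        raise ValueError(f"{b.name}: MAC address must be 6 octets")
    priority_field = (b.priority | b.system_id_ext).to_bytes(2, "big")
    return priority_field + mac


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """Root bridge (3.1.51): the bridge with the numerically lowest identifier.

    Python compares bytes lexicographically, which for equal-length big-endian
    values is identical to comparing them as unsigned integers.
    """
    candidates = list(bridges)
    if not candidates:
        raise ValueError("no bridges")
    return min(candidates, key=bridge_identifier)


# Constructed sample bridges (not taken from the standard).
A = Bridge("A", 32768, "00:11:22:33:44:55")     # default priority
B = Bridge("B", 32768, "00:0a:bb:cc:dd:ee")     # same priority, lower MAC address
C = Bridge("C", 4096, "00:ff:ee:dd:cc:bb")      # lowest priority, highest MAC address

if __name__ == "__main__":
    for b in (A, B, C):
        print(f"{b.name}: {bridge_identifier(b).hex()}")
    print("root of {A, B}   :", elect_root([A, B]).name)
    print("root of {A, B, C}:", elect_root([A, B, C]).name)
```

Between A and B the tie on priority is broken by the MAC address, so B becomes root; C wins outright on priority despite its higher MAC address. Because election considers nothing but the identifiers carried in BPDUs, the intended root is normally pinned with the lowest priority and edge ports (3.1.12) are configured not to accept BPDUs; a lower identifier appearing anywhere else in the LAN otherwise moves the root and causes a reconfiguration with the associated network recovery time (3.1.68).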
3.1.52
route
layer 3 communication path between two nodes
3.1.53
single failure criterion
capacity of a system that includes redundant components to maintain its full functionality upon
one failure of any of its components, prior to maintenance or automatic recovery
3.1.54
single point of failure
single failure point
component whose failure would result in failure of the system and is not compensated for by
redundancy or alternative operational procedure
NOTE A single point of failure or single failure point causes a common mode failure. It may be caused by a
design error in the redundant elements or by an external cause that affects all redundant elements in the same way,
e.g. extreme temperature.
3.1.55
singly attached node
node that has only one port to a LAN
3.1.56
stand-by redundancy
redundancy wherein a part of the means for performing a required function is intended to
operate, while the remaining part(s) of the means are inoperative until needed
[IEV 191-15-03]
NOTE This is also known as dynamic redundancy.
3.1.57
star topology
topology in which all devices are connected to a central node
3.1.58
store-and-forward switching
a technology in which a switching node starts transmitting a received frame only after this
frame has been fully received
3.1.59
switch
switch node
MAC bridge as defined in IEEE 802.1D
NOTE The term “switch” is used as a synonym for the term “switch node”.
3.1.60
switching end node
an end node and a switch combined in one device
3.1.61
systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a
modification of the design or of the manufacturing process, operational procedures,
documentation or other relevant factors
NOTE 1 Corrective maintenance without modification will usually not eliminate the failure cause.
NOTE 2 A systematic failure can be induced by simulating the failure cause.
[IEV 191-04-19]
3.1.62
topology
pattern of the relative positions and interconnections of the individual nodes of the network
[derived from IEC 61918, 3.1.67]
NOTE Additional aspects such as the delay, attenuation and physical media classes of the paths connecting
network nodes are sometimes also considered to be properties of the topology.
3.1.63
tree topology
topology in which any two nodes have only one path between them and at least one switch is
attached to more than two inter-switch links
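The topology definitions in 3.1.24 (linear), 3.1.32 (mesh), 3.1.49 (ring) and 3.1.63 (tree), together with the single failure criterion (3.1.53) and single point of failure (3.1.54), translate directly into checks on the graph of switches and inter-switch links (3.1.20). The following Python script is an added example and not part of the standard. The switch graphs it tests are constructed samples; the classification rules are a reading of the definitions above (star topology, 3.1.57, concerns devices around one central node and has no inter-switch links, so it is not classified here); and connectivity after a single removal is checked among the switches still present, in the sense of 3.1.68.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Link = Tuple[str, str]

# Constructed sample switch graphs (not taken from the standard).
RING = [("S1", "S2"), ("S2", "S3"), ("S3", "S4"), ("S4", "S1")]
LINE = [("S1", "S2"), ("S2", "S3"), ("S3", "S4")]
TREE = [("S1", "S2"), ("S1", "S3"), ("S1", "S4"), ("S2", "S5")]
MESH = [("S1", "S2"), ("S1", "S3"), ("S1", "S4"),
        ("S2", "S3"), ("S2", "S4"), ("S3", "S4")]


def adjacency(links: List[Link]) -> Dict[str, Set[str]]:
    """Switch -> set of neighbouring switches reachable over one inter-switch link."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for a, b in links:
        if a == b:
            raise ValueError(f"self-loop on {a}")
        adj[a].add(b)
        adj[b].add(a)
    return adj


def is_connected(adj: Dict[str, Set[str]], nodes: List[str],
                 removed_switch: Optional[str] = None,
                 removed_link: Optional[Link] = None) -> bool:
    """True if every remaining switch can still reach every other remaining switch.

    A failed switch or a failed link is modelled by skipping it during the traversal.
    """
    remaining = [n for n in nodes if n != removed_switch]
    if not remaining:
        return True
    dead = set(removed_link) if removed_link else set()
    seen = {remaining[0]}
    stack = [remaining[0]]
    while stack:
        n = stack.pop()
        for m in adj[n]:
            if m == removed_switch or {n, m} == dead:
                continue
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return len(seen) == len(remaining)


def classify(links: List[Link]) -> str:
    """Name the topology of the switch graph per 3.1.24, 3.1.32, 3.1.49 and 3.1.63."""
    adj = adjacency(links)
    nodes = sorted(adj)
    n, m = len(nodes), len(links)
    if n == 0:
        return "no inter-switch links"
    if not is_connected(adj, nodes):
        return "disconnected"
    degrees = sorted(len(adj[s]) for s in nodes)
    if all(d == 2 for d in degrees) and m == n:
        return "ring"        # 3.1.49: each switch in series with two others, closed
    if degrees[:2] == [1, 1] and all(d == 2 for d in degrees[2:]) and m == n - 1:
        return "linear"      # 3.1.24: an open ring with two ends of degree 1
    if m == n - 1 and degrees[-1] > 2:
        return "tree"        # 3.1.63: one path between any two switches, with a branch point
    if all(d >= 3 for d in degrees):
        return "mesh"        # 3.1.32: every switch on three or more inter-switch links
    return "other"


def single_points_of_failure(links: List[Link]) -> Tuple[List[Link], List[str]]:
    """Links and switches whose single failure partitions the remaining switches (3.1.54)."""
    adj = adjacency(links)
    nodes = sorted(adj)
    spof_links = [l for l in links if not is_connected(adj, nodes, removed_link=l)]
    spof_switches = [s for s in nodes if not is_connected(adj, nodes, removed_switch=s)]
    return spof_links, spof_switches


def meets_single_failure_criterion(links: List[Link]) -> bool:
    """3.1.53 applied to connectivity: no single link or switch failure partitions the LAN."""
    spof_links, spof_switches = single_points_of_failure(links)
    return not spof_links and not spof_switches


if __name__ == "__main__":
    for name, graph in (("RING", RING), ("LINE", LINE), ("TREE", TREE), ("MESH", MESH)):
        links, switches = single_points_of_failure(graph)
        print(f"{name}: {classify(graph)}; single failure criterion met: "
              f"{meets_single_failure_criterion(graph)}; SPOF links {links}; SPOF switches {switches}")
```

The ring and the mesh survive any single link or switch failure; in the linear and tree topologies every inter-switch link and every interior switch is a single point of failure, which is the practical reason the redundancy protocols of the series are built on rings and meshes rather than on lines or trees.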
3.1.64
trunk portion
part of a switched LAN that carries traffic for several end nodes
3.1.65
upper layer entity
parts of the protocol stack immediately above the redundancy handling layer
3.1.66
worst case recovery time
maximum expected recovery time amongst all faults and for all allowed configurations
NOTE This delay is important for a network designer to indicate which aspects of the network need special
treatment to minimize communication disruption.
3.1.67
bridge
device connecting LAN segments at layer 2 according to IEEE 802.1D
NOTE The words “switch” and “bridge” are considered synonyms, the word “bridge” is used in the context of
standards such as RSTP (IEEE 802.1D), PTP (IEC 61588) or IEC 62439-3 (PRP & HSR).
3.1.68
network recovery time
time span from the moment of the first failure of a component or media inside the network to
the moment the network reconfiguration is finished and from which all devices that are still
able to participate in network communication are able to reach all other such devices in the
network again
NOTE When a network redundancy control protocol (like RSTP) reconfigures the network due to a fault, parts of
the network may still be available and communication outages may vary in time and location over the whole
network. In the calculations, only the worst case scenario is considered.
3.2 Abbreviations and acronyms
BRP Beacon Redundancy Protocol, see IEC 62439-5
BPDU Bridge management Protocol Data Unit, according to IEEE 802.1D
CRP Cross-network Redundancy Protocol, see IEC 62439-4
DAN Doubly Attached Node
DRP Distributed Redundancy Protocol, see IEC 62439-6
DUT Device Under Test
HSR High-availability Seamless Redundancy, see IEC 62439-3
IP Internet Protocol, layer 3 of the Internet Protocol suite
IT Information Technology
LAN Local Area Network
LRE Link Redundancy Entity
MAC Media Access Control
MRP Medium Redundancy Protocol, see IEC 62439-2
MTBF Mean Time Between Failure
MTTF Mean Time To Failure
MTTFN Mean Time To Failure of Network
MTTFS Mean Time To
...