To prevent misleading interpretations, wrong expectations or grossly negligent actions by manufacturers and vendors of OPC UA Safety products regarding safety-related developments and applications, the following items shall be observed and explained in every training, seminar, workshop and consultancy.

  • A device does not become applicable for safety-related applications simply by implementing OPC UA Safety.
  • Instead, safety-related products require development processes according to the relevant safety standards (see IEC 61508, IEC 61511, IEC 60204-1, IEC 62061 and ISO 13849-2) and/or an assessment by a notified assessment body.
  • The manufacturer of a safety product is responsible for the correct implementation of the safety communication layer technology, as well as the correctness and completeness of the product documentation and information.
  • Additional important information including corrigenda and errata published by the OPC Foundation and/or PI must be considered for implementation and assessment.
  • The OPC Foundation will publish an automated test tool that must be used for verification. The tool implements the OPC UA Safety test specification, which is described in a separate document; for an overview, see Clause 12.3. The test must be run successfully at a test laboratory accredited by the OPC Foundation or PI.

As a rule, the international safety standards are accepted (ratified) globally. However, since safety technology in automation affects occupational safety and the associated insurance risks in a country, recognition of the rules pointed out here remains a sovereign right. The national "Authorities" (notified bodies) decide on the recognition of assessment reports.

NOTE Examples of such “Authorities” are the IFA (Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung / Institute for Occupational Safety and Health of the German Social Accident Insurance) in Germany, HSE (Health and Safety Executive) in the UK, FM (Factory Mutual / Property Insurance and Risk Management Organization), UL (Underwriters Laboratories Inc. / Product Safety Testing and Certification Organization), or the INRS (Institut National de Recherche et de Sécurité) in France.

For details, see the OPC UA Safety test specification.

An exemplary test principle for OPC UA Safety is presented below. The OPC UA Safety test is a fully automated verification based on test patterns that cover all paths of the OPC UA Safety finite state machines. All kinds of correct and incorrect SPDUs, parameters and interactions with the upper interface of the SafetyProvider / SafetyConsumer driver are taken into account. These test patterns, together with the expected responses/stimulations, are stored as an XML document and imported into the test tool software. The test tool executes the complete set of test patterns while connected to the OPC UA Safety layer under test, compares the nominal with the actual reactions and records the results, which can be printed out for the test report.

The automated OPC UA Safety layer tester will be approved by a Notified Body.

Figure 25 shows the structure of the layer tester for the SafetyProvider and SafetyConsumer.

image030.png

Figure 25 – Automated SafetyProvider / SafetyConsumer test

The SafetyProvider / SafetyConsumer tester "simulates" the behaviour of the opposite layer (a SafetyConsumer when a SafetyProvider is under test, and vice versa). It must therefore be configured according to the deployed OPC UA communication system; this is done with the help of an XML file associated with the tester.

A so-called “upper tester” runs on top of the SafetyProvider or SafetyConsumer within the device under test (DUT). It transfers data from the SafetyProvider or SafetyConsumer via its SAPI and makes it visible to the test tool via an OPC UA interface that is specified in the OPC UA Safety test specification (“Set Data” in Figure 26 and Figure 27). In the same way, the upper tester enables the test tool to set inputs of the SAPI (“Get Data” in Figure 26 and Figure 27).

The upper tester is implemented by the vendor of the DUT in a standard programming language such as C/C++ or one of the IEC 61131-3 languages (e.g. Structured Text), and it does not need to be executed in a safety-related way.

Detailed requirements for the upper tester are described in the OPC UA Safety test specification.
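The following is an added illustration of the pattern-driven test principle described above (XML test patterns with expected reactions, a tester that drives the layer under test through its lower interface and, via the upper tester, through its SAPI, then compares nominal with actual reactions and records the results). It is example code written for this page, not the OPC Foundation test tool, and it does not implement OPC UA Safety. The XML element names, the `spdu:`/`sapi:` stimulus vocabulary and the `ToyLayer` stand-in for a layer under test are assumptions for this example only; the toy layer's `check_crc` flag models an implementation that does or does not reject a corrupted SPDU, so that the harness visibly catches the faulty variant.

```python
"""Pattern-driven layer tester (added example; not the OPC Foundation tool)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed XML test-pattern document. Element names and the stimulus
# vocabulary ("spdu:" = lower interface from the simulated peer,
# "sapi:" = upper interface via the upper tester) are assumptions.
TEST_PATTERNS_XML = """<?xml version="1.0"?>
<TestPatterns>
  <Pattern id="TP-01" name="Valid request is answered">
    <Step stimulus="spdu:REQ crc=ok" expect="spdu:RESP"/>
    <Step stimulus="sapi:SetData 7" expect="sapi:DataReady 7"/>
  </Pattern>
  <Pattern id="TP-02" name="Corrupted SPDU is rejected">
    <Step stimulus="spdu:REQ crc=bad" expect="spdu:NONE"/>
    <Step stimulus="sapi:GetData" expect="sapi:Error"/>
  </Pattern>
</TestPatterns>
"""


@dataclass
class StepResult:
    """One recorded comparison of nominal versus actual reaction."""
    pattern: str
    step: int
    stimulus: str
    expected: str
    actual: str

    @property
    def passed(self) -> bool:
        return self.expected == self.actual


class ToyLayer:
    """Hypothetical layer under test (assumption; not OPC UA Safety).

    lower() receives SPDUs from the simulated peer; upper() receives SAPI
    calls from the upper tester. With check_crc=False the layer wrongly
    accepts a corrupted request, which the patterns must detect.
    """

    def __init__(self, check_crc: bool = True):
        self.check_crc = check_crc
        self.data = None
        self.fault = False

    def lower(self, spdu: str) -> str:
        kind, _, crc = spdu.partition(" ")
        if kind == "REQ":
            if self.check_crc and crc == "crc=bad":
                self.fault = True      # enter fail-safe state, no response
                return "NONE"
            return "RESP"
        return "NONE"

    def upper(self, call: str) -> str:
        op, _, arg = call.partition(" ")
        if self.fault:
            return "Error"             # SAPI reports the fail-safe state
        if op == "SetData":
            self.data = arg
            return f"DataReady {arg}"
        if op == "GetData":
            return f"Data {self.data}"
        return "Error"


def load_patterns(xml_text: str):
    """Parse the XML into [(pattern_id, [(stimulus, expected), ...]), ...]."""
    root = ET.fromstring(xml_text)
    return [
        (p.get("id"), [(s.get("stimulus"), s.get("expect")) for s in p.findall("Step")])
        for p in root.findall("Pattern")
    ]


def run_patterns(xml_text: str, make_dut) -> list:
    """Execute every pattern against a fresh DUT and record each step."""
    results = []
    for pid, steps in load_patterns(xml_text):
        dut = make_dut()               # fresh instance: patterns stay independent
        for i, (stim, exp) in enumerate(steps, 1):
            iface, _, payload = stim.partition(":")
            if iface == "spdu":
                actual = "spdu:" + dut.lower(payload)
            elif iface == "sapi":
                actual = "sapi:" + dut.upper(payload)
            else:
                raise ValueError(f"unknown interface in stimulus {stim!r}")
            results.append(StepResult(pid, i, stim, exp, actual))
    return results


def all_passed(results: list) -> bool:
    return all(r.passed for r in results)


def report(results: list) -> str:
    """Render the recorded results as printable test-report lines."""
    lines = [
        f"{r.pattern} step {r.step}: {'PASS' if r.passed else 'FAIL'} "
        f"stimulus={r.stimulus} expected={r.expected} actual={r.actual}"
        for r in results
    ]
    failed = sum(1 for r in results if not r.passed)
    lines.append(f"{len(results) - failed}/{len(results)} steps passed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_patterns(TEST_PATTERNS_XML, lambda: ToyLayer(check_crc=True))))
    print(report(run_patterns(TEST_PATTERNS_XML, lambda: ToyLayer(check_crc=False))))
```

Each pattern starts from a fresh DUT instance so that a fault provoked by one pattern cannot mask or cause a mismatch in another; a real layer tester additionally has to reset the DUT through the upper tester between patterns. The second run shows why the patterns must include incorrect SPDUs: the variant that skips the CRC check passes TP-01 and fails both steps of TP-02.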

image031.png

Figure 26 – "Upper Tester" within the SafetyProvider

image032.png

Figure 27 – "Upper Tester" within the SafetyConsumer