Figure 10 shows an overview of the SafetyProvider interfaces. The SAPI is specified in Clause 7.3.1, the SPI is specified in Clause 7.3.2.

image013.png

Figure 10 – SafetyProvider interfaces

[RQ7.1] The SAPI of the SafetyProvider represents the Safety communication layer services of the SafetyProvider. Table 13 lists all inputs and outputs of the SAPI of the SafetyProvider. Each SafetyProvider shall implement the SAPI as shown in Table 13, however, the details are vendor specific.

Table 13 – SAPI of the SafetyProvider

SAPI Term

Type

Definition

SafetyData

Structure

This input is used to accept the user data which is then transmitted as SafetyData in the SPDU.

NOTE: Whenever a new MNR is received from a SafetyConsumer, the state machine of the SafetyProvider will read a new value of the SafetyData from its corresponding Safety Application and use it until the next MNR is received.

NOTE: If no valid user data is available at the Safety Application, ActivateFSV is expected to be set to "1" by the Safety Application.

NonSafetyData

Structure

Used to consistently transmit non-safety data values (e.g. diagnostic information) together with safe data, see Clause 8.1.1.10

EnableTestMode

Boolean

By setting this input to "1" the remote SafetyConsumer is informed (by Bit 2 in ResponseSPDU.Flags, see Table 19) that the SafetyData are test data, and is not to be used for safety related decisions. NOTE: The OPC UA Safety stack is intended for implementation in safety devices exclusively, see Clause 4.2.

OperatorAckProvider

Boolean

This input to is used to implement an operator acknowledgment on the provider side. The value will be forwarded to the consumer, where it can be used to trigger a return from fail-safe substitute values (FSV) to actual process values (PV), see Annex B.2.4.

ActivateFSV(Fail-safeSubstituteValues)

Boolean

By setting this input to "1" the SafetyConsumer is instructed (via Bit 1 in ResponseSPDU.Flags, see Table 19) to deliver FSV instead of PV to the safety application program.

NOTE: If the replacement of process values by FSV should be controllable in a more fine-grained way, this can be realized by using qualifiers within the SafetyData, see Clause 5.3.

SafetyConsumerID

UInt32

This output yields the ConsumerID used in the last access to this SafetyProvider by a SafetyConsumer see Clause 176.1.1.

NOTE: all safety-related checks are executed by OPC UA Safety. The safety application is not required to check this SafetyConsumerID.

MonitoringNumber

UInt32

This output yields the monitoring number (MNR). It is updated whenever a new request comes in from the SafetyConsumer.

NOTE: all safety-related checks are executed by OPC UA Safety. The safety application is not required to check this Monitoring number.

SafetyProviderID

UInt32

By changing this input to a non-zero-value, the SafetyProvider uses this variable instead of the SPI-Parameter SafetyProviderID. If it is changed to “0”, the parameter SafetyProviderID will become activated.See Figure 10, Clause 3.2.26, and Clause 11.1.1.

SafetyBaseID

GUID

By changing this input to a non-zero-value, the SafetyProvider uses this variable instead of the SPI-Parameter SafetyBaseID. If it is changed to “0”, the parameter SafetyBaseID will become activated.See Figure 10, Clause 3.2.25, and Clause 11.1.1.

[RQ7.2] Each SafetyProvider shall implement the parameters as shown in Table 11 which can be set via the SPI. The mechanisms for setting these parameters are vendor specific.

Table 14 – SPI of the SafetyProvider

Identifier

Type

Range

Note

SafetyBaseID

GUID

See GUID

Base-ID of the SafetyProvider, which is normally used, see Clause 3.2.25. and Clause 11.1.1.

For dynamic systems, the safety application program can overwrite this ID by providing a non-zero value at the input SafetyBaseID of the SafetyProvider’ s SAPI.

SafetyProviderID

UInt32

1 - 0xFFFFFFFF

Provider-ID of the SafetyProvider, see Clause 3.2.26 and Clause 11.1.1.

SafetyStructureSignature

UInt32

1 – 0xFFFFFFFF

Signature of the SafetyData structure, for calculation see Clause 8.1.3.4

[RQ7.3] Each SafetyProvider shall implement constants as shown in Table 12 whose values depend on the way the SafetyProvider is implemented. They never change and are therefore not writable via any of the interfaces. The constant SafetyProviderDelay has no influence on the functional behavior of the SafetyProvider. However, it will be provided in the OPC UA information model of a SafetyProvider to inform about its worst-case delay time. The value can be used during commissioning to check whether the timing behavior of the SafetyProvider is suitable to fulfill the watchdog delay of the corresponding SafetyConsumer.

Table 15 – Properties of SafetyProvider

Identifier

Type

Range

Note

SafetyProviderDelay

UInt32

0x1 – 0xFFFFFFFF

In microseconds (µs). It can be set in the engineering phase of the SafetyProvider or set during online configuration as well.

SafetyProviderDelay is the maximum time at the SafetyProvider from receiving the RequestSPDU to start the transmission of ResponseSPDU, see Clause 10.2.

SafetyProviderLevel

Byte

0x01 - 0x04

The maximal SIL the SafetyProvider implementation (hardware & software) is capable of, see Figure 11.

It is used to inform the SafetyConsumer to parametrize the appropriate SafetyProviderLevel and then to generate the appropriate SafetyProviderLevel_ID.NOTE: It is independent from the generation of the SafetyData at SAPI.

image014.png

Figure 11 – Example combinations of SIL capabilities

The constant SafetyProviderLevel determines the value which is used for SafetyProviderLevel_ID when calculating the SPDU_ID, see Clause 8.1.3.3.

Note: SafetyProviderLevel is defined as the maximal SIL the SafetyProvider implementation (hardware & software) is capable of. It should not be confused with the SIL-level of the implemented safety function. For instance, Figure 11 shows a safety function which is implemented using a SIL2-capable sensor, a SIL3-capable PLC, and a SIL1-capable actuator. The overall SIL of the safety function is considered to be SIL1. Nevertheless, the SafetyProvider implemented on the sensor will use the constant value “2” as SafetyProviderLevel, whereas the SafetyProvider implemented on the PLC will use the constant value “3” as SafetyProviderLevel.

The respective SafetyConsumers (on the PLC and the actuator) need to know the SafetyProviderLevel of their providers for being able to check the SPDU_ID (see Clause 8.1.3.2).