Following IEC 61784-3, OPC UA Safety uses a black channel approach to detect all communication errors that can possibly occur in the underlying OPC UA stack. If an error is detected, the erroneous data is discarded. Moreover, OPC UA Safety is designed in such a way that a safety function becomes practically unusable if the failure rate in the black channel is higher than one error per safety error interval limit (6, 60, or 600 minutes, depending on the desired SIL of the safety function; see Table 17 and Table 31).

Thus, for operational safety functions a failure rate of 0.1 h^-1, 1 h^-1, or 10 h^-1 can be assumed for communication errors occurring in the black channel. In order to obtain the communication's contribution to the PFH value of the safety function, this value has to be multiplied by the so-called conditional residual error probability P_re,cond. For the CRC mechanism used in OPC UA Safety, it holds:

P_re,cond ≤ 4.0 × 10^-10

This leads to the PFH and PFD values shown in Table 31.

The value 4.0 × 10^-10 was justified by extensive numerical evaluation of the 32-bit CRC generator polynomial in use (0xF4ACFB13). The results of this evaluation, executed for all relevant data lengths and all relevant values of the bit error probability p, are shown in Figure 23. As can be seen, P_re,cond never exceeds the value 4.0 × 10^-10.


Figure 23 – Conditional residual error probability of the CRC-check.

An explanation of why it is indeed necessary to calculate P_re,cond for all user data lengths and all relevant values of p can be found in Figure 24. For the data lengths shown in this figure, P_re,cond exceeds the desired value by several orders of magnitude. Note that the maximum value of P_re,cond is not obtained when p becomes maximal.


Figure 24 – Counter example: data lengths not supported by OPC Safety.
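As an added example that is not part of the specification, the following Python script computes the quantity plotted in Figures 23 and 24 for one short protected-data length: it enumerates every codeword of the CRC code generated by 0xF4ACFB13, derives the weight distribution A_w of undetectable error patterns, and evaluates P_re,cond(p) = P_ue(p) / (1 - (1 - p)^n) over a grid of bit error probabilities p. The 16-bit data length, the p grid, and the zero init/xorout convention are assumptions chosen to keep the enumeration short; the specification's own evaluation covers all supported lengths.

```python
# Added example (not from the OPC UA Safety spec): exact weight distribution of the
# CRC-32 code for one small protected-data length and the resulting P_re,cond(p).
POLY = 0xF4ACFB13   # generator polynomial named in the spec; x^32 term implicit
CRC_BITS = 32
DATA_BITS = 16      # assumption: 16 bits of protected data -> 2^16 codewords


def crc_remainder(msg: int, msg_bits: int, poly: int = POLY) -> int:
    """msg(x) * x^32 mod g(x), MSB first, zero init, no final XOR.
    Init/xorout constants do not alter which error patterns escape detection
    (e(x) is undetected iff g(x) divides e(x)), so they are left out here."""
    gen = (1 << CRC_BITS) | poly
    reg = msg << CRC_BITS
    for i in range(msg_bits + CRC_BITS - 1, CRC_BITS - 1, -1):
        if (reg >> i) & 1:
            reg ^= gen << (i - CRC_BITS)
    return reg

def weight_distribution(data_bits: int) -> list:
    """A[w] = number of codewords of weight w = undetectable error patterns of weight w."""
    n = data_bits + CRC_BITS
    counts = [0] * (n + 1)
    for m in range(1 << data_bits):
        codeword = (m << CRC_BITS) | crc_remainder(m, data_bits)
        counts[bin(codeword).count("1")] += 1
    return counts

def undetected_error_prob(weights: list, p: float) -> float:
    """P_ue(p) = sum_w A_w p^w (1-p)^(n-w) for a binary symmetric channel."""
    n = len(weights) - 1
    return sum(a * p**w * (1 - p)**(n - w) for w, a in enumerate(weights) if w)

def conditional_residual_error_prob(weights: list, p: float) -> float:
    """P_re,cond(p): probability an error escapes the CRC, given that one occurred."""
    return undetected_error_prob(weights, p) / (1 - (1 - p)**(len(weights) - 1))

def worst_case(weights: list, p_values) -> tuple:
    """(max P_re,cond, p where it occurs) over the given grid of bit error rates."""
    return max((conditional_residual_error_prob(weights, p), p) for p in p_values)

if __name__ == "__main__":
    A = weight_distribution(DATA_BITS)
    print("non-zero weights:", {w: a for w, a in enumerate(A) if a})
    p_grid = [0.5] + [10 ** (-k / 4) for k in range(2, 17)]   # 0.5 down to 1e-4
    worst, p_worst = worst_case(A, p_grid)
    print(f"max P_re,cond = {worst:.3e} at p = {p_worst:.3g} (limit in spec: 4.0e-10)")
```

Because 0xF4ACFB13 (with its implicit x^32 term) has an even number of terms, it is divisible by x + 1 and only even-weight error patterns can escape detection; at p = 0.5 every one of the 2^n - 1 error patterns is equally likely, so P_re,cond equals (2^16 - 1) / (2^48 - 1), close to 2^-32.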