Following IEC 61784-3, OPC UA Safety detects all communication errors which can possibly occur in the underlying standard communication channel including the OPC UA stack. If an error is detected, the erroneous data is discarded. Moreover, OPC UA Safety is designed in such a way that a safety function becomes practically unusable if the failure rate in the underlying, standard communication channel is higher than one error per safety error interval limit (6, 60, or 600 minutes), depending on the desired SIL of the safety function (see Table 27 and Table 39).
Thus, for operational safety functions a failure rate of 0.1 h^-1, 1 h^-1, or 10 h^-1 can be assumed for communication errors occurring in the OPC UA stack. In order to obtain the communication's contribution to the PFH-value of the safety function, this rate has to be multiplied by the so-called conditional residual error probability P_re,cond, i.e. the probability that a corrupted message passes the CRC check undetected, given that it was corrupted. For the CRC-mechanism used in OPC UA Safety, it holds:
P_re,cond ≤ 4.0 × 10^-10
This leads to the PFH and PFD values shown in Table 39.
The value 4.0 × 10^-10 was justified by extensive numerical evaluation of the 32-bit CRC generator polynomial in use (0xF4ACFB13). The results of this evaluation, executed for all relevant data lengths and all relevant values of the bit error probability p, are shown in Figure 26. As can be seen, P_re,cond never exceeds the value 4.0 × 10^-10.
Figure 27 shows why it is indeed necessary to calculate P_re,cond for all data lengths and all relevant values of p: for the data lengths shown in this figure, P_re,cond exceeds the desired value by several orders of magnitude. Note that the maximum value of P_re,cond is not obtained when p becomes maximal.
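The following worked example, added here and not code from the OPC UA Safety specification, shows how P_re,cond is obtained from a CRC code's weight distribution and why it must be swept over both block length and bit error probability p, and it applies the PFH multiplication from the preceding paragraphs to the 4.0 × 10^-10 bound. It assumes (the page does not say) that 0xF4ACFB13 is used in its normal MSB-first form with the x^32 term implicit, that bits enter the divider MSB first, and that no initial value or final XOR is applied. Block lengths are kept to a few data bits so that the whole codebook can be enumerated exactly; the specification's evaluation covers up to 1500 bytes of SafetyData and cannot be reproduced by this brute-force route.

```python
"""
Exact P_re,cond sweep for a CRC-32 over short blocks (added example).
Assumptions (not stated on the page): generator 0xF4ACFB13 in normal
MSB-first form with x^32 implicit, so G(x) has 20 terms and (x+1) | G(x);
no initial value, no final XOR; binary symmetric channel with bit error
probability p.
"""
from math import expm1, isclose, log1p

POLY = 0xF4ACFB13          # low 32 coefficients of G(x); x^32 is implicit
CRC_BITS = 32


def crc32_remainder(message: int, nbits: int) -> int:
    """Remainder of M(x) * x^32 divided by G(x) over GF(2), bit-serial."""
    reg = 0
    # feed the message bits MSB first, then 32 zero bits (the * x^32)
    for i in range(nbits - 1, -1, -1):
        top = reg >> (CRC_BITS - 1)
        reg = ((reg << 1) & 0xFFFFFFFF) | ((message >> i) & 1)
        if top:
            reg ^= POLY
    for _ in range(CRC_BITS):
        top = reg >> (CRC_BITS - 1)
        reg = (reg << 1) & 0xFFFFFFFF
        if top:
            reg ^= POLY
    return reg


def weight_distribution(k: int) -> list[int]:
    """A[w] = number of codewords (k data bits + 32 check bits) of weight w."""
    n = k + CRC_BITS
    A = [0] * (n + 1)
    for m in range(1 << k):
        codeword = (m << CRC_BITS) | crc32_remainder(m, k)
        A[bin(codeword).count("1")] += 1
    return A


def p_re_cond(A: list[int], p: float) -> float:
    """Probability that a corrupted block passes the CRC, given it is corrupted.

    An error pattern is undetected iff it is itself a non-zero codeword, so the
    numerator sums over the weight distribution; the denominator is the
    probability that at least one of the n bits was flipped.
    """
    n = len(A) - 1
    undetected = sum(A[w] * p ** w * (1.0 - p) ** (n - w) for w in range(1, n + 1))
    corrupted = -expm1(n * log1p(-p))      # 1 - (1-p)^n without cancellation
    return undetected / corrupted


def worst_case(A: list[int], p_values) -> tuple[float, float]:
    """Maximum P_re,cond over the p grid and the p at which it occurs."""
    return max((p_re_cond(A, p), p) for p in p_values)


def pfh_contribution(comm_error_rate_per_hour: float, p_bound: float = 4.0e-10) -> float:
    """Communication share of PFH: assumed error rate times the P_re,cond bound."""
    return comm_error_rate_per_hour * p_bound


P_GRID = [0.5 * 10 ** (-i / 40) for i in range(241)]   # p from 0.5 down to 5e-7


if __name__ == "__main__":
    for k in (8, 12):
        A = weight_distribution(k)
        d_min = min(w for w in range(1, len(A)) if A[w])
        worst, at_p = worst_case(A, P_GRID)
        print(f"k={k:2d} data bits: d_min={d_min}, max P_re,cond={worst:.3e} "
              f"at p={at_p:.2e}, P_re,cond(0.5)={p_re_cond(A, 0.5):.3e}")
    for rate in (0.1, 1.0, 10.0):
        print(f"error rate {rate:4} /h -> PFH contribution {pfh_contribution(rate):.1e} /h")
```

Two points the sweep makes visible: at p = 0.5 every pattern is equally likely, so P_re,cond collapses to (2^k - 1)/(2^n - 1), roughly 2^-32, independent of the polynomial; at smaller p the low-weight codewords dominate, which is where a polynomial's distance profile at a given length decides whether the bound holds, and why the maximum need not sit at the largest p.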
The boundary conditions and assumptions for safety assessments and calculations of residual error rates are listed here.
- Number of retries in the underlying standard communication channel: No restrictions
- CRC polynomials used inside the underlying standard communication channel (e.g. Ethernet, TCP, …): No restrictions
- Message storing elements: No restrictions; any number of message storing elements is permitted
- Size of SafetyData within one SPDU: ≤ 1500 bytes
NOTE: Even for safety functions that do not require manual operator acknowledgment for restart, manual operator acknowledgment is mandatory whenever the SafetyConsumer has detected certain types of errors and indicates this using OperatorAckRequested. Hence, operator acknowledgment is expected to be implemented by the safety application whenever OPC UA Safety is used. For details, see Clause 7.4.2 and Annex B.2.