Clause 6 describes the integration of this document into the OPC UA Information Models in 6.2 and the resulting Service interfaces in 6.3. Diagnostic services are described in 6.4.

Subclause 6.2 describes the identifiers, types and structure of the Objects and Methods that are used to implement the OPC UA mappers defined in this document. This implementation serves three purposes:

  • support of the safe exchange of SPDUs at runtime
  • online browsing, to identify SafetyConsumers and SafetyProviders, and to check their parameters for diagnostic purposes
  • offline engineering: the Information Model of one controller can be exported in a standardized file on its engineering system, be imported in another engineering system, and finally deployed on another controller. This allows for a vendor-independent exchange of the communication interfaces of safety applications, e.g. for establishing connections between devices.

NOTE Neither online browsing nor offline engineering currently supports any features to detect errors. Hence, no guarantees with respect to functional safety are made. This means that online browsing can only be used for diagnostic purposes, and not for exchanging safety-relevant data. It is assumed that errors can occur during the transfer of the Information Model from one engineering system to another in the context of offline engineering. Therefore, the programmer of the safety application is responsible for the verification and validation of the safety application.

Consequently, all type values described in 6.2 are defined as read-only, i.e. they cannot be written by general OPC UA write commands.

[RQ6.1] Each Server shall have a singleton Folder called SafetyACSet with a fixed NodeID in the Namespace of this document. Because all SafetyProviders and SafetyConsumers on this Server contain a hierarchical Reference from this Object to themselves, it can be used to directly access all SafetyProviders and SafetyConsumers. SafetyACSet is intended for safety-related purposes only. It should not reference non-safety-related items.

See Table 3 for the definition of the SafetyACSet.

Table 3 – SafetyACSet definition

Attribute

Value

BrowseName

SafetyACSet

References

NodeClass

BrowseName

Comment

OrganizedBy by the Objects Folder defined in OPC 10000-5.

HasTypeDefinition

ObjectType

FolderType

Entry point for all SafetyProviders and SafetyConsumers

Conformance Units

SafetyACSet

[RQ6.2] In addition, a Server shall comprise one OPC UA Object derived from DataType SafetyProviderType for each SafetyProvider it implements, and one OPC UA Object derived from DataType SafetyConsumerType for each SafetyConsumer it implements. The corresponding Information Models shown in Figure 3 and Figure 4 shall be used.

A description of the graphical notation for the different types of Nodes and References (shown in Figure 3, Figure 4, and Figure 6) can be found in OPC UA 10000-3.

Figure 3 describes the SafetyProvider and the SafetyConsumer.

NOTE 1 This document assumes (atomic) consistent data exchange between OPC mappers of the two endpoints.

[RQ6.3a] For implementations supporting OPC UA Client/Server, the Call Service of the Method Service Set (see OPC UA 10000-4) shall be used. The Method ReadSafetyData has a set of input arguments that make up the RequestSPDU and a set of output arguments that make up the ResponseSPDU. The SafetyConsumer uses the OPC UA Client with the OPC UA Service Call.

[RQ6.3b] For implementations supporting OPC UA PubSub, the OPC UA Object SafetyPDUs with its Properties RequestSPDU and ResponseSPDU shall be used. RequestSPDU is published by the SafetyConsumer and subscribed by the SafetyProvider. ResponseSPDU is published by the SafetyProvider and subscribed by the SafetyConsumer.

NOTE 2 The terms “request” and “response” refer to the behaviour on the layer of this document. Within the PubSub context, both requests and responses are realized by repeatedly publishing and subscribing Messages, see Figure 14.

[RQ6.4] For diagnostic purposes, the SPDUs received and sent shall be accessible by calling the Method ReadSafetyDiagnostics.

image008.png

Figure 3 – Server Objects for OPC UA Safety

NOTE 3 For the input/output arguments of the Methods ReadSafetyData and ReadSafetyDiagnostics, see 6.2.2.3 and 6.2.2.4. For the parameters of the SafetyProvider and SafetyConsumer, see Figure 6, Table 12, and Table 13. For RequestSPDU and ResponseSPDU, see Table 7, Table 18, Table 20, and 7.2.1.

Figure 4 shows the instances of Server Objects for this document. The ObjectType for the SafetyProviderType contains Methods having outputs of the abstract DataType Structure. Each instance of a SafetyProvider requires its own copy of the Methods which contain the concrete DataTypes for OutSafetyData and OutNonSafetyData.

image009.png

Figure 4 – Instances of Server Objects for this document

[RQ6.5] To reduce the number of variations and to alleviate validation testing, the following restrictions apply to instances of SafetyProviderType and SafetyConsumerType (or instances of DataTypes derived from SafetyProviderType or SafetyConsumerType):

The references shown in Figure 4 originating at SafetyProviderType or SafetyConsumerType and below shall be of ReferenceType HasComponent (and shall not be derived from ReferenceType HasComponent) for Object References or ReferenceType HasProperty (and shall not be derived from ReferenceType HasProperty) for Property References.

As BrowseNames (i.e. name and Namespace) are used to find Methods, the names of Objects and Properties shall be locally unique.

The DataType of both Properties and MethodArguments shall be used as specified, and no derived DataTypes shall be used (exception: OutSafetyData and OutNonSafetyData).

In IEC 62541, the order of Method arguments is relevant.

See Table 4 for the definition of the SafetyObjectsType.

Table 4 – SafetyObjectsType definition

Attribute

Value

BrowseName

SafetyObjectsType

IsAbstract

True

References

Node class

BrowseName

DataType

TypeDefinition

Modelling rule

Subtype of BaseObjectType

Conformance units

SafetySupport

See Table 5 for the definition of the SafetyProviderType.

Table 5 – SafetyProviderType definition

Attribute

Value

BrowseName

SafetyProviderType

IsAbstract

False

References

Node class

BrowseName

DataType

TypeDefinition

Modelling rule

Subtype of SafetyObjectsType

HasComponent

Method

ReadSafetyData

Optional

HasComponent

Method

ReadSafetyDiagnostics

Optional

HasComponent

Object

SafetyPDUs

SafetyPDUsType

Optional

HasComponent

Object

Parameters

SafetyProviderParametersType

Mandatory

Conformance units

SafetyProviderParameters

[RQ6.6] Instances of SafetyProviderType shall use non-abstract DataTypes for the arguments OutSafetyData and OutNonSafetyData.

See Table 6 for the definition of the SafetyConsumerType.

Table 6 – SafetyConsumerType definition

Attribute

Value

BrowseName

SafetyConsumerType

IsAbstract

False

References

Node class

BrowseName

DataType

TypeDefinition

Modelling rule

Subtype of SafetyObjectsType

HasComponent

Object

SafetyPDUs

SafetyPDUsType

Optional

HasComponent

Object

Parameters

SafetyConsumerParametersType

Mandatory

Conformance units

SafetyConsumerParameters

This Method is mandatory for the Facet SafetyProviderServerMapper. It is used to read SafetyData from the SafetyProvider. It is in the responsibility of the safety application that this Method is not concurrently called by multiple SafetyConsumers. Otherwise, the SafetyConsumer can receive invalid responses resulting in a safe reaction which can lead to either spurious trips or system unavailability, or both.

See Table 7 for Method ReadSafetyData’s arguments and Table 8 for its AdressSpace definition.

The Method argument OutSafetyData has an application-specific DataType derived from Structure. This DateType (including the DataTypeID) is expected to be the same in both the SafetyProvider and the SafetyConsumer. Otherwise, the SafetyConsumer will not accept the transferred data and switch to fail-safe substitute values instead (see state S16 in Table 34 as well as 7.2.3.2 and 7.2.3.5). The Method argument OutNonSafetyData has an application-specific DataType derived from Structure.

Signature

ReadSafetyData (

[in]UInt32InSafetyConsumerID,

[in]UInt32InMonitoringNumber,

[in]InFlagsTypeInFlags,

[out]StructureOutSafetyData,

[out]OutFlagsTypeOutFlags,

[out]UInt32OutSPDU_ID_1,

[out]UInt32OutSPDU_ID_2,

[out]UInt32OutSPDU_ID_3,

[out]UInt32OutSafetyConsumerID,

[out]UInt32OutMonitoringNumber,

[out]UInt32OutCRC,

[out]StructureOutNonSafetyData)

;

Table 7 – ReadSafetyData Method arguments

Argument

Description

InSafetyConsumerID

“Safety Consumer Identifier”, see SafetyConsumerID in Table 23.

InMonitoringNumber

MonitoringNumber of the RequestSPDU”, see 7.2.1.3 and MonitoringNumber in Table 23.

InFlags

“Octet with non-safety-related flags from SafetyConsumer”, see 6.2.3.1.

OutSafetyData

SafetyData”, see 7.2.1.5.

OutFlags

“Octet with safety-related flags from SafetyProvider”, see 6.2.3.2.

OutSPDU_ID_1

“Safety PDU Identifier Part1”, see 7.2.3.2.

OutSPDU_ID_2

“Safety PDU Identifier Part2”, see 7.2.3.2.

OutSPDU_ID_3

“Safety PDU Identifier Part3”, see 7.2.3.2.

OutSafetyConsumerID

“Safety Consumer Identifier”, see SafetyConsumerID in Table 23 and Table 26.

OutMonitoringNumber

MonitoringNumber of the ResponseSPDU, see 7.2.1.9, 7.2.3.1, and Figure 11.

OutCRC

CRC over the ResponseSPDU, see 7.2.3.6.

OutNonSafetyData

“Non-safe data” see 7.2.1.11.

Table 8 – ReadSafetyData Method AddressSpace definition

Attribute

Value

BrowseName

ReadSafetyData

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

Conformance units

ReadSafetyData

This Method is mandatory for the Facet SafetyProviderServerMapper and optional for the Facet SafetyProviderPubSubMapper. It is provided for each SafetyProvider serving as a Diagnostic Interface, see 6.4.3.

See Table 9 for the arguments of Method ReadSafetyDiagnostics and Table 10 for its AddressSpace definition.

The Method arguments OutSafetyData and OutNonSafetyData are application-specific types derived from Structure.

Signature

ReadSafetyDiagnostics (

[out]UInt32InSafetyConsumerID,

[out]UInt32InMonitoringNumber,

[out]InFlagsTypeInFlags,

[out]StructureOutSafetyData,

[out]OutFlagsTypeOutFlags,

[out]UInt32OutSPDU_ID_1,

[out]UInt32OutSPDU_ID_2,

[out]UInt32OutSPDU_ID_3,

[out]UInt32OutSafetyConsumerID,

[out]UInt32OutMonitoringNumber,

[out]UInt32OutCRC,

[out]StructureOutNonSafetyData)

;

Table 9 – ReadSafetyDiagnostics Method arguments

Argument

Description

InSafetyConsumerID

see Table 7

InMonitoringNumber

see Table 7

InFlags

see Table 7

OutSafetyData

see Table 7

OutFlags

see Table 7

OutSPDU_ID_1

see Table 7

OutSPDU_ID_2

see Table 7

OutSPDU_ID_3

see Table 7

OutSafetyConsumerID

see Table 7

OutMonitoringNumber

see Table 7

OutCRC

see Table 7

OutNonSafetyData

see Table 7

Table 10 – ReadSafetyDiagnostics Method AddressSpace definition

Attribute

Value

BrowseName

ReadSafetyDiagnostics

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

Conformance units

ReadSafetyDiagnostics

This Object is mandatory for the Facet SafetyProviderPubSubMapper and the Facet SafetyConsumerPubSubMapper It is used by the SafetyProvider to subscribe to the RequestSPDU and to publish the ResponseSPDU. The DataType of RequestSPDU is structured in the same way as the input arguments of ReadSafetyData. The DataType of ResponseSPDU is structured in the same way as the output arguments of ReadSafetyData.

See Table 11 for the definition of the SafetyPDUsType.

Both variables in the SafetyPDUsType have a counterpart within the Information Model of the SafetyConsumer. The SafetyConsumer publishes the RequestSPDU and subscribes to the ResponseSPDU.

Table 11 – SafetyPDUsType definition

Attribute

Value

BrowseName

SafetyPDUsType

IsAbstract

False

References

Node class

BrowseName

DataType

TypeDefinition

Modelling rule

Subtype of BaseObjectType

HasComponent

Variable

<RequestSPDU>

RequestSPDUDataType

BaseDataVariableType

Mandatory Placeholder

HasComponent

Variable

<ResponseSPDU>

ResponseSPDUDataType

BaseDataVariableType

Mandatory Placeholder

Conformance units

SafetyPDUs

The Object SafetyPDUs shall contain exactly one Reference to a Variable of DataType RequestSPDUDataType and exactly one Reference to a Variable of a subtype of DataType ResponseSPDUDataType.

For example, Figure 5 shows a distributed safety application with four SafetyAutomationComponents. It is assumed that SafetyAutomationComponent 1 sends a value to the other three SafetyAutomationComponents using three SafetyProviders, each comprising a pair of SPDUs. For each recipient, there is an individual pair of SPDUs.

image010.png

Figure 5 – Safety multicast with three recipients using IEC 62541 PubSub

Figure 6 shows the safety parameters for the SafetyProvider and the SafetyConsumer.

image011.png

Figure 6 – Safety parameters for the SafetyProvider and the SafetyConsumer

Table 12 shows the definition for the SafetyProviderParametersType. Refer to 6.3.3.3 for more details on the Safety Parameter Interface (SPI) of the SafetyProvider.

Table 12 – SafetyProviderParametersType definition

Attribute

Value

BrowseName

SafetyProviderParametersType

IsAbstract

False

References

Node class

BrowseName

DataType

TypeDefinition

Modelling rule

Subtype of BaseObjectType

HasProperty

Variable

SafetyProviderIDConfigured

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyProviderIDActive

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyBaseIDConfigured

Guid

PropertyType

Mandatory

HasProperty

Variable

SafetyBaseIDActive

Guid

PropertyType

Mandatory

HasProperty

Variable

SafetyProviderLevel

Byte

PropertyType

Mandatory

HasProperty

Variable

SafetyStructureSignature

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyStructureSignatureVersion

UInt16

PropertyType

Mandatory

HasProperty

Variable

SafetyStructureIdentifier

String

PropertyType

Mandatory

HasProperty

Variable

SafetyProviderDelay

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyServerImplemented

Boolean

PropertyType

Mandatory

HasProperty

Variable

SafetyPubSubImplemented

Boolean

PropertyType

Mandatory

Conformance units

SafetyProviderParameters

The parameters for SafetyProviderID and SafetyBaseID exist in pairs for “Configured” and “Active” states:

The “[...]Configured” parameters shall always deliver the values as configured via the SPI. The “[...]Active” parameters shall deliver:

  • the corresponding “[...]Configured” values if the system is still offline;
  • the values which have been set during runtime via the SAPI parameters (SafetyProviderID, SafetyBaseID);
  • the corresponding “[...]Configured” values if the active values have been set to zero via the SAPI parameters (SafetyProviderID, SafetyBaseID).

The Property SafetyBaseIDConfigured is shared for all SafetyProviders with the same SafetyBaseIDConfigured value. If multiple instances of SafetyObjectsType are running on the same Node, it is a viable optimization that a Property SafetyBaseIDConfigured is referenced by either multiple SafetyProviders or SafetyConsumers, or both.

For releases up to Release 2.0 of the document, the value for the SafetyStructureSignatureVersion shall be 0x0001 (see RQ7.21 in 7.2.3.5).

Table 13 shows the definition of the SafetyConsumerParametersType. The Properties SafetyStructureIdentifier and SafetyStructureSignatureVersion are optional, because SafetyStructureSignature is typically calculated in an offline engineering tool. For small devices, it could be beneficial to only upload the SafetyStructureSignature to the device, but not SafetyStructureIdentifier and SafetyStructureSignatureVersion in order to save either bandwidth or memory, or both. Refer to 6.3.4.4 for more details on the Safety Parameter Interface (SPI) of the SafetyConsumer.

Table 13 – SafetyConsumerParametersType definition

Attribute

Value

BrowseName

SafetyConsumerParametersType

IsAbstract

False

References

Node class

BrowseName

DataType

TypeDefinition

Modelling rule

Subtype of BaseObjectType

HasProperty

Variable

SafetyProviderIDConfigured

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyProviderIDActive

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyBaseIDConfigured

Guid

PropertyType

Mandatory

HasProperty

Variable

SafetyBaseIDActive

Guid

PropertyType

Mandatory

HasProperty

Variable

SafetyConsumerIDConfigured

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyConsumerIDActive

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyProviderLevel

Byte

PropertyType

Mandatory

HasProperty

Variable

SafetyStructureSignature

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyStructureSignatureVersion

UInt16

PropertyType

Optional

HasProperty

Variable

SafetyStructureIdentifier

String

PropertyType

Optional

HasProperty

Variable

SafetyConsumerTimeout

UInt32

PropertyType

Mandatory

HasProperty

Variable

SafetyOperatorAckNecessary

Boolean

PropertyType

Mandatory

HasProperty

Variable

SafetyErrorIntervalLimit

UInt16

PropertyType

Mandatory

HasProperty

Variable

SafetyClientImplemented

Boolean

PropertyType

Mandatory

HasProperty

Variable

SafetyPubSubImplemented

Boolean

PropertyType

Mandatory

Conformance units

SafetyConsumerParameters

The parameters for SafetyProviderID, SafetyBaseID and SafetyConsumerID exist in pairs for “Configured” and “Active” states: SafetyProviderIDConfigured and SafetyProviderIDActive, SafetyBaseIDConfigured and SafetyBaseIDActive, and SafetyConsumerIDConfigured and SafetyConsumerIDActive.

The “[...]Configured” parameters shall always deliver the values as configured via the SPI. The “[...]Active” parameters shall deliver:

The InFlagsType a subtype of the Byte DataType with the OptionSetValues Property defined. The InFlagsType is formally defined in Table 14.

CommunicationError can be used as a trigger, e.g. for a communication analysis tool. It is not forwarded to the safety application by the SafetyProvider. If CommunicationError is necessary in the safety application, bidirectional communication can be implemented and the value of CommunicationError can be put into the user data.

Table 14 – InFlagsType values

Value

Bit no.

Description

CommunicationError

0

0: No error

1: An error was detected in the previous ResponseSPDU.

OperatorAckRequested

1

Used to inform the SafetyProvider that operator acknowledgment is requested.

FSV_Activated

2

Used for conformance test of SafetyConsumer.SAPI.FSV_Activated.

Bits 3 to 7 are reserved for future use and shall be set to zero by the SafetyConsumer. They shall not be evaluated by the SafetyProvider.

The InFlagsType representation in the AddressSpace is defined in Table 15.

Table 15 – InFlagsType dDefinition

Attribute

Value

BrowseName

InFlagsType

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Other

Subtype of the Byte DataType defined in OPC 10000-3

0:HasProperty

Variable

0:OptionSetValues

0:LocalizedText []

0:PropertyType

Conformance units

SafetySupport

The OutFlagsType is a subtype of the Byte DataType with the OptionSetValues Property defined. The OutFlagsType is formally defined in Table 16.

Table 16 – OutFlagsType values

Value

Bit no.

Description

OperatorAckProvider

0

Operator acknowledgment at the provider, hereby forwarded to the SafetyConsumer, see OperatorAckProvider in the SAPI of the SafetyProvider, 6.3.3.2.

ActivateFSV

1

Activation of fail-safe values by the safety application at the SafetyProvider, hereby forwarded to the SafetyConsumer, see ActivateFSV in the SAPI of the SafetyProvider, 6.3.3.2.

TestModeActivated

2

Enabling and disabling of test mode in the SafetyProvider, hereby forwarded to the SafetyConsumer, see EnableTestMode in the SAPI of the SafetyProvider, 6.3.3.2.

Bits 3 to 7 are reserved for future use and shall be set to zero by the SafetyProvider. They shall not be evaluated by the SafetyConsumer.

The OutFlagsType representation in the AddressSpace is defined in Table 17.

Table 17 – OutFlagsType dDefinition

Attribute

Value

BrowseName

OutFlagsType

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Other

Subtype of the Byte DataType defined in OPC 10000-3

0:HasProperty

Variable

0:OptionSetValues

0:LocalizedText []

0:PropertyType

Conformance units

SafetySupport

Table 18 shows the definition of the RequestSPDUDataType. The Prefix “In” is interpreted from the SafetyProvider’s point of view and is used in a consistent manner to the parameters of the Method ReadSafetyData (see 6.2.2.3).

Table 18 – RequestSPDUDataType structure

Name

Type

Description

RequestSPDUDataType

structure

InSafetyConsumerID

UInt32

See corresponding Method argument in Table 7.

InMonitoringNumber

UInt32

See corresponding Method argument in Table 7.

InFlags

InFlagsType

See corresponding Method argument in Table 7.

The representation in the AddressSpace of the RequestSPDUDataType is defined in Table 19.

Table 19 – RequestSPDUDataType definition

Attributes

Value

BrowseName

RequestSPDUDataType

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of Structure defined in OPC 10000-3.

Conformance units

SafetyPDUs

Table 20 shows the ResponseSPDUDataType Structure. The Prefix “Out” is interpreted from the SafetyProvider’s point of view and is used in a consistent manner to the parameters of the Method ReadSafetyData (see 6.2.2.3).

Table 20 – ResponseSPDUDataType structure

Name

Type

Description

ResponseSPDUDataType

structure

OutFlags

OutFlagsType

See corresponding Method argument in Table 7.

OutSPDU_ID_1

UInt32

See corresponding Method argument in Table 7.

OutSPDU_ID_2

UInt32

See corresponding Method argument in Table 7.

OutSPDU_ID_3

UInt32

See corresponding Method argument in Table 7.

OutSafetyConsumerID

UInt32

See corresponding Method argument in Table 7.

OutMonitoringNumber

UInt32

See corresponding Method argument in Table 7.

OutCRC

UInt32

See corresponding Method argument in Table 7.

[RQ6.7] To define the concrete DataType for the ResponseSPDU (which specifies the concrete DataTypes for SafetyData and NonSafetyData, respectively), proceed as follows: (1) Derive a concrete DataType from the abstract ResponseSPDUDataType. (2) In doing so, add the following fields to the Structure in the given order: (a) First, field OutSafetyData with the concrete Structure DataType for the SafetyData (see 7.2.1.5). (b) Second, field NonSafetyData with the concrete Structure DataType for the NonSafetyData (or a placeholder DataType, see requirement RQ6.8).

[RQ6.8] To avoid possible problems with empty Structures, the dummy Structure NonSafetyDataPlaceholder shall be used as DataType for OutNonSafetyData when no NonSafetyData is used. The DataType Node defining this Structure has a fixed NodeID and contains a single Boolean.

The representation in the AddressSpace of the ResponseSPDUDataType is defined in Table  21.

Table  21 – ResponseSPDUDataType definition

Attributes

Value

BrowseName

ResponseSPDUDataType

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of Structure defined in OPC 10000-3

Conformance units

SafetyPDUs

Table 22 shows the definition of the NonSafetyDataPlaceholderDataType. The receiver shall not evaluate the value of ‘dummy’.

Table 22 – NonSafetyDataPlaceholderDataType structure

Name

Type

Description

NonSafetyDataPlaceholderDataType

Structure

Dummy

Boolean

Dummy Variable to avoid empty structures.

Future versions may use different identifiers (such as ReadSafetyDataV2 for the Method when using Client/Server communication or RequestSPDUV2DataType and ResponseSPDUV2DataType for the SPDU DataTypes when using PubSub communication), allowing a SafetyProvider to implement multiple versions of this document at the same time. Hence, the same SafetyProvider can be accessed by SafetyConsumers of different versions.

This document supports sending of the Built-in and Simple DataTypes specified in OPC UA (see OPC 10000-3 and OPC 10000-6) within SafetyData. The supported DataTypes are vendor-specific.

[RQ6.9] Only scalar DataTypes shall be used. Arrays are currently not supported by this document.

The supported maximum length of the SafetyData is vendor-specific but still limited to 1 500 octets. Typical values for the maximum length include 1 octet, 16 octets, 64 octets, 256 octets, 1 024 octets, and 1 500 octets.

[RQ6.10] For controller-like devices, the supported DataTypes and the maximum length of the SafetyData shall be listed in the user manual.

[RQ6.11] For the DataType Boolean, the value 0x01 shall be used for ‘true’ and the value 0x00 shall be used for ‘false’.

It is recommended to send multiple Booleans in separate variables. However, in small devices, it can be necessary to combine a set of 8 Booleans in one Variable for performance reasons. In this case, the DataType Byte can be used.

This document uses the OPC UA services for connection establishment, it poses no additional requirement to these services.

This version of the document describes configuration only at engineering time. This means that the parameters defined in the SPI (see 6.3.3.3 and 6.3.4.4) are read-only via the interface described in this document. Changing of parameters is expected to be done in a safety-related way, using the respective tools and interfaces provided by the vendor. Future versions of this document may specify a vendor-independent interface for configuration.

Figure 7 gives an overview of the safety communication layer and its interfaces. It thereby also shows the scope of this document. The main function of the layer services is the state machine which handles the protocol. The state machines interact with the following interfaces:

The OPC UA Platform Interface (OPC UA PI) connects the SCL to the non-safe OPC UA stack and is used during runtime.

The interfaces (SAPI, SPI, DI and OPC UA PI) described in 6.3 are abstract and informative. They represent logical data inputs and outputs to this layer that are necessary for the proper operation of the state machine. No normative, concrete mappings are specified. The concrete implementations are vendor-specific and do no necessarily exactly match the abstract interfaces described in this document.

image012.png

Figure 7 – Safety communication layer overview

The state machines of this document are independent from the actual OPC UA services used for data transmission. This is accomplished by introducing a so-called OPC UA Mapper, serving as an interface between the safety communication layer and the OPC UA stack.

The mapper can either make use of OPC UA Client/Server and remote Method invocation or the publishing of and subscribing to remote Variables as defined in OPC 10000-14. The requirements on the implementation of the mapper are implicitly given in 6.2.

Figure 8 shows an overview of the SafetyProvider interfaces. The SAPI is specified in 6.3.3.2, the SPI is specified in 6.3.3.3.

image013.png

Figure 8 – SafetyProvider interfaces

[RQ6.12] The SAPI of the SafetyProvider represents the safety communication layer services of the SafetyProvider. Table 23 lists all inputs and outputs of the SAPI of the SafetyProvider. Each SafetyProvider shall implement the SAPI as shown in Table 23, however, the details are vendor-specific.

Table 23 – SAPI of the SafetyProvider

SAPI Term

Type

I/O

Definition

SafetyData

Structure

I

This input is used to accept the user data which is then transmitted as SafetyData in the SPDU.

NOTE Whenever a new MNR is received from a SafetyConsumer, the state machine of the SafetyProvider will read a new value of the SafetyData from its corresponding Safety Application and use it until the next MNR is received.

If no valid user data is available at the Safety Application, ActivateFSV can be set to “1” by the Safety Application.

NonSafetyData

Structure

I

Used to consistently transmit NonSafetyData values (e.g. diagnostic information) together with safe data, see 7.2.1.11

EnableTestMode

Boolean

I

By setting this input to “1” the remote SafetyConsumer is informed (by Bit 2 in ResponseSPDU.Flags, see 6.2.3.2) that the SafetyData are test data, and are not to be used for safety-related decisions.

NOTE This document is intended for implementation in safety devices exclusively, see requirement RQ4.1.

OperatorAckProvider

Boolean

I

This input is used to implement an operator acknowledgment on the SafetyProvider side. The value will be forwarded to the SafetyConsumer, where it can be used to trigger a return from fail-safe substitute values (FSV) to actual process values (PV), see B.3.4.

OperatorAckRequested

Boolean

O

Indicates that an operator acknowledge is requested by the SafetyConsumer. This flag is received within the RequestSPDU.

ActivateFSV(Fail-safe substitutevalues)

Boolean

I

By setting this input to “1” the SafetyConsumer is instructed (via Bit 1 in ResponseSPDU.Flags, see 6.2.3.2) to deliver FSV instead of PV to the safety application program.

NOTE If the replacement of process values by FSV is to be controllable in a more fine-grained way, this can be realized by using qualifiers within the SafetyData, see 6.3.6.

SafetyConsumerID

UInt32

O

This output yields the ConsumerID used in the last access to this SafetyProvider by a SafetyConsumer (see 6.2.2.3).

Since all safety-related checks are executed by an implementation of this document, the safety application is not required to check this SafetyConsumerID.

MonitoringNumber

UInt32

O

This output yields the MonitoringNumber (MNR). It is updated whenever a new request comes in from the SafetyConsumer.

Since all safety-related checks are executed by an implementation of this document, the safety application is not required to check this MonitoringNumber.

SafetyProviderID

UInt32

I

For dynamic systems, this input can be set to a non-zero value. In this case, the SafetyProvider uses this value instead of the value from the SPI parameter SafetyProviderIDConfigured. If the value is changed to “0”, the value of parameter SafetyProviderIDConfigured from the SPI will be used (again).

See Figure 8, 3.1.2.15, and 9.1.1.

For static systems, this input is usually always kept at value “0”.

SafetyBaseID

Guid

I

For dynamic systems, this input can be set to a non-zero value. In this case, the SafetyProvider uses this value instead of the value of the SPI parameter SafetyBaseIDConfigured. If the value is changed to “0”, the value of parameter SafetyBaseIDConfigured from the SPI will be used (again).

See Figure 8, 3.1.2.14, and 9.1.1.

For static systems, this input is usually always kept at value “0”.

[RQ6.13a] Each SafetyProvider shall implement the parameters and constants [RQ6.13b] as shown in Table 24. The parameters (R/W in column “Access”) can be set via the SPI, whereas the constants (R in column “Access”) are read-only. The mechanisms for setting the parameters are vendor-specific. The attempt of setting a parameter to a value outside its range, or of the setting of a read-only parameter, shall not become effective, and a diagnostic message should be shown when appropriate. The values of the constants depend on the way the SafetyProvider is implemented. They never change and are therefore not writable via any of the interfaces.

Table 24 – SPI of the SafetyProvider

Identifier

Type

Range

Initial value

(before configuration)

Access

Note

SafetyProviderIDConfigured

UInt32

0x0 to 0xFFFFFFFF

0x0

R/W

SafetyProviderID of the SafetyProvider that is normally used, see 3.1.2.15 and 9.1.1.

For dynamic systems, the safety application program can overwrite this ID by providing a non-zero value at the input SafetyProviderID of the SafetyProvider’s SAPI. This runtime value can be queried using the SafetyProviderIDActive parameter. See 6.2.2.6 for details on configured and active values.

NOTE If both the values provided at the SPI and the SAPI are 0x0, this means that the SafetyProvider is not properly configured. SafetyConsumers will never try to communicate with SafetyProviders having a SafetyProviderID of 0x0, see Transitions T13/T27 in Table 35 and the macro <ParametersOK?> in Table 33.

SafetyBaseIDConfigured

Guid

Any value which can be represented with sixteen octets

All sixteenoctets are 0x00

R/W

SafetyBaseID of the SafetyProvider that is normally used, see 3.1.2.14 and 9.1.1.

For dynamic systems, the safety application program can overwrite this ID by providing a non-zero value at the input SafetyBaseID of the SafetyProvider’s SAPI. This runtime value can be queried using the SafetyBaseIDActive parameter. See 6.2.2.6 for details on configured and active values.

NOTE If both the values provided at the SPI and the SAPI are 0x0, this means that the SafetyProvider is not properly configured. SafetyConsumers will never try to communicate with SafetyProviders having a SafetyBaseID of 0x0, see Transitions T13/T27 in Table 35 and the macro <ParametersOK?> in Table 33.

See 9.1.1 for more information on GUID.

SafetyProviderLevel

Byte

0x01 to 0x04

n.a.

R

The SIL the SafetyProvider implementation (hardware and software) is capable of, see Figure 9.

NOTE 1 It is independent from the generation of the SafetyData at SAPI.

NOTE 2 The SafetyProviderLevel is used to distinguish devices of a different SIL. As a result, SPDUs coming from a device with a low SIL will never be accepted when a SafetyConsumer is parameterized to implement a safety function with a high SIL.

SafetyStructureSignature

UInt32

0x0 to 0xFFFFFFFF

0x0

R/W

Signature of the SafetyData structure, for calculation see 7.2.3.5.

NOTE “0” would not be a valid signature and thus indicates a SafetyProvider which is not properly configured. SafetyConsumers will never try to communicate with SafetyProviders having a SafetyStructureSignature of 0x0, see Transitions T13/T27 in Table 35 and the macro <ParametersOK?> in Table 33.

SafetyStructureSignatureVersion

UInt16

0x1

0x1

R/W

Version used to calculate SafetyStructureSignature, see 7.2.3.5

SafetyStructureIdentifier

String

all strings

“” (the empty string)

R/W

Identifier describing the DataType of the SafetyData, see 7.2.3.5.

SafetyProviderDelay

UInt32

0x0 to 0xFFFFFFFF

0x0

R/W

In microseconds (µs). It can be set during the engineering phase of the SafetyProvider or set during online configuration as well.

SafetyProviderDelay is the maximum time at the SafetyProvider from receiving the RequestSPDU to start the transmission of ResponseSPDU, see 8.1.

The parameter SafetyProviderDelay has no influence on the functional behaviour of the SafetyProvider. Therefore, it is not necessary for this value to be generated in a safety-related way. However, it will be provided in the OPC UA Information Model of a SafetyProvider to inform about its worst-case delay time. The value can be used during commissioning to check whether the timing behaviour of the SafetyProvider is suitable to fulfill the watchdog delay of the corresponding SafetyConsumer.

SafetyServerImplemented

Boolean

0x0 or 0x1

n.a.

R

This read-only parameter indicates whether the SafetyProvider has implemented the Server part of OPC UA Client/Server communication (see 5.4):

1: Server for OPC UA Client/Server communication is implemented.

0: Server for OPC UA Client/Server communication is not implemented.

The corresponding Facets are SafetyProviderServer and SafetyProviderServerMapper.

SafetyPubSubImplemented

Boolean

0x0 or 0x1

n.a.

R

This read-only parameter indicates whether the SafetyProvider has implemented the necessary publishers and subscribers for OPC UA PubSub communication (see 5.4):

1: OPC UA PubSub communication is implemented.

0: OPC UA PubSub communication is not implemented.

The corresponding Facets are SafetyProviderPubSub and SafetyProviderPubSubMapper.

image014.png

Figure 9 – Example combinations of SIL capabilities

The constant SafetyProviderLevel determines the value that is used for SafetyProviderLevel_ID when calculating the SPDU_ID, see 7.2.3.4.

NOTE SafetyProviderLevel is defined as the SIL the SafetyProvider implementation (hardware and software) is capable of, not to be confused with the SIL of the implemented safety function. For instance, Figure 9 shows a safety function which is implemented using a SIL 2-capable sensor, a SIL 3-capable PLC, and a SIL 1-capable actuator. The overall SIL of the safety function is considered to be SIL 1. Nevertheless, the SafetyProvider implemented on the sensor will use the constant value “2” as SafetyProviderLevel, whereas the SafetyProvider implemented on the PLC will use the constant value “3” as SafetyProviderLevel.

It is necessary for the respective SafetyConsumers (on the PLC and the actuator) to know the SafetyProviderLevel of their SafetyProviders in order to check the SPDU_ID (see 7.2.3.2).

Figure 10 shows an overview of the SafetyConsumer interfaces. The Safety Application Program Interface (SAPI) is specified in 6.3.4.2, the Safety Parameter Interface (SPI) is specified in 6.3.4.4.

image015.png

Figure 10 – SafetyConsumer interfaces

The SAPI of the SafetyConsumer represents the safety communication layer services of the SafetyConsumer. Table 25 lists all inputs and outputs of the SAPI of the SafetyConsumer.

[RQ6.14] Each SafetyConsumer shall implement the SAPI as shown in Table 25, however, the details are vendor-specific.

Table 25 – SAPI of the SafetyConsumer

SAPI Term

Type

I/O

Definition

SafetyData

Structure

O

This output either delivers the process values received from the SafetyProvider in the SPDU field SafetyData, or FSV.

NonSafetyData

Structure

O

This output delivers the non-safety process values (e.g. diagnostic information) which were sent together with safe data, see 7.2.1.11

Enable

Boolean

I

By changing this input to “0” the SafetyConsumer will change each and every Variable of the SafetyData to “0”1 and stop sending requests to the SafetyProvider. When changing Enable to “1” the SafetyConsumer will restart safe communication. The variable can be used to delay the start of the safety communication according to this document, after power on until “OPC UA connection ready” is set.The delay time is not monitored while enable is set to “0”.

FSV_Activated

Boolean

O

This output indicates via “1” that on the output SafetyData FSV (all binary “0”) are provided1.

NOTE A ResponseSPDU which is checked with an error results in FSV_Activated being set to “1”, see T24 in Table 35. There could be other reasons.

OperatorAckConsumer

Boolean

I

For motivation, see 6.3.4.3.

After an indication of OperatorAckRequested this input can be used to signal an operator acknowledgment. By changing this input from “0” to “1” (rising edge) the SafetyConsumer is instructed to switch SafetyData from FSV to PV. OperatorAckConsumer is processed only if this rising edge arrives after OperatorAckRequested was set to “1”, see Figure 19.

If a rising edge of OperatorAckConsumer arrives before OperatorAckRequested becomes 1, this rising edge is ignored.

OperatorAckRequested

Boolean

O

This output indicates the request for operator acknowledgment. The bit is set to “1” by the SafetyConsumer, when three conditions are met:

1)Too many communication errors were detected in the past, so the SafetyConsumer decided to switch to fail-safe substitute values.

2)Currently, no communication errors occur, and hence operator acknowledgment is possible.

3)Operator acknowledgment (rising edge at input OperatorAckConsumer) has not yet occurred.

The bit is reset to “0” when a rising edge at OperatorAckConsumer is detected.

OperatorAckProvider

Boolean

O

This output indicates that an operator acknowledgment has taken place on the SafetyProvider. If operator acknowledgment at the SafetyProvider should be allowed, this output is connected to OperatorAckConsumer, see B.3.4 and B.3.5.

NOTE If the ResponseSPDU is checked with error, this output remains at its last value, see T24 in Table 35.

TestModeActivated

Boolean

O

The safety application program is expected to evaluate this output for determining whether the communication partner is in test mode or not. A value of “1” indicates that the communication partner (source of data) is in test mode, e.g. during commissioning. Data coming from a device in test mode may be used for testing but is not intended to be used to control safety-critical processes. A value of “0” represents the “normal” safety-related mode.

The test mode enables the programmer and commissioner to validate the safety application using test data.

NOTE If the ResponseSPDU check results in an error and the ErrorIntervalTimer (see 6.3.4.4) is also not expired, TestModeActivated is reset, see state S17_Error in Table 34.

SafetyProviderID

UInt32

I

For dynamic systems, this input can be set to a non-zero value. In this case, the SafetyConsumer uses this variable instead of the SPI parameter SafetyProviderIDConfigured. This input is only read in the first cycle, or when a rising edge occurs at the input Enable. See also Table 26. If it is changed to “0”, the value of SPI parameter SafetyProviderIDConfigured will be used (again).

For static systems, this input is usually always kept at value “0”.

SafetyBaseID

Guid

I

For dynamic systems, this input can be set to a non-zero value. In this case, the SafetyConsumer uses this variable instead of the SPI parameter SafetyBaseIDConfigured. This input is only read in the first cycle, or when a rising edge occurs at the input Enable. See also Table 26. If it is changed to “0”, the SPI parameter SafetyBaseIDConfigured will become activated.

For static systems, this input is usually always kept at value “0”.

SafetyConsumerID

UInt32

I

For dynamic systems, this input can be set to a non-zero value. In this case, the SafetyConsumer uses this variable instead of the SPI parameter SafetyConsumerID. This input is only read in the first cycle, or when a rising edge occurs at the input Enable. See also Table 26. If it is changed to “0”, the SPI parameter SafetyConsumerID will become activated.

For static systems, this input is usually always kept at value “0”.

1 If an application requires different FSV than “all binary 0”, it is expected to use appropriate constants and ignore the output of SafetyData whenever FSV_Activated is set.

The safety argumentation assumes that random errors in the underlying OPC UA stack including its communication links are not too frequent, i.e. that its failure rate is lower than a given threshold, depending on the desired SIL (see 9.3.1).

Whenever the SafetyConsumer detects a faulty message, it checks whether the assumption is still valid, and switches to fail-safe substitute values otherwise. Returning to process values then requires an operator acknowledgment.

Operator Acknowledge is expected to be initiated by a human operator who is responsible to check the installation, see Table 40, row “Operator Acknowledge”. For this reason, the parameter OperatorAckRequested is delivered by the SafetyConsumer to the safety application. See Clause B.2 for details on operator acknowledgment scenarios.

Timeout errors do only require an operator acknowledgment if operator acknowledgment is required by the safety function itself. In this case, SafetyOperatorAckNecessary is set to indicate that operator acknowledgments are required. See 6.3.4.5 for details.

[RQ6.15a] Each SafetyConsumer shall implement the parameters and constants [RQ6.15b] as shown in Table 26. The parameters (R/W in column “Access”) can be set via the SPI, whereas the constants (R in column “Access”) are read-only. The mechanisms for setting these parameters are vendor-specific. The attempt of setting a parameter to a value outside its range, or of the setting of a read-only parameter, shall not become effective, and a diagnostic message should be shown when appropriate. The SPI of the SafetyConsumer represents the parameters of the safety communication layer management of the SafetyConsumer. The values of the constants depend on the way the SafetyConsumer is implemented. They never change and are therefore not writable via any of the interfaces.

Table 26 – SPI of the SafetyConsumer

Identifier

Type

Valid range

Initial value

(before configuration)

Access

Note

SafetyProviderIDConfigured

UInt32

0x0 to 0xFFFFFFFF

0x0

R/W

The default SafetyProviderID of the SafetyProvider this SafetyConsumer uses to make a connection, see Figure 8 and 3.1.2.15.

For dynamic systems, the safety application program can overwrite this ID by providing a non-zero value at the input SafetyProviderID of the SafetyConsumer’s SAPI. This runtime value can be queried using the SafetyProviderIDActive parameter. See 6.2.2.6 for details on configured and active values.

SafetyBaseIDConfigured

Guid

Any value which can be represented with sixteen octets.

All sixteen octets are 0x0

R/W

The default SafetyBaseID of the SafetyProvider this SafetyConsumer uses to make a connection, see 3.1.2.14.

For dynamic systems, the safety application program can overwrite this ID by providing a non-zero value at the input SafetyBaseID of the SafetyConsumer’s SAPI. This runtime value can be queried using the SafetyBaseIDActive parameter. See 6.2.2.6 for details on configured and active values.

See 9.1.1 for more information on GUID.

SafetyConsumerIDConfigured

UInt32

0x0 to 0xFFFFFFFF

0x0

R/W

SafetyConsumerID of the SafetyConsumer, see 9.1.2.

For dynamic systems, the safety application program can overwrite this ID by providing a non-zero value at the input SafetyConsumerID of the SafetyConsumer’s SAPI. This runtime value can be queried using the SafetyConsumerIDActive parameter. See 6.2.2.6 for details on configured and active values.

SafetyProviderLevel

Byte

0x01 to 0x04

0x04

R/W

SafetyConsumer’s expectation on the SIL the SafetyProvider implementation (hardware and software) is capable of. See 3.1, 7.2.3.4, and Figure 9.

SafetyStructureSignature

UInt32

0x0 to 0xFFFFFFFF

0x0

R/W

Signature over the SafetyData structure, see 7.2.3.5.

SafetyStructureSignatureVersion

UInt16

0x1

0x1

R/W

Version used to calculate SafetyStructureSignature, see 7.2.3.5.

For the SafetyConsumer, this parameter is optional.

SafetyStructureIdentifier

String

“”

R/W

Identifier describing the DataType of the SafetyData, see 7.2.3.5.

For the SafetyConsumer, this parameter is optional.

SafetyConsumerTimeout

UInt32

0x0 to 0xFFFFFFFF

0x0

R/W

Watchdog-time in microseconds (µs).

Whenever the SafetyConsumer sends a request to a SafetyProvider, its watchdog timer is set to this value. The expiration of this timer prior to receiving an error-free reply by the SafetyProvider indicates an unacceptable delay.

See 8.1

SafetyOperatorAckNecessary

Boolean

0x0 or 0x1

0x1

R/W

This parameter controls whether an operator acknowledgment (OA) is necessary in case of errors of type “unacceptable delay” or “loss”, or when the SafetyProvider has activated FSV (ActivateFSV). 1: FSV are provided at the output SafetyData of the SAPI until OA. 0: PV are provided at SafetyData of the SAPI as soon as the communication is free of errors. In case of ActivateFSV the values change from FSV to PV as soon as ActivateFSV returns to “0”.

NOTE This parameter does not have an influence on the behaviour of the SafetyConsumer following the detection of other types of communication errors, such as data corruption or an error detected by the SPDU_ID. For these types of errors, OA is mandatory, see 6.3.4.3.

SafetyErrorIntervalLimit

UInt16

6, 60, 600

600

R/W

Value in minutes.

The parameter SafetyErrorIntervalLimit determines the minimal time interval between two consecutive communication errors so that they do not trigger a switch to FSV in the SafetyConsumer, see 6.3.4.3.

It affects the availability and either the PFH or PFDavg, or both, of the safety communication link according to this document, see 9.4.

SafetyClientImplemented

Boolean

0x0 or 0x1

n.a.

R

This read-only parameter indicates whether the SafetyConsumer has implemented the client part of OPC UA Client/Server communication (see 5.4):

1: Client for OPC UA Client/Server communication is implemented.

0: Client for OPC UA Client/Server communication is not implemented.

The corresponding Facet is SafetyConsumerClient.

SafetyPubSubImplemented

Boolean

0x0 or 0x1

n.a.

R

This read-only parameter indicates whether the SafetyConsumer has implemented the necessary publishers and subscribers for OPC UA PubSub communication (see 5.4):

1: OPC UA PubSub communication is implemented.

0: OPC UA PubSub communication is not implemented.

The corresponding Facets are SafetyConsumerPubSub and SafetyConsumerPubSubMapper.

This parameter determines whether automatic restart (i.e. automatically switching back from fail-safe values to process values) is possible for the safety function or not. It is expected to be set to 1 for safety functions where automatic restart is not allowed and restart always requires human interaction.

If automatic restart of the safety function is safe, the parameter can be set to 0.

This document supports cyclic and acyclic safety communication.

For most safety functions it is necessary to react in a timely manner to external events, such as an emergency stop button being pressed or a light curtain being interrupted. In these applications, cyclic safety communication is established. That means the SafetyConsumer is executed cyclically, and the time between two consecutive executions is safely bounded. The maximum time between two executions of the SafetyConsumer will contribute to the safety function response time (SFRT).

Some safety functions, such as the transfer of safe configuration data at startup, do not have to react on external events. In this case, it is not required to execute the SafetyConsumer cyclically.

Qualifiers allow the SafetyProvider to indicate the correctness of values on a fine-grained level. It is good practice to attach qualifiers to each individual value sent within an SPDU. The qualifiers are part of the SafetyData and hence not within the scope of this document.

[RQ6.16] However, whenever qualifiers are used, the values shown in Table 27 shall be used, i.e. 0x1 for a valid value (“good”), and 0x0 for an invalid value (“bad”).

Table 27 – Example “application variables with qualifier”

Value

Qualifier

valid

0x1 (= good)

invalid

0x0 (= bad)

Checking of the qualifiers is done in the safety application.

Diagnostics according to this document may be implemented in a non-safety-related way. This allows for categorization and localization of safety communication errors.

This document provides two types of diagnostics:

[RQ6.17] Every time the macro <Set Diag(SD_IDerrOA, isPermanent)> is executed within the SafetyConsumer, the textual representation shown in Table 28 shall be presented. The details and location of this representation (display, logfile, etc.) are vendor-specific.

Table 28 – Safety layer diagnostic messages

Internal identifier

(as used in the state-machines)

General error type(String)

Extended error type (String)

Error code(offset)1

Classification *)(optional)

Mandatory

SD_IDerrIgn

The SafetyConsumer has discarded a message due to an incorrect ID.

0x01

A

Yes

SD_IDerrOA

The SafetyConsumer has switched to fail-safe substitute values due to an incorrect ID. Operator acknowledgment is required.

Mismatch of SafetyBaseID.2

0x11

B, E

Yes

SD_IDerrOA

The SafetyConsumer has switched to fail-safe substitute values due to an incorrect ID. Operator acknowledgment is required.

Mismatch of SafetyProviderID.

0x12

B, E

Yes

SD_IDerrOA

The SafetyConsumer has switched to fail-safe substitute values due to an incorrect ID. Operator acknowledgment is required.

Mismatch of SafetyData structure or identifier.3

0x13

B, E

Yes

SD_IDerrOA

The SafetyConsumer has switched to fail-safe substitute values due to an incorrect ID. Operator acknowledgment is required.

Mismatch of SafetyProviderLevel.4

0x14

B, E

Yes

CRCerrIgn

The SafetyConsumer has discarded a message due to a CRC error (data corruption).

0x05

A

Yes

CRCerrOA

The SafetyConsumer has switched to fail-safe substitute values due to a CRC error (data corruption). Operator acknowledgment is required.

0x15

B, C

Yes

CoIDerrIgn

The SafetyConsumer has discarded a message due to an incorrect ConsumerID.

0x06

A

Yes

CoIDerrOA

The SafetyConsumer has switched to fail-safe substitute values due to an incorrect SafetyConsumerID. Operator acknowledgment is required.

0x16

B

Yes

MNRerrIgn

The SafetyConsumer has discarded a message due to an incorrect MonitoringNumber.

0x07

A

Yes

MNRerrOA

The SafetyConsumer has switched to fail-safe substitute values due to an incorrect monitoring number. Operator acknowledgment is required.

0x17

B, C

Yes

CommErrTO

The SafetyConsumer has switched to fail-safe substitute values due to timeout.

0x08

B

Yes

ApplErrTO

The SafetyConsumer has switched to fail-safe substitute values at the request of the safety application.

0x09

D

No

ParametersInvalid

The SafetyConsumer has been configured with invalid parameters.

0x0A

B, E

Yes

FSV_Requested

The SafetyConsumer has switched to fail-safe substitute values at the request of the SafetyProvider. Operator acknowledgment is required.5

0x20

F

Yes

1An offset of 0x10 or larger indicates an error requiring operator acknowledgment.

2This text may also be shown when the error in the SPDU_ID is due to an incorrect SafetyBaseID.

3This text may also be shown when the error in the SPDU_ID is due to an incorrect SafetyStructureID.

4This text may also be shown when the error in the SPDU_ID is due to an incorrect SafetyProviderLevel.

5A diagnostic message is generated only if the parameter SPI.SafetyOperatorAckNecessary is true, see transition T22 in Table 35.

*)The following classification is specified:

A)Transient communication error

B)Permanent communication error

C)Transmission quality seems not to be sufficient

D)Application error

E)Parameter error

F)Error does not affect communication itself.

To avoid a flood of diagnostic messages in case of transmission errors, only up to two messages are shown even if multiple communication errors occur in sequence. This is ensured by the behaviour defined in the SafetyConsumer’s state machine.

Optional features (vendor-specific):

This Method (as part of the OPC UA Mapper) serves as a Diagnostic Interface and exists for each SafetyProvider. For time series observation, this interface can be polled, e.g. by a diagnostic device. For details, refer to the OPC UA Information Model described, see 6.2.2.4.

The Diagnostic Interface Method does not take any input parameters and returns both the input and output parameters of the last call of the Method ReadSafetyData.

Additionally, a 2-octet sequence number is added to the Diagnostic Interface, allowing for a detection of missed calls due to polling. The sequence number counts the number of accesses to ReadSafetyData.

A best practice recommendation is to store all input and output parameters if SComErr_diag is <> 0.