[RQ6.1] Each server shall have a singleton folder called SafetyACSet with a fixed NodeId in the namespace of this document. Because all SafetyProviders and SafetyConsumers on this server contain a hierarchical reference from this object to themselves, it can be used to directly access all SafetyProviders and/or SafetyConsumers. SafetyACSet is intended for safety-related purposes only. It should not reference to non-safety-related items.
Table 3 – SafetyACSet definition
|
Attribute |
Value |
||
|
BrowseName |
SafetyACSet |
||
|
References |
NodeClass |
BrowseName |
Comment |
|
OrganizedBy by the Objects Folder defined in OPC 10000-5. |
|||
|
HasTypeDefinition |
ObjectType |
FolderType |
Entry point for all SafetyProviders and SafetyConsumers |
|
Conformance Units |
|||
|
SafetyACSet |
|||
[RQ6.2] In addition, a server shall comprise one OPC UA object derived from type SafetyProviderType for each SafetyProvider it implements, and one OPC UA object derived from type SafetyConsumerType for each SafetyConsumer it implements. The corresponding information models shown in Figure 3 and Figure 4 shall be used.
A description of the graphical notation for the different types of nodes and references (shown in Figure 3, Figure 4, and Figure 6) can be found in OPC 10000-3.
Figure 3 describes the SafetyProvider and the SafetyConsumer.
NOTE 1 This document assumes (atomic) consistent data exchange between OPC mappers of the two endpoints.
[RQ6.3a] For implementations supporting OPC UA Client/Server, the Call Service of the Method Service Set (see OPC 10000-4) shall be used. The Method "ReadSafetyData" has a set of input arguments that make up the RequestSPDU and a set of output arguments that make up the ResponseSPDU. The SafetyConsumer uses the OPC UA Client with the OPC UA Service Call.
[RQ6.3b] For implementations supporting OPC UA PubSub, the OPC UA object SafetyPDUs with its properties RequestSPDU and ResponseSPDU shall be used. RequestSPDU is published by the SafetyConsumer and subscribed by the SafetyProvider. ResponseSPDU is published by the SafetyProvider and subscribed by the SafetyConsumer.
NOTE 2 The terms “request” and “response” refer to the behavior on the layer of this document. Within the PubSub context, both requests and responses are realized by repeatedly publishing and subscribing datagrams, see Figure 14.
[RQ6.4] For diagnostic purposes, the SPDUs received and sent shall be accessible by calling the method ReadSafetyDiagnostics.
Figure 3 – Server Objects for OPC UA Safety
NOTE For the input/output arguments of the methods ReadSafetyData and ReadSafetyDiagnostics, see 6.2.2.3 and 6.2.2.4. For the parameters of the SafetyProvider and SafetyConsumer, see Figure 6, Table 12, and Table 13. For RequestSPDU and ResponseSPDU, see Table 7, Table 18, Table 20, and 7.2.1.
Figure 4 shows the instances of server objects for this document. The ObjectType for the SafetyProviderType contains methods having outputs of the abstract data type ”Structure”. Each instance of a SafetyProvider needs its own copy of the methods which contain the concrete DataTypes for “OutSafetyData” and “OutNonSafetyData”.
Figure 4 – Instances of server objects for this document
[RQ6.5] To reduce the number of variations and to alleviate validation testing, the following restrictions apply to instances of SafetyProviderType and SafetyConsumerType (or instances of types derived from SafetyProviderType or SafetyConsumerType):
- The references shown in Figure 4 originating at SafetyProviderType or SafetyConsumerType and below shall be of type HasComponent (and shall not be derived from HasComponent) for object references or HasProperty (and shall not be derived from HasProperty) for property references.
- As BrowseNames (i.e. name and namespace) are used to find methods, the names of objects and properties shall be locally unique.
- The DataType of both Properties and MethodArguments shall be used as specified, and no derived DataTypes shall be used (exception: OutSafetyData and OutNonSafetyData).
- In OPC UA, the sequence of MethodArguments is relevant.
Table 4 – SafetyObjectsType Definition
|
Attribute |
Value |
||||
|
BrowseName |
SafetyObjectsType |
||||
|
IsAbstract |
True |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of BaseObjectType |
|||||
|
Conformance Units |
|||||
|
SafetySupport |
|||||
Table 5 – SafetyProviderType Definition
|
Attribute |
Value |
||||
|
BrowseName |
SafetyProviderType |
||||
|
IsAbstract |
False |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of SafetyObjectsType |
|||||
|
HasComponent |
Method |
ReadSafetyData |
|
|
Optional |
|
HasComponent |
Method |
ReadSafetyDiagnostics |
|
|
Optional |
|
HasComponent |
Object |
SafetyPDUs |
|
SafetyPDUsType |
Optional |
|
HasComponent |
Object |
Parameters |
|
SafetyProviderParametersType |
Mandatory |
|
Conformance Units |
|||||
|
SafetyProviderParameters |
|||||
[RQ6.6] Instances of SafetyProviderType shall use non-abstract DataTypes for the arguments OutSafetyData and OutNonSafetyData.
Table 6 – SafetyConsumerType Definition
|
Attribute |
Value |
||||
|
BrowseName |
SafetyConsumerType |
||||
|
IsAbstract |
False |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of SafetyObjectsType |
|||||
|
HasComponent |
Object |
SafetyPDUs |
|
SafetyPDUsType |
Optional |
|
HasComponent |
Object |
Parameters |
|
SafetyConsumerParametersType |
Mandatory |
|
Conformance Units |
|||||
|
SafetyConsumerParameters |
|||||
This method is mandatory for the profile SafetyProviderServerMapper (see https://profiles.opcfoundation.org/). It is used to read SafetyData from the SafetyProvider. It is in the responsibility of the safety application, that this method is not concurrently called by multiple SafetyConsumers. Otherwise, the SafetyConsumer may receive invalid responses resulting in a safe reaction which may lead to spurious trips and/or system unavailability.
The method argument OutSafetyData has an application-specific type derived from Structure. This type (including the type identifier) is expected to be the same in both the SafetyProvider and the SafetyConsumer. Otherwise, the SafetyConsumer will not accept the transferred data and switch to fail-safe values instead (see state S16 in Table 34 – SafetyConsumer states as well as 7.2.3.2 and 7.2.3.4).
Signature
ReadSafetyData (
[in]UInt32InSafetyConsumerID,
[in]UInt32InMonitoringNumber,
[in]InFlagsTypeInFlags,
[out] StructureOutSafetyData,
[out]OutFlagsTypeOutFlags,
[out]UInt32OutSPDU_ID_1,
[out]UInt32OutSPDU_ID_2,
[out]UInt32OutSPDU_ID_3,
[out]UInt32OutSafetyConsumerID,
[out]UInt32OutMonitoringNumber,
[out]UInt32OutCRC,
[out] StructureOutNonSafetyData)
;
Table 7 – ReadSafetyData Method Arguments
|
Argument |
Description |
|
InSafetyConsumerID |
“Safety Consumer Identifier”, see SafetyConsumerID in Table 23. |
|
InMonitoringNumber |
“Monitoring Number of the RequestSPDU”, see 7.2.1.3 and MonitoringNumber in Table 23. |
|
InFlags |
“Byte with non-safety-related flags from SafetyConsumer”, see 6.2.3.1. |
|
OutSafetyData |
“Safety Data”, see 7.2.1.5. |
|
OutFlags |
“Byte with safety-related flags from SafetyProvider”, see 6.2.3.2. |
|
OutSPDU_ID_1 |
“Safety PDU Identifier Part1”, see 7.2.3.2. |
|
OutSPDU_ID_2 |
“Safety PDU Identifier Part2”, see 7.2.3.2. |
|
OutSPDU_ID_3 |
“Safety PDU Identifier Part3”, see 7.2.3.2. |
|
OutSafetyConsumerID |
“Safety Consumer Identifier”, see SafetyConsumerID in Table 23 and Table 26. |
|
OutMonitoringNumber |
Monitoring Number of the ResponseSPDU, see 7.2.1.9, 7.2.3.1, and Figure 11. |
|
OutCRC |
CRC-checksum over the ResponseSPDU, see 7.2.3.5. |
|
OutNonSafetyData |
“Non-safe data” see 7.2.1.11. |
Table 8 – ReadSafetyData Method AddressSpace definition
|
Attribute |
Value |
||||
|
BrowseName |
ReadSafetyData |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
HasProperty |
Variable |
InputArguments |
Argument[] |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
OutputArguments |
Argument[] |
PropertyType |
Mandatory |
|
Conformance Units |
|||||
|
ReadSafetyData |
|||||
This method is mandatory for the profile SafetyProviderServerMapper and optional for the profile SafetyProviderPubSubMapper (see https://profiles.opcfoundation.org/). It is provided for each SafetyProvider serving as a diagnostic interface, see 6.4.3.
Signature
ReadSafetyDiagnostics (
[out]UInt32InSafetyConsumerID,
[out]UInt32InMonitoringNumber,
[out]InFlagsTypeInFlags,
[out] StructureOutSafetyData,
[out]OutFlagsTypeOutFlags,
[out]UInt32OutSPDU_ID_1,
[out]UInt32OutSPDU_ID_2,
[out]UInt32OutSPDU_ID_3,
[out]UInt32OutSafetyConsumerID,
[out]UInt32OutMonitoringNumber,
[out]UInt32OutCRC,
[out] StructureOutNonSafetyData)
;
Table 9 – ReadSafetyDiagnostics Method Arguments
|
Argument |
Description |
|
InSafetyConsumerID |
see Table 7 |
|
InMonitoringNumber |
see Table 7 |
|
InFlags |
see Table 7 |
|
OutSafetyData |
see Table 7 |
|
OutFlags |
see Table 7 |
|
OutSPDU_ID_1 |
see Table 7 |
|
OutSPDU_ID_2 |
see Table 7 |
|
OutSPDU_ID_3 |
see Table 7 |
|
OutSafetyConsumerID |
see Table 7 |
|
OutMonitoringNumber |
see Table 7 |
|
OutCRC |
see Table 7 |
|
OutNonSafetyData |
see Table 7 |
Table 10 – ReadSafetyDiagnostics Method AddressSpace definition
|
Attribute |
Value |
||||
|
BrowseName |
ReadSafetyDiagnostics |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
HasProperty |
Variable |
OutputArguments |
Argument[] |
PropertyType |
Mandatory |
|
Conformance Units |
|||||
|
ReadSafetyDiagnostics |
|||||
This object is mandatory for the profile SafetyProviderPubSubMapper and the profile SafetyConsumerPubSubMapper (see https://profiles.opcfoundation.org/). It is used by the SafetyProvider to subscribe to the RequestSPDU and to publish the ResponseSPDU. The data type of RequestSPDU is structured in the same way as the input arguments of ReadSafetyData. The data type of ResponseSPDU is structured in the same way as the output arguments of ReadSafetyData.
Both variables have a counterpart within the information model of the SafetyConsumer. The SafetyConsumer publishes the RequestSPDU and subscribes to the ResponseSPDU.
Table 11 – SafetyPDUsType Definition
|
Attribute |
Value |
||||
|
BrowseName |
SafetyPDUsType |
||||
|
IsAbstract |
False |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of BaseObjectType |
|||||
|
HasComponent |
Variable |
<RequestSPDU> |
RequestSPDUDataType |
BaseDataVariableType |
Mandatory Placeholder |
|
HasComponent |
Variable |
<ResponseSPDU> |
ResponseSPDUDataType |
BaseDataVariableType |
Mandatory Placeholder |
|
Conformance Units |
|||||
|
SafetyPDUs |
|||||
The object SafetyPDUS shall contain exactly one reference to a variable of a type RequestSPDUDataType and exactly one reference to a variable of a subtype of type ResponseSPDUDataType.
For example, Figure 5 shows a distributed safety application with four automation components. It is assumed that Automation Component 1 sends a value to the other three components using three SafetyProviders, each comprising a pair of SafetyPDUs. Note that for each recipient, there is an individual pair of SafetyPDUs.
Figure 5 – Safety Multicast with three recipients using OPC UA PubSub
Figure 6 shows the safety parameters for the SafetyProvider and the SafetyConsumer.
Figure 6 – Safety Parameters for the SafetyProvider and the SafetyConsumer
Table 12 – SafetyProviderParametersType Definition
|
Attribute |
Value |
||||
|
BrowseName |
SafetyProviderParametersType |
||||
|
IsAbstract |
False |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of BaseObjectType |
|||||
|
HasProperty |
Variable |
SafetyProviderIDConfigured |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyProviderIDActive |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyBaseIDConfigured |
Guid |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyBaseIDActive |
Guid |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyProviderLevel |
Byte |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyStructureSignature |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyStructureSignatureVersion |
UInt16 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyStructureIdentifier |
String |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyProviderDelay |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyServerImplemented |
Boolean |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyPubSubImplemented |
Boolean |
PropertyType |
Mandatory |
|
Conformance Units |
|||||
|
SafetyProviderParameters |
|||||
NOTE Refer to 6.3.3.3 for more details on the Safety Parameter Interface (SPI) of the SafetyProvider.
NOTE The parameters for SafetyProviderID and SafetyBaseID exist in pairs for “Configured” and “Active” states:
- SafetyProviderIDConfigured and SafetyProviderIDActive,
- SafetyBaseIDConfigured and SafetyBaseIDActive.
The “[...]Configured” parameters shall always deliver the values as configured via the SPI. The “[...]Active” parameters shall deliver
- the corresponding “[...]Configured” values if the system is still offline;
- the values which have been set during runtime via the SAPI parameters (SafetyProviderID, SafetyBaseID);
- the corresponding “[...]Configured” values if the active values have been set to zero via the SAPI parameters (SafetyProviderID, SafetyBaseID).
The Property SafetyBaseIDConfigured is shared for all SafetyProviders with the same SafetyBaseIDConfigured value. If multiple instances of SafetyObjectsType are running on the same node, it is a viable optimization that a property “SafetyBaseIDConfigured” is referenced by multiple SafetyProviders and/or SafetyConsumers.
For releases up to Release 2.0 of the document, the value for the SafetyStructureSignatureVersion shall be 0x0001 (see RQ7.21 in 7.2.3.4).
Table 13 – SafetyConsumerParametersType Definition
|
Attribute |
Value |
||||
|
BrowseName |
SafetyConsumerParametersType |
||||
|
IsAbstract |
False |
||||
|
References |
Node Class |
BrowseName |
DataType |
TypeDefinition |
Modelling Rule |
|
Subtype of BaseObjectType |
|||||
|
HasProperty |
Variable |
SafetyProviderIDConfigured |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyProviderIDActive |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyBaseIDConfigured |
Guid |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyBaseIDActive |
Guid |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyConsumerIDConfigured |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyConsumerIDActive |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyProviderLevel |
Byte |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyStructureSignature |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyStructureSignatureVersion |
UInt16 |
PropertyType |
Optional |
|
HasProperty |
Variable |
SafetyStructureIdentifier |
String |
PropertyType |
Optional |
|
HasProperty |
Variable |
SafetyConsumerTimeout |
UInt32 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyOperatorAckNecessary |
Boolean |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyErrorIntervalLimit |
UInt16 |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyClientImplemented |
Boolean |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
SafetyPubSubImplemented |
Boolean |
PropertyType |
Mandatory |
|
Conformance Units |
|||||
|
SafetyConsumerParameters |
|||||
NOTE 1 Refer to 6.3.4.4 for more details on the Safety Parameter Interface (SPI) of the SafetyConsumer.
NOTE 2 The parameters for SafetyProviderID, SafetyBaseID and SafetyConsumerID exist in pairs for “Configured” and “Active” states: SafetyProviderIDConfigured and SafetyProviderIDActive, SafetyBaseIDConfigured and SafetyBaseIDActive, and SafetyConsumerIDConfigured and SafetyConsumerIDActive.
The “[...]Configured” parameters shall always deliver the values as configured via the SPI. The “[...]Active” parameters shall deliver
- the corresponding “[...]Configured” values if the system is still offline;
- the values which have been set during runtime via the SAPI parameters (SafetyProviderID, SafetyBaseID, SafetyConsumerID);
- the corresponding “[...]Configured” values if the active values have been set to zero via the SAPI parameters (SafetyProviderID, SafetyBaseID, SafetyConsumerID).
NOTE 3 The nodes SafetyStructureIdentifier and SafetyStructureSignatureVersion are optional, because SafetyStructureSignature is typically calculated in an offline engineering tool. For small devices, it might be beneficial to only upload the SafetyStructureSignature to the device, but not SafetyStructureIdentifier and SafetyStructureSignatureVersion in order to save bandwidth and/or memory.