This chapter describes in detail the protocol that is used for the safety communication layer.

Figure 11 shows the structure of a RequestSPDU which originates at the SafetyConsumer and contains a SafetyConsumerID, a MonitoringNumber (MNR), and one byte of (non-safety-related) flags.

NOTE The RequestSPDU does not contain a CRC checksum.

image016.png

Figure 11 – RequestSPDU

Figure 12 shows the structure of a ResponseSPDU which originates at the SafetyProvider and contains the safety data (1 – 1500 Bytes), an additional 25 Byte safety code (STrailer) as described in the subsequent clauses, and the non-safety related data (see also 6.2.3.4 for details).

image017.png

Figure 12 – ResponseSPDU

NOTE To avoid spurious trips, the ResponseSPDU is transmitted in an atomic (consistent) way from the OPC UA platform interface of the SafetyProvider to the OPC UA platform interface of the SafetyConsumer. This is the task of the respective OPC UA mapper, see Figure 2.

Identifier of the SafetyConsumer instance, for diagnostic purposes, see 9.1.2.

The SafetyConsumer uses the MNR to detect mis-timed SPDUs, e.g., such SPDUs which are continuously repeated by an erroneous network element which stores data. A different MNR is used in every RequestSPDU of a given SafetyConsumer, and a ResponseSPDU will only be accepted if its MNR is matching the MNR of the corresponding RequestSPDU.

The checking for correctness of the MNR is only performed by the SafetyConsumer.

[RQ7.1] The flags of the Safety Consumer (RequestSPDU.Flags) shall be used as shown in 6.2.3.1.

[RQ7.2] SafetyData shall contain the safety-related application data transmitted from the SafetyProvider to the SafetyConsumer. It may comprise multiple basic OPC UA variables (see 6.2.5). For the sake of reducing distinctions of cases, SafetyData shall always be a structure, even if it only contains a single basic OPC UA variable.

For the calculation of the CRC Signature, the order in which this data is processed by the calculation is important. SafetyProvider and SafetyConsumer must agree upon the number, type and order of application data transmitted in SafetyData. The sequence of SafetyData is fixed.

NOTE SafetyData may contain qualifier bits for a fine-grained activation of fail-safe substitute values. For a valid process value, the respective qualifier is set to 1 (good), whereas the value 0 (bad) is used for invalid values. Invalid process values are replaced by a fail-safe substitute value in the consumer’s safety application. See 6.3.6.

[RQ7.3] The flags of the SafetyProvider (ResponseSPDU.Flags) shall be used as shown in 6.2.3.2.

[RQ7.4] Flags in the ResponseSPDU.Flags which are reserved for future use shall be set to zero by the SafetyProvider and shall not be evaluated by the SafetyConsumer.

This field is used by the SafetyConsumer to check whether the ResponseSPDU is coming from the correct SafetyProvider. For details, see 7.2.3.1.

[RQ7.5] The SafetyConsumerID in the ResponseSPDU shall be a copy of the SafetyConsumerID received in the corresponding RequestSPDU. See 7.2.3.1.

[RQ7.6] The MonitoringNumber in the ResponseSPDU shall be a copy of the MonitoringNumber received in the corresponding RequestSPDU. See 7.2.3.1.

NOTE The SafetyConsumer uses the ResponseSPDU.MonitoringNumber to detect mis-timed SPDUs, e.g., such SPDUs which are continuously repeated by an erroneous network element which stores data. A different MonitoringNumber is used in every RequestSPDU of a given SafetyConsumer, and a ResponseSPDU will only be accepted if its MonitoringNumber matches the MonitoringNumber in the corresponding RequestSPDU.

[RQ7.7] This CRC-checksum shall be used to detect data corruption. See 7.2.3.5 on how it is calculated in the SafetyProvider and how it is checked in the SafetyConsumer.

[RQ7.8] This structure shall be used to transmit non-safety data values (e.g., diagnostic information) together with safe data consistently. Non-safety data is not CRC-protected and may stem from an unsafe source.

[RQ7.9] When presented to the safety application (e.g., at an output of the SafetyConsumer), non-safety values shall clearly be indicated as “non-safety”, by an appropriate vendor-specific mechanism (e.g. by using a different color).

To avoid possible problems with empty structures, the dummy structure NonSafetyDataPlaceholder shall be used when no non-safety data is used (see requirement RQ6.8).

The two SCL-services “SafetyProvider” and “SafetyConsumer” are specified using state diagrams.

Figure 13 and Figure 14 show sequences of requests and responses with SafetyData for this document using OPC UA Client/Server and PubSub communication mechanisms, respectively. Please note that the figures show selected scenarios only and are therefore informative.

image018.png

Figure 13 (informative) – Sequence diagram for requests and responses (Client/Server)

[RQ7.10] In the case of Client/Server communication, a SafetyConsumer’s OPC UA mapper may call a SafetyProvider (either the state machine implementation itself or the SafetyProvider’s OPC UA mapper) with an identical RequestSPDU multiple times in a row. In that case, the SafetyProvider (state machine or OPC UA mapper) shall answer all requests.

NOTE 1 The returned ResponseSPDUs may contain different values (e.g., currently available process values) or contain the initially returned values.

[RQ7.11] For each SafetyProvider, the implemented choice of behavior according to RQ7.10 (i.e., whether currently available process values or initially returned values will be used) shall be documented in the corresponding safety manual.

NOTE 2 Since a SafetyConsumer checks for changed MNRs in ResponseSPDUs (see SafetyConsumer state S14_WaitForChangedSPDU in Table 34 and transition T17 in Table 35), and therefore will use only the first evaluated ResponseSPDU for a given MNR. All further ResponseSPDUs with the same MNR will be ignored.

image019.png

NOTE The bold arrows represent communication with new data values, whereas dashed arrows contain repeated data values.

Figure 14 (informative) – Sequence diagram for requests and responses (PubSub)

NOTE 3 The state machines according to this document do not contain any retry-mechanisms to increase fault tolerance. In contrast, it is assumed that retry is already handled within the OPC UA stack (e.g., when using Client/Server, or by choosing a higher update rate for PubSub). The dashed lines therefore are not part of this document, but rather symbolize the repeated sending of data implemented in the OPC UA stack.

The SafetyConsumerTimeout is the watchdog time checked in the SafetyConsumer. The watchdog is restarted immediately before a new RequestSPDU is generated (transitions T14 and T28 of the SafetyConsumer in Table 35). If an appropriate ResponseSPDU is received in time, and the checks for data integrity, authenticity, and timeliness are all valid, the timer will not expire before it is restarted.

Otherwise, the watchdog timer expires, and the SafetyConsumer triggers a safe reaction. To duly check its timer, the SafetyConsumer is executed cyclically, with period ConsumerCycleTime. ConsumerCycleTime is expected to be smaller than SafetyConsumerTimeout.

The ConsumerCycleTime is the maximum time for the cyclic update of the SafetyConsumer. It is the timeframe from one execution of the SafetyConsumer to the next execution of the SafetyConsumer. The implementation of the monitoring of the ConsumerCycleTime and the reaction in case of exceeding the ConsumerCycleTime are not part of this document; these are vendor-specific.

[RQ7.12] The ConsumerCycleTime shall be monitored in a safety-related way.

[RQ7.13] Figure 15 shows a simplified representation of the state diagram of the SafetyProvider. The exact behavior is described in Table 30, Table 31, and Table 32. The SafetyProvider shall implement that behavior. It is not required to literally follow the entries given in the tables, if the externally observable behavior does not change.

image020.png

Figure 15 – Simplified representation of the state diagram for the SafetyProvider

Table 29 – Symbols used for state machines

Graphical representation

Type

Description

image021.png

Activity State

Within these interruptible activity states the SafetyProvider waits for new input.

image022.png

Action State

Within these non-interruptible action states events like new requests are deferred until the next activity state is reached, see [1].

The transitions are fired in case of an event. “Event” in this context means either a method call in the case of Client/Server communication or the detection of a changed RequestSPDU by the OPC UA mapper in the case of PubSub communication.

In case of several possible transitions, so-called guard conditions (refer to […] in UML diagrams) define which transition to fire.

The diagram consists of activity and action states. Activity states are surrounded by bold lines, action states are surrounded by thin lines. While activity states may be interruptible by new events, action states are not. External events occurring while the state machine is in an action state, are deferred until the next activity state is reached.

NOTE The details on how to implement activity states and action states are vendor-specific. Typically, in a real-time system the task performing the SafetyProvider or SafetyConsumer state machine is executed cyclically (see 6.3.5). Whenever the task is woken up by the scheduler of the operating system while it is in an action state, it executes action states until its time slice is used up, or an activity state is reached. Whenever a task being in an activity state is woken up, it checks for input. If no new input is available, it immediately returns to the sleep state without changing state.

If input is available, it starts executing action states until its time-slice is up or until the next activity state is reached.

Table 30 – SafetyProvider instance internal items

INTERNAL ITEMS

TYPE

DEFINITION

RequestSPDU_i

Variable

Local Memory for RequestSPDU (required to react on changes).

SPDU_ID_1_i

UInt32

Local variable to store SPDU_ID_1

SPDU_ID_2_i

UInt32

Local variable to store SPDU_ID_2

SPDU_ID_3_i

UInt32

Local variable to store SPDU_ID_3

BaseID_i

GUID

Local variable containing the BaseID (taken either from the SPI or SAPI).

ProviderID_i

UInt32

Local variable containing the ProviderID (taken either from the SPI or SAPI).

<Get RequestSPDU>

Macro

Instruction to take the whole RequestSPDU from the OPC UA Mapper.

<Set ResponseSPDU>

Macro

Instruction to transfer the whole ResponseSPDU to the OPC UA Mapper

<Calc SPDU_ID_i>

Macro

const uint32 SafetyProviderLevel_ID := … // see 7.2.3.3

If(SAPI.SafetyBaseID == 0) thenBaseID_i := SPI.SafetyBaseIDConfiguredElse BaseID_i := SAPI.SafetyBaseID

Endif If(SAPI.SafetyProviderID == 0) thenProviderID_i := SPI.SafetyProviderIDConfiguredElse ProviderID_i := SAPI.SafetyProviderID

Endif

SPDU_ID_1_i := BaseID_i (bytes 0…3) XOR SafetyProviderLevel_ID

SPDU_ID_2_i := BaseID_i (bytes 4…7) XOR SPI.SafetyStructureSignature

SPDU_ID_3_i := BaseID_i (bytes 8…11) XOR BaseID_i (bytes 12…15) XOR ProviderID_i

// see 7.2.3.2 for clarification

<build ResponseSPDU>

Macro

Take the MNR and the SafetyConsumerID of the received RequestSPDU. Add the SPDU_ID_1_i, SPDU_ID_2_i, SPDU_ID_3_i, Flags, the SafetyData and the NonSafetyData, as well as the calculated CRC.

See 7.2.3.1

Table 31 – States of SafetyProvider instance

STATE NAME

STATE DESCRIPTION

Initialization

// Initial state

SAPI.SafetyData := 0

SAPI.NonSafetyData := 0SAPI.MonitoringNumber := 0SAPI.SafetyConsumerID := 0

SAPI.OperatorAckRequested := 0

RequestSPDU_i := 0

S1_WaitForRequest

// waiting on next RequestSPDU from SafetyConsumer

<Get RequestSPDU>

S2_PrepareSPDU

ResponseSPDU.Flags.ActivateFSV := SAPI.ActivateFSVResponseSPDU.Flags.OperatorAckProvider := SAPI.OperatorAckProvider ResponseSPDU.Flags.TestModeActivated := SAPI.EnableTestMode

<Calc SPDU_ID_i>

<build ResponseSPDU> // see 7.2.3.1

Table 32 – SafetyProvider transitions

TRAN-SITION

SOURCE STATE

TARGET STATE

GUARD CONDITION

ACTIVITY

T1

Init

S1

T2

S1

S2

// RequestSPDU received1

-

// Process Request

RequestSPDU_i := RequestSPDU

SAPI.MonitoringNumber := RequestSPDU.MonitoringNumber

SAPI.SafetyConsumerID := RequestSPDU.SafetyConsumerID

SAPI.OperatorAckRequested := RequestSPDU.Flags.OperatorAckRequested

T3

S2

S1

// SPDU is prepared

-

<Set ResponseSPDU>

1 See the preceding explanation in this Subclause 7.2.2.3 of what constitutes events which may trigger this transition.

NOTE The SafetyProvider does not check for correct configuration. It will reply to requests even if it is incorrectly configured (e.g., its SafetyProviderID is zero). However, SafetyConsumers will never try to communicate with SafetyProviders having incorrect parameters, see Transitions T13/T27 in Table 35 and the macro <ParametersOK?> in Table 33.

[RQ7.14] Figure 16 shows a simplified representation of the state diagram of the SafetyConsumer. The exact behavior is described in Table 33, Table 34, and Table 35. The SafetyConsumer shall implement this behavior. It is not required to literally follow the entries given in the tables, if the externally observable behavior does not change.

NOTE In order to avoid unnecessary spurious trips requiring operator acknowledgment, the SafetyConsumers should only be started after an OPC UA connection to a running SafetyProvider has been established, or setting the input SAPI.Enable should be delayed until the SafetyProvider is running.

image023.png

Figure 16 – Principle state diagram for SafetyConsumer

Table 33 – SafetyConsumer internal items

INTERNAL ITEMS

TYPE

DEFINITION

Constants

MNR_min := 0x100

UInt32

// 0x100 is the start value for MNR, also used after wrap-around

// The values 0…0xFF are reserved for future use

Variables

FaultReqOA_i

Boolean

Local memory for errors which request operator acknowledgment

OperatorAckConsumerAllowed_i

Boolean

Auxiliary flag indicating that operator acknowledgment is allowed. It is true if the input SAPI.OperatorAckConsumer has been ‘false’ since FaultReqOA_i was set

MNR_i

UInt32

Local Monitoring Number (MNR)

prevMNR_i

UInt32

Local memory for previous MNR

ConsumerID_i

UInt32

Local memory for SafetyConsumerID in use

CRCCheck_i

Boolean

Local variable used to store the result of the CRC-check

SPDUCheck_i

Boolean

Local variable used to store the result of the additional SPDU-checks

SPDU_ID_1_i

UInt32

Local variable to store the expected SPDU_ID_1

SPDU_ID_2_i

UInt32

Local variable to store the expected SPDU_ID_2

SPDU_ID_3_i

UInt32

Local variable to store the expected SPDU_ID_3

SPI_SafetyConsumerID_i

UInt32

Local variable to store the parameter SafetyConsumerID

SPI_SafetyProviderID_i

UInt32

Local variable to store the parameter SafetyProviderID

SPI_SafetyBaseID_i

UInt128

Local variable to store the parameter SafetyBaseID

SPI_SafetyStructureSignature_i

UInt32

Local variable to store the parameter SafetyStructureSignature

SPI_SafetyOperatorAckNecessary_i

Boolean

Local variable to store the parameter SafetyOperatorAckNecessary

SPI_SafetyErrorIntervalLimit_i

UInt16

Local variable to store the parameter SafetyErrorIntervalLimit

MNR_re_sync_i

Boolean

Local variable used to support re-synchronization of

MNR after detected error

Timers

ConsumerTimer

Timer

This timer is used to check whether the next valid ResponseSPDU has arrived on time. It is initialized using the parameter SPI.SafetyConsumerTimeout

NOTE As opposed to other parameters, a modification of the parameter value SafetyConsumerTimeout takes effect immediately, i.e., not only when state S11 is visited.

ErrorIntervalTimer

Timer

This timer is used to check the elapsed time between errors. If the elapsed time between two consecutive errors is smaller than the value SafetyErrorIntervalLimit, FSV will be activated. Otherwise, the ResponseSPDU is discarded and the SafetyConsumer waits for the next ResponseSPDU.

This timer is initialized using the local variable SPI_SafetyErrorIntervalLimit_i.

See Table 26, 6.3.4.3, and 9.4 for more information.

NOTE Tthe local variable SPI_SafetyErrorIntervalLimit_i should not be confused with the parameter SPI.SafetyErrorIntervalLimit. The local variable is copied from the parameter in state S11 (restart). Hence, if the parameter value changes during runtime, the new value will only be used after the connection has been restarted.

Macros <...><...>

<risingEdge x>

Macro

// detection of a rising edge:

If x==true && tmp==false Then result := trueElse result := falseEndif

tmp := x

<Get ResponseSPDU>

Macro

Instruction to take the whole ResponseSPDU from the OPC UA Mapper.

<Use FSV>

Macro

SAPI.SafetyData is set to binary 0

If [<ConsumerTimer expired || SAPI.Enable==0 ?>]Then SAPI.NonSafetyData is set to binary 0

Else SAPI.NonSafetyData is set to ResponseSPDU.NonSafetyData

Endif

SAPI.FSV_Activated := 1

RequestSPDU.Flags.FSV_Activated := 1

NOTE If a safety application prefers fail-safe values other than binary 0, this can be implemented in the safety application by querying SAPI.FSV_Activated.

NOTE The non-safety data is always updated if data is available. In case of a timeout, no data is available, which is indicated using binary zero. If an application needs to distinguish between “no data available” and “binary zero received”, it can add a Boolean variable to the NonSafetyData. This value is set to ‘one’ during normal operation, and to ‘zero’ for indicating that no data is available.

<Use PV>

Macro

SAPI.SafetyData is set to ResponseSPDU. SafetyData

SAPI.NonSafetyData is set to ResponseSPDU.NonSafetyData

SAPI.FSV_Activated := 0

RequestSPDU.Flags.FSV_Activated := 0

RequestSPDU.Flags.CommunicationError := 0

<Set RequestSPDU>

Macro

Instruction to transfer the whole RequestSPDU to the OPC UA Mapper

<(Re)Start ConsumerTimer>

Macro

Restarts the consumer timer.

<(Re)Start ErrorIntervalTimer>

Macro

Restarts the error interval timer.

<ConsumerTimer expired?>

Macro

Yields “true” if the timer is running longer than SPI.SafetyConsumerTimeout since last restart, “false” otherwise.

<ErrorIntervalTimer expired?>

Macro

Yields “true” if the timer is running longer than SPI.SafetyErrorIntervalLimit since last restart, “false” otherwise.

<Assign ConsumerID>

Macro

If SAPI.SafetyConsumerID != 0

Then

ConsumerID_i := SAPI.SafetyConsumerID

Else

ConsumerID_i := SPI_SafetyConsumerID_i

EndifRequestSPDU.SafetyConsumerID := ConsumerID_i

<Calc SPDU_ID_i>

Macro

uint128 BaseID

uint32 ProviderID

const uint32 SafetyProviderLevel_ID := … // see 7.2.3.3

If(SAPI.SafetyBaseID == 0)

Then BaseID := SPI_SafetyBaseID_iElse BaseID := SAPI.SafetyBaseID

Endif If(SAPI.SafetyProviderID == 0)

Then ProviderID := SPI_SafetyProviderID_iElse ProviderID := SAPI.SafetyProviderID

Endif

SPDU_ID_1_i := BaseID (bytes 0…3) XOR SafetyProviderLevel_ID

SPDU_ID_2_i := BaseID (bytes 4…7) XOR SPI_SafetyStructureSignature_i

SPDU_ID_3_i := BaseID (bytes 8…11) XOR BaseID (bytes 12…15) XOR ProviderID

// see 7.2.3.2 for clarification

<ParametersOK?>

Macro

Boolean result := trueIf(SAPI.SafetyBaseID == 0 && SPI_SafetyBaseID_i==0)Thenresult := falseElseEndif

If(SAPI.SafetyProviderID == 0 && SPI_SafetyProviderID_i==0)Thenresult := falseElseEndif

If(SAPI.SafetyConsumerID == 0 && SPI_SafetyConsumerID_i==0)Thenresult := falseElseEndif

If(SPI_SafetyStructureSignature_i==0)Thenresult := falseElseEndif

yield result

<Set Diag(ID,

Boolean isPermanent)>

Macro

// ID is the identifier for the type of diagnostic output, see Table 28// Parameter "isPermanent" is used to indicate a permanent error// Only one diagnostic message is created for multiple permanent // errors in sequence

If(RequestSPDU.Flags.CommunicationError == 0) Then <do vendor-specific function for diagnostic output using ID>Else //do nothingEndif

RequestSPDU.Flags.CommunicationError := isPermanent

// NOTE See Table 28 for possible values for “ID” and their codes.

<ResponseSPDUready for checks>

Macro

Boolean result := false

If MNR_re_sync_i == false

Then If ResponseSPDU.MNR <> prevMNR_i

Then result := true

Else //do nothingEndif

Else

If ResponseSPDU.MNR == MNR_i

Then result := true

Else //do nothingEndif

Endif

yield result

<Handle WDTimeout>

Macro

<Set Diag(CommErrTO,isPermanent:=true)><Use FSV>

If SPI_SafetyOperatorAckNecessary_i == 1Then FaultReqOA_i := 1SAPI.OperatorAckRequested := 0RequestSPDU.Flags.OperatorAckRequested := 0Else // do nothingEndif

External Event

Restart Cycle

Event

The external call of SafetyConsumer can be interpreted as event “Restart Cycle”

NOTE A macro is a shorthand representation for operations described in the according definition.

Table 34 – SafetyConsumer states

STATE NAME

STATE DESCRIPTION

Initialization

// Initial state of the SafetyConsumer instance.

<Use FSV> SAPI.OperatorAckRequested := 0RequestSPDU.Flags.OperatorAckRequested := 0SAPI.OperatorAckProvider := 0FaultReqOA_i := 0OperatorAckConsumerAllowed_i := 0SAPI.TestModeActivated := 0RequestSPDU.Flags.CommunicationError := 0

MNR_re_sync_i:= false

S11_Wait for (Re)Start

// Safety Layer is waiting (Re)Start

// Changes to these parameters are only considered in this state

// Exception: a change of SafetyConsumerTimeout is possible during operation

// Read parameters from the SPI and store them in local variables:

SPI_SafetyConsumerID_i := SPI.SafetyConsumerID

SPI_SafetyProviderID_i := SPI.SafetyProviderIDConfigured

SPI_SafetyBaseID_i := SPI.SafetyBaseIDConfigured

SPI_SafetyStructureSignature_i := SPI.SafetyStructureSignature

SPI_SafetyOperatorAckNecessary_i := SPI.SafetyOperatorAckNecessary

SPI_SafetyErrorIntervalLimit_i := SPI_SafetyErrorIntervalLimit

S12_initialize MNR

// Use previous MNR if known// or random MNR within the allowed range (e.g., after cold start), see 9.2.

MNR_i := (previous MNR_i if known) or (random MNR)

MNR_i := max(MNR_i, MNR_min)1

S13_PrepareRequest

// Build RequestSPDU and send (done in T16)

S14_WaitForChangedSPDU

// Safety Layer is waiting for next ResponseSPDU from SafetyProvider.

// A new ResponseSPDU is characterized by a change in the MNR.

S15_CRCCheckSPDU

// Check CRC

uint32 CRC_calcCRCCheck_i := (CRC_calc == ResponseSPDU.CRC)

// see 7.2.3.5 on how to calculate CRC_calc

S16_CheckResponseSPDU

// Check SafetyConsumerID and SPDU_ID and MNR (see T22, T23, T24)

SPDUCheck_i := ResponseSPDU.SPDU_ID_1 == SPDU_ID_1_i && ResponseSPDU.SPDU_ID_2 == SPDU_ID_2_i && ResponseSPDU.SPDU_ID_3 == SPDU_ID_3_i && ResponseSPDU.SafetyConsumerID == ConsumerID_i && ResponseSPDU.MNR == MNR_i

S17_Error

SAPI.TestModeActivated := 0

S18_ProvideSafetyData

// Provide SafetyData to the application program

S19_SecondWDT_Check

// Second check of WDTimeout

// Prevents restarting of ConsumerTimer if it expired since initial check

1 This ensures that the MNR is greater or equal to MNR_min, in cases the random number generator yielded a smaller value.

NOTE The consumer parameters are accessed only in state S11. In this state, a copy is made, and in all other states and transitions, the copied values are used. This ensures that a change of one of these parameters takes effect only when a new safety connection is established. The only exception from this rule is the parameter SafetyConsumerTimeout. A change of this parameter may become effective immediately. If this is not the desired behavior, i.e., if parameters should be changeable during runtime, this can be accomplished by establishing a second safety connection according to this document with the new parameters, and then switch between these two safety connections at runtime.

Table 35 – SafetyConsumer transitions

TRAN-SITION

SOURCE STATE

TARGET STATE

GUARD CONDITION

ACTIVITY

T12

Init

S11

-

T13

S11

S12

//Start

[SAPI.Enable==1 && <ParametersOK?>]

<(Re)Start ErrorIntervalTimer><calc SPDU_ID_i> // see 7.2.3.2 for clarification

T14

S12

S13

// MNR initialized

<(Re)Start ConsumerTimer>

<Assign ConsumerID>

T15

S18

S11

// Termination

[SAPI.Enable==0]

<Use FSV>

RequestSPDU.Flags.CommunicationError := 0

// necessary to make sure that no diagnostic

// message is lost, see macro <Set Diag ...>

// NOTE Depending on its implementation, it might

// be necessary to stop the ConsumerTimer here.

T16

S13

S14

// Build Request SPDU // and send it

prevMNR_i := MNR_i

If MNR_i == 0xFFFFFFFFFThen MNR_i := MNR_minElse

MNR_i := MNR_i + 1Endif

RequestSPDU.MonitoringNumber := MNR_i

<Set RequestSPDU>

T17

S14

S15

// Changed ResponseSPDU// is received1

<Get ResponseSPDU>2

<ResponseSPDU ready for checks>

// A changed ResponseSPDU is characterized by a change in the MNR.

T18

S14

S17

// WDTimeout

[<ConsumerTimer expired?>]

<Handle WDTimeout>

T19

S15

S13

// When CRC err and SafetyErrorIntervalTimer expired[(crcCheck_i == 0) && <ErrorIntervalTimer expired?>]

MNR_re_sync_i := true

<(Re)Start ErrorIntervalTimer><Set Diag(CRCerrIgn, isPermanent:=false)>

T20

S15

S17

// When CRC err and SafetyErrorIntervalTimer not expired

[(crcCheck_i == 0) && not <ErrorIntervalTimer expired?>]

<(Re)Start ErrorIntervalTimer><Set Diag(CRCerrOA, isPermanent:=true)><Use FSV>

FaultReqOA_i := 1SAPI.OperatorAckRequested := 0RequestSPDU.Flags.OperatorAckRequested := 0

T21

S15

S16

// When CRCCheckOK

[crcCheck_i == 1]

-

T22

S16

S18

// SPDU OK

[SPDUCheck_i==true]

// For clarification, refer to Figure 17;

MNR_re_sync_i := false

// indicate OA from provider

SAPI.OperatorAckProvider := ResponseSPDU.Flags.OperatorAckProvider

// OA requested due to rising edge at ActivateFSV?

If (<risingEdge ResponseSPDU.Flags.ActivateFSV>&& SPI_SafetyOperatorAckNecessary_i == true)Then FaultReqOA_i := 1;<Set Diag(FSV_Requested,isPermanent:=true)> Else // do nothing

Endif

// Set Flags if OA requested:

If FaultReqOA_i==1 Then SAPI.OperatorAckRequested := 1, RequestSPDU.Flags.OperatorAckRequested := 1, OperatorAckConsumerAllowed_i := 0,FaultReqOA_i := 0Else //do nothingEndif

// Wait until OperatorAckConsumer is not active

If SAPI.OperatorAckConsumer==0

Then

OperatorAckConsumerAllowed_i := 1

Else

//do nothing

Endif

// Reset flags after OA:

If SAPI.OperatorAckConsumer ==1 && OperatorAckConsumerAllowed_i == 1

Then

SAPI.OperatorAckRequested := 0, RequestSPDU.Flags.OperatorAckRequested := 0Else

// do nothing

Endif

If SAPI.OperatorAckRequested==1 || ResponseSPDU.Flags.ActivateFSV==1Then <Use FSV> Else <Use PV>Endif

// Notify safety application that SafetyProvider is in test mode:

SAPI.TestModeActivated := ResponseSPDU.Flags.TestModeActivated

T23

S16

S13

// SPDU NOK and SafetyErrorIntervalTimer expired[SPDUCheck_i == false && <ErrorIntervalTimer expired?>]

<(Re)Start ErrorIntervalTimer>,

MNR_re_sync_i := true

// Send diagnostic message according the// detected error:

If ResponseSPDU.SafetyConsumerID <> ConsumerID_iThen <Set Diag(CoIDerrIgn, isPermanent:=false)>ElseIf ResponseSPDU.MNR<>MNR_iThen <Set Diag(MNRerrIgn,isPermanent:=false)> Else //do nothing EndIf If ResponseSPDU.SPDU_ID_1<> SPDU_ID_1_i || ResponseSPDU.SPDU_ID_2<> SPDU_ID_2_i || ResponseSPDU.SPDU_ID_3<> SPDU_ID_3_iThen <Set Diag(SD_IDerrIgn,

isPermanent:=false)>3 Else // do nothing Endif Endif

T24

S16

S17

// SPDU NOK and SafetyErrorIntervalTimer not expired

[SPDUCheck_i == 0 && not <ErrorIntervalTimer expired?>]

<(Re)Start ErrorIntervalTimer>// Send diagnostic message according the // detected error:

If ResponseSPDU.SafetyConsumerID<> ConsumerID_iThen <Set Diag(CoIDerrOA, isPermanent:=true)>Else If ResponseSPDU.MNR<>MNR_iThen <Set Diag(MNRerrOA,isPermanent:=true)> Else //do nothing Endif If ResponseSPDU.SPDU_ID_1<> SPDU_ID_1_i || ResponseSPDU.SPDU_ID_2<> SPDU_ID_2_i || ResponseSPDU.SPDU_ID_3<> SPDU_ID_3_iThen <Set Diag(SD_IDerrOA,isPermanent:=true)> Else //do nothing Endif Endif

FaultReqOA_i := 1

SAPI.OperatorAckRequested := 0RequestSPDU.Flags.OperatorAckRequested := 0<Use FSV>

T25

S17

S18

// SPDU NOK

-

MNR_re_sync_i := true

T26

S18

S19

// Restart Cycle

[SAPI.Enable==1]

-

T27

S11

S11

// Invalid parameters

[SAPI.Enable==1 && not <ParametersOK?>]

<Set Diag(ParametersInvalid, isPermanent:=true)>

T28

S19

S13

// No WDTimeout

<(Re)Start ConsumerTimer>

T29

S19

S17

// WDTimeout

[<ConsumerTimer expired?>]

<Handle WDTimeout>

1 Another event like “Method completion successful” can be used as guard condition of “Changed ResponseSPDU received” as well.

2 SPDUs with all values (incl. CRC signature) being zero shall be ignored, see requirement RQ5.6.

3 See Table 28.

Figure 17 shows the sequence after the detection of an error requiring operator acknowledge until communication returns to delivering process values again.

image024.png

Figure 17 – Sequence diagram for OA

After the error is gone the sequence follows the logic of T22 in Table 35.

[RQ7.15] The ResponseSPDU shall be built by the SafetyProvider by copying RequestSPDU.MonitoringNumber and RequestSPDU.SafetyConsumerID into the ResponseSPDU. After this, SPDU_ID, Flags, the SafetyData and the NonSafetyData shall be updated. Finally, ResponseSPDU.CRC shall be calculated and appended.

image025.png

Figure 18 – Overview of task for SafetyProvider

For the ResponseSPDU.Flags, see 7.2.1.6. For the calculation of the SPDU_ID, see 7.2.3.2. For the calculation of CRC, see 7.2.3.5.

[RQ7.16] SPDU_ID_1, SPDU_ID_2 and SPDU_ID_3 shall be calculated according to Figure 19 and Table 36.

image026.png

Figure 19 – Calculation of the SPDU_ID

Table 36 – Presentation of the SPDU_ID

SPDU_ID_1 := SafetyBaseID (bytes 0…3) XOR SafetyProviderLevel_ID (bytes 0…3)

SPDU_ID_2 := SafetyBaseID (bytes 4…7) XOR SafetyStructureSignature (bytes 0…3)

SPDU_ID_3 := SafetyBaseID (bytes 8…11) XOR SafetyBaseID (bytes 12…15) XOR SafetyProviderID (bytes 0…3)

In case of a mismatch between expected SPDU_ID and actual SPDU_ID, the following rules can be used for diagnostic purposes:

  • If all of SPDU_ID1, SPDU_ID2, and SPDU_ID3 differ, there probably is a mismatching SafetyBaseID.
  • If SPDU_ID3 differs, but SPDU_ID1 and SPDU_ID2 do not, there is a mismatching SafetyProviderID.
  • If SPDU_ID2 differs, but SPDU_ID1 and SPDU_ID3 do not, the structure or identifier of the safety data do not match.
  • If SPDU_ID1 differs, but SPDU_ID2 and SPDU_ID3 do not, the SafetyProviderLevel does not match.

By these rules, there is a very low probability (<10-9) that a mismatching SafetyBaseID will be misinterpreted. From a practical view, this probability can be ignored.

The SafetyProviderLevel is the SIL the SafetyProvider implementation (hardware & software) is capable of.

Table 37 – Coding for the SafetyProviderLevel_ID

SafetyProviderLevel

Value of SafetyProviderLevel_ID

SIL1SIL2SIL3SIL4

0x119128810x647C46540xDEAA9DEE0xAB47F33B

[RQ7.17] Exactly one of the values provided in Table 37 shall be used as constant code value for SafetyProviderLevel_ID. They were chosen in such a way that the hamming distance becomes maximal (hamming distance of 21).

[RQ7.18] Measures shall be taken to avoid that a SafetyProvider is erroneously using a code-value belonging to a SIL that is higher than the SIL it is capable of. For instance, a SafetyProvider capable of SIL1-3 should not be able to accidently use the value 0xAB47F33B used for SIL4. One way to achieve this is to avoid that this constant appears in the source code of the SafetyProvider at all.

The SafetyProviderLevel is independent to the SIL capability of the provided SafetyData, see 3.1.

SafetyStructureSignature is used to check the number, data types, and order of application data transmitted in SafetyData. If the SafetyConsumer is expecting anything different than what the SafetyProvider actually provides, SafetyStructureSignature will differ, allowing the SafetyConsumer to enable fail-safe substitute values.

In addition, the identifier of the structure type (SafetyStructureIdentifier) is also taken into account when calculating SafetyStructureSignature. This ensures that the SafetyProvider and the SafetyConsumer are using the same identifier for the structure type, effectively avoiding any confusion.

For instance, if a SafetyProvider defines a structure with identifier “vec3D_m” comprising three floats containing a three-dimensional vector in the metric system, this structure could not be used by a SafetyConsumer expecting a structure of type “vec3D_in” where the vector components are given in inch, or even at a SafetyConsumer expecting a structure of type “orientation”, containing three floats to define an orientation using Euler angles.

[RQ7.19] SafetyStructureSignature shall be calculated as CRC32-signature (polynomial: 0x F4ACFB13, see Clause B.1) over SafetyStructureIdentifier (encoding: UTF-8), SafetyStructureSignatureVersion and the sequence of the DataType IDs. After each datatype ID, a 16-bit zero-value (0x0000) shall be inserted. All integers shall be encoded using little endian byte ordering. Data shall be processed in reverse order, see Clause B.1. The value “0” shall not be used as signature. Instead, the value “1” shall be used in this case.

The terminating zero of SafetyStructureIdentifier shall not be considered when calculating the CRC.

[RQ7.20] SafetyStructureIdentifier may be visible in the OPC UA information model for diagnostic purposes but shall not be evaluated by the SafetyConsumer during runtime.

[RQ7.21] For all releases up to Release 2.0 of the specification, the value for SafetyStructureSignatureVersion shall be 0x0001.

Example:

SafetyStructureIdentifier,e.g. “Motörhead” = 0x4d 0x6f 0x74 0xc3 0xb6 0x72 0x68 0x65 0x61 0x64

SafetyStructureSignatureVersion := 0x0001

1. DataType Int16: (Id = 0x0004), // see 6.2.5

2. DataType Boolean: (Id = 0x0001),

3. DataType Float32: (Id =0x000A)

SafetyStructureSignature =

= CRC32_Backward(0x4d, 0x6f, 0x74, 0xc3, 0xb6, 0x72, 0x68, 0x65, 0x61, 0x64,

0x01,0x00,

0x04,0x00, 0x00,0x00,

0x01,0x00, 0x00,0x00,

0x0A, 0x00, 0x00, 0x00) =

= CRC32_Forward(

0x00, 0x00, 0x00, 0x0A,0x00, 0x00, 0x00, 0x01,

0x00, 0x00, 0x00, 0x04,

0x00,0x01,0x64,0x61,0x65,0x68,0x72,0xb6,0xc3,0x74,0x6f,0x4d)

= 0xe2e86173

NOTE 1 The insertion of 0x0000 values after the DataType ID, allows for introducing arrays in later version of this document.

NOTE 2 SafetyStructureSignatureVersion is the version of the procedure used to calculate the signature, as defined in requirement RQ7.19. If future releases of this document define an alternative procedure, they will indicate this by using a different version number.

OPC 10000-3, 5.8.2 defines different categories of DataTypes. Regarding the DataType ID which is to be used within the StructureSignature, the following holds:

  • For Built-in DataTypes, the ID from Table 1 of OPC 10000-6 is used as DataType ID.
  • For Simple DataTypes, the ID of the Built-in DataType from which they are derived is used.
  • As of now, Structured DataTypes (including OptionSets) shall not be used within Safety Data. Arrays are not supported. Instead, multiple variables of the same type are used.
  • Enumeration DataTypes are encoded on the wire as Int32 and therefore shall use the ID of the Int32 Built-in DataType.

The SafetyProvider calculates the CRC signature (ResponseSPDU.CRC) and sends it to the SafetyConsumer as part of SPDU. This enables the SafetyConsumer to check the correctness of the SPDU including the SafetyData, Flags, MNR, SafetyConsumerID and SPDU_ID by recalculating the CRC signature (CRC_calc).

[RQ7.22] The generator polynomial 0x F4ACFB13 shall be used for the 32-Bit CRC signature.

[RQ7.23] If SafetyData is longer than one byte (e.g., if it is of data type UInt16, Int16 or Float32), it shall be decoded and encoded using little endian order in which the least significant byte appears first in the incremental memory address stream.

[RQ7.24] The calculation sequence shall begin with the highest memory address (n) of the STrailer counting back to the lowest memory address (0) and then include also the SafetyData beginning with the highest memory address.

Figure 20 shows the calculation sequence of a CRC_SPDU on a little-endian machine, using an example SafetyData with the following fields:

Int32 var1

UInt32var2

UInt16var3

Int16 var4

Booleanvar5

For the example given above, the STrailer (without CRC) and SafetyData have a combined length of 34 bytes (16 bytes STrailer without CRC, 12 bytes of SafetyData). The calculation of ResponseSPDU.CRC (SafetyProvider) or CRC_calc (SafetyConsumer) is done in reverse order, from bottom to top. In the example shown in Figure 20, CRC calculation starts at byte index 33 (most significant byte of the MNR) and ends at byte index 0.

NOTE The reverse order ensures that the effectiveness of the CRC mechanism remains independent of any CRCs used within the underlying OPC UA channel, even if it would coincidentally use the same CRC polynomial.

image027.png

Figure 20 – Calculation of the CRC (on little-endian machines, CRC32_Backward)

An alternative way to calculate the CRC (particularly useful on big-endian machines) is shown in Figure 21. Here, the individual elements of the ResponseSPDU are already arranged in memory in reversed order, and CRC calculation is executed from byte 0 to byte 33.

image028.png

Figure 21 – Calculation of the CRC (on big-endian machines, CRC32_Forward)

[RQ7.25] On the SafetyConsumer, CRC_calc shall be calculated using data received in the ResponseSPDU, and not from expected values.