5 Model

5.1 General

The Alarm and Condition model extends the OPC UA base Event model by defining various Event Types based on the BaseEventType. All of the Event Types defined in this document can be further extended from domain to Server specific Alarm and Condition Types.

Instances of Alarm and Condition Types may be optionally exposed in the AddressSpace in order to allow direct access to the state of an Alarm or Condition. Instances not exposed in the AddressSpace still have a ConditionId (NodeId). This NodeId can be the target of references in the AddressSpace even though the target node does not exist in the AddressSpace. For example, an AlarmGroup might reference a number of Conditions that do not exist in the AddressSpace.

The following sub clauses define the OPC UA Alarm and Condition Types. Figure 8 informally describes the hierarchy of these Types. Subtypes of the LimitAlarmType and the DiscreteAlarmType are not shown.

5.2 Two-state state machines

Most states defined in this document are simple – i.e. they are either True or False. The TwoStateVariableType is introduced specifically for this use case. More complex states are modelled by using a StateMachineType defined in 10000-16.

The TwoStateVariableType is derived from the StateVariableType defined in 10000-16. and formally defined in Table 1.

The Value Attribute of an instance of TwoStateVariableType contains the current state as a human readable name. The EnabledState for example, might contain the name “Enabled” when True and “Disabled” when False.

Id is inherited from the StateVariableType and overridden to reflect the required DataType (Boolean). The value shall be the current state, i.e. either True or False.

TransitionTime specifies the time when the current state was entered.

EffectiveTransitionTime specifies the time when the current state or one of its sub states was entered. If, for example, a LevelAlarm is active and – while active – switches several times between High and HighHigh, then the TransitionTime stays at the point in time where the Alarm became active whereas the EffectiveTransitionTime changes with each shift of a sub state.

The optional Property EffectiveDisplayName from the StateVariableType is used if a state has sub states. It contains a human readable name for the current state after taking the state of any SubStateMachines in account. As an example, the EffectiveDisplayName of the EnabledState could contain “Active/HighHigh” to specify that the Condition is active and has exceeded the HighHigh limit.

Other optional Properties of the StateVariableType have no defined meaning for TwoStateVariableType.

TrueState and FalseState contain the localized string for the TwoStateVariableType value when its Id Property has the value True or False, respectively. Since the two Properties provide meta-data for the Type, Servers shall not allow these Properties to be selected in the Event filter for a MonitoredItem. The TrueState Property and FalseState Property shall only exist on InstanceDeclarations. See Figure 9 for an illustration. Clients can use the Read Service to get the values of the TrueState and FalseState Property.

A HasTrueSubState Reference is used to indicate that the True state has sub states.

A HasFalseSubState Reference is used to indicate that the False state has sub states.

5.3 ConditionVariable

Various information elements of a Condition are not considered to be states. However, a change in their value is considered important and supposed to trigger an Event Notification. These information elements are called ConditionVariable.

ConditionVariables are represented by a ConditionVariableType, formally defined in Table 2.

SourceTimestamp indicates the time of the last change of the Value of this ConditionVariable. It shall be the same time that would be returned from the Read Service inside the DataValue structure for the ConditionVariable Value Attribute.

5.4 ReferenceTypes

5.4.1 General

This Clause defines ReferenceTypes that are needed beyond those already specified as part of 10000-3 and 10000-5. This includes extending TwoStateVariableType state machines with sub states and the addition of Alarm grouping. TwoStateVariableTypes can be extended with subordinate state machines in a similar fashion to the StateMachineType defined in 10000-16.

The TwoStateVariableType References will only exist when sub states are available. For example, if a TwoStateVariableType machine is in a False State, then any sub states referenced from the True state will not be available and will be reported as a NULL.

5.4.2 HasTrueSubState ReferenceType

The HasTrueSubState ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the NonHierarchicalReferences ReferenceType.

The semantics indicate that the sub state (the target Node) is a subordinate state of the True super state. If more than one state within a Condition is a sub state of the same super state (i.e. several HasTrueSubState References exist for the same super state) they are all treated as independent sub states. The representation in the AddressSpace is specified in Table 3.

The SourceNode of the Reference shall be an instance of a TwoStateVariableType and the TargetNode shall be either an instance of a TwoStateVariableType or an instance of a subtype of a StateMachineType.

It is not required to provide the HasTrueSubState Reference from super state to sub state, but it is required that the sub state provides the inverse Reference (IsTrueSubStateOf) to its super state.

5.4.3 HasFalseSubState ReferenceType

The HasFalseSubState ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the NonHierarchicalReferences ReferenceType.

The semantics indicate that the sub state (the target Node) is a subordinate state of the False super state. If more than one state within a Condition is a sub state of the same super state (i.e. several HasFalseSubState References exist for the same super state) they are all treated as independent sub states. The representation in the AddressSpace is specified in Table 4.

The SourceNode of the Reference shall be an instance of a TwoStateVariableType and the TargetNode shall be either an instance of a TwoStateVariableType or an instance of a subtype of a StateMachineType.

It is not required to provide the HasFalseSubState Reference from super state to sub state, but it is required that the sub state provides the inverse Reference (IsFalseSubStateOf) to its super state.

5.4.4 HasAlarmSuppressionGroup ReferenceType

The HasAlarmSuppressionGroup ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the HasComponent ReferenceType. The representation in the AddressSpace is specified in Table 5

This ReferenceType binds an AlarmSuppressionGroup to an Alarm.

The SourceNode of the Reference shall be an instance of an AlarmConditionType or sub type. The TargetNode shall be an instance of an AlarmGroupType.

5.4.5 AlarmGroupMember ReferenceType

The AlarmGroupMember ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the Organizes Reference Type.

This ReferenceType is used to indicate the Alarm instances that are part of an Alarm Group. The representation in the AddressSpace is specified in Table 6

The SourceNode of the Reference shall be an instance of an AlarmGroupType or sub type of it. The TargetNode shall be an instance of an AlarmConditionType or a subtype of it.

5.4.6 AlarmSuppressionGroupMember ReferenceType

The AlarmSuppressionGroupMember ReferenceType is a concrete ReferenceType that can be used directly. It is a subtype of the AlarmGroupMember ReferenceType.

This ReferenceType is used to indicate the Alarm instances or Boolean Variables that are part of an Alarm Group. The representation in the AddressSpace is specified in Table 7

The SourceNode of the Reference shall be an instance of an AlarmGroupType or sub type of it. The TargetNode shall be an instance of an AlarmConditionType or a subtype of it, or an instance of BaseDataVariableType that has a DataType of Boolean.

5.5 Condition Model

5.5.1 General

The Condition model extends the Event model by defining the ConditionType. The ConditionType introduces the concept of states differentiating it from the base Event model. Unlike the BaseEventType, Conditions are not transient. The ConditionType is further extended into Dialog and AcknowledgeableConditionType, each of which has their own sub-types.

The Condition model is illustrated in Figure 10 and formally defined in the subsequent tables. It is worth noting that this figure, like all figures in this document, is not intended to be complete. Rather, the figures only illustrate information provided by the formal definitions.

5.5.2 ConditionType

The ConditionType defines all general characteristics of a Condition. All other ConditionTypes derive from it. It is formally defined in Table 8 and Table 9. The False state of the EnabledState shall not be extended with a sub state machine.

The empty “Others” column indicates that no ModellingRule applies.

The ConditionType inherits all Properties of the BaseEventType. Their semantic is defined in 10000-5. SourceNode Property identifies the ConditionSource. See 5.12 for more details. If the ConditionSource is not a Node in the AddressSpace, the NodeId is set to NULL. The SourceNode Property is the Node, which the Condition is associated with, it may be the same as the InputNode for an Alarm, but it may be a separate node. For example, a motor, which is a Variable with a Value that is an RPM, may be the ConditionSource for Conditions that are related to the motor as well as a temperature sensor associated with the motor. In the former the InputNode for the High RPM Alarm is the value of the Motor RPM, while in the later the InputNode of the High Alarm would be the value of the temperature sensor that is associated with the motor.

ConditionClassId, ConditionClassName, ConditionSubClassId and ConditionSubClassName originally defined in ConditionType are now defined in the BaseEventType (from which this type is derived). They are optional in the BaseEventType, but ConditionClassId, and ConditionClassName are Mandatory in ConditionType and thus listed (to update the modelling rule).

ConditionName identifies the Condition instance that the Event originated from. It can be used together with the SourceName in a user display to distinguish between different Condition instances. If a ConditionSource has only one instance of a ConditionType, and the Server has no instance name, the Server shall supply the name element of the BrowseName of the ConditionType.

BranchId is NULL for all Event Notifications that relate to the current state of the Condition instance. If BranchId is not NULL, it identifies a previous state of this Condition instance that still needs attention by an Operator. If the current ConditionBranch is transformed into a previous ConditionBranch then the Server shall assign a non-NULL BranchId. An initial Event for the branch shall be generated with the values of the ConditionBranch and the new BranchId. The ConditionBranch can be updated many times before it is no longer needed. When the ConditionBranch no longer requires Operator input the final Event will have Retain set to False. The retain bit on the current Event is True, as long as any ConditionBranches require Operator input. See 4.2 for more information about the need for creating and maintaining previous ConditionBranches and Clause B.1 for an example using branches. The BranchId DataType is NodeId although the Server is not required to have ConditionBranches in the AddressSpace. The use of a NodeId allows the Server to use simple numeric identifiers, strings or arrays of bytes.

Retain when True describes a Condition (or ConditionBranch) as being in a state that is interesting for a Client wishing to synchronize its state with the Server’s state. The logic to determine how this flag is set is Server specific. Typically, all Active Alarms would have the Retain flag set; however, it is also possible for inactive Alarms to have their Retain flag set to True.

In normal processing when a Client receives an Event with the Retain flag set to False, the Client should consider this as a ConditionBranch that is no longer of interest, in the case of a “current Alarm display” the ConditionBranch would be removed from the display.

SupportsFilteredRetain Property is only provided on the ConditionType. When this Property is set to True on the Type, then the Server provides a Client specific Retain flag value taking into account any Client provided filter. When the property is False on the ConditionType then the Server does not provide a Client specific the value of the Retain flag. For example, if a Client applies a filter to exclude Alarms that are shelved, and the SupportsFilteredRetain is set to True, the Client receives an Alarm (it is not shelved, Retain is true). The Client (or another Client) shelves the Alarm. At this point the Alarm no longer passes the filter, but since the previous event was sent, this event is transmitted with Retain = False. For an example see B.1.4

Figure 11 provides an illustration of the processing a Server shall follow for processing Retain flag when SupportsFilteredRetain flag is set to True.

EnabledState indicates whether the Condition is enabled. EnabledState/Id is True if enabled, False otherwise. EnabledState/TransitionTime defines when the EnabledState last changed. Recommended state names are described in A.1.

A Condition’s EnabledState effects the generation of Event Notifications and as such results in the following specific behaviour:

• When the Condition instance enters the Disabled state, the Retain Property of this Condition shall be set to False by the Server to indicate to the Client that the Condition instance is currently not of interest to Clients. This includes all ConditionBranches if any branches exist.

• When the Condition instance enters the enabled state, the Condition shall be evaluated and all of its Properties updated to reflect the current values. If this evaluation causes the Retain Property to transition to True for any ConditionBranch, then an Event Notification shall be generated for that ConditionBranch.

• The Server may choose to continue to test for a Condition instance while it is Disabled. However, no Event Notifications will be generated while the Condition instance is disabled.

• For any Condition that exists in the AddressSpace the Attributes and the following Variables will continue to have valid values even in the Disabled state; EventId, Event Type, SourceNode, SourceName, Time, and EnabledState. Other Properties may no longer provide current valid values. All Variables that are no longer provided shall return a status of Bad_ConditionDisabled. The Event that reports the Disabled state should report the Properties as NULL or with a status of Bad_ConditionDisabled.

When enabled, changes to the following Variables shall cause a ConditionType Event Notification:

• Quality

• Severity (inherited from BaseEventType)

• Comment

Subtypes of ConditionType may define additional Variables that trigger Event Notifications. In general, changes to Variables of the types TwoStateVariableType, ConditionVariableType, StateMachineType or any of their subtypes trigger Event Notifications and are not explicitly described in subtypes.

In the event of a restart of an AlarmManager, the AlarmManager shall recover the Enabled/Disabled states of all current conditions. If the system can not determine if the Condition is Enabled or Disabled, it shall be Enabled.

Quality reveals the status of process values or other resources that this Condition instance is based upon. If, for example, a process value is “Uncertain”, the associated “LevelAlarm” Condition is also questionable. Values for the Quality can be any of the OPC StatusCodes defined in 10000-8 as well as Good, Uncertain and Bad as defined in 10000-4. These StatusCodes are similar to but slightly more generic than the description of data quality in the various field bus specifications. It is the responsibility of the Server to map internal status information to these codes. A Server that supports no quality information shall return Good. This quality can also reflect the communication status associated with the system that this value or resource is based on and from which this Alarm was received. For communication errors to the underlying system, especially those that result in some unavailable Event fields, the quality shall be Bad_NoCommunication error.

Events are only generated for Conditions that have their Retain field set to True and for the initial transition of the Retain field from True to False.

LastSeverity provides the previous severity of the ConditionBranch. Initially this Variable contains a zero value; it will return a value only after a severity change. The new severity is supplied via the Severity Property, which is inherited from the BaseEventType.

Comment contains the last comment provided for a certain state (ConditionBranch) of a Condition. It may have been provided by an AddComment Method, some other Method or in some other manner. Any change in this field, shall trigger a new event to be generated. The initial value of this Variable is NULL, unless it is provided in some other manner. The Comment field may reference a MaxStringLength Property which would limit the length of the string. This MaxStringLength may be added to the individual Alarm instance, in which case it would apply only to that Alarm instance, but it can also be added to the Comment Variable in the ConditionType, which would limit the size of the Comment string for all Alarm instances. If the Property is provided on both the instance and the type, the instance takes precedence over the type. All Methods that can provide a Comment argument shall restrict Comment to this limit. If a Comment is provided that exceeds this limit, a Bad_InvalidArgument shall be returned from the Method.

ClientUserId is related to the Comment field and contains the identity of the user who inserted the most recent Comment. The logic to obtain the ClientUserId is defined in 10000-5.

The NodeId of the Condition instance is used as ConditionId. It is not explicitly modelled as a component of the ConditionType. However, it can be requested with the following SimpleAttributeOperand (see Table 10) in the SelectClause of the EventFilter: See 10000-4 for a detailed definition of the SelectClause in an Event Subscription.

5.5.3 Condition and branch instances

Conditions are Objects which have a state which changes over time. Each Condition instance has a ConditionId as an identifier which uniquely identifies it within the Server. This Condition (and it representative ConditionId) follows the same rules associated with Nodes (and their representative NodeIds) in the AddressSpace (see 10000-3). Therefore, once a Condition is created in a system that does not expose instances, any time that Condition is active it shall always have the same ConditionId. This allows higher level alarm management systems to operate on Conditions and to perform analysis of them.

A Condition instance may be an Object that appears in the Server Address Space. If this is the case the ConditionId shall be the NodeId for the Object.

The state of a Condition instance at any given time is the set values for the Variables that belong to the Condition instance. If one or more Variable values change the Server generates an Event with a unique EventId.

If a Client calls Refresh the Server will report the current state of a Condition instance by re-sending the last Event (i.e. the same EventId and Time is sent).

A ConditionBranch is a copy of the Condition instance state that can change independently of the current Condition instance state. Each Branch has an identifier called a BranchId which is unique among all active Branches for a Condition instance. Branches are typically not visible in the Address Space and this document does not define a standard way to make them visible.

5.5.4 Disable Method

The Disable Method is used to change a Condition instance to the Disabled state. Normally, the NodeId of the object instance as the ObjectId is passed to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, all Servers shall allow Clients to call the Disable Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the ConditionType Node. Since Condition instances are not required to be defined in the AddressSpace, the MethodId that is passed in the Call Service shall be the NodeId of the Disable Method on the ConditionType.

Signature

	Disable();

Method Result Codes in Table 11 (defined in Call Service)

Table 12 specifies the AddressSpace representation for the Disable Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionEnableEventType for all invocations of the Method.

5.5.5 Enable Method

The Enable Method is used to change a Condition instance to the enabled state. Normally, the NodeId of the object instance as the ObjectId is passed to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, all Servers shall allow Clients to call the Enable Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the ConditionType Node. If the Condition instance is not exposed, then it may be difficult for a Client to determine the ConditionId for a disabled Condition. Since Condition instances are not required to be defined in the AddressSpace, the MethodId that is passed in the Call Service shall be the NodeId of the Enable Method on the ConditionType.

Signature

	Enable();

Method result codes in Table 13 (defined in Call Service)

Table 14 specifies the AddressSpace representation for the Enable Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionEnableEventType for all invocations of the Method.

5.5.6 AddComment Method

The AddComment Method is used to apply a comment to a specific state of a Condition instance. Normally, the NodeId of the Object instance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, all Servers shall also allow Clients to call the AddComment Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the ConditionType Node.

Signature

	AddComment(
		[in] ByteString EventId
		[in] LocalizedText Comment
		);

The parameters are defined in Table 15

Method result codes in Table 16 (defined in Call Service)

Comments

Comments are added to Event occurrences identified via an EventId. EventIds where the related EventType is not a ConditionType (or subtype of it) and thus does not support Comments are rejected.

If the Comment field is NULL (both locale and text are empty) it shall be ignored, and any existing comments will remain unchanged, and an error (Bad_InvalidArgument) shall be returned. To reset the Comment an empty text with a locale shall be provided.

A ConditionEvent with all Condition values, where the Comment Variable contains the added text, will be sent for the \state identified by the EventId. If a comment is added to a previous state (i.e. a state for which the Server has created a branch), the BranchId and all Condition values of this branch will be sent.

Table 17 specifies the AddressSpace representation for the AddComment Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionCommentEventType for all invocations of the Method.

5.5.7 ConditionRefresh Method

ConditionRefresh allows a Client to request a Refresh of all Condition instances that currently are in an interesting state (they have the Retain flag set). This includes previous states of a Condition instance for which the Server maintains Branches. A Client would typically invoke this Method when it initially connects to a Server and following any situations, such as communication disruptions, in which it would require resynchronization with the Server. This Method is only available on the ConditionType. To invoke this Method, the call shall pass the well-known MethodId of the Method on the ConditionType and the ObjectId shall be the well-known NodeId of the ConditionType ObjectType.

Signature

	ConditionRefresh(
		[in] IntegerId SubscriptionId
		);

The parameters are defined in Table 18

Method result codes in Table 19 (defined in Call Service)

Comments

Sub clause 4.5 describes the concept, use cases and information flow in more detail.

The input argument provides a Subscription identifier indicating which Client Subscription shall be refreshed. If the Subscription is accepted the Server will react as follows:

1. The Server issues an event of RefreshStartEventType (defined in 5.11.2) marking the start of Refresh. A copy of the instance of RefreshStartEventType is queued into the Event stream for every Notifier MonitoredItem in the Subscription. Each of the Event copies shall contain the same EventId.

2. The Server issues Event Notifications of any Retained Conditions and Retained Branches of Conditions that meet the Subscriptions content filter criteria. Note that the EventId for such a refreshed Notification shall be identical to the one for the original Notification, the values of the other Properties are Server specific, in that some Servers could replay the exact Events with all Properties/Variables maintaining the same values as originally sent, but other Servers would only regenerate the Event. The regenerated Event might contain some updated Property/Variable values. For example, if the Alarm limits associated with a Variable were changed after the generation of the Event without generating a change in the Alarm state, the new limit could be reported. In another example, if the HighLimit was 100 and the Variable is 120. If the limit were changed to 90 no new Event would be generated since there is no change to the StateMachine, but the limit on a Refresh would indicate 90, when the original Event had indicated 100.

3. The Server may intersperse new Event Notifications that have not been previously issued to the Notifier along with those being sent as part of the Refresh request. Clients shall check for multiple Event Notifications for a ConditionBranch to avoid overwriting a new state delivered together with an older state from the Refresh process.

4. The Server issues an instance of RefreshEndEventType (defined in 5.11.3) to signal the end of the Refresh. A copy of the instance of RefreshEndEventType is queued into the Event stream for every Notifier MonitoredItem in the Subscription. Each of the Events copies shall contain the same EventId.

It is important to note that if multiple Event Notifiers are in a Subscription all Event Notifiers are processed. If a Client does not want all MonitoredItems refreshed, then the Client should place each MonitoredItem in a separate Subscription or call ConditionRefresh2 if the Server supports it.

If the refresh of more than one Subscription is desired, then the standard call Service array processing can be used.

As mentioned above, ConditionRefresh shall also issue Event Notifications for prior states if they still need attention. In particular, this is True for Condition instances where previous states still need acknowledgement or confirmation.

Table 20 specifies the AddressSpace representation for the ConditionRefresh Method.

5.5.8 ConditionRefresh2 Method

ConditionRefresh2 allows a Client to request a Refresh of all Condition instances that currently are in an interesting state (they have the Retain flag set) that are associated with the given Monitored item. In all other respects it functions as ConditionRefresh. A Client would typically invoke this Method when it initially connects to a Server and following any situations, such as communication disruptions where resynchronization is only for a single MonitoredItem in the Server. This Method is only available on the ConditionType. To invoke this Method, the call shall pass the well-known MethodId of the Method on the ConditionType and the ObjectId shall be the well-known NodeId of the ConditionType ObjectType.

This Method is optional and as such Clients shall be prepared to handle Servers which do not provide the Method. If the Method returns Bad_MethodInvalid, the Client shall revert to ConditionRefresh.

Signature

	ConditionRefresh2(
		[in] IntegerId SubscriptionId
		[in] IntegerId MonitoredItemId
		);

The parameters are defined in Table 21

Method result codes in Table 22(defined in Call Service)

Comments

Sub clause 4.5 describes the concept, use cases and information flow in more detail.

The input argument provides a Subscription identifier and MonitoredItem identifier indicating which MonitoredItem in the selected Client Subscription shall be refreshed. If the Subscription and MonitoredItem is accepted the Server will react as follows:

1. The Server issues a RefreshStartEvent (defined in 5.11.2) marking the start of Refresh. The RefreshStartEvent is queued into the Event stream for the Notifier MonitoredItem in the Subscription.

2. The Server issues Event Notifications of any Retained Conditions and Retained Branches of Conditions that meet the Subscriptions content filter criteria. Note that the EventId for such a refreshed Notification shall be identical to the one for the original Notification, the values of the other Properties are Server specific, in that some Servers could replay the exact Events with all Properties/Variables maintaining the same values as originally sent, but other Servers would only regenerate the Event. The regenerated Event might contain some updated Property/Variable values. For example, if the Alarm limits associated with a Variable were changed after the generation of the Event without generating a change in the Alarm state, the new limit could be reported. In another example, if the HighLimit was 100 and the Variable is 120. If the limit were changed to 90 no new Event would be generated since no change to the StateMachine, but the limit on a Refresh would indicate 90, when the original Event had indicated 100.

3. The Server may intersperse new Event Notifications that have not been previously issued to the notifier along with those being sent as part of the Refresh request. Clients shall check for multiple Event Notifications for a ConditionBranch to avoid overwriting a new state delivered together with an older state from the Refresh process.

4. The Server issues a RefreshEndEvent (defined in 5.11.3) to signal the end of the Refresh. The RefreshEndEvent is queued into the Event stream for the Notifier MonitoredItem in the Subscription.

If the refresh of more than one MonitoredItem or Subscription is desired, then the standard call Service array processing can be used.

As mentioned above, ConditionRefresh2 shall also issue Event Notifications for prior states if those states still need attention. In particular, this is True for Condition instances where previous states still need acknowledgement or confirmation.

Table 23 specifies the AddressSpace representation for the ConditionRefresh2 Method.

5.6 Dialog Model

5.6.1 General

The Dialog Model is an extension of the Condition model used by a Server to request user input. It provides functionality similar to the standard Message dialogs found in most operating systems. The model can easily be customized by providing Server specific response options in the ResponseOptionSet and by adding additional functionality to derived Condition Types.

5.6.2 DialogConditionType

The DialogConditionType is used to represent Conditions as dialogs. It is illustrated in Figure 12 and formally defined in Table 24 and Table 25.

The empty “Others” column indicates that no ModellingRule applies.

The DialogConditionType inherits all Properties of the ConditionType.

DialogState/Id when set to True indicates that the Dialog is active and waiting for a response. Recommended state names are described in A.2.

Prompt is a dialog prompt to be shown to the user.

ResponseOptionSet specifies the desired set of responses as array of LocalizedText. The index in this array is used for the corresponding fields like DefaultResponse, LastResponse and SelectedOption in the Respond Method. The recommended localized names for the common options are described in A.1.

Typical combinations of response options are

• OK

• OK, Cancel

• Yes, No, Cancel

• Abort, Retry, Ignore

• Retry, Cancel

• Yes, No

DefaultResponse identifies the response option that should be shown as default to the user. It is the index in the ResponseOptionSet array. If no response option is the default, the value of the Property is -1.

LastResponse contains the last response provided by a Client in the Respond Method. If no previous response exists, then the value of the Property is -1.

OkResponse provides the index of the OK option in the ResponseOptionSet array. This choice is the response that will allow the system to proceed with the operation described by the prompt. This allows a Client to identify the OK option if a special handling for this option is available. If no OK option is available, the value of this Property is -1.

CancelResponse provides the index of the response in the ResponseOptionSet array that will cause the Dialog to go into the inactive state without proceeding with the operation described by the prompt. This allows a Client to identify the Cancel option if a special handling for this option is available. If no Cancel option is available, the value of this Property is -1.

5.6.3 Respond Method

Respond is used to pass the selected response option and end the dialog. DialogState/Id will return to False.

Signature

	Respond(
		[in] Int32 SelectedResponse
		);

The parameters are defined in Table 26

Method result codes in Table 27 (defined in Call Service)

Table 28 specifies the AddressSpace representation for the Respond Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionRespondEventType for all invocations of the Method.

5.6.4 Respond2 Method

Respond2 Method extends the respond method by adding a comment field. For other functionality see the Respond Method definition.

Signature

	Respond2(
		[in] Int32			SelectedResponse
		[in] LocalizedText	Comment
		);

The parameters are defined in Table 29

If the Comment argument is NULL (both locale and text are empty) it shall be ignored and any existing comments will remain unchanged. To reset the comment, an empty text with a locale shall be provided.

Method result codes in Table 30 (defined in Call Service)

Table 31 specifies the AddressSpace representation for the Respond2 Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionRespondEventType for all invocations of the Method.

5.7 Acknowledgeable Condition Model

5.7.1 General

The Acknowledgeable Condition Model extends the Condition model. States for acknowledgement and confirmation are added to the Condition model.

AcknowledgeableConditions are represented by the AcknowledgeableConditionType which is a subtype of the ConditionType. The model is formally defined in the following sub clauses.

5.7.2 AcknowledgeableConditionType

The AcknowledgeableConditionType extends the ConditionType by defining acknowledgement characteristics. The AcknowledgeableConditionType is illustrated in Figure 13 and formally defined in Table 32 and Table 33.

The empty “Others” column indicates that no ModellingRule applies.

The AcknowledgeableConditionType inherits all Properties of the ConditionType.

AckedState when False indicates that the Condition instance requires acknowledgement for the reported Condition state. When the Condition instance is acknowledged the AckedState is set to True. ConfirmedState indicates whether it requires confirmation. Recommended state names are described in A.1. The two states are sub-states of the True EnabledState. See 4.3 for more information about acknowledgement and confirmation models. The EventId used in the Event Notification is considered the identifier of this state and has to be used when calling the Methods for acknowledgement or confirmation.

A Server may require that previous states be acknowledged. If the acknowledgement of a previous state is still open and a new state also requires acknowledgement, the Server shall create a branch of the Condition instance as specified in 4.2. Clients are expected to keep track of all ConditionBranches where AckedState/Id is False to allow acknowledgement of those. See also 5.5.2 for more information about ConditionBranches and the examples in Clause B.1. The handling of the AckedState and branches also applies to the ConfirmedState.

In the event of a restart of an AlarmManager, the AlarmManager should recover the AckedState and ConfirmedState (if supported) of all current conditions. If the system can not determine if the condition is Acknowledged or Confirmed, they shall be set to false (not Acknowledged and not Confirmed).

5.7.3 Acknowledge Method

The Acknowledge Method is used to acknowledge an Event Notification for a Condition instance state where AckedState is False. Normally, the NodeId of the object instance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, Servers shall allow Clients to call the Acknowledge Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the AcknowledgeableConditionType Node.

Signature

	Acknowledge(
		[in] ByteString EventId
		[in] LocalizedText Comment
		);

The parameters are defined in Table 34

Method result codes in Table 35 (defined in Call Service)

Comments

A Server is responsible to ensure that each Event has a unique EventId. This allows Clients to identify and acknowledge a particular Event Notification.

The EventId identifies a specific Event Notification with an acknowledgeable state was reported. Acknowledgement and the optional comment will be applied to the state identified with the EventId. If the comment field is NULL (both locale and text are empty) it will be ignored and any existing comments will remain unchanged. To reset the comment, an empty text with a locale shall be provided.

A valid EventId will result in an Event Notification where AckedState/Id is set to True and the Comment Property contains the text of the optional comment argument. If a previous state is acknowledged, the BranchId and all Condition values of this branch will be reported. Table 36 specifies the AddressSpace representation for the Acknowledge Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionAcknowledgeEventType for all invocations of the Method.

5.7.4 Confirm Method

The Confirm Method is used to confirm an Event Notifications for a Condition instance state where ConfirmedState is False. Normally, the NodeId of the object instance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, Servers shall allow Clients to call the Confirm Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the AcknowledgeableConditionType Node.

Signature

	Confirm(
		[in] ByteString		EventId
		[in] LocalizedText	Comment
		);
The parameters are defined in Table 37

Method result codes in Table 38 (defined in Call Service)

Comments

A Server is responsible to ensure that each Event has a unique EventId. This allows Clients to identify and confirm a particular Event Notification.

The EventId identifies a specific Event Notification with a confirmable state was reported.

A Comment can be provided which will be applied to the state identified with the EventId. If the comment argument is NULL (both locale and text are empty) it will be ignored and any existing comments will remain unchanged. If the comment is to be reset, an empty text with a locale shall be provided.

A valid EventId will result in an Event Notification where ConfirmedState/Id is set to True and the Comment Property contains the text of the optional comment argument. If a previous state is confirmed, the BranchId and all Condition values of this branch will be reported. A Client can confirm only events that have a ConfirmedState/Id set to False. The logic for setting ConfirmedState/Id to False is Server specific and may even be event or condition specific.

Table 39 specifies the AddressSpace representation for the Confirm Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionConfirmEventType for all invocations of the Method.

5.8 Alarm model

5.8.1 General

Figure 14 informally describes the AlarmConditionType, its sub-types and where it is in the hierarchy of Event Types.

5.8.2 AlarmConditionType

The AlarmConditionType extends the AcknowledgeableConditionType by introducing an ActiveState, SuppressedState and ShelvingState. It also adds the ability to set a delay time, re-alarm time, Alarm groups and audible Alarm settings. The Alarm model is illustrated in Figure 15. This illustration is not intended to be a complete definition. It is formally defined in Table 40 and Table 41.

The empty “Others” column indicates that no ModellingRule applies.

The AlarmConditionType inherits all Properties of the AcknowledgeableConditionType. The following states are sub-states of the True EnabledState.

ActiveState/Id when set to True indicates that the situation the Condition is representing currently exists. When a Condition instance is in the inactive state (ActiveState/Id when set to False) it is representing a situation that has returned to a normal state. The transitions of Conditions to the inactive and Active states are triggered by Server specific actions. Subtypes of the AlarmConditionType specified later in this document will have sub-state models that further define the Active state. Recommended state names are described in A.1. In the event of a restart of an AlarmManager, the AlarmManager shall recover the ActiveState.

The InputNode Property provides the NodeId of the Variable the Value of which is used as primary input in the calculation of the Alarm state. If this Variable is not in the AddressSpace, a NULL NodeId shall be provided. In some systems, an Alarm may be calculated based on multiple Variables Values; it is up to the system to determine which Variable’s NodeId is used.

SuppressedState, OutOfServiceState and ShelvingState together allow the suppression of Alarms on display systems. These three suppressions are generally used by different personnel or systems at a plant, i.e. automatic systems, maintenance personnel and Operators.

SuppressedState is used internally by a Server to automatically suppress Alarms due to system specific reasons. For example, a system may be configured to suppress Alarms that are associated with machinery that is in a state such as shutdown. For example, a low level Alarm for a tank that is currently not in use might be suppressed. Recommended state names are described in A.1. In the event of a restart of an AlarmManager, the AlarmManager should recover the SuppressedState. If the system cannot determine if the alarm is Suppressed, the state shall be set to false (not Suppressed).

OutOfServiceState is used by maintenance personnel to suppress Alarms due to a maintenance issue. For example, if an instrument is taken out of service for maintenance or is removed temporarily while it is being replaced or serviced the item would have the OutOfServiceState set. Recommended state names are described in A.1. In the event of a restart of an AlarmManager, the AlarmManager should recover the OutOfServiceState. If the system cannot determine if the alarm is OutOfService, the state shall be set to false (not OutOfService).

ShelvingState suggests whether an Alarm shall (temporarily) be prevented from being displayed to the user. It is quite often used by Operators to block nuisance Alarms. The ShelvingState is defined in 5.8.17.

When an Alarm has any or all of the SuppressedState, OutOfServiceState or ShelvingState set to True, the SuppressedOrShelved property shall be set True and this Alarm is then typically not displayed by the Client. State transitions associated with the Alarm do occur, but they are not typically displayed by the Clients as long as the Alarm remains in any of the SuppressedState, OutOfServiceState or Shelved state.

The optional Property MaxTimeShelved is used to set the maximum time that an Alarm Condition may be shelved. The value is expressed as duration. Systems can use this Property to prevent permanent Shelving of an Alarm. If this Property is present, it will be an upper limit on the duration passed into a TimedShelve Method call. If a value that exceeds the value of this Property is passed to the TimedShelve Method, then a Bad_ShelvingTimeOutOfRange error code is returned on the call. If this Property is present, it will also be enforced for the OneShotShelved state, in that an Alarm Condition will transition to the Unshelved state from the OneShotShelved state if the duration specified in this Property expires following a OneShotShelve operation without a change of any of the other items associated with the Condition.

The optional Property AudibleEnabled is a Boolean that indicates if the current state of this Alarm includes an audible Alarm.

The optional Property AudibleSound contains the sound file that shall be played when an audible Alarm is generated. This file would be play/generated as long as the Alarm is active and unacknowledged, unless the silence StateMachine is included, in which case it may also be silenced by this StateMachine.

The SilenceState is used to suppress the generation of the audible sound. Typically, it is used when an Operator silences all Alarms on a screen, but will acknowledge the Alarms individually. Silencing an Alarm shall silence the Alarm on all systems (screens) that it is being reported on. Not all Clients will make use of this StateMachine, but it allows multiple Clients to synchronize audible Alarm states. Acknowledging an Alarm shall automatically silence an Alarm. In the event of a restart of an AlarmManager, the AlarmManager should recover the SilenceState. If the system cannot determine if the Alarm is silenced, it shall set the SilenceState, based on the AcknowledgeState. If it is Acknowledged, it is silenced, If it has not been Acknowledged, it shall not be silenced.

The OnDelay and OffDelay Properties can be used to eliminate nuisance Alarms. The OnDelay is used to avoid unnecessary Alarms when a signal temporarily overshoots its setpoint, thus preventing the Alarm from being triggered until the signal remains in the Alarm state continuously for a specified length of time (OnDelay time). The OffDelay is used to reduce chattering Alarms by locking the Alarm indication for a certain holding period after the condition has returned to normal. I.e., the Alarm shall stay active for the OffDelay time and shall not regenerate if it returns to active in that period. If the Alarm remains in the inactive zone for OffDelay it will then become inactive.

The optional variable FirstInGroupFlag is used together with the FirstInGroup object. The FirstInGroup Object is an instance of an AlarmGroupType that groups a number of related Alarms. The FirstInGroupFlag is set on the Alarm instance that was the first Alarm to trigger in a FirstInGroup. If this variable is present, then the FirstInGroup shall also be present. These two nodes allow an alarming system to determine which Alarm in the list was the trigger. It is commonly used in situations where Alarms are interrelated and usually multiple Alarms occur. For example, vibration sensors in a turbine, usually all sensors trigger if any one triggers, but what is important for an Operator is the first sensor that triggered.

The LatchedState Object, if present, indicates that this Alarm supports being latched. The Alarm will remain with a retain bit of True until it is no longer active, is acknowledged, is confirmed (if ConfirmedState is provided) and is reset. The Reset Method, if called while active has no effect on the Alarm and is ignored and an error of Bad_InvalidState is return on the call. The Object indicates the current state, latched or not latched. Recommended state names are described in A.1. If this Object is provided the Reset Method shall be provided. In the event of a restart of an AlarmManager, the AlarmManager shall recover the LatchedState.

An Alarm instance may contain HasAlarmSuppressionGroup reference(s) to instance(s) of AlarmGroupType (or subtype of it). Each instance is an AlarmSuppressionGroup. When an AlarmSuppressionGroup goes active, the Server shall set the SuppressedState of the Alarm containing the HasAlarmSuppressionGroup reference to True. When all of referenced AlarmSuppressionGroups are no longer active, then the Server shall set SuppressedState to False. A single AlarmSuppressionGroup can manage multiple Alarms. AlarmSuppressionGroups are used to control Alarm floods and to help manage Alarms.

ReAlarmTime if present sets a time that is used to bring an Alarm back to the top of an Alarm list. If an Alarm has not returned to normal within the provided time (from when it last was alarmed), the Server will generate a new Alarm for it (as if it just went into alarm). If it has been silenced it shall return to an un-silenced state, if it has been acknowledged it shall return to unacknowledged. The Alarm active time is set to the time of the re-alarm.

ReAlarmRepeatCount if present counts the number times an Alarm was re-alarmed. Some smart alarming system would use this count to raise the priority or otherwise generate additional or different annunciations for the given Alarm. The count is reset when an Alarm returns to normal.

Silence Method can be used to silence an instance of an Alarm. It is defined in 5.8.7.

Suppress and Suppress2 Method can be used to suppress an instance of an Alarm. Most Alarm suppression occurs via advanced alarming, but this method allows additional access to suppress a particular Alarm instance. Additional details are provided in the definition in 5.8.8 and 5.8.9

Unsuppress and Unsuppress2 Method can be used to remove an instance of an Alarm from SuppressedState. Additional details are provided in the definition in 5.8.10 and 5.8.11.

PlaceInService and PlaceInService2 Method can be used to remove an instance of an Alarm from OutOfServiceState. It is defined in 5.8.14 and 5.8.15.

RemoveFromService and RemoveFromService2 Method can be used to place an instance of an Alarm in OutOfServiceState. It is defined in 5.8.12 and 5.8.13.

Reset Method is used to clear a latched Alarm. It is defined in 5.8.5. If this Object is provided the LatchedState Object shall also be provided.

More details about the Alarm Model and the various states can be found in Sub clause 4.8. and in Annex E.

5.8.3 AlarmGroupType

The AlarmGroupType provides a simple manner of grouping Alarms. This grouping can be used for Alarm suppression or for identifying related Alarms. The actual usage of the AlarmGroupType is specified where it is used.

The instance of an AlarmGroupType should be given a name and description that describes the purpose of the Alarm group.

The AlarmGroupType instance will contain a list of instances of AlarmConditionType or sub type of AlarmConditionType referenced by AlarmGroupMember references. At least one instance of AlarmConditionType (or a subtype of it) shall be present in an instance of an AlarmGroupType.

5.8.4 AlarmSuppressionGroupType

This is a subtype of AlarmGroupType that can be used to suppress other alarms. This subtype of AlarmGroup extends the AlarmGroupType to allow the addition of Variables that have a Boolean DataType. The Variable can be thought of as representing the Id of the ActiveState of an Alarm, i.e. when any of the included Variables have a value of true the AlarmSuppressionGroup is active.

The instance of an AlarmSuppressionGroupType should be given a name and description that describes the purpose of the Alarm group.

The AlarmSuppressionGroupType instance will contain a list of instances of AlarmConditionType or sub type of AlarmConditionType or BaseDataVariableType with a DataType of Boolean referenced by AlarmSuppressionGroupMember references. At least one these instances shall be present in an instance of an AlarmSupressionGroupType.

5.8.5 Reset Method

The Reset Method is used reset a latched Alarm instance. It is only available on an instance of an AlarmConditionType that exposes the LatchedState. Normally, the NodeId of the Object instance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, Servers shall allow Clients to call the Reset Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the AlarmConditionType Node.

Signature

	Reset();

This method has no arguments.

Method result codes in Table 44 (defined in Call service)

Table 45 specifies the AddressSpace representation for the Reset Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionResetEventType for all invocations of the Method.

5.8.6 Reset2 Method

The Reset2 Method extends the Reset Method, by adding an optional Comment. For other functionality see the Reset Method definition.

Signature

	Reset2(
		[in] LocalizedText	Comment
		);

The parameters are defined in Table 46.

If the Comment argument is NULL (both locale and text are empty) it shall be ignored and any existing comments will remain unchanged. To reset the comment, an empty text with a locale shall be provided.

Method result codes in Table 47 (defined in Call service)

Table 48 specifies the AddressSpace representation for the Reset2 Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionResetEventType for all invocations of the Method.

5.8.7 Silence Method

The Silence Method is used silence a specific Alarm instance. It is only available on an instance of an AlarmConditionType that also exposes the SilenceState. Normally, the NodeId of the Object instance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, Servers shall allow Clients to call the Silence Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the AlarmConditionType Node.

Signature

	Silence();

This method has no arguments.

Method result codes in Table 49 (defined in Call service)

Comments

If the instance is not currently in an audible state, the command is ignored.

Table 50 specifies the AddressSpace representation for the Silence Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionSilenceEventType for all invocations of the Method.

5.8.8 Suppress Method

The Suppress Method is used to suppress a specific Alarm instance. It is only available on an instance of an AlarmConditionType that also exposes the SuppressedState. This Method can be used to change the SuppressedState of an Alarm and overwrite any suppression caused by an associated AlarmSuppressionGroup. This Method works in parallel with any suppression triggered by an AlarmSuppressionGroup, in that if the Method is used to suppress an Alarm, an AlarmSuppressionGroup might clear the suppression.

Normally, the NodeId of the object instance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, Servers shall allow Clients to call the Suppress Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the AlarmConditionType Node.

Signature

	Suppress();

Method Result Codes in Table 51 (defined in Call Service)

Comments

Suppress Method applies to an Alarm instance, even if it is not currently active.

Table 52 specifies the AddressSpace representation for the Suppress Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionSuppressionEventType for all invocations of the Method.

5.8.9 Suppress2 Method

The Suppress2 Method extends the Suppress Method, by adding an optional Comment. For other functionality see the Suppress Method definition.

Signature

	Suppress2(
		[in] LocalizedText	Comment
		);

The parameters are defined in Table 53

If the Comment argument is NULL (both locale and text are empty) it shall be ignored and any existing comments will remain unchanged. To reset the comment an empty text with a locale shall be provided.

Method Result Codes in Table 51 (defined in Call Service)

Table 55 specifies the AddressSpace representation for the Suppress2 Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionSuppressionEventType for all invocations of the Method.

5.8.10 Unsuppress Method

The Unsuppress Method is used to clear the SuppressedState of a specific Alarm instance. It is only available on an instance of an AlarmConditionType that also exposes the SuppressedState. This Method can be used to overwrite any suppression cause by an associated AlarmSuppressionGroup. This Method works in parallel with any suppression triggered by an AlarmSuppressionGroup, in that if the Method is used to clear the SuppressedState of an Alarm, any change in an AlarmSuppressionGroup might again suppress the Alarm.

Normally, the NodeId of the ObjectInstance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, Servers shall allow Clients to call the Unsuppress Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the AlarmConditionType Node.

Signature

	Unsuppress();

Method Result Codes in Table 56 (defined in Call Service).

Comments

Unsuppress Method applies to an Alarm instance, even if it is not currently active.

Table 57 specifies the AddressSpace representation for the Suppress Method.

If Auditing is supported, this Method shall generate and event of AuditConditionSuppressionEventType for all invocations of the Method.

5.8.11 Unsuppress2 Method

The Unsuppress2 Method extends the Suppress Method, by adding an optional Comment. For other functionality see the Unsuppress Method definition.

Signature

	Unsuppress2(
		[in] LocalizedText	Comment
		);

The parameters are defined in Table 58.

If the Comment argument is NULL (both locale and text are empty) it shall be ignored and any existing comments will remain unchanged. To reset the comment an empty text with a locale shall be provided.

Unsuppress2 Method applies to an Alarm instance, even if it is not currently active.

Method Result Codes in Table 56 (defined in Call Service).

Table 60 specifies the AddressSpace representation for the Unsuppress2 Method.

If Auditing is supported, this Method shall generate an Event of AuditConditionSuppressionEventType for all invocations of the Method.

5.8.12 RemoveFromService Method

The RemoveFromService Method is used to suppress a specific Alarm instance. It is only available on an instance of an AlarmConditionType that also exposes the OutOfServiceState. Normally, the NodeId of the object instance is passed as the ObjectId to the Call Service. However, some Servers do not expose Condition instances in the AddressSpace. Therefore, Servers shall allow Clients to call the RemoveFromService Method by specifying ConditionId as the ObjectId. The Method cannot be called with an ObjectId of the AlarmConditionType Node.

Signature

	RemoveFromService();

Method result codes in Table 61 (defined in Call Service).

Comments

Instances that do not expose the OutOfServiceState shall reject RemoveFromService calls. RemoveFromService Method applies to an Alarm instance, even if it is not currently in the Active State.

Table 62 specifies the AddressSpace representation for the RemoveFromService Method.