The assessment of periodic deterministic communication services is based on the assessment of successful message transmission over a logical communication link. Message transmission is either:
successful, if it is correctly and timely received, or
unsuccessful, if it is incorrectly received, lost or untimely.
A lost message is a message which left the source application and never reached the target application.
Up time and down time can be derived from received messages. As far as timely received messages are correct, the logical communication link status is up. If a message loss or an incorrectly or untimely received message is detected the logical communication link status is down. To denote up and down states the terms "up time interval"
and "down time interval"
, or alternatively "available"
may be used. An example of the relation between logical communication link status, communication service status and application status is presented in Figure C.3-1
The flow of events in Figure C.3-1
is as follows:
The logical communication link is up and running (blue line is UP). A source device starts sending periodic messages to a target device (orange arrows), on which an automation function (application) is running. The communication service is, from the point of view of the target application, in an up state (violet line is UP) and so is the application (green line is UP).
The logical communication link status changes to down state if it no longer can support end-to-end transmission of the source device's messages to the target device in agreement with the negotiated communication requirements. Once the application on the target device senses the absence (or unsuccessful reception) of expected messages ("Deadline for expected message" in Figure C.3-1), it will wait a pre-set period before it considers the communication service to be unavailable; this is the so-called survival time. The survival time can be expressed as
a period or,
especially with cyclic traffic, as maximum number of consecutive incorrectly received or lost messages.
If the survival time has been exceeded, both the communication service and the application transition into a down state (violet and green lines change to DOWN in Figure C.3-1). The application will usually take corresponding actions for handling such situations of unavailable communication services. For instance, it will commence an emergency shutdown. Note that this does not imply that the target application is "shut off"; rather it transitions into a pre-defined state, e.g. a safe state. In the safe state, the target application might still listen to incoming packets or may try to send messages to the source application.
Once the logical communication link status is in the up state again (blue line in Figure C.3-1 changes to UP), the communication service state as perceived by the target application will change to the up state. The communication service is thus again perceived as available (violet line changes to UP in Figure C.3-1). The state of the application, however, depends on the counter measures taken by the application. The application might stay in down state if it is in a safe state due to an emergency shutdown. Or, the application may do a recovery and change to up state again. The time needed for the application to return to the up state after the communication service is restored is shown as "Application recovery time" in Figure C.3-1.
The availability of the communication service is calculated using the accumulated down time. For instance, in case the communication service is expected to run for a time T, the unavailability U of the communication service can be calculated as
is the length of the i-th downtime interval of the communication service within the time period T
. The communication service availability A
can then be calculated as