13.Safety

The Safety service periodically receives Set Estop messages from the Safety client. The Set Estop message carries state of the e-stop condition, such as the e-stop button is pressed. The Safety service raises EMERGENCY when the e-stop condition is set in the Set Estop messages.

Safety service also periodically queries the Health Summary from Status Monitor service. When Health Summary is at Error or Fatal, the Safety service raises EMERGENCY.

Figure 17 Safety Service queries Health Summary from Status Monitor Service

For redundancy, Safety client also queries Health Summary from Status Monitor service of the subsystem and sets Set Estop message if the health summary is at error or fatal.

To raise EMERGENCY, the Safety service gains Access Control and sets the Subsystem State service to Emergency. This results in all the Management services enter EMERGENCY and stop processing command messages.

When EMERGENCY condition is cleared, the Safety service set the Subsystem State to Operational and releases control from the Subsystem State service.

Figure 18 Safety service message interaction

The component, which hosts the Safety service, also needs to host Access Control service. The Safety Client needs to obtain access control before sending the Set Estop messages.