Safety of Distributed Machine Control Systems

7 Validation of Safety in Distributed Control Systems

7.1 Validation basics

The functions important for the safety of the operator must be identified. This can be fairly easy for machines which have an obvious main risk. It will be harder to identify all dangerous situations for machines which contain multiple risks. Information of the risk analysis is presumed to be available as input to the assessment method discussed in this report.

Before an assessment can be made of any control system, the machinery has to be identified and delimited. The functionality and the safety principles must be understood by the engineers who are to perform the assessment. Important questions are;

What shall be assessed?
Which are the main functions of the machinery?
How is the safety implemented?

The first step of the assessment will then be to check if the required safety-related functions exist. All machinery are affected by requirements from directives and standards. The assessment must answer the questions;

Are the requirements of the machinery directive fulfilled?
Has the functions suggested by the standards been implemented?

A design fault may adversely affect the required function. Even if the intention is to have the function implemented correctly in the machinery, it will have to be checked.

Is the implementation correct?

Requirements for behaviour at fault will be made. Fault simulation, analysis of redundancy, hardware analysis and test and software analysis and test will answer the question

Is the required behaviour at fault achieved?

Figure 14. Questions during the assessment.

7.2 Objective of an Assessment Method

The validation of a machine control system based on distributed control requires the evaluation of aspects not present in a conventional control system. That will raise new questions of what has to be evaluated to verify adequate safety of the machinery. The objective is to develop an assessment method which is capable of answering these specific questions.

This study has grouped the errors into node errors, bus errors, timing errors, data consistency errors, initialisation or restart errors, 'babbling idiot' errors and configura-tion errors. An assessment method has to address all these errors.

Node errors have been subject for many scientific papers and research. The operation of the control system is depending on the correct operation of all nodes. Examples of questions to address are:

Does a node in the system know the status (operational, idle, incorrect) of the other related nodes?
What happens if a node is involuntarily disconnected, e.g. by a damaged cable.
What action is taken when a node detects an internal error?
What action is taken when a node detects an error in the surrounding system?
Will a node continue to run its application software also when a large number of input signals are changed within a short time?

Bus errors

Are there mechanisms to assure that an erroneous message is detected as it is sent from one node to another node?
What action is taken when a node detects an erroneous message?
What happens if the communication cannot be properly started?
Can fault tolerance be achieved by use of double busses?
Will a node continue to run its application software also when a large number of incorrect messages are sent on the bus?

Timing errors are perhaps most commonly addressed when discussing errors in distributed systems. An evaluation will have to answer at least following questions:

How can you tell if the specified response time of the machinery is kept?
Can the transfer time of a message be guaranteed?
Are there guarantees that a node is not processing old data?
Is the system robust for old data as odd events?
How is a delayed message handled?
How long is the start-up time on the distributed system?
Can control algorithms be processed with adequate speed?

Data consistency errors occur when co-operating nodes use data of different age. Useful checks include;

Are there mechanisms to guarantee that a message will arrive at all destinations?
Is there some mechanism to read back and compare important data between the nodes?

Initialisation or restart errors occur at the start up sequence of the control system. To verify the restart procedure, the following questions may be asked:

Is correct priority given to every node?
Will all operation of the system not start before complete initialisation?
Which nodes may send out a request for restart?

'Babbling idiot' is the phrase used to describe when a node is constantly transmitting and occupying the bus.

How is a node which is constantly transmitting and occupying the bus handled?

Configuration errors are the result of user faults when connecting and configuring the nodes on the bus. Examples of questions of configuration errors are:

Are all nodes of correct type?
If parametrisation is used; are all parameters correct?
Is the used bit rate correct?
Are all nodes using the correct communication protocol?

The assessment method will probably consist of several validation methods which can be used to answer one or several of the questions above. These validation methods should be possible to use as tools for assessment of many different types of machinery.

The validation methods will all require documentation of the control system. Suggestions for what information the different documents must include will be required.

Back to Contents Continue to read the report; Chapter 8

Direct link to this page: