• No results found

Embedded Real-Time Systems (TI-IRTS) Safety and Reliability Patterns B.D. Chapter

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Embedded Real-Time Systems (TI-IRTS) Safety and Reliability Patterns B.D. Chapter"

Copied!
39
0
0

Loading.... (view fulltext now)

Download now ( 39 Page )

Full text

(1)

Safety and Reliability Patterns

B.D. Chapter 9. 405-456

Embedded Real-Time

Systems (TI-IRTS)

(2)

Agenda

• Introduction to safety

• Patterns:

1. Protected Single Channel Pattern 2. Homogeneous Redundancy Pattern 3. Triple Modular Redundancy Pattern 4. Heterogeneous Redundancy Pattern 5. Monitor-Actuator Pattern

6. Sanity Check Pattern 7. Watchdog Pattern

(3)

Safety and Reliability

• Safety

– defined as freedom from accident and losses

• Reliability

– refers to the probability that a system will

continue to function for a specified period of time

• Both requires some kind of redundancy

– to identify the dangerous condition or fault

(4)

Safety versus Reliability

Reliability Safety Systems without safety impacts Systems with a fail-safe state Systems without a fail-safe state

(5)

Safety is a System Issue

• The system is either safe or it isn’t

– not the software, not the electronics, not the mechanics

• It is the interactions of all these

(6)

Single Point Failures

Most experts consider a device

safe

:

only when any single-point failure

cannot lead to an incident

(7)

Common Mode Failures

• A common mode failure:

– is a failure in multiple control paths due to a common or shared fault

• Example:

– a cardiac pacemaker with a watchdog

circuit controlling a CPU – both driven by the same crystal

• if the crystal fails e.g. doubling the frequency the heart could be paced by 210 beats per min.

(8)

Example: Unsafe Linear Accelerator

«processor» Linear Accelerator «actuator» Beam Emitter «sensor» Beam Detector Beam Intensity Beam Duration Set Intensity Start Beam End Beam

The CPU can be a

(9)

Safe Linear Accelerator

«processor» Linear Accelerator «actuator» Beam Emitter «sensor» Beam Detector Set Intensity Start Beam End Beam Beam Intensity Beam Duration «processor» Safety Processor «actuator» Mechanical Curtain «switch» Cut-off Switch on off on off off Set Intensity Self-test status Start Beam End Beam Emergency Shutdown Self-test status Radiation Sensor watchdog service

(10)

Faults and Fail-Safe State

• Faults come in two flavors:

– Systematic faults (errors or design faults)

– Random faults (failures)

• Fail-safe state

– Many, but not all, safety-critical systems have a condition of existence known to be safe

(11)

Fail-Safe State

• Different types of safe failure modes:

– Off state

• Emergency stop (cutting power)

• Production stop (finish current task)

• Protection stop (shuts down immediately)

– Partial shutdown (degraded functional level) – Hold (no functionality)

– Manual, or external control (via external input) – Restart (reboot or restart)

(12)

Achieving Safety

• Mechanisms to identify data corruption:

– Parity

• simple 1-bit parity identifies single-bit errors

– Hamming codes

• multiple parity bits to identify n-bit errors and repair (n-1)-bit errors

– Checksums

– Cyclic Redundancy Checks (CRCs) – Homogenous multiple storage

– Complement multiple storage

(13)
(14)

1. Protected Single Channel Pattern

The Protected Single Channel Pattern uses a single channel to handle sensing and

actuation.

Will not be able to continue to function in the presence of persistent faults, but it may be able to handle transient faults.

(15)
(16)
(17)

2. Homogeneous Redundancy Pattern

The Homogeneous Redundancy Pattern uses replicated channels with a switch-to-backup policy in the case of an error.

The pattern improves reliability by addressing random faults (failures).

Provides no protection against systematic faults.

(18)

Homogeneous Redundancy Pattern Structure

Backup channel

(19)
(20)

3. Triple Modular Redundancy Pattern

The Triple Modular Redundancy Pattern operates three channels in parallel used

to enhance reliability and safety in situations where there is

(21)
(22)
(23)

4. Heterogeneous Redundancy Pattern

The Heterogeneous Redundancy Pattern uses multiple channels that have

independent designs and/or implementations.

(24)

Heterogeneous Redundancy Pattern Structure

(25)

Heterogeneous Redundancy Pattern Example

(26)

5. Monitor-Actuator Pattern

In the Monitor-Actuator Pattern an

independent sensor maintains a watch on the actuation channel looking for an

indication that the system should be commanded to its fail-safe state.

(27)
(28)
(29)

6. Sanity Check Pattern

The Sanity Check Pattern is a variant of the Monitor-actuator pattern. The pattern

exists to ensure that the actuation is approximately correct.

(30)
(31)
(32)

7. Watchdog Pattern

The Watchdog Pattern checks that the internal computational processing is

proceeding as expected.

Can detect timebase faults and deadlocks. It may be combined with any other safety

(33)
(34)
(35)
(36)

8. Safety Executive Pattern

The Safety Executive Pattern provides a safety executive to oversee the

coordination of potentially multiple

channels when safety measures must be actively applied.

(37)
(38)

Safety Executive Pattern Example

(39)

Summary

Safety is a system architecture/design issue

1. Protected Single Channel Pattern 2. Homogeneous Redundancy Pattern 3. Triple Modular Redundancy Pattern 4. Heterogeneous Redundancy Pattern 5. Monitor-Actuator Pattern

6. Sanity Check Pattern 7. Watchdog Pattern

References

Download now ( PDF - 39 Page - 1.11 MB )

Related documents

Survey of Disk Image Storage Formats

SMART and FTK Imager What types of digital evidence can it store (i.e. disk images, files, network packets, tool output, arbitrary). Disk images, including hard drives and

Southern Route or Northern Sea Route--Whether seaworthiness impacts a ship-owners decision on what route to travel

The applicable test to determine if a vessel is seaworthy and if due diligence has been exercised to make the ship seaworthy is whether a prudent ship- owner in

Frugal Topology Construction for Stream Aggregation in the Cloud

In the context of shared stream aggregation for non-overlapping time windows, under ingest rate constraints at aggregation nodes, derive a systematic approach to determining a

Overview of the labour market [November 2011]

Table 5 outlines the changing patterns of full time and part time employment, and highlights the growth in the numbers of part-time workers in Scotland, the latest data (April 2010

ELIS Multimedia Lab. Linked Open Data. Sam Coppens MMLab IBBT - UGent

These links enable Linked Data browsers and crawlers to navigate between data sources and to discover additional

Accelerator Physics. G. A. Krafft Jefferson Lab Old Dominion University Lecture 4

Beam energy where speed increment effect balances path length change effect on accelerator revolution frequency.. Revolution frequency independent of beam energy to

Bar Code Reader Series BCL 20 A flexible reader for a variety of applications

Safety Sensors Safety Systems Safety Services Safety Laser Scanners Safety Light Curtains. Transceivers and Multiple Light Beam Safety Devices Single Light Beam

Understanding Laser Beam Parameters Leads to Better System Performance and Can Save Money

The most commonly measured laser beam parameters besides power or energy are beam diameter (or radius), spatial intensity distribution (or profile), divergence and the beam