Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), page 67
The frequency of the pulses is an indication of the speed. If the wheel travels past a defined calibration point, an additional digital input is signaled to the computer to set the pulse counter to a defined value. It is good practice to convert the relative event values to absolute state values as soon as possible.

[Fig. 9.6 Contact bounce of a mechanical switch: switch open, contact bounce, switch closed, plotted against time]

Time Encoded Signals. Many output devices, e.g., power semiconductors such as IGBTs (insulated-gate bipolar transistors), are controlled by pulse sequences of well-specified shape (pulse width modulation, PWM). A number of microcontrollers designed for I/O provide special hardware support for generating these digital pulse shapes.

9.5.3 Interrupts

The interrupt mechanism empowers a device outside the sphere of control of the computer to govern the temporal control pattern inside the computer. This is a powerful and potentially dangerous mechanism that must be used with great care. Interrupts are needed when an external event requires a reaction time from the computer (time as control) that cannot be implemented efficiently with a trigger task. A trigger task extends the response time of an RT transaction that is initiated by an external event by at most one period of the trigger task. Increasing the trigger task frequency can reduce this additional delay at the expense of an increased overhead. [Pol95b] has analyzed this increase in the overhead for the periodic execution of a trigger task as the required response time approaches the WCET of the trigger task. As a rule of thumb, the implementation of an interrupt should be considered only if the required response time is less than ten times the WCET of the trigger task.

If information about the precise instant of arrival of a message is required, but no immediate action has to be taken, an interrupt-controlled time-stamping mechanism implemented in hardware should be used. Such a mechanism works autonomously and does not interfere with the control structure of tasks at the operating system level.

Example: In the hardware implementation of the IEEE 1588 clock synchronization protocol, a hardware mechanism autonomously generates the time-stamp of an arriving synchronization message [Eid06].

In an interrupt-driven software system, a transient error on the interrupt line may upset the temporal control pattern of the complete node and may cause the violation of important deadlines.
Therefore, the time interval between the occurrence of any two interrupts must be continuously monitored and compared to the specified minimum duration between interrupting events.

[Fig. 9.7 Time window of an interrupt: the time window is opened by the first dynamic TT task if no interrupt has occurred; an interrupt may occur in this time window, whereupon the third task, the ET interrupt service task, is activated and closes the time window; the time window is closed by the second dynamic TT task if no interrupt has occurred]

Monitoring the occurrence of an interrupt. There are three tasks in the computer associated with every monitored interrupt [Pol95b] (Fig. 9.7). The first and second one are dynamically planned TT tasks that determine the interrupt window. The first one enables the interrupt line and thus opens the time window during which an interrupt is allowed to occur. The third task is the interrupt service task that is activated by the interrupt. Whenever the interrupt has occurred, the interrupt service task closes the time window by disabling the interrupt line. It then deactivates the scheduled future activation of the second task. In case the third task was not activated before the start of the second task, the second task, a dynamic TT task scheduled at the end of the time window, closes the time window by disabling the interrupt line. The second task then generates an error flag to inform the application of the missing interrupt.

The two time-triggered tasks are needed for error detection. The first task detects a sporadic interrupt that should not have occurred.
The second task detects a missing interrupt that should have occurred. These different errors require different types of error handling. The more we know about the regularity of the controlled object, the smaller we can make the time window in which an interrupt may occur. This leads to better error-detection coverage.

Example: An engine controller of an automotive engine has such a stringent requirement regarding the point of fuel injection relative to the position of the piston in the cylinder that the implementation must use an interrupt for measuring the position [Pol95b]. The position of the piston and the rotational speed of the crankshaft are measured by a number of sensors that generate rising edges whenever a defined section of the crankshaft passes the position of the sensor.
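The three-task interrupt window of Fig. 9.7, applied to the crankshaft sensor of the engine example, as an added C sketch. This is not code from the book: the task names, the microsecond time base, the status codes and the first-order model used to derive the next tooth's window from the last inter-tooth interval and an acceleration bound are all assumptions made for the example. The point it shows is that a pulse outside the window never reaches the CPU (the line is disabled), the ISR cancels the second task when it does run, and the second task turns a missing pulse into an error flag rather than a silent deadline miss.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one monitored interrupt cycle (assumed codes). */
typedef enum { IRQ_PENDING, IRQ_OK, IRQ_MISSING, IRQ_SPORADIC } irq_status;

/* State shared by the three tasks that guard one interrupt line. */
typedef struct {
    bool       line_enabled;   /* interrupt line enabled = window open      */
    bool       close_armed;    /* second TT task still scheduled?           */
    uint32_t   t_open;         /* window start (microseconds, assumed base) */
    uint32_t   t_close;        /* window end                                */
    uint32_t   t_irq;          /* arrival instant of the accepted interrupt */
    irq_status status;         /* outcome of the current cycle              */
} irq_monitor;

/* Task 1, dynamic TT task: enable the line, open the window, arm task 2. */
void task_open_window(irq_monitor *m, uint32_t t_open, uint32_t t_close)
{
    m->line_enabled = true;
    m->close_armed  = true;
    m->t_open  = t_open;
    m->t_close = t_close;
    m->t_irq   = 0;
    m->status  = IRQ_PENDING;
}

/* Task 3, ET interrupt service task, invoked by the hardware at time t.
 * A pulse while the line is disabled is sporadic: it is reported and leaves
 * the window state untouched. A pulse inside the window closes the window
 * (disables the line) and cancels the scheduled activation of task 2. */
irq_status task_isr(irq_monitor *m, uint32_t t)
{
    if (!m->line_enabled)
        return IRQ_SPORADIC;
    m->line_enabled = false;
    m->close_armed  = false;
    m->t_irq  = t;
    m->status = IRQ_OK;
    return IRQ_OK;
}

/* Task 2, dynamic TT task scheduled at t_close. If task 3 already ran, this
 * activation was cancelled and nothing is to do; otherwise close the window
 * and raise the "missing interrupt" error flag for the application. */
irq_status task_close_window(irq_monitor *m)
{
    if (!m->close_armed)
        return m->status;
    m->line_enabled = false;
    m->close_armed  = false;
    m->status = IRQ_MISSING;
    return IRQ_MISSING;
}

/* Window for the next crankshaft tooth. theta: tooth pitch (rad); dt: last
 * inter-tooth interval (s); alpha: bound on angular acceleration (rad/s^2).
 * Assumed first-order model: the speed changes by at most alpha*dt within
 * one interval. Returns false when the bound degenerates (the engine could
 * come to rest, so no finite upper bound exists). */
bool crank_window(double theta, double dt, double alpha,
                  double *dt_min, double *dt_max)
{
    if (dt <= 0.0 || theta <= 0.0 || alpha < 0.0)
        return false;
    double omega   = theta / dt;     /* current angular speed          */
    double d_omega = alpha * dt;     /* largest speed change in one dt */
    if (omega - d_omega <= 0.0)
        return false;
    *dt_min = theta / (omega + d_omega);   /* fastest admissible next tooth */
    *dt_max = theta / (omega - d_omega);   /* slowest admissible next tooth */
    return true;
}

/* One cycle with window [t_open, t_close] and a single pulse at t_pulse
 * (UINT32_MAX = no pulse). A pulse outside the window never reaches the CPU
 * because the line is disabled, so the cycle ends as IRQ_MISSING. */
irq_status simulate_cycle(uint32_t t_open, uint32_t t_close, uint32_t t_pulse)
{
    irq_monitor m;
    task_open_window(&m, t_open, t_close);
    if (t_pulse >= t_open && t_pulse <= t_close)
        task_isr(&m, t_pulse);
    return task_close_window(&m);
}

int main(void)
{
    double lo, hi;
    /* constructed input: 60-tooth wheel at 1000 rpm, one tooth per millisecond */
    crank_window(2.0 * 3.14159265358979 / 60.0, 1.0e-3, 1000.0, &lo, &hi);
    printf("next tooth expected in [%.1f, %.1f] us\n", lo * 1e6, hi * 1e6);
    printf("nominal: %d\n", simulate_cycle(990, 1010, 1000));
    printf("missing: %d\n", simulate_cycle(990, 1010, UINT32_MAX));
    printf("late   : %d\n", simulate_cycle(990, 1010, 1500));
    return 0;
}
```

The window bounds from crank_window feed task_open_window for the next cycle, so the window tracks the engine speed; the tighter the acceleration bound, the narrower the window and the fewer sporadic pulses that can ever be admitted.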
Since the speed and the maximum angular acceleration (or deceleration) of the engine are known, the next correct interrupt must arrive within a small, dynamically defined time window from the previous interrupt. The interrupt logic is only enabled during this short window and disabled at all other times to reduce the impact of sporadic interrupts on the temporal control pattern within the host software. Such a sporadic interrupt, if not detected, may cause mechanical damage to the engine.

9.5.4 Fault-Tolerant Actuators

An actuator must transform the signal generated at the output interface of the computer into some physical action in the controlled object (e.g., opening of a valve). The actuators form the last element in the chain between sensing the values of an RT-entity and realizing the intended effect in the environment. In a fault-tolerant system, the actuators must perform the final voting on the output signals received on the replicated channels. Figure 9.8 shows an example where the intended action in the environment is the positioning of a mechanical lever. At the end of the lever there may be any mechanical device that acts on the controlled object, e.g., there may be a piston of a control valve mounted at the point of action.

[Fig. 9.8 Fault-tolerant actuators: (a) fail-silent actuator, (b) TMR actuator; in each, electric or hydraulic motors drive a moving rod to the point of action]

In a replica-determinate architecture, the correct replicated channels produce identical results in the value and in the time domains. We differentiate between the cases where the architecture supports the fail-silent property (Fig. 9.8a), i.e., all failed channels are silent, and where the fail-silence property is not supported (Fig. 9.8b), i.e., a failed channel can show an arbitrary behavior in the value domain.

Fail-Silent Actuator. In a fail-silent architecture, all subsystems must support the fail-silence property. A fail-silent actuator will either produce the intended (correct) output action or no result at all. In case a fail-silent actuator fails to produce an output action, it may not hinder the activity of the replicated fail-silent actuator.
The fail-silent actuator of Fig. 9.8a consists of two motors where each one has enough power to move the point of action. Each motor is connected to one of the two replica-determinate output channels of the computer system. If one motor fails at any location, the other motor is still capable of moving the point of action to the desired position.

Triple Modular Redundant Actuator. The triple modular redundant (TMR) actuator (Fig. 9.8b) consists of three motors, each one connected to one of the three replica-determinate output channels of the fault-tolerant computer. The force of any two motors must be strong enough to override the force of the third motor; however, any single motor may not be strong enough to override the other two. The TMR actuator can be viewed as a mechanical voter that will place the point of action into a position that is determined by the majority of the three channels, outvoting the disagreeing channel.

Actuator with a Dedicated Stateless Voter. In many applications where redundant actuators are already in place, a voting actuator can be constructed by combining the physical actuator with a small microcontroller that accepts the three input channels from the three lanes of a TMR system and votes on the messages received from the three lanes. This voter can be stateless, i.e., after every cycle the circuitry of the voter is reset in order to eliminate the accumulation of state errors caused by transient faults (Fig. 9.9).

[Fig. 9.9 Stateless voter associated with an actuator: the outputs from the three channels of a TMR system feed the stateless voter, which drives the actuator]

Example: In a car, a stateless voter can be placed at the brake actuator at each one of the four wheels. The voter will mask the failure in any one of the TMR channels. A stateless voter is an example of intelligent instrumentation.

9.5.5 Intelligent Instrumentation

There is an increasing tendency to encapsulate a sensor/actuator and the associated microcontroller into a single physical housing to provide a standard abstract message interface to the outside world that produces measured values at a field bus, e.g., a CAN bus (Fig. 9.10). Such a unit is called an intelligent instrument. The intelligent instrument hides the concrete sensor interface. Its single-chip microcontroller provides the required control signals to the sensor/actuator, performs signal conditioning, signal smoothing and local error detection, and presents/takes a meaningful RT image in standard measuring units to/from the field bus message interface. Intelligent instruments simplify the connection of the plant equipment to the computer.

Example: A MEMS acceleration sensor, micro-machined into silicon, mounted with the appropriate microcontroller and network interface into a single package, forms an intelligent sensor.

To make the measured value fault-tolerant, a number of independent sensors can be packed into a single intelligent instrument.
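The majority decision of the TMR actuator and the stateless voter of Sect. 9.5.4 (the kind of intelligent instrument sitting at the brake actuator in the example), as an added C sketch. This is not code from the book; the message layout, the names and the decision to keep the previous command when no majority exists are assumptions for the example. What it shows is the two halves of the idea: a lane that is silent (fail-silent) or wrong in the value domain is outvoted by the two agreeing lanes, and the lane buffer is wiped after every cycle so a transient fault cannot accumulate into a persistent wrong vote.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LANES 3

/* Message received from one lane of the TMR system in one cycle (assumed layout). */
typedef struct {
    bool    present;   /* a message arrived this cycle; a silent lane has false */
    int32_t setpoint;  /* actuator setpoint carried by the message              */
} lane_msg;

/* Result of one vote. */
typedef struct {
    bool    valid;     /* a majority exists                                 */
    int32_t setpoint;  /* the majority value                                */
    int     outvoted;  /* index of the outvoted lane, -1 if all three agree */
} vote_result;

/* Majority vote over the three lanes of one cycle. Replica-determinate lanes
 * deliver identical values, so two lanes with the same setpoint form the
 * majority; the third lane, if silent or different, is outvoted. With fewer
 * than two agreeing lanes there is no majority and the vote is invalid. */
vote_result vote3(const lane_msg in[LANES])
{
    vote_result r = { false, 0, -1 };   /* fresh result: nothing carried over */
    for (int i = 0; i < LANES; i++) {
        int j = (i + 1) % LANES, k = (i + 2) % LANES;
        if (in[i].present && in[j].present && in[i].setpoint == in[j].setpoint) {
            r.valid    = true;
            r.setpoint = in[i].setpoint;
            if (!in[k].present || in[k].setpoint != r.setpoint)
                r.outvoted = k;
            return r;
        }
    }
    return r;
}

/* Stateless voter at the actuator, one call per cycle. The lane buffer is
 * wiped after the vote, so a transient fault that corrupts a lane message or
 * the buffer itself is confined to the cycle in which it occurs. When no
 * majority exists the actuator keeps its previous command (an assumption of
 * this example; the book only states that a single faulty channel is masked).
 * Returns true if a new setpoint was applied. */
bool actuator_cycle(lane_msg lanes[LANES], int32_t *actuator_setpoint)
{
    vote_result r = vote3(lanes);
    memset(lanes, 0, sizeof(lane_msg) * LANES);   /* reset: no state survives */
    if (!r.valid)
        return false;
    *actuator_setpoint = r.setpoint;
    return true;
}

int main(void)
{
    /* Constructed lane messages for three consecutive cycles. */
    lane_msg cycles[3][LANES] = {
        { {true, 40}, {true, 40}, {true, 40} },   /* all lanes agree              */
        { {true, 42}, {true, 77}, {true, 42} },   /* lane 1 wrong in value domain */
        { {true, 45}, {true, 45}, {false, 0} },   /* lane 2 silent                */
    };
    int32_t sp = 0;
    for (int c = 0; c < 3; c++) {
        vote_result v = vote3(cycles[c]);
        bool applied = actuator_cycle(cycles[c], &sp);
        printf("cycle %d: applied=%d setpoint=%d outvoted lane=%d\n",
               c, applied, sp, v.outvoted);
    }
    return 0;
}
```

The same function describes the mechanical TMR actuator of Fig. 9.8b: two motors pushing to the same position are the agreeing lanes, and the rule that any two must overpower the third is what makes the vote valid only when two lanes agree.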