Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), page 68
Inside the intelligent instrument, an agreement protocol is executed to arrive at an agreed sensor value, even if one of the sensors has failed. This approach assumes that independent measurements can be taken in close spatial vicinity.

The integration of a field bus node with an actuator produces an intelligent actuator device.

Example: An actuator of an airbag in an automobile must ignite an explosive charge to release the gas of a high-pressure container into the airbag at the appropriate moment. A small explosive charge, placed directly on the silicon of a microcontroller, can be ignited on-chip.
The package is mounted at the proper mechanical position to open the critical valve. The microcontroller including the explosive charge forms an intelligent actuator.

Because many different field bus designs are available today, and no generally accepted industry-wide field bus standard has emerged, the sensor manufacturer must cope with the dilemma of providing a different intelligent instrument network interface for each field bus.

Fig. 9.10 Intelligent instrumentation (figure not reproduced; it shows the signal path controlled object -> sensor -> sensor interface -> signal conversion -> digital interface -> signal conditioning -> network controller -> abstract message interface, the whole chain forming the intelligent instrumentation)

9.5.6 Physical Installation

It is beyond the scope of this book to cover all the issues that must be considered in the physical installation of a sensor-based real-time control system. These complex topics are covered in books on computer hardware installation. However, a few critical issues are highlighted.

Power Supply. Many computer failures are caused by power failures, i.e., long power outages, short power outages of less than a second (also called sags), and power surges (short overvoltages). The provision of a reliable and clean power source is thus of crucial importance for the proper operation of any computer system.

Grounding. The design of a proper grounding system in an industrial plant is a major task that requires considerable experience.
Many transient computer hardware failures are caused by deficient grounding systems. It is important to connect all units in a tree-like manner to a high-quality true ground point. Loops in the ground circuitry must be avoided because they pick up electromagnetic disturbances.

Electric Isolation. In many applications, complete electric isolation of the computer terminals from the signals in the plant is needed. Such isolation can be achieved by opto-couplers for digital signals or signal transformers for analog signals.

9.6 Agreement Protocols

Sensors and actuators have failure rates that are considerably higher than those of single-chip microcomputers.
No critical output action should rely on the input from a single sensor. It is necessary to observe the controlled object by a number of different sensors and to relate these observations to detect erroneous sensor values, to observe the effects of actuators, and to get an agreed image of the physical state of the controlled object. In a distributed system, agreement (also called consensus in [Bar93]) always requires an information exchange among the agreeing partners. The number of rounds of such an information exchange depends on the type of agreement and the assumptions about the possible failure modes of the partners.

9.6.1 Raw Data, Measured Data, and Agreed Data

In Sect. 1.2.1, the concepts of raw data, measured data, and agreed data have been introduced: raw data are produced at the digital hardware interface of the physical sensor. Measured data, presented in standard engineering units, are derived from one or a sequence of raw data samples by the process of signal conditioning. Measured data that are judged to be a correct image of the RT entity, e.g., after the comparison with other measured data elements that have been derived by diverse techniques, are called agreed data. Agreed data form the inputs to control actions.
In a safety-critical system where no single point of failure is allowed to exist, an agreed data element may not originate from a single sensor. The challenge in the development of a safety-critical input system is the selection and placement of the redundant sensors and the design of the agreement algorithms.
We distinguish two types of agreement, syntactic agreement and semantic agreement.

9.6.2 Syntactic Agreement

Assume that two independent sensors measure a single RT entity. When the two observations are transformed from the domain of analog values to the domain of discrete values, a slight difference between the two raw values, caused by measurement error and digitalization error, is unavoidable. These different raw data values will cause different measured values.
A digitalization error also occurs in the time domain when the time of occurrence of an event in the controlled object is mapped into the discrete time of the computer. Even in the fault-free case, these different measured values must be reconciled in some way to present an agreed view of the RT entity to the possibly replicated control tasks.
In syntactic agreement, the agreement algorithm computes the agreed value without considering the context of the measured values. For example, the agreement algorithm always takes the average of a set of measured data values. If a Byzantine failure of one of the sensors must be tolerated, three additional sensors are needed, i.e., four sensors in total (see Sect. 6.4.2).

9.6.3 Semantic Agreement

If the meanings of the different measured values are related to each other by a process model based on a priori knowledge about the relationships and the physical characteristics of the process parameters of the controlled object, we speak of semantic agreement.
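Before the discussion of semantic agreement continues, the following added example (Python, written for this edition and not taken from the book) shows the syntactic agreement of Sect. 9.6.2 in two variants: the plain average the text mentions, and a fault-tolerant average that discards the extreme readings before averaging. It also applies the time-domain part of agreement by keeping only samples taken within a window around the agreement instant. The four temperature sensors, their values and timestamps, the window and the tolerance are constructed, and all function names are my own; the message exchange between nodes that Sect. 6.4.2 requires for the Byzantine case is not shown, only the sizing of four sensors for one faulty sensor.

```python
"""Syntactic agreement over redundant sensor readings (added example).

Not code from the book: sensor names, values, timestamps, the sampling window
and the tolerance below are constructed for illustration.
"""
from statistics import mean

# Constructed sample: four temperature sensors (3f+1 = 4 to tolerate f = 1
# Byzantine sensor) observing the same RT entity.
# Each raw sample is (sensor id, measured value in degrees C, sample time in ms).
SAMPLES = [
    ("T1", 80.1, 1000),
    ("T2", 80.4, 1001),
    ("T3", 79.8, 999),
    ("T4", 250.0, 1000),   # faulty (or tampered) sensor reporting an absurd value
]


def in_time_window(samples, t_agree, half_width_ms):
    """Time-domain part of agreement: keep only samples taken close enough to
    the agreement instant t_agree that they describe the same physical state."""
    return [s for s in samples if abs(s[2] - t_agree) <= half_width_ms]


def plain_average(samples):
    """Naive syntactic agreement: the arithmetic mean of all values.
    A single faulty sensor can drag the result arbitrarily far away."""
    return mean(v for _, v, _ in samples)


def fault_tolerant_average(samples, faulty=1):
    """Fault-tolerant average: drop the `faulty` largest and `faulty` smallest
    values and average the remainder.

    Any value that survives the cut has `faulty` values above it and `faulty`
    values below it that were dropped, so it cannot lie outside the interval
    spanned by the correct sensors; the result is therefore bounded by the
    correct readings whatever a faulty sensor reports.  The book's 3f+1 = 4
    sensors are needed so that agreement also survives a Byzantine sensor that
    reports different values to different nodes during the exchange rounds
    (Sect. 6.4.2); that exchange is outside this single-node illustration,
    but the sizing is enforced here.
    """
    n = len(samples)
    if n < 3 * faulty + 1:
        raise ValueError(f"need at least {3 * faulty + 1} sensors to tolerate "
                         f"{faulty} Byzantine failure(s), got {n}")
    values = sorted(v for _, v, _ in samples)
    kept = values[faulty:n - faulty]
    return mean(kept)


def suspect_sensors(samples, agreed, tolerance):
    """Flag sensors whose value deviates from the agreed value by more than
    the expected measurement plus digitalization error."""
    return [sid for sid, v, _ in samples if abs(v - agreed) > tolerance]


def agree(samples, t_agree=1000, half_width_ms=5, faulty=1, tolerance=1.0):
    """Full agreement step: time-window filter, fault-tolerant value agreement,
    then identification of sensors that disagree with the agreed value."""
    window = in_time_window(samples, t_agree, half_width_ms)
    agreed = fault_tolerant_average(window, faulty)
    return agreed, suspect_sensors(window, agreed, tolerance)


if __name__ == "__main__":
    print("plain average      :", plain_average(SAMPLES))
    agreed, suspects = agree(SAMPLES)
    print("fault-tolerant avg :", agreed, "suspect sensors:", suspects)
```

With the constructed readings the plain average is pulled to about 122.6 degrees by the single bad sensor, while the fault-tolerant average stays at 80.25 and names T4 as the suspect. The check that a sensor disagrees with the agreed value is exactly what syntactic agreement can offer: it knows nothing about the process, so a faulty sensor that reports a value inside the spread of the correct ones is not detected; that is the gap semantic agreement (Sect. 9.6.3) closes.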
In semantic agreement, it is not necessary to duplicate or triplicate every sensor. Different redundant sensors observe different RT entities. A model of the physical process relates these redundant sensor readings to each other to find a set of plausible agreed values and to identify implausible values that indicate a sensor failure. Such an erroneous sensor value must be replaced by a calculated estimate of the most probable value at the given point in time, based on the inherent semantic redundancy in the set of measurements.

Example: A number of laws of nature govern a chemical process: the conservation of mass, the conservation of energy, and some known maximum speed of the chemical reaction.
These fundamental laws of nature can be applied to check the plausibility of the measured data set. In case one sensor reading deviates significantly from all other sensors, a sensor failure is assumed and the failed value is replaced by an estimate of the correct value at this instant, to be able to proceed with the control of the chemical process.

Semantic agreement requires a fundamental understanding of the applied process technology. It is common that an interdisciplinary team composed of process technologists, measurement specialists, and computer engineers cooperates to find the RT entities that can be measured with good precision at reasonable cost. Typically, for every output value, about three to seven input values must be observed, not only to be able to diagnose erroneous measured data elements, but also to check the proper operation of the actuators. Independent sensors that observe the intended effect of the actuator (see Sect. 6.1.4) must monitor the proper operation of every actuator.

In engineering practice, semantic agreement of measured data values is more important than syntactic agreement. As a result of the agreement phase, an agreed (and consistent) set of digital input values is produced. These agreed values, defined in the value domain and in the time domain, are then used by all (replicated) tasks to achieve a replica-determinate behavior of the control system.

9.7 Error Detection

A real-time operating system must support error detection in the temporal domain and error detection in the value domain by generic methods. Some of these generic methods are described in this section.

9.7.1 Monitoring Task Execution Times

A tight upper bound on the worst-case execution time (WCET) of a real-time task must be established during software development (see Sect. 10.2). This WCET must be monitored by the operating system at run time to detect transient or permanent hardware errors. In case a task does not terminate its operation within the WCET, the execution of the task is terminated by the operating system. It is up to the application to specify which action should be taken in case of an error.

9.7.2 Monitoring Interrupts

An erroneous external interrupt has the potential to disrupt the temporal control structure of the real-time software within the node. At design time, the minimum inter-arrival periods of interrupts must be known to be able to estimate the peak load that must be handled by the software system.
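Returning to the semantic agreement of Sect. 9.6.3, the following added example (Python, written for this edition and not from the book) carries the chemical-process idea through on a simpler constructed plant: a tank fed by a pump and drained through a valve, observed by five sensors that each measure a different RT entity (inflow, outflow, level, pump speed, bottom pressure). Four a priori relations of the process model (mass balance, valve characteristic, pump characteristic, hydrostatic pressure) are evaluated as residuals; the pattern of violated relations is matched against the fault signature of each sensor, and the implausible value is replaced by a model-based estimate, as the text describes. The tank constants, tolerances, sensor names, signatures and readings are constructed, and all function names are my own.

```python
"""Semantic agreement of a measured data set via a process model (added example).

Not code from the book: the tank, its constants, the sensor names and the
readings below are constructed for illustration.
"""
import math

# Process constants (constructed): a 2 m^2 tank, a pump whose flow is
# proportional to its speed, a valve whose outflow follows a square-root law,
# and a pressure sensor at the tank bottom.
AREA_L_PER_M = 2000.0       # litres of volume per metre of level
PUMP_L_PER_S_PER_RPM = 0.05  # f_in = PUMP_L_PER_S_PER_RPM * rpm      [L/s]
VALVE_K = 1.5                # f_out = VALVE_K * sqrt(level)          [L/s]
RHO_G = 9810.0               # hydrostatic pressure per metre of water [Pa/m]
DT_S = 10.0                  # control cycle

# Largest residual a healthy but noisy measurement set is allowed to show.
TOL = {"mass_balance": 0.3, "valve": 0.3, "pump": 0.3, "hydrostatic": 300.0}

# Fault signature: which relations a failure of each sensor disturbs.
SIGNATURE = {
    "f_in":     {"mass_balance", "pump"},
    "f_out":    {"mass_balance", "valve"},
    "level":    {"mass_balance", "valve", "hydrostatic"},
    "rpm":      {"pump"},
    "pressure": {"hydrostatic"},
}

# Constructed healthy measured data set and the agreed level of the previous
# cycle (an agreed datum, not a raw sensor reading).
HEALTHY = {"f_in": 5.0, "f_out": 3.0, "level": 4.0, "rpm": 100.0, "pressure": 39240.0}
PREV_LEVEL = 3.99


def residuals(m, prev_level):
    """Evaluate each a priori relation of the process model on the measured
    data set m (dict sensor -> measured value). A residual near zero means
    the readings involved are mutually plausible."""
    d_volume = (m["level"] - prev_level) * AREA_L_PER_M / DT_S   # L/s
    return {
        "mass_balance": d_volume - (m["f_in"] - m["f_out"]),
        "valve": m["f_out"] - VALVE_K * math.sqrt(max(m["level"], 0.0)),
        "pump": m["f_in"] - PUMP_L_PER_S_PER_RPM * m["rpm"],
        "hydrostatic": m["pressure"] - RHO_G * m["level"],
    }


def estimate(sensor, m):
    """Model-based estimate of one sensor's true value from the other sensors,
    used to replace an implausible reading so control can proceed."""
    if sensor == "f_in":
        return PUMP_L_PER_S_PER_RPM * m["rpm"]
    if sensor == "f_out":
        return VALVE_K * math.sqrt(max(m["level"], 0.0))
    if sensor == "level":
        return m["pressure"] / RHO_G
    if sensor == "rpm":
        return m["f_in"] / PUMP_L_PER_S_PER_RPM
    if sensor == "pressure":
        return RHO_G * m["level"]
    raise KeyError(sensor)


def semantic_agreement(m, prev_level):
    """Return (agreed data set, failed sensor or None or 'unresolved').

    The set of violated relations is matched against the single-fault
    signatures.  A pattern that matches no single sensor (two failures, or a
    model that no longer fits the plant) is reported as 'unresolved' and no
    value is silently repaired; that decision is left to the application."""
    violated = {name for name, r in residuals(m, prev_level).items()
                if abs(r) > TOL[name]}
    if not violated:
        return dict(m), None
    culprits = [s for s, sig in SIGNATURE.items() if sig == violated]
    if len(culprits) != 1:
        return dict(m), "unresolved"
    failed = culprits[0]
    agreed = dict(m)
    agreed[failed] = estimate(failed, m)   # replace the implausible value
    return agreed, failed


if __name__ == "__main__":
    spoofed = dict(HEALTHY, f_out=9.0)     # outflow sensor failed or tampered
    print(semantic_agreement(spoofed, PREV_LEVEL))
    print(semantic_agreement(dict(HEALTHY, f_out=9.0, rpm=500.0), PREV_LEVEL))
```

With the outflow sensor reporting 9.0 L/s, the mass balance and the valve relation are both violated while the pump and pressure relations still hold, which is the signature of the outflow sensor alone; the value is replaced by the valve-law estimate of 3.0 L/s and control continues. Two simultaneous faults give a pattern no single signature explains and the function refuses to repair anything. The caveat a practitioner should keep in mind: semantic agreement catches values that are implausible under the model, so a sensor that is compromised to report values consistent with the other readings and the physics is not detected by this check, and the tolerances in TOL decide how far a sensor may be driven before a relation is flagged.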