CANopen need refs

statistics/statistics.tex

@@ -25,7 +25,7 @@ need to determine which system failure modes are dangerous or safe.
 Were a burner controller to detect a problem with an air pressure switch
 and refuse to start up (and raise an alarm) we can see this is a safe failure mode.
 Were a burner controller to pump fuel into the combustion chamber 
-and then ignite it after long duration\footnote{Most GAS safety timeouts for seeing a flame under ignition conditions specify < 3 seconds} 
+and then ignite it after long duration\footnote{Most GAS safety timeouts for seeing a flame under ignition conditions specify $<$ 3 seconds\cite{en298}} 
 we would have a clear risk of a dangerous explosion.
 Here, the picture is further complicated by the environment.
 If the burner was placed in a remote building and operated
@@ -49,13 +49,25 @@ For the Nuclear power station
 
 
 \section{Terms and Concepts in \\ Safety Critical Engineering}
+\subsection{Timing And Safety Checking}
 
-\subsection{Safety Relevant Data Object}
+\subsubsection{CANopen Timing Definitions}
+
+CANopen is a protocol suite based on the hardware of the CANbus\cite{canopen}.
+It is a hardened differential bus and 
+is arbitration free\footnote{Implemented at the physical and data link layers using DOMINANT and PASSIVE bits}
+It also has a 15 bit\cite{crc15} CRC built into the protocol, which can detect a guaranteed six consecutive bit failures.
+This makes it a very safe and robust messaging medium to use for safety critical systems.
+CAN is a message based protocol, designed originally for automotive applications but 
+now also used in other areas such as industrial automation, industrial burner controllers and medical equipment.
+CANopen literature discusses some of the concepts based around the timing relevance
+of given items of safety critical data.
+\paragraph{Safety Relevant Data Object}
 A Safety Relevant Data Object (SRDO)\cite{caninauto}, is a data structure describing the status of
 a particular feature or attribute of a safety critical system.
 For instance, in a burner this could be a flame signal value, or in a nuclear powerstation
 the measure neutron flux.
-\subsection{Safety relevant Object Validation Time}
+\paragraph{Safety relevant Object Validation Time}
 Safety times can be given for SRDO's; these are termed Safety Related Object Validation Times (SROVT's)\cite{caninauto}. For instance were
 a flame to fail in operation in a gas burner
 standards state \cite{en298} that the gas may not continue to be fed into the
@@ -64,7 +76,7 @@ We can say that the SROVT for a flame signal in a gas burner is 3 seconds.
 \subsection{Single and Double Failure Modes}
 A Safety critical system must self check within the relevant SROVT's.
 On detecting a failure mode it must react appropriately.
-Consider the case though where two failures occurr within the
+Consider the case though where two failures occurr within overlapping
 time windows of their SROVT's. We can term this a double simultaneous failure mode.
 To take an extreme example, were the checking function/mechanism and the object under supervision
 to fail within the SROVT, it may be impossible to detect the failure.