From ad631907fb7476c392770798fe28da2faef87088 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Wed, 15 Sep 2010 08:49:40 +0100 Subject: [PATCH] CANopen need refs --- statistics/statistics.tex | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/statistics/statistics.tex b/statistics/statistics.tex index c62f6ed..a3895e4 100644 --- a/statistics/statistics.tex +++ b/statistics/statistics.tex @@ -25,7 +25,7 @@ need to determine which system failure modes are dangerous or safe. Were a burner controller to detect a problem with an air pressure switch and refuse to start up (and raise an alarm) we can see this is a safe failure mode. Were a burner controller to pump fuel into the combustion chamber -and then ignite it after long duration\footnote{Most GAS safety timeouts for seeing a flame under ignition conditions specify < 3 seconds} +and then ignite it after long duration\footnote{Most GAS safety timeouts for seeing a flame under ignition conditions specify $<$ 3 seconds\cite{en298}} we would have a clear risk of a dangerous explosion. Here, the picture is further complicated by the environment. If the burner was placed in a remote building and operated @@ -49,13 +49,25 @@ For the Nuclear power station \section{Terms and Concepts in \\ Safety Critical Engineering} +\subsection{Timing And Safety Checking} -\subsection{Safety Relevant Data Object} +\subsubsection{CANopen Timing Definitions} + +CANopen is a protocol suite based on the hardware of the CANbus\cite{canopen}. +It is a hardened differential bus and +is arbitration free\footnote{Implemented at the physical and data link layers using DOMINANT and PASSIVE bits} +It also has a 15 bit\cite{crc15} CRC built into the protocol, which can detect a guaranteed six consecutive bit failures. +This makes it a very safe and robust messaging medium to use for safety critical systems. +CAN is a message based protocol, designed originally for automotive applications but +now also used in other areas such as industrial automation, industrial burner controllers and medical equipment. +CANopen literature discusses some of the concepts based around the timing relevance +of given items of safety critical data. +\paragraph{Safety Relevant Data Object} A Safety Relevant Data Object (SRDO)\cite{caninauto}, is a data structure describing the status of a particular feature or attribute of a safety critical system. For instance, in a burner this could be a flame signal value, or in a nuclear powerstation the measure neutron flux. -\subsection{Safety relevant Object Validation Time} +\paragraph{Safety relevant Object Validation Time} Safety times can be given for SRDO's; these are termed Safety Related Object Validation Times (SROVT's)\cite{caninauto}. For instance were a flame to fail in operation in a gas burner standards state \cite{en298} that the gas may not continue to be fed into the @@ -64,7 +76,7 @@ We can say that the SROVT for a flame signal in a gas burner is 3 seconds. \subsection{Single and Double Failure Modes} A Safety critical system must self check within the relevant SROVT's. On detecting a failure mode it must react appropriately. -Consider the case though where two failures occurr within the +Consider the case though where two failures occurr within overlapping time windows of their SROVT's. We can term this a double simultaneous failure mode. To take an extreme example, were the checking function/mechanism and the object under supervision to fail within the SROVT, it may be impossible to detect the failure.