Carnegie Mellon University
18-849b Dependable Embedded Systems
Author: Leo Rollins
Most embedded systems contain some type of input or output to control or communicate with the external world. The scope of the I/O subsystem in an embedded system includes sensors and actuators, conversion of signals between the analog and digital realm and delivery to (from) the controlling function. In order to build dependable embedded systems, the designer must consider the requirements that are allocated to the I/O subsystem. For increased dependability, redundancy in the form of multiple or diverse sensors, mechanical interlocks, and manual input from human operators must be considered. Two trends in I/O promise additional features and dependability: Fieldbus and intelligent I/O. These techniques promise lower cost, enhanced maintenance and diagnostic capabilities, and interoperability. However, a slow and fragmentary standardization process presents a challenge to the widespread use of these techniques.
The I/O subsystem is a sometimes overlooked component of the larger embedded control system. It includes devices in the field that convert physical phenomena (such as temperature or flow) into electrical signals (such as voltage or current). Some part of the I/O subsystem must convert these electrical signals into digital representations. Here we are assuming that the embedded control system is a digital system. These digital representations must also be delivered to the portion of the system that is performing the control algorithm. This distinction between analog to digital conversion and delivery to control function is made because recent trends in system design have distributed the components of the embedded system. In this paper a discussion of the I/O system as defined above is considered in the development of dependable embedded control systems.
In building dependable I/O subsystems, two main aspects must be considered: the requirements of individual sensors and actuators and the application of redundancy. The redundancy aspects of I/O are covered briefly. The use of redundancy in general is covered under the topic Distributed Dependability.
Some improvement in the dependability of the I/O hardware in a system can be gained from adding a second sensor or actuator for the same function. For sensors at least, this assumes that there is some algorithm that allows erroneous signals to be excluded from the control function. For actuators, parallel I/O devices may be used control the external device. Another typical scheme is to use majority voting of actuation devices. If some coverage of software is desired, completely diverse measurements and control algorithms may be used. For instance, a holding tank may be protected from overpressurization by monitoring both pressure and temperature. Unfortunately, complete diversity can be costly. This may exclude its use from certain embedded applications such as automobiles.
The replication of sensors and actuators (excluding diversity) does not address software failures of the I/O subsystem. An economical redundancy method that includes some coverage of software errors is to include manual permissives or interlocks. Figure 1 shows an example of the use of a manual interlock in an air-bag control system. This example is taken from [Hollingum96]. A micro-controller has an accelerometer as an input. Other potential inputs may be vehicle speed and whether the driver has their seatbelt fastened. Using these inputs, the microcontroller determines the optimum time to deploy the airbag using its output to a transistor switch. In series with the airbag is a mechanical interlock. This interlock is a switch held open by a spring. On the switch a magnet is mounted. If the car decelerates rapidly, the inertia of the mass of the magnet overcomes the spring force and the switch closes. The magnet serves to hold the switch closed. This interlock is designed to prevent spurious actuation in the presence of some failure in the accelerometer, micro-controller, or transistor switch. Note that this interlock could also prevent unwanted actuation due to some design errors in the micro-controller software. This series example is designed to prevent spurious actuation of the airbag in the presence of failures. A parallel system would be required to assure actuation in the presence of failures.
Figure 1: Air-bag Mechanical Interlock Example
A third redundancy method is to allow manual inputs to the system. This serves to make the human operator the redundant component of the system. Certain foreseen and unforeseen system events can best be handled in this manner. For more information, refer to Human Computer Interfaces.
Many factors go into the design of individual sensors and actuators that are dependable. While all of these factors are important in developing dependable I/O, the factors that present special challenges to embedded systems are of particular interest. Presented below is a list of important factors and a brief discussion.
The method of signaling between sensors and actuators and the rest of the system is an important aspect of I/O design. Several signaling methods have dominated for a period of years. From the early control period before electronic systems (1940's into the 1960's), pneumatic signaling (3-15psi) was used. Latter with the development of analog electronics, current loop signaling (4-20mA) became popular. Current loops were chosen because of their superiority over voltage signaling with respect to noise immunity. Current loops continue to be used today in digital systems. However, it has been recognized that digital signaling presents some advantages in digital systems. An interim standard was developed called Hart that combined digital and analog signaling. Current loops were used as a carrier for digital information. Both the analog current and the impressed digital carried the information about the process value and either could be used. In existing systems, the wiring could be preserved and selected sensors or embedded controllers could be upgraded in a phased manner. In the 1990s an all-digital signaling system known as Fieldbus began gaining in popularity. A discussion of Fieldbus and its properties follows.
Fieldbus is a generic name that describes an all-digital signaling method. Sensors, actuators and controllers are networked together to exchange information. This implies that all sensors and actuators must have some digital component to transmit and receive communication messages. Many Fieldbus components contain a microprocessor, however the digital signaling may be accomplished with special purpose devices such as field programmable gate arrays, ASICs or custom ICs. It is interesting to note that when they contain a microprocessor, the sensors and actuators themselves become embedded systems.
The advantages of Fieldbus communication have been widely publicized by the process control industry. The primary advantages claimed include:
Standardization of presents the largest challenge to Fieldbus in becoming the major signaling method used for I/O. In the pursuit of market share and profit, many vendors have quickly developed their own proprietary protocols or endorsed existing protocols. Standardization efforts have been ongoing for the last 15 years. Some Fieldbus protocols have joined forces in an effort to produce a unified standard. An example of this is the efforts of ISP (Interoperable Standards Project) and WorldFIP (World Factory Information Protocol) which have joined forces to form the Fieldbus Foundation. Vendors have endorsed these protocols while still delivering product based on earlier protocols. This "wait-and-see" attitude has hampered the emergence of a single protocol for Fieldbus. Over 200 Fieldbus protocols are in use today. Some of the popular protocols include Profibus (Europe), Modbus, CAN (auto), and FIP (factory automation). A good introduction to Fieldbus and the challenges of standardization can be found in [Coutinho95].
There is another trend in I/O toward increasing function that is largely compatible with Fieldbus called intelligent I/O. Several loose definitions have been proposed for what constitutes intelligent I/O. Lawrence Holliday characterized them in 1993 as "... highly sophisticated sensing devices capable of signal analysis self-diagnosis, and digital communication." Another view holds that in order to be intelligent, the sensor or actuator must take over some portion of the control function normally allocated to the controller.
Intelligent I/O devices normally include a microprocessor. They almost always use some type of Fieldbus communication. Therefore, they claim all of the advantages that are claimed by Fieldbus. They also claim the following additional benefits:
Many of the design and evaluation techniques associated with the I/O system are well understood. The challenge for the embedded designer is familiarity with the variety of techniques. In particular the embedded I/O designer must be versed in control theory, digital signal processing, filtering, A/D conversion techniques and transducer conversion techniques.
Fortunately there are many high quality computer tools to assist the embedded I/O designer. One widely used example is MATLAB. Various toolboxes within MATLAB exist and are consistently upgraded, such as the control systems toolbox and the signal processing toolbox. There are also many tools that automate the configuration of Fieldbus devices. The good news for Fieldbus is that good configuration tools exist. The bad news is that every vendor has his own. The tool situation for Fieldbus may improve with increasing standardization.
The important metrics for I/O design are primarily associated with A/D conversion and control theory. For A/D conversion, designers are concerned with signal-to-noise ratio, dynamic range of converters, effective number of bits, accuracy, resolution, conversion speed and cost. For control theory the primary interest is with sample rate and its effects on the stability of the control system.
Because of the emerging Fieldbus trend, I/O is closely linked with communication.
I/O is normally used for real-time control.
Robust Control Theory
The sample rate and uncertainty in I/O have implications for the stability of the control system. Uncertainty is covered by robust control.
Intelligent I/O represents a convergence of the microprocessor and the sensing device. MEMS takes this convergence to the extreme where the microprocessor and sensor become co-located on the same physical integrated circuit.
Designing dependable I/O systems has two aspects: individual I/O and redundancy. The design of dependable individual I/O has a variety of aspects including EMC, shock/vibration, environment, A/D and D/A conversion, diagnostics, testing and calibration. Each can present special challenges for the embedded designer in terms of cost or accessibility concerns. All of the redundancy methods, including diversity, interlocks, and human interaction, should be considered to address the safety concerns of an embedded system.
Two new trends in I/O design are important: Fieldbus and Intelligent I/O. These promise increased functionality and lower cost. The primary challenge to acceptance of these techniques is standardization to achieve interoperability.
The embedded I/O designer must be well versed in a variety of techniques to produce dependable cost effective designs.
Notes: Discusses a breakthrough in DSP (digital signal processing) theory which would allow sampling below the Nyquist Rate without aliasing. The primary driver is extended frequency range sampling which would imply sample rates beyond existing technology. The technique focuses on precise but random sampling about some point. Extensive transformation is required after sampling to get the sampled data into a usable form.
Notes: A tutorial on Fieldbus developed by students at the Curtin University of Technology at West Australia. The standardization problem is presented in some detail, along with a definition of the major vendors behind each standard.
Notes: This is an excellent reference source for an explanation of the variety of A/D conversion techniques. Trade-offs between accuracy, resolution and cost are included. All of the terms found on common data sheets are explained.
Notes: Examples of sensors used in automobile airbag systems are discussed. This reference provides the example discussed above for using interlocks in I/O system to achieve greater dependability.
Notes: This is a compendium of articles from experts in the field of process control. Important chapters concern transducer techniques, basic control, and noise minimization techniques.
Notes: Good general introduction to intelligent I/O. Advantages largely overlap with Fieldbus. Also developed by students at the Curtin University of Technology at West Australia.
Notes: Presents a perspective from a vendor (Action Instruments) on the benefits of Fieldbus, and the standarization process to date. Provides a good comparison of Fieldbus standards including SP50, LON, and CAN.
Notes: This paper examines an event-triggered method for recognizing and tolerating responses from I/O systems that occur either to early or two late. The application of this technique may be limited to I/O sensors where the change in response time between samples is limited by physical laws. The example given is motor speed control where the change in speed is limited by physical constraints.
Notes: Presents a short history of what smart has meant for sensors over the years. Has the view that the manufacturers of sensors and actuators will drive what increasing "smartness" will be provided in I/O.
Notes: Presents some of the details about three protocols used for Fieldbus. The author's intent is to show that each protocol is tailored to a particular application. This fact may be what is hindering a unified standard. If a unified standard is developed, it may basically define different classes for different applications.
Notes: News report that gives market data for several popular Fieldbuses in Europe. Profibus is shown with an approximate 41% market share.
Notes: Concerned with combining the design of I/O for control with the design of fault detection. Presents a case that designing these together increases the dependability of the system.
DASP - Digital Alias Free Sampling. Refer to [Bilinskis97]
Go To Project Page