- Email: [email protected]
Safe, Fast and Cheap Programmable Control
Copyright 6th IFAC Symposium on Cost Oriented Automation Berlin, Germany, 2001
SAFE, FAST AND CHEAP PROGRAMMABLE CONTROL W.A. Halang, P. Vogrin and S. Lu
FemUniversitiit Faculty of Electrical Engineering 58084 Hagen, Germany [email protected]
Abstract: A programmable (logic) controller especially suited for automation applications of highest safety criticality, Le., on Safety Integrity Level 4, is presented. Its main characteristics are input conditioning by low resolution analogue-to-digital converters and inference by look-up in cause/effect tables or rule set tables. This programmable electronic system consists of a few industry standard components, only. Thus, it is reliable, safe, verifiable, cheap and small. Owing to the simplicity of both its hardware and software, safety licensing of the controller is facilitated . With regard to software, this can easily be carried out by inspection of the table content. As a result, the approach is particularly cost effective with respect to software development. The controller is very fast, with its speed mainly determined by the table access time, and works almost jitter free . Operating in a strictly cyclic fashion , the controller exhibits fully predictable real time behaviour. Its hardware operation is supervised by a fail safe logic immediately initiating an emergency shut-down in case of a malfunction. Keywords: Programmable logic control , Safety Integrity Level 4, fail safe behaviour, predictable real time behaviour, low software costs, high operation speed.
1. INTRODUCTION
Safety related devices and control systems are employed in many application areas of vital importance. For the following two main reasons, however, the performance of state-of-the-art programmable logic controllers employed in safety critical systems is often very unsatisfying: (1) In general, safety licensing is still an unsolved problem due to the complexity of hardware and software. Hitherto, it was impossible to establish that safety critical systems consisting of hardware and, particularly, software were error free. Therefore, the guidelines of the licensing authorities state quite elementary design principles for control equipment. In particular, according t.o the
List of Type Approved Programmable Electronic Systems published by TDv Rheinland (Melchers, 1998) , it is prohibited to use PID or other more complex control algorithms in safety related applications. (2) Another detriment to present controllers is their inherent lack of two aspects of speed: • Owing to their mathematical models, control systems react slowly after modifications of their set-points, and after the occurrence of unforeseen events, such as disturbances, defects and alterations of parameters of the technical processes being controlled. • The loop execution times are rather long due to the need for sequential calculations.
These are then subjected to an inference engine co-operating with a rule base. The outputs from the inference engine are directly provided to an action interface, which finally performs process actuation.
Fig. 1. Block diagram of a programmable logic controller A novel programmable logic controller is described addressing safety issues not by diversity but by perfection. Therefore, it is highly suitable for control tasks as t.ypically found in applicat.ions having to meet the requirements of Safety Integrity Level 4 as defined in IEC 61508 (IEC, 1998) . The presented design fascinates by its simplicity as, in contrast to conventional controllers, it avoids any kind of sequential programs and arithmetic calculations allowing for extremely short loop execution times and, hence, high speed. Nevertheless , the controller's behaviour is easily programmable by just inserting other memory modules containing different tables. Thus, the controller can, in principle, approximate any control algorithm with sufficient precision (Vogrin, 2000). The programmable logic controller conditions its input domains by relatively coarse rastering carried out in hardware, viz., by linear or non-linear low resolut.ion analogue-to-digit.al converters. This leads to an inference scheme which does not require any numerical or Boolean computations, but just look-ups in tables containing rule sets. Thus, the controller neither needs a general purpose processor nor software in form of sequential computer programs, both of which would make the controller's safety licensing practically impossible considering the present state-of-the-art. Instead, software only takes the form of rules in tables or of cause/effect tables, lending itself to rigorous verification by inspection (Fagan , 1976) in a highly cost effective way. By design, the controller consists of a rather limited number of inexpensive, relatively simple and long established hardware modules whose correct operation is permanently supervised by an inherently fail safe circuitry. Upon any irregularity, this supervisor immediately causes an emergency shut-down of the controller and the technical process. Thus, safety licensing of the hardware can follow well understood and already proven procedures.
2. AN ELECTRONIC SYSTEM PROGRAMMED BY RULE SETS As shown in Figure 1, a programmable logic controller is designed with a condition interface producing rast.ered values of several input variables.
As inputs several analogue signals, such as speed and angle of rotation, are provided to the controller in form of control errors, Le., differences between actual measured values and desired values. For reasons of algorithmic simplification in the controller, and to use proven hardware as widely as possible, these differences are determined in analogue form with operational amplifiers. The transfer behaviour of the programmable logic controller can be described by the static relations between its input and output values. Thus, if the raster intervals of the inputs are small enough, it is possible to approximate any static control algorit.hm with this type of cont.roller. Moreover, dynamic controllers can be composed by adding integrators and differentiators. The main component of the controller is the inference engine. It operates under a strictly cyclic regime, such as indust.rial programmable logic controllers. In contrast to the latter, however, each loop execution takes exactly the same amount of time, because the same operations are carried out in every iteration . Thus, the controller's real time behaviour is fully deterministic and easily predictable. Every loop execution comprises three steps: (1) input data generation by analogue-to-digital conversion in the condition interface, (2) inference by determining appropriate cont.rol rules, and (3) control actuation via digital-to-analogue converters in the action interface. These steps as well as the overall operation cycle are strictly synchronised with a system clock.
2.1 Condition Interface The cont.rol errors are fed int.o the condition interface. The domains of the input variables are subdivided into intervals and, thus, a (coarse) discretisation of the input data is obtained. As the input values are given in analogue form, the most simple and straightforward way to directly obtain the corresponding digital coding is to employ analogue-to-digital converters. Thus, if the intervals are equally long, the condition interface reduces to a set of standard AID converters, whose number equals the number of input variables.
Fig. 2. Basic principle of the programmable logic controller By discrete implementation of the AID converters, or by non-linear pre-amplification ill the input stage, non-equidistant domain partitions can be realised, thus providing different precision in different ranges. Typically, higher precision is selected around reference points. Employing unequally spaced input intervals of the AID converters, the size of the rule base tables can be reduced by orders of magnitude.
2.2 Inference Engine
The inference operation of the programmable logic controller is based on a scheme which does not require any computations, but just look-ups in rule base tables (Hampel et al., 1999). Such a rule base table might be interpreted as a cause effect table. Each rule of the cause effect table has, in principle, the elementary form : if {cause;} then {effectj}
The inference engine's rule base consists of one table for each output variable to be determined. Logically, these tables have the form as shown in Table 1: A value of an output variable is assigned to any conjunctive combination of the values corresponding input variables can assume. Such tables are most easily implemented as random access memories which, for safety reasons, should be readable only, i.e., as ROMs, PROMs, or EPROMs. Actually, Boolean conjunction of input variables is not performed. Instead, the binary codes of the input values are concatenated (Hampel et ILL., 1999) to form addresses of table entries, i.e., memory locations, containing digital equivalents of the desired actuations.
Trigger signal forshul-offrelay
Fig. 3. Dynamisation principle for fail safe supervision
Figure 2 shows the principle of the controller. An input latch is needed to prevent jitter on address lines. The state of inputs is sampled and latched to provide the address bits of an EPROM. The thus read out data represent the output value associated with the given inputs. Latches hold the output values until new ones are provided. A sequencer, implemented with a PAL and consisting of a clock generator and dividers (counters), controls the latching of inputs, the generation of outputs, and their latching in a sequential way.
2.3 Action Interface
The EPROM read-outs are finally provided to the action interface. In the design presented here any further transformations are avoided by directly storing in the rule base tables (EPROM) the digital equivalents of the desired actuations. Hence, the action interface reduces to a standard digitalto-analogue converter for each output signal to be generated by the controller. It operates cyclically, starting conversion every fourth controller cycle.
2.4 Fail Safe Supervision
In order to make the programmable logic controller apt for utilisation in safety critical or vital environments, it is endowed by a device supervising correct operation. In case of a malfunction this supervisor generates a signal which can be used to initiate an emergency shut-down of both the controller and the technical process being automated. Owing to these requirements, the supervisor must be implemented in a fail safe logic. To this end, a dynamisation principle is applied. As shown in Figure 4, a detailed functional diagram of the programmable logic controller, each functional unit provides a ready signal indicating successful operation. These signals are logically conjugated, by fail safe And gates, with the clock signals initiating the particular operations to form enable signals provided to the subsequent operation each. The last digital-to-analogue conversion performed in the action interface enables the first analogueto-digital conversion in the condition interface to realise cyclic control operation. All enable signals are also input to a fail safe Or gate whose output drives an RC element. The temporal behaviour of the voltage at the capacitor C is depicted in Figure 3. Only when the enable signals continue to permanently re-load the capacitor via the Or gate and the resistor R, the voltage at C remains higher than a certain threshold. If the signals cease for any reason whatsoever, the capacitor discharges causing a relay to switch to emergency-off.
J Enable D :-
I--
Enable
~cp
Rule base table I
Enable D
I Electromagnetic valve
'---";
Rule base table 2
Enable D I--
A Ready
A Ready
CP '~ f
cp "LP
T
~'cp ystem clock
Heater control
A Ready
Enable D
Enable
:'cp
T :-
cp ')CP
r- -
-~
.
¥
f-
Enable D
cp :~
~
-I--
f---------
A Ready
-
~
T :-
[,
J
A Ready
1
cp ':!
11
(I)
>~I
I
R -.
c
I
General enable signal
Fig. 4. Fail safe supervision of the programmable logic controller's operation
3. SOFTWARE SAFETY LICENSING The contents of the rule base tables is the only "software" contained in the programmable logic controller. All other functions are implemented in hardware. Here software does not mean executable sequential programs fetched from writable memory as in the classical von Neumann computer architecture. Instead, it is better described as a parametrisation with which a general purpose controller is configured to perform a specific function . Since coded rule bases should always reside in some kind of read-only memories, the software takes on the form of firmware.
Owing to the software's very limited complexity, it is feasible to employ the safety licensing method of inspection. This method was developed by a licensing authority, viz., TUV Rheinland, and consists of reading loaded object code out of a machine and having it analysed and checked by human licensors (Krebs and Haspel, 1984) . If they work without mutual interaction, the process fulfills the requirements of diversity. Inspection is essentially informal, easily understandable, and immediately applicable without training. Its ease of understanding and use inherently fosters error free application of the method.
Rigorous software verification is, in general, still an unsolved problem due to the complexity of software. Moreover, for purposes of safety licensing object code, i.e. , the only version of a program actually visible to and executed by a machine, must be considered, because the transformation of a program's representation from source to object code by a compiler or assembler may introduce errors into the object code. The architecture of the programmable logic controller presented here greatly facilitates the rigorous verification of the software contained under the constraint that object code needs to be examined.
Since rule base tables are machine executable on one hand, but also constitute formal problem specifications on the other, there is, by design, no semantic gap, except coding, in the programmable logic controller's architecture between the levels relating to humans and to the machine. Inspecting object code thus means to verify an implementation and to validate a problem specification at the same time. The effort and cost to verify rule base tables and their correct implementation is by orders of magnitude less than for licensing sequential software and is, therefore, also economically feasible.
r
j ......
'FJ
4. CASE STUDY: ROTATION CONTROL OF A POINTER
o
The following simple example shows, in principle, the way to construct a rule based controller. Angle of rotation control of a pointer without friction or any other damping is considered, to provide for the most difficult case to control. As the pointer moves on a vertical plane, the gravity needs to be considered, and usually a torque is needed to hold the pointer at the desired angle. Let the pointer's mass be 1 kg and its length 1 m. Therefore, the rotation of the pointer is mathematically described by the following differential equation for the angle tP as a function of time:
~~ =3·(Mc+ M D+4.9· sin tP)
2
4
6
I I I I I I ·1000
·2
·0 .2
·0,02
0.02
1000
0.2
Fig. 6. Input intervals of the control deviation of the rotation angle (AD--2) For the domains of the input variables nonequidistant partitionings with higher precision around zero as shown in Figures 6 and 7 are selected, which can be implemented using corresponding analogue-to-digital converters or nonlinear input pre-amplification.
o
4
6
I I I I I I I I I I
and
-100
Mc = 5· I
XI
-15
·10
·0.2
0.2
10
IS
100
x!
Fig. 7. Input intervals of the angular velocity (A36)
with Mc being the torque controlling the pointer, MD the torque disturbing it , and I the current leading to the torque Mc . If the control deviation is larger than 2 rad and MD is not too big, the pointer moves to the desired rotation angle with an angular velocity between 10 and 15 rad/s, and the controller works as speed controller. After the acceleration period the pointer moves to the desired angle nearly without actuations. Therefore, if the control error is 2 rad, the angular velocity is between 10 and 15 rad/s. It is easy to construct and to improve a rule based controller for this narrow speed range. If the control deviation is smaller than 2 rad, the controller works as angle of rotation cont.roller. It is also possible to control the speed of the pointer dependent on the control deviation . This approach could reduce the regulating time. Higher speed, however, cert.ainly leads to higher mechanical forces . These considerations lead to the structure of a rule based controller as shown in Figure 5.
Fig. 5. Structure of a rule based rotation controller of a pointer
Jo
The number of words required in the EPROM corresponds to the product of the numbers of input intervals. In this example 63 words are needed. Table 1 shows a part of the rule base table, in which ID is the digital equivalent of the current leading to the torque Mc. These values are stored in the EPROM. Table 1. Section of a rule base table for one output variable Interval of input Xl 2 2 2 3 3 3 3 3
Interval of input X2 6 7
8 0 1
2 3 4
Actuation ID 1.3 3 5 -5 -4 -1.8 -0.3 0
Experiments and measurements were carried out (Vogrin, 2000) to compare the performance of a rule based controller as described above and of the best possible classical PID controller. They revealed that, in addition to the ones already mentioned, the rule based controller has many advantages as compared to controllers with conventional structures such as PID: • The overshoot after a set-point jump is much smaller (less than 0.1 rad) independent ofthe set-point. • The output error is smaller than 0.1 rad in a much shorter time. • If the disturbing torque MD is not too large, it is possible to freely determine the maximum speed of the pointer.
This case study also shows that it is possible to build a rule based controller with an EPROM of a very small capacity, only. Nevertheless, its performance turns out to be much better than the performance of a conventional approach. Moreover, it is easily feasible to improve the performance of the rule based controller. The range of permanent control errors can, for instance, be reduced by • providing more input intervals, especially for the control deviation Xl, close to zero, or by • providing an additional controller input for the integral of the rotation angle's control deviation.
5. CONCLUSION The major advantages of the programmable logic controller described in this paper are its inherent safety and speed. Its main characteristics are input conditioning by analogue-to-digital converters and inference by look-up in rule tables. The controller consists of a few relatively simple and cheap industry standard hardware modules. Hence, safety licensing of the hardware can follow well understood and long established procedures. The main task of a safety proof is to verify an implemented rule set's correctness by inspection. This method leads back in one easy step from machine code to problem specifications. For the design presented, the effort required to utilise inspection to safety license control software is by several orders of magnitude smaller than to verify sequential programs running on von Neumann computers, thus making safety licensing economically feasible. Owing to its simple construction and its software form's utmost simplicity, the controller can be licensed for applications with the highest safety requirements, i.e., those of Safety Integrity Level 4. Working in a strictly periodic fashion with (almost) no jitter, the controller's real time behaviour can be predicted in full. Its hardware operation is supervised by a fail safe logic immediately initiating an emergency shutdown in case of a malfunction. Since the kind of software employed in the controller has not the form of sequential programs but of decision tables and parametrisations, the costs of developing and verifying it are much lower as compared to sequential software with the same functionality. These savings outweigh by far the higher expenditure for analogue components meeting increased quality standards as may be required by certain applications.
Basically, it is possible to approximate any control algorithm by this type of rule based controller. In general, the better the approximation and the larger the number of inputs the higher is the EPROM capacity needed, which may be very large. Fortunately, there exist possibilities to reduce these capacity requirements, e.g., by cascading rule base tables. Surprisingly, in practice it turns out that this space is often very small. The programmable logic controller presented here is, therefore, able to solve difficult control tasks very easily and transparently. It can be adapted to the requirements of any technical process. We have built a prototype of the programmable logic controller with a 64 Kword EPROM. It is cheap and small, and runs very fast with a loop execution time of 800 ns. Controllers often need to provide certain functions such as timers, counters, or internal storage. Also, digital and analogue inputs and outputs must be dealt with. A range of such modules was implemented which can be plugged into the prototype.
6. REFERENCES Fagan, M.E. (1976). Design and Code Inspection to Reduce Errors in Program Development. IBM Systems JoumallS(3), 182-211. Hampel, R., H. Stegemann, F. Worlitz and N. Chaker (1999). Verfahren zur Regelung zeitkritischer Prozesse durch einen High Speed Matrix Controller. (German) PatentOffenlegungsschrift DE 19756507 A 1. Draft International Standard IEC 61508-1 (1998). Functional Safety of Electrical/Electronic/ Programmable Electronic Systems: Generic Aspects - Part 1: General Requirements. International Electrotechnical Commission, Geneva. Krebs, H., and U. Haspel (1984). Ein Verfahren zur Software-Verifikation. Regelnngstechnische Praxis rtp 26, 73-78. Melchers, W. (1998). List of Type Approved Programmable Electronic Systems (PES), Version 3.2. TUV Rheinland Sicherheit und Umweltschutz GmbH, Institute for Software, Electronics, Railroad Technology (ISEB), Cologne. Vogrin, P. (2000). Safety Licensable and High Speed Programmable Digital Controllers Providing Any Required Control Behaviour. Fortschr.-Ber. VDI Reihe 8 Nr. 814. VDI Verlag, Diisseldorf.
SAFE, FAST AND CHEAP PROGRAMMABLE CONTROL W.A. Halang, P. Vogrin and S. Lu
FemUniversitiit Faculty of Electrical Engineering 58084 Hagen, Germany [email protected]
Abstract: A programmable (logic) controller especially suited for automation applications of highest safety criticality, Le., on Safety Integrity Level 4, is presented. Its main characteristics are input conditioning by low resolution analogue-to-digital converters and inference by look-up in cause/effect tables or rule set tables. This programmable electronic system consists of a few industry standard components, only. Thus, it is reliable, safe, verifiable, cheap and small. Owing to the simplicity of both its hardware and software, safety licensing of the controller is facilitated . With regard to software, this can easily be carried out by inspection of the table content. As a result, the approach is particularly cost effective with respect to software development. The controller is very fast, with its speed mainly determined by the table access time, and works almost jitter free . Operating in a strictly cyclic fashion , the controller exhibits fully predictable real time behaviour. Its hardware operation is supervised by a fail safe logic immediately initiating an emergency shut-down in case of a malfunction. Keywords: Programmable logic control , Safety Integrity Level 4, fail safe behaviour, predictable real time behaviour, low software costs, high operation speed.
1. INTRODUCTION
Safety related devices and control systems are employed in many application areas of vital importance. For the following two main reasons, however, the performance of state-of-the-art programmable logic controllers employed in safety critical systems is often very unsatisfying: (1) In general, safety licensing is still an unsolved problem due to the complexity of hardware and software. Hitherto, it was impossible to establish that safety critical systems consisting of hardware and, particularly, software were error free. Therefore, the guidelines of the licensing authorities state quite elementary design principles for control equipment. In particular, according t.o the
List of Type Approved Programmable Electronic Systems published by TDv Rheinland (Melchers, 1998) , it is prohibited to use PID or other more complex control algorithms in safety related applications. (2) Another detriment to present controllers is their inherent lack of two aspects of speed: • Owing to their mathematical models, control systems react slowly after modifications of their set-points, and after the occurrence of unforeseen events, such as disturbances, defects and alterations of parameters of the technical processes being controlled. • The loop execution times are rather long due to the need for sequential calculations.
These are then subjected to an inference engine co-operating with a rule base. The outputs from the inference engine are directly provided to an action interface, which finally performs process actuation.
Fig. 1. Block diagram of a programmable logic controller A novel programmable logic controller is described addressing safety issues not by diversity but by perfection. Therefore, it is highly suitable for control tasks as t.ypically found in applicat.ions having to meet the requirements of Safety Integrity Level 4 as defined in IEC 61508 (IEC, 1998) . The presented design fascinates by its simplicity as, in contrast to conventional controllers, it avoids any kind of sequential programs and arithmetic calculations allowing for extremely short loop execution times and, hence, high speed. Nevertheless , the controller's behaviour is easily programmable by just inserting other memory modules containing different tables. Thus, the controller can, in principle, approximate any control algorithm with sufficient precision (Vogrin, 2000). The programmable logic controller conditions its input domains by relatively coarse rastering carried out in hardware, viz., by linear or non-linear low resolut.ion analogue-to-digit.al converters. This leads to an inference scheme which does not require any numerical or Boolean computations, but just look-ups in tables containing rule sets. Thus, the controller neither needs a general purpose processor nor software in form of sequential computer programs, both of which would make the controller's safety licensing practically impossible considering the present state-of-the-art. Instead, software only takes the form of rules in tables or of cause/effect tables, lending itself to rigorous verification by inspection (Fagan , 1976) in a highly cost effective way. By design, the controller consists of a rather limited number of inexpensive, relatively simple and long established hardware modules whose correct operation is permanently supervised by an inherently fail safe circuitry. Upon any irregularity, this supervisor immediately causes an emergency shut-down of the controller and the technical process. Thus, safety licensing of the hardware can follow well understood and already proven procedures.
2. AN ELECTRONIC SYSTEM PROGRAMMED BY RULE SETS As shown in Figure 1, a programmable logic controller is designed with a condition interface producing rast.ered values of several input variables.
As inputs several analogue signals, such as speed and angle of rotation, are provided to the controller in form of control errors, Le., differences between actual measured values and desired values. For reasons of algorithmic simplification in the controller, and to use proven hardware as widely as possible, these differences are determined in analogue form with operational amplifiers. The transfer behaviour of the programmable logic controller can be described by the static relations between its input and output values. Thus, if the raster intervals of the inputs are small enough, it is possible to approximate any static control algorit.hm with this type of cont.roller. Moreover, dynamic controllers can be composed by adding integrators and differentiators. The main component of the controller is the inference engine. It operates under a strictly cyclic regime, such as indust.rial programmable logic controllers. In contrast to the latter, however, each loop execution takes exactly the same amount of time, because the same operations are carried out in every iteration . Thus, the controller's real time behaviour is fully deterministic and easily predictable. Every loop execution comprises three steps: (1) input data generation by analogue-to-digital conversion in the condition interface, (2) inference by determining appropriate cont.rol rules, and (3) control actuation via digital-to-analogue converters in the action interface. These steps as well as the overall operation cycle are strictly synchronised with a system clock.
2.1 Condition Interface The cont.rol errors are fed int.o the condition interface. The domains of the input variables are subdivided into intervals and, thus, a (coarse) discretisation of the input data is obtained. As the input values are given in analogue form, the most simple and straightforward way to directly obtain the corresponding digital coding is to employ analogue-to-digital converters. Thus, if the intervals are equally long, the condition interface reduces to a set of standard AID converters, whose number equals the number of input variables.
Fig. 2. Basic principle of the programmable logic controller By discrete implementation of the AID converters, or by non-linear pre-amplification ill the input stage, non-equidistant domain partitions can be realised, thus providing different precision in different ranges. Typically, higher precision is selected around reference points. Employing unequally spaced input intervals of the AID converters, the size of the rule base tables can be reduced by orders of magnitude.
2.2 Inference Engine
The inference operation of the programmable logic controller is based on a scheme which does not require any computations, but just look-ups in rule base tables (Hampel et al., 1999). Such a rule base table might be interpreted as a cause effect table. Each rule of the cause effect table has, in principle, the elementary form : if {cause;} then {effectj}
The inference engine's rule base consists of one table for each output variable to be determined. Logically, these tables have the form as shown in Table 1: A value of an output variable is assigned to any conjunctive combination of the values corresponding input variables can assume. Such tables are most easily implemented as random access memories which, for safety reasons, should be readable only, i.e., as ROMs, PROMs, or EPROMs. Actually, Boolean conjunction of input variables is not performed. Instead, the binary codes of the input values are concatenated (Hampel et ILL., 1999) to form addresses of table entries, i.e., memory locations, containing digital equivalents of the desired actuations.
Trigger signal forshul-offrelay
Fig. 3. Dynamisation principle for fail safe supervision
Figure 2 shows the principle of the controller. An input latch is needed to prevent jitter on address lines. The state of inputs is sampled and latched to provide the address bits of an EPROM. The thus read out data represent the output value associated with the given inputs. Latches hold the output values until new ones are provided. A sequencer, implemented with a PAL and consisting of a clock generator and dividers (counters), controls the latching of inputs, the generation of outputs, and their latching in a sequential way.
2.3 Action Interface
The EPROM read-outs are finally provided to the action interface. In the design presented here any further transformations are avoided by directly storing in the rule base tables (EPROM) the digital equivalents of the desired actuations. Hence, the action interface reduces to a standard digitalto-analogue converter for each output signal to be generated by the controller. It operates cyclically, starting conversion every fourth controller cycle.
2.4 Fail Safe Supervision
In order to make the programmable logic controller apt for utilisation in safety critical or vital environments, it is endowed by a device supervising correct operation. In case of a malfunction this supervisor generates a signal which can be used to initiate an emergency shut-down of both the controller and the technical process being automated. Owing to these requirements, the supervisor must be implemented in a fail safe logic. To this end, a dynamisation principle is applied. As shown in Figure 4, a detailed functional diagram of the programmable logic controller, each functional unit provides a ready signal indicating successful operation. These signals are logically conjugated, by fail safe And gates, with the clock signals initiating the particular operations to form enable signals provided to the subsequent operation each. The last digital-to-analogue conversion performed in the action interface enables the first analogueto-digital conversion in the condition interface to realise cyclic control operation. All enable signals are also input to a fail safe Or gate whose output drives an RC element. The temporal behaviour of the voltage at the capacitor C is depicted in Figure 3. Only when the enable signals continue to permanently re-load the capacitor via the Or gate and the resistor R, the voltage at C remains higher than a certain threshold. If the signals cease for any reason whatsoever, the capacitor discharges causing a relay to switch to emergency-off.
J Enable D :-
I--
Enable
~cp
Rule base table I
Enable D
I Electromagnetic valve
'---";
Rule base table 2
Enable D I--
A Ready
A Ready
CP '~ f
cp "LP
T
~'cp ystem clock
Heater control
A Ready
Enable D
Enable
:'cp
T :-
cp ')CP
r- -
-~
.
¥
f-
Enable D
cp :~
~
-I--
f---------
A Ready
-
~
T :-
[,
J
A Ready
1
cp ':!
11
(I)
>~I
I
R -.
c
I
General enable signal
Fig. 4. Fail safe supervision of the programmable logic controller's operation
3. SOFTWARE SAFETY LICENSING The contents of the rule base tables is the only "software" contained in the programmable logic controller. All other functions are implemented in hardware. Here software does not mean executable sequential programs fetched from writable memory as in the classical von Neumann computer architecture. Instead, it is better described as a parametrisation with which a general purpose controller is configured to perform a specific function . Since coded rule bases should always reside in some kind of read-only memories, the software takes on the form of firmware.
Owing to the software's very limited complexity, it is feasible to employ the safety licensing method of inspection. This method was developed by a licensing authority, viz., TUV Rheinland, and consists of reading loaded object code out of a machine and having it analysed and checked by human licensors (Krebs and Haspel, 1984) . If they work without mutual interaction, the process fulfills the requirements of diversity. Inspection is essentially informal, easily understandable, and immediately applicable without training. Its ease of understanding and use inherently fosters error free application of the method.
Rigorous software verification is, in general, still an unsolved problem due to the complexity of software. Moreover, for purposes of safety licensing object code, i.e. , the only version of a program actually visible to and executed by a machine, must be considered, because the transformation of a program's representation from source to object code by a compiler or assembler may introduce errors into the object code. The architecture of the programmable logic controller presented here greatly facilitates the rigorous verification of the software contained under the constraint that object code needs to be examined.
Since rule base tables are machine executable on one hand, but also constitute formal problem specifications on the other, there is, by design, no semantic gap, except coding, in the programmable logic controller's architecture between the levels relating to humans and to the machine. Inspecting object code thus means to verify an implementation and to validate a problem specification at the same time. The effort and cost to verify rule base tables and their correct implementation is by orders of magnitude less than for licensing sequential software and is, therefore, also economically feasible.
r
j ......
'FJ
4. CASE STUDY: ROTATION CONTROL OF A POINTER
o
The following simple example shows, in principle, the way to construct a rule based controller. Angle of rotation control of a pointer without friction or any other damping is considered, to provide for the most difficult case to control. As the pointer moves on a vertical plane, the gravity needs to be considered, and usually a torque is needed to hold the pointer at the desired angle. Let the pointer's mass be 1 kg and its length 1 m. Therefore, the rotation of the pointer is mathematically described by the following differential equation for the angle tP as a function of time:
~~ =3·(Mc+ M D+4.9· sin tP)
2
4
6
I I I I I I ·1000
·2
·0 .2
·0,02
0.02
1000
0.2
Fig. 6. Input intervals of the control deviation of the rotation angle (AD--2) For the domains of the input variables nonequidistant partitionings with higher precision around zero as shown in Figures 6 and 7 are selected, which can be implemented using corresponding analogue-to-digital converters or nonlinear input pre-amplification.
o
4
6
I I I I I I I I I I
and
-100
Mc = 5· I
XI
-15
·10
·0.2
0.2
10
IS
100
x!
Fig. 7. Input intervals of the angular velocity (A36)
with Mc being the torque controlling the pointer, MD the torque disturbing it , and I the current leading to the torque Mc . If the control deviation is larger than 2 rad and MD is not too big, the pointer moves to the desired rotation angle with an angular velocity between 10 and 15 rad/s, and the controller works as speed controller. After the acceleration period the pointer moves to the desired angle nearly without actuations. Therefore, if the control error is 2 rad, the angular velocity is between 10 and 15 rad/s. It is easy to construct and to improve a rule based controller for this narrow speed range. If the control deviation is smaller than 2 rad, the controller works as angle of rotation cont.roller. It is also possible to control the speed of the pointer dependent on the control deviation . This approach could reduce the regulating time. Higher speed, however, cert.ainly leads to higher mechanical forces . These considerations lead to the structure of a rule based controller as shown in Figure 5.
Fig. 5. Structure of a rule based rotation controller of a pointer
Jo
The number of words required in the EPROM corresponds to the product of the numbers of input intervals. In this example 63 words are needed. Table 1 shows a part of the rule base table, in which ID is the digital equivalent of the current leading to the torque Mc. These values are stored in the EPROM. Table 1. Section of a rule base table for one output variable Interval of input Xl 2 2 2 3 3 3 3 3
Interval of input X2 6 7
8 0 1
2 3 4
Actuation ID 1.3 3 5 -5 -4 -1.8 -0.3 0
Experiments and measurements were carried out (Vogrin, 2000) to compare the performance of a rule based controller as described above and of the best possible classical PID controller. They revealed that, in addition to the ones already mentioned, the rule based controller has many advantages as compared to controllers with conventional structures such as PID: • The overshoot after a set-point jump is much smaller (less than 0.1 rad) independent ofthe set-point. • The output error is smaller than 0.1 rad in a much shorter time. • If the disturbing torque MD is not too large, it is possible to freely determine the maximum speed of the pointer.
This case study also shows that it is possible to build a rule based controller with an EPROM of a very small capacity, only. Nevertheless, its performance turns out to be much better than the performance of a conventional approach. Moreover, it is easily feasible to improve the performance of the rule based controller. The range of permanent control errors can, for instance, be reduced by • providing more input intervals, especially for the control deviation Xl, close to zero, or by • providing an additional controller input for the integral of the rotation angle's control deviation.
5. CONCLUSION The major advantages of the programmable logic controller described in this paper are its inherent safety and speed. Its main characteristics are input conditioning by analogue-to-digital converters and inference by look-up in rule tables. The controller consists of a few relatively simple and cheap industry standard hardware modules. Hence, safety licensing of the hardware can follow well understood and long established procedures. The main task of a safety proof is to verify an implemented rule set's correctness by inspection. This method leads back in one easy step from machine code to problem specifications. For the design presented, the effort required to utilise inspection to safety license control software is by several orders of magnitude smaller than to verify sequential programs running on von Neumann computers, thus making safety licensing economically feasible. Owing to its simple construction and its software form's utmost simplicity, the controller can be licensed for applications with the highest safety requirements, i.e., those of Safety Integrity Level 4. Working in a strictly periodic fashion with (almost) no jitter, the controller's real time behaviour can be predicted in full. Its hardware operation is supervised by a fail safe logic immediately initiating an emergency shutdown in case of a malfunction. Since the kind of software employed in the controller has not the form of sequential programs but of decision tables and parametrisations, the costs of developing and verifying it are much lower as compared to sequential software with the same functionality. These savings outweigh by far the higher expenditure for analogue components meeting increased quality standards as may be required by certain applications.
Basically, it is possible to approximate any control algorithm by this type of rule based controller. In general, the better the approximation and the larger the number of inputs the higher is the EPROM capacity needed, which may be very large. Fortunately, there exist possibilities to reduce these capacity requirements, e.g., by cascading rule base tables. Surprisingly, in practice it turns out that this space is often very small. The programmable logic controller presented here is, therefore, able to solve difficult control tasks very easily and transparently. It can be adapted to the requirements of any technical process. We have built a prototype of the programmable logic controller with a 64 Kword EPROM. It is cheap and small, and runs very fast with a loop execution time of 800 ns. Controllers often need to provide certain functions such as timers, counters, or internal storage. Also, digital and analogue inputs and outputs must be dealt with. A range of such modules was implemented which can be plugged into the prototype.
6. REFERENCES Fagan, M.E. (1976). Design and Code Inspection to Reduce Errors in Program Development. IBM Systems JoumallS(3), 182-211. Hampel, R., H. Stegemann, F. Worlitz and N. Chaker (1999). Verfahren zur Regelung zeitkritischer Prozesse durch einen High Speed Matrix Controller. (German) PatentOffenlegungsschrift DE 19756507 A 1. Draft International Standard IEC 61508-1 (1998). Functional Safety of Electrical/Electronic/ Programmable Electronic Systems: Generic Aspects - Part 1: General Requirements. International Electrotechnical Commission, Geneva. Krebs, H., and U. Haspel (1984). Ein Verfahren zur Software-Verifikation. Regelnngstechnische Praxis rtp 26, 73-78. Melchers, W. (1998). List of Type Approved Programmable Electronic Systems (PES), Version 3.2. TUV Rheinland Sicherheit und Umweltschutz GmbH, Institute for Software, Electronics, Railroad Technology (ISEB), Cologne. Vogrin, P. (2000). Safety Licensable and High Speed Programmable Digital Controllers Providing Any Required Control Behaviour. Fortschr.-Ber. VDI Reihe 8 Nr. 814. VDI Verlag, Diisseldorf.