Copyright © IFAC Intelligent Components and Instruments for Control Applications, Annecy, France, 1997
SAFETY IN A MICROCOMPUTER CONTROLLER OF THE DIESEL ENGINE
Rafal Klaus, Andrzej Urbaniak
Institute of Computing Science, Poznan University of Technology, ul. Piotrowo 3a, 60-965 Poznan, Poland; tel. +4861 782-574, fax +4861 771-525
E-mail: [email protected]
E-mail: [email protected]
Abstract: Redundancy techniques and self-diagnostics, together with the use of mechatronics, contribute to greater safety and dependability of Diesel engines. The paper shows a systematic way of defining safety requirements based on a formalized fault-tree model. Some aspects of implementing redundancy in electronic controllers of Diesel engines are presented. The demonstrated system was implemented in an excavator.
Keywords: Computer control, Diesel engines, Automatic testing, Redundancy, Safety analysis
1. INTRODUCTION
The Diesel engine is an astatic object. It is equipped with a rotational speed controller to ensure stable engine operation. Such a controller has to prevent the speed limit from being exceeded and to maintain a constant rotational speed both at idle and under load. Conventional governors used in Diesel engines give optimal operation only within a narrow range of traction, operating and control parameters. At the present stage of combustion engine development, mechanical rotational speed governors are increasingly being replaced by controllers that allow digital control of the engine. Progress in the application of microprocessors leads to the construction of controllers free of the flaws of mechanical governors (Ochocki et al., 1993).
This article presents information on the protection and self-diagnostics of the control system of the SW 400 engine, which uses the DP 535 controller based on the Siemens 80C535 microcontroller. The presented control system is being tested successfully in an excavator.
At the Institute of Computing Science, which collaborates with the Institute of Combustion Engines (both institutes belong to the Poznan University of Technology), research into the automation of Diesel engine operation has been carried out for several years. The research is conducted in different directions, e.g. developing control algorithms for a given regulation criterion, construction of microprocessor-based control systems, or development of measurement and diagnostic systems. One research direction deals with engine control systems in which the centrifugal governor is replaced by an injection pump with a microprocessor-based regulator. The research was carried out on systems built on the one-module computer MJ8b (1989-1990), on a controller equipped with a Z80 microprocessor (1990-1991), on a programmable special-purpose test stand for examining control algorithms with PC-class computers (1992-1996), on a controller with a 16-bit NEC µPD 78310 microcontroller (1993-1994) and on a controller with a Siemens 80C535 microcontroller (1994-1995).
2. THE AIMS OF A MICROPROCESSOR-BASED CONTROLLER
The aim of a microprocessor-based controller is to set the fuel rod position of the injection pump and the injection advance angle determined by the actual operating point of the engine. In microprocessor-based controllers one can relatively easily change their structure, the dynamic characteristics of the regulator and the settings according to the desired criterion. In the research into control algorithms being conducted, the criterion is understood as:
• speed stabilisation during dynamic changes of load
• minimisation of the smoke level
• minimisation of fuel consumption
• minimisation of the settling time
• minimisation of the overshoot.
Since the object is astatic, exceeding the maximum speed could cause serious engine damage. That is why the most essential aim of the safety system in the control configuration is to prevent overspeeding of the engine and to stop it safely in different fault states.
3. SAFETY, DEPENDABILITY, RELIABILITY
The dependability of a control system is determined by three aspects, i.e. it has to be:
• reliable (it should ensure continuous operation)
• safe (it should prevent the occurrence of faults that lead to catastrophes)
• secure (it should be protected against deliberate faults).
We understand safety as the property of a system that prevents dangerous situations, i.e. situations that endanger human life or health or that could cause huge material losses. The reliability of a control system is conceived as the probability that the given system will operate successfully in a particular environment during the specified mission time (Redmill, 1993).
The basic task when designing the safety system in the control configuration is to analyse hazards and risks. A hazard is understood here as a set of conditions that could lead to an accident under specified environmental conditions. Risk is a function of the probability that the hazard exists, the probability that the hazard leads to an accident, and the worst possible losses after the accident. The safety analysis is conducted using formal methods. Using Fault Tree Analysis, the control system has been described as one that ensures the safety of the Diesel engine's operation. The constructed system belongs to the class of fault-tolerant systems. Having identified the fault (its kind), the system makes a decision concerning further operation:
• it gracefully diminishes efficiency (graceful degradation), i.e. partly reduces the mission's scope (until repair)
• safety protection (fail-safe), i.e. the system safely stops the mission.
4. CONSTRUCTION OF THE SYSTEM
In the proposed solution three basic modules can be distinguished:
1. the mechatronics module, which contains:
• an injection pump without a centrifugal governor
• measurement sensors of the speed n and of the injection advance angle αww
• actuators controlling the fuel dose and the injection angle
• a safety valve
2. the DP 535 control module
3. the host computer module of the working machine.
Among other advantages, the modular construction of the system makes servicing relatively easy, since it boils down to replacing the damaged module. In the controller module, the use of microprocessor technology enabled the software realisation of some system functions. This increases the flexibility of the system and its ability to accommodate various engines and energy receivers (Klaus, 1996).
[Fig. 1: block diagram of the control system's modules. Blocks: host computer; microcontroller of the Diesel engine (control and diagnosis systems); step motors, fuel rod, pump, hydraulic mechanism; Diesel engine.]
Fig. 1. The block scheme of the control system's modules.
The implementation of redundancy techniques makes it possible to keep working even after a fault has been detected and signalled. Redundancy comprises:
• software and additional diagnostic configurations for fast detection of faults
• supervision (performed by the working machine's on-board computer) of the Diesel engine's control system
• mechatronic systems that prevent overspeeding of the engine.
5. DIFFERENT KINDS OF PROTECTION
Electronic regulators, because they use a large number of electronic elements, have lower dependability than mechanical governors. This creates additional dangers of engine overspeeding. On the basis of the hazard analysis, the most crucial points of the control system were selected and used to define the safety system. For example, damage to such elements as:
• the microprocessor-based controller
• the speed sensor and the injection advance angle sensor
• the stepping motor
• the gears connecting the stepping motor to the fuel rod
• the power supply
• the connections between elements
could lead to engine overspeeding and permanent damage. This explains why in these cases the main task of the protection system is safe stoppage of the engine in an emergency (Klaus and Urbaniak, 1994). When, for example, only one of the sensors (n or αww) is damaged, the system immediately suspends control of the injection advance angle (while informing the operator), and the readout is taken from the working sensor. The presented system is equipped with the following protection means:
• check of the controller's supply
• check of the rotational speed and injection advance angle impulse sensors
• software check of exceeding the engine's limit speed
• hardware check of exceeding the engine's limit speed
• check of the external +24 V supply
• supervisory activity of the host computer.
5.1. Monitoring of the controller's supply
The DP535 controller of the ZS engine needs two independent +5 V voltages, V1 and V2. These voltages are obtained from the +24 V supply by two separate stabilizer circuits. The former (V1) supplies the microcontroller system; without it the engine cannot be started. V2 supplies the hardware safety system, which monitors the maximum admissible engine rotational speed over time. The presence of V2 is checked constantly during the whole operation of the controller; the lack of V2 causes immediate stopping of the engine and the display of a message giving the cause of the emergency stop (Er3). The V1 voltage supplies the engine rotational speed detector, which is also used by the software safety procedure, while the V2 voltage supplies the injection advance angle detector. The latter is also used to determine the engine's rotational speed (the double measurement of rotational speed with separate supplies makes it possible to protect the engine when the supply of the controller's microprocessor segment fails).
5.2. Checking of the rotational speed impulse detector and the injection advance angle detector
During engine operation and before starting (before the fuel rod is pulled out), the proximity detectors (which measure the engine rotational speed and the injection advance angle) are tested. These detectors are installed on the fuel pump's shaft, and the detectors' impulses have to arrive in the proper sequence, i.e. one impulse sent by the injection advance angle detector has to be followed by six impulses from the rotational speed detector. Lack of both of them causes an error to be signalled and the engine to stop. Absence of impulses from the rotational speed detector is signalled by the Er1 message. Absence of impulses from the injection advance angle detector is signalled by the Er2 message. The arrival of the proper impulse sequence from the detectors is absolutely necessary to start the engine once the starter is switched on. Without it, the stepping motor cannot pull out the fuel rod (which delivers the fuel dose to the engine).
[Fig. 2: traces of speed and rod position versus time during starting; phases: sensor test, speed start.]
Fig. 2. Starting of an engine.
5.3. Software check of exceeding the engine's limit speed
The controller is equipped with a software check for the engine exceeding 2500 rpm (working range: 500-2200 rpm). This monitoring is performed at the lowest software level, in the routine that handles the rotational speed detector. It makes it possible to avoid the engine reaching a dangerous speed, e.g. because of an error in the main module of the control program (an error in the algorithm or in its implementation; the effectiveness of the check was experienced by the authors during several attempts to improve the engine control algorithm) or, as far as engine failures are concerned, when engine parameters change and an otherwise correctly performing algorithm could lead to engine overspeeding. When this check trips, the engine is stopped by drawing the fuel pump rod to its resting position, and the controller displays the emergency stop message (Er4).
[Fig. 3: speed versus time with the 2700 rpm threshold (DP535 breakdown, hardware protection) and the 2500 rpm threshold (software protection) above the working range; rod position trace below.]
Fig. 3. The overspeeding protection system.
5.4. Hardware check of exceeding the engine's limit speed
The hardware check was introduced for faults associated with the microprocessor controller (a fault of the microcomputer or of the electronic circuits, loss of the voltage supplying the microprocessor segment, etc.) or with its actuator, i.e. the stepping motor (a fault of the stepping motor, of the wires connecting the stepping motor to the controller, failure of the mechanical gear acting on the fuel rod, etc.). This check makes use of the injection advance angle detector (which is supplied by a different voltage than the controller's microprocessor system), whose impulses trigger a monostable multivibrator. The multivibrator generates impulses of a fixed duration, calculated according to an engine rotational speed of 2700 rpm. If the first impulse is followed by another impulse from the injection advance angle detector, this is a clear indication that the engine speed is too high. The engine is then stopped by disconnecting the supply from the stepping motor (releasing the fuel rod) and from the hydraulic valve. The latter opens the inflow of fuel into an actuator which in turn pushes the fuel rod to its resting position, closing the inflow of fuel to the engine. The threshold at which this check acts is set at 2700 rpm entirely because of the hierarchy of the safety checks: the software safety is to act first. If the cause of a failure is not a fault of the microprocessor segment but of the actuator, then the Er5 message is displayed.
5.5. Checking of the +24 V external supply
The DP 535 controller is supplied from the engine's 24 V electrical installation, which is equipped with accumulators and an alternator. The controller itself can operate without error even when a voltage drop occurs, because it is supplied through stabilizers reducing the voltage to +5 V. The actuator (the stepping motor), however, needs at least 13 V for correct operation. That is why during operation, particularly during starting (the worst case being severe frost with discharged accumulators), the voltage of the machine's electrical installation is monitored. If it drops below 13 V, the engine is stopped and the Er6 message is displayed, which indicates a fault of the machine's electrical installation.
5.6. Supervisory operation of the master computer
The DP 535 controller has been equipped with an interface enabling its connection to the master computer. This allows the controller to work autonomously or in a subordinate mode, with the master deciding on the commanded speed and on stopping the engine. The master computer has information from many points unavailable to the controller and is able to decide to stop the engine, protecting the machine from destruction in this way.
6. MESSAGES OF THE DP535 CONTROLLER
The controller contains a four-position digital display which shows essential information about the operating state. During fault-free operation only the commanded rotational speed (rpm) is displayed, together with the message STOP -
when the STOP button is pressed on the controller's enclosure or the STOP command is received from the host computer. Other messages inform about the occurrence of an emergency situation and enable easy localisation of the error. The displayed error messages:
Er1 - no impulses from the rotational speed sensor
Er2 - no impulses from the injection advance angle sensor
Er3 - no supply to the hardware protection against maximum speed
Er4 - engine stopped because the software protection detected the engine speed threshold (2500 rpm) being exceeded
Er5 - engine stopped because the hardware protection detected the engine speed threshold (2700 rpm) being exceeded
Er6 - engine stopped because the accumulator voltage during starting or operation dropped below 13 V, which endangers the correct operation of the controller.
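To make the hierarchy of checks concrete, here is an added example (not code from the paper or from the DP535 project) that models the supervision described in sections 5.1-5.5 and maps its outcomes to the Er1-Er6 codes above. The gearing constant ANGLE_PER_REV, the state fields and the impulse timestamps are assumptions of mine, not values from the paper.

```c
/* Added example, not code from the paper: a host-side model of the DP535
 * protection hierarchy. Values marked ASSUMPTION are mine, not the paper's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SW_LIMIT_RPM   2500u   /* software overspeed threshold -> Er4 */
#define HW_LIMIT_RPM   2700u   /* hardware overspeed threshold -> Er5 */
#define MIN_SUPPLY_MV  13000u  /* stepping motor needs >= 13 V  -> Er6 */
#define ANGLE_PER_REV  1u      /* ASSUMPTION: one angle impulse per engine revolution */

enum err { OK = 0, ER1, ER2, ER3, ER4, ER5, ER6 };

struct state {
    bool     cpu_alive;     /* false models a dead microprocessor segment */
    bool     v2_present;    /* +5 V rail V2 feeding the hardware protection */
    uint32_t supply_mv;     /* 24 V installation voltage, in millivolts */
    bool     speed_pulses;  /* impulses seen from the rotational speed detector */
    bool     angle_pulses;  /* impulses seen from the injection angle detector */
    uint32_t rpm;           /* speed computed by the controller software */
};

/* Period between angle impulses (microseconds) at a given engine speed. */
uint32_t angle_period_us(uint32_t rpm) {
    return rpm ? 60000000u / (rpm * ANGLE_PER_REV) : UINT32_MAX;
}

/* Hardware check emulation: each angle impulse triggers a monostable whose
 * output stays high for the angle period at HW_LIMIT_RPM; a further angle
 * impulse arriving while it is still high means the engine is too fast.
 * Only the angle detector and its own supply are involved, never the CPU. */
bool hw_overspeed(const uint32_t *angle_ts_us, size_t n) {
    uint32_t width = angle_period_us(HW_LIMIT_RPM);
    for (size_t i = 1; i < n; i++)
        if (angle_ts_us[i] - angle_ts_us[i - 1] < width) return true;
    return false;
}

/* Software supervision: supply checks, detector checks, then the 2500 rpm
 * limit. A dead CPU checks nothing, which is what the hardware path covers. */
enum err sw_supervise(const struct state *s) {
    if (!s->cpu_alive)                return OK;
    if (!s->v2_present)               return ER3;
    if (s->supply_mv < MIN_SUPPLY_MV) return ER6;
    if (!s->speed_pulses)             return ER1;
    if (!s->angle_pulses)             return ER2;
    if (s->rpm > SW_LIMIT_RPM)        return ER4;
    return OK;
}

/* Whole hierarchy: software acts first; the independent hardware path
 * stops the engine (Er5) only when software did not and 2700 rpm is exceeded. */
enum err supervise(const struct state *s, const uint32_t *angle_ts_us, size_t n) {
    enum err e = sw_supervise(s);
    return (e == OK && hw_overspeed(angle_ts_us, n)) ? ER5 : e;
}

int main(void) {
    uint32_t ts[4];  /* constructed angle-impulse timestamps for a steady 2800 rpm run */
    for (uint32_t i = 0; i < 4; i++) ts[i] = i * angle_period_us(2800);
    struct state dead = { false, true, 24000, true, true, 2800 };
    printf("2800 rpm with dead CPU -> Er%d\n", supervise(&dead, ts, 4)); /* Er5 */
    return 0;
}
```

Note that a dead CPU at 2600 rpm yields no stop at all: the software limit is gone and the hardware path only reacts above 2700 rpm, which is exactly the gap between the two thresholds that the paper's hierarchy accepts.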
7. CONCLUSION
The presented DP535 control system has been equipped with a multi-level protection system that makes ample use of mechatronics and built-in self-diagnostics. We estimate that, thanks to the implementation of a mechatronic system with a multi-level protection hierarchy, the likelihood of engine damage caused by exceeding the limit speed is very small indeed. The implementation of the self-diagnosis system makes it possible to shorten the mean time to repair (MTTR) in comparison with systems without self-diagnosis (e.g. the one with the Z80 microprocessor from 1991). When the superordinate computer is damaged, the DP535 controller, after detecting this damage (no connection messages), proceeds to autonomous operation. When the measurement sensors, their connections or the supply of the electronic protection are damaged, the DP535 controller (using the software protection) stops the Diesel engine. When the DP535 controller, its supply or the fuel rod actuators are damaged, the independent electronic protection is activated and stops the engine with the help of the safety valve. Of course, as a last resort the operator can use a special cord to stop the engine.
The safety checks mentioned above have been meticulously tested under laboratory conditions, considering different possible incidents. Some of these safety checks proved their worth in connection with modernisation of the controller (the software threshold of maximum rotational speed when the engine control program was changed, the detector checks when the cabling was modernised). At present a prototype of the controller is installed in an excavator, which is being tested in the field by the Institute of Heavy Working Machines of the Warsaw Polytechnic (Dąbrowski and Szlagowski, 1997). The test results obtained so far do not indicate the occurrence of any dangerous situation that could put human life at risk or destroy the equipment. An additional advantage (due to the controller's thorough self-diagnosis) is the available access to information enabling identification of the cause of a failure.
REFERENCES
Dąbrowski D., J. Szlagowski (1997). Test of the excavator with working equipment localization system. Conference on Engineering Machines Problems, Zakopane, vol. 2, pp. 77-79.
Klaus R., A. Urbaniak (1994). Self-diagnosis and redundancy for electronic control of Diesel engine. 2nd IFAC Symposium SICICA, Budapest, pp. 167-171.
Klaus R. (1996). Microcomputer Control System for Diesel Engines. 12th International Conference on Process Control and Simulation, ASRTP'96, Kosice, vol. 1, pp. 218-222.
Ochocki W., R. Klaus, P. Rybarczyk (1993). Selected results of numerically and conventionally controlled Diesel engine research. Symposium Engines Control, Stawiska, pp. 68-75.
Redmill F., T. Anderson (1993). Directions in safety-critical systems. First Safety-Critical Systems Symposium, Springer-Verlag, Bristol.