Separate Real-time **

...there is a distributed Control System where Isolated Functionalities pattern has been applied. Thus, there are multiple nodes in the system. Single node's functionality can be implemented by one or more applications. Some functionalities are related to controlling the machine while high level functionalities are related to offering the machine operator graphical user interface or for example, communicating with other remote systems via Remote Access. These high level functionalities might need a lot of resources and their time consumption is unpredictable. On the other hand, the machine controlling functionalities typically have strict real-time requirements and their response times should be deterministic. High level functionality requires data from the machine control to implement its responsibility. For example, Diagnostics application requires data from the nodes in the system. Thus, the high level functionalities need to exchange information with machine control level. If high level functionality is implemented on the same node with the machine control functionality, the fulfillment of real-time requirements needs to be guaranteed somehow.

There always are machine control functionalities in the system. Additionally, to increase productivity and operability of the machine, the system needs to offer high level functionality such as graphical user interface, Diagnostics, etc. These high level functionalities behavior may compromise the real-time requirements of the machine control functionalities.

Real-time applications must meet their timing requirements or otherwise they are considered to be malfunctioning. Thus real-time functionality must not be interfered by other functionality of the system. Typically, the response times of real-time applications range from a few milliseconds to couple of hundred milliseconds and sometimes they can be only few hundred microseconds or even less. On the other hand, high level functionalities do not have strict real-time requirements and response time of seconds is enough. However, high level functionalities may consume resources, e.g. CPU time from the real-time part and cause it to malfunction, i.e. not to meet its real-time requirements, if these two are run on parallel on the same hardware. This kind of behavior could lead to hazardous situations.

It should be possible to have separate teams developing the real-time functionality and high level services. Different developers and teams have different skill sets and are specialized in the development of certain kind of applications. Thus subsetability of the software should be supported by the architecture. Furthermore, different programming languages are normally used in the development of real-time applications than in development of high level services. If different teams can be working on different parts of the system, the tool chain that needs to be installed can be limited to only the parts that team is working on.

In many cases, the high end services are resource greedy and need more processing power than real-time functionality needs. It should be possible to use common low-end hardware in order to save costs for the machine control, but on the other hand, there is a need for high level services and these services would require more sophisticated hardware. This kind of hardware is more error-prone under harsh conditions where the machine is used, so it might not be suitable for machine control applications.

High end services are not mission critical from the machine operator's point of view. They provide additional value, but are not required to control the machine. Malfunction of a high level functionality should not affect the availability of the machine and under any circumstances high level functionality’s malfunction should not prevent the operator from using the machine.

As machinery directive in Section (Machinery directive, 2006) states, the emergency stop of the system must stop the hazardous process as quickly as possible. This requires fast response times and must override the operations which are currently being executed. Therefore, this mechanism needs to be separated from the normal machine control and high level services as it needs to be available even when other parts of the system are malfunctioning.

Divide the system into separate levels according to real-time requirements: e.g. to machine control and to machine operator level. Real-time functionalities are located on the machine control level and non-real-time functionality on the machine operator level. Levels can not interfere with each other as they use message bus or other medium to communicate with each other.

This real-time separation means that all applications having real-time requirements are logically placed on the same level, i.e. machine control level. Despite of this logical division, the applications can still reside on different nodes taking care of Isolated Functionalities. Furthermore, there might be multiple applications running on the same node, but all of those applications are either real-time or non-real-time applications. All non-real-time applications are placed on the operator level and real-time applications on machine control level. Operator level applications should not be able to directly control any actuators and directly cause movements. Operator level applications are typically run on the PC which resides in the cabin of the machine while machine control applications are run on their own dedicated controller, e.g. PLC.

Figure 60 - Example architecture of a system where Separate Real-time has been applied

Emergency stop can be implemented as its own level. Usually it is implemented purely with hardware and it is used to switch the power off from the machine control level and inform the other levels that emergency stop has been activated. Now, the rest of the system can make according state changes (see OPERATING MODES) and inform the machine operator. If emergency stop is implemented as its own level, other safety certified functionalities can be placed on the same level. On the other hand, if emergency stop is implemented on machine control level, it usually means that the whole machine control level needs to be safety certified.

Buy the book