Example of how to use CompactRIO for fail-safe control
Posted to News on 3rd Aug 2008, 21:17

One of the most recent (30 July 2008) additions to the National Instruments FPGA IPNet resource is a design pattern for CompactRIO fail-safe control. This example provides a framework for control systems that are required to behave predictably in the event of a hardware or software failure. It demonstrates FPGA safe states and FPGA-monitored watchdogs for the real-time controller. Although the example was designed for use with CompactRIO, it can be applied to a PXI RIO or any FPGA-based control application with only minor modifications.

The NI RIO architecture is said to be suitable for fail-safe control systems because most I/O is channelled through the FPGA, which is also the most reliable component of the system. By defining a safe state for every control output within the FPGA itself, it is possible to build a control system that is largely immune to hardware or software problems in the HMI, the real-time controller or the input modules. Holding all outputs at their safe state then depends on only two things: the FPGA itself must be functioning, and the output modules must be functioning. Faults in those two components are the one thing this pattern cannot protect against, so they are where the remaining risk sits.

The FPGA should implement a simple state machine in every loop that produces a critical output. At a minimum, the state machine should have a primary safe state and a state for normal operation. The reference example uses a single safe state to respond to all failures. Multiple safe states that respond differently to different failures are also possible; however, users should still define a primary safe state that represents the most basic operation. The primary safe state should be the default state of the state machine, so that the system boots into a safe state and returns to it whenever the FPGA is reset. Every safe state should define a safe value or a safe algorithm for each output. The example uses a simple static value for each output, but users can define more complex behaviour, such as ramping an output down, by using shift registers or memory to store the current output value. In the primary safe state the FPGA should not rely on inputs from other modules or from the real-time controller, because those are exactly the components whose failure it is protecting against. Other safe states can use inputs as long as they have been verified to be functioning correctly. In each iteration of the output loop, all possible failure conditions should be checked and, if any has occurred, the state machine should be transitioned to a safe state in the next iteration.

The reference example defines four failure conditions, each of which forces the state machine into the safe state when it is not satisfied:

  • RT Safe - indicates whether the real-time system is ready
  • Emergency Safe - tied to an external digital input, such as an emergency stop
  • Watchdog Safe - monitors the real-time system via the RT Watchdog loop; it trips when the real-time controller stops servicing the watchdog
  • Control Inputs Valid - monitors the health of the inputs to the control algorithm

Additional failure conditions can be defined as necessary.
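The following is an added illustration of the pattern described above, written in C as a cycle-by-cycle model of one FPGA output loop. It is not NI's reference example (which is LabVIEW FPGA code) and does not use any NI API; the names, the safe value, the ramp-down step and the watchdog timeout are assumptions chosen for the illustration. It shows the safe state as the default state, the four failure conditions evaluated every iteration, the transition to the safe state taking effect on the following iteration, a ramp-down safe algorithm driven only from stored state, and an FPGA-side watchdog that trips when the real-time heartbeat stops.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one FPGA output loop (illustration, not NI's code). */

typedef enum { ST_SAFE = 0, ST_NORMAL = 1 } fsm_state_t; /* ST_SAFE is the default state */

typedef struct {
    bool    rt_ready;             /* "RT Safe": real-time controller reports ready */
    bool    emergency_input;      /* "Emergency Safe": external digital input asserted */
    bool    control_inputs_valid; /* "Control Inputs Valid": input modules healthy */
    bool    rt_heartbeat;         /* pulse from the RT Watchdog loop this iteration */
    int32_t control_cmd;          /* value demanded by the control algorithm */
} loop_inputs_t;

typedef struct {
    fsm_state_t state;
    uint32_t    ticks_since_heartbeat; /* FPGA-side watchdog counter */
    int32_t     output;                /* "shift register": value driven last iteration */
} output_loop_t;

/* Assumed tuning values for the illustration. */
#define SAFE_OUTPUT            0  /* static safe value for this output */
#define RAMP_STEP              10 /* ramp-down per iteration while in the safe state */
#define WATCHDOG_TIMEOUT_TICKS 5  /* silent iterations before "Watchdog Safe" trips */

void loop_init(output_loop_t *lp)
{
    lp->state = ST_SAFE;               /* boot into the primary safe state */
    lp->ticks_since_heartbeat = 0;
    lp->output = SAFE_OUTPUT;
}

/* Evaluate all four failure conditions; true if any has occurred this iteration. */
static bool failure_present(output_loop_t *lp, const loop_inputs_t *in)
{
    if (in->rt_heartbeat)
        lp->ticks_since_heartbeat = 0;
    else if (lp->ticks_since_heartbeat < WATCHDOG_TIMEOUT_TICKS)
        lp->ticks_since_heartbeat++;   /* saturating counter, never wraps */
    bool watchdog_expired = lp->ticks_since_heartbeat >= WATCHDOG_TIMEOUT_TICKS;

    return !in->rt_ready || in->emergency_input ||
           !in->control_inputs_valid || watchdog_expired;
}

/* One iteration of the output loop; returns the value driven to the output module. */
int32_t loop_step(output_loop_t *lp, const loop_inputs_t *in)
{
    bool failed = failure_present(lp, in);
    fsm_state_t next = lp->state;

    switch (lp->state) {
    case ST_SAFE:
        /* Safe algorithm uses only stored state: never control_cmd or input modules. */
        if (lp->output > SAFE_OUTPUT + RAMP_STEP)      lp->output -= RAMP_STEP;
        else if (lp->output < SAFE_OUTPUT - RAMP_STEP) lp->output += RAMP_STEP;
        else                                           lp->output = SAFE_OUTPUT;
        /* Leave only once every condition is clear and the output is at rest. */
        if (!failed && lp->output == SAFE_OUTPUT)
            next = ST_NORMAL;
        break;
    case ST_NORMAL:
        lp->output = in->control_cmd;
        if (failed)
            next = ST_SAFE;            /* takes effect on the next iteration */
        break;
    }
    lp->state = next;
    return lp->output;
}

/* Constructed input sequences, returned as values so they can be checked rather than printed. */
static const loop_inputs_t HEALTHY = { true, false, true, true, 100 };

/* Healthy inputs from reset: output driven on the given iteration. */
int32_t scenario_boot(int iteration)
{
    output_loop_t lp;
    loop_init(&lp);
    int32_t out = SAFE_OUTPUT;
    for (int i = 0; i < iteration; i++) out = loop_step(&lp, &HEALTHY);
    return out;
}

/* Emergency input asserted while running normally at 100: output after k iterations. */
int32_t scenario_estop(int k)
{
    output_loop_t lp;
    loop_init(&lp);
    loop_step(&lp, &HEALTHY);          /* SAFE -> NORMAL */
    loop_step(&lp, &HEALTHY);          /* drives 100 */
    loop_inputs_t estop = HEALTHY;
    estop.emergency_input = true;
    int32_t out = lp.output;
    for (int i = 0; i < k; i++) out = loop_step(&lp, &estop);
    return out;
}

/* RT heartbeat stops: iterations until the loop is back in the safe state (-1 if never). */
int scenario_heartbeat_loss(void)
{
    output_loop_t lp;
    loop_init(&lp);
    loop_step(&lp, &HEALTHY);
    loop_step(&lp, &HEALTHY);
    loop_inputs_t silent = HEALTHY;
    silent.rt_heartbeat = false;
    for (int n = 1; n <= 100; n++) {
        loop_step(&lp, &silent);
        if (lp.state == ST_SAFE) return n;
    }
    return -1;
}

int main(void)
{
    printf("boot: iteration 1 drives %d, iteration 2 drives %d\n", scenario_boot(1), scenario_boot(2));
    printf("e-stop: output after 1, 2, 11 iterations = %d %d %d\n",
           scenario_estop(1), scenario_estop(2), scenario_estop(11));
    printf("watchdog: safe state after %d silent iterations\n", scenario_heartbeat_loss());
    return 0;
}
```

Two points worth noting in the model. The heartbeat is counted in the FPGA, so a hung real-time controller cannot prevent the watchdog from tripping; for that to mean anything, the heartbeat must be produced by the real-time control loop itself, not by an independent timer task that keeps running after the control logic has stalled. And the safe state drives its ramp from the stored output value alone, so it keeps working even if the control algorithm, the input modules or the controller are the thing that failed, which is the whole point of keeping the safe state inside the FPGA.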

The design pattern for CompactRIO fail-safe control can be accessed free of charge at zone.ni.com/devzone/cda/epd/p/id/5984 and the IPNet resource for LabVIEW FPGA functions and example IP is at zone.ni.com/devzone/cda/tut/p/id/4799.


National Instruments Corporation (UK) Ltd

Measurement House, Newbury Business Park
London Road
RG14 2PZ
UNITED KINGDOM

+44 (0)1635 523545
