One of the most recent (30 July 2008) additions to the National Instruments FPGA IPNet resource is a design pattern for CompactRIO fail-safe control. This example provides a framework for control systems that are required to behave predictably in the event of a hardware or software failure. It demonstrates FPGA safe states and FPGA-monitored watchdogs for the real-time controller. Although the example was designed for use with CompactRIO, it can be applied to a PXI RIO or any FPGA-based control application with only minor modifications.
The NI RIO architecture is said to be suitable for fail-safe control systems because most I/O is channelled through the FPGA, which is also the most reliable component of the system. By defining a safe state for all control outputs within the FPGA itself, it is possible to create a control system with a high degree of immunity from hardware or software problems in the HMI, real-time controller or input modules. In order to maintain all outputs at a safe state, the only requirements are that the FPGA itself must be functioning, and that any output modules must be functioning.
The FPGA should implement a simple state machine in every loop that produces a critical output. At a minimum, the state machine should have a primary safe state and a state for normal operation. The reference example uses a single safe state to respond to all failures. Multiple safe states that respond differently to different failures are also possible; however, users should still define a primary safe state that represents the most basic operation. The primary safe state should be the default state of the state machine, so that the system boots into a safe state. Every safe state should define a safe value or algorithm for each output. Note that the example uses a simple static value for each output, but users can define more complex algorithms, such as ramping an output down, by using shift registers or memory to store the current output value. In the primary safe state, users should not rely on inputs from other modules or from the real-time controller. Other safe states can use inputs as long as those inputs are verified to be functioning correctly. In each iteration of the output loop, all possible failure conditions should be checked and, if any has occurred, the state machine should transition to a safe state in the next iteration.
The reference example defines four failure conditions:
- RT Safe - indicates that the real-time system is ready
- Emergency Safe - is tied to an external digital input
- Watchdog Safe - monitors the Real-Time system via the RT Watchdog loop
- Control Inputs Valid - monitors the health of the inputs to the control algorithm
Additional failure conditions can be defined as necessary.
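The following C model is an added example, not code from the NI design pattern (which is a LabVIEW FPGA VI). It shows the loop structure described above as plain code: a primary safe state that is the default at boot and ignores all inputs, a secondary safe state that ramps the stored output toward the safe value, an FPGA-side watchdog that the real-time controller must kick within a timeout, and a per-iteration check of the four failure conditions that decides the state for the next iteration. The names (`fs_ctx_t`, `fs_iterate`, `WATCHDOG_TIMEOUT_TICKS`, `RAMP_STEP`), the mapping of particular failures to the two safe states, and the automatic return to normal operation once every condition has cleared are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All identifiers and constants below are assumptions for this example. */
#define WATCHDOG_TIMEOUT_TICKS 5   /* RT controller must kick within 5 loop iterations */
#define SAFE_OUTPUT_VALUE      0   /* static safe value used by the primary safe state */
#define RAMP_STEP              10  /* per-iteration step of the ramp-down safe algorithm */

typedef enum {
    STATE_SAFE = 0,    /* primary safe state: default, relies on no inputs */
    STATE_RAMP_DOWN,   /* secondary safe state: ramps stored output toward safe value */
    STATE_RUN          /* normal operation */
} fs_state_t;

/* Signals sampled by the FPGA output loop in one iteration. */
typedef struct {
    bool rt_safe;               /* RT Safe: real-time system reports it is ready */
    bool emergency_input;       /* Emergency Safe: external digital input asserted */
    bool watchdog_kick;         /* RT Watchdog loop kicked the watchdog this iteration */
    bool control_inputs_valid;  /* Control Inputs Valid: input modules are healthy */
} fs_inputs_t;

/* Loop state carried between iterations (the "shift registers"). */
typedef struct {
    fs_state_t state;
    uint32_t   ticks_since_kick;
    int32_t    output;          /* current output value, stored for ramping */
    bool       watchdog_safe;   /* latest evaluation of each failure condition */
    bool       emergency_safe;
    bool       rt_not_ready;
    bool       inputs_invalid;
} fs_ctx_t;

/* Boot into the primary safe state with the watchdog already expired,
 * so nothing leaves SAFE until the RT controller proves it is alive. */
void fs_init(fs_ctx_t *ctx)
{
    *ctx = (fs_ctx_t){0};
    ctx->state = STATE_SAFE;
    ctx->ticks_since_kick = WATCHDOG_TIMEOUT_TICKS;
    ctx->output = SAFE_OUTPUT_VALUE;
}

/* Move the stored output one step toward the safe value, without inputs. */
static int32_t ramp_toward_safe(int32_t current)
{
    if (current > SAFE_OUTPUT_VALUE + RAMP_STEP) return current - RAMP_STEP;
    if (current < SAFE_OUTPUT_VALUE - RAMP_STEP) return current + RAMP_STEP;
    return SAFE_OUTPUT_VALUE;
}

/* One iteration of the FPGA output loop. Returns the value driven this iteration;
 * failures detected now take effect in the NEXT iteration, as in the pattern. */
int32_t fs_iterate(fs_ctx_t *ctx, const fs_inputs_t *in, int32_t requested_output)
{
    /* 1. Drive the output according to the state chosen last iteration. */
    switch (ctx->state) {
    case STATE_SAFE:      ctx->output = SAFE_OUTPUT_VALUE;              break;
    case STATE_RAMP_DOWN: ctx->output = ramp_toward_safe(ctx->output);   break;
    case STATE_RUN:       ctx->output = requested_output;                break;
    }

    /* 2. FPGA-monitored watchdog: count iterations since the RT loop last kicked. */
    if (in->watchdog_kick)
        ctx->ticks_since_kick = 0;
    else if (ctx->ticks_since_kick < WATCHDOG_TIMEOUT_TICKS)
        ctx->ticks_since_kick++;

    /* 3. Evaluate every failure condition, every iteration. */
    ctx->watchdog_safe  = ctx->ticks_since_kick >= WATCHDOG_TIMEOUT_TICKS;
    ctx->emergency_safe = in->emergency_input;
    ctx->rt_not_ready   = !in->rt_safe;
    ctx->inputs_invalid = !in->control_inputs_valid;

    /* 4. Pick the state for the next iteration. Emergency stop or bad inputs go
     *    straight to the primary safe state; a silent RT controller gets a
     *    controlled ramp-down (assumed policy). No failure at all: normal run. */
    if (ctx->emergency_safe || ctx->inputs_invalid)
        ctx->state = STATE_SAFE;
    else if (ctx->watchdog_safe || ctx->rt_not_ready)
        ctx->state = STATE_RAMP_DOWN;
    else
        ctx->state = STATE_RUN;

    return ctx->output;
}

/* Stand-alone trace: healthy RT, then the RT stops kicking, then an e-stop. */
int main(void)
{
    fs_ctx_t ctx;
    fs_init(&ctx);
    fs_inputs_t in = { .rt_safe = true, .emergency_input = false,
                       .watchdog_kick = true, .control_inputs_valid = true };
    for (int i = 0; i < 12; i++) {
        if (i >= 2) in.watchdog_kick = false;      /* constructed: RT loop hangs */
        if (i >= 9) in.emergency_input = true;     /* constructed: e-stop pressed */
        printf("iter %2d: output=%4d state=%d\n", i, fs_iterate(&ctx, &in, 100), ctx.state);
    }
    return 0;
}
```

The order inside `fs_iterate` is the point: the output is driven from the state decided in the previous iteration, so a failure seen now changes the next iteration's output, and the default state set in `fs_init` means the first output after boot is the safe value even if every signal looks healthy.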
The design pattern for CompactRIO fail-safe control can be accessed free of charge at zone.ni.com/devzone/cda/epd/p/id/5984 and the IPNet resource for LabVIEW FPGA functions and example IP is at zone.ni.com/devzone/cda/tut/p/id/4799.