EE Times-Asia > FPGAs/PLDs

Enhance functional safety in embedded designs

Posted: 22 May 2013

Keywords: Embedded networked systems, Process control, Ethernet Switch

Embedded networked systems are increasingly employed to control vast sections of the industrial infrastructure of the modern economy. Some systems require extraordinary safety and reliability to eliminate, as far as possible, failures that can result in dramatic financial losses or loss of life. Familiar examples of these safety-critical applications are mass transportation, power generation and oil drilling/transport. Embedded systems are also used in applications where the results of failures are not catastrophic but can still cause significant losses in process or manufacturing efficiency; detecting faults early and avoiding the resulting failures saves significant material and efficiency losses in these applications too. Additionally, a networked system is not really safe if it is not secure. Malicious users can hijack an embedded system, or an embedded system can become the (perhaps unintentional) target of a virus or worm. Attacks of this kind can damage or render inoperable an entire system or complex. Clearly, in many cases both advanced reliability and security capabilities will be requirements in networked embedded designs.

Perhaps an example design can best illustrate some of the key aspects and implementation options when improved reliability and security are required. Process control systems are one of the most useful examples to consider, particularly since the discovery of network-transmitted worms that attack not only traditional PC operating systems but embedded control systems as well (the so-called Stuxnet computer worm, for example). A block diagram of an example embedded process control system is shown in figure 1.

Figure 1: Example embedded networked process control system.

An Industrial Ethernet Switch connects the controller to the network via an upstream node and a downstream node. A System Controller manages the overall operation of the Process Control System, including the Ethernet Switch and the power sub-system. A separate Equipment Controller, supervised by the System Controller, manages the equipment interface and implements any low-level control loops required by the system. Higher-level process management resides within the System Controller, under supervision via the network, perhaps by a centralized system that manages the entire manufacturing or chemical processing complex. This separation of control functions simplifies the implementation of the real-time aspects of both equipment control and network traffic management (for example, interrupt response time, memory bandwidth allocation and active task priority determination). Let's look at ways to make this example system more reliable and secure.

System failure rates
All systems can fail, since it is impossible to design a system with an absolute zero failure rate. Each application should therefore be designed to a target acceptable failure rate. The IEC 61508 standard specifies acceptable failure rates for a range of Safety Integrity Levels (SILs), chosen according to the consequences of a system failure. The standard originally applied solely at the system level, but it has also been applied to products and components, since it addresses electrical, electronic and programmable electronic systems in both their hardware and software. We will assume that our design falls within SIL 2 (perhaps because the controller manages a hazardous liquid as part of its function). For a safety function operating in high-demand or continuous mode, as a control loop does, SIL 2 corresponds to an average frequency of dangerous failure of at least 10^-7 but less than 10^-6 per hour.

Looking at the example design shown in figure 1, we can imagine some possible failure modes and their effect on the overall system. An error in the Equipment Controller might allow hazardous liquid to build up in the system until a rupture takes place, creating a life-threatening system failure. Similarly, an error in the System Controller might miss warnings from the Equipment Controller, which could also result in life-threatening failures. An error in the Ethernet Switch (a constant message broadcast, for example) could bring down the entire network and threaten the entire complex, not just a single node. Note that the System Controller also manages the power supply sub-system (not an unusual feature of embedded controllers), so an error associated with the power supply could cause a dramatic system failure. This is also a potential weakness for a malicious attacker to exploit: an attacker who gains control of the System Controller could misuse the power supply to inflict permanent damage on the system.
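The failure modes listed above (an Equipment Controller that goes silent, a System Controller that misses or is slow to act on warnings, a switch port that floods the network with broadcasts) are the kind of thing a supervisory monitor can detect and use to drive the equipment to a safe state. The following is an added example, not code from the article or from any controller vendor, written in Python for readability. The telemetry stream, the source names "eq", "sys", "sw" and "timer", the event kinds and the thresholds (0.5 s acknowledgement deadline, 1.0 s heartbeat timeout, 1000 broadcast frames/s) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

Event = Tuple[float, str, str, Any]  # (time_s, source, kind, value)

# Constructed telemetry for the figure 1 system (not captured from a real plant).
# source: "eq" = Equipment Controller, "sys" = System Controller,
#         "sw" = Ethernet Switch port counter, "timer" = the monitor's own tick.
SAMPLE_EVENTS: List[Event] = [
    (0.0, "eq",    "heartbeat", None),
    (0.5, "eq",    "heartbeat", None),
    (0.7, "eq",    "warning",   "LEVEL_HIGH"),
    (0.9, "sys",   "ack",       "LEVEL_HIGH"),     # acknowledged after 0.2 s: within deadline
    (1.0, "eq",    "heartbeat", None),
    (1.0, "sw",    "bcast_pps", 40),               # normal broadcast rate on the upstream port
    (1.5, "eq",    "heartbeat", None),
    (1.6, "eq",    "warning",   "PRESSURE_HIGH"),
    (2.0, "eq",    "heartbeat", None),
    (2.0, "sw",    "bcast_pps", 5000),             # constant broadcast: storm
    (2.4, "sys",   "ack",       "PRESSURE_HIGH"),  # acknowledged after 0.8 s: too late
    (3.1, "timer", "tick",      None),             # no heartbeat since 2.0 s: controller lost
    (3.8, "eq",    "heartbeat", None),
]


@dataclass
class Finding:
    time_s: float
    code: str
    detail: str


@dataclass
class SafetyMonitor:
    """Supervisory checks that an independent safety monitor can run against
    the Equipment Controller, the System Controller and the switch."""
    ack_deadline_s: float = 0.5       # a warning must be acknowledged within this (assumed)
    heartbeat_timeout_s: float = 1.0  # silence longer than this means the controller is gone (assumed)
    bcast_storm_pps: int = 1000       # broadcast frames/s above which the port is storming (assumed)
    findings: List[Finding] = field(default_factory=list)
    _last_hb: Optional[float] = None
    _hb_lost: bool = False
    _pending: Dict[str, float] = field(default_factory=dict)  # warning id -> time raised

    def _flag(self, t: float, code: str, detail: str) -> None:
        self.findings.append(Finding(t, code, detail))

    def _check_heartbeat(self, now: float) -> None:
        # Run on every event and on every timer tick, so a silent controller is
        # detected even when nothing else is happening on the network.
        if self._last_hb is None or self._hb_lost:
            return
        gap = now - self._last_hb
        if gap > self.heartbeat_timeout_s:
            self._hb_lost = True
            self._flag(now, "HEARTBEAT_LOST", f"no heartbeat for {gap:.1f} s")

    def handle(self, ev: Event) -> None:
        t, source, kind, value = ev
        self._check_heartbeat(t)
        if source == "eq" and kind == "heartbeat":
            self._last_hb, self._hb_lost = t, False
        elif source == "eq" and kind == "warning":
            self._pending[value] = t          # a re-raised warning restarts its deadline
        elif source == "sys" and kind == "ack":
            raised = self._pending.pop(value, None)
            if raised is None:
                self._flag(t, "ACK_UNSOLICITED", f"ack for unknown warning {value}")
            elif t - raised > self.ack_deadline_s:
                self._flag(t, "ACK_LATE", f"{value} acknowledged after {t - raised:.1f} s")
        elif source == "sw" and kind == "bcast_pps":
            if value > self.bcast_storm_pps:
                self._flag(t, "BCAST_STORM", f"{value} broadcast frames/s on switch port")
        # a "timer" tick needs no action beyond the heartbeat check above

    def run(self, events: List[Event]) -> List[Finding]:
        for ev in sorted(events, key=lambda e: e[0]):  # stable sort keeps same-time order
            self.handle(ev)
        return self.findings

    def safe_state_required(self) -> bool:
        # Any finding is grounds to drive the equipment to its safe state rather
        # than keep running on a controller or network that may be faulty.
        return bool(self.findings)


if __name__ == "__main__":
    mon = SafetyMonitor()
    for f in mon.run(SAMPLE_EVENTS):
        print(f"{f.time_s:4.1f}s  {f.code:15s} {f.detail}")
    print("safe state required:", mon.safe_state_required())
```

On the sample stream the monitor reports the broadcast storm at 2.0 s, the late acknowledgement at 2.4 s and the lost heartbeat at 3.1 s. In a real controller the tick comes from a hardware timer, the broadcast rate from the switch's per-port statistics, and a finding trips the safe state instead of printing. For the acknowledgement check to mean anything, the monitor has to run where a fault or hijack of the System Controller cannot silence it, for example on the Equipment Controller side or in a separate watchdog; that is why the example keeps the monitor's state separate from every component it observes.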
