Design of intelligent distributed control systems: a dependability point of view

The use of fieldbuses and the emergence of intelligent sensors and actuators are opening up new possibilities for distributed control systems, but are also introducing additional constraints in terms of achieving dependability objectives. The type of production environment will greatly determine the predominant criterion for an automatic control system, i.e. reliability, availability, maintainability, safety, etc. On the other hand, the choice of a fieldbus system will also depend on factors such as application size, data throughput, and integration of time considerations. Other important criteria include cost, confidentiality, and compatibility with existing equipment. Therefore, it appears essential that designers be given the means to assess dependability at each design step by integrating feedback from experience. Assessing dependability is too often limited to an evaluation at the end of the design process, which often involves reselecting previous choices. The main topic of this paper is to focus on the communication function which is a pivotal of intelligent distributed control systems. So this article is a synthesis of different aspects linked to the design of fieldbus based applications thanks to the contributors, who come from various fields. Consequently it highlights the main problem and give some ways to solve them.     

The Safe-SADT method for aiding designers to choose and improve dependable architectures for complex automated systems

Dependability evaluation is crucial to controlling the risks associated with system failure, and for this reason, it is one of the fundamental steps in automated system design. However, the dependability evaluation methods that are currently exploited are not appropriate, given the level of complexity of such industrial systems. The ineffectiveness of the existing methods led us to develop and propose the Safe-SADT (structured analysis and design technique) method. Our method allows the explicit formalization of functional interactions, the identification of the characteristic values affecting the dependability of complex systems, the quantification of the reliability, availability, maintainability, and safety (RAMS) parameters of the system's operational architecture, and the validation of that operational architecture in terms of the dependability objectives and constraints set down in the functional requirement specifications (FRS). The results presented in this paper are limited to RAM quantification.     

An analytical methodology for the dependability evaluation of non-Markovian systems with multiple components

Very often, in dependability evaluation, the systems under study are assumed to have a Markovian behavior. This assumption highly simplifies the calculations, but introduces significant errors when the systems contain deterministic or quasi-deterministic processes, as it often happens with industrial systems. Existing methodologies for non-Markovian systems, such as device stage method [1], the supplementary variables method or the imbedded Markov chain method [2] do not provide an effective solution to deal with this class of systems, since their usage is restricted to relatively simple and small systems.This paper presents an analytical methodology for the dependability evaluation of non-Markovian discrete state systems, containing both stochastic and deterministic processes, along with an associated systematic resolution procedure suitable for numerical processing. The methodology was initially developed in the context of a research work [3] addressing the dependability modeling, analysis and evaluation of large industrial information systems. This paper, extends the application domain to the evaluation of reliability oriented indexes and to the assessment of multiple components systems. Examples will be provided throughout the paper, in order to illustrate the fundamental concepts of the methodology, and to demonstrate its practical usefulness.     

Reliability evaluation of the power supply of an electrical power net for safety-relevant applications

In this paper, we introduce a methodology for the dependability analysis of new automotive safety-relevant systems. With the introduction of safety-relevant electronic systems in cars, it is necessary to carry out a thorough dependability analysis of those systems to fully understand and quantify the failure mechanisms in order to improve the design. Several system level FMEAs are used to identify the different failure modes of the system and, a Markov model is constructed to quantify their probability of occurrence. A new power net architecture with application to new safety-relevant automotive systems, such as Steer-by-Wire or Brake-by-Wire, is used as a case study. For these safety-relevant loads, loss of electric power supply means loss of control of the vehicle. It is, therefore, necessary and critical to develop a highly dependable power net to ensure power to these loads under all circumstances.     

Diagnosis Modelling for Dependability Assessment of Fault‐Tolerant Systems Based on Stochastic Activity Networks

The growing demand for safety, reliability, availability and maintainability in modern technological systems has led these systems to become more and more complex. To improve their dependability, many features and subsystems are employed like the diagnosis system, control system, backup systems, and so on. These subsystems have all their own dynamic, reliability and performances and interact with each other in order to provide a dependable and fault‐tolerant system. This makes the dependability analysis and assessment very difficult. This paper proposes a method to completely model the diagnosis procedure in fault‐tolerant systems using stochastic activity networks. Combined with Monte Carlo simulation, this will allow the dependability assessment by including the diagnosis parameters and performances explicitly. Copyright © 2014 John Wiley & Sons, Ltd.     

On Cost‐effective Reuse of Components in the Design of Complex Reconfigurable Systems

Design strategies that benefit from the reuse of system components can reduce costs while maintaining or increasing dependability—we use the term dependability to tie together reliability and availability. D3H2 (aDaptive Dependable Design for systems with Homogeneous and Heterogeneous redundancies) is a methodology that supports the design of complex systems with a focus on reconfiguration and component reuse. D3H2 systematizes the identification of heterogeneous redundancies and optimizes the design of fault detection and reconfiguration mechanisms, by enabling the analysis of design alternatives with respect to dependability and cost. In this paper, we extend D3H2 for application to repairable systems. The method is extended with analysis capabilities allowing dependability assessment of complex reconfigurable systems. Analysed scenarios include time‐dependencies between failure events and the corresponding reconfiguration actions. We demonstrate how D3H2 can support decisions about fault detection and reconfiguration that seek to improve dependability while reducing costs via application to a realistic railway case study. Copyright © 2017 John Wiley & Sons, Ltd.     

Fuzzy approach to dependability performance evaluation

This paper presents a model for dependability performance evaluation by fuzzy sets utilization. Basic dependability indicators (reliability, maintainability and maintenance support) are used for the analysis of technical systems' conditions from the aspects of design, construction, maintenance and logistics. These indicators as well as associated dependability expressions itself are described by linguistic variables, which are characterized by a membership function to the defined classes. The proposed model is primarily appropriate for introduction, analysis and synthesis of information related to quality of systems in operation. Such data are often available only as experts' judgment and estimations. A practical engineering example (mechanical system at bucket wheel excavator) has been presented to demonstrate the proposed dependability analysis and synthesis model. Copyright © 2008 John Wiley & Sons, Ltd.     

Study of Dependability Evaluation for Multi‐hierarchical Systems Based on Max–Min Composition

This article presents the model for calculating the performance of dependability for complex technical systems. According to ISO‐IEC 300, dependability is an overall indicator for the quality of service and considers simultaneously reliability, maintainability, and maintenance support. For a proper understanding of the quality of service for any technical system, it is important to define dependability performance at the level of single component as well as at the upper levels—levels of subsystems and entire system. As dependability indicators (reliability, maintainability, and maintenance support) have been defined as linguistic variables, the fuzzy max–min composition has been used for the dependability determination and integration of its indicators. A procedure for the synthesis of single components dependability performance to upper levels in complex technical system is proposed. Max–min composition is again used as a tool for fuzzy synthesis because it enables obtaining the comprehensive and synergetic effect in a process of dependability evaluation. A practical engineering example (mechanical systems at bucket wheel excavator) has been used to demonstrate the proposed dependability synthesis model. Copyright © 2012 John Wiley & Sons, Ltd.     

An Enhanced Transcribing Scheme for the Numerical Solution of a Class of Optimal Control Problems

An enhanced scheme of transcribing the system dynamics for the numerical solution of optimal control problems is proposed. This new scheme is based on the standard method of direct collocation that converts an optimal control problem into a nonlinear programming problem via simultaneous state and control discretization. When compared with the standard method, the enhanced scheme has the advantage of higher solution accuracy with minimal additional computational effort. It is particularly suited for systems with states that are related to each other in a special form. For such systems, the ensuing nonlinear programming problem has the same number of constraints as those using the standard method. Numerical results on several optimal control problems using the enhanced scheme are presented, together with comparisons with the results obtained from the standard scheme.     

Modelling the effects of input correlation in iterative software

This paper deals with the dependability evaluation of software programs of an iterative nature. In this work we define a model that is able to account for both dependencies between input values of successive iterations and the effects of sequences of consecutive software failures on the reliability of the controlled system. Differently from previously proposed models, some effort is devoted to address the problem of how to get accurate estimates for the basic parameters. A model is thus proposed that, requiring the designers or users to provide information usually obtainable by experimental techniques, e.g. testing, is more useful and more generally applicable. A thorough analysis is then performed to highlight the effects of the different parameters on the dependability attributes. This analysis allows us to appreciate which effects (and their extent) have variations of both correlation between successive inputs and different structural characteristics of the software at hand. Moreover, the robustness of the model against imprecise assessments of the starting parameters is also shown.     

Discontinuous variational time integrators for complex multibody collisions

The objective of the present work is to formulate a new class of discontinuous variational time integrators that allow the system to adopt two possibly different configurations at each sampling time t_k, representing predictor and corrector configurations of the system. The resulting sequence of configuration pairs then represents a discontinuous—or non‐classical—trajectory. Continuous or classical trajectories are recovered simply by enforcing a continuity constraint at all times. In particular, in systems subject to one‐sided contact constraints simulated via discontinuous variational time integrators, the predictor configuration is not required to satisfy the one‐sided constraints, whereas the corrector configuration is obtained by a closest‐point projection (CPP) onto the admissible set. The resulting trajectories are generally discontinuous, or non‐classical, but are expected to converge to classical or continuous solutions for decreasing time steps. We account for dissipation, including friction, by means of a discrete Lagrange–d'Alembert principle, and make extensive use of the spacetime formalism in order to ensure exact energy conservation in conservative systems, and the right rate of energy decay in dissipative systems. The structure, range and scope of the discontinuous variational time integrators, and their accuracy characteristics are illustrated by means of examples of application concerned with rigid multibody dynamics. Copyright © 2014 John Wiley & Sons, Ltd.     

Software qualification in safety applications

The developers of safety-critical instrumentation and control systems must qualify the design of the components used, including the software in the embedded computer systems, in order to ensure that the component can be trusted to perform its safety function under the full range of operating conditions. There are well known ways to qualify analog systems using the facts that: (1) they are built from standard modules with known properties; (2) design documents are available and described in a well understood language; (3) the performance of the component is constrained by physics; and (4) physics models exist to predict the performance. These properties are not generally available for qualifying software, and one must fall back on extensive testing and qualification of the design process. Neither of these is completely satisfactory.The research reported here is exploring an alternative approach that is intended to permit qualification for an important subset of instrumentation software. The research goal is to determine if a combination of static analysis and limited testing can be used to qualify a class of simple, but practical, computer-based instrumentation components for safety application. These components are of roughly the complexity of a motion detector alarm controller. This goal is accomplished by identifying design constraints that enable meaningful analysis and testing. Once such design constraints are identified, digital systems can be designed to allow for analysis and testing, or existing systems may be tested for conformance to the design constraints as a first step in a qualification process. This will considerably reduce the cost and monetary risk involved in qualifying commercial components for safety-critical service.     

Architectural design and reliability analysis of a fail-operational brake-by-wire system from ISO 26262 perspectives

Next generation drive-by-wire automotive systems enabling autonomous driving will build on the fail-operational capabilities of electronics, control and software (ECS) architectural solutions. Developing such architectural designs that would meet dependability requirements and satisfy other system constraints is a challenging task and will possibly lead to a paradigm shift in automotive ECS architecture design and development activities. This aspect is becoming quite relevant while designing battery-driven electric vehicles with integrated in-wheel drive-train and chassis subsystems.In such highly integrated dependable systems, many of the primary features and functions are attributed to the highest safety critical ratings. Brake-by-wire is one such system that interfaces with active safety features built into an automobile, and which in turn is expected to provide fail-operational capabilities. In this paper, building up on the basic concepts of fail-silent and fail-operational systems design we propose a system-architecture for a brake-by-wire system with fail-operational capabilities. The design choices are supported with proper rationale and design trade-offs. Safety and reliability analysis of the proposed system architecture is performed as per the ISO 26262 standard for functional safety of electrical/electronic systems in road vehicles.     

Improved relaxation time coverage in ramp-strain histories

Standard methods for deriving relaxation data from measurements invariably involve some form of ramp-type deformation history, the initial portion of which is typically not employed for modulus evaluation. In fact, the “ten-times-rule” or a variant thereof is widely used at the expense of short term data acquisition. This paper suggests a simple if (not) obvious method to extend the range of relaxation data that can be acquired from a single test at a single temperature. The method draws on new computational developments for inverting ill-conditioned systems of equations which allows the determination of relaxation parameters nearly routinely and trouble-free. We demonstrate this process for extraction of relaxation characterization from ramp strain histories through (a) numerical evaluation with a virtual test sequence, as well as through (b) data measured in the laboratory. Limitations regarding the time range over which the relaxation modulus can be extracted from laboratory measurements in terms of equipment resolution and stability are discussed. With these constraints in mind it appears feasible to extend the time range by three to four decades towards shorter times when compared with the application of the “ten-times-rule”. Similar treatments apply to the acquisition of creep compliance data.     

Human communication, mutual awareness and system dependability. Lessons learnt from air-traffic control field studies

The dependability of many complex and critical systems strongly relies on human operators, both through human reliability and human ability to handle adequately the unexpected events. This paper focuses on ergonomics field studies of air traffic control activities, and more specifically on the analyses of communication within teams of controllers. We show how operators use spontaneously the natural redundancy and diversity of human communication (multimodality, addressing features,…), so as to successfully maintain mutual awareness. This is the key for reliable cooperation, for the sake of global system dependability that rests on mechanisms such as error detection, recovery, and prevention (by anticipation and regulation). This study helps in providing specifications for the design of systems efficiently supporting both human cooperation and human ability to contribute to dependability.     

Materials selection for a cooling plate using control area diagrams

Merit indices are used to rank materials and are of fundamental importance in materials selection. Traditionally, merit indices have only been available for elementary design cases. In the present paper merit indices are generalised to cooling systems where heat flow and strength are design criteria in a materials optimisation framework. A cooling tube and a cooling plate are considered. A new concept, merit exponent is used that is related to the merit indices. A definition of the merit exponent is given also for cases with many design variables. In each design case a number of merit exponents are involved. It is a nontrivial task to identify which they are and when each of them is applicable. For this purpose control area diagrams (CAD) are used. A CAD is a diagram with the controlling properties on the axes, and areas where one or more constraints are active. For the cooling systems the controlling properties are heat conductivity and strength. The active constraints define the relevant merit exponent. The constraints involve the controlling properties and geometrical variables. Principles are established for how to set up the CAD and to derive the merit exponents.     

The design and analysis of AVTMR (all voting triple modular redundancy) and dual–duplex system

In this paper, we design AVTMR (All Voting Triple Modular Redundancy) and dual–duplex system which have a fault-tolerant characteristic, and two systems are compared in the evaluation of RAMS (Reliability, Availability, Maintainability and Safety) and MTTF (Mean Time To Failure).AVTMR system is designed in a triplicated voter technique and dual–duplex system in a comparator, and two systems are based on MC68000. To evaluate system characteristic, Markov modeling method is designed for reliability, availability, safety and MTTF (Mean Time To Failure), and RELEX6.0 tool is used for the calculation of failure rate of electrical components that is based on MILSPEC-217F.In this paper, we can see two systems are more high dependability than a single system, and AVTMR or dual–duplex system can be selected for a specific application system. Especially, because AVTMR and dual–duplex system have high RAMS better than a single system, they can be applied to life critical system such as an airplane and a high-speed railway system.     

Coherence region of the Priority‐AND gate: Analytical and numerical examples

In recent years, the need for a more accurate dependability modelling (encompassing reliability, availability, maintenance, and safety) has favoured the emergence of novel dynamic dependability techniques able to account for temporal and stochastic dependencies of a system. One of the most successful and widely used methods is Dynamic Fault Tree that, with the introduction of the dynamic gates, enables the analysis of dynamic failure logic systems such as fault‐tolerant or reconfigurable systems. Among the dynamic gates, Priority‐AND (PAND) is one of the most frequently used gates for the specification and analysis of event sequences. Despite the numerous modelling contributions addressing the resolution of the PAND gate, its failure logic and the consequences for the coherence behaviour of the system need to be examined to understand its effects for engineering decision‐making scenarios including design optimization and sensitivity analysis. Accordingly, the aim of this short communication is to analyse the coherence region of the PAND gate so as to determine the coherence bounds and improve the efficacy of the dynamic dependability modelling process.     

Dependability analysis of semi-Markov systems

This paper presents a dependability analysis (Availability-Reliability-Maintainability, Mean times) for semi-Markov systems with finite state space, by a new method, based on algebraic calculus within a convolution algebra. This method permits us to obtain, by simple matrix calculus, closed form solutions of transition probabilities and dependability measures. It is a quite general method that does not need the semi-Markov kernel to be absolutely continuous. Thus we obtain, as an example, the classical availability formulae modelled by an alternating renewal process, by a simple algebraic calculus without probabilistic argument. A detailed application of the method is given.     

Parallel Solution of Linear Systems

Computational scientists generally seek more accurate results in shorter times, and to achieve this a knowledge of evolving programming paradigms and hardware is important. In particular, optimising solvers for linear systems is a major challenge in scientific computation, and numerical algorithms must be modified or new ones created to fully use the parallel architecture of new computers. Parallel space discretisation solvers for Partial Differential Equations (PDE) such as Domain Decomposition Methods (DDM) are efficient and well documented. At first glance, parallelisation seems to be inconsistent with inherently sequential time evolution, but parallelisation is not limited to space directions. In this article, we present a new and simple method for time parallelisation, based on partial fraction decomposition of the inverse of some special matrices. We discuss its application to the heat equation and some limitations, in associated numerical experiments.