CANopen safeguards: Mapping process data objects

CANopen is a communication protocol and device profile specification for embedded systems used in automation that includes mechanisms to secure signal integrity. This is part 2 of 2; it discusses process data object mapping and how the CANopen protocol allows for fewer errors than traditional analog instrumentation. Part 1 is a Digital Edition Exclusive in the Control Engineering May 2015 issue, and is linked below.

By Dr. Heikki Saha May 16, 2015

Application level safeguards and services in CANopen can decrease the chance of protocol level residual errors without introducing additional lifecycle costs. Ways to do that include process data object mapping, use of signal validity mechanisms, and managing instrumentation information. Part 1 (linked at the bottom) discusses device profiles, network management, and device state machines.

Process data objects (PDO) mapping

Analog signals are sensitive to deviations, making it impossible to connect a single analog sensor to multiple input devices without additional active components. Thus, entirely parallel sensor channels are commonly used for monitoring.

PDO mapping is generally understood as a signal routing function only, but it may also be utilized for decreasing the residual error probability of the CANopen communication. In the case of programmable logic controllers (PLCs), most likely there are free objects left in the process image and receive process data objects (RPDOs) not used for the control application signals. Signals to and from control applications of other PLCs may be mapped from PDOs into the local object dictionary of a PLC, which makes the PLC monitor the structure of those PDOs. This way, more PLCs are able to perform PDO message length checking and increase the spatial coverage of the potential residual errors passing the CAN layer 2 consistency check. The main constraint of this kind of RPDO monitoring is that only the PDOs that are too short can be detected, not the ones that are too long.
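As an added illustration (not code from the article or from any CANopen stack), the receive-side length check a monitoring PLC can apply to an RPDO, run over a constructed mapping of three objects; the index and subindex values are sample values, and each mapped object is assumed to occupy whole bytes.

```python
# Constructed RPDO mapping as (index, subindex, bit length), the way a CANopen
# RPDO mapping parameter (object 0x1600 and up) describes it. The indices are
# sample values, and every entry is assumed to be a whole number of bytes.
RPDO1_MAPPING = [
    (0x6401, 0x01, 16),  # 16-bit analog input, channel 1
    (0x6401, 0x02, 16),  # 16-bit analog input, channel 2
    (0x6000, 0x01, 8),   # 8-bit block of digital inputs
]


def mapped_length_bytes(mapping):
    """Bytes the mapped objects occupy in the PDO data field (at most 8)."""
    bits = sum(length for _, _, length in mapping)
    return (bits + 7) // 8


def check_rpdo(mapping, data):
    """Receive-side length check a monitoring device can apply to a PDO.

    A frame shorter than the mapping cannot carry all mapped objects, so it
    is rejected and the error becomes visible. A frame longer than the mapping
    still contains every mapped object, so it is accepted and the surplus
    bytes are ignored; that is why this check cannot flag too-long PDOs.
    Returns (status, payload), with payload None on rejection.
    """
    expected = mapped_length_bytes(mapping)
    if len(data) < expected:
        return "length-error", None
    return "ok", bytes(data[:expected])


def unpack_signals(mapping, payload):
    """Split an accepted payload into the mapped objects (unsigned little-endian)."""
    values = {}
    offset = 0
    for index, subindex, length in mapping:
        size = length // 8
        values[(index, subindex)] = int.from_bytes(payload[offset:offset + size], "little")
        offset += size
    return values
```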

Signal validity

In traditional instrumentation, only primary signals are used without redundant services providing validity information of the primary signals or consistency of the system structure. Analog sensors and actuators cannot be identified, and it is not possible to verify the structure and configuration. Using two analog sensors in parallel may enable the identification of a failure, but not necessarily which of the two sensors failed. A third one is needed to enable the detection of a single failing sensor, but still it remains unclear whether the failure is in the sensor or cabling.

Membership monitoring provides basic-level monitoring of signal producers. Faster and more detailed validity monitoring of received signals can be based on RPDO timeout monitoring. Combining the information from membership monitoring and RPDO monitoring enables the identification of the error type and error location. If signal plausibility checking is required, a CANopen design process can provide the necessary information. Additionally, most CANopen devices contain comprehensive self-monitoring functions, and detected local failures are reported to the rest of the system by the emergency protocol.
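The combination of membership monitoring and RPDO timeout monitoring described above, as an added example that is not part of the article: a constructed consumer-side monitor for one producer node whose diagnosis depends on which of the two monitors has expired. It assumes a heartbeat consumer time of 1.5 times the producer's heartbeat period and a single millisecond clock on the consumer.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProducerMonitor:
    """Constructed consumer-side monitor for one signal producer.

    Combines membership monitoring (the node's heartbeat) with RPDO timeout
    monitoring of one PDO from that node. Times are milliseconds on one
    consumer clock; the heartbeat consumer time is assumed to be 1.5 times
    the producer's heartbeat period.
    """
    node_id: int
    heartbeat_period_ms: int
    rpdo_timeout_ms: int
    last_heartbeat_ms: Optional[float] = None
    last_rpdo_ms: Optional[float] = None

    def on_heartbeat(self, t_ms):
        self.last_heartbeat_ms = t_ms

    def on_rpdo(self, t_ms):
        self.last_rpdo_ms = t_ms

    def diagnose(self, now_ms):
        """Classify error type and likely location from the two monitors."""
        hb_ok = (self.last_heartbeat_ms is not None
                 and now_ms - self.last_heartbeat_ms <= 1.5 * self.heartbeat_period_ms)
        pdo_ok = (self.last_rpdo_ms is not None
                  and now_ms - self.last_rpdo_ms <= self.rpdo_timeout_ms)
        if hb_ok and pdo_ok:
            return "ok"
        if hb_ok:
            # Node still alive on the bus, only this PDO stopped: look at the
            # producer application or its PDO configuration, not at cabling.
            return "pdo-stalled"
        if pdo_ok:
            # Signals keep arriving but no heartbeat: the heartbeat producer
            # on the node is misconfigured or not started.
            return "heartbeat-lost"
        # Nothing from the node at all: node failure, power or cabling.
        return "node-lost"
```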

Configuration management

Parameterization is a tool to reduce the number of different product items and increase reuse by adapting standard products to various system locations. A misunderstanding in the industry is that there are no configurable parameters in analog sensors and actuators. There are typically vendor-specific and device-specific mechanisms for adjusting calibration, filtering, and so forth in sensors. Such services are often for the vendor’s use only, limiting the usage. In the case of actuators, it is totally different, especially in hydraulic valves. There are plenty of slightly different main spools; various springs with different spring forces; or spring force adjustments with washers, pressure compensators, load-pins, and optional valve elements for protection purposes.

Some of those parameters that have traditionally been configured by changing the spools and springs may currently be adjusted by changing the parameter values of the internal valve controller. Pure mechanical and hydraulic options, which cannot be changed over a CANopen network, are still identified in the device identity, providing a detailed check during the network start-up phase. However, good quality assurance is required to avoid assembly failures, which cause mismatches between planned and realized constructions.

From a safety point of view, it is essential to be able to check that the correct sensors and actuators are used. Based on experience, end users are "quite innovative" and instructions alone can never be enough, which is why the control system must be able to perform membership and configuration monitoring.

A clear division between factory calibration and user configuration is highly recommended. During the download process, these also need to be separated to prevent messing up the categories. To make parameters manageable, the configuration management process supports flexible production arrangements between system integrators, subcontractors, and component vendors. Storing parameters in numeric values enables a constant production quality and the possibility to verify the assigned values after set and store. 
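The start-up identity check, the separation of factory calibration from user configuration during download, and the read-back after set-and-store, as an added example that is not the article's or any vendor's code. The identity fields follow the layout of the CANopen identity object (0x1018); the values and the 0x2xxx parameter indices are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Param:
    index: int
    subindex: int
    category: str  # "factory" (calibration) or "user" (configuration)


# Constructed plan for one device slot. Identity fields follow the layout of
# the CANopen identity object (0x1018); the values and the 0x2xxx parameter
# indices are sample values, not a real product's.
PLANNED_IDENTITY = {"vendor_id": 0x123, "product_code": 0x4400, "revision": 0x00010002}
PLANNED_PARAMS = {
    Param(0x2001, 1, "user"): 1500,     # e.g. ramp time
    Param(0x2001, 2, "user"): 250,      # e.g. deadband
    Param(0x2100, 1, "factory"): 1023,  # calibration, must stay untouched
}


def check_identity(planned, read_identity):
    """Start-up check: identity fields where the device differs from the plan.

    Mechanical or hydraulic options that cannot be changed over the network
    still show up here, so a wrongly fitted device is caught before operation.
    """
    return sorted(k for k in planned if read_identity.get(k) != planned[k])


def split_download(params):
    """Separate user configuration from factory calibration before download.

    Returns (download, withheld): only user-category values are downloaded;
    factory entries are withheld so the two categories cannot be mixed up.
    """
    download = {p: v for p, v in params.items() if p.category == "user"}
    withheld = {p: v for p, v in params.items() if p.category != "user"}
    return download, withheld


def verify_after_store(download, read_back):
    """After set-and-store, read every value back; report (planned, actual) deviations."""
    return {p: (v, read_back.get(p)) for p, v in download.items() if read_back.get(p) != v}
```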

Design process

There is no uniform approach to the management of analog sensor and actuator interfaces. Instead, various written documents are used, and each input and output must be configured manually in design-time and calibrated after the assembly, before full operation. Any component change leads to the need for a recalibration. The major problem is the significance of human effort in each phase of the process.

The comprehensively standardized CANopen design process supports most of the listed safeguards. It is important to manage design information systematically to avoid errors. Human mistakes can be avoided by using the appropriate tools instead of human work. An appropriate tool chain enables the validation and reuse of information to and from a CANopen system project.

The design process can be considered as a procedure that provides consistent information for configuration management and various other monitoring functions. Not all of the required information is necessarily available in CANopen projects, which leads to interactions with other disciplines. Information sharing is not possible if information content is not well defined and structured.

In addition to its reliable communication services, CANopen provides further safeguards to decrease the residual error probability of communication and to increase the diagnostic coverage. Device profiles enable the efficient reuse of standardized basic sensing and actuation functions. Implemented in off-the-shelf devices, such functions have already been tested and certified without additional cost or effort. Device state machines provide protection against communication errors that cause problems such as unintentional error recovery, which violates one of the main safety design principles.

Detailed membership monitoring is a function that cannot be implemented in analog sensors and actuators. It is intrinsically available in each CANopen system.

Receiving PDOs by multiple devices, regardless of the need of included signal values, can be used to increase error detection performance by extending the spatial distribution. The more receiving devices there are, the more reliable the operation will become due to spatial coverage.

CANopen defines a comprehensive configuration management, which applies equally for all kinds of compliant devices. A harmonized principle enables an efficient and reliable systemwide configuration management. The standardized design process supports configuration management. It provides a systematic approach for the management of design information, including meta-information of signals and parameters, throughout the system’s lifecycle. A well-defined design process also maximizes the possible reuse of design information. 

Error probability

Determining the exact residual error probability of CANopen communication analytically is challenging due to the message structure of CAN messages. However, based on the existing information, the residual error probability is low enough for most applications. When compared with old analog instrumentation, the difference is significant. Based on the existing analyses made by following the related standards and using real failure statistics, it might not make sense to use analog sensors and actuators in safety relevant control system functions. While CANopen is not considered a safety bus, most of its basic concepts follow "inherently safe design measures."

In addition to the communication, the dependability of applications is critical. The main methods for improving the dependability of application programs are a managed design process and testing. As long as additional costs are not acceptable, the reuse of applications enables a more complete testing. One of the best reuse methods is to use standardized basic functions, which are defined in device profiles in CANopen. From a system point of view, a higher dependability typically results in a better availability and profitability of target systems.

When analog instrumentation and CANopen networking are compared, the latter can be achieved more simply, while providing the same performance level. Analog instrumentation is more traditional, typically has fewer functions, and seems simple to design. One reason for its apparent simplicity is that many of its systematic procedures have not been defined at a detailed level. Therefore, the assembly and service of analog instrumentation is error-prone and needs a great deal of human effort. However, defined methods must be followed to get the benefits of CANopen.

– Dr. Heikki Saha, M. Sc Automation, Dr. Tech. Electronics, is chief technology officer, TK Engineering, Oy; edited by Anisa Samarxhiu, digital project manager, Control Engineering, asamarxhiu@cfemedia.com.

Key concepts

  • PDO mapping is generally understood as a signal routing function only, but it may also be used for decreasing the residual error probability of the CANopen communication.
  • Parameterization is a tool to reduce the number of different product items and increase reuse by adapting standard products to various system locations.
  • As long as additional costs are not acceptable, the reuse of applications enables a more complete testing.

Consider this

What do you think is needed to improve the dependability of application programs?

ONLINE extra

See additional stories about CANopen, including the first part of this story, linked below.