The control system of these machines is required to behave in a safe manner, even in the presence of faults. When wireless control is used, analysing the safety performance becomes more complex and some knowledge of the terminology and techniques used can aid in understanding the requirements.

A remote control system typically comprises two main components – the transmitter and the receiver. The transmitter accepts operator commands from pushbuttons, joysticks, and other devices and encodes these commands into a message that is sent to the receiver. The receiver detects this message, decodes it to retrieve the commands, and then performs the commands that it was given. In most cases, these messages are sent over a radio link, but other media such as infrared or fibre-optics are sometimes used – most of the design principles discussed here are common to them all.

A wireless control system must protect the link between the transmitter and receiver against several potential hazards. For example:

– External EMI noise or other interference must not cause unwanted motion of the machine

– Each transmitter/receiver pair must be uniquely coded to prevent control of the wrong machine

– There must be a suitable response time for commands to be executed – in particular a maximum guaranteed time for recognition of a STOP command

Importantly, these characteristics must be maintained even when a fault exists in the control system.

The remainder of this article details some of the techniques that can be used to address these risks.

Managing interference

Recent years have seen the rapid proliferation of wireless communication systems, with large increases in both the number of applications, and in the number of units in use. With an increasingly congested radio spectrum, the resolution of interference problems is becoming fundamental to both safety and reliability.

In a wireless control system, the messages sent from the transmitter to the receiver (often referred to as telegrams) contain the commands that the operator is giving to the machine. Obviously it is vital that these commands are understood correctly at the receiver, and any damage or corruption of the telegram does not result in erroneous machine motion. To that end, each telegram must include some additional information to function as an error-check so that the receiver can ensure that the telegram was received correctly.

Error-detection methods are heavily founded in mathematics, and vary in complexity and efficiency. One of the most common methods is the cyclic redundancy check (CRC). The CRC is calculated in a complex way and is designed so that even a small error in the telegram causes a large change in the calculated CRC; this minimises the chance that an error in the telegram goes undetected.

No matter how good or complex an error-detection system is, it is always possible that several errors will combine to make a damaged telegram appear valid. Of course, the more simultaneous errors that can be detected, the less likely it is that a damaged telegram will be accepted. There is a measure of error-detection effectiveness called Hamming Distance, which is defined as the minimum number of simultaneous errors required in a telegram to defeat the error-detection system (and thus cause a corrupted message to be accepted as valid).

Using a common type of cyclic redundancy check it is easy to achieve a Hamming Distance of 4. While this may appear relatively robust, systems are available with Hamming Distances of up to 8, providing far higher protection. With such techniques it is possible to reduce the probability of non-recognition of an error (Pe) to negligible levels, for example below 10^-9 (less than one in a billion).
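To make the Hamming Distance measure concrete, the following Python is an added example (it is not code from the article or from any particular remote control product). It appends a CRC-16/CCITT check to a short constructed command payload, shows the receiver rejecting damaged telegrams, and then searches every error pattern of increasing weight to find the smallest one the check fails to detect. The polynomial, the 0xFFFF start value, the 4-byte payload and the 8-bit XOR checksum used for comparison are all assumptions of the example.

```python
from itertools import combinations
from typing import Callable, Iterable, Optional, Tuple

# Added example, not from the article: a receiver-side telegram check and a
# brute-force measurement of its Hamming Distance. The CRC-16/CCITT polynomial
# and 0xFFFF start value are a common choice; the payload bytes are constructed.

CRC16_POLY = 0x1021        # x^16 + x^12 + x^5 + 1


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT, MSB first, as a small receiver MCU would compute it."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC16_POLY) if (crc & 0x8000) else (crc << 1)
            crc &= 0xFFFF
    return crc


def xor_checksum(data: bytes) -> int:
    """Weak 8-bit XOR checksum, included only to compare against the CRC."""
    acc = 0
    for byte in data:
        acc ^= byte
    return acc


def build_telegram(payload: bytes) -> bytes:
    """Transmitter side: command payload followed by its 16-bit CRC."""
    return payload + crc16(payload).to_bytes(2, "big")


def crc_syndrome(frame: bytes) -> int:
    """Receiver side: 0 means the CRC matches; anything else rejects the telegram."""
    payload, received = frame[:-2], int.from_bytes(frame[-2:], "big")
    return crc16(payload) ^ received


def checksum_syndrome(frame: bytes) -> int:
    """Same idea for the XOR checksum: last byte is the check."""
    return xor_checksum(frame[:-1]) ^ frame[-1]


def telegram_accepted(frame: bytes) -> bool:
    """What the receiver acts on: only a frame whose CRC verifies."""
    return len(frame) > 2 and crc_syndrome(frame) == 0


def flip_bits(frame: bytes, positions: Iterable[int]) -> bytes:
    """Copy of frame with the given bit positions inverted (0 = first bit on air)."""
    buf = bytearray(frame)
    for p in positions:
        buf[p // 8] ^= 0x80 >> (p % 8)
    return bytes(buf)


def hamming_distance(frame: bytes, syndrome: Callable[[bytes], int],
                     max_weight: int = 5) -> Optional[Tuple[int, Tuple[int, ...]]]:
    """Fewest simultaneously flipped bits the check fails to detect, plus one such pattern.

    A CRC or XOR checksum is an affine function of the frame bits, so the syndrome
    change caused by a multi-bit error is the XOR of the changes caused by each of
    its single-bit errors. Every pattern up to max_weight bits is therefore tested
    with a few XORs instead of a full recomputation of the check.
    """
    nbits = 8 * len(frame)
    base = syndrome(frame)
    single = [syndrome(flip_bits(frame, [i])) ^ base for i in range(nbits)]
    for weight in range(1, max_weight + 1):
        for positions in combinations(range(nbits), weight):
            acc = 0
            for p in positions:
                acc ^= single[p]
            if acc == 0:                 # syndrome unchanged: this error would be accepted
                return weight, positions
    return None                          # nothing up to max_weight slips through


if __name__ == "__main__":
    frame = build_telegram(b"\x01\x02\x03\x04")        # constructed 4-byte command payload
    print("CRC-16 frame Hamming Distance:", hamming_distance(frame, crc_syndrome))
    payload = frame[:-2]
    chk = payload + bytes([xor_checksum(payload)])
    print("XOR checksum Hamming Distance:", hamming_distance(chk, checksum_syndrome))
```

For the 48-bit frame the CRC-16 search reports a distance of 4, matching the figure quoted above, while the XOR checksum reports 2: flipping the same bit column in two different bytes cancels out in a parity-style check. Hamming Distance says nothing about long bursts that randomise the whole telegram; there the acceptance probability is roughly 2^-16 for a 16-bit check, which is why longer checks and stricter telegram structures are needed to reach a Pe below 10^-9.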

Interference from other wireless control systems

So far, we have regarded interference as simply random noise that may damage a telegram. But there is another potentially hazardous type of interference that is not random – messages from other wireless control systems. In some cabled control systems, it is desirable to use standard communication protocols so that different pieces of equipment can communicate, for example, Modbus, Profibus, DeviceNet, Canbus, etc. These are relatively simple to manage, because there are a limited number of devices connected on the network. In a safety radio remote control application, however, the communication medium is open.

This means that we can never guarantee that the receiver will not be exposed to messages being transmitted by other remote control systems. In this case, the use of standard protocols increases the similarity between telegrams on different devices, thus increasing the risk that an overheard telegram from another system may be inadvertently decoded and accepted.

The risk of such non-random interference can be managed by the use of proven proprietary telegram protocols, together with custom error-detection methods different from (and superior to) a standard CRC-32. Another vital tool is the use of identity codes for each safety radio control system, discussed next.

Managing identity codes

To ensure that only the correct machine is controlled, different radio systems must be distinguished from each other by each having a different ID number, common for each receiver/transmitter pair, but different between systems. One common method is to use a number of small switches or links to set the code number in the transmitter and receiver – typically about 16 switches are used. The switches may be set in the factory to a different value for each system, or this may be left for the purchaser to do. In either case, there are serious problems with this approach:

– More than one remote control may be set with the same code because the manufacturer re-uses them.

– Two or more users may coincidentally set their codes the same.

– One of the switches or links may move, or become contaminated, changing the ID number.

– A person may tamper with the ID number of the transmitter or receiver.

– This system may not comply with some regulations, for example, that the address system be ‘failsafe and tamperproof’ (EN IEC 60204-32, AS1418.1).

A safer approach is for the manufacturer to assign an ID code to each system that is guaranteed unique in the world. The ID code may be stored in a removable sealed module to prevent tampering, yet enabling simple exchange if service is required.

Response time

The minimum response time of a radio remote control system is dependent on the data rate, which is itself dependent on the quality of the telegram used, the radio components, the noise level, and the operating distance. Response times in the range of 100 milliseconds are normally perceived by an operator as instantaneous, and are usually much less than the response time of other electromechanical components. From a safety viewpoint, though, the maximum response time is more important. The actual response time of the control system may increase above the theoretical minimum due to interference causing some telegrams to be damaged, and thus rejected.

This delays the reception of a valid telegram, and during this period operator commands will not be put into action. Clearly this is a potential hazard which must be managed. After a pre-determined amount of time has elapsed without a valid message from the transmitter, the receiver must perform a STOP and bring the machine to a safe state. The permitted time may vary from application to application, though maximums are defined in some regulations – the limit of 550ms set in EN IEC 60204-32 and AS1418.1 is typical.

The mechanism by which the loss of valid signal reception for a period of time causes the machine to revert to the STOP state is called a Passive Stop, and is a fundamental requirement of a safety radio control. Another such requirement is a STOP button or other actuator that the operator can use to quickly bring the machine to a safe state. This button must be a normally-closed type with positive-break contacts, that is, the operating force of the button must act directly on the contacts to force them apart without reliance on springs or other mechanisms. Standard pushbuttons with normally-open contacts are completely unacceptable for use as STOP actuators in safety systems.

Some radio control types use the STOP button to simply turn off the transmitter, and rely on the loss of signal at the receiver to cause a passive stop. The disadvantage of this technique is response time: the machine will not revert to the safe state until the passive-stop time has elapsed. A better approach is to send a dedicated stop-telegram to the receiver when the operator presses the STOP button, a technique known as an Active Stop. This results in a rapid response time if the stop-telegram is received correctly.

If it is not, the system will stop anyway after the passive-stop time due to loss of the normal telegram. So a combined stop system can provide the best of both worlds: the rapid response time of the active stop, with the safety net provided by the passive stop.
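The identity-code rules above and the passive/active stop behaviour just described fit together in a small receiver state machine. The Python below is an added example, not the article's own code or any vendor's firmware: the telegram layout (4-byte system ID, 1-byte command, CRC-32 from Python's zlib), the command codes, the 100 ms transmit period and the two system IDs are constructed for the demonstration; the 550 ms passive-stop limit is the figure the article cites from EN IEC 60204-32 and AS1418.1. The timeline shows a foreign system's telegram being ignored, a damaged telegram being rejected, a Passive Stop when nothing valid arrives, and an Active Stop acting at once when the STOP telegram gets through.

```python
import struct
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not from the article: a receiver that combines a factory-assigned
# system ID, a CRC-32 telegram check, an Active Stop telegram and a Passive Stop
# timer. Layout, command codes, IDs and timings are constructed for the demo.

PASSIVE_STOP_MS = 550      # limit cited in the article (EN IEC 60204-32 / AS1418.1)
CMD_STOP = 0x00            # dedicated stop telegram (Active Stop)
CMD_NONE = 0x01            # transmitter alive, no motion requested
CMD_HOIST_UP = 0x02        # constructed motion command
TELEGRAM_LEN = 9           # 4-byte system ID + 1-byte command + 4-byte CRC-32

OUR_ID = 0x12345678        # constructed "unique in the world" ID of this system
OTHER_ID = 0x9ABCDEF0      # constructed ID of a neighbouring system


def encode_telegram(system_id: int, command: int) -> bytes:
    """Transmitter side: ID and command, protected by CRC-32 (zlib implementation)."""
    body = struct.pack(">IB", system_id, command)
    return body + struct.pack(">I", zlib.crc32(body))


def decode_telegram(frame: bytes) -> Optional[Tuple[int, int]]:
    """Receiver side: (system_id, command), or None when the CRC does not verify."""
    if len(frame) != TELEGRAM_LEN:
        return None
    body, received_crc = frame[:5], struct.unpack(">I", frame[5:])[0]
    if zlib.crc32(body) != received_crc:
        return None
    return struct.unpack(">IB", body)


@dataclass
class Receiver:
    system_id: int                       # fixed at the factory, e.g. in a sealed module
    running: bool = False                # False = machine held in the STOP state
    command: int = CMD_STOP
    last_valid_ms: Optional[int] = None  # time of the last accepted telegram
    events: List[Tuple[str, int]] = field(default_factory=list)

    def _stop(self, now_ms: int, kind: str) -> None:
        self.running = False
        self.command = CMD_STOP
        self.events.append((kind, now_ms))

    def tick(self, now_ms: int) -> None:
        """Periodic timer: Passive Stop once valid telegrams have been absent too long."""
        if (self.running and self.last_valid_ms is not None
                and now_ms - self.last_valid_ms > PASSIVE_STOP_MS):
            self._stop(now_ms, "passive_stop")

    def on_frame(self, now_ms: int, frame: bytes) -> None:
        """Handle one frame delivered by the radio at time now_ms."""
        self.tick(now_ms)
        decoded = decode_telegram(frame)
        if decoded is None:
            self.events.append(("reject_crc", now_ms))        # damaged: no action, timer runs on
            return
        system_id, command = decoded
        if system_id != self.system_id:
            self.events.append(("ignore_foreign_id", now_ms))  # another system's telegram
            return
        self.last_valid_ms = now_ms                            # restarts the passive-stop timer
        if command == CMD_STOP:
            self._stop(now_ms, "active_stop")                  # Active Stop: immediate
        else:
            self.running = True
            self.command = command
            self.events.append(("run", now_ms))


def run_scenario() -> List[Tuple[str, int]]:
    """Constructed timeline: transmitter sends every 100 ms, then interference blocks it."""
    rx = Receiver(system_id=OUR_ID)
    good = encode_telegram(OUR_ID, CMD_HOIST_UP)
    damaged = bytes([good[0] ^ 0x40]) + good[1:]              # one bit corrupted on air
    timeline = [
        (0, good),                                             # accepted: hoist runs
        (100, encode_telegram(OTHER_ID, CMD_HOIST_UP)),        # neighbour's system: ignored
        (200, damaged),                                        # CRC fails: rejected
        (300, None), (400, None), (500, None), (600, None),    # nothing valid arrives
        (700, good),                                           # link restored: runs again
        (750, encode_telegram(OUR_ID, CMD_STOP)),              # operator presses STOP
    ]
    for now_ms, frame in timeline:
        if frame is None:
            rx.tick(now_ms)
        else:
            rx.on_frame(now_ms, frame)
    return rx.events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

The Passive Stop fires at 600 ms, the first timer tick after 550 ms without an accepted telegram; the corrupted frame at 200 ms and the foreign telegram at 100 ms do not refresh the timer, which is the point of checking both the CRC and the ID before acting. The Active Stop at 750 ms takes effect on the same tick, rather than at the 1300 ms the passive timer alone would allow. How the machine is restarted after a stop is outside this example.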

What next?

We have seen that the above techniques can be used to control the risks presented by external influences on a remote control system. But equally important is the ability of the control system to resist internal faults without causing hazardous machine motion. In the next article of this series, we examine the means by which this is achieved and look at quantifying and testing the safety performance of the system.
