The d-SC software distinguishes between the safe and the non-vital domain in order to save cost and time in application development and certification. This separation allows non-vital applications to be developed separately from safe applications. Non-vital applications cannot influence safe applications because they are executed on a separate processor.
The high-availability software extension increases the availability of the system by supporting controller redundancy, so that the loss of a single controller is tolerated. In this set-up, one controller is active while the other is on standby. If the active controller fails, the standby controller seamlessly takes over the active controller's state. This ensures that a failure in one controller does not lead to a total system loss and the application continues to work. The defective hardware can then be repaired or restarted without restarting the system. Once the repairs have been made, the system resynchronizes the repaired controller, so that it becomes the standby controller and is ready for the next switchover.
As a unique feature and as the main use case, d-SC allows the two redundant controllers to connect to a shared set of I/O. The advantage of shared I/O over controllers with dedicated I/O is that a controller failure does not result in any loss of I/O, because the controllers and the I/O form independent fault domains:
- The loss of a single controller is tolerated
- Failure of a controller does not result in the loss of the I/Os
- Uninterrupted performance
- 99% availability
- Fast switchover time
- Hot standby setup
- Re-synchronization of repaired hardware
- Simple integration
- Usable with PACY-I/O, Y-COM I/O or any other I/O framework
- Customer choice of hardware architectures
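The hot-standby behaviour described above, written out as an added Python model (example code, not duagon's d-SC software): the active controller copies its state to the standby every cycle, the shared I/O sits in its own fault domain outside both controllers, a failed active controller is replaced by the synchronized standby without losing the application state, and the repaired unit is resynchronized and becomes the new standby. The cycle model, the state contents, the `alive` flag as the failure detector and the `RedundantPair` API are assumptions made for illustration.

```python
"""Hot-standby controller pair with shared I/O (illustrative model).

Added example, not duagon's d-SC software. Assumptions: the active
controller copies its full state to the standby every cycle, failure is
detected through an 'alive' flag, and the I/O is an object outside both
controllers so it survives the loss of either one.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SharedIO:
    """I/O both controllers connect to; its own, independent fault domain."""
    inputs: dict = field(default_factory=dict)
    outputs: dict = field(default_factory=dict)


@dataclass
class Controller:
    name: str
    state: dict = field(default_factory=dict)
    alive: bool = True
    synchronized: bool = False  # holds a current copy of the active state

    def step(self, io: SharedIO) -> None:
        """One cycle of an assumed sample application: count cycles, count
        cycles in which input 'in_a' is set, and write that count to 'out_a'."""
        self.state["cycles"] = self.state.get("cycles", 0) + 1
        if io.inputs.get("in_a"):
            self.state["edges"] = self.state.get("edges", 0) + 1
        io.outputs["out_a"] = self.state.get("edges", 0)

    def replicate_from(self, other: "Controller") -> None:
        """Take over a copy of the peer's state (hot-standby synchronization)."""
        self.state = dict(other.state)
        self.synchronized = True


class RedundantPair:
    def __init__(self, a: Controller, b: Controller, io: SharedIO):
        self.active: Optional[Controller] = a
        self.standby: Optional[Controller] = b
        self.failed: Optional[Controller] = None
        self.io = io
        self.switchovers = 0

    def cycle(self) -> None:
        if self.active is not None and not self.active.alive:
            self._switchover()
        if self.active is None:
            raise RuntimeError("both controllers lost: nothing left to take over")
        self.active.step(self.io)
        if self.standby is not None and self.standby.alive:
            self.standby.replicate_from(self.active)  # standby stays current

    def _switchover(self) -> None:
        """Promote the standby only if it holds a synchronized state copy."""
        self.failed = self.active
        if self.standby is not None and self.standby.alive and self.standby.synchronized:
            self.active, self.standby = self.standby, None
            self.switchovers += 1
        else:
            self.active, self.standby = None, None

    def repair(self, ctrl: Controller) -> None:
        """A repaired controller is resynchronized and re-enters as standby."""
        if self.active is None:
            raise RuntimeError("no active controller to resynchronize from")
        ctrl.alive = True
        ctrl.replicate_from(self.active)
        self.failed = None
        self.standby = ctrl


def demo() -> dict:
    """Run the failover scenario on constructed inputs; return what was observed."""
    io = SharedIO(inputs={"in_a": True})
    c1, c2 = Controller("c1"), Controller("c2")
    pair = RedundantPair(c1, c2, io)
    for _ in range(3):
        pair.cycle()      # c1 active, c2 kept synchronized
    c1.alive = False      # simulated failure of the active controller
    pair.cycle()          # c2 takes over with the replicated state; I/O unaffected
    pair.repair(c1)       # repaired unit resynchronized, now the standby
    pair.cycle()
    return {
        "active": pair.active.name,
        "standby": pair.standby.name,
        "switchovers": pair.switchovers,
        "cycles": pair.active.state["cycles"],  # continues at 5, not reset to 1
        "out_a": io.outputs["out_a"],
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is in the `cycles` value: after the switchover the new active controller continues from cycle 4, and the shared I/O object keeps its outputs, so nothing the external system sees restarts from zero.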
The safe applications are executed on two separate, redundant control processors, unaffected by the non-vital applications. Integrity tests that ensure the safe operation of each safe processor are provided by the safe operating system.
This architecture allows safe applications to be developed on a d-SC platform in combination with all market-relevant safe operating systems. The standard version comes with QNX. PikeOS, VxWorks or Integrity are possible as well, but are ported individually for the customer.
Together with QNX, the d-SC CPU and I/O components are available as pre-certified SIL 4 hardware/software bundles, accelerating time to market even further. The QNX “Neutrino” microkernel provides safety-relevant features such as memory protection, interprocess communication and deterministic scheduling. It isolates user processes from each other, so that processes with different SIL levels can run side by side.
PACY is a process data application framework that makes the d-SC hardware transparent to the application. It handles the communication between the CPU, which runs the customer-specific application software, and the safe I/O cards.
As a transparent abstraction layer, PACY executes the application's commands and provides a C API. Developers control the I/O through C variables, independently of the kind of I/O being controlled.
As a module-based framework PACY provides open interfaces to allow flexible extension by individual, custom-specific modules.
The FSoE protocol (FailSafe over EtherCAT) integrated in PACY is responsible for safe data transmission over the underlying non-safe transport, the so-called black channel.
A SIL 4 certification according to EN 50128 will also be available for PACY, including the corresponding documents.
PACY is configured with a tool that defines the I/O configuration and the mapping of application variables to the I/O interfaces. This also allows the same application to run with different I/O configurations.
The synchronization service functions are part of the certified platform software and have SIL 4 quality according to EN 50128. The synchronization and comparison service ensures that both safe processors use the same input data and verifies that the calculated output data is identical. In addition, the application can use this service for the temporal and logical monitoring of the application program required by EN 50129 for SIL 3 and SIL 4 applications.
The following figure shows a representative safety application that uses the sync services to synchronize the execution of the two redundant control processors.
External systems communicating with the safe d-SC controllers via Ethernet (UDP or TCP) see both safe processors as one instance, using duagon's Y-COM service functions. Incoming frames are distributed to both safe-domain processors by the Y-COM server running on the non-vital processor, while outbound frames are synchronized between the two safe-domain processors. The payload is mixed: each safe CPU generates part of the outbound frame, and the Y-COM server on the non-vital processor sends the combined frame to the external system.
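The synchronization and comparison service and the Y-COM payload mixing, combined in one added Python model (illustrative code, not duagon's PACY or Y-COM implementation). It assumes a two-channel arrangement in which both safe channels receive the same input, exchange a SHA-256 digest of their computed output, and release their share of the outbound frame only when the digests match; channel A owns the even-numbered bytes and channel B the odd-numbered bytes, so the non-vital server cannot build a complete frame from one channel alone, and a mismatch drives both channels to a fail-safe state in which nothing is sent. The digest-based comparison, the byte-interleaving split, the sample application and the simulated fault are assumptions made for illustration.

```python
"""Two-channel sync-and-compare with split outbound frames (illustrative).

Added example, not duagon's PACY/Y-COM code. Assumed details: each channel
compares a SHA-256 digest of its output with the peer's, channel A owns the
even-indexed bytes of the outbound frame and channel B the odd-indexed bytes,
and a mismatch puts both channels into fail-safe so no frame leaves the system.
"""
import hashlib
from typing import Callable, Optional

Application = Callable[[bytes], bytes]


class SafeChannel:
    def __init__(self, name: str, app: Application, share: int):
        self.name, self.app = name, app
        self.share = share          # 0 = even bytes of the frame, 1 = odd bytes
        self.fail_safe = False
        self._output: bytes = b""

    def compute(self, inputs: bytes) -> bytes:
        """Run the application on the synchronized input; return the digest to compare."""
        self._output = self.app(inputs)
        return hashlib.sha256(self._output).digest()

    def compare(self, own: bytes, peer: bytes) -> Optional[bytes]:
        """Release this channel's share of the frame only if both channels agree."""
        if own != peer:
            self.fail_safe = True
            return None
        return self._output[self.share::2]


def merge_shares(even: bytes, odd: bytes) -> bytes:
    """Interleave the two channels' shares back into one frame."""
    out = bytearray(len(even) + len(odd))
    out[0::2] = even
    out[1::2] = odd
    return bytes(out)


class YComServer:
    """Non-vital side: fans inputs out to both channels, merges their output shares."""
    def __init__(self, a: SafeChannel, b: SafeChannel):
        self.a, self.b = a, b

    def cycle(self, inbound: bytes) -> Optional[bytes]:
        # Both channels see the same input (distribution) ...
        da = self.a.compute(inbound)
        db = self.b.compute(inbound)
        # ... and each compares its result with the peer before releasing its share.
        part_a = self.a.compare(da, db)
        part_b = self.b.compare(db, da)
        if part_a is None or part_b is None:
            return None  # no complete frame exists on the non-vital side
        return merge_shares(part_a, part_b)


def good_app(inputs: bytes) -> bytes:
    """Assumed sample application: invert the inputs and append a checksum byte."""
    return bytes(b ^ 0xFF for b in inputs) + bytes([sum(inputs) & 0xFF])


def faulty_app(inputs: bytes) -> bytes:
    """The same application with a simulated single-bit fault in its last byte."""
    out = bytearray(good_app(inputs))
    out[-1] ^= 0x01
    return bytes(out)


def run(faulty: bool = False):
    """One cycle on a constructed input; returns (frame or None, A fail-safe, B fail-safe)."""
    a = SafeChannel("A", good_app, 0)
    b = SafeChannel("B", faulty_app if faulty else good_app, 1)
    frame = YComServer(a, b).cycle(b"\x01\x02\x03")
    return frame, a.fail_safe, b.fail_safe


if __name__ == "__main__":
    print(run())             # (b'\xfe\xfd\xfc\x06', False, False)
    print(run(faulty=True))  # (None, True, True)
```

Because each channel only ever hands over half of the frame, a channel that disagrees (or fails silently) leaves the non-vital server with an incomplete frame rather than a complete but wrong one; the comparison, not the non-vital server, decides whether anything is sent.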
While the safe applications run on two separate, redundant control processors, a third processor runs all non-vital applications. The operating system on this third processor can be Linux or any of the established real-time operating systems. As an open, standard hardware platform, d-SC ideally uses Linux, which is based entirely on open-source technology. Linux is free and is supported by a broad, community-driven product offering; installing applications and changing options is easy, and it comes with security features.
At duagon we have a wide range of standard products ready for use, all of which can be customized for a specific application environment. Our sales team is here to provide more specific information about our standard hardware range, our software technology and the required standards and certifications, and, together with our team of engineers, to develop the optimal solution for your specific application requirements.