Embedded Control Systems Design/A design example 2

Embedded Control Systems Design/A design example 2

The Wikibook of

Embedded Management Programs Design

This chapter illustrates the assorted steps within the design of an embedded system by way of a concrete instance: an automatic Folks Mover.


In an effort to perceive what’s concerned within the design of embedded
management methods, it’s helpful to elaborate an instance of such a system. The
chosen instance comes from a generally recognized utility area, so that every one
readers can rapidly grasp the complexity and the required options of the
design. On the identical time, the instance is sufficiently reasonable to cowl all related facets (economical, technical, human assets, and so on.) that present up (in the course of the varied phases) within the design and the lifecycle of an embedded management system. The instance of a (automated) individuals mover meets these necessities. This Chapter is conceived because the story of how a fictitious firm (Folks Transfer Firm) offers with the choice to design a brand new individuals mover; this story method permits for instance the totally different design standards that develop into related in numerous phases of the product’s design and life cycle.

A individuals mover is an unmanned practice. The primary individuals mover grew to become operational in 1967, as an attraction in Tomorrowland in Disneyland, California. (See the Wikipedia article for extra particulars in regards to the historical past and deployment of individuals movers.) These days, individuals movers are used as transport methods all around the globe.

Because the employees of Folks Transfer Firm is aware of, designing an embedded management system is sort of a job. Lots of people must work collectively to achieve an working complete. From the second on that Folks Transfer Firm determined to participate within the name for bids for a brand new individuals mover undertaking, the
firm tries to function in a structured means. It subdivides the design job into three elements.

  • In a primary step, the necessities evaluation, the chief engineer of the corporate, along with (a consultant of) the CEO, make a product necessities doc, by which the corporate expresses its views on the necessities of the consumer. In case the Board of the Folks Transfer Firm decides the corporate can compete realistically within the bid —and this resolution is in itself not a simple difficulty!— the necessities listing will likely be used to attract up a citation.
  • Secondly, and if the corporate is allowed to take part within the bid, it internally enters the excessive degree design section, throughout which it completes the listing of consumer and product necessities with necessities the corporate imposes for the sake of inner curiosity. Design standards as element reuse, service after sale, and upkeep get the eye throughout this section, since these could make a big monetary distinction for the corporate. Furthermore, the responsibles of the undertaking make a plan of which of their workers can work on which elements of the job.
  • Then all concerned workers can implement the detailed design of the individuals mover.

After these design duties, the peoplemover needs to be produced, serviced and maintained. The manufacturing course of won’t be mentioned intimately right here although.

Necessities evaluation[edit]

Folks Transfer Firm needs to design a completely automated car for public transport. The responsibles for the undertaking make up a listing of technical, industrial and sensible necessities the system has to satisfy with a view to comply to the consumer’s name for bids. This result’s the product necessities doc that’s written in plain language. Because the doc expresses the necessities of the consumer, Folks Transfer Firm needs to attract up the product necessities in dialogue with the consumer. In a single such assembly, the consumer explains that he already is within the possession of rails on which the individuals mover will journey. Folks Transfer Firm will get the specs of those rails, in addition to the requirements for individuals transport that apply within the consumer’s nation. This brings in some design constraints, for instance with respect to most velocities, acceleration profiles, weight, power consumption, and so on. In flip, Folks Transfer Firm income from the interactions with the consumer to clarify the corporate’s aggressive benefits (technically in addition to economically) in addition to some product constraints that the corporate will wish to comply to, for inner technical and economical causes. Making these new constraints clear, in each instructions, can certainly be of nice significance on the subject of a lawsuit between consumer and firm.

The interplay with the consumer brings Folks Transfer Firm to its remaining product necessities doc, that will likely be submitted to the decision for bids. Internally, the identical doc will function the primary enter for the corporate’s personal design workforce. Whereas it can’t be meant to specify all necessities in full technical element, it described the next listing of vital necessities that can’t be omitted. The place precisely the border lies between a element and a high-level requirement, and between vital and lower-priority necessities, could be very exhausting to clarify or train generally; particularly as a result of it includes so many company-specific facets: accessible man energy and experience, present merchandise whose design will be re-used (partially) for the brand new product, and so on. The financial success of an organization will to a big extent rely upon how good the design necessities workforce is in its job to create a practical and aggressive necessities doc.

Due to already present merchandise in its portfolio, the corporate decides to design a individuals mover that consists of a locomotive and a number of passenger carriages. The car is pushed by an electrical motor and receives its energy from the rails. The individuals mover can solely run on particular railroads which might be geared up with beacons. These beacons are positioned alongside the railroad and point out to the individuals mover’s management system a desired change in velocity of the individuals mover. A map of the railroad along with the that means of every beacon needs to be loaded into the reminiscence of the individuals mover controller earlier than the car can drive on this railroad. A sensor on the car detects the beacons and reacts as indicated on the map. The potential reactions are:

  • rushing up with a certain quantity.
    Comment: velocity and acceleration are restricted to a specified most, based on a specified clean profile, with a view to understand a person pleasant peoplemover. Such profiles are a part of many already present railroad requirements.
  • slowing down with a certain quantity.
    Comment: deceleration is restricted to a sure most.
  • stopping with a specified deceleration.

For example, a beacon simply earlier than a bend within the tracks signifies that the peoplemover has to decelerate to a specified velocity. On the locations the place a terminal is indicated on the tracks, the car stops. The place the place the individuals mover stands nonetheless is specified by the consumer to vary with a most of 1 meter from the place indicated on the map. The doorways open at the least 0.1 and at most 0.5 seconds after halting. Thirty seconds after the opening of the doorways a warning sign sounds for one second and the doorways shut. No less than 1 and at most 2 seconds after the warning sign the car continues its journey.

When it’s getting darkish, the headlights of the individuals mover and the inner illumination within the carriages should change on on. The lights have a minimal depth, specified by the consumer.

The corporate just isn’t accountable when the railroad is blocked by any impediment.

Though the individuals mover is totally automated, a management tower is ready to resolve on the actions of the individuals mover. The velocity and place of the car (to a sure precision) will be seen on a show within the management tower.

Excessive-level design[edit]

Hooray, Folks Mover Firm was among the many winners of the decision for bids, and now will get some funding from the consumer to make a extra detailed high-level design, by which all of the technical particulars which might be related to the consumer must be defined. The listing of necessities talked about above meets the overal wants of the consumer, however just isn’t particular sufficient for the corporate’s designers to make a whole evaluation of the feasibility and the prices of the undertaking. These individuals additionally must consider the necessities which might be within the Folks Transfer Firm’s personal curiosity, whatever the consumer’s needs. For instance, as Folks Transfer Firm needs to simply accept solely jobs that match into its long run product portfolio imaginative and prescient and that it might help for many years, the designers have to consider options that facilitate element reuse and upkeep of the individuals mover product. These efforts will decrease the price of service after sale, and of later related merchandise that the corporate needs to deliver to the market. To finish the listing of necessities, the corporate’s design workforce has a listing of design standards that its designers all the time must keep in mind. For the individuals mover these design standards are:

  • Performance: the individuals mover’s first performance is its skill to move individuals in a completely automated means.
  • Security: needs to be integrated in any respect ranges of the design. Together with failure modes and including redundancy are frequent security precautions.
  • Robustness: the design ought to have some margin to outlive in situations which might be considerably past what’s requested by the consumer.
  • Price: the value nonetheless needs to be aggressive.
  • Power consumption: the corporate needs to enhance its picture of the least power consuming autos.
  • Insensitivity for various environmental situations (humidity, temperature and vibrations)
  • Controllability: the individuals mover should be controllable from a management room.
  • House and weight constraints
  • Producibility
  • Certification and standardization
  • Person interface
  • Life time
  • Upkeep
  • Service after sale

Determine 1: International structure

Determine 2: International structure (refined)

Determine 3: Subsystems for the car system of an automatic peoplemover

Determine 4: Communication between subsystems

Now all design standards must be translated into necessities that may be added to the product necessities. The additional necessities thus be sure that all design standards will likely be integrated within the remaining peoplemover. Some examples illustrate how this may be accomplished.

As already said above Folks Transfer Firm can lower your expenses by together with options that facilitate service after sale. This could possibly be carried out with a “upkeep from distance” system.

One other means to economize and time is reusing infrastructure and parts of earlier fashions of the peoplemover. The security requirement was already partially included within the product necessities by specifying {that a} management tower has to have the ability to take over all instructions. However this isn’t sufficient, as security needs to be integrated in all design ranges. For instance, whereas designing the cruise management perform, the designer has to guarantee that the present within the motor by no means exceeds a restrict worth. This might happen when the car tries to go too quick on a slope.

Some design standards intervene with one another. Person interface, for instance, has to do with security. The system design has to anticipate inattention of the customers. It may occur that somebody enters the peoplemover whereas the doorways are already closing. A sensor detecting this harmful act, can forestall accidents. Additionally the design standards life time, robustness and value can work together. A designer has to have an thought of how lengthy the system needs to be in use. A protracted life time asks for sturdy parts of upper high quality. After all this has an affect on the value.

In excessive degree design the necessities are translated in specs, which implies that imprecise necessities as price, life time, upkeep, service after sale and power consumption are expressed extra exactly. Anticipated life time, price and power consumption are outlined by a sure quantity.

After fathoming the design standards Folks Transfer Firm has a extra prolonged model of the product necessities in hand. With this the system engineers or system architects create a extra formal set of purposeful specs. They make up the worldwide system structure. This scheme divides the system into three primary elements:

  • a visitors command system
  • a management command system
  • a car command system

Every half has a few inputs and outputs, represented by arrows in determine 1. The visitors command system for instance will get info from beacons positioned alongside the railroad and from the slopes themselves. These beacons point out a change in velocity of the peoplemover. A map of the railroad along with the that means of every beacon needs to be loaded into the reminiscence of the peoplemover earlier than the car can drive on the railroad. A sensor on the car detects the beacons and reacts as indicated on the map. The slopes lead to a sure load torque. The inputs and outputs of the opposite elements are indicated on determine 1. Determine 2 describes the content material of every half in additional element.

Now the highest of Folks Transfer Firm decides who will work on which a part of the job. In some instances it’s helpful to work with subcontractors. The corporate also can rent an skilled with related expertise. By dividing the system in subsystems, totally different groups can work concurrently to comprehend these totally different subsystems. That is known as concurrent engineering. Good inter-team communication, e.g. in day by day or weekly conferences, makes it potential to attune to one another. The optimum division in subsystems minimizes subsystem-communication and maximizes subsystem-independency. Afterwards the subsystems are assembled into a completely operational system. Making use of the division technique on the automated peoplemover ends in seven subsystems. Determine Three illustrates the subsystems for the car system of the automated peoplemover. The final two subsystems are omitted on this illustration as they don’t seem to be actually associated with the embedded side of the design. Subsequently they won’t be handled in the remainder of this instance.

  • A “Wi-fi communication” subsystem implements the switch of data from the management tower to the practice and vice versa.
  • Subsystem “CPU” features because the mind of the practice. On this subsystem all info is centralized and afterwards divided over the totally different subsystems.
  • Subsystem “Energy” is answerable for constructing within the motor.
  • Subsystem “Management loop” makes the management loop of the drive.
  • After all the peoplemover wants info on the atmosphere. Subsystem “Sensors” gathers info on bends within the railway, terminals, gentle depth outdoors and detects the radio sign of the management room.
  • Because the peoplemover is a bodily object, a subsystem has to handle the “Mechanical design”.
  • Appearances additionally rely, particularly if Folks Transfer Firm needs to impress the general public at giant. Subsequently a subsystem is in control of the “Aesthetic design”.

After all these subsystems can’t work on their very own islands. Interplay between the totally different subsystems is inevitable. Folks Transfer Firm designates an ‘integrator’ who will coordinate the discussions on how switch of data between subteams will likely be carried out. Determine Four exhibits which subsystems want to speak with one another. The mechanical and aesthetic design groups usually are not drawn as they must keep up a correspondence with all different groups. For instance, “CPU” must know when the management room needs to take over management. This info will be wirelessly transferred to the peoplemover. “Sensors” can present info from beacons that point out a desired velocity. It is a needed enter for the “Management loop” subsystem.

Detailed design[edit]

Hooray once more! The Folks Mover Firm received the competitors, and has a contract to ship 100 individuals movers inside 36 months from now. So, the design workforce sits along with the human assets supervisor, the CTO and the CFO, to show the high-level design doc into an in depth design doc that will likely be used to plan and information all actions on this new undertaking.


Determine 5: Detailed structure

The start line for the detailed design is the worldwide structure with the division in subsystems. In a primary step every subsystem has to search out out which parts he wants. Brainstorm periods will be of nice assist right here. The results of this course of is the structure of the peoplemover, illustrated in determine 5.

Moreover the subsystems agree on the shape by which the knowledge will likely be communicated. This may be in an analog or a digital sign. The precise variety of bits or bytes is specified along with the precise that means of every sign. If any of those conventions seems to be unnatural in a later stadium of the method, the concerned subsystems have to take a seat collectively once more to switch the agreements. As already talked about an ‘integrator’ coordinates these conferences.

Now the totally different subteams will be set to work. The system architects keep away from to (re)design each element although. Elements that exist already are a part of the Mental Property (IP) and can be utilized with out having to design them once more. Right here the system architect makes a “make-or-buy resolution.

Wi-fi communication[edit]

The management tower wirelessly sends instructions to the peoplemover. This set of instructions is finite. Every command corresponds with a sequence of ones and zeros, a binary codeword. A huffman code is one technique to assign a binary codeword to every command. The sequence of ones and zeros now needs to be transferred to the peoplemover utilizing a modulated electromagnetic wave.

A tool that performs modulation and the inverse operation demodulation is named a modem.
The peoplemover should be with geared up with an antenna and a modem. Extra info on communication will be discovered within the wikibook on Communication Programs and the wikibook on Knowledge Coding Idea.
The system designer’s activity is to decide on a modulation technique, a code and {hardware} (antennas and modems).


From the product necessities doc it’s already clear that sensors will likely be wanted within the peoplemover. The system designer thus has to decide on appropriate sensors, resolve the place to put them and guarantee that the sensor info finally ends up on the proper handle. For every sort of sensor the designer has to search for totally different necessities.

In each truth the peoplemover wants sensors that may detect when it’s getting darkish outdoors. An apparent answer is a lightweight sensor with fotovoltaic cells. After all a variety of sensors of this sort exist. It’s as much as the designer which remaining sensor will likely be used. It is usually vital to resolve the place this sensor will likely be positioned. One of the best place for the sunshine sensors might be on the roof of the car.

Additionally the communication with the management room asks for a sensor. Right here one can consider sensors for radio detection. The atmosphere by which the peoplemover will likely be used is of nice significance right here, because the management tower all the time has to have the ability to make contact with the peoplemover, even when the car is in a tunnel.

The designer has to decide on how the beacons will work. At first sight optical sensors appear to be very fascinating. The beacons may even ship out coded indicators. This selection will definitely result in difficulties although, as a result of the atmosphere could be very ‘hostile’. A leaf or different pure object can simply disturb the sign. A extra sturdy answer is thus wanted. An choice is to make the beacons magnetic. A sensor within the peoplemover can then detect this magnetic discipline.

Moreover the peoplemover must be geared up with a velocity sensor and weight sensors to detect overload. The outputs of this subteam is distributed to the CPU and can lead to an motion.

Usually sensors are fairly costly. The associated fee design criterion needs to be thought of as a consequence when choosing the proper sensors.


The central processing unit (CPU) handles the incoming info. In first occasion this info comes from the magnetic beacons, however the management room can take over. The potential instructions are:

Determine 6: Doable implementation of the CPU
  • Desired velocity = most velocity
  • Desired velocity = 0.8*most velocity
  • Desired velocity = 0.6*most velocity
  • Desired velocity = 0.4*most velocity
  • Desired velocity = 0.2*most velocity
  • Cease
  • Desired velocity = 0.2*most velocity within the different route
  • Desired velocity = 0.4*most velocity within the different route
  • Desired velocity = 0.6*most velocity within the different route
  • Desired velocity = 0.8*most velocity within the different route
  • Desired velocity = most velocity within the different route
  • Reset counter
  • Lights on
  • Lights off

Every time the wheel senses a magnetic sign from the railway, a counter is incremented with one unity. On this means each beacon has a corresponding counter’s output. A logic circuit decodes this counter output. A programmable logic controller (PLC) gives a sturdy implementation. Determine 6 exhibits a potential implementation of the CPU. For a trajectory with sixteen beacons a 4-bit counter is ample. The decoder comprises the mandatory info to present the correct command every time a beacon sign arrives. A velocity sign goes to the management loop subsystem or a sign is distributed to the sunshine controller.

Management loop[edit]

Determine 7: Implementation of the drive’s management loop

One of many groups is in control of the drive’s management loop. The method this workforce implements is illustrated in determine 7.

This subsystem receives the specified velocity of the CPU workforce and the measured velocity of the Energy Staff. These are digital indicators. To transform them into analog indicators the inputs are despatched by means of Digital to Analog Converters. With the design criterion of robustness in thoughts it’s sensible to incorporate low cross filters right here. This will increase the signal-to-noise ratio. A comparability of the ensuing indicators has to steer as much as a voltage sign that steers the motor. The related controller is the PI velocity controller.

As already indicated within the excessive degree design the present within the motor needs to be restricted for security causes. A clipper can be utilized to realize this.

A second controller is the present controller, which permits fast motor management. In truth the 2 PI-controllers are in a master-slave configuration. The grasp PI controls the velocity by adjusting the requested present, whereas the slave controls the present manipulating the motor voltage.

In spite of everything mentioned manipulations the management loop offers a voltage sign within the output. This sign goes to the Energy Staff.

The conceptual scheme of determine 7 thus consists of Digital to Analog Converters (DAC1 and DAC2), low cross filters (LPF), PI-controllers (PI vel and PI curr), amplifiers (A) and a clipper. These parts will be realized with a set of resistors, capacities and different easy digital parts.


Determine 8: A PWM VFD diagram

An automatic peoplemover is pushed by an electrical motor. Totally different implementations are utilized in apply.

Most trains these days are pushed by a variable frequency drive. A variable-frequency drive (VFD) is a system for controlling the rotational velocity of an alternating present (AC) electrical motor by controlling the frequency of {the electrical} energy provided to the motor. The motor utilized in a VFD system is normally a three-phase induction motor. AC enter energy is first transformed to DC intermediate energy utilizing a rectifier bridge. The DC intermediate energy is then transformed to quasi-sinusoidal AC energy utilizing an inverter switching circuit. The VFD steering circuit is pictured in determine 8.

For the reason that management loop subsystem steers the facility subsystem, these two subsystems must talk. The management loop’s steer sign (named PWM) carries info in its frequency. This sign is in contrast with a triangle wave with a a lot increased frequency. The comparator’s output steers the two switches of 1 section. In consequence every section has a quasi-sinusoidal waveform with the identical frequency because the management loop’s steer sign.
The ability subsystem additionally has different features to meet resembling measuring the present by means of the motor and measuring the velocity of the motor. Once more a number of implementations are potential. Simply a type of is described right here.

The management loop subsystem limits the specified acceleration to keep away from a big present by means of the motor. Subsequently the management loop subsystem wants an enter sign proportional to the motor present. The present will be measured by connecting a small resistance in sequence with the motor. The voltage throughout this small resistance is proportional to the motor present. A differential amplifier is used to develop into a voltage sign with a spread of [-5V, 5V].

Within the energy subsystem itself, a present limiter can also be in-built. In every kind of purposes redundancy is used to extend security. This is essential to develop into a sturdy and protected system.

The precise velocity of the peoplemover is critical info for subsystem management loop to regulate the velocity. The velocity will be measured by a rotary encoder positioned on the wheel axis. The output of the encoder serves as enter of a microcontroller that sends out a 8-bit digital sign to subsystem CPU and subsystem management loop.

One other vital performance that needs to be carried out within the energy subsystem is the emergency brake. When subsystem CPU units the cease sign excessive (5V) the motor needs to be stopped instantly. This performance will be carried out in some ways. The obvious means is to OR the Cease sign with the pulses from the heartbeat width modulation.


An indispensable a part of the design is testing. All subteams have to check their very own system. Furthermore the totally different subsystems must be examined in smaller teams. After all the ultimate step is to check the entire.
For instance, extra on software program testing will be discovered on software program testing.

Implementation and manufacturing[edit]

When all design steps are handed by means of, Folks Transfer Firm can begin with the implementation and manufacturing of the peoplemover. These duties once more ask for a structured method. They aren’t mentioned on this Wikibook although.

Leave a Reply

Your email address will not be published. Required fields are marked *