METHOD AND SYSTEM FOR OPERATING A SAFETY-CRITICAL DEVICE VIA A NON-SECURE NETWORK AND FOR PROVIDING RELIABLE DISENGAGEMENT OF OPERATIONS OF THE DEVICE
20230229794 · 2023-07-20
CPC classification: G06F21/606 (Physics)
Abstract
A system and method for operating, at a near location, a safety-critical device 260 located at a remote location. The system comprises a first control panel interface 200 and at least one operating input device 220 at a near location, adapted for transmitting control signals to the safety-critical device 260 at a remote location. The first control panel interface 200 comprises hardware barrier communication means 206 and at least a first and a second hardware safety barrier 202, 204, each with safety barrier interfaces connected to the at least one operating input device 220 and to the hardware barrier communication means 206 for communication through the non-secure network 240. The system further comprises a second control panel interface 250, connected to the safety-critical device at the remote location, adapted for receiving control signals from the first control panel interface 210 via a secure communication tunnel 242. The second control panel interface 250 comprises hardware barrier communication means 256 and at least a first and a second hardware safety barrier 252, 254, each with safety barrier interfaces connected to the hardware barrier communication means 256 for communication through the non-secure network 240. A switch 215 is connected to the first and second hardware safety barriers 202, 204 of the first control panel interface 200, controlling Hi- and Lo-signal inputs on the hardware safety barriers, such that a Hi-signal is input on the first hardware safety barrier 202 and a Lo-signal is input on the second hardware safety barrier 204 and vice versa for respectively enabling and disengaging operation of the safety-critical device 260. The safety-critical device 260 is activated when both hardware barriers 252, 254 are activated and the switch is in an enabled state.
Claims
1. A system for operating a safety-critical device via a non-secure network, and for providing reliable disengagement of operations of the safety-critical device, comprising: a first control panel interface, at a near location, adapted for transmitting control signals to the safety-critical device at a remote location, the first control panel interface comprises hardware barrier communication means and at least a first and a second hardware safety barrier, each with safety barrier interfaces connected to at least one operating input device and to the communication means for communication through the non-secure network, a second control panel interface, connected to the safety-critical device, adapted for receiving control signals from the first control panel interface via a secure communication tunnel, the second control panel interface comprises hardware barrier communication means and at least a first and a second hardware safety barrier, each with safety barrier interfaces connected to the hardware barrier communication means for communication through the non-secure network, where the safety-critical device is activated when both hardware barriers are activated, wherein the system further comprises: a switch, connected to the first and second hardware safety barriers of the first control panel interface, controlling Hi- and Lo-signal inputs on the hardware safety barriers, such that a Hi-signal is input on the first hardware safety barrier and a Lo-signal is input on the second hardware safety barrier and vice versa for respectively enabling and disengaging operation of the safety-critical device.
2. The system according to claim 1, further comprising a light source connected to the first and the second hardware safety barriers of the first control panel interface for indicating status of the safety-critical device.
3. The system according to claim 2, where the first and second control panel interfaces further comprise respective communication means and a software safety barrier providing transparent signaling between the first and second control panel interfaces.
4. The system according to claim 1, where the first and second control panel interfaces comprise identical hardware, where the first control panel interface is operated as a client, while the second control panel interface is operated as a server.
5. The system according to claim 1, configured to return to a default safe state by disabling the safety-critical device when communication between the first and second control panel interfaces is lost.
6. The system according to claim 1, for operating, at a near location, a plurality of safety-critical devices each connected to a second panel control interface located at the remote location, the first control panel interface comprises: a first multiplexer, multiplexing a plurality of first barrier control signals onto the secure communication tunnel through the non-secure communication network; a second multiplexer, multiplexing a plurality of second barrier control signals onto the secure communication tunnel through the non-secure communication network; each second panel control interface connected to each safety critical device comprises a first demultiplexer, demultiplexing the first barrier control signals, and a second demultiplexer, demultiplexing the second barrier control signals.
7. System according to claim 1, wherein the non-secure communication network is a packet-based communication network.
8. System according to claim 1, wherein the non-secure communication network is an Internet Protocol (IP) network and the secure communication tunnel is an Internet Security (IPsec) network tunnel configured in an integrity only mode.
9. System according to claim 1, wherein the communication through the secure communication tunnel employs a protocol which includes timestamping of data.
10. System according to claim 3, wherein the safety-critical device includes at least one of a weapon firing circuitry, a weapon movement circuitry, and a video confirmation device.
11. System according to one of the claims 1-9, wherein the one or more operating input devices includes at least one of: a weapon fire control device, a weapon movement control device, and a video session information device.
12. System according to claim 1, wherein the operating input device includes a video session information device, and the safety-critical device includes a video confirmation device, the system further comprising: a video distribution device providing a video signal, the video signal being transferred through the non-secure communication network and displayed on a screen at the near location; the video session information device being configured to derive video session information from the video signal and transfer the video session information through the secure communication tunnel, the video confirmation device being configured to confirm the authenticity of the video signal transferred through the non-secure communication network.
13. A method for operating a safety-critical device via a non-secure network, and for providing reliable disengagement of operations of the device, comprising: providing, at a near location, a first control panel interface for transmitting control signals to the safety-critical device at a remote location, the first control panel interface comprises hardware barrier communication means and at least a first and a second hardware safety barrier, each with safety barrier interfaces connected to at least one operating input device and to the hardware barrier communication means for communicating through the non-secure network, providing, at the remote location and connected to the safety-critical device, a second control panel interface adapted for receiving control signals from the first control panel interface via a secure communication tunnel, the second control panel interface comprises hardware barrier communication means and at least a first and a second hardware safety barrier, each with safety barrier interfaces connected to the hardware barrier communication means for communication through the non-secure network, establishing communication between the first and second control panel interfaces via said first and second hardware safety barriers and the communication means of the first and second control panel interfaces, connecting a switch to the safety barrier interfaces of the first and second hardware safety barriers of the first control panel interface and transmitting a Hi-signal on the first hardware safety barrier and a Lo-signal on the second hardware safety barrier when the state of the switch is enabled, and transmitting a Lo-signal on the first hardware safety barrier and a Hi-signal on the second hardware safety barrier when the state of the switch is disabled, activating the safety-critical device when both hardware barriers of the second control panel interface are activated and the switch connected to the first control panel interface is enabled, continuously monitoring the Hi- and Lo-signals received on the first and second hardware safety barriers of the second control panel interface, and continuously returning the received Hi- and Lo-signals to the first control panel interface via the first and second hardware safety barriers of the second control panel interface, disengaging the safety-critical device if the switch is in a disabled state.
14. The method according to claim 13, by connecting a light source to the first and the second hardware safety barriers of the first control panel interface for indicating status of the safety-critical device.
15. The method according to claim 13 or 14, further comprising continuously signaling the state of the switch from the first control panel interface to the second control panel interface and verifying that the state corresponds to the Hi- and Lo-signals received on the second hardware safety barriers of the second control panel interface.
16. The method according to claim 13, further comprising providing a software safety barrier with transparent signaling to and from the first and second control panel interfaces.
17. The method according to claim 13 or 14, by disabling the safety-critical device when communication between the first and second control panel interfaces is lost, thereby returning to a default safe state.
18. The method according to claim 13, for operating, at a near location, a plurality of safety-critical devices located at the remote location, the method further comprising: multiplexing, on the first panel interface, a plurality of first barrier control signals onto the secure communication tunnel through the non-secure communication network, multiplexing, on the first panel interface, a plurality of second barrier control signals onto the secure communication tunnel through the non-secure communication network; demultiplexing the first and second barrier control signals, received from the first panel interface, on each second panel control interface connected to each safety critical device.
19. The method according to claim 13, wherein the non-secure communication network is a packet-based communication network.
20. The method according to claim 17, wherein the non-secure communication network is an Internet Protocol (IP) network, and the secure communication tunnel is an Internet Security (IPsec) tunnel and configured in an integrity only mode.
21. The method according to claim 17, wherein the communication through the secure communication tunnel employs a protocol which includes timestamping of data.
22. The method according to claim 13, wherein the safety-critical device includes at least one of a weapon firing circuitry, a weapon movement circuitry, and a video confirmation device.
23. The method according to claim 13, wherein the at least one operating input device includes at least one of: a weapon fire control device, a weapon movement control device, and a video session information device.
24. The method according to claim 13, wherein at least one of the first and second operating input devices include a video session information device, wherein the safety-critical device includes a video confirmation device, and the method further comprises: generating, by a video distribution device, a video signal, transmitting the video signal through the non-secure communication network, receiving the video signal at a screen at the near location and displaying content of the video signal thereon, deriving, by the video session information device, video session information from the received video signal, transmitting the video session information through a secure communication tunnel to the video confirmation device, and confirming, at the video confirmation device, an authenticity of the video signal.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
DETAILED DESCRIPTION OF THE INVENTION
[0084] As mentioned in the background section above, there is a need for a solution which may be used for systems to transport safety barriers and signaling over IP/Ethernet networks and to provide an “Authorization to proceed” (ATP) for disengaging safety-critical devices utilizing available radios.
[0087] The system comprises a first control panel interface 200 and one or more connected operating input devices 210, 220 at a near location. The input devices may for instance be a weapon fire control device and a weapon movement control device. In the figure, input device 210 controls non-safety-critical functions, while input device 220 controls safety-critical functions.
[0088] The system is adapted for transmitting control signals to the safety-critical device 260 at a remote location. The first control panel interface 200 comprises hardware barrier communication means 206 and at least a first and a second hardware safety barrier 202, 204, each with safety barrier interfaces. The figure illustrates an example where operating input device 220 is connected to the first and second hardware barriers 202, 204. The first and second hardware safety barriers 202, 204 are further connected to the hardware barrier communication means 206 for safe communication through the non-secure network 240.
[0089] The first control panel interface 200 further comprises communication means 205 for transferring signals from input device 210 controlling non-safety critical function of the safety-critical device 260.
[0090] The non-secure communication network 240 may be a packet-based communication network, such as an Internet Protocol (IP) network.
[0091] The system further comprises a second control panel interface 250, connected to the safety-critical device 260 at the remote location, and which is adapted for receiving control signals from the first control panel interface 200. The second control panel interface 250 comprises hardware barrier communication means 256 and at least a first and a second hardware safety barrier 252, 254, each with safety barrier interfaces connected to the hardware barrier communication means 256 for communication through the non-secure network 240.
[0092] The second control panel interface 250 further comprises communication means 255 for transferring signals to and from input device 210 controlling non-safety critical function of the safety-critical device 260.
[0093] The system further comprises a switch 215, connected to the first and second hardware safety barriers 202, 204 of the first control panel interface 200, controlling Hi- and Lo-signal inputs on the hardware safety barriers, such that a Hi-signal is input on the first hardware safety barrier 202 and a Lo-signal is input on the second hardware safety barrier 204 and vice versa for respectively enabling and disengaging operation of the safety-critical device 260.
[0095] The operational levels, i.e. levels of autonomy, at which the invention can be applied for a safety-critical device, such as for instance the RWS and RCV, include all levels 1 to 5 listed in the background section above.
[0096] The solution according to the present invention has two different setups, one for level 1 to 3, and one for all levels, i.e. 1 to 5.
[0097] Levels 1 to 3 require a high-bandwidth radio for closed-loop operator control, while levels 4 and 5 do not require the same bandwidth and should make use of low-bandwidth radios with high availability/range.
[0098] These levels are in line with the different levels described in the background section.
[0103] The transparent signaling channels may provide TOP signaling (Joint Architecture of Unmanned Systems, JAUS messages) for RCV/UGV mobility solutions or other protocols.
[0104] The solution according to the present invention has the following characteristics and advantages:
[0105] It provides a safe, diverse transfer of HW barriers and operator indications over a network.
[0106] It is based on the safety principles of the safety-approved CPI, ref. U.S. Pat. No. 10,063,552 B2.
[0107] It is authenticated (security approval through government agencies).
[0108] It is a general network-based architecture which can be supported on different radios.
[0109] It requires low bandwidth and will provide a deployable solution at levels 1 to 5 described above.
[0110] The HW used can easily be tailored and will depend on signaling needs.
[0111] It is default safe: loss of connectivity implies a disabled system.
[0112] It is TOP and CPI compatible.
[0113] It has a very low physical footprint.
[0114] It is media agnostic (copper, fiber, radio).
[0115] It provides Multi-Client, Multi-Server support.
[0116] It provides server auto-discovery.
[0117] It provides a Probability of Failure per Hour (PFH) for dangerous failures for continuous operation above SIL 4.
[0118] The solution provides Multi-Client functionality. Through the client management interface illustrated in
[0119] All clients in the server arbitration group can arbitrate for connectivity to the server. The arbitration is fast (<100 msec) and is activated through I/O or signaling. The arbitration is based on the priority of the allocated role of the client. The system can support many clients and servers in the same network.
[0120] When joining the arbitration group, the clients are initially in the monitoring state. In this state the client is not connected and cannot send/receive on the signaling channels or HW barriers, i.e. all are safe. The client does however receive status information from the server, e.g. which client is connected to the server. If the client is granted connectivity it is in the connected state. In the connected state the signaling and barrier transfer services are provided.
[0121] The solution further provides Multi-Server functionality, where the servers announce their presence in the network through standard protocols like SAP/SDP distributed in multicast groups. All clients in the network monitor the announcements and build a list of available servers. The list of servers is made available on the management interface of the client.
[0122] The client will at power up belong to a default server but through the management interface of the client the server to connect to can be selected. One server can be connected to at most one client, and one client can be connected to one server.
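The arbitration group, monitoring/connected states, role-priority arbitration, server announcements and the one-server-to-one-client rule described in [0119] to [0122] can be modelled in software. The block below is an added example and is not code from the patent or from any product it describes. It assumes (the patent does not say) that a strictly higher-priority request pre-empts the currently connected client, that ties leave the current client connected, and that announcements are plain (server id, address) pairs standing in for SAP/SDP packets; the ids and addresses are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class ClientState(Enum):
    MONITORING = "monitoring"  # in the group, receives status only: safe
    CONNECTED = "connected"    # signaling and barrier transfer enabled


@dataclass
class Client:
    client_id: str
    priority: int  # from the allocated role; higher wins (assumed rule)
    state: ClientState = ClientState.MONITORING
    servers: Dict[str, str] = field(default_factory=dict)  # id -> address
    last_status: Optional[str] = None  # client the server reports as connected

    def on_announcement(self, server_id: str, address: str) -> None:
        """Server auto-discovery: build the list for the management interface."""
        self.servers[server_id] = address


class Server:
    """One server is connected to at most one client at a time."""

    def __init__(self, server_id: str, address: str) -> None:
        self.server_id = server_id
        self.address = address
        self.group: Dict[str, Client] = {}
        self.connected: Optional[Client] = None

    def announce(self, clients: List[Client]) -> None:
        """Stand-in for the periodic SAP/SDP multicast announcement."""
        for c in clients:
            c.on_announcement(self.server_id, self.address)

    def _publish_status(self) -> None:
        # Monitoring clients still learn which client holds the connection.
        who = self.connected.client_id if self.connected else None
        for c in self.group.values():
            c.last_status = who

    def join(self, client: Client) -> None:
        """New group members always start in the monitoring state."""
        client.state = ClientState.MONITORING
        self.group[client.client_id] = client
        self._publish_status()

    def arbitrate(self, client: Client) -> bool:
        """Grant connectivity by role priority. Assumed rule: a strictly
        higher priority pre-empts the current client; ties keep it."""
        if client.client_id not in self.group:
            return False
        if self.connected is client:
            return True
        if self.connected is not None:
            if client.priority <= self.connected.priority:
                return False
            self.connected.state = ClientState.MONITORING  # pre-empted
        self.connected = client
        client.state = ClientState.CONNECTED
        self._publish_status()
        return True

    def release(self, client: Client) -> None:
        """Connection dropped or client leaves: back to monitoring, server idle."""
        if self.connected is client:
            self.connected = None
        client.state = ClientState.MONITORING
        self._publish_status()

    def accept_barrier_signal(self, client: Client) -> bool:
        """Barrier/signaling traffic is accepted only from the connected client."""
        return self.connected is client and client.state is ClientState.CONNECTED


def run_scenario() -> List[str]:
    """Constructed walk-through; returns a log of observable results."""
    server = Server("rws-1", "10.0.0.5")  # constructed id and address
    low, high = Client("operator-b", priority=2), Client("commander", priority=5)
    server.announce([low, high])
    for c in (low, high):
        server.join(c)
    log = [f"servers seen by {low.client_id}: {sorted(low.servers)}"]
    log.append(f"low arbitrates: {server.arbitrate(low)} -> status {low.last_status}")
    log.append(f"high arbitrates: {server.arbitrate(high)} -> low now {low.state.value}")
    log.append(f"low re-arbitrates: {server.arbitrate(low)}")
    log.append(f"barrier from low accepted: {server.accept_barrier_signal(low)}")
    log.append(f"barrier from high accepted: {server.accept_barrier_signal(high)}")
    server.release(high)
    log.append(f"after release status: {high.last_status}, high {high.state.value}")
    return log
```

Running `run_scenario()` shows the safe default: a client that loses arbitration, or has not yet won it, cannot inject barrier or signaling traffic, and every group member is told who holds the connection.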
[0124] According to one embodiment of the invention, the system for operating a safety-critical device 260 further comprising a light source 217 as illustrated in
[0125] The table below illustrates the different possible situations and corresponding light indications.
TABLE-US-00001
Hi side   Lo side   Function   ATP LED   Situation
Low       Low       Off (*)    Off       Error. Barriers equal: e.g. lack of comms, failed diagnostics
High      Low       On         Green     System enabled
Low       High      Off (**)   Red       System disabled
High      High      Off (*)    Off       Error. Barriers equal: e.g. lack of comms, failed diagnostics
(*) no +ve voltage between Hi and Lo; (**) −ve voltage between Hi and Lo.
[0127] The diagnostic information, i.e. the switch positions, is signaled to the server side, i.e. to the second control panel interface 250. The SW on the server side reads the state of the transferred information and verifies the correct state of the HW barrier. If a correspondence is verified, the signal is let through to the output.
[0128] The ATP switch 215 in this scenario uses two HW barriers to transfer the Hi- and Lo-signal sides of the ATP switch 215, and in addition each of the HW barriers has diagnostic signals to verify the correct information transfer, where the diagnostic information is transferred on a third path.
[0129] The actual state of the server output, i.e. the second control panel interface 250, is then fed back as inputs on the server to provide the reverse path back to the operator for operator confirmation regarding the state of the ATP function. All the signals are multiplexed into an IPsec tunnel for an integrity verified transmission. This solution provides both diversity on multiple HW barriers and diagnostics on each barrier.
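The truth table above and the server-side verification and feedback path of [0127] to [0129] together define a small state machine: complementary Hi/Lo values are the only valid command, an equal pair is a fault, the server checks the barriers against the separately transferred diagnostic (switch) state before letting the signal through, the actual output is echoed back for operator confirmation, and loss of communication returns the system to its default safe state. The block below is an added software model of that behaviour, not code from the patent. Assumptions of the model (not stated in the patent): barrier states are booleans, the diagnostic copy of the switch position travels in the same message as the barrier values, each message carries a monotonic sender timestamp that the server uses to reject stale or replayed messages, and `max_age` is a chosen constant; all message sequences are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Led(Enum):
    OFF = "off"      # barriers equal or no confirmation: error, output off
    GREEN = "green"  # Hi on first barrier, Lo on second: system enabled
    RED = "red"      # Lo on first barrier, Hi on second: system disabled


def switch_to_barriers(switch_enabled: bool) -> Tuple[bool, bool]:
    """Switch 215 drives the two barriers to complementary values:
    enabled -> (Hi, Lo), disabled -> (Lo, Hi). An equal pair is a fault."""
    return (True, False) if switch_enabled else (False, True)


def decode_barriers(hi_side: bool, lo_side: bool) -> Tuple[bool, Led]:
    """Truth table of the description: returns (output enabled, LED)."""
    if hi_side and not lo_side:
        return True, Led.GREEN
    if lo_side and not hi_side:
        return False, Led.RED
    return False, Led.OFF  # Low/Low or High/High: barriers equal, error


@dataclass(frozen=True)
class BarrierMessage:
    hi_side: bool
    lo_side: bool
    switch_enabled: bool  # diagnostic copy of the switch position (third path)
    timestamp: float      # assumed monotonic sender timestamp


@dataclass(frozen=True)
class Echo:
    hi_side: bool         # barrier values the server acted on
    lo_side: bool
    output_enabled: bool  # actual output state, read back on the server


class ServerSide:
    """Second control panel interface 250 (server side)."""

    def __init__(self, max_age: float) -> None:
        self.max_age = max_age  # assumed staleness limit in seconds
        self.output_enabled = False
        self.last_timestamp = float("-inf")

    def process(self, msg: Optional[BarrierMessage], now: float) -> Tuple[bool, Optional[Echo]]:
        """No message, a stale or replayed message, or barriers that disagree
        with the diagnostic switch state all force the output off."""
        if (msg is None or now - msg.timestamp > self.max_age
                or msg.timestamp <= self.last_timestamp):
            self.output_enabled = False
            return False, None
        self.last_timestamp = msg.timestamp
        enabled, _ = decode_barriers(msg.hi_side, msg.lo_side)
        if (msg.hi_side, msg.lo_side) != switch_to_barriers(msg.switch_enabled):
            enabled = False  # diagnostics and barriers disagree
        self.output_enabled = enabled
        # Reverse path: the actual output state goes back to the operator.
        return enabled, Echo(msg.hi_side, msg.lo_side, enabled)


def client_led(sent: BarrierMessage, echo: Optional[Echo]) -> Led:
    """Light source 217 shows only what the server confirmed: OFF when the
    echo is missing, differs from what was sent, or reports no enable."""
    if echo is None or (echo.hi_side, echo.lo_side) != (sent.hi_side, sent.lo_side):
        return Led.OFF
    _, led = decode_barriers(echo.hi_side, echo.lo_side)
    if led is Led.GREEN and not echo.output_enabled:
        return Led.OFF
    return led


def run_scenario(max_age: float = 0.1) -> List[Tuple[bool, Led]]:
    """Constructed sequence; returns (server output, operator LED) per step."""
    server = ServerSide(max_age)
    results = []
    t = 0.0
    for switch, hi, lo in [
        (True, True, False),   # switch enabled: Hi/Lo
        (False, False, True),  # switch disabled: Lo/Hi
        (True, True, True),    # barriers stuck equal: error
        (False, True, False),  # barriers say enable, diagnostics say disabled
        (True, True, False),   # enabled again
    ]:
        t += 1.0
        msg = BarrierMessage(hi, lo, switch, t)
        out, echo = server.process(msg, t + 0.01)
        results.append((out, client_led(msg, echo)))
    replay = BarrierMessage(True, False, True, 1.0)  # old message replayed
    out, echo = server.process(replay, t + 1.0)
    results.append((out, client_led(replay, echo)))
    out, echo = server.process(None, t + 2.0)  # communication lost
    results.append((out, client_led(replay, echo)))
    return results
```

The point of the two complementary barriers is visible in `decode_barriers`: no single stuck-at value can produce the enable pattern, and the server refuses to enable when the diagnostic path and the barrier path disagree, so the operator's LED goes green only for a state the server has actually reached.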
[0131] The server SW can support a local emergency stop as an addition to the ATP/E-Stop connected to the client and can further support multiple simultaneous barrier signals with diagnostics as shown.
[0132] The ATP function may be combined with transparent signaling channels.
[0133] Existing solutions for ATP/E-stop over Ethernet/IP are based on a SW architecture that is “made safe”. The SW is designed for high certified integrity levels, typically SIL 3 (IEC 61508), with safety protocols added on top of a standard transmission protocol set. Examples of this are:
[0134] Common Industrial Protocol (CIP) with CIP Safety for safety services. This is a protocol set maintained and developed by the Open DeviceNet Vendors Association (ODVA) and ControlNet International. CIP Safety is based on an option called “the black channel”. The black channel assumes that the network is completely unreliable, so diagnostics must exist outside of the network infrastructure, i.e. in a separate SW safety protocol, CIP Safety.
[0135] Converged Plantwide Ethernet (CPwE) refers to CIP Safety.
[0136] openSAFETY is a version of the CIP protocol, and is used to transmit information that is crucial for the safe operation of machinery in manufacturing lines, process plants, or similar industrial environments over different communication protocols, including Ethernet. This is also based on the “black channel” option. openSAFETY makes use of the option to establish connections via its own assemblies; safe communication then proceeds via these assemblies. This is also a SIL 3 SW implementation.
[0137] SIGMATEK E-Stop solutions are based on the PLCopen standard. This is also a black channel, SW-based E-stop solution.
[0138] All identified alternative solutions are based on SW developed with a formalized process and a well-defined architecture to establish a safe solution. These types of solutions do not provide verifiable diversity in the same way as the proposed solution, nor do they provide the same level of safe operation: SIL 3 according to IEC 61508 shall provide a system probability of dangerous failure per hour (PFH) of 10^-7 to 10^-8, whereas the proposed ATP/E-stop solution provides a PFH which is above SIL 4.
ACRONYMS AND ABBREVIATIONS
AI Artificial Intelligence
[0139] ATP Authorization to proceed
CPI Control Panel Interface
HMI Human Machine Interface
TOP Unmanned Ground Vehicle (UGV) Interoperability Profile
IP Internet Protocol
JAUS Joint Architecture of Unmanned Systems
RCV Robotic Combat Vehicle
RPV Robotic Patrol Vehicle
RWS Remote Weapon Station
SAP/SDP Session Announcement Protocol/Session Description Protocol
SIL Safety Integrity Level
TA Target Acquisition
TE Target Engagement
UGV Unmanned Ground Vehicle
USG United States Government
USMC US Marine Corps
WS Weapon Station
FIGURE REFERENCES
[0140] 110—operating input device
112—first barrier control signal
120—operating input device
122—second barrier control signal
140—communication network
150—first barrier circuit
152—first activating input
160—second barrier circuit
162—second activating input
180—safety critical device
200—first control panel interface
202—first hardware barrier
204—second hardware barrier
205—communication means
206—hardware barrier communication means
210—first input device
215—switch
217—light source
220—second input device
240—non-secure network
242—secure communication tunnel
250—second control panel interface
252—first hardware barrier
254—second hardware barrier
255—communication means
256—hardware barrier communication means
260—safety critical device