Fuzzy Logic



## Chapter 8

## Functional Safety of FPGA Fuzzy Logic Controller

Mohammed Bsiss and Amami Benaissa

DOI: http://dx.doi.org/10.5772/intechopen.83619

## Abstract

In this paper we describe a methodology to implement a fuzzy logic controller in FPGA. The implementation of a fuzzy logic controller (FLC) in FPGA requires a qualitative and a quantitative analysis to define the system safety integrity level (SIL). This level can be defined by quantifying the probability of failure on demand (PFDavg). We propose to analyze the implementation of an advanced safety architecture of fuzzy logic controllers with 1-out-of-2 (1oo2) controllers in FPGA using the reliability block diagram (RBD) and the Markov model. We demonstrate how the PFDavg is evaluated from hardware characteristic parameters, such as the rates of dangerous detected and undetected failure, the diagnostic coverage, the proof test interval and other parameters.

Keywords: fuzzy logic controller, safety integrity level (SIL), mean time to failure (MTTF), safe failure fraction (SFF), reliability block diagram (RBD), Markov model, average probability of dangerous failure on demand (PFDavg), field programmable gate array (FPGA), IEC standard 61508

## 1. Introduction

Synthesizing a fuzzy logic controller in a field programmable gate array (FPGA) means that the VHDL code written for the system is translated into gates, multiplexers, registers, RAM, etc. Faults ranging from very low-level FPGA faults to high-level system hazards, as well as common cause faults, can put FPGA-based systems in a dangerous state [1].

However, safety-related issues for FPGA-based systems remain: such systems must not only be verified but must also follow a safe methodology for their design, implementation and evaluation.

According to [2], the FPGA chip is classified as type B, with a very complex structure. The first step was to perform a failure modes, effects, and diagnostic analysis (FMEDA) for the safety-related FPGA-based fuzzy logic controller.

FMEDA is a systematic process used in the development stage of an integrated circuit to ensure that it meets the pre-determined safety requirements. In the FMEDA, each component implemented in our FPGA is analyzed for possible failures and for the consequences of these failures on the system.

The design, implementation and evaluation of a fuzzy logic controller in a field programmable gate array require a qualitative and a quantitative analysis according to IEC 61508. Due to their usage in critical applications, FLCs have a very stringent average probability of failure on demand (PFDavg) requirement.

This requirement is usually determined by industry standards, such as the safety integrity level (SIL) rankings. The SIL is defined as the relative level of risk reduction provided by a safety function, here the safety function of our FPGA-based FLC.


The safety function performed by the FLC maintains a safe state of the system relative to specific hazardous failures.

The four levels used in IEC 61508 are defined in Table 1 [5] for various fractions of failures leading to a safe state as follows:

| Safety integrity level | Probability of failure on demand |
| --- | --- |
| SIL4 | 10<sup>-4</sup> to 10<sup>-5</sup> |
| SIL3 | 10<sup>-3</sup> to 10<sup>-4</sup> |
| SIL2 | 10<sup>-2</sup> to 10<sup>-3</sup> |
| SIL1 | 10<sup>-1</sup> to 10<sup>-2</sup> |

Table 1. Definition of SILs for low demand mode from IEC 61508-1.

## 2. Definition and assumptions

### 2.1 Definition

Presented below is a glossary of terminology on topics related to functional safety used in this paper.

Diagnostic coverage represents the probability of discovering a failure. According to the safety standard IEC 61508, the diagnostic coverage of a test is defined as the ratio of the rate of dangerous failures detected by the diagnostic test to the total rate of detected and undetected dangerous failures.

Safe failure fraction is used for calculating safety integrity levels (SIL).

Mean time to failure is the average time to the first failure.

Mean time between failures (MTBF) is the time between two failures.

Probability of failure on demand (PFD) is the probability, over a time interval, that the system cannot perform the safety function for which it was designed at the time a demand for this function is made.

The safe failure fraction is defined as the ratio of the safe failure rate λS plus the dangerous detected failure rate λDD to the sum of the safe, dangerous detected and dangerous undetected λDU failure rates. The calculation is based on the architecture of the FLC and on a functional analysis carried out by a Failure Modes Effects and Diagnostic Analysis (FMEDA).

Safety integrity level (SIL). Assigning a SIL to a system is a decision taken as a consequence of the process hazard and risk analysis. The SIL defines the probability of dangerous failure that can be authorized for a system. There are four possible levels (SIL1, SIL2, SIL3 and SIL4) defined by the safety norm IEC 61508 [2].

Component type A. All failure modes are known and can be detected. The value of the security factor S for components of type A in the worst case is defined as S = 10% [3].

Component type B. All failure modes are not completely known. The value of the security factor S for components of type B in the worst case is defined as S = 50%.

Proof test (T-proof) is a periodic offline test directed to detect failures in a system so that the system can be repaired and returned to a state equivalent to its initial state.


Diagnostic tests are online tests to detect hazardous failures. The diagnostic tests have an influence at the level of the component (internal) but not at the level of the security function. The watchdog test, walking bit test and RAM test are some examples of diagnostic tests.

Common mode failure refers to the simultaneous failure that can appear in two or more channels of a multiple-channel system. The introduction of common-mode failures is generally represented by a factor β. The IEC 61508 standard distinguishes two types of factor, for non-detected dangerous failures and for detected dangerous failures. The values of the factors β and βD are generally between 0.5% and 5% [4].

1oo2 architecture (one-out-of-two) consists of two channels each performing the security function. The security function is executed once a channel requests it. Only a dangerous failure of both channels leads to the failure of the security function on demand.

Reliability block diagram is a safety analysis method for SIL selection and for estimating the performance of systems; other methods are fault tree analysis [6] and Markov diagrams [7].

### 2.2 Assumptions


The technique and results developed in this paper are based on the following assumptions:

• Component failure and repair rates are assumed constant over the life of the system.

• The hardware failure rates used as inputs to the calculations are for a single channel of the subsystem.

• All channels in a voted group have the same failure rate and diagnostic coverage rate.

• The proof test interval is at least one order of magnitude greater than the diagnostic test interval.

• For each component of the safety system, the PFDavg is calculated, for simplification, only from the undetected dangerous failure rate λDU given in Table 3 and the proof test interval Ti.

• The demand rate and expected interval between demands are not considered.

Other assumptions can be referred to Annex B of IEC 61508-6.

## 3. Architecture of fuzzy logic controller

For a simple 1-out-of-1 (1oo1) architecture, the fuzzy logic controller (FLC) contains a fuzzification process that converts a real scalar input value into a fuzzy value, a fuzzy inference engine for rule-based expert systems, and a defuzzification process that converts the fuzzy value into a real scalar output. Figure 1 presents the basic block diagram of a simple fuzzy logic controller.

The parameters characterizing the present FLC are summarized in Table 2.

Figure 1. Basic block diagram of a simple fuzzy logic controller.


| Parameter | Value |
| --- | --- |
| Inputs | 2 |
| Outputs | 1 |
| Outputs resolution | 12 bits |
| Antecedent MF's | 7 trapezoidal |
| Antecedent MF resolution | 14 bits |
| Consequent MF's | 3 singleton |
| Antecedent MF resolution | 12 bits |
| Aggregation method | Mamdani Min-Max |
| Implication method | Product operator |
| Defuzzification | Weighted average |

Table 2. The parameters characterizing the FLC.

The FLC has two inputs, one with four linguistic terms and the other with three, and an output with three linguistic terms. This makes a total of 4 × 3 × 3 different rules that may be used to describe the total control strategy (Figure 2).

The FPGA-based fuzzy logic controller consists of two fuzzy logic controllers (FLC), each with a fuzzification process, a rule evaluation process and a defuzzification process, in a redundant architecture (Figure 3).

In this kind of redundancy, the failure of one channel does not prevent the execution of the safety function. This architecture will be in a dangerous state only when both FLCs have dangerous failures. The main advantage of this architecture is its low probability of failure on demand. Each FLC has diagnostic tests, and the results of both FLCs are controlled by the comparison module (Figure 3).

The safety function performed by the FLC maintains a safe state of the system relative to specific hazardous failures. The safety function is therefore the power loss for the analog outputs (de-energize-to-trip) of the system in case of dangerous failures detected by the on-line diagnostic tests. These failures can be interconnect faults, stuck-at faults, transition faults, clock phase shift, or a deviation between the values obtained from the two controllers.

Figure 3 shows a basic model for a fuzzy logic controller with redundancy architecture 1oo2 designed in FPGA.

Figure 2. Design of the present implemented FLC on FPGA.

Figure 3. Block diagram of the fuzzy logic controller with 1oo2 structure.

## 4. RBD and Markov model for safety integrity verification

### 4.1 Reliability block diagram

The reliability block diagram is a graphical representation of the system. Each component is represented by a function block according to its logical reliability relation (Figure 4). A series connection represents a logical "and" of components and a parallel connection represents a logical "or", while a combination of series and parallel connections represents voting logic.


If a component fails in a series combination, the corresponding connection will be cut off. Conversely, in a parallel combination, the operation of a single instance is sufficient for the passage of the signal. System shutdown is only possible if all parallel instances fail.

Figure 4 presents the reliability block diagram associated with the fuzzy logic controller with the 1oo2 structure. We take into consideration that the components have only two operating states (correct or faulty operation).

Figure 4. Reliability block diagrams analysis.

### 4.2 Auto diagnostic and common cause

The first step was to perform a failure modes, effects, and diagnostic analysis (FMEDA) to detect the hazardous hardware failures of the system. A failure is called safe if it does not put the FLC in a dangerous state when a hazardous fault occurs. A dangerous failure puts the logic controller in a potentially dangerous state and makes the system inoperative.

The failure rates are partitioned into four categories:

• Safe failure rate λS: does not have the potential to put the system in a hazardous state and is equal to the sum of the safe detected failure rate λSD and the safe undetected failure rate λSU.

• Dangerous failure rate λD: has the potential to put the system in a hazardous state and is equal to the sum of the dangerous detected failure rate λDD and the dangerous undetected failure rate λDU.

• Dangerous detected failure λDD: is detected by the on-line diagnostic tests, and the system will be placed into a safe state.

• Dangerous undetected failure λDU: is undetected by the on-line diagnostic tests, and the system will not be placed into a safe state.


For redundant systems, the combination of on-line diagnostics and common cause was included, so the failure rate is partitioned into eight categories [7]:

• Safe, detected normal λSDN

• Safe, undetected normal λSUN

• Safe, detected, common-cause λSDC

• Safe, undetected common cause λSUC

• Dangerous, detected, common-cause λDDC

• Dangerous, undetected common cause λDUC

• Dangerous, detected normal λDDN

• Dangerous, undetected normal λDUN



The possible failures of the fuzzy inference engine implemented in FPGA and their classification are presented in Table 3.

| Type of failure | Potential causes | Diagnostic test | Classification of failure |
| --- | --- | --- | --- |
| Hazardous hardware failure in module fuzzification | Stuck-at Low or Stuck-at High anomaly at the internal FPGA component | Periodic comparison of the result of the redundancy controllers | Dangerous detected failure λDD |
| Hazardous hardware failure in module inference rule | Stuck-at Low or Stuck-at High anomaly at the internal FPGA component | Examining of cyclic redundancy value | Dangerous detected failure λDD |
| Hazardous hardware failure in module defuzzification | The drift of the clock | Examining via watchdog circuit | |
| Failure of an internal element that does not intervene in the logic implemented in FPGA | Hardware fault, electrostatic disturbance, magnetic waves, high voltage frequencies, etc. | No diagnostic | Since it does not affect the security function of the FLC, it is an undetected safe failure λSU |
| Flash memory failure where logic (VHDL code) is stored | | | A failure in the flash memory during FLC operation can be detected only after the mission time delay Ti. It can therefore be classified as a detected safe failure λSD |

Table 3. Failure mode distribution for functional block 3 (FLC).

### 4.3 Quantitative analysis using RBD

The structure of the reliability block diagram (RBD) defines the logical interactions of failures within a fuzzy logic controller implemented in FPGA. Each component of the fuzzy logic controller is a functional block, connected in series for the output module (DAC) and in a parallel structure for the measurement units. Figure 4 presents the reliability block diagram associated with each component. The unreliability data for each subsystem component is given in Table 4. The probability PFDavg is calculated by summing the probabilities of failure of all the functional blocks of the FLC. The quantification of the average frequency of dangerous failure of our safety function is given by Eq. (1) [8]:

$$\text{PFDavg} = 2\left( (1 - \beta_D)\lambda^{DD} + (1 - \beta)\lambda^{DU} \right)^2 t_{CE}\, t_{GE} + \beta_D \lambda^{DD}\, \text{MTTR} + \beta \lambda^{DU} \left( \frac{T_i}{2} + \text{MTTR} \right) \tag{1}$$

The time of unavailability of a channel tCE due to a detected dangerous failure is given by the following formula [8]:

$$t_{CE} = \frac{\lambda^{DU}}{\lambda^D} \left(\frac{T_i}{2} + \text{MTTR}\right) + \frac{\lambda^{DD}}{\lambda^D}\, \text{MTTR} \tag{2}$$

The time of unavailability of the other channel tGE, also due to a detected dangerous failure, is added as well and is represented by the following formula [8]:

$$t_{GE} = \frac{\lambda^{DU}}{\lambda^D} \left(\frac{T_i}{3} + \text{MTTR}\right) + \frac{\lambda^{DD}}{\lambda^D}\, \text{MTTR} \tag{3}$$
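The formulas above can be evaluated directly. The following Python is an added example, not code from the chapter: it implements Eqs. (1)-(3), the diagnostic coverage and safe failure fraction definitions of Section 2.1 and the Table 1 SIL bands, using the failure rates and coverages quoted in Section 4.4 for the 1oo2 FLC. The proof test interval Ti, MTTR and βD are not given in the chapter and are assumed values.

```python
"""Added example (not the chapter's code): 1oo2 PFDavg from Eqs. (1)-(3) of the chapter."""

# Failure-rate data quoted in Section 4.4 of the chapter (per hour).
LAMBDA_S = 6.6302e-07   # safe failure rate of the 1oo2 FLC
LAMBDA_D = 1.9118e-07   # dangerous failure rate of the 1oo2 FLC
DC_DANGEROUS = 0.95     # on-line diagnostics detect 95% of dangerous failures
DC_SAFE = 0.92          # ... and 92% of safe failures
BETA = 0.02             # common-cause factor for undetected dangerous failures (chapter)

# Assumed values, not given in the chapter.
BETA_D = 0.01           # assumption: common-cause factor for detected dangerous failures
T_I = 8760.0            # assumption: proof test interval, 1 year in hours
MTTR = 8.0              # assumption: mean time to repair in hours

# Table 1 (low demand mode): SIL band -> [lower, upper) PFDavg.
SIL_BANDS = {"SIL4": (1e-5, 1e-4), "SIL3": (1e-4, 1e-3),
             "SIL2": (1e-3, 1e-2), "SIL1": (1e-2, 1e-1)}


def split_rates(lam_s, lam_d, dc_safe, dc_dangerous):
    """Partition lambda_S / lambda_D by diagnostic coverage (Section 4.4)."""
    return {"SD": lam_s * dc_safe, "SU": lam_s * (1 - dc_safe),
            "DD": lam_d * dc_dangerous, "DU": lam_d * (1 - dc_dangerous)}


def diagnostic_coverage(lam_dd, lam_du):
    """DC = detected dangerous / (detected + undetected dangerous) (Section 2.1)."""
    return lam_dd / (lam_dd + lam_du)


def safe_failure_fraction(lam_s, lam_dd, lam_du):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU) (Section 2.1)."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def t_ce(lam_dd, lam_du, t_i, mttr):
    """Eq. (2): mean down time of one channel after a dangerous failure."""
    lam_d = lam_dd + lam_du
    return lam_du / lam_d * (t_i / 2 + mttr) + lam_dd / lam_d * mttr


def t_ge(lam_dd, lam_du, t_i, mttr):
    """Eq. (3): mean down time of the other channel (T_i / 3 term)."""
    lam_d = lam_dd + lam_du
    return lam_du / lam_d * (t_i / 3 + mttr) + lam_dd / lam_d * mttr


def pfd_avg_1oo2(lam_dd, lam_du, beta, beta_d, t_i, mttr):
    """Eq. (1): PFDavg of a 1oo2 group with common-cause factors beta and beta_D."""
    independent = 2 * ((1 - beta_d) * lam_dd + (1 - beta) * lam_du) ** 2 \
        * t_ce(lam_dd, lam_du, t_i, mttr) * t_ge(lam_dd, lam_du, t_i, mttr)
    cc_detected = beta_d * lam_dd * mttr
    cc_undetected = beta * lam_du * (t_i / 2 + mttr)
    return independent + cc_detected + cc_undetected


def sil_from_pfd(pfd):
    """Map a PFDavg to the Table 1 band it falls in, or None if outside SIL1..SIL4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def analyse_flc():
    """Run the chapter's rates through Eqs. (1)-(3) with the assumptions above."""
    r = split_rates(LAMBDA_S, LAMBDA_D, DC_SAFE, DC_DANGEROUS)
    pfd = pfd_avg_1oo2(r["DD"], r["DU"], BETA, BETA_D, T_I, MTTR)
    return {"rates": r,
            "dc": diagnostic_coverage(r["DD"], r["DU"]),
            "sff": safe_failure_fraction(LAMBDA_S, r["DD"], r["DU"]),
            "t_ce": t_ce(r["DD"], r["DU"], T_I, MTTR),
            "t_ge": t_ge(r["DD"], r["DU"], T_I, MTTR),
            "pfd_avg": pfd,
            "sil": sil_from_pfd(pfd)}


if __name__ == "__main__":
    for key, value in analyse_flc().items():
        print(f"{key:8s} {value}")
    # The chapter's system-level RBD total (Table 4): 2.7426E-03, reported as SIL2.
    print("Table 4 total 2.7426E-03 ->", sil_from_pfd(2.7426e-03))
```

Note that the chapter's per-subsystem values in Table 4 depend on its own Ti, MTTR and βD choices, so the figure this script prints for the FLC is only as good as the assumptions at the top.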


This result gives a PFDavg of 2.7426E-03, which corresponds to a safety integrity level of SIL2.

The subsystem PFDavg contribution of the supply voltage is 2.1920E-03, and that of the fuzzy controller implemented in FPGA is 7.3616E-06. This means that the on-line diagnostic tests implemented for the FLC in FPGA have high performance and efficiency (Figure 5).

| Component | HFT | PFDavg | % of total PFDavg | SFF |
| --- | --- | --- | --- | --- |
| Supply power | 1 | 2.1920E-03 | 82.93% | 90.000% |
| Clock dispenser | 1 | 1.8785E-04 | 6.84% | 92.059% |
| ADC converter | 1 | 2.1818E-04 | 7.95% | 90.235% |
| Fuzzy controller | 1 | 7.3616E-06 | 0.68% | 99.500% |
| DAC controller | 1 | 5.4770E-05 | 1.99% | 95.000% |
| Total | | 2.7426E-03 | 100% | 92.57% |

Table 4. Failure mode distribution and SIL performance analysis for FLC system.

Figure 5. Schematic design of the reliability principle (1oo2).

### 4.4 Quantitative analysis using Markov model

Markov modeling brings good reliability and safety techniques for qualitative and quantitative analysis that use state diagrams. This method takes into account a realistic repair time, the probability of correct repair, the proof test effectiveness and automatic diagnostic testing. The Markov system model for the redundancy structure 1oo2 with only on-line diagnostics is presented in Figure 6. This Markov model of the 1oo2 architecture contains 6 states [7]:

• The first state (S0): specifies the normal state where both controllers work properly.

• The second state (S1): specifies the state where one controller of the system has a dangerous failure detected by the diagnostics, with transition probability 2λDD. The system can be repaired according to the transition rate μ0.

• The third state (S2): specifies the state where one controller of the system has a dangerous undetected failure, with transition probability 2λDU, and the second works properly.

• States (S3), (S4) and (S5): specify a system fail state, where both controllers have a dangerous failure detected by the on-line diagnostic tests (S3), or one controller has a dangerous failure detected by the on-line diagnostic tests and the other has a dangerous undetected failure (S4), or both channels have a dangerous failure undetected by the on-line diagnostic tests (S5).

Figure 6. Markov model of the 1oo2 architecture diagnostic (no common cause).


Functional Safety of FPGA Fuzzy Logic Controller DOI: http://dx.doi.org/10.5772/intechopen.83619


A Markov model of the 1oo2 structure that takes into account the combination of different failure modes, on-line diagnostics and common cause failures is drawn in Figure 7, with six states [7].

It has the same state combinations as Figure 6 with two additional failure transitions: a dangerous detected common-cause failure rate from state (S0) to state (S3) and a dangerous undetected common-cause failure rate from state (S0) directly to state (S5). The Markov model of the 1oo2 architecture contains six states, so the transition matrix P has dimension (6 × 6) and is given by [7], with λDN = λDDN + λDUN the independent and λDC = λDDC + λDUC the common-cause dangerous failure rates (a common-cause event takes both channels out at once, so it is not doubled by the number of channels), λD = λDD + λDU, and μ0 = 1/MTTR the repair rate, so that every row sums to one:

$$P = \begin{bmatrix} 1 - (\lambda_{DC} + 2\lambda_{DN}) & 2\lambda_{DDN} & 2\lambda_{DUN} & \lambda_{DDC} & 0 & \lambda_{DUC} \\ \mu_0 & 1 - (\lambda_D + \mu_0) & 0 & \lambda_{DD} & \lambda_{DU} & 0 \\ 0 & 0 & 1 - \lambda_D & 0 & \lambda_{DD} & \lambda_{DU} \\ 0 & 2\mu_0 & 0 & 1 - 2\mu_0 & 0 & 0 \\ 0 & 0 & \mu_0 & 0 & 1 - \mu_0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \end{bmatrix} \tag{4}$$

The transition matrix P gives the probabilities of moving between the states in one time interval (here one hour, since the rates are per hour). This matrix can be multiplied by itself to get the transition probabilities for several time intervals.

The FLC system always starts in one particular state (S0), so the starting vector contains a single one and zeros elsewhere. The starting probability S^0 is:

$$S^0 = \begin{bmatrix} 1 & 0 & 0 & 0 & 0 & 0 \end{bmatrix} \tag{5}$$

Figure 7. Markov model of the 1oo2 architecture—diagnostic and common cause.


That is, the probability of being in the normal state at the initial time is 100%, and 0% for the other states.

After 1 year, the average probability of failure on demand of the safety function is the sum of the PFDavg contributions of all functional subsystems of the 1oo2 FLC system:

$$\text{PFD}_{avg} = \sum \text{PFD}_{avg,\,subsystem} \tag{6}$$

The FLC with 1oo2 structure always starts in state zero. After n hours, the distribution probabilities S^n are obtained by the recurrence:

$$\begin{aligned} S^1 &= S^0 \times P \\ S^2 &= S^1 \times P \\ S^3 &= S^2 \times P \\ S^4 &= S^3 \times P \\ &\;\;\vdots \\ S^n &= S^{n-1} \times P \end{aligned}$$

The vector S^n for any particular time interval is obtained by multiplying S^{n-1} by P. This process can be continued as necessary; the distribution changes less with each step until it remains practically unchanged as time progresses. If S^{n+1} = S^n, a limiting state probability is reached. This vector is labeled S^L:

$$S^L = S^n \times P = S^{n-1} \times P$$

Note that in matrix (4) state S5 is absorbing (no repair transition leaves it, because undetected failures are only revealed by the proof test, which the model does not include), so the probability mass in S5 keeps increasing slowly; in practice the distribution is read off after a fixed number of one-hour steps rather than as an exact fixed point.

The FLC with 1oo2 structure has a safe failure rate of 6.6302E−07 failures per hour and a dangerous failure rate of 1.9118E−07 failures per hour. The on-line diagnostics detect 95% of dangerous failures and 92% of safe failures. When failures are detected, the average system repair time (MTTR) is 24 hours.

The beta factor β is estimated to be 2%. The failure rates are first split according to the diagnostic coverage. The following failure rates result:

$$\begin{aligned} \lambda_{SD} &= \lambda_S \times 0.92 \\ \lambda_{SU} &= \lambda_S \times (1 - 0.92) \\ \lambda_{DD} &= \lambda_D \times 0.95 \\ \lambda_{DU} &= \lambda_D \times (1 - 0.95) \end{aligned}$$

Each of these rates is then split with the beta factor into an independent (normal, N) part and a common-cause (C) part:

$$\begin{aligned} \lambda_{SDN} &= (1 - \beta) \times \lambda_{SD} & \lambda_{SDC} &= \beta \times \lambda_{SD} \\ \lambda_{SUN} &= (1 - \beta) \times \lambda_{SU} & \lambda_{SUC} &= \beta \times \lambda_{SU} \\ \lambda_{DDN} &= (1 - \beta) \times \lambda_{DD} & \lambda_{DDC} &= \beta \times \lambda_{DD} \\ \lambda_{DUN} &= (1 - \beta) \times \lambda_{DU} & \lambda_{DUC} &= \beta \times \lambda_{DU} \end{aligned}$$
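The following Python is an added example, not the chapter's own code, that carries the Markov part of the analysis through end to end: the diagnostic-coverage and beta-factor splits just above, the six-state transition matrix (4), the start vector (5), and the recurrence S^n = S^{n-1} × P. It uses the chapter's FLC figures (λS = 6.6302E−07/h, λD = 1.9118E−07/h, DC 92%/95%, β = 2%, MTTR = 24 h) and two assumptions of its own: one step is one hour, and the time horizon is a 8760 h (one-year) proof test interval. The `average_pfd` helper, which time-averages the fail-state probability over that horizon, is an added interpretation rather than a formula from the chapter, and the printed S^L values in the text are not reproduced here.

```python
"""Discrete-time Markov model of the 1oo2 FLC (Figure 7, transition matrix (4)).

Added example. One step = one hour, so the per-hour failure and repair rates
are used directly as transition probabilities.
"""


def split_rates(lam_s, lam_d, dc_s, dc_d, beta):
    """Split λS and λD by diagnostic coverage, then by the beta factor."""
    lam_sd, lam_su = lam_s * dc_s, lam_s * (1.0 - dc_s)
    lam_dd, lam_du = lam_d * dc_d, lam_d * (1.0 - dc_d)
    return {
        "D": lam_d, "DD": lam_dd, "DU": lam_du, "SD": lam_sd, "SU": lam_su,
        "SDN": (1.0 - beta) * lam_sd, "SDC": beta * lam_sd,
        "SUN": (1.0 - beta) * lam_su, "SUC": beta * lam_su,
        "DDN": (1.0 - beta) * lam_dd, "DDC": beta * lam_dd,
        "DUN": (1.0 - beta) * lam_du, "DUC": beta * lam_du,
    }


def transition_matrix(r, mttr_hours):
    """Build the 6x6 one-hour transition matrix P of equation (4)."""
    mu0 = 1.0 / mttr_hours  # repair rate for detected failures
    rows = [
        # S0 both OK: independent failures hit either channel (x2),
        # common-cause failures take both channels out in one event.
        [0.0, 2 * r["DDN"], 2 * r["DUN"], r["DDC"], 0.0, r["DUC"]],
        # S1 one DD failure: repaired at mu0, or the second channel fails.
        [mu0, 0.0, 0.0, r["DD"], r["DU"], 0.0],
        # S2 one DU failure: nobody knows, so no repair; only further failures.
        [0.0, 0.0, 0.0, 0.0, r["DD"], r["DU"]],
        # S3 both DD: two repairs in progress, first completion leads to S1.
        [0.0, 2 * mu0, 0.0, 0.0, 0.0, 0.0],
        # S4 one DD + one DU: repairing the detected one leaves S2.
        [0.0, 0.0, mu0, 0.0, 0.0, 0.0],
        # S5 both DU: absorbing, only a proof test (not modelled) clears it.
        [0.0, 0.0, 0.0, 0.0, 0.0, 0.0],
    ]
    # Diagonal = 1 - (sum of exits): 1 - (λDC + 2λDN) for S0, 1 - (λD + μ0)
    # for S1, and so on, which is exactly what makes every row sum to one.
    for i, row in enumerate(rows):
        row[i] = 1.0 - sum(row)
    return rows


def step(s, p):
    """One hour: S^n = S^(n-1) x P (row vector times matrix)."""
    n = len(p)
    return [sum(s[i] * p[i][j] for i in range(n)) for j in range(n)]


def evolve(p, hours, s0=None):
    """Return S^hours, starting from S^0 = [1, 0, 0, 0, 0, 0] (equation (5))."""
    s = list(s0) if s0 is not None else [1.0] + [0.0] * (len(p) - 1)
    for _ in range(hours):
        s = step(s, p)
    return s


FAIL_STATES = (3, 4, 5)   # both channels dangerously failed: 1oo2 cannot trip
DEGRADED_STATES = (1, 2)  # one channel failed, the other still protects


def state_mass(s, states):
    return sum(s[i] for i in states)


def average_pfd(p, hours):
    """Time-average of the fail-state probability over `hours` one-hour steps.

    Added interpretation: this is how a PFDavg is usually read off a Markov
    model when `hours` is the proof test interval.
    """
    s = [1.0] + [0.0] * (len(p) - 1)
    total = 0.0
    for _ in range(hours):
        s = step(s, p)
        total += state_mass(s, FAIL_STATES)
    return total / hours


# Chapter's FLC figures: λS, λD per hour, DC 92 % safe / 95 % dangerous, β = 2 %.
RATES = split_rates(6.6302e-7, 1.9118e-7, 0.92, 0.95, 0.02)
P = transition_matrix(RATES, 24.0)  # MTTR = 24 h


def summarize(hours=8760):
    """Distribution after `hours` (assumed 1-year horizon) plus derived figures."""
    s = evolve(P, hours)
    return {"S": s,
            "degraded": state_mass(s, DEGRADED_STATES),
            "failed": state_mass(s, FAIL_STATES),
            "pfd_avg": average_pfd(P, hours)}


if __name__ == "__main__":
    out = summarize()
    for k, v in enumerate(out["S"]):
        print(f"S{k} = {v:.3e}")
    print(f"degraded = {out['degraded']:.3e}, failed = {out['failed']:.3e}, "
          f"PFDavg(1 year) = {out['pfd_avg']:.3e}")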

When the failure rates and the repair rate are substituted into the transition matrix P and the limiting state probabilities are solved for, the results are:

$$\begin{aligned} S^L_0 &= 0.9583 & S^L_1 &= 0.0095 & S^L_2 &= 0.0095 \\ S^L_3 &= 0.0093 & S^L_4 &= 0.0097 & S^L_5 &= 0.0038 \end{aligned}$$

Since the system is down (failed) in state S5, the predicted average steady-state downtime is 0.0038. The control system is successful in states S0, S1 and S2; adding the limiting state probabilities of the success states gives 0.9583 + 0.0095 + 0.0095 = 0.9773 (97.73%).

## 5. Conclusion

Markov analysis is used to analyze the different states that the system passes through during its life cycle. It provides the probability of the FLC being in each of these states.

This application contains several important assumptions. First, in M-out-of-N Markov models the probabilities in each row of the transition matrix sum to one. Second, the transition probabilities do not change over time. Third, the next state depends only on the current state, not on the earlier history. In a Markov process, after a number of periods (500 hours) have passed, the probability distribution approaches steady state. For our example, the steady-state probabilities are:

• 13.5E−03 = probability of the FLC being in a dangerous undetected failed state (S4 + S5 = 0.0097 + 0.0038).
• 1.9E−02 = probability of the FLC being in a degraded state with one channel failed (S1 + S2 = 0.0095 + 0.0095).

However, the reliability block diagram analysis is based on the IEC 61508 international standard for the calculation of PFDavg. This standard takes into account all the parameters defined previously and distinguishes between type A and type B components. The component type determines the safety factor that enters directly into the calculation of the PFDavg. Despite this difference between the two methods, both analysis methods give the same results.

The FLC with 1oo2 redundancy structure has a redundant architecture with two controllers, adopted by the FLC and the watchdog. This architecture has a majority voting arrangement for the output signals: if only one FLC gives a result that disagrees with the other FLC, the output state does not change.

The average probability of failure on demand of the FLC with 1oo2 architecture is 2.7426E−03 (a probability, not a rate per hour), which places the system at safety integrity level SIL2 (low-demand band $10^{-3} \le \text{PFD}_{avg} < 10^{-2}$).

## List of abbreviations

ADC: analog to digital converter
DAC: digital to analog converter
DC: diagnostic coverage
E/E/PE: electrical/electronic/programmable electronic
FLC: fuzzy logic controller
FMEDA: failure modes, effects, and diagnostic analysis
FPGA: field programmable gate array
IEC: International Electrotechnical Commission
ISO: International Organization for Standardization
MooN: a system of N redundant channels with M-out-of-N voting
MTBF: mean time between failures
MTTF: mean time to failure
MTTR: mean time to repair
PFD: probability of failure on demand
PFDavg: average probability of failure on demand
PFH: probability of a dangerous failure per hour
RBD: reliability block diagram
SFF: safe failure fraction
SIF: safety instrumented function
SIL: safety integrity level
SIS: safety instrumented system
VHDL: very high speed integrated circuit hardware description language

## Author details

Mohammed Bsiss\* and Amami Benaissa
Department of Computer Science, Systems and Telecommunications (LIST), Faculty of Science and Technology, Tangier, Morocco

\*Address all correspondence to: fstbsisss@gmail.com

© 2020 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

## References

[1] IEC. 61508-6: Functional safety of electrical/electronic/programmable electronic safety-related systems. e2.0d; 2010

[2] IEC. 61508-2:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems (E/E/PE, or E/E/PES). e2.0d, pp. 27, Table 3

[3] IEC. 61508-2:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems (E/E/PE, or E/E/PES). e2.0d, pp. 77

[4] IEC. 61508-6:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems (E/E/PE, or E/E/PES). e2.0d, pp. 92, Table D.4

[5] IEC. 61508-2:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems (E/E/PE, or E/E/PES). e2.0d, pp. 34, Table 3

[6] ISA TR84.0.0.2. Safety Instrumented Functions (SIF), Safety Integrity Level (SIL), Evaluation Techniques. Part 2: Determining the SIL of SIF Via Simplified Equations. North Carolina; 1998

[7] Goble WM. Control Systems Safety Evaluation and Reliability. 3rd ed. Research Triangle Park, NC: International Society of Automation; 2010

[8] IEC. 61508-6:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems (E/E/PE, or E/E/PES). e2.0d, pp. 143-144


## *Edited by Constantin Volosencu*

This book promotes new research results in the field of advanced fuzzy logic applications. The book has eight chapters, with the following thematic areas: fuzzy mathematics, adaptive neuro-fuzzy inference system, inference methods, expert systems, electrical systems, and application in management and field-programmable gate array. The introductory chapter aims to recall some algebraic relations that describe fuzzy rule bases and fuzzy blocks as algebraic applications. Other works presented are: a study on the convergence of sequence spaces with respect to intuitionistic fuzzy norms and their topological and algebraic properties; an ANFIS application to identifying the online bearing fault; methods of conditional inference for fuzzy control systems; an application of fuzzy logic and fuzzy expert systems in material synthesis methods; control of electrical systems in conditions of incomplete information regarding the values of diagnostic parameters; a methodology for evaluating the causality of factors in organization management; and a technical study on the functional safety of an FPGA fuzzy logic controller. The authors have published worked examples and case studies resulting from their research in the field. Readers will have access to new solutions and answers to questions related to the emerging field of theoretical fuzzy logic applications and their implementation.

Fuzzy Logic. IntechOpen Book Series: Artificial Intelligence, Volume 3. Edited by Constantin Volosencu. Published in London, UK © 2020 IntechOpen.