Automation software/hardware

[Simon35]

The radio system is a non-starter, unless you can determine it's reliability, by which I mean attach some actual numbers based on evidence (mean time to failure etc etc).

If it's the job of the tractor driver to emergency stop the system, then the supplier of that emergency stop pushbutton will provide the figures, as will the supplier of the safety relay monitoring the pushbutton, and the supplier of the safety contactor to remove power.

You have a strange idea of how agricultural systems work. There will be no e-stop button - just manual controls. So once the pump is set running, it'll run until it's either stopped (manually) or the tractor engine stops.
That's generally how most agricultural machinery works.

Manning the pump will be a really boring job - you just sit there, start it when needed, do nothing for <some period of time>, stop it, rinse and repeat ... - whoever gets that job isn't going to be the most alert and motivated person around. So you've got a human with a boring task and lots of free time. You can reasonably expect these days that their attention will mostly be on a mobile or something like that. So overall, I'd say a radio system stands a good chance of being more reliable - it'll be hard to make it less reliable

You're absolutely right, I don't know about agricultural systems.

What I do know about is industrial control, and safety-related industrial controls, and the design process and documentation required to meet the current legislation.

You clearly don't, if you think that some lash-up with a radio is anywhere near. Somebody is asking for advice on how to do a job, for which they will be paid, involving modifications to existing equipment used by somebody's employees. It needs to be done correctly, because so often it isn't by well meaning dabblers.

 

[bernardgreen]

Using wireless to control remote equipment is acceptable provided loss of communications will result in the machinery stopping in s safe manner and coming to rest in a safe state. For example slamming a brake on hard to a rotating shaft could result in fractures of mounting brackets etc. etc. resulting in the hazards of metal flying around loose.

In this pumping application wireless even with a "lash up" of tone decoding would be acceptable provided :-

[1] the pump started on a start command of at least 3 DTMF digits where at least one was A B C or D ( the buttons not used on a standard DTMF dial ) and then stopped automatically after a timer expired.

[2] once started the timer could be reset by a continue pumping command using different digits than those in the start command.

[3] the pump stopped immediately when a stop command was received.

The hazard here is that if communications were lost the pump could run for a period of time until the timer expired.

 

[ban-all-sheds]

You'll find, when you get down to it, that the code to implement something like that will be a lot more complicated than it first appears it might be.

 

[bernardgreen]

You'll find, when you get down to it, that the code to implement something like that will be a lot more complicated than it first appears it might be.

At the receiving end it is 3 chips and about 100 lines of code in a PIC processor, the timer can be in the PIC and backed up by using a mechanical relay with timer built in should the PIC lock up with a "continue" command on its output.

Some where I will have the schematics for a similar application but using a telephone wire instead of wireless.

 

[ban-all-sheds]

Fine.

You build one like that and offer a challenge to see how easily it can be hacked.

 

[bernardgreen]

You build one like that and offer a challenge to see how easily it can be hacked.

Any wireless linked communications can be hacked. But there has to be a motivation strong enough to make the effort to hack worthwhile.

 

[ban-all-sheds]

Any wireless linked communications can be hacked.

No - they can be made secure. Or at least they can be made a lot more secure than you'd get with your 100 lines of code.

But there has to be a motivation strong enough to make the effort to hack worthwhile.

I regularly see graffiti where clearly the motivation to spray a tag on something was strong enough for the sprayers to risk their lives.

I'm not sure that you can dismiss the risks of insecure industrial control systems by saying that nobody would be bothered to try and hack them.

 

[bernardgreen]

I'm not sure that you can dismiss the risks of insecure industrial control systems by saying that nobody would be bothered to try and hack them.

My experience in a successful close on 50 year career in electronics is what I base my opinions on. That career included design of industrial controls (9 years )and wireless communications ( 12 years ).

Yes systems do get attacked, sometimes industrial controls are hacked ( damaged )by staff. Sometime this is done to delay work until overtime rates apply, It is thinking out of the box and thinking in the mind set of the "opposition" that is an essential part of the design of "secure" systems.

 

[SimonH2]

In this case, consider the "economins" of hacking.
Firstly, someone has to bother getting the right wireless equipment. OK, it's trivial to obtain, but it's not what most "casual pranksters" will routinely carry.
Then they have to be in the vicinity at a time when the spreading activity is going on. Yes the radio may carry a mile or two over open ground, but if you aren't visual then all you can do is random starts and stops.
And they need to figure out what the coding is (OK, that bit is trivial) - and build something to emulate it.

And here's the crunch bit. All they can do is stop the pump when it should be running, or start it when it should be stopped.

Stopping the pump is nothing other than inconvenient - the operator will just start it again. If it happens a lot, he'll figure out that he's being pranked - combine the requirement for proximity, and the general remoteness of such operations, and there's a good chance of noticing who is responsible. Bear in mind farmers have a few tools at their disposal for dealing with pranksters - not least is a large quantity of sh... manure and a means of spreading it. Many farmers own firearms, and I've known one or two who wouldn't be averse to using them to "scare someone off".

Starting the pump when it should be stopped is also going to be a non-event most of the time. Yes the pranksters could wait behind a wall for the operator to be changing a pipe (adding a new reel) - that's just going to get someone more than a tad dirty. Very worst case, the operator has to drive back to base to shut down the pump at source - which given that he won't be more than a pipes length away will take at most a couple of minutes (during which time he can be sending pump-stop commands).
There is a very small risk of pumping a large volume of manure onto one spot - but he's putting a large quantity out into the field anyway so the likelihood of actually causing a pollution event is slim.

So several small values - small window of opportunity, requirement for proximity, small window to actually command a pump start when it'll matter, and small risk of causing serious harm if it happens.
All in all, I'd suggest the risks are no more than relying on a bored and inattentive operator to notice something is wrong and stop the pump (say if a pipe burst of became uncoupled).

 

[ban-all-sheds]

Many farmers own firearms, and I've known one or two who wouldn't be averse to using them to "scare someone off".

Well let's hope that such people lose their right to possess firearms and lose their liberty for a significant time.

All in all, I'd suggest the risks are no more than relying on a bored and inattentive operator to notice something is wrong and stop the pump (say if a pipe burst of became uncoupled).

Doesn't matter.

You do not design insecure systems. End of.

 

[JohnW2]

All in all, I'd suggest the risks are no more than relying on a bored and inattentive operator to notice something is wrong and stop the pump (say if a pipe burst of became uncoupled).

Doesn't matter. You do not design insecure systems. End of.

You seem to live in an incredibly 'black and white' world ... and seemingly also somehow sheltered from the realities of what actually goes on in the world. Exactly what is a 'totally secure system'?

Kind Regards, John

 

[stillp]

Same as a totally safe machine John, an ideal to which one can aspire.

 

[SimonH2]

You seem to live in an incredibly 'black and white' world

You say that like it's news BAS has always (well as long as I've known him in here) lived in a black and white world where he's right and anyone disagreeing with him is wrong.

There is no such thing as a 100% secure system, or 100% safe system. BAS really ought to recognise that.

But his attitude does somewhat suggest he doesn't have any experience in this particular area of enterprise. You might get the impression I do, and I can assure BAS that there are a LOT of dangerous things in farming - many of them really make the subject of this thread seem incredibly harmless.
I think it's something like, after construction, farming is one of the most dangerous occupations. Big nasty machines with unguarded bits that will pull you in, chew you up, and spit the bits out at the other end. Big heavy machines that can run over you without noticing. Work on uneven (and sometimes unstable) ground and steep slopes. Big heavy things that can fall on you. Tanks/stores of "fluids" or solids that can act like fluids that you can fall into and get drowned/crushed/just suffocated with noxious fumes.
Trip and slip hazards. Working out in all weathers - freezing spells were best fun, with all that ice about.

Of relevance to this forum, an "interesting" attitude to electrical safety *.

And then lets not get started on the four legged hazards, some of which are just plain out to get you.

Yup, looking back (especially at some of the things I've got away with over the years ), the system he's criticising as totally unsuitable is about as dangerous as letting a child play with a box of wet and already used matches - on the beach, in the rain.


* I now know why we had a long extension lead that was two-core and had a lead with crock clip coming out of the socket. Pity back then we didn't know that the idea was to use a local earth from the nearest water pipe (all galv steel) - we either didn't use it, or clipped it to the machine we were using Eventually it got cut off.

 

[bernardgreen]

Same as a totally safe machine John, an ideal to which one can aspire.

an ideal to which one can ONLY aspire in this world of idiots whose actions can make anything unsafe.

 

[SimonH2]

You can only aspire to a totally safe machine even in situation where everyone involved specifically wants to keep it safe.
You can never ever rule out mechanical failure. You can never ever rule out manufacturing defects.
You can build systems with multiple levels of redundancy.
You can operate it with highly trained and competent people - who have a vested interest in it working safely.

And it can still go tits-up (for example).


More down to earth, you could totally eliminate accidents and casualties on our roads - by doing away with the roads and all traffic. But that would have such side effects that the net effect would be significantly negative - think about the improvements in living standards that industrialisation has brought.
So transport is one system that is very much designed such that it is not totally safe or secure. What we do though is to apply restrictions/rules so that it is reasonably safe/secure - balancing the costs of making it safer vs the costs of not doing so.
Example - it is suggested that a significantly tighter driving test would be a good idea, and periodic retests. Yes, that would almost certainly improve driving standards - but it would also remove a lot of people from being able to drive with a consequent lowering of living standards. Go too far (and I suspect "too far" isn't actually very far) and the negative effects from lowering living standards outweigh the positive effects from improving driving standards.