HYDAC Centralita AEM 04 2016

The document discusses functional safety for electronic control systems. It begins with an agenda that covers functional safety standards, designing machines, system and software design. It then discusses how technological progress has increased complexity in machines, requiring more components, self-diagnostics and functional safety. Standards for functional safety are compared, including ISO 26262 for road vehicles and IEC 61508 for general industry. Steps for designing safe machines include performing a safety analysis. Performance Levels and Safety Integrity Levels are compared between standards EN 13849 and IEC 62061. Choosing the right standard depends on the application.

Functional Safety for Electronic Control

HYDAC ELECTRONIC

April 20, 2016

Speaker: Eric Ringholm, Division Manager, HYDAC ELECTRONIC

Product Safety & Compliance Seminar
April 19 - 20, 2016 Rosemont, IL
Component range for modern machines
[Figure: component range of a modern machine, hardware components and software]

Product Range
[Figure: HYDAC ELECTRONIC product range]

Agenda

• Functional safety, why?
• Relevant standards
• First steps to designing a machine
• System design
• Example system design
• Software design

Technological Progress
[Figure: electronic/hydraulic circuit diagram of a typical mechatronic system, with the software as an additional layer]

Resulting requirements with regards to the components

Complexity of a combine harvester (source: H. Hieronymus, CLAAS SE GmbH, VDI-Tagung 2012):
• Up to 25 controllers per vehicle
• 8 CAN buses and 1 LIN bus (max. 5 per vehicle)
• > 80 electrical and electronic major functions
• > 1000 sub-functions
• > 3000 m of electrical wiring
• > 350 plug connections
• 4 CAN buses using different protocols

Controllers, the innovative force: the software content of a Wirtgen new-generation large-size stone mill (source: H. Einig, Wirtgen GmbH, VDI-Tagung 2012):

Application software (without firmware):
• More than 65,000 lines of software code
• More than 200 components, modules and functions
• More than 600 global variables
• More than 4000 local variables
• Approx. 3 years of engineering time

Visualisation software (without CAN server and kernel):
• More than 85,000 lines of software code
• More than 380 classes with 3400 characteristics
• More than 600 local variables
• More than 126 XML lines of configuration data
• Approx. 1000 status and error messages
• Approx. 1500 graphics
• Approx. 3 years of engineering time

Machines with an increasing number of functions and with a complex system design (networking inside the vehicle, networking of the entire process, networking of the vehicle fleet, development and automation of particular functions) require:
• More components with increased functional safety
• More components with self-diagnostic functions


• Functional Safety
• Diagnosis

Safety standards, comparable across all industry sectors

DO-178B / DO-254 (avionics), ISO 26262 (road vehicles), ISO 25119 (agricultural and forestry machinery), EN ISO 13849 (machinery), IEC 61508 (generic electrical/electronic/programmable electronic safety-related systems)

The system requirements are highly diverse: depending on the sector they range from mainly fail-safe behaviour (the machine is brought into a safe state when a fault occurs) to fail-operational behaviour (the function must continue after a fault).

Legal provisions, situation of the standards

CE mark: self-declaration by the manufacturer that all relevant EU regulations are met.
Legal basis: Machinery Directive 2006/42/EC; Use of Work Equipment Directive 89/655/EEC.
Required: risk analysis and risk evaluation; standard-compliant product design; technical documentation and operating manual.
Relevant standards:
• Type A standards (basic safety standards), e.g. EN ISO 12100: methodology, superordinate
• Type B standards (group safety standards), e.g. EN ISO 13849: safety of machines
• Type C standards (product safety standards), e.g. DIN EN 16228: drilling equipment

Legal provisions, situation of the standards: Machinery Directive and product safety

A standards: basic safety standards
B standards: group safety standards
C standards: product safety standards, for example:
• DIN EN 12999: loader cranes
• EN 13000: mobile cranes
• EN 474: earth-moving machines
• EN 4254: agricultural machines
• EN 15000: material handling
• EN 16228 (in preparation): drilling machines

Extract from the relevant standards

• ISO 25119:2010, Tractors and machinery for agriculture and forestry: safety-related parts of control systems
• ISO 15998:2008, Earth-moving machinery: machine-control systems (MCS) using electronic components
• ISO 13849-1:2006, Functional safety: safety-related parts of a control system

First steps to designing a machine
DIN EN ISO 12100: safety analysis
[Figure: risk assessment and risk reduction process according to EN ISO 12100]

Comparison between SIL and PL

SIL (Safety Integrity Level, EN 62061 / IEC 61508) and PL (Performance Level, EN ISO 13849-1) are both defined by the average probability of a dangerous failure per hour (PFHd); the higher the level, the lower the PFHd:

PFHd (1/h)                      PL    SIL
10^-5 <= PFHd < 10^-4           a     -
3 x 10^-6 <= PFHd < 10^-5       b     1
10^-6 <= PFHd < 3 x 10^-6       c     1
10^-7 <= PFHd < 10^-6           d     2
10^-8 <= PFHd < 10^-7           e     3

The right choice: SIL or PL?

Comparison of EN ISO 13849 with IEC 62061: SIL or PL?
[Figure: comparison table of the two standards]

DIN EN ISO 13849 design process
- Safety-related parts of control systems (SRP/CS)
- For each relevant safety function:

(1) Identify the safety functions
(2) Specify the properties of each safety function
(3) Define the required performance level (PLr / AgPLr / SILr)
(4) Realise the safety function, identify the SRP/CS
(5) Calculate the achieved PL (software: exclude systematic failures)
(6) Verification
(7) Validation

Hazard & Risk Analysis

Participants in a risk analysis: generally a representative group of persons who are familiar with the machine throughout its whole life cycle.

• Marketing / product management
• Design engineers
• Test engineers
• Production / commissioning
• Service / maintenance
• Machine operator / driver

Hazard & Risk Analysis
List of machine functions
[Figure: example list of machine functions]

Hazard & Risk Analysis
Definition of malfunctions

Example: proportional machine control function

• Unintended start
• Unintended stop
• Moving in the wrong direction
• Unintended reverse movement
• Unintended fast movement
• Unintended slow movement
• Unintended acceleration
• Unintended deceleration

Hazard & Risk Analysis
Determination of the required performance level for each specific safety function

Risk analysis based on EN ISO 13849-1
[Figure: for each machine function, the hazard and risk (H&R) analysis assesses
S: severity of injury,
F: frequency and/or duration of exposure to the danger,
P: probability of avoiding the danger]

Hazard & Risk Analysis
Determination of the required performance level for each specific safety function

Risk graph: required risk reduction and Performance Level

Severity of injury:
S1 slight (usually reversible injury)
S2 serious (usually irreversible injury, which may include death)

Frequency and/or duration of exposure to the danger:
F1 rare to infrequent and/or the time of exposure to the danger is short
F2 frequent to continuous and/or the time of exposure to the danger is long

Probability of avoiding the danger:
P1 possible under certain conditions
P2 rarely possible

[Figure: risk graph; the path S, F, P leads to the required performance level PLr a to e]

Hazard & Risk Analysis
Safety function

Each function of a machine whose malfunction can lead directly to an increase of the risk is defined as a safety function. A safety function is thus a function that reduces a risk to an acceptable level by adequate (e.g. control) design measures.

Examples of safety functions:
• Safe standstill (no operation): avoiding an unintended start
• Safe moving direction: avoiding movement in the wrong direction
• Safe lift function: avoiding exceeding a load limit (LMI, load moment indicator)
• Safe acceleration: avoiding exceeding an acceleration limit
• Safe stop in case of emergency: reaching a defined safe state in case of a failure
System Design
Safety-related part of a control system (SRP/CS)
[Figure: one channel of an SRP/CS, input, logic and output]

System Design
PL column chart according to EN ISO 13849-1

Illustrates the relations between PL, MTTFd, category and DC.
[Figure: PL column chart]

Example 1: Performance Level "PL d" is required for a machine function.
[Figure: PL column chart with the PL d columns highlighted]

System Design
The achieved safety level results from the balanced combination of three characteristics:

• Architecture
• Reliability of the used components
• Recognition of the safety-relevant failures


• Category (architecture / design)

Overview of the Control Architectures (Categories)
[Figure: costs versus achievable safety level, from a design for a "normal safety level" to a design with an "increased safety level"]


• Reliability of the applied components


• MTTFd: mean time to dangerous failure, the statistically expected value of the average time to a dangerous failure.

Note: MTTFd is an indicator of the quality of a component.

Characteristics

MTTF (mean time to failure)
Meaning: average period until a failure occurs.
Scope: valid for units which are not intended to be repaired.

MTBF (mean time between failures)
Meaning: average period between failures.
Scope: valid for units which are intended to be repaired.

MTTFd (mean time to dangerous failure)
Meaning: average period until a dangerous failure occurs.
Scope: valid for units (components, systems) used in safety-critical systems.

B10
Meaning: statistically expected number of cycles after which 10% of the components have exceeded the defined limits (switch delay, leakage, switching pressure, etc.) under the defined conditions.

B10d
Meaning: expected number of cycles after which 10% of the components have suffered a dangerous failure.
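The definitions above are what the PL calculation actually consumes: a wear part (valve, switch) is characterised by its B10d and the number of operations per year, an electronic part by its MTTFd, and the channel value is derived from all of them. The following C program is an added example written for this page, not HYDAC's code or SISTEMA's; it implements the formulas of ISO 13849-1:2006 Annex C (B10d to MTTFd), Annex D (parts count), Annex E (average DC) and the class limits of Tables 5 and 6. The duty cycle, the B10d value, the controller MTTFd and the DC values in main() are assumed for the demonstration; only the 190-year figure of the HDA 8000 comes from this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Operations per year (ISO 13849-1 Annex C): d_op days/year, h_op hours/day, t_cycle seconds per cycle */
double n_op_per_year(double d_op, double h_op, double t_cycle_s)
{
    return d_op * h_op * 3600.0 / t_cycle_s;
}

/* MTTFd in years of an electromechanical/hydraulic part from its B10d (Annex C): B10d / (0.1 * n_op) */
double mttfd_from_b10d(double b10d_cycles, double n_op)
{
    return b10d_cycles / (0.1 * n_op);
}

/* MTTFd of one channel from the MTTFd of its parts (parts count method, Annex D): 1/MTTFd = sum(1/MTTFd_i) */
double mttfd_channel(const double *mttfd_years, size_t n)
{
    double inv = 0.0;
    size_t i;
    for (i = 0; i < n; i++) inv += 1.0 / mttfd_years[i];
    return 1.0 / inv;
}

/* Average diagnostic coverage of a channel (Annex E): each part's DC weighted by its failure rate 1/MTTFd_i */
double dc_avg(const double *dc, const double *mttfd_years, size_t n)
{
    double num = 0.0, den = 0.0;
    size_t i;
    for (i = 0; i < n; i++) {
        num += dc[i] / mttfd_years[i];
        den += 1.0 / mttfd_years[i];
    }
    return num / den;
}

/* Table 5: MTTFd classes per channel. ISO 13849-1:2006 caps the value used for the PL at 100 years. */
typedef enum { MTTFD_NOT_ALLOWED, MTTFD_LOW, MTTFD_MEDIUM, MTTFD_HIGH } mttfd_class_t;
mttfd_class_t mttfd_class(double years)
{
    if (years < 3.0)  return MTTFD_NOT_ALLOWED;
    if (years < 10.0) return MTTFD_LOW;
    if (years < 30.0) return MTTFD_MEDIUM;
    return MTTFD_HIGH;
}
double mttfd_capped(double years) { return years > 100.0 ? 100.0 : years; }

/* Table 6: DC classes; DC given as a fraction (0.87 = 87 %) */
typedef enum { DC_NONE, DC_LOW, DC_MEDIUM, DC_HIGH } dc_class_t;
dc_class_t dc_class(double dc)
{
    if (dc < 0.60) return DC_NONE;
    if (dc < 0.90) return DC_LOW;
    if (dc < 0.99) return DC_MEDIUM;
    return DC_HIGH;
}

int main(void)
{
    /* Assumed duty: 240 days/year, 16 h/day, one valve cycle every 60 s; assumed B10d of 2,000,000 cycles */
    double n_op  = n_op_per_year(240, 16, 60);
    double valve = mttfd_from_b10d(2.0e6, n_op);
    /* Channel: HDA 8000 sensor (190 years, from this page), an assumed controller (100 years), the valve */
    double parts[3] = { 190.0, 100.0, valve };
    double dc[3]    = { 0.87, 0.90, 0.60 };   /* assumed DC per part */
    double ch = mttfd_channel(parts, 3);
    double d  = dc_avg(dc, parts, 3);

    printf("n_op = %.0f cycles/year, valve MTTFd = %.1f years\n", n_op, valve);
    printf("channel MTTFd = %.1f years (class %d, capped %.0f), DCavg = %.1f %% (class %d)\n",
           ch, (int)mttfd_class(ch), mttfd_capped(ch), 100.0 * d, (int)dc_class(d));
    return 0;
}
```

The point the numbers make: a valve with a six-figure B10d still ends up as the weakest link once the operations per year are realistic, and a channel built from "high" parts can drop a class after the parts are combined. The 100-year cap is the 2006 edition's rule; the 2015 edition relaxes it for category 4, so check which edition the certificate refers to.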
Sensors with increased safety and/or diagnostic functions
Example: HYDAC pressure transmitter
[Figure: transmitter variants for Category B/1, Category 2 and Category 3 architectures]

Sensors for pressure, position and distance

• Pressure transducer HDA 8000: Category 2, MTTFd high (190 years), DC low (87%), safety level PL d, SIL 2
• Pressure transducer HDA 4000: Category 3, MTTFd high (976 years), DC low (84%), safety level PL d
• Position switch HLS 100: Category 2, MTTFd high (419 years), DC low (88%), safety level PL d, SIL 2
• Linear position sensor HLT 1000: Category 2, MTTFd high (83 years), DC low (91%), safety level PL d, SIL 2
• Valve position switch HLS 200: Category 2, MTTFd high (110 years), DC medium (91%), safety level PL d

Products with increased safety and/or diagnostic functions
Example: controller (ECU), Cat 2 architecture, PL d

[Figure: block diagram of the controller]
• Two CPUs monitor one another (main CPU and monitoring CPU)
• Redundant switch-off of the outputs to activate the "safe state"
• Diagnostic supply
• Actuator for safety-critical applications, driven by PWM with current feedback
• Sensor input with diagnosis of the safety-relevant inputs
• Release path, FET monitoring, watchdog
• Monitoring of the PWM outputs
• Periodic tests of RAM, Flash, CPU registers and stack storage
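The block diagram above lists what the controller's diagnostics have to do on every cycle: check the program memory, the RAM, the stack and the watchdog, and only keep the release output active while all of these pass. The following C program is an added example for this page, not HYDAC's firmware: it models a Flash checksum test (CRC-32 over a constructed image), a 0x55/0xAA pattern test over a RAM region, a stack guard check and a time-based watchdog, and combines their results into the release decision. The flash image, the RAM region, the timeout value and the fault-injection helper are all constructed for the demonstration; the CPU register test and the second monitoring CPU are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fault bits reported by one diagnostic cycle; any set bit drops the release output */
enum {
    FAULT_FLASH    = 1u << 0,   /* program memory checksum mismatch */
    FAULT_RAM      = 1u << 1,   /* a RAM cell does not hold the test pattern */
    FAULT_STACK    = 1u << 2,   /* stack guard pattern overwritten */
    FAULT_WATCHDOG = 1u << 3    /* main loop did not refresh the watchdog in time */
};

/* CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320) over a memory range */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    size_t i;
    int bit;
    for (i = 0; i < len; i++) {
        crc ^= data[i];
        for (bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ ((crc & 1u) ? 0xEDB88320u : 0u);
    }
    return ~crc;
}

/* Constructed stand-in for the application image in Flash. On a real ECU the reference
 * checksum is stored alongside the image at build time; here it is computed once at init. */
static const uint8_t flash_image[] = "constructed application image for the self-test demo";
static uint32_t flash_reference_crc;

/* Non-destructive RAM test: every byte must hold 0x55 and 0xAA; the original content is restored */
int ram_test(volatile uint8_t *mem, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        uint8_t saved = mem[i];
        mem[i] = 0x55u;
        if (mem[i] != 0x55u) { mem[i] = saved; return 0; }
        mem[i] = 0xAAu;
        if (mem[i] != 0xAAu) { mem[i] = saved; return 0; }
        mem[i] = saved;
    }
    return 1;
}

/* Stack guard: a known pattern at the stack limit; a stack overflow overwrites it first */
#define STACK_GUARD_WORDS   4
#define STACK_GUARD_PATTERN 0xDEADBEEFu
static uint32_t stack_guard[STACK_GUARD_WORDS];

int stack_guard_intact(void)
{
    int i;
    for (i = 0; i < STACK_GUARD_WORDS; i++)
        if (stack_guard[i] != STACK_GUARD_PATTERN) return 0;
    return 1;
}

/* Watchdog model: the main loop must refresh it at least every `timeout` ticks (assumed: 10) */
typedef struct { uint32_t last_refresh; uint32_t timeout; } watchdog_t;
static watchdog_t main_wd = { 0, 10 };
static uint8_t work_ram[64];        /* constructed RAM region under test */
static int diagnostics_ready;

void diagnostics_init(void)
{
    int i;
    flash_reference_crc = crc32(flash_image, sizeof flash_image);
    for (i = 0; i < STACK_GUARD_WORDS; i++) stack_guard[i] = STACK_GUARD_PATTERN;
    main_wd.last_refresh = 0;
    diagnostics_ready = 1;
}

/* One diagnostic cycle at tick `now`. `main_loop_alive` models the main loop refreshing the
 * watchdog before the check. Returns the fault mask; 0 means every test passed. A tick counter
 * wrap makes the unsigned difference huge, which is treated as a watchdog fault as well. */
uint32_t ecu_cycle(uint32_t now, int main_loop_alive)
{
    uint32_t faults = 0;
    if (!diagnostics_ready) diagnostics_init();
    if (main_loop_alive) main_wd.last_refresh = now;

    if (crc32(flash_image, sizeof flash_image) != flash_reference_crc) faults |= FAULT_FLASH;
    if (!ram_test(work_ram, sizeof work_ram))                            faults |= FAULT_RAM;
    if (!stack_guard_intact())                                           faults |= FAULT_STACK;
    if (now - main_wd.last_refresh > main_wd.timeout)                    faults |= FAULT_WATCHDOG;
    return faults;
}

/* Release output for the actuator's switch-off path: on only while no fault is present */
int release_output(uint32_t faults) { return faults == 0; }

/* Fault injection for the demo: simulates a stack overflow by clobbering the guard words */
int inject_stack_overflow(void)
{
    int i;
    for (i = 0; i < STACK_GUARD_WORDS; i++) stack_guard[i] = 0;
    return STACK_GUARD_WORDS;
}

int main(void)
{
    printf("t=0  faults=0x%x release=%d\n", ecu_cycle(0, 1), release_output(ecu_cycle(0, 1)));
    printf("t=20 main loop hung: faults=0x%x\n", ecu_cycle(20, 0));
    inject_stack_overflow();
    printf("t=25 after stack overflow: faults=0x%x\n", ecu_cycle(25, 1));
    return 0;
}
```

The design point is that every test contributes to one fault word and the release output is derived from that word, not from each test separately; a test that is accidentally skipped therefore cannot silently leave the output enabled. On real hardware the watchdog would be an external or windowed device that the monitoring CPU can also trip, and the release would cut the second, redundant switch-off path shown in the diagram.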
Challenges for complex electronic systems

• Multi-controller systems
• Machine functions distributed over a number of controllers

Controller and I/O modules
Example: HYDAC controllers and I/O modules
• Standard and with increased functional safety level
• Certified units: IEC 61508 SIL 2 and SIL 3; ISO 13849 PL d

Safety certified controllers:
• HY-TTC 30SH: 14 inputs, 14 outputs; EN ISO 13849
• HY-TTC 77: 39 inputs, 26 outputs; EN ISO 13849
• HY-TTC 90, HY-TTC 94: 28 inputs, 20 outputs; IEC 61508 & EN ISO 13849
• HY-TTC 200: 33 inputs, 36 outputs; IEC 61508
• HY-TTC 500 family: HY-TTC 580 with 36 inputs, 60 outputs; HY-TTC 540 with 52 inputs, 44 outputs; IEC 61508 & EN ISO 13849

General purpose controllers:
• HY-TTC 30H: 14 inputs, 16 outputs
• HY-TTC 50 family: HY-TTC 50 with 20 inputs, 20 outputs; HY-TTC 60 with 28 inputs, 20 outputs

Safe I/O modules:
• HY-TTC 30XSH: 14 inputs, 14 outputs; EN ISO 13849
• HY-TTC 30XSI: 26 inputs, 4 outputs; EN ISO 13849
• HY-TTC 48XS: 28 inputs, 20 outputs; EN ISO 13849

I/O slave modules:
• HY-TTC 30X family: HY-TTC 30XH with 14 inputs, 16 outputs; HY-TTC 30XO with 16 inputs, 14 outputs; HY-TTC 30XI with 26 inputs, 4 outputs
• HY-TTC 36X: 26 inputs, 16 outputs
• HY-TTC 48X: 28 inputs, 20 outputs

Challenges for complex electronic systems
HMI (Human-Machine Interface)
Example: combination of a display with manual buttons and switches

• Joystick with function keys
• Hardware switches and buttons for safety-relevant operating functions
• 10.4'' touch display for machine configuration, monitoring of the functions, failure display and diagnosis, and convenience functions
• Hydraulic main switch


• System design: example

System design

Example: required PLr c
[Figure: signal chain of sensor, controller and valve, each with PL c]

System design
The "simple" way to the system

Example 1: pressure sensor PL = c, controller PL = c, valve PL = c
PL low = c, N low = 3, resulting PL = b

System design
The "simple" way to the system

Example 2: pressure sensor PL = d, controller PL = c, valve PL = c
PL low = c, N low = 2, resulting PL = c
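The "simple" way shown in the two examples is Table 11 of ISO 13849-1: find the lowest PL in the chain (PL low), count how many subsystems have it (N low), and read off the resulting PL; the result is then compared with the PLr from the risk graph, and the PFHd ranges of the SIL/PL comparison table give the same levels numerically. The following C program is an added example written for this page, not HYDAC's code or SISTEMA's; it carries the three steps through in one place using the thresholds of ISO 13849-1:2006 Table 4, Table 11 and Annex A. The S/F/P inputs in main() are assumed for the demonstration, the two subsystem chains are the page's Example 1 and Example 2.

```c
#include <stdio.h>

/* Performance levels as ordered integers: PL_NONE = no PL reached, PL_A..PL_E = PL a..e */
typedef enum { PL_NONE = 0, PL_A, PL_B, PL_C, PL_D, PL_E } pl_t;

static const char *pl_name(pl_t pl)
{
    static const char *const names[] = { "none", "a", "b", "c", "d", "e" };
    return names[pl];
}

/* ISO 13849-1 Table 4: PL from the average probability of a dangerous failure per hour */
pl_t pl_from_pfhd(double pfhd)
{
    if (pfhd >= 1e-4) return PL_NONE;  /* worse than PL a */
    if (pfhd >= 1e-5) return PL_A;
    if (pfhd >= 3e-6) return PL_B;
    if (pfhd >= 1e-6) return PL_C;
    if (pfhd >= 1e-7) return PL_D;
    return PL_E;                       /* 1e-8 <= PFHd < 1e-7; ISO 13849-1 defines nothing below PL e */
}

/* SIL equivalent of a PL as in the comparison chart: b, c -> SIL 1, d -> SIL 2, e -> SIL 3 */
int sil_from_pl(pl_t pl)
{
    switch (pl) {
    case PL_B: case PL_C: return 1;
    case PL_D:            return 2;
    case PL_E:            return 3;
    default:              return 0;   /* PL a has no SIL equivalent */
    }
}

/* Risk graph (ISO 13849-1 Annex A): severity S1/S2, frequency F1/F2, avoidance P1/P2 -> PLr */
pl_t plr_from_risk_graph(int s, int f, int p)
{
    static const pl_t graph[8] = {
        PL_A, PL_B, PL_B, PL_C,   /* S1: F1P1, F1P2, F2P1, F2P2 */
        PL_C, PL_D, PL_D, PL_E    /* S2: F1P1, F1P2, F2P1, F2P2 */
    };
    if (s < 1 || s > 2 || f < 1 || f > 2 || p < 1 || p > 2) return PL_NONE;
    return graph[(s - 1) * 4 + (f - 1) * 2 + (p - 1)];
}

/* ISO 13849-1 Table 11: resulting PL of n SRP/CS in series (sensor -> logic -> actuator).
 * PL low is the lowest PL in the chain, N low the number of subsystems that have it. */
pl_t pl_series(const pl_t *pls, int n)
{
    pl_t low;
    int i, n_low = 0;
    if (n <= 0) return PL_NONE;
    low = pls[0];
    for (i = 1; i < n; i++) if (pls[i] < low) low = pls[i];
    for (i = 0; i < n; i++) if (pls[i] == low) n_low++;
    switch (low) {
    case PL_A: return n_low > 3 ? PL_NONE : PL_A;
    case PL_B: return n_low > 2 ? PL_A : PL_B;
    case PL_C: return n_low > 2 ? PL_B : PL_C;
    case PL_D: return n_low > 3 ? PL_C : PL_D;
    case PL_E: return n_low > 3 ? PL_D : PL_E;
    default:   return PL_NONE;   /* a subsystem without any PL breaks the chain */
    }
}

/* Verification step of the design process: the achieved PL must reach the required PLr */
int pl_satisfies(pl_t achieved, pl_t required)
{
    return required != PL_NONE && achieved >= required;
}

int main(void)
{
    pl_t plr = plr_from_risk_graph(2, 1, 1);   /* assumed S2, F1, P1 -> PLr c */
    pl_t ex1[3] = { PL_C, PL_C, PL_C };        /* Example 1 on this page */
    pl_t ex2[3] = { PL_D, PL_C, PL_C };        /* Example 2 on this page */
    pl_t pl1 = pl_series(ex1, 3), pl2 = pl_series(ex2, 3);

    printf("PLr = %s (SIL %d)\n", pl_name(plr), sil_from_pl(plr));
    printf("Example 1: PL %s, %s\n", pl_name(pl1), pl_satisfies(pl1, plr) ? "OK" : "not sufficient");
    printf("Example 2: PL %s, %s\n", pl_name(pl2), pl_satisfies(pl2, plr) ? "OK" : "not sufficient");
    printf("PFHd 2e-6/h corresponds to PL %s\n", pl_name(pl_from_pfhd(2e-6)));
    return 0;
}
```

The table method is deliberately conservative: three PL c subsystems in series do not reach PL c, which is exactly the Example 1 result, and it is why upgrading only the sensor to PL d in Example 2 is enough. When the PFHd of every subsystem is known, the alternative is to add the PFHd values and map the sum with pl_from_pfhd(); that route can give a better result than the table, and SISTEMA does that arithmetic for you.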

Example: system design for a function with an increased safety level
[Figure: Category 2 design]

System design
Verification is done manually by the design engineer or with the help of software tools, e.g. the software assistant SISTEMA.

Software assistant SISTEMA (Sicherheit von Steuerungen an Maschinen, "Safety of Controls in Machines"): supports the evaluation of control safety based on DIN EN ISO 13849-1.

System design
Software assistant SISTEMA
[Screenshot: SISTEMA project view]

Software design
Some requirements for the design of "safe" software

• Modular and structured design and coding
• Observance of the safety-related provisions of the electronic controls manufacturer (safety manual)
• Structured specification with safety requirements; the specification has to be checked by a second person (safety functions incl. PL, reaction times, hardware interfaces, recognition and control of external failures)
• Review of the software code by a second person

Software design
Designing "safe" software according to the V-model
[Figure: V-model]

Software design
Designing "safe" software with the design tool MATCH
[Screenshot: MATCH]

Products with increased functional safety
Sensors, controllers, software

Sensors: HDA 4700, HDA 8700, HAT 1000, HLT 1000, HIT 1000, HLS 100, HLS 200
Controllers: HY-TTC 30S-H, HY-TTC 90, HY-TTC 94, HY-TTC 200, HY-TTC 540, HY-TTC 580
IO modules: HY-TTC 30XS-H, HY-TTC 30XS-I, HY-TTC 48XS

[Table: for each of the 16 products, the functional safety level (PL d for most, PL c for the rest), the category (one product in category 3, all others in category 2), SIL 2 where applicable, and whether the product is diagnosable]

Thank you for your attention!
Please discuss your applications with us.

Electronic Division: Functional Safety and Diagnostics - Sensors, Controllers, Displays, Systems...

"Successful selling by understanding the applications"

INNOVATION, MULTIPLICATION and LOCAL COMPETENCE

Please discuss your opportunities with us!
