TABS Safety days MOBAshort1 ENx - MOBA Community

Electronics - Devices

Nov 24, 2013

MOBA Mobile Automation AG • Kapellenstr. 15 • 65555 Limburg / Germany
Telefon: +49 6431 95770 • Telefax: +49 6431 9577177 • E-Mail: moba-ag@moba.de • www.moba.de

Electronic Concepts for safety-relevant Systems

Pitfalls of Electronics

Preface

Electronic control technology in connection with systems becomes more and more important for work machines and is the driving force for many innovations.

More and more subsystems have to be networked.

For this reason the work machines themselves also become more complex.

"Time to market" is getting shorter.

Nevertheless the highest safety standards are required.

Society's demands on safety rise simultaneously with the technical progress.

The cost pressure rises.

Measures

Controllability of complexity

Wiki: Complex systems are systems that refuse simplification and stay complex.

Functional safety requires: the system architecture has to prevent complexity.

This applies not only to the system structure but also to the respective development processes.

A deterministic system is an indispensable precondition.

This leads to the conclusion: no systems with adaptive or artificial intelligence can be built into safety functions.

E. Goldratt: The more complex a problem, the more simple the solution has to be.

Examples

Controllability of complexity

OSI reference model for communication

AUTOSAR

Upgrade from C to C++

The programming language of the control technology: Codesys

ISO 62262

Improving Safety with Electronics

Moose Test

On 21 October 1997 the moose test became widely known. ESP (Electronic Stability Program) has been fitted as standard. Originally, ESP had been intended for the prevention of skidding by well-directed braking intervention.

Referring to electronics, there are similar examples for working platforms: basket weighing (MRW), electronic slope monitoring of basket and upper carriage.

The Standards

Since 29-12-2009 the machine directive must be applied. The machine directive is a law that has to be fulfilled with harmonized standards.

The IEC 61508 "Functional Safety of electronic Systems" is an international standard for the development of electronic systems.

The standard EN ISO 13849 derived from the EN 954.

The EN ISO 13849 is mainly based on the known hardware-oriented structures of the EN 954.

However, the EN ISO 13849 includes the probability of failure and can be applied for electric/electronic systems.

Further related standards: ISO 26262 (vehicles), IEC 62061 (more complex systems), ISO 25119 (agricultural machines)

Definitions and terms

Risk graph according to EN 954

Figure: risk graph (risk estimation with the parameters S1/S2, A1/A2, G1/G2; risk levels I to V against safety categories 1 to 4). Legend:
N = normal category for the risk level
(N) = normal category for the risk level with additional note
+ = deviation to the higher category
- = deviation to the lower category

Risk graph according to EN 13849

Classification:

Injury

Exposure

Prevention

Parameters: MTTF, DC, CCF

Comparison PL and SIL

Safety level, MTTF and architecture

Safety level PL

MTTFd:

low

middle

high

Architecture Category B,1

Figure: I - L - O connected by interconnecting means (im).
im = connection line
I = Input / Sensor
L = Logic
O = Output unit (power switch, contactor)

The structural characteristics:

Use of established safety principles

One-channel structure

No monitoring of the sensor

No monitoring of the output unit

In category 1 established components have to be used.

Architecture Category 2

Figure: I - L - O connected by interconnecting means (im), with test equipment (TE), its output (OTE) and monitoring (m).
im = connection line
m = Monitoring
I = Input / Sensor
L = Logic
O = Output unit (power switch, contactor)
TE = Test equipment
OTE = Output of test equipment

The structural characteristics:

Requirements of category B

One-channel structure

No direct monitoring of the sensor

Monitoring of the release circuit

Possible redundant structure at the actuator side

In category 2 an error between the tests can lead to the loss of the safety functions.

Architecture Category 3

Figure: two redundant channels I - L - O connected by interconnecting means (im), with monitoring (m) and cross monitoring (c) between the channels.
im = connection line
c = Cross monitoring
m = Monitoring
I = Input / Sensor
L = Logic
O = Output unit (power unit, contactor)

The structural characteristics:

Requirements of category B

Redundant structure

Monitoring of the sensor

Monitoring of the release circuit

Possible redundant structure at the actuator side

In category 3 in case of an error the safety function is always carried out. Several errors are identified, but not all.

Architecture Category 4

Figure: two redundant channels I - L - O connected by interconnecting means (im), with monitoring (m) and cross monitoring (c) between the channels.
im = connection line
c = Cross monitoring
m = Monitoring
I = Input / Sensor
L = Logic
O = Output unit (power switch, contactor)

The structural characteristics:

Requirements of category B

Redundant structure

Monitoring of the sensor (discrepancy monitoring)

Monitoring of the release circuit

Possible redundant structure at the actuator side

In category 4 in case of an error the safety function is always carried out. The individual error has to be identified immediately when switching on the system or at the end of a machine cycle.

Comparison 3 and 4:

DC is higher

MTTF only "high"
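Two-channel evaluation with discrepancy monitoring, as the category 3 and 4 slides above describe it, as an added example in Python that is not part of the MOBA presentation. The discrepancy time and the channel readings are constructed assumptions.

```python
# Added example (not from the MOBA slides): redundant two-channel sensor
# evaluation with discrepancy monitoring. Both channels are cross-compared;
# a disagreement that lasts longer than the discrepancy time is treated as a
# detected single fault and the logic demands the safe state until reset.

DISCREPANCY_TIME_MS = 100   # assumed: how long the channels may disagree (contact bounce)


class TwoChannelMonitor:
    """Category 3/4 style logic for one safety input read on two channels."""

    def __init__(self, discrepancy_ms: float = DISCREPANCY_TIME_MS):
        self.discrepancy_ms = discrepancy_ms
        self.mismatch_since = None   # timestamp at which the channels started to differ
        self.fault = False           # latched fault: needs an explicit reset after repair

    def evaluate(self, ch1: bool, ch2: bool, t_ms: float) -> bool:
        """Return the release signal: True only if both channels agree on 'safe'
        and no fault is latched. A persistent mismatch latches a fault."""
        if self.fault:
            return False
        if ch1 != ch2:
            if self.mismatch_since is None:
                self.mismatch_since = t_ms
            elif t_ms - self.mismatch_since > self.discrepancy_ms:
                self.fault = True    # single fault detected: go to the safe state
            return False             # never release while the channels disagree
        self.mismatch_since = None
        return ch1 and ch2

    def reset(self, ch1: bool, ch2: bool) -> bool:
        """Accept a fault reset only while both channels currently agree."""
        if ch1 == ch2:
            self.fault = False
            self.mismatch_since = None
        return not self.fault
```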

Summary: Stepwise to the Performance Level

Identify safety functions

Risk evaluation corresponding with ISO 14121

Define required Performance Levels PL

Choose system structure

Choose reliable components with MTTF

Evaluate the monitoring of the components (DC)

Evaluate the control's robustness (CCF)

Verify and validate PL

CANopen Safety

CiA Draft Standard 304

CANopen

Protocols for safety-relevant products

Non-safety-relevant products can be included

Safety functions are processed via special communication objects: SRDO (safety-relevant data objects)

SRDO Structure

A SRDO consists of 2 CAN telegrams. The data of both CAN telegrams is redundant. However, the second CAN telegram's data is inverted bitwise.

The SRDO's two CAN telegrams have to follow a certain order. First the real data, then the inverted data is transmitted.

The receiver (receiving terminal) checks the SRDO's validity. The temporal and logical sequence of a SRDO's CAN telegrams is compared to an expected value. Afterwards the user data is verified. In case errors are identified the system changes to the safe state of the allocated actuators. Depending on the application, the safe state has to be defined by the product manufacturer and/or the user.

CAN Identifier SRDO

A SRDO consists of two CAN telegrams. The following rules apply for the generation of a SRDO:

The CAN identifiers of the two CAN telegrams differ in at least two bit locations. This is achieved by allocating the first message to an even ID and the second message to an odd ID.

ID Assignment SRDO

SRDO     ID Message 1   ID Message 2
SRDO1    101h           102h
SRDO2    103h           104h
SRDO3    105h           106h
...
SRDO64   17Fh           180h

There are 64 safety-related data objects (SRDO).

SCT and SRVT

A SRDO is transmitted periodically; the interval between two SRDOs is determined by the SCT (Safeguard Cycle Time).

The interval between a SRDO's CAN telegrams must not exceed the SRVT (Safety-Related Validation Time).

Global Failsafe Command - GFC

To improve the response time in safety-related systems the "Global Failsafe Command" (GFC) has been defined. It consists of two high-priority CAN telegrams (CAN identifiers 1 and 2). Even when only one of the two CAN telegrams is received, the GFC is operative. The GFC does not contain any data and therefore can be sent by any participant. The initiating participant, however, later has to deliver the reason for initiating via SRDO.

Example: CANopen with CANopen Safety

Summary CANopen Safety:

Always 2 messages are sent.

The 2nd message includes the inverted data of the 1st one.

The messages are sent cyclically.

There is a time SCT, ensuring that the package consisting of message 1 and 2 arrives in time.

The time SRVT controls the time delay between message 1 and 2.
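The receiver-side checks from the SRDO structure, identifier, SCT/SRVT, GFC and summary slides above, as an added example in Python that is not part of the MOBA presentation. It derives each SRDO's identifier pair from the slide table (101h/102h up to 17Fh/180h), checks the two-bit rule by Hamming distance rather than by even/odd, and treats the SCT and SRVT values and all frames as constructed assumptions.

```python
# Added example (not from the MOBA slides): receiver-side validation of a
# CANopen Safety SRDO pair and of the Global Failsafe Command (GFC).
# COB-IDs follow the slide table; SCT/SRVT values and all frames are constructed.
from dataclasses import dataclass

SCT_MS = 50            # assumed Safeguard Cycle Time: max interval between two SRDOs
SRVT_MS = 20           # assumed Safety-Related Validation Time: max gap inside a pair
GFC_IDS = {0x1, 0x2}   # the two high-priority GFC telegrams named on the slides


@dataclass
class CanFrame:
    cob_id: int
    data: bytes
    t_ms: float        # receive timestamp in milliseconds


def srdo_ids(n: int) -> tuple:
    """Identifier pair of SRDOn as in the slide table: SRDO1 = 101h/102h ... SRDO64 = 17Fh/180h."""
    if not 1 <= n <= 64:
        raise ValueError("only 64 SRDOs exist")
    first = 0x101 + 2 * (n - 1)
    return first, first + 1


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two identifiers differ."""
    return bin(a ^ b).count("1")


def check_srdo(n: int, f1: CanFrame, f2: CanFrame, last_ok_ms=None) -> str:
    """Return 'ok', or the reason the receiver must drive its actuators to the safe state."""
    id1, id2 = srdo_ids(n)
    if hamming(id1, id2) < 2:                  # rule: IDs differ in at least two bits
        return "id-pair-too-close"
    if (f1.cob_id, f2.cob_id) != (id1, id2):   # logical sequence: real data first
        return "wrong-ids"
    if f2.t_ms < f1.t_ms:                      # temporal sequence
        return "wrong-order"
    if f2.t_ms - f1.t_ms > SRVT_MS:            # gap inside the pair too large
        return "srvt-exceeded"
    if last_ok_ms is not None and f1.t_ms - last_ok_ms > SCT_MS:
        return "sct-exceeded"                  # cyclic transmission arrived too late
    if len(f1.data) != len(f2.data) or bytes(b ^ 0xFF for b in f1.data) != f2.data:
        return "data-mismatch"                 # second telegram must be the bitwise inverse
    return "ok"


def is_gfc(frame: CanFrame) -> bool:
    """Either GFC telegram alone (no data) makes the failsafe command operative."""
    return frame.cob_id in GFC_IDS and len(frame.data) == 0
```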

Process controller concept

Figure: process computer 1 / function controller 1 / monitoring 1 and process computer 2 / function controller 2 / monitoring 2, connected via CAN; single channel versus two channels.

System overview

Safety control

All safety-relevant sensors are redundant.

There are inclination sensors for the basket and the platform.

Hydraulic sensor for load limitation (overload).

Switch for safety shutdown

Emergency concept

Load-reducing

Load-increasing

Force-guided contacts

FUNCTION_BLOCK MOSAFE_MobaSafety

    FUNCTION_BLOCK MOSAFE_MobaSafety
    VAR_INPUT
        I_DigitalOutputMain : ARRAY [1..14] OF DIGOUT_SAFETY; (* Array of values for the digital outputs *)
        I_DigitalOutputSub : ARRAY [1..14] OF DIGOUT_SAFETY; (* Array of values for the digital outputs *)
        I_PWMOutputMain : ARRAY [1..20] OF PWMOUT_SAFETY;
        I_PWMOutputSub : ARRAY [1..20] OF PWMOUT_SAFETY;
        I_CurrentControlMain : BOOL; (* TRUE: current control on / FALSE: current control off *)
        I_CurrentControlSub : BOOL; (* TRUE: current control on / FALSE: current control off *)
        I_udiTurnSensor : UDINT; (* Value of the turn sensor *)
        I_xEmergencyStopCAN_HMI_Cage : BOOL; (* Emergency button of the cage module *)
        I_xEmergencyStopCAN_HMI_Platform : BOOL; (* Emergency button of the platform module *)
        I_byPlatformMode : BYTE; (* Platform mode (bit-coded) - 1: standard operation; 2: relocation travel; 4: tunnel travel; 8: setup mode; 16: emergency mode *)
        I_xResetOperationTime : BOOL; (* Reset the internal operation time counter *)
        I_xSetTaraCageLoad : BOOL; (* Set tare of the cage load *)
        I_xResetErrorCode : BOOL; (* Reset the current error code *)
        I_xDeactivateSecureFunc : BOOL;
    END_VAR

The function block MOSAFE_MobaSafety must be called every 100 ms. If this does not happen, the system goes into the safe state.

Central function that monitors everything.

FUNCTION_BLOCK MSC_Safety

Figure: main controller application and I/O module, connected via CAN1 and CAN2.

Internal functions I

Telescopic arm retracted

Inductive proximity switch

Internal functions II

TRUE or FALSE

Control Safety Support

Support unit able to bear load?

Software development according to EN ISO 13849

Figure (V-model): constructive activities: safety-related software specification, system design, module design, coding; verifying activities: module test, integration tests, validation; specification of the safety functions; verification; result: validated software.

Change management

End of presentation