ISH

Inka Krischke

FuSi from the modular system

The development effort for functional safety is hardly affordable from an economic point of view, especially for small and medium-sized companies. A certified safety construction kit can provide a remedy here.


Products are becoming increasingly 'intelligent' and 'convenient' - the automatic robot mower instead of the manually operated lawnmower is an example of this. Manufacturers of such systems are faced with the legal challenge of minimizing the risks associated with their use. This is where the Machinery Directive in general and 'functional safety' in particular come into play. The EU Machinery Directive - MRL for short - contains the basics of safety and protection requirements. The aim is clear: to minimize the number of accidents when handling devices and machines. Therefore, the aspect of safety must already be incorporated into the design of a system - which applies to a robotic mower as well as a complex production system.

Protection for people, machines and the environment

The guidelines for functional safety - FuSi for short - aim to provide reliable protection for people, the environment and machines. The legal regulations include EN ISO 13849-1 and EN 62061; they regulate which safety requirements a machine must fulfill. The safety integrity level (SIL) and the performance level (PL) are defined as parameters for the reliability of safety functions.
FuSi means having to invest additional, sometimes considerable, effort in the development of a product. If the product is later sold by the millions, or if the additional costs are negligible compared with the sales price, this is feasible for manufacturers. But what about devices that have to be sold under price pressure, or where the achievable quantities make it impossible to absorb the additional costs economically? Smaller companies in particular therefore face an economic problem with this market development: on the one hand, the high development costs for FuSi drive up the product price; on the other, the market is not prepared, and in many cases not in a position, to accept this price increase.


Affordable for safe use

This is where ISH, sister company of the Austrian company Logi.cals, comes in with a certified FuSi modular system that enables the cost-effective implementation of FuSi. The components of the modular system can be used for simple IO modules or sensors, but also for complex control solutions. The SIC (Safety Integrated Core) acts as the central platform: two-channel hardware and software with all elements for acquiring safe inputs and writing safe outputs. All procedures for testing, filtering and linking, up to the acquisition and testing of analog inputs, are available here. The platform can be extended with the customer application, the test library for the normative tests of the processor and the memory, and the coupling of various fieldbuses, such as the FSoE stack from ISH, through to the safe PLC. "It should be possible to cover a good 90% of all safe applications in automation and process technology," says ISH Managing Director Axel Helmerth. This means that only a few things need to be completely redeveloped.

FuSi integration takes just under a year

The ISH safety kit with its certified modules.


The platform's components meet all the requirements for a compliant item in accordance with IEC 61508, allowing developers to develop almost any appropriate safety-related hardware and software, from simple sensors/actuators and intelligent IO modules to fieldbus-based control systems consisting of PLCs and I/O modules. The platform is designed to be scalable for growing requirements.
According to Axel Helmerth, experience from real projects shows that a product can be ready for TÜV approval, including the corresponding documentation, within nine to twelve months of the specification and functional safety management being defined. This makes FuSi feasible because the modular system halves the time and costs.

The FuSi modular system in detail

The compact and efficient implementation of the FSoE Master/Slave Stack V2 - developed in accordance with FSoE specification ETG.5100 S (D) V1.2.0 and IEC 61784-3 - enables integration into very small and cost-effective hardware structures, for example in process sensors, and is characterized by high-performance runtime behaviour. Connection to existing EtherCAT structures is possible with little effort thanks to the clear interface structure of the stack. The module has been developed in accordance with IEC 61508 for use in applications up to SIL3 and pre-certified as a compliant item by TÜV Rheinland.
The stack works without an operating system and makes no special demands on the development environment. Several I/O instances of a target hardware can be managed by one stack. There are no restrictions on the size of the usable process image. Integration is simplified by the supplied Integration Guide with directly embeddable requirements. Unit tests are available as an option, but are only required for changes to the code. Interfaces are integrated for carrying out the FSoE conformance test.

Simple modules can be combined to create complex solutions.


The 'Cora' test library is a tool with which large parts of the hardware tests required by IEC 61508 can be realized. Tests that can be carried out include CPU, RAM, ROM and block CRC, as well as firmware and stack monitoring. A configurable test manager is also integrated. As the core of the library, this test manager manages the configured tests and calls up the individual test functions. For example, various memory blocks can be registered for the memory test, which are then processed by the test manager. To ensure that all memory areas have been tested after system startup, even on systems with short runtimes, the test manager also manages the last test segments. There is also a diagnostic function for monitoring continuous test coverage.

The library is suitable for use in real-time environments; an operating system is not required. The functions provided are pre-certified by TÜV Rheinland and can be used in safety projects. All unit tests are optionally available for your own extensions. The tool currently supports processor types such as ARM7/9, Cortex M and Cortex A; adaptation to other controller types is possible.
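The test-manager idea described above, as an added sketch in C that is not ISH code and not the Cora API: registered memory blocks are CRC-checked one segment per call, a cursor records the last tested segment, and a diagnostic reports coverage of the current pass. All names, the 16-byte segment size and the choice of CRC-32 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#define MAX_BLOCKS 4
#define SEG_BYTES  16u   /* bytes tested per call (assumed time budget) */

typedef struct { const uint8_t *base; size_t len; uint32_t crc; } block_t;
typedef struct {
    block_t  blocks[MAX_BLOCKS];
    size_t   nblocks, cur_block, cur_off, total, done; /* cursor + coverage */
    uint32_t running, passes; int failed;              /* failed is latched */
} test_mgr_t;
static uint32_t crc_update(uint32_t c, const uint8_t *p, size_t n) {
    while (n--) {                        /* bitwise CRC-32, poly 0xEDB88320 */
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c;
}
uint32_t block_crc(const uint8_t *p, size_t n) { return crc_update(0xFFFFFFFFu, p, n) ^ 0xFFFFFFFFu; }

int mgr_register(test_mgr_t *m, const uint8_t *base, size_t len, uint32_t crc) {
    if (m->nblocks == MAX_BLOCKS || len == 0) return -1;
    m->blocks[m->nblocks++] = (block_t){ base, len, crc };
    m->total += len;
    return 0;
}
int mgr_step(test_mgr_t *m) {  /* tests one segment; -1 once any block has failed */
    if (m->failed || m->nblocks == 0) return -1;
    const block_t *b = &m->blocks[m->cur_block];
    if (m->cur_off == 0) m->running = 0xFFFFFFFFu;     /* start of a block */
    size_t n = b->len - m->cur_off < SEG_BYTES ? b->len - m->cur_off : SEG_BYTES;
    m->running = crc_update(m->running, b->base + m->cur_off, n);
    m->done += n;
    if ((m->cur_off += n) < b->len) return 0;          /* block not finished yet */
    if ((m->running ^ 0xFFFFFFFFu) != b->crc) { m->failed = 1; return -1; }
    m->cur_off = 0;                                    /* block passed, move on */
    if (++m->cur_block == m->nblocks) { m->cur_block = 0; m->done = 0; m->passes++; }
    return 0;
}
unsigned mgr_coverage_pct(const test_mgr_t *m) {  /* share of current pass tested */
    return m->total ? (unsigned)(m->done * 100u / m->total) : 0u;
}

int main(void) {
    static const uint8_t rom[40] = "constructed sample image"; /* constructed data */
    test_mgr_t m = {0};
    mgr_register(&m, rom, sizeof rom, block_crc(rom, sizeof rom));
    while (m.passes == 0 && mgr_step(&m) == 0) { }     /* run one full pass */
    return m.failed;
}
```

Because the cursor and partial CRC live in `test_mgr_t`, a caller on a system with short runtimes could save that state and continue the pass after the next start instead of beginning again at the first block.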

Universal hardware construction kit

Walter Lutz works as a freelance journalist for PRservice in Haiger.


In order to implement functional safety in the shortest possible time, the SIC modular hardware system was developed with a two-channel architecture. It has a basic set of common interfaces, inputs and outputs in TTL. This means that a maximum of 24 safe I/Os can be implemented. The A/D converters are equipped with diagnostic functions. The FSoE (Safety over EtherCAT) and PROFIsafe options are available for fieldbus connection.

The hardware runs modular software whose modules can be combined according to the required complexity. This is configured via a central look-up table that assigns the logical objects to the hardware. There are interfaces to user-defined software and a fieldbus stack interface.
This enables both simple safe IO modules almost out of the box and complex integrations of PLC runtime systems with safe fieldbus connection. Support is provided by the safe PLC runtime systems and corresponding engineering tools from Logi.cals. Both browser-based tools and classic programming environments are available here. ISH also provides support with functions for safe drive technology in accordance with EN 61800-5-2 or floating point monitoring functions, for example.
