Systemtechnik Leber
The best of two worlds
The increasing networking of systems in the Internet of Things and in the self-driving vehicle of the future makes it necessary to design drive solutions that are both functionally safe and resistant to external manipulation. How can this combination be achieved?
Functional safety means assessing and controlling all potential risks. Manufacturers of electronic components such as safety control systems and motor starters, in particular, have functional safety on their radar. Machine builders and system integrators, however, also need to know the standards applicable in their field in order to avoid liability claims by users.
The normative basis for functionally safe systems is the safety standard EN 61508. This internationally accepted seven-part standard is aimed at developers and system integrators alike as the basic standard for functional safety. It is therefore the 'guard rail' for all activities during the safety life cycle for systems that consist of electrical and/or electronic and/or programmable electronic elements and perform a safety function.
Relevant standards
The product standard EN 61800-5-2, which provides recommendations for the design, development, integration and validation of safety-related power drive systems, applies specifically to variable-speed drives for applications in industrial automation technology and mechanical engineering. It applies to systems with a high demand rate or continuous operation and provides a broad catalog of stop and monitoring functions.
Other applicable standards include:
- EN 62061 for safety-related control systems for machines;
- EN ISO 13849-1 and EN ISO 13849-2 for the design and validation of safety-related parts of machine control systems;
- EN 50126, EN 50128, EN 50129 for safety management and safety aspects in the railroad sector;
- EN 61511 for safety functions in the process industry.
In the automotive sector, ISO 26262 applies to electrical and/or electronic systems in road vehicles, for example window regulators, lighting adjustment, brakes, steering or seat adjustment. The applicable safety standards must be taken into account right from the start of product development. 'Development' here does not mean just implementing hardware or software: it already includes the concept and design phase and always goes together with a hazard and risk assessment of the overall system.
Protected from attacks
The EN 61508 standard forms the basic standard in the 'world of functional safety'. Various standards derived from it apply to the respective industry (e.g. automotive).
In addition to functional safety, security is playing an increasingly important role. Once functionally safe systems are networked, they must also be protected against external attacks, i.e. made 'secure'. For Industrial Control Systems (ICS), the product development process itself must follow IEC 62443-4-1 (secure product development lifecycle requirements).
The increasing networking of systems in the Internet of Things and in the autonomous vehicles of the future makes a combination of safety and security aspects necessary. The seemingly contradictory demands of security and end-to-end networking have to be reconciled, which makes product development increasingly complex. The many, sometimes new, requirements affect the entire development process.
Development teams that can fall back on concepts that have already been tested and proven in practice have an advantage here: a 'construction kit' that includes not only current technology platforms but also process models and solution concepts accumulated over the course of many projects. When implementing concrete, application-specific requirements, developers regularly encounter individual challenges in building a system that is safe and secure throughout and that meets the respective framework conditions. It is therefore advisable to fall back on existing 'modules': processes, concepts and technologies that have either already delivered good results in the past or have been developed and tested for a specific functionality in such a way that they can be efficiently integrated into individual products. This significantly reduces the risk of development failures and keeps the cost of such a solution predictable.
Examples of such modules are:
- Technology components for communication technology (SoC, SoM);
- Integrated security functions and APIs;
- Drive control-specific design patterns for hardware and software;
- Proven verification and validation concepts for drive systems;
- Process models that are customized for the respective project.
These modules are drawn on as required and adapted, or 'customized', to the application. As a result, drive control systems can be developed in accordance with both safety and security standards.
Typical development process in a normative environment
The V-model is the established documentation model for regulated processes. A development process based on it can be adapted to the specific requirements of the respective project and standards environment (tailoring).
A typical procedure for the development of mechatronic solutions at Systemtechnik Leber is as follows:
1. Definition of responsibilities for the individual work packages at the start of the project.
2. Standard development process according to ISO 9001 and the V-model, modelled in a process framework.
3. Precise examination of the normative project environment so that the project is correctly classified within the development process.
4. Development processes adapted to the safety standards EN 61508 and ISO 26262 and to security according to IEC 62443-4-1.
5. Project-specific selection of process elements and, if necessary, tailoring according to specific requirements.
Martin Bayer is a hardware developer and functional safety engineer at Systemtechnik Leber in Nuremberg.
This can be illustrated in concrete terms using a project example from the field of drive control technology:
As part of a design-in partnership with Hilscher, a provider of factory automation solutions, the engineers at Systemtechnik Leber are currently investigating an evaluation board that is still under development. It provides a fieldbus controller, a motor controller and a power section for controlling brushless DC motors (BLDC). The two controllers are housed in a single chip but operate independently of each other. With regard to safety and security, the initial results of the investigation are as follows. First, the separation into two cores, which can only communicate via a shared-memory interface, already reduces the attack surface (in the sense of IEC 62443) considerably: the fieldbus-facing core cannot directly manipulate the motor control, and the shared-memory interface becomes a narrow trust boundary at which the receiving core must validate the data it accepts. Second, the controller is equipped with modern cyber security functions, for example a hardware-based implementation of cryptographic functions and a secure bootloader. The bootloader verifies the manufacturer's digital signature on a firmware image before installing or starting it, so only images that were signed by the manufacturer and not modified afterwards are accepted. This matters because a significant proportion of attacks on IoT devices rely on the undetected installation of malicious firmware.
Jörg Klenke is Project Manager Product Development at Systemtechnik Leber in Nuremberg.
A secure boot process makes this class of attack comparatively easy to fend off, provided the verification key itself is stored where an attacker cannot replace it. Firmware updates can additionally be distributed in encrypted form to hide the binary code from prying eyes and so protect the intellectual property of the developing company. Encryption only protects confidentiality, however; the signature check remains necessary to establish that an image is genuine.
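The check a secure bootloader performs on a signed image, as an added example in Go that is not code from the evaluation board, from Hilscher or from Systemtechnik Leber. The image layout (magic, version, length, payload, Ed25519 signature), the anti-rollback rule and the demo key pair are assumptions made for this example; a real device would keep the public key in immutable storage and the private key in the manufacturer's signing infrastructure.

```go
// Added example: signed firmware image check as a secure bootloader performs it.
// Image layout, field sizes and the anti-rollback rule are assumptions for this
// example, not the evaluation board's real format.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout (integers little-endian):
//   magic   4 bytes  "FWIM"
//   version 4 bytes  monotonically increasing
//   length  4 bytes  payload length
//   payload n bytes
//   sig     64 bytes Ed25519 signature over magic|version|length|payload
var magic = []byte("FWIM")

const headerLen = 12

var (
	ErrBadMagic  = errors.New("image: bad magic")
	ErrTruncated = errors.New("image: truncated or inconsistent length")
	ErrSignature = errors.New("image: signature verification failed")
	ErrRollback  = errors.New("image: version older than minimum allowed")
)

// NewDemoKeyPair generates a throw-away manufacturer key for the example.
func NewDemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildSignedImage assembles header and payload and appends the signature
// computed over everything that precedes it (manufacturer side).
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.LittleEndian.PutUint32(hdr[4:], version)
	binary.LittleEndian.PutUint32(hdr[8:], uint32(len(payload)))
	img := append(hdr, payload...)
	sig := ed25519.Sign(priv, img)
	return append(img, sig...)
}

// VerifyImage is the bootloader-side check. It returns the payload and its
// version only if the image is well-formed, carries a valid signature under
// pub, and is not older than minVersion (anti-rollback).
func VerifyImage(pub ed25519.PublicKey, img []byte, minVersion uint32) ([]byte, uint32, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return nil, 0, ErrTruncated
	}
	if !bytes.Equal(img[:4], magic) {
		return nil, 0, ErrBadMagic
	}
	version := binary.LittleEndian.Uint32(img[4:8])
	length := binary.LittleEndian.Uint32(img[8:12])
	// The length field is attacker-controlled until the signature is checked,
	// so it is bounded against the actual image size before any slicing.
	if uint64(length) != uint64(len(img)-headerLen-ed25519.SignatureSize) {
		return nil, 0, ErrTruncated
	}
	signed := img[:headerLen+int(length)]
	sig := img[headerLen+int(length):]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrSignature
	}
	// The version field is only trusted after the signature has verified.
	if version < minVersion {
		return nil, 0, ErrRollback
	}
	return signed[headerLen:], version, nil
}

func main() {
	pub, priv := NewDemoKeyPair()
	fw := []byte("constructed demo firmware payload") // constructed sample, not real firmware
	img := BuildSignedImage(priv, 2, fw)

	_, v, err := VerifyImage(pub, img, 1)
	fmt.Println("genuine image: version", v, "err", err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one bit of the payload
	_, _, err = VerifyImage(pub, tampered, 1)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, img, 3) // device already requires version >= 3
	fmt.Println("rollback attempt:", err)
}
```

The order of checks is the point: structural checks bound every attacker-controlled field before it is used, the signature is verified over header and payload together, and only then is the version compared, so an attacker cannot downgrade to an older, vulnerable but validly signed image by editing the version field.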
This technology can be extended, for example, with a hardware-based functionally safe stop function, and this has already been implemented in several customer projects. In this case the safety function is built with two channels: activation takes place via two redundant inputs, each of which interrupts the motor control. The stop function takes priority over all other functions.
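A software model of the two-channel stop logic just described, as an added example written for this page; it is not the customer projects' hardware implementation. The 1oo2 evaluation (either channel demanding stop is sufficient), the discrepancy window after which disagreeing channels are treated as a fault, and the reset rule are assumptions of this model.

```go
// Added example: model of a two-channel, dominant safe stop function.
// The 1oo2 evaluation, the discrepancy window and the reset rule are
// assumptions for this model, not details given for the customer projects.
package main

import "fmt"

// SafeStop evaluates two redundant stop inputs once per control cycle.
// An input is "run" when it is energised; a de-energised or open input
// demands stop, so a broken wire on either channel fails safe.
type SafeStop struct {
	maxDiscrepancy int  // cycles the channels may disagree before a fault latches (assumed)
	discrepancy    int  // consecutive cycles with disagreeing channels
	Faulted        bool // latched channel fault, cleared only by Reset
}

func NewSafeStop(maxDiscrepancy int) *SafeStop {
	return &SafeStop{maxDiscrepancy: maxDiscrepancy}
}

// Evaluate returns true when the motor control must be interrupted.
func (s *SafeStop) Evaluate(ch1Run, ch2Run bool) bool {
	if s.Faulted {
		return true
	}
	if ch1Run != ch2Run {
		// Channels disagree: tolerate only a short window (wiring delay),
		// then assume a channel fault and latch the safe state.
		s.discrepancy++
		if s.discrepancy > s.maxDiscrepancy {
			s.Faulted = true
		}
	} else {
		s.discrepancy = 0
	}
	// 1oo2: a single channel demanding stop is sufficient to stop.
	return s.Faulted || !ch1Run || !ch2Run
}

// Reset clears a latched fault. It is refused while either channel still
// signals run, so a fault cannot be cleared into an immediate restart.
func (s *SafeStop) Reset(ch1Run, ch2Run bool) bool {
	if ch1Run || ch2Run {
		return false
	}
	s.Faulted = false
	s.discrepancy = 0
	return true
}

// MotorEnable combines the application's ordinary run command with the stop
// function; the stop function is dominant, the run command never overrides it.
func MotorEnable(runCommand, stopDemanded bool) bool {
	return runCommand && !stopDemanded
}

func main() {
	s := NewSafeStop(2)
	// Constructed input sequence: both run, then channel 1 drops and stays
	// down while channel 2 keeps signalling run (a stuck or bridged channel).
	cycles := [][2]bool{{true, true}, {false, true}, {false, true}, {false, true}, {true, true}}
	for i, c := range cycles {
		stop := s.Evaluate(c[0], c[1])
		fmt.Printf("cycle %d ch1=%v ch2=%v stop=%v faulted=%v enable=%v\n",
			i, c[0], c[1], stop, s.Faulted, MotorEnable(true, stop))
	}
	fmt.Println("reset while run demanded:", s.Reset(true, true))
	fmt.Println("reset with both channels in stop:", s.Reset(false, false))
}
```

The model captures the two properties the text names: each input on its own interrupts the motor, and the stop state wins over any run command. The discrepancy latch is what turns the second channel into a diagnostic rather than just a spare: a channel that keeps signalling run while its partner demands stop is itself treated as a fault.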