Danfoss SC0XX-1XX User guide

Safety Manual
PLUS+1® Safety Controllers
SC0XX-1XX Safety Controller Family
www.danfoss.com
Revision history

Table of revisions
Date | Changed | Rev
December 2020 | Corrected table on page 9 | 0601
June 2019 | User application software development requirements, first bullet updated | 0501
December 2018 | Updated user application software development requirements | 0404
August 2018 | Corrected typo | 0403
August 2018 | Corrected title | 0402
(date not legible in source) | Changed document number from 'BC00000237' and 'L1420375' to 'BC152986482864' | XX
(date not legible in source) | functional safety standards |
April 2017 | Recommended diagnostics update; User application software development requirements update |
March 2015 | FMEDA analysis; User application software development requirements; and added tables for control of outputs |
December 2014 | First edition | AA
Rev codes 0401, 0301 and BA also belong to rows of this table; the source does not show which rows.
2 | © Danfoss | December 2020 BC152986482864en-000601

Contents

Introduction
  This safety manual ... 4
    Certified SIL 2 Capable ... 4
    Comprehensive information ... 4
    User information ... 4
    Latest version of technical literature ... 5
  PLUS+1® SC Controller support ... 5
Component description and failure rates
  Processors and subsystems ... 6
  FMEDA analysis ... 6
  Failure categories description ... 7
  Failure rates ... 8
  Recommended diagnostics ... 8
Design considerations
  Safety critical function ... 9
    Recommended diagnostics ... 9
    User application software development requirements ... 10
  Control of DOUT ... 11
  Control of PWMOUT/DOUT ... 12
  Environmental limits ... 12
  Application limits ... 12
  Design verification ... 12
  SIL capability ... 12
    Systematic capability ... 12
    Random capability ... 12
  Connection to sensors and actuators ... 13
  Requirements ... 13
Installation and operation considerations
  Installation ... 14
  Physical location and placement ... 14
  Repair and replacement ... 14
  Useful life ... 14
  Software/hardware version numbers ... 14
  Security considerations ... 14
  Danfoss Power Solutions notification ... 14
Using the FMEDA results
  PFH calculation or PFDAVG calculation ... 15
    Example application, failure rate analysis ... 15
Abbreviations and definitions
  Abbreviations ... 16
  Definitions ... 16
Appendix A
  Risk reduction ... 18
  Prerequisites ... 19
  Requirements for Support Tools and Programming Languages ... 19
  Software Safety Validation ... 21

Introduction

This safety manual

This safety manual provides the information necessary to design, implement, verify and maintain a safety critical function utilizing the PLUS+1® SC0XX-1XX Controller Family. It states the requirements for meeting the IEC 61508:2010 Parts 1-7 and IEC 62061:2005 + A1:2012 + A2:2015 functional safety standards.

Warning: Read the manual completely before programming your application.

Certified SIL 2 Capable

The SC0XX-1XX Controller Family is certified SIL 2 Capable when deployed with the certified SIL 2 Capable OS that is embedded in their respective SC0XX-1XX HWD files.
The SC0XX-0XX Controller Family is designed for meeting the needs of SIL 2 applications where the OEM certifies at the machine level. The SC0XX-0XX Controller Family is not certified SIL 2 Capable as a component regardless of the HWD files with which it is deployed. The table below summarizes this information (the HWD filenames are representative, but not actual).
In all cases, the OEM/customer is responsible for the safety integrity requirement, implementation, and validation of their application.
Controller Family | HWD for the Primary Processor | HWD for the Secondary Processor | Component-Level SIL 2 Capable | Machine-Level SIL 2 Capable
SC0XX-1XX | SC0XX-1XX_HWD_Primary* | SC0XX-1XX_HWD_Secondary* | Yes | Yes
SC0XX-1XX | SC0XX-0XX_HWD_Primary | SC0XX-0XX_HWD_Secondary | No | Yes
SC0XX-0XX | SC0XX-1XX_HWD_Primary* | SC0XX-1XX_HWD_Secondary* | No | Yes
SC0XX-0XX | SC0XX-0XX_HWD_Primary | SC0XX-0XX_HWD_Secondary | No | Yes
* These HWD files incorporate the certified SIL 2 Capable OS with Safety Diagnostic Functions.

Comprehensive information

Manual
Title | Type | Identification number
PLUS+1® SC0XX-1XX Controller Family | Technical Information | BC152986482939
PLUS+1® GUIDE Software User Manual | Operation Manual | AQ152886483724
How to Install PLUS+1® GUIDE Upgrades | Operation Manual | AQ152886481488

User information

Document numbers
SC Controller model | Primary processor reference manual | Secondary processor reference manual | Data Sheet
SC050-120/122 | 70156324 | 70156321 | AI152986482636
SC024-120/122 | 70156499 | 70156500 | AI152986482900
SC024-110/112 | 70156496 | 70156498 | AI152986482941
SC050-13H | 70153891 | 70153903 | L1407546

Latest version of technical literature

Comprehensive technical literature is online at www.danfoss.com

PLUS+1® SC Controller support

Contact information is online at: http://powersolutions.danfoss.com/products/PLUS-1-GUIDE/PLUS-1-support-and-training/
[Figure: PLUS+1® SC0XX-1XX Controller block diagram, parts included in the FMEDA. Blocks shown: connector with power input, power return, inputs [1:24], sensor power, CAN1, CAN2, PWM outputs [1:8] and DOUT [1:6]; protection and power supplies (14 V, 5 V, 3 V supply and reference, V ref, VLDP) with comparator check; input conditioning; primary processor with clock 1, voltage supervisor 1, external memory, PWM control [1:8], PWM current feedback [1:8], DOUT control [1:6] and DOUT status feedback [1:6]; secondary processor with clock 2, voltage supervisor 2, reset, PWM shut-off [1:8], DOUT shut-off [1:6] and shut-off check [1:14]; async COM between the two processors.]

Component description and failure rates

Processors and subsystems

The PLUS+1® SC0XX-1XX Controller has two processors, the primary and the secondary processor, which communicate asynchronously with each other. The PLUS+1® SC0XX-1XX Controller has six main subsystems, each of which was analyzed individually. The configuration of a specific controller deployment is a function of the user application software.
Analyzed subsystems
Subsystem | Description
Common Logic | Electrical components and circuitry typically involved with all applications regardless of the input-output channel configuration
DIN/AIN/FreqIN | Digital, analog and frequency input pins
CrntIN (current) | Current input pins
ResIN | Resistance input pins
DOUT | Digital output pins
CrntOUT (current) | Current output pins

FMEDA analysis

The FMEDA analysis results include the elements shown in the following diagram (components and inputs/outputs are color coded, blue for the primary processor and red for the secondary processor).
Figure: PLUS+1® SC0XX-1XX Controller, parts included in the FMEDA
The PLUS+1® SC0XX-1XX Controller is classified as a Type B (1) high demand mode component with HFT = 0 per IEC 61508.
(1) Type B component: "Complex" element (using microcontrollers or programmable logic); for details see 7.4.4.1.3 of IEC 61508.
The PLUS+1® SC0XX-1XX Controller is certified to provide a 1oo1D architecture in accordance with IEC 61508. This allows the conclusion that a CAT2 architecture can be implemented in accordance with ISO 13849 or ISO 25119. For example, this can be accomplished by using the primary processor as the main controller for the Safety Function and the secondary processor as the diagnostic element (intelligent watchdog, TE-Test Equipment) that observes the correct function of the primary processor and independently de-energizes (safe state) all corresponding safety-related outputs.
Detailed analysis, review and documentation for compliance to ISO 13849 or ISO 25119 must be done by the designer or integrator of the safety related system.

Failure categories description

In order to judge the failure behavior of the PLUS+1® SC0XX-1XX Controller, the following definitions for the failure of the component apply.
Definitions for failure of the component
Failure category (1) | Definition
Fail-Safe State | State where the safety output is de-energized.
Fail Safe | State where the safety output is de-energized.
Fail Detected | Failure that is detected by the PLUS+1® SC Controller and causes the output signal to go to the predefined fail safe state.
Fail Dangerous | Failure that deviates the measured input state or the actual output by more than the safety accuracy (2% of span) and that leaves the output within the active range.
Fail Dangerous Undetected | Failure that is dangerous and that is not being diagnosed by automatic diagnostics or expected user logic.
Fail Dangerous Detected | Failure that is dangerous but is detected by automatic diagnostics or is expected to be detected by user logic.
Fail High (2)(3) | Failure that causes a safety input signal to go to a value that is clearly above the normal range and can therefore be reliably detected by the user application software.
Fail Low (2)(3) | Failure that causes a safety input signal to go to a value that is clearly below the normal range and can therefore be reliably detected by the user application software.
No Effect | Failure of a component that is part of the safety function but that has no effect on the safety function.
Annunciation Detected | Failure that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit) and that is detected by internal diagnostics.
Annunciation Undetected | Failure that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit) that is not detected by internal diagnostics.
λSD | Failure rate of all safe detected failures
λSU | Failure rate of all safe undetected failures
λDD | Failure rate of all dangerous detected failures
λDU | Failure rate of all dangerous undetected failures
λD | Failure rate of all dangerous failures, detected and undetected
λAD | Failure rate of all annunciation detected failures
λAU | Failure rate of all annunciation undetected failures
FIT | Failure In Time (1 x 10^-9 failures per hour)

(1) The failure categories listed above expand upon the categories listed in IEC 61508, which are only safe and dangerous, both detected and undetected. In IEC 61508, the No Effect failures cannot contribute to the failure rate of the safety function. Therefore, they are not used for the Safe Failure Fraction calculation.
(2) Depending on the application, a Fail High or a Fail Low failure can either be safe or dangerous and may be detected or undetected depending on the user software application program.
(3) Consequently, during a Safety Integrity Level (SIL) verification assessment, the Fail High and Fail Low failure categories need to be classified as safe or dangerous, and as detected or undetected.
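A worked example of the bookkeeping these definitions imply, added here as illustration and not taken from the manual or from Danfoss: it sums constructed FIT values (placeholders, not SC0XX-1XX FMEDA figures) into the λSD, λSU, λDD, λDU and λD terms, forces the application to classify Fail High and Fail Low as notes (2) and (3) require, keeps No Effect and Annunciation rates out of the Safe Failure Fraction as note (1) states, and evaluates SFF with the IEC 61508-2 formula SFF = (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU). The mapping of "Fail Detected" to safe detected and "Fail Safe" to safe undetected is the example's own assumption; the SFF-to-SIL limits for a Type B element with HFT = 0 are taken from IEC 61508-2 Table 3, which this page references only indirectly through its Type B / HFT = 0 classification.

```python
"""Aggregate FMEDA failure categories into IEC 61508 lambda terms and SFF.

Added example: the FIT values are constructed placeholders, not Danfoss data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

FIT_PER_HOUR = 1e-9  # 1 FIT = 1 x 10^-9 failures per hour

# Categories the manual's table classifies unambiguously.
# Assumption of this example: "Fail Detected" (diagnostics force the
# fail-safe state) counts as safe detected, "Fail Safe" as safe undetected.
FIXED_TERM = {
    "Fail Detected": "SD",
    "Fail Safe": "SU",
    "Fail Dangerous Detected": "DD",
    "Fail Dangerous Undetected": "DU",
    "Annunciation Detected": "AD",
    "Annunciation Undetected": "AU",
    "No Effect": "NE",
}


@dataclass(frozen=True)
class AppDecision:
    """Application-level classification of a Fail High / Fail Low failure."""
    dangerous: bool
    detected: bool

    @property
    def term(self) -> str:
        return ("D" if self.dangerous else "S") + ("D" if self.detected else "U")


def classify(category: str, decisions: Dict[str, AppDecision]) -> str:
    """Return the lambda bucket (SD, SU, DD, DU, AD, AU or NE) for a category."""
    if category in ("Fail High", "Fail Low"):
        # Notes (2) and (3): the user application decides safe/dangerous and
        # detected/undetected; refusing a default keeps that decision explicit.
        if category not in decisions:
            raise ValueError(f"{category} must be classified by the application")
        return decisions[category].term
    if category not in FIXED_TERM:
        raise ValueError(f"unknown FMEDA category: {category!r}")
    return FIXED_TERM[category]


def aggregate(records: Iterable[Tuple[str, float]],
              decisions: Dict[str, AppDecision]) -> Dict[str, float]:
    """Sum FIT values per bucket; lambda_D = lambda_DD + lambda_DU."""
    totals = {k: 0.0 for k in ("SD", "SU", "DD", "DU", "AD", "AU", "NE")}
    for category, fit in records:
        totals[classify(category, decisions)] += fit
    totals["D"] = totals["DD"] + totals["DU"]
    return totals


def safe_failure_fraction(totals: Dict[str, float]) -> float:
    """IEC 61508-2: SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D).

    No Effect (NE) and Annunciation (AD, AU) rates are deliberately absent.
    """
    safe = totals["SD"] + totals["SU"]
    return (safe + totals["DD"]) / (safe + totals["D"])


def max_sil_type_b_hft0(sff: float) -> int:
    """Architectural SIL limit, Type B element, HFT = 0 (IEC 61508-2 Table 3)."""
    if sff < 0.60:
        return 0  # not allowed for any SIL
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


def fit_to_per_hour(fit: float) -> float:
    return fit * FIT_PER_HOUR


# Constructed FMEDA lines (category, FIT); placeholders for illustration only.
CONSTRUCTED_FMEDA = [
    ("Fail Detected", 120.0),
    ("Fail Safe", 30.0),
    ("Fail Dangerous Detected", 80.0),
    ("Fail Dangerous Undetected", 10.0),
    ("Fail High", 25.0),
    ("Fail Low", 15.0),
    ("No Effect", 200.0),
    ("Annunciation Detected", 5.0),
    ("Annunciation Undetected", 2.0),
]

# Two application choices for the same hardware data (note 2).
WITH_RANGE_CHECKS = {     # user logic detects out-of-range inputs
    "Fail High": AppDecision(dangerous=True, detected=True),
    "Fail Low": AppDecision(dangerous=True, detected=True),
}
WITHOUT_RANGE_CHECKS = {  # nothing in the application reacts to them
    "Fail High": AppDecision(dangerous=True, detected=False),
    "Fail Low": AppDecision(dangerous=True, detected=False),
}


def assess(records, decisions):
    """Return (lambda totals in FIT, SFF, architectural SIL limit)."""
    totals = aggregate(records, decisions)
    sff = safe_failure_fraction(totals)
    return totals, sff, max_sil_type_b_hft0(sff)


if __name__ == "__main__":
    for name, decisions in (("with range checks", WITH_RANGE_CHECKS),
                            ("without range checks", WITHOUT_RANGE_CHECKS)):
        totals, sff, sil = assess(CONSTRUCTED_FMEDA, decisions)
        print(f"{name}: lambda_DU = {fit_to_per_hour(totals['DU']):.2e}/h, "
              f"SFF = {sff:.1%}, architectural limit SIL {sil}")
```

With the constructed figures, classifying Fail High and Fail Low as detected by user range checks moves 40 FIT from λDU to λDD and lifts the SFF from about 82% to about 96%, which is the difference between a SIL 1 and a SIL 2 architectural limit for a Type B, HFT = 0 element; that is why the manual insists the classification be made explicitly during the SIL verification assessment rather than assumed.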