
Safety Manual
PLUS+1® Safety Controllers
SC0XX-1XX Safety Controller Family
www.danfoss.com

Revision history

Table of revisions

Date | Changed | Rev
December 2020 | Corrected table on page 9 | 0601
June 2019 | User application software development requirements, first bullet updated | 0501
December 2018 | Updated user application software development requirements | 0404
August 2018 | Corrected typo | 0403
August 2018 | Corrected title | 0402
| Changed document number from 'BC00000237' and 'L1420375' to 'BC152986482864' | XX
July 2018 | Updated IEC 61508 to IEC 61508 : 2010 Parts 1-7 and IEC 62061:2005+ A1:2012+ A2:2015 functional safety standards | 0401
April 2017 | Recommended diagnostics update; User application software development requirements update | 0301
March 2015 | FMEDA analysis; User application software development requirements; and added tables for control of outputs | BA
December 2014 | First edition | AA
2 | © Danfoss | December 2020 BC152986482864en-000601

Contents

Introduction
This safety manual ... 4
Certified SIL 2 Capable ... 4
Comprehensive information ... 4
User information ... 4
Latest version of technical literature ... 5
PLUS+1® SC Controller support ... 5

Component description and failure rates
Processors and subsystems ... 6
FMEDA analysis ... 6
Failure categories description ... 7
Failure rates ... 8
Recommended diagnostics ... 8

Design considerations
Safety critical function ... 9
Recommended diagnostics ... 9
User application software development requirements ... 10
Control of DOUT ... 11
Control of PWMOUT/DOUT ... 12
Environmental limits ... 12
Application limits ... 12
Design verification ... 12
SIL capability ... 12
Systematic capability ... 12
Random capability ... 12
Connection to sensors and actuators ... 13
Requirements ... 13

Installation and operation considerations
Installation ... 14
Physical location and placement ... 14
Repair and replacement ... 14
Useful life ... 14
Software/hardware version numbers ... 14
Security considerations ... 14
Danfoss Power Solutions notification ... 14

Using the FMEDA results
PFH calculation or PFDavg calculation ... 15
Example application, failure rate analysis ... 15

Abbreviations and definitions
Abbreviations ... 16
Definitions ... 16

Appendix A
Risk reduction ... 18
Prerequisites ... 19
Requirements for Support Tools and Programming Languages ... 19
Software Safety Validation ... 21

Introduction
This safety manual
This safety manual provides the information necessary to design, implement, verify and maintain a safety
critical function using the PLUS+1® SC0XX-1XX Controller Family. It states the requirements that must be met
to comply with the IEC 61508 : 2010 Parts 1-7 and IEC 62061:2005+ A1:2012+ A2:2015 functional safety
standards.
Warning
Read the manual completely before programming your application.
Certified SIL 2 Capable
The SC0XX-1XX Controller Family is certified SIL 2 Capable when deployed with the certified SIL 2
Capable OS that is embedded in the respective SC0XX-1XX HWD files.
The SC0XX-0XX Controller Family is designed to meet the needs of SIL 2 applications where the OEM
certifies at the machine level. The SC0XX-0XX Controller Family is not certified SIL 2 Capable as a
component, regardless of the HWD files with which it is deployed. The table below summarizes this
information (the HWD filenames are representative, not actual).
In all cases, the OEM/customer is responsible for the safety integrity requirement, implementation, and
validation of their application.

Controller Family | HWD for the Primary Processor | HWD for the Secondary Processor | Component-Level SIL 2 Capable | Machine-Level SIL 2 Capable
SC0XX-1XX | SC0XX-1XX_HWD_Primary* | SC0XX-1XX_HWD_Secondary* | Yes | Yes
SC0XX-1XX | SC0XX-0XX_HWD_Primary | SC0XX-0XX_HWD_Secondary | No | Yes
SC0XX-0XX | SC0XX-1XX_HWD_Primary* | SC0XX-1XX_HWD_Secondary* | No | Yes
SC0XX-0XX | SC0XX-0XX_HWD_Primary | SC0XX-0XX_HWD_Secondary | No | Yes
* These HWD files incorporate the certified SIL 2 Capable OS with Safety Diagnostic Functions.

Note that component-level SIL 2 capability requires both the SC0XX-1XX hardware and the SC0XX-1XX HWD files: loading the SC0XX-1XX HWD files onto SC0XX-0XX hardware, or SC0XX-0XX HWD files onto SC0XX-1XX hardware, leaves only the machine-level path open.
Comprehensive information

Title | Type | Identification number
PLUS+1® SC0XX-1XX Controller Family Technical Information | Manual | BC152986482939
PLUS+1® GUIDE Software User Manual | Operation Manual | AQ152886483724
How to Install PLUS+1® GUIDE Upgrades | Operation Manual | AQ152886481488

User information

Document numbers per SC Controller model:

SC Controller model | Primary processor reference manual | Secondary processor reference manual | Data Sheet
SC050-120/122 | 70156324 | 70156321 | AI152986482636
SC024-120/122 | 70156499 | 70156500 | AI152986482900
SC024-110/112 | 70156496 | 70156498 | AI152986482941
SC050-13H | 70153891 | 70153903 | L1407546

Latest version of technical literature
Comprehensive technical literature is online at www.danfoss.com
PLUS+1® SC Controller support
Contact information is online at: http://powersolutions.danfoss.com/products/PLUS-1-GUIDE/PLUS-1-
support-and-training/

[Figure: block diagram of the PLUS+1® SC0XX-1XX Controller showing the parts included in the FMEDA. Labels recovered from the diagram: Connector; Input conditioning; Power input; Power return; VLDP; Protection and power supplies; Comparator check; V ref; 14 V, 5 V, 3 V (supply and reference); Voltage supervisor 1; Voltage supervisor 2; Clock 1; Clock 2; Reset; Primary processor; Secondary processor; Async COM; Inputs [1:24]; Sensor power; External memory; CAN1; CAN2; PWM control [1:8]; PWM current feedback [1:8]; PWM shut-off [1:8]; PWM outputs [1:8]; DOUT control [1:6]; DOUT status feedback [1:6]; DOUT shut-off [1:6]; DOUT [1:6]; Shut-off check [1:14]; Outputs.]
Component description and failure rates
Processors and subsystems
The PLUS+1® SC0XX-1XX Controller has two processors, the primary and the secondary processor, which
communicate asynchronously with each other. The PLUS+1® SC0XX-1XX Controller has six main
subsystems, each of which was analyzed individually. The configuration of a specific controller
deployment is a function of the user application software.
Analyzed subsystems

Subsystem | Description
Common Logic | Electrical components and circuitry typically involved with all applications regardless of the input-output channel configuration
DIN/AIN/FreqIN | Digital, analog and frequency input pins
CrntIn (current) | Current input pins
ResIN | Resistance input pins
DOUT | Digital output pins
CrntOUT (current) | Current output pins

FMEDA analysis
The FMEDA analysis results include the elements shown in the following diagram (components and
inputs/outputs are color coded, blue for the primary processor and red for the secondary processor).
PLUS+1® SC0XX-1XX Controller—Parts included in the FMEDA
The PLUS+1® SC0XX-1XX Controller is classified as a Type B (1) high demand mode component with HFT = 0
per IEC 61508.
The PLUS+1® SC0XX-1XX Controller is certified to provide a 1oo1D architecture in accordance with IEC
61508. This allows the conclusion that a CAT2 architecture can be implemented in accordance with ISO
13849 or ISO 25119. For example, this can be accomplished by using the primary processor as the main
controller for the Safety Function and the secondary processor as the diagnostic element (intelligent
watchdog, TE: Test Equipment) to observe the correct function of the primary processor and to independently
de-energize (safe state) all corresponding safety-related outputs.
(1) Type B component: "Complex" element (using microcontrollers or programmable logic); for details see 7.4.4.1.3 of IEC 61508.

Detailed analysis, review and documentation for compliance to ISO 13849 or ISO 25119 must be done by
the designer or integrator of the safety related system.
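The role split described above (primary processor runs the safety function, secondary processor acts as an intelligent watchdog with its own shut-off path) can be illustrated with a small simulation. The following is an added example and not Danfoss firmware or the certified OS: the window timing, the challenge/response function, the message format and the four primary-processor behaviours are all constructed assumptions. What it shows is why the diagnostic element checks computation rather than mere presence, and why both a late and an early heartbeat are treated as faults.

```python
"""Illustrative 1oo1D supervision: main controller plus independent diagnostic element.

Added example, not Danfoss firmware: it models the role split described above
(primary processor executes the safety function, secondary processor acts as an
intelligent watchdog that can de-energize the safety-related outputs on its own)
with a constructed challenge/response heartbeat. The window timing, the response
function and the message sequence are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

HEARTBEAT_PERIOD_MS = 10
WINDOW_MIN_MS = 8    # earlier than this: primary is running too fast (runaway)
WINDOW_MAX_MS = 12   # later than this: primary is stalled or locked up


def expected_response(challenge: int) -> int:
    """Constructed response the primary has to compute fresh each cycle.

    A primary that is reset, stuck in a loop, or replaying a stale value cannot
    produce the right answer for a new challenge, so a plain "still alive"
    toggle is not enough; the diagnostic element checks computation, not presence.
    """
    return (challenge * 0x9E3779B1 + 0x7F4A7C15) & 0xFFFFFFFF


@dataclass
class Diagnostic:
    """Secondary-processor view: owns its own shut-off path to the outputs."""
    outputs_enabled: bool = True
    fault: Optional[str] = None
    challenge: int = 1
    last_ok_ms: int = 0

    def demand_shutoff(self, reason: str) -> None:
        # Latched: once de-energized, only an explicit reset may re-enable.
        self.outputs_enabled = False
        self.fault = reason

    def check(self, now_ms: int, response: Optional[int]) -> bool:
        """Evaluate one observation; returns whether outputs stay energized."""
        if not self.outputs_enabled:
            return False
        elapsed = now_ms - self.last_ok_ms
        if response is None:
            # No message this tick: only the deadline matters.
            if elapsed > WINDOW_MAX_MS:
                self.demand_shutoff("heartbeat timeout")
        elif elapsed < WINDOW_MIN_MS or elapsed > WINDOW_MAX_MS:
            self.demand_shutoff(f"heartbeat outside window ({elapsed} ms)")
        elif response != expected_response(self.challenge):
            self.demand_shutoff("wrong response")
        else:
            self.last_ok_ms = now_ms
            self.challenge = (self.challenge + 1) & 0xFFFFFFFF
        return self.outputs_enabled


Scenario = Callable[[int, int], Tuple[int, Optional[int]]]


def simulate(scenario: Scenario, cycles: int = 8) -> Tuple[bool, Optional[str]]:
    """Drive a Diagnostic with scenario(cycle, challenge) -> (now_ms, response)."""
    diag = Diagnostic()
    for cycle in range(1, cycles + 1):
        now_ms, response = scenario(cycle, diag.challenge)
        diag.check(now_ms, response)
    return diag.outputs_enabled, diag.fault


# Constructed primary-processor behaviours (assumptions, not measured data).
def healthy(cycle: int, challenge: int):
    return cycle * HEARTBEAT_PERIOD_MS, expected_response(challenge)


def stalled(cycle: int, challenge: int):
    # Primary stops answering after three good cycles.
    if cycle <= 3:
        return cycle * HEARTBEAT_PERIOD_MS, expected_response(challenge)
    return cycle * HEARTBEAT_PERIOD_MS, None


def replaying(cycle: int, challenge: int):
    # Primary stuck in a loop re-sending the answer it computed for challenge 1.
    return cycle * HEARTBEAT_PERIOD_MS, expected_response(1)


def runaway(cycle: int, challenge: int):
    # Primary loop running at twice nominal speed.
    return cycle * (HEARTBEAT_PERIOD_MS // 2), expected_response(challenge)


if __name__ == "__main__":
    for name, scenario in (("healthy", healthy), ("stalled", stalled),
                           ("replaying", replaying), ("runaway", runaway)):
        enabled, fault = simulate(scenario)
        print(f"{name:10s} outputs_enabled={enabled} fault={fault}")
```

The safe state is latched in `Diagnostic.demand_shutoff`; re-enabling the outputs after a detected fault is deliberately not modelled, because in a real design that decision belongs to the application and its validated reset logic, not to the watchdog.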
Failure categories description
In order to judge the failure behavior of the PLUS+1® SC0XX-1XX Controller, the following definitions for
the failure of the component apply.

Definitions for failure of the component (1)

Failure category | Definition
Fail-Safe State | State where the safety output is de-energized.
Fail Safe | State where the safety output is de-energized.
Fail Detected | Failure that is detected by the PLUS+1® SC Controller and causes the output signal to go to the predefined fail safe state.
Fail Dangerous | Failure that deviates the measured input state or the actual output by more than the safety accuracy (2% of span) and that leaves the output within the active range.
Fail Dangerous Undetected | Failure that is dangerous and that is not being diagnosed by automatic diagnostics or expected user logic.
Fail Dangerous Detected | Failure that is dangerous but is detected by automatic diagnostics or is expected to be detected by user logic.
Fail High (2)(3) | Failure that causes a safety input signal to go to a value that is clearly above the normal range and can therefore be reliably detected by the user application software.
Fail Low (2)(3) | Failure that causes a safety input signal to go to a value that is clearly below the normal range and can therefore be reliably detected by the user application software.
No Effect | Failure of a component that is part of the safety function but that has no effect on the safety function.
Annunciation Detected | Failure that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit) and that is detected by internal diagnostics.
Annunciation Undetected | Failure that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit) that is not detected by internal diagnostics.
λSD | Failure rate of all safe detected failures
λSU | Failure rate of all safe undetected failures
λDD | Failure rate of all dangerous detected failures
λDU | Failure rate of all dangerous undetected failures
λD | Failure rate of all dangerous failures, detected and undetected
λAD | Failure rate of all annunciation detected failures
λAU | Failure rate of all annunciation undetected failures
FIT | Failure In Time (1x10^-9 failures per hour)

(1) The failure categories listed above expand upon the categories listed in IEC 61508, which are only safe and
dangerous, both detected and undetected. In IEC 61508, the No Effect failures cannot contribute to the failure rate
of the safety function. Therefore, they are not used for the Safe Failure Fraction calculation.
(2) Depending on the application, a Fail High or a Fail Low failure can either be safe or dangerous and may be
detected or undetected depending on the user software application program.
(3) Consequently, during a Safety Integrity Level (SIL) verification assessment, the Fail High and Fail Low failure
categories need to be classified as safe or dangerous, and as detected or undetected.
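Footnotes (1) to (3) describe bookkeeping that is easy to get wrong in a SIL verification: Fail High and Fail Low have to be assigned to one of the four IEC 61508 buckets per application before anything is summed, and No Effect and Annunciation rates must stay out of the Safe Failure Fraction. The following is an added example and not Danfoss code or FMEDA output: every FIT figure in it is constructed, and the SFF, DC and single-channel PFH formulas it applies are the standard IEC 61508 ones rather than anything this manual states. It runs the same constructed hardware figures through two different application verdicts to show how much the classification alone moves the result.

```python
"""Failure-rate bookkeeping for the failure categories defined above.

Added example, not Danfoss code or FMEDA data: it shows how the
application-dependent categories (Fail High, Fail Low) are folded into the
four IEC 61508 buckets before rates are summed, and that No Effect and
Annunciation failures stay out of the Safe Failure Fraction (SFF).
Every FIT value below is constructed for illustration.
"""
from dataclasses import dataclass

FIT = 1e-9  # one Failure In Time is 1e-9 failures per hour


@dataclass(frozen=True)
class Rates:
    """The four IEC 61508 failure-rate buckets, all in FIT."""
    sd: float  # λSD, safe detected
    su: float  # λSU, safe undetected
    dd: float  # λDD, dangerous detected
    du: float  # λDU, dangerous undetected

    @property
    def s(self) -> float:  # all safe failures
        return self.sd + self.su

    @property
    def d(self) -> float:  # λD, all dangerous failures, detected and undetected
        return self.dd + self.du


# Constructed FIT figures for one subsystem (assumption, not FMEDA output).
SAMPLE_FIT = {
    "Fail Safe Detected": 40.0,
    "Fail Safe Undetected": 10.0,
    "Fail Dangerous Detected": 25.0,
    "Fail Dangerous Undetected": 5.0,
    "Fail High": 8.0,                # classified per application, footnotes (2)(3)
    "Fail Low": 6.0,                 # classified per application, footnotes (2)(3)
    "No Effect": 30.0,               # not part of the SFF, footnote (1)
    "Annunciation Detected": 3.0,    # λAD, no direct safety impact
    "Annunciation Undetected": 2.0,  # λAU, no direct safety impact
}

BUCKETS = ("SD", "SU", "DD", "DU")


def classify(fit: dict, high_is: str, low_is: str) -> Rates:
    """Fold Fail High / Fail Low into the IEC 61508 buckets.

    high_is and low_is record the verdict the SIL verification assessment has
    to make for this application: "DD" if the user logic reliably detects the
    out-of-range value and reacts, "SD" if the failure itself drives the
    output to the fail-safe state, "DU" if nothing checks it, and so on.
    """
    if high_is not in BUCKETS or low_is not in BUCKETS:
        raise ValueError("Fail High/Low must be classified as SD, SU, DD or DU")
    acc = {
        "SD": fit["Fail Safe Detected"],
        "SU": fit["Fail Safe Undetected"],
        "DD": fit["Fail Dangerous Detected"],
        "DU": fit["Fail Dangerous Undetected"],
    }
    acc[high_is] += fit["Fail High"]
    acc[low_is] += fit["Fail Low"]
    # No Effect and Annunciation rates are deliberately not added anywhere.
    return Rates(sd=acc["SD"], su=acc["SU"], dd=acc["DD"], du=acc["DU"])


def safe_failure_fraction(r: Rates) -> float:
    """SFF = (λS + λDD) / (λS + λD), IEC 61508-2 Annex C."""
    return (r.s + r.dd) / (r.s + r.d)


def diagnostic_coverage(r: Rates) -> float:
    """DC = λDD / λD."""
    return r.dd / r.d


def pfh_1oo1(r: Rates) -> float:
    """PFH of a single channel (HFT = 0) in high demand mode, in 1/h.

    IEC 61508-6 reduces this to λDU when every dangerous detected failure is
    driven to the safe state before a demand arrives. This is the element's
    own contribution only; sensors and actuators add theirs.
    """
    return r.du * FIT


def sil_band_high_demand(pfh: float) -> int:
    """High demand SIL band from IEC 61508-1 Table 3 (0 if PFH >= 1e-5)."""
    for sil, upper in ((4, 1e-8), (3, 1e-7), (2, 1e-6), (1, 1e-5)):
        if pfh < upper:
            return sil
    return 0


if __name__ == "__main__":
    # Same hardware, two applications: in the first the user logic catches a
    # Fail High but ignores Fail Low; in the second both are fail-safe by design.
    for label, hi, lo in (("plausibility check on high only", "DD", "DU"),
                          ("both drive fail-safe state", "SD", "SD")):
        r = classify(SAMPLE_FIT, hi, lo)
        print(f"{label}: SFF={safe_failure_fraction(r):.3f} "
              f"DC={diagnostic_coverage(r):.3f} PFH={pfh_1oo1(r):.2e}/h "
              f"SIL band={sil_band_high_demand(pfh_1oo1(r))}")
```

The point of the two runs is that an unchecked Fail Low lands in λDU and therefore directly in the PFH, while the same failure driven to the fail-safe state lands in λSD and only improves the SFF; the hardware is identical in both cases, so the verdict recorded under footnote (3) has to be justified by the user application logic rather than by the controller alone.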