Danfoss SC0XX-1XX User guide
Safety Manual
PLUS+1® Safety Controllers
SC0XX-1XX Safety Controller Family
www.danfoss.com
Safety Manual
SC0XX-1XX Safety Controller Family
Revision history |
Table of revisions |
|
|
|
|
|
|
|
|
|
Date |
|
Changed |
Rev |
|
|
|
|
|
|
December 2020 |
|
Corrected table on page 9 |
0601 |
|
|
|
|
|
|
|
|
Changed document number from 'BC00000237' and 'L1420375' to 'BC152986482864' |
XX |
|
|
|
|
|
|
June 2019 |
|
User application software development requirements, first bullet updated |
0501 |
|
|
|
|
|
|
December 2018 |
|
Updated user application software development requirements |
0404 |
|
|
|
|
|
|
August 2018 |
|
Corrected typo |
0403 |
|
|
|
|
|
|
August 2018 |
|
Corrected title |
0402 |
|
|
|
|
|
|
July 2018 |
|
Updated IEC 61508 to IEC 61508 : 2010 Parts 1-7 and IEC 62061:2005+ A1:2012+ A2:2015 |
0401 |
|
|
|
functional safety standards |
|
|
|
|
|
|
|
April 2017 |
|
Recommended diagnostics update; User application software development requirements |
0301 |
|
|
|
update |
|
|
|
|
|
|
|
March 2015 |
|
FMEDA analysis; User application software development requirements; and added tables for |
BA |
|
|
|
control of outputs |
|
|
|
|
|
|
|
December 2014 |
|
First edition |
AA |
|
|
|
|
|
2 | © Danfoss | December 2020 |
BC152986482864en-000601 |
Safety Manual |
|
SC0XX-1XX Safety Controller Family |
|
Contents |
|
Introduction |
|
This safety manual............................................................................................................................................................................ |
4 |
Certified SIL 2 Capable.............................................................................................................................................................. |
4 |
Comprehensive information................................................................................................................................................... |
4 |
User information.......................................................................................................................................................................... |
4 |
Latest version of technical literature.................................................................................................................................... |
5 |
PLUS+1® SC Controller support................................................................................................................................................... |
5 |
Component description and failure rates |
|
Processors and subsystems.......................................................................................................................................................... |
6 |
FMEDA analysis................................................................................................................................................................................. |
6 |
Failure categories description...................................................................................................................................................... |
7 |
Failure rates........................................................................................................................................................................................ |
8 |
Recommended diagnostics.......................................................................................................................................................... |
8 |
Design considerations |
|
Safety critical function.................................................................................................................................................................... |
9 |
Recommended diagnostics..................................................................................................................................................... |
9 |
User application software development requirements............................................................................................. |
10 |
Control of DOUT............................................................................................................................................................................. |
11 |
Control of PWMOUT/DOUT........................................................................................................................................................ |
12 |
Environmental limits..................................................................................................................................................................... |
12 |
Application limits........................................................................................................................................................................... |
12 |
Design verification......................................................................................................................................................................... |
12 |
SIL capability.................................................................................................................................................................................... |
12 |
Systematic capability............................................................................................................................................................... |
12 |
Random capability................................................................................................................................................................... |
12 |
Connection to sensors and actuators .................................................................................................................................... |
13 |
Requirements.................................................................................................................................................................................. |
13 |
Installation and operation considerations |
|
Installation........................................................................................................................................................................................ |
14 |
Physical location and placement ............................................................................................................................................ |
14 |
Repair and replacement ............................................................................................................................................................. |
14 |
Useful life........................................................................................................................................................................................... |
14 |
Software/hardware version numbers..................................................................................................................................... |
14 |
Security considerations................................................................................................................................................................ |
14 |
Danfoss Power Solutions notification ................................................................................................................................... |
14 |
Using the FMEDA results |
|
PFH calculation or PFDAVG calculation................................................................................................................................... |
15 |
Example application, failure rate analysis........................................................................................................................ |
15 |
Abbreviations and definitions |
|
Abbreviations.................................................................................................................................................................................. |
16 |
Definitions........................................................................................................................................................................................ |
16 |
Appendix A |
|
Risk reduction.................................................................................................................................................................................. |
18 |
Prerequisites.................................................................................................................................................................................... |
19 |
Requirements for Support Tools and Programming Languages.................................................................................. |
19 |
Software Safety Validation.......................................................................................................................................................... |
21 |
© Danfoss | December 2020 |
BC152986482864en-000601 | 3 |
Safety Manual
SC0XX-1XX Safety Controller Family
Introduction
This safety manual
This safety manual provides information necessary to design, implement, verify and maintain a safety critical function utilizing the PLUS+1® SC0XX-1XX Controller Family. This manual provides necessary requirements for meeting the IEC 61508 : 2010 Parts 1-7 and IEC 62061:2005+ A1:2012+ A2:2015 functional safety standards:
W Warning
Read manual completely before programming your application.
Certified SIL 2 Capable
The SC0XX-1XX Controller Family is certified SIL 2 Capable when deployed with the certified SIL 2 Capable OS that is embedded in their respective SC0XX-1XX HWD files.
The SC0XX-0XX Controller Family is designed for meeting the needs of SIL 2 applications where the OEM certifies at the machine level. The SC0XX-0XX Controller Family is not certified SIL 2 Capable as a component regardless of the HWD files with which it is deployed. The table below summarizes this information (the HWD filenames are representative, but not actual).
In all cases, the OEM/customer is responsible for the safety integrity requirement, implementation, and validation of their application.
Controller |
HWD for the Primary |
HWD for the Secondary |
Component-Level |
Machine-Level |
Family |
Processor |
Processor |
SIL 2 Capable |
SIL 2 Capable |
|
|
|
|
|
SC0XX-1XX |
SC0XX-1XX_HWD_Primary* |
SC0XX-1XX_HWD_Secondary* |
Yes |
Yes |
SC0XX-1XX |
SC0XX-0XX_HWD_Primary |
SC0XX-0XX_HWD_Secondary |
No |
Yes |
|
|
|
|
|
SC0XX-0XX |
SC0XX-1XX_HWD_Primary* |
SC0XX-1XX_HWD_Secondary* |
No |
Yes |
SC0XX-0XX |
SC0XX-0XX_HWD_Primary |
SC0XX-0XX_HWD_Secondary |
No |
Yes |
|
|
|
|
|
* These HWD files incorporate the certified SIL 2 Capable OS with Safety Diagnostic Functions.
Comprehensive information
Manual
Title |
Type |
Identification number |
|
|
|
PLUS+1® SC0XX-1XX Controller Family |
Technical Information |
BC152986482939 |
PLUS+1® GUIDE Software User Manual |
Operation Manual |
AQ152886483724 |
How to Install PLUS+1® GUIDE Upgrades |
Operation Manual |
AQ152886481488 |
User information
SC Controller model |
Document number |
|
|
|
|
|
|
|
Primary processor |
Secondary processor |
Data Sheet |
|
reference manual |
reference manual |
|
|
|
|
|
SC050-120/122 |
70156324 |
70156321 |
AI152986482636 |
|
|
|
|
SC024-120/122 |
70156499 |
70156500 |
AI152986482900 |
|
|
|
|
SC024-110/112 |
70156496 |
70156498 |
AI152986482941 |
|
|
|
|
SC050-13H |
70153891 |
70153903 |
L1407546 |
|
|
|
|
4 | © Danfoss | December 2020 |
BC152986482864en-000601 |
Safety Manual
SC0XX-1XX Safety Controller Family
Introduction
Latest version of technical literature
Comprehensive technical literature is online at www.danfoss.com
PLUS+1® SC Controller support
Contact information is online at: http://powersolutions.danfoss.com/products/PLUS-1-GUIDE/PLUS-1- support-and-training/
© Danfoss | December 2020 |
BC152986482864en-000601 | 5 |
Safety Manual
SC0XX-1XX Safety Controller Family
Component description and failure rates
Processors and subsystems
The PLUS+1® SC0XX-1XX Controller has two processors, the primary and the secondary processor, which communicate asynchronously with each other. The PLUS+1® SC0XX-1XX Controller has six main subsystems, each of which was analyzed individually. The configuration of a specific controller deployment is a function of the user application software.
Analyzed subsystems
Subsystem |
Description |
|
|
Common Logic |
Electrical components and circuitry typically involved with all applications regardless of the |
|
input-output channel configuration |
|
|
DIN/AIN/FreqIN |
Digital analog and frequency input pins |
|
|
CrntIn (current) |
Current input pins |
|
|
ResIN |
Resistance input pins |
|
|
DOUT |
Digital output pins |
|
|
CrntOUT (current) |
Current output pins |
|
|
FMEDA analysis
The FMEDA analysis results include the elements shown in the following diagram (components and inputs/outputs are color coded, blue for the primary processor and red for the secondary processor).
PLUS+1® SC0XX-1XX Controller—Parts included in the FMEDA
Connector |
|
|
|
|
|
|
|
|
Power input |
|
Protection and power supplies |
VLDP |
|
|
|||
|
|
|
|
|
||||
|
|
|
|
|
|
|||
Power return |
|
Comparator check |
|
|
|
|
|
|
|
|
V ref |
|
|
|
|
|
|
|
|
14 V 3 V 5 V |
|
|
|
|
|
|
|
|
CAN1 |
|
|
|
PWM shut-off [1:8] |
|
|
3 V |
|
|
|
Secondary |
DOUT shut-off [1:6] |
|
|
|
(supply and reference) |
|
|
processor |
Shut-off check [1:14] |
|
|
||
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
Voltage |
|
|
|
|
|
|
|
Clock 2 |
supervisor 2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3 V |
Reset |
|
Async COM |
|
|
|
|
Clock 1 |
Voltage |
|
|
|
|
|
|
|
|
|
|
|
|
||
Inputs [1:24] |
Input |
|
supervisor 1 |
|
|
|
|
|
|
conditioning |
|
|
|
|
PWM current feedback [1:8] |
|
|
|
|
CAN1 |
|
Primary |
|
PWM control [1:8] |
|
Power return |
|
|
|
|
|
|
|||
|
|
|
processor |
|
Outputs |
|||
|
|
|
|
|
|
|||
|
|
CAN2 |
|
|
|
DOUT status feedback [1:6] |
|
|
|
|
Sensor power |
|
|
|
DOUT control [1:6] |
|
|
|
|
|
|
|
|
|
|
|
External
memory
PWM outputs [1:8]
DOUT [1:6]
The PLUS+1® SC0XX-1XX Controller is classified as a Type B1 high demand mode component with HFT = 0 per IEC 61508.
The PLUS+1® SC0XX-1XX Controller is certified to provide a 1oo1D architecture in accordance with IEC 61508. This allows the conclusion that a CAT2 architecture can be implemented in accordance with ISO 13849 or ISO 25119. For example this can be accomplished by using the primary processor as main controller for the Safety Function and the secondary processor as diagnostic element (intelligent watch dog, TE-Test Equipment) to observe the correct function of the primary processor and to independently de-energize (safe-state) all corresponding safety-related outputs.
1 Type B component: “Complex” element (using microcontrollers or programmable logic); for details see 7.4.4.1.3 of IEC 61508.
6 | © Danfoss | December 2020 |
BC152986482864en-000601 |
Safety Manual
SC0XX-1XX Safety Controller Family
Component description and failure rates
Detailed analysis, review and documentation for compliance to ISO 13849 or ISO 25119 must be done by the designer or integrator of the safety related system.
Failure categories description
In order to judge the failure behavior of the PLUS+1® SC0XX-1XX Controller, the following definitions for the failure of the component apply.
Definitions for failure of the component
Failure category(1) |
Definition |
Fail-Safe State |
State where the safety output is de-energized. |
|
|
Fail Safe |
State where the safety output is de-energized. |
|
|
Fail Detected |
Failure that is detected by the PLUS+1® SC Controller and causes the |
|
output signal to go to the predefined fail safe state. |
|
|
Fail Dangerous |
Failure that deviates the measured input state or the actual output by |
|
more than the safety accuracy (2% of span) and that leaves the output |
|
within the active range. |
|
|
Fail Dangerous Undetected |
Failure that is dangerous and that is not being diagnosed by automatic |
|
diagnostics or expected user logic. |
|
|
Fail Dangerous Detected |
Failure that is dangerous but is detected by automatic diagnostics or is |
|
expected to be detected by user logic. |
|
|
Fail High(2)(3) |
Failure that causes a safety input signal to go to a value that is clearly |
|
above the normal range and can therefore be reliably detected by the |
|
user application software. |
|
|
Fail Low(2)(3) |
Failure that causes a safety input signal to go to a value that is clearly |
|
below the normal range and can therefore be reliably detected by the |
|
user application software. |
|
|
No Effect |
Failure of a component that is part of the safety function but that has no |
|
effect on the safety function. |
|
|
Annunciation Detected |
Failure that does not directly impact safety but does impact the ability to |
|
detect a future fault (such as a fault in a diagnostic circuit) and that is |
|
detected by internal diagnostics. |
|
|
Annunciation Undetected |
Failure that does not directly impact safety but does impact the ability to |
|
detect a future fault (such as a fault in a diagnostic circuit) that is not |
|
detected by internal diagnostics. |
|
|
λSD |
Failure rate of all safe detected failures |
λSU |
Failure rate of all safe undetected failures |
λDD |
Failure rate of all dangerous detected failures |
λDU |
Failure rate of all dangerous undetected failures |
λD |
Failure rate of all dangerous failures, detected and undetected |
A D |
Failure rate of all annunciation detected failures |
A U |
Failure rate of all annunciation undetected failures |
FIT |
Failure In Time (1x10-9 failures per hour) |
(1)The failure categories listed above, expand upon the categories listed in IEC 61508, which are only safe and dangerous, both detected and undetected. In IEC 61508, the No Effect failures cannot contribute to the failure rate of the safety function. Therefore, they are not used for the Safe Failure Fraction calculation.
(2)Depending on the application, a Fail High or a Fail Low failure can either be safe or dangerous and may be detected or undetected depending on the user software application program.
(3)Consequently, during a Safety Integrity Level (SIL) verification assessment, the Fail High and Fail Low failure categories need to be classified as safe or dangerous, and as detected or undetected.
© Danfoss | December 2020 |
BC152986482864en-000601 | 7 |
Loading...