hiperface dsl – combined with safetysick ag 1 bernd appel - germany hiperface dsl – combined...

1SICK AGBernd Appel - Germany

Hiperface DSL – Combined with Safety

International TÜV Rheinland Symposium in ChinaFunctional Safety in Industrial Applications18 – 19 October 2011, Shanghai - China


Safety Implementation

� Hiperface DSL� Protocol overview� Safety architecture

� Safety function of DSL encoders

� Safety implementation� Failure modes� Motor requirements� Drive requirements

� Documentation






� Documentation


Protocol Overview

� Hiperface DSL (Digital Servo Link)� SICK protocol for motor-feedback systems / encoders� Point-to-point connection drive - encoder

Drive

Motor housing

Motor

Encoder

Drive

controller

Power

electronics

One cable for motor & encoder

2 wires for encoder connection

up to

100 m

Drive

Motor housing

Motor

Encoder

Drive

controller

Power

electronics

One cable for motor

One cable for encoder

4 wires for encoder connection

up to

100 m

Variant 1: One cable Variant 2: “Classical” - two cables


Protocol Overview

� Hiperface DSL (Digital Servo Link)� Cyclic communication� Synchronized to drive cycle (500 Hz ~ 80 kHz)


Protocol Overview

� Hiperface DSL (Digital Servo Link)� Multiple communication channels� Fixed framing� Fast position frame: 12…24 µs length

� Safe position frame: 96…192 µs length






� Documentation


Safety Architecture

� Hiperface DSL (Digital Servo Link) Safety protocol� Safe position channel 1 & 2� Diverse, redundant transmission� Dual CRC check


Safety Architecture

� Safety architecture SIL2� 1 sensor channel with diagnostics (“1oo1D” architecture)� Redundant data transmission of same sensor data


Safety Architecture

� Safety architecture SIL3� 2 sensor channels with diagnostics (“1oo2D” architecture)� Data transmission of 2 sensor values

Driv

e

OK …

Safe position channel

Safe position channel 2

SIL3Encoder

Sensor 2

Diagnostics (µC)

Inter-face 2

Inter-face

Drive Controller 1

Drive Controller 2

SICKresponsibility

Customerresponsibility

Sensor 1

Inter-face 1


Safety Architecture

� Diagnostics for safety functions� Sensor signal monitoring (sin2 + cos2 check)� Redundant sensor signal digitizing� CRC for parameter storage� CRC for data transmission� Frame counter for data transmission (“toggle bit”)� Supply voltage, sensor current, ambient temperature monitoring� Mission-time counter






� Documentation


Safety Function

� Encoders with Hiperface DSL are safe in drive applications only

Drive System (User) Encoder System

AC

Synchronous /

Asynchronous

Motor

Mechanical

Connection

(Shaft/Housing)

SensorSensor

Interface

Drive

Interface

Analysis,

Diagnostics

Safety

Function

Motor Stop

in case of Error

(STO)


Hiperface DSLSafety function

� Supported safety functions (acc. IEC 61800-5-2)

STO is generally selected in case of error detection

Safe Torque OffSTO (informative)

Only if indicated for specific product

Safely-limited Position

SLP

Safely-limited Increment

SLI

Safe DirectionSDI

Safe Speed RangeSSR

Safe Acceleration Range

SAR

Safely Limited Acceleration

SLA

Safe Stop 2SS2

Safe Stop 1SS1

Safely Limited SpeedSLS

Safe Operating StopSOS

RemarksFunctionMode


Safety Function

� Safety Parameters� Target for all future DSL encoders

� Specific values found in product datasheet

> 90%Safe Failure Fraction

> 90%-DCavg

> 30 years-MTTFd

1 hour1 hourDiagnostic Test Interval

-Not requiredProof Test Interval

20 years> 20 yearsMission Time

< 10% of PL d resp.PFHd < 10-7 [1/h]

< 10% of SIL 2 resp.PFHd < 10-7 [1/h]

Fraction of availablePFHd allotted toencoder system

Use in safety-relevantfunctional chainsaccording to PL d

Use in safety-relevantfunctional chains accordingto SIL 2

Classification

Corresponds with category 3(in connection with drive systems only)

Structure

Characteristicparameter accordingto DIN EN ISO 13849

Characteristic parameteraccording toDIN EN 62061 / IEC 61508

> 90%Safe Failure Fraction

> 90%-DCavg

> 30 years-MTTFd


-> 4 yearsProof Test Interval


< 20% of PL e resp.PFHd < 2 * 10-8 [1/h]

< 20% of SIL 3 resp.PFHd < 2 * 10-8 [1/h]

Fraction of available PFHd allotted to encoder system

Use in safety-relevant functional chains according to PL e

Use in safety-relevant functional chains according to SIL 3

Classification


Structure

Characteristic parameter accordingto DIN EN ISO 13849

Characteristic parameter according toDIN EN 62061 / IEC 61508

SIL2 encoders SIL3 encoders


Safety Function

� Safety Parameter example� EKS/EKM36 encoder (first series product)

95%Safe Failure Fraction

90%-DCavg

412 years-MTTFd


-Not requiredProof Test Interval


2.8% of PL d resp.PFH = 2.77 x 10-8 [1/h]

2.8% of SIL 2 resp.PFH = 2.77 x 10-8 [1/h]

Fraction of availablePFH allotted to encoderSystem

Use in safety-relevantfunctional chainsaccording to PL d

Use in safety-relevantfunctional chains accordingto SIL 2

Classification


Structure

Characteristicparameter accordingto DIN EN ISO 13849

Characteristic parameteraccording toDIN EN 62061 / IEC 61508

EKS/EKM36 encoder





� Safety implementation

� Failure modes� Motor requirements� Drive requirements

� Documentation


Safety Implementation for Drives

� DSL Master IP-core

� Clock frequency

� 75.0 MHz

� Logic size (standard variant)

� 1700 slices (Xilinx Spartan-3)� 1500 slices (Xilinx Spartan-6)

� 3000 LE (Altera Cyclone III)

� Safe variant: adds +10% logic



� DSL Master IP-core interfaces� “Interface1”: Drive Controller 1

� Serial (SPI)

� Parallel (EMIFA)

� “Interface2”: Drive Controller 2For Safety only!� Serial (SPI)



� DSL Master IP-core� Safety relevance?

� “Grey channel”� Single channel in safety system

� Diagnostics from outside(encoder, drive application)







� Documentation


Safety Failure Modes

� Considered failure modes� Mechanical failures of encoder

� Shaft attachment

� Housing attachment

� Loss of code disc

� Electronical failures of encoder� Signal shape

� Static signals

� Short-cuts, open-circuits� Transmission failures

� Loss, insertion, repetition of frames

� Data corruption� Electronical failures of drive interface

� Static signals

� Short-cuts, open-circuits

Drive







� Documentation


Motor Requirements

� Encoder assembly� Defined geometry of shaft connection

� Defined torque for shaft connection� Defined conditions for housing connection

� Assembly parameters must be monitored and recorded by user

� Usage requirements� Specification for shock/vibration

� All details in product “Operating Manual”







� Documentation


Drive Requirements

� Handling of encoder and transmission faults in drive� Error indicators show detection of faults

� Severity of fault explained in manual

� All details in “DSL Manual”, product datasheet


Drive Requirements

� Diagnostic tests

� Aim: Fault detection still working?� Drive has to send test messages to encoder

cyclically

� Diagnostic test interval: ~ 1h (slow!)� Diagnostic test generates fault in encoder

� Error indication shows that diagnostics are working

� All details in “DSL Safety Implementation Manual”

Example:


Drive Requirements

� Diagnostics in drive controllers

� Necessary since IP-Core is“grey channel”

� Check of 2 position values

� Check of CRC values

Drive

Example:







� Documentation


Documentation

� Two categories of documentation

� Hiperface DSL documentation� General specification of

interface, protocol� Target: Drive

manufacturer

� Encoder documentation� Specific for each product series� Target: Drive and motor manufacturer

� Example: EKS/EKM36DSL Manual(non-safety)

Protocoldetails

DSL Safety Manual

Drive requirementsIP-Core

(interface) Manual

FPGA detailsIP-Core

(interface) datasheet

IP-Core characteristics

OperatingManual

Motor requirementsDatasheet

Encoder characteristics

hiperface dsl – combined with safetysick ag 1 bernd appel - germany hiperface dsl – combined...

Documents