Report No.: SZES190801508401
Page 1 of 19
EN ISO 13849-1A Report Rev. 1.1
TEST REPORT
EN ISO 13849-1:2015
Safety of machinery - Safety-related parts of control systems
Part 1: General principles for design
Responsibility
Tested by (printed name and signature) .......... : Shawn Chen
Approved by (printed name and signature) .......... : Judy Fu
Date of issue .................................... : 2020-06-01
Testing Laboratory Name ............. : SGS-CSTC Standards Technical Services Co., Ltd. Shenzhen Branch.
Address ............................................ : No. 1 Workshop, M-10, Middle Section, Science & Technology Park, Shenzhen, Guangdong, China 518057
Applicant's Name ........................... : YOKU ENERGY (ZHANGZHOU) CO., LTD.
Address ............................................ : No.198, Highway 319, Jingcheng, Nanjing, Zhangzhou, Fujian Province, China
Manufacturer’s Name .................... : Zhangzhou Aucopo Energy Technology Co., Ltd.
Address ............................................ : No.198, Highway 319, Jingcheng, Nanjing, Zhangzhou, Fujian Province, China
Test specification
Standard ........................................... : EN ISO 13849-1:2015
Test procedure ................................. : SGS-CSTC
Non-standard test method ............... : N/A
Test Report Form No. EN ISO 13849-1A
TRF originator. .................................. : SGS
Master TRF ...................................... : Dated
Products may only be provided with an approval mark if the relevant conditions have been fulfilled.
© Publication in total or in part and/or reproduction in whatever way of the contents of this report is not allowed unless permission has been explicitly given either in this report or by previous letter.
Test item description .................... : BMS for battery package
Trademark ....................................... :
Model and/or type reference ............ : WBSW191003 BMS board for following models:
Alpha Series:
WB3621ZCZR*,WB3617ZCZR*,WB3616ZCZR*,WB3615ZCZR*,
WB3614ZCZR*,WB3613ZCZR*,WB3612ZCZR*,WB3611ZCZR*,
WB3610ZCZR*,WB3609ZCZR*,WB3608ZCZR*
iTube Series:
WB3617ZGIR*,WB3616ZGIR*, WB3615ZGIR*, WB3614ZGIR*, WB3613ZGIR*,WB3612ZGIR*,WB3611ZGIR*, WB3610ZGIR*, WB3609ZGIR*,WB3608ZGIR*
ZDS Series:
WB3617ZDSR*,WB3616ZDSR*, WB3615ZDSR*, WB3614ZDSR*, WB3613ZDSR*,WB3612ZDSR*,WB3611ZDSR*, WB3610ZDSR*, WB3609ZDSR*,WB3608ZDSR*
ZFL Series:
WB3617ZFLR*,WB3616ZFLR*, WB3615ZFLR*, WB3614ZFLR*, WB3613ZFLR*,WB3612ZFLR*,WB3611ZFLR*, WB3610ZFLR*, WB3609ZFLR*,WB3608ZFLR*
ZFN Series:
WB3617ZFNR*,WB3616ZFNR*, WB3615ZFNR*, WB3614ZFNR*, WB3613ZFNR*,WB3612ZFNR*,WB3611ZFNR*, WB3610ZFNR*, WB3609ZFNR*,WB3608ZFNR*
ZFS Series:
WB3617ZFSR*,WB3616ZFSR*, WB3615ZFSR*, WB3614ZFSR*, WB3613ZFSR*,WB3612ZFSR*,WB3611ZFSR*, WB3610ZFSR*, WB3609ZFSR*,WB3608ZFSR*
ZFU Series:
WB3617ZFUR*,WB3616ZFUR*, WB3615ZFUR*, WB3614ZFUR*, WB3613ZFUR*,WB3612ZFUR*,WB3611ZFUR*, WB3610ZFUR*, WB3609ZFUR*,WB3608ZFUR*
ZGC Series:
WB3617ZGCR*,WB3616ZGCR*,WB3615ZGCR*,WB3614ZGCR*, WB3613ZGCR*,WB3612ZGCR*,WB3611ZGCR*,WB3610ZGCR*, WB3609ZGCR*,WB3608ZGCR*
ZGH Series:
WB3617ZGHR*,WB3616ZGHR*, WB3615ZGHR*, WB3614ZGHR*, WB3613ZGHR*,WB3612ZGHR*, WB3611ZGHR*, WB3610ZGHR*, WB3609ZGHR*,WB3608ZGHR*
ZGN Series:
WB3617ZGNR*, B3616ZGNR*, WB3615ZGNR*, WB3614ZGNR*, WB3613ZGNR*,WB3612ZGNR*, WB3611ZGNR*, WB3610ZGNR*, WB3609ZGNR*,WB3608ZGNR*
ZGQ Series:
WB3617ZGQR*,WB3616ZGQR*,WB3615ZGQR*,WB3614ZGQR*, WB3613ZGQR*,WB3612ZGQR*, WB3611ZGQR*,WB3610ZGQR*, WB3609ZGQR*,WB3608ZGQR*
ZGM Series:
WB3617ZGMR*,WB3616ZGMR*,WB3615ZGMR*,WB3614ZGMR*, WB3613ZGMR*,WB3612ZGMR*,WB3611ZGMR*,WB3610ZGMR*, WB3609ZGMR*,WB3608ZGMR*
Aston Series:
WB3611ZEOR*, WB3613ZEOR*, WB3614ZEOR*, WB3617ZEOR*, WB4809ZEOR*, WB4812ZEOR*,WB4814ZEOR*
Astar Series:
WB3609ZELR*, WB3610ZELR*, WB3612ZELR*, WB3613ZELR*, WB4809ZELR*, WB4810ZELR*
Astin Series:
WB3609ZEUR*, WB3610ZEUR*, WB3612ZEUR*, WB3613ZEUR*, WB4810ZEUR*, WB4809ZEUR*
Epro Series:
WB3611ZDDR*, WB3613ZDDR*, WB3614ZDDR*, WB3617ZDDR*, WB4809ZDDR*, WB4812ZDDR*,WB4814ZDDR*
Mini Epro Series:
WB3609ZDHR*, WB3610ZDDR*, WB3613ZDHR*, WB4809ZDHR*, WB4810ZDHR*
HW & FW Version............................. : HW: WBSW191003
Rating(s) ........................................... : See the nameplate
Test case verdicts
Test case does not apply to the test object ....................... : N/A
Test item does meet the requirement ................................ : P(ass)
Test item does not meet the requirement .......................... : F(ail)
Testing
Date of receipt of test item ................................................. : 2019-08-19
Date(s) of performance of test ........................................... : 2019-08-19~2020-06-01
General remarks
This report shall not be reproduced except in full without the written approval of the testing laboratory.
The test results presented in this report relate only to the item(s) tested.
"(see remark #)" refers to a remark appended to the report.
"(see Annex #)" refers to an annex appended to the report.
Throughout this report a comma is used as the decimal separator.
References
No. | Document Description
[1] | SRS_WBSW191X03+BMS_20200319_v1.0
[2] | HW&SW Design Description_WBSW191X03+BMS_20200319_v1.0
[3] | Validation Test Report_WBSW191X03+BMS_20200319_v1.0 _v1.2
[4] | FMEDA _WBSW191X03 BMS_v1.1
[5] | SPB19-TI10-012-A-A01 Schematic
[6] | AUCOPO ISO9001 2015 Quality Management System Certification
[7] | WBSW191X03 Pack BMS Specification_V1.0
[8] | Environment test report
Revision Logs
Version Changes Description
V1.0 Initial Version
1) Nameplates and Product Photos
2) Package Photos
[Photos: Alpha Series, ZDS Series, SB Series, iTube Series, ZFL Series, ZFN Series, ZFS Series, ZFU Series, ZGC Series, ZGH Series, ZGN Series, ZGQ Series, ZGM Series, Aston Series, Astar Series, Astin Series, Epro Series, Mini Epro Series]
3) PCB Photos
4) PCB Layout
Summary of assessment:
The safety protection functions of the WBSW191003 Pack can be applied in a category 2 system to achieve performance level PL c. For details, refer to the following report.
1. BMS Protection Functions
To prevent the risk of fire in case of a battery management system failure, the following protection circuits have been defined as safety-related functions in the BMS part:
- Over/under voltage protection
- Over current (short) protection
- Over/under temperature protection
The behavior of the safety functions under fault conditions is defined as switching off the charging or discharging MOSFET within the specified response time.
2. Risk Assessment
Per Figure A.1 of ISO 13849-1:2015
Figure 1 Risk Assessment
Note: The required performance level (PLr c) has been defined in BS EN 15194:2017, 4.3.22.
3. Analysis of the Category
Figure 2 Safety Structure for BMS
Structure analysis: the category and circuit modules are described in the table below:
Category Modules | Circuit modules description
Input | Package & cells voltage input, 1 current sensor, 1 temperature sensor in primary protection circuits
Logic | Battery Protector in primary protection circuits
Output | Charging & discharging MOSFETs in primary protection circuits
Test Equipment (TE) | All secondary protection circuits were considered TE-related parts, i.e. fuel gauge, MCU, temperature sensor 2, fuse circuits.
Output Test Equipment (OTE) | The CAN bus was considered an OTE-related part; the alarm information can be sent to the display on detection of faults in the protection circuits.
Result:
According to the above analysis and the safety structure diagram, the safety system structure can be considered category 2.
4. Calculate the components MTTFd
Analysis:
The system MTTFd has been calculated based on the schematic and BoM. The MTTFd calculation report has been checked and confirmed; the total system MTTFd is 568.2 years.
Result:
Per Table 4 of ISO 13849-1:2015, the calculated value for the system MTTFd of 568.2 years results in a HIGH level of reliability.
5. Estimate the diagnostic coverage (DC)
Annex E of ISO 13849-1:2015 is used as the guideline to estimate the diagnostic coverage (DC) of the system, which in fact is noted as average DC (DCavg). First, the diagnostic coverage of the circuits used in the system is determined.
Function | DC | Diagnosis Methods Description
Voltage protection | 60 % | If any fault occurs in the cell voltage monitoring circuits or the package voltage goes wrong, the BMS will detect it and send the alarm information to the display, and the system will go into safe state. 60% diagnostic coverage could be claimed with this diagnostic measure.
Current protection | 60 % | If any fault is detected, the BMS will send the alarm information to the display and switch off the discharge circuit. 60% diagnostic coverage could be claimed with this diagnostic measure.
Temperature protection | 60 % | 2 extra temperature sensors are used for monitoring the battery and cell temperature, and the 2 temperature sensors form the secondary protection function. If the cell temperature rises to a limit value, the BMS will switch off the discharge and charge circuits, the alarm information will be sent to the display and the system will go into safe state. 60% diagnostic coverage could be claimed with this diagnostic measure.
Result:
The minimum DC value has been taken as the system DCavg. Per clause 4.5.3 and Table 5 of ISO 13849-1:2015, the diagnostic coverage (DC) level is determined to be LOW for this system.
6. Estimate Common Cause Failure
Annex F of ISO 13849-1:2015 is used as the guideline to estimate the common cause failure (CCF) of the interlock system. This is based on the requirements set forth in IEC 61508-6.
No | Item and Measures Against CCF | Score for control circuit | Maximum possible score
1 | Separation/segregation: Physical separation between signal paths | 15 | 15
2 | Diversity: Different technologies/design or physical principles are used | 0 | 20
3 | Design/application/experience: Protection against over-voltage, over-pressure, over-current, over-temperature, etc. | 15 | 15
3 | Design/application/experience: Components used are well-tried. | 5 | 5
4 | Assessment/analysis: For each part of safety related parts of control system, a failure mode and effect analysis has been carried out and its results considered to avoid common-cause-failures in the design. | 0 | 5
5 | Competence/training: Training of designers to understand the causes and consequences of common cause failures. | 0 | 5
6 | Environmental: The system is designed to meet EMC directive | 25 | 25
6 | Environmental: Other influences: Consideration of the requirements for immunity to all relevant environmental influences such as temperature, shock, vibration, humidity | 10 | 10
TOTAL | | 70 | 100
Result: The estimated CCF for the function of prevention of an intentional power self-start is 70, which is larger than the minimum requirement of 65, thus the calculated CCF meets the requirements set forth in ISO 13849-1.
7. Safety-related Software
N/A
8. Systematic Failure
8.1. Introduction
When electrical systems are used in conjunction with other technologies, then relevant tables for basic safety and well–tried safety principles should also be taken into account.
8.2. List of basic safety principles
Table D.1 — Basic safety principles
Clause | Requirement + Test | Result - Remark | Verdict
Use of suitable materials and adequate manufacturing | Selection of material, manufacturing methods and treatment in relation to e. g. stress, durability, elasticity, friction, wear, corrosion, temperature, conductivity, dielectric rigidity. | Refer to the display BOM. | P
Correct dimensioning and shaping | Consider e. g. stress, strain, fatigue, surface roughness, tolerances, manufacturing. | Not assessed in this report. | N/A
Proper selection, combination, arrangements, assembly and installation of components/system | Apply manufacturer's application notes, e. g. catalogue sheets, installation instructions, specifications, and use of good engineering practice. | Work products in main phase are available. The Display user manual is available. | P
Correct protective bonding | One side of the control circuit, one terminal of the operating coil of each electromagnetic operated device or one terminal of other electrical device is connected to the protective bonding circuit [for full text see EN 60204-1:1997 (IEC 60204-1:1997), 9.1.4]. | Not assessed in this report. | N/A
Insulation monitoring | Use of isolation monitoring device which either indicates an earth fault or interrupts the circuit automatically after an earth fault [see EN 60204-1:1997 (IEC 60204-1:1997), 9.4.3.1]. | Not assessed in this report. | N/A
Use of de–energisation principle | A safe state is obtained by de–energising all relevant devices, e. g. by using of normally closed (NC) contact for inputs (push–buttons and position switches) and normally open (NO) contact for relays [see also EN 292–2:1991 (ISO/TR 12100-2:1992), 3.7.1]. Exceptions may exist in some applications, e. g. where the loss of the electrical supply will create an additional hazard. Time delay functions may be necessary to achieve a system safe state [see EN 60204–1:1997 (IEC 60204-1:1997), 9.2.2]. | Not assessed in this report. | N/A
Transient suppression | Use of a suppression device (RC, diode, varistor) parallel to the load, but not parallel to the contacts. | | P
Reduction of response time | Minimise delay in de–energising of switching components. | Not assessed in this report. | N/A
Compatibility | Use components compatible with the voltages and currents used. | All components meet the requirements of volt and current rated value. | P
Withstanding environmental conditions | Design the equipment so that it is capable of working in all expected environments and in any foreseeable adverse conditions, e. g. temperature, humidity, vibration and electromagnetic interference (EMI) | The product has been executed EMC testing according to the requirement, all testing items passed, EMC testing report is available. | P
Secure fixing of input devices | Secure input devices, e. g. interlocking switches, position switches, limit switches, proximity switches, so that position, alignment and switching tolerance is maintained under all expected conditions, e. g. vibration, normal wear, ingress of foreign bodies, temperature. See EN 1088:1995 (ISO 14119:1998), clause 5. | Not assessed in this report. | N/A
Protection against unexpected start–up | Prevent unexpected start–up, e. g. after power supply restoration [see EN 292–2:1991 (ISO/TR 12100-2:1992), 3.7.2, EN 1037 (ISO 14118), EN 60204–1 (IEC 60204-1)]. | | N/A
Protection of the control circuit | The control circuit should be protected in accordance with EN 60204-1:1997 (IEC 60204-1:1997), 7.2 and 9.1.1. | | N/A
Sequential switching for circuit of serial contacts of redundant signals | To avoid the common mode failure of the welding of both contacts, the switching on and off does not happen simultaneously, so that one contact always switches without current. | | N/A
8.3. List of well–tried safety principles
Table D.2 — Well–tried safety principles
Clause | Requirement + Test | Result - Remark | Verdict
Positive mechanically linked contacts | Use of positively mechanically linked contacts for, e. g. monitoring function [see EN 292–2:1991 (ISO/TR 12100-2:1992), 3.5]. | Not assessed in this report. | N/A
Fault avoidance in cables | To avoid short circuit between two adjacent conductors: use cable with shield connected to the protective bonding circuit on each separate conductor, or in flat cables, use of one earthed conductor between each signal conductors. | Not assessed in this report. | N/A
Separation distance | Use of sufficient distance between position terminals, components and wiring to avoid unintended connections. | Having sufficient distance between position terminals, components and wiring to avoid unintended connections. | P
Energy limitation | Use of a capacitor for supplying a finite amount of energy, e. g. in timer application. | Not assessed in this report. | N/A
Limitation of electrical parameters | Limitation in voltage, current, energy or frequency resulting, e. g. in torque limitation, hold–to–run with displacement/time limited, reduced speed, to avoid leading to an unsafe state. | All main components were de-rating used. | P
No undefined states | Avoid undefined states in the control system. Design and construct the control system so that during normal operation and all expected operating conditions its state, e. g. its output(s) can be predicted. | All state is defined clearly, no undefined states. | P
Positive mode actuation | Direct action is transmitted by the shape (and not by the strength) with no elastic elements, e. g. spring between actuator and the contacts, [see EN 1088:1995 (ISO 14119:1998), 5.1]. | Not assessed in this report. | N/A
Failure mode orientation | Wherever possible, the device/circuit should fail to the safe state or condition. | The diagnostic measures are designed, in case of any faults detected; the system will go into safe state. | P
Oriented failure mode | Oriented failure mode components or systems should be used wherever practicable [see EN 292–2:1991 (ISO/TR 12100-2:1992), 3.7.4]. | Not assessed in this report. | N/A
Over–dimensioning | De-rate components when used in safety circuits, e. g. by: Current passed through switched contacts should be less than half their rated current, The switching frequency of components should be less than half their rated value, and Total number of expected switching operation shall be ten times less than the device's electrical durability. | Not assessed in this report. | N/A
Minimise possibility of faults | Separate safety–related functions from the other functions | | N/A
Balance complexity/simplicity | Balance should be made between complexity to reach a better control and simplify to have a better reliability. | The balance between complexity controllability and simple reliability are taken into consideration during product design and development life cycle. | P
9. Performance Testing Under Expected Environmental Conditions
The following environmental testing has been executed to verify the ability of the safety function:
1) Initial capacity testing
2) Cycle life at 25 °C
3) Storage characteristics
4) High temperature storage testing
5) Temperature dependency of capacity
6) Electrostatic discharge testing
7) Constant temperature and constant humidity testing
8) EMC test etc.
10. Conclusions and Recommendations
The performance level of the safety protection function is determined in the table below.
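Category | B | 1 | 2 | 2 | 3 | 3 | 4
DCavg | None | None | Low | Medium | Low | Medium | High
MTTFd of each channel: Low | a | Not covered | a | b | b | c | Not covered
MTTFd of each channel: Medium | b | Not covered | b | c | c | d | Not covered
MTTFd of each channel: High | Not covered | c | c | d | d | d | e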
Result:
According to the above analysis and evaluation, the WBSW191003 BMS matched with a display can compose a category 2 system achieving PL c. The required performance level is PLr c, so the performance level meets the requirements per ISO 13849.
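
Added example, not part of the original report or the laboratory's own tooling: the evaluation chain of sections 3 to 6 and 10 (CCF total, DCavg taken as the minimum DC, MTTFd level, table lookup) carried through in Python with the report's values. Function and variable names are hypothetical; the MTTFd and DC ranges are those of ISO 13849-1 Tables 4 and 5.

```python
# Added example: the simplified ISO 13849-1 evaluation this report follows.
# Inputs are the values stated in the report; all names are hypothetical.
PL_ORDER = "abcde"
CCF_MINIMUM = 65  # minimum CCF score quoted in section 6

# Section 6 scores as (awarded, maximum possible)
CCF_SCORES = {
    "Separation": (15, 15), "Diversity": (0, 20),
    "Protection against over-voltage etc.": (15, 15),
    "Well-tried components": (5, 5), "FMEA considered": (0, 5),
    "Competence/training": (0, 5), "EMC": (25, 25),
    "Other environmental influences": (10, 10),
}

# Section 10 table: (category, DCavg level) -> PL per MTTFd level
PL_TABLE = {
    ("B", "None"):   {"Low": "a", "Medium": "b", "High": None},
    ("1", "None"):   {"Low": None, "Medium": None, "High": "c"},
    ("2", "Low"):    {"Low": "a", "Medium": "b", "High": "c"},
    ("2", "Medium"): {"Low": "b", "Medium": "c", "High": "d"},
    ("3", "Low"):    {"Low": "b", "Medium": "c", "High": "d"},
    ("3", "Medium"): {"Low": "c", "Medium": "d", "High": "d"},
    ("4", "High"):   {"Low": None, "Medium": None, "High": "e"},
}

def mttfd_level(years):
    """Table 4 ranges; below 3 years is not covered, above 100 counts as High."""
    if years < 3:
        return None
    return "Low" if years < 10 else "Medium" if years < 30 else "High"

def dc_level(percent):
    """Table 5 ranges for diagnostic coverage."""
    if percent < 60:
        return "None"
    return "Low" if percent < 90 else "Medium" if percent < 99 else "High"

def evaluate(category, mttfd_years, dc_percentages, ccf_scores, plr):
    ccf = sum(awarded for awarded, _ in ccf_scores.values())
    dc = dc_level(min(dc_percentages))  # the report takes the minimum DC as DCavg
    mttfd = mttfd_level(mttfd_years)
    pl = PL_TABLE.get((category, dc), {}).get(mttfd)
    if category in ("2", "3", "4") and ccf < CCF_MINIMUM:
        pl = None  # CCF requirement not met, so the category cannot be claimed
    meets = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
    return {"ccf": ccf, "dc": dc, "mttfd": mttfd, "pl": pl, "meets_plr": meets}

# Values from the report: category 2, 568.2 years, 60 % per function, PLr c
REPORT = evaluate("2", 568.2, [60, 60, 60], CCF_SCORES, "c")

if __name__ == "__main__":
    print(REPORT)
    # Constructed sensitivity checks: no EMC credit, and a 25-year MTTFd
    print(evaluate("2", 568.2, [60, 60, 60], dict(CCF_SCORES, EMC=(0, 25)), "c"))
    print(evaluate("2", 25, [60, 60, 60], CCF_SCORES, "c"))
```

The two constructed checks show the margins in the result: the CCF total of 70 sits 5 points above the minimum, and every DC value sits exactly on the 60 % boundary of the LOW range.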