SPRAD98, May 2023
TMS320F280033, TMS320F280034, TMS320F280034-Q1, TMS320F280036-Q1, TMS320F280036C-Q1, TMS320F280037, TMS320F280037-Q1, TMS320F280037C, TMS320F280037C-Q1, TMS320F280038-Q1, TMS320F280038C-Q1, TMS320F280039, TMS320F280039-Q1, TMS320F280039C, TMS320F280039C-Q1

  Abstract
  Trademarks
  1 Introduction
  2 Understanding Cat 2, PLd Safety Requirements
    2.1 Safety Requirements per ISO 3691-4
    2.2 System Architecture Selection
    2.3 Device Selection Based on Process Safety Time
  3 Implementing Mobile Robot Motor Drive Safety Requirements
  4 Conclusion

Device Selection Based on Process Safety Time

Once the initial safety requirements and the architecture to be implemented are known, the devices can be selected. As a common starting point, the MCU or processor is selected before the rest of the devices, and aspects such as safety features and processing capability are key criteria in that selection.

Within the safety standard, ISO 13849-1 describes different timing requirements to make sure that the system is able to detect a fault and reach a safe state within a defined process safety time. Figure 2-3 shows the typical nomenclature used to define the time intervals.

Figure 2-3 Functional Safety Related Timing Considerations

The diagnostic time interval is the amount of time available to execute the diagnostic functions and process their results. For a given diagnostic time interval, higher diagnostic coverage requires a more powerful processor.

Due to the unpredictability of the hazards, in AMRs the diagnostics need to be run continuously. By running continuously, a fault can be instantaneously detected and the device can be brought to the safe state within the required process safety time.

Moreover, ISO 3691-4 further constrains this test time interval by defining the maximum speed of the AMR as a function of its distance to an object. Considering the worst-case scenario, the designer must calculate the process safety time needed to avoid the hazard and make sure that the safe state is reached before a collision with the object.

Based on the maximum speeds and distances to objects stated in ISO 3691-4 Table A.1, it is estimated that the process safety time needs to be less than 415 ms. Within this time, the diagnostic functions of the MCU must complete and, if a fault is detected, the safe state must be reached. To leave enough margin for the reaction time, the diagnostic time interval must be less than 10% of the overall process safety time, that is, a maximum of 41.5 ms for a full diagnostic sweep during operation of the system function.
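The budget check described above, written out as an added example (not code from this application note or from TI): the 415 ms process safety time and the 10% rule come from the text, while the diagnostic names, their worst-case execution times and periods, and the 300 ms fault reaction time are constructed values for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Budget from the text: PST under 415 ms, DTI at most 10% of PST; times in microseconds. */
#define PST_MAX_US 415000u

/* One diagnostic in the continuous sweep: worst-case execution time per run
 * and the period at which it repeats. The entries below are constructed. */
typedef struct { const char *name; uint32_t wcet_us; uint32_t period_us; } diag_t;
static const diag_t example_sweep[] = {
    { "cpu self-test",     8000u, 40000u },
    { "memory ECC scrub", 15000u, 40000u },
    { "clock monitor",     2000u, 10000u },
    { "voltage monitor",   3000u, 10000u },
};
#define EXAMPLE_SWEEP_N (sizeof example_sweep / sizeof example_sweep[0])

/* Diagnostic time interval allowed for a given PST (the 10% rule). */
uint32_t dti_budget_us(uint32_t pst_us) { return pst_us / 10u; }

/* Total worst-case execution time of one full diagnostic sweep. */
uint32_t sweep_wcet_us(const diag_t *d, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += d[i].wcet_us;
    return total;
}

/* Worst-case detection latency: a fault appearing just after a check ran is
 * caught only when that check runs again, i.e. one period later. */
uint32_t worst_detection_latency_us(const diag_t *d, size_t n)
{
    uint32_t worst = 0;
    for (size_t i = 0; i < n; i++) if (d[i].period_us > worst) worst = d[i].period_us;
    return worst;
}

/* 1 when the sweep and every check period fit the DTI budget, and detection plus
 * the fault reaction time (reaching the safe state) still completes inside the PST. */
int safety_timing_ok(const diag_t *d, size_t n, uint32_t pst_us, uint32_t reaction_us)
{
    uint32_t budget = dti_budget_us(pst_us), latency = worst_detection_latency_us(d, n);
    if (sweep_wcet_us(d, n) > budget || latency > budget) return 0;
    return latency + reaction_us <= pst_us;
}

int main(void)
{   /* the 300 ms reaction time is a constructed figure, not from the note */
    printf("DTI %u us, sweep %u us, ok=%d\n", dti_budget_us(PST_MAX_US),
           sweep_wcet_us(example_sweep, EXAMPLE_SWEEP_N),
           safety_timing_ok(example_sweep, EXAMPLE_SWEEP_N, PST_MAX_US, 300000u));
    return 0;
}
```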

Due to these timing constraints and the Cat 2 architecture selection, it is important to have a powerful real-time MCU with integrated safety mechanisms that can both fulfill the motor control and the safety requirements. TI C2000 real-time controllers and PMIC devices are an excellent choice to make sure that both the process safety time and the diagnostic coverage can be met, achieving PLd.