Functional safety requirements and solutions are more expensive when it comes to lower cost machines with less power but same functionalities with respect to big machines. The paper will show a real Electronic Control Unit (ECU) design of a machine controller, controlling both engine working point, transmission, and other utilities like PTO, 4WD, brakes and Differential Lock; the ECU was designed in accordance to ISO 25119 regulation, to meet AgPL = C or even D for some functionalities. The unit is a fully redundant electronic control unit with two CAN networks and some special safe state oriented mechanism, that allow the Performance Level C with less software analysis requirements compared with traditional solutions. All safety critical sensors are redounded and singularly diagnosable, all command effects are directly observable and most of commands are directly diagnosable. With a minimum extra-cost the hardware category for the most critical controls was brought to the category 4, thus theoretically allowing the Performance Level D achievement. But the most unseen solution was to include this unit in the dashboard, thus creating a smart dashboard and machine controller, with an important machine cost reduction. The paper will explain all technical solution, analyzing functionalities and showing the most interesting problem solutions. The hazard analysis and the functional assessment results will be briefly exposed.
A High Functional Safety Performance Level Machine Controller for a Medium Size Agricultural Tractor
Ruggeri M;Ferraresi C;Dariz L;Malaguti;
2014
Abstract
Functional safety requirements and solutions are more expensive when it comes to lower cost machines with less power but same functionalities with respect to big machines. The paper will show a real Electronic Control Unit (ECU) design of a machine controller, controlling both engine working point, transmission, and other utilities like PTO, 4WD, brakes and Differential Lock; the ECU was designed in accordance to ISO 25119 regulation, to meet AgPL = C or even D for some functionalities. The unit is a fully redundant electronic control unit with two CAN networks and some special safe state oriented mechanism, that allow the Performance Level C with less software analysis requirements compared with traditional solutions. All safety critical sensors are redounded and singularly diagnosable, all command effects are directly observable and most of commands are directly diagnosable. With a minimum extra-cost the hardware category for the most critical controls was brought to the category 4, thus theoretically allowing the Performance Level D achievement. But the most unseen solution was to include this unit in the dashboard, thus creating a smart dashboard and machine controller, with an important machine cost reduction. The paper will explain all technical solution, analyzing functionalities and showing the most interesting problem solutions. The hazard analysis and the functional assessment results will be briefly exposed.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
