SPRAD98, May 2023. Devices: TMS320F280033, TMS320F280034, TMS320F280034-Q1, TMS320F280036-Q1, TMS320F280036C-Q1, TMS320F280037, TMS320F280037-Q1, TMS320F280037C, TMS320F280037C-Q1, TMS320F280038-Q1, TMS320F280038C-Q1, TMS320F280039, TMS320F280039-Q1, TMS320F280039C, TMS320F280039C-Q1

  Abstract
  Trademarks
  1 Introduction
  2 Understanding Cat 2, PLd Safety Requirements
    2.1 Safety Requirements per ISO 3691-4
    2.2 System Architecture Selection
    2.3 Device Selection Based on Process Safety Time
  3 Implementing Mobile Robot Motor Drive Safety Requirements
  4 Conclusion

Implementing Mobile Robot Motor Drive Safety Requirements

Once the safety requirements and architecture category of the system are understood, the designer must select the remaining devices and implement the complete motor drive to make sure that the safety requirements are met.

Figure 3-1 Motor Drive System Block Diagram

As Figure 3-1 shows, a motor drive system is typically formed by an MCU, a power stage (which can integrate the analog front end), an encoder, and a power supply.

In IEC 61508, the required safe failure fraction (SFF) depends on whether the device is Type A or Type B. Per IEC 61508, a type A subsystem has well-defined failure modes: its behavior under fault conditions is determined, and there is enough failure data to claim that the failure rates are met. Conversely, a type B subsystem is more complex: its failure modes are not fully defined, its behavior under fault conditions cannot be completely determined, and there is not enough data to support the claimed failure rates. The complete definition of both subsystem types is found in section 7.4.4 of IEC 61508.

Moreover, the CNB-M-11.059 amendment of IEC 61508 states that diagnostic subsystems only need to achieve a safety level below the required system SIL to achieve the minimum safety level. Although this amendment is part of IEC 61508, it is state of the art to apply it together with the ISO 13849-2 machinery standard when analyzing diagnostic subsystems.

Therefore, for this specific case, because a SIL 2 system is required, diagnostic-related modules must fulfill at least SIL 1 with a minimum SFF of 0% to meet the SIL 2 system requirements. However, safety and non-diagnostic functions must still fulfill SIL 2 and have a minimum SFF of 60%.

By understanding which subsystems are Type A and which are Type B, it is possible to select each device based on features such as the available safety documentation or diagnostic features.

Because the MCU is a type B device and is used to implement safety functions, the MCU needs a minimum SFF of 60%. This means that each of the subsystems used by the device must be monitored with diagnostic functions to achieve the required 60% coverage.

The first step is to select which device functions are to be used and the diagnostic coverage required for each. Once these are defined, safety documentation is key to demonstrating whether enough diagnostics are available for each of the intended functions or whether external diagnostic devices are needed.

TI's latest C2000™ real-time controllers are designed with functional safety in mind. By taking advantage of the safety features and documentation provided, it is possible to simplify and accelerate the safety assessment. Some of the key C2000™ safety features and devices are documented in the Industrial Functional Safety for C2000™ Real-Time Microcontrollers product overview.

Moreover, it is also important to have safety documentation available for the less complex devices. As previously mentioned, one of the conditions for considering a device as type A is that its functionalities and failure modes are well defined. TI safety documentation therefore helps justify the type of each device and, with it, the minimum SFF required.

TI multi-channel power management ICs (PMICs) greatly help reduce the overall BOM and size of the motor control module while making sure that the safety requirements are met. With integrated functions such as built-in LDOs, supervisors, BISTs, a watchdog, and DC/DC regulators, these ICs simplify the design while providing the diagnostic functions needed to supervise both the MCU and the required power rails.

Per ISO 13849 section 6.1, given that the safety functions cannot be performed periodically, the diagnostics and the safety functions cannot reside within the same IC if the 60% diagnostic coverage is to be achieved. ISO 13849 considers that a single fault in an IC results in the complete loss of function of that IC, and for Category 2 that loss of function must be detected by the diagnostic features. Therefore, to make sure that a loss of function does not also cause a loss of the diagnostic function, voltage supervision and the Q&A watchdog cannot be used within the same IC. For this example, external voltage supervisors are used together with the internal question and answer (Q&A) watchdog of the PMIC. The Supervisor and reset ICs power management folder details the extensive TI portfolio of voltage supervisors supporting functional safety.

Figure 3-2 shows a highly simplified example of some of the diagnostic features that can be used to achieve SIL 2.

Figure 3-2 Simplified Motor Drive System Including Safety Features

Once the safety functions are defined on a system level, a block level analysis is needed to demonstrate that each one of the subsystems meets the needed safety requirements.

In this case, safety subsystems are split between safety and diagnostic functions. The diagnostic functions are used to make sure that the safety functions meet the minimum SFF defined per subsystem type. Table 3-1 summarizes the details.

Table 3-1 Example of Diagnostic Coverage Required per Device Type

  Parameter                                      Type A   Type A   Type B   Type B
  Safety function (S), Diagnostic function (D)   S        D        S        D
  SIL                                            2        1        2        1
  HFT                                            0        0        0        0
  Minimum required SFF | DC                      60%      0%       90%      60%
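As an added worked example (not code from the TI report), the following Python computes a subsystem's SFF and DC from a failure-rate split using the IEC 61508-2 definitions and checks the result against the Table 3-1 minimums for its device type and function role. The failure rates, the 95% coverage attributed to the added diagnostics, and all function names are constructed assumptions, not data for any device.

```python
"""Worked SFF / DC check against Table 3-1 (added example, not from the TI report).
Failure rates are in FIT (failures per 1e9 h) and are constructed sample values,
not characterisation data for any TI device."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureRates:
    safe: float                  # lambda_S: safe failures (detected + undetected)
    dangerous_detected: float    # lambda_DD: dangerous failures a diagnostic catches
    dangerous_undetected: float  # lambda_DU: dangerous failures nothing catches

def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU), per IEC 61508-2."""
    total = r.safe + r.dangerous_detected + r.dangerous_undetected
    return (r.safe + r.dangerous_detected) / total

def diagnostic_coverage(r: FailureRates) -> float:
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous failures detected."""
    dangerous = r.dangerous_detected + r.dangerous_undetected
    return r.dangerous_detected / dangerous if dangerous else 1.0

def with_diagnostics(r: FailureRates, dc: float) -> FailureRates:
    """Model adding a diagnostic (e.g. external supervisor plus Q&A watchdog) that
    detects a fraction dc of the formerly undetected dangerous failures."""
    newly_detected = r.dangerous_undetected * dc
    return FailureRates(r.safe, r.dangerous_detected + newly_detected,
                        r.dangerous_undetected - newly_detected)

# Table 3-1 of the report: minimum SFF (or DC) per device type and function role
# (S = safety function, D = diagnostic function), all with HFT = 0.
MIN_SFF_TABLE_3_1 = {("A", "S"): 0.60, ("A", "D"): 0.00, ("B", "S"): 0.90, ("B", "D"): 0.60}

def meets_table_3_1(device_type: str, role: str, sff: float) -> bool:
    """True if the subsystem's SFF reaches the Table 3-1 minimum for its type and role."""
    return sff >= MIN_SFF_TABLE_3_1[(device_type, role)]

if __name__ == "__main__":
    # Constructed MCU budget: type B, safety function, no diagnostics yet.
    mcu = FailureRates(safe=50.0, dangerous_detected=0.0, dangerous_undetected=50.0)
    sff = safe_failure_fraction(mcu)
    print(f"MCU without diagnostics: SFF {sff:.1%}, meets type B/S: {meets_table_3_1('B', 'S', sff)}")
    # Assumed: the added supervisor + Q&A watchdog detect 95 % of dangerous MCU failures.
    mcu_dx = with_diagnostics(mcu, dc=0.95)
    sff = safe_failure_fraction(mcu_dx)
    print(f"MCU with diagnostics:    SFF {sff:.1%}, DC {diagnostic_coverage(mcu_dx):.0%}, "
          f"meets type B/S: {meets_table_3_1('B', 'S', sff)}")
```

Note that the same undiagnosed budget passes the type A safety-function column (60%) only once diagnostics are added, while it already satisfies the type A diagnostic-function column (0%), which is the asymmetry Table 3-1 encodes.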

By properly defining each of the intended functions and demonstrating that each achieves the required minimum diagnostic coverage, the designer demonstrates that the system is able to achieve the required PL and SIL and can be safety certified.