FSD113: Subsystem DC estimates

Header

Title: FSD113: Subsystem DC estimates
Version: V2
Products: Safety Simplifier
Requirements: EN ISO 13849-1:2006
Purpose: Define DC for the different subsystems
Input: HW design
Output: FSD203: Estimation of hardware common cause failures

Subsystems

CPU power supply

Has reverse voltage protection and an input fuse, which is triggered if the voltage is too high. Further down the chain there is also a small 1206 resistor, which functions as a fuse if a malfunction in the power supply generates too high a voltage. Unstable or low voltage is handled by the brown-out detector in the CPUs.

Thus, DC is 99%.

Relay output

Two relays always work together (in logical series mode). Each of the two relays is monitored separately. The SW continuously monitors both the on and the off state, and there is a redundant shut-off for both the relays themselves and the drive circuit for the relays.

Thus, DC is 99%.

SIO PWR output

Short circuit is detected and handled by dual detection, with different resistor dividers. There is a redundant shut-off (together with the transistor output), and the +5V relay is implemented as a watchdog.

Thus, DC is 99%.

Transistor output

Short circuit is detected and handled (via SIO PWR). The output is cross-monitored against the intermediate result (SIO PWR). Different resistor dividers make it extremely uncommon that an error in the detection circuit goes unnoticed. There is a redundant shut-off path (SIO PWR plus the actual transistor).

Thus, DC is 99%.

Digital input

Dual different resistor dividers into the ADC. I.e., the only way a non-high signal could be detected in a dangerous way is if a resistor breaks such that its resistance matches the other resistance within 5%. That is well below 1% probability.

Thus, DC is 99%.
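As an added illustration of the cross-check behind this estimate (not code from the Safety Simplifier firmware; the resistor values, 12-bit ADC, 24 V logic threshold and 5% agreement tolerance are all assumed), the following simulates two different dividers feeding one ADC and declares a fault whenever the two inferred input voltages disagree, so a single resistor failure forces the safe (LOW) state instead of a wrong HIGH:

```python
"""Cross-check of two different resistor dividers into one ADC.

Added example, not firmware from the product described in this document.
All resistor values, ADC parameters and thresholds are assumed.
"""
from dataclasses import dataclass
from typing import Optional

V_REF = 3.3        # ADC reference voltage (assumed)
ADC_MAX = 4095     # 12-bit ADC (assumed)
V_HIGH = 15.0      # input counts as logic high above this (assumed, 24 V signal)
TOLERANCE = 0.05   # both channels must agree within 5%
FLOOR_V = 0.1      # absolute floor so that two 0 V readings also agree

# Nominal divider values (R_top, R_bottom) in ohms; deliberately different ratios
NOMINAL = {"A": (100_000.0, 10_000.0), "B": (150_000.0, 10_000.0)}


def ratio(r_top: float, r_bottom: float) -> float:
    return r_bottom / (r_top + r_bottom)


def adc_counts(v_in: float, r_top: float, r_bottom: float) -> int:
    """Physical ADC reading of the divider tap, clamped to the converter range."""
    v_tap = v_in * ratio(r_top, r_bottom)
    return max(0, min(ADC_MAX, round(v_tap / V_REF * ADC_MAX)))


def inferred_voltage(counts: int, r_top: float, r_bottom: float) -> float:
    """Input voltage the firmware infers from a reading using the nominal divider."""
    return counts / ADC_MAX * V_REF / ratio(r_top, r_bottom)


@dataclass
class InputResult:
    state: str    # "HIGH" or "LOW"; LOW is the safe state
    fault: bool   # channels disagree, i.e. a detected hardware fault
    v_a: float
    v_b: float


def evaluate_input(v_in: float, actual: Optional[dict] = None) -> InputResult:
    """Read the input through both dividers and cross-check the two results.

    `actual` optionally overrides a channel's physical resistor values to
    inject a fault; inference always uses NOMINAL, as the firmware would.
    """
    physical = {**NOMINAL, **(actual or {})}
    v = {ch: inferred_voltage(adc_counts(v_in, *physical[ch]), *NOMINAL[ch])
         for ch in ("A", "B")}
    limit = max(TOLERANCE * max(v["A"], v["B"]), FLOOR_V)
    fault = abs(v["A"] - v["B"]) > limit
    high = (not fault) and v["A"] > V_HIGH and v["B"] > V_HIGH
    return InputResult("HIGH" if high else "LOW", fault, v["A"], v["B"])
```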

Note

Signal types that can improve reliability

The inputs and outputs can be programmed quite freely for different types. Two types should be noted for giving extra fault-detection capabilities:

a) OSSD outputs. The output is turned off for a short time periodically. This detects external short circuits and internal failures.

b) Pattern inputs (A/B/C/D pulses). A special pattern is required to detect a high signal. This handles short circuit to anything but the pattern signal itself. Certain sensors invert the signal, which also handles the problem of short circuit to the source signal.

Revision History

Date | By | Version | Description
2016-09-05 | Jesper Ribbe | V1 | Initial version
2023-09-11 | Nils Odén | V2 | Copied over old document to new structure, no changes in the document's content.