DEVELOPMENT SAFETY
Challenges of Functional Safety in Tractor Development © AVL
In the agricultural industry, protecting electronic functions in accordance with ISO 25119 is necessary. It increases safety and protects against product liability problems. AVL therefore implements safety management and the technical safety concept as an integral part of electronic development, right from the beginning.
MOTIVATION
The development of electronic components in accordance with safety standards has long been established practice in many industries. Such procedures were originally introduced by the military and soon afterwards adopted by manufacturers of electronic aircraft components to make the development of safety-critical functions more dependable. Standards such as ISO 61508 were developed and applied so that all manufacturers achieve a comparable level. For more than ten years now, similar standards (ISO 26262 and ISO 25119) have been in place in the automotive and agricultural industries. Meanwhile, EU Regulation 167/2013 enforces their application as a prerequisite for the homologation of tractors in the EU.
AUTHORS
Dr.-Ing. Carsten Weich is Skill Team Leader Software and Control Systems at AVL Commercial Driveline & Tractor Engineering GmbH in Steyr (Austria).
Dipl.-Ing. (FH) Daniel Bayer is Project Manager Controls at AVL Commercial Driveline & Tractor Engineering GmbH in Steyr (Austria).
Ing. Daniel Puckmayr is Development Engineer at AVL Commercial Driveline & Tractor Engineering GmbH in Steyr (Austria).
What does this mean in the practice of developing tractor components? The following uses the example of a joystick in a tractor to show how the standard affects day-to-day work and which additional activities become necessary in the development process. Not only does the function itself change through the addition of further protective measures, but so does the entire process of creating it: safety management must be introduced, and additional safeguards become necessary.
FIGURE 1 Joystick for loader operation (© AVL)
ADDITIONAL FUNCTION OF A JOYSTICK
The joystick of a tractor front loader carries the so-called fourth function, FIGURE 1. The switch on the front of the joystick controls the standard function (third function), for example closing the gripping arm. If the button on the top of the joystick is pressed at the same time, an additional function (fourth function) is activated, for example rotating the gripping arm. During the hazard and risk analysis, each function is evaluated to determine whether users or other persons could be endangered by it. If this question is answered with yes, the function is classified as safety-relevant. Like many other functions associated with the loader, the activation of the additional function was also given this rating. As a result, a number of measures must be implemented to safeguard the function. In the example, the analysis showed that the hydraulic valves for activating the front loader may only be energised if the joystick has actually been operated accordingly. In other words, the front loader must not move if an electronic fault occurs. It must therefore be ensured that the input data (signals from the joystick), the processing (front loader control) and the output data (signals to the valves) are correct. It follows that the input signals from the switch must be trustworthy and the output signals to the control valve must arrive properly. For this purpose, the cables are monitored for short circuit, open line and plausibility of the received signal. If the data is received as messages via the CAN bus, the receive time is monitored and a checksum is calculated over the user data: it is calculated by the sender, transmitted and recalculated on reception. If the data was corrupted during transmission, the checksums will not match. For the processing, the memory and run time of the function are monitored. The majority of this monitoring is already performed in the input/output drivers of the basic software. A proven monitoring concept for the function itself comes from the automotive industry: the e-gas concept (standardised e-gas monitoring concept for petrol and diesel engine controls).
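The input-side checks described above, as an added example that is not part of the article or of AVL's software: an analogue switch input is classified into its two valid levels and the wire faults (short circuit, open line, implausible level), and a constructed CAN message is checked for its checksum and its receive time. The wiring thresholds, the frame layout, the CRC-8 algorithm and the 50 ms deadline are assumptions; the article only states that these checks exist.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* --- 1. Wire diagnosis of a switch read through an analogue input -----------
 * Assumed wiring: switch with series resistor and pull-up, so that both valid
 * levels lie in the middle of the 0..5 V range; levels near the rails are faults. */
typedef enum {
    SW_RELEASED,
    SW_PRESSED,
    SW_SHORT_TO_GND,   /* line pulled to 0 V */
    SW_OPEN_LINE,      /* pull-up drives the open line to supply voltage */
    SW_IMPLAUSIBLE     /* a level that no wiring state can produce */
} switch_state_t;

switch_state_t switch_diag(uint16_t millivolts) {
    if (millivolts < 500u)  return SW_SHORT_TO_GND;
    if (millivolts > 4500u) return SW_OPEN_LINE;
    if (millivolts >= 1000u && millivolts <= 2000u) return SW_PRESSED;
    if (millivolts >= 3000u && millivolts <= 4000u) return SW_RELEASED;
    return SW_IMPLAUSIBLE;
}

/* --- 2. CAN message with checksum and receive-time monitoring ----------------
 * Constructed frame layout: two bytes of user data (switch bits, rolling counter)
 * followed by one checksum byte. CRC-8 with polynomial 0x07 is an assumed choice. */
#define JOY_PAYLOAD_LEN 2u
#define JOY_TIMEOUT_MS  50u      /* assumed deadline for the next message */

typedef struct {
    uint8_t data[JOY_PAYLOAD_LEN];
    uint8_t checksum;
} joy_msg_t;

typedef enum { RX_OK = 0, RX_CHECKSUM_ERROR, RX_TIMEOUT } rx_status_t;

/* CRC-8 (polynomial 0x07, initial value 0x00) over the user data. */
uint8_t joy_checksum(const uint8_t *data, size_t len) {
    uint8_t crc = 0x00u;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x07u) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Sender: calculate and attach the checksum before transmission. */
void joy_msg_seal(joy_msg_t *m) {
    m->checksum = joy_checksum(m->data, JOY_PAYLOAD_LEN);
}

/* Receiver: the message is only trusted if it arrived within the deadline and
 * the recalculated checksum matches the transmitted one. */
rx_status_t joy_msg_check(const joy_msg_t *m, uint32_t now_ms, uint32_t last_rx_ms) {
    if ((uint32_t)(now_ms - last_rx_ms) > JOY_TIMEOUT_MS) return RX_TIMEOUT;
    if (joy_checksum(m->data, JOY_PAYLOAD_LEN) != m->checksum) return RX_CHECKSUM_ERROR;
    return RX_OK;
}

/* Constructed receive scenario: build a frame, optionally flip one bit "on the
 * wire", and check it age_ms after the previous valid reception. */
rx_status_t joy_rx_scenario(bool corrupt_in_transit, uint32_t age_ms) {
    joy_msg_t m = { { 0x03u, 0x10u }, 0u };     /* switch + button pressed, counter 0x10 */
    joy_msg_seal(&m);
    if (corrupt_in_transit) m.data[0] ^= 0x01u; /* single bit error during transmission */
    return joy_msg_check(&m, 1000u + age_ms, 1000u);
}

int main(void) {
    printf("short to ground : %d\n", switch_diag(200u) == SW_SHORT_TO_GND);
    printf("open line       : %d\n", switch_diag(4900u) == SW_OPEN_LINE);
    printf("clean frame     : %d\n", joy_rx_scenario(false, 20u) == RX_OK);
    printf("corrupted frame : %d\n", joy_rx_scenario(true, 20u) == RX_CHECKSUM_ERROR);
    printf("late frame      : %d\n", joy_rx_scenario(false, 120u) == RX_TIMEOUT);
    return 0;
}
```

The deadline is checked before the checksum, so a frame that is both late and corrupted is reported as a timeout; in either case the control must not trust the switch state carried in the frame.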
Essentially, the concept makes use of the fact that the safety-relevant states are much easier to supervise than the function itself. In the example, the proportional control of the fourth function's movement via the joystick is complex to monitor. But the safety-relevant state, namely that the additional function is only active while the button is pressed at the same time, is much easier to check. The front loader control itself also only checks the switch. In addition, the e-gas concept uses a redundant safety function, the so-called Level-2 monitor, FIGURE 2. The Level-2 monitor only checks the button-pressed condition and whether the corresponding hydraulic valve has been activated. If the electronics mistakenly allow the hydraulic valve to be energised even though the button is not pressed, the Level-2 monitor recognises this. If the monitoring detects an error, the safe state is initiated. In the example, the hydraulics are deactivated and the front loader stops where it is. Thus, the vehicle or device is safe despite the error that has occurred.

SYNCHRONISATION IS ESSENTIAL
During monitoring, a distinction must be made between functional correctness (the monitoring must correctly recognise the state of the system) and temporal correctness (the monitoring must also compare the system state simultaneously, that is, with a sufficiently small delay). Temporal accuracy is as important as functional accuracy. With the Level-2 monitor, the system state is calculated redundantly, in addition to the control itself. Afterwards, a comparison is carried out: does the output of the control match the expectations of the monitoring? Here it is important to keep an eye on the details, since there are many transitions between system states. The information “shift switch pressed” and “rotator activated” (both must be valid simultaneously) is not stable while the button is being pressed. If the control samples a little earlier than the monitoring, the system state may be captured differently by the control function than by the monitoring, FIGURE 3. This situation can occur in practically all state transitions. All these transitions must be debounced by the monitoring. Typically, this is solved by accepting a deviation between control and monitoring for a certain time. In the example, other errors occurred in practice: for instance, the already debounced monitoring function reported an error when the user activated and deactivated the shift button in rapid succession.

FIGURE 2 Level-2 monitor supervises input and output lines of the control unit (© AVL)

FIGURE 3 Sampling of switch signal during state change (© AVL)

ATZ offhighway worldwide 04|2017

ADDITIONAL TESTS
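The Level-2 monitor with a tolerance window for the sampling skew described in the preceding section, and the fault-injection case in which the control's output is forced wrong, as an added example that is not part of the article or of AVL's software. The 10 ms cycle, the three-cycle tolerance window, the reduced control function and the input traces are assumptions; the article only states that a deviation between control and monitoring is accepted for a certain time.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define L2_TOLERANCE_CYCLES 3u   /* assumed: deviation tolerated for 3 cycles (30 ms at 10 ms) */

typedef struct {
    bool switch_pressed;   /* switch on the front of the joystick (third function) */
    bool button_pressed;   /* button on top of the joystick (enables the fourth function) */
} joy_inputs_t;

typedef struct {
    bool rotator_valve_on; /* output actually driven to the rotator's hydraulic valve */
} control_outputs_t;

typedef struct {
    uint32_t deviation_cycles; /* consecutive cycles in which output and expectation differ */
    bool safe_state;           /* latched once the tolerance window is exceeded */
} l2_monitor_t;

/* Control function (Level 1), reduced to the safety-relevant rule:
 * the fourth function may only be active while both controls are pressed. */
void control_step(const joy_inputs_t *in, control_outputs_t *out) {
    out->rotator_valve_on = in->switch_pressed && in->button_pressed;
}

/* Level-2 monitor: recompute the expected state from its own sample of the
 * inputs and compare it with the actual valve output. A deviation is accepted
 * for a short window, because control and monitor may sample a transition in
 * different cycles (FIGURE 3); a persistent deviation triggers the safe state. */
void l2_monitor_step(l2_monitor_t *mon, const joy_inputs_t *mon_in, const control_outputs_t *actual) {
    bool expected = mon_in->switch_pressed && mon_in->button_pressed;
    if (actual->rotator_valve_on != expected) {
        mon->deviation_cycles++;
        if (mon->deviation_cycles > L2_TOLERANCE_CYCLES) mon->safe_state = true;
    } else {
        mon->deviation_cycles = 0u;
    }
}

/* Safe state: hydraulics deactivated, the loader stays where it is. */
void apply_safe_state(const l2_monitor_t *mon, control_outputs_t *out) {
    if (mon->safe_state) out->rotator_valve_on = false;
}

typedef struct {
    int  safe_state_cycle;   /* cycle in which the safe state was entered, -1 if never */
    bool valve_on_at_end;    /* valve output after the last cycle */
} scenario_result_t;

/* Run one constructed trace: per cycle the control gets one sample of the button,
 * the monitor its own (possibly skewed) sample; fault_force_on injects a wrong output. */
static scenario_result_t run_trace(const bool *button_ctrl, const bool *button_mon,
                                   bool fault_force_on, size_t cycles) {
    l2_monitor_t mon = { 0u, false };
    control_outputs_t out = { false };
    scenario_result_t res = { -1, false };
    for (size_t i = 0; i < cycles; i++) {
        joy_inputs_t in_ctrl = { true, button_ctrl[i] };
        joy_inputs_t in_mon  = { true, button_mon[i] };
        control_step(&in_ctrl, &out);
        if (fault_force_on) out.rotator_valve_on = true; /* injected fault: valve energised regardless */
        l2_monitor_step(&mon, &in_mon, &out);
        apply_safe_state(&mon, &out);
        if (mon.safe_state && res.safe_state_cycle < 0) res.safe_state_cycle = (int)i;
    }
    res.valve_on_at_end = out.rotator_valve_on;
    return res;
}

/* Scenario A (FIGURE 3): the control samples the button one cycle before the
 * monitor does. The one-cycle disagreement at each edge lies inside the window. */
scenario_result_t scenario_sampling_skew(void) {
    static const bool ctrl[] = { 0, 0, 1, 1, 1, 1, 0, 0 };
    static const bool mon[]  = { 0, 0, 0, 1, 1, 1, 1, 0 };
    return run_trace(ctrl, mon, false, 8);
}

/* Scenario B (test "control function produces incorrect results"): the valve is
 * energised although the button is never pressed; the monitor must intervene. */
scenario_result_t scenario_valve_stuck_on(void) {
    static const bool none[] = { 0, 0, 0, 0, 0, 0 };
    return run_trace(none, none, true, 6);
}

int main(void) {
    scenario_result_t a = scenario_sampling_skew();
    scenario_result_t b = scenario_valve_stuck_on();
    printf("skew : safe state in cycle %d, valve on at end %d\n", a.safe_state_cycle, a.valve_on_at_end);
    printf("stuck: safe state in cycle %d, valve on at end %d\n", b.safe_state_cycle, b.valve_on_at_end);
    return 0;
}
```

The width of the window is the design decision the article warns about: it must be long enough to cover the largest sampling skew at any transition, yet short enough that a genuinely wrong valve output is switched off within the time the hazard analysis allows. Scenario B shows the latter bound directly, since the safe state is entered in the first cycle after the window expires.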
Monitoring functions must, of course, be tested just like the control function itself. Specific tests must be defined and executed in which malfunctions are simulated:
– All cables must be short-circuited, disconnected, placed on overvoltage, etc.
– All messages must be delayed, suppressed and artificially distorted.
– The control function must artificially produce incorrect results or not react at all.
This is only possible with special test setups in which the input/output lines and the CAN bus can be manipulated. Many of these tests are carried out anyway because, irrespective of functional safety, one wants to ensure correct diagnosis of malfunctions. It is therefore possible to rely on existing laboratory tests (HiL tests). With the safety requirements, however, the tests take on a different significance: it is no longer just about correctly storing a diagnostic code, but about the safety of the operator and the machine. It is therefore indispensable to carry out some of these tests in the machine itself, in order to check the timely and correct initiation of the safe state.

EXPERIENCES FROM PRACTICE
In addition to the development requirements for the safety functions described here, the following activities are still necessary to meet the ISO 25119 standard applicable to agricultural technology:
– The system must be analysed at the machine/vehicle level with regard to the hazards arising from the electronic control functions.
– Safety management must be implemented, with a safety manager and a safety plan.
– A technical safety concept must be developed and tested.
In particular, it must be taken into account that the effort only becomes clearly visible once the technical safety concept is in place. The obvious idea of implementing the functions first, so that the customer sees results quickly, and introducing the safety functions later, leads to a very inefficient outcome in terms of cost and time. The functionality the customer actually wants is indeed available earlier. However, parts that do not fit into the safety concept designed later have to be re-developed. Consider the described synchronisation between the control and the Level-2 monitor: it is much easier, as well as more time- and cost-effective, if the transitional phases are examined from the beginning. If the control function is already fully developed, it becomes difficult and expensive to track down all transitional situations in retrospect, because the described failure situation (the monitor determining a different state than the control function) occurs only sporadically.

SUMMARY
Protecting electronic functions in accordance with ISO 25119 is necessary. It increases safety and protects against product liability problems. Proven concepts, such as the automotive e-gas concept, can also be implemented successfully in the agricultural sector. It is important to plan functional safety from the outset of the project and to allow for it in the schedule.