When selecting a controller for mobile machine control systems, there are several points to consider. First, there are common specifications that any good controller should meet to function in the harsh environment these machines operate in. Second, there are safety requirements, such as the international standards IEC 61508 and ISO/EN 13849, that these controllers must comply with.
The most common standards for safety applications are IEC 61508 and ISO/EN 13849.
IEC 61508: This International Standard defines a generic approach for all safety lifecycle activities of systems composed of electrical and/or electronic and/or programmable electronic elements that are used to perform safety functions. This unified approach was adopted in order to develop a rational and consistent technical policy for all electrically-based safety-related systems. A major objective is to facilitate the development of products and applications that guarantee a minimum safety level.
In most situations, safety is achieved by a number of subsystems that rely on multiple technologies, for example mechanical, hydraulic, pneumatic, electrical, electronic and programmable electronic. Any safety strategy must therefore consider not only all the elements within an individual system (sensors, controlling devices and actuators) but also all the safety-related subsystems that make up the total combination of safety-related systems. Therefore, while this International Standard is concerned with Electronic Control Unit (ECU) safety-related systems, it may also provide a framework for safety-related systems based on other technologies.
It is recognized that there is a great variety of applications using ECU-based safety-related systems, in a variety of application sectors, covering a wide range of complexity, hazards and risk potentials. In any particular application, the required safety measures depend on many factors specific to that application, and suppliers need to adapt accordingly. For example, MOBA provides controllers and software that follow the requirements of this standard.
ISO/EN 13849: MOBA controllers are designed to be part of a safety-related control system, i.e. the part of the machine control system that prevents a hazardous condition from occurring. The international standard ISO/EN 13849 gives guidance on the design and analysis of safety-related machine control systems and defines a system of five Performance Levels (PL, from “a” to “e”) that are quantified in terms of “the average probability of a dangerous failure per hour”. The table shown here summarises the different PLs:
The following table shows how circuit structure (Category B, 1, 2, 3 or 4), diagnostics and reliability together determine the PL. The structure of the control circuit alone (e.g. single channel, dual channel, test and monitoring circuits) is not sufficient to determine the safety performance; reliability and diagnostics are also necessary factors in defining the safety performance of a system.
The safety performance of a machine can also be expressed in terms of Safety Integrity Levels (SIL 1, 2 or 3) in accordance with the International Standard IEC 62061 (functional safety of ECUs). That standard provides procedures that are most useful for complex control systems, primarily those based on programmable electronics such as MOBA controllers. In common practice, an aerial platform usually requires PL “d” with Category 3 (CAT. III), as shown in the following picture:
This means a dual CPU channel, redundant sensors on two separate channels or inputs, dual outputs with feedback for integrity and position checks, and an interconnection between the two channels for internal integrity checks. The new MOBA controllers MPC-113 and MSC-113 (Leaflet_MPC-113_en.pdf and Leaflet_MSC-113_en.pdf) are designed to fully meet these requirements.
For this PL evaluation there are two other important parameters: MTTFd (mean time to dangerous failure) and DC (diagnostic coverage).
In a safety-related control system for aerial platforms, it is necessary to choose components (ECUs, sensors, valves, etc.) with MTTFd and DC values sufficient to reach PL “d”. These are indexes defined by the product manufacturers (MOBA defines these parameter indexes for all its MOBA-Platform safety products). For electro-mechanical products (valves, limit switches) a similar figure, B10d, supplied in the manufacturer's documentation, is sufficient for the final calculation.
The system designer, typically a machine designer (OEM) or a system integrator (such as the MOBA Expertise Engineering Team), uses the subsystem data mentioned above to perform some relatively straightforward calculations and determine the overall PL of the system. The standard, ISO/EN 13849, provides a risk graph into which the application factors of severity of injury, frequency of exposure and possibility of avoidance are entered (see the lower-left graphic).
The output is the required performance level, PLr. Users of the old EN 954-1 (see the upper-right graphic) will be familiar with this approach. What is new is that the S1 branch now subdivides further, whereas it did not in the old risk graph. Note that this may require a reconsideration of the integrity of safety measures required at lower risk levels. This is a simplified description and is meant only to give an overview. It is important to understand that the new generation of MOBA controllers is designed to cover all these aspects. Application software alone is not enough to achieve this; documentation and calculation work are also needed, and these produce the technical file.