Implementing a controller for an industrial robot (IEC 61508, SIL 3)
We receive many enquiries from organisations that need to develop embedded systems in compliance with international safety standard IEC 61508 (‘SIL 3’).
On this page, we present, in outline, an example of a ‘Time Triggered’ (TT) design that can meet such requirements.
The design employs two low-cost microcontrollers.
[This page was last updated 2018-03-06]
Key system and safety requirements
This design example considers a controller for an industrial robot.
The core system requirements in this example are superficially very simple:
- when the robot control unit (RCU) receives commands over the serial communication link, it shall ensure that the robot carries out the commands correctly;
- if the RCU cannot operate in compliance with the commands, it shall ensure that the robot enters a ‘fail safe’ state.
Relevant international safety standards
It is assumed that this system is to be developed in compliance with international standard IEC 61508.
IEC 61508 is concerned with functional safety, achieved by means of systems that are implemented primarily in electrical and/or electronic and/or programmable electronic technologies (for example, using microcontrollers – MCUs – and appropriate software).
TT software architectures provide a highly-effective way of meeting IEC 61508 requirements. For example:
- TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]
- Use of a TT architecture “Greatly reduces the effort required for testing and certifying the system” [IEC 61508-3 (2010), Table C.1]
In addition to these general considerations, ‘Hardware Fault Tolerance’ (HFT) is a key consideration in many IEC 61508 designs.
When HFT = 0, this means that there is only a single processing path available. If this path fails, it may be challenging to: [i] detect this failure; and [ii] ensure that the system can enter an appropriate ‘Fail-Safe State’.
When HFT = 1, this means that there is a second (independent) processing path available: if one processing path fails, the second processing path is intended to be able to both detect this failure and act appropriately (typically by forcing the system into an appropriate Fail-Safe State).
To achieve compliance with IEC 61508 at ‘SIL 3’ level, many designs employ an HFT of 1.
Use of TT architectures provides an excellent way of meeting ‘HFT = 1’ requirements.
It is assumed that it has been determined that the RCU must be developed in compliance with IEC 61508 at ‘SIL 3’, using an architecture with HFT of 1.
The design will be based on a ‘DuplicaTTor’ (TT) software platform, as illustrated below.
In this example it is assumed that:
- the RCU will perform a control function (that is, it will cause the robot to move in accordance with directions received over the serial communications link);
- the RCU will monitor the operation of the robot to ensure that it moves as directed;
- the RCU will perform internal ‘self checks’, to ensure that it is operating correctly (the dual-MCU architecture will have a central role to play in such checks);
- if problems are detected in any of the control or monitoring operations, the RCU will ensure that at least one of the power switches (PS-A, PS-B, PW-eWDC) is opened, thereby disabling the drive unit and causing the robot to stop in what is assumed to be a fail-safe state.
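As an added, constructed illustration (not DuplicaTTor or SafeTTy code) of the monitoring and self-check behaviour listed above, and of how the second MCU supplies the HFT = 1 path: a small C simulation in which MCU-A compares each tick against a fixed TT task model and opens PS-A on any deviation, while MCU-B independently watches for MCU-A's heartbeat and opens PS-B if it stops. The task names, periods, execution budgets and heartbeat mechanism are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed simulation of the dual-MCU RCU: power-switch state, true = closed (drive enabled). */
static bool ps_a = true;   /* PS-A, opened by MCU-A */
static bool ps_b = true;   /* PS-B, opened by MCU-B */

/* Hypothetical TT task model for MCU-A: period in ticks and a worst-case execution budget in microseconds. */
typedef struct { const char *name; uint8_t period; uint32_t wcet_us; } tt_task_t;
static const tt_task_t model[] = {
    { "control",   1, 200 },   /* move the robot as commanded */
    { "monitor",   1, 100 },   /* confirm the robot moved as directed */
    { "selfcheck", 5, 400 },   /* internal checks, every fifth tick */
};
#define N_TASKS (sizeof model / sizeof model[0])

/* One tick on MCU-A. measured_us[i] is the execution time observed for task i
 * in this tick (0 if the task did not run). Because the TT model fixes which
 * tasks run in which tick, any deviation is detected within the same tick and
 * MCU-A opens PS-A. Returns true only if the tick matched the model. */
bool mcu_a_tick(uint32_t tick, const uint32_t *measured_us)
{
    for (size_t i = 0; i < N_TASKS; i++) {
        bool due = (tick % model[i].period) == 0;
        if (!due) {
            if (measured_us[i] != 0) { ps_a = false; return false; }  /* ran out of turn */
            continue;
        }
        if (measured_us[i] == 0) { ps_a = false; return false; }              /* task missed */
        if (measured_us[i] > model[i].wcet_us) { ps_a = false; return false; } /* overran budget */
    }
    return true;
}

/* Independent check on MCU-B (HFT = 1): it expects a heartbeat from MCU-A every
 * tick. If MCU-A has failed silently, MCU-B opens PS-B, so the drive is still
 * disabled even though MCU-A could not act. */
bool mcu_b_tick(bool heartbeat_from_a)
{
    if (!heartbeat_from_a) { ps_b = false; return false; }
    return true;
}

/* The drive unit runs only while every switch remains closed. */
bool drive_enabled(void) { return ps_a && ps_b; }

/* Restore both switches between simulation runs (not a real RCU operation). */
void sim_reset(void) { ps_a = true; ps_b = true; }
```

Once a switch has been opened, nothing in the tick functions closes it again: returning to normal operation is a deliberate, separate step, as it should be in a fail-safe design.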
If required, this design could be prototyped on a DuplicaTTor Evaluation Board.
Related design examples
As outlined above, this design involves receipt of commands over a serial link.
Many control systems take this form (for example in medical systems, aerospace systems, automotive systems, …).
For example, a braking unit in a passenger car might employ a similar architecture.
Learn more about TT software architectures
The Second Edition of ‘The Engineering of Reliable Embedded Systems’ (ERES2) documents an industry-proven approach to the development of software for reliable, real-time embedded systems, based on the use of ‘Time Triggered’ (TT) architectures.
What distinguishes TT approaches is that it is possible to model the expected system behaviour precisely. This means that: [i] during the development process, we can demonstrate that all of the requirements have been met; and [ii] at run time, we can detect problems very quickly.
The end result is that we can have a high level of confidence that a TT system will either: [i] operate precisely as required; or [ii] move into an appropriate state if a problem occurs.
The above characteristics mean that appropriately-implemented TT systems provide a particularly effective means of meeting the requirements of various international safety standards.
In order to illustrate how the TT techniques presented in ERES2 can be employed in practical designs, five detailed case studies are included. These studies describe the development of embedded control and monitoring systems for the following products:
- an industrial alarm sounder unit (IEC 61508, SIL 2);
- a domestic washing machine (IEC 60730, Class B);
- a hospital radiotherapy machine (IEC 62304, Class C);
- a steering-column lock for a passenger car (ISO 26262, ASIL D);
- an aircraft jet engine (DO-178C, Level A).
Complete your cost-effective IEC 61508 design successfully using a SafeTTy Solutions™ package
Our SafeTTy Solutions™ packages are designed to help your development team produce a safety-related embedded system quickly and cost-effectively, in compliance with one or more international safety standards (IEC 61508, ISO 26262, DO-178C, IEC 62304, IEC 60730 …).
SafeTTy Solutions packages are based on TT designs and include carefully-selected combinations of our various products and services.
SafeTTy Solutions packages include an appropriate ReliabiliTTy® Technology Licence.
Learn more about SafeTTy Solutions packages …