Machinery sensor example (ISO 13849, IEC 61508)


We receive many enquiries from organisations that need to develop control systems for machinery in compliance with international safety standard ISO 13849.

As an example of the type of design solution that we use in such products, we explore the development of a monitoring system for a piece of machinery on this page.

Our solution is based on a ‘Time Triggered’ (TT) software architecture and two low-cost microcontrollers.

The resulting design implements a form of ‘TT Wrapper’.

Please note that designs similar to the one presented on this page can be created to achieve compliance with ISO 13849 and ISO 26262 (for various autonomous and / or off-road vehicles). Please contact us for further details.

[This page was last updated 2021-01-04]


Key system and safety requirements

In this example, the aim is to ensure that the operator of a piece of equipment is alert: if (for example) the operator falls asleep, becomes ill or leaves his or her position for some other reason, the equipment that the operator is responsible for must be shut down safely.

Such an ‘Operator in Place’ (OiP) monitoring facility has many potential applications: some of these are considered at the end of this example.

It will be assumed that the OiP system is to be applied in the piece of machinery illustrated below.


Relevant international safety standards

ISO 13849 applies to the development of control systems for a very wide range of machinery.

More specifically, ISO 13849-1 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software.

ISO 13849-1 provides specific requirements for SRP/CS using programmable electronic system(s).

ISO 13849-1 includes a set of 5 ‘designated architectures’ (DAs): using one of these DAs may help to make it easier to demonstrate compliance with the standard. As an example, the figure below represents a Category 4 designated architecture.


In our experience, the ‘TT Platforms’ presented in ‘ERES2’ provide an effective way of meeting the requirements for the various DAs in ISO 13849-1: please see the table below.


In addition to supporting the implementation of ‘designated architectures’, use of TT architectures can also simplify the process of meeting other key requirements in the ISO 13849 standard, such as those for “response-time” [ISO 13849-1 (2015), Section 5.2.6]


Other applications of dual-processor architectures

Designs similar to the one presented on this page can be created to achieve compliance with ISO 13849 and ISO 26262 (for various autonomous and / or off-road vehicles).

Please contact us for further details.


Outline design


The figure below illustrates an outline design for an OiP system that is intended to meet both ISO 13849 (Category 4 / PL e) and IEC 61508 (‘SIL 3’) requirements.


Building on a DuplicaTTor software framework (summarised in the figure below), this design employs two low-cost camera modules and appropriate processing to ensure that the machine can only move if there is an alert operator in the cab.


To achieve this, operations such as the following might be performed: [i] images of the cab would be checked against stored examples to confirm that the operator was in the correct seat position; [ii] images taken in sequence would be checked to confirm that the operator was moving about (a little), as would be expected of an alert person.

One of the design challenges here (we assume) is that the camera modules are ‘unqualified’: that is, they were not developed in compliance with an international safety standard (such as IEC 61508). Such components may still be suitable for use in a fail-safe design, provided that appropriate processing is performed on the camera outputs (to confirm their validity) before these outputs are used to support activities that may have safety implications. In addition to the higher-level processing outlined earlier in this section, the required tests would begin by checking that the images from the cameras were ‘plausible’: [i] a new image was provided by each camera module when requested; [ii] the image was not ‘blank’ (e.g. all ‘black’ or all ‘white’); [iii] the image was not identical to the previous image from the same camera; [iv] the images from the two cameras were consistent with one another. If any of these checks fails, the system cannot confirm that an alert operator is present, and the machine must be held in (or returned to) its safe state. In this design, we would aim to meet these requirements using a ‘TT Wrapper’.
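The following C code is an added illustration of the plausibility checks described above; it is not code from the original page, nor from the DuplicaTTor framework or any SafeTTy Systems product. It assumes a constructed frame format (tiny 8x8 greyscale images with a per-frame sequence counter from the camera module) and assumed threshold values; a real wrapper would use the actual image size and thresholds chosen for the application. The four checks (new frame delivered, not blank, not identical to the previous frame, the two cameras consistent) are implemented as a single decision that must pass in full before the machine may move; the higher-level checks on seat position and operator movement are not included.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: tiny 8x8 greyscale frames stand in for real camera images. */
#define IMG_W 8
#define IMG_H 8
#define IMG_PIXELS (IMG_W * IMG_H)

typedef struct {
    uint32_t seq;              /* frame counter supplied by the camera module (assumed) */
    uint8_t  px[IMG_PIXELS];   /* greyscale pixels, 0 = black, 255 = white */
} frame_t;

/* Per-camera state kept by the wrapper between task releases */
typedef struct {
    bool     have_last;
    uint32_t last_seq;
    uint8_t  last_px[IMG_PIXELS];
} cam_state_t;

/* Thresholds are assumed values chosen for this example, not figures from the page */
#define BLANK_SPREAD_MIN     8u    /* (max - min) below this: frame treated as blank   */
#define FROZEN_DIFF_MAX      0u    /* total |diff| vs previous frame <= this: frozen   */
#define PAIR_MEAN_DIFF_MAX   32u   /* mean |diff| between the two cameras > this: bad  */

typedef enum {
    PLAUS_OK = 0,
    PLAUS_STALE,        /* camera did not deliver a new frame when asked        */
    PLAUS_BLANK,        /* all black / all white / uniform                       */
    PLAUS_FROZEN,       /* identical to the previous frame from the same camera  */
    PLAUS_INCONSISTENT  /* the two cameras disagree about the cab                */
} plaus_t;

static uint32_t sum_abs_diff(const uint8_t *a, const uint8_t *b)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < IMG_PIXELS; i++) {
        sum += (uint32_t)abs((int)a[i] - (int)b[i]);
    }
    return sum;
}

static bool frame_is_blank(const frame_t *f)
{
    uint8_t lo = 255, hi = 0;
    for (size_t i = 0; i < IMG_PIXELS; i++) {
        if (f->px[i] < lo) lo = f->px[i];
        if (f->px[i] > hi) hi = f->px[i];
    }
    return (uint32_t)(hi - lo) < BLANK_SPREAD_MIN;
}

/* Single-camera checks [i]..[iii]; state is updated only when the frame is accepted */
plaus_t check_frame(cam_state_t *st, const frame_t *f)
{
    if (st->have_last && f->seq == st->last_seq) {
        return PLAUS_STALE;      /* same counter as last time: no new image */
    }
    if (frame_is_blank(f)) {
        return PLAUS_BLANK;
    }
    if (st->have_last && sum_abs_diff(f->px, st->last_px) <= FROZEN_DIFF_MAX) {
        return PLAUS_FROZEN;     /* counter advanced but the picture did not */
    }
    st->have_last = true;
    st->last_seq  = f->seq;
    memcpy(st->last_px, f->px, IMG_PIXELS);
    return PLAUS_OK;
}

/* Cross-camera check [iv]: the two views of the cab must roughly agree */
plaus_t check_pair(const frame_t *a, const frame_t *b)
{
    uint32_t mean = sum_abs_diff(a->px, b->px) / IMG_PIXELS;
    return (mean > PAIR_MEAN_DIFF_MAX) ? PLAUS_INCONSISTENT : PLAUS_OK;
}

/* Wrapper decision for one tick: true only if every plausibility check passed.
   Any failure yields false, i.e. the machine stays in its safe (stopped) state.
   The higher-level checks (operator seated correctly, moving a little) would
   follow in the real design and are not part of this example. */
bool oip_images_plausible(cam_state_t *s0, const frame_t *f0,
                          cam_state_t *s1, const frame_t *f1)
{
    plaus_t r0 = check_frame(s0, f0);
    plaus_t r1 = check_frame(s1, f1);
    if (r0 != PLAUS_OK || r1 != PLAUS_OK) {
        return false;
    }
    return check_pair(f0, f1) == PLAUS_OK;
}

/* Builds a constructed test frame: a horizontal gradient starting at 'base' */
void make_frame(frame_t *f, uint32_t seq, uint8_t base, uint8_t step)
{
    f->seq = seq;
    for (size_t i = 0; i < IMG_PIXELS; i++) {
        f->px[i] = (uint8_t)(base + step * (i % IMG_W));
    }
}
```

Note that the default outcome of `oip_images_plausible` is `false`: a stale, blank, frozen or inconsistent image is treated exactly like a missing operator, so a camera fault cannot on its own allow the machine to move. In a TT design this routine would be released at a fixed period, so a camera that stops answering shows up as repeated `PLAUS_STALE` results within a bounded number of ticks.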


If required, this design could be prototyped using a DuplicaTTor® Evaluation Board.


Related design examples

It might be argued that an OiP system similar to the one presented here should be included in all heavy vehicles that operate on public roads, and particularly in vehicles – such as passenger coaches and school buses – that carry passengers. Similarly, rail vehicles – including both trains and trams – may benefit from such a system (see figure below).
