In safety-relevant applications it must be ensured that the system poses no risk to people, including bystanders. Depending on the applicable standard, these functional safety requirements are divided into levels or stages. The international standard ISO 26262 "Road vehicles - Functional safety" has applied to electrical and electronic systems in series-produced motor vehicles since 2011; its 2018 edition extended the scope from passenger cars to trucks, buses and motorcycles. Certification in accordance with this automotive standard is not yet mandatory for mobile machinery, where industry-specific standards apply instead, such as ISO 25119 for agricultural and forestry machinery.
Nevertheless, machine operators and, above all, machine drivers expect their work machines to offer the same assistance and comfort functions as their private cars. Stefan Hohn, Product Manager Control Units at STW, explains: "Operators of construction or agricultural machinery spend a large part of their working day travelling from construction site to construction site or from field to field. The time on the road is naturally higher for municipal vehicles or emergency services. These machines should be no less safe or comfortable on the road than other road vehicles. That is why we certify our ESX.4 control systems in accordance with ISO 26262." Machine manufacturers therefore increasingly demand compliance with this standard, even though it is not yet binding, in order to meet operators' expectations and build future-proof systems.
How are the ASIL levels determined?
The standard defines four Automotive Safety Integrity Levels, ASIL A (lowest) to ASIL D (highest), plus QM (quality management) as the starting point: a QM rating means the hazard is covered by normal quality processes and the standard imposes no additional safety measures.
Each hazardous event is subjected to a risk analysis (the hazard analysis and risk assessment, HARA) and categorized on three parameters: the severity (S) of the potential harm if a fault occurs, the exposure (E), i.e. how often the driving situation in which the fault would matter occurs, and the controllability (C), i.e. how well the driver or other persons involved can avert the harm once the fault has occurred.
Severity, for example, ranges from S0 (no injuries) to S3 (life-threatening or fatal injuries). Severity alone does not determine the level, however: even a hazard rated S3 ends up in QM if the probability of the situation arising is close to zero and the situation remains controllable by the driver.
Typical ASIL D applications are automated steering and braking systems. They are active almost constantly (highest exposure), a malfunction such as unintended emergency braking can cause a fatal accident (highest severity), and the driver cannot correct the system's misbehaviour in time (not controllable). The highest class in all three parameters together yields ASIL D.
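The classification described above, as an added example (not STW code and not taken from the article): the S/E/C classes and the resulting ASIL table are those of ISO 26262-3 (Table 4), of which the article only names the severity end points. The hazardous events at the bottom are constructed illustrations chosen to match the article's braking and ACC examples, not a real HARA of any product.

```python
"""Hazard analysis and risk assessment (HARA) classifier per ISO 26262-3.

Added example for this article; it is not STW's code. The S/E/C classes and
the ASIL table follow ISO 26262-3 (Table 4). The hazardous events at the
bottom are constructed illustrations, not a real HARA of any product.
"""
from dataclasses import dataclass
from enum import IntEnum


class Asil(IntEnum):
    """Ordered so that max() picks the most demanding level. QM is not an
    ASIL: it means no ISO 26262 safety requirement applies."""
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


# ISO 26262-3 Table 4, transcribed: TABLE_4[S][E-1][C-1] for S1..S3, E1..E4, C1..C3.
TABLE_4 = {
    1: [["QM", "QM", "QM"], ["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"]],
    2: [["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"]],
    3: [["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"], ["B", "C", "D"]],
}


def determine_asil(severity: int, exposure: int, controllability: int) -> Asil:
    """Classify one hazardous event.

    severity        S0..S3 (S0 no injuries ... S3 life-threatening or fatal)
    exposure        E0..E4 (E0 incredible ... E4 high probability)
    controllability C0..C3 (C0 controllable in general ... C3 uncontrollable)

    Table 4 is equivalent to: no ASIL (QM) if any class is 0, otherwise
    ASIL = S + E + C - 6 when that is positive (7 -> A ... 10 -> D), else QM.
    """
    for name, value, upper in (("S", severity, 3), ("E", exposure, 4), ("C", controllability, 3)):
        if not 0 <= value <= upper:
            raise ValueError(f"{name}{value} is not a valid class")
    if 0 in (severity, exposure, controllability):
        return Asil.QM
    return Asil(max(0, severity + exposure + controllability - 6))


def sum_rule_matches_table() -> bool:
    """Cross-check: the arithmetic shortcut must reproduce the normative table
    cell by cell. Never trust the shortcut alone in a real assessment."""
    return all(
        determine_asil(s, e, c).name == TABLE_4[s][e - 1][c - 1]
        for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3)
    )


@dataclass(frozen=True)
class HazardousEvent:
    description: str
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> Asil:
        return determine_asil(self.severity, self.exposure, self.controllability)


def required_asil(events: list) -> Asil:
    """A safety goal inherits the highest ASIL of the hazardous events it
    covers; that is the level the item (e.g. a controller function) must meet."""
    return max((ev.asil for ev in events), default=Asil.QM)


# Constructed illustrations matching the article's examples (not a real HARA).
BRAKING_EVENTS = [
    HazardousEvent("unintended full braking at highway speed", 3, 4, 3),     # -> D
    HazardousEvent("loss of braking assistance at walking speed", 2, 2, 1),  # -> QM
]
ACC_EVENTS = [
    HazardousEvent("ACC fails to decelerate, driver can still brake", 3, 4, 2),  # -> C
]
# Severity S3, but the situation is almost never encountered (E1) and stays
# controllable (C1): the article's point that S3 alone does not force an ASIL.
LOW_EXPOSURE_EVENT = HazardousEvent("rare, controllable scenario with fatal potential", 3, 1, 1)  # -> QM

if __name__ == "__main__":
    assert sum_rule_matches_table()
    for ev in BRAKING_EVENTS + ACC_EVENTS + [LOW_EXPOSURE_EVENT]:
        print(f"{ev.asil.name:>2}  S{ev.severity} E{ev.exposure} C{ev.controllability}  {ev.description}")
    print("braking safety goal:", required_asil(BRAKING_EVENTS).name)
    print("ACC safety goal:", required_asil(ACC_EVENTS).name)
```

The `sum_rule_matches_table` check is the part worth keeping in a real tool: the additive shortcut is convenient for reasoning about which parameter to attack when arguing a lower level, but the normative table is what an assessor will compare against, so the two are held in the same file and verified against each other.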
High-performance compact controller with ASIL-B certification
With the latest platform release, STW has its ESX.4cm-a mobile controllers certified up to ASIL B as standard. The ESX.4cm-a has an Infineon AURIX multicore processor, four CAN bus interfaces and a managed Ethernet switch with two 100 Mbit/s Ethernet (100BASE-TX) and two Single Pair Ethernet (100BASE-T1) ports. The switch forwards traffic between its ports without loading the controller's processor, so large amounts of data can be exchanged without reducing the processing performance available to the application. A second, independent switch-off path reliably disconnects the outputs of the ESX.4cm-a; such a redundant shutdown path is mandatory for safety-related applications, so that a single fault in the primary path cannot leave the outputs energised. With a protection class of up to IP6K9K, the controller is suitable for use in the most adverse conditions.
"The ESX.4cm-a is a high-performance compact controller. It provides a total of 34 configurable analog and digital multifunctional inputs and also supports the SENT protocol. This makes it very flexible and means it can be used for a wide range of applications," explains Stefan Hohn. The standard ASIL-B certification is not the end of the story, however: in customer projects with a specific application, an ASIL-C certification can also be achieved with the ESX.4cm-a. Typical ASIL-B applications include the safe operation of camera and lighting systems; ASIL-C applications include adaptive cruise control.
Functionally safe portfolio
The ESX.4cm-a is not the only STW controller that fulfils the requirements of ISO 26262. When required, the entire ESX.4 family, from the ESX.4cs-gw to the ESX.4cl, can be TÜV-certified in accordance with the automotive standard. Stefan Hohn explains the background: "ISO 26262 is not yet binding for mobile machinery, so certification of the entire portfolio is not necessary at the moment. However, if the ESX.4cm-a is under- or oversized for a customer's requirements, we can make a suitable offer from our wide range of control systems and facilitate certification in line with the customer's requirements."
If you want to build a functionally safe system architecture outside the scope of ISO 26262, STW is still the right partner. As specialists in functional safety, the Kaufbeuren-based company has optimized the ESX.4 controllers for the requirements of all common standards for construction machinery, agricultural and forestry machinery, municipal and commercial vehicles. The mobile controllers are certified as standard up to SIL 2 (IEC 61508) / PL d (ISO 13849) or AgPL d (ISO 25119). Since openSYDE, the software platform for implementing, commissioning and analyzing the controllers, is itself already compliant up to SIL 2 / PL d, safety applications can be developed and integrated particularly efficiently and with little tool-qualification overhead for the user.
STW will be showcasing its innovations for agricultural machinery manufacturers at the Agrishow in Ribeirão Preto, the largest trade fair for agricultural technology in Brazil. Experts from STW will be there to meet visitors at the German Pavilion, G8d booth 3.