Fig. B-1: Supervisory System - Curtis 1222 Manual

APPENDIX B: EN13849 COMPLIANCE
Fig. B-1
Supervisory
system in Curtis 1222
Steering Controllers.
B-1
2 9 J A N U A R Y 2 0 1 3 D R A F T
Since January 1, 2012, conformance to the European Machinery Directive
has required that the Safety Related Parts of the Control System (SRPCS)
be designed and verified upon the general principles outlined in EN13849.
EN13849 supersedes the EN954 standard and expands upon it by requiring
the determination of the safety Performance Level (PL) as a function of Desig-
nated Architecture plus Mean Time To Dangerous Failure (MTTFd), Common
Cause Faults (CCF), and Diagnostic Coverage (DC). These figures are used by
the OEM to calculate the overall PL for each of the safety functions of their
vehicle or machine.
The OEM must determine the hazards that are applicable to their vehicle
design, operation, and environment. Standards such as EN13849-1 provide
guidelines that must be followed in order to achieve compliance. Some indus-
tries have developed further standards (called type-C standards) that refer to
EN13849 and specifically outline the path to regulatory compliance. EN1175-1
is a type-C standard for battery-powered industrial trucks. Following a type-C
standard provides a presumption of conformity to the Machinery Directive.
Curtis 1222 Steering Controllers comply with these directives using
advanced active supervisory techniques. A Supervisor microcontroller continu-
ously tests the safety related parts of the control system; see the simplified block
diagram in Figure B-1.
The Supervisor and Primary motor control processors run diagnostic checks
at startup and continuously during operation. At startup, the integrity of the
code and EEPROM are ensured through CRC checksum calculations. RAM is
pattern checked for proper read, write, and addressing. During operation, the
arithmetic and logic processing unit of each micro is cyclically tested through
dynamic stimulus and response. The operating system timing and task sequencing
are continuously verified. Redundant input measurements are crosschecked, and
operational status information is passed between microprocessors to keep the
system synchronized. Any faults in these startup tests, communication timing,
crosschecks, or responses will be detected within 100 ms.
APPENDIX B
EN13849 COMPLIANCE
Curtis 1222 Manual,
os 15