En 13849 Compliance - Kohler Curtis F Series Manual

Curtis AC F2-A, F4-A, F6-A Motor Controllers – FOS 4.5 – April 2022

EN 13849 COMPLIANCE

Since January 1, 2012, conformance to the European Machinery Directive has required that the Safety
Related Parts of the Control System (SRPCS) be designed and verified upon the general principles
outlined in EN13849. EN13849 supersedes the EN954 standard and expands upon it by requiring
the determination of the safety Performance Level (PL) as a function of Designated Architecture
plus Mean Time To Dangerous Failure (MTTFd), Common Cause Faults (CCF), and Diagnostic
Coverage (DC). These figures are used by the OEM to calculate the overall PL for each of the safety
functions of their vehicle or machine.
The OEM must determine the hazards that are applicable to their vehicle design, operation, and
environment. Standards such as EN13849-1 provide guidelines that must be followed in order to
achieve compliance. Some industries have developed further standards (called type-C standards) that
refer to EN13849 and specifically outline the path to regulatory compliance. EN1175-1 is a type-C
standard for battery-powered industrial trucks. Following a type-C standard provides a presumption
of conformity to the Machinery Directive.
Curtis Enhanced AC Motor Controllers comply with these directives using advanced active
supervisory techniques. The basic "watchdog" test circuits have been replaced with a Supervisor
microcontroller that continuously tests the safety related parts of the control system; see the simplified
block diagram in Figure C-1.

Figure C-1: Supervisory system in the Curtis AC motor controller

The Supervisor and Primary motor control processors run diagnostic checks at startup and
continuously during operation. At startup, the integrity of the code and NV Memory are ensured
through CRC checksum calculations. RAM is pattern checked for proper read, write, and addressing.
During operation, the arithmetic and logic processing unit of each micro is cyclically tested through
dynamic stimulus and response. The operating system timing and task sequencing are continuously
verified. Redundant input measurements are crosschecked over 30 times per second, and operational
status information is passed between microprocessors to keep the system synchronized. Any faults in
these startup tests, communication timing, crosschecks, or responses will command a safe shutdown
of the controller, disabling the driver outputs and motor drive within 200 ms.
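
The startup integrity check and the runtime crosscheck described above, as an added C example; it is not Curtis firmware and not code from this manual. All names, the CRC-32 polynomial, the 30 ms check period, the ADC tolerance and the five-mismatch debounce are assumptions chosen so that a persistent disagreement disables the outputs in 150 ms, inside the 200 ms limit the manual states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed values (not from the manual); the lead-in explains the timing. */
#define CHECK_PERIOD_MS   30u   /* ~33 crosschecks per second */
#define SHUTDOWN_LIMIT_MS 200u
#define MAX_MISMATCHES    5u    /* consecutive failures before shutdown */
#define TOLERANCE_COUNTS  40u   /* allowed ADC disagreement (constructed) */
_Static_assert(MAX_MISMATCHES * CHECK_PERIOD_MS < SHUTDOWN_LIMIT_MS, "too slow");

typedef struct {
    uint32_t mismatches;    /* consecutive failed crosschecks */
    bool     outputs_on;    /* driver outputs enabled */
    bool     fault_latched; /* cleared only by a restart */
} supervisor_t;

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t image_crc32(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static void safe_shutdown(supervisor_t *s) {
    s->outputs_on = false;
    s->fault_latched = true;
}

/* Startup: enable outputs only if the image matches its stored CRC. */
bool supervisor_start(supervisor_t *s, const uint8_t *img, size_t n, uint32_t stored_crc) {
    *s = (supervisor_t){ .mismatches = 0, .outputs_on = true, .fault_latched = false };
    if (image_crc32(img, n) != stored_crc) safe_shutdown(s);
    return s->outputs_on;
}

/* Called every CHECK_PERIOD_MS with the two redundant readings of one input. */
bool supervisor_crosscheck(supervisor_t *s, uint16_t primary, uint16_t redundant) {
    if (s->fault_latched) return false;   /* a latched fault never self-clears */
    uint32_t diff = primary > redundant ? (uint32_t)(primary - redundant)
                                        : (uint32_t)(redundant - primary);
    s->mismatches = (diff > TOLERANCE_COUNTS) ? s->mismatches + 1u : 0u;
    if (s->mismatches >= MAX_MISMATCHES) safe_shutdown(s);
    return s->outputs_on;
}
```

The fault latch is the point of the design: once tripped, a later run of agreeing readings does not re-enable the outputs.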
To mitigate the hazards typically found in machine operations, EN13849 requires that safety functions
be defined; these must include all the input, logic, outputs, and power circuits that are involved in any
APPENDIX C