This article was first published in ATZheavy duty worldwide
By Arno Purkrabek, Team Lead Product Management at TTControl
During the last few decades, mobile machinery has become increasingly efficient, more convenient to operate and, above all, safer. This evolution goes hand in hand with constant updates of regulations and standards. Manufacturers of off-highway vehicles face the challenge of complying with all of these regulations, such as ISO 26262:2018. In this article, TTControl discusses ISO 26262:2018 and demonstrates its application using the high-end controller TTC 580 as an example.
The ISO 26262 international standard for road vehicle functional safety, as defined by the International Organization for Standardization (ISO), aims to reduce possible hazards caused by failures and malfunctions of electrical and electronic systems. Originally a standard for the automotive market, it has been extended to vehicles weighing over 3.5 tons in the latest ISO 26262:2018 edition, making it now also applicable to off-highway vehicles with on-road use. So, the same level of safety that applies to cars also applies to, e.g., trucks, buses or mobile machinery like firefighting vehicles, garbage collection trucks or road sweepers.
One application where the ISO 26262:2018 standard applies is fire trucks. Rosenbauer, one of the largest manufacturers of firefighting vehicles, recently launched the first electrically powered fire truck, which has a fully electric drive, an innovative vehicle architecture and supports digital operation and full connectivity. The Rosenbauer ‘Revolutionary Technology’ (RT) firefighting vehicle is a response to global megatrends such as urbanization, climate and demographic changes. Each axle of the truck is powered by an electric motor, with a diesel engine in combination with a generator as a backup energy provider. This means that there is no clutch that could disconnect the drive train in any situation, which highlights the importance of a safety-certified electronic control unit.
Rosenbauer decided to use an electronic control unit that is certified according to the ISO 26262 standard for its upcoming Rosenbauer RT firefighting truck. The TTC 580 by TTControl acts as vehicle control unit (VCU) and as safety companion for the torque command on the Rosenbauer RT fire truck. This allows the vehicle to operate safely by guarding the whole torque chain, from throttle command down to the wheels. Both safety-related and non-safety-related code are executed on the same CPU. As the non-safe code shall not influence the safe code at run-time, “freedom from interference” has to be ensured as defined in ISO 26262-1: the absence of cascading failures between two or more elements that could lead to the violation of a safety requirement.
This freedom from interference is ensured by the safety driver library, which provides temporal separation (e.g. checking with a watchdog that unsafe code does not block execution of safe code) and spatial separation (e.g. protection of critical data with the MPU) between safe and unsafe code. Thanks to this demanding development, the TTC 580 guarantees that the functional safety code with Automotive Safety Integrity Level (ASIL) C guards the torque chain at all times without interference from the functional code.
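To make the temporal-separation idea concrete, here is an added host-side simulation (hypothetical code, not TTControl's safety driver library and not the TTC 580 firmware): an aliveness monitor in the role of the watchdog checks that the safe task keeps making progress, and raises a fault when non-safe code hogs the CPU long enough to starve it. The period, tick counts and task names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Deadline for the safe task: it must show progress at least every 10 ticks
   (assumed value; a real system derives it from the fault-tolerant time). */
#define SAFE_DEADLINE_TICKS 10u
#define SAFE_TASK_PERIOD_TICKS 5u   /* assumed nominal period of the safe task */

typedef struct {
    uint32_t alive_counter;         /* incremented by the safe task */
    uint32_t last_seen_counter;     /* last value observed by the monitor */
    uint32_t ticks_since_progress;  /* ticks since alive_counter last changed */
    bool     fault;                 /* latched once the deadline is missed */
} fdi_monitor_t;

static void monitor_init(fdi_monitor_t *m) { memset(m, 0, sizeof *m); }

/* Called from the safe task: proves that it actually executed. */
static void safe_task_kick(fdi_monitor_t *m) { m->alive_counter++; }

/* Called every tick from an independent (watchdog) context.
   Returns false once the safe task has been starved past its deadline. */
static bool monitor_tick(fdi_monitor_t *m) {
    if (m->alive_counter != m->last_seen_counter) {
        m->last_seen_counter = m->alive_counter;
        m->ticks_since_progress = 0;
    } else if (++m->ticks_since_progress > SAFE_DEADLINE_TICKS) {
        m->fault = true;            /* latched: demand the safe state */
    }
    return !m->fault;
}

/* Simulate `total_ticks` of a cyclic schedule in which a non-safe task hogs the
   CPU for `busy_ticks` consecutive ticks starting at `busy_start`, so the safe
   task cannot run in that window. Returns true if the monitor stayed healthy. */
bool simulate(uint32_t total_ticks, uint32_t busy_start, uint32_t busy_ticks) {
    fdi_monitor_t m;
    monitor_init(&m);
    for (uint32_t t = 0; t < total_ticks; t++) {
        bool nonsafe_hogging = (t >= busy_start && t < busy_start + busy_ticks);
        if (!nonsafe_hogging && t % SAFE_TASK_PERIOD_TICKS == 0)
            safe_task_kick(&m);     /* safe task gets its slot only when not blocked */
        if (!monitor_tick(&m))
            return false;           /* interference detected: safe task starved */
    }
    return true;
}
```

A short overrun that still leaves one safe-task slot inside the deadline window is tolerated, while a longer one is caught regardless of what the non-safe code was doing.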
Increasing efficiency, operator convenience and overall safety is only possible by adding more and more advanced technologies to mobile machinery. The number of automated and electronically controlled functions on mobile machinery is constantly increasing. What saves time and cost for the operator on the one side is, on the other side, a challenge for the manufacturers of mobile machinery, who are faced with increasing system complexity. To design and build an off-highway vehicle, a high number of specialists with expertise and know-how is needed. Let’s take safety as an example of such specialization: with the increasing number of regulations and standards, the safety design of mobile machinery is more and more a topic for highly experienced specialists with a lot of know-how about designing safe systems and about how to fulfill all the requirements. This high complexity leads to the trend that manufacturers of off-highway vehicles focus their development on the core features of their machinery and on how to differentiate from their competitors, and rely on suppliers that offer off-the-shelf products for electronics and software.
Reaching low failure rates of an electronic control system, and therefore the highest safety goals for the mobile machinery, is not only about getting the certification and documentation. It starts at the very beginning with the selection of the electronic components. TTControl’s development team, for example, puts a lot of effort into the analysis and selection of the individual electronic components used on the printed circuit board of the final product. Thorough performance and worst-case analysis, component stress analysis considering off-highway conditions, as well as failure rate calculations for every single electronic component are performed before it is selected for the final design. This ensures that the most reliable components are chosen to fulfill the required safety targets in the harsh off-highway environment. This dedication to the smallest electronic components in order to fulfill the highest safety standards of heavy mobile machinery like excavators, farm tractors or firefighting trucks also shows the increasing specialization and complexity in the design of off-highway vehicles. Therefore, companies like Rosenbauer choose technology partners for developing their innovative vehicles.
The development of electronic control units is not just about selecting the right components. The experience and know-how to design electronic products for the off-highway market is also an essential factor. It is the work of experienced hardware and software development engineers, accompanied by the capacity for extensive testing, that leads to a final product design certified by an independent notified body such as TÜV. When a safety-certified electronic control unit like the TTC 580 is in series production and ready for delivery, the work and service of the electronics supplier does not end. Any change of safety-critical functionality, be it due to obsolescence, further development or bug fixing, triggers the extensive testing and certification effort again.
Let’s take the example of the ISO 26262 standard again. The quite comprehensive ISO 26262:2018 standard differs significantly in how safety goals are reached and how failure rate calculations have to be done compared to other common standards in the off-highway market, like the IEC 61508, ISO 13849 and ISO 25119 safety standards. Not considering this at an early stage of the vehicle development process might end up in costly overruns of development budget and timeline. To avoid this, technology partners often provide advanced support for their customers. Besides the Safety Manuals, which explain how to design and operate the electronic control unit, TTControl for example also provides pre-calculated mission profiles. These mission profiles enable manufacturers of mobile machinery to calculate their overall failure rates in order to fulfill the requirements of the ISO 26262:2018 safety standard. In case the available pre-calculated mission profiles do not match the customer’s application, experienced Safety Managers from the partner can support by calculating a mission profile that specifically fits the customer’s application. If needed, the application development team of TTControl can also offer support for the safety analysis and safety architecture of the vehicle.
Another aspect that should not be underestimated is the impact of safety design on the development effort and timeline of mobile machinery. For manufacturers of off-highway vehicles, considering certification aspects when selecting electronic components for the overall machinery architecture is key to keeping system costs low and reaching a short time to market. Testing and validation processes typically account for 20 to 30 percent of the development costs. And this calculation does not even consider the risks in case non-certified components are selected and planned to be used for developing safety-related machine functions. It might, e.g., turn out during development that one component does not fulfill the failure rates needed to reach the required safety certification, which might force a complete re-design of the overall system, resulting in timeline overruns and high re-design costs. This is another reason that shows the advantage for vehicle manufacturers of procuring already safety-certified commercial off-the-shelf electronic control units.
One aspect that is often overlooked is that, as a side effect, safety also goes hand in hand with high reliability. The previously explained design and thorough testing of a safety-certified electronic control unit, starting with choosing the safest and therefore most reliable components, also leads to a high reliability of the control unit. And a highly reliable electronic control system in turn saves a lot of money for the operator by reducing the downtime of the mobile machinery. No matter if it’s an agricultural harvester in the harvesting season or a road paving machine on the highway construction site, operators expect the machine to reliably do its mission.
Now one might argue that what is true for the electronic control unit might not always be true from an overall systems perspective. Let’s imagine, for example, you have an excavator and the boom collides with a barrier, damaging a cable harness to an actuator and leading to a short circuit. A safely designed machine immediately performs a safety shutdown to avoid any danger to the surroundings from unintended machine movements. A non-safe machine, in contrast, would continue operation although the environment is endangered. So, in this example, high safety does not automatically lead to high reliability. For this case, the TTC 500 electronic control unit offers three different safety shutoff groups to save costs by reducing downtime without compromising safety. So, in the example of the excavator, only the working function related to the damaged cable goes into a safety shutoff while all other machine functions remain operational. Depending on the design of the machine, this allows work to continue or at least the machine to be driven to the nearest repair spot, which is why it is also called limp-home functionality.
Overall, safety-certified mobile machinery not only ensures the highest safety and reliability, it is often a critical advantage in the eyes of the customer and is regularly considered in tenders. Safety certification also reduces liability risks and recourse claims against the manufacturer in the event of damage. As there is no “one size fits all” electronic component, each OEM must still weigh the pros and cons based on their specific conditions and needs.