Moving airplanes safely with STW control technology

At the “Inter Airport Europe 2015”, the company Goldhofer presented the new generation of its high-speed towing aircraft tractor, the AST-2P/X. With the AST-2P/X, the majority of popular airplanes can be moved, from the Embraer 170 right up to the Boeing B777-300ER and the Airbus A340.

The fourth-generation AST 2 is characterized by a new, compact and modular vehicle concept. The hydrostatically driven steering axle delivers optimum traction, even with a low superimposed load. Customers can choose between two engine powers. The vehicle features a 3-circuit braking system which optimally distributes the braking force for maximum stability and safety. The engines fulfill all required international emission standards, Euro IIIa or IVf. The airplane power supply during towing operation is ensured via a Ground Power Unit (GPU), which can be retrofitted into each of these vehicles. Operations on airport aprons involve long waiting periods; this cost-saving potential has been exploited through the installation of an automatic start-stop function. This not only substantially reduces diesel consumption; tractor maintenance costs also go down, since maintenance intervals depend directly on operating hours. For the customer these are further modules towards a lower “Total Cost of Ownership” (TCO).

Drive Line Controller (DLC)

A central component of the system is the diesel-hydraulic drive system. It is built on a pump and two hydraulic motors, which drive a differential steering axle via a summation gearbox. Pump and motors are controlled with electrical proportional adjustment. The energy for the drive system is supplied by a 231 kW (optional: 283 kW) Cummins QSL9 diesel engine.

The drive system is controlled by the Drive Line Controller (DLC). The DLC is responsible for the entire drive management and for the airplane type-dependent tensile force limitation. During the towing process, only a limited tensile force may be applied to the nose wheel. The tensile force limitation in the DLC is realized through a dynamic, airplane type-dependent high-pressure regulation. In addition, the DLC is responsible for the automatic start-stop function.

Selection of the DLC control platform

For the selection of the drive control, the focus was on a flexible, high-performance control unit capable of reliably executing the safety-relevant functionalities. The control unit should be adaptable to other aircraft tractor types and provide the performance required to safely cover current and future requirements. A solution was found in the 32-bit control unit ESX-3XL Safety from Sensor-Technik Wiedemann (STW). The ESX-3XL is certified according to the standards DIN IEC 61508: SIL 2 and DIN EN ISO 13849: PL d.

The control unit is based on a 32-bit TriCore controller with a 150 MHz core, 4 MB RAM, 6 MB Flash and 32 kB EEPROM. In addition to the flexible adaptation possibilities of the basic version – e.g. all inputs can be configured via the init functions as current/voltage/digital or rpm inputs – the possibility to extend the device via expansion boards is an outstanding feature of the ESX-3XL. Because the control unit can be configured with up to six of these boards, it simply grows flexibly with the project. At the moment, 14 expansion board versions are available, featuring different inputs and outputs, additional RS232/RS485/CAN interfaces and a programmable Linux system including Ethernet and USB. Generally, development environments for programming in “C”, Matlab and CODESYS are available. For the development of the DLC, the development environment CODESYS in the version CODESYS SAFETY SIL2 was chosen.

DLC safety functions

In accordance with the applied standards, a risk analysis of the drive functionalities was carried out, which resulted in a required safety level of AgPLr >= c for several functions.

Safety-orientated development represents a substantial cost factor during product development and during maintenance of the subsequent product. Therefore, particular attention was paid during drafting of the technical safety concept to a clear and unambiguous definition of the safety functions and their assignment to the appropriate software components. The focus was placed on keeping safety-relevant parts as simple as possible and creating clear interfaces between safety-relevant and non-safety-relevant software parts. In the software architecture, this is reflected in corresponding safety-relevant and non-safety-relevant modules. The clear assignment of functionalities and the precise definition of the interface between the two software worlds is always worthwhile. But it will only lead to cost reductions for development and maintenance if the separation of the different software components is supported by the hardware.

IEC 61508-3, 7.4.2.9 requires that software parts with different safety classifications running on one control unit be developed in accordance with the highest safety level, unless they are sufficiently independent through temporal and spatial separation. The ESX-3XL control unit supports temporal and spatial independence of application parts by providing appropriate memory protection and watchdog functionalities. With the supplied safety mechanisms, software with different safety requirements can be executed independently on the ESX-3XL. This opens up the possibility for the development team to develop the non-safety-relevant parts of the application in accordance with a simplified development and verification process.

Safe DLC parameterization

The objective was to guarantee a standards-compliant parameterization of the DLC. In addition, it was necessary to verify that parameter changes to non-safety-relevant application parts would not have any effect on the safety-relevant application parts, in order to keep the required validation and verification expenses as low as possible here, too.

Every additional parameter introduces additional complexity and additional error sources, and therefore increased validation and verification expenses. Accordingly, attention was paid in the specification and design of the safety-relevant modules to limit the number of parameters to a minimum.

The clear delineation between safety-relevant and non-safety-relevant application parts provided the basis for dividing the parameterization into a safety-relevant and a non-safety-relevant part.

The process of safe parameterization is supported via the ESX-KEFEX Toolchain. This Toolchain is part of the ESX-3XL development environment and comes with a detailed user and safety manual. The KEFEX Toolchain has been certified for use in projects with safety requirements in accordance with DIN IEC 61508: SIL 2 and DIN EN ISO 13849: PL d.
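As an added illustration (not STW or Goldhofer code, and not the ESX-KEFEX or CODESYS API), the C sketch below shows the pattern behind the tensile force limitation and the safe parameterization described above: the safety-relevant module reads only a minimal, CRC-protected parameter block, while non-safety parameters live in a separate block it never touches, so changing them cannot alter the force limit. Aircraft type indices and limit values are constructed placeholders.

```c
/* Illustrative sketch, not STW/Goldhofer code: safety-relevant tensile force
 * limitation driven by a minimal, CRC-protected parameter block. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Safety-relevant parameters: a single value, integrity-protected by a CRC. */
typedef struct {
    uint8_t  aircraft_type;   /* index into TENSILE_LIMIT_KN */
    uint16_t crc;             /* CRC-16/CCITT over aircraft_type */
} safety_params_t;
/* Non-safety-relevant parameters live in a separate block that the
 * safety function never reads, so changes here cannot affect the limit. */
typedef struct {
    uint16_t stop_idle_seconds;   /* automatic start-stop idle timeout */
} comfort_params_t;
/* Constructed per-type tensile force limits in kN (placeholder values). */
static const uint16_t TENSILE_LIMIT_KN[] = { 60, 120, 200 };
#define N_TYPES (sizeof TENSILE_LIMIT_KN / sizeof TENSILE_LIMIT_KN[0])

uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Builds a valid block, as a parameterization tool chain would. */
safety_params_t make_safety_params(uint8_t type) {
    safety_params_t p = { type, 0 };
    p.crc = crc16_ccitt(&p.aircraft_type, 1);
    return p;
}

/* True only if the block is intact and names a known aircraft type. */
bool safety_params_valid(const safety_params_t *p) {
    return p->aircraft_type < N_TYPES
        && crc16_ccitt(&p->aircraft_type, 1) == p->crc;
}

/* Clamps the force demand coming from the non-safety drive logic to the
 * type limit; an invalid parameter block yields the safe state (zero force). */
uint16_t limit_tensile_force(const safety_params_t *p, uint16_t demand_kn) {
    if (!safety_params_valid(p)) return 0;
    uint16_t max = TENSILE_LIMIT_KN[p->aircraft_type];
    return demand_kn > max ? max : demand_kn;
}
```

A tampered or corrupted block fails the CRC check and drives the output to the safe state rather than applying a limit that was never validated.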

System Support

The entire development process (risk analysis, hardware assignment, preparation of safety concept, software architecture, implementation, verification) has been realized in close coordination between STW and Goldhofer, which has resulted in a safe, maintainable and optimally tuned drive system.

Relevant products

The ESX-3XL, which is certified in compliance with the DIN IEC 61508: SIL 2 and DIN EN ISO 13849: PL d standards, acts as a driveline controller and controls the tensile force limitation as well as the automatic start-stop system. The ESX is parameterized via the STW Toolchain to enable it to fulfill all safety specifications.