Flow rates of up to 200 m³/h and vertical reaches of up to 70 m bring truck-mounted concrete pumps to their physical limits. The main objectives of new developments are to increase operating convenience, to extend the range of applications and to lower the operating costs. This is amongst other things achieved through the automation or partial automation of processes as well as through the development of additional convenience-related equipment (e.g. Ergonic® Boom Control). Due to the area of application and the fact that people are always present during operation, high safety requirements are placed on these functions. The challenge for every machine manufacturer is to fulfill the functional requirements with a simultaneous increase in safety whilst maintaining economic viability. Here, the company Putzmeister relies on the safety-certified, freely-programmable control device by Sensor-Technik Wiedemann GmbH (STW). A safety-certified ESX®-3XL, equipped with two safety-certified EB06 extension boards, is used. The control device forms the central component of the Ergonic 2.0® system by Putzmeister, which is responsible for the monitoring and control of the truck-mounted concrete pump.
Ergonic 2.0® system
Ergonic 2.0® is the latest microprocessor-supported system for the control of concrete pumps and booms by Putzmeister.
Using this, the working and movement ranges of the boom can be defined in complex and limited workspaces. The system ensures that these ranges are reliably adhered to. Additional operating safety is provided through the semi-automatic folding in and out of the boom. By using an actively-regulated damping system, the end hose vibrations are reduced by 33%; this leads to substantially smoother pumping characteristics even at full capacity.
Thanks to the computer-supported system, many electrical components could be dispensed with. In this way, the complexity of the switching cabinet could be reduced.
Safety control platform – a certified part of the microprocessor-supported Ergonic 2.0® system
For the tasks described above, Putzmeister was looking for a high-performance and flexible control device, which should be utilizable across the entire Putzmeister product range. In addition, the control device should offer the required flexibility and performance in order to safely cover the future requirements.
Of course, the control technology should fulfill the high environmental and climate requirements placed on construction machinery. In addition to extreme temperatures, the control device must also be able to cope with vibrations and impacts, and also be resistant to liquids such as water, oils, fuels, acids and even gases such as sulfur dioxide and hydrogen sulfide.
Using the 32-bit ESX®-3XL Safety control device by STW, which is certified in accordance with the DIN IEC 61508: SIL2 and DIN EN ISO 13849: PLd standards, a solution was found which more than fulfills these requirements (Fig. 4).
The control device is based on a 32-bit TriCore controller with a 150 MHz core, 4 MB RAM, 6 MB flash and 32 kB EEPROM. One outstanding feature of the ESX®-3XL is its scalability: because the control device can be extended at any time via extension boards, it grows flexibly with a project. The mainboard (without extension boards) has 52 control inputs and outputs. The basic version already provides 28 analog inputs and 28 digital or rpm inputs on multifunction pins. Digital outputs are provided as pulse-width-modulated power outputs, 8 rated at 4 A and 16 rated at 2.5 A. Three independent, stabilized power supplies are available as voltage outputs, for example for connecting sensors. The system can be extended via up to six slots to a maximum of 136 I/Os for additional inputs and outputs or other functionalities, which can be adapted almost completely freely to the customer's requirements. Four separate CAN bus interfaces according to CAN Specification 2.0 B and one RS232 interface are provided; further interfaces can be implemented via extension boards. The highly durable die-cast aluminum housing, with a Gore-Tex membrane for pressure compensation, is designed for mobile use. The unit fulfills the high requirements of protection class IP67; IP69K is also available. The compact, sealed housing offers a high level of protection against both electromagnetic interference and mechanical strain. The housing is connected via two 81-pole plugs suitable for mobile use, produced by Tyco / AMP. The permitted application temperature covers a wide range from –40 to +85 degrees Celsius. The control device is also tested in accordance with the standards and requirements of the construction machinery, vehicle and agricultural machinery industries and for CE conformity.
At the start of development, safety-orientated functionality was available only for the mainboard inputs and outputs. During the project, it became clear that the safe inputs and outputs provided on the mainboard were insufficient to cover all safety functions of the vehicle using only one central control device. For this reason, a safe extension board, the EB06 Safety, was developed in collaboration with Putzmeister on the basis of these safety requirements.
EB06 Safety – a certified all-rounder
The EB06 Safety was developed in accordance with the DIN IEC 61508 standards: SIL2 and DIN EN ISO 13849: PLd and provides the following safe input/output functionalities:
- 16 safe digital high-side outputs
- 16 safe digital or voltage inputs
- 2 safe analog power inputs
Up to 16 safe high-side outputs are fully diagnosable and suitable for realizing safety-critical functions with safety requirements up to SIL2/PLd.
Input signals can be safely read in different ways.
Digital input signals which have to fulfill SIL2/PLd requirements can be realized through a freely-selectable redundant combination of mainboard and EB06 inputs.
If a single-channel external switch is to be used, a SIL2/PLd signal can also be achieved with a single-channel digital mainboard input. For this purpose, the switch is supplied with a frequency signal generated by the EB06 Safety for diagnostic purposes. The output-to-input assignment can be freely selected. External resistors for diagnostic measurements are not required.
If only SIL1 or PLc is required for the safety-relevant functionality, it is generally sufficient to supply the external switch via a digital output of the EB06 Safety and to execute the appropriate start-up tests. External diagnostic resistors are not required.
In order to evaluate safe analog signals, each analog mainboard input can be combined with an analog EB06 Safety input and read in redundantly. The inputs to be used on the mainboard and the EB06 Safety are freely selectable. The safe analog current or voltage input combinations fulfill safety level SIL2/PLd.
In this way, the application has a total of 56 safe high-side outputs and 28 safe dual digital or voltage inputs available in the ESX®-3XL Safety control device.
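As an added illustration of the two digital input schemes described above (not code from STW or Putzmeister; all names, tick counts and tolerances are constructed assumptions), the following C model evaluates a dual-channel input, where one mainboard and one EB06 channel must agree within a discrepancy time, and a single-channel switch that is driven by a diagnostic test frequency so that an open switch, a closed switch and a wiring fault can be distinguished from the same raw samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not STW/Putzmeister code. Two ways to read a SIL2/PLd
 * digital signal:
 *  1. two redundant channels (mainboard + EB06 input) that must agree; a short
 *     discrepancy is tolerated, a longer one is declared a fault;
 *  2. a single-channel switch fed with a test frequency from an EB06 output,
 *     so a stuck line or a bypassed switch is detected without extra resistors. */

#define DISCREPANCY_TICKS 3u   /* ticks the two channels may disagree (assumed) */

typedef enum { SIG_OFF = 0, SIG_ON = 1, SIG_FAULT = 2 } safe_signal_t;

typedef struct {
    unsigned mismatch_ticks;   /* consecutive ticks in which the channels differed */
} redundant_input_t;

/* One evaluation tick of a dual-channel input. While the channels disagree the
 * safe (de-energized) state is reported; after DISCREPANCY_TICKS the input is faulty. */
safe_signal_t redundant_input_eval(redundant_input_t *st, bool ch_main, bool ch_eb06)
{
    if (ch_main == ch_eb06) {
        st->mismatch_ticks = 0;
        return ch_main ? SIG_ON : SIG_OFF;
    }
    if (++st->mismatch_ticks > DISCREPANCY_TICKS)
        return SIG_FAULT;
    return SIG_OFF;
}

/* Feed a tick sequence through a fresh evaluator and return the last result. */
safe_signal_t redundant_input_run(const bool *ch_main, const bool *ch_eb06, size_t n)
{
    redundant_input_t st = {0};
    safe_signal_t r = SIG_OFF;
    for (size_t i = 0; i < n; i++)
        r = redundant_input_eval(&st, ch_main[i], ch_eb06[i]);
    return r;
}

/* Single-channel switch diagnosed by a test frequency: the EB06 output drives a
 * square wave through the switch into a mainboard input. 'samples' is a window
 * of raw input samples; 'expected_edges' is the number of edges the test wave
 * produces in that window (+/-1 tolerance). */
safe_signal_t single_channel_eval(const bool *samples, size_t n, size_t expected_edges)
{
    size_t edges = 0, highs = 0;
    for (size_t i = 0; i < n; i++) {
        highs += samples[i] ? 1u : 0u;
        if (i > 0 && samples[i] != samples[i - 1])
            edges++;
    }
    if (highs == 0) return SIG_OFF;     /* open switch: the test wave does not arrive */
    if (highs == n) return SIG_FAULT;   /* stuck high: short to supply or bypassed switch */
    if (edges + 1 < expected_edges || edges > expected_edges + 1)
        return SIG_FAULT;               /* wrong frequency: wiring or driver fault */
    return SIG_ON;                      /* closed switch: test wave reproduced */
}

int main(void)
{
    /* constructed 8-sample windows of the diagnosed single-channel input */
    const bool closed[8]  = {0, 1, 0, 1, 0, 1, 0, 1};   /* 7 edges, as expected */
    const bool open_sw[8] = {0, 0, 0, 0, 0, 0, 0, 0};
    const bool shorted[8] = {1, 1, 1, 1, 1, 1, 1, 1};
    const bool wrong_f[8] = {0, 0, 1, 1, 0, 0, 1, 1};   /* only 3 edges */
    printf("closed=%d open=%d shorted=%d wrong_f=%d\n",
           single_channel_eval(closed, 8, 7), single_channel_eval(open_sw, 8, 7),
           single_channel_eval(shorted, 8, 7), single_channel_eval(wrong_f, 8, 7));

    /* constructed dual-channel tick sequences: EB06 channel drops out for 4 ticks */
    const bool main_ch[5] = {1, 1, 1, 1, 1};
    const bool eb06_ch[5] = {1, 0, 0, 0, 0};
    printf("redundant after 3 mismatches=%d, after 4=%d\n",
           redundant_input_run(main_ch, eb06_ch, 4), redundant_input_run(main_ch, eb06_ch, 5));
    return 0;
}
```

The discrepancy tolerance covers the normal switching skew between two channels; anything longer is treated as a channel failure rather than a valid state, and the safe state is reported for the whole disagreement window.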
The Ergonic 2.0 System executes both safe and non-safe functionalities.
If software functions with different SIL assessments are executed on one control device, the entire application software must be developed in accordance with the highest SIL unless suitable independence can be demonstrated through temporal and spatial separation. Because safety-orientated development represents a major cost factor in creating the product, one of the main requirements on the control device was to provide this independence of safe (yellow) and non-safe (grey) software functions. The spatial and temporal independence is implemented in the ESX®-3XL Safety through the following mechanisms.
Spatial separation of yellow and grey SW functions:
The spatial separation is guaranteed by memory protection. Its aim is to divide global and static data into separate areas and to check write accesses to these areas so that only yellow functions have write access to safety-relevant data.
The MPU allows global and static data to be placed in three independent memory areas: System, Safety and Standard. Code, in turn, executes at one of three authorization levels (System, Safety or Standard). Every level has read access to all data areas. The System level is reserved for internal system functions; System functions have write authorization in all three memory areas. The Safety level has write access to the Safety and Standard data areas.
Grey functions executed in the Standard level only have write authorization in Standard data areas. This ensures that grey software functions executed in the Standard level cannot influence yellow data.
The software executed in the System and Safety levels possesses safety-relevant functionality such as the operation of safe outputs, and must therefore be developed, verified and documented in accordance with the applicable safety standard. Functions executed in the Standard level need only comply with the respective company-internal quality standards.
The level at which a function executes is determined by the STW task system, which provides Safe tasks and Standard tasks in which the respective software components run independently and sequentially.
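The following C model is an added illustration of the three-area write-protection scheme just described; it is not STW code, and the variable names, values and the "grey display function" scenario are constructed assumptions. A real MPU enforces the matrix in hardware and raises a trap on violation; here the violating write is discarded and counted so the effect on the protected data can be observed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the three-area memory protection, not STW code.
 * Data is assigned to a System, Safety or Standard area; code runs at a
 * System, Safety or Standard level; every level may read every area and
 * write permission follows the matrix below. */

typedef enum { LVL_SYSTEM = 0, LVL_SAFETY = 1, LVL_STANDARD = 2 } exec_level_t;
typedef enum { AREA_SYSTEM = 0, AREA_SAFETY = 1, AREA_STANDARD = 2 } mem_area_t;

/* write_allowed[level][area]: System writes everywhere, Safety writes the
 * Safety and Standard areas, Standard writes only the Standard area. */
static const bool write_allowed[3][3] = {
    /*             System  Safety  Standard */
    /* System   */ { true,  true,   true  },
    /* Safety   */ { false, true,   true  },
    /* Standard */ { false, false,  true  },
};

typedef struct {
    mem_area_t area;    /* area the variable was placed in at link time */
    int32_t    value;
} protected_var_t;

typedef struct {
    unsigned     violations;   /* number of rejected writes */
    exec_level_t last_level;   /* level that attempted the last rejected write */
    mem_area_t   last_area;    /* area it targeted */
} mpu_t;

/* Read access is permitted for every level. */
int32_t mpu_read(exec_level_t level, const protected_var_t *v)
{
    (void)level;
    return v->value;
}

/* Write access is checked against the matrix; on violation the write is
 * discarded and the event recorded (a real MPU would trap here). */
bool mpu_write(mpu_t *mpu, exec_level_t level, protected_var_t *v, int32_t value)
{
    if (!write_allowed[level][v->area]) {
        mpu->violations++;
        mpu->last_level = level;
        mpu->last_area  = v->area;
        return false;
    }
    v->value = value;
    return true;
}

/* Constructed scenario: a grey (Standard-level) display function reads a boom
 * working-range limit owned by the yellow software and then tries to raise it.
 * Returns the limit as it stands afterwards. */
int32_t scenario_grey_writes_safety_data(mpu_t *mpu)
{
    protected_var_t boom_limit_cm  = { AREA_SAFETY,   3500 };   /* yellow data (assumed) */
    protected_var_t display_bright = { AREA_STANDARD,   50 };   /* grey data (assumed) */

    /* yellow function may set the limit and may also update grey data */
    mpu_write(mpu, LVL_SAFETY, &boom_limit_cm, 3000);
    mpu_write(mpu, LVL_SAFETY, &display_bright, 80);

    /* grey function: reading is allowed, the write to yellow data is rejected */
    int32_t seen = mpu_read(LVL_STANDARD, &boom_limit_cm);
    mpu_write(mpu, LVL_STANDARD, &boom_limit_cm, seen + 1000);
    mpu_write(mpu, LVL_STANDARD, &display_bright, 60);       /* allowed */

    return boom_limit_cm.value;   /* unchanged by the grey function: 3000 */
}

/* Number of violations the scenario produces (exactly one). */
unsigned scenario_violation_count(void)
{
    mpu_t mpu = {0};
    scenario_grey_writes_safety_data(&mpu);
    return mpu.violations;
}

int main(void)
{
    mpu_t mpu = {0};
    int32_t limit = scenario_grey_writes_safety_data(&mpu);
    printf("boom limit after grey write attempt: %d cm, violations: %u (level %d -> area %d)\n",
           limit, mpu.violations, mpu.last_level, mpu.last_area);
    return 0;
}
```

The point of the model is the asymmetry of the matrix: a yellow function may legitimately update grey data (a display value, for instance), but nothing running at the Standard level can alter the data on which the safe outputs depend, so the grey code need not be developed to the safety standard.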
Temporal separation of yellow and grey SW functions:
The aim of the temporal separation is to ensure that grey functions do not influence the runtime characteristics of yellow functions.
The required temporal independence is provided by a watchdog controller and the above-mentioned STW task system, which prioritizes the available tasks.
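As an added simulation of the temporal separation described above (not STW's task system or watchdog; the cycle time, budgets, timeout and task functions are constructed assumptions), the following C code runs the yellow task first in every cycle, lets a budget monitor cut the grey task off at its slot boundary, and has the watchdog served only by the yellow task. Running it with the budget monitor switched off shows how a runaway grey function would otherwise delay the yellow task until the watchdog trips.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation of temporal separation, not STW code. Time is
 * simulated in microseconds; each task function returns the execution time
 * it "consumed" in the current cycle. */

#define CYCLE_US        10000u   /* 10 ms task cycle (assumed) */
#define SAFE_BUDGET_US   3000u   /* slot reserved for the safe task */
#define STD_BUDGET_US    5000u   /* slot granted to the standard task */
#define WDG_TIMEOUT_US  15000u   /* watchdog trips if not served within 15 ms */

typedef uint32_t (*task_fn)(void);

typedef struct {
    uint32_t now_us;
    uint32_t last_wdg_service_us;
    bool     wdg_tripped;     /* a controller reset would follow */
    unsigned safe_overruns;   /* safe task exceeded its own budget */
    unsigned std_overruns;    /* standard task hit its budget limit */
} sched_t;

static void wdg_check(sched_t *s)
{
    if (s->now_us - s->last_wdg_service_us > WDG_TIMEOUT_US)
        s->wdg_tripped = true;
}

/* One cycle. With enforce_budget == false there is no budget monitor, so a
 * runaway grey task simply delays everything that follows it. */
void sched_cycle(sched_t *s, task_fn safe_task, task_fn std_task, bool enforce_budget)
{
    /* 1. yellow task runs first, at the highest priority, and serves the watchdog */
    uint32_t t = safe_task();
    if (t > SAFE_BUDGET_US)
        s->safe_overruns++;
    s->now_us += t;
    s->last_wdg_service_us = s->now_us;

    /* 2. grey task gets the remaining slot; the monitor stops it at the limit */
    t = std_task();
    if (t > STD_BUDGET_US) {
        s->std_overruns++;
        if (enforce_budget)
            t = STD_BUDGET_US;
    }
    s->now_us += t;

    /* 3. idle until the next cycle boundary, then verify the watchdog */
    uint32_t rem = s->now_us % CYCLE_US;
    if (rem)
        s->now_us += CYCLE_US - rem;
    wdg_check(s);
}

/* Run 'cycles' cycles from a fresh state; returns whether the watchdog tripped. */
bool simulate(unsigned cycles, task_fn safe_task, task_fn std_task,
              bool enforce_budget, sched_t *out)
{
    sched_t s = {0};
    for (unsigned i = 0; i < cycles; i++)
        sched_cycle(&s, safe_task, std_task, enforce_budget);
    if (out)
        *out = s;
    return s.wdg_tripped;
}

/* constructed task functions */
static uint32_t demo_safe_task(void)        { return 2000;  }   /* 2 ms working-range check */
static uint32_t demo_std_task_ok(void)      { return 4000;  }   /* 4 ms display update */
static uint32_t demo_std_task_runaway(void) { return 40000; }   /* 40 ms: grey task stuck in a loop */

int main(void)
{
    sched_t s;
    bool tripped = simulate(3, demo_safe_task, demo_std_task_runaway, false, &s);
    printf("no budget monitor, runaway grey task: watchdog tripped = %d\n", tripped);
    tripped = simulate(3, demo_safe_task, demo_std_task_runaway, true, &s);
    printf("budget monitor active, runaway grey task: watchdog tripped = %d, std overruns = %u\n",
           tripped, s.std_overruns);
    return 0;
}
```

In a real preemptive task system the yellow task would interrupt the grey one rather than wait for a slot boundary; the simulation keeps the cooperative form to make the timing arithmetic visible. The watchdog is the last line of defence: it is only reached if both prioritization and budget monitoring have failed to keep the yellow task on schedule.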
By extending the ESX®-3XL Safety with the safety-orientated EB06 Safety extension board, together with the memory protection already built into the control device, it has been possible in this project to combine the functional safety requirements and economic viability in the best possible way.