Open search

CAN Newsletter magazine

Decision support for functional safety encoders

If to use certified or non-certified functional safety products for safety-related applications is a hard question. In this article several technologies used in encoders are explained.

Application areas for the encoders are for example an aerial ladder (Photo: Fraba)

This article originally appeared in the March issue of the CAN Newsletter magazine 2019. This is just an excerpt.

Today, engineers have the choice of using certified or non-certified functional safety products for safety-related applications. This choice is not easy, and the task is likely to be influenced by considerations such as the availability of products, their cost, and the required integration effort. As well, the ability to react quickly to end-customer demands for machine adaptation can be critical to the final decision. Fraba has extensive experience in the development of safety products. In 2009, the company introduced their first SIL3 / PLe-rated encoders with a CANopen Safety interface.

This encoder was based a redundant design, with duplicate optical measurement systems. By comparing the output from these two systems, the device’s primary micro-controller (MCU) could detect errors or component failure with a sufficient level of certainty to meet SIL3 requirements. This system was implemented with a pre-certified micro-controller running the CANopen Safety stack. A second small MCU provided a monitoring function. With two redundant measurement modules, these devices were slightly longer than the company’s standard optical encoders and more expensive.

However, these devices offered important advantages over the use of two standard encoders to achieve redundancy, eliminating the need for duplicated couplings, mounting brackets, and cables. SIL3-rated encoders were available in single or multi-turn versions. More recently, Fraba developed a second generation of safety encoders as successor, designed to meet SIL2 / PLd requirements. These are based on magnetic measurement technology, which is less expensive than optical systems and better suited to harsh environmental conditions. They feature two redundant Hall sensors. These sensors measure the rotary position of a single magnet mounted on the encoder’s shaft and mechanical gearing.

Block diagram of a redundant diverse encoder (Photo: Fraba)

There are several MCUs that carry out signal conditioning for the two position sensor channels and verify the position values read by the two channels. Both single-turn and multi-turn models are available with CANopen Safety interface and Profisafe interfaces. CANopen is widely used for mobile and construction machines while Profisafe is important for manufacturing automation. A main advantage of the two encoders series described above is that they are easy to integrate into safety-critical systems.

The engineer can “trust” these safety-certified devices and the position values that they produce, leaving users to focus on the remainder of the application task. On the other hand, this ease of use has the drawback of reduced flexibility when handling failure situations. These sensors simply transmit an error code and switch off when a measurement discrepancy is detected. Safety requirements are fulfilled, but availability is gone. Customer specific requests for adaption build into the hardware and software, requiring extra effort for implementation, testing and documentation, is leading to less flexibility.

If you want to continue reading this article, you can download the PDF of Klaus Matzker. Or you download the full magazine. This is free-of-charge.


Publish date