LION SAFE Remote I/O System - luetze LION SAFE Remote I/O System ... LION SAFE Remote I/O System...

LION SAFE Remote I/O System

LÜTZE TRANSPORTATION GMBH | Dimitrios Koutrouvis | V00


New Safety Requirements from Standards and Authorities

Governance

European Union (EU)

==> European Railway Agency (ERA)

==> Technical Specification for Interoperability (TSI)

==> Technical Requirements for Railway Industry

Standards

European Committee for Electrotechnical Standardization (CENELEC)

==> EN 50126 (RAMS) / EN50128 (SW) / EN50129 (HW)

==> safety requirements to electronic equipment for rolling stock

Actual Market Situation


New Safety Requirements from Train Manufacturers

Risk Analysis and Categorization of functions to a certain Safety Integrity Level

according to following steps:

system definition and function identification

Identification of danger situation

definition of safety integrity level

Examples for safety relevant functions:

dead-man's vigilance device: danger: train driver is unconscious

speed Indicator: danger: accidently too high speed

==> safety requirements to electronic equipment for rolling stock



What are Safety Functions on Trains? What does SIL2 mean?

Each function is executed in a process chain of several electronic devices:

25%* 12,5% 10%* 12,5% 40%*

10-6 > HR SYSTEM SIL2 > 10-7

Tolerable Hazard Rate (THR) has to be fulfilled depending on the SIL-Level!

LION target: HR = 2,5E-7

* 75% of the THR 10-7 can be distributed randomly between Sensor, VCU and Actuator


VCU SENSOR ACTUATOR OUTPUT INPUT


What are existing solution concepts?

redundancy of (non-safe) components

proven in use components

adapted solutions from the industry

specific safety networks

specific safety components

==> the railway industry needs a cost-effective solution which fulfils

normative, functional and safety requirements without additional efforts



Why are existing solution concepts not reasonable on a long-term view?

Safety has to be affordable, otherwise it will not be accepted

redundancy is too expensive 1-channel architecture would create great optimization potential

additional safety networks in parallel to the existing vehicle

communication network is too expensive the existing network must be used and extended with safety related functionality (safety

layer) / downward compatibility has to be guaranteed

compact safety I/O stations are too expensive, you have never the

appropriate number of I/O channels available safety functions should be scalable to the application / safety functions should be installed

decentralized in to the area of application they belong

Is there an economical way to realize SIL1 functions?



Why does the market need LION?

1-channel-architecture – no component redundancy is needed saving of space, weight and cost

certified system – SIL2 acc. EN50126, EN50128, EN50129 saving of homologation efforts

exclusively designed and developed for use in railway applications saving of homologation efforts

can be operated in existing network and needs just a safety layer saving of installation, weight and cost

combination of safety and non-safety components on the same station is

possible saving of installation, weight and cost

==> LION is a cost-effective solution which fulfils the normative, functional

and safety requirements without additional efforts, but a safety layer on

the field bus



Is there an economical way to realize SIL1 functions?

Assumptions from our customers:

80% of the functions on trains is not relevant in terms of safety (non-safe)

20% of the functions on trains is safety-relevant

==> 15% SIL1

==> 5% SIL2

In most cases the customer is using SIL2 components for SIL1 or they are

adapting applicative solutions with non-safe components.

==> LION is offering a scalable solution for SIL1 and SIL2!



LION is a scalable SAFE Remote I/O System

The user can the use the modular structure to adapt the composition of the I/O station to

the respective area of application in the train, by combining different available

modules regarding the tasks, functionalities and safety level.

Product Overview


How is LION able to combine safe and non-safe I/O at the same station?

safe L-Bus2 ensures the safe transport of safe I/O data

the non-safe modules are SIL0 (not non-SIL)

the hardware is absent of interaction by galvanic isolation

the software of the SIL0 modules is absent of interaction and developed

according to EN 50128

Product Overview


Which field buses are available for LION ?

The Bus Coupler is available in MVB and Ethernet

in preparation: TRDP (IEC 61375-3-4)

What is the solution for the Safety Layer?

Safety Layer: SDT (IEC 61375)

Product Overview


Product Description


LION unique feature

Safe (SIL2) and Non-Safe (SIL0) I/O Stations can be operated together on the

same field bus system, a separate network installation on the train for the

processing of safety-relevant signals is no longer necessary

Safe (SIL2) and Non-Safe (SIL0) modules can be operated together on the same

I/O station, a separate I/O station for the processing of safety-relevant signals is

no longer necessary

Safe functions in the train can be implemented by the modular structure only in

these areas, where the specific function is needed

Product Description


The following listed products are

part of the LION system.

The marked parts will be certified

for usage in safety-related

applications on trains.

* the use of a safety data transmission protocol is mandatory e.g. SDT

Product Variants

Part.-No. Type Description SIL-

Level

800101 LION-PS-24V-110V-72W Power Supply with input of DC 24V to

DC 110V and output DC 24V / 3A

SIL2

800102 LION-LC-M12 Line Coupler SIL0

800103 LION-PS-24V-110V-36W Power Supply with input of DC 24V to

DC 110V and output DC 24V / 1,5A

SIL2

803001 LION-BC-MVB Bus Coupler MVB SIL2*

803002 LION-BC-ETH Bus Coupler Ethernet SIL2*

803101 LION-DI16-24V-36V Digital Input module 16 channels,

DC 24V…36V

SIL0

803102 LION-DI16-72V-110V Digital Input module 16 channels,

DC 72V…110V

SIL0

803201 LION-RO8 Relay Output module 8 channels SIL0

803202 LION-DO16 Digital Output module 16 channels, 24V SIL0

803203 LION-DO8-24V-110V Digital Output module 8 channels,

24V to 110V

SIL0

803501 LION-DI16-DO8-S-LV Safety Digital Input Output Module LV,

DI 24-36V / DO 24V-110V

SIL2

803502 LION-DI16-DO8-S-HV Safety Digital Input Output Module HV,

DI 72-110V / DO 24V-110V

SIL2


Furthermore we plan the development of additional components:

SIL0-Modules

LION PLC

*Frequeny-/PWM Input

*electronic supply protection

*mixed modules analog, digital

…

SIL2-Modules

LION SAFE PLC

Safe Analog Inputs

*Frequency-/PWM Input

*Lamp-control and monitoring

…

*depending on project requests

Product Variants

Part.-No. Type Description SIL-

Level

803301 LION-AI4-U Analog Input module 4 channels, 0-10V SIL0

803302 LION-AI4-I Analog Input module 4 channels, 0-

20mA

SIL0

803303 LION-AI4-PT100 Analog Input module 4 channels,

PT100

SIL0

803304 LION-AI4-PT1000 Analog Input module 4 channels,

PT1000

SIL0

803401 LION-AO4-U Analog Output module 4 channels, 0-

10V

SIL0

803402 LION-AO4-I Analog Output module 4 channels, 0-

20mA

SIL0


SIL2 I/O module DI16/DO8 – Safe Inputs

Number of Input channels: 16

Number of potential groups: 4 (4 channels per group)

Configurable filter constant (1ms, 2ms, 5ms, 10ms, 20ms)

channel specific error indication (internal test pulses, indication of wrong configuration)

Safety concept for the safe reading of inputs in SIL2 functions:

o redundant / ambivalent (the testing und error detection has to be done in the PLC)

o the use of only one channel will be sufficient for SIL1 functions

Nominal voltage of input channels: 24...36V or 72…110V

Product Description


Safety concept Digital Inputs

The required safety integrity level of the digital inputs can be reached by the cooperation of the I/O Station

with the PLC.

The I/O module is transmitting process data and diagnostic data over the bus coupler of the I/O station to the

PLC by using a safe field bus system.

The PLC is evaluating the process data and the diagnostic information, decides about validity and is

performing if needed safety-related error response.

Errors can be detected by performing continuous diagnostic and self test functions within the digital input and

the bus coupler. Occurring Errors will force the safe state which means “zero-setting” of the input data in the

process data and will mark them in the diagnostic data.

Any dangerous (not controllable) error will force the I/O module to

the Failsafe state.

Product Description


SIL2 I/O Module DI16/DO8 – Safe Outputs

number of output channels: 8

number of potential groups: 8 (1 channel per potential group)

at 4 outputs there is the possibility to detect external voltage at the positive switching output channel

channel specific error detection (switching status of the outputs & transistors, test pulse analysis, overload,

short circuit, external voltage detection)

safety concept for the safe switching of the outputs for SIL2 functions:

plus/minus switching (2 output channels required)

safety concept for the safe switching of the outputs for SIL1 functions:

single-switching

nominal voltage range of the output channels: 24...110V

Product Description


Safety concept Digital Outputs

• The required safety integrity level of the digital outputs can be reached by the cooperation of the I/O Station

with the PLC.

• The I/O module is switching the outputs, is reading the diagnostic information and is testing the outputs and

transmitting diagnostic data over the bus coupler of the I/O station to the PLC by using a safe field bus system.

• The PLC knows the output application, the I/O module doesn't . For that reason the PLC has to decide about

the safety-related reaction depending on the diagnostic data

• Errors can be detected by performing continuous diagnostic and self test functions within the digital output and

the bus coupler. Occurring Errors will force the safe state which means “switch-off” of the output channels and

transmit the error information by the diagnostic data.

• any dangerous (not controllable) error will force the I/O module to the failsafe state and will “switch-off” the

output channels. The I/O module will also “switch-off” the output channels, in order

to protect itself (e.g. At short circuit, , overload and over-temperature)

Product Description


This overview drawing describes the use

of remote I/O stations inside of trains

after today‘s state of knowledge.

The user can connect the LION remote

I/O stations over a fieldbus e.g. MVB

or Ethernet TRDP to the VCU.

In order to ensure the safe transmission of

signals over the fieldbus, it is

mandatory to use a safe data

transmission protocol, e.g. SDT.

Safe (yellow) and non-safe (grey) I/O

modules can be operated on the

same station.

There is no restriction on the order of the

safe or non-safe modules as they can

be connected directly to the bus

coupler or over a line coupler.

Safety Architecture Models


Description:

Redundant reading of the signal by using

2 safe digital input channels inside of

one or two modules connected on

one or two bus couplers.

Applicable for modules with part.-no.

803501 and 803502

Safety Integrity Level: SIL2*

Remarks:

The user has to ensure, that the read

signals are checked on plausibility in

the VCU.


*SIL-Level depending on the HR of the complete system


Description:

Redundant reading of the ambivalent

signal by using 2 safe digital input

channels inside of one or two

modules connected on one or two

bus couplers.


803501 and 803502


Remarks:

The user has to ensure, that the read

signals are checked on plausibility in

the VCU.




Description:

Reading of the single signal by using 1

safe digital input channel inside of

one module connected on one bus

coupler.


803501 and 803502





Description:

Switching of plus and minus potential on

the actuator by using 2 safe digital

output channels inside of one or two

modules connected on one or two

bus couplers.


803501 and 803502


Remarks:

The user has to ensure, that the failure of

one of two output switching channels

are handled correctly in the VCU.




Description:

Switching of plus potential on the actuator

by using 1 safe digital switching

output channel with internal safe

read-back on one module connected

on one bus coupler.

^Applicable for modules with part.-no.

803501 and 803502


Remarks:

The user has to ensure, that the failure of

an output switching channel is

handled correctly in the VCU.




1. replace the existing I/O by the LÜTZE I/O system because of

cost

space

safety

2. use the LÜTZE I/O as a complement to the existing system e.g. under the driver's

desk

3. We are the experts for decentralized I/O modules

Customer Integration Strategy


LUETZE is a flexible company with competitive products

LUETZE products have a high quality and reliability

LUETZE systems are easy to configure

LUETZE products do not need the installation of a cabinet, the customer can

save space on the train

LUETZE products allow flexible mounting position

Customer Benefits


Technical Advantages

the modular structure enables the user to adapt the composition of the I/O station

to the respective area of application in the train, by combining different available

modules regarding the tasks and functionalities

where other systems need redundancy in order to realize a safety function, with

LION the user will save cost by implementing SIL2 safety with the one-channel-

structure

the flat design allows the mounting into places with limited space, e.g. under the

drivers desk or behind the wall panels

the system guarantees high availability and extended product life cycle by the use

of modern and rugged technology, e.g. the robust aluminum housing or the

connectors with gilded contacts

Sales Strategy


Commercial Advantages:

the modular structure enables the user to adapt the composition of the I/O

station to the respective area of application in the train, by combining different

available modules regarding the tasks and functionalities

scalable system, cost-effective in adapting SIL1 and SIL2 functions

high reliability, product is maintenance-free ==> low product cycle cost

long-term-availability of the product, no high risk of discontinuation

Quality Advantages:

high reliability

product is maintenance-free

developed for a long life, exclusively for railway applications

Sales Strategy


Software Tool Lütze LION Framework

I/O Station Configurator

MVB Slave Configurator

more extensions in preparations

Consulting Service Support of the customer during

planning / design-in

installation

commissioning

documentation

Customer training Contact persons:

Dimitrios Koutrouvis

Adam Dombek

Service

We are safe on track!

LION SAFE Remote I/O System - luetze LION SAFE Remote I/O System ... LION SAFE Remote I/O System...

Documents

Transcript of LION SAFE Remote I/O System - luetze LION SAFE Remote I/O System ... LION SAFE Remote I/O System...