Hydraulic Mining Excavators

CAMP/ SIL – Electric System CAT-6060

07. Servo Controller – SIL Operation Manual

Dixio Torrez - 2016

What is SIL? Service Training

SIL means “Safety Integrity Level” and is based on the Standard IEC 61508 as well as IEC 61511. It serves
as evaluation of electric systems in relation of reliability in safety functions.
The safety integrity levels are divided in 4 steps. Level one is the lowest safety level.

The highest level we use on our excavators is safety integrity level 2 (SIL2)

SIL 1:

• safety function depends on reliability of Input

Signal
Logic
Signal
Output
components
• no measures for error detection of
components
• boosting efficiency against common
industrial environmental influences

SIL 2:
Monitoring Monitoring

• enforced testing of safety function at start Input

Signal
Logic
Signal
Output

and or cyclically
Monitoring

Monitoring
• no error detection between test interval
• no error detection in testing device
necessary Testing 2nd switch Output
• 2nd switch off path Device off path Testing

2
SIL on Caterpillar HM Excavators: Service Training

Only the swing function is SIL 2 relevant (see risk assessment down below)

high – Contribution to risk reduction - low

S = How severe is the possible
injury?

F = How often occurs the hazard and

how long is the exposure to the
hazard?

P = Is it possible to avoid that the

person is exposed to the hazard?

Graphic: Risk graph to ISO PLr = required performance level

13849

3
How does it work on HM Excavators? Service Training

The SIL System is monitoring the whole swing system with all its components like joysticks, proportional
valves etc.

In case of a problem regarding the swing system (missing hydraulic pressure, short circuit on sensor,
missing CAN-BUS signal etc.) the control lines from the swing pump will be interrupted and the swing
pump goes into neutral position which slows down the swing movement.

Joystick Signal 35 Joystick Signal

Swing Left bar Swing Right

-2Y30 -2Y31

x1 x2

A B

4
Swing Circuit: Neutral Service Training

25/1
Servo Control Block (LH – side- /26)
From 35 bar
Servoline

Not used (spare)

-2Y16 -2Y15

Charge
Tank Pump

Swing Pump

Swing
Motor
50 - 352 bar

22 bar Servo

35 bar Servo

Tank
5
Safety Integrity Level – SIL Service Training

From 35bar
Servoline

Not used- spare

2Y16 2Y15

-2B33
Servo Controlblock 26

-2B32
-2B17 -2B18
-2B31 Charge
Pump

Swing
Motor

CAMP 1
and 3
Swing Pump
SIL Contoller 2

1
-2Y31
3
2

-2Y30
-2B41 -2B39
-2B36
-2Y23 6
SIL System Overview Service Training

swing_press_lh
SIL2 / PLd components 400 bar (-2B17)

pressure_sensor = p
pressure_sensor_swi
_pump_control
100 bar (-2B31)
100 bar (-2B39)

= p = p
seat contact LH prop valve swing_pump_ctrl
(2S6) (-2Y15) releasing_valve
(-2Y30)
Y2 X5 X1

servo on
(2Y18)
= p balance valve swing pump 1st switch off
servo_press_30bar path
Y1 X6 X2
100bar (-2B33) swing_pump_ctrl
releasing_valve
servo_press _35bar
100 bar (-2B7)
= p
RH prop valve
(-2Y31)
(-2Y16)

= = p
p
CAN Servo
lever Controller
pressure_sensor
= pressure_sensor_swi
safety 100 bar (-2B32) p _pump_control
100 bar (-2B41)
swing_press_rh
swing park 400 bar (-2B18)
brake sw
(2S3, 2S3/1)

swing/tram
CV2 (-2Y23) = p
brake
cylinder
multi-disk
brake 2nd switch off
override sw
(2S5)
path
pressure_sensor
100 bar (-2B36)

ladder prox
switch (2B2) gearbox

7
SIL System on BCS Screen Service Training

If the system detects an error with the

swing function the swing circuit lock-out
screen pops-up on the main page
displaying the faulty component(s).

The pop-up window disappears after

touching anywhere in the window. It will
stay in the background until another fault
happens or the operator navigates to a
different screen and goes back to the
main screen.

To review the fault go to Servo-

Controller Menu (service level 1
required)

The system differentiates between 3 conditions:

(green) – OK
(yellow) – minor fault detected, 48 hours to solve problem before status changes to red and
safe stop sequence is initiated
(red) – major fault detected, safe stop sequence is initiated

The all-over status (green, yellow, red) of the swing circuit is displayed at the end of the chain
and correlates with the 3 conditions mentioned above
8
SIL System on BCS Screen Service Training

You can enter the SIL monitoring screen by using the first level password……………

9
SIL System on BCS Screen Service Training

……… or by pushing the swing break sign on the start screen!

10
Functional Modules Service Training

The following pages describe the interconnection inside the servo controller via software.

It is represented in so called functional modules:

And module:
The output is “high” if input 1 is “high” and input 2 is “high”

Input 1
Output
Input 2 &

Or module:
The output is “high” if input 1 is “high” or input 2 is “high”

Input 1
OR Output
Input 2

11
Functional Modules Service Training

Time delay module:

The output is “high” if input 1 is “high” for at least 15s

15s
Input 1 Output
Delay

Negation module:
The incoming signal will be swapped from “high” to “low” or from “low” to “high”
The output is “high” if input 1 is “low”/ The output is “low” if input 1 is “high”

Input 1 1 Output

12
Functional Modules Service Training

Memory module:
Input 1 sets the output. Input 2 will reset the output.

Input 1 S
Output
Q
Input 2
R

13
Swing Circuit Lock-Out Lever Service Training

Pedals
p/n:3743030

RH Lever
p/n:3743012

LH Lever
p/n:3743011

Attention:
– SIL2 compliant levers have no rotary
switch for address setting
– thumb wheel faces to the seat
– it is recommended to stock LH and RH
lever in case of a machine break down
– if box turns red, it is necessary to reset
the system by ignition switch or reset
button on the BCS

– address setting of foot pedals via rotary

switch (left ID2, middle ID3, right ID4)

14
 Swing Circuit Lock-Out Lever Service Training

-servo controller up and running

-timing problems

-CAN frame decoding problems (SC)

OR & -safe stop sequence is activated (event code 1680)
-event code 1661 is reported
(Servo controller - SIL Hand lever error)
-wrong levers or pedals used

15
Swing System Lock-Out CAN Safety Bus Service Training

16
 Swing System Lock-Out CAN Safety Bus Service Training

-servo controller up and running

-missing or wrong terminating resistor

-bad cable connection

OR & -safe stop sequence is activated (event code 1680)
-event code 1690 is reported
(CAN safety bus off error)
-CAN high and CAN low swapped

-short circuit to +24V

-short circuit to 0V (machine chassis)

-hand lever/ foot pedal signals

can’t be read or interpreted

17
Swing System Lock-Out PLC Servo Controller internal Error Service Training

Servo Controller is
housed in X1 cabinet
in the cascade room

Firmware problems can

be excluded if controller
is TÜV certified. Decal is
located on the small side
next to KS2

18
 Swing System Lock-Out PLC Servo Controller internal Error Service Training

-servo controller start-up

OR
-servo controller up and running
(during operation)

-controller hardware failures -safe stop sequence is activated (event code 1680)
-event code 1681 is reported
-over temperature
OR & (Servo Controller - Program Logic Error)
-all outputs are switched off by internal safety relays
-controller starts to beep (3 times 4kHz for 500ms)
-under voltage

-over voltage

-software problems

-wrong firmware

19
Swing System Lock-Out Swing Parking Brake Switch Service Training

Swing park brake switch

20
 Swing System Lock-Out Swing Parking Brake Switch Service Training

-servo controller up and running

-2S3 swing park brake switch

500ms
-safe stop sequence is activated
-2S3.1 swing park brake switch & Delay
OR & (event code 1680)
-event code 1662 is reported
(swing brake rocker switch error)

-2S3 swing park brake switch

1 500ms

-2S3.1 swing park brake switch & Delay

21
Swing System Lock-Out Swing Parking Brake Valve Service Training

-2B36

-2Y23

22
 Swing System Lock-Out Swing Parking Brake Valve Service Training

-servo controller up and running

-LH engine running >1500RPM

-RH engine running >1500RPM OR

-2Y23 swing park brake solenoid & -event code 1659 is reported
(Safety relevant warning: Slewing

-2B36 pressure sensor < 15bar

& will be disabled)

OR
-2Y23 swing park brake solenoid
1
-2B36 pressure sensor > 15bar
&

-safe stop sequence is activated

(event code 1680)
-event code 1663 is reported
48h (Swing brake valve error)
Delay

23
Swing System Lock-Out Swing Parking Break Sensor Service Training

-2B36

24
Swing System Lock-Out Swing Parking Break Sensor Service Training

-servo controller up and running

-event code 1664
(Cable Break - Swing park brake
pressure sensor) is reported
or
-event code 1665
(Short Circuit - Swing park brake
pressure sensor) is reported
and
& -event code 1659 is reported
(Safety relevant warning: Slewing
-2B36 pressure sensor > 21mA will be disabled)

OR
-2B36 pressure sensor < 3mA

-safe stop sequence is activated

48h (event code 1680)
Delay

25
Swing System Lock-Out Ladder Initiator Service Training

-2B2

26
 Swing System Lock-Out Ladder Initiator Service Training

-servo controller up and running

-2B2 boarding ladder sensor

2s -safe stop sequence is activated
-2B2.1 boarding ladder sensor & Delay
OR & (event code 1680)
-event code 1666 is reported
(Ladder top pos. switch error)

-2B2 boarding ladder sensor

1 2s
-2B2.1 boarding ladder sensor & Delay
1

27
Swing System Lock-Out Service Lift Proximity Switch Service Training

-2B38

28
 Swing System Lock-Out Service Lift Pressure/ Proximity Switch Service Training

-servo controller up and running

-2B38 tank lift sensor

2s -safe stop sequence is activated
-2B38.1 tank lift sensor & Delay
OR & (event code 1680)
-event code 1667 is reported
(Service lift switch error)

-2B38 tank lift sensor

1 2s
-2B38.1 tank lift sensor & Delay
1

29
Swing System Lock-Out Servo Pressure Sensor Service Training

Box turns yellow if:

– controller is up and running
– electrical problem is detected
 safety controller detects problem with pressure transducer
2B7

Caused by:
– cable break or short circuit of pressure tranducer 2B7
exist for more than 10 seconds

Reaction:
– set yellow status
– error code 1659 and 1668 or 1669 is reported
– start countdown of 48 hours to fix the problem
Checks function of pressure transducer 2B7
Box turns red if:
– problem with pressure transducer 2B7 was not fixed
within 48 hours

Reaction:
– safe stop sequence is activated
– event code 1680 is reported

30
Swing System Lock-Out Servo Pressure Sensor Service Training

-servo controller up and running

-event code 1668
(Cable Break - Servo pressure
35bar sensor) is reported
or
-event code 1669
(Short Circuit - Servo pressure
35bar sensor) is reported
and
& -event code 1659 is reported
(Safety relevant warning: Slewing
-2B7 pressure sensor > 21mA will be disabled)

OR
-2B7 pressure sensor < 3mA

-safe stop sequence is activated

48h (event code 1680)
Delay

31
Swing System Lock-Out Servo Valve Service Training

-2Y18

-2B7

32
 Swing System Lock-Out Servo Valve Service Training

-event code 1671

-servo controller up and running
(Permanent servo pressure
supply error) is reported
-LH engine running and
OR -event code 1659 is reported
-RH engine running (Safety relevant warning: Slewing
& will be disabled)

-2Y18 solenoid valve

1 & 800ms

-2B7 pressure sensor > 15bar Delay

-safe stop sequence

48h
is activated
Delay (event code 1680)
-servo controller up and running OR
-event code 1670
-LH engine running is reported
OR (No detectable servo
-RH engine running pressure supply error)
&
-2B7 pressure sensor > 20bar 500ms
Delay & S
-2Y18 solenoid valve
Q
-2Y18 solenoid valve Monitoring of servo pressure (2B7) starts after:
1 R • servo valve (2Y18) is energized and
• servo pressure (2B7) reached 20 bar for 500 ms
-2B7 pressure sensor < 15bar 1.5s
Slew park brake stays engaged otherwise
Delay
OR
-2B7 pressure sensor < 4bar 300ms
Delay
33
Swing System Lock-Out Swing Pilot Valve Service Training

-2Y15

-2B31 -2B32 -2Y16

34
 Swing System Lock-Out Swing Pilot Valve (too high pressure) Service Training

-servo controller up and running

-2Y18 solenoid valve (servo)

-2Y15 pilot valve swing left < 100mA 300ms

Delay
-safe stop sequence is activated
300ms (event code 1680)
-2B31 pilot pressure sensor > 4bar & Delay
OR & -event code 1672 is reported
(Swing pilot valves error -
Unexpected high pressure)
-2Y16 pilot valve swing right < 100mA 300ms
Delay

300ms
-2B32 pilot pressure sensor > 4bar & Delay

35
 Swing System Lock-Out Swing Pilot Valve (too low pressure) Service Training

-servo controller up and running

-2Y18 solenoid valve (servo)

-2Y15 pilot valve swing left > 300mA 300ms

Delay
-safe stop sequence is activated
300ms (event code 1680)
-2B31 pilot pressure sensor < 4bar & Delay
OR & -event code 1673 is reported
(Swing pilot valves error -
Unexpected low pressure)
-2Y16 pilot valve swing right > 300mA 300ms
Delay

300ms
-2B32 pilot pressure sensor < 4bar & Delay

36
Swing System Lock-Out Swing Pilot Pressure Sensor Service Training

-2B31

-2B32

37
Swing System Lock-Out Swing Pilot Pressure Sensor Service Training

-servo controller up and running

-event code 1674
(Cable Break - Swing pilot press
sensor) is reported
-2B31 pressure sensor > 21mA
or
-event code 1675
-2B31 pressure sensor < 3mA (Short Circuit - Swing pilot press
& sensor) is reported
-2B32 pressure sensor > 21mA OR and
-event code 1659 is reported
(Safety relevant warning: Slewing
-2B32 pressure sensor < 3mA will be disabled)

-safe stop sequence is activated

48h (event code 1680)
Delay

38
Swing System Lock-Out Balance Valve Pressure Supply Service Training

-2B33

39
Swing System Lock-Out Balance Valve Pressure Supply Service Training

-servo controller up and running

-LH engine running

-RH engine running OR -safe stop sequence is activated

(event code 1680)
-event code 1678 is reported
-2B33 pressure sensor > 20bar
500ms (No pressure supply (50bar)

-2Y18 solenoid valve & Delay

S
&
at pressure)

Q
-2Y18 solenoid valve
1 R

-2B33 pressure sensor < 15bar 500ms

Delay

Monitoring of pressure supply at balance valve

(-2B33) starts after:
• servo valve (2Y18) is energized and
• pressure (2B33) reached 20 bar for 500 ms

Slew park brake stays engaged otherwise

40
Swing System Lock-Out Balance Valve Pressure Supply Sensor Service Training

-2B33

41
Swing System Lock-Out Balance Valve Pressure Supply Sensor Service Training

-servo controller up and running

-event code 1676
(Cable Break - Servo pressure 50bar
sensor) is reported
or
-event code 1677
(Short Circuit - Servo pressure 50bar
sensor) is reported
& and
- safe stop sequence is activated
-2B33 pressure sensor > 21mA (event code 1680)

OR
-2B33 pressure sensor < 3mA

42
Swing System Lock-Out Control Pressure X1/ X2 Service Training

-2Y31 -2Y30

-2B39 -2B41

43
Swing System Lock-Out Control Pressure X1/ X2 Service Training

-servo controller up and running

-LH engine running

-event code 1683 (High pressure at

-RH engine running OR swing pump control release valves)

is reported
and
-event code 1659 is reported
- test procedure active (Safety relevant warning: Slewing
will be disabled)
-2Y30 solenoid safety valve
& &
1
-2Y31 solenoid safety valve
1
-2B39 pressure sensor > 5bar

-2B41 pressure sensor > 5bar

test procedure is performed

cyclically after 2 minutes
inactivity of LH lever

44
Swing System Lock-Out Control Pressure X1/ X2 Service Training

-2Y31 -2Y30

-2B39 -2B41

45
 Swing System Lock-Out Control Pressure X1/ X2 Service Training

-event code 1683 (High pressure at

swing pump control release valves) -event code 1679
is reported 48h
(Low pressure at swing pump
and Delay control release valves) is reported
-event code 1659 is reported or
(Safety relevant warning: Slewing -event code 1682
will be disabled) (Low pressure at all swing pump
-servo controller up and running control release) is reported
OR and
- safe stop sequence is activated
-LH engine running (event code 1680)

-RH engine running OR

-2Y30 solenoid safety valve

-2Y31 solenoid safety valve

&
-2B41 / -2B39 pressure sensor average < 10bar 1s
Delay
-2B39 pressure sensor > 15bar
500ms
S
-2B41 pressure sensor > 15bar & Delay

-2Y18 solenoid valve

-2Y18 solenoid valve

1 R Q 46
Swing System Lock-Out Control Pressure X1/ X2 Service Training

Monitoring swing pump control pressures (X1 and X2)

starts after

• servo valve (2Y18) is energized and

• all swing pump control pressures (X1 and X2) reached
15bar for 500ms after energizing servo valve solenoid

• Slew park brake stays engaged otherwise and cannot be released

Reason

Depending on excavator’s hydraulics x1/x2 pressures may need long

time (>5s) to come up over 15bar after starting one engine or
activating servo valve (2Y18).

47
Swing System Lock-Out Control Pressure Sensor X1/ X2 Service Training

-2B39

-2B41

48
Swing System Lock-Out Control Pressure Sensor X1/ X2 Service Training

-servo controller up and running

-event code 1684
(Cable Break - Swing pump control
press sensors) is reported
-2B39 pressure sensor > 21mA
or
-event code 1685
-2B39 pressure sensor < 3mA (Short Circuit - Swing pump control
& press sensors) is reported
-2B41 pressure sensor > 21mA OR and
-event code 1659 is reported
(Safety relevant warning: Slewing
-2B41 pressure sensor < 3mA will be disabled)

-safe stop sequence is activated

48h (event code 1680)
Delay

49
Wrap Up – Safe Stop Sequence Service Training

Joystick Fault

Can Safety Bus Fault

Swing Parking Break Switch Fault

Swing Parking Break Valve Fault (after 48h)

Swing Parking Break Sensor Fault (after 48h) OR

Ladder Sensor Fault

Service Lift Fault

Safe Stop Sequence
Servo Pressure Sensor Fault (after 48h)

Servo Valve Fault

Swing Pilot Valve Fault

Swing Pilot Valve Sensor (after 48h)

Balance Valve Supply

Balance Valve Supply Sensor

Control Pressure X1/ X2

Control Pressure Sensor X1/ X2 (after 48h)

50