Functional Safety for Machinery
Date posted: 13-Nov-2014
Category: Documents
Transcript of Functional Safety for Machinery
FUNCTIONAL SAFETY for MACHINERY
By Robin J Carver
Safer by design
OR
a technical Banana Skin?
New Family of Standards
• Under the EN 61508 family
[Diagram: the machinery standards grouped under EN 61508]
• EN 61508 – Functional Safety of E/E/PE Safety-related Systems
• EN 62061 – Functional Safety of SRECS for Machinery
• ISO 13849 – Design of safety related parts of machinery control systems
• EN 60204-1 – Safety of electrical equipment of machinery
• EN ISO 12100 – Principles for design
• EN 1050 (ISO 14121) – Principles for risk assessment
• Other Industry sectors
New Standards for Industry Sectors
[Diagram: sector standards derived from EN IEC 61508 Functional Safety]
• IEC 61511 – Process Industry
• IEC 61513 – Nuclear Industry
• prEN 51056 – Furnaces
• EN 50126/7/8 – Railways
• IEC 62061 – Machinery
Machinery Standards – in with the new
• EN ISO 12100 – To provide designers with an overall framework and guidance to enable them to produce machines that are safe. – replaced EN 292
• prEN ISO 14121 – General principles for Risk Assessment – to replace EN 1050
• EN 60204 – Application of electrical & electronic systems to machines – to be updated in 2006
• EN IEC 62061 – Requirements for the design, integration & validation of Safety Related Electrical, Electronic & Programmable Electronic Control Systems for Machines.
• prEN ISO 13849 – Specifies characteristics & categories required for Safety Related Parts of Control Systems (SRP/CS) – all technologies
Machinery Standards – out with the old
• EN 292 – Basic concepts, general principles for design – replaced by EN ISO 12100
• EN 1050 – General principles for Risk Assessment – to be replaced by prEN ISO 14121
• EN 60204 – Application of electrical & electronic systems to machines – to be updated in 2006
• EN 954-1 – Safety Related Parts of Control Systems – may be replaced by prEN ISO 13849
Functional Safety Objectives
• Alignment with the strategy for risk reduction
• Quantitative rather than Qualitative determination of the performance requirements.
• Integration of SRP/CS with the process control system
• Better Validation of the SRP/CS
• Better management of Functional Safety
An ISO 9001:2000 for the design of safety systems ???
Safety systems for Machines
• Machines can be dangerous!
• Most machines are controlled by logic
• sequential etc.
• Most machines have one safe stop condition.
• Category 0 or 1 (EN 60204-1)
Better machine systems?
• Acceptance of electronic equipment in safety systems.
• Use of PLC’s, Industrial Computers, etc.
• More complex safety requirements.
CURRENT “PERIPHERAL” SAFETY ARCHITECTURE
[Diagram: SAFETY SYSTEM (SAFETY RELAY) and PROCESS PART OF THE CONTROL SYSTEM (STANDARD PLC), each connected to the MACHINE]
NEW “FUNCTIONAL SAFETY” ARCHITECTURE
[Diagram: PROCESS (FUNCTIONAL) CONTROL LOOP and SAFETY RELATED PART OF THE CONTROL SYSTEM (SRP/CS) combined in one PLC (TO ISO 65108)]
Better machine systems? Example with peripheral safety
• A machine with high inertia normally controlled by a speed controller with dynamic braking.
• Braking control lost when guard is opened
[Diagram labels: SET SPEED, START, STOP, SPEED CONTROLLER, MOTOR, LOAD, GUARD SWITCH, SAFETY CONTACTOR]
Better machine systems? Example with functional safety
• A machine with high inertia normally controlled by a speed controller with dynamic braking.
• Guard may not be opened until the motor has stopped
[Diagram labels: SET SPEED, START, STOP, SPEED CONTROLLER, MOTOR, LOAD, GUARD LOCK SOLENOID, MOTOR NOT TURNING]
The Problem!
I am a control systems engineer with 40 years in the industry working with safety related systems
I am a Chartered Safety Practitioner
I have spent many hours, days, even weeks trying to understand the requirements.
I have tried to apply the Standards.
The Banana Skin! Which Standard to apply?
Two Standards:-
EN 62061 Safety of Machinery – Functional safety of E/E/PE Control Systems
Scope – … specifies requirements and makes recommendations for the design, integration & validation of SRECS’s for machines….
prEN ISO 13849 Safety of Machinery – Safety related parts of Control Systems
Scope – … provides safety requirements & guidance on the principles for the design & integration of SRP/CS’s including the design of application software….
The Banana Skin!
Two Standards:-
EN 62061 Safety of Machinery – Functional safety of E/E/PE Control Systems
Safety requirements based on:- SIL – Safety Integrity Levels, SIL1 (lowest) to SIL3 (highest possible for machinery)
prEN ISO 13849 Safety of Machinery – Safety related parts of Control Systems
Safety requirements based on:- PL – Performance Levels, PL = a (lowest) to PL = e (highest)
The Banana Skin!
prEN ISO 13849 Safety of Machinery – Safety related parts of Control Systems
Lots of new words:-
• PL – Performance Level
• MTTFd – Mean Time to Dangerous Failure
• DC – Diagnostic Coverage
• CCF – Common Cause Failure
• Category – Defining system architecture (as used in EN 954-1)
• SFF – Safe failure fraction
The Banana Skin! Performance Level (PL)
[Risk graph for the required PL: from Start, branch on Severity of Injury (S1 Slight / S2 Serious), then Frequency of exposure (F1 Seldom / F2 Frequent), then Possibility of avoiding (P1 Possible / P2 Scarcely possible); each path ends at a required PL from a (lowest) to e (highest)]
The Banana Skin!
But what about:-
Operating Cycle? To make any sense of MTTFd – Mean Time to Dangerous Failure – for a safety related part of a control system it must be related to the demand placed upon it!
Mean Time to Dangerous Failure (MTTFd) – Reliability
Some safety relay manufacturers are claiming MTTFd of:- 650 years (on 7000 uses/year) and 950 years (on 4000 uses/year)
The Banana Skin! Diagnostic Coverage (DC)
DC is given in 4 levels:-
• None – DC < 60%
• Low – DC = 60% to <90%
• Medium – DC = 90% to <99%
• High – DC > 99%
But how do you determine DC%?
• What is the DC% of a relay with forced driven contacts?
• What is the DC% of a relay with forced driven contacts with a monitoring contact?
• What is the DC% of an Emergency Stop Button with redundant contacts?
• What is the DC of its associated wiring?
• etc. etc.
The Banana Skin! Put it all together – Determination of required performance and how to achieve it!
[Chart: PL a to e (low risk to high risk) achieved as a function of Category (B, 1, 2, 3, 4), the MTTFd of each channel (Low / Med / High within each category) and DCavg (None for Cat B and Cat 1; Low or Med for Cat 2 and Cat 3; High for Cat 4); CCF = Not relevant for Cat B and Cat 1, 65% or better for the others]
The Banana Skin! Verification of the system design!
A few examples of the formulas to be applied to each channel of a SRP/CS
MTTFd of a channel from its parts (per year):
$\frac{1}{MTTF_d} = \sum_j \frac{n_j}{MTTF_{d,j}} \;[/\mathrm{y}]$
MTTFd of a two-channel system:
$MTTF_d = \frac{2}{3}\left[ MTTF_{d,C1} + MTTF_{d,C2} - \frac{1}{\frac{1}{MTTF_{d,C1}} + \frac{1}{MTTF_{d,C2}}} \right]$
Average diagnostic coverage of a system:
$DC_{avg} = \frac{\frac{DC_1}{MTTF_{d1}} + \frac{DC_2}{MTTF_{d2}} + \dots + \frac{DC_n}{MTTF_{dn}}}{\frac{1}{MTTF_{d1}} + \frac{1}{MTTF_{d2}} + \dots + \frac{1}{MTTF_{dn}}}$
The MTTFd for each channel must be calculated
The MTTFd for each system must be calculated
The average diagnostic coverage for each system must be calculated
The Banana Skin! but is there a flaw?
Using the formula to determine the average Diagnostic Coverage for a system
If we add more diagnostics the average is degraded!
A Category 4 system with more diagnostics can be downgraded to a Category 3 system
$DC_{avg} = \frac{\frac{DC_1}{MTTF_{d1}} + \frac{DC_2}{MTTF_{d2}} + \dots + \frac{DC_n}{MTTF_{dn}}}{\frac{1}{MTTF_{d1}} + \frac{1}{MTTF_{d2}} + \dots + \frac{1}{MTTF_{dn}}}$
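Added worked example (not from the presentation): the three channel formulas quoted above applied to constructed component values, plus a numerical reproduction of the speaker's point that a monitoring part with its own failure rate and a lower DC pulls DCavg down a band. Component names, MTTFd values and DC values are constructed; the DC bands are the ones quoted on the slide.

```python
from typing import Sequence, Tuple

# Constructed parts for one channel of an SRP/CS: (name, MTTFd in years, quantity n_j)
CHANNEL_PARTS = [("guard switch", 50.0, 1), ("safety contactor", 100.0, 2)]


def mttfd_channel(parts: Sequence[Tuple[str, float, int]]) -> float:
    """Parts-count formula from the slide: 1/MTTFd = sum_j n_j / MTTFd,j (years)."""
    return 1.0 / sum(n / mttfd for _, mttfd, n in parts)


def mttfd_two_channel(ch1: float, ch2: float) -> float:
    """Two-channel formula: MTTFd = 2/3 [C1 + C2 - 1/(1/C1 + 1/C2)], C = MTTFd of a channel."""
    return (2.0 / 3.0) * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))


def dc_avg(parts: Sequence[Tuple[str, float, float]]) -> float:
    """DCavg = sum(DC_j/MTTFd,j) / sum(1/MTTFd,j): a failure-rate weighted mean, so a part
    that fails often and has a low DC drags the whole system's average down."""
    return sum(dc / m for _, m, dc in parts) / sum(1.0 / m for _, m, _ in parts)


def dc_level(dc: float) -> str:
    """DC bands as quoted on the slide: None <60%, Low 60-<90%, Medium 90-<99%, High above."""
    dc = round(dc, 6)  # strip floating-point noise before comparing against band edges
    if dc < 0.60:
        return "None"
    if dc < 0.90:
        return "Low"
    if dc < 0.99:
        return "Medium"
    return "High"


def diagnostics_flaw_demo() -> Tuple[str, str]:
    """Reproduce the speaker's observation: adding a monitoring relay (constructed: MTTFd 20 y,
    DC 90%) to two well-diagnosed parts moves DCavg from High (needed for Cat 4) to Medium."""
    base = [("guard switch", 50.0, 0.99), ("safety contactor", 100.0, 0.99)]
    extra_monitoring = [("monitoring relay", 20.0, 0.90)]
    return dc_level(dc_avg(base)), dc_level(dc_avg(base + extra_monitoring))


if __name__ == "__main__":
    c1 = mttfd_channel(CHANNEL_PARTS)
    print(f"MTTFd per channel: {c1:.1f} y; two identical channels: {mttfd_two_channel(c1, c1):.1f} y")
    print("DCavg band before / after extra monitoring:", diagnostics_flaw_demo())
```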
And the reaction of most Machine System builders:-
And the result:-
UNSAFE MACHINERY!
The principle of Functional Safety is to be welcomed
To achieve this the Standards must:- Be clear, Non-conflicting
but above all:- Workable
The objective is:- SAFE MACHINERY!
Thank you for your attention
Robin J Carver MIEE MInstMC CMIOSH MIIRSM