Machine safety by design: Overview of ISO 13849-1
Copyright © 2007 Rockwell Automation, Inc. All rights reserved.
Agenda
1. Evolution of EN ISO 13849-1
2. EN ISO 13849-1 Performance Levels
3. Performance Level Estimation
Evolution of EN ISO 13849-1:2006
• EN 954-1 [General Principles]
– also published as ISO 13849-1:1999
– based on a risk assessment
– will remain valid for use until 2011 (a further two years were granted)
• Part 2 of EN 954-1 [Validation]
– is published as EN ISO 13849-2:2003
• EN 954-1 has been revised to include aspects of functional safety. It has changed number to EN ISO 13849-1 (2006).
EN ISO 13849-1 Performance levels
EN ISO 13849-1:2006 Performance levels
Estimation of the required Performance Level (PLr)
S = Severity of injury (S1 slight, normally reversible; S2 serious, normally irreversible or death)
F = Frequency or duration of exposure to the hazard (F1 seldom or short; F2 frequent or long)
P = Avoidance probability (P1 possible under specific conditions; P2 scarcely possible)
Risk graph: start at the hazard, then branch on S, F and P to read off the PLr.
S1, F1, P1: PLr = a
S1, F1, P2: PLr = b
S1, F2, P1: PLr = b
S1, F2, P2: PLr = c
S2, F1, P1: PLr = c
S2, F1, P2: PLr = d
S2, F2, P1: PLr = d
S2, F2, P2: PLr = e
The figure also shows the Categories B, 1, 2, 3 and 4 of the control system alongside the PLr scale.
EN ISO 13849-1:2006 Performance levels
Performance Level (PL) is related to the Probability of a Dangerous failure per Hour (PFHd).
The standard gives a simplified procedure for estimating the Performance Level.
Performance Level Estimation
Performance level estimation
PLd is required. What does that mean?
Choose the most suitable combination of
Structure (Category), Reliability (MTTFd) and Diagnostics (DC)
Structure
• Typical safety function diagram:
INPUT (sensing element) → LOGIC SOLVING (control element) → OUTPUT (final element or actuator)
• The machine designer shall select an architecture that will meet the needs of the safety function.
– Cat B, 1, 2, 3 or 4
Structure
The structure and behaviour of the safety function under fault conditions
Designated Architecture Category B
Typical implementation: Sensor → Machine Control → Contactor → Motor
Requirements
• Basic safety principles
• Withstand expected influences
• Designed to product standards, e.g. IEC 60947-5-2 (not specific safety standards)
• Designed for environment and electrical safety aspects, e.g. IEC 60204-1
Behaviour under fault conditions: a fault can cause a loss of the safety function.
Structure
The structure and behaviour of the safety function under fault conditions
Designated Architecture Category 1
Typical implementation: Guard interlock switch → Machine Control → Contactor → Motor
Requirements
• Category B
• Well-tried components
• Well-tried safety principles
Behaviour under fault conditions: a fault can cause a loss of the safety function.
Structure
The structure and behaviour of the safety function under fault conditions
Designated Architecture Category 2
Typical implementation: Guard interlock switch → Safety monitoring relay with start-up check → Machine Control → Contactor → Motor
Requirements
• Category B
• Well-tried safety principles
• Functional check at start-up and periodically (on/off check)
Behaviour under fault conditions: a fault occurring between the checks can cause a loss of the safety function.
Structure
The structure and behaviour of the safety function under fault conditions
Designated Architecture Category 3
Typical implementation: Guard interlock switches → Safety monitoring relay (with contactor monitoring) → Machine Control → Contactors with mechanically linked contacts → Motor
Requirements
• Category B
• Well-tried safety principles
• A single fault does not cause a loss of the safety function
• Where practicable, that fault should be detected
Behaviour under fault conditions: an accumulation of undetected faults can cause a loss of the safety function.
Structure
The structure and behaviour of the safety function under fault conditions
Designated Architecture Category 4
Typical implementation: Guard interlock switches → Safety monitoring relays (with contactor monitoring) → Machine Control → Contactors with mechanically linked contacts → Motor
Requirements
• Category B
• Well-tried safety principles
• An accumulation of faults does not cause a loss of the safety function
Behaviour under fault conditions: faults will be detected in time to prevent a loss of the safety function.
Structure: Fault exclusion
The structure and behaviour of the safety function under fault conditions
Designated Architecture Categories B, 1, 2, 3 & 4
Fault exclusion
• Clause 7.3 deals with fault exclusion. It states:
"It is not always possible to evaluate safety-related parts of control systems without assuming that certain faults can be excluded… Fault exclusion is a compromise between the technical safety requirements and the theoretical possibility of occurrence of a fault."
Fault exclusion can be based on:
• the technical improbability of the occurrence of some faults,
• generally accepted technical experience, independent of the considered application, and
• technical requirements related to the application and the specific hazard.
An example list of excludable faults is given in the annexes of EN ISO 13849-2.
• Example
– A short circuit between conductors belonging to different sheathed wires or cable conduits can be excluded.
Performance level estimation
PLd is required. What does that mean?
Choose the most suitable combination of
Structure (Category), Reliability (MTTFd) and Diagnostics (DC)
Reliability
Reliability (MTTFd: Mean Time To dangerous Failure of each channel)
Denotation of MTTFd of each channel | Range of MTTFd of each channel
Low | 3 years ≤ MTTFd < 10 years
Medium | 10 years ≤ MTTFd < 30 years
High | 30 years ≤ MTTFd ≤ 100 years (a channel value above 100 years is limited to 100 years)
Reliability
Reliability (MTTFd: Mean Time To dangerous Failure of each channel)
Data source preference:
1. provided by manufacturers
2. from generic handbook sources
3. use 10 years
Simplified into 3 ranges:
Low = 3 years to <10 years
Medium = 10 years to <30 years
High = 30 years to <100 years
Worked example: a two-channel safety function (Channel 1, Channel 2) built from four elements; both guard doors access the same hazard zone.
Element 1: B10d = 2,000,000; MTTFd = 1388 y; T10d ("mission time") = 138 y
Element 2: B10d = 2,000,000; MTTFd = 1388 y; T10d = 138 y
Element 3: B10d = 20,000,000; MTTFd = 13,888 y; T10d = 1,388 y
Element 4: B10d = 400,000; MTTFd = 277 y; T10d = 27 y
(Fault exclusion? Where justified, a fault exclusion can be applied to an element instead of counting its MTTFd; otherwise the element's B10d data is used.)
1/MTTFd_total = 1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4
1/MTTFd_total = 1/1388 + 1/1388 + 1/13888 + 1/277
MTTFd_total = 195 years = High
Reliability
What data is available? Generic data from EN ISO 13849-1:2006
• B10d: number of cycles until 10% of the components fail dangerously
• MTTFd: mean time to dangerous failure
Reliability
• B10d = number of cycles until 10% of the components fail dangerously
• dop = number of days per year the machine is operational
• hop = number of hours per day the machine is operational
• tcycle = mean time in seconds between the beginning of two consecutive cycles of the component
• To be determined:
– Number of switching cycles per year: nop = dop × hop × 3600 / tcycle
– Operation time of the component until it fails dangerously: T10d = B10d / nop
– Mean time to dangerous failure: MTTFd = T10d / 0.1
Performance level estimation
PLd is required. What does that mean?
Choose the most suitable combination of
Structure (Category), Reliability (MTTFd) and Diagnostics (DC)
Diagnostic
(average) Diagnostic coverage (DC)
Denotation of DC | Range of DC
None | DC < 60%
Low | 60% ≤ DC < 90%
Medium | 90% ≤ DC < 99%
High | 99% ≤ DC
This is a measure of the effectiveness of the diagnostics:
DC = Detected dangerous failures / All dangerous failures
Diagnostic Coverage
(average) Diagnostic coverage (DC)
Data sources:
1. Annex E of the standard
2. provided by manufacturers
3. FMEA
Simplified into 4 ranges:
1. None = <60%
2. Low = 60% to <90%
3. Medium = 90% to <99%
4. High = 99%
Worked example (same two-channel function as in the Reliability example; both guard doors access the same hazard zone):
Element 1: DC 99%, reduced to 60% (due to shadowing)
Element 2: DC 99%, reduced to 60% (due to shadowing)
Element 3: DC 99%
Element 4: DC 99% (or fault exclusion?)
DCavg = (DC1/MTTFd1 + DC2/MTTFd2 + DC3/MTTFd3 + DC4/MTTFd4) / (1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4)
DCavg = (0.6/1388 + 0.6/1388 + 0.99/13888 + 0.99/277) / (1/1388 + 1/1388 + 1/13888 + 1/277)
DCavg = 88% = Low
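The deck's worked example carried through end to end, as an added example. This is editor's code, not code from the Rockwell presentation or text from the standard. It assumes a constructed operating profile (dop = 240 days, hop = 8 h, tcycle = 480 s, which gives nop = 14,400 cycles per year and reproduces the deck's MTTFd figures), encodes Table 7 of EN ISO 13849-1:2006 (Category + DCavg + MTTFd band to PL), and also includes the Annex D symmetrisation formula for two channels with different MTTFd values, which the deck does not show.

```python
# Added worked example (editor's code, not from the Rockwell deck): the simplified
# PL estimation of EN ISO 13849-1:2006 carried through with the deck's numbers.
# ASSUMPTION: the operating profile (dop, hop, tcycle) is constructed so that
# nop = 14,400 cycles/year, which reproduces the deck's MTTFd figures.

# Table 7 of the standard: (Category, DCavg band) -> PL for each MTTFd band.
# None marks combinations the standard does not cover.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def n_op(dop, hop, t_cycle_s):
    """Switching cycles per year: nop = dop * hop * 3600 / tcycle."""
    return dop * hop * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d, nop):
    """T10d = B10d / nop (years until 10 % fail dangerously); MTTFd = T10d / 0.1."""
    t10d = b10d / nop
    return t10d, t10d / 0.1


def combine_mttfd(mttfds):
    """Parts-count method within one channel: 1/MTTFd_total = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in mttfds)


def symmetrise_channels(mttfd_c1, mttfd_c2):
    """Annex D formula for two redundant channels with different MTTFd values."""
    return (2.0 / 3.0) * (mttfd_c1 + mttfd_c2 - 1.0 / (1.0 / mttfd_c1 + 1.0 / mttfd_c2))


def mttfd_range(mttfd):
    """Table 5 bands; below 3 years is not acceptable, above 100 years is capped at 100."""
    mttfd = min(mttfd, 100.0)
    if mttfd < 3:
        raise ValueError("MTTFd below 3 years per channel is not acceptable")
    return "low" if mttfd < 10 else "medium" if mttfd < 30 else "high"


def dc_avg(dcs, mttfds):
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i), as on the deck's DC slide."""
    return sum(dc / m for dc, m in zip(dcs, mttfds)) / sum(1.0 / m for m in mttfds)


def dc_range(dc):
    """Table 6 bands for average diagnostic coverage (dc as a fraction, e.g. 0.88)."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def performance_level(category, mttfd_band, dc_band):
    """Table 7 lookup; raises when the standard does not cover the combination."""
    row = TABLE_7.get((category, dc_band))
    pl = row.get(mttfd_band) if row else None
    if pl is None:
        raise ValueError(f"Cat {category}, DCavg {dc_band}, MTTFd {mttfd_band} is not covered")
    return pl


def deck_example():
    """Reproduce the deck's worked example: Cat 3, four elements, two shadowed switches."""
    nop = n_op(dop=240, hop=8, t_cycle_s=480)            # constructed profile -> 14,400/yr
    b10d = [2_000_000, 2_000_000, 20_000_000, 400_000]   # elements 1..4 from the deck
    dcs = [0.60, 0.60, 0.99, 0.99]                       # 99 % reduced to 60 % by shadowing
    mttfds = [mttfd_from_b10d(b, nop)[1] for b in b10d]
    total = combine_mttfd(mttfds)
    dcavg = dc_avg(dcs, mttfds)
    return {
        "nop": nop,
        "mttfd_elements": mttfds,
        "mttfd_total": total,
        "mttfd_band": mttfd_range(total),
        "dc_avg": dcavg,
        "dc_band": dc_range(dcavg),
        "pl": performance_level("3", mttfd_range(total), dc_range(dcavg)),
    }


if __name__ == "__main__":
    for key, value in deck_example().items():
        print(key, value)
```

With the deck's numbers the chain gives MTTFd_total of about 195 years (High), DCavg of about 0.88 (Low) and, for Category 3, PL d. Swapping the DC of the two shadowed elements back to 0.99 would move DCavg into the Medium band, which shows why fault masking on shared inputs matters for the result.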
Diagnostic
Simplified DC estimation: Annex E of EN ISO 13849-1:2006
[Figure: extract of the Annex E measures, marked for elements 1 and 2, element 3 and element 4 of the worked example]
Performance level estimation
• Structure: Cat. 3
• Reliability (MTTFd): High
• Diagnostics (DC): Low
• From the simplified table of the standard (Cat. 3 with DCavg Low and MTTFd High): PL d is achieved, which meets the required PLd.
Common Cause Failures (CCF)
• These are failures of different items, resulting from a single event.
• The failures are not consequences of each other (see Annex F).
No. | Measure against CCF | Score
1 | Separation/segregation | 15
2 | Diversity | 20
3 | Design/application/experience | 20
4 | Assessment/analysis | 5
5 | Competence/training | 5
6 | Environmental | 35
Must achieve a score of at least 65 for Cat 2, 3 or 4!
PL estimation, the easy way
Combining subsystems with known PLs
PLlow (lowest subsystem PL) | Nlow (number of subsystems at PLlow) | Achieved system PL
a | >3 | Not allowed
a | ≤3 | a
b | >2 | a
b | ≤2 | b
c | >2 | b
c | ≤2 | c
d | >3 | c
d | ≤3 | d
e | >3 | d
e | ≤3 | e
Based on the number of subsystems at the lowest PL.
Example: subsystems with PLe, PLd and PLd in series. The lowest PL is d and there are two such subsystems (≤3), so PLd is achieved.
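The risk graph from the "Performance levels" slides and the subsystem combination table above, as one added example (editor's code, not the deck's or Rockwell's). The subsystem PL lists it checks are constructed for illustration; the check_design helper is the editor's own name, not one from the standard.

```python
# Added example (editor's code, not from the Rockwell deck): the risk-graph PLr
# lookup of Annex A and the subsystem-combination table (Table 11) of
# EN ISO 13849-1:2006, used together to check a series of subsystems with
# known PLs against the PLr. Subsystem data below is constructed for illustration.

PL_ORDER = "abcde"  # a is the lowest performance level, e the highest

# Risk graph: (S, F, P) -> PLr, each parameter being 1 or 2.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Table 11: lowest PL -> (Nlow limit, PL when Nlow exceeds the limit, PL otherwise).
# None means the combination is not allowed.
TABLE_11 = {
    "a": (3, None, "a"),
    "b": (2, "a", "b"),
    "c": (2, "b", "c"),
    "d": (3, "c", "d"),
    "e": (3, "d", "e"),
}


def required_pl(severity, frequency, avoidance):
    """PLr from S (1 slight / 2 serious), F (1 seldom / 2 frequent), P (1 / 2)."""
    try:
        return RISK_GRAPH[(severity, frequency, avoidance)]
    except KeyError:
        raise ValueError("S, F and P must each be 1 or 2") from None


def combined_pl(subsystem_pls):
    """Achieved PL of subsystems in series; None when Table 11 says 'not allowed'."""
    if not subsystem_pls:
        raise ValueError("at least one subsystem is needed")
    pls = [pl.lower() for pl in subsystem_pls]
    unknown = [pl for pl in pls if pl not in PL_ORDER]
    if unknown:
        raise ValueError(f"unknown PL(s): {unknown}")
    low = min(pls, key=PL_ORDER.index)          # the weakest subsystem
    n_low = pls.count(low)                       # how many sit at that level
    limit, pl_above_limit, pl_within_limit = TABLE_11[low]
    return pl_above_limit if n_low > limit else pl_within_limit


def meets_requirement(subsystem_pls, plr):
    """True when the achieved PL is at least the required PLr."""
    achieved = combined_pl(subsystem_pls)
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)


def check_design(severity, frequency, avoidance, subsystem_pls):
    """Editor's helper: (PLr, achieved PL, ok) for one safety function."""
    plr = required_pl(severity, frequency, avoidance)
    return plr, combined_pl(subsystem_pls), meets_requirement(subsystem_pls, plr)


if __name__ == "__main__":
    # Constructed case: S2, F1, P2 -> PLr d; chain PLe, PLd, PLd -> PLd achieved.
    print(check_design(2, 1, 2, ["e", "d", "d"]))
    # Five PLc subsystems in series: Nlow = 5 > 2, so the chain drops to PLb.
    print(check_design(2, 1, 2, ["c"] * 5))
```

The second case is the one designers tend to miss: adding more subsystems of the same PL lowers the achieved PL once Nlow exceeds the table's limit, and four PLa subsystems in series are not allowed at all.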