FUNCTIONAL SAFETY for MACHINERY

Safer by design OR a technical Banana Skin?

By Robin J Carver

New Family of Standards

Chart (figure): under the EN 61508 family

• EN 1050 (ISO 14121) – Principles for risk assessment
• EN ISO 12100 – Principles for design
• EN 61508 – Functional Safety of E/E/PE Safety-related Systems
• EN 62061 – Functional Safety of SRECS for Machinery
• Other industry sectors
• EN 60204-1 – Safety of electrical equipment of machinery
• ISO 13849 – Design of safety related parts of machinery control systems

New Standards for Industry Sectors

Chart (figure): EN IEC 61508 Functional Safety for Industry Sectors

• IEC 62061
• prEN 51056 – Furnaces
• IEC 61513 – Nuclear Industry
• EN 50126/7/8 – Railways
• IEC 61511 – Process Industry

Machinery Standards – in with the new

EN ISO 12100

– To provide designers with an overall framework and guidance to enable them to produce machines that are safe. – replaced EN 292

prEN ISO 14121

– General principles for Risk Assessment – to replace EN 1050

EN 60204

– Application of electrical & electronic systems to machines – to be updated in 2006

EN IEC 62061

– Requirements for the design, integration & validation of Safety Related Electrical, Electronic & Programmable Electronic Control Systems for Machines.

prEN ISO 13849

– Specifies characteristics & categories required for Safety Related Parts of Control Systems (SRP/CS) – all technologies

Machinery Standards – out with the old

EN 292

– Basic concepts, general principles for design – replaced by EN ISO 12100

EN 1050

– General principles for Risk Assessment – to be replaced by prEN ISO 14121

EN 60204

– Application of electrical & electronic systems to machines – to be updated in 2006

EN 954-1

– Safety Related Parts of Control Systems – may be replaced by prEN ISO 13849

Functional Safety Objectives

• Alignment with the strategy for risk reduction

• Quantitative rather than Qualitative determination of the performance requirements.

• Integration of SRP/CS with the process control system

• Better Validation of the SRP/CS

• Better management of Functional Safety

An ISO 9001:2000 for the design of safety systems ???

Safety systems for Machines

Machines can be dangerous!

• Most machines are controlled by logic

  – sequential etc.

• Most machines have one safe stop condition.

  – Category 0 or 1 (EN 60204-1)


Better machine systems?

• Acceptance of electronic equipment in safety systems.

• Use of PLC’s, Industrial Computers, etc.

• More complex safety requirements.

Diagram (figure) – CURRENT “PERIPHERAL SAFETY” ARCHITECTURE: a SAFETY RELAY (the SAFETY SYSTEM) sits beside the PLC (the PROCESS CONTROL SYSTEM); both are connected to the MACHINE.

Diagram (figure) – NEW “FUNCTIONAL SAFETY” ARCHITECTURE: a PLC (TO ISO 65108) forms the SAFETY RELATED PART OF THE CONTROL SYSTEM (SRP/CS) and a STANDARD PLC forms the PROCESS (FUNCTIONAL) PART OF THE CONTROL SYSTEM; both sit in the CONTROL LOOP with the MACHINE.

Better machine systems?

Example with peripheral safety

Diagram (figure): SET SPEED → SPEED CONTROLLER → SAFETY CONTACTOR C → MOTOR → LOAD, with START, STOP and GUARD SWITCH inputs.

• A machine with high inertia normally controlled by a speed controller with dynamic braking.

• Braking control lost when guard is opened

Better machine systems?

Example with functional safety

Diagram (figure): SET SPEED → SPEED CONTROLLER → MOTOR → LOAD, with START and STOP inputs, a MOTOR NOT TURNING signal and a GUARD LOCK SOLENOID.

• A machine with high inertia normally controlled by a speed controller with dynamic braking.

• Guard may not be opened until the motor has stopped

The Problem!

I am a control systems engineer with 40 years in the industry working with safety related systems.

I am a Chartered Safety Practitioner.

I have spent many hours, days, even weeks trying to understand the requirements.

I have tried to apply the Standards.

The Banana Skin!

Which Standard to apply?

Two Standards:-

EN 62061 Safety of Machinery – Functional safety of E/E/PE Control Systems

Scope – specifies requirements and makes recommendations for the design, integration & validation of SRECS’s for machines….

prEN ISO 13841 Safety of Machinery – Safety related parts of Control Systems

Scope – … provides safety requirements & guidance on the principles for the design & integration of SRP/CS’s including the design of application software….

The Banana Skin!

Two Standards:-

EN 62061 Safety of Machinery – Functional safety of E/E/PE Control Systems

Safety requirements based on:- SIL – Safety Integrity Levels, SIL1 (lowest) to SIL3 (highest possible for machinery)

prEN ISO 13841 Safety of Machinery – Safety related parts of Control Systems

Safety requirements based on:- PL – Performance Levels, PL = a (lowest) to PL = e (highest)

The Banana Skin!


prEN ISO 13849 Safety of Machinery – Safety related parts of Control Systems

Lots of new words:-

PL – Performance Level

MTTFd – Mean Time to Dangerous Failure

DC – Diagnostic Coverage

CCF – Common Cause Failure

Category – Defining system architecture (as used in EN 954-1)

SFF – Safe failure fraction

The Banana Skin!

Risk graph (figure): starting from Start, the branches S1/S2, then F1/F2, then P1/P2 lead to the required Performance Level (PL) a (lowest) to e (highest).

S1 – Severity of Injury - Slight

S2 – Severity of Injury - Serious

F1 – Frequency of exposure - Seldom

F2 – Frequency of exposure - Frequent

P1 – Possibility of avoiding - Possible

P2 – Possibility of avoiding – Scarcely possible

The Banana Skin!

Mean Time to Dangerous Failure (MTTFd)

Reliability

But what about:- Operating Cycle?

To make any sense of MTTFd – Mean Time to Dangerous Failure – for a safety related part of a control system it must be related to the demand placed upon it!

Some safety relay manufacturers are claiming MTTFd of:- 650 years (on 7000 uses/year) and 950 years (on 4000 uses/year)

The Banana Skin!

Diagnostic Coverage (DC)

DC is given in 4 levels:-

None – DC < 60%

Low – DC = 60% to <90%

Medium – DC = 90% to <99%

High – DC >99%

But how do you determine DC%?

What is the DC% of a relay with forced driven contacts?

What is the DC% of a relay with forced driven contacts with a monitoring contact?

What is the DC% of an Emergency Stop Button with redundant contacts?

What is the DC of its associated wiring?

etc. etc.

The Banana Skin!

Put it all together -

Determination of required performance and how to achieve it!

Chart (figure): the required PL, from a (LOW RISK) to e (HIGH RISK), plotted against Category B, 1, 2, 3 and 4, with a band for each MTTFd level (Low, Med, High) within each category; DCavg = None (Cat B), None (Cat 1), Low or Med (Cat 2), Low or Med (Cat 3), High (Cat 4); CCF = Not relevant (Cat B, 1) or 65% or better (Cat 2, 3, 4).

The Banana Skin!

Verification of the system design! A few examples of the formulas to be applied to each channel of a SRP/CS

The MTTFd for each channel must be calculated (in years):

$$\frac{1}{MTTF_d} = \sum_{j} \frac{n_j}{MTTF_{d,j}}$$

The MTTFd for each system must be calculated:

$$MTTF_d = \frac{2}{3}\left[ MTTF_{d,ch1} + MTTF_{d,ch2} - \frac{1}{\dfrac{1}{MTTF_{d,ch1}} + \dfrac{1}{MTTF_{d,ch2}}} \right]$$

The average diagnostic coverage for each system must be calculated:

$$DC_{avg} = \frac{\dfrac{DC_1}{MTTF_{d1}} + \dfrac{DC_2}{MTTF_{d2}} + \cdots + \dfrac{DC_n}{MTTF_{dn}}}{\dfrac{1}{MTTF_{d1}} + \dfrac{1}{MTTF_{d2}} + \cdots + \dfrac{1}{MTTF_{dn}}}$$

The Banana Skin!

but is there a flaw?

Using the formula to determine the average Diagnostic Coverage for a system

$$DC_{avg} = \frac{\dfrac{DC_1}{MTTF_{d1}} + \dfrac{DC_2}{MTTF_{d2}} + \cdots + \dfrac{DC_n}{MTTF_{dn}}}{\dfrac{1}{MTTF_{d1}} + \dfrac{1}{MTTF_{d2}} + \cdots + \dfrac{1}{MTTF_{dn}}}$$

where $DC_1, DC_2, \ldots, DC_n$ are the diagnostic coverages of the individual components.
If we add more diagnostics the average is degraded!

A Category 4 system with more diagnostics can be downgraded to a Category 3 system
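The three formulas above, and the effect the slides describe when a further diagnosed component is added to a channel, worked through in Python as an added example (not code from the presentation). The component values are constructed; the functions implement the parts-count channel MTTFd, the two-channel symmetrisation and the failure-rate-weighted DCavg exactly as the formulas state.

```python
def channel_mttfd(parts: list[tuple[int, float]]) -> float:
    """Parts-count MTTFd (years) of one channel:
    1/MTTFd = sum(n_j / MTTFd_j) over part types j, with n_j parts of each."""
    return 1.0 / sum(n / mttfd for n, mttfd in parts)


def system_mttfd(ch1: float, ch2: float) -> float:
    """Symmetrised MTTFd (years) of a two-channel system:
    MTTFd = 2/3 * (ch1 + ch2 - 1 / (1/ch1 + 1/ch2))."""
    return (2.0 / 3.0) * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))


def dc_avg(components: list[tuple[float, float]]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i): each component's DC
    weighted by its dangerous failure rate 1/MTTFd_i."""
    num = sum(dc / mttfd for dc, mttfd in components)
    den = sum(1.0 / mttfd for _, mttfd in components)
    return num / den


def dc_level(dc: float) -> str:
    """Band a DC value into the slide's four levels (99% counts as High)."""
    dc = round(dc, 6)  # absorb floating-point noise at the band edges
    if dc < 0.60:
        return "None"
    if dc < 0.90:
        return "Low"
    return "Medium" if dc < 0.99 else "High"


# Constructed values (not from the slides): two monitored components with
# DC 99%, then a third component with only 60% DC added to the same channel.
BASE = [(0.99, 50.0), (0.99, 30.0)]  # (DC, MTTFd in years)
EXTRA = (0.60, 20.0)


def demo() -> dict[str, float]:
    """Channel MTTFd and DCavg before and after adding EXTRA."""
    return {
        "mttfd_before": channel_mttfd([(1, m) for _, m in BASE]),
        "mttfd_after": channel_mttfd([(1, m) for _, m in BASE + [EXTRA]]),
        "dc_avg_before": dc_avg(BASE),
        "dc_avg_after": dc_avg(BASE + [EXTRA]),
    }


if __name__ == "__main__":
    r = demo()
    print(r, dc_level(r["dc_avg_before"]), "->", dc_level(r["dc_avg_after"]))
```

With these constructed values the channel drops from DCavg High to Low and its MTTFd falls from 18.75 to about 9.7 years; the weighting means a component whose DC is below the current average always pulls DCavg down.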

And the reaction of most Machine System builders:-


And the result:-

UNSAFE MACHINERY!

The principle of Functional Safety is to be welcomed

The objective is:-

SAFE MACHINERY!

To achieve this the Standards must:-

Be clear

Non-conflicting

but above all:-

Workable


Thank you for your attention

Robin J Carver

MIEE MinstMC CMIOSH MIIRSM