Rockwell Automation TechED 2018 - SS13 - Introduction To Machine Risk Assessment and Functional Specification Development

Introduction to Machine Risk Assessment and
Functional Specification Development
Jon Riemer
Solution Architect – Safety & Security
Functional Safety Engineer (TÜV Rheinland)
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 2018 Rockwell Automation TechED™ Event #ROKTechED
Agenda
 Understand the big picture of machine safety
 ‘Connect the dots’ between Risk Assessment and safety control system design
 Work through the eight-step design process of ISO 13849-1
PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. 2018 Rockwell Automation TechED™ Event #ROKTechED 3
Functional Safety Design Process - the Safety Lifecycle
5. Operate, Maintain 1. Assessment

& Improve
4. Installation
& Validation
2. Functional
Requirements
3. Selection, Design & Verification
Risk Definition
Probability of Occurrence
R
Is a - Exposure of Person to Hazard
I function
Severity of And
S of Harm - Occurrence of Hazardous Event
K - Possibility to Avoid or Limit Harm
Only changes
with design ANSI/ISO 12100: 2012; Figure 3
Possible Mitigation Techniques
 Hierarchy of Protective Measures Most
Design it out Effective
Fixed enclosing guard
Safety-Related Parts Monitoring Access /

of Control Systems
(SRP/CS)
Interlocked Gates
Awareness Means, Training and

Procedures (Administrative)
Least
Personal protective equipment
Effective
Risk Assessment
 Risk Assessment is the basis of risk reduction
 Process of risk analysis and risk evaluation
 A control system is a common risk reduction method
 When a control system is used, you must follow the iterative
design process of the safety-related parts of a control system
(SRP/CS)
 ISO 13849-1 is an iterative design process
ISO 13849-1:2015; Figure 1
Risk Assessment
 Risk assessment performed as if existing safeguards are NOT in place
 A comprehensive risk assessment includes all hazard types and tasks
 Task based risk assessment identifies hazards based upon real

machine interaction
Risk Assessment:
RIA TR R15.306 – Tasked Based Risk Assessment Methodology
PLr
PLc
PLc
PLd
PLd
PLd
PLe
Risk Assessment
 Use system architecture to identify hazard sources
 Five sources of mechanical hazards:
1) Conveyor Belt
2) Bottle Side Belt
3) Sleeve Indexer
4) Sleeve Cutter
5) Vacuum Pump
 Other hazards sources:
1) Pneumatics
2) Hydraulics
3) Gravitational
Vacuum Pump
Risk Assessment
 Sources of Mechanical
Hazard
 Conveyor Belt
 Bottle Side Belt
 Sleeve Indexer
 Sleeve Cutter
 Vacuum Pump
 Operator doing Normal
Operating Tasks on the
Machine
 Possible injuries the
Operator may sustain
and Risk Level for each
 Risk Reduction Methods
are identified A Control System for Risk Reduction = Safety Function
ISO 13849-1 – Big Picture
Goal: Minimize Safety Control System Failures
Hardware Integrity Systematic Integrity

• Architecture • Design Quality Measures
• Component Reliability • Project Management
• Fault Detection and Reaction • Specification and Documentation
Random hardware failure can be Human error can be avoided during

mathematically modeled as a the hardware and software design,
Probability of Dangerous Failure per implementation, and operation of the
hour (PFHD). system.
ISO 13849-1:2015; Figure 3
Overview of ISO 13849-1 Design Flow
1
1 Use the Risk Assessment to Identify all Safety Functions
2
Specify each Safety Function – Safety Requirements Specification (SRS) 3
2
4
3 Determine the required Performance Level (PLr) for each Safety Function
4 Design and technical realization of each Safety Function 5
5 Evaluate the Performance Level (PL) of each Safety Function

6
6 Verification of the PL for each Safety Function (PL ≥ PLr)
7
7 Validation – The Safety Control System meets the requirements of the SRS
Review the Risk Assessment to ensure all Safety Functions are analyzed 8
8
1 Identify Primary Safety Functions
 Safety Function = Control system for risk reduction
 List each hazardous energy source and triggering event possibility
SF6
SF1-5
SF1 Guard Door 1 (op side) Protective stop and prevention of restart of the conveyor when opened
SF2 Guard Door 1 (op side) Protective stop and prevention of restart of the bottle feed belts when opened
SF3 Guard Door 1 (op side) Protective stop and prevention of restart of the sleeve feeder when opened
SF4 Guard Door 1 (op side) Protective stop and prevention of restart of the cutter when opened
SF5 Guard Door 1 (op side) Unlock with conditional time delayed unlock Guard Door 2 Drive Side
SF6 Guard Door 2 (dr side) Protective stop and prevention of restart of the sleeve feeder opened
1 Identify Complementary Safety Functions
 Emergency Stop safety functions are complementary
 List each hazardous energy source
SF12
SF7-11
SF7 Emergency Stop 1 (op side) of the conveyor when the emergency stop push button is pressed
SF8 Emergency Stop 1 (op side) of the bottle feed belts when the emergency stop push button is pressed
SF9 Emergency Stop 1 (op side) of the sleeve feeder when the emergency stop push button is pressed
SF10 Emergency Stop 1 (op side) of the cutter when the emergency stop push button is pressed E-stop Only Output
SF11 Emergency Stop 1 (op side) of vacuum pump when the emergency stop push button is pressed
E-stop 2 Drive Side
SF12 Emergency Stop 2 (dr side) of the sleeve feeder when the emergency stop push button is pressed
2 Safety Requirements Specification (SRS)
 SRS describes the characteristics of the safety-related
parts of a control system (SRP/CS)
 Needed for the design and technical realization of the
control system
2 Specify Safety Requirements (SRS)
 Detail each safety function
 Provides the pass/fail criteria for future
verification and validation activities
 Describe interaction with standard machine
control
 Document unique behavior or requirements
3 Determine the Required PL (PLr)
 Severity and probability data from the Risk Assessment is needed
 ISO 13849-1, Annex A
 Risk Reduction by Safety Related Parts of the Control System
 Shows a risk graph scoring technique to identify Performance Levels (a, b, c, d & e)
 As risk increases, safety performance of the control system must increase
RISK
S1 & S2 – Severity of Injury (Slight or Serious)
F1 & F2 – Frequency and/or Exposure (Seldom or Frequent)
ISO 13849-1:2015; Figure A.1
P1 & P2 – Possibility of Avoidance (Possible or Not Possible)
3 Determine the Required PL (PLr)
 Each safety function must have a PLr based upon Risk Assessment
 PLr may vary depending upon Safety Function risk scoring
SF Safety Function Description PLr
SF1 Guard Door 1 (op side) Protective stop and prevention of restart of the conveyor when opened b
SF2 Guard Door 1 (op side) Protective stop and prevention of restart of the bottle feed belts when opened b
SF3 Guard Door 1 (op side) Protective stop and prevention of restart of the sleeve feeder when opened d
SF4 Guard Door 1 (op side) Protective stop and prevention of restart of the cutter when opened d
SF5 Guard Door 1 (op side) Unlock with conditional time delayed unlock c
SF6 Guard Door 2 (dr side) Protective stop and prevention of restart of the sleeve feeder opened d
SF7 Emergency Stop 1 (op side) of the conveyor when the emergency stop push button is pressed b
SF8 Emergency Stop 1 (op side) of the bottle feed belts when the emergency stop push button is pressed b
SF9 Emergency Stop 1 (op side) of the sleeve feeder when the emergency stop push button is pressed d
ISO 13849-1:2015; Figure A.1
SF10 Emergency Stop 1 (op side) of the cutter when the emergency stop push button is pressed d
SF11 Emergency Stop 1 (op side) of vacuum pump when the emergency stop push button is pressed a
SF12 Emergency Stop 2 (dr side) of the sleeve feeder when the emergency stop push button is pressed c
4 Design and Technical Realization
 Typical Input, Logic and Output SRP/CS devices
Input Logic Output
E-stop buttons Safety Contactors

Interlock Relays Safe Torque Off Drive
Switches Safety Relays
Light Curtains PLCs
Solenoid Valves
Limit Switches
 Develop a block diagram for each safety function

 Identify devices and assign them to Input/Logic/Output subsystems
SF Safety Function Description PLr
SF3 Guard Door 1 (op side) Protective stop and prevention of restart of the sleeve feeder when opened d
SF5 Guard Door 1 (op side) Unlock with conditional time delayed unlock c
SF9 Emergency Stop 1 (op side) of the sleeve feeder when the emergency stop push button is pressed d
SF11 Emergency Stop 1 (op side) of vacuum pump when the emergency stop push button is pressed b
SF3 I L O SF5 I L O
Guard Door Safety Sleeve Hazards Safety Guard Door
Switch Relay Feeder Safe State Relay Unlock
Servo Feedback Solenoid
SF9 I L O SF11 I L O
E-stop push Safety Sleeve E-stop push Safety Vacuum
button Relay Feeder button Relay Pump
Servo Contactor
 Estimate number of annual operation (Nops) of each electromechanical component
 Highlight any components shared by safety functions
 Nops must include any normal operation
Nops = 17,520 Nops = 17,520 Nops = 17,520
SF3 I L O SF5 I L O
Guard Door Safety Sleeve Hazards Safety Guard Door
Switch Relay Feeder Safe State Relay Unlock
Servo Feedback Solenoid
Shared
Nops = 100 Nops = 17,620 Nops = 100 Nops = 465
SF9 I L O SF11 I L O
E-stop push Safety Sleeve E-stop push Safety Vacuum
button Relay Feeder button Relay Pump
Servo Contactor
With safety functions defined and block diagrams created:
 Review safety functions for design optimization
 Migrate electromechanical devices with solid state (remove Nops from equation)
 Interlocks dry contact  OSSD
 Contactors to Safe Torque Off drive
 Electromechanical Safe Torque Off to solid-state Safe Torque Off
 Choose safety logic level to optimize total cost of ownership:
 Safety: Relay, Configurable Relay, PLC
 Review power structure to determine cost-effective energy control
 Hardware standardization will simplify design, verification, and validation
 Exceeding PLr is common
 Standardized hardware choices may allow combining of safety functions
 Specify bill of material for each Safety Function control system safety devices
Interlock
Switch
Contactor
Locking
Interlock
Switch
Servo
Safety
Relay
Drive
Emergency
Stop 24
 Identify safety data for each safety function device
5 Evaluate the Performance Level (PL)
 The Performance Level (PL) is a way to express the ability of an SRP/CS to
perform a safety function under foreseeable conditions
Probability
 Two aspects to safety design process: Dangerous Failure
(PFHD)
1. Hardware Integrity (PFHD)
a = 1 / 10,000
Systematic Integrity (Design Techniques)
Performance Level
2.
b = 1 / 100,000
Both must be fulfilled to claim a PL for the safety function
c = 1 / 1,000,000
d = 1 / 10,000,000
e = 1 / 100,000,000
Goal: Determine the PL of the Safety Function
 Most systems have both electronic and
electromechanical devices
Electromechanical Electronic
 Using the manufacturer’s safety data makes the • Category • PFHD: Manufacturer
PFHD calculation easier • MTTFD (B10d/NOP)
• DC
 Sum up the device PFHD numbers to get the
• CCF
total safety function PFHD PFHD: ISO 13849-1, Table K.1
 The PL is determined from ISO 13849-1,
Table 2 PFHD for all subsystems (Input, Logic & Output)
Total Input Logic Output

PFHD PFHD PFHD PFHD
Safety Function (PL) from ISO 13849-1, Table 2
5 PL Variables: CATEGORY
Cat 1 Motor
Cat 3 Safety Safety
Motor
Contactor Contactor 1Contactor 2
Guard Guard
Interlock Interlock
Switch Switch
Safety Monitoring Relay

with startup check
Cat 2 Safety Cat 4 Safety Safety

Motor
Contactor Motor Guard Contactor 1 Contactor 2
Interlock
Guard Switch
Interlock With
Switch Monitor
OSSD
Test 100x demand

rate
Safety Monitoring Relay Safety Monitoring Relay

with startup check with startup check
 Interlock Switch and E-stop have B10d data and will
require the complete ISO 13849-1 calculation
 A summary of the calculations are shown in the table
Interlock Switch: PFHD = 4.29E-08 / PLe

E-stop Button: PFHD = 4.29E-08 / PLe
Contactor: PFHD = 1.14E-06 / PLc
 The total PFHD for each safety function is calculated by adding the PFHd values for each safety
device
Interlock Safety Feeder Safety Function 1:
SF3 Switch Relay Servo Cat. 3/PLd
Guard Door 1
(I) (L) (O)
PFHD = 4.78E-8
Cat. 3/PLe Cat. 4/PLe Cat. 3/PLd
Sleeve Feeder
PFHD = 4.29E-8 PFHD = 4.35E-9 PFHD = 5.90E-10
E-stop push Safety Feeder Safety Function 2:
SF9 button Relay Servo Cat. 3/PLd
E-stop 1
(I) (L) (O)
PFHD = 4.89E-8
Cat. 3/PLe Cat. 4/PLe Cat. 3/PLd
Sleeve Feeder
E-stop Safety Vac Pump

Safety Function 3:
SF11 Push button Relay Contactor Cat. 1/PLc
(I) (L) (O) PFHD = 1.18E-6
E-stop 1
Vacuum Pump
Cat. 3/PLe Cat. 4/PLe Cat. 1/PLc
6 Verification of the PL (PL ≥ PLr)
 For each safety function, the PL of
the SRP/CS shall meet or exceed
the PLr identified in Step 3
5 6 SISTEMA Software
 SISTEMA software supports SRP/CS designers with the calculation and documentation
requirements of ISO 13849-1
 The tool enables modeling of the SRP/CS devices and safety functions
 Calculation of the safety device reliability values and total safety function Performance Level (PL)
 The SISTEMA software free online:
http://www.dguv.de/ifa/praxishilfen/practical-solutions-machine-safety/software-sistema
http://www.marketing.rockwellautomation.com/safety-solutions/en/MachineSafety/ToolsAndDownloads/sistema_download
7 Validation – SRP/CS Meets the SRS
 SRP/CS shall be validated as a system
 ISO 13849-2 sets the requirements for
validation and calls for a documented plan to
confirm the requirements in the SRS are met
 Validation includes functional testing and
fault injection to determine the system
responds accordingly
 Use a checklist to document the validation of
the SRP/CS
8 Verify all Safety Functions Analyzed
 The final step in the ISO 13849-1 design process is to review the Risk Assessment to ensure all
Safety Functions have been identified and analyzed
 The Functional Safety Design process is iterative
 As changes are made, the risk assessment is used to review the impact to safety
SF6
SF12 SF1-5
SF7-11
Share your Feedback
Please complete a session survey on the mobile app
 Download the Rockwell Automation Events App
 Select Rockwell Automation TechED™ and login
 Click on Session Surveys or Schedule in the main menu

 Select the session you are attending
 Click on the survey tab
 Complete the survey and submit
Questions?
#ROKTechED
www.rockwellautomation.com

Rockwell Automation TechED 2018 - SS13 - Introduction To Machine Risk Assessment and Functional Specification Development

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Rockwell Automation TechED 2018 - SS13 - Introduction To Machine Risk Assessment and Functional Specification Development

Hochgeladen von

Copyright:

Verfügbare Formate

Introduction to Machine Risk Assessment and

Functional Specification Development

5. Operate, Maintain 1. Assessment

3. Selection, Design & Verification

Fixed enclosing guard

Safety-Related Parts Monitoring Access /

Awareness Means, Training and

ISO 13849-1:2015; Figure 1

 A comprehensive risk assessment includes all hazard types and tasks

 Task based risk assessment identifies hazards based upon real

Goal: Minimize Safety Control System Failures

Hardware Integrity Systematic Integrity

Random hardware failure can be Human error can be avoided during

4 Design and technical realization of each Safety Function 5

5 Evaluate the Performance Level (PL) of each Safety Function

Input Logic Output

E-stop buttons Safety Contactors

 Develop a block diagram for each safety function

Total Input Logic Output

Safety Function (PL) from ISO 13849-1, Table 2

Safety Monitoring Relay

Cat 2 Safety Cat 4 Safety Safety

Test 100x demand

Safety Monitoring Relay Safety Monitoring Relay

Interlock Switch: PFHD = 4.29E-08 / PLe

E-stop Safety Vac Pump

 Download the Rockwell Automation Events App

 Select Rockwell Automation TechED™ and login

 Click on Session Surveys or Schedule in the main menu

Das könnte Ihnen auch gefallen