Overview of Safety Standards: New Machinery Directive 2006/42/EC
Panasonic Electric Works Europe AG, 2010 (Lowas / Wohlschlaeger)

Machine Safety: EU Standards for Machine and Device Manufacturers

Machinery Directive 2006/42/EC: functional safety
• IEC/EN 61508-1
• EN ISO 13849-1/2
• IEC/EN 62061

Low Voltage Directive 2006/95/EC: electrical safety
• EN 50178
• EN 60950-1
• EN 61131-2

EMC Directive 2004/108/EC: electromagnetic compatibility (radiated emission, immunity, conducted interference)
• EN 61000 series
• EN 550xx series
• EN 61131-2

Depending on the product, additional harmonized standards may apply.

European Machinery Directive 2006/42/EC (German: MRL)

• A European Directive (29 June 2006) is not in itself directly binding law for manufacturers. All EU member states were required to transpose the Machinery Directive into national law; the new Directive applies from 29 December 2009.
• Example: in Germany, the Directive was implemented through the 9th Ordinance to the Equipment and Product Safety Act (GPSG).
• The German national law has been in effect since 29 December 2009. Note: there was no transition period!
• The Directive covers: product liability, conformity assessment, technical safety requirements, documentation requirements, and the EC Declaration of Conformity.

When Is a Manufacturer Allowed to Affix a CE Marking on a Product?
Product requirements → technical documents

Technical construction file (TCF): technical documentation for a product providing evidence of conformity with regard to the following points:
• Product name and description
• Construction and detail drawings
• Product description with explanation of the intended purpose
• List of standards and technical specifications applied
• Documents on the risk assessment and on the measures taken to reduce risk
• Technical reports detailing the results of tests conducted by the manufacturer or by an authorized testing agency
• Operating instructions
• EC Declaration of Conformity

Machine Safety: Overview

Machine construction and risk evaluation:
• EN ISO 12100: safety of machinery, basic terms, general principles for design
• EN ISO 14121: safety of machinery, risk assessment

Functional and safety requirements for the safety-related functions; design and implementation of safety-related functions:
• IEC/EN 62061:2005: safety of machinery, functional safety of safety-related electrical, electronic, and programmable electronic control systems
• EN ISO 13849-1:2006: safety of machinery, safety-related parts of control systems (SRP/CS), for all types of machinery regardless of the technology or energy type employed (electric, hydraulic, pneumatic, mechanical, etc.)

Electrical safety aspects:
• EN 60204-1: safety of machinery, electrical equipment of machines

Safety Goals Relating to Design: Risk Assessment (ISO 14121)

Risk assessment is an iterative process:
1. Start.
2. Define the machine limits:
   • application limits (e.g., household or industrial use)
   • spatial limits (interfaces, energy supply)
   • time limits (estimated product life)
3. Identify the hazards: what are the risks that must be dealt with?
4. Estimate the risk: how serious are these risks?
   (Steps 2 to 4 make up the risk analysis.)
5. Evaluate the risk: do measures need to be taken to deal with these risks?
6. Was the risk adequately reduced?
   • Yes → end.
   • No → take measures to reduce the risk in accordance with DIN EN ISO 12100, then repeat the assessment.

Risk Reduction (ISO 12100)

Measures taken to reduce risk in accordance with DIN EN ISO 12100, in order of priority (example: a punching tool):
1. Inherently safe design, e.g., modifying the shape of the product or tool so that the hazard is removed.
2. Protective equipment, e.g., protective covers, safety light beam sensors, safety-related functions of the control system (SRP/CS).
3. User information, e.g., the user's manual.

Does the selected safety measure depend on a control system (SRP/CS)?
• Yes → design the control system's safety-related parts in accordance with DIN EN ISO 13849.
• In every case, evaluate the residual risk and check whether the measure itself introduces new risks.

SRP/CS = safety-related parts of the control system

Risk and Hazard Assessment

Hazards identified according to EN ISO 14121:
• Mechanical hazards: hitting, crushing, shearing (clipping), cutting, puncture
• Electrical hazards
• Heat-related hazards
• Material- and substance-related hazards
• Noise hazards
• Radiation hazards
• Vibration-related hazards
• Ergonomics-related hazards

Risk reduction according to EN ISO 12100: through inherently safe design, or through protective equipment. Where the protective equipment relies on the control system, the safety-related parts of the control system (SRP/CS) are designed for functional safety according to DIN EN ISO 13849.

Risk Reduction According to DIN EN ISO 13849

Design process for the safety-related parts of a control system (SRP/CS) in accordance with ISO 13849:
1. Determine the required performance level (PLr).
2. Choose the category (designated architecture).
3. Determine the components used (MTTFd).
4. Perform the evaluation, considering the diagnostic coverage (DC).
5. Perform the evaluation, considering the control system's robustness against common cause failures (CCF).
6. Verify the PL achieved for each safety-related function: PL ≥ PLr.
7. Validation: have all requirements been met?
Determining the Required Performance Level (PLr)

Risk graph parameters:
• S, severity of injury: S1 = slight (usually reversible) injury; S2 = serious (usually irreversible) injury, including death
• F, frequency and/or duration of exposure to the hazard: F1 = seldom to infrequent and/or short exposure; F2 = frequent to continuous and/or long exposure
• P, possibility of avoiding the hazard or limiting the harm: P1 = possible under certain conditions; P2 = hardly possible

Resulting PLr (low risk = a, high risk = e):
S1 F1 P1 → a
S1 F1 P2 → b
S1 F2 P1 → b
S1 F2 P2 → c
S2 F1 P1 → c
S2 F1 P2 → d
S2 F2 P1 → d
S2 F2 P2 → e

Example: → the machine must meet PLd.

Achieving the Required Performance Level (PL)

The performance level (for SRP/CS design) is a measure of several factors that together determine the system's safety and reliability. The PL is derived from four quantities:
• Designated architecture (category)
• Hardware quality: mean time to dangerous failure (MTTFd)
• Diagnostic coverage (DC)
• Common cause failure (CCF)

Risk Assessment, Categories, Bar Graph: Relationship Between Category, MTTFd, DC, and CCF

PFHD bands (probability of a dangerous failure per hour, in 1/h):
• PL a: ≥ 10^-5 to < 10^-4
• PL b: ≥ 3·10^-6 to < 10^-5
• PL c: ≥ 10^-6 to < 3·10^-6
• PL d: ≥ 10^-7 to < 10^-6
• PL e: ≥ 10^-8 to < 10^-7

Columns of the bar graph (within each column the PL reached rises with the MTTFd of each channel: low, medium, high):
• Cat. B, DCavg none
• Cat. 1, DCavg none
• Cat. 2, DCavg low
• Cat. 2, DCavg medium
• Cat. 3, DCavg low
• Cat. 3, DCavg medium
• Cat. 4, DCavg high
CCF: not required for Cat. B and Cat. 1 (without CCF); at least 65 points required for Cat. 2, 3, and 4 (with CCF).

Category B and Category 1

Architecture: I → L → O (I = input unit, L = logic, O = output unit), single channel.

Category B, requirement (summary): the safety-related parts of control systems and/or their protective equipment, as well
as their components, must be designed, built, selected, combined, and mounted in compliance with the relevant standards, and must be capable of withstanding the expected influences. Basic safety principles must be applied.
System performance: the occurrence of a fault can lead to loss of the safety-related function.
MTTFd: low to medium. DCavg: none. CCF: not relevant.

Category 1, requirement (summary): the requirements for category B must be fulfilled. Well-tried components and well-tried safety principles must be applied.
System performance: the occurrence of a fault can lead to loss of the safety-related function, but the probability of occurrence is lower than in category B.
MTTFd: high. DCavg: none. CCF: not relevant.

Safety principle for these categories: the main determinant is the choice of components.

Category 2

Architecture: I → L → O with test equipment (TE) and its output (OTE); m = monitoring; dotted lines = feasible fault detection.

Requirement (summary): the requirements for category B must be met, and well-tried safety principles must be applied. The safety-related function must be checked at suitable intervals by the machine control system; the mandatory check points include machine start-up and the start of any hazardous step in the production process (e.g., start of a new cycle, start of a different type of motion).
System performance: the occurrence of a fault can lead to loss of the safety-related function between the checks. The check detects the loss of the safety-related function.
MTTFd: low to high. DCavg: low to medium. CCF: must be considered (at least 65 points).

Safety principle for this category: the main determinant is the system architecture → test equipment and monitoring.

Category 3

Architecture: two channels I1 → L1 → O1 and I2 → L2 → O2; c = cross-monitoring between the channels; m = monitoring; dotted lines = feasible fault detection.

Requirement (summary): the requirements for category B must be met, and well-tried safety principles must be applied. Safety-related parts must be designed in such a way that:
1. a single fault in any of these parts does not lead to loss of the safety-related function, and
2.
wherever reasonably practicable, the single fault is detected.
System performance: if a single fault occurs, the safety-related function is always preserved. Some but not all faults will be detected. An accumulation of undetected faults can lead to loss of the safety-related function.
MTTFd: low to high. DCavg: low to medium. CCF: must be considered (at least 65 points).

Safety principle for this category: the main determinant is the architecture → dual channel / redundancy.

Category 4

Architecture: two channels I1 → L1 → O1 and I2 → L2 → O2; c = cross-monitoring between the channels; m = monitoring; solid lines = implemented fault detection.

Requirement (summary): the requirements for category B must be met, and well-tried safety principles must be applied. Safety-related parts must be designed in such a way that:
1. a single fault in any of these parts does not lead to loss of the safety-related function, and
2. the single fault is detected at or before the next demand upon the safety-related function. If this is not possible, an accumulation of undetected faults must not lead to loss of the safety-related function.
System performance: if a single fault occurs, the safety-related function is always preserved. Faults are detected in time to prevent loss of the safety-related function (high diagnostic coverage), and an accumulation of faults is taken into account.
MTTFd: high. DCavg: high. CCF: must be considered (at least 65 points).

Safety principle for this category: the main determinant is the architecture → dual channel / redundancy with high diagnostic coverage.

MTTFd: Component Quality

Definition: the MTTFd value is the mean time to dangerous failure, stated per channel. It is a statistical value; it is not a guarantee of product life.
The MTTFd value is divided into three classes (per channel):
• Low: 3 years ≤ MTTFd < 10 years
• Medium: 10 years ≤ MTTFd < 30 years
• High: 30 years ≤ MTTFd ≤ 100 years

The PFHD value is closely related: it specifies the probability of a dangerous failure per hour. For a single channel without diagnostics (categories B and 1) it is approximately the inverse of the MTTFd expressed in hours; for the other categories the PFHD also depends on the DC and on the CCF measures.

NOTE: the standard caps the per-channel value at 100 years. A higher MTTFd is therefore not the way to reach a better PL; the emphasis should be placed on improving the designated architecture.

The MTTFd value is specified by the component manufacturer.

DC: Diagnostic Coverage

Definition: the diagnostic coverage is the ratio of the rate of detected dangerous failures to the rate of all dangerous failures:

DC = (dangerous failures detected) / (total number of dangerous failures)

The DC value is divided into four classes:
• None: DC < 60%
• Low: 60% ≤ DC < 90%
• Medium: 90% ≤ DC < 99%
• High: DC ≥ 99%

Diagnostic measures for estimating DC values: ISO 13849-1, Annex E, Table E.1. For additional measures, refer to IEC 61508-2, Tables A.2 to A.15.
Diagnostic Coverage: Sample Safety Measures

Excerpt from EN ISO 13849-1, Table E.1 (measure → DC):
• Cyclic test stimulus by dynamic change of the input signals → 90%
• Plausibility check, e.g., use of normally open and normally closed mechanically linked (force-guided) relay contacts → 99%
• Cross monitoring of input signals without dynamic test → 0% to 99%, depending on how often a signal change is made by the application
• Cross monitoring of input signals with dynamic test, if short circuits cannot be detected (for multiple inputs/outputs) → 90%
• Cross monitoring of input signals and intermediate results within the logic (L), plus temporal and logical monitoring of the program flow and detection of static faults and short circuits (for multiple inputs/outputs) → 99%
• Indirect monitoring (e.g., monitoring by pressure switch; electrical position monitoring of actuators) → 90% to 99%, depending on the application
• Direct monitoring (e.g., electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contacts) → 99%
• Fault detection by the process → 0% to 99%, depending on the application. Used alone, this measure is not sufficient to meet the requirements of performance level e!
• Monitoring of certain sensor characteristics (response time, range of analogue signals, e.g., electrical resistance, capacitance) → 60%

CCF: Common Cause Failure

Definition: failures of different items resulting from a single event, where these failures are not consequences of each other.

Measures against CCF are required for categories 2, 3, and 4. The table of measures is in ISO 13849-1, Annex F, Table F.1; a total of at least 65 points is required!

EXAMPLE: a single overheating event causes both of two redundant sensors to fail at the same time. Neither failure is the consequence of the other; both stem from the common cause.

Measures to Prevent CCF
No. | Measure against CCF | Points
1 | Separation/segregation: physical separation between signal paths | 15
2 | Diversity: different technologies are used (e.g., programmable electronic systems and hard wiring) | 20
3 | Design/application/experience: protection against overvoltage, overpressure, overcurrent | 15
3 | Design/application/experience: use of well-tried components | 5
4 | Assessment/analysis: have the results of an FMEA been taken into account? | 5
5 | Competence/training: CCF training for developers and maintenance technicians | 5
6 | Environment: protection against contamination; electromagnetic compatibility | 25
6 | Environment: other influences (temperature, shock, vibration) | 10
Maximum number of points | 100

A total of at least 65 points is required! Each measure counts only with its full score or not at all; a partly implemented measure scores zero.

Risk Assessment, Categories, Bar Graph (recap of the earlier slide: PFHD bands for PL a to e; bar graph columns Cat. B and Cat. 1 without CCF, Cat. 2, Cat. 3, and Cat. 4 with at least 65 CCF points)

Safety-Related Functions: Examples (1)

Emergency stop button, emergency pull cord (rope-pull switch), or safety door switch:
• When any of these safety-related functions is triggered, a stop signal is transmitted via the safety relay. This signal shuts down the machine.
• The subsequent reset signal must not trigger a machine restart.

Laser scanner and safety light curtain:
• If the area monitored by the laser scanner is entered, or if the safety light curtain is interrupted, the hazardous part of the machine must be shut down.
Calculating the PL for a Safety-Related Function: Two Methods

A safety-related function is split into detection (input), processing (logic), and reaction (output).

Method 1, block method:
• Gives the exact result: the PFHD values of all subsystems are added
• Considers the entire SRP/CS
• Most appropriate for complex, interconnected SRP/CS

Method 2, subsystem method:
• Simplified form for determining the PL by means of a combination table
• If the PL (or PFHD) of each subsystem is known, the overall PL can be estimated quickly
• The PFHD value is specified by the manufacturer

Total Performance Level (Method 1: Block Calculation)

Impact of the PFHD values on the total performance level:

Case #1:
• Detection (input): PLe, PFHD = 2.2 × 10^-9
• Processing (logic): PLe, PFHD = 8.7 × 10^-9
• Reaction (output): PLe, PFHD = 2.1 × 10^-9
• PFHD total = 2.2 × 10^-9 + 8.7 × 10^-9 + 2.1 × 10^-9 = 13 × 10^-9 = 1.3 × 10^-8 → PLe

Case #2:
• Detection (input): PLe, PFHD = 2.2 × 10^-8
• Processing (logic): PLe, PFHD = 6.78 × 10^-8
• Reaction (output): PLe, PFHD = 2.2 × 10^-8
• PFHD total = 2.2 × 10^-8 + 6.78 × 10^-8 + 2.2 × 10^-8 = 11.18 × 10^-8 ≈ 1.12 × 10^-7 → PLd

PLe requires PFHD ≥ 10^-8 to < 10^-7 (corresponds to SIL 3). Although every subsystem in case #2 is PLe on its own, the sum of the three PFHD values falls into the PLd band.

Determining the PL for a Series Connection (Method 2: Table Lookup)

Subsystem method: this procedure determines the PL of the entire combination of SRP/CS that execute the safety-related function.
Steps:
1. Determine the lowest PL among the subsystems; this is PLlow.
2. Determine the number Nlow ≤ N of the SRP/CS with PLi = PLlow.
3. Look up the overall PL in the table:

PLlow | Nlow | Overall PL
a | > 3 | not possible (not allowed)
a | ≤ 3 | a
b | > 2 | a
b | ≤ 2 | b
c | > 2 | b
c | ≤ 2 | c
d | > 3 | c
d | ≤ 3 | d
e | > 3 | d
e | ≤ 3 | e

Example: PLe + PLe + PLe → PLe (PLlow = e, Nlow = 3).

DIN EN ISO 13849-1/2 versus IEC/EN 62061

• DIN EN ISO 13849-1 applies to safety-related parts of control systems (SRP/CS) for all types of machinery, regardless of the technology or energy type employed (electric, hydraulic, pneumatic, mechanical, etc.).
• IEC/EN 62061 applies to safety-related electrical, electronic, and programmable electronic control systems (SRECS) for machines.

Comparison Between PL and SIL

PL and SIL can be mapped onto each other via the PFHD value.

PL (ISO 13849) | PFHD, probability of dangerous failure per hour (1/h) | SIL (IEC 62061)
a | ≥ 10^-5 to < 10^-4 | not defined
b | ≥ 3·10^-6 to < 10^-5 | 1
c | ≥ 10^-6 to < 3·10^-6 | 1
d | ≥ 10^-7 to < 10^-6 | 2
e | ≥ 10^-8 to < 10^-7 | 3

Thank You!
Panasonic: Your Automation Partner