Difference between EN/ISO 13849 and EN/IEC
advertisement
Presentation *HQHUDOSUHVHQWDWLRQ Safety Legislation and Standards +RZWRFKRRVHEHWZHHQ(1,62DQG (1,(& 6HOHFWWKHDSSOLFDEOHVWDQGDUG %DVHGRQWKHJHQHULFGH¿QLWLRQRIWKHULVNWKHVWDQGDUGVFODVVLI\QHFHVVDU\VDIHW\ levels in different discrete levels corresponding for each one to a probability of dangerous failure per hour: > 3/3HUIRUPDQFH/HYHOIRUVWDQGDUG(1,62 > 6,/6DIHW\,QWHJULW\/HYHOIRUVWDQGDUG(1,(& 1 The table below gives the relationship between the performance level (PL) and the Safety Integrity Level (SIL). 2 3/ ,6/ 3UREDELOLW\RIGDQJHURXVIDLOXUHVSHUKRXUK a No correspondance u -5«-4 b 1 u[-6«-5 c 1 u-6«[-6 d 2 u -7«-6 e 3 u «-7 3 5HFRPPHQGHGDSSOLFDWLRQRI,(&DQG,62 Annex 7HFKQRORJ\ LPSOHPHQWLQJWKH VDIHW\UHODWHG FRQWUROIXFWLRQ6 ,62 ,(& A Non electrical, e.g. hydralics X Not covered B Electromechanical, e.g. relays, or non-complex electronics Restricted to designated architectures (see Note 1) and up to PL=e All architectures and up to SIL 3 C Complex electronics, e.g. programmable Restricted to designated architectures (see Note 1) and up to PL=d All architectures and up to SIL 3 D A combined with B Restricted to designated architectures (see Note 1) and up to PL=e X see Note 3 E C combined with B Restricted to designated architectures (see Note 1) and up to PL=d All architectures and up to SIL 3 F C combined with A, or C combined with A and B X see Note 2 X see Note 3 4 5 “X” indicates that this item is dealt with by the standard shown in the column heading. 1RWH'HVLJQDWHGDUFKLWHFWXUHDUHGH¿QHGLQ$QQH[%RI(1,62WRJLYHDVLPSOL¿HG DSSURDFKIRUTXDOL¿FDWLRQRISHUIRUPDQFHOHYHO 6 7 1RWH)RUFRPSOH[HOHFWURQLFVXVHRIGHVLJQDWHGDUFKLWHFWXUHDFFRUGLQJWR(1,62 XSWR3/ GRUDQ\DUFKLWHFWXUHDFFRUGLQJWR(1,(& 1RWH)RUQRQHOHFWULFDOWHFKQRORJ\XVHSDUWVDFFRUGLQJWR(1,62DVVXEV\VWHPV )RUEXLOGLQJVSHFL¿FFRPSOH[VXEV\VWHPVRUIRUKLJKHUOHYHOUHTXLUHPHQWV LQFOXGLQJVRIWZDUHVWDQGDUG(1,(&UHODWLQJWRV\VWHPVPXVWEHXVHG 8 9 10 1/15 *HQHUDOSUHVHQWDWLRQ Presentation Safety Legislation and Standards 1 6WDQGDUG(1,62 6WDQGDUGVWREHDSSOLHGDFFRUGLQJWR WKHGHVLJQVHOHFWHGIRUWKHVDIHW\ UHODWHGPDFKLQHFRQWUROV\VWHP ,QWURGXFWLRQWR)XQFWLRQDO6DIHW\RI0DFKLQHU\ 7KHIXQFWLRQDOVDIHW\VWDQGDUGVDUHLQWHQGHGWRHQFRXUDJHGHVLJQHUVWR IRFXVPRUHRQWKHIXQFWLRQVWKDWDUHQHFHVVDU\WRUHGXFHHDFKLQGLYLGXDO ULVNDQGRQWKHSHUIRUPDQFHUHTXLUHGIRUHDFKIXQFWLRQUDWKHUWKDQVLPSO\ UHO\LQJRQSDUWLFXODUFRPSRQHQWV7KHVHVWDQGDUGVPDNHLWSRVVLEOHWR DFKLHYHJUHDWHUOHYHOVRIVDIHW\WKURXJKRXWWKHPDFKLQH¶VOLIH > 8QGHUWKHSUHYLRXVVWDQGDUG(1FDWHJRULHV%DQGGLFWDWHG how a safety-related electrical control circuit must behave under fault conditions. 'HVLJQHUVFDQIROORZHLWKHU(1,62RU(1,(&WRGHPRQVWUDWH conformity with the Machinery Directive. These two standards consider not only ZKHWKHUDIDXOWZLOORFFXUEXWDOVRKRZOLNHO\LWLVWRRFFXU > 7KLVPHDQVWKHUHLVDTXDQWL¿DEOHSUREDELOLVWLFHOHPHQWLQFRPSOLDQFHPDFKLQH builders must be able to determine whether their safety circuit meets the required safety integrity level (SIL) or performance level (PL). Panel builders and designers should be aware that manufacturers of the components used in safety circuits (such as safety detection components, safety logic solvers and output GHYLFHVOLNHFRQWDFWRUVPXVWSURYLGHGHWDLOHGGDWDRQWKHLUSURGXFWV 2 3 6WDQGDUG(1,62 0DFKLQHU\VDIHW\6DIHW\UHODWHGSDUWVRIFRQWUROV\VWHPV 6WDQGDUG(1,62LVDQHYROXWLRQRIVWDQGDUG(1 )LHOGRIDSSOLFDWLRQRIWKHVWDQGDUG This standard gives safety requirements and advice relating to principles for the design and integration of safety-related parts of control systems (SRP/CS), LQFOXGLQJVRIWZDUHGHVLJQ)RUWKHVHSDUWVLWVSHFL¿HVWKHFKDUDFWHULVWLFVLQFOXGLQJ the performance level, needed to achieve these safety functions. It applies to the SRP/CS of all types of machine, regardless of the technology and type of energy used (electric, hydraulic, pneumatic, mechanical, etc.). 4 5 6 Guard contact Logic Contactor L 8 Inputs Processing Action: motor stop 6DIHW\IXQFWLRQV Event: limit switch 7 Outputs Representation of the safety function 9 5LVNUHODWHG WRWKH SRWHQWLDO KD]DUG 10 Risk analysis 1/16 Severity of the potential harm Probability of occurrence: - Frequency and duration of exposure - Possibility of avoiding or limiting the probability of the occurrence of an event that could cause the harm 3URFHVV 5LVNDVVHVVPHQWDVGH¿QHGLQVWDQGDUG(1,62OHDGVWRGHFLVLRQVRQULVN reduction measures. If these measures depend on a control system, then (1,62FDQDSSO\,WGH¿QHV a VWDJHGHVLJQSURFHVV: 1 - Selection of the essential safety functions that SRP/CS must perform. For each safety function, specify the required characteristics 2 - Determine the required performance level (PLr) 3 - Design and technical creation of safety functions: identify the parts that perform the safety function 4 - Evaluate the performance level PL for each safety-related part 5&KHFNWKDWWKHSHUIRUPDQFHOHYHO3/DFKLHYHGLVJUHDWHUWKDQRUHTXDOWRWKH required level (PLr) 6&KHFNWKDWDOOUHTXLUHPHQWVDUHVDWLV¿HG :HZLOOQRZLOOXVWUDWHWKHVHVWDJHVWDNLQJDVDQH[DPSOHDVDIHW\IXQFWLRQZKHUHD severe injury can be caused by a trolley not stopping at the end of the Jib and thus causing the trolley to fall. A person can be exposed to this dangerous situation around the hoisting machine. 6WDJH6HOHFWLRQRIVDIHW\IXQFWLRQV The diagram opposite shows a safety function which consists of several parts: > The input actuated by opening of the guard (SRP/CSa) > The control logic, limited in this example to opening or closing of a contactor coil (SRP/CSb) > The power output that controls the motor (SRP/CSc) > The connections (Iab, Ibc) 6WDJH(VWLPDWLRQRIUHTXLUHGSHUIRUPDQFHOHYHO3/U Considering our example of the person coming into area where the dangerous KRLVWLQJPDFKLQHLVRSHUDWLQJZHQRZHVWLPDWHWKHULVNXVLQJWKHULVNJUDSK The parameters to be considered are: > S Severity of the injury > S1 Slight injury, normally reversible > S2 Serious, normally irreversible, including death > ) Frequency and/or duration of exposure to the hazardous phenomenon > ) Rare to fairly frequent and/or short duration of exposure > ) Frequent to permanent and/or long duration of exposure > P Possibility of avoiding the hazardous phenomena or limiting the harm > P1 Possible under certain circumstances > P2 Virtually impossible *HQHUDOSUHVHQWDWLRQ Presentation Safety Legislation and Standards 6WDQGDUG(1,62 0DFKLQHU\VDIHW\6DIHW\UHODWHGSDUWVRIFRQWUROV\VWHPV(continued) 1 3URFHVV(continued) 6WDJH(VWLPDWLRQRIUHTXLUHGSHUIRUPDQFHOHYHO3/U(continued) For our example: a serious injury S1 can be caused by being exposed near the hoisting machine as if there is no safe guarding to ensure the trolley stops the load and trolley will fall. After considering the severity of the injury we investigate the frequency and/or GXUDWLRQRIWKHSRVVLEOHHQWU\WRWKHGDQJHURXVDUHD+HUHZHGH¿QHWKHIUHTXHQF\RI exposure to the hazard is low F1 (occasional presence) as there are restrictions to enter the area. The last step is based upon the possibility to avoid the hazard and limiting the KDUP7RHYDOXDWHWKLVZHWDNHLQWRFRQVLGHUDWLRQWKDWLWLVSRVVLEOHWRDYRLGWKHKDUPDV the visibility around the dangerous machine is monitored by the operator and in this case WKHUHLVDSRVVLELOLW\WRDYRLGWKHKDUPXQGHUFHUWDLQFRQGLWLRQVVRZHGH¿QHLWDV3 7KHUHVXOWRIWKHHVWLPDWLRQJLYHVDUHTXLUHGSHUIRUPDQFHOHYHO3/U F Required / performance level PLr: 6WDJH'HVLJQDQGFUHDWLRQRIWKHVDIHW\IXQFWLRQV At this point, we need to describe the PL calculation method. )RUD653&6RUDFRPELQDWLRQRI653&63/FRXOGEHHVWLPDWHGZLWKWKH¿JXUH VKRZQRQSDJHDIWHUHVWLPDWLRQRIVHYHUDOIDFWRUVVXFKDV > Hardware and software system structure (categories) > Mechanism of failures, diagnostic coverage (DC) > Components reliability, Mean Time To dangerous Failure (MTTFd) > Common Cause Failure (CCF) > Categories (Cat.) and designated architectures 2 3 4 The table below summarises system behaviour in the event of a failure and the SULQFLSOHVXVHGWRDFKLHYHWKHVDIHW\IRUWKHFDWHJRULHVGH¿QHG 'HVLJQDWHGDUFKLWHFWXUHV &DW 6\VWHPEHKDYLRXU Starting point for the evaluation of the contribution to the risk reduction of a safety function H B A fault can lead to loss of the safety function 1 As for category B but the probability of this occurence is lower than for the category B 2 A fault can lead to loss of the safety function between two periodic inspections and loss of the safety function is detected by the control system at the next test. Estimation of required performance level 6 6HYHULW\RILQMXU\ S1 = Slight (normally reversible injury) S2 = Serious (normally irreversible) injury including death im L 3 F2 = Frequent to continuous and/or the exposure time is long 3 3RVVLELOLW\RIDYRLGLQJWKHKD]DUGRUOLPLWLQJWKHKDUP 3 3RVVLEOHXQGHUVSHFL¿FFRQGLWLRQV 4 For a single fault, the safety function is always ensured. Only some faults will be detected. The accumulation of undetected faults can lead to loss of the safety function. When faults occur, the safety function is always ensured. Faults will be detected in time to prevent loss of the safety function im O 5 I im L im O im OTE m TE ) )UHTXHQF\DQGRUH[SRVXUHWLPHWRWKHKD]DUG F1 = Seldom to less often and/or the exposure time is short P2 = Scarcely possible / /RZFRQWULEXWLRQWRULVNUHGXFWLRQ H +LJKFRQWULEXWLRQWRULVNUHGXFWLRQ Estimation I I1 im I2 im I1 im m L1 O1 6 c L2 L1 m im O2 m im O1 m im O2 7 c I2 Key: im: Interconnecting means c: Cross monitoring I, I1, I2: Input device, e.g. sensor L, L1, L2: Logic im L2 m: Monitoring O, O1, O2: Output device, e.g. main contactor TE: Test equipment OTE: Output of TE 8 > MTTF (Mean Time To dangerous Failure) d The value of the MTTFd of each channel is given in 3 levels (see table below) and VKDOOEHWDNHQLQWRDFFRXQWIRUHDFKFKDQQHOHJVLQJOHFKDQQHOHDFKFKDQQHORID redundant system) individually. 5HOLDELOLW\OHYHOVRIFRPSRQHQWV ,QGH[ 5DQJH Low 3 years y MTTFd\HDUV Medium \HDUVy MTTFd\HDUV High \HDUVy MTTFd\HDUV A MTTFd of less than 3 years should never be found, because this would mean that DIWHURQH\HDULQRSHUDWLRQRIDOOWKRVHFRPSRQHQWVLQXVHZRXOGKDYHIDLOHG WRDGDQJHURXVVWDWH7KHPD[LPXPYDOXHLVOLPLWHGWR\HDUVEHFDXVHGHYLFHV GHDOLQJZLWKDVLJQL¿FDQWULVNVKRXOGQRWGHSHQGRQWKHUHOLDELOLW\RIDVLQJOH component. Additional measures such as redundancy and tests are required. 1/17 9 10 *HQHUDOSUHVHQWDWLRQ Presentation Safety Legislation and Standards 1 6WDQGDUG(1,62 6WDQGDUGVWREHDSSOLHGDFFRUGLQJWR WKHGHVLJQVHOHFWHGIRUWKHVDIHW\ UHODWHGPDFKLQHFRQWUROV\VWHP 2 6WDQGDUG(1,62 0DFKLQHU\VDIHW\6DIHW\UHODWHGSDUWVRIFRQWUROV\VWHPV(continued) 3URFHVV (continued) 6WDJH(continued > 'LDJQRVWLFFRYHUDJH'&WKLVWHUPLVH[SUHVVHGDVDSHUFHQWDJHDQGTXDQWL¿HV the ability to diagnose a dangerous failure For example, in the event of welding of a N/C contact in a relay, the state of the N/O contact could incorrectly indicate the opening of the circuit, unless the relay has PHFKDQLFDOO\OLQNHG12DQG1&FRQWDFWVZKHQWKHIDXOWFDQEHGHWHFWHG The standard recognises four levels: 'LDJQRVWLFFRYHUDJH'& 3 Denotation 5DQJH Nil '& Low y'& Medium y'& High y DC > Relationship between Categories, DC and MTTF Performance level PL d 4 of each channel and the PL PFHD a b u-6«-5 c u-6«-5 d u-7«-6 e u«-7 5 Cat. B DCavg = QLO 6 MTTFd: > > 7 > &KDQQHO low Cat. 2 DCavg = low Cat. 2 DCavg = medium medium Cat. 3 DCavg = low Cat. 3 DCavg = medium Cat. 4 DCavg = high high Using the above chart we can now select the most appropriate architecture, the required Diagnostic coverage as well as ensure the products selected have the right MTTFd values As we require PL= “c” the chart states as a minimum a category 1 architecture with a 'LDJQRVWLFFRYHUDJHRI1LODQGD077)d of High is required. It is possible to use architectures with higher categories to solve the safety function needs We start with determining the architecture required to solve the function. We use the IROORZLQJ&DWHJRU\DUFKLWHFWXUHVHHSDJH Input 1 Processing 1 Output 1 Input 2 Processing 2 Output 2 Action: motor stop > In our example, to reach the PL = e, the solution will therefore have to Event: door opening 8 Cat. 1 DCavg = QLO correspond to category 4 with redundant circuit; the function scheme is shown opposite with two channels in parallel > a high diagnostic capability > a high MTTFd For our application, we could suggest a redundant relay scheme but it is nowadays HDVLHUWRXVHVDIHW\IXQFWLRQEORFNV7KHVROXWLRQLVLOOXVWUDWHGEHORZ Open 9 &KDQQHO Functional diagram of the example Closed 10 Application scheme of the example The process suggested by the standard is iterative and a few estimations are therefore necessary in order to obtain the expected result. In view of the required performance level, we have chosen a solution with redundant circuit. *HQHUDOSUHVHQWDWLRQ Safety Legislation and Standards 6WDQGDUG(1,62 0DFKLQHU\VDIHW\6DIHW\UHODWHGSDUWVRIFRQWUROV\VWHPV(continued) 1 3URFHVV (continued) 6WDJH(YDOXDWHWKHSHUIRUPDQFHOHYHO3/IRUHDFKVDIHW\UHODWHGSDUW Based on the information in the supplier’s catalogue and Annex E of the standard, we obtain the following values: ([DPSOH B10 (number of operations) dangerous failure 077)G DC SRP/CSa: Safety limit switches GDQJHURXVIDLOXUH SRP/CSb: XPS AK safety module - 154.5 SRP/CSc: LCK contactor GDQJHURXVIDLOXUH 2 For electromechanical products, the MTTFd is calculated on the basis of the total number of operations that the product can perform, using BG values: ,QRXUFDVHWKHPDFKLQHRSHUDWHVIRUGD\VSHU\HDUKRXUVSHUGD\ZLWKD F\FOHRIV 1 [[ RSHUDWLRQV\HDU MTTFd = BG[1DQGBG = B10GDQJHURXVIDLOXUH 3 For the safety switches, the MTTFd= [[ \HDUV For the contactors, the MTTFd [[ \HDUV The MTTFd for each channel will then be calculated using the formula: 4 LH\HDUVIRUHDFKFKDQQHO A similar formula is used to calculate the diagnostic capability 5 7KHUHVXOWRIWKHFDOFXODWLRQLQRXUH[DPSOHJLYHVDYDOXHRI 6 6WDJH&KHFNLQJWKDWUHTXLUHGSHUIRUPDQFHOHYHOLVDFKLHYHG The result of the above calculations is summarised below: > a redundant architecture: category 4 > DPHDQWLPHWRIDLOXUH!\HDUVKLJK077)d > DGLDJQRVWLFFDSDELOLW\RIKLJK'& 7 /RRNLQJDWWKLVWDEOHZHFRQ¿UPWKDW3/ level e is achieved: Performance level PL Presentation PFHD a b u-6«-5 c u-6«-5 d u-7«-6 e u«-7 8 Cat. B DCavg = QLO MTTFd: Cat. 1 DCavg = QLO low Cat. 2 DCavg = low Cat. 2 DCavg = medium medium Cat. 3 DCavg = low Cat. 3 DCavg = medium 9 Cat. 4 DCavg = high high 10 Checking the PL 6WDJH9DOLGDWLRQRIWKHUHTXLUHGSHUIRUPDQFHOHYHO The design of SRP/CS must be validated and must show that the combination of 653&6SHUIRUPLQJHDFKVDIHW\IXQFWLRQVDWLV¿HVDOOWKHDSSOLFDEOHUHTXLUHPHQWV RI(1,62 Presentation *HQHUDOSUHVHQWDWLRQ Safety Legislation and Standards 1 6WDQGDUG(1,(& 6WDQGDUGVWREHDSSOLHGDFFRUGLQJWR WKHGHVLJQVHOHFWHGIRUWKHVDIHW\ UHODWHGPDFKLQHFRQWUROV\VWHP 6WDQGDUG(1,(& 0DFKLQHU\VDIHW\6DIHW\5HODWHG(OHFWULFDO&RQWUROV\VWHPV65(&6 )XQFWLRQDO6DIHW\RIVDIHW\UHODWHGHOHFWULFDOHOHFWURQLFDQGHOHFWURQLF SURJUDPPDEOHFRQWUROV\VWHPV )LHOGRIDSSOLFDWLRQRIWKHVWDQGDUG Safety-related electrical control systems in machines (SRECS) are playing an increasing role in ensuring the overall safety of machines and are more and more frequently using complex electronic technology. 2 7KLVVWDQGDUGLVVSHFL¿FWRWKHPDFKLQHVHFWRUZLWKLQWKHIUDPHZRUNRI(1 ,(&,WJLYHVUXOHVIRUWKHLQWHJUDWLRQRIVXEV\VWHPVGHVLJQHGLQ DFFRUGDQFHZLWK(1,62,WGRHVQRWVSHFLI\WKHRSHUDWLQJUHTXLUHPHQWV of non-electrical control components in machines (for example: hydraulic, pneumatic). )XQFWLRQDODSSURDFKWRVDIHW\ 3 $VZLWK(1,62WKHSURFHVVXVLQJWKH(1,(&VWDUWVZLWKDQDO\VLVRI WKHULVNV(1,62LQRUGHUWREHDEOHWRGHWHUPLQHWKHVDIHW\UHTXLUHPHQWV $SDUWLFXODUIHDWXUHRIWKLVVWDQGDUGLVWKDWLWSURPSWVWKHXVHUWRPDNHD IXQFWLRQDODQDO\VLVRIWKHDUFKLWHFWXUHWKHQVSOLWLWLQWRVXEIXQFWLRQVDQG DQDO\VHWKHLULQWHUDFWLRQVEHIRUHGHFLGLQJRQDKDUGZDUHVROXWLRQIRUWKHP WKH65(&6 4 > A functional safety plan must be drawn up and documented for each design project. It must include: > $VSHFL¿FDWLRQRIWKHVDIHW\UHTXLUHPHQWVIRUWKHVDIHW\IXQFWLRQV65&)WKDW is in two parts: > Description of the functions and interfaces, operating modes, function priorities, frequency of operation, etc. > 6SHFL¿FDWLRQRIWKHVDIHW\LQWHJULW\UHTXLUHPHQWVIRUHDFKIXQFWLRQH[SUHVVHG 5 in terms of 6,/ (Safety Integrity Level) > The structured and documented design process for electrical control systems (SRECS) > The procedures and resources for recording and maintaining appropriate information > 7KHSURFHVVIRUPDQDJHPHQWDQGPRGL¿FDWLRQRIWKHFRQ¿JXUDWLRQWDNLQJLQWR account organisation and authorised personnel 6 > 7KHYHUL¿FDWLRQDQGYDOLGDWLRQSODQ > Functional safety The decisive advantage of this approach is that of being able to offer a failure calculation method that incorporates all the parameters that can affect the reliability of electrical systems, whatever the technology used. 7KHPHWKRGFRQVLVWVRIDVVLJQLQJD6,/WRHDFKIXQFWLRQWDNLQJLQWRDFFRXQWWKH following parameters: > The probability of a dangerous failure of the components (PFHd) > The type of architecture; with or without redundancy, with or without diagnostic GHYLFHPDNLQJLWSRVVLEOHWRDYRLGVRPHRIWKHGDQJHURXVIDLOXUHV > Common cause failures (power cuts, overvoltage, loss of communication QHWZRUNHWF&&) > The probability of a dangerous transmission error where digital communication is used > Electromagnetic interference (EMC) 7 8 9 10 *HQHUDOSUHVHQWDWLRQ Presentation Safety Legislation and Standards 6WDQGDUG(1,(& 0DFKLQHU\VDIHW\6DIHW\5HODWHG(OHFWULFDO&RQWUROV\VWHPV65(&6 (continued) 3URFHVV Probability of the harm occurring 5LVN UHODWHGWRWKH KD]DUGRXV SKHQRPHQRQ LGHQWL¿HG Severity of the potential harm Se Frequency and duration of exposure )U Probability of an event occurring Pr Probability of avoiding or limiting the harm Av Designing a system is split into 5 stages after having drawn up the functional safety plan: 1%DVHGRQWKHVDIHW\UHTXLUHPHQWVVSHFL¿FDWLRQ656DVVLJQDVDIHW\OHYHO (SIL) and identify the basic structure of the electrical control system (SRECS), describe each related function (SRCF) 2%UHDNGRZQHDFKIXQFWLRQLQWRDIXQFWLRQEORFNVWUXFWXUH)% 3/LVWWKHVDIHW\UHTXLUHPHQWVIRUHDFKIXQFWLRQEORFNDQGDVVLJQWKHIXQFWLRQ EORFNVWRWKHVXEV\VWHPVZLWKLQWKHDUFKLWHFWXUH 4 - Select the components for each sub-system 5'HVLJQWKHGLDJQRVWLFIXQFWLRQDQGFKHFNWKDWWKHVSHFL¿HGVDIHW\OHYHO6,/LV achieved. 6WDJH$VVLJQDVDIHW\LQWHJULW\OHYHO6,/DQGLGHQWLI\WKHVWUXFWXUHRIWKH 65(&6 %DVHGRQWKHULVNDVVHVVPHQWSHUIRUPHGLQDFFRUGDQFHZLWKVWDQGDUG (1,62HVWLPDWLRQRIWKHUHTXLUHG6,/LVSHUIRUPHGIRUHDFKKD]DUGRXV SKHQRPHQRQDQGLVEURNHQGRZQLQWRSDUDPHWHUVVHHLOOXVWUDWLRQRSSRVLWH ,QSXW 3URFHVVLQJ 2XWSXW 2 3 > Severity Se 7KHVHYHULW\RILQMXULHVRUGDPDJHWRKHDOWKFDQEHHVWLPDWHGE\WDNLQJLQWRDFFRXQW reversible injuries, irreversible injuries and death. 7KHFODVVL¿FDWLRQLVVKRZQLQWKHWDEOHEHORZ 65(&66DIHW\UHODWHGFRQWUROV\VWHP 1 &RQVHTXHQFH 6HYHULW\6H Irreversible: death, loss of an eye or an arm 4 ,UUHYHUVLEOHVKDWWHUHGOLPEORVVRID¿QJHU 3 Reversible: requires the attention of a medical practitioner 2 5HYHUVLEOHUHTXLUHV¿UVWDLG 1 4 5 > Probability of the harm occurring Sub-systems Sub-system components Stage 1: Basic structure of the electrical control system Each of the three parameters Fr, Pr, Av must be estimated separately using the PRVWXQIDYRXUDEOHFDVH,WLVVWURQJO\UHFRPPHQGHGWKDWDWDVNDQDO\VLVPRGHOEH used in order to ensure that estimation of the probability of the harm occurring is FRUUHFWO\WDNHQLQWRDFFRXQW > Frequency and duration of exposure Fr 7KHOHYHORIH[SRVXUHLVOLQNHGWRWKHQHHGWRDFFHVVWKHKD]DUGRXV]RQHQRUPDO operation, maintenance, ...) and the type of access (manual feeding, adjustment, ...). It must then be possible to estimate the average frequency of exposure and its duration. 7KHFODVVL¿FDWLRQLVVKRZQLQWKHWDEOHEHORZ )UHTXHQF\RIGDQJHURXVH[SRVXUH )U y 1 hour 5 >1 hour... y 1 day 5 > 1 day... yZHHNV 4 ZHHNVy 1 year 3 > 1 year 2 7 > Probability of occurrence of a hazardous event Pr. 7ZREDVLFFRQFHSWVPXVWEHWDNHQLQWRDFFRXQW > the predictability of the dangerous components in the various parts of the machine in its various operating modes (normal, maintenance, troubleshooting), paying particular attention to unexpected restarting > behaviour of the persons interacting with the machine, such as stress, fatigue, inexperience, etc. 3UREDELOLW\RIRFFXUUHQFHRIDGDQJHURXVHYHQW Pr Very high 5 Probable 4 Possible 3 Almost impossible 2 Negligible 1 6 8 9 10 1/21 *HQHUDOSUHVHQWDWLRQ Presentation Safety Legislation and Standards 1 6WDQGDUG(1,(& 6WDQGDUGVWREHDSSOLHGDFFRUGLQJWR WKHGHVLJQVHOHFWHGIRUWKHVDIHW\ UHODWHGPDFKLQHFRQWUROV\VWHP 2 Av Impossible 5 Almost impossible 3 Probable 1 Se 65(&6 2EMHFWLYH6,/ ,QSXW 3URFHVVLQJ 2XWSXW *XDUG GHWHFWLRQ /RJLF Motor FRQWURO Function EORFN )% Function EORFN )% Function EORFN )% Stage 2: Break down into function blocks 9 3UREDELOLW\RIDYRLGLQJRUOLPLWLQJWKHKDUP (VWLPDWLRQRIWKH6,/ 5 8 6WDJH (continued) > Probability of avoiding or limiting the harm Av 7KLVSDUDPHWHULVOLQNHGWRWKHGHVLJQRIWKHPDFKLQH,WWDNHVLQWRDFFRXQWWKH suddenness of the occurrence of the hazardous event, the nature of the dangerous component (cutting, temperature, electrical) and the possibility for a person to identify a hazardous phenomenon. Estimation is made with the help of the table below. ,QRXUH[DPSOHWKHGHJUHHRIVHYHULW\LVEHFDXVHWKHUHLVDULVNRID¿QJHUEHLQJ DPSXWDWHGWKLVYDOXHLVVKRZQLQWKH¿UVWFROXPQRIWKHWDEOH All the other parameters must be added together in order to select one of the classes (vertical columns in the table below), which gives us: > Fr = 5 accessed several times a day > Pr = 4 hazardous event probable > Av = 3 probability of avoiding almost impossible Therefore a class CI = 5 + 4 + 3 = 12 A level of SIL 2 must be achieved by the safety-related electrical control system(s) (65(&6) on the machine. 4 7 0DFKLQHU\VDIHW\6DIHW\5HODWHG(OHFWULFDO&RQWUROV\VWHPV65(&6 (continued) 3URFHVV(continued) > Assignment of the 6,/ 3 6 6WDQGDUG(1,(& 65(&6 Sub-system 1 Sub-system 2 Sub-system 3 *XDUG GHWHFWLRQ /RJLF Motor FRQWURO Safety limit switch 1 Contactor 1 Safety limit switch 2 Contactor 2 Sub-system components Stage 3: Assignment of function blocks 10 1/22 &ODVV&, 3-4 5-7 11-13 4 SIL 2 SIL 2 SIL 2 SIL 3 SIL 3 3 - - SIL 1 SIL 2 SIL 3 2 - - - SIL 1 SIL 2 1 - - - - SIL 1 14-15 > Basic structure of the 65(&6 Without going into detail about the hardware components to be used, the system is EURNHQGRZQLQWRVXEV\VWHPV,QRXUFDVHZH¿QGWKHVXEV\VWHPVWKDWZLOO SHUIRUPWKHLQSXWSURFHVVLQJDQGRXWSXWIXQFWLRQV7KH¿JXUHRSSRVLWHLOOXVWUDWHV this stage, using the terminology given in the standard. 6WDJH%UHDNGRZQHDFKIXQFWLRQLQWRDIXQFWLRQEORFNVWUXFWXUH)% $IXQFWLRQEORFN)%LVWKHUHVXOWRIDGHWDLOHGEUHDNGRZQRIDVDIHW\UHODWHG function. 7KHIXQFWLRQEORFNVWUXFWXUHJLYHVDQLQLWLDOFRQFHSWRIWKH65(&6DUFKLWHFWXUH 7KHVDIHW\UHTXLUHPHQWVRIHDFKEORFNDUHGHGXFHGIURPWKHVSHFL¿FDWLRQRIWKH safety requirements of the system’s function. 6WDJH/LVWWKHVDIHW\UHTXLUHPHQWVIRUHDFKIXQFWLRQEORFNDQGDVVLJQWKH IXQFWLRQEORFNVWRWKHVXEV\VWHPVZLWKLQWKHDUFKLWHFWXUH (DFKIXQFWLRQEORFNLVDVVLJQHGWRDVXEV\VWHPLQWKH65(&6DUFKLWHFWXUH$ failure of any sub-system will lead to the failure of the safety-related control IXQFWLRQ0RUHWKDQRQHIXQFWLRQEORFNPD\EHDVVLJQHGWRHDFKVXEV\VWHP(DFK sub-system may include sub-system elements and, if necessary, diagnostic functions in order to ensure that anomalies can be detected and the appropriate DFWLRQWDNHQ These diagnostic functions (D) are considered as separate functions; they may be performed within the sub-system, by another internal or external sub-system. *HQHUDOSUHVHQWDWLRQ Presentation Safety Legislation and Standards 6WDQGDUG(1,(& 0DFKLQHU\VDIHW\6DIHW\5HODWHG(OHFWULFDO&RQWUROV\VWHPV65(&6 (continued) 3URFHVV(continued) 'HWHFWLRQ SS1 /RJLF SS2 Sub-system 1 Sub-system 2 6WDJH6HOHFWWKHFRPSRQHQWVIRUHDFKVXEV\VWHP The products shown in the illustration opposite are selected. If the sensors and contactors are the same as in the previous example, a safety module XPS AK will EHFKRVHQ,QWKLVH[DPSOHZHWDNHDF\FOHRIVZKLFKPHDQVWKHGXW\F\FOHC LVRSHUDWLRQVSHUKRXU Motor FRQWURO SS3 Sub-system 3 66 66 66 66 Stage 4: Component selection Sub-system element 1 Sub-system element n Sub-system type A Common cause failure 4 architecture > SS2: a SIL 3 safety module (obtained on the basis of the PFH provided by the manufacturer) 5 > SS3: two redundant contactors built in accordance with a type B architecture Sub-system type B Sub-system element n Sub-system element 1 Diagnostic function(s) Sub-system type C Sub-system element 1 Common cause failure Diagnostic function(s) Sub-system element 2 /RJLF SS2 Sub-system 1 Sub-system 2 Motor FRQWURO SS3 Sub-system 3 66 6 7 We obtain: > for SS1 PFHd = 1.6 E > for SS3 PFHd ( > 3)+'65(&6 Types of sub-system architecture 'HWHFWLRQ SS1 The calculation method can be found in the machine safety guide, so we will only JLYHWKH¿QDOUHVXOW7KLVPHWKRGWDNHVLQWRDFFRXQWWKHIROORZLQJSDUDPHWHUV > B10QXPEHURIRSHUDWLRQVDWZKLFKRIWKHSRSXODWLRQIDLO > C: Duty cycle (number of operations per hour) > D: rate of dangerous failures ( D = [SRUWLRQRIGDQJHURXVIDLOXUHVLQ > EFRPPRQFDXVHIDLOXUHFRHI¿FLHQWZKLFKLVKHUHDQGLVWKHZRUVW case: see Annex F > 7: Proof Test Interval or life time whichever is smaller, as provided by the supplier > 7: diagnostic test interval > DC: Diagnostic coverage rate = DD/ D, ratio between the rate of detected failures and the rate of dangerous failures -7 8 The total probability of dangerous failures per hour is: > 3)+'65(&6 = 3)+DSS1+ 3)+DSS2 + 3)+DSS3 Sub-system type D Architecture D 3 > SS1: two redundant safety limit switches in a sub-system with a type D Sub-system element 2 SS 6WDJH'HVLJQWKHGLDJQRVWLFIXQFWLRQ The SIL of the sub-system depends not only on the components, but also on the architecture selected. For our example, we will choose architectures B and D of the standard. In our architecture, the safety module performs diagnostics not only on itself, but also on the safety limit switches. 2 We have three sub-systems for which the safety levels must be determined: Sub-system element 1 SS As the safety integrity level required for the entire system is SIL 2, each of the components must achieve this level. The manufacturer’s catalogue gives the following values: Safety limit switches 1 and 2: B RSHUDWLRQVWKHSURSRUWLRQRI GDQJHURXVIDLOXUHVLVOLIHWLPHLV\HDUV > Safety module: PFHd > Contactors 1 and 2: B RSHUDWLRQVWKHSURSRUWLRQRIGDQJHURXV IDLOXUHV OLIHWLPHLV\HDUV 1 + (-7 = 1.15 E-7 Which corresponds to the expected result (table below) of a SIL = 2 . Comment: A level of SIL 3 could have been achieved by using mirror contacts to FUHDWHDIHHGEDFNORRSRQWKHFRQWDFWRUVLHDVXEV\VWHPDUFKLWHFWXUHW\SH' 9 &KHFNLQJWKHUHTXLUHG6,/ 6,/ 3UREDELOLW\RIGDQJHURXVIDLOXUHVSHUKRXU3)+G 3 u-7 2 u 10 1 u-6-5 10 66 Architecture B Stage 5: Design of the diagnostic function 1/23
