Optima In control since 1995

Safety Update

This presentation covers:
- Machinery Directive 2006/42/EC
- BS/EN954-1
- EN ISO 13849-1
- EN/IEC 62061

Introduction

Machinery Directive 2006/42/EC

Process of Risk Assessment: EN ISO 12100–2:2003 Safety of Machinery. Technical principles.
Machine manufacturers are obligated to complete a Risk Assessment that is now defined within the directive as an iterative process of hazard identification, risk estimation, hazard elimination or risk reduction.

Safety system requirements:
Machine designers are obligated to design control systems in such a way that a fault in the hardware or software of the control system and/or reasonably foreseeable human error does not lead to hazardous situations.

Current status

- BS/EN954-1: valid up to 29th December 2009. (Update from beginning September ’09: EN954-1 has been given a stay of execution until the end of 2011.)
- EN ISO 13849-1 is applicable for electrical/electronic/programmable electronic/hydraulic/pneumatic/mechanical systems.
- EN/IEC 62061 is applicable for electrical/electronic/programmable electronic systems.

Usage of different standards

- BS/EN954-1 was used for all safety systems using standard control circuits and tried and tested equipment. Higher levels of safety were achieved by monitoring at various stages, once per shift, every reset etc.
- EN ISO 13849-1 is applicable for electrical/electronic/programmable electronic/hydraulic/pneumatic/mechanical systems.
- EN/IEC 62061 is applicable for electrical/electronic/programmable electronic systems.

Safety Categories EN954-1

BS/EN954-1 Categories B, 1, 2, 3, 4

S: severity of injury
  S1: slight (normally reversible injury)
  S2: serious (normally irreversible injury or death)
F: frequency and/or exposure to hazard
  F1: seldom-to-less-often and/or exposure time is short
  F2: frequent-to-continuous and/or exposure time is long
P: possibility of avoiding hazard or limiting harm
  P1: possible under specific conditions
  P2: scarcely possible

Safety Categories EN13849-1

EN ISO13849-1 Performance Levels a-e

S: severity of injury
  S1: slight (normally reversible injury)
  S2: serious (normally irreversible injury or death)
F: frequency and/or exposure to hazard
  F1: seldom-to-less-often and/or exposure time is short
  F2: frequent-to-continuous and/or exposure time is long
P: possibility of avoiding hazard or limiting harm
  P1: possible under specific conditions
  P2: scarcely possible

Safety Categories EN62061

IEC/EN 62061 is the machine sector specific standard within the framework of IEC/EN 61508. EN 62061 is harmonised under the European Machinery Directive. The Safety Integrity Level (SIL) is the new measure defined in IEC 61508 regarding the probability of failures in a safety function or a safety related system.

Safety integrity level (SIL), by mode of operation:
- High demand or continuous mode of operation: PFHd (probability of a dangerous failure per hour)
- Low demand mode of operation: PFDaverage (average probability of failure to perform its design function on demand)

SIL   PFHd                    PFDaverage
4     >= 10^-9 to < 10^-8     >= 10^-5 to < 10^-4
3     >= 10^-8 to < 10^-7     >= 10^-4 to < 10^-3
2     >= 10^-7 to < 10^-6     >= 10^-3 to < 10^-2
1     >= 10^-6 to < 10^-5     >= 10^-2 to < 10^-1

For machinery, the probability of dangerous failures per hour of a control system is denoted in IEC/EN 62061 as the PFHd.

Safety Categories EN62061

EN/IEC 62061 requires each safety function to be assessed in the following manner:

Risk related to the identified hazard = Severity of the possible harm (Se) and Probability of occurrence of that harm

The probability of occurrence of that harm is made up of:
- Frequency and duration of exposure (Fr)
- Probability of occurrence of a hazardous event (Pr)
- Probability of avoiding or limiting harm (Av)

The required risk assessment graph is shown on the following pages.

Safety of Machinery and Functional Safety

Machinery: Risk parameter examples of IEC/EN 62061

Consequences                                                   Severity (Se)
Irreversible: death, losing an eye or arm                      4
Irreversible: broken limb(s), losing a finger(s)               3
Reversible: requiring attention from a medical practitioner    2
Reversible: requiring first aid                                1

Frequency and duration of exposure (Fr)
Frequency of exposure        Duration > 10 min
<= 1 h                       5
> 1 h to <= 1 day            5
> 1 day to <= 2 weeks        4
> 2 weeks to <= 1 year       3
> 1 year                     2

Probability of occurrence    Probability (Pr)
Very high                    5
Likely                       4
Possible                     3
Rarely                       2
Negligible                   1

Probability of avoiding or limiting harm (Av)
Impossible                   5
Rarely                       3
Probable                     1

List all the possible hazards of the machine and determine the parameters according to the tables and fill in the values:

Serial no.   Hazard   Se   Fr   Pr   Av   Cl
1
2
3
4

The Class Cl is the sum of: Fr + Pr + Av = Cl

Safety of Machinery and Functional Safety

Machinery: Determination of the required SIL (Safety Integrity Level). Example according to IEC/EN 62061

Serial no.   Hazard     Se   Fr     Pr     Av     Cl
1            hazard x   4    5   +  4   +  3   =  12
2

Consequences                     Severity (Se)   Class Cl
                                                 3-4     5-7     8-10    11-13   14-15
Death, losing an eye or arm      4               SIL 2   SIL 2   SIL 2   SIL 3   SIL 3
Permanent, losing fingers        3               -       OM      SIL 1   SIL 2   SIL 3
Reversible, medical attention    2               -       -       OM      SIL 1   SIL 2
Reversible, first aid            1               -       -       -       OM      SIL 1

Machinery: Risk assessment form given as an example in IEC/EN 62061

Risk assessment and safety measures
Product:
Issued by:
Date:

Black area = Safety measures required
Grey area = Safety measures recommended

The form carries the same Severity (Se) / Class Cl matrix as the previous slide, together with the following parameter tables.

Frequency and duration (Fr)
<= 1 hour                    5
> 1 h to <= 1 day            5
> 1 day to <= 2 wks          4
> 2 wks to <= 1 year         3
> 1 year                     2

Probability of hazardous event (Pr)
Common                       5
Likely                       4
Possible                     3
Rarely                       2
Negligible                   1

Avoidance (Av)
Impossible                   5
Possible                     3
Likely                       1

Form columns: No. | Hazard | Se | Fr | Pr | Av | Cl | Safety Measure | Safe | Comments

Safety Level Comparison

SIL calculations can be approximately converted over to PL levels. The relationship between the categories, the PL and the SIL is as follows:

Category (EN 954-1)   Performance level (PL) (prEN ISO 13849-1)   SIL (IEC 61508, EN 62061)
B                     a                                           no special safety requirements
1                     b                                           1
2                     c                                           1
3                     d                                           2
4                     e                                           3

SIL 1: Not more than 1 dangerous failure of the safety function in 10 years
SIL 2: Not more than 1 dangerous failure of the safety function in 100 years
SIL 3: Not more than 1 dangerous failure of the safety function in 1000 years

Calculation of PL and SIL

To enable the value of PL or SIL to be calculated, information must be available from equipment manufacturers.

Software packages available to help with verification of PL or SIL:
- PILZ (£): Pascal
- SIEMENS (£): “The Safety Evaluation Tool” online package
- SISTEMA (FREE!): German BGIA organisation tool for calculating Performance Level to EN ISO 13849-1

Calculation of PL and SIL

Example calculation: Risk assessment for a rotary printing machine

On a web-fed printing press, a paper web is fed through a number of cylinders. High operating speeds and rotational speeds of the cylinders are reached, particularly in newspaper printing. Essential hazards exist at the zones where it is possible to be drawn in by the counter-rotating cylinders. This example considers the hazardous zone on a printing machine on which maintenance work requires manual intervention at reduced machine speeds. The access to the hazardous zone is protected by a guard door (safeguarding).

The following safety functions are designated:
SF1: Opening of the guard door during operation causes the cylinders to be braked to a halt.
SF2: When the guard door is open, any machine movements must be performed at limited speed.
SF3: When the guard door is open, movements are possible only whilst an inching button is pressed.

Entrapment between the cylinders causes severe injuries (S2). Since work in the hazardous area is necessary only during maintenance tasks, the frequency and duration of hazard exposure can be described as low (F1). At production speeds, no possibility exists of avoiding the hazardous movement (P2).

Example taken from BGIA report 2/2008e

Calculation of PL and SIL

Example calculation: Risk assessment for a rotary printing machine

This therefore results in a required Performance Level PLr of d for the safety functions SF1 and SF2.

The safety function SF3 can however be used only if the printing machine has first been halted (SF1) and the permissible rotational speed of the cylinders limited (SF2). This results in the possible machine movements being predictable for the operator, who is thus able to evade hazardous movements (P1). A required performance level PLr of c is therefore adequate for SF3.

Example taken from BGIA report 2/2008e

Conclusions

EN ISO13849-1 is the default choice for systems that contain non-electrical systems and an overall summary is shown below:

Non electrical, e.g. hydraulics
  EN ISO 13849-1: Covered
  IEC 62061: Not covered

Electromechanics, e.g. relays, or non complex electronics
  EN ISO 13849-1: All architectures and up to PL = e
  IEC 62061: All architectures and up to SIL 3

Complex electronics, e.g. programmable
  EN ISO 13849-1: All architectures and up to PL = e
  IEC 62061: Up to SIL 3 when designed according to IEC 61508

Embedded software (SRESW)
  EN ISO 13849-1: Up to PL = e (PL = e without diversity: design according to IEC 61508-3, clause 7)
  IEC 62061: Design according to IEC 61508-3

Application software
  EN ISO 13849-1: Up to PL = e
  IEC 62061: Up to SIL 3

Combination of different technologies
  EN ISO 13849-1: Restrictions as above
  IEC 62061: Restrictions as above; non electrical parts acc. to EN ISO 13849-1
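
The SIL assignment steps from the IEC/EN 62061 slides (score Se, Fr, Pr and Av, form Cl = Fr + Pr + Av, then read the Severity / Class matrix), as an added Python example that is not part of the presentation. The function names and the two extra form rows are assumptions made for illustration; the permitted scores and the matrix cells are the ones shown on the slides.

```python
# Added illustration; scores and matrix cells transcribed from the slides.
FR_VALUES = {2, 3, 4, 5}     # frequency and duration of exposure
PR_VALUES = {1, 2, 3, 4, 5}  # probability of occurrence of the hazardous event
AV_VALUES = {1, 3, 5}        # probability of avoiding or limiting harm

# Class bands (inclusive), in the column order of the matrix.
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
# Rows keyed by severity Se; None = blank cell, "OM" = the matrix's OM cell
# (in IEC 62061, OM stands for "other measures").
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None,    "OM",    "SIL 1", "SIL 2", "SIL 3"],
    2: [None,    None,    "OM",    "SIL 1", "SIL 2"],
    1: [None,    None,    None,    "OM",    "SIL 1"],
}


def hazard_class(fr, pr, av):
    """Cl = Fr + Pr + Av, rejecting scores the parameter tables do not offer."""
    for name, value, allowed in (("Fr", fr, FR_VALUES),
                                 ("Pr", pr, PR_VALUES),
                                 ("Av", av, AV_VALUES)):
        if value not in allowed:
            raise ValueError(f"{name}={value!r} is not one of {sorted(allowed)}")
    return fr + pr + av


def required_sil(se, fr, pr, av):
    """Return (Cl, matrix cell) for one hazard row of the assessment form."""
    if se not in SIL_MATRIX:
        raise ValueError(f"Se={se!r} is not one of {sorted(SIL_MATRIX)}")
    cl = hazard_class(fr, pr, av)
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return cl, SIL_MATRIX[se][column]
    raise AssertionError("unreachable: valid scores always sum to 4..15")


def assess(form):
    """Evaluate every row of a form given as {hazard: (Se, Fr, Pr, Av)}."""
    return {hazard: required_sil(*scores) for hazard, scores in form.items()}


# Constructed form: "hazard x" is the slide's example, the other rows are made up.
SAMPLE_FORM = {
    "hazard x": (4, 5, 4, 3),
    "constructed hazard y": (3, 3, 2, 1),
    "constructed hazard z": (1, 2, 1, 1),
}
```

Calling `assess(SAMPLE_FORM)` returns the class and matrix cell for each row; a score that does not appear in the parameter tables, such as Av = 2, is rejected before any class is computed.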