Overview Of ISO 13849-1 - Klinkmann


Machine safety design
Overview of ISO 13849-1
Copyright 2007 Rockwell Automation, Inc. All rights reserved.

Agenda
1. Evolution of EN ISO 13849-1
2. EN ISO 13849-1 Performance Levels
3. Performance Level Estimation

Evolution of EN ISO 13849-1:2006

EN 954-1 [General Principles]
– also published as ISO 13849-1:1999
– based on a risk assessment
– will remain valid until: got 2 years more, so now for use until 2011

Part 2 of EN 954-1 [Validation]
– is published as EN ISO 13849-2:2003

EN 954-1 has been revised to include aspects of functional safety. It has changed number to EN ISO 13849-1 (2006).

EN ISO 13849-1 Performance levels

EN ISO 13849-1:2006 Performance levels

Categories: B, 1, 2, 3, 4

Estimation of the Performance Level required (PLr) from the risk graph, where
S = Severity of injury, F = Frequency or Duration of Exposure, P = Avoidance Probability:

S1, F1, P1 → PLr a
S1, F1, P2 → PLr b
S1, F2, P1 → PLr b
S1, F2, P2 → PLr c
S2, F1, P1 → PLr c
S2, F1, P2 → PLr d
S2, F2, P1 → PLr d
S2, F2, P2 → PLr e


EN ISO 13849-1:2006 Performance levels

Performance Level (PL) is related to the Probability of Dangerous Failure per Hour (PFHd). The standard gives a simplified procedure for estimating the Performance Level.

Performance Level Estimation

PLd is required. What does that mean?
Choose the most suitable combination of Structure (Category), Reliability (MTTFd) and Diagnostics (DC).

Structure

Typical safety function diagram:
INPUT (sensing element) → LOGIC SOLVING (control element) → OUTPUT (final element or actuator)

The machine designer shall select an architecture that will meet the needs of the safety function.
– Cat B, 1, 2, 3 or 4

Structure: the structure and behaviour of the safety function under fault conditions

Designated Architecture Category B
Typical implementation: Sensor → Machine Control → Contactor → Motor
Requirements:
– Basic safety principles
– Withstand expected influences
– Designed to product standards, e.g. IEC 60947-5-2 (not specific safety standards)
– Designed for environmental and electrical safety aspects, e.g. IEC 60204-1
Behaviour under fault conditions: a fault can cause a loss of the safety function.

Designated Architecture Category 1
Typical implementation: Guard interlock switch → Machine Control → Contactor → Motor
Requirements:
– Category B
– Well-tried components
– Well-tried safety principles
Behaviour under fault conditions: a fault can cause a loss of the safety function.

Designated Architecture Category 2
Typical implementation: Guard interlock switch → Safety monitoring relay with start-up check, Machine Control → Contactor → Motor
Requirements:
– Category B
– Well-tried safety principles
– Functional check at start-up and periodically (on/off check)
Behaviour under fault conditions: a fault occurring between the checks can cause a loss of the safety function.

Designated Architecture Category 3
Typical implementation: Guard interlock switches → Safety monitoring relay, Machine Control → Contactors with mechanically linked contacts (contactor monitoring) → Motor
Requirements:
– Category B
– Well-tried safety principles
– A single fault does not cause a loss of the safety function
– Where practicable, that fault should be detected
Behaviour under fault conditions: an accumulation of undetected faults can cause a loss of the safety function.

Designated Architecture Category 4
Typical implementation: Guard interlock switches → Safety monitoring relays, Machine Control → Contactors with mechanically linked contacts (contactor monitoring) → Motor
Requirements:
– Category B
– Well-tried safety principles
– An accumulation of faults does not cause a loss of the safety function
Behaviour under fault conditions: faults will be detected in time to prevent a loss of the safety function.

Structure: Fault exclusion
Designated Architecture Categories B, 1, 2, 3 & 4

Clause 7.3 deals with Fault Exclusion. It states:
"It is not always possible to evaluate safety related parts of control systems without assuming that certain faults can be excluded. Fault exclusion is a compromise between the technical safety requirements and the theoretical possibility of occurrence of a fault."

Fault exclusion can be based on:
– the technical improbability of the occurrence of some faults,
– generally accepted technical experience, independent of the considered application, and
– technical requirements related to the application and the specific hazard.

An example list of excludable faults is given in the annex of EN 13849-2. Example:
– a short between conductors belonging to different sheathed wires or cable conduits can be excluded.

Reliability (MTTFd – Mean Time To Dangerous Failure of each channel)

Denotation of MTTFd of each channel   Range of MTTFd of each channel
Low                                   3 years ≤ MTTFd < 10 years
Medium                                10 years ≤ MTTFd < 30 years
High                                  30 years ≤ MTTFd ≤ 100 years

Reliability (MTTFd – Mean Time To Dangerous Failure of each channel)

Data source preference:
1. provided by manufacturers
2. from generic handbook sources
3. use 10 years

Simplified into 3 ranges, 3 years to 100 years:
– Low: 3 years to 10 years
– Medium: 10 years to 30 years
– High: 30 years to 100 years

Example (both guard doors access the same hazard zone; elements 1 to 4 of one channel, fault exclusion as the alternative where it can be claimed):
– Elements 1 and 2: B10d 2,000,000 → MTTFd 1388 y, mission time 138 y
– Element 3: B10d 20,000,000 → MTTFd 13,888 y, mission time 1,388 y
– Element 4: B10d 400,000 → MTTFd 277 y, mission time 27 y

1/MTTFd_total = 1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4
1/MTTFd_total = 1/1388 + 1/1388 + 1/13888 + 1/277
MTTFd_total = 195 years → High

Reliability: what data is available?
Generic data from EN ISO 13849-1:2006.
B10d: number of cycles until a component fails dangerously.
MTTFd: mean time to dangerous failure.

Reliability

B10d    number of cycles until a component fails dangerously
dop     number of days per year when the machine is operational
hop     number of hours per day the machine is operational
tcycle  mean time in seconds between the beginnings of two consecutive cycles of the component

To be determined:
– number of switching cycles per year: nop = dop × hop × 3600 s/h / tcycle
– operation time of the component until it fails dangerously: T10d = B10d / nop
– mean time to dangerous failure (MTTFd): MTTFd = B10d / (0.1 × nop)

Diagnostic coverage (DC), average

Denotation of DC   Range of DC
None               DC < 60%
Low                60% ≤ DC < 90%
Medium             90% ≤ DC < 99%
High               99% ≤ DC

This is a measure of the effectiveness of the diagnostics:
DC = Detected Dangerous Failures / All Dangerous Failures

Diagnostic Coverage (average)

Data sources:
1. Annex E of the standard
2. provided by manufacturers
3. FMEA

Simplified into 4 ranges:
1. None: < 60%
2. Low: 60% to 90%
3. Medium: 90% to 99%
4. High: ≥ 99%

Example (both guard doors access the same hazard zone; same four elements as the reliability example, fault exclusion as the alternative where it can be claimed):
– Elements 1 and 2: 99% reduced to 60% (due to shadowing)
– Element 3: 99%
– Element 4: 99%

DCavg = (DC1/MTTFd1 + DC2/MTTFd2 + DC3/MTTFd3 + DC4/MTTFd4) / (1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4)
DCavg = (0.6/1388 + 0.6/1388 + 0.99/13888 + 0.99/277) / (1/1388 + 1/1388 + 1/13888 + 1/277)
DCavg = 88% → Low
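The B10d, MTTFd and DCavg arithmetic from the reliability and diagnostic-coverage slides above, worked through in code. This is an added example, not code from the Rockwell slides or from the standard; the operating profile (dop = 240 days, hop = 16 h, tcycle = 960 s) is a constructed assumption chosen so that nop = 14,400 cycles/year, which reproduces the MTTFd values the slides quote (277 y, 1388 y, 13,888 y). The 100-year cap on a channel's MTTFd follows the upper limit of the "High" band in the table above.

```python
"""Added example (not from the slides): ISO 13849-1 simplified reliability and
diagnostic-coverage estimates, checked against the figures on the slides."""
from typing import Sequence


def cycles_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """nop = dop x hop x 3600 s/h / tcycle (switching cycles per year)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def t10d_years(b10d: float, n_op: float) -> float:
    """Operation time until the component fails dangerously: T10d = B10d / nop."""
    return b10d / n_op


def mttfd_years(b10d: float, n_op: float) -> float:
    """Mean time to dangerous failure: MTTFd = B10d / (0.1 x nop)."""
    return b10d / (0.1 * n_op)


def channel_mttfd(mttfds: Sequence[float]) -> float:
    """Parts-count combination of one channel: 1/MTTFd_total = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in mttfds)


MTTFD_CAP_YEARS = 100.0  # upper limit of the "High" band in the slide's table


def mttfd_band(mttfd: float) -> str:
    """Low / Medium / High denotation of a channel's MTTFd (capped at 100 y)."""
    if mttfd < 3.0:
        return "below range"  # the table starts at 3 years
    m = min(mttfd, MTTFD_CAP_YEARS)
    if m < 10.0:
        return "Low"
    if m < 30.0:
        return "Medium"
    return "High"


def dc_avg(dcs: Sequence[float], mttfds: Sequence[float]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i), DC given as fractions."""
    numerator = sum(dc / m for dc, m in zip(dcs, mttfds))
    denominator = sum(1.0 / m for m in mttfds)
    return numerator / denominator


def dc_band(dc: float) -> str:
    """None / Low / Medium / High denotation of diagnostic coverage."""
    if dc < 0.60:
        return "None"
    if dc < 0.90:
        return "Low"
    if dc < 0.99:
        return "Medium"
    return "High"


def slide_example() -> dict:
    """Reproduce the slides' worked example: two interlock elements (B10d 2e6,
    DC shadowed to 60 %), one element with B10d 2e7 and one with B10d 4e5."""
    # constructed operating profile (assumption): gives nop = 14,400 cycles/year
    n_op = cycles_per_year(d_op=240, h_op=16, t_cycle_s=960)
    b10ds = [2_000_000, 2_000_000, 20_000_000, 400_000]
    dcs = [0.60, 0.60, 0.99, 0.99]
    mttfds = [mttfd_years(b, n_op) for b in b10ds]
    total = channel_mttfd(mttfds)
    avg = dc_avg(dcs, mttfds)
    return {
        "n_op": n_op,
        "mttfd": mttfds,                      # approx. 1388.9, 1388.9, 13888.9, 277.8 y
        "t10d": [t10d_years(b, n_op) for b in b10ds],
        "channel_mttfd": total,               # approx. 195.6 y
        "mttfd_band": mttfd_band(total),      # High
        "dc_avg": avg,                        # approx. 0.88
        "dc_band": dc_band(avg),              # Low
    }


if __name__ == "__main__":
    for key, value in slide_example().items():
        print(f"{key}: {value}")
```

The slides truncate their figures (277 y, 1388 y, 27 y) where the code keeps the decimals; the band results, High for the channel MTTFd and Low for DCavg, are the same either way.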

Diagnostic: simplified DC estimation
Annex E of EN ISO 13849-1:2006 (Categories 1 and 2, 3, 4)

Performance level estimation
– Structure: Cat. 3
– Reliability (MTTFd): High
– Diagnostics (DC): Low

Common Cause Failures (CCF) (see Annex F)

These are failures of different items, resulting from a single event. The failures are not consequences of each other.

No.  Measure against CCF    Score
…
5    Competence/training    5
6    Environmental          35

Must achieve a score of at least 65 for Cat 2, 3 or 4!

PL estimation, the easy way: combining subsystems with known PLs

PLlow   Nlow   Achieved system PL
a       > 3    Not allowed
a       ≤ 3    a
b       > 2    a
b       ≤ 2    b
c       > 2    b
c       ≤ 2    c
d       > 3    c
d       ≤ 3    d
e       > 3    d
e       ≤ 3    e

Example: subsystem 1 PLe, subsystem 2 PLd, subsystem 3 PLe → PLd is achieved, based on the number of the lowest-PL subsystems.
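The "easy way" combination rule above as a function: find the lowest PL among the subsystems, count how many subsystems sit at that level, and apply the Nlow limit from the table. This is an added example, not code from the slides or the standard; the limits in MAX_NLOW are transcribed from the table above, and the "not allowed" outcome for more than three PLa subsystems is returned as None.

```python
"""Added example (not from the slides): combine subsystem PLs per the
'PL estimation, the easy way' table."""
from typing import Optional, Sequence

PL_ORDER = "abcde"  # ascending performance levels

# For the lowest PL present, the largest number of subsystems at that level
# that still achieves it; one more drops the result by one level, or is not
# allowed at all for PL a (values taken from the slide's table).
MAX_NLOW = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def combine_pls(pls: Sequence[str]) -> Optional[str]:
    """Return the achieved system PL, or None when the combination is not allowed."""
    if not pls:
        raise ValueError("at least one subsystem PL is required")
    for pl in pls:
        if pl not in PL_ORDER:
            raise ValueError(f"unknown performance level: {pl!r}")
    lowest = min(pls, key=PL_ORDER.index)
    n_low = pls.count(lowest)
    if n_low <= MAX_NLOW[lowest]:
        return lowest
    if lowest == "a":
        return None  # "Not allowed" row of the table
    return PL_ORDER[PL_ORDER.index(lowest) - 1]  # one level down


if __name__ == "__main__":
    # the slide's example: PLe, PLd, PLe -> PLd
    print(combine_pls(["e", "d", "e"]))
    # three PLc subsystems exceed Nlow = 2 for PL c -> PLb
    print(combine_pls(["c", "c", "c"]))
    # four PLa subsystems -> not allowed
    print(combine_pls(["a", "a", "a", "a"]))
```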

