IEC 62061 SIL - Conclusions - ReeR


Note: Safety-related PLCs, safety buses, actuators, safety light curtains and in general all complex safety-related devices with integral programmable logic and embedded software, if used to build a SRECS, shall comply with the requirements of the appropriate Product Standards (if applicable) and with IEC 61508 as regards functional safety.

Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems.

IEC 62061 is derived from IEC 61508 – Functional safety of safety-related electric/electronic/programmable electronic control systems. IEC 61508 is the international reference standard on functional safety of electric, electronic and programmable electronic systems.
The Standard consists of seven sections. The first three sections specify the safety requirements for hardware and software; the rest are of an informative nature and offer support for the correct application of the former. IEC 62061 retains the features of IEC 61508, but simplifies the safety requirements (of both hardware and software), adapting them to the specific needs of industrial machinery. Safety requirements are considered only for "high demand mode", i.e. the safety function is requested more than once per year. The standard is based on two basic concepts:

- Management of Operational Safety.
- Safety Integrity Level.

Management of Operational Safety

Specifies all design aspects needed to attain the required level of functional safety, from assignment of safety requirements to documentation and design management, up to validation. Each design shall have its own Functional Safety Plan, properly written, documented and duly updated as necessary. The Functional Safety Plan shall identify the people, functions and resources needed for design and implementation of the safety system.

Safety Integrity Level (SIL)

Methodology and requirements are given for:

- specifying the functional requirements of each safety-related function to be implemented;
- assigning the Safety Integrity Level (SIL) for each safety-related function envisaged;
- allowing the design of a SRECS suitable for the safety-related function to be implemented;
- validating the SRECS.

SIL assignment

For SIL assignment use the method of Annex A (although the Standard also accepts the techniques of IEC 61508-5). For each risk identified the following must be assessed:

- Degree of severity (Se) of possible damage.
- Frequency and time (Fr) of exposure to danger.
- Probability of dangerous event (Pr) linked to machine operating mode.
- Avoidability (Av) of danger. The more difficult the danger is to avoid, the higher the number representing avoidability.
The following table, extracted from the form in Figure A.3 of the Standard IEC 62061, will help in obtaining the SIL to be assigned to the safety-related function (table not reproduced here). OM (Other Measures) = the use of other parameters is recommended. The sum of the marks obtained for the attributes of frequency, probability and avoidability provides the probability class of danger:

Cl = Fr + Pr + Av

To obtain the SIL, align the actual Cl with the level of severity (Se) identified. This is an iterative process: depending on the protective action undertaken, some parameters might change, e.g. Fr or Pr, in which case the SIL assignment process will have to be repeated using the new values for the changed parameters. Three levels are envisaged: SIL 1, SIL 2, SIL 3.

Average probability of dangerous failure per hour (PFHd) – Table 3 of IEC 62061 (table not reproduced here).

Thus, the SIL represents the safety level to be assigned to a SRECS for attainment of its safety integrity in the operating conditions and all the way through the time specified.

The parameter used to define the SIL (Safety Integrity Level) is the probability of dangerous failure per hour (PFHd).

The higher the SIL, the lower the probability of the SRECS not performing as safely as expected.

The SIL must be defined for each safety-related function resulting from risk analysis.

Development and design process

Each safety-related function identified through risk analysis shall be described in terms of:

- Operational requirements (mode of operation, cycle time, environmental conditions, response time, type of interface with other components or items, EMC level, etc.).
- Safety requirements (SIL).

Each safety-related function shall be broken down into functional blocks, e.g. a functional block for input data, a functional block for logic data processing, a functional block for output data.

A subsystem is associated with each functional block. In turn, subsystems consist of electrical components interconnected with one another. These electrical components are known as subsystem elements.

Implementation of the SRECS technique will result in a typical architecture as shown (in this instance access control through a photoelectric curtain; figure not reproduced here).
For a SRECS to comply with the identified operational and safety requirements, the following requirements shall be met: each subsystem shall consist of electrical circuits suited to attain the required SIL. The maximum SIL attainable by a subsystem is identified as SILCL (SIL claim). Subsystem SILCLs depend on PFHd, architecture constraints, performance under failure conditions and on the ability to control and avoid systematic failure.

Safety-related software

For software design, the code must be developed as per the reference standards depending on the type of software in question, as follows (table not reproduced here).

IMPORTANT!

The probability aspect is only one of the elements contributing to the assignment of a SIL. To claim a specific SIL, applicants must prove and document having:

- adopted adequate management actions and techniques to attain the required level of operational safety;
- in place a documented and up-to-date Operational Safety Plan;
- avoided systematic failure as far as possible;
- evaluated (through inspections and tests) safety system performance in actual environmental conditions;
- developed the software after adopting all organizational aspects required.

Calculation of subsystem PFHd

To calculate the subsystem PFHd, first select the type of architecture (structure). The Standard suggests four pre-defined architectures, providing a different simplified formula for each of them. This calculation requires the use of the following parameters:

λd = Dangerous failure rate of each subsystem element. Obtained from its known failure rate λ, the percent distribution of the failure rate over all failure modes and an analysis of subsystem performance after failure (Dangerous Failure = λd or Non-dangerous Failure = λs).

T1 = Proof test interval (external inspection and repair returning the system to as-new condition); for industrial machinery it usually coincides with the lifetime (20 years).

T2 = Test interval of the diagnostic functions. Depending on the design or devices used, the diagnostic functions can be executed by internal circuitry of the same SRECS or by other SRECSs.

DC = Diagnostic Coverage: parameter representing the percentage of dangerous failures detected out of all possible dangerous failures. DC depends on the self-diagnostic techniques implemented. Assuming that failure is always possible (otherwise there would be no point in defining λ), that mechanisms for detecting failures are not necessarily all equally effective and responsive (depending on the type of failure some may take longer), that it is impossible to detect all failures, and that suitable circuit architectures and effective testing may permit detection of most dangerous failures, a DC parameter may be defined for estimating the effectiveness of the implemented self-diagnostic techniques. IEC 62061 does not provide data for obtaining DC in relation to the implemented diagnostic techniques; however, the data of IEC 61508-2 Annex A may be used.

β = Common cause failure factor. Provides a measure of the degree of independence of operation of redundant-channel systems.

Having calculated the subsystem PFHd by means of the formulas from IEC 62061, it is important to ensure that the associated SILCL obtained from Table 3 of IEC 62061 is compatible with the constraints imposed by the architecture, as the maximum SILCL attainable by a given subsystem is restricted by the hardware fault tolerance of the architecture and by the SFF, as listed in the following table:

Safe failure fraction (SFF)   Hardware fault tolerance
                              0             1       2
SFF < 60%                     Not allowed   SIL 1   SIL 2
60% ≤ SFF < 90%               SIL 1         SIL 2   SIL 3
90% ≤ SFF < 99%               SIL 2         SIL 3   SIL 3
SFF ≥ 99%                     SIL 3         SIL 3   SIL 3
(Table 5 of IEC 62061)

The subsystem safe failure fraction (SFF) is, by definition, the fraction of the overall failure rate that does not result in an undetected dangerous failure (safe failures plus detected dangerous failures):

SFF = (Σλs + Σλdd) / (Σλs + Σλdd + Σλdu)

λdd (failure rate of detectable dangerous failures) and λdu (failure rate of undetectable dangerous failures) are obtained from the known effectiveness of the implemented diagnostic techniques. If the PFHd and SILCL of each subsystem are known, it is possible to calculate the overall SIL of the SRECS. The overall probability of dangerous failure per hour of the SRECS equals the sum of the probabilities of dangerous failure per hour of all subsystems involved and shall include, if necessary, also the probability of dangerous failure per hour (PTE) of any safety-related communication lines:

PFHd = PFHd1 + ... + PFHdN + PTE

Knowing the PFHd, the resulting SIL of the SRECS is obtained from Table 3. The SIL shall then be compared with the SILCL of each subsystem, as the SIL that can be claimed for the SRECS shall be less than or equal to the lowest SILCL of any of the subsystems.
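The checks just described (SFF from the failure-rate split, the Table 5 architectural cap, and the SRECS PFHd sum capped by the lowest subsystem SILCL) as a small calculator. This is an added example, not ReeR's or the standard's own code; the Table 5 rows are those quoted on this page, while the Table 3 PFHd bands are an assumption taken from IEC 62061 that must be checked against the standard, and all failure-rate figures are constructed.

```python
# Added example, not ReeR's or the standard's own code: the subsystem and SRECS
# checks described above. Table 5 values are those quoted on this page; the
# Table 3 PFHd bands are an assumption taken from IEC 62061 and must be verified.
from typing import List, Optional, Tuple

# Table 5: (upper SFF bound, max SILCL for HFT 0, 1, 2); None = not allowed.
TABLE5 = [
    (0.60, (None, 1, 2)),  # SFF < 60%
    (0.90, (1, 2, 3)),     # 60% <= SFF < 90%
    (0.99, (2, 3, 3)),     # 90% <= SFF < 99%
]
# Assumed Table 3 bands (PFHd per hour): SIL3 [1e-8,1e-7), SIL2 [1e-7,1e-6), SIL1 [1e-6,1e-5).
TABLE3 = [(1e-7, 3), (1e-6, 2), (1e-5, 1)]


def sff(lam_s: float, lam_dd: float, lam_du: float) -> float:
    """SFF = (sum lambda_s + sum lambda_dd) / (sum lambda_s + sum lambda_dd + sum lambda_du)."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def max_silcl(sff_value: float, hft: int) -> Optional[int]:
    """Architectural constraint of Table 5: highest SILCL allowed for this SFF and HFT."""
    for upper, row in TABLE5:
        if sff_value < upper:
            return row[hft]
    return 3  # SFF >= 99%: SIL 3 for any HFT


def sil_from_pfhd(pfhd: float) -> Optional[int]:
    """Table 3 lookup; below the SIL3 band the machinery standard still stops at SIL 3,
    above the SIL1 band no SIL can be claimed (None)."""
    if pfhd < 1e-8:
        return 3
    for upper, sil in TABLE3:
        if pfhd < upper:
            return sil
    return None


def srecs_sil(subsystems: List[Tuple[float, int]], pte: float = 0.0) -> Tuple[float, Optional[int]]:
    """subsystems: (PFHd, SILCL) per subsystem. PFHd = PFHd1 + ... + PFHdN + PTE,
    and the claimable SIL is capped by the lowest subsystem SILCL."""
    total = sum(p for p, _ in subsystems) + pte
    sil = sil_from_pfhd(total)
    if sil is None:
        return total, None
    return total, min(sil, min(cl for _, cl in subsystems))
```

For instance, a constructed input subsystem with SFF 95% reaches SILCL 2 at HFT 0 but SILCL 3 at HFT 1, and a SRECS whose summed PFHd lands in the SIL 3 band is still limited to SIL 2 if one subsystem only claims SILCL 2.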
Example: where a subsystem is involved in two or more safety-related functions requiring different SILs, the highest SIL shall apply.

CONCLUSIONS

The procedures specified in ISO 13849-1:2006 simplify the estimation of the Average Probability of Dangerous Failure per Hour compared to IEC 61508, offering a pragmatic approach more in line with the needs of the machine tool industry.

By retaining Categories and other basic concepts, such as the safety-related function and the risk graph, seamless continuity with EN 954:1996 is assured.

Maintaining a closely linear approach with EN 954-1:1996, however, shows the limits of ISO 13849-1:2006. Where the adoption of complex technology is anticipated, e.g. programmable electronics, safety-related bus applications, different architectures, etc., it will be more appropriate to design to IEC 62061.

Where devices and/or subsystems designed in accordance with ISO EN 13849-1:1999 are used, Std. IEC 62061 shows how to integrate them in a SRECS.

A precise bi-univocal equivalence between PL and SIL cannot be identified.

However, the probabilistic side of PL and SIL can be compared, as they use the same concept, namely the Average Probability of Dangerous Failure per Hour, to define the extent of failure resistance.

Also, although the probability concept used in the two Standards is the same, the result may differ, as the rigor of the calculation is not the same.

In fact, for evaluating PFHd, IEC 62061 specifies a procedure based on formulas derived from system reliability theory. The results may in some cases, e.g. a reduced number of components or highly effective self-diagnostic techniques, turn out to be very low, i.e. very good.

To simplify and speed up the evaluation of the Probability of Dangerous Failure per Hour, ISO 13849-1 uses approximation tables which must necessarily consider worst-case scenarios, with consequently higher results, i.e. inferior to those calculated using IEC 62061.


