EN ISO 13849-1 Safety performance level


Uploaded March 23, 2017 | Author: kanate

Short Description: Safety performance level EN ISO 13849-1 issued by Rockwell...

EN ISO 13849-1 Safety Performance Levels
Transition from EN 954-1 to EN ISO 13849-1

FUNCTIONAL SAFETY
Transition from EN 954-1 to EN ISO 13849-1

INTRODUCTION

This publication is intended to shed some light on the recent and upcoming changes in the legislation and standards that apply to the safety of machinery. It is focused on the EU requirements but, due to the increasing globalisation of machinery safety standards, much of the content is relevant worldwide.

Machinery and processes continue to become faster, more flexible and more powerful. In order to offer the continued safety of operators and technicians, protective measures have, in turn, evolved to keep pace with the increasing complexity of automation. Traditionally, safety systems have been implemented separately from automation systems, operating independently and often in parallel to the automation system. There is good reason for this; the safety system must always be available. A fault or unexpected occurrence in the "normal" operation of the machine must not degrade or compromise the safety protective measures. However it is an inescapable fact that as automation systems become more intelligent then so must the safety system. What is required for safe functionality increasingly depends on what the machine is doing or what mode it is in. This means that "safety" has, in some way, to communicate with the "normal" control system. That means that we need to reconsider how we achieve the independence and integrity of the safety system. One of the most significant manifestations of this is a new generation of standards commonly referred to as Functional Safety Standards. In this publication we will consider one of the most significant of them: EN ISO 13849-1. In addition to this, there is a new Machinery Directive in the EU that looks to keep the legislative landscape relevant to the contemporary industrial environment.

For anyone supplying machines or using them it is important to keep informed of the relevant standards and regulatory requirements. This publication is intended to assist in that task, especially with regard to control system aspects. It is not a substitute for a detailed study of the specific provisions detailed in the standards and legislation. It is intended to give an overview and hopefully it will help to give some clarity on what is required.

The migration from EN 954-1 to EN ISO 13849-1

For many years the most common way of classifying safety related systems has been to use the Categories of EN 954-1 [or its counterpart ISO 13849-1:1999]. At the end of December 2009 EN 954-1 will be withdrawn [its counterpart ISO 13849-1:1999 has already been withdrawn]. The main implication of this is the fact that after that date this standard can no longer be used to show conformity with the Machinery Directive.

A new standard to replace EN 954-1 has already been published. It is EN ISO 13849-1:2008 "Safety of machinery - Safety related parts of control systems". There is also an alternative standard that can be used: EN/IEC 62061 "Safety of machinery - Functional safety of electrical, electronic and programmable electric control systems". Either of these standards can be used to show conformity with the Machinery Directive. In this publication we will consider the relationship between the two standards where relevant. The choice of which one to use is left to the user but we will concentrate on EN ISO 13849-1:2008. It has been specifically drafted to provide a transition path for system designers who have been using Categories and therefore it is likely to become the most commonly used standard for machine safety systems. It can be used either for a complete system or for a subsystem.

Basic differences between EN 954-1 and EN ISO 13849-1

Firstly let's have a look at the basic differences between the old EN 954-1 and the new EN ISO 13849-1. The outputs of the old standard were Categories [B, 1, 2, 3 or 4]. The outputs of the new standard are Performance Levels [PL a, b, c, d or e]. The Category concept is retained but there are additional requirements to be satisfied before a PL can be claimed for a system. The requirements can be listed in basic form as follows:

• The architecture of the system. Essentially this captures what we have become used to as the Categories.
• Reliability data is required for the constituent parts of the system.
• The Diagnostic Coverage [DC] of the system is required. This effectively represents the amount of fault monitoring in the system.
• Protection against common cause failure.
• Protection against systematic faults.
• Where relevant, specific requirements for software.

Later we will take a closer look at these factors but before we do it will be useful to consider the basic intent and principle of the whole standard. It is clear at this stage that there are new things to learn but the detail will make more sense once we have understood what it is trying to achieve and why.

First of all, why do we need the new standard? It is obvious that the technology used in machine safety systems has progressed and changed considerably over the last ten years. Until relatively recently safety systems have depended on "simple" equipment with very foreseeable and predictable failure modes. More recently we have seen an increasing use of more complex electronic and programmable devices in safety systems. This has given us advantages in terms of cost, flexibility and compatibility but it has also meant that the pre-existing standards are no longer adequate. In order to know whether a safety system is good enough we need to know more about it. This is why the new standard asks for more information. As safety systems start to use a more "black box" approach we start to rely more heavily on their conformity to standards. Therefore those standards need to be capable of properly interrogating the technology. In order to fulfil this they must speak to the basic factors of reliability, fault detection, architectural integrity and systematic integrity. This is the intent of EN ISO 13849-1.

In order to plot a logical course through the standard it is important to realise that it has two fundamentally different user types: the designer of safety related subsystems and the designer of safety related systems. In general the subsystem designer [typically a safety component manufacturer] will be subjected to a higher level of complexity. They will need to provide the required data in order that the system designer can ensure that it is of adequate integrity for the system. This will usually require some testing, analysis and calculation. The results will be expressed in the form of the data required by the standard. The system designer [typically a machine designer or integrator] will use this data to perform some relatively straightforward calculations to determine the overall Performance Level [PL] of the system.

In order to determine what PL is required [PLr] the standard provides a risk graph into which the application factors of severity of injury, frequency of exposure and possibility of avoidance are input. The output is the PLr. Users of the old EN 954-1 will be familiar with this approach but take note that the S1 line now subdivides whereas the old risk graph did not. Note that this means a possible reconsideration of the integrity of safety measures required at lower risk levels.

[Figure: Risk graph from Annex A of EN ISO 13849-1 (inputs S1/S2, F1/F2, P1/P2; outputs PL a to e) alongside the risk graph from Annex B of EN 954-1 (outputs Categories B, 1, 2, 3, 4)]

So now we can see the direct relation between the PLr of the system [from the risk graph] and the PL achieved by the system [by calculation]. There is one very important part yet to be covered however. We now know from the standard how good the system needs to be and also how to determine how good it is, but we don't know what it needs to do. We need to decide what the safety function is. Clearly the safety function must be appropriate to the task, so how do we provide this? How does the standard help us?

It is important to realise that the functionality required can only be determined by considering the characteristics prevailing at the actual application. This can be regarded as the safety concept design stage. It cannot be completely covered by the standard because the standard does not know about all the characteristics of a specific application. This also often applies to the machine builder, who produces the machine but does not necessarily know the exact conditions under which it will be used. The standard does provide some help by listing out many of the commonly used safety functions and giving some normally associated requirements. Other standards such as EN ISO 12100: Basic design principles and EN ISO 14121: Risk assessment are highly recommended for use at this stage. Also there is a large range of machine specific standards that will provide solutions for specific machines. Within the European EN standards they are termed C type standards; most of them have exact equivalents in ISO standards.

So we can now see that the safety concept design stage is dependent on the type of machine and also on the characteristics of the application and environment in which it is used. The machine builder will anticipate these factors in order to be able to design the safety concept. The intended [i.e. anticipated] conditions of use should be given in the user manual. The user of the machine needs to check that they match the actual usage conditions.

So now we have a description of the safety functionality. From annex A of the standard we also have the required performance level [PLr] for the safety related parts of the control system [SRP/CS] that will be used to implement this functionality. We now need to design the system and make sure that it complies with the PLr.

One of the significant factors in the decision of which standard to use [EN ISO 13849-1 or EN/IEC 62061] is the complexity of the safety function. In most cases, for machinery, the safety function will be relatively simple and EN ISO 13849-1 will be the most suitable route. In order to assess the PL it uses the factors already mentioned: reliability data, diagnostic coverage [DC], the system architecture [Category] and, where relevant, requirements for software. This is a simplified description meant only to give an overview. It is important to understand that all the provisions given in the body of the standard must be applied.

However, help is at hand. There is an excellent software tool available to help us with the calculation aspects. It is called SISTEMA. It is produced by the BGIA in Germany. It is available free for use and download details can be found at: www.dguv.de/bgia/en/pra/softwa/sistema. At the time of going to print of this publication it is available in German and English, with other languages being released in the near future. This tool is not commercially produced. BGIA, the developer of SISTEMA, is a well-respected research and testing institution based in Germany. It is particularly involved in solving scientific and technical problems relating to safety in the context of statutory accident insurance and prevention in Germany. It works in cooperation with occupational health and safety agencies from over twenty countries. Specialists from BGIA, along with their BG colleagues, had significant participation in the drafting of both EN ISO 13849-1 and IEC/EN 62061.

Rockwell Automation® data for use with SISTEMA

A Rockwell Automation "library" of its safety devices is available for use with the SISTEMA Performance Level calculation tool. To obtain this library please log on to: www.discoverrockwellautomation.com/safety

Whichever way the calculation of the PL is done it is important to start off from the right foundation. We need to view our system in the same way as the standard, so let's start with that.

SYSTEM STRUCTURE

[Figure: Input Subsystem - Logic Subsystem - Output Subsystem]

Any system can be split into basic system components or "subsystems". Each subsystem has its own discrete function. Most systems can be split into three basic functions: input, logic solving and actuation [some simple systems may not have logic solving]. The component groups that implement these functions are the subsystems.

[Figure: Interlock switch and safety contactor - Input Subsystem (Limit Switch), Output Subsystem (Safety Contactor)]

A simple single channel electrical system example is shown above. It comprises only input and output subsystems.

[Figure: Interlock switch, safety controller and safety contactor - Input Subsystem (Limit Switch), Logic Subsystem (SmartGuard 600, with output to other systems), Output Subsystem (Safety Contactor)]

This system is a little more complex because some logic is also required. The safety controller itself will be fault tolerant (e.g. dual channel) internally, but the overall system is still limited to single channel status because of the single limit switch and single contactor.
[Figure: Dual channel safety system - Input Subsystem (Limit Switch), Logic Subsystem (SmartGuard 600), Output Subsystem (Safety Contactor)]

Taking the basic architecture of the previous diagram, there are also some other things to consider. Firstly, how many "channels" does the system have? A single channel system will fail if one of its subsystems fails. A two channel [also called redundant] system would need to have two failures, one in each channel, before the system fails. Because it has two channels it can tolerate a single fault and still keep working. The diagram above shows a two channel system.

Clearly a dual channel system is less likely to fail to a dangerous condition than a single channel system. But we can make it even more reliable [in terms of its safety function] if we include diagnostic measures for fault detection. Of course, having detected the fault we also need to react to it and put the system into a safe state. The following diagram shows the inclusion of diagnostic measures achieved by monitoring techniques.

[Figure: Diagnostics with a dual channel safety system - Input Subsystem (Limit Switch), Logic Subsystem (SmartGuard 600), Output Subsystem (Safety Contactor), with monitoring of the input and output subsystems]

It is usually [but not always] the case that the system comprises two channels in all its subsystems. Therefore we can see that, in this case, each subsystem has two "sub channels". The standard describes these as "blocks". A two channel subsystem will have a minimum of two blocks and a single channel subsystem will have a minimum of one block. It is possible that some systems will comprise a combination of dual channel and single channel blocks. If we want to investigate the system in more depth we need to look at the component parts of the blocks. The SISTEMA tool uses the term "elements" for these component parts.

[Figure: Subdivided system with diagnostics with a dual channel safety system - Channel 1 and Channel 2; Input Subsystem (Limit Switch elements: linkage, contacts), Logic Subsystem (SmartGuard 600 element, with monitoring and diagnostics), Output Subsystem (Safety Contactor blocks, with diagnostics)]
The limit switch subsystem is shown subdivided down to its element level. The output contactor subsystem is subdivided down to its block level and the logic subsystem is not subdivided at all. The monitoring function for both the limit switches and the contactors is performed at the logic controller. Therefore the boxes representing the limit switch and contactor subsystems have a small overlap with the logic subsystem box.

This principle of system subdivision can be recognised in the methodology given in EN ISO 13849-1 and in the basic system structure principle for the SISTEMA tool. However it is important to note that there are some subtle differences. The standard is not restrictive in its methodology, but for the simplified method for estimating the PL the usual first step is to break the system structure into channels and the blocks within each channel. With SISTEMA the system is usually first divided into subsystems. The standard does not explicitly describe a subsystem concept but its use as given in SISTEMA provides a more understandable and intuitive approach. Of course there is no effect on the final calculation. SISTEMA and the standard both use the same principles and formulae. It is also interesting to note that the subsystem approach is also used in EN/IEC 62061.

The system we have been using as an example is just one of the five basic types of system architecture that the standard designates. Anyone familiar with the Categories system will recognise our example as representative of either Category 3 or 4. The standard uses the original EN 954-1 Categories as its five basic types of designated system architecture. It calls them Designated Architecture Categories. The requirements for the Categories are almost [but not quite] identical to those given in EN 954-1. The Designated Architecture Categories are represented by the following figures. It is important to note that they can be applied either to a complete system or a subsystem. The diagrams should not be taken purely as a physical structure; they are intended more as a graphical representation of conceptual requirements.
[Figure: Designated Architecture Category B - Input Device, Logic, Output Device]

Designated Architecture Category B must use basic safety principles [see annex of EN ISO 13849-2]. The system or subsystem can fail in the event of a single fault. See EN ISO 13849-1 for full requirements.

[Figure: Designated Architecture Category 1 - Input Device, Logic, Output Device]

Designated Architecture Category 1 has the same structure as Category B and can still fail in the event of a single fault. But because it must also use well-tried safety principles [see annex of EN ISO 13849-2] this is less likely than for Category B. See EN ISO 13849-1 for full requirements.

[Figure: Designated Architecture Category 2 - Input Device, Wiring, Logic, Wiring, Output Device, with Monitoring, Test and Test Output]

Designated Architecture Category 2 must use basic safety principles [see annex of EN ISO 13849-2]. There must also be diagnostic monitoring via a functional test of the system or subsystem. This must occur at start up and then periodically with a frequency that equates to at least one hundred tests to every demand on the safety function. The system or subsystem can still fail if a single fault occurs between the functional tests, but this is usually less likely than for Category 1. See EN ISO 13849-1 for full requirements.
[Figure: Designated Architecture Category 3 - two channels, each Input Device, Wiring, Logic, Wiring, Output Device, with Monitoring and Cross Monitoring between the channels]

Designated Architecture Category 3 must use basic safety principles [see annex of EN ISO 13849-2]. There is also a requirement that the system/subsystem must not fail in the event of a single fault. This means that the system needs to have single fault tolerance with regard to its safety function. The most common way of achieving this requirement is to employ a dual channel architecture as shown above. In addition to this it is also required that, wherever practicable, the single fault should be detected. This requirement is the same as the original requirement for Category 3 from EN 954-1. In that context the meaning of the phrase "wherever practicable" proved somewhat problematic. It meant that Category 3 could cover everything from a system with redundancy but no fault detection [often descriptively and appropriately termed "stupid redundancy"] to a redundant system where all single faults are detected. This issue is addressed in EN ISO 13849-1 by the requirement to estimate the quality of the Diagnostic Coverage [DC]. We can see that the greater the reliability [MTTFd] of the system, the less DC we need. However it is also clear that the DC needs to be at least 60% for Category 3 Architecture.

[Figure: Designated Architecture Category 4 - same two-channel structure as Category 3, with heavier dotted lines for the monitoring functions]

Designated Architecture Category 4 must use basic safety principles [see annex of EN ISO 13849-2]. It has a similar requirements diagram to Category 3 but it demands greater monitoring, i.e. higher Diagnostic Coverage. This is shown by the heavier dotted lines representing the monitoring functions. In essence the difference between Categories 3 and 4 is that for Category 3 most faults must be detected but for Category 4 all single faults must be detected. The DC needs to be at least 99%. Even combinations of faults must not cause a dangerous failure.
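As an added worked example (not code from the Rockwell publication or from SISTEMA), the following Python encodes the Annex A risk graph described earlier, including the subdivided S1 branch, and checks a proposed SRP/CS architecture against the Designated Architecture Category requirements stated above (single-fault tolerance for Categories 3 and 4, DC of at least 60% for Category 3 and 99% for Category 4, at least one hundred functional tests per demand for Category 2, well-tried principles for Category 1). The Architecture class and the function names are this example's own inventions; only the rules the text states are checked, not the standard's full PL estimation table.

```python
from dataclasses import dataclass

PL_ORDER = "abcde"  # Performance Levels from lowest (a) to highest (e)

# EN ISO 13849-1 Annex A risk graph: (S, F, P) -> PLr. Unlike EN 954-1, the
# S1 branch subdivides, so "slight injury" can still require PL a, b or c.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """PLr for severity S1/S2, frequency/duration F1/F2, avoidability P1/P2."""
    key = (severity, frequency, avoidance)
    if key not in RISK_GRAPH:
        raise ValueError(f"not a risk graph path: {key}")
    return RISK_GRAPH[key]

@dataclass
class Architecture:
    """Proposed SRP/CS architecture (hypothetical structure for this example)."""
    category: str                  # Designated Architecture Category B/1/2/3/4
    channels: int                  # 1 = single channel, 2 = redundant
    dc_percent: float              # Diagnostic Coverage claimed
    tests_per_demand: float = 0.0  # Cat 2: functional tests per safety demand
    well_tried: bool = False       # Cat 1: well-tried components and principles

def category_findings(arch: Architecture) -> list:
    """Return the Category requirements (as stated in the text) that are not met."""
    findings = []
    if arch.category == "1" and not arch.well_tried:
        findings.append("Category 1 must use well-tried safety principles")
    if arch.category == "2" and arch.tests_per_demand < 100:
        findings.append("Category 2 needs at least 100 functional tests per demand")
    if arch.category in ("3", "4") and arch.channels < 2:
        findings.append(f"Category {arch.category} needs single-fault tolerance; "
                        "a single channel fails on one fault")
    if arch.category == "3" and arch.dc_percent < 60:
        findings.append("Category 3 needs DC >= 60% (redundancy alone is "
                        "'stupid redundancy')")
    if arch.category == "4" and arch.dc_percent < 99:
        findings.append("Category 4 needs DC >= 99% (all single faults detected)")
    return findings

def pl_meets(pl_achieved: str, pl_required: str) -> bool:
    """True when the PL achieved by calculation is at least the PLr."""
    return PL_ORDER.index(pl_achieved) >= PL_ORDER.index(pl_required)

if __name__ == "__main__":
    # Constructed scenario: serious injury, frequent exposure, hard to avoid.
    plr = required_pl("S2", "F2", "P2")
    proposal = Architecture("3", channels=2, dc_percent=50)
    print("PLr:", plr)
    for issue in category_findings(proposal):
        print("finding:", issue)  # DC too low for Category 3
```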
RELIABILITY DATA

EN ISO 13849-1 uses quantitative reliability data as part of the calculation of the PL achieved by the safety related parts of a control system. This is a significant departure from EN 954-1. The first question this raises is "where do we get this data from?" It is possible to use data from recognised reliability handbooks but the standard makes it clear that the preferred source is the manufacturer. To this end, Rockwell Automation is making the relevant information available in the form of a data library for SISTEMA. In due course it will also publish the data in other forms. Before we go any further we should consider what types of data are required and also gain an understanding of how it is produced.

The ultimate type of data required as part of the PL determination in the standard [and SISTEMA] is the PFH [the probability of dangerous failure per hour]. This is the same data as represented by the PFHd abbreviation used in IEC/EN 62061.

[Table: PL (Performance Level) | PFHD (Probability of dangerous failure per hour) | SIL (Safety Integrity Level); only the start of the first row survives in this extract: a | ≥10^-5 to ...; the document continues beyond this point but is not included here]


