Functional Safety of Machinery Presented by Greg Richards Manufacturing in America 02/22-23/2017
AGENDA
- Definition of Safety?
- Machinery Safety Standards
- Comparison of ISO 13849-1 and IEC 62061
- Safety-related parts of Control Systems
- Tool to calculate safety levels
- ANSI B11.25 Status
- Machine Safety Life Cycle Support
What is Safety?
IEC 62061 defines safety as: "Safety is freedom from unacceptable risk."
ANSI B11.0 2010 defines safe as: "Safe is the state of being protected from recognized hazards that are likely to cause physical harm."
There is no such thing as being absolutely safe, that is, a complete absence of risk. In turn, there is no machine that is absolutely safe. All machinery contains hazards, and some level of residual risk. However, the risk associated with those hazards should be reduced to an acceptable level.
Machine Safety Standards
Subdivided into Type A, B & C standards:
- TYPE A standards (Basic standards): design guidelines and basic terms for machines. For example: IEC 61508 -> SIL; ISO 12100 -> risk assessment; ANSI B11.0 Safety of Machines.
- TYPE B standards (Group standards):
  - B1 standards: general safety aspects. For example: IEC 62061 -> SIL; EN ISO 13849-1 -> PL; IEC 60204 -> stop categories.
  - B2 standards: reference to special protective devices. For example: IEC 61800-5-2 -> drives (STO); ANSI B11.19 & B11.20, NFPA 79.
- TYPE C standards (Generic standards): specific safety-related requirements for certain machine types. These standards have priority over A and B standards. For example: EN 81 -> lifts; EN 693 -> presses; ANSI B11.X (1-18) -> specific machines.
Machine Safety Standards - USA & OSHA
USA machine safety: ensure safe and healthy work conditions.
- OSHA is the law; compliance is mandatory. States must meet or exceed OSHA. Regulations are defined in Code of Federal Regulations Title 29.
- OSHA references standards such as ANSI and NFPA; these are considered consensus standards. Standards are voluntary unless they become part of the law (incorporated by reference).
- ANSI coordinates voluntary standards; ANSI is the official representative to ISO/IEC.
- TUV is an OSHA-recognized NRTL.
OSHA Part 1910: Occupational Safety and Health Standards
- Subpart O: Machinery and Machine Guarding
  - 1910.211: Definitions
  - 1910.212: General Requirements for all Machinery
  - 1910.213 to 1910.219: Machine Specific Regulations
- Subpart J: General Environmental Controls
  - 1910.147: The Control of Hazardous Energy (Lockout/Tagout)
  - 1910.147(a)(2)(ii): The minor service exception provides that minor tool changes and adjustments and other minor servicing activities which take place during normal operation may be exempt from LOTO if the activity is routine, repetitive, and integral to the use of the equipment for production purposes, provided that the work is performed using alternative measures which provide effective employee protection.
Machine Safety Standards - NFPA 79
- Original NFPA 79 1997: restricted machine safety to electromechanical devices. 9.6.3: "Where a Category 0 stop is used for the emergency stop function, it shall have only hardwired electromechanical components. In addition, its operation shall not depend on electronic logic (hardware or software)."
- NFPA 79 2002: allowed the use of safety PLCs in safety-related functions. 11.3.4 Use in Safety-Related Functions: "Software and firmware-based controllers to be used in safety-related functions shall be listed for such use." [Annex to NFPA 79 2002, A.11.3.4, IEC 61508]
- NFPA 79 2007: allowed drives as a final switching device. 9.2.5.4.1.4: "Drives or solid-state output devices designed for safety-related functions shall be allowed to be the final switching element, when designed according to relevant safety standards."
- NFPA 79 2012: allowed the use of cableless control. 9.2.7.1* General: "Cableless control (e.g., radio, infrared) techniques for transmitting commands and signals between a machine control system and operator control station(s) shall meet the requirements of 9.2.7.1.1 through 9.2.7.1.4."
Machine Safety Standards - Overview of ISO 13849-1 and IEC 62061
EN 954-1 (CAT B, CAT 2, CAT 3 & CAT 4) was replaced by ISO 13849-1:2006 because programmable electronic systems were insufficiently considered, and the time response (e.g. testing intervals, life cycles) and the failure probability of components were not considered. 18 December 2009: the EN 954-1 extension was confirmed as two years, until 31 December 2011.
Two important standards, ISO 13849-1:2006 and IEC 62061:2005, apply the time element to safety systems for the machinery sector.
- ISO 13849-1:2006 builds on the categories of safety structure, uses the term performance level (PL), and then uses the alphabet, PL a through PL e.
- IEC 62061 builds on the foundation of the structure, or what is called Hardware Fault Tolerance, and uses the term safety integrity level (SIL). Only three SILs apply to machine systems: SIL 1, SIL 2 and SIL 3.
A third element, diagnostics, not new at all, is added to the picture to give the safety system designer more flexibility to achieve the safety requirements. Putting these three elements together yields a time-sensitive level of integrity in a safety system.
Machine Safety Standards - IEC 61508
Figure: low-demand and high-demand safety system; EUC = Equipment Under Control.
Functional Safety of Machinery Safety Related Parts of Control System Unrestricted Siemens Industry, Inc. 2014-2015 All rights reserved.
Safety Related Parts of Control System - Basic Implementation Procedure
Risk reduction steps to be performed by the machine manufacturer:
1. Risk assessment
2. Risk reduction
   - Step 1: Safe design
   - Step 2: Technical protective measures
   - Step 3: User information on residual risks
3. Validation of the machine
4. Placing the machine on the market
Technical documentation: each step must be comprehensibly documented:
- Procedure and results
- Test strategy and test results
- Responsibilities,
ANSI Standards and Risk Assessment?
Risk Assessment Process according to ANSI B11.0
Technical protective measures
For each hazard that cannot be eliminated by inherently safe design, a safety function must be defined. Safety functions can be implemented by safety systems.
- Example 1: safety function without safety system. Access to the point of hazard is permanently prevented (fixed mechanical guard, ...).
- Example 2: safety function with safety system. If the protective door is opened during normal operation, the motor must be stopped.
Technical protective measure - Safety system
A safety system performs safety functions and is composed of subsystems:
- Subsystem 1: Detection (position switch, light curtain, ...)
- Subsystem 2: Evaluation (failsafe controller, safety relay, ...)
- Subsystem 3: Reaction (contactor, frequency converter, ...)
Figure: protective cover -> detection -> evaluation -> reaction -> motor.
Technical protective measure - Safety function
Basic sequence for each safety function (the steps are explained on the following slides):
a) Specification of the safety function
b) Determining the required safety level
c) Designing the safety function
d) Determining the achieved safety level
e) Implementation and testing of the safety function
Determining the safety level - Meaning of the required safety level
The required safety level is a measure of the reliability of the safety function. The more serious the possible injury and the more probable its occurrence, the higher the required safety level.
- High risk: serious injury or death, high probability of occurrence
- Medium risk: slight to serious injury, medium probability of occurrence
- Low risk: slight injury, low probability of occurrence
- Lowest risk: avoidable, slight injury, least probability of occurrence
EN 62061 and EN ISO 13849-1 describe methods for determining the required safety level.
Determining the safety level
The magnitude of the risk results from:
- Severity of the injury
- Frequency and/or probability of occurrence
- Possibility of avoidance
Depending on the magnitude of the risk, a certain safety level is required. The designations of the safety levels are:
- ISO 13849-1: Performance Level a to e (PL)
- IEC 62061: Safety Integrity Level 1 to 3 (SIL)
- IEC 61511: Safety Integrity Level 1 to 4 (SIL)
The method for determining the safety level differs from standard to standard.
Designing the safety function - Objective of the design
The safety system that performs the safety function must meet the requirement of the required safety level (SIL, PLr).
Example:
- Safety function: if the protective door is opened during normal operation, the motor must be stopped.
- Required safety level: SIL 3 or PLr e
- Safety system: protective cover -> Subsystem 1: Detection -> Subsystem 2: Evaluation -> Subsystem 3: Reaction -> motor; design for SIL 3 or PLr e.
Determination of the performance level (PL) acc. to ISO 13849
PL - Performance Level is determined from five elements:
- Structure: Category
- Reliability: MTTFd
- Diagnostics: DC
- Resistance: CCF (common cause failure)
- Process: Check
Determination of the performance level (PL) acc. to ISO 13849
The performance level is identified from category, DC and MTTFd. The two standards use different methodologies for the assessment of a safety function, but the results can be converted into each other.
Simplified method for the assessment of the PL reached by an SRP/CS: Table 7, "Simplified procedure to evaluate the PL achieved by SRP/CS" (MTTFd band limits: 3 years, 10 years, 30 years).
Architecture - ISO 13849-1 Table 10: Summary of requirements for categories
Example of E-STOP and protective door monitoring
Sensor types shown: emergency stop; position switch (protective door monitoring); position switch with separate actuator; door monitoring with solenoid switch.
Achievable levels:
- Cat. 1, PL c, SIL 1
- Cat. 3, PL d, SIL 2 (external sensor supply *)
- Cat. 4, PL e, SIL 3 (internal sensor supply)
Determination of the performance level (PL) acc. to ISO 13849
PL - Performance Level is determined from five elements:
- Structure: Category
- Reliability: MTTFd
- Diagnostics: DC
- Resistance: CCF (common cause failure)
- Process: Check (see standard / robust processes)
MTTFd
MTTFd: average value for the operating duration without a dangerous failure in a single channel of the controller.
Denotation and range of MTTFd:
- Low: 3 years <= MTTFd < 10 years
- Medium: 10 years <= MTTFd < 30 years
- High: 30 years <= MTTFd <= 100 years
MTTFd is a statistical mean value and not a guaranteed working life.
Electro-mechanical components
B10: number of switching cycles after which 10% of all devices have failed.
Determining the MTTFd (acc. to Annex C)
Calculation of the MTTFd for components from B10d.
B10d value: number of switching cycles after which 10% of all devices have failed dangerously.
Operating time: $T_{10d} = \dfrac{B_{10d}}{n_{op}}$
$\mathrm{MTTF_d} = \dfrac{B_{10d}}{0.1 \cdot n_{op}}$
with
$n_{op} = \dfrac{d_{op} \cdot h_{op} \cdot 3600\,\mathrm{s/h}}{t_{cycle}}$
- $n_{op}$: number of operating cycles per year
- $h_{op}$: operating time in hours per day [h/d]
- $d_{op}$: operating time in days per year [d/y]
- $t_{cycle}$: time between two operating cycles [s/cycle]
MTTFd - Electromechanical Input Circuit
Characteristics:
- Position switch with separated actuator
- Switch with positive opening operation
- Operating voltage 24 V
- Lifetime: 87,600 h (10 years)
- B10d = 1,000,000 / 0.2 [switching cycles]
- Actuation cycle 4 times per hour
- Monitoring by logic
Estimation of the MTTFd for each channel:
$n_{op} = \dfrac{(50 \cdot 5) \cdot 8 \cdot 3600}{15 \cdot 60} = 8{,}000$
$\mathrm{MTTF_d} = \dfrac{B_{10d}}{0.1 \cdot n_{op}} = \dfrac{1{,}000{,}000 / 0.2}{0.1 \cdot 8{,}000}\ \text{years} = 6{,}250\ \text{years}$
MTTFd of each channel is high.
MTTFd - Electromechanical Output Circuit
Characteristics:
- Contactors
- Switch with positive opening operation
- Operating voltage 24 V
- Lifetime: 87,600 h (10 years)
- B10d = 1,000,000 / 0.75 [switching cycles]
- Actuation cycles 4 times per hour
- Monitoring by logic
Estimation of the MTTFd for each channel:
$n_{op} = \dfrac{(50 \cdot 5) \cdot 8 \cdot 3600}{15 \cdot 60} = 8{,}000$
$\mathrm{MTTF_d} = \dfrac{B_{10d}}{0.1 \cdot n_{op}} = \dfrac{1{,}000{,}000 / 0.75}{0.1 \cdot 8{,}000}\ \text{years} = 1{,}666\ \text{years}$
MTTFd for each channel is high.
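The Annex C chain above (B10d -> n_op -> MTTFd -> band), as an added worked example that is not part of the Siemens slides. It reproduces the two slide examples (8,000 cycles per year; 6,250 and 1,666 years) and adds the 100-year cap that ISO 13849-1:2006 applies to the MTTFd of a single channel before the value is used. The names DutyCycle, channel_summary and SLIDE_DUTY are assumptions made for this illustration.

```python
"""Added worked example (not from the slides): MTTFd of one channel from B10d,
following the Annex C formulas stated on the slides.  Names are illustrative."""

from dataclasses import dataclass

HOURS_TO_SECONDS = 3600     # the 3600 s/h factor in the n_op formula
MTTFD_CAP_YEARS = 100.0     # ISO 13849-1:2006 limits the MTTFd of a channel to 100 years


@dataclass(frozen=True)
class DutyCycle:
    """Usage profile of a component, units as on the slides."""
    d_op: float      # operating days per year [d/y]
    h_op: float      # operating hours per day [h/d]
    t_cycle: float   # time between two operating cycles [s/cycle]


def operating_cycles_per_year(duty: DutyCycle) -> float:
    """n_op = d_op * h_op * 3600 s/h / t_cycle."""
    if duty.t_cycle <= 0:
        raise ValueError("t_cycle must be positive")
    return duty.d_op * duty.h_op * HOURS_TO_SECONDS / duty.t_cycle


def mttfd_years(b10d: float, n_op: float) -> float:
    """MTTFd = B10d / (0.1 * n_op), in years because n_op is per year."""
    if b10d <= 0 or n_op <= 0:
        raise ValueError("B10d and n_op must be positive")
    return b10d / (0.1 * n_op)


def t10d_years(b10d: float, n_op: float) -> float:
    """T10d = B10d / n_op: operating time after which the component is to be replaced."""
    return b10d / n_op


def mttfd_band(mttfd: float) -> str:
    """Bands from the slide: low 3..10 years, medium 10..30 years, high 30..100 years."""
    if mttfd < 3:
        return "below range"   # under 3 years the channel is outside the table
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def capped_mttfd(mttfd: float) -> float:
    """Value actually used in the PL evaluation: never more than 100 years."""
    return min(mttfd, MTTFD_CAP_YEARS)


def channel_summary(b10: float, dangerous_fraction: float, duty: DutyCycle) -> dict:
    """Whole chain: B10 and dangerous-failure fraction -> B10d -> n_op -> MTTFd -> band."""
    if not 0 < dangerous_fraction <= 1:
        raise ValueError("dangerous_fraction must be in (0, 1]")
    b10d = b10 / dangerous_fraction
    n_op = operating_cycles_per_year(duty)
    mttfd = mttfd_years(b10d, n_op)
    return {
        "b10d": b10d,
        "n_op": n_op,
        "mttfd_years": mttfd,
        "mttfd_used_years": capped_mttfd(mttfd),
        "t10d_years": t10d_years(b10d, n_op),
        "band": mttfd_band(mttfd),
    }


# Duty cycle of the slide examples: 50 weeks x 5 days, 8 h/day, actuated 4 times per hour.
SLIDE_DUTY = DutyCycle(d_op=50 * 5, h_op=8, t_cycle=15 * 60)

if __name__ == "__main__":
    for name, b10, frac in (("position switch", 1_000_000, 0.2),
                            ("contactor", 1_000_000, 0.75)):
        print(name, channel_summary(b10, frac, SLIDE_DUTY))
```

Both slide examples land far above 100 years, which is why the band is "high" in either case; the cap matters when a component with a much lower B10d or a faster actuation cycle is substituted, and T10d shows whether the device will need replacing before the 87,600 h lifetime stated on the slides.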
Diagnostic Coverage (DC)
The diagnostic coverage (DC) is the ratio of the failure rate of the detected dangerous failures to the failure rate of all dangerous failures:
$\mathrm{DC} = \dfrac{\sum \lambda_{DD}}{\sum \lambda_{DD} + \sum \lambda_{DU}}$
Denotation and range of DC:
- None: DC < 60%
- Low: 60% <= DC < 90%
- Medium: 90% <= DC < 99%
- High: 99% <= DC <= 100%
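The DC ratio and its bands, carried through to the simplified PL estimate that the Table 7 slide above refers to, as an added example that is not code from the slides or from Siemens. It goes beyond the page in one respect: the (category, DC, MTTFd band) -> PL entries of ISO 13849-1:2006 Table 7 and the PL-to-SIL correspondence of Table 4 are reproduced from the standard, which the slides cite but do not print. Combinations the table does not cover (for example Cat. 3 without diagnostics, or Cat. 4 with medium MTTFd) return None rather than a guessed level. Function names and the sample failure rates are constructed for this illustration.

```python
"""Added example (not from the slides): DC from failure rates, DC bands, and the
ISO 13849-1:2006 Table 7 simplified PL estimate.  Names are illustrative."""

from typing import Dict, Iterable, Optional, Tuple


def diagnostic_coverage(lambda_dd: Iterable[float], lambda_du: Iterable[float]) -> float:
    """DC = sum(lambda_DD) / (sum(lambda_DD) + sum(lambda_DU)), as a fraction 0..1."""
    dd = sum(lambda_dd)
    du = sum(lambda_du)
    if dd < 0 or du < 0:
        raise ValueError("failure rates must be non-negative")
    if dd + du == 0:
        raise ValueError("no dangerous failures given; DC is undefined")
    return dd / (dd + du)


def dc_band(dc: float) -> str:
    """Bands from the slide: none < 60% <= low < 90% <= medium < 99% <= high."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must lie between 0 and 1")
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# ISO 13849-1:2006 Table 7 (simplified procedure):
# (category, DC band) -> PL for MTTFd band (low, medium, high); None = not covered.
_TABLE_7: Dict[Tuple[str, str], Tuple[Optional[str], Optional[str], Optional[str]]] = {
    ("B", "none"):   ("a", "b", "c"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "d"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "e"),
    ("4", "high"):   (None, None, "e"),
}
_MTTFD_INDEX = {"low": 0, "medium": 1, "high": 2}

# ISO 13849-1 Table 4: PL a has no SIL correspondence; b and c map to SIL 1.
_PL_TO_SIL: Dict[str, Optional[int]] = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def performance_level(category: str, dc: float, mttfd_band: str) -> Optional[str]:
    """Simplified PL estimate; None when Table 7 has no entry for the combination
    (each category requires a particular DC range, e.g. Cat. 4 needs high DC)."""
    if mttfd_band not in _MTTFD_INDEX:
        raise ValueError(f"unknown MTTFd band {mttfd_band!r}")
    row = _TABLE_7.get((category, dc_band(dc)))
    if row is None:
        return None
    return row[_MTTFD_INDEX[mttfd_band]]


def sil_for_pl(pl: Optional[str]) -> Optional[int]:
    """Corresponding SIL of IEC 62061 for a given PL (None if no correspondence)."""
    return None if pl is None else _PL_TO_SIL[pl]


if __name__ == "__main__":
    # Constructed figures: four dangerous failure modes, three of them detected.
    dc = diagnostic_coverage([2e-7, 1e-7, 1e-7], [1e-8])
    print(f"DC = {dc:.1%} ({dc_band(dc)})")
    # The three cases of the E-STOP / protective door example, all with high MTTFd.
    for cat, dc_value in (("1", 0.0), ("3", 0.70), ("4", 0.99)):
        pl = performance_level(cat, dc_value, "high")
        print(f"Cat. {cat}, DC {dc_value:.0%}, MTTFd high: PL {pl}, SIL {sil_for_pl(pl)}")
```

Run stand-alone it prints PL c / SIL 1, PL d / SIL 2 and PL e / SIL 3 for the three cases, matching the E-STOP and protective door example on the earlier slide; raising the Cat. 3 diagnostics into the medium band lifts the same structure to PL e.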
Estimates for diagnostic coverage Table E.1 Estimates for diagnostic coverage (DC)
Estimates for diagnostic coverage Table E.1 (continued)
Example DC - Sensor (figure)
Columns DC = 0, 60, 90, 99; wiring variants shown: external sensor supply or supply via evaluation unit; external sensor supply; supply via evaluation unit.
Example DC - Sensor (figure, continued)
Columns DC = 0, 60, 90, 99; wiring variants shown: external sensor supply or supply via evaluation unit; external sensor supply; supply via evaluation unit; external sensor supply and RFID switch in series.
ISO TR24119
Example DC - Sensor (figure, continued)
Columns DC = 0, 60, 90, 99; wiring variants shown: external sensor supply or supply via evaluation unit; external sensor supply; supply via evaluation unit.
Fault exclusion: break of actuator; limitation to PL d / SIL 2.
ET 200S periphery 4/8 F-DI module - Sensor connection SIL 1, PL c (Cat. 1)
Sensor connection to ET 200S 4/8 F-DI: 1-channel sensor, with external sensor supply or internal sensor supply (figure: inputs S0 to S6).
ET 200S periphery 4/8 F-DI module - parameterization in STEP 7 Safety Advanced: external sensor supply / internal sensor supply.
Calculation in SET: EN ISO 13849-1 PL c (Cat. 1)
ET 200S periphery 4/8 F-DI module - Sensor connection SIL 2, PL d (Cat. 3)
Sensor connection to ET 200S 4/8 F-DI: 2-channel sensors; breakage of the actuator must be excluded. Equivalent contacts or non-equivalent contacts, external sensor supply (figure: inputs S0, S1).
Due to the fail-locking system, magnet monitoring and actuator monitoring can be combined for a 2-channel design.
ET 200S periphery 4/8 F-DI module - parameterization in STEP 7 Safety Advanced: external sensor supply, equivalent contacts.
Calculation in SET: EN ISO 13849-1 PL d (Cat. 3)
ET 200S periphery 4/8 F-DI module - Sensor connection SIL 3, PL e (Cat. 4)
Internal sensor supply, equivalent contacts (figure: input pairs S0/S4 and S1/S5).
ET 200S periphery 4/8 F-DI module - parameterization in STEP 7 Safety Advanced: internal sensor supply with equivalent contacts; internal sensor supply with non-equivalent contacts.
Calculation in SET (inputs S0, S4): EN ISO 13849-1 PL d (Cat. 3)
ET 200S periphery 4/8 F-DI module - Sensor connection, electronic sensors
External sensor supply: sensor 1, channel 1 -> OSSD 1; sensor 1, channel 2 -> OSSD 2. OSSD = Output Signal Switching Device.
ET 200S periphery 4/8 F-DI module - parameterization in Safety Advanced: sensor 1, channel 1 -> OSSD 1; sensor 2, channel 2 -> OSSD 2. Cross-circuit is detected by the OSSD; short-circuit test locked; external sensor supply.
Calculation in SET: EN ISO 13849-1 PL e (Cat. 4)
Example DC - Actuator (figure)
Columns DC = 0, 60, 90, 99; feedback signal to F-DI or standard DI; dynamic readback.
ET 200S periphery 4 F-DO module - Actuator connection SIL 1, PL c (Cat. 1)
Actuator connection to ET 200S 4 F-DO, recommended wiring scheme: SIRIUS contactor. Evaluation of the readback signal is recommended. Function example: ID 21331098.
ET 200S periphery 4 F-DO module - parameterization in STEP 7 Safety Advanced: wire-break diagnostics are recommended.
Calculation in SET: EN ISO 13849-1 PL c (Cat. 1)
ET 200S periphery 4 F-DO module - Actuator connection SIL 2/3, PL d/e (Cat. 3/4)
Actuator connection to ET 200S 4 F-DO, recommended wiring scheme: SIRIUS contactor.
ATTENTION! The errors "wire break" and "overload" are detected only at the P-switch (not at the M-switch). Should a cross circuit occur between the P- and M-switches of the output, the controlled actuator can no longer be switched off. Evaluation of the readback signal is necessary. Function example: ID 21331098.
ET 200S periphery 4 F-DO module - parameterization in STEP 7 Safety Advanced.
Calculation in SET (outputs Q1, Q2): EN ISO 13849-1 PL e (Cat. 4)
CCF = common cause failure - Annex F: Estimation of CCF
This quantitative process should be passed for the whole system; every part of the safety-related part of the control system should be considered. Table F.1 lists the measures and contains associated values, based on engineering judgment, which represent the contribution each measure makes to the reduction of common cause failures.
Annex F.1: Procedure for assigning points and quantifying measures against CCF
1. Add up points
2. Requirements reached?
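The two-step Annex F procedure above ("add up points", "requirements reached?"), as an added example that is not code from the slides or from Siemens. It goes beyond the page in that the measures, their point values and the 65-point threshold are taken from Table F.1 of ISO 13849-1:2006, which the slide cites but does not print; it also applies the Annex F rule that a measure only partly implemented scores zero rather than a fraction of its points. The dictionary keys and function names are assumptions made for this illustration.

```python
"""Added example (not from the slides): CCF point scoring per ISO 13849-1:2006
Annex F.  Measure names are illustrative; points and threshold are Table F.1."""

from typing import Dict, Iterable

# ISO 13849-1:2006 Table F.1: measure -> points.  Scored all or nothing: a partly
# implemented measure earns 0, never a share of its points.
CCF_MEASURES: Dict[str, int] = {
    "separation_segregation": 15,
    "diversity": 20,
    "protection_against_overvoltage_overcurrent": 15,
    "well_tried_components": 5,
    "assessment_analysis": 5,
    "competence_training": 5,
    "emc_and_contamination": 25,
    "other_environmental_influences": 10,
}
CCF_REQUIRED_POINTS = 65   # Annex F: a total of 65 points or more meets the requirement


def ccf_score(implemented: Iterable[str]) -> int:
    """Add up the points of the fully implemented measures (each counted once)."""
    measures = set(implemented)
    unknown = measures - set(CCF_MEASURES)
    if unknown:
        raise ValueError(f"unknown CCF measure(s): {sorted(unknown)}")
    return sum(CCF_MEASURES[m] for m in measures)


def ccf_requirement_met(implemented: Iterable[str]) -> bool:
    """Step 2 of Annex F.1: is the 65-point threshold reached for the whole system?"""
    return ccf_score(implemented) >= CCF_REQUIRED_POINTS


if __name__ == "__main__":
    # Constructed case: separated channels, EMC measures and sound design, but no diversity.
    chosen = ["separation_segregation", "protection_against_overvoltage_overcurrent",
              "well_tried_components", "assessment_analysis", "competence_training",
              "emc_and_contamination"]
    print(ccf_score(chosen), ccf_requirement_met(chosen))
```

The constructed case reaches 70 points and passes; dropping the EMC measure alone takes it to 45, which shows why the large-value measures (EMC, diversity, separation) dominate the outcome even when every smaller measure is in place.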
Safety Evaluation Tool SET - TÜV-tested tool
Safety Evaluation Tool (SET): online tool for determining safety levels of safety functions according to:
- EN ISO 13849-1 (Performance Level, PL)
- EN 62061 (Safety Integrity Level, SIL)
Detailed configuration of the safety functions: emergency stop, fence, etc.
This tool is one of a kind:
- Product information (PFHd, SIL and PL values) of Siemens components is used directly in the safety calculations.
- Input of components from third-party manufacturers is also possible.
Result:
- Ready-made TÜV-certified and compliant safety functions.
- Time saving: less manual calculation required.
- Project documentation for the technical dossier of the machine.
Free use of the online tool: www.siemens.com/safety-evaluation-tool
Functional Safety of Machinery - Status of ANSI B11.26
Functional Safety of Machinery - Machine Safety Lifecycle Support
Siemens Safety Integrated - Machine Safety Life-Cycle Support USA
Siemens provides competent support throughout the entire machine safety lifecycle:
- Support: safety consultants, safety core team, safety validation
- Implementation: Siemens Solution Partners Safety, safety functional examples
- Safety training: risk assessment training
- Products and solutions: safety products, safety software, wireless safety, PC-based safety, BMS safety
- Education: machine safety standards, safety webinars, newsletter, safety white papers, Siemens safety website
- Compliance: OSHA website, consensus standards, risk assessment standard, Safety Evaluation Tool (SET)
The complete safety solution.
Questions? Greg Richards Engineering Manager/Safety System Engineer Richmond, VA Phone: 804-212-4829 E-mail: Gregory.Richards@siemens.com