
Always on the Safe Side with Rexroth: 10 Steps to Performance Level

Machinery Safety

1 Risk Assessment based on ISO 14121

Risk assessment according to ISO 14121 (flowchart):
Start
Determination of the limits of the machinery
Hazard identification
Risk estimation
(these three steps form the risk analysis)
Risk evaluation
Is the machinery safe? Yes: End. No: measures for risk reduction, then repeat the assessment.
Is there a C standard for this machine? If yes, use it as a template.

2 Identification of the Safety Functions

Measures for risk reduction according to ISO 12100:
Avoidance by intrinsic design
Avoidance by safeguards
Avoidance by information for use
Does the measure depend on a control system? If yes: safety function (SRP/CS) based on ISO 13849.
Rest risks (new hazards)? Assessment based on ISO 14121.
Everything done? If not, continue with the next measure.
Example: Safe Torque Off (STO), stop category 0 in accordance with IEC 60204-1: safe drive torque cut off. An unexpected startup must be avoided while the protective door is opened!
3 Specification of the required Performance Level (PLr)

Performance Level PL: a measure for the safety level.

Severity of injury [S]
S1 slight (normally reversible injury)
S2 serious (normally irreversible injury or death)
Frequency and/or exposure to hazard [F]
F1 seldom-to-less-often and/or exposure time is short
F2 frequent-to-continuous and/or exposure time is long
Possibility of avoiding hazard or limiting harm [P]
P1 possible under specific conditions
P2 scarcely possible

Risk graph (from low risk to high risk):
S1 F1 P1: PLr a
S1 F1 P2: PLr b
S1 F2 P1: PLr b
S1 F2 P2: PLr c
S2 F1 P1: PLr c
S2 F1 P2: PLr d
S2 F2 P1: PLr d
S2 F2 P2: PLr e

Example: A failure of the function can lead to a deadly accident. The operator requires access to the machine less than once per shift. In case of a fault, the operator is not able to avoid the danger.
7 Evaluation of the System Monitoring (DC)

Diagnostic coverage (DC): proportion of the faults that can be detected.

DC: measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures (λd,d) and the failure rate of total dangerous failures (λd):
DC = λd,d / λd, with λd = λd,u + λd,d

DC range and denotation:
none: DC < 60 %
low: 60 % ≤ DC < 90 %
medium: 90 % ≤ DC < 99 %
high: 99 % ≤ DC

Examples of design possibilities:
Measure | Technology | DC
Process (cyclic test) | Fluid technology | 0 % ≤ DC < 99 %
Cross monitoring between 2 channels | Electronics | DC = 99 %
Indirect monitoring (e.g. pressure) | Fluid technology | 90 % ≤ DC < 99 %
Direct position monitoring | Fluid technology | DC = 99 %
Integrated self-monitoring | Safety on board | 90 % ≤ DC ≤ 99 %
8 Evaluation of the System Robustness (CCF)

CCF: Common Cause Failure. Failures of different items, resulting from a single event, where these failures are not consequences of each other (i.e. failures of redundant units due to a common event, e.g. high temperature).

Measure against CCF | Fluid technology | Electronics | Points | Fulfilled?
Separation between signal paths | Separation in piping | Clearances and creepage distances on printed-circuit boards | 15 |
Diversity | e.g. different valves | e.g. different processors | 20 |
Protection against over-voltage, over-pressure ... | Assembly acc. to EN 982 or EN 983 (pressure-relief valve) | Protection against over-voltage (e.g. contactors, power supply unit) | 15 |
Components used are well-tried | System designer (both technologies) | | 5 |
FMEA in development | FMEA in the design of the system (both technologies) | | 5 |
Competency/training | Qualification measure (both technologies) | | 5 |
Protection against contaminants and EMC | Fluid quality | EMC test | 25 |
Other influences (incl. temperature, shock) | Fulfillment of EN 982 or EN 983 and product specification | Fulfillment of the environmental conditions acc. to product specification | 10 |
CCF total | Total number of points (65 ≤ CCF ≤ 100): | | |
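An added example (not code from the Rexroth poster) that applies the DC definition of step 7 and the CCF point table of step 8: it computes DC from constructed dangerous-failure rates, classifies it with the denotation ranges, and scores a constructed list of fulfilled CCF measures against the 65-point threshold.

```python
# Added example, not from the Rexroth poster: DC calculation and classification
# (step 7) and CCF point scoring (step 8). All inputs below are constructed.

def diagnostic_coverage(lambda_dd, lambda_du):
    """DC = lambda_d,d / lambda_d with lambda_d = lambda_d,u + lambda_d,d
    (rates in FIT or 1/h; only the ratio matters). Returns DC in percent."""
    lambda_d = lambda_du + lambda_dd
    if lambda_d <= 0:
        raise ValueError("total dangerous failure rate must be positive")
    return 100.0 * lambda_dd / lambda_d

def dc_class(dc_percent):
    """Denotation of step 7: none (< 60 %), low, medium, high (>= 99 %)."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"

# Measures against CCF and their points, as in the table of step 8.
CCF_POINTS = {
    "separation": 15,                # separation between signal paths
    "diversity": 20,                 # e.g. different valves / processors
    "overvoltage_overpressure": 15,  # protection against over-voltage, over-pressure
    "well_tried_components": 5,
    "fmea": 5,                       # FMEA in development
    "competency_training": 5,
    "contaminants_emc": 25,          # protection against contaminants and EMC
    "other_influences": 10,          # incl. temperature, shock
}

def ccf_score(fulfilled):
    """Sum the points of the fulfilled measures; 65 <= total <= 100 passes."""
    unknown = set(fulfilled) - set(CCF_POINTS)
    if unknown:
        raise ValueError(f"unknown CCF measure(s): {sorted(unknown)}")
    total = sum(CCF_POINTS[m] for m in set(fulfilled))   # set: no double counting
    return total, total >= 65

def worked_example():
    """Constructed case: 1.9 FIT detected and 0.1 FIT undetected dangerous
    failures (DC 95 %, medium); all CCF measures except diversity and FMEA."""
    dc = diagnostic_coverage(lambda_dd=1.9, lambda_du=0.1)
    fulfilled = ["separation", "overvoltage_overpressure", "well_tried_components",
                 "competency_training", "contaminants_emc", "other_influences"]
    return round(dc, 1), dc_class(dc), ccf_score(fulfilled)
```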
9 Check the Safety Principles and Software Requirements

9.a Measures for control and avoidance of systematic failures: see the list of measures in ISO 13849-1, Appendix G.
9.b Was specific software created for this application? Check the requirements on the application software.
9.c Safety principles: check list for machine builders (ISO 13849-2, example)
Basic safety principles:
De-energisation principle
Pressure limitation
Speed limitation
Avoidance of contamination
Proper range of switching time
Protection against unexpected startup
Proper temperature range
Separation
. . .
Well-tried safety principles:
Overdimensioning/safety factor
Safe position
Speed limitation
Force limitation
Appropriate range of working conditions
Monitoring of the condition of the fluid
. . .
10 Verification and Validation of the reached Performance Level (PL ≥ PLr)

10.a Verification of the reached performance level (PL ≥ PLr): evaluation of the design.
10.b Validation of the reached performance level (machine manufacturer): validation procedure acc. to ISO 13849-2; check of the implemented safety function; creation of the technical documentation.

Flowchart: Requirement PLr (steps 1 to 3). Design of the control system (steps 4 to 9). Have these requirements been met, i.e. PL ≥ PLr? Yes: next safety function. No: back to the design of the control system.

Safety on board with IndraDrive: worldwide first safe braking and holding system.
5b Modeling the Circuit as a Block Diagram

Connecting the blocks with each other (reverse analysis):
What does this element depend on? Serial connection (dependency).
If this element fails, what takes over its function? Parallel connection (redundancy).

Block diagram of the example circuit (elements F1, K1, 1V3, 1V4, 1V5, 1S3):
Channel 1: safe holding with valve combination 1V3 and 1V4
Channel 2: safe holding with 1V5
Both channels are controlled by PLC K1, which receives the request of the safety function from sensor F1.
Tests: monitoring by 1S3
Subsystems in series: SRP/CSa (PL, PFHd), e.g. optoelectronic barrier; SRP/CSb (PL, PFHd), safety control; SRP/CSc, the two channels with their tests.
6 Selection of Appropriate Components (MTTFd, B10, PL, PFHd)

The right parameters for different technologies:
Hydraulic components: the supplier provides MTTFd; the machine builder determines category, DC, CCF and the PL of the system.
Pneumatic components: the supplier provides B10 (MTTFd)¹; the machine builder determines category, DC, CCF and the PL of the system.
Hydraulic subsystems: the supplier provides PL (PFHd) and category; the machine builder determines DC, CCF and the PL of the system.
Electronic subsystems (certified product): the supplier provides PL (PFHd) and category; the machine builder determines the PL of the system².

1 To calculate the MTTFd from the B10 value, see ISO 13849-1.
2 Calculation of PL by adding the PFHd values.
5a Analysis of the Circuit to Create the Block Diagram

Which elements are relevant to the safety function?
Which hazards (dangerous movements) exist? Cylinder!
Which elements prevent it (stop the movement)? Valves!
What controls these elements? Safety PLC!
What triggers this function? Sensor!
What tests this function, how and how often? Position monitoring!
What supports this function (safety principles)? Environmental conditions: temperature, level, pressure, filter!

[Circuit diagram: cylinder 1A (dangerous movement), motor 1M (3~), pump 1P, valves 1V1 to 1V5 (1V5a, 1V5b), 1Z1, 1Z2, sensors 1S1 to 1S3, safety PLC K1 with inputs (laser scanner F1, start S1) and outputs]
Source: courtesy of BGIA Report 2/2008
4 Choice of the System Architecture (Category)

Designated architectures (I = input, L = logic, O = output, TE = test equipment, OTE = output of test equipment):
Category B: single channel I - L - O
Category 1: single channel I - L - O
Category 2: single channel I - L - O with test equipment TE and OTE
Category 3: two channels I1 - L1 - O1 and I2 - L2 - O2
Category 4: two channels I1 - L1 - O1 and I2 - L2 - O2
DC per category: B none, 1 none, 2 low or medium, 3 low or medium, 4 high (information about DC values under step 7).

PFHd: probability of a dangerous failure per (operating) hour.
Performance Level a: 10^-5 to < 10^-4 [h^-1]
Performance Level b: 3 × 10^-6 to < 10^-5 [h^-1]
Performance Level c: 10^-6 to < 3 × 10^-6 [h^-1]
Performance Level d: 10^-7 to < 10^-6 [h^-1]
Performance Level e: 10^-8 to < 10^-7 [h^-1]

MTTFd:
low: 3 to < 10 years
medium: 10 to < 30 years
high: 30 to < 100 years
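An added example, not code from the poster, that strings together the risk graph of step 3, the PL/PFHd ranges of step 4, the series combination by adding PFHd (step 6, footnote 2) and the PL ≥ PLr check of step 10; the PFHd values of the three SRP/CS in worked_example() are constructed.

```python
# Added example, not code from the Rexroth poster: PLr from the step-3 risk
# graph, PL from the PFHd ranges of step 4, system PL of series-connected
# SRP/CS by adding their PFHd (step 6, footnote 2) and the step-10 check.

# Risk graph of step 3 (ISO 13849-1), read S -> F -> P -> PLr.
RISK_GRAPH = {
    "S1": {"F1": {"P1": "a", "P2": "b"}, "F2": {"P1": "b", "P2": "c"}},
    "S2": {"F1": {"P1": "c", "P2": "d"}, "F2": {"P1": "d", "P2": "e"}},
}

# PFHd ranges of step 4 in 1/h: (PL, lower bound inclusive, upper bound exclusive).
PL_RANGES = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]

def required_pl(s, f, p):
    """Required Performance Level (PLr) of one safety function from S, F, P."""
    try:
        return RISK_GRAPH[s][f][p]
    except KeyError as exc:
        raise ValueError(f"unknown risk graph parameter {exc.args[0]!r}") from None

def pl_from_pfhd(pfhd):
    """Performance Level for a PFHd value; None if it lies outside PL a to e."""
    for level, low, high in PL_RANGES:
        if low <= pfhd < high:
            return level
    return None

def system_pl(pfhd_values):
    """PL of SRP/CS in series (e.g. sensor, safety PLC, valves): the PFHd of
    the whole safety function is the sum of the parts' PFHd (step 6, note 2)."""
    return pl_from_pfhd(sum(pfhd_values))

def meets_requirement(pl, plr):
    """Step 10: the reached PL must be at least PLr (letters a..e are ordered)."""
    return pl is not None and pl >= plr

def worked_example():
    """Poster example of step 3 (S2, F1, P2) with constructed PFHd values for
    three series-connected SRP/CS: sensor, safety PLC and valve arrangement."""
    plr = required_pl("S2", "F1", "P2")
    parts = [2.5e-8, 1.0e-7, 3.0e-7]      # constructed, in 1/h
    pl = system_pl(parts)                 # sum 4.25e-7 /h
    return plr, pl, meets_requirement(pl, plr)
```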
Overview of the standards for machinery safety

Machinery Directive
A standards (basis standards): ISO 12100 (design basic laws), ISO 14121 (risk assessment)
B standards (generic safety standards): IEC 60204 (electric equipment), ISO 13849 (machinery control systems), IEC 62061 (electronic control), IEC 61800-5-2 (electric drives), EN 982 (ISO 4413) (hydraulics), EN 983 (ISO 4414) (pneumatics), IEC 61508*
C standards (product safety standards): ISO 23125, EN 1010, EN 693, EN 474, ...

* IEC 61508 is not a harmonized standard according to the Machinery Directive, but serves as basis for other European harmonized standards.

The functional safety standards clearly define a set of terms and parameters. The most important ones:

PL (Performance Level): discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
PLr: required Performance Level
SIL (Safety Integrity Level): Safety Integrity Level (appropriate only for electronic control systems, see PL and IEC 62061)
MTTF (Mean Time To Failure): statistical expected value of the mean time to failure
MTTFd (Mean Time To dangerous Failure): statistical expected value of the mean time to dangerous failure
FIT (Failure In Time): unit used to measure the failure rate of electronic components (1 FIT = 1 × 10^-9 /h)
PFHd (Probability of Dangerous Failure per Hour): probability of dangerous failure per hour (reference value for PL and SIL)
B10: statistical expected value of the number of cycles until 10 % of the components have exceeded specified limits (response time, leakage, switching pressure, ...) under defined conditions
B10d: expected number of cycles until 10 % of the components fail dangerously
T10d: expected value of the mean time until 10 % of the components fail dangerously (maximal service time of a component)
TM (Mission Time): service life
DC: Diagnostic Coverage
CCF: Common Cause Failure
SRP/CS: Safety-Related Parts of a Control System
Dangerous failure: failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state
www.boschrexroth.com/safety
