Product & Technology
Quality . Excellence . Support
Automation & Safety
SIL Explanation
27.JAN 2006
Machine Control
Industrial Presence Sensors / Control and Signaling / Machine Safety
Functional Safety and Safety Integrity Level (SIL)
New Technologies for the Safety of Machinery
• Machine safety is a fast-growing segment of industrial automation, driven by new technologies such as safety field buses and integrated safety in drives, along with the development of international safety standards.
• The new safety technologies, such as safety PLCs or safety field buses, require the use of highly complex electronic components such as microcontrollers and, of course, of firmware and software.
• The revision of the existing ISO 13849-1 (equivalent to EN 954-1) and the new standards within the framework of IEC/EN 61508, such as IEC/EN 62061, take into account the use of these new technologies in safety products and solutions and provide guidelines for calculating the probability of failures.
• With these new technologies and standards, worker safety and cost savings can be realised through an intelligent safety strategy.
MAC - A.Wenigenrath - 26.JAN 06 - English
New Standards for the Safety of Machinery
• Today, more and more of the devices and products dedicated to the safety of machinery incorporate complex and programmable electronic systems.
• Because of the complexity of programmable electronic systems, it is in practice difficult to determine the behaviour of such a safety device in the case of a fault.
• Therefore the standard IEC/EN 61508, titled "Functional safety of electrical/electronic/programmable electronic safety-related systems", provides a new approach by considering the reliability of safety functions.
• It is a basic safety standard for industry and for the process sectors.
• IEC/EN 62061 is the machine-sector-specific standard within the framework of IEC/EN 61508. EN 62061 is harmonised under the European Machinery Directive.
• The Safety Integrity Level (SIL) is the new measure defined in IEC 61508 for the probability of failures in a safety function or a safety-related system.
• Note: IEC = International Electrotechnical Committee
        EN = European Norm
Sector specific standards for the Process Industry and Machinery

                                     Process                    Machines
Safety of systems and equipment      IEC/EN 61508: Functional safety of electrical / electronic /
                                     programmable electronic safety-related systems
Safety related parts of              IEC/EN 61511               IEC/EN 62061
control systems                                                 prEN ISO 13849-1*, EN 954-1*
Software                             IEC/EN 61508-3

* Covering the non-electrical technologies, e.g. hydraulics...
Definition of Functional Safety according to IEC/EN 61508
• Safety is freedom from unacceptable risk (from ISO/IEC Guide 51).
• Functional safety is the part of the overall safety related to the EUC and the EUC control system. It depends on:
  – the correct functioning of the E/E/PE safety-related systems,
  – other technology safety-related systems and
  – external risk reduction facilities.

  Note: EUC = equipment under control
        E/E/PE = electrical / electronic / programmable electronic

• Safety Integrity Level (SIL): the achieved functional safety is graded on a scale of four levels*. It depends on:
  – the probability of dangerous failures together with the fault tolerance and
  – the quality by which freedom from systematic faults is ensured.

  * Note: Safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 the lowest.
Risk reduction according to IEC/EN 61508
• Safety is achieved by risk reduction (for those hazards that cannot be designed out).
• Residual risk is the risk remaining after protective measures have been taken.
• Protective measures realised by E/E/PE safety-related systems contribute to risk reduction.

[Figure: risk reduction model of IEC/EN 61508. On an axis of increasing risk, the residual risk lies below the tolerable risk, which in turn lies below the EUC risk. The necessary risk reduction is the gap between the EUC risk and the tolerable risk; the actual risk reduction is the sum of the practical risk covered by other technology safety-related systems, by E/E/PE safety-related systems and by external risk reduction facilities, i.e. the risk reduction achieved by all safety-related systems and external risk reduction facilities.]

Note: EUC = equipment under control
      E/E/PE = electrical / electronic / programmable electronic
The safety integrity levels consider the probability of failures
• For machinery, the probability of dangerous failures per hour of a control system is denoted in IEC/EN 62061 as the PFHd.

Safety integrity   High demand or continuous mode of operation         Low demand mode of operation
level (SIL)        PFHd (probability of a dangerous failure per hour)  PFDaverage (average probability of failure to
                                                                       perform its design function on demand)
4                  >= 10^-9 to < 10^-8                                 >= 10^-5 to < 10^-4
3                  >= 10^-8 to < 10^-7                                 >= 10^-4 to < 10^-3
2                  >= 10^-7 to < 10^-6                                 >= 10^-3 to < 10^-2
1                  >= 10^-6 to < 10^-5                                 >= 10^-2 to < 10^-1

IEC 61508 considers two modes of operation:
– high demand or continuous mode, where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof check frequency; or
– low demand mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency.

• The low demand mode is not considered in IEC/EN 62061 to be relevant for safety applications at machinery!
• SIL 4 is not considered in IEC/EN 62061, as it is not relevant to the risk reduction requirements normally associated with machinery.
The safety integrity levels are identified by the probability of failures
• The rate of failures λ can be expressed as follows: λ = λs + λdd + λdu
  (λs = rate of safe failures, λdd = rate of detected dangerous failures, λdu = rate of undetected dangerous failures)

  In practice, detected dangerous failures are dealt with by fault reaction functions.
• The calculation of the PFHd for a system or subsystem depends on several parameters:
  – the dangerous failure rate (λd) of the subsystem elements
  – the fault tolerance (e.g. redundancy) of the system
  – the diagnostic test interval (T2)
  – the proof test interval (T1) or the lifetime, whichever is smaller
  – the susceptibility to common cause failures (β)
• For each of the four different logical architectures A to D there is a different formula to calculate the PFHd. (The principal relationship is: PFHd = λd x 1 h.)
Risk graph of IEC/EN 61508-5 (given as an example in an informative Annex)

[Figure: risk graph. From the starting point for risk reduction estimation, the path branches on the consequence parameter (C1, C2, C3, C4), then on the frequency/exposure parameter (F1, F2), then on the probability-of-avoidance parameter (P1, P2), and ends in one of three columns for the probability of unwanted occurrence: W3 (entries a to h), W2 (entries a to g) and W1 (entries a to f).]

C = Consequence risk parameter
F = Frequency and exposure time risk parameter
P = Probability of avoiding hazard risk parameter
W = Probability of unwanted occurrence
a, b, c ... h = Estimates of the required risk reduction for the SRSs

a, b, c, d, e, f, g, h represent the necessary minimum risk reduction. The link between the necessary minimum risk reduction and the safety integrity level is shown in the table.

Necessary minimum risk reduction   Safety integrity level
---                                No safety requirements
a                                  No special safety requirements
b, c                               1
d                                  2
e, f                               3
g                                  4
h                                  An E/E/PE SRS is not sufficient
Risk parameters given as an example in IEC/EN 61508

Risk parameter                         Classification                                            Comments
Consequence (C)                        C1  Minor injury                                          1, 2
                                       C2  Serious permanent injury to one or more persons;
                                           death to one person
                                       C3  Death to several people
                                       C4  Very many people killed
Frequency of, and exposure time in,    F1  Rare to more often exposure in the hazardous zone     3
the hazardous zone (F)                 F2  Frequent to permanent exposure in the hazardous zone
Possibility of avoiding the            P1  Possible under certain conditions                     4
hazardous event (P)                    P2  Almost impossible
Probability of the unwanted            W1  A very slight probability that the unwanted           5, 6
occurrence (W)                             occurrences will come to pass and only a few
                                           unwanted occurrences are likely
                                       W2  A slight probability that the unwanted occurrences
                                           will come to pass and few unwanted occurrences
                                           are likely
                                       W3  A relatively high probability that the unwanted
                                           occurrences will come to pass and frequent unwanted
                                           occurrences are likely

Comments
1 The classification system has been developed to deal with injury and death to people. Other classification schemes would need to be developed for environmental or material damage.
2 For the interpretation of C1, C2, C3 and C4, the consequences of the accident and normal healing shall be taken into account.
3 See comment 1 above.
4 This parameter takes into account:
  — operation of a process (supervised (i.e. operated by skilled or unskilled persons) or unsupervised);
  — rate of development of the hazardous event (for example suddenly, quickly or slowly);
  — ease of recognition of danger (for example seen immediately, detected by technical measures or detected without technical measures);
  — avoidance of hazardous event (for example escape routes possible, not possible or possible under certain conditions);
  — actual safety experience (such experience may exist with an identical EUC or a similar EUC or may not exist).
5 The purpose of the W factor is to estimate the frequency of the unwanted occurrence taking place without the addition of any safety-related systems (E/E/PE or other technology) but including any external risk reduction facilities.
6 If little or no experience exists of the EUC, or the EUC control system, or of a similar EUC and EUC control system, the estimation of the W factor may be made by calculation. In such an event a worst case prediction shall be made.
Safety of Machinery and Functional Safety
Machinery: Risk estimation and SIL assignment of IEC/EN 62061
(given as an example in an informative Annex)

Risk related to the identified hazard  =  Severity of the possible harm (Se)
                                          and
                                          Probability of occurrence of that harm, made up of:
                                            – Frequency and duration of exposure (Fr)
                                            – Probability of occurrence of a hazardous event (Pr)
                                            – Probability of avoiding or limiting harm (Av)
Safety of Machinery and Functional Safety
Machinery: Risk parameter examples of IEC/EN 62061

Severity (Se)
Consequences                                                  Se
Irreversible: death, losing an eye or arm                     4
Irreversible: broken limb(s), losing a finger(s)              3
Reversible: requiring attention from a medical practitioner   2
Reversible: requiring first aid                               1

Frequency and duration of exposure (Fr), for a duration > 10 min
Frequency of exposure        Fr
<= 1 h                       5
> 1 h to <= 1 day            5
> 1 day to <= 2 weeks        4
> 2 weeks to <= 1 year       3
> 1 year                     2

Probability of occurrence of a hazardous event (Pr)
Probability of occurrence    Pr
Very high                    5
Likely                       4
Possible                     3
Rarely                       2
Negligible                   1

Probability of avoiding or limiting harm (Av)
                             Av
Impossible                   5
Rarely                       3
Probable                     1

• List all the possible hazards of the machine and
• determine the parameters according to the tables and fill in the values:

Serial no.   Hazard   Se   Fr   Pr   Av   Cl
1
2
3
4

The class Cl is the sum: Fr + Pr + Av = Cl
Machinery: Determination of the required SIL. Example according to IEC/EN 62061
The parameter tables (Se, Fr, Pr, Av) are those of the previous slide.

Risk assessment and safety measures            Product:        Issued by:        Date:

No.   Hazard   Se   Fr   Pr   Av   Cl   Safety measure
1     x        4    5 +  4 +  3 =  12

For hazard 1: Se = 4 and Cl = Fr + Pr + Av = 5 + 4 + 3 = 12, which in the matrix below falls in the SIL 3 cell of the Se = 4 row.

Required SIL from severity Se and class Cl (Black area = safety measures required; Grey area = safety measures recommended, marked OM):

Severity   Class Cl = Fr + Pr + Av
(Se)       3-4      5-7      8-10     11-13    14-15
4          SIL 2    SIL 2    SIL 2    SIL 3    SIL 3
3                   OM       SIL 1    SIL 2    SIL 3
2                            OM       SIL 1    SIL 2
1                                     OM       SIL 1

Keys printed on the form:
Consequences (Se): Death, losing an eye or arm = 4; Permanent, losing fingers = 3; Reversible, medical attention = 2; Reversible, first aid = 1
Frequency and duration (Fr): <= 1 hour = 5; > 1 h to <= 1 day = 5; > 1 day to <= 2 wks = 4; > 2 wks to <= 1 year = 3; > 1 year = 2
Probability of hazardous event (Pr): Common = 5; Likely = 4; Possible = 3; Rarely = 2; Negligible = 1
Avoidance (Av): Impossible = 5; Rarely = 3; Probable = 1
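Added example, not from the slides: a small Python implementation of the risk estimation on this slide, with the Se, Fr, Pr and Av tables and the Se x Cl matrix transcribed from the deck. The function names, the Fr helper and the sample hazards are my own assumptions; the Fr helper only covers the slide's "duration > 10 min" case.

```python
"""IEC/EN 62061 risk estimation as on the slides: Cl = Fr + Pr + Av, then the
required SIL from the severity (Se) x class (Cl) matrix. Constructed example:
tables transcribed from the slides; function names and sample hazards assumed."""

# Severity Se, from the slide's "Consequences" table.
SE = {"irreversible: death, eye or arm": 4, "irreversible: limb or finger": 3,
      "reversible: medical attention": 2, "reversible: first aid": 1}
# Probability of occurrence of a hazardous event, Pr.
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
# Probability of avoiding or limiting harm, Av.
AV = {"impossible": 5, "rarely": 3, "probable": 1}
# Se x Cl matrix: columns are the Cl bands 3-4, 5-7, 8-10, 11-13, 14-15.
# None = white cell, "OM" = grey cell (safety measures recommended).
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
MATRIX = {4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
          3: [None, "OM", "SIL 1", "SIL 2", "SIL 3"],
          2: [None, None, "OM", "SIL 1", "SIL 2"],
          1: [None, None, None, "OM", "SIL 1"]}
HOURS_PER_DAY, HOURS_PER_WEEK, HOURS_PER_YEAR = 24, 7 * 24, 365 * 24

def fr_score(interval_hours, duration_minutes):
    """Fr from the slide's table, keyed on the interval between exposures.
    The slide tabulates only exposures lasting more than 10 minutes."""
    if duration_minutes <= 10:
        raise ValueError("the slide's Fr table covers only a duration > 10 min")
    if interval_hours <= HOURS_PER_DAY:   # "<= 1 h" and "> 1 h to <= 1 day" both score 5
        return 5
    if interval_hours <= 2 * HOURS_PER_WEEK:
        return 4
    if interval_hours <= HOURS_PER_YEAR:
        return 3
    return 2

def required_sil(se, fr, pr, av):
    """Return (Cl, cell): cell is 'SIL n', 'OM', or None for a white cell."""
    cl = fr + pr + av                     # Cl = Fr + Pr + Av as on the slide
    for col, (lo, hi) in enumerate(CL_BANDS):
        if lo <= cl <= hi:
            return cl, MATRIX[se][col]
    raise ValueError(f"Cl={cl} is outside the matrix (each parameter is 1..5)")

def assess(hazards):
    """Fill the slide's form: one (no., hazard, Se, Fr, Pr, Av, Cl, cell) row per hazard."""
    rows = []
    for no, h in enumerate(hazards, start=1):
        se, pr, av = SE[h["se"]], PR[h["pr"]], AV[h["av"]]
        fr = fr_score(h["interval_h"], h["duration_min"])
        cl, cell = required_sil(se, fr, pr, av)
        rows.append((no, h["name"], se, fr, pr, av, cl, cell))
    return rows

if __name__ == "__main__":
    # Constructed sample hazards; hazard 1 reproduces the slide's example row
    # (Se 4 + Fr 5 + Pr 4 + Av 3 = Cl 12, which lands in the SIL 3 cell).
    sample = [{"name": "hazard x", "se": "irreversible: death, eye or arm",
               "interval_h": 0.5, "duration_min": 30, "pr": "likely", "av": "rarely"},
              {"name": "manual cleaning", "se": "reversible: first aid",
               "interval_h": 48, "duration_min": 15, "pr": "possible", "av": "probable"}]
    for row in assess(sample):
        print(row)
```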
Machinery: Risk assessment form given as an example in IEC/EN 62061
Risk assessment and safety measures            Product:        Issued by:        Date:

No.   Hazard   Severity (Se)   Fr   Pr   Av   Class Cl   Safety measure   Safe   Comments

The required SIL is read from the severity/class matrix of the previous slide (Black area = safety measures required; Grey area = safety measures recommended, OM), with the class Cl = Fr + Pr + Av.

Keys printed on the form:
Consequences (Se): Death, losing an eye or arm = 4; Permanent, losing fingers = 3; Reversible, medical attention = 2; Reversible, first aid = 1
Frequency and duration (Fr): <= 1 hour = 5; > 1 h to <= 1 day = 5; > 1 day to <= 2 wks = 4; > 2 wks to <= 1 year = 3; > 1 year = 2
Probability of hzd. event (Pr): Common = 5; Likely = 4; Possible = 3; Rarely = 2; Negligible = 1
Avoidance (Av): Impossible = 5; Possible = 3; Likely = 1
Safety of Machinery: prEN ISO 13849-1, definition of MTTFd
• Instead of a failure rate per hour (λ), prEN ISO 13849-1 uses the mean time to failure (MTTF) as the parameter for the probability of failures.

MTTF = mean time to failure [years]
– The mean time after installation of devices to any first failure.
– The relation between λ and MTTF is: MTTF = 1/λ

MTBF = mean time between failures
– Not relevant for devices which are not repaired.

MTTFd = mean time to dangerous failure
– The MTTFd is defined in prEN ISO 13849-1 as the expectation of the mean time to dangerous failure of a safety-related part of a control system.
Safety of Machinery: new parameters of prEN ISO 13849-1
• prEN ISO 13849-1 adds three new parameters to the requirements of the categories of EN 954-1 in order to determine the Performance Level (PL):

• MTTFd = mean time to dangerous failure
– Three levels of MTTFd are defined in this standard in order to classify the requirements of the categories and the performance levels (PL):

Denotation of mean time to dangerous failure   Range of MTTFd
low                                            3 years <= MTTFd < 10 years
medium                                         10 years <= MTTFd < 30 years
high                                           30 years <= MTTFd < 100 years

• DC = diagnostic coverage
– DC = λdd / λd total (rate of detected dangerous failures divided by the total rate of dangerous failures)

Denotation of diagnostic coverage   Range of DC
none                                DC < 60%
low                                 60% <= DC < 90%
medium                              90% <= DC < 99%
high                                99% <= DC

• CCF = common cause failure (β)
– This parameter describes the failure of different items resulting from a single event. (The CCF can be estimated with the help of table I.1 in annex I of prEN ISO 13849-1.)
Safety of Machinery: prEN ISO 13849-1
Risk graph and parameters

[Figure: risk graph for determining the required performance level (PLr). From the starting point for the evaluation of the contribution to the risk reduction of a safety function, the path branches on S1/S2, then on F1/F2, then on P1/P2, and ends at PLr a (low contribution to risk reduction) through e (high contribution to risk reduction):
S1 – F1 – P1 → a
S1 – F1 – P2 → b
S1 – F2 – P1 → b
S1 – F2 – P2 → c
S2 – F1 – P1 → c
S2 – F1 – P2 → d
S2 – F2 – P1 → d
S2 – F2 – P2 → e]

S = Severity of injury
S1 = Slight (normally reversible) injury
S2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard
F1 = Seldom to less often and/or the exposure time is short
F2 = Frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm
P1 = Possible under specific conditions
P2 = Scarcely possible
Probability of dangerous failure and performance level (PL)
• Unlike the pure categories, the performance levels now also refer to failure rates per hour required for the safety-related parts of the control system:

Performance level (PL), prEN ISO 13849-1   Average probability of a dangerous failure per hour [1/h]
a                                          >= 10^-5 to < 10^-4
b                                          >= 3 x 10^-6 to < 10^-5
c                                          >= 10^-6 to < 3 x 10^-6
d                                          >= 10^-7 to < 10^-6
e                                          >= 10^-8 to < 10^-7

• The relation between the categories, the PL and the SIL is the following:

Category                     Performance level (PL)   SIL
EN 954-1, prEN 13849-1       prEN ISO 13849-1         IEC 61508, EN 62061
B                            a                        no special safety requirements
1                            b                        1
2                            c                        1
3                            d                        2
4                            e                        3
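Added example, not from the slides: a Python routine that carries the deck's failure-rate bookkeeping through for one single-channel subsystem, from λ = λs + λdd + λdu to DC = λdd/λd, MTTFd = 1/λd, PFHd = λd x 1 h, and the SIL and PL bands of the tables above. The band limits are transcribed from the slides; the rate values, function names and the 8760 h/year conversion are my own assumptions, and the single-channel PFHd stands in for the architecture-specific formulas A to D that the deck mentions but does not give.

```python
"""Failure-rate bookkeeping for one single-channel subsystem, following the
slides: lambda = lambda_s + lambda_dd + lambda_du, DC = lambda_dd / lambda_d,
MTTFd = 1 / lambda_d, PFHd = lambda_d x 1 h, then the SIL and PL bands.
Constructed example: bands transcribed from the slides; rates, names and the
8760 h/year conversion are assumptions."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760  # assumption used to express MTTFd in years

# (lower bound inclusive, upper bound exclusive, label); rates are per hour.
SIL_BANDS = [(1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]
PL_BANDS = [(1e-8, 1e-7, "e"), (1e-7, 1e-6, "d"), (1e-6, 3e-6, "c"),
            (3e-6, 1e-5, "b"), (1e-5, 1e-4, "a")]
# DC upper bound set above 1.0 so that DC = 100% still falls in "high".
DC_BANDS = [(0.0, 0.60, "none"), (0.60, 0.90, "low"), (0.90, 0.99, "medium"),
            (0.99, 1.01, "high")]
MTTFD_BANDS = [(3, 10, "low"), (10, 30, "medium"), (30, 100, "high")]  # years

def band(value, bands):
    """Label of the band containing value, or None if value is off the table."""
    for lo, hi, label in bands:
        if lo <= value < hi:
            return label
    return None

@dataclass(frozen=True)
class SubsystemRates:
    """Failure rates per hour of one subsystem element (constructed values)."""
    lambda_s: float   # safe failures
    lambda_dd: float  # dangerous failures that the diagnostics detect
    lambda_du: float  # dangerous failures that stay undetected

    @property
    def lambda_total(self):
        return self.lambda_s + self.lambda_dd + self.lambda_du

    @property
    def lambda_d(self):
        return self.lambda_dd + self.lambda_du

    @property
    def dc(self):
        return self.lambda_dd / self.lambda_d

    @property
    def mttfd_years(self):
        return 1.0 / self.lambda_d / HOURS_PER_YEAR

def characterise(rates):
    """Single channel, no redundancy: PFHd = lambda_d x 1 h (the slide's principal
    relationship). Redundant architectures need the formulas A to D of IEC/EN 62061."""
    pfhd = rates.lambda_d * 1.0
    return {"lambda_d": rates.lambda_d, "dc": rates.dc, "dc_band": band(rates.dc, DC_BANDS),
            "mttfd_years": rates.mttfd_years,
            "mttfd_band": band(rates.mttfd_years, MTTFD_BANDS),
            "pfhd": pfhd, "sil": band(pfhd, SIL_BANDS), "pl": band(pfhd, PL_BANDS)}

if __name__ == "__main__":
    element = SubsystemRates(lambda_s=2e-6, lambda_dd=5e-6, lambda_du=5e-7)
    for key, value in characterise(element).items():
        print(f"{key:>12}: {value}")
```

A dangerous failure rate that lies in the SIL 1 band lands in PL b, not PL c, because the PL table splits the 10^-6 to 10^-5 decade at 3 x 10^-6; the block makes that visible for the sample element.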
Relationship between categories, DC, MTTFd and PL

[Figure: bar chart relating category, average diagnostic coverage (DCavg) and MTTFd of each channel to the performance level. Columns: Cat. B (DCavg = 0), Cat. 1 (DCavg = 0), Cat. 2 (DCavg = low), Cat. 2 (DCavg = medium), Cat. 3 (DCavg = low), Cat. 3 (DCavg = medium), Cat. 4 (DCavg = high). Each column shows bars for MTTFd of each channel = low, medium and high, and the bar height gives the performance level on the vertical axis. The vertical axis lists the performance levels alongside the Safety Integrity Level: a (*), b (1 *), c (1), d (2), e (3).]

* In several applications the realisation of performance level c by category 1 may not be sufficient. In this case a higher category, e.g. 2 or 3, should be chosen.