Introduction to SISTEMA

Introduction
● Introduction
In Europe:
● Manufacturers are used to designing the safety-related parts of control systems (electrical, hydraulic, pneumatic and mechanical) for machines and equipment in accordance with the standard EN 954-1, which is based on a qualitative approach.
● However, EN 954-1 does not cover the development of electronic and programmable electronic control systems, hence the new European and international standards (EN ISO 13849, EN IEC 62061 and EN IEC 61508), which are based on a quantitative (probabilistic) approach.
Schneider Electric - Mac - Safety – March 2010
2
Introduction
● Introduction
● SIL calculation according to EN/IEC 62061
● What is SISTEMA ?
● Web page for SISTEMA
● Downloading the SISTEMA software
● SISTEMA library – Schneider Electric
● 7 basic items of SISTEMA
● SISTEMA – Schneider Electric emergency stop system number 1
● Emergency stop device by means of a safety module – Category 3 – PLe
Introduction
● EN 954-1 is not sufficient for increasingly complex control systems
● The qualitative approach of EN 954-1 is no longer sufficient for modern controls based on new technologies (electronic and programmable electronic systems):
● no consideration for programmable systems,
● risk graph not specific enough
● EN 954-1 has recently been replaced by the new standard EN ISO 13849-1, which extends the qualitative approach by adding a quantitative (probabilistic) approach
● EN 954-1 stays valid up to 31/11/2009 (transition period during which both standards are valid)
● EN ISO 13849-1 covers electrical, pneumatic, hydraulic and other technologies
Introduction
● Select the suitable standard
Introduction
● For complex machines, the international sector-specific standard IEC 62061, based on IEC 61508, must be used.
● IEC 61508: functional safety of electrical / electronic / programmable electronic (E/E/PE) safety-related systems. Sector-specific standards derived from it:
● EN/IEC 62061: safety of machinery, functional safety of E/E/PE control systems
● IEC 61511: functional safety, safety instrumented systems for the process industry sector
● IEC 61513: nuclear power plants, instrumentation and control for systems important to safety
● EN/IEC 62061 was published on December 31 2005, is harmonized to the Machinery Directive, is restricted to electric, electronic and programmable electronic safety-related control systems, and has a possible overlap with EN ISO 13849-1
Introduction
● The probability of failure associated with the required SIL depends on how often the safety function is demanded:

| Safety Integrity Level | Low demand mode of operation (average probability of failure to perform its design function on demand) | High demand (> 1/year or 2 × proof-check frequency) or continuous mode of operation (probability of a dangerous failure per hour) |
|---|---|---|
| 4 | ≥ 10^-5 to < 10^-4 | ≥ 10^-9 to < 10^-8 |
| 3 | ≥ 10^-4 to < 10^-3 | ≥ 10^-8 to < 10^-7 |
| 2 | ≥ 10^-3 to < 10^-2 | ≥ 10^-7 to < 10^-6 |
| 1 | ≥ 10^-2 to < 10^-1 | ≥ 10^-6 to < 10^-5 |

Safety of machinery application: EN IEC 62061
Introduction
● Assigning a safety integrity level:
● EN IEC 62061 => SIL
● EN ISO 13849-1 (successor to EN 954-1) => PL
Introduction
● Determination of the required performance level PLr
● In this example the safety function is the disconnection of a motor when the safety guard is open. Without the guard, the possible harm is the loss of an arm. With the answers S2, F2 and P2 the graph leads to a required performance level of PLr = e.
Risk graph for the required performance level (PLr); the starting point is the evaluation of the contribution of the safety function to the risk reduction:
● S1, F1, P1 => a (low contribution to risk reduction)
● S1, F1, P2 => b
● S1, F2, P1 => b
● S1, F2, P2 => c
● S2, F1, P1 => c
● S2, F1, P2 => d
● S2, F2, P1 => d
● S2, F2, P2 => e (high contribution to risk reduction)
S = Severity of injury
S1 = Slight (normally reversible) injury
S2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard
F1 = Seldom to less often and/or the exposure time is short
F2 = Frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm
P1 = Possible under specific conditions
P2 = Scarcely possible
Introduction
● PL estimation according to EN ISO 13849-1: example calculation for an application
● All parts which carry out the safety function must be identified; in our example we use a redundant structure with 2 inputs, 2 logic channels and 2 outputs switching the power.
● Each block in the diagram represents one hardware device implementing the safety function:
● INPUT (SRP/CSa): interlocking switch 1 (SW1), interlocking switch 2 (SW2)
● LOGIC (SRP/CSb): safety module (XPS)
● OUTPUT (SRP/CSc): contactor 1 (CON1), contactor 2 (CON2)
Introduction
● Evaluate the performance level PL

| Example SRP/CS | B10 (operations) | B10d (operations) | MTTFd (years) | DC |
|---|---|---|---|---|
| Interlocking switches SW1, SW2 | 10 000 000 | 20 000 000 | 4 734 => 100 | 99% |
| Safety module XPS (XPSAK) | – | – | 191,5 => 100 | 99% |
| Contactors CON1, CON2 | – | 400 000 | 94,7 | 99% |
Introduction
● Verify the achieved performance level
● We enter the data for the example SRP/CS (MTTFd = high, DCavg = 99% and category 4) in the graph below in order to find the achieved performance level for our safety function. Achieved PL = e
Figure: relationship between category, DCavg and the MTTFd of each channel and the achieved PL (bar chart, not reproduced). Columns: Cat. B (DCavg = none), Cat. 1 (DCavg = none), Cat. 2 (DCavg = low), Cat. 2 (DCavg = medium), Cat. 3 (DCavg = low), Cat. 3 (DCavg = medium), Cat. 4 (DCavg = high); each bar is shaded for MTTFd of each channel = low, medium and high. Vertical scale: Performance Level a, b, c, d, e, with the corresponding Safety Integrity Level –, 1, 1, 2, 3.
SIL calculation according to
EN/IEC 62061
● Safety specification of the function blocks
● The safety requirements for each function block are derived from the safety requirements specification of the corresponding safety-related control function (SRCF). In our example each function block needs a SIL 2 capability (i.e. FB1 → SILCL 2, etc.). The SIL claim limit (SILCL) is the maximum SIL capability of a subsystem.
SIL calculation according to EN/IEC 62061
● The subsystems
● Each function block is allocated to a subsystem within the structure of the safety-related electrical control system (SRECS).
● The subsystems must achieve at least the same SIL capability as assigned to the entire safety-related control function (SRCF).
SIL calculation according to EN/IEC 62061
● Select the devices
● For each subsystem select the devices or design and develop the safety
solution.
SIL calculation according to EN/IEC 62061
● Design the diagnostic tests
SIL calculation according to EN/IEC 62061
● Calculation of subsystems SS1 and SS3
SIL calculation according to EN/IEC 62061
● Verify the achieved SIL
SIL calculation according to EN/IEC 62061
● Example of Risk Assessment
What is SISTEMA ?
● SISTEMA is a software tool for evaluating the safety-related parts of control systems for machinery in accordance with EN ISO 13849-1
● This software was developed by the BGIA in Germany
● SISTEMA stands for “Safety Integrity Software Tool for the Evaluation of Machine Applications”
● Here is the link to obtain the SISTEMA software:
http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp
SISTEMA
● (Institute for Occupational Safety and Health of the German Social
Accident Insurance)
Click on “Download Version 1.1.2”
Downloading the SISTEMA software
● After clicking on the “Download Version 1.1.1” button
● Submit your e-mail address to receive the link to the download page
● Register, download and follow the installation instructions
● Here is the link to the library for various manufacturers:
http://www.dguv.de/ifa/en/pra/softwa/sistema/bibliotheken/index.jsp
SISTEMA library – Schneider Electric
● Scroll down to Schneider Electric Automation GmbH then click
Schneider Electric Automation GmbH
● Scroll down to “Click here to download the Preventa library for SISTEMA”, then click on this link
● Save the file to the hard drive of the computer, preferably using a download manager
● After this has been completed you are ready to use the SISTEMA software and Schneider Electric’s library files
7 basic items of SISTEMA
● When a SISTEMA project is created it comprises the following basic items:
● Project - PR - this generally refers to the portion of the machine that is to be analysed by SISTEMA
● Safety Function - SF - this refers to the determination of the increase in risk resulting from the failure of any function of the machine
● Subsystem - SB - there can be multiple subsystems, and they can consist of safety-related signals and safety-related processing
● Channel - CH - a subsystem consists of one or two channels which are used for structuring the control system
● Test channel - there are test channels in subsystems and these have the function of repeated testing
7 basic items of SISTEMA (continued)
● Block - BL - subdivides a channel into various logical function units, for example safety devices (such as emergency stop buttons and various safety switches), the logic unit (such as a safety module) and the main contactors
● Element - EL - the lowest item in the hierarchy. An element can be electromechanical, an item in a pneumatically operated system, or an item in a hydraulically operated system
7 basic items of SISTEMA summary
SISTEMA – general example of an emergency stop system
SISTEMA – Schneider Electric emergency stop system number 1
Figure (1): Example schematic of a Category 4 E-stop circuit (wiring diagram not reproduced). Elements identifiable from the drawing: supply L / N (+ / –) with fuse F1; circuit breaker Q1 (I> I> I>, main contacts 1/3/5 to 2/4/6, auxiliary contacts 13-14 and 21-22); emergency stop device S1 (contacts 11-12 and 21-22); start button S3 (13-14); safety module K3 (XPS-ASF/AMF, terminals A1, A2, PE, S11, S12, S21, S22, S31, S32, S33/41, S34, S42, Y1, Y2, Y3, Y4, Y33/43, Y34, Y44, outputs 13-14, 23-24, 33-34 and 41-42); redundant contactors KM1 and KM2 (coils A1/A2, main contacts to motor M 3~ on U, V, W, feedback contacts 21-22); ESC: external start conditions; periodic checking / self-monitoring.
7 basic items of SISTEMA – summary with Schneider Electric products
Emergency stop device by means of a
safety module – Category 3 – PLe
● Emergency stop device by means of a safety module (emergency stop function, STO)
● Safety function
● Emergency stop function, STO, by actuation of an emergency stop device
● Functional description
● Hazardous movements or states are interrupted or prevented by actuation of an emergency stop device. Referring to figure (1), each emergency stop device triggers a safety function of its own. S1 is evaluated in a safety module K3, which actuates two redundant contactors KM1 and KM2
Emergency stop device by means of a
safety module – Category 3 – PLe
● Emergency stop device by means of a safety module (emergency stop function, STO), (continued)
● The signals from the emergency stop devices are read redundantly into the safety module K3 for fault detection. K3 also features internal test measures. The contactors KM1 and KM2 are also monitored in K3, by means of mechanically linked feedback contacts. KM1 and KM2 are operated by switch S3 at each start-up command.
Block diagram: S1 -> K3 -> KM1 / KM2 (redundant contactors)
Emergency stop device by means of a
safety module – Category 3 – PLe
● Emergency stop device by means of a safety module (emergency stop
function, STO), (continued)
● Design features
● Basic and well-tried safety principles are observed and the
requirements of Category B are met.
● The emergency stop device S1 is a switching device with direct opening
contacts in accordance with IEC 60947-5-1, Annex K.
● The supply conductors to the switching devices are laid separately or
with protection.
● The safety module K3 satisfies all requirements for category 4 and PLe.
● KM1 and KM2 possess mechanically linked elements in accordance with IEC 60947-5-1, Annex L.
Emergency stop device by means of a
safety module – Category 3 – PLe
● Emergency stop device by means of a safety module (emergency stop
function, STO), (continued)
● Calculation of the probability of failure:
● S1, the emergency stop device, is a standard emergency stop device to EN ISO 13850.
● The probability of failure of the final safety module K3 is added at the end of the calculation (2.31 x 10^-9 per hour [M], suitable for PLe). For the subsystem KM1/KM2, the probability of failure is calculated as follows:
Emergency stop device by means of a
safety module – Category 3 – PLe
● Emergency stop device by means of a safety module (emergency stop
function, STO), (continued)
● MTTFd: for the contactors KM1 and KM2, the B10 value under an inductive load (AC3) corresponds to an electrical lifetime of 1,000,000 switching operations [M]. If 50% of failures are assumed to be dangerous, the B10d value is obtained by doubling the B10 value. With three demands upon the emergency stop function and 24 start commands per year, nop is 27 cycles per year and the MTTFd is 740,740 years. This is also the symmetrical MTTFd for the channel, which is capped to 100 years (“high”).
● DCavg: the DC of 90% for KM1 and KM2 is based upon testing by the safety module K3. This is also the DCavg (“medium”).
● Adequate measures against common cause failure (70 points): separation (15), well-tried components (5), overvoltage protection etc. (15) and environmental conditions (25 + 10).
Emergency stop device by means of a
safety module – Category 3 – PLe
● Emergency stop device by means of a safety module (emergency stop
function, STO), (continued)
● The subsystem KM1/KM2 corresponds to Category 3 with a high MTTFd (100 years) and medium DCavg (90%). This results in an average probability of dangerous failure of 4.29 x 10^-8 per hour. Following addition of the subsystem K3, the average probability of dangerous failure is 4.52 x 10^-8 per hour. The PLr of d is thus surpassed.
Block diagram: S1 -> K3 -> KM1 / KM2 (redundant contactors)
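The arithmetic behind the KM1/KM2 calculation on the last four slides (B10d from B10, nop, MTTFd and its 100-year cap, the DCavg class, the common-cause-failure points, the PFHd sum) together with the PL and SIL band lookup of the EN IEC 62061 table on slide 7 can be reproduced in a few lines, which is a useful cross-check of what SISTEMA reports. The following Python script is an added example; it is not code from the Schneider Electric slides and not part of SISTEMA. It assumes the MTTFd and DC class limits, the PFHd ranges per PL (Table 3) and the 65-point CCF threshold (Annex F) of ISO 13849-1:2006, reproduces the Annex A risk graph of the earlier PLr slide, and takes the 4.29 x 10^-8 per hour value of the KM1/KM2 subsystem from the slide as a given rather than deriving it from Annex K.

```python
"""ISO 13849-1 / EN IEC 62061 arithmetic for the deck's emergency stop example.

Added example: not code from the original Schneider Electric slides and not
part of SISTEMA. It reproduces the slide values (B10d, nop, MTTFd, DCavg,
CCF score, PFHd) and maps the result to a PL and a SIL band.
"""

# Required PL from the risk graph (ISO 13849-1, Annex A); keys are
# (severity, frequency/exposure, possibility of avoidance) as on the slide.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
MTTFD_CAP_YEARS = 100.0  # ISO 13849-1:2006 caps the MTTFd of each channel at 100 years
CCF_MIN_POINTS = 65      # ISO 13849-1 Annex F: at least 65 of 100 points required

# PFHd bands (dangerous failures per hour): PL from ISO 13849-1 Table 3,
# SIL from the high-demand column of the EN IEC 62061 table on the slide.
PL_BANDS = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
            ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]
SIL_BANDS = [(1, 1e-6, 1e-5), (2, 1e-7, 1e-6), (3, 1e-8, 1e-7), (4, 1e-9, 1e-8)]


def required_pl(s, f, p):
    """Required performance level PLr for one S/F/P path through the risk graph."""
    return RISK_GRAPH[(s, f, p)]


def b10d_from_b10(b10, dangerous_fraction=0.5):
    """B10d = B10 / share of dangerous failures; the slide's 50% doubles B10."""
    return b10 / dangerous_fraction


def mttfd_years(b10d, nop):
    """MTTFd = B10d / (0.1 * nop), nop being the mean number of operations per year."""
    return b10d / (0.1 * nop)


def capped_mttfd(mttfd):
    return min(mttfd, MTTFD_CAP_YEARS)


def mttfd_class(mttfd):
    """MTTFd bands: low 3..10 years, medium 10..30, high 30..100; below 3 is not allowed."""
    if mttfd < 3:
        return "not allowed"
    return "low" if mttfd < 10 else "medium" if mttfd < 30 else "high"


def dc_class(dc):
    """DCavg bands: none below 60%, low 60..90%, medium 90..99%, high 99% and above."""
    if dc < 0.60:
        return "none"
    return "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def ccf_score(points):
    """Sum the Annex F common-cause-failure points and check the 65-point threshold."""
    total = sum(points.values())
    return total, total >= CCF_MIN_POINTS


def _band(value, bands):
    return next((label for label, lo, hi in bands if lo <= value < hi), None)


def achieved_pl(pfhd):
    return _band(pfhd, PL_BANDS)


def achieved_sil(pfhd):
    return _band(pfhd, SIL_BANDS)


def pl_meets(achieved, required):
    """True when the achieved PL is at least the required PLr (a < b < c < d < e)."""
    return "abcde".index(achieved) >= "abcde".index(required)


def emergency_stop_example():
    """Re-run the slide's KM1/KM2 + K3 calculation and return every intermediate value."""
    b10d = b10d_from_b10(1_000_000)       # AC3 electrical lifetime, 50% dangerous
    nop = 3 + 24                          # 3 e-stop demands + 24 start commands per year
    raw = mttfd_years(b10d, nop)          # about 740,740 years before capping
    mttfd = capped_mttfd(raw)             # capped to 100 years ("high")
    ccf_points, ccf_ok = ccf_score({"separation": 15, "well-tried components": 5,
                                    "overvoltage protection": 15, "environment": 25 + 10})
    pfhd_km = 4.29e-8   # KM1/KM2 subsystem, Cat 3 / DCavg medium / MTTFd 100 (slide value)
    pfhd_k3 = 2.31e-9   # safety module K3, manufacturer value quoted on the slide
    pfhd = pfhd_km + pfhd_k3
    pl = achieved_pl(pfhd)
    return {"b10d": b10d, "nop": nop, "mttfd_raw": raw, "mttfd": mttfd,
            "mttfd_class": mttfd_class(mttfd), "dc_class": dc_class(0.90),
            "ccf_points": ccf_points, "ccf_ok": ccf_ok, "pfhd": pfhd,
            "pl": pl, "sil": achieved_sil(pfhd), "meets_plr_d": pl_meets(pl, "d")}


if __name__ == "__main__":
    for name, value in emergency_stop_example().items():
        print(f"{name:>12}: {value}")
```

Running the script prints the slide's figures in order: nop 27, a raw MTTFd of about 740,740 years that is capped to 100 ("high"), DCavg "medium", 70 CCF points, a combined PFHd of 4.52 x 10^-8 per hour, which lands in PL e and SIL 3 and therefore exceeds the PLr of d. The same helpers apply to the earlier interlocking-switch table: an MTTFd of 4 734 years is capped to 100 and classed "high" exactly as the slide shows.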