B11 LMSS Module 3 Rev 03 Secure PDF

Summary

This document is an introduction to B11 LMSS Module 3, covering machinery safety, with details of safety interlocks, general design requirements and example circuits.

Full Transcript

DO NOT COPY – DO NOT SHARE

B11 LMSS™ Welcome to B11 LMSS Module 3

Safety Services UK and EU Lead – Matt Chandy
- 3 years experience supporting Safety Interlocks
- Customer Application Support Manager

VP Technical Safety – Jenny Tuertscher
- Expert member of ISO TC199 WG3, WG5, WG6, WG7, WG8 & ISO TC313 WG1
- Member of ANSI B11 committees
- FS Engineer (TÜV Rheinland) #14247 / 17 – Machinery
- B11 LMSS™ Certification #AA311265118

Welcome to B11 LMSS Module 3 – Agenda

Time       Session
30 Mins    Setting the Scene
90 Mins    Required Reliability
           General Design Requirements
150 mins   Example Circuits

- Join in! Ask questions at any time.
- Breaks: we will aim for a break every hour or so, with one longer break in the middle.
- Mute: when you’re not talking please use the mute button.
- Reactions: please make use of the “reaction” buttons. Lower your hand by pressing it again.

Overview of B11 LMSS

- Module 1: Introduction to Standards and Regulations – B11.0 Safety of Machinery, Risk Assessment, General Requirements
- Module 2: B11.19 Risk Reduction Measures – Inherently Safe By Design, Engineering Controls, Administrative Controls
- Module 3: B11.26 Functional Safety – Performance Levels, Categories, Control Reliability, Fault considerations
- Module 4: Integrating Machines and Robotics – B11.20 and RIA R15.06
- Module 5: LOTO and electrical safety – ANSI Z244.1 and NFPA 79
- Examination: 50 multiple choice questions, 90 Mins

B11 LMSS Scope

This course will instruct you on:
- Standards and Regulations
- What are machinery safety standards
- Why are they useful
- How do you use them
- Overview of the key standards

This course does not:
- Cover specific machinery/industry details
- Cover every single requirement laid out in the standards and regulations (but it will show you how to find them!)
ANSI B11.26 – 2018

Functional Safety for Equipment: General Principles for the Design of Safety Control Systems Using ISO 13849-1

This American National Standard provides both requirements and guidance for the implementation of safety-related control functions (functional safety) as they relate to electrical, electronic, pneumatic, hydraulic and mechanical components of control systems.

Introduction to ANSI B11.26–2018

- First published as B11.TR6 in 2010, it began immediate revision as an American National Standard.
- Primarily developed to provide substantial application examples and significant guidance on mechanical, electric, hydraulic and pneumatic circuits as a complement to ISO 13849.
- ANSI B11.26 contains well over 100 detailed example schematic diagrams with “circuit analysis tables” and annexes based on actual applications.

B11 SDC Members

Alan Metelsky, FS Eng., Chair / Anne Matthias, PE, Vice-Chair / David Felinski, Secretary

Organizations Represented: Names of Representatives (Delegates and Alternates)
- A3 – Association for Advancing Automation: Carole Franklin; Jeff Fryman
- AEC – Aluminum Extruders Council: Mel Mitchell, CSP; Bradley Wyatt, CSP, CMSE
- Amazon Robotics: Jeread Sines, FS Eng, B11 LMSS; Pat Barry
- ASSP – American Society of Safety Professionals: Ted Sberna, Sr.; Anne Matthias, PE
- AMT – Association for Manufacturing Technology: Russ Bensman; Alan Metelsky, FS Eng.
- BOEING – The Boeing Company: Rhiannon McPherson; Mark Ellington & Stephen Thomas
- Bridgestone: Kenji Furukawa, FS Eng.; Joey Hinson, FS Eng.
- CSA – Canadian Standards Association: Andrea Holbeche, P. Eng.; Walter Veugen
- Deere & Co.: Tony Beeth; Scott Winter
- Euchner: Ron Yemmens; Jilani Bouchane
- Exponent, Inc.: Stephen Andrew, PE, CSM; Alex Zelhofer, PhD, PE
- FDR – FDR Safety, LLC: Mike Taubitz; Joe Wolfsberger, CIH & Luke Contos
- Fortress Safety: Jenny Tuertscher, FS Eng., B11 LMSS; Joshua Hill
- GM – General Motors Corporation: Mike Douglas; Tony Ross
- Honda Development & Manufacturing of America: Todd Dickey; Doug Titus
- IDEM Safety: Mark Witherspoon; Amir Mohtasham
- Komatsu America Industries, LLC: George Schreck; James Landowski
- LM – Liberty Mutual: Craig Karasack, CSP; Julie Thompson, CSP
- MAG – MAG Automotive LLC: Erik Carrier; Doug Watts
- MPIF – Metal Powder Industries Federation: Bill Edwards; James P. Adams
- NIOSH – National Institute for Occupational Safety & Health: Richard Current, PE
- Omron: Tina Hull, FS Exp.; Frank Webster
- OSHA – Occupational Safety and Health Administration: Ken Stevanus; Mary Bauer, CSP, CIH, B11 LMSS
- PILZ – Pilz Automation Safety, LP: Mike Beerman; Dino Mariuz
- PLASTICS – Plastics Industry Association: Jeff Linder; Dale Bartholomew
- PMA – Precision Metalforming Association: James G. Barrett, Jr. PhD; David Klotz
- PMMI, Assoc. of Packaging and Processing Technology: Bruce Main, PE, CSP; Tom Egan
- PSDMA – Presence Sensing Device Manufacturers Association: Jim Kirton; Mike Carlson
- Rockford Systems: Brian Boes; Matt Brenner
- Rockwell Automation: Darin Magnuson, FS Eng; Jonathan Barrett, FS Eng
- Safe-T-Sense: Mike Poynter, FS Eng; Federico Badillo
- SMACNA – Sheet Metal & Air Conditioning Contractors National Association: Justin Crandol, CSP; Rick Di Ioli
- SICK, Inc.: Chris Soranno, FS Exp.; Nate Gose, FS Exp.
- TMMNA – Toyota Motor Manufacturing North America: Chip Boertlein; Michael Collier, B11 LMSS

Why Participate in B11 Standards?

- Help your organization or clients achieve acceptable risk with feasible risk mitigation
- Reflect your company’s voice in future standards
- Gain a deeper understanding of future standards
- Great networking opportunity with leading safety specialists in a variety of sectors
- Exceptional cross-educational opportunities

Setting The Scene

First steps in the functional safety process

Learning Objectives

- How to use B11.26
- First steps in creating a safe control system

Definitions and Acronyms

Clause 3

How to use B11.26

1. Conduct risk assessment and determine risk reduction measures
2. Identify risk reduction measures that involve the SRP/CS
3. Define the safety functions
4. Determine the required reliability design specification for each safety function
5. Define the basic input, logic and output elements required
6. Apply the general design requirements for all elements of the system
7. Determine Failure Modes/Fault Considerations to be managed
8. Determine monitoring and diagnostic coverage to be applied
9. Apply specific design requirements, examples and circuit analyses for each circuit element
10. Evaluate the effectiveness of that system for the desired results

Circuit Examples and Analysis Tables

Clause 4

- Clauses 9, 10 and 11 of B11.26 contain design requirements of input, logic and output devices that are incorporated into the SRP/CS.
- Example schematics depict how to integrate given devices for a required reliability design specification.
- Symbols used are in Annex A.
- Circuit Analysis Tables follow each schematic and contain four elements that describe the safety details for each safety circuit: Safety Functions, Fault Considerations, Fault Exclusions, Safety Principles.

Figure 3: Sample schematic diagram depicting “Multiple Dual Channel E-Stop with a Safety Interface Module (SIM) (Category 3)”

Circuit Examples and Analysis Tables

Clause 4

Table 1 – Content/Overview of a Circuit Analysis Table

Safety Function: Purpose or goal of the safety circuit. That portion of the control system or engineering control – device that either eliminates or reduces exposure to a hazardous situation (from this document). Function initiated by an input signal processed by the SRP/CS to enable the machine (as a system) to achieve a safe state (ISO 13849-1). This is also known as “Functional Safety.” The function of the safety circuit, whose failure can result in an immediate increase in risk(s) (ANSI B11.0 & ISO 12100).

Fault Considerations: Consideration of faults and other related issues with the circuit that can lead to loss of the safety function as defined in this example circuit. What faults can occur that cannot be detected (see Annex F of B11.26). For additional examples of fault consideration, refer to Annex M, N, and O (see also Annex B, C & D of ISO 13849-2).

Fault Exclusions: Consideration of faults and other related issues with the circuit that may be excluded, and that can lead to the loss of the safety function as defined in this example circuit. What faults may be excluded that cannot be detected. For examples of fault exclusion, refer to Annex M, N, and O (see also Annex B, C & D of ISO 13849-2).

Safety Principles: Engineering recommendations, best practices and requirements as described in standards-related documents such as ANSI B11.19, NFPA 79, ISO 13849-2, etc., to achieve a desired risk level based on, or as part of, the requirements from an overall risk assessment such as ANSI B11.0.
Circuit Examples and Analysis Tables

Clause 4

9.3.3.5.1 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4)

Safety Function: When the guard is opened, the power is removed from the hazardous portion of the machine.

Fault Considerations: See general considerations in 9.3.3.1. The possibility of intentional defeat by affixing a standard magnet to the sensor is reduced by the design of the alternating poles (i.e., coding).

Fault Exclusions: Catastrophic failure of the sensor resulting in the loss of the safety function (switching) may be excluded due to the design of the magnet and sensor and the complementary switching.

Safety Principles: When the guard is opened, the dual channel safety interface module detects the opening of the interlock switches. Power is then removed from the hazardous portion of the machine. The safety interface module monitors the Force-Guided Contactors via the normally closed contacts in the reset circuit. The reset button may not be tied down because of the monitored manual reset of the safety interface module. Complementary switching (N.O. and N.C.) of the magnetic sensors helps prevent common mode and common cause failures. The possibility of intentional defeat by affixing a standard magnet to the sensor is reduced by the design of the alternating poles (i.e., coding). This is Category 4 due to the use of an individual coded magnet/sensor and the frequency of exercising the guard.
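A behavioural model of the dual-channel interlocked-guard circuit analysed above, added here as a teaching example (it is not a B11.26 circuit and not any vendor's SIM logic). It assumes channel 1 is the sensor's N.O. contact and channel 2 its N.C. contact, that the reset circuit carries the series N.C. auxiliary contacts of both force-guided contactors (the feedback loop), and that the monitored reset acts on the release of the button; it then walks through the behaviours the Safety Principles describe: a normal protective stop, a tied-down reset button, a stuck channel exposed at the next demand, and a contactor that fails to drop out.

```python
from dataclasses import dataclass


@dataclass
class Inputs:
    """Constructed input states seen by the SIM on one scan."""
    ch1_no_closed: bool     # channel 1: sensor N.O. contact, closed when the guard is closed
    ch2_nc_closed: bool     # channel 2: sensor N.C. contact, open when the guard is closed
    reset_pressed: bool     # monitored manual reset pushbutton
    feedback_closed: bool   # series N.C. aux contacts of both force-guided contactors (reset circuit)


@dataclass
class SafetyInterfaceModule:
    outputs_on: bool = False      # True = contactors energised, power to the hazardous portion
    fault_latched: bool = False   # channel discrepancy seen; cleared only by a consistent guard-open
    _reset_held: bool = False     # previous scan's reset state, for release-edge detection

    def guard(self, i: Inputs) -> str:
        """Complementary switching: the two channels must be in opposite states."""
        if i.ch1_no_closed and not i.ch2_nc_closed:
            return "closed"
        if not i.ch1_no_closed and i.ch2_nc_closed:
            return "open"
        return "discrepancy"   # both closed / both open: stuck contact, cross short, or defeat attempt

    def scan(self, i: Inputs) -> bool:
        """Evaluate one scan; returns the output state (True = power enabled)."""
        g = self.guard(i)
        if g == "discrepancy":
            self.fault_latched = True
        elif g == "open":
            self.fault_latched = False   # both channels agreed on 'open': the guard exercised both
        # Protective stop: anything but a consistent 'closed' removes power; no reset is involved.
        if g != "closed" or self.fault_latched:
            self.outputs_on = False
        # Monitored manual reset: acts only on release of the button, with the guard closed,
        # no fault latched, and both contactors proven dropped out by the closed feedback loop.
        released = self._reset_held and not i.reset_pressed
        self._reset_held = i.reset_pressed
        if released and g == "closed" and not self.fault_latched and i.feedback_closed:
            self.outputs_on = True
        return self.outputs_on


CLOSED, OPEN = (True, False), (False, True)   # (ch1_no_closed, ch2_nc_closed) for a healthy sensor


def run(steps):
    """Feed a constructed sequence of (ch1, ch2, reset, feedback) scans; return the output per scan."""
    sim = SafetyInterfaceModule()
    return [sim.scan(Inputs(*s)) for s in steps]


def normal_cycle():
    """Reset pressed and released with the guard closed -> power; guard opened -> power removed."""
    return run([(*CLOSED, False, True),    # idle, contactors dropped out
                (*CLOSED, True, True),     # reset pressed
                (*CLOSED, False, True),    # reset released -> outputs on
                (*CLOSED, False, False),   # contactors pulled in, feedback loop open, still running
                (*OPEN, False, True)])     # guard opened -> protective stop


def tied_down_reset():
    """Reset button held down permanently: no release edge, so power is never enabled."""
    return run([(*CLOSED, True, True)] * 3)


def stuck_channel():
    """Channel 1 contact welded closed: the next guard-open demand exposes the discrepancy."""
    return run([(*CLOSED, True, True), (*CLOSED, False, True),   # normal reset -> on
                (True, True, False, True),                        # guard opened, ch1 stuck -> stop + fault
                (*CLOSED, True, True), (*CLOSED, False, True)])  # re-closed, reset refused


def welded_contactor():
    """A contactor fails to drop out after a stop: feedback loop stays open, reset refused."""
    return run([(*CLOSED, True, True), (*CLOSED, False, True),    # normal reset -> on
                (*OPEN, False, False),                             # stop; welded contact keeps loop open
                (*CLOSED, True, False), (*CLOSED, False, False)])  # release edge but loop open -> no reset
```

A real SIM also tolerates a short discrepancy time while the two sensor contacts change over, which this model omits.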
What did you Learn

How to Use B11.26
- Layout and Process
- Circuit Diagrams and Analysis Tables: Safety Functions, Fault Considerations, Fault Exclusions, Safety Principles

Step 1 Risk Assessment

Steps 1 and 2 of the ten-step B11.26 process (conduct risk assessment and determine risk reduction measures; identify the measures that involve the SRP/CS):
- Use B11.0 to conduct a risk assessment.
- For any task-hazard pairs whose level of risk is not acceptable, identify risk reduction measures using the Risk Reduction Hierarchy.

Set the scene – Risk Assessment

Clause 5.1

1. Prepare for and Set Limits of the Assessment
2. Identify Tasks and Hazards
3. Assess Initial Risk (risk scoring systems)
4. Reduce Risk (hazard control hierarchy)
5. Assess Residual Risk (risk scoring systems)
6. Residual Risk Acceptable? No: reduce risk further. Yes: New/Next Hazard
7. Validate Solutions
8. Results/Documentation – Assessment Complete

Set the scene – Risk Scoring Systems

Clause 5.1

Probability of Occurrence   Severity of Harm: Catastrophic   Serious      Moderate     Minor
Very Likely                 High                             High         High         Medium
Likely                      High                             High         Medium       Low
Unlikely                    Medium                           Medium       Low          Negligible
Remote                      Low                              Low          Negligible   Negligible

Set the scene – Risk Reduction Measures

Clause 5.1

What did you Learn

Risk Assessment
- Use B11.0 to conduct a risk assessment.
- For any task-hazard pairs whose level of risk is not acceptable, identify risk reduction measures using the Risk Reduction Hierarchy and B11.19.

Identify SRP/CS

Clause 5

Step 2 of the B11.26 process (identify risk reduction measures that involve the SRP/CS):
- What is the SRP/CS
- How does it fit with the rest of the control system

SRP/CS Definitions

Machine control system: Part of a machine that consists of (including but not necessarily limited to) control devices, display functions, data processing or storage, sensors, safety-related functions, and power control elements (e.g., contactors, valves, speed control, etc.).
Safety-Related Part of the Control System (SRP/CS): Part of a control system that responds to safety-related input signals and generates safety-related output signals.

Note: Failure to danger of a Functional System increases the risk back to the initial level.

SRP/CS – What is in the SRP/CS

Clause 5

Parts of the SRP/CS: Input, Logic, Output

Integration of SRP/CS in the Overall Machine Controls

Clause 6.1

Figure 5: Machine Control Integrated with the Safety-Related Part of a Control System (SRP/CS). Elements shown in the figure:
- Safety-Related Inputs: operator controls or sensors; Manual or Automatic Reset
- SRP/CS Logic Circuit, with an MPCE Feedback Input
- Safety-Related Outputs to Power Control Devices: OSSD Outputs (Output Signal Switching Device); Power Control Devices remove power from the Machine Primary Control Elements (MPCE), enabling power to the Safety-Related Machine Actuators
- Stop Outputs to Machine Control for the Protective Stop Function; Start Outputs to Machine Control, provided for safety-related starts
- Machine Control Logic: Non-Safety-Related Inputs (operator controls or sensors, including non-safety-related start inputs); Outputs to Machine Actuators that Control Hazardous Machine Actions if the Safety Function is Safe (actuation of machine action); Outputs to Non-Safety-Related Machine Actuators

What did you Learn

Safety Related Part of the Control System
- Definition
- How it interfaces with the machine control system
- Inputs, logic units, and outputs

Step 3 Safety Functions

Clause 6

Step 3 of the B11.26 process (define the safety functions):
- For any functional safety risk reduction measures, develop a safety function detailing its operation and objective.
- The description shall show how the risks are reduced by the safety function.

Step 3 Safety Functions

Clause 5.3

- Functional safety shall be defined for each hazard that has not been eliminated by inherently safe design measures.
- The complete safety function includes the entire functionality to reduce the risk to an acceptable level.
- Note: the safety function applies to both inputs and outputs.

Circuit Examples and Analysis Tables

9.3.3.5.1 Interlocked Guard Monitoring – Dual Channel with a SIM (Category 4), revisited with the circuit analysis table given earlier.

Safety Function: When the guard is opened, the power is removed from the hazardous portion of the machine.

Standards Pop Quiz

1. The first step in machinery safety is to conduct a risk assessment. True
2. Fixed guarding is always part of the safety related part of a control system. False: fixed guarding is separate from the SRP/CS.
3. A safety function applies to both inputs and outputs. True

What did you Learn

Safety Functions
- What are Safety functions

Step 4 Required Reliability

Clause 6

Step 4 of the B11.26 process (determine the required reliability design specification for each safety function):
- Different reliability specifications
- Required reliability and how to calculate: Control Reliability, Categories, Performance Levels
- Selection of components

Step 4 How much risk is the SRP/CS reducing?
Clause 5.4

Risk bar (figure): starting from the Total initial Risk, Other Risk Reduction Measures (e.g., inherently safe design measures, fixed guards, administrative controls) remove one portion, the SRP/CS removes a further portion, and a Residual Risk remains (e.g., addressed by administrative controls). The scale runs from Initial Risk through Acceptable Risk towards Zero Risk.

Step 4 Reliability Specifications

Clause 5.4

A reliability design specification shall be selected for a circuit using one of the following three methodologies:
- Performance level (PL) as contained in ISO 13849-1
- Categories as originally contained in EN 954-1
- Control reliability as used in the B11 series of standards and by OSHA

The specification refers to the design of the overall circuit. Capability ratings of individual components shall not be used to determine the reliability achieved by a given circuit (PLe component + PLe component + PLe component ≠ PLe circuit).

Step 4 Reliability Specifications

Clause 5.4

- ISO 13849-1:2015, Safety of Machinery – Safety related parts of control systems: Performance Levels (PL), Categories (Cat)
- IEC 62061 + IEC 61508, Safety of Machinery – Functional safety of safety related electrical, electronic and programmable electronic control systems: Safety Integrity Levels (SIL)
- ANSI B11.26 – 2018, Functional Safety for Equipment: General Principles for the Design of Safety Control Systems Using ISO 13849-1: Categories (Cat), Performance Levels (PL), Control Reliability

Step 4 Performance Levels

Clause 5.4.1, Annex B

Performance Level: the ability of the SRP/CS to perform a safety function under foreseeable conditions.

PL   PFHD 1/h (probability of dangerous failure, per hour)   Approx. number of years before a dangerous failure
a    ≥ 10^-5 to < 10^-4                                       > 1 year
b    ≥ 3×10^-6 to < 10^-5                                     > 11 years
c    ≥ 10^-6 to < 3×10^-6                                     > 38 years
d    ≥ 10^-7 to < 10^-6                                       > 100 years
e    ≥ 10^-8 to < 10^-7                                       > 1000 years

Step 4 Required Reliability

Annex B

- Lowest intended risk reduction by the SRP/CS: lowest required reliability
- Greatest intended risk reduction by the SRP/CS: greatest required reliability

Performance Levels – Estimation from Parameters

Clause 5.4

- Category Architecture: single or dual channel? The architecture of the system.
- MTTFD (Mean Time To Dangerous Failure): how likely is a dangerous fault?
- DCavg (Diagnostic Coverage): how likely is a dangerous fault to be detected?
- CCF (Common Cause Failure): how likely is it that 2 things will fail due to the same cause?
- Mission Time: lifetime of the system for which the PL is valid. Always 20 years, or when B10D life is reached.

Step 4 How to measure reliability

Clause 5.4

If reliability of a control system is measured by how frequently it fails to danger, how can we increase, and measure, that reliability?

Means of increasing system reliability / How to quantify? / Name of parameter:
- Increase reliability of the components in a system / How long until a dangerous failure occurs? / Mean Time to Dangerous Failure (MTTFD)
- Have redundancy in the system, in case a component fails / What is the system architecture, is there redundancy and monitoring? / Category Architecture
- Detect dangerous faults (to allow the system to be made safe) / What percentage of dangerous faults will be detected? / Diagnostic Coverage (DC)
- Design out failure modes that will cause multiple components to fail / Using sufficient design principles to rule them out / Common Cause Failure (CCF)

Performance Levels From Parameters

Annex E

Step 4 Categories

Annex C

- The maximum achievable reliability is limited by the architecture.
- The design of the SRP/CS shall use a category of architecture or structure that is appropriate for the application.
- Architecture requirements apply to the Inputs, Logic and Outputs of a control system.

Functional Safety Category Architecture B

Clause 5.4.2, Annex C

Category B Circuit:
- is designed in accordance with relevant standards;
- can withstand the expected influences;
- the occurrence of a fault can lead to loss of the safety function.

Example schematic: Magnet switch – Control Relay – Motor

Functional Safety Category Architecture 1

Clause 5.4.2, Annex C

Category 1 Circuit: all Cat B requirements plus:
- is designed in accordance with relevant standards;
- well-tried components and well-tried safety principles are used;
- the occurrence of a fault can lead to loss of the safety function.
MTTFd ≥ 30 years

Example schematic: Type 2 Light Curtain – Control relay – Motor

Functional Safety Category Architecture 2

Clause 5.4.2, Annex C

Category 2 Architecture: requirements of Cat B and well-tried safety principles as well as:
- the safety function shall be checked at suitable intervals by the machine control system;
- the occurrence of a (single) fault can lead to loss of the safety function between the checks;
- the loss of the safety function is detected by the check (automatic or manual).
Note: to reach PLd the output shall initiate a safe state which is maintained until the fault is cleared.
CCF ≥ 65, DC ≥ 60%

Functional Safety Category Architecture 3

Clause 5.4.2, Annex C

Category 3 Architecture: requirements of Cat B and well-tried safety principles as well as:
- a single fault does not lead to loss of the safety function, and whenever reasonably practicable the single fault is detected (i.e., some but not all faults will be detected);
- accumulation of undetected faults can lead to loss of the safety function.
CCF ≥ 65, DC ≥ 60%

Functional Safety Category Architecture 4

Clause 5.4.2, Annex C

Category 4 Architecture: requirements of Cat B and well-tried safety principles as well as:
- a single fault does not lead to loss of the safety function, and the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of faults shall not lead to loss of the safety function;
- the faults will be detected in time to prevent loss of the safety function.
CCF ≥ 65, DC ≥ 99%, MTTFd ≥ 30 years

MTTFD – How long before a fail to danger?

Clause 5.4.1

Mean Time to Dangerous Failure:
- Use manufacturer’s data
- Tables in Annex D
- Choose ten years

Classification   Range for each Channel
Low              3–10 years
Medium           10–30 years
High             30–100 years (up to 2500 years for Cat 4)

Diagnostic Coverage – How likely to detect a dangerous fault?

Clause 5.4.1

%DC = (Detected Dangerous Failures / All Dangerous Failures) × 100

Use manufacturer’s data.

Classification   Range
None             < 60%
Low              60% to < 90%
Medium           90% to < 99%
High             ≥ 99%

CCF – Is the same thing causing failure?

Clause 5.4.1

Common Cause Failure is only for Category 2, 3, and 4!

Evaluate:
- Separation/Segregation
- Diversity
- Design of components
- FMEA
- Competence of designers/maintainers
- Environmental

Examples of common cause: same design principles, all components shatter if hit; wires in the same housing, cable breaks; environmental influences, e.g., rust.

Performance Levels From Parameters

Annex E

Figure 28: Simplified procedure for evaluating Performance Level achieved by the SRP/CS (from ISO 13849-1:2015 Fig 5).

Step 4 Control Reliability

Clause 5.4.3

The capability of the machine control system, the engineering control – devices, other control components and related interfacing to achieve a safe state in the event of a failure within their safety-related functions.

While the requirements of control reliability are not directly comparable to the requirements of ISO 13849-1 (1999) or ISO 13849-1 (2015), for the purposes of this standard, complying with Category 3 or 4 and/or Performance Level “d” or “e”, at a minimum, will satisfy the requirements of control reliability.
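The PL estimation described in this section, carried through as an added example (not code from the course or from B11.26). The PFHD bands, the MTTFd classification, the %DC formula, the CCF ≥ 65 requirement and the control reliability rule are taken from the slides above; the lookup table of the simplified procedure (Figure 28, whose body did not survive in this transcript) and the DC bands are assumed from ISO 13849-1:2015, and the figures used for the Cat 4 interlocked-guard circuit at the end are constructed.

```python
"""PL estimation with the parameters this section describes (Category, MTTFd, DCavg, CCF)."""

PL_ORDER = "abcde"

# PFHD bands per PL from the Performance Levels table above: (PL, lower bound, upper bound) in 1/h.
PL_BANDS = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]

# Simplified procedure, assumed from ISO 13849-1:2015 Table 7 / Figure 5 (the course's Figure 28):
# (Category, DC class) -> PL for (low, medium, high) MTTFd per channel; None = not covered.
SIMPLIFIED_PL = {
    ("B", "none"): ("a", "b", None),
    (1, "none"):   (None, None, "c"),
    (2, "low"):    ("a", "b", "c"),
    (2, "medium"): ("b", "c", "d"),
    (3, "low"):    ("b", "c", "d"),
    (3, "medium"): ("c", "d", "d"),
    (4, "high"):   (None, None, "e"),
}
MTTFD_COLUMN = {"low": 0, "medium": 1, "high": 2}


def pl_from_pfhd(pfhd):
    """Map a probability of dangerous failure per hour to its PL (None outside the PLa..PLe bands)."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def years_to_dangerous_failure(pfhd):
    """Mean years between dangerous failures at a given PFHD: 1 / (PFHD x 8760 h/year)."""
    return 1.0 / (pfhd * 8760)


def mttfd_class(mttfd_years, category):
    """Bands from the slide: low 3-10, medium 10-30, high 30-100 years (up to 2500 for Cat 4)."""
    cap = 2500 if category == 4 else 100
    if not 3 <= mttfd_years <= cap:
        raise ValueError(f"MTTFd {mttfd_years} y per channel is outside 3..{cap} y")
    return "low" if mttfd_years < 10 else "medium" if mttfd_years < 30 else "high"


def dc_percent(detected_dangerous, all_dangerous):
    """Slide formula: %DC = detected dangerous failures / all dangerous failures x 100."""
    return 100.0 * detected_dangerous / all_dangerous


def dc_class(dc):
    """DC bands assumed from ISO 13849-1: none <60, low 60-<90, medium 90-<99, high >=99 %."""
    return "none" if dc < 60 else "low" if dc < 90 else "medium" if dc < 99 else "high"


def achieved_pl(category, mttfd_years, dcavg, ccf_score=None):
    """Simplified procedure. Returns the PL, or None when the combination is not covered
    or the CCF requirement (score >= 65, Cat 2/3/4 only, as the slides state) is not met."""
    if category in (2, 3, 4) and (ccf_score is None or ccf_score < 65):
        return None
    row = SIMPLIFIED_PL.get((category, dc_class(dcavg)))
    if row is None:
        return None
    return row[MTTFD_COLUMN[mttfd_class(mttfd_years, category)]]


def meets_required(achieved, required_pl):
    """PL ordering a < b < c < d < e; an uncovered (None) result never meets a requirement."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required_pl)


def satisfies_control_reliability(category, pl):
    """Clause 5.4.3 rule: Category 3 or 4 and/or PL d or e, at a minimum, satisfies control reliability."""
    return category in (3, 4) or pl in ("d", "e")


if __name__ == "__main__":
    # Constructed figures for the Cat 4 interlocked-guard circuit: MTTFd 50 y, 99 of 100 dangerous
    # failures detected, CCF checklist score 70.
    pl = achieved_pl(4, 50, dc_percent(99, 100), ccf_score=70)
    print("achieved", pl, "meets PLd:", meets_required(pl, "d"))
    # The same components in a Cat 3 structure with 75 % DC reach only PLd.
    print("Cat 3 / DC 75 %:", achieved_pl(3, 50, 75, ccf_score=70))
```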
Functional Safety Process

Step 5 of the B11.26 process (define the basic input, logic and output elements required): Components – Input, Logic, Output

Basic Elements Required

Clause 5.5

Input: Provides an operator input or detects a state of the machine or safety function. Manual operator controls, sensors or encapsulated subsystems.

Logic: Provides a relationship between the inputs and outputs of the SRP/CS circuit. Monitors for faults in the input elements, internal logic elements and response of the output elements. Can be in the same device as the input element.
- Safety Interface Module (SIM): a device incorporating monitored redundancy, in a single controller body, using safety principles to control electrical circuits.
- Safety Programmable Electronic System (SPES): a programmable electronic system for control of safety-related functions, e.g., Safety PLC.

Output: Directly enables or controls the power to the machine actuators that produce hazardous motion or conditions, e.g., contactors, drives or fluid power valves.
- Machine Primary Control Element (MPCE), e.g., Contactor.

Basic Elements Required

Clause 5.5

SRP/CS: Input – Logic – Output

Standards Pop Quiz

1. Category 2 is dual channel architecture. False: Category 3 and 4 are dual channel.
2. Required reliability is calculated based only on the risk being reduced by the SRP/CS. True
3. A light curtain is an output device. False: it is an input device.

What did you Learn

Required Reliability
- How much risk is the SRP/CS reducing?
- Different reliability specifications
- Required reliability and how to calculate: Performance Levels, Categories, Control Reliability
- Determination of required components

General Design Requirements

Provides overall design requirements for the SRP/CS regardless of the required reliability. The design requirements are based on good engineering practice and are considered to be well-tried.
Functional Safety Process
1. Conduct risk assessment and determine risk reduction measures
2. Identify risk reduction measures that involve the SRP/CS
3. Define the safety functions
4. Determine the required reliability design specification for each safety function
5. Define the basic input, logic and output elements required
6. Apply the general design requirements for all elements of the system
7. Determine Failure Modes/Fault Considerations to be managed
8. Determine monitoring and diagnostic coverage to be applied
9. Apply specific design requirements, examples and circuit analyses for each circuit element
10. Evaluate the effectiveness of that system for the desired results
This section covers: SRP/CS Integration into the control system; Design Requirements: Electrical, Pneumatics, Hydraulics.

Integration of SRP/CS in the Overall Machine Controls (Clause 6.1)
Figure 5: Machine Control Integrated with the Safety-Related Part of a Control System (SRP/CS). The figure shows the following blocks and signals:
- Safety-Related Inputs: Operator Controls or Sensors, with Manual or Automatic Reset
- SRP/CS Logic Circuit
- Safety-Related Outputs to Power Control Devices (OSSD, Output Signal Switching Device)
- Power Control Devices: Primary Control Elements (MPCE); power to machine actuators is removed by the power control devices
- MPCE Feedback Input for Protective Stops; provided for safety-related starts
- Machine Actuators: outputs to machine actuators that control hazardous machine actions (if the safety function is safe, actuation of machine action)
- Stop Outputs to Machine Control for the Protective Stop Function; Start Outputs to Machine Control
- Non-Safety-Related Machine Control Logic: Non-Safety-Related Inputs (Operator Controls or Sensors, including non-safety-related start inputs) and Outputs to Non-Safety-Related Machine Actuators

Specific Functions – Protective Stop and Start (Clause 6.2)
When the SRP/CS issues a protective stop the machine control should:
- Turn off appropriate outputs
- Take the appropriate action associated with the stop command
- Update machine status that may be required
- Display status information
Where the safety function of the SRP/CS is the safe start of machine action, the SRP/CS will provide a signal to the power control device to enable (provide power to) the output actuator that controls machine action, and a start signal to the machine control to activate the output actuator. The safety circuits provide energy to the hazardous portion of the machine and do not start the hazardous machine motion or operation.

Electrical Design Requirements (Clause 6.3)
Time Dependent Functions
- The circuit shall be designed to minimize the impact of stored energy
Positive, Negative Logic
- Positive logic uses current sinking inputs and current sourcing outputs, such that a short circuit or wire break is interpreted as an "off state" (diagram: DC power supply, sourcing pushbutton, PNP)
- Current sourcing inputs and current sinking outputs (negative logic) have a low degree of fault tolerance and are not recommended as primary logic (diagram: DC power supply, sinking pushbutton, NPN)
Electro-Mechanical Contact Requirements
- The current interrupted by contacts in the circuit shall be above the manufacturer's recommended minimum and below the maximum

Electrical Design Requirements (Clause 6.3)
Interfacing SRP/CS with Non-Safety PES/PLC (Programmable Electronic System/Programmable Logic Controller)
- It is important NOT to remove power from the non-safety PES/PLC as part of the safety function (to allow diagnostics)
- As a rule, a protective stop circuit is placed in the supply line to the output card or in one or more of the output circuits controlling hazardous motion (allowing the PLC to take proper action)
- If the protective stop interface removes power from the PES/PLC output or output card:
  - The PES/PLC outputs shall directly control the last electrically powered device or actuator
  - The only source of energy supplied to the outputs, and to the devices connected to them, is controlled by the protective stop circuit
  - Dropping power to the PES/PLC output card SHALL cause a Category 0 Stop

Fluid Power (Pneumatics & Hydraulics Design) Requirements (Clause 6.4)
Protective stops in fluid power systems are realized through:
- Blocking the fluid power energy source
- Removing electrical power from the safety valve(s), conversion pump and/or directional control valves
- Exhausting or removal of energy
- Selective trapping of fluid to maintain actuator position (preventing unintended hazardous motion caused by stored energy)
- Using mechanical means (e.g., rod blocks) to prevent/control hazardous motion
Reapplication of pressure shall not create a hazard. Removing control voltage from a directional control valve does not ensure that the SRP/CS will perform as required.

Fluid Power (Pneumatics & Hydraulics Design) Requirements (Clause 6.4)
Fluid Power Valve Crossover
- Open crossover: fluid pressure (energy) will be open between the supply, an outlet, and an exhaust/return port
- Closed crossover: fluid pressure (energy) will be trapped at the outlet port with no flow path to the supply or exhaust/return port
Standards Pop Quiz
1. In fluid power, exhausting or removal of energy can create a protective stop. True.
2. Removing control voltage from a directional control valve ensures that the SRP/CS will perform as required. False: remove power from the valve, not the control.
3. The circuit shall be designed to minimize the impact of stored energy. True.

What did you Learn
- SRP/CS Integration into the control system
- Design Requirements: Electrical, Pneumatics, Hydraulics

Fault Consideration
Fault consideration includes the evaluation of failure modes that could affect the ability of a specific circuit to perform its safety function. The acceptance of failure modes and their probability of occurrence is dependent on the required level of circuit reliability. Fault consideration shall be performed as part of the design process.

Functional Safety Process (the same ten steps as above)
This section covers: Fault Exclusion; Diagnostic Coverage – Monitoring.

Fault Consideration (Clause 7)
It may not be possible to detect some faults during operation, and the probability that they can occur can be reduced significantly by using mitigating design, construction and installation. Under these conditions the faults may be excluded from further consideration.
Fault Exclusion may be based on:
- the low probability of occurrence of some faults
- well-tried engineering safety practices
- application-specific technical requirements for the specific hazard

Fault Consideration (Clause 7)
Failure modes of circuit devices, actuators, and the controller (including interfaces) shall be evaluated.
Electrical Failure Modes
- short circuit of outputs, external wiring, or output devices/actuators, such as the loss of the switching function due to a short to power across the output contacts
- PES/PLC program alteration (unsecured logic) and programming errors
- loss of PES/PLC memory
- failure or fault of the safety device (e.g., internal components)
- false actuator/input signal (noise, external signal error, off-state currents or internal shorted/open PES/PLC input)

Fault Consideration (Clause 7)
Fluid Power Failure Modes
- Seal Failure
- Spring Failure
- Coil Failure
- Complete or Partial Loss of Electrical Power
- Complete Loss of Fluid Power
- Diminished Response Time Fault
- Valve Element Position Failure
- Position Fault
- Partial Loss of Fluid Power
- Pilot Section Failure
- Mounting Orientation
- Inertial Forces
- Conductor (hose/tube/pipe) / Connector Failure

Fault Consideration (Clause 7)
Pneumatic Failure Modes
- Temperature
- Moisture
- Electrical
- Lubrication
- Line blockage or muffler restriction
- Ingress of contaminants
Hydraulic Failure Modes
- Temperature
- Moisture
- Air
- Particle contamination
NOTE: Hydraulic installations are closed systems; managing wear is important, as byproducts of component wear contaminate the system, thereby increasing the rate of further wear.
Fault Consideration (Clause 7)
Annexes L, M, N and O – B11.26

What did you Learn
- Fault Considerations
- Fault Exclusions
- Documentation required

Functional Safety Process (the same ten steps as above)
This section covers:
- Diagnostic coverage is a measure of a system's ability to detect failures
- There are diagnostic coverage requirements for some reliability specifications
- Monitoring contacts must be force guided or mechanically linked to ensure the contacts correctly indicate the state of the primary device
- Means to detect masking of devices connected in series

Force Guided/Safety Relay
In a Force Guided Relay (Safety Relay) all contacts are mechanically linked: if a NO contact welds closed, the other contacts will not change state. This allows monitoring for faults such as welded contacts. A standard relay will not act in this manner; its contacts can move or change state independently. (Diagram: force guided relay and standard relay, each showing the actuator, actuating direction, NC contacts, NO contacts and a welded contact.)

Monitoring / Diagnostic Coverage (Clause 8)
- Some level of diagnostic coverage or monitoring may be required depending on the required reliability
- Redundant devices shall be monitored
- Fault detection by the process requires fault conditions and actions to be provided in the information for use
- Non-safety devices used to monitor for faults shall be included in fault considerations and have additional means to enhance reliability
- Where auxiliary contacts are used to monitor primary devices, the contacts shall be mechanically linked and force guided

Monitoring / Diagnostic Coverage (Clause 8.1)
Input Masking on Series Connected Devices

Standards Pop Quiz
1. Redundant devices shall be monitored. True.
2. Seal failure is not a fault to consider in pneumatic systems. False: seal failure is one of many faults to consider.
3. Fault exclusion may be based upon well-tried engineering safety practices. True.

What did you Learn
- Monitoring & Diagnostic Coverage Requirements
- Fault Masking

Design Requirements – Input Devices (Engineering Control – Devices)

Functional Safety Process (the same ten steps as above)
This section covers the input devices:
- Emergency Stop Devices
- Mechanical Guard Interlocking
- Non-Contact Guard Interlocking
- Guard Locking
- Optical Presence Sensing Devices
- Safety Mats/Edges
- Two Hand Control
- Speed Detection
- Enabling Devices

Design Requirements – Emergency Stop Devices (Clause 9.1)
Types
- Pushbutton-operated device
- Rope pull (cable pull) operated device
- Foot-operated device without a mechanical guard
- Rod-operated device
- Push-bar-operated device
Considerations
- Tampering/Defeat
- Failure Mode

Design Requirements – Emergency Stop Devices (Clause 9.1)
9.1.3.1 Single Channel E-stop Control Using a Control Relay (Category 1)
(Circuit: E-stop and Reset in series with Control Relay 1 (CR1); CR1 switches the Hazardous Portion of Machine; Non-hazardous Portion of Machine is supplied separately.)
Faults to Consider
- Stuck armature or welded contacts in Relay 1 (CR1)
- Wiring short from power to the CR1 coil
- Reset contacts held closed
- E-stop contacts falling off the push button actuator
Fault Exclusion
- Welded E-stop contacts may be
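The force-guided relay behaviour and the single-channel e-stop circuit of 9.1.3.1 can be put side by side in a small model. The following Python is an added example, not material from the course or from B11.26: the Relay and EstopCircuit classes, the feedback contact placed in the reset path, and the injected "welded contact in Relay 1" fault are constructed assumptions made for this illustration.

```python
"""Added example: why a monitoring (feedback) contact has to be force guided.

Models the single-channel e-stop circuit of 9.1.3.1 (e-stop contact in series with
the coil of control relay CR1, CR1's NO contact powering the hazardous portion of the
machine) plus a feedback contact in the reset path, and injects the "welded contact
in Relay 1" fault from the faults-to-consider list. Class and function names are
constructed for this example and are not taken from the course material.
"""
from dataclasses import dataclass


@dataclass
class Relay:
    """One NO contact in the power path, one NC contact used as the monitoring contact."""
    force_guided: bool            # True: contacts mechanically linked (safety relay)
    coil_energized: bool = False
    no_welded: bool = False       # injected fault: NO contact welded closed

    @property
    def no_closed(self) -> bool:
        # A welded NO contact stays closed whatever the coil does.
        return self.coil_energized or self.no_welded

    @property
    def nc_closed(self) -> bool:
        # Force guided: the welded NO contact holds the linked NC contact open.
        # Standard relay: the NC contact closes on drop-out regardless of the weld.
        if self.force_guided and self.no_welded:
            return False
        return not self.coil_energized


@dataclass
class EstopCircuit:
    cr1: Relay
    estop_released: bool = True   # NC e-stop contact is closed while the button is released
    hazard_powered: bool = False

    def press_estop(self) -> None:
        self.estop_released = False
        self.cr1.coil_energized = False       # the e-stop contact opens the coil circuit
        self.hazard_powered = self.cr1.no_closed

    def release_estop(self) -> None:
        self.estop_released = True            # CR1 stays dropped out until a manual reset

    def press_reset(self) -> bool:
        """Reset picks CR1 up only if the e-stop is released and CR1's NC contact proves drop-out."""
        accepted = self.estop_released and self.cr1.nc_closed
        if accepted:
            self.cr1.coil_energized = True
        self.hazard_powered = self.cr1.no_closed
        return accepted


def run_cycle(force_guided: bool, weld_during_run: bool) -> dict:
    """Start, optionally weld CR1's NO contact, stop with the e-stop, then try to restart."""
    circuit = EstopCircuit(Relay(force_guided=force_guided))
    circuit.press_reset()                     # normal start: CR1 picks up
    if weld_during_run:
        circuit.cr1.no_welded = True          # fault injected while the machine is running
    circuit.press_estop()
    stop_effective = not circuit.hazard_powered
    circuit.release_estop()
    restart_allowed = circuit.press_reset()
    return {
        "stop_effective": stop_effective,
        "restart_allowed": restart_allowed,
        "fault_detected": weld_during_run and not restart_allowed,
    }


if __name__ == "__main__":
    for fg in (True, False):
        label = "force guided" if fg else "standard relay"
        print(label, run_cycle(fg, weld_during_run=True))
```

With the weld present, the hazardous portion stays powered when the e-stop is pressed in both variants: a single-channel circuit cannot remove the hazard caused by a single welded contact, which is why the clause lists it as a fault to consider. The difference shows at the next reset. The force-guided relay's NC contact cannot close while the NO contact is welded, so the reset is refused and the fault is revealed; the standard relay's NC contact closes normally, the reset is accepted and the weld stays masked. That is the point of the Clause 8 requirement that auxiliary contacts used for monitoring be mechanically linked and force guided.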
