Page 1

Functional Safety Primer (and Introduction to Sistema)

Ian Brough, SICK Inc.

Confidential

Industrial Safety Systems.

Made by SICK.

Originally... EN 954-1:1996 (old ISO 13849-1)

: Concept of deterministic failure mode analysis gets more difficult with newer and often more complex safety controls

: No detailed requirements defined for programmable systems and complex electronics.

: No sufficient requirements for the consideration of reliability values. Complexity of the solution or amount of components used did not influence the end result.

Page 2

Originally... EN 954-1:1996 (old ISO 13849-1)... Continued

• Resulting safety level / risk reduction in case of combination of different categories and fault exclusions was difficult to determine.

• Risk graph for the safety levels less clear at higher levels

• Fault avoiding measure?

• Demands to QM

• Documentation

Ian Brough 9/30/2013

Balancing Act

Figure: a balance between the well tried principles of EN 954-1:1997 and the new concepts of IEC 61508:2002; items weighed: Safety Function, Risk Graph, Categories, Component reliability and test quality, Common cause failure.

Page 3

Looking back: Risk graph according to EN 954-1 (old ISO 13849-1)

ISO 13849: Performance Levels Defined

Flowchart: START → Risk analysis → Safety Function → Required PL (PLr) → Identify the safety function related components → Determine PL using Category, DC, MTTFd and CCF → achieved PL ≥ PLr? → Validation → All functions?

: ISO 13849 gives guidance for the design of SRP/CS*. This includes all kinds of technologies: electrical, mechanical, hydraulic, pneumatic, software.

: The reliability of the safety function performance is evaluated with the newly defined Performance Level (PL).

: ISO 13849-1 also provides a simplified method that allows the probabilistic approach (reliability of components).

: Methods against common cause failure are rated.

: Improvements in risk graph

: Methods of calculating parameters

* SRP/CS = Safety Related Parts of the Control System

Page 4

Safety Functions

: Safety-related stop function triggered by protective equipment (e.g. interlock device, limit value monitoring [e.g. maximum r.p.m., over-temperature, overpressure])

: Manual reset function

: Start/restart function

: Muting function

: Equipment with automatic resetting (jog button)

: Enabling function

: Prevention of unintended start-up

: Control functions and selection of operating mode

: Monitoring of the parameterization of safety-relevant input values

: Emergency stop function (supplementary protective measure)

: Interaction between different safety-related parts of the control system

: Reaction time

: Indicators and alarms

: Etc.

New 13849-1 – Performance Level

Page 5

PL vs PFH vs SIL

The Performance Level depends on:

: system structure and behaviour in faulty conditions

: reliability of the used components (MTTFd)

: system fault detection ability, defined as diagnostic coverage (DC)

: impact of systematic and common cause failures (CCF) in redundant systems

: proper selection of the safeguarding devices and the environmental impact on the system

The Performance Level describes the reliability of the safety function from the related control parts (SRP/CS).

Performance Level (PL) | Average probability of a dangerous failure per hour (1/h) | SIL (IEC 61508)
a | ≥ 10^-5 to < 10^-4 | none
b | ≥ 3 x 10^-6 to < 10^-5 | 1
c | ≥ 10^-6 to < 3 x 10^-6 | 1
d | ≥ 10^-7 to < 10^-6 | 2
e | ≥ 10^-8 to < 10^-7 | 3

SRP/CS (or a better term is Subsystems)

Figure: Safety related parts of control systems (SRP/CS) grouped as INPUTS (Sensors, E-stop pushbutton, Light curtain, Area scanner, Interlock, Position switch), PROCESSING (Safety control system, Safety relays, Hardwired logic, Safety network) and OUTPUTS (Valve, Contactor, Drive, Robot controller).

Page 6

Subsystems

Figure: SRP/CS 1 (Guard sensing) → SRP/CS 2 (Logic solving) → SRP/CS 3 (Power switching), linked by physical and electrical interfaces; PL1r ≥ PL "d", PL2r ≥ PL "d", PL3r ≥ PL "d".

"A safety function may be implemented by one or more Subsystems, and several safety functions may share one or more Subsystems"

Safety Data from Manufacturer

Page 7

Safety related stop function (using non safety rated hardware)

Figure: Subsystem 1 (From Supplier), Subsystem 2 (From Supplier), Subsystem 3 (DIY, PL ?).

Design using functional safety

Figure: System Performance rests on five pillars: Structure, Reliability, Diagnostics, Resistance, Process.

: Structure (or Category) of the safety system/chain

: Reliability of the components used

: Ability to detect failures

: Resistance to common cause failures

: In addition, further measures to avoid design faults are required

Page 8

Structural aspects

"The structure of a Subsystem is a key characteristic having great influence on the PL"

Figure: Category B, 1; Category 2; Category 3, 4.

B: Components used in accordance with relevant standards, to withstand expected influence. No protection against faults.

1: Like B AND use of well tried components and safety principles. No protection against faults.

2: Like B and use of well tried safety principles. Test rate better than 100 times the demand rate. No protection against one fault. Fault detection.

3: Like B and use of well tried safety principles. Design for protection against ONE fault. Partial fault detection.

4: Like B and use of approved safety principles. Design for protection against TWO faults.

Designated architectures

Page 9

Reliability aspects

Mean time to dangerous failure

From the valve manufacturer, or calculated from the estimated amount of usage (B10d).

Page 10

Diagnostic aspects

Estimation of Diagnostic Coverage - Overview

Table E.1 — Abstract: Estimates for diagnostic coverage (DC)

Measure | DC
Input: Cyclic test stimulus by dynamic change of the input signals | 90%
Input: Plausibility check, e.g. use of normally open and normally closed mechanically linked contacts | 99%
Input: Monitoring some characteristics of the sensor (response time, range of analogue signals, e.g. electrical resistance, capacitance) | 60%
Input: Cross monitoring of inputs without dynamic test | 0%..99% (depending on signal change frequency)
Logic: Dynamic principle (all components of the logic are required to change the state ON-OFF-ON when the safety function is demanded), e.g. interlocking circuit implemented by relays | 99%
Logic: Processing unit: self test by software | 60%..90%
Output: Redundant shut-off path with monitoring of one of the actuators either by logic or by test equipment | 90%
Output: Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
General: Fault detection by process | 0%..99% (not alone for PL "e")

Page 11

Diagnostic Coverage - Inputs

Measures for Input devices | DC
Cyclic test stimulus by dynamic change of the input signals | 90%
Plausibility check, e.g. use of normally open and normally closed mechanically linked contacts | 99%
Cross monitoring of inputs without dynamic test | 90% to 99% depending on how often a signal change is done by the application
Cross monitoring of input signals with dynamic test if short circuits are not detectable (for multiple I/O) | 90%
Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O) | 99%
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99% depending on the application
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
Fault detection by the process | 0% to 99% depending on the application. This measure alone is not sufficient if the required performance level is "e"
Monitoring some characteristics of the sensor (response time, range of analogue signals, e.g. electrical resistance, capacitance) | 60%

Diagnostic Coverage - Logic

Measures for Logic devices | DC
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99% depending on the application
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
Simple temporal time monitoring of the logic (e.g. timer as watchdog, where trigger points are within the program of the logic) | 60%
Temporal and logical monitoring of the logic by the watchdog, where the test equipment does plausibility checks of the behaviour of the logic | 90%
Start-up self-test to detect latent faults in parts of the logic (e.g. program and data memories, input/output ports, interfaces) | 90% (depending on the testing technique)
Checking the monitoring device reaction capability (e.g. watchdog) by the main channel at start-up or whenever the safety function is demanded or whenever an external signal demands it, through an input facility | 90%
Dynamic principle (all components of the logic are required to change the state ON-OFF-ON when the safety function is demanded), e.g. interlocking circuit implemented by relays | 99%
Invariable memory: signature of one word (8 bit) | 90%
Invariable memory: signature of one double word (16 bit) | 99%
Variable memory: RAM test by use of redundant data e.g. flags, markers, constants, timers, and cross comparison of these data | 60%
Variable memory: check for readability and write ability of used data memory cells | 60%
Variable memory: RAM monitoring with modified Hamming code or RAM self-test (e.g. "galpat" or "abraham") | 99%
Processing unit: self-test by software | 60% to 90%
Processing unit: coded processing | 90% to 99%
Fault detection by the process | 0% to 99% depending on the application. This measure alone is not sufficient if the required performance level is "e"

Page 12

Diagnostic Coverage - Outputs

Measures for Output devices | DC
Monitoring of outputs by one channel without dynamic test | 0% to 99% depending on how often a signal change is done by the application
Cross monitoring of outputs without dynamic test | 0% to 99% depending on how often a signal change is done by the application
Cross monitoring of output signals with dynamic test without detection of short circuits (for multiple I/O) | 90%
Cross monitoring of output signals and intermediate results within the logic (L) and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O) | 99%
Redundant shut-off path with no monitoring of the actuator | 0%
Redundant shut-off path with monitoring of one of the actuators either by logic or by test equipment | 90%
Redundant shut-off path with monitoring of the actuators by logic and test equipment | 99%
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99% depending on the application
Fault detection by process | 0% to 99% depending on the application. This measure alone is not sufficient if the required performance level is "e"
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%

Denotation of DC

Page 13

Resistance aspects

Common cause failure

"Failure causing coincident failures of two or more separate channels in a multiple channel subsystem"

Category 3, 4

Page 14

Measures against Common Cause Failure

Score 65

Total 100

Design process

Page 15

Simplified V-model for SW lifecycle

Figure: Safety functions specification → Safety related software specification → System design → Module design → Coding (descending branch), then Module testing → Integration testing → Validation (ascending branch), with Validated Software as the Result; Verification arrows connect each design stage to its test stage, and Validation closes the V against the safety functions specification.

Determine PL for one Subsystem

Page 16

Determine PL for a Subsystem: with the help of ISO 13849-1

PL for a SRP/CS

Page 17

Performance level

Figure: PL (a to e) versus MTTFd (up to 100 years) and Category (Category 3/4 shown).

Safety related stop function

Figure: Subsystem 1, Subsystem 2, Subsystem 3, each dual channel (I1-L1-O1 / I2-L2-O2), each Cat. 4, PL "e".

Page 18

Achieved safety level

Figure: Required safety level PLr versus Achieved safety level PL (a to e).
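As an added example (not part of the deck and not Sistema's code), the following Python combines the PFH values of the three series subsystems of the stop function above into the PFH of the whole safety function, maps it onto the PL bands of the PL vs PFH vs SIL table on page 5, and performs the flowchart's "achieved PL ≥ PLr" check. Summing subsystem PFH values for subsystems in series is the rule of ISO 13849-1; the sample PFH values are constructed, and treating a PFH below 10^-8 as still PL e is an assumption made here.

```python
"""Achieved PL of a safety function built from several subsystems in series (ISO 13849-1)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# PL bands from the deck's "PL vs PFH vs SIL" table: (PL, lower bound, upper bound, SIL).
# A PFH belongs to a band when lower <= PFH < upper; PL a has no SIL equivalent.
PL_BANDS = (
    ("e", 1e-8, 1e-7, 3),
    ("d", 1e-7, 1e-6, 2),
    ("c", 1e-6, 3e-6, 1),
    ("b", 3e-6, 1e-5, 1),
    ("a", 1e-5, 1e-4, None),
)
PL_ORDER = "abcde"  # a = least risk reduction, e = most


def pl_from_pfh(pfh: float) -> Optional[str]:
    """Map an average probability of dangerous failure per hour onto a PL.

    Returns None when the PFH is 10^-4 or worse (no PL is achieved). A PFH below
    the table's lowest bound (10^-8) is reported as PL e; that is an assumption
    made here, the table only lists 10^-8 as the lower end of PL e.
    """
    if pfh < 0:
        raise ValueError("PFH must be non-negative")
    if pfh < 1e-8:
        return "e"
    for pl, lower, upper, _sil in PL_BANDS:
        if lower <= pfh < upper:
            return pl
    return None


def sil_from_pl(pl: str) -> Optional[int]:
    """Equivalent IEC 61508 SIL for a PL, per the same table (None for PL a)."""
    for band_pl, _lower, _upper, sil in PL_BANDS:
        if band_pl == pl:
            return sil
    raise ValueError(f"unknown PL {pl!r}")


@dataclass(frozen=True)
class Subsystem:
    name: str
    category: int
    pfh: float  # average probability of dangerous failure per hour (1/h)


def safety_function_pfh(subsystems: Iterable[Subsystem]) -> float:
    """Subsystems in series (input -> logic -> output): their PFH values add up."""
    return sum(s.pfh for s in subsystems)


def achieved_pl(subsystems: Iterable[Subsystem]) -> Optional[str]:
    return pl_from_pfh(safety_function_pfh(list(subsystems)))


def meets_plr(subsystems: Iterable[Subsystem], plr: str) -> bool:
    """The flowchart's decision 'achieved PL >= PLr', using the order a < b < c < d < e."""
    if plr not in PL_ORDER:
        raise ValueError(f"unknown PLr {plr!r}")
    pl = achieved_pl(subsystems)
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


# Constructed sample: the deck's stop function with three Cat. 4 subsystems, each rated
# PL e on its own. The values are illustrative, not any real product's data.
STOP_FUNCTION = (
    Subsystem("light curtain (input)", 4, 9e-8),
    Subsystem("safety controller (logic)", 4, 9e-8),
    Subsystem("contactors (output)", 4, 9e-8),
)


def main() -> None:
    total = safety_function_pfh(STOP_FUNCTION)
    pl = achieved_pl(STOP_FUNCTION)
    print(f"sum of subsystem PFH = {total:.2e} 1/h -> PL {pl}, SIL {sil_from_pl(pl)}")
    # Three subsystems that each just make PL e add up to a PFH in the PL d band:
    # the safety function does not reach PLr = e although every subsystem does.
    print("meets PLr e:", meets_plr(STOP_FUNCTION, "e"))
    print("meets PLr d:", meets_plr(STOP_FUNCTION, "d"))


if __name__ == "__main__":
    main()
```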

Sistema Intro

Ian Brough, SICK Inc.

Page 19

What is Sistema?

: "Safety Integrity Software Tool for the Evaluation of Machine Applications"

: Software tool for implementation of EN ISO 13849-1

- Understanding of this standard required for proper use of Sistema

: Created by BGIA (German Institute for Occupational Safety)

- Responsible for testing and certification according to European guidelines/national laws

: Free to download and use

Why use Sistema?

: Verify safety design meets criteria of 13849-1

: Software automatically calculates reliability values

- Limits the need to look up tables

- Limits hand calculations of MTTFd, DCavg, PL, etc.

: Documentation

: Can be tied to risk assessment, product data sheets, standards, validation

- Separate documents, but linked

- Creates an ‘all-inclusive’ project

Page 20

Components of a Sistema Project

: A project consists of:

- Safety Functions

- Subsystems

- Channels

- Test channels (for CAT2 applications only)

- Blocks

- Elements

What is a Safety Function?

: Safety functions reduce or eliminate risks/hazards identified in risk assessment

: Defines how the risk is to be reduced by engineering controls

: Defined for each hazard not eliminated by design

- Permanent hard guards for instance are not considered by Sistema

: Consists of

- Triggering event

- Reaction of machine

- Safe state achieved

Page 21

Types of Safety Functions

: Initiating a stop - A safety-related stop function places the machine in a safe state (i.e. approach of a person or opening an interlocked door with no locking device)

: Manual reset - Reset of protective device to prepare for restarting of the machine

Types of Safety Functions Continued

: Preventing re-start - After initiating a stop, starting the machine is prevented by technical measures as long as people are in the hazardous area

: Muting - Allows materials to move in/out of hazardous area, however people are detected

Page 22

Types of Safety Functions Continued

: Enabling device - When safety functions are temporarily disabled for setup or process monitoring (limit speed, power, duration of movement)

: Local control - Monitoring machine parameters for safety related limits (i.e. position, speed, temperature, pressure)

Performance Level of Safety Function

: PLr of the safety function can be entered manually directly from the risk assessment or determined from risk graph

: ISO 13849-1 Annex A provides some informative guidance

: The PL achieved by the safety function is determined by the subsystems

Page 23

What is a Subsystem?

: A subsystem can be one of two things:

- A single safety component with PL, PFH, and Category stated by device manufacturer

▪ Also called an encapsulated subsystem

▪ This includes safety relays, safety light curtains, non-contact safety interlocks, etc.

- A group of ‘blocks’ which need to be evaluated to determine PL, PFH, and category (such as combinations of non-safety rated devices)

Subsystem Structure

: Each safety function can typically be broken down into three types of subsystems

- Input: light curtains, interlocks, e-stops, etc.

- Logic: safety relay, safety PLC, safety controller

- Output: final switching element, motor contactors, valves

: In applications where input devices are daisy chained together, each device is considered to be a subsystem of a single safety function

: When input devices are not daisy chained but are connected to the same logic and output devices, each input/logic/output would be a separate safety function

Page 24

Adding an Encapsulated Subsystem

: When using a safety component (encapsulated subsystem), the relevant data can be:

- Entered manually

- Imported from a library

Adding Libraries

: Links to Sistema libraries can be found on the IFA website

: Libraries must be saved in the proper folder to easily access them while working on a project

Page 25

Adding Non-Encapsulated Subsystems

: If a subsystem does not have a performance level stated by the manufacturer, the PL must be determined by:

- Category (safety related architecture)

- MTTFd

- DCavg

- CCF

Category of Subsystem

: Category B or 1

- Only difference between these is that for CAT1, well-tried components and safety principles must be used

- Simple/single channel

▪ No failure detection. A fault will result in risk.

Page 26

Category of Subsystem Continued

: Category 2

- Same requirements as B and:

▪ Well tried safety principles must be applied

▪ Safety function must be tested at a suitable interval

- Single channel with monitoring

▪ Failures detected by a test

▪ Risk between occurrence of failure and next test

Category of Subsystem Continued

: Category 3

- Same requirements as B and:

▪ Well tried safety principles must be applied

▪ Safety related parts designed so that:

▪ 1) a single fault does not lead to loss of safety function

▪ 2) the single fault is detected within a reasonable time

- Dual channel with monitoring:

▪ Safety function retained in case of failure

▪ Failure detected when:

▪ 1) safety function is used

▪ 2) by the next test

▪ Accumulation of faults leads to risk

Page 27

Category of Subsystem Continued

: Category 4

- Same requirements as B and:

▪ Well tried safety principles must be applied

▪ Safety related parts designed so that:

▪ 1) a single fault does not lead to loss of safety function

▪ 2) the single fault is detected at or before the next demand of the safety function

▪ 3) accumulation of faults must not lead to risk if first fault not detected

- Dual channel with multiple fault monitoring

MTTFd for Subsystem

: If the subsystem has a stated MTTFd value, it can be entered directly

: Some faults can be excluded (examples in ISO 13849-2 Annex C)

: If value is not available and cannot be excluded, ‘blocks’ will determine value

Page 28

DCavg for Subsystem

: If the subsystem has a stated DCavg value, it can be entered directly

: If value is not available and cannot be excluded, ‘blocks’ will determine value

Relation between MTTFd, CAT and DCavg

Page 29

CCF for Subsystem

: To account for Common Cause Failure, measures must be taken to reach a minimum ‘point’ level

Channels of Subsystem

: If the MTTFd and/or DCavg cannot be determined at the subsystem level, the subsystem will be subdivided into ‘channels’ to evaluate the ‘blocks’

: The number and types of ‘channels’ depends on the category structure of the subsystem

: Sistema automatically creates these ‘channels’

Channel | CAT B/1 | CAT 2 | CAT 3 | CAT 4
Channel 1 | X | X | X | X
Channel 2 | - | - | X | X
Test Channel | - | X | - | -

Page 30

Blocks of a Channel

: A ‘channel’ may consist of one or more ‘blocks’

: These are components that may be in Sistema libraries

: Include mechanical interlocks, e-stops, electrical products (drives, motors, etc.), hydraulic products, and more

MTTFd for Blocks

: If the ‘block’ component has a stated MTTFd value, it can be entered directly

: Some faults can be excluded (examples in ISO 13849-2 Annex C)

: If value is not available and cannot be excluded, ‘elements’ will determine value

Page 31

DCavg for Blocks

: If the ‘block’ has a stated DCavg value, it can be entered directly

: If value is not available and cannot be excluded, measures can be selected from a built-in Sistema library or ‘elements’ will determine value

Elements of a Block

: An ‘element’ is the smallest subdivision of a subsystem

: An electromechanical ‘block’, for instance, may be broken down into a couple of elements

- E-stop button: mechanical and contact block elements

- Mechanical switch: mechanical and electrical elements

: ‘Elements’ may also include:

- Contactors

- Position switches

- Any component with a B10 value

Page 32

MTTFd for Elements

: At the ‘element’ level, an MTTFd value must be determined if it cannot be excluded

: Either the MTTFd value can be entered directly, or it can be determined based on the known B10 value

: If the B10 value is not known, it can be estimated when using the ‘good engineering practice’ method

MTTFd for Elements Continued

: Once the B10 value has been entered, the ‘nop’ (number of annual operating cycles) must be calculated

: Based on the ‘nop’ and B10 value, an MTTFd value is calculated
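The B10d to nop to MTTFd step above, carried on to the channel, as an added example that is neither the deck's nor Sistema's code: nop from the operating profile, MTTFd of the element from B10d, then MTTFd and DCavg of the channel over its blocks, with the DC values taken from the output table on page 12. The formulas are those of the ISO 13849-1 simplified method (Annex C for B10d, Annexes D and E for the channel values), the 100-year channel cap is the one of the 2006 edition current when this deck was given, and the contactor's B10d, the operating profile and the valve's figures are constructed sample data.

```python
"""B10d -> nop -> MTTFd for an element, then MTTFd and DCavg of the channel (ISO 13849-1 simplified method)."""
from dataclasses import dataclass
from typing import Sequence

SECONDS_PER_HOUR = 3600.0
MTTFD_CAP_YEARS = 100.0  # per-channel cap of the simplified method (2006 edition of ISO 13849-1)


def nop(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Annual operating cycles: d_op days/year * h_op hours/day * 3600 / t_cycle (seconds per cycle)."""
    if min(d_op, h_op, t_cycle_s) <= 0:
        raise ValueError("d_op, h_op and t_cycle must be positive")
    return d_op * h_op * SECONDS_PER_HOUR / t_cycle_s


def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    """MTTFd in years = B10d / (0.1 * nop): 10 % dangerous failures of a batch marks the end of life."""
    if b10d <= 0 or n_op <= 0:
        raise ValueError("B10d and nop must be positive")
    return b10d / (0.1 * n_op)


def mttfd_denotation(mttfd_years: float) -> str:
    """low: 3 <= MTTFd < 10, medium: 10 <= MTTFd < 30, high: 30 <= MTTFd <= 100 (years)."""
    if mttfd_years < 3:
        return "not acceptable"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_denotation(dc: float) -> str:
    """none: DC < 60 %, low: 60 % <= DC < 90 %, medium: 90 % <= DC < 99 %, high: DC >= 99 %."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must be a fraction between 0 and 1")
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


@dataclass(frozen=True)
class Block:
    name: str
    mttfd_years: float
    dc: float  # diagnostic coverage of the measure applied to this block, as a fraction


def channel_mttfd(blocks: Sequence[Block]) -> float:
    """1 / MTTFd_channel = sum(1 / MTTFd_i) over the blocks, then capped at 100 years."""
    if not blocks:
        raise ValueError("a channel needs at least one block")
    raw = 1.0 / sum(1.0 / b.mttfd_years for b in blocks)
    return min(raw, MTTFD_CAP_YEARS)


def dc_avg(blocks: Sequence[Block]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i): blocks that fail more often weigh more."""
    if not blocks:
        raise ValueError("a channel needs at least one block")
    failure_rates = [1.0 / b.mttfd_years for b in blocks]
    return sum(b.dc * r for b, r in zip(blocks, failure_rates)) / sum(failure_rates)


# Constructed sample data (not a real product's figures):
# a contactor with B10d = 1 300 000 cycles, operated 365 d/a, 16 h/d, one cycle every 60 s.
CONTACTOR_B10D = 1_300_000.0
CONTACTOR_NOP = nop(d_op=365, h_op=16, t_cycle_s=60)             # 350 400 cycles/year
CONTACTOR_MTTFD = mttfd_from_b10d(CONTACTOR_B10D, CONTACTOR_NOP)  # about 37.1 years

# Output channel: the contactor is directly monitored by mechanically linked contacts (99 %),
# the valve sits in a redundant shut-off path with only one actuator monitored (90 %); both
# DC values are the ones listed in the deck's output table. The valve's MTTFd is a stated value.
OUTPUT_CHANNEL = (
    Block("contactor K1", CONTACTOR_MTTFD, 0.99),
    Block("valve V1", 150.0, 0.90),
)


def main() -> None:
    m = channel_mttfd(OUTPUT_CHANNEL)
    d = dc_avg(OUTPUT_CHANNEL)
    print(f"contactor: nop = {CONTACTOR_NOP:.0f}/a, MTTFd = {CONTACTOR_MTTFD:.1f} a ({mttfd_denotation(CONTACTOR_MTTFD)})")
    # The block with the shorter MTTFd dominates the channel MTTFd, and the 90 % measure on
    # the valve pulls DCavg below 99 %, so the channel is only 'medium' on both counts.
    print(f"channel: MTTFd = {m:.1f} a ({mttfd_denotation(m)}), DCavg = {d:.1%} ({dc_denotation(d)})")


if __name__ == "__main__":
    main()
```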


Page 33

DCavg for Elements

: If the ‘element’ has a stated DCavg value, it can be entered directly

: If value is not available and cannot be excluded, measures can be selected from a built-in Sistema library

Status Summary

: As data is entered, the summary chart is continuously updated

: Achieved performance level of the safety function is compared to the PLr

Page 34

Project Tree and Status Messages

: Displays the structure of the project including all safety functions, subsystems, channels, blocks, and elements

: Provides status of each project component

- Fatal error

- Warning/informative

- All requirements met

: Status messages

Additional Documentation

: Within each section, additional documentation can be provided such as:

- Risk assessment

- Product datasheets

- Fault exclusion reasoning

: Information can be manually typed into the provided field

: Complete documents can be linked

- Documents are not embedded into the project

- If a document is moved, the link must be updated

Page 35

Generate Report

: After adding all safety functions, a report can be generated to summarize the project to be stored with a machine

: Thank you very much for your attention.

Ian Brough SICK Inc.

Cell: 612-859-3428

[email protected]