Functional Safety Primer · Cross monitoring of input signals with dynamic test if short circuits...
Functional Safety Primer (and Introduction to Sistema)
Ian Brough, SICK Inc.
Confidential
Industrial Safety Systems.
Made by SICK.
Originally... EN 954-1:1996 (old ISO 13849-1)
: The concept of deterministic failure mode analysis gets more difficult with newer and often more complex safety controls.
: No detailed requirements defined for programmable systems and complex electronics.
: No sufficient requirements for the consideration of reliability values. The complexity of the solution or the number of components used did not influence the end result.
Originally... EN 954-1:1996 (old ISO 13849-1), continued
• Resulting safety level / risk reduction in case of a combination of different categories and fault exclusions was difficult to determine.
• Risk graph for the safety levels less clear at higher levels
• Fault avoiding measures?
• Demands to QM
• Documentation
Ian Brough 9/30/2013
Balancing Act
Figure (balance): EN 954-1:1997, well tried principles (safety function, risk graph, categories) versus IEC 61508:2002, new concepts (component reliability and test quality, common cause failure).
Looking back: Risk graph according to EN 954-1 (old ISO 13849-1)
Figure (design flowchart): START -> Risk analysis -> Safety function -> Required PL (PLr) -> Identify the safety-function-related components -> Determine PL using Category, DC, MTTFd and CCF -> Is the achieved PL >= PLr?
ISO 13849: Performance Levels Defined
: ISO 13849 gives guidance for the design of SRP/CS*. This includes all kinds of technologies: electrical, mechanical, hydraulic, pneumatic, software.
: The reliability of the safety function performance is evaluated with the newly defined Performance Level (PL).
: ISO 13849-1 also provides a simplified method that allows the probabilistic approach (reliability of components).
: Methods against common cause failure are rated.
: Improvements in the risk graph
: Methods of calculating parameters
* SRP/CS = Safety-Related Parts of the Control System
Figure (design flowchart, continued): -> Validation -> All functions?
Safety Functions
: Safety-related stop function triggered by protective equipment (e.g. interlock device, limit value monitoring [e.g. maximum r.p.m., over-temperature, overpressure])
: Manual reset function
: Start/restart function
: Muting function
: Equipment with automatic resetting (jog button)
: Enabling function
: Prevention of unintended start-up
: Control functions and selection of operating mode
: Monitoring of the parameterization of safety-relevant input values
: Emergency stop function (supplementary protective measure)
: Interaction between different safety-related parts of the control system
: Reaction time
: Indicators and alarms
: Etc.
New 13849-1 – Performance Level
PL vs PFH vs SIL
The Performance Level depends on:
: system structure and behaviour in faulty conditions
: reliability of the components used (MTTFd)
: the system's fault detection ability, defined as diagnostic coverage (DC)
: impact of systematic and common cause failures (CCF) in redundant systems
: proper selection of the safeguarding devices and the environmental impact on the system
The Performance Level describes the reliability of the safety function from the related control parts (SRP/CS).
Performance Level (PL) | Average probability of a dangerous failure per hour (1/h) | SIL (IEC 61508)
a | ≥ 10^-5 to < 10^-4 | none
b | ≥ 3 x 10^-6 to < 10^-5 | 1
c | ≥ 10^-6 to < 3 x 10^-6 | 1
d | ≥ 10^-7 to < 10^-6 | 2
e | ≥ 10^-8 to < 10^-7 | 3
SRP/CS (or a better term is Subsystems)
Figure (safety related parts of control systems, SRP/CS):
INPUTS: sensors, E-stop pushbutton, light curtain, area scanner, interlock, position switch
PROCESSING: safety control system, safety relays, hardwired logic, safety network
OUTPUTS: valve, contactor, drive, robot controller
Figure (subsystem chain): SRP/CS 1, guard sensing (physical -> electrical); SRP/CS 2, logic solving (electrical); SRP/CS 3, power switching (electrical -> physical). Each subsystem has its own required PL: PL1r ≥ PL "d", PL2r ≥ PL "d", PL3r ≥ PL "d".
"A safety function may be implemented by one or more subsystems, and several safety functions may share one or more subsystems"
Safety Data from Manufacturer
Figure: safety related stop function (using non safety rated hardware). Subsystem 1: from supplier; Subsystem 2: from supplier; Subsystem 3: DIY (PL = ?).
Design using functional safety
System Performance
Figure (pillars of system performance): Structure, Reliability, Diagnostics, Resistance, Process
: Structure (or Category) of the safety system/chain
: Reliability of the components used
: Ability to detect failures
: Resistance to common cause failures
: In addition, further measures to avoid design faults are required
Structural aspects
"The structure of a subsystem is a key characteristic having great influence on the PL"
Designated architectures: Category B, 1; Category 2; Category 3, 4
B: Components used in accordance with relevant standards, to withstand expected influences. No protection against faults.
1: Like B AND use of well tried components and safety principles. No protection against faults.
2: Like B and use of well tried safety principles. Test rate better than 100 times the demand rate. No protection against one fault. Fault detection.
3: Like B and use of well tried safety principles. Designed for protection against ONE fault. Partial fault detection.
4: Like B and use of approved safety principles. Designed for protection against TWO faults.
Reliability aspects
Mean time to dangerous failure
MTTFd is taken from the valve manufacturer, or calculated from the estimated amount of usage (B10d).
Diagnostic aspects
Estimation of Diagnostic Coverage: Overview
Table E.1 (abstract): Estimates for diagnostic coverage (DC)
Measure | DC
Input: Cyclic test stimulus by dynamic change of the input signals | 90%
Input: Plausibility check, e.g. use of normally open and normally closed mechanically linked contacts | 99%
Input: Monitoring some characteristics of the sensor (response time, range of analogue signals, e.g. electrical resistance, capacitance) | 60%
Input: Cross monitoring of inputs without dynamic test | 0%..99% (depending on signal change frequency)
Logic: Dynamic principle (all components of the logic are required to change the state ON-OFF-ON when the safety function is demanded), e.g. interlocking circuit implemented by relays | 99%
Logic: Processing unit: self test by software | 60%..90%
Output: Redundant shut-off path with monitoring of one of the actuators either by logic or by test equipment | 90%
Output: Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
General: Fault detection by process | 0%..99% (not alone for PL "e")
Diagnostic Coverage: Inputs
Measures for input devices | DC
Cyclic test stimulus by dynamic change of the input signals | 90%
Plausibility check, e.g. use of normally open and normally closed mechanically linked contacts | 99%
Cross monitoring of inputs without dynamic test | 90% to 99% depending on how often a signal change is done by the application
Cross monitoring of input signals with dynamic test if short circuits are not detectable (for multiple I/O) | 90%
Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O) | 99%
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99% depending on the application
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
Fault detection by the process | 0% to 99% depending on the application. This measure alone is not sufficient if the required performance level is "e"
Monitoring some characteristics of the sensor (response time, range of analogue signals, e.g. electrical resistance, capacitance) | 60%
Diagnostic Coverage: Logic
Measures for logic devices | DC
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99% depending on the application
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
Simple temporal time monitoring of the logic (e.g. timer as watchdog, where trigger points are within the program of the logic) | 60%
Temporal and logical monitoring of the logic by the watchdog, where the test equipment does plausibility checks of the behaviour of the logic | 90%
Start-up self-test to detect latent faults in parts of the logic (e.g. program and data memories, input/output ports, interfaces) | 90% (depending on the testing technique)
Checking the monitoring device reaction capability (e.g. watchdog) by the main channel at start-up or whenever the safety function is demanded or whenever an external signal demands it, through an input facility | 90%
Dynamic principle (all components of the logic are required to change the state ON-OFF-ON when the safety function is demanded), e.g. interlocking circuit implemented by relays | 99%
Invariable memory: signature of one word (8 bit) | 90%
Invariable memory: signature of one double word (16 bit) | 99%
Variable memory: RAM test by use of redundant data, e.g. flags, markers, constants, timers, and cross comparison of these data | 60%
Variable memory: check for readability and writeability of used data memory cells | 60%
Variable memory: RAM monitoring with modified Hamming code or RAM self-test (e.g. "galpat" or "abraham") | 99%
Processing unit: self-test by software | 60% to 90%
Processing unit: coded processing | 90% to 99%
Fault detection by the process | 0% to 99% depending on the application. This measure alone is not sufficient if the required performance level is "e"
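Two of the logic measures above, the 16-bit signature over invariable memory and the temporal plus logical program-flow monitoring by a watchdog, are shown below in an added Python illustration written for this transcript. It is not code from the presentation or from any safety controller; the memory image, the checkpoint sequence ("read_inputs", "evaluate", "write_outputs"), the cycle deadline and the use of CRC-16/CCITT as the signature are all assumptions.

```python
"""
Logic-level diagnostics: start-up signature check of invariable memory and a
watchdog that monitors the program flow logically (checkpoint order) and
temporally (cycle deadline). Constructed illustration; all values are made up.
"""


def crc16_ccitt(data, init=0xFFFF):
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), used here as the 16-bit memory signature."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


FIRMWARE = bytes(range(256)) * 4              # constructed "invariable memory" image (1 KiB)
FIRMWARE_SIGNATURE = crc16_ccitt(FIRMWARE)    # reference signature stored at build time


def startup_memory_test(image, expected_signature):
    """Start-up self-test: recompute the signature over the program memory and compare."""
    return crc16_ccitt(image) == expected_signature


class FlowMonitor:
    """Watchdog with logical and temporal program-flow monitoring.

    The main channel reports checkpoints; they must arrive in the configured order and
    each cycle must finish before the deadline, otherwise the watchdog trips and
    records why. tick() is the watchdog's own time base and catches a hung cycle."""

    def __init__(self, sequence, cycle_deadline_ms):
        self.sequence = list(sequence)
        self.deadline = cycle_deadline_ms
        self.expected_index = 0
        self.cycle_start = None
        self.tripped = None

    def checkpoint(self, name, now_ms):
        if self.tripped:
            return False
        if self.cycle_start is None:
            self.cycle_start = now_ms
        if now_ms - self.cycle_start > self.deadline:
            self.tripped = f"temporal: deadline exceeded before checkpoint {name}"
            return False
        expected = self.sequence[self.expected_index]
        if name != expected:
            self.tripped = f"logical: expected {expected}, got {name}"
            return False
        self.expected_index += 1
        if self.expected_index == len(self.sequence):   # cycle complete: re-arm
            self.expected_index = 0
            self.cycle_start = None
        return True

    def tick(self, now_ms):
        if self.tripped is None and self.cycle_start is not None \
                and now_ms - self.cycle_start > self.deadline:
            self.tripped = "temporal: cycle did not complete (hang)"
        return self.tripped is None


SEQUENCE = ("read_inputs", "evaluate", "write_outputs")


def run(events, deadline_ms=10):
    """events: list of (time_ms, checkpoint name) or (time_ms, None) for a watchdog tick.
    Returns the trip reason, or None if the flow stayed healthy."""
    wd = FlowMonitor(SEQUENCE, deadline_ms)
    for t, name in events:
        if name is None:
            wd.tick(t)
        else:
            wd.checkpoint(name, t)
    return wd.tripped


if __name__ == "__main__":
    print(startup_memory_test(FIRMWARE, FIRMWARE_SIGNATURE))
    print(run([(0, "read_inputs"), (3, "write_outputs")]))
```

The simple timer watchdog rated 60% in the table corresponds to tick() alone; adding the checkpoint-order check is what the "temporal and logical monitoring" row (90%) asks for.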
Diagnostic Coverage: Outputs
Measures for output devices | DC
Monitoring of outputs by one channel without dynamic test | 0% to 99% depending on how often a signal change is done by the application
Cross monitoring of outputs without dynamic test | 0% to 99% depending on how often a signal change is done by the application
Cross monitoring of output signals with dynamic test without detection of short circuits (for multiple I/O) | 90%
Cross monitoring of output signals and intermediate results within the logic (L) and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O) | 99%
Redundant shut-off path with no monitoring of the actuator | 0%
Redundant shut-off path with monitoring of one of the actuators either by logic or by test equipment | 90%
Redundant shut-off path with monitoring of the actuators by logic and test equipment | 99%
Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90% to 99% depending on the application
Fault detection by process | 0% to 99% depending on the application. This measure alone is not sufficient if the required performance level is "e"
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99%
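The two extremes of the redundant shut-off path rows, no monitoring (0%) versus direct monitoring of the actuators by mechanically linked contact elements (99%), are contrasted in the added Python illustration below, written for this transcript. It is not code from the presentation or from any relay or PLC vendor; the contactor model with a mechanically linked NC mirror contact in a feedback loop, the welded-contact fault and the class names are constructed assumptions.

```python
"""
Redundant shut-off path: two contactors K1 and K2 in series, each driven by its own
output channel. With monitoring, the NC mirror contacts (mechanically linked to the
main contacts) form a feedback loop that must be closed before a restart is allowed.
Constructed illustration; not vendor code.
"""
from dataclasses import dataclass


@dataclass
class Contactor:
    name: str
    coil: bool = False       # commanded by the logic's output channel
    welded: bool = False     # constructed fault: main contacts welded closed

    @property
    def main_closed(self):
        return self.coil or self.welded

    @property
    def mirror_closed(self):
        # mechanically linked NC mirror contact: guaranteed open while a main contact is closed
        return not self.main_closed


class ShutoffPath:
    def __init__(self, monitored=True):
        self.k1, self.k2 = Contactor("K1"), Contactor("K2")
        self.monitored = monitored   # False models "redundant shut-off path with no monitoring"
        self.fault = None

    def feedback_closed(self):
        """Feedback loop: both mirror contacts in series."""
        return self.k1.mirror_closed and self.k2.mirror_closed

    def power_on(self):
        """The hazard is energised only if both main contacts are closed."""
        return self.k1.main_closed and self.k2.main_closed

    def request_run(self):
        """Enable request (e.g. reset button). With monitoring, both actuators must first have
        proven the OFF state through the feedback loop; otherwise the path locks out."""
        if self.fault:
            return False
        if self.monitored and not self.feedback_closed():
            stuck = [k.name for k in (self.k1, self.k2) if not k.mirror_closed]
            self.fault = f"EDM: restart refused, {', '.join(stuck)} has not dropped out"
            return False
        self.k1.coil = self.k2.coil = True
        return True

    def request_stop(self):
        """Stop demand: de-energise both channels. Returns True if the hazard is really off."""
        self.k1.coil = self.k2.coil = False
        return not self.power_on()


def welded_contact_scenario(monitored):
    """K1 welds while running. Returns (safe state reached on stop, restart allowed, fault text)."""
    path = ShutoffPath(monitored)
    path.request_run()
    path.k1.welded = True
    safe = path.request_stop()        # K2 still opens: single fault does not lose the function
    restarted = path.request_run()
    return safe, restarted, path.fault


def accumulated_faults_unmonitored():
    """Without monitoring the welded K1 stays undetected and the machine keeps running;
    when K2 later welds too, a stop demand can no longer remove the hazard."""
    path = ShutoffPath(monitored=False)
    path.request_run()
    path.k1.welded = True
    path.request_stop()
    path.request_run()
    path.k2.welded = True
    path.request_stop()
    return path.power_on()            # True: accumulation of faults led to risk


if __name__ == "__main__":
    print(welded_contact_scenario(monitored=True))
    print(welded_contact_scenario(monitored=False))
    print(accumulated_faults_unmonitored())
```

The monitored path detects the first fault at the next demand and refuses the restart, which is what the Category 3 requirement "a single fault is detected within a reasonable time" relies on; the unmonitored path only reveals the problem once a second fault has accumulated.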
Denotation of DC
Resistance aspects
Common cause failure
"Failure causing coincident failures of two or more separate channels in a multiple channel subsystem" (relevant for Category 3, 4)
Measures against Common Cause Failure: a score of 65 is required out of a total of 100
Design process
Simplified V-model for SW lifecycle
Figure (V-model): Safety functions specification -> Safety related software specification -> System design -> Module design -> Coding -> Module testing -> Integration testing -> Validation -> Validated software. Each test stage verifies the result of the corresponding design stage (verification), and the validated software is checked against the safety functions specification (validation).
Determine PL for one Subsystem
Determine PL for a Subsystem: with the help of ISO13849-1
PL for a SRP/CS
Figure (bar chart): Performance level a to e versus MTTFd of each channel (up to 100 years), for the designated architectures from Category B to Category 3/4.
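The bar chart and the earlier PL/PFH/SIL table describe the simplified method in pictures; the added Python below works the same determination numerically. It was written for this transcript and is not code from the presentation and not Sistema's implementation. It assumes the 2006 edition of ISO 13849-1 (Table 7 with the MTTFd bands of 3/10/30/100 years and the DC bands of 60/90/99%, the channel combination and symmetrisation of Annex D, the DCavg formula of Annex E and the CCF points of Annex F); the PFH ranges come from the slide table above; the worked Category 3 subsystem (two identical channels of two blocks each) and its block values are constructed, and the handling of a DC "high" for Category 2/3 (credited as "medium") is an assumption.

```python
"""
Simplified PL determination for one subsystem after ISO 13849-1 (2006 edition).
Constructed illustration, not Sistema. MTTFd in years, DC as a fraction (0.90 = 90 %).
"""


def mttfd_band(mttfd_years):
    """MTTFd of each channel: low 3..10, medium 10..30, high 30..100 years (Table 5)."""
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years: not covered by the simplified method")
    if mttfd_years < 10:
        return "low"
    return "medium" if mttfd_years < 30 else "high"


def dc_band(dc):
    """DCavg: none < 60 %, low 60..90 %, medium 90..99 %, high >= 99 % (Table 6)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    return "medium" if dc < 0.99 else "high"


# Table 7, keyed by (category, DCavg band); value = PL for MTTFd low, medium, high.
# None = combination not covered by the simplified procedure.
_TABLE7 = {
    ("B", "none"):   ("a",  "b",  None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a",  "b",  "c"),
    ("2", "medium"): ("b",  "c",  "d"),
    ("3", "low"):    ("b",  "c",  "d"),
    ("3", "medium"): ("c",  "d",  "d"),
    ("4", "high"):   (None, None, "e"),
}

# PL -> (lower PFH bound, upper PFH bound, SIL), from the PL/PFH/SIL table in the slides.
PL_PFH_SIL = {
    "a": (1e-5, 1e-4, None), "b": (3e-6, 1e-5, 1), "c": (1e-6, 3e-6, 1),
    "d": (1e-7, 1e-6, 2),    "e": (1e-8, 1e-7, 3),
}

# Annex F measures against common cause failure and their points (65 of 100 required).
CCF_POINTS = {
    "separation": 15, "diversity": 20, "protection_overvoltage_etc": 15,
    "well_tried_components": 5, "fmea_assessment": 5, "competence_training": 5,
    "emc_protection": 25, "other_environmental_influences": 10,
}


def channel_mttfd(block_mttfds):
    """Blocks in series: 1/MTTFd_C = sum(1/MTTFd_i); each channel is capped at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m in block_mttfds))


def symmetrise(c1, c2):
    """Two redundant channels with different MTTFd (Annex D.2), capped at 100 years."""
    return min(100.0, 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2)))


def dc_avg(blocks):
    """blocks: (MTTFd, DC) of every block in all channels. DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    return sum(dc / m for m, dc in blocks) / sum(1.0 / m for m, _dc in blocks)


def ccf_score(measures_met):
    """Only full points per measure count, as in Annex F."""
    return sum(CCF_POINTS[m] for m in measures_met)


def determine_pl(category, mttfd_years, dcavg, ccf_points=None):
    """PL of a subsystem by the simplified procedure; None when the combination is not covered."""
    category = str(category)
    if category in ("2", "3", "4") and ccf_points is not None and ccf_points < 65:
        return None                      # CCF requirement not met for a tested/redundant structure
    band = "none" if category in ("B", "1") else dc_band(dcavg)
    if category in ("2", "3") and band == "high":
        band = "medium"                  # assumption: Table 7 has no DC-high column for Cat 2/3
    row = _TABLE7.get((category, band))
    if row is None:
        return None
    return row[("low", "medium", "high").index(mttfd_band(mttfd_years))]


def pl_from_pfh(pfh):
    """Map an average PFH (1/h) to a PL using the ranges of the slide table."""
    for pl, (lo, hi, _sil) in PL_PFH_SIL.items():
        if lo <= pfh < hi:
            return pl
    return None


def example_subsystem():
    """Constructed Category 3 subsystem: two identical channels, two blocks each."""
    channel = [(60.0, 0.90), (40.0, 0.99)]            # (MTTFd years, DC) per block
    c1 = c2 = channel_mttfd([m for m, _ in channel])
    mttfd = symmetrise(c1, c2)
    dcavg = dc_avg(channel + channel)
    ccf = ccf_score(["separation", "diversity", "protection_overvoltage_etc",
                     "fmea_assessment", "emc_protection"])
    return mttfd, dcavg, ccf, determine_pl("3", mttfd, dcavg, ccf)


if __name__ == "__main__":
    m, dc, ccf, pl = example_subsystem()
    print(round(m, 3), round(dc, 3), ccf, pl)   # 24.0 0.954 80 d
```

The constructed subsystem lands on MTTFd 24 years (medium), DCavg 95.4% (medium) and a CCF score of 80, which Table 7 rates PL d for Category 3; dropping the CCF score below 65 removes the claim entirely, which is the point of the "Resistance" pillar earlier in the deck.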
Safety related stop function (example)
Figure: Subsystem 1, Subsystem 2 and Subsystem 3, each built from two channels (I1/L1/O1 and I2/L2/O2), each Cat. 4, PL "e".
Achieved safety level
Figure: required safety level PLr versus achieved safety level PL (a to e).
Sistema Intro
Ian Brough, SICK Inc.
What is Sistema?
: “Safety Integrity Software Tool for the Evaluation of Machine Applications”
: Software tool for implementation of EN ISO 13849-1
- Understanding of this standard required for proper use of Sistema
: Created by BGIA (German Institute for Occupational Safety)
- Responsible for testing and certification according to European guidelines/national laws
: Free to download and use
Why use Sistema?
: Verify safety design meets criteria of 13849-1
: Software automatically calculates reliability values
- Limits the need to look up tables
- Limits hand calculations of MTTFd, DCavg, PL, etc
: Documentation
: Can be tied to risk assessment, product data sheets, standards, validation
- Separate documents, but linked
- Creates an ‘all-inclusive’ project
Components of a Sistema Project
: A project consists of:
- Safety Functions
- Subsystems
- Channels
- Test channels (for CAT2 applications only)
- Blocks
- Elements
What is a Safety Function?
: Safety functions reduce or eliminate risks/hazards identified in risk assessment
: Defines how the risk is to be reduced by engineering controls
: Defined for each hazard not eliminated by design
- Permanent hard guards for instance are not considered by Sistema
: Consists of
- Triggering event
- Reaction of machine
- Safe state achieved
Types of Safety Functions
: Initiating a stop: a safety-related stop function places the machine in a safe state (e.g. approach of a person or opening an interlocked door with no locking device)
: Manual reset: reset of the protective device to prepare for restarting of the machine
Types of Safety Functions Continued
: Preventing re-start: after initiating a stop, starting the machine is prevented by technical measures as long as people are in the hazardous area
: Muting: allows materials to move in/out of the hazardous area; however, people are detected
Types of Safety Functions Continued
: Enabling device: when safety functions are temporarily disabled for setup or process monitoring (limit speed, power, duration of movement)
: Local control: monitoring machine parameters for safety related limits (e.g. position, speed, temperature, pressure)
Performance Level of Safety Function
: PLr of the safety function can be entered manually directly from the risk assessment or determined from the risk graph
: ISO 13849-1 Annex A provides some informative guidance
: The PL achieved by the safety function is determined by the subsystems
What is a Subsystem?
: A subsystem can be one of two things:
- A single safety component with PL, PFH, and Category stated by device manufacturer
▪ Also called an encapsulated subsystem
▪ This includes safety relays, safety light curtains, non-contact safety interlocks, etc
- A group of ‘blocks’ which need to be evaluated to determine PL, PFH, and category (such as combinations of non-safety rated devices)
Subsystem Structure
: Each safety function can typically be broken down into three types of subsystems
- Input: light curtains, interlocks, e-stops, etc
- Logic: safety relay, safety PLC, safety controller
- Output: final switching element, motor contactors, valves
: In applications where input devices are daisy chained together, each device is considered to be a subsystem of a single safety function
: When input devices are not daisy chained but are connected to the same logic and output devices, each input/logic/output would be a separate safety function
Adding an Encapsulated Subsystem
: When using a safety component (encapsulated subsystem), the relevant data can be:
- Entered manually
- Imported from a library
Adding Libraries
: Links to Sistema libraries can be found on the IFA website
: Libraries must be saved in the proper folder to easily access them while working on a project
Adding Non-Encapsulated Subsystems
: If a subsystem does not have a performance level stated by the manufacturer, the PL must be determined by:
- Category (safety related architecture)
- MTTFd
- DCavg
- CCF
Category of Subsystem
: Category B or 1
- The only difference between these is that for CAT1, well-tried components and safety principles must be used
- Simple/single channel
▪ No failure detection. A fault will result in risk.
Category of Subsystem Continued
: Category 2
- Same requirements as B and:
▪ Well tried safety principles must be applied
▪ Safety function must be tested at a suitable interval
- Single channel with monitoring
▪ Failures detected by a test
▪ Risk between occurrence of failure and next test
Category of Subsystem Continued
: Category 3
- Same requirements as B and:
▪ Well tried safety principles must be applied
▪ Safety related parts designed so that:
▪ 1) a single fault does not lead to loss of safety function
▪ 2) the single fault is detected within a reasonable time
- Dual channel with monitoring:
▪ Safety function retained in case of failure
▪ Failure detected when:
▪ 1) safety function is used
▪ 2) by the next test
▪ Accumulation of faults leads to risk
Category of Subsystem Continued
: Category 4
- Same requirements as B and:
▪ Well tried safety principles must be applied
▪ Safety related parts designed so that:
▪ 1) a single fault does not lead to loss of safety function
▪ 2) the single fault is detected at or before the next demand of the safety function
▪ 3) accumulation of faults must not lead to risk if first fault not detected
- Dual channel with multiple fault monitoring
MTTFd for Subsystem
: If the subsystem has a stated MTTFd value, it can be entered directly
: Some faults can be excluded (examples in ISO 13849-2 Annex C)
: If value is not available and cannot be excluded, ‘blocks’ will determine value
DCavg for Subsystem
: If the subsystem has a stated DCavg value, it can be entered directly
: If value is not available and cannot be excluded, ‘blocks’ will determine value
Relation between MTTFd, CAT and DCavg
CCF for Subsystem
: To account for Common Cause Failure, measures must be taken to reach a minimum ‘point’ level
Channels of Subsystem
: If the MTTFd and/or DCavg cannot be determined at the subsystem level, the subsystem will be subdivided into ‘channels’ to evaluate the ‘blocks’
: The number and types of ‘channels’ depend on the category structure of the subsystem
: Sistema automatically creates these ‘channels’
Channel | CAT B/1 | CAT 2 | CAT 3 | CAT 4
Channel 1 | X | X | X | X
Channel 2 | | | X | X
Test Channel | | X | |
Blocks of a Channel
: A ‘channel’ may consist of one or more ‘blocks’
: These are components that may be in Sistema libraries
: Include mechanical interlocks, e-stops, electrical products (drives, motors, etc.), hydraulic products, and more
MTTFd for Blocks
: If the ‘block’ component has a stated MTTFd value, it can be entered directly
: Some faults can be excluded (examples in ISO 13849-2 Annex C)
: If value is not available and cannot be excluded, ‘elements’ will determine value
DCavg for Blocks
: If the ‘block’ has a stated DCavg value, it can be entered directly
: If the value is not available and cannot be excluded, measures can be selected from a built-in Sistema library or ‘elements’ will determine the value
Elements of a Block
: An ‘element’ is the smallest subdivision of a subsystem
: An electromechanical ‘block’, for instance, may be broken down into a couple of elements
- E-stop button: mechanical and contact block elements
- Mechanical switch: mechanical and electrical elements
: ‘Elements’ may also include;
- Contactors
- Position switches
- Any component with a B10 value
MTTFd for Elements
: At the ‘element’ level, an MTTFd value must be determined if the fault cannot be excluded
: Either the MTTFd value can be entered directly, or it can be determined based on the known B10 value
: If the B10 value is not known, it can be estimated when using the ‘good engineering practice’ method
MTTFd for Elements Continued
: Once the B10 value has been entered, the ‘nop’ (number of annual operating cycles) must be calculated
: Based on the ‘nop’ and the B10 value, the MTTFd value is calculated
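The B10 route sketched in the last two slides (and in the earlier "Mean time to dangerous failure" slide) is the following calculation from ISO 13849-1 Annex C: nop = dop x hop x 3600 / tcycle and MTTFd = B10d / (0.1 x nop), with T10d = B10d / nop as the time after which the element must be replaced if it is shorter than the mission time. The Python below is an added illustration written for this transcript, not Sistema's code; the two elements of the constructed block (a contactor K1 and an auxiliary relay K3 in the same channel), their B10d values, the operating profile (220 days, 16 h, one cycle per 60 s), the 50% dangerous-failure assumption for B10 and the 20-year mission time are assumptions.

```python
"""
B10d route to MTTFd for electromechanical elements (ISO 13849-1 Annex C) and the
MTTFd of a block formed from its elements. Constructed illustration, not Sistema.
    nop   = dop * hop * 3600 / tcycle     operations per year
    MTTFd = B10d / (0.1 * nop)            years
    T10d  = B10d / nop                    years (replace the element when T10d < mission time)
"""
MISSION_TIME_YEARS = 20.0   # ISO 13849-1 assumes 20 years of use (assumption stated in the lead-in)


def nop_per_year(dop_days, hop_hours_per_day, tcycle_seconds):
    """Mean number of annual operations: dop * hop * 3600 s/h / tcycle."""
    return dop_days * hop_hours_per_day * 3600.0 / tcycle_seconds


def b10d_from_b10(b10_cycles, dangerous_fraction=0.5):
    """If only B10 is known: B10d = B10 / fraction of dangerous failures.
    With no better information 50 % is assumed, i.e. B10d = 2 * B10."""
    return b10_cycles / dangerous_fraction


def mttfd_from_b10d(b10d_cycles, nop):
    """Element MTTFd in years from B10d and annual operations."""
    return b10d_cycles / (0.1 * nop)


def t10d_years(b10d_cycles, nop):
    """Time after which 10 % of the elements are expected to have failed dangerously."""
    return b10d_cycles / nop


def block_mttfd(element_mttfds):
    """Elements in series inside one block: 1/MTTFd_block = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in element_mttfds)


def evaluate_block(elements, dop_days, hop_hours_per_day, tcycle_seconds):
    """elements: {name: B10d in cycles}. Returns nop, per-element (MTTFd, T10d), the block
    MTTFd and the elements whose T10d is shorter than the mission time."""
    nop = nop_per_year(dop_days, hop_hours_per_day, tcycle_seconds)
    per_element = {name: (mttfd_from_b10d(b10d, nop), t10d_years(b10d, nop))
                   for name, b10d in elements.items()}
    replace = [name for name, (_m, t10d) in per_element.items() if t10d < MISSION_TIME_YEARS]
    return {
        "nop": nop,
        "elements": per_element,
        "block_mttfd": block_mttfd(m for m, _t in per_element.values()),
        "replace_before_mission_end": replace,
    }


def example_block():
    """Constructed example: contactor K1 (B10d 1 300 000 cycles) and auxiliary relay K3
    (B10d 1 000 000 cycles) in one channel; 220 days/year, 16 h/day, one cycle every 60 s."""
    return evaluate_block({"K1": 1_300_000, "K3": 1_000_000},
                          dop_days=220, hop_hours_per_day=16, tcycle_seconds=60)


if __name__ == "__main__":
    r = example_block()
    print(r["nop"], round(r["block_mttfd"], 1), r["replace_before_mission_end"])
```

At one cycle per minute the constructed elements reach nop = 211 200 operations a year; both individual MTTFd values look comfortable (about 62 and 47 years), but the block they form is only about 27 years, and both T10d values (about 6 and 5 years) fall well short of the 20-year mission time, so the report has to carry a replacement interval for them.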
DCavg for Elements
: If the ‘element’ has a stated DCavg value, it can be entered directly
: If the value is not available and cannot be excluded, measures can be selected from a built-in Sistema library
Status Summary
: As data is entered, the summary chart is continuously updated
: Achieved performance level of the safety function is compared to the PLr
Project Tree and Status Messages
: Displays the structure of the project including all safety functions, subsystems, channels, blocks, and elements
: Provides status of each project component
- Fatal error
- Warning/informative
- All requirements met
: Status messages
Additional Documentation
: Within each section, additional documentation can be provided, such as:
- Risk assessment
- Product datasheets
- Fault exclusion reasoning
: Information can be manually typed into the provided field
: Complete documents can be linked
- Documents are not embedded into the project
- If a document is moved, the link must be updated
Generate Report
: After adding all safety functions, a report can be generated to summarize the project, to be stored with the machine
: Thank you very much for your attention.
Ian Brough SICK Inc.
Cell: 612-859-3428