SEMI Headquarters 3081 Zanker Road City, State/Country: San Jose, CA, USA San Jose, CA, USA Leader(s):

Transcription

1 Background Statement for SEMI Draft Document 5000 REVISION TO SEMI S2, ENVIRONMENTAL, HEALTH, AND SAFETY GUIDELINE FOR SEMICONDUCTOR MANUFACTURING EQUIPMENT Addition of Related Information to S2: Selection of Interlock Reliability Notice: This background statement is not part of the balloted item. It is provided solely to assist the recipient in reaching an informed decision based on the rationale of the activity that preceded the creation of this Document. Notice: Recipients of this Document are invited to submit, with their comments, notification of any relevant patented technology or copyrighted items of which they are aware and to provide supporting documentation. In this context, patented technology is defined as technology for which a patent has issued or has been applied for. In the latter case, only publicly available information on the contents of the patent application is to be provided. Background This Related information is being added to create awareness on the selection of the reliability of interlocks. Original also examples would be added, but because there is now a joint working commission of the standards mentioned in this RI working on examples they will be added later. Details how to design and calculate reliability of interlocks is not covered and can be found in the referenced standards. Review and Adjudication Information Task Force Review Committee Adjudication Group: S2 Interlock Reliability TF NA EHS Committee Date: Monday, April 2, 2012 Thursday, April 5, 2012 Time & Timezone: , Pacific Time , Pacific Time Location (tentative): SEMI Headquarters SEMI Headquarters City, State/Country: San Jose, CA, USA San Jose, CA, USA Leader(s): Bert Planting (ASML) Tom Pilz (Pilz Automation) Chris Evanston (Salus) Sean Larsen (Lam Research AG) Eric Sklar (Safety Guru, LLC) Standards Staff: Paul Trio (SEMI NA) ptrio@semi.org James Beasley (ISMI) Paul Trio (SEMI NA) ptrio@semi.org This meeting s details are subject to change, and additional review sessions may be scheduled if necessary. Contact the task force leaders or Standards staff for confirmation. Telephone and web information will be distributed to interested parties as the meeting date approaches. If you will not be able to attend these meetings in person but would like to participate by telephone/web, please contact Standards staff.

2 Safety Checklist for SEMI Draft Document 5000 REVISION TO SEMI S2, ENVIRONMENTAL, HEALTH, AND SAFETY GUIDELINE FOR SEMICONDUCTOR MANUFACTURING EQUIPMENT Addition of Related Information to S2: Selection of Interlock Reliability Developing/Revising Body Name/Type: S2 Interlock Reliability Task Force Technical Committee: EHS Region: Europe / North America Leadership Position Last First Affiliation Leader Planting Bert ASML Leader Pilz Tom Pilz Automation Standards used: 1. ISO : Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design (ISO :2006, IDT) 2. IEC 61062: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems 3. EN 954-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design Note: this has been succeeded by the ISO European ATEX directive: 94/9/EG 5. IEC_TR_ : Guidance on the application of ISO and IEC in the design of safety related control systems 6. SEMI S10: Safety guideline for Risk assessment and risk evaluation process. Team member Name Company Bert Planting (TF-leader) ASML Bert.Planting@ASML.com Thomas Pilz Pilz GmbH & Co. KG t.pilz@pilz.de Brian McMorris SICK, Inc. Brian.McMorris@sick.com Mark Fessler Tokyo Electron mark.fessler@us.tel.com Contributors Name Company Eric Sklar Safety Guru sklar@safetyguru.com Cliff Greenberg Nikon cgreen@nikon.com Ken Mills Estec Solutions kmills@estecsolutions.com Joe Barsky Lewis Bass Int. joe.barsky@lewisbass.com Sean Larsen Cymer splarsen@gmail.com

3 Mark Frankfurth Cymer Ken Kapur KLA-Tencor Matthew Grinn TEL Shigehito Ibuka TEL Paul Kelly Estec Solutions Carl Wong AKT Debbie Sawyer Semitool Lauren Crane KLA Sunny Rai Intertek Alan Crockett KLA-Tencor Ron Birrel TUV-Sud Horrey Hum ESTEC solutions Steve Baldwin Lewis Bass Sandeep Bendale Lewis Bass Raymond McDaid Lam Research Alan Krov TEL David Saxton TUV Mark Bogner TUV-Sud Kyle Lebouitz Xactix Paul Breder ESTEC solutions Byron Yakimov Cymer Ron Macklin R.Macklon assoc Joe Basky Intertek Samir Sleiman Chris Evenston Salus Mark Bogner TUV Sud Lindy Austin Salus Alan Crocket KLA Ron Birrell TUV Sud Ken Kuwatani TUV Sud Rich Petronio VEECO Ton Vang LAM Nigusu Ergete Intertek/GS3 Paul Breder Estec Raymond McDaid LAM Research

4 Background Statement for SEMI Draft Document 5000 REVISION TO SEMI S2, ENVIRONMENTAL, HEALTH, AND SAFETY GUIDELINE FOR SEMICONDUCTOR MANUFACTURING EQUIPMENT Addition of Related Information to S2: Selection of Interlock Reliability R1-1 Purpose: R1-1.1 Explain how several different standards on interlocks reliability are related and how they determine the reliability performance of a safety interlock. This RI also provides a comparison among the definitions of reliability levels in the several standards. R1-2 Limitations R1-2.1 This RI does not provide details of calculations that determine the reliability of an interlock system. R1-3 Referenced Standards and Documents ISO Safety of machinery Safety-related parts of control systems Part 1: General principles for design (ISO :2006, IDT) IEC Safety of machinery Functional safety of safety-related electrical, electronic and programmable electronic control systems EN Safety of machinery Safety-related parts of control systems Part 1: General principles for design NOTE 1: EN this has been succeeded by the ISO European ATEX directive 94/9/EG IEC_TR_ Guidance on the application of ISO and IEC in the design of safety related control systems IEC Safety of machinery Electro-sensitive protective equipment IEC Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems SEMI S10 Safety guideline for Risk assessment and risk evaluation process R1-4 Introduction R1-4.1 Interlocks are used to reduce risk of harm to people. Several standards require different levels of reliability of an interlock depending on the risk. Risk is evaluated on several factor like: frequency people are expected to be harmed the severity of the harm whether there is a possibility to notice the risk and avoid the harm There are several standards that describe what reliability is required of an interlock. Other standards (e.g., robot standards) refer to these basic reliability standards for required reliabilities. R1-4.2 This RI is limited to the selection of the reliability. Information about how reliability can be determined or calculated can be found in the referenced standards. R1-4.3 Depending on the standard the criteria for the interlock selection is based on harm to people sometimes combined with damage to equipment/installations. R1-5 Relation SEMI S10 and Interlock reliability selection R1-5.1 SEMI S10 is used for risk identification, ranking and evaluation. When there is a risk identified that needs mitigation of the risk (e.g. S10 risk-ranking is medium or higher) several options are possible (e.g. change design, Page 1 Doc SEMI

5 add protection, use interlocks, ). If the mitigation is done by using interlocks these should have a reliability level that is suitable for the mitigation that is required. R1-5.2 After the mitigation has been implemented a new risk assessment should be carried out. Remark* Interlock reliability should be based on the risk. The standards ISO13849 and IE61062 are 2 possible ways how to determine a required reliability level Figure R1-1 Relation SEMI S10 and interlock selection Page 2 Doc SEMI

6 R1-6 Selection of the interlock system standard R1-6.1 Because there are many types of interlocks, each standard has its own application and use. Standard Typical use Components covered Remarks ISO 13849: Safety of machinery - Safetyrelated parts of control systems IEC 61062: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems EN 954-1: Safety of machinery - Safetyrelated parts of control systems - Part 1: General principles for design European ATEX directive: 94/9/EG Calculation of the reliability of individual components and a complete Interlock control systems Calculation of the reliability of a complete Interlock control systems Reliability based on component reliability and architecture of the safety system Defines reliability levels for components that need to be used in explosive atmospheres All electromechanical, electrical, valves, control systems Electromechanical, control system All electromechanical, electrical, valves, control systems Special requirements for components that need to be used in explosive atmospheres ISO provides info how to calculate reliability of all types of components Used for complete systems qualification this has been succeeded by the ISO Components used in explosive atmospheres need to be CE marked R1-7 Interlock selection based on ISO This standard uses a decision tree to estimate the required performance level for the interlock design. Before the risk estimation can be done it is important to clearly understand the hazard scenario which exists if the safety function was not available (fails). Remember that risk reduction by other technical measures independent of the control system (e.g. mechanical guards, administrative controls, LOTO, PPE, etc.) can be taken into account in determining PLr. There are 3 parameters that the safety review team needs to know about, related to the machinery hazards during operation, maintenance and service, in order to determine the required Performance Level. Severity of the injury (S) S1: Slight, normally reversible injury S2: serious, normally irreversible injury or death Frequency or exposure to the hazard (F) F1: Seldom to less-often and/or exposure time is short F2: frequent-to-continuous and/or exposure time is long Possibility of avoidance the harm or limiting the harm (P) P1: Possible under specific conditions P2: Scarcely possible NOTE 2: Although the standard is using and/or in its definition for frequencies, the SEMI working group believes these should be: F1: Seldom to less-often and exposure time is short F2: frequent-to-continuous or exposure time is long Page 3 Doc SEMI

7 Figure R1-2 ISO Decision Tree R1-7.1 The reliability in the ISO is expressed in performance levels (PL) a, b, c, d or e with increasing reliability. These five discrete levels (a, b, c, d and e) are then used to specify the minimum design requirements for the safety related parts of a control system (e.g. a safety interlock) to ensure they perform their function under foreseeable use / mis-use conditions. This must be done for each safety function, but remember it is not just electrical interlocks, it is required for pneumatic, hydraulic and mechanical interlocks as well : R1-7.2 The initial estimation (per Figure R1-2) of the required performance level for the interlock s design is only the beginning of the total design process. The design engineer(s) must first assess how robust he/she is going to build the safety control system for mitigating the hazard as previously defined in the safety teams PLr. This important decision is based upon 3 things: How will the structural layout of the control system be chosen? Will the safety control system have any monitoring / fault detection? How will the component reliability requirements be chosen/met? R1-7.3 The standard introduces 4 parameters that the designers will need to know about their safety interlock circuit / control system in order to determine the achieved Performance Level (PL): R Control System Category R This is the classification of the safety interlock s architecture based on the structural arrangement of parts, fault detection and the component reliability of the parts selected. These control categories were originally defined in EN954-1 (e.g., CAT B, CAT 1, CAT2, CAT 3 and CAT4). R MTTF d R Mean Time to a Dangerous Failure (in years). The re MTTF d is the average time in which a failure that would lead to a dangerous situation occurs in the interlock circuit. The MTTF d is considered to be Low (between 3 to 10 years), Medium (between 10 and 30 years) or High (more than 30 Years). R DC avg Average Diagnostic Coverage (%) R The DC avg is the % proportion of dangerous failures that can be detected by the safety interlock s design (SRP/CS), compared to all of conceivable dangerous failures that exist - both detectable and undetectable failures. It is determined by how frequently and accurately the system performs some self-diagnosis, and what it actions it takes if it senses something wrong. The DC is considered to be: not available (< 60%), Low ( 60% <90%), Medium ( 90% - <99%) or High ( 99% detected). Page 4 Doc SEMI

8 R CCF Common Cause Failure R CCF can be simply thought of as an indicator of whether or not sound engineering practices were followed to ensure parallel channels of the safety interlock is not damaged by common causes. ISO uses a standard PASS/FAIL checklist is used to help designer to justify if they have included basic considerations to prevent common failures. Having technical measures for avoiding CCF is required for designer justifying the SRP/CS to CAT 2, 3 or 4 architectures, but CCF is simply not relevant for single channels CAT B or CAT 1. R1-7.4 ISO then uses complex mathematical techniques with intelligent grouping to estimate the safety interlock s achieved performance level based on theses 4 basic interlock design factors. Figure R1-3 Overview of ISO Design Validation Process R1-7.5 The standard provides a both a tabular (refer to Table R1-1 below) and graphical way to estimate the achieved PL of a single channel. Design validation occurs when the achieved PL is greater than or equal to required performance level (PL r ). If this is not the case, then a design modification or iteration is necessary. Table R1-1 Simplified relation between Pl and Category levels Average Diagnostic coverage (DC avg ) Main Time To dangerous Failure (MTTF d ) Low Medium High Simplified relation between the achieved PL and the other 4 design parameters Category B None None Low Medium Low Medium High a b Not covered Not covered Not covered a b b d b c c d Not covered Not covered c c d d d e NOTE 3: More detailed information about comparison between performance levels and the design parameters of the safety interlock can be found in ISO Page 5 Doc SEMI

9 R1-8 Interlock selection based on IEC R1-8.1 This standard uses severity of harm (Se); and a class (Cl) for probability of occurrence of the harm. R1-8.2 Severity (Se) is divided in 4 levels, as is shown in Table R1-1: Table R1-2 Severity levels (Se) Severity level 1 Reversible: requiring first aid only Consequence 2 Reversible injury, including severe lacerations, stabbing, and severe bruises that requires attention from a medical practitioner. Reversible: requiring attention from a medical practitioner 3 Irreversible injury such that it can be possible to continue work after healing. It can also include a severe major but reversible injury such as broken limbs 4 Irreversible: death, losing an eye or limb R Class of probability of occurrence of harm (Cl) is a function of: Frequency and duration of the exposure of persons to the hazard (Fr) 7.2.2, Probability of occurrence of a hazardous event arising from human and machine behavior (Pr ) 7.2.3; Probability of avoiding the risk or limiting the harm (Av) R Frequency and duration of the exposure of persons to the hazard R Frequency and duration of the exposure of persons to the hazard is based on how often persons are exposed and the time people are exposed. Table R1-2 provides the values of Fr for various frequencies and durations R The frequency of exposures is divided into 5 levels of time between exposures R The duration of people are exposed to the hazard is divided into 2 levels: < 10 minutes per occurrence and >= 10 minutes per occurrence. Table R1-3 Frequency and duration of Exposure (Fr) Frequency (time between exposures) Duration < 10 Min. Duration > 10 min 1 hour 5 5 > 1hour to 1 day 4 5 > 1 day to 2 weeks 3 4 > 2 weeks to 1 year 2 3 > 1 year 1 2 R Probability of occurrence of a hazardous event arising from human and machine behavior (Pr) this factor is an estimation on the behavior of the machine and foreseeable characteristics of human behavior. R The machine behavior will vary from very predictable to not predictable but unexpected events cannot be discounted. Predictability of the behavior of component parts of the machine relevant to the hazard in different modes of use (e.g. normal operation, maintenance, fault finding). R Characteristics of human behavior that should be taken in account include stress, lack of awareness. These are influenced by factors such as skills, training, experience and complexity of the machine. NOTE 4: Skills and training should be stated in the documentation for use. Table R1-4 Probability classification Probability of occurrence Probability of occurrence factor (Pr) Very High 5 Likely 4 Possible 3 Page 6 Doc SEMI

10 Rarely 2 Negligible 1 R Probability of avoiding or limiting the harm (Av) This factor can be estimated taken into account aspects of the machine like sudden, fast or slow appearance of the hazardous event, clearances to with draw from the hazard and nature of the system (e.g. cutting machine will have a sharp edge, heating system will have hot surfaces, ) and the possibility of recognition of the hazard (electrical hazard can only be recognized by using a meter, noise when a motor starts). Table R1-5 Probability of avoiding or limiting harm Probability of avoiding or limiting harm Probability of avoiding or limiting harm factor (Av) Impossible 5 Rarely 3 Probable 1 R Each probability functions get a rating and the class of probability of occurrence of harm (Cl) is the sum of frequency and duration (Fr), probability of occurrence (Pr) and possibility of avoidance (Av). Cl = Fr + Pr + Av R The l SIL requirement is given in table 5. Table R1-6 SIL requirement Severity Class SIL 2 SIL 2 SIL 2 SIL 3 SIL 3 3 #1 SIL 1 SIL 2 SIL 3 2 #1 SIL 1 SIL 2 1 #1 SIL 1 #1 For these levels other measures may be appropriate (e.g. PL a) R1-8.3 The calculation of the SIL levels will be based on the architecture of the design and the reliability data of the chosen components. Details can be found in IEC R1-9 Interlock selection based on EN R1-9.1 This section is for reference only because EN has been replaced by ISO R1-9.2 The hardware requirements of EN were based on hardware and fault tolerance. R1-9.3 Required interlock reliability is determined in a decision diagram using severity of possible harm, frequency of exposure and the possibility of avoidance. R1-9.4 Definition of severity, frequency and possibility of avoidance are identical to the ISO (see R1-6.1) Page 7 Doc SEMI

11 R1-10 Other standards that might be useful: Figure R1-4 Interlock category selection based on EN R The European legislation for Explosive Atmospheres (ATEX) also defines reliability of the components which can be used in areas with an explosion risk. This risk assessment is based on substances used and time a hazardous atmosphere is present. Details on the requirements for can be found in R IEC series provides information and requirement if PLC and logic is used. Preferably a software application used in safety should be approved by a notified body against this standard. R IEC provides information on safety components using Electro-sensitive protective equipment (e.g. light curtains) and their relation with ISO and IEC R1-11 Comparison between the different reliability levels R The IEC_TR_ provides more information comparing the ISO and IEC and provides an introduction to calculation of reliability levels. PFH d is an estimated data point (parameter) of a subsystem that does take into account the contribution of factors such as diagnostics, proof of test interval, resistance to common cause failure and control system architecture (structure). Besides the Average Probability of a PFH d, there are some additional estimations are still necessary to determine the achieved performance level. It is not all about probability mathematics. Table R1-7 Relationship between SIL s and Performance Levels Performance Level (PL) Average probability of a dangerous failure per hour (1/h); PFH d Safety Integrity Level (SIL) a 10-5 to < 10-4 Not defined b 3*10-6 to < c 10-6 to < 3* d 10-7 to < e 10-6 to < Page 8 Doc SEMI

12 NOTICE: Semiconductor Equipment and Materials International (SEMI) makes no warranties or representations as to the suitability of the Standards and Safety Guidelines set forth herein for any particular application. The determination of the suitability of the Standard or Safety Guideline is solely the responsibility of the user. Users are cautioned to refer to manufacturer s instructions, product labels, product data sheets, and other relevant literature, respecting any materials or equipment mentioned herein. Standards and Safety Guidelines are subject to change without notice. By publication of this Standard or Safety Guideline, SEMI takes no position respecting the validity of any patent rights or copyrights asserted in connection with any items mentioned in this Standard or Safety Guideline. Users of this Standard or Safety Guideline are expressly advised that determination of any such patent rights or copyrights, and the risk of infringement of such rights are entirely their own responsibility. Page 9 Doc SEMI