
Operating Mode Selection in Conjunction with Functional Safety
Safety Integrated
https://support.industry.siemens.com/cs/ww/en/view/89260861
Siemens Industry Online Support

Siemens AG 2017 All rights reserved

This entry is from the Siemens Industry Online Support. The general terms of use (http://www.siemens.com/terms_of_use) apply.

Security Information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions only form one element of such a concept.

The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary, and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.

Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available and always using the latest product versions. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer's exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at http://www.siemens.com/industrialsecurity.

Contents
1 Introduction
2 Realization of the Operating Mode Selection with Mainly Technical Measures for Risk
2.1 Example with Two Operating Modes
2.2 Analysis and Results
2.3 Statutory Requirements and Standards
2.4 Structuring of the Automation System
3 C Standards

Entry ID: 89260861, V1.0, 09/2017

1 Introduction

Operating mode selection and risk assessment

The operating mode selection is an elementary component of many machines and plants. In the case of safety-related applications, each operating mode can harbor the potential risk of endangering the personnel. In assessing the risk of a machine you must determine and analyze the endangerment risk of each operating mode and each switchover separately.

Aim with respect to functional safety

The aim of implementing the operating mode selection with respect to functional safety is that each operating mode as such fulfills the corresponding safety requirements.

Risk reduction measures

If risk reduction measures are necessary for an operating mode, these must be taken. The measures considered here are:
1. Constructive
2. Technical
3. Organizational
The options for implementing the measures are to be examined in this order.

Safety functions in the operating modes

In practice, technical measures (safety functions) play an important role in reducing risks. Because personnel perform different activities at or with a machine, the same safety functions are not always suitable for all operating modes. Some might even be obstructive or completely unsuitable for the operations to be performed in one operating mode or the other.

Example: In a "Setup" mode, the necessary operations cannot be performed outside a safety enclosure.

During risk assessment it is the responsibility of the configuration engineer to define measures to counteract the potential dangers in each operating mode. The practical implementation consists of realizing the appropriate safety functions in combination with the operating mode concerned. Here, the configured safety functions can be selected and deselected for each operating mode.

Questions and answering procedures

The above poses the question of which requirements are to be fulfilled for the operating mode selection. The following points are to be clarified:
- Is the operating mode selection a safety measure in itself, or does it influence the safety functions?
- What requirements result for the components of the operating mode selection, and how are these to be considered under the aspects of functional safety?

2 Realization of the Operating Mode Selection with Mainly Technical Measures for Risk

2.1 Example with Two Operating Modes

This chapter describes a safety concept that includes technical measures (safety functions) in the separate operating modes in order to reach an acceptable level of remaining risk. The figure below shows the results for two operating modes and their transition.

Figure 2-1: Simplified results of a risk assessment for the same risk in two different operating modes
1: Automatic. Starting point: original risk. Limit for acceptable level of remaining risk. Constructive protective measures. Risk reduction through technical measures (safety door monitoring). End point: remaining risk.
2: Setup. Starting point: original risk. Limit for acceptable level of remaining risk. Constructive protective measures. Risk reduction through technical measures (manual approval). End point: remaining risk.

2.2 Analysis and Results

Analysis

Both operating modes use different technical and organizational measures to reduce the same risk. The fail-safe automation system manages all the technical risk reduction measures in all operating states, and the interlock and proper transition (switchover) of the operating modes are also ensured by the safety program. Errors or faults in the input elements do not lead to increased risk, even where technical measures of differing safety quality levels are involved, for the following reasons:
- The selected operating mode defines the risk coming from the machine. Switching the operating mode thus leads to switching of the safety function, because one or more safety functions are assigned to each risk in order to achieve adequate risk reduction.
- If the conditions necessary for the safety function are not given (safety door open, for example), the safety program takes over control. The relevant safety functions prevent selection of the operating mode because the conditions are not met and therefore no safe state would exist in the requested operating mode.
- The relevant safety functions are always executed in the safety program of a fail-safe controller and therefore comply with the corresponding SIL/PL requirements regardless of the operating mode selector switch.
- The selected operating mode is also displayed.

Results

The operating mode selection itself is not a safety measure. However, an operating mode switchover can affect plant safety. If the proper transition between operating modes is monitored in the safety program of a fail-safe controller (safe operating mode selection), the operating mode selection meets the corresponding level of safety quality. The operating mode selection switch is therefore not part of the safety function and does not have to be considered. The programming must be configured accordingly to fulfill the above points.

2.3 Statutory Requirements and Standards

The general requirements of the Machinery Directive and the standard EN 60204-1 are obligatory. The Machinery Directive 2006/42/EG lists the requirements in section 1.2.5. Table 2-1 gives possible ways to implement these requirements.

Table 2-1: Requirements and implementation

Machinery directive requirement: The selected operating mode overrides other control and operating functions (exception: Emergency Stop).
Implementation: Programming in the safety program of the fail-safe controller: start machine functions only in a defined operating mode. If no operating mode is selected, the machine is in the "Off" mode.

Machinery directive requirement: Uniqueness.
Implementation: Counterlocking (mutual interlocking) of the operating modes in the safety program of the fail-safe controller.

Machinery directive requirement: Observability.
Implementation: Visualization of the currently active operating mode through display elements (indicator lights, for example).

Machinery directive requirement: Lockability.
Implementation: An operating mode selector switch must make it possible to prevent a third party from changing the position (for example, by removing a key while retaining the switch position).

Machinery directive requirement: Limitation of group.
Implementation: Limitation of the group with authorized access through coded operating mode selector switches (for example, RFID-based selector switches with coded keys).

The standard DIN EN 60204-1 "Safety of machinery - Electrical equipment of machines" extends the requirements of the Machinery Directive. Point 9.2.3 "Operating Modes" of the standard EN 60204-1:2006 lists the following requirements:
- Operating mode selection must not trigger any machine operation. A separate start control is required.
- For each special operating mode, corresponding safety functions and/or protective measures must be fulfilled.
- If selecting an operating mode can cause a dangerous situation to arise, unauthorized and/or unsupervised selection must be prevented through appropriate means (key switch, access code, etc., for example).

The extended requirements of EN 60204-1 in point 9.2.4 confirm the selection of a safety concept with technical measures in all operating modes. The requirements in this section are: "Where it is necessary to set aside safety functions and/or protective measures, safety must be ensured through: the rendering inoperative of all other operating modes (or control types) and other means like:
- triggering of motion through operating devices with automatic return (enabling switch, for example),
- portable or wireless operator station (if active, motion only from that station),
- limitation of rate of motion or moving force,
- limitation of range of motion."

Note: The quoted passages of EN 60204-1:2006 do not mean that you may disable or short-circuit safety functions.

2.4 Structuring of the Automation System

The figure below shows the operating mode selection within the structure of an automation system. An explanation of the terms is given below the figure.

Figure 2-2: Operating mode selection within the structure of an automation system
Labels recovered from the diagram: Hardware; Software; Operating mode selector; Standard user program; Visualization; Safety program; Process conditions; Verification; Operation of operating mode selector; Pre-select; Select; Safety conditions; Select; Display; Link; Actuators; Process control; Safety functions.

Table 2-2: Explanation of the terms of the previous figure

Select: Operator requests a specific operating mode via selector switch (ID key, key switch, for example).
Preselect: Querying of process conditions in the standard user program for determining whether the selection of a specific operating mode can be permitted.
Process conditions: Plant feedback on specific states in the process (for example: start position reached, current job processed or stopped, no errors, etc.).
Check: Check in the safety program whether multiple operating modes have been selected simultaneously due to faults (for example: multiple inputs set at the same time).
Select: After positive verification and fulfillment of the transition conditions (see term below) the release for a selected operating mode is given. The selection is fed back to the standard user program and displayed.
Transition conditions: Definition of the transition conditions between the operating modes, for example: transition "Automatic" to "Setup": "All drives must deliver STO"; transition "Clean" to "Automatic": "All axes must be safely referenced + deliver STO".
Link: Logical link of the safety functions (see Figure 2-3) with the operating mode in question to trigger the actuators.
Display: Visualization of the selected operating mode on an HMI or signal column, for example.
Process control: Transfer of the selected operating mode to the process control. This enables the operational start of the machine functions.

Figure 2-2 shows that the enabling of an operating mode does not depend solely on the position of the operating mode selection switch. Many steps in the standard user program and in the safety program are necessary before the actuators are triggered. The figure below shows an example for the term "Link" from Table 2-2.

Figure 2-3: Link (labels recovered from the diagram)
Release signals: Emergency Stop function; Safety function 1; Safety function 2. The release signals are combined through AND gates (labelled 1 and 2) with the operating mode. Outputs: Motion monitoring (e.g. SLS); Drive start lock (e.g. STO).
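The selection flow of Table 2-2 (uniqueness check, preselect in the standard user program, transition conditions checked in the safety program, release), the "Off" rule and separate start control from Table 2-1 and EN 60204-1 point 9.2.3, and the AND link of release signals from Figure 2-3, as an added Python model. This is not code from the application note or from Siemens; the mode names, the condition fields, the assignment of door monitoring to Automatic and of the enabling switch to Setup, and the rule that transitions not named in Table 2-2 require STO are all assumptions of this model.

```python
"""Added illustration (not Siemens code): a scan-cycle model of the
operating mode selection flow in Figure 2-2 / Table 2-2, the "Off" rule
and separate start control of Table 2-1 / EN 60204-1 9.2.3, and the AND
link of release signals from Figure 2-3.  Mode names, condition fields
and the mode-to-safety-function mapping are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    OFF = "Off"              # no valid selection: machine is in "Off" mode
    AUTOMATIC = "Automatic"
    SETUP = "Setup"
    CLEAN = "Clean"


@dataclass
class SelectorInputs:
    """Raw selector-switch inputs, one per position (assumed wiring)."""
    automatic: bool = False
    setup: bool = False
    clean: bool = False


@dataclass
class ProcessConditions:
    """Plant feedback queried in the standard user program (preselect)."""
    start_position_reached: bool = True
    no_errors: bool = True


@dataclass
class SafetyConditions:
    """Signals evaluated only in the safety program (constructed inputs)."""
    all_drives_sto: bool = False
    all_axes_safely_referenced: bool = False
    safety_door_closed: bool = False
    enabling_switch_pressed: bool = False
    emergency_stop_released: bool = True


def check_uniqueness(inp: SelectorInputs):
    """Table 2-2 "Check": exactly one selector position may be active.
    Returns (requested mode or None, fault flag)."""
    active = [m for m, on in ((Mode.AUTOMATIC, inp.automatic),
                              (Mode.SETUP, inp.setup),
                              (Mode.CLEAN, inp.clean)) if on]
    if len(active) > 1:
        return None, True          # multiple inputs set at once: fault
    return (active[0] if active else None), False


def transition_allowed(current: Mode, requested: Mode, s: SafetyConditions) -> bool:
    """Transition conditions from Table 2-2; any transition the table does
    not name is assumed here to require all drives to deliver STO."""
    if (current, requested) == (Mode.AUTOMATIC, Mode.SETUP):
        return s.all_drives_sto
    if (current, requested) == (Mode.CLEAN, Mode.AUTOMATIC):
        return s.all_drives_sto and s.all_axes_safely_referenced
    return s.all_drives_sto


class ModeSelection:
    def __init__(self):
        self.active = Mode.OFF

    def scan(self, inp: SelectorInputs, proc: ProcessConditions,
             safe: SafetyConditions) -> Mode:
        """One pass through Figure 2-2: uniqueness check, preselect in the
        standard program, transition check in the safety program, release."""
        requested, fault = check_uniqueness(inp)
        if fault or requested is None:
            self.active = Mode.OFF     # ambiguous or no selection: "Off" mode
            return self.active
        if requested == self.active:
            return self.active
        if not (proc.start_position_reached and proc.no_errors):
            return self.active         # preselect refused, keep previous mode
        if not transition_allowed(self.active, requested, safe):
            return self.active         # safety program refuses the switchover
        self.active = requested
        return self.active


def link(active: Mode, s: SafetyConditions) -> dict:
    """Figure 2-3: AND the release signals with the active mode.  Which safety
    function applies per mode follows Figure 2-1 (door monitoring in Automatic,
    manual approval via enabling switch in Setup); this mapping is assumed."""
    estop = s.emergency_stop_released
    if active is Mode.AUTOMATIC:
        return {"sto_released": estop and s.safety_door_closed, "sls_active": False}
    if active is Mode.SETUP:
        return {"sto_released": estop and s.enabling_switch_pressed, "sls_active": True}
    return {"sto_released": False, "sls_active": False}   # Off/Clean: drives locked


def start_permitted(active: Mode, s: SafetyConditions, start_button: bool) -> bool:
    """EN 60204-1 9.2.3: selecting a mode starts nothing; a separate start
    control is required and only acts in a defined, released mode."""
    return active is not Mode.OFF and link(active, s)["sto_released"] and start_button


if __name__ == "__main__":
    sel = ModeSelection()
    safe = SafetyConditions(all_drives_sto=True, safety_door_closed=False)
    print(sel.scan(SelectorInputs(automatic=True), ProcessConditions(), safe))
    print(link(sel.active, safe), start_permitted(sel.active, safe, True))
```

The order of the checks mirrors section 2.2: a selector fault (two positions active at once) resolves to "Off" before any transition condition is evaluated, and a mode whose safety conditions are not met is simply not released, so the selector switch itself carries no safety function. In the model, turning the switch to "Automatic" with the safety door open leaves the drive start lock engaged and the separate start command has no effect.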

3 C Standards

C standards for specific machine types already include risk reduction measures that are based on a general assessment of the machine type. If, when using a C standard safety function, requirements apply for operating mode selection, then primarily the requirements of the C standard are to be followed.