Applications & Tools. Evaluation of the selection of a safety-related mode using non-safety-related components


Cover sheet

Evaluation of the selection of a safety-related mode using non-safety-related components

SINUMERIK 840D sl, SINUMERIK Safety Integrated

Application description, February 2015

Applications & Tools. Answers for industry.

Siemens Industry Online Support

This article originates from Siemens Industry Online Support. The following link takes you directly to the download page for this document: http://support.automation.siemens.com/ww/view/en/108866318

Caution: The functions and solutions described in this article are restricted primarily to the implementation of the automation task. Please also observe that, if your plant is networked with other plant units, the company network, or the Internet, appropriate protective measures must be taken as part of industrial security. For more information, see Entry ID 50203404: http://support.automation.siemens.com/ww/view/en/50203404

Entry ID: 108866318

SINUMERIK 840D sl: Mode selection using standard components (SINUMERIK Safety Integrated)

1 Task
2 Terms
3 Mode selection equipment (ISO 16090)
4 Application example
5 Contact

Warranty and liability

Note: The application examples are not binding and do not purport to be complete in respect of the configuration and equipment shown nor to cover any eventuality. These application examples do not represent specific customer solutions, but are only intended to provide support with typical applications. You are responsible for ensuring that the products described are used correctly. These application examples do not relieve you of the responsibility in safely and professionally using, installing, operating, and servicing equipment. By using these application examples, you agree that Siemens cannot be made liable for possible damage beyond the liability clause described. We reserve the right to make changes to these application examples at any time and without prior notice. If there are any discrepancies between the suggestions made in these application examples and other Siemens publications such as catalogs, the contents of the other document(s) shall prevail.

Siemens shall not be held liable for the information provided in this document. We accept no liability for any damage or loss caused by the examples, information, programs, planning data or performance data described in this application example, irrespective of the legal basis for claims arising from such damage or loss, unless liability is mandatory. For example, according to the product liability law, in cases of malfeasance, gross negligence, due to endangerment of life, body or health, due to assumption of a guarantee for a product's characteristics of state, due to malicious concealment of a defect or due to violation of basic contractual obligations. However, claims for indemnification based on breach of contract shall be limited to liability for damages to the contract-specific, foreseeable damages, provided there is no mandatory liability for intent, acts of gross negligence, harm to the life, body and health of human beings. Any change to the burden of proof to your disadvantage is not covered hereby.

Any form of duplication of these application examples or excerpts hereof is not permitted without the express consent of Siemens Industry Sector.

Table of contents

Warranty and liability ... 4
Table of contents ... 5
1 Task ... 6
1.1 Note ... 6
1.2 Introduction ... 6
1.3 Description ... 6
1.4 References to standards ... 7
2 Terms ... 8
3 Mode selection equipment (ISO 16090) ... 9
4 Application example ... 10
4.1 Components used ... 10
4.2 Category 2 according to ISO 13849-1 ... 10
4.3 Example of mode selection ... 12
4.4 Features and failure modes ... 16
4.4.1 Pushbutton for MSO 1 or MSO 2 ... 16
4.4.2 Standard input module ... 17
4.4.3 IM (Interface module) ... 18
4.4.4 CPU ... 18
4.5 Calculating the achievable PL or SIL ... 18
4.5.1.1 Category 2 or 1-channel architecture with failure detection ... 19
4.5.2 Calculating the PFHD value ... 19
4.5.2.1 Calculation of the "Input" subsystem according to ISO 13849 ... 19
4.5.2.2 Calculation of the "Input" subsystem according to IEC 62061 ... 20
4.5.2.3 Calculation of subsystem L/O/OTE ... 20
4.5.2.4 Total PFHD value ... 20
4.5.3 Achievable PL or SIL ... 21
5 Contact ... 22

1 Task

1.1 Note

The application examples provided below are intended as guidance for calculating a Performance Level according to EN ISO 13849 or a Safety Integrity Level according to IEC 62061 for selecting a mode using standard components. A risk assessment is always the basis for configuring safety functions. The manufacturer of a machine or an authorized representative must perform this risk assessment to determine the applicable safety and health protection requirements for the machine. The machine must be designed and constructed taking into account the results of the risk assessment.

1.2 Introduction

Since December 29, 2009, the requirements of the new Machinery Directive 2006/42/EC apply in the European Community for functional safety and therefore for the protection of people, machines, and production materials. This means that all machines that are marketed in the European Community must meet the requirements of this Machinery Directive. You can achieve conformity with the new Machinery Directive, which enables you to export and protects you from liability claims, in a number of ways, including applying the EN ISO 13849-1 or EN 62061 standard. The safety case required by both standards must demonstrate that the SIL (Safety Integrity Level) or PL (Performance Level) value determined in the risk assessment was achieved with the safety solutions used.

A clearly structured risk assessment is the basis for the safety case! This risk assessment is the first step toward a safe machine, and it is already performed in the planning phase. Protective measures are derived from the risk assessment to reduce risk. These are described as safety functions. The safety function solution is then checked and evaluated to determine whether the Safety Integrity or Performance Level required as a result of the risk assessment is achieved.

1.3 Description

By way of example, it will be demonstrated how mode selection can be achieved with Performance Level PL d, Category 2 according to ISO 13849-1 or SIL 2 according to IEC 62061 using "standard" (i.e. non-safety-related) components of control systems.

1.4 References to standards

prEN ISO 16090:2014: Machine tools safety - Machining centres, milling machines, transfer machines - Part 1: Safety requirements
ISO 13849-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

2 Terms

The following terms are defined in prEN ISO 16090:2014:

Mode selection equipment: This equipment generally consists of the following individual components:

Access system: Equipment that limits access to a particular restricted group of persons and prevents unintentional or unauthorized operation of a selection system. This equipment is not a safety-related part of a control system (SRP/CS).

Selection system: Equipment allowing the selection of a safety-related mode in combination with access system authorization.

Activation system: Activates a particular number of functions for the selected safety-related mode.

Fig. 2-1: Mode selection equipment (access system, selection system, activation system)

The selection and activation system is part of the SRP/CS under consideration and is used as an example in this document.

3 Mode selection equipment (ISO 16090)

In this example, the access system comprises an electronic "key system", the selection system comprises pushbuttons, illuminated pushbuttons, and lamps for mode selection, protective doors, etc., and the activation system comprises a PLC (controller) combined with a safety-related control.

Fig. 3-1: Electronic access system; safety-related modes

Table 3-1: Example mode selection equipment, modes according to prEN ISO 16090:2014

| Mode of safe operation | Reference ISO 369 | Reference ISO 7000 |
|---|---|---|
| MSO 1: Automatic operation | ISO 369 5.1-15 | ISO 7000-0017 |
| MSO 2: Set-up mode | ISO 369 5.1-12 | ISO 7000-0910 |
| MSO 3: Automatic operation with manual intervention | ISO 369 5.1-?? a) | ISO 7000-1942 |
| MSO SE: Service mode | ISO 369 5.1-44 | ISO 7000-0717 |

a) This symbol, together with a new subheading "Symbols for modes of safe operation", should be included in ISO 369 in the next revision.

MSO = Mode of Safe Operation

4 Application example

The application example below shows how mode selection could be evaluated using standard components.

4.1 Components used

The pushbutton shown in Fig. 4-1 is read and assessed by a standard PLC that is linked to a safety-related control.

Fig. 4-1: Components used. Mode selection with a pushbutton (MSO 1/2/3) -> DI: standard input module (not safety-related) -> IM: interface *) (not safety-related) -> CPU: standard CPU (not safety-related) -> NC/PLC: safety-related control.
*) Depending on the hardware configuration, see Chapter 4.4.3.

4.2 Category 2 according to ISO 13849-1

Fig. 4-2 is a logical representation of Category 2 according to ISO 13849-1.

Figure 4-2: Logical representation of Category 2 according to ISO 13849-1. Input signal -> I -> L -> O -> output signal; TE (test equipment) monitors the channel and drives OTE (output of TE), the second output signal.

Fig. 4-3 shows the structure with the components used.

Figure 4-3: Logical representation of Category 2 according to ISO 13849-1 based on the components used. Mode selection with a pushbutton (MSO 1/2/3/SE) -> DI: standard input module (not safety-related) -> CPU: standard CPU (not safety-related) -> NC/PLC: safety-related control (monitoring). An IM module must only be considered if no fail-safe module is located on the DI rack.

On mode selection and test without faults (TE and OTE), the safety-related control (L) generates a software enable (O) for this mode selection in the form of a safety-related flag. If an incorrect selection (TE and OTE) is detected by the safety-related evaluation during the selection sequence, the safety-related flag is reset (O).

Note: The failure response (OTE) is not a physical response but a safety-related software enable, and it does not have to be additionally evaluated for PFHd, as it already forms part of the safety-related evaluation.

4.3 Example of mode selection

The following example illustrates the "selection sequence" as a chronological sequence of operator actions.

Starting point (see Figure 4-4): Mode MSO 1 (automatic mode) is active and the lamp on the illuminated pushbutton for MSO 1 is lit.

1. Pressing illuminated pushbutton MSO 2 (setup mode) to change the mode has no effect as long as the key is not inserted.
2. The key of the access system is inserted and illuminated pushbutton MSO 2 is then pressed. The lamp on the illuminated pushbutton for MSO 2 starts flashing.
3. The protective door is requested (protective door button is pressed) and the "protective door" lamp starts flashing; the switchover to activate MSO 2 is triggered (safe operating stop (SOS) requested, hydraulic/pneumatic functions deactivated, coolant high pressure switched off, etc.).
4. When acknowledgment of the above requests (SOS active, acknowledgment from ground contacts, axes, spindles, etc.) has been received, the guard locking device is operated. When the guard locking device is operated, the "protective door" lamp stops flashing and switches to steady light.
5. The lamp on the illuminated pushbutton for MSO 1 goes out and the lamp on the illuminated pushbutton for MSO 2 switches to steady light. Now mode MSO 1 is deselected and MSO 2 is selected.
6. Even though the key of the access system is still inserted, operating the button for the protective door request does not elicit any further response from the system, as this is only possible in MSO 1.
7. The key of the access system is removed. Activating illuminated pushbutton MSO 1 has no effect on the system because access authorization is not given (the key of the access system has been removed).
8. (Merely) reinserting the key of the access system has no effect on the system.

Figure 4-4: Mode selection from MSO 1 to MSO 2 (selection sequence)

Starting point (see Figure 4-5): Mode MSO 2 (setup mode) is active and the lamp on the illuminated pushbutton for MSO 2 is lit. The axes are in safe operating stop and the conditions mentioned above for MSO 2 are also met.

1. Pressing illuminated pushbutton MSO 1 has no effect as long as the key is not inserted.
2. The key of the access system is inserted.
3. Illuminated pushbutton MSO 1 is pressed, and the lamp on the illuminated pushbutton for MSO 1 starts flashing if safety system switchovers are required. Otherwise, the lamp on the illuminated pushbutton for MSO 1 immediately switches to steady light and the lamp on the illuminated pushbutton for MSO 2 goes out.
4. If switchovers are requested, the lamp on the illuminated pushbutton for MSO 2 goes out after a time delay (depending on the feedback signals) and the lamp on the illuminated pushbutton for MSO 1 switches to steady light.
5. Now that the door is closed, the protective door button can be operated again. The protective door is kept closed again by resetting the operation of the guard locking device, and the above requests are canceled again. The "protective door" lamp goes out.
6. The machine can be operated in MSO 1 mode.

Figure 4-5: Mode selection from MSO 2 to MSO 1 (selection sequence)
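The selection sequence above is what lets the safety-related control reject an input from the standard components that does not fit the expected order of operator actions. The following is an added example that models that check as a small state machine; it is not code from the Siemens application note or from SINUMERIK Safety Integrated, and the signal names, state names and scan sequences are constructed assumptions. It applies the rising-edge evaluation of Section 4.4.1, so a contact that is stuck closed or reported closed by a faulty input cannot select a mode on its own.

```python
"""Selection-sequence plausibility check for MSO 1 -> MSO 2 (Section 4.3).

Added example: a hypothetical model of the check that the safety-related
control applies to the standard (non-safe) inputs; it is not SINUMERIK
Safety Integrated code. Input images are constructed; each cycle() call
models one scan of the DI process image."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Inputs:
    """One scan of the standard DI image (constructed signal names)."""
    key_inserted: bool = False   # access system: key inserted
    btn_mso2: bool = False       # illuminated pushbutton MSO 2 (NO contact)
    btn_door: bool = False       # protective door request button
    sos_ack: bool = False        # feedback: SOS active, auxiliaries switched off
    lock_ack: bool = False       # feedback: guard locking device operated


@dataclass
class ModeSelector:
    mode: int = 1                 # active mode of safe operation
    state: str = "IDLE"           # position within the selection sequence
    enable_mso2: bool = False     # safety-related flag (output O of Fig. 4-3)
    rejected: list = field(default_factory=list)
    _prev: Inputs = field(default_factory=Inputs)

    def _rising(self, now: Inputs, name: str) -> bool:
        """Edge evaluation (Section 4.4.1): only open -> closed counts, so a
        contact stuck closed cannot trigger a further selection."""
        return getattr(now, name) and not getattr(self._prev, name)

    def cycle(self, now: Inputs) -> str:
        """Evaluate one scan and return the sequence state afterwards."""
        if self._rising(now, "btn_mso2"):
            if not now.key_inserted:
                # pressed or spuriously closed contact without authorization
                self.rejected.append("MSO 2 edge without access authorization")
            elif self.mode == 1 and self.state == "IDLE":
                self.state = "MSO2_REQUESTED"        # lamp MSO 2 flashes
        elif self._rising(now, "btn_door"):
            if self.mode != 1:                       # only possible in MSO 1
                self.rejected.append("door request outside MSO 1")
            elif self.state == "MSO2_REQUESTED":
                self.state = "DOOR_REQUESTED"        # SOS requested, auxiliaries off
        elif self.state == "DOOR_REQUESTED" and now.sos_ack:
            self.state = "WAIT_LOCK"                 # guard locking is operated
        elif self.state == "WAIT_LOCK" and now.lock_ack:
            self.mode, self.state, self.enable_mso2 = 2, "IDLE", True
        self._prev = now
        return self.state


def run_sequence(scans) -> ModeSelector:
    """Feed constructed scans through one selector and return it."""
    sel = ModeSelector()
    for scan in scans:
        sel.cycle(scan)
    return sel


def valid_selection():
    """The Figure 4-4 sequence as a list of DI images (constructed)."""
    return [
        Inputs(),                                          # MSO 1 active
        Inputs(btn_mso2=True),                             # no key: no effect
        Inputs(key_inserted=True),                         # key inserted
        Inputs(key_inserted=True, btn_mso2=True),          # MSO 2 requested
        Inputs(key_inserted=True, btn_door=True),          # door requested
        Inputs(key_inserted=True, sos_ack=True),           # acknowledgments
        Inputs(key_inserted=True, sos_ack=True, lock_ack=True),  # locked
        Inputs(key_inserted=True, sos_ack=True, lock_ack=True, btn_door=True),
        Inputs(sos_ack=True, lock_ack=True),               # key removed
    ]


def spurious_contact():
    """Hazardous failure of Table 4-1: the MSO 2 contact closes on its own
    (or the standard DI reports it closed) and then stays closed."""
    return [Inputs(), Inputs(btn_mso2=True), Inputs(btn_mso2=True),
            Inputs(key_inserted=True, btn_mso2=True)]   # key later: no edge
```

`run_sequence(spurious_contact())` ends in MSO 1 with the enable flag still reset, which is the behaviour Section 4.5.1.1 relies on when it credits the selection sequence with failure detection.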

4.4 Features and failure modes

4.4.1 Pushbutton for MSO 1 or MSO 2

The following failure modes can be evaluated:

Table 4-1

Component / unit / characteristics: Pushbutton; assessment of NO contact; idle state: contact open; edge evaluation: when contact closes.

| Possible failure / failure mode 2) | Proportion in percent 1) | Failure class |
|---|---|---|
| Contact does not close when pushbutton pressed | 49 % | Safe: No mode can be selected; this affects availability |
| Contact closes automatically, even if pushbutton is not pressed | << 1 % | Hazardous: Evaluation required due to selection sequence |
| Contact does not open (any more) when button is no longer pressed | 50 % | Safe: Edge evaluation no longer possible |
| Contact opens automatically, even if pushbutton is pressed | << 0.1 % | Safe: Edge evaluation no longer possible |
| Total | 100 % | |

1) Distribution of the states "close contact" and "open contact" assumed to be 50 %.
2) Incorrect operation of the pushbutton is detected by the safety-related evaluation based on the selection sequence.

Technical features:

Table 4-2

| B10 (switch cycles) | RDF 1) (%) | B10d (= B10/RDF) (switch cycles) | Cycle of operation (per hour) | MTTFd (years) | λD (failures per hour) |
|---|---|---|---|---|---|
| 50,000 2) | 50 % | 100,000 | 10 (n_op = 87,600 per year) | 11.4 | 1.00 E-05 |
| | 10 % | 500,000 | | 57.1 | 2.00 E-06 |
| | 1 % | 5,000,000 | | 570.7 | 2.00 E-07 |
| 1,000,000 3) | 50 % | 2,000,000 | 10 (n_op = 87,600 per year) | 228.3 | 5.00 E-07 |
| | 10 % | 10,000,000 | | 1,141.5 | 1.00 E-07 |
| | 1 % | 100,000,000 | | 11,415.5 | 1.00 E-08 |

1) RDF (ratio of dangerous failures): referred to the application, i.e. contact closes automatically (see Table 4-1, failure modes).
2) Corresponds to the mechanism of a keyswitch and is used for the worst-case scenario.
3) Pushbuttons work with very simple direct mechanical operation: this value is typical.

The values listed here seek to demonstrate possible MTTFd values.

4.4.2 Standard input module

Technical features with failure class (RDF): This example is based on the digital standard input module 6ES7131-4BD00-0AA0.

Table 4-3

| MTBF (years) | MTTF (years) | RDF 1) (%) | MTTFd (= MTTF/RDF) (years) | λD (failures per hour) |
|---|---|---|---|---|
| 140 | 140 | 50 | 280 | 4.07 E-07 |

1) RDF (ratio of dangerous failures): Proportion of dangerous failures depending on the application; in electronics, 50 % is assumed. A dangerous failure occurs if a pushbutton that has not been activated returns an operated pushbutton signal to the safety-related software.

4.4.3 IM (Interface module)

Only if no F-module is located on the DI rack must the communication interface (e.g. IM 151-1, 6ES7151-1AA05-0AB0) be considered for the PROFIBUS communication.

Technical features with failure mode (RDF): The digital standard interface 6ES7151-1AA05-0AB0 has been used in this example.

Table 4-4

| MTBF (years) | MTTF (years) | RDF 1) (%) | MTTFd (= MTTF/RDF) (years) | λD (failures per hour) |
|---|---|---|---|---|
| 141 | 141 | 50 | 282 | 4.07 E-07 |

1) RDF (ratio of dangerous failures): Proportion of dangerous failures depending on the application; with electronics, 50 % is assumed. A dangerous failure occurs if a pushbutton that has not been operated sends an operated pushbutton signal to the safety-related software.

4.4.4 CPU

Technical features with failure class (RDF): This example is based on the NCU730.3PN (6FC5373-0AA30-0AA1).

Table 4-5

| MTBF (years) | MTTF (years) | RDF 1) (%) | MTTFd (= MTTF/RDF) (years) | λD (failures per hour) |
|---|---|---|---|---|
| 45 | 45 | 50 | 90 | 1.26 E-06 |

1) RDF (ratio of dangerous failures): Proportion of dangerous failures depending on the application; with electronics, 50 % is assumed. A dangerous failure occurs if a pushbutton that has not been operated sends an operated pushbutton signal to the safety-related software.

4.5 Calculating the achievable PL or SIL

Basically, mode selection is based on a prescribed sequence of operator actions, the so-called "selection sequence". The selection sequence allows a diagnosis to be performed at any time: the states can be predicted, assessed for diagnosis, and thus compared with a defined "expectation".

4.5.1.1 Category 2 or 1-channel architecture with failure detection

With these extensive diagnostic possibilities, a DC of 90 % or higher can be assumed; see Chapter 4.3, Example of mode selection (selection sequence). Undetected states are avoided using the following measures, which justify this DC:

- The "electronic access system" provides access authorization in addition to the selection sequence and only allows trained personnel with the relevant authorization to perform mode selection. That is, an operator with access authorization for MSO 2, MSO 3, and MSO SE can recognize an incorrect enable of a selection system (a higher MSO might have been selected than the access system permits). Example: the key inserted in the access system permits at most MSO 2, but MSO 3 can nevertheless be selected. Such a fault is recognized by the trained operator.
- The selection sequence represents the systematic detection of possible failures. If the PLC (DI, CPU) incorrectly passes a pressed pushbutton for a mode selection to the safety-related control, the selection sequence and the related interaction of the operator will prevent an unintended mode selection from occurring.

4.5.2 Calculating the PFHD value

The limit value of PL d according to ISO 13849-1 or SIL 2 according to IEC 62061 is 1.00 E-06.

4.5.2.1 Calculation of the "Input" subsystem according to ISO 13849

ISO 13849-1: use of the parts count method and Appendix K.

Table 4-5

| Pushbutton for MSO 1 or MSO 2 (MTTFd1) | Standard DI (MTTFd2) | NCU/CPU (MTTFd3) | Result (MTTFdg) | ISO 13849 Appendix K, Category 2 and DCavg (PFHD) |
|---|---|---|---|---|
| 570 years | 280 years | 90 years | 60.8 years | 4.56 E-07 |

$$\frac{1}{MTTF_{dg}} = \frac{1}{MTTF_{d1}} + \frac{1}{MTTF_{d2}} + \frac{1}{MTTF_{d3}}$$

The calculation of the Input subsystem with IM module is described in the SET resp. SISTEMA file.

4.5.2.2 Calculation of the "Input" subsystem according to IEC 62061

IEC 62061: use of the formula for basic subsystem architecture C.

Table 4-6

| DC | Pushbutton for MSO 1 or MSO 2 (λ1) | Standard DI (λ2) | NCU/CPU (λ3) | Result (PFHD) (λg) |
|---|---|---|---|---|
| 0 % | 2.00 E-07 | 4.07 E-07 | 1.26 E-06 | 1.88 E-06 |
| 60 % | 8.00 E-08 | 1.63 E-07 | 5.07 E-07 | 7.51 E-07 |
| 90 % | 2.00 E-08 | 4.07 E-08 | 1.26 E-07 | 1.88 E-07 |

$$\lambda_g = \lambda_1 (1 - DC_1) + \lambda_2 (1 - DC_2) + \lambda_3 (1 - DC_3)$$

The calculation of the Input subsystem with IM module is described in the SET resp. SISTEMA file.

4.5.2.3 Calculation of subsystem L/O/OTE

Subsystem "L/O/OTE" comprises the safe part (safe programmable logic) of the SINUMERIK 840D sl (NCU 730.3 PN). The PFH value of the NCU 730.3 PN (6FC5373-0AA30-0AA1) is 6.60 E-08.

4.5.2.4 Total PFHD value

Calculation in accordance with ISO 13849

Table 4-7

| PFHD value Input | PFHD value L/O/OTE | Total |
|---|---|---|
| 4.56 E-07 | 6.60 E-08 | 5.22 E-07 |

The total PFHD value corresponds to PL d.

Calculation according to IEC 62061

Table 4-8

| PFHD value Input | PFHD value L/O/OTE | Total |
|---|---|---|
| 1.88 E-07 | 6.60 E-08 | 2.54 E-07 |

The total PFHD value corresponds to SIL 2.

4.5.3 Achievable PL or SIL

All standard components used meet the requirements of PL d according to ISO 13849-1 with Category 2, or SIL 2 according to IEC 62061 with a 1-channel architecture with diagnosis. The common cause failure is included in the consideration with respect to failure detection by the safety-related assessment.
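The PFHD figures of Section 4.5.2 can be carried through from the B10 and MTTFd data to the PL and SIL result in a few lines. The following is an added example, not code from the application note: the formulas are the ISO 13849-1 B10d and parts-count relations and the IEC 62061 architecture C formula quoted above, the numbers are those of Tables 4-2 to 4-8, and the PL/SIL banding functions are taken from ISO 13849-1 Table 3 and IEC 62061 Table 3, which the note does not reproduce. Going beyond Table 4-6, it also shows what the input subsystem alone would reach without the selection-sequence diagnostics (DC 0 %).

```python
"""Worked PFH_D evaluation of the mode-selection circuit (Section 4.5.2).

Added example, not code from the Siemens application note. The component
data (B10, RDF, n_op, MTTFd, the NCU PFH value and the ISO 13849-1 Annex K
result 4.56E-07 for the Category 2 input subsystem) are the figures quoted
in Tables 4-2 to 4-8; the PL and SIL bands are those of ISO 13849-1 Table 3
and IEC 62061 Table 3."""
HOURS_PER_YEAR = 8760.0
N_OP = 10 * 24 * 365                 # 10 operations per hour -> 87,600 per year
MTTFD_DI, MTTFD_CPU = 280.0, 90.0    # Tables 4-3 and 4-5, years
PFHD_L_O_OTE = 6.60e-8               # NCU 730.3 PN, Section 4.5.2.3
PFHD_INPUT_ISO = 4.56e-7             # Annex K, Category 2, MTTFdg 60.8 y, Table 4-5
PFHD_LIMIT_PL_D_SIL_2 = 1.0e-6       # upper limit of PL d / SIL 2, Section 4.5.2


def mttfd_from_b10(b10: float, rdf: float, n_op_per_year: float) -> float:
    """MTTFd in years of an electromechanical part (ISO 13849-1, Annex C):
    B10d = B10 / RDF and MTTFd = B10d / (0.1 * n_op). Reproduces Table 4-2."""
    return (b10 / rdf) / (0.1 * n_op_per_year)


def lambda_d(mttfd_years: float) -> float:
    """Dangerous failure rate in 1/h from an MTTFd given in years."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def mttfd_parts_count(*mttfd_years: float) -> float:
    """Parts-count method of ISO 13849-1: 1/MTTFdg = sum of 1/MTTFdi."""
    return 1.0 / sum(1.0 / m for m in mttfd_years)


def lambda_g_iec62061(parts) -> float:
    """IEC 62061 basic subsystem architecture C (1-channel with diagnosis):
    lambda_g = sum(lambda_i * (1 - DC_i)); `parts` holds (lambda_D, DC) pairs."""
    return sum(lam * (1.0 - dc) for lam, dc in parts)


def pl_from_pfhd(pfhd: float) -> str:
    """Best PL the PFHd band allows (ISO 13849-1 Table 3). Category, DCavg,
    MTTFd and the measures against systematic failure must also fit."""
    for pl, upper in (("e", 1e-7), ("d", 1e-6), ("c", 3e-6), ("b", 1e-5), ("a", 1e-4)):
        if pfhd < upper:
            return pl
    return "none"


def sil_from_pfhd(pfhd: float) -> int:
    """Best SIL the PFHd band allows (IEC 62061 Table 3), same caveat."""
    for sil, upper in ((3, 1e-7), (2, 1e-6), (1, 1e-5)):
        if pfhd < upper:
            return sil
    return 0


def mttfd_pushbutton() -> float:
    """Pushbutton row used in the example: B10 50,000, RDF 1 % (Table 4-2)."""
    return mttfd_from_b10(50_000, 0.01, N_OP)


def iec62061_input_pfhd(dc: float) -> float:
    """Input subsystem per IEC 62061 for one DC value (one row of Table 4-6)."""
    mttfds = (mttfd_pushbutton(), MTTFD_DI, MTTFD_CPU)
    return lambda_g_iec62061([(lambda_d(m), dc) for m in mttfds])


def evaluate() -> dict:
    """Carry the example through both standards (Tables 4-5 to 4-8, DC 90 %)."""
    mttfd_g = mttfd_parts_count(mttfd_pushbutton(), MTTFD_DI, MTTFD_CPU)
    total_iso = PFHD_INPUT_ISO + PFHD_L_O_OTE              # Table 4-7
    total_iec = iec62061_input_pfhd(0.90) + PFHD_L_O_OTE   # Table 4-8
    return {
        "mttfd_g_years": mttfd_g,
        "total_iso": total_iso, "pl": pl_from_pfhd(total_iso),
        "total_iec": total_iec, "sil": sil_from_pfhd(total_iec),
        "within_limit": max(total_iso, total_iec) <= PFHD_LIMIT_PL_D_SIL_2,
    }


if __name__ == "__main__":
    for dc in (0.0, 0.60, 0.90):   # the three DC rows of Table 4-6
        pfhd_in = iec62061_input_pfhd(dc)
        print(f"DC {dc:4.0%}: input PFHd {pfhd_in:.2e} -> SIL {sil_from_pfhd(pfhd_in)}")
    print(evaluate())
```

At DC 0 % the input subsystem alone lands at about 1.88 E-06, i.e. only SIL 1 / PL c, which is why the 90 % diagnostic coverage argued for in Section 4.5.1.1 carries the result.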

5 Contact

Jürgen Strässer
Siemens AG
Industry Sector
Drive Technologies Division
Motion Control Systems
I DT MC MTS SP1
Frauenauracher Str. 80
D-91056 Erlangen, Germany
Phone: +49 9131 98-3959
Fax: +49 9131 98-63959
mailto:juergen.straesser@siemens.com