PL estimation acc. to EN ISO 13849-1


PL estimation acc. to EN ISO 13849-1 - Example calculation for an application
MAC Safety / Armin Wenigenrath, January 2007

Select the suitable standard for your application

Reminder: the standards and the technologies

Technology implementing the safety-related control function(s) | EN ISO 13849-1 | EN IEC 62061
A  Non-electrical, e.g. hydraulics | X | Not covered
B  Electromechanical, e.g. relays, and/or non-complex electronics | Restricted to designated architectures (see Note 1) and up to PL = e | All architectures and up to SIL 3
C  Complex electronics, e.g. programmable | Restricted to designated architectures (see Note 1) and up to PL = d | All architectures and up to SIL 3
D  A combined with B | Restricted to designated architectures (see Note 1) and up to PL = e | X, see Note 3
E  C combined with B | Restricted to designated architectures (see Note 1) and up to PL = d | All architectures and up to SIL 3
F  C combined with A, or C combined with A and B | X, see Note 2 | X, see Note 3

"X" indicates that this item is dealt with by this standard.
NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1 to give a simplified approach for the quantification of the performance level.
NOTE 2 For complex electronics: use of designated architectures according to EN ISO 13849-1 up to PL = d, or any architecture according to EN IEC 62061.
NOTE 3 For non-electrical technology use parts according to EN ISO 13849-1 as subsystems.
Table 1

MAC A.Wenigenrath JAN 2007 - EN 2

The 6 Steps to Safety with EN ISO 13849-1

STEP 1: Risk assessment and basic structure of the Safety-Related Parts of a Control System (SRP/CS) implementing a safety function.
STEP 2: Determine the required Performance Level PLr for the safety function.
STEP 3: Identify the combination of safety-related parts which carry out the safety function.
STEP 4: Evaluate the Performance Level PL for all safety-related parts.
STEP 5: Verify that the PL of the SRP/CS for the safety function is greater than or equal to the PLr.
STEP 6: Validate that all requirements are met.

STEP 1: Risk assessment and basic structure of the safety chain

We will take as example the safety function which disconnects a motor when the safety guard is open. From the risk assessment (see Annex 1) we got the safety requirements for this structure. It needs to achieve PL e in order to provide the necessary risk reduction (see Annex 2). The diagram shows the combination of safety-related parts of control systems processing a typical safety function:

[Diagram: SRP/CS with PLr = e. Initiation event -> SRP/CS a (INPUT) -i_ab-> SRP/CS b (LOGIC) -i_bc-> SRP/CS c (OUTPUT) -> machine actuator, e.g. motor brakes]

A safety function may be implemented by one or more Safety-Related Parts of a Control System (SRP/CS), and several safety functions may share one or more SRP/CS, e.g.:
- Input (SRP/CS a)
- Logic / processing (SRP/CS b)
- Output / power control elements (SRP/CS c)
- Interconnecting means (i_ab, i_bc)

STEP 2: Determine the required Performance Level

In this example the safety function is the disconnection of a motor when the safety guard is open. Without the guard the possible harm is to lose an arm.

[Risk graph: Required Performance Level (PLr). Starting point for the evaluation of the contribution to the risk reduction of a safety function; branches S1/S2 -> F1/F2 -> P1/P2 lead to PLr a, b, c, d or e (a = low contribution to risk reduction, e = high contribution to risk reduction)]

S = Severity of injury
  S1 = Slight (normally reversible) injury
  S2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard
  F1 = Seldom to less often and/or the exposure time is short
  F2 = Frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm
  P1 = Possible under specific conditions
  P2 = Scarcely possible

With the answers S2, F2 and P2 the graph leads to a required performance level of PLr = e.

STEP 3: Identify the safety-related parts

All parts which carry out the safety function must be identified; in our example we use a redundant structure with 2 inputs, 2 logic channels and 2 outputs switching the power. Each block in the diagram represents one hardware device implementing the safety function:

[Block diagram: Channel 1: I1 -> L1 -> O1; Channel 2: I2 -> L2 -> O2]
INPUT (SRP/CS a): Interlocking Switch 1 (SW1), Interlocking Switch 2 (SW2)
LOGIC (SRP/CS b): Safety Module XPS
OUTPUT (SRP/CS c): Contactor 1 (CON1), Contactor 2 (CON2)

In this example the two channels provide redundancy, the safety module provides the logic solving and the diagnostics for both channels; both channels of the SRP/CS are equal.

STEP 4: Evaluate the Performance Level PL

For each selected SRP/CS and/or for the combination of SRP/CS that performs the safety function the estimation of the PL shall be done. The PL of the SRP/CS shall be determined by the estimation of the following parameters (see Annex 2):
- the CATEGORY (structure) (see Clause 6 of EN ISO 13849-1)
- the MTTFd of the single components (see Annexes C and D of EN ISO 13849-1)
- the DC (see Annex E of EN ISO 13849-1)
- the CCF (see the score table in Annex F of EN ISO 13849-1)

(If the PLs of all SRP/CS in the combination are known you can estimate the overall PL according to Annex 4.)

STEP 4: Evaluate the Performance Level PL
4.1 Category, MTTFd, DC and CCF

From the safety-related block diagram we know the category 4 structure, the channels and the safety-related parts in each channel:
  Channel 1: SW1 -> XPS -> CON1
  Channel 2: SW2 -> XPS -> CON2

From the catalogue of the supplier we get the values of MTTFd or B10 for the selected devices:

Example SRP/CS | B10 (operations) | MTTFd (years) | DC
Interlocking switches SW1, SW2 | 10.000.000 | - | 99%
Safety module XPS (here XPSAK) | - | 72,2 | 99%
Contactors CON1, CON2 | 1.000.000 | - | 99%
Table 2a

The DC values we take from Table E.1 in Annex E of EN ISO 13849-1. The measures against CCF must be checked using Table F.1 in Annex F of EN ISO 13849-1. The score for the example achieves 80 points, which is OK.

STEP 4: Evaluate the Performance Level PL
4.2 The MTTFd of single components

With the formulae from Annex 3 we calculate the MTTFd for the interlocking switches and the contactors. The operation of the example machine is specified with the following data: the mean time between two cycles is 90 s, the machine is used on 220 days per year and 8 hours per day, so that n_op = 70400 operations per year (see Annex 3).

  MTTFd = B10d / (0,1 x n_op), with B10d = 2 x B10

Example SRP/CS | B10 (operations) | MTTFd (years) | DC
Interlocking switches SW1, SW2 | 10.000.000 | 2840 | 99%
Safety module XPS (XPSAK) | - | 72,2 | 99%
Contactors CON1, CON2 | 1.000.000 | 284 | 99%
Table 2b

The calculated MTTFd values (switches and contactors) depend on the number of annual operations in the application; that is why the supplier can only provide the B10 or B10d values for the lifetime.

STEP 4: Evaluate the Performance Level PL
4.3 The MTTFd of each channel

With the formula of the parts count method we calculate the MTTFd for the channels:

  1/MTTFd = sum over i = 1..N of 1/MTTFd_i

  SW1: MTTFd = 2840 y    XPS: MTTFd = 72,2 y    CON1: MTTFd = 284 y   (Channel 1)
  SW2: MTTFd = 2840 y    XPS: MTTFd = 72,2 y    CON2: MTTFd = 284 y   (Channel 2)

  1/MTTFd_C1 = 1/MTTFd_C2 = 1/MTTFd_SW1,2 + 1/MTTFd_XPS + 1/MTTFd_CON1,2
  1/MTTFd_C1,2 = 1/2840 years + 1/72,2 years + 1/284 years, so MTTFd_C1,2 = 56,4 years

The MTTFd for each channel in the example is 56,4 years, which is "high" according to Table 1 in Annex 2.

STEP 4: Evaluate the Performance Level PL
4.4 The average DC (DCavg)

The diagnostic coverage is defined as the ratio between the detected dangerous failure rate and the failure rate of the total dangerous failures. According to this definition an average diagnostic coverage DCavg is estimated with the following formula:

  DCavg = (DC1/MTTFd1 + DC2/MTTFd2 + ... + DCN/MTTFdN) / (1/MTTFd1 + 1/MTTFd2 + ... + 1/MTTFdN)

For our example we get:

  DCavg = (0,99/2840 + 0,99/72,2 + 0,99/284) / (1/2840 + 1/72,2 + 1/284) = 99%

  SW1: MTTFd = 2840 y, DC = 99%    XPS: MTTFd = 72,2 y, DC = 99%    CON1: MTTFd = 284 y, DC = 99%   (Channel 1)
  SW2: MTTFd = 2840 y, DC = 99%    XPS: MTTFd = 72,2 y, DC = 99%    CON2: MTTFd = 284 y, DC = 99%   (Channel 2)

The DCavg in the example is 99%, which is "high" according to Table 2 in Annex 2.

STEP 5: Verify the achieved PL

We put the data for the example SRP/CS with MTTFd = high, DCavg = 99% and category 4 into the graph below in order to find the achieved performance level for our safety function:

[Figure: Performance Level a to e (with Safety Integrity Level 1 to 3 alongside) plotted against the columns Cat. B DCavg = none; Cat. 1 DCavg = none; Cat. 2 DCavg = low; Cat. 2 DCavg = medium; Cat. 3 DCavg = low; Cat. 3 DCavg = medium; Cat. 4 DCavg = high; each column split by MTTFd of each channel = low / medium / high]

The graph shows that the achieved PL = e.
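The quantitative part of steps 3 to 5 (n_op from the duty data, MTTFd from B10d, parts count per channel, DCavg, banding and PL look-up), carried through in code for the two-channel example on these slides. This is an added example, not code from the original presentation or from Schneider Electric; the device data are the slide values (B10 of 10.000.000 for the switches and 1.000.000 for the contactors, MTTFd 72,2 years for the XPS module, DC 99% everywhere), the MTTFd and DC bands are those of Annex 2, and the simplified category/DCavg/MTTFd-to-PL table is the one of EN ISO 13849-1 (Table 7), which the figure above visualises.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Part:
    name: str
    dc: float                        # diagnostic coverage as a fraction (0.99 = 99 %)
    b10: Optional[int] = None        # B10 from the supplier catalogue (cycles), if given
    mttfd: Optional[float] = None    # MTTFd in years, if the supplier gives it directly


def annual_operations(d_op: int, h_op: float, t_cycle_s: float) -> float:
    """n_op = (d_op * h_op * 3600 s/h) / t_cycle  (Annex 3)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10(b10: int, n_op: float, dangerous_fraction: float = 0.5) -> float:
    """MTTFd = B10d / (0,1 * n_op) with B10d = B10 / dangerous fraction (Annex 3).
    If the dangerous fraction is unknown the standard allows 50 %, i.e. B10d = 2 * B10."""
    b10d = b10 / dangerous_fraction
    return b10d / (0.1 * n_op)


def part_mttfd(part: Part, n_op: float) -> float:
    """Hierarchy of Annex 2: supplier MTTFd first, otherwise compute it from B10."""
    if part.mttfd is not None:
        return part.mttfd
    if part.b10 is None:
        raise ValueError(f"{part.name}: neither MTTFd nor B10 available")
    return mttfd_from_b10(part.b10, n_op)


def channel_mttfd(mttfds: list) -> float:
    """Parts count method: 1/MTTFd_channel = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in mttfds)


def dc_avg(parts: list) -> float:
    """DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i) over (DC_i, MTTFd_i) pairs.
    Rounded to 0.01 % so that equal DCs do not land a float ulp below a band limit."""
    num = sum(dc / m for dc, m in parts)
    den = sum(1.0 / m for _, m in parts)
    return round(num / den, 4)


def mttfd_level(mttfd_years: float) -> str:
    """Annex 2, Table 1. 100 years and above are still 'high'; below 3 years is not usable."""
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years is not permitted")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_level(dc: float) -> str:
    """Annex 2, Table 2."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Simplified procedure of EN ISO 13849-1 (Table 7):
# (category, DCavg level) -> {MTTFd level of each channel: PL}.
# Combinations missing here (e.g. category 4 with DCavg medium) are not permitted.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}


def achieved_pl(category: str, dc_avg_value: float, mttfd_years: float) -> Optional[str]:
    """Step 5 look-up; None means the category/DCavg/MTTFd combination is not permitted."""
    row = PL_TABLE.get((category, dc_level(dc_avg_value)), {})
    return row.get(mttfd_level(mttfd_years))


def evaluate_page_example() -> dict:
    """Steps 4.2 to 5 for one channel of the slide example (both channels are equal)."""
    n_op = annual_operations(d_op=220, h_op=8, t_cycle_s=90)        # 70400 operations/year
    channel = [Part("SW1", dc=0.99, b10=10_000_000),                 # interlocking switch
               Part("XPS", dc=0.99, mttfd=72.2),                     # safety module
               Part("CON1", dc=0.99, b10=1_000_000)]                 # contactor
    m = [part_mttfd(p, n_op) for p in channel]                       # about 2840 / 72,2 / 284
    ch = channel_mttfd(m)                                            # about 56,4 years
    dca = dc_avg([(p.dc, mi) for p, mi in zip(channel, m)])          # 0.99
    return {"n_op": n_op, "mttfd_parts": m, "mttfd_channel": ch, "dc_avg": dca,
            "mttfd_level": mttfd_level(ch), "dc_level": dc_level(dca),
            "pl": achieved_pl("4", dca, ch)}                         # "e"


if __name__ == "__main__":
    for k, v in evaluate_page_example().items():
        print(f"{k}: {v}")
```

The same functions can be reused for any other architecture in Table 7: change the category string, the part list and the duty data, and `achieved_pl` returns `None` when the chosen structure is not permitted with the resulting DCavg and MTTFd bands, which is exactly the case the simplified procedure refuses to rate.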

STEP 6: Validation

The design of the SRP/CS shall be validated. The validation shall demonstrate that the combination of SRP/CS providing each safety function meets all the relevant requirements of EN ISO 13849-1. The details of the validation can be found in EN ISO 13849-2.

Annex 1: Risk graph

EN ISO 13849-1 refers to ISO 14121 (EN 1050) regarding the risk assessment. The safety requirements for a control system contributing to the reduction of risk can be determined with the risk graph from Annex A of EN ISO 13849-1:

[Risk graph: Required Performance Level (PLr). Starting point for the evaluation of the contribution to the risk reduction of a safety function; branches S1/S2 -> F1/F2 -> P1/P2 lead to PLr a, b, c, d or e (a = low contribution to risk reduction, e = high contribution to risk reduction)]

S = Severity of injury
  S1 = Slight (normally reversible) injury
  S2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard
  F1 = Seldom to less often and/or the exposure time is short
  F2 = Frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm
  P1 = Possible under specific conditions
  P2 = Scarcely possible

Annex 2: Category, structure and behaviour

Category B: When a fault occurs it can lead to the loss of the safety function.
  [Diagram: Input -i_m-> Logic -i_m-> Output]

Category 1: When a fault occurs it can lead to the loss of the safety function, but the MTTFd of each channel in category 1 is higher than in category B. Consequently the loss of the safety function is less likely.
  [Diagram: Input -i_m-> Logic -i_m-> Output]

Category 2: The system behaviour allows that the occurrence of a fault can lead to the loss of the safety function between the checks; the loss of the safety function is detected by the check.
  [Diagram: Input -i_m-> Logic -i_m-> Output, with test equipment monitoring the logic and a test equipment output]

Category 3: SRP/CS to category 3 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function. Whenever reasonably possible the single fault shall be detected at or before the next demand upon the safety function.
  [Diagram: Input 1 -i_m-> Logic 1 -i_m-> Output 1 and Input 2 -i_m-> Logic 2 -i_m-> Output 2, with cross monitoring between Logic 1 and Logic 2]

Category 4: SRP/CS to category 4 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function, and the single fault is detected at or before the next demand upon the safety function, e.g. immediately, at switch-on, at the end of a machine operation cycle. If this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  [Diagram: same two-channel structure with cross monitoring as category 3]

Annex 2: Mean Time to dangerous Failure (MTTFd)

The value of MTTFd of each channel is given in three levels and shall be taken into account for each channel (e.g. single channel, each channel of a redundant system) individually.

Denotation of mean time to dangerous failure | Range of MTTFd
low | 3 years <= MTTFd < 10 years
medium | 10 years <= MTTFd < 30 years
high | 30 years <= MTTFd < 100 years
Table 1

For the estimation of the MTTFd of a component the hierarchical procedure to find data shall be:
1. use manufacturer's data;
2. use the methods of Annexes C and D of EN ISO 13849-1;
3. choose 10 years.

Annex 2: Diagnostic Coverage (DC)

The value of the diagnostic coverage (DC) is given in four levels:

Denotation of diagnostic coverage | Range of DC
none | DC < 60%
low | 60% <= DC < 90%
medium | 90% <= DC < 99%
high | 99% <= DC
Table 2

For the estimation of DC in most cases Failure Mode and Effects Analysis (FMEA) or similar methods can be used. Examples of DC for functions and modules can be found in Annex E of EN ISO 13849-1.

Annex 2: Common Cause Failure (CCF)

The common cause failures (CCF) should also be taken into account (see Annex F of EN ISO 13849-1). In categories B and 1 the common cause failures (CCF) are not relevant.

Examples of measures against CCF:
- separation
- diversity
- prevention of contamination and electromagnetic compatibility (EMC)

Annex 3: MTTFd calculation for components from the B10

For electromechanical, mechanical, pneumatic or hydraulic devices the supplier should normally provide the MTTFd or the B10d values (mean number of cycles until ten percent of the components fail dangerously). Where this data is not available the calculation of the MTTFd from the B10 may be necessary: if the dangerous fraction of B10 is not given, 50% of B10 may be used, so B10d = 2 x B10 is recommended.

With B10d and the mean number of annual operations (n_op) the MTTFd for components can be calculated as:

  MTTFd = B10d / (0,1 x n_op)

n_op can be calculated as:

  n_op = (d_op x h_op x 3600 s/h) / t_cycle

where d_op = mean operation days per year, h_op = mean operation hours per day, t_cycle = mean time between the beginning of two successive cycles.

Annex 4: The overall PL for a combination of SRP/CS

If the PL of each SRP/CS in a combination is known, the new, complex calculation of the overall performance level achieved can be avoided. For a serial alignment of SRP/CS the following estimation is presented:

Example: SRP/CS 1 with PL1 = d, SRP/CS 2 with PL2 = e, SRP/CS 3 with PL3 = d.
1. Identify the lowest PL, this is PLlow: PLlow = d
2. Identify the number Nlow of SRP/CS with PLlow: Nlow = 2
3. Look up the PL in the following table: PL = d

PLlow | Nlow | PL
a | > 3 | No, not allowed
a | <= 3 | a
b | > 2 | a
b | <= 2 | b
c | > 2 | b
c | <= 2 | c
d | > 3 | c
d | <= 3 | d
e | > 3 | d
e | <= 3 | e
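Step 2 (PLr from the risk graph of Annex 1), the series combination rule of Annex 4 and the step 5 comparison PL >= PLr, written out as code. This is an added example, not from the original slides or from the presenter; the branch-to-PLr mapping is that of the risk graph in Annex A of EN ISO 13849-1 (the slide figure shows the same graph), and the combination limits are the table of Annex 4 above.

```python
from typing import Optional

PL_ORDER = "abcde"   # PL a is the lowest contribution to risk reduction, e the highest

# Risk graph of EN ISO 13849-1 Annex A: (S, F, P) branch -> required PL.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Annex 4 table: PLlow -> (largest Nlow that keeps PLlow, PL when Nlow exceeds it).
# None means the combination is not allowed (more than three PL a parts in series).
COMBINATION_LIMITS = {
    "a": (3, None),
    "b": (2, "a"),
    "c": (2, "b"),
    "d": (3, "c"),
    "e": (3, "d"),
}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Step 2: walk the risk graph with the S, F and P answers."""
    return RISK_GRAPH[(severity, frequency, avoidance)]


def combined_pl(pls: list) -> Optional[str]:
    """Annex 4: overall PL of SRP/CS arranged in series.
    1. lowest PL, 2. count how often it occurs, 3. look up the table."""
    if not pls:
        raise ValueError("a safety function needs at least one SRP/CS")
    pl_low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(pl_low)
    limit, degraded = COMBINATION_LIMITS[pl_low]
    return pl_low if n_low <= limit else degraded


def pl_meets_requirement(pl_achieved: Optional[str], pl_required: str) -> bool:
    """Step 5: PL >= PLr; a not-allowed combination (None) never passes."""
    if pl_achieved is None:
        return False
    return PL_ORDER.index(pl_achieved) >= PL_ORDER.index(pl_required)


def check_annex4_example() -> dict:
    """The slide example: PL1 = d, PL2 = e, PL3 = d gives PLlow = d, Nlow = 2, PL = d.
    Against the PLr = e of the guard example (S2, F2, P2) this chain would not be enough."""
    plr = required_pl("S2", "F2", "P2")          # "e"
    pl = combined_pl(["d", "e", "d"])            # "d"
    return {"plr": plr, "pl": pl, "ok": pl_meets_requirement(pl, plr)}   # ok: False


if __name__ == "__main__":
    print(check_annex4_example())
```

Note that `combined_pl` applies the Annex 4 short-cut only; it says nothing about the category, DCavg or MTTFd of the individual SRP/CS, which must already have been rated (step 4) before their PLs are combined.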

Glossary

Safety-Related Parts of Control Systems (SRP/CS): A part of a control system that responds to input signals and generates safety-related output signals.

Category: The classification of safety-related parts of a control system with respect to their resistance to faults and their behaviour in the fault condition, which is achieved by the structural arrangement of the parts, by fault detection and/or by their reliability.

Performance Level (PL): The ability of safety-related parts to perform a safety function under foreseeable conditions (which should be taken into account) in order to fulfil the expected risk reduction. The performance level is indicated in five possible discrete levels from a to e according to Table 1.

Safety Integrity Level (SIL): One of three possible discrete levels for specifying the safety integrity requirements to be allocated to the safety-related electrical control system (SRECS), where SIL 3 has the highest level of safety integrity for machinery and SIL 1 the lowest.

Mean Time To dangerous Failure (MTTFd): Expectation of the mean time to dangerous failure.

Diagnostic Coverage (DC): The DC is a measure of the effectiveness of the diagnostics; it may be determined as the ratio between the rate of the detected dangerous failures (λDD) and the rate of the total dangerous failures (λD):
  DC = Σ λDD / Σ λD,total

Common Cause Failure (CCF): The CCF factor β is a measure for a failure which is the result of one or more events causing the coincident failure of two or more separate channels in a multiple-channel (redundant architecture) subsystem, leading to the failure of a safety function.

Glossary

Risk: Combination of the probability of the occurrence of a harm and the severity of that harm.

Risk assessment: Overall process comprising risk analysis and risk evaluation.

Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation.

Risk evaluation: Judgment, on the basis of the risk analysis, of whether the risk reduction objectives have been achieved.

Low-complexity component: Component in which the failure modes are well defined and the behaviour under fault conditions can be completely defined.

Complex component: Component in which the failure modes are not well defined or the behaviour under fault conditions cannot be completely defined.