Background Statement for SEMI Draft Document 5000
REVISION TO SEMI S2, ENVIRONMENTAL, HEALTH, AND SAFETY GUIDELINE FOR SEMICONDUCTOR MANUFACTURING EQUIPMENT
Addition of Related Information to S2: Selection of Interlock Reliability

Notice: This background statement is not part of the balloted item. It is provided solely to assist the recipient in reaching an informed decision based on the rationale of the activity that preceded the creation of this Document.

Notice: Recipients of this Document are invited to submit, with their comments, notification of any relevant patented technology or copyrighted items of which they are aware and to provide supporting documentation. In this context, patented technology is defined as technology for which a patent has issued or has been applied for. In the latter case, only publicly available information on the contents of the patent application is to be provided.

Background
This Related Information is being added to create awareness of how the reliability level of an interlock is selected. Originally, examples would also have been added; because a joint working group for the standards mentioned in this RI is now working on examples, they will be added later. Details of how to design and calculate the reliability of interlocks are not covered here and can be found in the referenced standards.
Review and Adjudication Information

Item                  | Task Force Review                        | Committee Adjudication
Group:                | S2 Interlock Reliability TF             | NA EHS Committee
Date:                 | Monday, April 2, 2012                   | Thursday, April 5, 2012
Time & Timezone:      | 1430-1600, Pacific Time                 | 0900-1800, Pacific Time
Location (tentative): | SEMI Headquarters                       | SEMI Headquarters
City, State/Country:  | San Jose, CA, USA                       | San Jose, CA, USA
Leader(s):            | Bert Planting (ASML)                    | Chris Evanston (Salus)
                      | Tom Pilz (Pilz Automation)              | Sean Larsen (Lam Research AG)
                      |                                         | Eric Sklar (Safety Guru, LLC)
Standards Staff:      | Paul Trio (SEMI NA)                     | Paul Trio (SEMI NA)
                      | 408.943.7041 ptrio@semi.org             | 408.943.7041 ptrio@semi.org
                      | James Beasley (ISMI)                    |

This meeting's details are subject to change, and additional review sessions may be scheduled if necessary. Contact the task force leaders or Standards staff for confirmation. Telephone and web information will be distributed to interested parties as the meeting date approaches. If you will not be able to attend these meetings in person but would like to participate by telephone/web, please contact Standards staff.
Safety Checklist for SEMI Draft Document 5000
REVISION TO SEMI S2, ENVIRONMENTAL, HEALTH, AND SAFETY GUIDELINE FOR SEMICONDUCTOR MANUFACTURING EQUIPMENT
Addition of Related Information to S2: Selection of Interlock Reliability

Developing/Revising Body
Name/Type: S2 Interlock Reliability Task Force
Technical Committee: EHS
Region: Europe / North America

Leadership
Position | Last     | First | Affiliation
Leader   | Planting | Bert  | ASML
Leader   | Pilz     | Tom   | Pilz Automation

Standards used:
1. ISO 13849-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design (ISO 13849-1:2006, IDT)
2. IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
3. EN 954-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design. Note: this has been superseded by ISO 13849-1.
4. European ATEX directive: 94/9/EG
5. IEC/TR 62061-1: Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems
6. SEMI S10: Safety guideline for risk assessment and risk evaluation process

Team members
Name                        | Company             | E-mail
Bert Planting (TF leader)   | ASML                | Bert.Planting@ASML.com
Thomas Pilz                 | Pilz GmbH & Co. KG  | t.pilz@pilz.de
Brian McMorris              | SICK, Inc.          | Brian.McMorris@sick.com
Mark Fessler                | Tokyo Electron      | mark.fessler@us.tel.com

Contributors
Name                        | Company             | E-mail
Eric Sklar                  | Safety Guru         | sklar@safetyguru.com
Cliff Greenberg             | Nikon               | cgreen@nikon.com
Ken Mills                   | Estec Solutions     | kmills@estecsolutions.com
Joe Barsky                  | Lewis Bass Int.     | joe.barsky@lewisbass.com
Sean Larsen                 | Cymer               | splarsen@gmail.com
Mark Frankfurth             | Cymer               | Mark_Frankfurth@cymer.com
Ken Kapur                   | KLA-Tencor          | ken.kapur@kla-tencor.com
Matthew Grinn               | TEL                 | Matthew.Gwinn@us.tel.com
Shigehito Ibuka             | TEL                 | shigehito.ibuka@tel.com
Paul Kelly                  | Estec Solutions     | pkelly@estecsolutions.com
Carl Wong                   | AKT                 | carl_wong@amat.com
Debbie Sawyer               | Semitool            | dsawyer@semitool.com
Lauren Crane                | KLA                 | Lauren.Crane@kla-tencor.com
Sunny Rai                   | Intertek            | sunny.rai@intertek.com
Alan Crockett               | KLA-Tencor          | alan.crockett@kla-tencor.com
Ron Birrel                  | TUV-Sud             | rbirrell@tuvam.com
Horrey Hum                  | ESTEC solutions     | hhum@estecsoutions.com
Steve Baldwin               | Lewis Bass          | Steve.baldwin@lewisbass.com
Sandeep Bendale             | Lewis Bass          | sandeep@lewisbass.com
Raymond McDaid              | Lam Research        | Raymond.mcdaid@lamresearch.com
Alan Krov                   | TEL                 | Alan.krov@us.tel.com
David Saxton                | TUV                 | dsexton@ustuv.com
Mark Bogner                 | TUV-Sud             | Mark.bogner@tus-sud.jp
Kyle Lebouitz               | Xactix              | kylel@xactix.com
Paul Breder                 | ESTEC solutions     | pbreder@estecsolutions.com
Byron Yakimov               | Cymer               | byakimov@cymer.com
Ron Macklin                 | R. Macklon assoc.   | ron@rmacklinandassociates.com
Joe Basky                   | Intertek            | Joseph.barsky@intertek.com
Samir Sleiman               |                     | SSleiman22@gmail.com
Chris Evenston              | Salus               | Chris.evenston@salusengineering.com
Mark Bogner                 | TUV Sud             | Mark.bogner@TUV-Sud.jp
Lindy Austin                | Salus               | Lindy.Austin@salusengineering.com
Alan Crocket                | KLA                 | Alan.crocket@KLA-tencor.com
Ron Birrell                 | TUV Sud             | RBirrell@TUVAM.com
Ken Kuwatani                | TUV Sud             | KKuwatani@TUV.am.com
Rich Petronio               | VEECO               | Rpetrtronio@Veeco.com
Ton Vang                    | LAM                 | Ton.Vang@lamresearch.com
Nigusu Ergete               | Intertek/GS3        | Nigusu.ergete@intertek.com
Paul Breder                 | Estec               | pbreder@estecsolutions.com
Raymond McDaid              | LAM Research        | Raymond.mcdaid@lamresearch.com
Addition of Related Information to S2: Selection of Interlock Reliability

R1-1 Purpose
R1-1.1 Explain how several different standards on interlock reliability are related and how they determine the reliability performance of a safety interlock. This RI also provides a comparison among the definitions of reliability levels in the several standards.

R1-2 Limitations
R1-2.1 This RI does not provide details of the calculations that determine the reliability of an interlock system.

R1-3 Referenced Standards and Documents
ISO 13849-1 - Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design (ISO 13849-1:2006, IDT)
IEC 62061 - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
EN 954-1 - Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
NOTE 1: EN 954-1 has been superseded by ISO 13849-1.
European ATEX directive 94/9/EG
IEC/TR 62061-1 - Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems
IEC 61496 - Safety of machinery - Electro-sensitive protective equipment
IEC 61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
SEMI S10 - Safety guideline for risk assessment and risk evaluation process

R1-4 Introduction
R1-4.1 Interlocks are used to reduce the risk of harm to people. Several standards require different levels of interlock reliability depending on the risk. Risk is evaluated on several factors, such as:
- the frequency with which people are expected to be harmed
- the severity of the harm
- whether there is a possibility to notice the risk and avoid the harm
There are several standards that describe what reliability is required of an interlock.
Other standards (e.g., robot standards) refer to these basic reliability standards for the required reliabilities.
R1-4.2 This RI is limited to the selection of the reliability. Information about how reliability can be determined or calculated can be found in the referenced standards.
R1-4.3 Depending on the standard, the criteria for the interlock selection are based on harm to people, sometimes combined with damage to equipment or installations.

R1-5 Relation between SEMI S10 and interlock reliability selection
R1-5.1 SEMI S10 is used for risk identification, ranking and evaluation. When a risk is identified that needs mitigation (e.g., the S10 risk ranking is Medium or higher), several options are possible (e.g., change the design, add protection, use interlocks, ...). If the mitigation is done by using interlocks, these should have a reliability level that is suitable for the mitigation that is required.
R1-5.2 After the mitigation has been implemented, a new risk assessment should be carried out.
Remark: Interlock reliability should be based on the risk. The standards ISO 13849-1 and IEC 62061 are two possible ways to determine the required reliability level.

Figure R1-1 Relation between SEMI S10 and interlock selection
R1-6 Selection of the interlock system standard
R1-6.1 Because there are many types of interlocks, each standard has its own application and use.

Standard | Typical use | Components covered | Remarks
ISO 13849-1: Safety of machinery - Safety-related parts of control systems | Calculation of the reliability of individual components and of a complete interlock control system | All electromechanical, electrical, valves, control systems | ISO 13849-2 provides information on how to calculate the reliability of all types of components
IEC 62061: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems | Calculation of the reliability of a complete interlock control system | Electromechanical, control system | Used for complete-system qualification
EN 954-1: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design | Reliability based on component reliability and the architecture of the safety system | All electromechanical, electrical, valves, control systems | Superseded by ISO 13849-1
European ATEX directive: 94/9/EG | Defines reliability levels for components that need to be used in explosive atmospheres | Special requirements for components that need to be used in explosive atmospheres | Components used in explosive atmospheres need to be CE marked

R1-7 Interlock selection based on ISO 13849-1
This standard uses a decision tree to estimate the required performance level (PLr) for the interlock design. Before the risk estimation can be done, it is important to clearly understand the hazard scenario that exists if the safety function is not available (fails). Remember that risk reduction by other technical measures independent of the control system (e.g., mechanical guards, administrative controls, LOTO, PPE) can be taken into account in determining PLr.
There are 3 parameters that the safety review team needs to know about, related to the machinery hazards during operation, maintenance and service, in order to determine the required Performance Level:

Severity of the injury (S)
- S1: slight, normally reversible injury
- S2: serious, normally irreversible injury or death

Frequency and/or exposure to the hazard (F)
- F1: seldom to less often and/or exposure time is short
- F2: frequent to continuous and/or exposure time is long

Possibility of avoiding the harm or limiting the harm (P)
- P1: possible under specific conditions
- P2: scarcely possible

NOTE 2: Although the standard uses "and/or" in its definition of the frequencies, the SEMI working group believes these should be:
- F1: seldom to less often and exposure time is short
- F2: frequent to continuous or exposure time is long
Figure R1-2 ISO 13849-1 Decision Tree

R1-7.1 The reliability in ISO 13849-1 is expressed in performance levels (PL) a, b, c, d or e, with increasing reliability. These five discrete levels (a, b, c, d and e) are then used to specify the minimum design requirements for the safety-related parts of a control system (e.g., a safety interlock) to ensure they perform their function under foreseeable use and misuse conditions. This must be done for each safety function; note that it is not only required for electrical interlocks but for pneumatic, hydraulic and mechanical interlocks as well.
R1-7.2 The initial estimation (per Figure R1-2) of the required performance level for the interlock's design is only the beginning of the total design process. The design engineer(s) must then decide how robustly the safety control system is to be built to mitigate the hazard to the PLr previously defined by the safety team. This important decision is based upon 3 things:
- How will the structural layout of the control system be chosen?
- Will the safety control system have any monitoring / fault detection?
- How will the component reliability requirements be chosen and met?
R1-7.3 The standard introduces 4 parameters that the designers need to know about their safety interlock circuit / control system in order to determine the achieved Performance Level (PL):
R1-7.3.1 Control System Category
R1-7.3.1.1 This is the classification of the safety interlock's architecture based on the structural arrangement of parts, fault detection and the reliability of the parts selected. These control categories were originally defined in EN 954-1 (CAT B, CAT 1, CAT 2, CAT 3 and CAT 4).
R1-7.3.2 MTTFd
R1-7.3.2.1 Mean Time to Dangerous Failure (in years). The MTTFd is the average time in which a failure that would lead to a dangerous situation occurs in the interlock circuit.
The MTTFd is considered to be Low (3 to 10 years), Medium (10 to 30 years) or High (more than 30 years).
R1-7.3.3 DCavg, Average Diagnostic Coverage (%)
R1-7.3.3.1 The DCavg is the proportion (%) of dangerous failures that can be detected by the safety interlock's design (SRP/CS), compared to all conceivable dangerous failures, both detectable and undetectable. It is determined by how frequently and accurately the system performs self-diagnosis, and what action it takes if it senses something wrong. The DC is considered to be: none (< 60%), Low (60% to < 90%), Medium (90% to < 99%) or High (99% or more detected).
R1-7.3.4 CCF, Common Cause Failure
R1-7.3.4.1 CCF can be thought of as an indicator of whether sound engineering practices were followed to ensure that the parallel channels of the safety interlock are not defeated by a common cause. ISO 13849-1 uses a standard PASS/FAIL checklist to help the designer justify that basic measures to prevent common-cause failures have been included. Technical measures for avoiding CCF are required when justifying the SRP/CS as a CAT 2, 3 or 4 architecture; CCF is not relevant for the single-channel CAT B or CAT 1 architectures.
R1-7.4 ISO 13849-1 then uses mathematical techniques, with grouping of the parameters into bands, to estimate the safety interlock's achieved performance level based on these 4 basic interlock design factors.

Figure R1-3 Overview of ISO 13849-1 Design Validation Process

R1-7.5 The standard provides both a tabular (refer to Table R1-1 below) and a graphical way to estimate the achieved PL of a single channel. Design validation occurs when the achieved PL is greater than or equal to the required performance level (PLr). If this is not the case, a design modification or iteration is necessary.

Table R1-1 Simplified relation between PL and Category levels
(Simplified relation between the achieved PL and the other design parameters: Category, Average Diagnostic Coverage (DCavg) and Mean Time to Dangerous Failure (MTTFd))

Category | DCavg  | MTTFd Low   | MTTFd Medium | MTTFd High
B        | None   | a           | b            | Not covered
1        | None   | Not covered | Not covered  | c
2        | Low    | a           | b            | c
2        | Medium | b           | c            | d
3        | Low    | b           | c            | d
3        | Medium | c           | d            | d
4        | High   | Not covered | Not covered  | e

NOTE 3: More detailed information about the comparison between performance levels and the design parameters of the safety interlock can be found in ISO 13849-1.
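The ISO 13849-1 loop described in R1-7 (estimate PLr from S/F/P, estimate the achieved PL from Category, DCavg and MTTFd, then validate) can be written down as a small calculator. The following is an added example written for this RI; it is not part of the SEMI document and not an implementation from any standard. The S/F/P to PLr mapping is taken from the ISO 13849-1 risk graph (Figure A.1 of the standard), which this document references as Figure R1-2 but does not reproduce; the achieved-PL mapping is Table R1-1; the MTTFd and DCavg bands are those stated in R1-7.3.2 and R1-7.3.3. The scenario values in the main block are constructed.

```python
"""ISO 13849-1 style PLr estimation and achieved-PL validation (added example)."""

PL_ORDER = "abcde"  # PL a (lowest reliability) .. PL e (highest)

# Risk graph of ISO 13849-1 (Figure A.1): (S, F, P) -> required PL.
# Assumption: this mapping is the standard's risk graph, not shown on the page.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}


def required_pl(severity, frequency, avoidance):
    """Walk the risk graph for one safety function and return PLr."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"unknown risk-graph parameters {key}")
    return RISK_GRAPH[key]


def mttfd_band(years):
    """R1-7.3.2.1 bands: Low 3..<10 years, Medium 10..<30, High >= 30; below 3 is unusable."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(percent):
    """R1-7.3.3.1 bands: none < 60 %, Low 60..<90 %, Medium 90..<99 %, High >= 99 %."""
    if percent < 60:
        return "none"
    if percent < 90:
        return "low"
    if percent < 99:
        return "medium"
    return "high"


# Table R1-1: (Category, DCavg band) -> achieved PL for MTTFd (low, medium, high).
# None marks a combination the simplified table does not cover.
SIMPLIFIED_PL = {
    ("B", "none"):   ("a",  "b",  None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a",  "b",  "c"),
    ("2", "medium"): ("b",  "c",  "d"),
    ("3", "low"):    ("b",  "c",  "d"),
    ("3", "medium"): ("c",  "d",  "d"),
    ("4", "high"):   (None, None, "e"),
}
MTTFD_COLUMN = {"low": 0, "medium": 1, "high": 2}


def achieved_pl(category, mttfd_years, dc_percent, ccf_measures_ok=True):
    """Look up the achieved PL; None means 'not covered', i.e. the design must be iterated."""
    category = str(category).upper()
    # R1-7.3.4.1: CAT 2/3/4 depend on monitoring or redundancy, so the CCF checklist must pass.
    if category in ("2", "3", "4") and not ccf_measures_ok:
        return None
    band = mttfd_band(mttfd_years)
    if band is None:
        return None
    row = SIMPLIFIED_PL.get((category, dc_band(dc_percent)))
    if row is None:
        return None
    return row[MTTFD_COLUMN[band]]


def design_validated(plr, pl):
    """R1-7.5: validation passes when the achieved PL is at least the required PL."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def assess_safety_function(severity, frequency, avoidance,
                           category, mttfd_years, dc_percent, ccf_measures_ok=True):
    """Run the complete loop once: PLr, achieved PL and the validation verdict."""
    plr = required_pl(severity, frequency, avoidance)
    pl = achieved_pl(category, mttfd_years, dc_percent, ccf_measures_ok)
    return {"PLr": plr, "PL": pl, "validated": design_validated(plr, pl)}


if __name__ == "__main__":
    # Constructed scenario: serious injury possible, seldom exposure, avoidance
    # possible under specific conditions -> PLr c; a CAT 3 design with medium
    # MTTFd and medium DCavg reaches PL d and passes validation.
    print(assess_safety_function("S2", "F1", "P1", category=3, mttfd_years=20, dc_percent=90))
    # A CAT B single channel without diagnostics is capped at PL b, so it cannot
    # satisfy PLr d no matter how high its MTTFd is.
    print(assess_safety_function("S2", "F1", "P2", category="B", mttfd_years=50, dc_percent=0))
```

The `None` results are deliberate: a combination that Table R1-1 does not cover, an MTTFd below 3 years, or a failed CCF checklist on a redundant architecture all mean that no PL can be claimed and the design iteration of Figure R1-3 is needed, rather than a lower PL being silently assigned.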
R1-8 Interlock selection based on IEC 62061
R1-8.1 This standard uses the severity of harm (Se) and a class (Cl) for the probability of occurrence of the harm.
R1-8.2 Severity (Se) is divided into 4 levels, as shown in Table R1-2:

Table R1-2 Severity levels (Se)
Severity level | Consequence
1 | Reversible: requiring first aid only
2 | Reversible injury, including severe lacerations, stabbing and severe bruises, that requires attention from a medical practitioner (Reversible: requiring attention from a medical practitioner)
3 | Irreversible injury such that it can be possible to continue work after healing. It can also include a severe major but reversible injury such as broken limbs
4 | Irreversible: death, losing an eye or limb

R1-8.2.2 The class of probability of occurrence of harm (Cl) is a function of:
- frequency and duration of the exposure of persons to the hazard (Fr), 7.2.2;
- probability of occurrence of a hazardous event arising from human and machine behavior (Pr), 7.2.3;
- probability of avoiding the risk or limiting the harm (Av), 7.2.4.
R1-8.2.3 Frequency and duration of the exposure of persons to the hazard
R1-8.2.3.1 Frequency and duration of the exposure of persons to the hazard is based on how often persons are exposed and for how long they are exposed. Table R1-3 provides the values of Fr for various frequencies and durations.
R1-8.2.3.2 The frequency of exposure is divided into 5 levels of time between exposures.
R1-8.2.3.3 The duration for which people are exposed to the hazard is divided into 2 levels: less than 10 minutes per occurrence and 10 minutes or more per occurrence.

Table R1-3 Frequency and duration of exposure (Fr)
Frequency (time between exposures) | Duration < 10 min | Duration >= 10 min
<= 1 hour                          | 5                 | 5
> 1 hour to 1 day                  | 4                 | 5
> 1 day to 2 weeks                 | 3                 | 4
> 2 weeks to 1 year                | 2                 | 3
> 1 year                           | 1                 | 2

R1-8.2.4 Probability of occurrence of a hazardous event arising from human and machine behavior (Pr): this factor is an estimation of the behavior of the machine and the foreseeable characteristics of human behavior.
R1-8.2.4.1 The machine behavior will vary from very predictable to not predictable, but unexpected events cannot be discounted. Consider the predictability of the behavior of the component parts of the machine relevant to the hazard in the different modes of use (e.g., normal operation, maintenance, fault finding).
R1-8.2.4.2 Characteristics of human behavior that should be taken into account include stress and lack of awareness. These are influenced by factors such as skills, training, experience and the complexity of the machine.
NOTE 4: Skills and training should be stated in the documentation for use.

Table R1-4 Probability classification
Probability of occurrence | Probability of occurrence factor (Pr)
Very high                 | 5
Likely                    | 4
Possible                  | 3
Rarely                    | 2
Negligible                | 1

R1-8.2.5 Probability of avoiding or limiting the harm (Av). This factor can be estimated taking into account aspects of the machine such as the sudden, fast or slow appearance of the hazardous event, the clearance available to withdraw from the hazard, the nature of the system (e.g., a cutting machine will have a sharp edge, a heating system will have hot surfaces, ...) and the possibility of recognizing the hazard (an electrical hazard can only be recognized by using a meter; noise when a motor starts).

Table R1-5 Probability of avoiding or limiting harm
Probability of avoiding or limiting harm | Probability of avoiding or limiting harm factor (Av)
Impossible                               | 5
Rarely                                   | 3
Probable                                 | 1

R1-8.2.6 Each probability function gets a rating, and the class of probability of occurrence of harm (Cl) is the sum of frequency and duration (Fr), probability of occurrence (Pr) and possibility of avoidance (Av):
Cl = Fr + Pr + Av
R1-8.2.7 The SIL requirement is given in Table R1-6.

Table R1-6 SIL requirement
Severity (Se) | Cl 3-4 | Cl 5-7 | Cl 8-10 | Cl 11-13 | Cl 14-15
4             | SIL 2  | SIL 2  | SIL 2   | SIL 3    | SIL 3
3             | #1     | #1     | SIL 1   | SIL 2    | SIL 3
2             | #1     | #1     | #1      | SIL 1    | SIL 2
1             | #1     | #1     | #1      | #1       | SIL 1
#1: For these levels other measures may be appropriate (e.g., PL a).

R1-8.3 The calculation of the SIL levels is based on the architecture of the design and the reliability data of the chosen components. Details can be found in IEC 62061.

R1-9 Interlock selection based on EN 954-1
R1-9.1 This section is for reference only, because EN 954-1 has been replaced by ISO 13849-1.
R1-9.2 The hardware requirements of EN 954-1 were based on hardware structure and fault tolerance.
R1-9.3 The required interlock reliability is determined in a decision diagram using the severity of possible harm, the frequency of exposure and the possibility of avoidance.
R1-9.4 The definitions of severity, frequency and possibility of avoidance are identical to those of ISO 13849-1 (see R1-6.1).
Figure R1-4 Interlock category selection based on EN 954-1

R1-10 Other standards that might be useful
R1-10.1 The European legislation for explosive atmospheres (ATEX) also defines the reliability of the components that can be used in areas with an explosion risk. This risk assessment is based on the substances used and the time a hazardous atmosphere is present. Details of the requirements can be found in 4.2.4.
R1-10.2 The IEC 61508 series provides information and requirements if PLCs and logic are used. Preferably, a software application used for safety should be approved by a notified body against this standard.
R1-10.3 IEC 61496-1 provides information on safety components using electro-sensitive protective equipment (e.g., light curtains) and their relation with ISO 13849-1 and IEC 62061.

R1-11 Comparison between the different reliability levels
R1-11.1 IEC/TR 62061-1 provides more information comparing ISO 13849-1 and IEC 62061 and provides an introduction to the calculation of reliability levels. PFHd is an estimated parameter of a subsystem that takes into account the contribution of factors such as diagnostics, proof test interval, resistance to common cause failure and control system architecture (structure). Besides the PFHd, some additional estimations are still necessary to determine the achieved performance level; it is not all about probability mathematics.

Table R1-7 Relationship between SILs and Performance Levels
Performance Level (PL) | Average probability of a dangerous failure per hour (1/h), PFHd | Safety Integrity Level (SIL)
a                      | 10^-5 to < 10^-4                                                | Not defined
b                      | 3*10^-6 to < 10^-5                                              | 1
c                      | 10^-6 to < 3*10^-6                                              | 1
d                      | 10^-7 to < 10^-6                                                | 2
e                      | 10^-8 to < 10^-7                                                | 3
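The IEC 62061 procedure of R1-8 (Fr from Table R1-3, Cl = Fr + Pr + Av, required SIL from Table R1-6) and the PL/PFHd/SIL comparison of Table R1-7 in R1-11 fit together as one required-versus-achieved check. The following is an added example written for this RI, not part of the SEMI document or of IEC 62061: the factor tables are transcribed from Tables R1-3 to R1-7 above, while the frequency-band labels, the achieved PFHd input and the scenario values are assumptions of this example.

```python
"""IEC 62061 style SIL assignment plus the Table R1-7 PL/PFHd/SIL comparison (added example)."""

# Table R1-3: frequency band -> (Fr for duration < 10 min, Fr for duration >= 10 min).
# The band labels are an assumption of this example.
FR_TABLE = {
    "<=1h":   (5, 5),
    ">1h-1d": (4, 5),
    ">1d-2w": (3, 4),
    ">2w-1y": (2, 3),
    ">1y":    (1, 2),
}
PR_TABLE = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}  # Table R1-4
AV_TABLE = {"impossible": 5, "rarely": 3, "probable": 1}                               # Table R1-5

# Table R1-6: rows are Se 4..1, columns the Cl bands; None is the "#1" cell
# (other measures may be appropriate).  SILs are kept as integers so they compare.
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_TABLE = {
    4: [2, 2, 2, 3, 3],
    3: [None, None, 1, 2, 3],
    2: [None, None, None, 1, 2],
    1: [None, None, None, None, 1],
}

# Table R1-7: (lower bound inclusive, upper bound exclusive, PL, SIL).
PFHD_BANDS = [
    (1e-5, 1e-4, "a", None),
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
]


def exposure_factor(frequency_band, duration_minutes):
    """Table R1-3: Fr from the time between exposures and the duration per occurrence."""
    short, long_ = FR_TABLE[frequency_band]
    return short if duration_minutes < 10 else long_


def probability_class(fr, pr, av):
    """R1-8.2.6: Cl = Fr + Pr + Av."""
    return fr + pr + av


def required_sil(se, cl):
    """Table R1-6 lookup; None means the table assigns no SIL (#1)."""
    if se not in SIL_TABLE:
        raise ValueError(f"severity must be 1..4, got {se}")
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_TABLE[se][column]
    raise ValueError(f"Cl {cl} is outside 3..15")


def classify_pfhd(pfhd):
    """Table R1-7: map an achieved PFHd (1/h) to (PL, SIL); (None, None) outside all bands."""
    for low, high, pl, sil in PFHD_BANDS:
        if low <= pfhd < high:
            return pl, sil
    return None, None


def assess(se, frequency_band, duration_minutes, pr_label, av_label, achieved_pfhd):
    """Required SIL from the risk parameters, achieved PL/SIL from PFHd, and the verdict."""
    fr = exposure_factor(frequency_band, duration_minutes)
    pr = PR_TABLE[pr_label]
    av = AV_TABLE[av_label]
    cl = probability_class(fr, pr, av)
    sil_required = required_sil(se, cl)
    pl, sil_achieved = classify_pfhd(achieved_pfhd)
    if sil_required is None:
        meets = True   # "#1" cell: the table demands no SIL; other measures may apply
    else:
        meets = sil_achieved is not None and sil_achieved >= sil_required
    return {"Fr": fr, "Pr": pr, "Av": av, "Cl": cl, "SIL_required": sil_required,
            "PL_achieved": pl, "SIL_achieved": sil_achieved, "meets": meets}


if __name__ == "__main__":
    # Constructed scenario: Se 3, exposure every few days for 30 min, hazardous event
    # likely, avoidance rarely possible -> Cl 11 -> SIL 2.  A subsystem with
    # PFHd = 5e-7 1/h sits in PL d / SIL 2 and meets it; 2e-6 1/h (PL c / SIL 1) does not.
    print(assess(3, ">1d-2w", 30, "likely", "rarely", 5e-7))
    print(assess(3, ">1d-2w", 30, "likely", "rarely", 2e-6))
```

Keeping the SIL cells as integers rather than strings is what makes the final comparison a plain `>=`; the `#1` cells stay `None` so that a design landing there is reported as "no SIL demanded" instead of being compared against a number that the table never assigned.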
NOTICE: Semiconductor Equipment and Materials International (SEMI) makes no warranties or representations as to the suitability of the Standards and Safety Guidelines set forth herein for any particular application. The determination of the suitability of the Standard or Safety Guideline is solely the responsibility of the user. Users are cautioned to refer to manufacturer's instructions, product labels, product data sheets, and other relevant literature, respecting any materials or equipment mentioned herein. Standards and Safety Guidelines are subject to change without notice. By publication of this Standard or Safety Guideline, SEMI takes no position respecting the validity of any patent rights or copyrights asserted in connection with any items mentioned in this Standard or Safety Guideline. Users of this Standard or Safety Guideline are expressly advised that determination of any such patent rights or copyrights, and the risk of infringement of such rights, are entirely their own responsibility.