Functional Example AS-FE-I-013-V13-EN


SIMATIC Safety Integrated for Factory Automation
Practical Application of IEC, Illustrated Using an Application Example with SIMATIC S7 Distributed Safety

Preliminary remark

The Functional Examples dealing with Safety Integrated are fully functional and tested automation configurations based on A&D standard products for simple, fast and inexpensive implementation of automation tasks in safety engineering. Each of these Functional Examples covers a frequently occurring subtask of a typical customer problem in safety engineering. Aside from a list of all required software and hardware components and a description of the way they are connected to each other, the Functional Examples include the tested and commented code. This ensures that the functionalities described here can be reproduced in a short period of time and thus also be used as a basis for individual expansions.

Note

The Safety Functional Examples are not binding and do not claim to be complete regarding the circuits shown, the equipment and any eventuality. The Safety Functional Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are correctly used. These Safety Functional Examples do not relieve you of the responsibility of safely and professionally using, installing, operating and servicing equipment. When using these Safety Functional Examples, you recognize that Siemens cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Safety Functional Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Safety Functional Examples and other Siemens publications (e.g. catalogs), then the contents of the other documents have priority.

As a quality assurance measure for this document, a review was performed by the Center for Quality Engineering. The independent Center for Quality Engineering, accredited according to DIN EN ISO/IEC, confirms that IEC was correctly applied to the Functional Example and implemented.

Further information is available at:

A&D Safety Integrated AS-FE-013-V13-EN 2/142

Table of Contents

Warranty, liability and support
Conventions in the Document
  Terms and abbreviations from IEC
  References in the document
  Orientation in the document
Contents of the Document
  Task of the document
  Structure of the document

INTRODUCTION
Introduction
  Safety of machinery
  Functional safety of a #safety system (SRECS)
Overview of IEC
  Title and status
  Characteristics
  Benefit
  IEC basic standard

IEC BASICS
#Safety-Related Control Function (SRCF)
  #Safety function and SRCF
  Properties of a SRCF
#Safety System (SRECS)
#Safety Integrity Level (SIL)
  Meaning of SIL
  SIL determination
  Achieving the required SIL
#Architectural Constraint
  Meaning of #SIL claim limit (SILCL)
  Requirement view and solution view of the SILCL
  Factors of influence on the SILCL: Hardware fault tolerance (HFT); #Safe failure fraction (SFF)
  Options for determining the SILCL: Finished #subsystem: SILCL determination from the category; Finished #subsystem: SILCL determination from HFT and SFF; Designed #subsystem: SILCL determination from HFT and SFF
#PFH_D Value (PFH_D)
  Meaning of PFH_D
  Correlation: SIL and PFH_D of a SRCF
  Calculating the PFH_D of a SRCF
  Options for determining the PFH_D of a #subsystem: Finished #subsystem: PFH_D determination from the category; Designed #subsystem: PFH_D calculation
  Influence on the PFH_D of a #subsystem: Dangerous failure rate of a #subsystem element (λDe); CCF factor (β); #Diagnostic coverage (DC) and diagnostic test interval (T2); Minimum of lifetime and proof test interval (T1)
  Example: Formula for the PFH_D value of basic subsystem architecture D
#Systematic Safety Integrity

APPLICATION
Application Example
  Problem definition of the application example
  Solution in the application example
Overview of the Application of IEC
  Overview of the steps
  Activities in parallel to all steps
Step 1: Creating #Safety Plan (Objective of the step; Procedure; Application)
Step 2: Performing Risk Analysis (Objective of the step; Procedure; Application)
Step 3: Performing Risk Assessment
  Objective of the step
  Procedure: Assessment of the risk of the hazard; Determination of the required SIL for the SRCF
  Application: Assessment of the risk of the hazard; Determination of the required SIL for the SRCF; Form for risk assessment
Step 4: Developing SRCF Specification (Objective of the step; Procedure; Application)
Step 5: Designing SRECS Architecture
  Objective of the step
  Procedure: Dividing SRCF into #function blocks; Specifying requirements for #function blocks; Assigning #function blocks to #subsystems
  Application: Dividing SRCF into #function blocks; Specifying requirements for #function blocks; Assigning #function blocks to #subsystems
Step 6: Realizing #Subsystems
  Structure of the step
  Objective of the step
  Procedure: Consideration of the #architectural constraint; Consideration of the PFH_D; Consideration of the diagnostics; Consideration of the #systematic safety integrity
Step 6 / Application: Overview of the #Subsystems
Step 6 / Application: Realizing #Subsystem: Design of #subsystem 1 (Detect function block); Consideration of the #architectural constraint; Consideration of the PFH_D (PFH_D calculation; Calculation of the #diagnostic coverage (DC)); Consideration of the diagnostics; Consideration of the #systematic safety integrity; Summary
Step 6 / Application: Realizing #Subsystem: Design of #subsystem 2 (Evaluate function block); Consideration of the #architectural constraint; Consideration of the PFH_D; Consideration of the diagnostics; Consideration of the #systematic safety integrity; Summary
Step 6 / Application: Realizing #Subsystem: Design of #subsystem 3 (React function block); Consideration of the #architectural constraint; Consideration of the PFH_D (PFH_D calculation; Calculation of the #diagnostic coverage (DC)); Consideration of the diagnostics; Consideration of the #systematic safety integrity; Summary
Step 7: Determining SIL Achieved by SRECS
  Objective of the step
  Procedure: Determination of the minimum SILCL of all #subsystems of the SRCF; Determination of the PFH_D of the SRCF; Derivation of the SIL which is achieved with the SRECS; Measures to achieve the required SIL
  Application: Determination of the minimum SILCL of all #subsystems of the SRCF; Determination of the PFH_D of the SRCF; Derivation of the SIL which is achieved with the SRECS
Steps 8 to 12: Implementing SRECS
Step 13: Generating Information for Use (Objective of the step; Procedure)
Step 14: Performing Validation (Objective of the step; Procedure)

APPENDIX
Background Information
  Risk analysis and risk assessment
  CCF factor (β)
  Failure modes of electrical / electronic components
  SIMATIC S7 Distributed Safety: Safety-related data
  SIRIUS: Safety-related data
  Fault, diagnostics and failure (according to IEC 62061): Fault; Diagnostics; Failure
  Examples: Overview; Example 1: Zero fault tolerance without diagnostics; Example 2: Zero fault tolerance with diagnostics; Example 3: Single fault tolerance without diagnostics; Example 4: Single fault tolerance with diagnostics
  Category according to EN 954-1
Glossary
  Terms from IEC
  Abbreviations from IEC
  General abbreviations
Information Directory
History of the Document

Warranty, liability and support

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc. described in this Safety Functional Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). However, claims arising from a breach of a condition which goes to the root of the contract shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for injury of life, body or health. The above provisions do not imply a change in the burden of proof to your detriment.

Copyright 2007 Siemens A&D. It is not permissible to transfer or copy these Safety Functional Examples or excerpts of them without first having prior authorization from Siemens A&D in writing.

For questions about this document please use the following e-mail address: Online-support.automation@siemens.com

INTRODUCTION

1 Conventions in the Document

The chapter describes which conventions apply in the document. To use the document, it is important to know these conventions.

1.1 Terms and abbreviations from IEC

Terms from IEC

Numerous terms from IEC are used in the document. These terms have defined meanings and are uniquely defined in IEC. In the document, key terms from IEC are marked with the # character and defined in the glossary (chapter 28.1). The definition in the glossary is identical to the definition in IEC.

Example: #Safety-related control function (SRCF)

If an abbreviation exists for a term from IEC 62061, this abbreviation is added to the term (in the above example: SRCF). In the document, abbreviations are also used by themselves if it improves readability.

If you come across a term prefixed by # when reading the document, you know that the term is from IEC and that the definition of the term is listed in the glossary (chapter 28.1).

Abbreviated notation of terms

The notation of some terms from IEC is very long. To improve the readability of this document, an abbreviated notation is used for some terms.

Table 1-1

Notation in IEC | Abbreviated notation in the document
Safety-related electrical, electronic and programmable electronic control system (SRECS) | #Safety system (SRECS)
Probability of dangerous failure per hour (PFH_D) | #PFH_D value (PFH_D)
Functional safety plan | #Safety plan

Abbreviations from IEC

Abbreviations from IEC are used in the document. Examples: SRCF, SRECS, SIL, SILCL, PFH_D. For an overview of the abbreviations, please refer to the glossary (chapter 28.2).

General abbreviations

Generally valid abbreviations are also listed in the glossary (chapter 28.3). Examples: PLC, F-PLC

1.2 References in the document

References to documents and links to the internet are marked with (/x/). For an overview of all references and links, please refer to the information directory in the appendix.

1.3 Orientation in the document

The header of the document is useful for orientation in the document. This is illustrated by the figure below with a screenshot of the header. The first line of the header indicates the respective part of the document. The second line of the header indicates the corresponding chapter.

Figure 1-1 (screenshot of the document header)

2 Contents of the Document

The chapter describes the task and the structure of the document.

2.1 Task of the document

Reason for this document

Nowadays, fail-safe programmable logic controllers (F-PLC) simultaneously perform standard and #safety functions on a machine. Example: Monitoring a safety door.

Machines must be safe. Among other things, this means that the operator has to be protected against hazards caused by operational faults. An operational fault has, for example, occurred if a #safety function has not been performed correctly. Example: Failure of the monitoring of a safety door.

IEC describes requirements that have to be met to ensure functional safety. IEC is, for example, applied when #safety functions are performed on a machine by an F-PLC.

Objective of the document

This document uses a specific application example to illustrate the basic application of IEC. The following components are used in the application example:
- Fail-safe programmable logic controller (F-PLC): SIMATIC S7 Distributed Safety
- Sensors and actuators: SIRIUS

The objective of the document is to illustrate the most important aspects of IEC. Not all aspects of the IEC standard are considered in the document. The application example described in the document is used to illustrate the most important correlations and is thus not worked out in all details. The specific application of IEC requires that the original standard is used to ensure that all aspects are considered.

Benefit of the document

The document provides the reader with answers to the following questions:
- What are the fundamental principles of IEC 62061?
- How is IEC basically applied (the "main thread")?

Potential readers of the document

The document is aimed at persons who plan, realize or assess #safety functions on machines. These #safety functions are performed by a fail-safe programmable logic controller (F-PLC). This document does not address IEC experts, but users who want to familiarize themselves with the IEC standard.

2.2 Structure of the document

The document is divided into several parts. The structure is explained in the following table.

Table 2-1

Part | Chapter | Contents
INTRODUCTION | 3 to 4 | The first part of the document provides an introduction to the subject and a brief overview of IEC.
IEC BASICS | 5 to 10 | The second part of the document explains the most important terms and correlations of IEC.
APPLICATION | 11 to 26 | The third part of the document uses an application example to show step by step how IEC is basically applied.
APPENDIX | 27 to 29 | The fourth part of the document provides in-depth information, a glossary and an information directory.

3 Introduction

In the IEC environment, the following terms play an important role:
- Safety of machinery
- #Safety function, #safety system (SRECS)
- Functional safety of a #safety system (SRECS)

This chapter provides a brief explanation of these terms and shows where IEC is applied.

3.1 Safety of machinery

Machinery

Machinery means an assembly of linked parts or components, at least one of which moves, with actuators, control and power circuits. Machinery also means an assembly of machines in the sense of a linked system designed to achieve the same end. Safety components (e.g. position switches) for machines are also part of the machines. Safety components are required to realize #safety functions (e.g. monitoring a safety door). A failure or an operational fault of a #safety function endangers:
- The health of persons in the range of action of the machine
- The machine

Safety of a machine

A machine is safe if no hazards arise from it. Safety requires protection against the following hazards:
- Electric shock
- Heat and fire
- Hazardous radiation and emission
- Mechanical hazards
- Hazardous materials
- Operational faults

3.2 Functional safety of a #safety system (SRECS)

#Safety system (SRECS)

According to IEC 62061, a #safety system (SRECS) has the following properties:
- A #safety system (SRECS) is an electrical, electronic and programmable electronic control system.
- A #safety system (SRECS) performs #safety functions.

In manufacturing automation (e.g. machinery technology, conveyor systems), fail-safe programmable logic controllers (F-PLC) are increasingly used in #safety systems (SRECS).

Example of a #safety system (SRECS): A #safety system (SRECS) comprises all components required to perform #safety functions on a machine:
- Sensors
- F-PLC
- Actuators

An example of an F-PLC in a #safety system (SRECS) is SIMATIC S7 Distributed Safety, consisting of:
- Hardware: Fail-safe S7-CPUs, fail-safe input modules and fail-safe output modules
- Software: S7 Distributed Safety, for programming and configuring

Example of a #safety function: On a machine, a protective cover protects the operator against a rotating blade.

Figure 3-1

The #safety function is then, for example, defined as follows: The blade must not rotate when the protective cover is open.

Functional safety of a #safety system (SRECS)

Functional safety of a #safety system (SRECS) is ensured when the two following requirements are met:
- All #safety functions are performed correctly.
- When a fault occurs in the #safety system (SRECS), no dangerous state arises on the machine.

A #safety system (SRECS) thus has to perform the #safety functions correctly and react correctly when faults occur. The reaction to a fault does not necessarily have to cause a stop of the machine. A safe state can, for example, also be achieved when hazardous motions on the machine are decelerated.

Examples of faults in a #safety system (SRECS):
- Break of the actuator of a position switch
- Contacts of a contactor do not open

The IEC standard

The internationally valid IEC standard describes the protection against operational faults of a #safety system (SRECS). IEC describes which specific requirements have to be met to ensure the functional safety of a SRECS.

Overview of IEC

This chapter provides a brief overview of IEC.

Title and status

Title of IEC: Safety of machinery: Functional safety of safety-related electrical, electronic and programmable electronic control systems.

Title of the German version of IEC: Sicherheit von Maschinen: Funktionale Sicherheit sicherheitsbezogener elektrischer, elektronischer und programmierbarer elektronischer Steuerungssysteme.

Status of IEC

Table 4-1

Status of IEC | Date | Name
International standard | 2005 | IEC
European standard harmonized under the machinery directive | 2005 | EN

4.2 Characteristics

IEC will be briefly described below.

Field of application of IEC

The internationally valid IEC standard applies to machines which use a #safety system (SRECS) to perform #safety functions.

Users of IEC

The users of IEC plan, realize or review #safety functions on machines which are performed by a #safety system (SRECS). The users can be divided into:
- Machine manufacturers: Have requirements for #safety functions.
- Control integrators: Realize #safety functions with a SRECS.
- Safety experts: Inspect the safety of machinery.

Examples of safety experts:
- German Technical Inspectorate (TÜV)
- Center for Quality Engineering (see the note on page 2)
- BG-Institute for Occupational Safety and Health (BGIA)

Contents of IEC

IEC describes requirements for a #safety system (SRECS) for machines. Hazards caused by the SRECS itself (example: Electric shock) are not covered by the standard. The standard describes:
- An approach for the specification, the design and the validation of a #safety system (SRECS)
- The requirements for achieving the necessary performance

Both finished #subsystems and designed #subsystems are considered. The following table explains the terms finished #subsystem and designed #subsystem.

Table 4-2

#Subsystem | Property
Finished #subsystem | The IEC user (machine manufacturer, control integrator) purchases a finished #subsystem from a manufacturer and uses it in the #safety system (SRECS). IEC considers #subsystems that are certified according to EN or IEC. In general, the #subsystem design is complex. Examples: F-PLC, laser scanners.
Designed #subsystem | The #subsystem is designed by the IEC user (machine manufacturer, control integrator) and used in the #safety system (SRECS). In general, the #subsystem design is simple. Example: Combination of electromechanical components such as contactors or position switches.

Requirements of IEC

The requirements of IEC affect four different fields. Table 7-1 provides an overview of the requirements.

Objectives of IEC

If the IEC requirements are met by corresponding measures, the functional safety of the #safety system (SRECS) is ensured. This means that the risk of hazards caused by operational faults of the SRECS is minimized. When realizing a SRECS, the objective is to keep the probability of both systematic dangerous faults and random dangerous faults adequately low.

Properties of IEC

The standard describes a systematic procedure for the design and the integration of a #safety system (SRECS) for a machine. The standard deals with two fields:
- Organization / management (example: The standard requires the development of specifications)
- Engineering (example: The standard includes hardware requirements)

The standard is specific; it quantifies safety requirements:
- #Safety integrity level (SIL): level for specifying the #safety integrity requirements of a #safety-related control function (SRCF)
- #PFH_D value (PFH_D): probability of dangerous failure per hour

The standard considers the entire sequence: From the potential hazard on the machine and the #safety function required for risk reduction to the required #safety integrity level (SIL) of the #safety function.

The standard considers the complete #safety function: From the acquisition of information (sensor) and the evaluation of information (F-PLC) to the response with actions (actuator).

The standard considers the complete life cycle of a machine: Concept, realization, commissioning, operation, maintenance.

The standard is an application-specific standard: IEC (sector standard) is derived from the application-independent IEC standard (basic standard). IEC is thus based on the principles and the terminology of IEC.

Benefit

General benefit of IEC

The existence and the application of IEC provide the following benefits:
- The IEC standard is internationally valid. This means: The export of machines is facilitated. International standards in safety engineering are developed, and safety engineering becomes internationally comparable.
- IEC is an aid for users and testing agencies dealing with functional safety of #safety systems (SRECS). With the aid of the standard, the user reaches his/her target more quickly: From the safety requirement to the safety solution conforming to standards.
- The user can use finished #subsystems that are certified according to EN or IEC (table 4-2).
- The standard facilitates the assessment of an F-PLC (SIMATIC S7 Distributed Safety) with regard to functional safety.
- Using an F-PLC, intelligent safety solutions can be realized which minimize downtimes and increase productivity.
- A #safety system (SRECS) is considered to be functionally safe when the requirements of the standard are met.

Additional benefit of IEC in the European Union (EU)

In the EU, the presumption of conformity applies to EN, since EN is a harmonized standard (/2/).

Presumption of conformity

By complying with a harmonized standard, an automatic presumption of conformity ensues for the compliance with the corresponding directive. The user of a harmonized standard can trust in having complied with the safety objectives of the corresponding directive. For EN this specifically means: By applying EN 62061, the user may assume that he/she has complied with the safety objectives of the machinery directive.

Harmonized standard

Harmonized standards are published in the Official Journal of the European Union (/3/) and adopted as national standards without modifications. They are, among other things, used to comply with the protection objectives listed in the machinery directive.

Machinery directive

Machines which are put into circulation or operated in the EU have to comply with the machinery directive requirements. The machinery directive includes basic safety requirements for machines and for replaceable equipment and safety components. This also affects machines which are delivered to the EU from countries which are not part of the EU.

IEC basic standard

Title of IEC: Functional safety of electrical/electronic/programmable electronic safety-related systems.

Title of the German version of IEC: Funktionale Sicherheit sicherheitsbezogener elektrischer/elektronischer/programmierbarer elektronischer Systeme.

Basic standard and sector standard

IEC deals with the functional safety of safety-related E/E/PES. IEC is independent of the application of the safety-related E/E/PES. For this reason, IEC is referred to as the basic standard. Standards which are tailored to specific applications are derived from the IEC basic standard. These derived standards are referred to as sector standards.

Examples of sector standards of the IEC basic standard:
- IEC 61511: The standard is applied in the process industry.
- IEC 62061: The standard is applied in machines.

Advantages of a sector standard

The existence of a sector standard for machines has the following advantages for the user:
- The sector standard (IEC 62061) is a subset of the basic standard (IEC 61508) and thus less comprehensive and easier to apply.
- The sector standard considers the special conditions of machine building. This makes it possible to simplify complex basic standard requirements in the sector standard.
- Machine building terminology is used in the sector standard. This increases the comprehension for the user.
- The sector standard enables the user to achieve functional safety without knowing the basic standard. By applying the sector standard, the basic standard requirements are simultaneously met.

Comparison of IEC and IEC

The table below illustrates the differences.

Table 4-3

Criterion | IEC basic standard | IEC sector standard
Title | Functional safety of electrical/electronic/programmable electronic safety-related systems. | Safety of machinery: Functional safety of safety-related electrical, electronic and programmable electronic control systems.
Terminology, principles | Identical for both standards | Identical for both standards
Field of application | All applications in which an E/E/PES is used for safety tasks. Examples: Turbine control systems, medical equipment, fairground rides | Machines in which a SRECS is used to perform #safety functions. Example: Monitoring and securing protection zones on a machine
Users | Manufacturers of safety engineering: Safety-related E/E/PES (example: F-PLC); components of a safety-related E/E/PES (example: Laser scanners). Developers of sector standards | Machine manufacturers, control integrators, safety experts
International standard since | |

SIMATIC S7 Distributed Safety

The SIMATIC S7 Distributed Safety F-PLC is certified as a safety-related programmable system according to IEC. The system is thus suitable for use in fail-safe applications. The certification provides the SIMATIC S7 Distributed Safety user with the following advantages:
- When the SIMATIC S7 Distributed Safety configuration guidelines are observed, IEC is automatically complied with.
- If an acceptance of the machine is required according to IEC 62061, the acceptance authorities only have to evaluate the correct use and the compliance with the SIMATIC S7 Distributed Safety configuration guidelines.

IEC BASICS

5 #Safety-Related Control Function (SRCF)

5.1 #Safety function and SRCF

Delimitation of #safety function and SRCF

To simplify matters, so far only the term #safety function has been used in the document. However, the IEC standard considers #safety-related control functions (SRCFs). The correlation is described below:
- The necessity to minimize the risk with the aid of #safety functions results from the risk analysis for the machine.
- To realize #safety functions, a #safety system (SRECS) can be used on the machine.
- The #safety system (SRECS) then performs #safety-related control functions (SRCFs) to realize the #safety functions.

Example to illustrate the difference: The #safety function for the machine is to be: The blade must not rotate when the protective cover is open. To realize the #safety function, a #safety system (SRECS) is used. The SRECS consists of sensors, actuators and a fail-safe programmable logic controller (F-PLC). The #safety system (SRECS) performs a #safety-related control function (SRCF) to realize this #safety function. The designation of the SRCF is then, for example, defined as follows: Stop of the rotating blade.

The #safety-related control function (SRCF) consists of:
- Detecting the position of the protective cover via sensor
- Evaluating the information in the F-PLC
- Reacting by switching off the motor via actuator

5.2 Properties of a SRCF

Task of a SRCF

#Safety-related control functions (SRCFs) are performed by a #safety system (SRECS). The task of a SRCF is to prevent dangerous states on a machine. A SRCF has to meet requirements with regard to functionality and #safety integrity.

Functionality of a SRCF

The required functionality of a #safety-related control function (SRCF) is derived from the risk analysis (chapter 14). In general, a SRCF consists of the following #function blocks:
- Acquiring information
- Evaluating information
- Responding with actions

The figure shows a SRCF divided into its #function blocks:

Figure 5-1

#Safety integrity of a SRCF

#Safety-related control functions (SRCFs) must operate reliably. The higher the risk of a hazard arising from an operational fault of a SRCF, the higher the reliability requirements of this SRCF. This reliability is referred to as #safety integrity. The #safety integrity level (SIL) (chapter 7) is the measure for the #safety integrity of a SRCF.

6 #Safety System (SRECS)

Properties of a SRECS

A #safety system (SRECS) is an electrical control system on a machine whose failure may cause a reduction or loss of safety. The failure of a SRECS may cause a dangerous state on the machine. A SRECS comprises all electrical parts required for performing #safety-related control functions (SRCFs):
- Sensors, F-PLC, actuators
- Power and control circuits

Task of a SRECS

A #safety system (SRECS) performs #safety-related control functions (SRCFs). The SRECS has to meet the following requirements:
- Correct performance of the SRCFs
- Reaction to faults in the SRECS

If faults occur in the SRECS which no longer allow a correct performance of a SRCF (loss of the SRCF), the SRECS has to behave in such a way that no dangerous state occurs on the machine. In the event of a fault, the SRECS must thus behave in such a way that the #safety function is still performed.

Architecture of a SRECS

A #safety system (SRECS) has the following properties:
- It performs #safety-related control functions (SRCFs).
- It consists of #subsystems.

A #subsystem has the following properties:
- A #subsystem executes a #function block of a SRCF.
- The failure of a #subsystem causes a loss of the SRCFs that use this #subsystem.
- A #subsystem consists of one or several #subsystem elements.

Below, two examples are used to illustrate the architecture of a #safety system (SRECS):

Example: SRECS with one single SRCF
The figure shows a safety system (SRECS) with the following properties:
- The SRECS performs one single SRCF.
- The SRECS consists of three subsystems.
- Subsystem 1 consists of two subsystem elements.
Figure 6-1
Examples of subsystems:
- Combination of sensors
- Combination of actuators
- Fail-safe programmable logic controller (F-PLC)
Examples of subsystem elements:
- Position switch
- Contactor

Example: SRECS with two SRCFs
The figure shows a safety system (SRECS) with the following properties:
- The SRECS performs two SRCFs.
- The SRECS consists of five subsystems.
- Subsystem 3 is used by both SRCFs.
Figure 6-2

7 Safety Integrity Level (SIL)

7.1 Meaning of SIL
The safety integrity level (SIL) is a measure for specifying the requirements for the safety integrity of a safety-related control function (SRCF). In IEC 62061, three discrete levels are used as a measure for the SIL: SIL 1, SIL 2 and SIL 3. The higher the requirements for the safety integrity of a SRCF, the higher the SIL required for the SRCF. SIL 3 has the highest requirements for the reliability of the SRCF: this level has the highest probability that the safety system (SRECS) performs the correct function when it is required. The SRCF must comply with the SIL requirements, and consequently the safety system (SRECS) and its subsystems also have to meet these requirements.

7.2 SIL determination
First, the risk analysis (chapter 14) determines whether safety-related control functions (SRCFs) for risk reduction are required on the machine. The necessary safety integrity level (SIL) for each SRCF is then determined in the risk assessment (chapter 15). The higher the required risk reduction, the more reliable the performance of the SRCF must be, and the higher the required SIL for the SRCF.

7.3 Achieving the required SIL
To achieve the required safety integrity level (SIL) for a safety-related control function (SRCF), the safety system (SRECS) and its subsystems have to meet the requirements described in IEC. In general, a higher SRCF reliability (higher SIL) also requires more technical extra work when realizing the safety system (SRECS). The table below provides an overview of the IEC requirements for a SRECS and its subsystems.

Table 7-1 IEC requirements
- Requirements for the safety integrity of the hardware, consisting of:
  - Architectural constraint: Properties of the structure of the safety system (SRECS)
  - PFH_D value (PFH_D): Probability of dangerous failure per hour
- Requirements for the systematic safety integrity, consisting of:
  - Avoidance of systematic faults
  - Control of systematic faults
- Requirements for the safety system (SRECS) behavior when detecting a dangerous fault: Fault detection (diagnostics) and fault reaction
- Requirements for the design and development of safety-related application software

The following table provides a brief explanation of the IEC core requirements. Details are available in the mentioned chapters.

Table 7-2
Requirement | Explanation | Grading according to SIL? | Details
Architectural constraint | The structure (architecture) of the subsystems must be suitable for the required SIL. The structure of a subsystem is described by the SIL claim limit (SILCL). Examples of different structures: subsystem with/without redundancy or with/without diagnostics. | Clear | Chapter 8
PFH_D value (PFH_D) | The probability of a dangerous SRECS failure per hour when performing the SRCF must not exceed a specific limit value. This limit value is defined by the required SIL. | Clear | Chapter 9
Systematic safety integrity | Measures for the avoidance and control of systematic faults have to be taken. Examples of systematic faults: errors in the specification of the SRCF; errors when designing hardware or application software. | Slight | Chapter 10
Fault detection (diagnostics) and fault reaction | --- | None | ---
Safety-related application software | --- | None | ---

8 Architectural Constraint

8.1 Meaning of SIL claim limit (SILCL)
Starting point of the SIL claim limit (SILCL) considerations: A safety-related control function (SRCF) must comply with a required safety integrity level (SIL):
- A SRCF is performed by a safety system (SRECS). The SRECS must be suitable for this SIL.
- The SRECS subsystems must be suitable for this SIL.
Now the SIL claim limit (SILCL) comes into play:
- The SILCL is a property of a subsystem.
- The SILCL indicates the maximum SIL for which a subsystem is suitable.
If a subsystem has a specific SIL claim limit (SILCL), this means:
- The subsystem has a defined systematic safety integrity.
- The subsystem has a defined architectural constraint.
The correlations are explained in the following table:

Table 8-1
Defined with the SILCL | Meaning | Grading according to SIL? | Details
Systematic safety integrity | Avoidance and control of systematic faults. | Slight | Chapter 10
Architectural constraint | Subsystem structure (architecture): hardware fault tolerance (HFT), safe failure fraction (SFF) | Clear | Chapter 8.4

Example: The statement "the subsystem has SILCL 2" describes the following properties:
- The subsystem meets all IEC requirements for systematic safety integrity.
- The structure of the subsystem is suitable for at most SIL 2.

8.2 Requirement view and solution view of the SILCL
Two views are used to explain the meaning of the SIL claim limit (SILCL):
- Requirement view
- Solution view

Requirement view
All subsystems involved in the performance of a safety-related control function (SRCF) must have a SIL claim limit (SILCL) which is at least equal to the required safety integrity level (SIL) of this SRCF.
Example
The following applies to the example shown in the figure: SIL 2 of the SRCF requires that all subsystems have at least SILCL 2.
Figure 8-1

Solution view
The maximum safety integrity level (SIL) that can be achieved for a safety-related control function (SRCF) corresponds to the smallest SIL claim limit (SILCL) of all subsystems involved in the performance of the SRCF.
Example
The following applies to the example shown in the figure: Due to subsystem 1, the SIL that can be achieved for the SRCF is limited to at most SIL 2.
Figure

Factors of influence on the SILCL
From the structure (architecture) of a subsystem, the following characteristics ensue for this subsystem:
- Hardware fault tolerance (HFT)
- Safe failure fraction (SFF)
The SIL claim limit (SILCL) of the subsystem is determined from the two characteristics HFT and SFF.
Note: A central explanation of the terms fault and failure is given in chapter

Hardware fault tolerance (HFT)

Description
The hardware fault tolerance (HFT) expresses the fault tolerance of a subsystem. Fault tolerance is the ability of a subsystem to continue to perform a required function even after faults have occurred.

Determination
To determine the HFT, the hardware configuration of the subsystem is considered. The HFT of a subsystem expresses the tolerance of a subsystem to faults in the hardware:
- A subsystem with an HFT of N only fails after (N+1) faults have occurred.
- A failure of a subsystem causes the loss of all SRCFs using this subsystem.
- When determining the HFT, other measures which could control the effects of faults are not considered (example: diagnostic devices).
In general, subsystems with fault tolerance are of redundant design. The following table and the following examples illustrate the correlations.

Table 8-2
HFT of the subsystem | Redundancy of the subsystem | Number of faults in the subsystem which cause the loss of the SRCF
0 | No redundancy | 1 fault
1 | 1-fold redundancy | 2 faults
2 | 2-fold redundancy | 3 faults
N | N-fold redundancy | (N+1) faults

Example of a subsystem with HFT = 0 (subsystem without fault tolerance)
The subsystem consists of one single subsystem element: 1 contactor for switching off a motor.
A fault in the subsystem (contactor does not open) has the following effect:
- 1 fault in the subsystem
- Failure of the subsystem (the subsystem can no longer perform its function)
- Loss of all SRCFs using this subsystem (the SRCFs are no longer performed because the subsystem no longer fulfills its function)

Example of a subsystem with HFT = 1 (subsystem with fault tolerance)
The subsystem consists of two subsystem elements: 2 contactors in series for switching off a motor.
A fault in the subsystem (1 contactor does not open) has the following effect:
- 1 fault in the subsystem
- No failure of the subsystem
- No loss of a SRCF

Safe failure fraction (SFF)

Description
Failures are caused by random faults in the hardware of the safety system (SRECS) or its subsystems. The failure of a subsystem causes a loss of the safety-related control functions (SRCFs) which use this subsystem. Failures of a subsystem can be safe or dangerous, depending on the effect on the machine. The following table illustrates the differences.

Table 8-3
Failure mode of a subsystem | Safe failure | Dangerous failure
Effect on SRCF | Loss of the SRCF | Loss of the SRCF
Effect on state on machine / safety function | The failure does not cause a dangerous state. The safety function does not fail. | The failure may cause a dangerous state. The safety function may fail.

In the event of a safe failure, the safety function remains. This is achieved by the following measures: fault detection (diagnostics) and corresponding fault reaction.
The safe failure fraction (SFF) describes the fraction of safe failures of a subsystem in the overall failure rate of the subsystem.

To determine the SFF, an analysis of the subsystem has to be performed. In the analysis, the following is determined:
- All faults that can actually occur
- The failure modes and their fractions
- The rate (probability) of each failure mode
Depending on the complexity of the subsystem, the method for the analysis of the subsystem differs:

Table 8-4 SFF determination
Subsystem | Method
Complex subsystem | Examples of methods: fault tree analysis, failure mode analysis, effects analysis
Simple subsystem (subsystem with electromechanical components such as contactor or position switch) | Simpler methods can be used here. The failure modes to be considered are, for example, listed in Annex D of IEC (chapter 27.3).

Table 8-5 Short description of SFF
Symbol | SFF
Designation | Safe failure fraction
Meaning | SFF indicates for a subsystem how many percent of all failures are safe failures. Safe failures do not cause a dangerous state on the machine. SFF refers to the subsystem. For subsystems with several identical subsystem elements, it is sufficient to consider one subsystem element by itself.
Definition | See tables below.
Example | SFF = 0.9. Meaning: 90% of all failures are safe failures and do not cause a dangerous state on the machine. 10% of all failures may cause a dangerous state on the machine.

Table 8-6 Calculation of SFF
Formula | Dimension
SFF = (λ_total - λ_DUtotal) / λ_total | Dimensionless. The SFF is also indicated as a percentage. This requires that the result is converted: 0.x -> 0.x * 100%. Example: 0.1 -> 10%

Table 8-7 Explanations of the SFF formula
λ_total = Σλ_S + Σλ_D | Designation: Rate of all failures of the subsystem (overall failure rate of the subsystem) | Meaning: ---
λ_DUtotal = Σλ_DU | Designation: Rate of all dangerous failures not detected by diagnostics | Meaning: These failures may cause a dangerous state on the machine.
λ_D = λ_DD + λ_DU | Designation: Dangerous failure rate | Meaning: These failures may cause a dangerous state on the machine.

Table 8-8 Parameters for calculating the SFF
λ_DU | Designation: Dangerous failure rate not detected by diagnostics | Meaning: These failures may cause a dangerous state on the machine.
λ_DD | Designation: Dangerous failure rate detected by diagnostics | Meaning: These failures may cause a dangerous state on the machine.
λ_S | Designation: Safe failure rate | Meaning: These failures do not cause a dangerous state on the machine.
The following statements apply to all parameters listed above:
Definition | The definition requires that the different failure modes and their fractions are known. The following sources can be used: manufacturer documentation; IEC 62061, Annex D (chapter 27.3)
Calculation | Principle: See chapter
Dimension | 1 / h (per hour)

8.4 Options for determining the SILCL
There are different options for determining the SIL claim limit (SILCL) of a subsystem. In the following, a differentiation is made between:
- Finished subsystem
- Designed subsystem

Finished subsystem
In this case, the IEC user (machine manufacturer, control integrator) purchases the finished subsystem from the manufacturer (table 4-2). When purchasing a finished subsystem, the user is generally provided with manufacturer documentation from which he/she can derive the SIL claim limit (SILCL).

Table 8-9
Manufacturer information on the subsystem | SILCL determination | Details
SILCL | The SILCL is directly applied. | ---
Category according to EN (chapter 27.7) | The SILCL is determined using a table from IEC. | Details in chapter
HFT, SFF | The SILCL is determined using a table from IEC. | Details in chapter

Designed subsystem
In this case, the IEC user (machine manufacturer, control integrator) assembles his/her subsystem from subsystem elements (table 4-2). A designed subsystem requires that the user determines the SIL claim limit (SILCL) of his/her subsystem. Chapter 8.7 describes the basic calculation.

8.5 Finished subsystem: SILCL determination from the category
If the manufacturer provides a category according to EN for the subsystem, the subsystem's SIL claim limit (SILCL) can be derived from this information. To do this, the following table (IEC 62061, table 6) is used.

Table 8-10
Subsystem category | HFT | SFF | SILCL
(Assumption: subsystems with category x have the listed HFT and SFF properties.)
1 | 0 | < 60% | SILCL 1
2 | 0 | 60% to 90% | SILCL 1
3 | 1 | < 60% | SILCL 1
3 | 1 | 60% to 90% | SILCL 2
4 | > 1 | 60% to 90% | SILCL 3
4 | 1 | > 90% | SILCL 3

Application of the above table:
Table 8-11
Data | Remark
Input data of the table: Category | Information of the manufacturer
Output data of the table: SILCL | SIL claim limit (SILCL)

Explanations of the above table:
Table 8-12
For the determination of: | See chapter:
Hardware fault tolerance (HFT) |
Safe failure fraction (SFF) |

Finished subsystem: SILCL determination from HFT and SFF
If the manufacturer provides the characteristics hardware fault tolerance (HFT) and safe failure fraction (SFF) for the subsystem, the subsystem's SIL claim limit (SILCL) can be derived from this information. To do this, table 8-13 (IEC 62061, table 5, modified) is used.

8.7 Designed subsystem: SILCL determination from HFT and SFF
When designing a subsystem from subsystem elements, proceed as follows to determine the SIL claim limit (SILCL):
- HFT determination: See chapter
- SFF determination: See chapter
- Derivation of SILCL from HFT and SFF: See below.
The SIL claim limit (SILCL) of the subsystem can be derived from the hardware fault tolerance (HFT) and the safe failure fraction (SFF). To do this, the following table (IEC 62061, table 5, modified) is used.

Table 8-13
SFF | HFT 0 | HFT 1 | HFT 2
< 60% | Not allowed | SILCL 1 | SILCL 2
60% to < 90% | SILCL 1 | SILCL 2 | SILCL 3
90% to < 99% | SILCL 2 | SILCL 3 | SILCL 3
>= 99% | SILCL 3 | SILCL 3 | SILCL 3

Application of the above table:
Table 8-14
Data | Remark
Input data of the table: HFT | Hardware fault tolerance (HFT)
Input data of the table: SFF | Safe failure fraction (SFF)
Output data of the table: SILCL | SIL claim limit (SILCL)

The above table indicates that there are different combinations of SFF and HFT for a specific SILCL value. A specific SILCL can thus be achieved with different structures of a subsystem.

Examples
Example 1: A subsystem without redundancy (HFT = 0) must have a high SFF (SFF >= 99%) to achieve SILCL 3.
Example 2: For a subsystem with high redundancy (HFT = 2), a smaller SFF (SFF = 60%) is sufficient to achieve SILCL 3.
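As an added worked example that is not code from the Functional Example, the following Python carries the SFF formula of table 8-6, the SILCL lookup of table 8-13 and the solution view of chapter 8.2 through on constructed failure rates; the function names and the sample rates are my own assumptions.

```python
# Added example (not part of the Siemens Functional Example): SFF from the
# failure rates of tables 8-6/8-7, SILCL from HFT and SFF per table 8-13, and
# the achievable SIL of a SRCF per the solution view of chapter 8.2.
# All failure-rate figures used below are constructed sample values.
from typing import Iterable, Optional

# Table 8-13 (IEC 62061 table 5, modified): one entry per SFF band, columns HFT 0, 1, 2.
# None stands for "Not allowed".
_SILCL_TABLE = [
    (0.99, (3, 3, 3)),     # SFF >= 99 %
    (0.90, (2, 3, 3)),     # 90 % to < 99 %
    (0.60, (1, 2, 3)),     # 60 % to < 90 %
    (0.00, (None, 1, 2)),  # < 60 %
]


def safe_failure_fraction(lambda_s: Iterable[float],
                          lambda_dd: Iterable[float],
                          lambda_du: Iterable[float]) -> float:
    """Table 8-6: SFF = (lambda_total - lambda_DUtotal) / lambda_total.

    lambda_total = sum(lambda_S) + sum(lambda_D) with lambda_D = lambda_DD + lambda_DU
    (table 8-7). All rates in 1/h; the result is dimensionless.
    """
    s, dd, du = sum(lambda_s), sum(lambda_dd), sum(lambda_du)
    total = s + dd + du
    if min(s, dd, du) < 0 or total <= 0.0:
        raise ValueError("failure rates must be non-negative with a positive sum")
    # Only undetected dangerous failures reduce the SFF: detected dangerous
    # failures (lambda_DD) are covered by the fault reaction, safe ones are harmless.
    return (total - du) / total


def silcl_from_hft_sff(hft: int, sff: float) -> Optional[int]:
    """Table 8-13: SIL claim limit of a subsystem, or None for 'Not allowed'.

    The table covers HFT 0, 1 and 2 only; other values are rejected.
    """
    if hft not in (0, 1, 2):
        raise ValueError("table 8-13 covers HFT 0, 1 and 2 only")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF is a fraction between 0 and 1")
    for lower_bound, row in _SILCL_TABLE:
        if sff >= lower_bound:
            return row[hft]
    raise AssertionError("unreachable: the lowest band starts at 0")


def achievable_sil(subsystem_silcls: Iterable[int]) -> int:
    """Chapter 8.2, solution view: the SIL achievable for a SRCF is the
    smallest SILCL of all subsystems involved in performing it."""
    silcls = list(subsystem_silcls)
    if not silcls:
        raise ValueError("a SRCF is performed by at least one subsystem")
    return min(silcls)


if __name__ == "__main__":
    # Constructed sample: an actuator subsystem (contactors) with
    # lambda_S = 6e-8/h, lambda_DD = 2e-8/h, lambda_DU = 2e-8/h -> SFF = 80 %.
    sff = safe_failure_fraction([6e-8], [2e-8], [2e-8])
    single = silcl_from_hft_sff(0, sff)      # one contactor (HFT 0): SILCL 1
    redundant = silcl_from_hft_sff(1, sff)   # two contactors in series (HFT 1): SILCL 2
    print(f"SFF = {sff:.0%}, SILCL(HFT 0) = {single}, SILCL(HFT 1) = {redundant}")
    # Sensor subsystem SILCL 3, F-PLC SILCL 3, redundant actuator: SRCF limited to SIL 2
    print("achievable SIL of the SRCF:", achievable_sil([3, 3, redundant]))
```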

9 PFH_D Value (PFH_D)

9.1 Meaning of PFH_D
Failures of safety devices on a machine may give rise to hazards. The occurrence of such dangerous failures is more or less probable. A measure for this occurrence is the PFH_D value (PFH_D). PFH_D is generally defined as: probability of dangerous failure per hour. The PFH_D value (PFH_D) is applied to:
- Safety-related control functions (SRCFs)
- Subsystems of a safety system (SRECS)
The correlations are explained in the following table.

Table 9-1
PFH_D value (PFH_D) | Explanation
PFH_D of a SRCF | A SRCF can fail. Failure of a SRCF means that the SRCF no longer performs its function. PFH_D is a measure for the probability of failure of a SRCF.
PFH_D of a subsystem | A subsystem can fail. Failure of a subsystem means that the subsystem no longer performs its function. The failure of a subsystem means the failure of all SRCFs using this subsystem. PFH_D is a measure for the probability of failure of a subsystem.

9.2 Correlation: SIL and PFH_D of a SRCF
In the risk assessment (chapter 15), one safety integrity level (SIL) is defined for each safety-related control function (SRCF) which has to be met by the SRCF. Limit values for the maximum permissible PFH_D value (PFH_D) are assigned to each SIL.
- The requirements for the reliability of the SRCF increase with an increasing SIL, which is reflected in a smaller maximum permissible PFH_D value (PFH_D).
- The requirements for the reliability of the SRCF decrease with a decreasing SIL, which is reflected in a larger maximum permissible PFH_D value (PFH_D).
The table below (IEC 62061, table 3) shows the correlation between safety integrity level (SIL) and PFH_D value (PFH_D) of a safety-related control function (SRCF).

Table 9-2
Safety integrity level (SIL) | PFH_D value
SIL 3 | PFH_D < 10^-7
SIL 2 | PFH_D < 10^-6
SIL 1 | PFH_D < 10^-5

9.3 Calculating the PFH_D of a SRCF
A safety-related control function (SRCF) is performed by subsystems of a safety system (SRECS). The PFH_D value (PFH_D) of a SRCF is calculated from:
- the sum of the PFH_D of the involved subsystems, and
- the probability of dangerous transmission errors for digital communication processes (example: the F-PLC communicates with the sensors and actuators via PROFIBUS DP).
The figure below illustrates the principle.
Figure 9-1
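The PFH_D sum of this chapter, checked against the SIL limits of table 9-2, as an added Python example that is not part of the Functional Example; the PFH_D figures are constructed and the function names are my own assumptions.

```python
# Added example (not part of the Siemens Functional Example): PFH_D of a SRCF
# as the sum over its subsystems plus the dangerous transmission error
# probability (chapter 9.3), compared with the SIL limits of table 9-2.
# All PFH_D figures below are constructed sample values, not product data.
from typing import Iterable, Optional

# Table 9-2: a SRCF meets a SIL when its PFH_D (1/h) is below the listed limit.
_PFHD_LIMITS = {3: 1e-7, 2: 1e-6, 1: 1e-5}


def pfhd_of_srcf(subsystem_pfhd: Iterable[float], transmission_pfhd: float = 0.0) -> float:
    """Chapter 9.3: PFH_D(SRCF) = sum of the PFH_D of the involved subsystems
    + probability of dangerous transmission errors of the digital communication
    (e.g. F-PLC to sensors and actuators via PROFIBUS DP)."""
    values = list(subsystem_pfhd)
    if not values or any(v < 0 for v in values) or transmission_pfhd < 0:
        raise ValueError("PFH_D values must be non-negative, at least one subsystem")
    return sum(values) + transmission_pfhd


def sil_from_pfhd(pfhd: float) -> Optional[int]:
    """Highest SIL whose table 9-2 limit the PFH_D stays below, or None when
    even the SIL 1 limit of 10^-5 /h is reached."""
    if pfhd < 0:
        raise ValueError("PFH_D must be non-negative")
    for sil in (3, 2, 1):  # most demanding level first
        if pfhd < _PFHD_LIMITS[sil]:
            return sil
    return None


def meets_required_sil(pfhd: float, required_sil: int) -> bool:
    """PFH_D requirement of table 7-2: the SRCF must not exceed the limit value
    assigned to its required SIL."""
    if required_sil not in _PFHD_LIMITS:
        raise ValueError("IEC 62061 defines SIL 1 to SIL 3")
    return pfhd < _PFHD_LIMITS[required_sil]


if __name__ == "__main__":
    # Constructed sample: sensor subsystem, F-PLC, actuator subsystem, PROFIBUS DP.
    subsystems = [1.5e-8, 2e-9, 3e-8]
    total = pfhd_of_srcf(subsystems, transmission_pfhd=1e-9)   # 4.8e-8 /h
    print(f"PFH_D(SRCF) = {total:.2e} /h -> SIL {sil_from_pfhd(total)}")
    # Replacing the actuator subsystem by a less reliable one pushes the SRCF to SIL 2.
    worse = pfhd_of_srcf([1.5e-8, 2e-9, 2e-7], transmission_pfhd=1e-9)
    print(f"PFH_D(SRCF) = {worse:.2e} /h -> SIL {sil_from_pfhd(worse)}, "
          f"meets SIL 3: {meets_required_sil(worse, 3)}")
```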

9.4 Options for determining the PFH_D of a subsystem
There are different options for determining the PFH_D value (PFH_D) of a subsystem. In the following, a differentiation is made between:
- Finished subsystem
- Designed subsystem

Finished subsystem
In this case, the IEC user (machine manufacturer, control integrator) purchases the finished subsystem from the manufacturer (table 4-2). When purchasing a finished subsystem, the user is generally provided with manufacturer documentation from which he/she can derive the PFH_D.

Table 9-3
Manufacturer information on the subsystem | PFH_D determination | Details
PFH_D | The PFH_D is directly applied. | ---
Category according to EN (chapter 27.7) | The PFH_D is determined using table 7 from IEC. | Details in chapter

Designed subsystem
In this case, the IEC user (machine manufacturer, control integrator) assembles his/her subsystem from subsystem elements (table 4-2). A designed subsystem requires that the user determines the PFH_D of his/her subsystem. Chapter 9.6 describes the basic calculation.

9.5 Finished subsystem: PFH_D determination from the category
If the manufacturer provides a category for the subsystem, the subsystem's PFH_D value (PFH_D) can be derived from this information. To do this, the following table (IEC 62061, table 7) is used.

Table 9-4
Subsystem category | HFT | DC | PFH_D
(Assumption: subsystems with category x have the listed HFT and DC properties.)
1 | 0 | 0% | To be provided by manufacturer or use generic data (IEC 62061, Annex D)
2 | 0 | 60% to 90% | To be provided by manufacturer or use generic data (IEC 62061, Annex D)
3 | 1 | 60% to 90% | 2 * 10^-7
4 | > 1 | 60% to 90% | 3 * 10^-8
4 | 1 | > 90% | 3 * 10^-8

Application of the above table:
Table 9-5
Data | Remark
Input data of the table: Category | Information of the manufacturer
Output data of the table: PFH_D | PFH_D value (PFH_D)

Explanations of the above table:
Table 9-6
For the determination of: | See chapter:
Hardware fault tolerance (HFT) |
Diagnostic coverage (DC) |

9.6 Designed subsystem: PFH_D calculation

Basic subsystem architectures
For four architectures of simple subsystems, IEC (chapter ) provides ready-made formulae for calculating the PFH_D value (PFH_D). In practical operation, almost every simple subsystem can be covered by the IEC basic subsystem architectures.

Characteristics of the basic subsystem architectures
The table provides an overview of the basic subsystem architectures.

Table 9-7
Basic subsystem architecture | Hardware fault tolerance (HFT) | Diagnostic function | Number of subsystem elements | Characteristic (*1) | Characteristic (*2) | Characteristic (*3)
A | 0 | No | 1 to n | x | |
C | 0 | Yes | 1 to n | x | x |
B | 1 | No | 2 | | | x
D | 1 | Yes | 2 | | x | x

Description of the characteristics:
Table 9-8
(*1) The failure of one single subsystem element causes the failure of the subsystem and thus the loss of the SRCF.
(*2) The diagnostic function detects the failure of a subsystem element and initiates a fault reaction.
(*3) The failure of one single subsystem element does not cause the failure of the subsystem and thus not the loss of the SRCF.

Principle of the basic subsystem architectures
The figure below shows the four basic subsystem architectures.
Figure 9-2
IEC (chapter ) gives the formula for calculating the PFH_D value (PFH_D) for each basic subsystem architecture. The following parameters are included in these formulae:

Table 9-9
Parameter | Basic subsystem architecture | Designation
λ_De1 to λ_Den | All | Dangerous failure rate of subsystem element 1 to n
CCF factor (β) | B and D | Susceptibility to common cause failures
DC_1 to DC_n | C and D | Diagnostic coverage (DC) of subsystem element 1 to n
T1 | B and D | The smaller value of proof test interval or lifetime
T2 | D | Diagnostic test interval

The parameters are explained in chapter 9.7. In the application example, the formula for D is applied as an example (chapters 20.3 and 22.3).

Examples of the basic subsystem architectures
Examples of the basic subsystem architectures are shown for clarification. The examples apply to the following boundary conditions:
- The subsystem has the function: switch off motor.
- The subsystem consists of one or two subsystem elements.
- The subsystem element is a contactor.
- Diagnostics of the contactor are performed by evaluating the contactor's readback signals.

Table 9-10
Basic subsystem architecture | Example
A | Contactor
C | Contactor with evaluation of the readback signals
B | Two contactors in series
D | Two contactors in series, with evaluation of the readback signals

9.7 Influence on the PFH_D of a subsystem
Depending on the present basic subsystem architecture, different formulae are used to calculate the PFH_D value (PFH_D) of a subsystem. The following parameters are included in the formulae:
- Dangerous failure rate of a subsystem element (λ_De1 to λ_Den)
- CCF factor (β)
- Diagnostic coverage (DC) and diagnostic test interval
- Lifetime and proof test interval (T1)
These parameters are described in the following.

Dangerous failure rate of a subsystem element (λ_De)
The following considerations apply to electromechanical subsystem elements (examples: contactor, position switch). A subsystem of a safety system (SRECS) can consist of one or several subsystem elements. The subsystem elements can be identical or different. The dangerous failure rate λ_De is calculated for each subsystem element. This value is then included in the formula for calculating the PFH_D value (PFH_D) of a subsystem. The calculation is performed in two steps:

Table 9-11
Step | Calculation
1 | Failure rate of subsystem element λ
2 | Dangerous failure rate of subsystem element λ_De

The figure below shows the calculation principle.
Figure 9-3

1st step: Failure rate of subsystem element λ

Table 9-12 Short description of λ
Symbol | λ
Designation | Failure rate of a subsystem element
Meaning | Number of subsystem element failures per hour
Definition | See tables below.
Example | λ = 10^-8 / h. Meaning: one failure in 10^8 hours.

Table 9-13 Calculation of λ
Formula | Dimension
λ = 0.1 * C / B10 | 1 / h (per hour)

Table 9-14 Parameters of λ
B10 | Designation: B10 value of the subsystem element | Meaning: B10 is the number of switching cycles after which 10% of the test objects have failed. | Definition: Subsystem element manufacturer | Dimension: Dimensionless
C | Designation: - | Meaning: Number of subsystem element operations per hour | Definition: Specification of the safety-related control function (SRCF) | Dimension: 1 / h (per hour)

2nd step: Dangerous failure rate of subsystem element λ_De

Table 9-15 Short description of λ_De
Symbol | λ_De
Designation | Dangerous failure rate of the subsystem element
Meaning | Number of dangerous subsystem element failures per hour
Definition | See tables below.
Example | λ_De = 10^-9 / h. Meaning: one dangerous failure in 10^9 hours.

Table 9-16 Calculation of λ_De
Formula | Dimension
λ_De = (dangerous failure fraction) * λ | 1 / h (per hour)

Table 9-17 Parameters of λ_De
Dangerous failure fraction | Designation: - | Meaning: Dangerous failure fraction of the subsystem element in all subsystem element failures. | Definition: The definition requires that the different fault types and their fractions are known. The following sources can be used: manufacturer documentation; IEC 62061, Annex D (chapter 27.3) | Dimension: Dimensionless. The dangerous failure fraction is normally indicated as a percentage. The value has to be converted for the formula: x% -> x% / 100%. Example: 10% -> 0.1
λ | See table 9-13: Calculation of failure rate λ.

CCF factor (β)

Description
Several subsystem elements (example: two position switches for the detection of the same position) are used in redundant subsystems (chapter 8.3.1). A failure of one single subsystem element does not yet cause the loss of the safety-related control function (SRCF). Redundant subsystems require that the probability of common cause failures, which can cause a simultaneous failure of the redundant components, is taken into account. A measure for this is the CCF factor (β).

Examples
Two redundant subsystem elements can fail simultaneously when the following faults have occurred:
- Unplanned departure from the permissible operating conditions of both redundant components (example: fan failure).
- Unplanned electromagnetic interference affecting both redundant components in equal measure.
- Faulty batch affecting both redundant components.
The table below provides an overview of the CCF factor (β).

Table 9-18 Short description of the CCF factor
Symbol | β
Designation | Susceptibility of the subsystem to common cause failures
Meaning | Measure for the susceptibility of a subsystem with redundant design to common cause failures.
Definition | Consideration of the redundant subsystem. Annex F of IEC provides support.
Dimension | Dimensionless. The CCF factor is normally indicated as a percentage. The value has to be converted for the formula: x% -> x% / 100%. Example: 10% -> 0.1

Calculation
IEC (Annex F) describes a method to determine the CCF factor (chapter 27.2). If no special measures are taken, a CCF factor of 10% (0.1) may be assumed. A value of 10% is then always safe ("conservative value"). This value can be improved by additional measures (example: monitoring the ambient temperature of the redundant subsystem elements with regard to the maximum permissible value).

Diagnostic coverage (DC) and diagnostic test interval (T2)

Description of DC
Dangerous failures in the safety system (SRECS) are detected by diagnostics (fault detection) and a reaction of the SRECS is triggered (fault reaction). The fault reaction prevents the machine from entering a dangerous state. Example: reading back the contactors makes it possible to detect that a contactor has not opened. A reaction can then be performed which ensures that no dangerous state arises on the machine.
The diagnostic coverage (DC) indicates how many percent of the dangerous failures of a subsystem element are detected by diagnostics. Naturally, the DC is only of importance for subsystems for which diagnostic functions are realized. If these subsystems consist of different subsystem elements, one DC is determined for each subsystem element.

Calculation of DC
Table 9-19 Short description of DC
Symbol | DC
Designation | Diagnostic coverage (DC)
Meaning | DC indicates for a subsystem element how many percent of the dangerous failures are detected by diagnostics.
Definition | See tables below
Example | DC = 0.9. Meaning: 90% of the dangerous failures are detected by diagnostics.

Table 9-20 Calculation of DC
Formula | Dimension
DC = λ_DDtotal / λ_Dtotal | Dimensionless. The DC is also indicated as a percentage. This requires that the result is converted: 0.x -> 0.x * 100%. Example: 0.1 -> 10%

Table 9-21 Explanations of the DC formula
λ_DDtotal = Σλ_DD | Designation: Rate of all dangerous failures detected by diagnostics | Meaning: These failures may cause a dangerous state on the machine.
λ_Dtotal = Σλ_D | Designation: Rate of all dangerous failures | Meaning: ---
λ_D = λ_DD + λ_DU | Designation: Dangerous failure rate | Meaning: These failures may cause a dangerous state on the machine.

Table 9-22 Parameters of DC
λ_DD | Designation: Dangerous failure rate detected by diagnostics | Meaning: These failures may cause a dangerous state on the machine.
λ_DU | Designation: Dangerous failure rate not detected by diagnostics | Meaning: These failures may cause a dangerous state on the machine.
The following statements apply to all parameters listed above:
Definition | The definition requires that the different failure modes and their fractions are known. The following sources can be used: manufacturer documentation; IEC 62061, Annex D (chapter 27.3)
Calculation | Principle: See chapter
Dimension | 1 / h (per hour)

Diagnostic test interval (T2)
To perform the diagnostics (fault detection), the safety system (SRECS) performs tests at specific intervals. The interval between two tests is referred to as the diagnostic test interval. The table below provides an overview of the diagnostic test interval (T2).

Table 9-23 Short description of T2
Symbol | T2
Designation | Diagnostic test interval
Meaning | -
Definition | Specification of the safety-related control function (SRCF).
Example | -
Dimension | h (hour)

Minimum of lifetime and proof test interval (T1)

Lifetime
The lifetime is the time in which a subsystem or a subsystem element is used. After the lifetime has expired, the subsystem or the subsystem element has to be replaced. The table below provides an overview of the lifetime.

Table 9-24 Short description of lifetime
Symbol | -
Designation | Lifetime
Meaning | The time in which a subsystem or a subsystem element is used.
Definition | Manufacturer of the subsystem or subsystem element.
Range of validity | The value is of importance for electromechanical components (example: position switch, contactor).
Dimension | h (hour)

57 IEC BASICS #PFHD Value (PFHD) Proof test interval The #proof test is a test (maintenance, inspection) that can detect the faults or a degradation in the #safety system (SRECS) and its #subsystems. The #proof test is intended to detect dangerous faults which cannot be detected by automatic diagnostics. The proof test is performed manually at long intervals (depending on the application). The interval between two manual tests is referred to as proof test interval. After the proof test interval has elapsed, the #safety system (SRECS) and its #subsystems have to be tested and restored to an as new condition. The table below provides an overview of the proof test interval. Table 9-25 Short description of the proof test interval Symbol - Designation Proof test interval Meaning Interval between two manual tests. Definition By manufacturer of the #subsystem or #subsystem element. Range of validity Dimension The value is of importance for electronic and/or programmable components (example: F-PLC). h (hour) Example of lifetime and proof test interval For SIMATIC and SIRIUS components, this specifically means: Table 9-26 Components Relevant time interval Normal value Activity after the time interval has elapsed SIMATIC Proof test interval 10 years Test and update SIRIUS Lifetime 10 years Replacement Minimum of lifetime and proof test interval: T1 T1 is the minimum of the two values for lifetime and proof test interval. T1 is included in the formulae for calculating the #PFH D value (PFH D ) (basic subsystem architectures B and D). A&D Safety Integrated AS-FE-013-V13-EN 57/142

9.8 Example: Formula for the PFH_D value of basic subsystem architecture D

This chapter presents the formula for basic subsystem architecture D from IEC 62061. This formula will later be applied in the application example.

Characteristics of basic subsystem architecture D:
- With fault tolerance (HFT = 1)
- With diagnostics
- Two subsystem elements

Boundary condition for the example: the two subsystem elements are identical.

Figure 9-4

The PFH_D value is calculated in the following order: first the subsystem element is considered (chapter 9.7.1), then the subsystem. This procedure is illustrated in the figure below. The following sections describe the 4 steps for calculating the PFH_D value.

1st step: Failure rate of the subsystem element, λ

Table 9-27: Calculation of λ

Formula | λ = 0.1 * C / B10
Meaning | Failure rate of the subsystem element

Table 9-28: Parameters of λ

B10 | B10 value of the subsystem element
C   | Number of subsystem element operations per hour (1/h)

2nd step: Dangerous failure rate of the subsystem element, λ_De

Table 9-29: Calculation of λ_De

Formula | λ_De = (dangerous failure fraction) * λ
Meaning | Dangerous failure rate of the subsystem element

Table 9-30: Parameters of λ_De

Dangerous failure fraction | Fraction of the subsystem element's failures that are dangerous
λ                          | See table 9-27: failure rate of the subsystem element

3rd step: Dangerous failure rate of the subsystem, λ_DssD

Table 9-31: Calculation of λ_DssD

Formula | λ_DssD = (1 - β)^2 * {[λ_De^2 * 2 * DC] * T2 / 2 + [λ_De^2 * (1 - DC)] * T1} + β * λ_De
Meaning | Dangerous failure rate of the subsystem

The first bracket covers dangerous failures of one element that the diagnostics detect within the diagnostic test interval T2, the second bracket those that remain undetected and are only removed at T1, and the last term the common cause failures (β) that defeat the redundancy of the two elements.

Table 9-32: Parameters of λ_DssD

β (CCF factor) | Susceptibility to common cause failures
T1             | Minimum of lifetime and proof test interval of the subsystem element (for the electromechanical elements considered here the lifetime, see table 9-26)
T2             | Diagnostic test interval
DC             | Diagnostic coverage (DC)
λ_De           | See table 9-30: dangerous failure rate of the subsystem element

4th step: PFH_D value of the subsystem

Table 9-33: Calculation of PFH_D

Formula   | PFH_D = λ_DssD * 1 h
Meaning   | PFH_D value of the subsystem
Dimension | Dimensionless

Table 9-34: Parameters of PFH_D

λ_DssD | See table 9-31: dangerous failure rate of the subsystem | 1/h (per hour)
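The four steps above (and the DC formula of table 9-20) carried through in code, as an added worked example that is not part of the Siemens Functional Example. C = 1 operation per 8 h and T1 = 10 years come from the application example (tables 16-2 and 9-26); the B10 value, the dangerous failure fraction, β, DC and T2 used for subsystem 1 are assumptions for illustration only and are marked ASSUMED in the code. The PFH_D bands per SIL are those of IEC 62061 Table 3.

```python
"""PFH_D of an IEC 62061 basic subsystem architecture D (HFT = 1, diagnostics,
two identical elements), following tables 9-20 and 9-27 to 9-33.

Added worked example, not code from the Siemens Functional Example. Values
marked ASSUMED are illustrative; real values come from the manufacturer
documentation and the SRCF specification.
"""

HOURS_PER_YEAR = 8760

# IEC 62061 Table 3: upper PFH_D bound (exclusive) of each SIL band.
PFHD_UPPER_BOUND = {1: 1e-5, 2: 1e-6, 3: 1e-7}


def diagnostic_coverage(lambda_dd_total: float, lambda_d_total: float) -> float:
    """Table 9-20: DC = λ_DDtotal / λ_Dtotal (dimensionless, between 0 and 1)."""
    if not 0.0 <= lambda_dd_total <= lambda_d_total:
        raise ValueError("detected dangerous failures cannot exceed all dangerous failures")
    return lambda_dd_total / lambda_d_total


def failure_rate(b10: float, c_per_hour: float) -> float:
    """Step 1, table 9-27: λ = 0.1 * C / B10, in 1/h."""
    return 0.1 * c_per_hour / b10


def dangerous_failure_rate(lambda_e: float, dangerous_failure_fraction: float) -> float:
    """Step 2, table 9-29: λ_De = (dangerous failure fraction) * λ, in 1/h."""
    if not 0.0 <= dangerous_failure_fraction <= 1.0:
        raise ValueError("dangerous failure fraction must lie in [0, 1]")
    return dangerous_failure_fraction * lambda_e


def lambda_dssd_architecture_d(lambda_de: float, beta: float, dc: float,
                               t1_h: float, t2_h: float) -> float:
    """Step 3, table 9-31. Detected failures are exposed for T2/2 on average,
    undetected ones until T1; the β term is the common cause contribution."""
    detected = (lambda_de ** 2 * 2 * dc) * t2_h / 2
    undetected = (lambda_de ** 2 * (1 - dc)) * t1_h
    return (1 - beta) ** 2 * (detected + undetected) + beta * lambda_de


def pfhd_architecture_d(b10: float, c_per_hour: float, dff: float, beta: float,
                        dc: float, t1_h: float, t2_h: float) -> float:
    """Steps 1 to 4: PFH_D of the subsystem = λ_DssD * 1 h (dimensionless)."""
    lam = failure_rate(b10, c_per_hour)
    lam_de = dangerous_failure_rate(lam, dff)
    return lambda_dssd_architecture_d(lam_de, beta, dc, t1_h, t2_h) * 1.0


def srecs_pfhd(subsystem_pfhds) -> float:
    """IEC 62061: the PFH_D of the SRECS is the sum over its subsystems."""
    return sum(subsystem_pfhds)


def sil_from_pfhd(pfhd: float):
    """Highest SIL whose PFH_D limit the value satisfies (IEC 62061 stops at
    SIL 3); None if PFH_D >= 1e-5, i.e. not even SIL 1."""
    for sil in (3, 2, 1):
        if pfhd < PFHD_UPPER_BOUND[sil]:
            return sil
    return None


def position_switch_subsystem_example() -> float:
    """Subsystem 1 of the application example: two position switches, HFT = 1."""
    return pfhd_architecture_d(
        b10=1e6,                    # ASSUMED B10 of the position switch (operations)
        c_per_hour=1 / 8,           # table 16-2: one operation per 8 h shift
        dff=0.2,                    # ASSUMED dangerous failure fraction
        beta=0.1,                   # ASSUMED CCF factor of 10 %
        dc=0.99,                    # ASSUMED DC of the two-channel comparison in the F-PLC
        t1_h=10 * HOURS_PER_YEAR,   # table 9-26: SIRIUS lifetime 10 years = 87600 h
        t2_h=8,                     # ASSUMED: channels compared at every opening, once per shift
    )


if __name__ == "__main__":
    pfhd = position_switch_subsystem_example()
    print(f"PFH_D of subsystem 1 = {pfhd:.3e}, SIL {sil_from_pfhd(pfhd)} band")
```

With these inputs the result is about 2.5e-10, and almost all of it is the β * λ_De term: once the diagnostics are good and T2 is short, the common cause factor, not the element failure rate, decides the PFH_D of a redundant subsystem.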

10 Systematic Safety Integrity

IEC 62061 includes systematic safety integrity requirements for the safety system (SRECS) and its subsystems. The requirements are slightly graded according to the safety integrity level (SIL). The requirements consist of:
- Avoidance of systematic faults
- Control of systematic faults

The table below shows examples of systematic faults.

Table 10-1: Examples of systematic faults

Examples concern         | Examples of systematic faults
Organization, management | Defective design of the safety system (SRECS); no arrangement with regard to responsibilities
Engineering              | Short circuit, wire break (of lines); overvoltage; incorrect design (component is unsuitable for the application's ambient conditions); errors in the specification of application software or hardware; errors in the documentation for manufacturing

To meet the requirements of IEC 62061, specific measures have to be taken. The table below shows examples of such measures.

Table 10-2: Examples of measures

Examples concern         | Examples of measures
Organization, management | Measures to avoid systematic faults: planning, defining responsibilities; performing quality assurance; reviewing documentation and application software; complete and current documentation; configuration and version management; performing and documenting tests (validation)
Engineering              | Measures to avoid systematic faults: using the components within the scope of the manufacturer's specification (observing, for example, the maximum permissible ambient temperature); acceptance according to the manufacturer's specifications (e.g. SIMATIC S7 Distributed Safety); overdimensioning of components
Engineering              | Measures to control systematic faults: monitoring during operation (e.g. monitoring the ambient temperature or the insulation); tests by comparison when using redundant hardware; no dangerous state on the machine in the event of loss of the electrical supply

APPLICATION

11 Application Example

After the IEC 62061 basics have been explained in the previous chapters, the practical part of the document starts with this chapter. The document becomes concrete: IEC 62061 is applied. The application example used is briefly presented in this chapter.

11.1 Problem definition of the application example

The application example uses an example machine to show the basic application of IEC 62061.

Properties of the example machine

A blade rotates on the machine. A hinged protective cover is used as protection against the blade. For regular cleaning by the operator, the blade can be accessed by opening the protective cover.

Figure 11-1

Properties of the example machine's automation

A fail-safe programmable logic controller (F-PLC) simultaneously performs standard functions and safety functions on the machine. Only the safety function is considered, since the document focuses on the application of IEC 62061. Standard functions required for normal operation of the machine are not considered.

Main focus of the application example
- Derivation of the safety function, i.e. the safety-related control function (SRCF)
- Realization of the safety system (SRECS) performing the SRCF

11.2 Solution in the application example

The following section provides a brief overview of the solution shown step by step in the application example.

Safety-related control function (SRCF)
- Designation of the SRCF: Stop of the rotating blade
- Function of the SRCF: When the protective cover is opened, the motor is switched off.
- Required safety integrity level (SIL) of the SRCF: SIL 3

Safety system (SRECS)

The SRECS consists of 3 subsystems:

Table 11-1

Subsystem   | Function                                                         | Components
Subsystem 1 | Detecting the position of the protective cover via two position switches | SIRIUS
Subsystem 2 | Processing the signals with an F-PLC                             | SIMATIC S7 Distributed Safety
Subsystem 3 | Switching off the motor via two contactors                       | SIRIUS

Subsystems 1 and 3 are designed subsystems; subsystem 2 is a finished subsystem (table 4-2). The figure below shows the structure (architecture) of the SRECS:

Figure 11-2

Boundary conditions

Two already existing Functional Examples form the basis for the application example (/5/, chapter 29):

Table 11-2

No. | Title of the Functional Example                                                        | ID number
04  | Safety Door without Guard Locking in Category 4 according to EN                      |
07  | Integration of the Readback Signal in an Application of Category 4 according to EN   |

Subsystem 1 is based on Functional Example No. 04: realization of the function "Detection of the position of a protective cover via two position switches".

Subsystem 3 is based on Functional Example No. 07: realization of the diagnostic function "Read back contactors".

12 Overview of the Application of IEC 62061

In the following chapters, IEC 62061 will be applied to the example machine. The description is divided into individual steps. Specific activities are performed in each step. These activities are carried out in such a way that the requirements of IEC 62061 are met. This chapter provides an overview of the steps.

12.1 Overview of the steps

Discrete steps

Table 12-2 below provides an overview of the steps that are always required when applying IEC 62061. The document focuses on steps 2 to 7: from the risk analysis to the realized safety system (SRECS).

The description of the individual steps in the documentation follows a uniform pattern. The description is divided into sections:

Table 12-1

Section name          | The section answers the questions                                   | Remark
Objective of the step | What is the objective of the step? What is the result of the step?  | ---
Procedure             | What has to be done theoretically in the step?                      | This section is based on the part IEC 62061 BASICS of this document.
Application           | What has to be done practically in the step?                        | This section describes the specific application to the example machine.

Parallel activities

Activities to be performed in parallel to all steps are briefly described in chapter 12.2.

Overview of the steps necessary for the application of IEC 62061:

Table 12-2

Step | Activity                                                                              | Chapter | Standard                                   | Subject of the step
1    | Creating safety plan                                                                  | 13      | IEC 62061, chapter 4                       | Entire project
2    | Performing risk analysis                                                              | 14      | EN ISO 12100, EN 1050                      | Requirements from the perspective of the machine
3    | Performing risk assessment                                                            | 15      | EN ISO 12100, EN 1050, IEC 62061, Annex A  | Requirements from the perspective of the machine
4    | Developing SRCF specification                                                         | 16      | IEC 62061, chapter 5                       | Requirements from the perspective of the machine
5    | Designing SRECS architecture                                                          | 17      | IEC 62061, chapter 6                       | Solution from the perspective of the SRECS
6    | Realizing subsystems (overview of subsystems; design of subsystems 1, 2 and 3)        | 18      | IEC 62061, chapter 6                       | Solution from the perspective of the SRECS
7    | Determining achieved SIL                                                              | 19      | IEC 62061, chapter 6                       | Solution from the perspective of the SRECS
8    | Implementing hardware                                                                 | 20      | IEC 62061, chapter 6.9                     | Interface machine / SRECS
9    | Specifying software                                                                   | 21      | IEC 62061, chapter 6                       | Interface machine / SRECS
10   | Designing / developing software                                                       | 22      | IEC 62061, chapter 6.11                    | Interface machine / SRECS
11   | Integrating and testing                                                               | 23      | IEC 62061, chapter 6.12                    | Interface machine / SRECS
12   | Installing                                                                            | 24      | IEC 62061, chapter 6                       | Interface machine / SRECS
13   | Generating information for use                                                        | 25      | IEC 62061, chapter 7                       | Interface machine / SRECS
14   | Performing validation                                                                 | 26      | IEC 62061, chapter 8                       | Interface machine / SRECS

Steps 2 to 7 are the main focus of the document.

12.2 Activities in parallel to all steps

According to IEC 62061, additional measures affecting all steps have to be taken in parallel to the individual steps. IEC 62061 requires systematic safety integrity for all steps (chapter 10). This means that the procedure for designing and realizing a safety system (SRECS) has to be systematic. The table below lists examples.

Table 12-3

Examples of the systematic procedure                                                     | Standard
Functional safety management                                                             | IEC 62061, chapter 4
If necessary, validation by an independent organization                                  | IEC 62061, chapter 8
All changes (modifications) are made and documented according to a defined procedure     | IEC 62061, chapter 9
All definitions are documented                                                           | IEC 62061, chapter 10

13 Step 1: Creating Safety Plan

The safety plan is the frame for all activities required for the realization of a safety system (SRECS) on a machine.

13.1 Objective of the step

IEC 62061 requires a systematic procedure when realizing a safety system (SRECS). This includes the documentation of all activities in the safety plan, from the risk analysis and risk assessment of the machine and the design and realization of the SRECS to the validation. The safety plan has to be updated with each step of the realization of the SRECS.

13.2 Procedure

The following topics and activities are documented in the safety plan:
- Planning and procedure of all activities required for the realization of a safety system (SRECS). Examples: developing the specification of the safety-related control function (SRCF); designing and integrating the SRECS; validating the SRECS; preparing the SRECS user documentation; documenting all relevant information on the realization of the SRECS (project documentation)
- Strategy for how functional safety is to be achieved
- Responsibilities for execution and review of all activities
- Strategy for how the configuration management for the user software is to be performed
- Plan for the verification
- Plan for the validation

13.3 Application

This chapter shows a concrete example of the safety plan. The basis is the application example with the example machine.

Required activities

Table 13-1

Activity                                       | Description                                                                                                                                                                          | Standard
Developing the SRCF specification              | Developing the specification of the safety-related control function (SRCF) and naming the responsible person.                                                                        | IEC 62061, chapter 5
Designing, realizing and integrating the SRECS | Design, realization and integration according to a flowchart to be created, and naming the responsible person.                                                                      | IEC 62061, chapter 6
Validation                                     | Preparing a document for validation and naming the responsible person. The validation is performed using this document.                                                              | IEC 62061, chapter 8
Modification                                   | All modifications are documented. Only authorized persons make modifications to the safety system (SRECS), including the application software.                                       | IEC 62061, chapter 9
Preparing the user documentation               | Preparing the user documentation and naming the responsible person.                                                                                                                  | IEC 62061, chapter 7
Preparing the project documentation            | Preparing the project documentation and naming the responsible person. All documents (including application software) carry an identification number, date and revision level.       | IEC 62061, chapter 10

Strategy

Strategy             | Description
Functional safety    | The strategy to achieve functional safety consists of: identification of the SRCF by a risk analysis; specification of the identified SRCF; design of an SRECS and verification of the SRECS for all specified SRCFs; implementation of the SRECS and validation of the SRECS; review of the requirements; modification if the SRCFs do not meet the verification or validation criteria.
Application software | The strategy to achieve the functional safety of the application software consists of: use of the development system for the application software according to the manufacturer documentation.

Responsibilities

Area of responsibility                                                        | Responsible person and/or department
Project management                                                            | Mr. Huber
Developing the SRCF specification                                             | Mr. Meier
Functionality of the SRECS                                                    | Mr. Meier
Integration and test on the machine                                           | Mr. Schmidt
Document for validation, actual validation and documentation of the validation | Mr. Huber
Modifications (SRECS, application software)                                   | Mr. Meier
User documentation                                                            | Documentation department
Project documentation                                                         | Mr. Müller
Troubleshooting and repair                                                    | Mr. Müller
Training                                                                      | Mr. Müller

14 Step 2: Performing Risk Analysis

A risk analysis has to be performed for the machine before the actual application of IEC 62061. The risk analysis is not the subject of IEC 62061 (chapter 27.1).

14.1 Objective of the step

The risk analysis examines:
- Which hazards arise from the machine?
- Which safety-related control functions (SRCFs) are necessary to minimize the risk of the hazards?

The risk of a hazard depends on the two following factors:
- Severity of the possible harm that may be caused by the hazard
- Probability of occurrence of the harm

14.2 Procedure

Based on the risk analysis and the machine specification, the following is determined:
- Hazards caused by the machine
- Necessary SRCFs
- Functionality of the SRCFs

14.3 Application

For our application example, the risk analysis results in the following: there is a hazard on the machine, and an SRCF is necessary to minimize the risk. The following table shows the result of the risk analysis for the application example.

Table 14-1

Hazard                                                                                        | Necessary SRCFs
If the protective cover is open, the operator can be seriously injured by the rotating blade. | SRCF 1: Stop of the rotating blade

15 Step 3: Performing Risk Assessment

The next step after the risk analysis is the risk assessment for each hazard identified on the machine. The risk assessment is not the subject of IEC 62061 (chapter 27.1). IEC 62061 (Annex A) shows a method to determine the necessary safety integrity level (SIL) for a safety-related control function (SRCF). This method will be applied in the following.

15.1 Objective of the step

The risk assessment examines which measure has to be taken to minimize the risk for each hazard. If the measure is an SRCF, the required safety integrity level (SIL) has to be defined for this SRCF. The SIL is defined in such a way that the residual risk of the hazard is acceptably low.

15.2 Procedure

The required SIL for an SRCF is determined in two steps:
- Assessment of the risk of the hazard
- Determination of the required SIL for the SRCF

Assessment of the risk of the hazard

The higher the severity of a harm and the more probable the occurrence of a harm, the higher the assessed risk of a hazard. The risk of a hazard depends on the two following factors:
- Severity of the possible harm that may be caused by the hazard
- Probability of occurrence of the harm

The probability of occurrence of the harm is determined by:
- Frequency and duration of the exposure of persons in the danger zone
- Probability of occurrence of the hazardous event
- Possibility of avoiding or limiting the harm

To assess the risk of a hazard, the above factors of influence are considered and quantified.

Determination of the required SIL for the SRCF

After assessing the risk, the required SIL for the SRCF can be determined. In general, the following applies: the higher the determined risk, the higher the required SIL.

15.3 Application

The following section shows how the required SIL of an SRCF can be determined. The method is described in IEC 62061 (Annex A). The figure below illustrates the procedure:
- Assessment of the risk of the hazard (steps 1 to 4)
- Determination of the required SIL of the SRCF (steps 5 and 6)

Figure 15-1

Assessment of the risk of the hazard

The factors of influence on the risk of a hazard are assessed with the aid of the following tables.

1. Severity of the harm (Se)

The table below is used to assess the severity of the harm.

Table 15-1

Severity of the harm                                          | Se
Irreversible: e.g. losing limb(s)                             | 4
Irreversible: e.g. broken limb(s)                             | 3
Reversible: e.g. requiring attention from a medical practitioner | 2
Reversible: e.g. requiring first aid                          | 1

Application of the table:

Table 15-2

Input data  | Contact with the blade can cause the loss of limb(s).
Output data | Se = 4

2. Frequency and duration of the exposure of persons in the danger zone (Fr)

The table below is used to assess how frequently and how long persons are exposed to the hazard.

Table 15-3

Frequency of exposure | Duration > 10 min (*1) | Fr
<= 1 h                | Yes                    | 5
1 h to 1 day          | Yes                    | 5
1 day to 2 weeks      | Yes                    | 4
2 weeks to 1 year     | Yes                    | 3
> 1 year              | Yes                    | 2

(*1): If the duration of the exposure to the hazard is < 10 min, Fr can be set to the next-lower value.

Application of the table:

Table 15-4

Input data  | The operator must open the protective cover at least once per shift. The operator is then in the danger zone for approximately 15 minutes.
Output data | Fr = 5

3. Probability of occurrence of a hazardous event (Pr)

The table below is used to assess how probable the occurrence of a hazardous event is.

Table 15-5

Probability of occurrence | Pr
Very high                 | 5
Likely                    | 4
Possible                  | 3
Rarely                    | 2
Negligible                | 1

Application of the table:

Table 15-6

Input data  | When the protective cover is open, it is probable that the operator gets into the blade's operating range.
Output data | Pr = 4

4. Possibility of avoiding or limiting the harm (Av)

The table below is used to assess whether the operator can avoid the harm.

Table 15-7

Possibility of avoiding or limiting the harm | Av
Impossible                                   | 5
Rarely                                       | 3
Probable                                     | 1

Application of the table:

Table 15-8

Input data  | The operator can avoid the blade only rarely.
Output data | Av = 3

Determination of the required SIL for the SRCF

The risk was assessed in the previous chapter. To do this, the factors of influence Se, Fr, Pr and Av were determined. The required SIL is now derived from this.

5. Determination of the class

The class Cl is determined by adding the values for Fr, Pr and Av:

Cl = Fr + Pr + Av

6. Determination of the SIL

The table below is used to determine the SIL for the SRCF (rows: severity Se, columns: class Cl).

Table 15-9

Se | Cl 3 to 4 | Cl 5 to 7 | Cl 8 to 10 | Cl 11 to 13 | Cl 14 to 15
4  | SIL 2     | SIL 2     | SIL 2      | SIL 3       | SIL 3
3  |           | SIL 1     | SIL 2      | SIL 3       | SIL 3
2  |           |           | SIL 1      | SIL 2       | SIL 3
1  |           |           |            | SIL 1       | SIL 2

Application of the table:

Table 15-10

Input data  | Se = 4; Cl = 5 + 4 + 3 = 12
Output data | SIL 3

Summary

The SIL required for the SRCF is 3.

Form for risk assessment

To perform and document the risk assessment, a download with a form (Excel file) is available to you. You will find the download on the HTML page of this Functional Example. The figure below shows a form that was filled in. In the form, a hazard with a safety measure (SRCF 1) is entered as an example (red text).

Figure 15-2

16 Step 4: Developing SRCF Specification

After the identification of the safety-related control functions (SRCFs) necessary on the machine, the SRCFs now have to be specified.

16.1 Objective of the step

The requirements for the SRCFs are described in the specification. All SRCFs which were identified during the risk analysis are specified. Since the SRCFs are performed by the safety system (SRECS), the specification also includes all requirements that have to be met by the SRECS to be realized.

The specification can be considered as an interface between the machine (machine manufacturer) and the SRECS (SRECS developer):
- The machine manufacturer describes the requirements for the SRECS
- The SRECS developer realizes the SRECS on this basis

The results of the risk analysis and the risk assessment are the basis for the development of the specification.

16.2 Procedure

The specification of a safety-related control function (SRCF) basically consists of three parts:
- Information on the SRCF
- Requirements for the SRCF functionality
- Requirements for the safety integrity of the SRCF

Information on the SRCF

This part of the specification documents all important information on the SRCF. Examples:
- Result of the risk analysis
- Operating characteristics of the machine (examples: modes, cycle time, ambient conditions, number of persons on the machine)
- Information influencing the design of the SRECS (examples: behavior of the machine that is to be achieved or prevented by an SRCF; SRCF interfaces)

Requirements for the SRCF functionality

This part of the specification describes the requirements for the functionality of the safety-related control function (SRCF). Examples:
- Function of the SRCF
- Conditions in which the SRCF has to be active or disabled
- Required reaction time
- Reaction to faults
- Rate of operating cycles for the electromechanical components (example: number of position switch operations per hour)

Requirements for the safety integrity of the SRCF

This part of the specification describes the requirements for the safety integrity of the SRCF:
- Safety integrity level (SIL) of the SRCF, as a result of the risk assessment
- PFH_D value of the SRCF, derived from the required SIL

16.3 Application

This chapter provides an example of the specification of an SRCF. The SRCF of the example machine is specified.

Specified SRCF: SRCF 1: Stop of the rotating blade

Information on the SRCF

Table 16-1

Item                                                     | Information
Hazard on the machine to be prevented by the SRCF        | If the protective cover is open, the operator can be injured by the rotating blade.
Persons on the machine                                   | Maintenance staff
Mode of the machine in which the SRCF is to be active    | Cleaning mode

Requirements for the SRCF functionality

Table 16-2

Item                                                      | Requirement
Function of the SRCF                                      | After opening the protective cover, the motor must be switched off.
Conditions in which the SRCF has to be active or disabled | The SRCF must always be active on the machine.
Required reaction time                                    | When the protective cover is opened, the motor has to be stopped at the latest after 200 ms.
Reaction to faults                                        | When faults occur, the reaction has to be as follows: switch off the motor; disturbance indicator light on. It must only be possible to switch on the motor again if all of the following requirements are met: the fault has been corrected; the protective cover is closed; the operator has acknowledged via a button on the machine.
Rate of operating cycles for the electromechanical components | Position switch for protective cover: operation once per shift (1 x per 8 h). Contactor for motor: operation once per shift (1 x per 8 h).

Requirements for the safety integrity of the SRCF

Table 16-3

Item                                        | Requirement
Safety integrity level (SIL) of the SRCF    | SIL 3 (chapter 15.3)
PFH_D value of the SRCF                     | PFH_D < 10^-7 (table 9-2)

17 Step 5: Designing SRECS Architecture

After the specification of the safety-related control function (SRCF), the architecture of the safety system (SRECS) can now be designed.

17.1 Objective of the step

Each SRCF is conceptually divided into function blocks in such a way that these function blocks can be assigned to specific subsystems of the SRECS. All designed subsystems together then result in the required SRECS architecture. Specific components are not yet selected in this step; this is done in step 6 (Realizing Subsystems). The step is based on the specification of the SRCF (step 4).

17.2 Procedure

To design the architecture of the SRECS, each SRCF is considered individually. The following steps are performed for each SRCF:
- Dividing the SRCF into function blocks
- Specifying requirements for the function blocks
- Assigning function blocks to subsystems

This procedure is illustrated in the figure below.

Figure 17-1

Dividing the SRCF into function blocks

The segmentation of the SRCF into function blocks is performed so that the following statement applies: a failure of a function block of the SRCF results in the failure of the SRCF (loss of the SRCF).

Specifying requirements for function blocks

After the segmentation of the SRCF into function blocks, the following requirements are specified for each function block:
- Requirements for the SRCF functionality: What is the task of the function block? Which input information does the function block require? Which output information does the function block generate?
- Requirements for the safety integrity of the SRCF: Which safety integrity level (SIL) has to be achieved by the function blocks?

Remark on the safety integrity: The safety integrity level (SIL) of the SRCF is passed on to the function blocks of the SRCF. This means that the safety integrity requirements for the function blocks of the SRCF are identical to the safety integrity requirements of the SRCF itself.

Assigning function blocks to subsystems

One subsystem of the SRECS is assigned to each function block of an SRCF; one subsystem of the SRECS executes one function block of the SRCF. The SIL claim limit (SILCL) of the designed subsystems must be at least as high as the safety integrity level (SIL) of the function blocks.

17.3 Application

In the following section, the architecture of a safety system (SRECS) will be designed for our application example. The safety-related control function (SRCF) of the application example was specified in step 4.

Dividing the SRCF into function blocks

The SRCF of the application example is divided into three function blocks. All three function blocks are required to perform the SRCF. If one function block fails, the entire SRCF fails (loss of the SRCF). The figure and table below illustrate the segmentation.

Figure 17-2

Table 17-1

Function block   | Function
Function block 1 | Detecting: detecting the protective cover position
Function block 2 | Evaluating: evaluating the detected position and triggering the corresponding action
Function block 3 | Reacting: disconnecting the motor from the supply

Specifying requirements for function blocks

The requirements for the function blocks of the SRCF of the application example will be specified in this chapter. The requirements are described with the aid of uniform tables with the following structure:

Table 17-2

Function block x | Description
Input            | Which input information does the function block require?
Output           | Which output information does the function block generate?
Function         | What is the task of the function block?

Functionality of function block 1: Detecting

Table 17-3

Function block 1 | Description
Input            | Position of the protective cover: open or closed
Output           | Information on the protective cover position: protective cover is open; protective cover is closed
Function         | For all modes of the machine: detecting the protective cover position.

Functionality of function block 2: Evaluating

Table 17-4

Function block 2 | Description
Input            | Information on the protective cover position (output of function block 1)
Output           | Command to control the motor: disconnect the motor from the supply when the protective cover is open
Function         | For all modes of the machine: evaluation of the information on the protective cover position and corresponding control of the motor.

Functionality of function block 3: Reacting

Table 17-5

Function block 3 | Description
Input            | Command to control the motor (output of function block 2)
Output           | ---
Function         | For all modes of the machine: disconnecting the motor from the supply.

Safety integrity of the function blocks

The SRCF specification defines that the SRCF has to comply with SIL 3. This means that each individual function block must comply with at least SIL 3.

Assigning function blocks to subsystems

In this step the structure (architecture) of the subsystems of the safety system (SRECS) is designed. The subsystems execute the function blocks of the safety-related control function (SRCF).

The design of the subsystems must meet the following requirement: all subsystems must have a SIL claim limit (SILCL) of at least SILCL 3.

Reason: The SRCF must comply with SIL 3. This requires that the function blocks also comply with SIL 3. Consequently, the subsystems must have at least SILCL 3.

Subsystems 1 and 3

A design for the structure of subsystems 1 and 3 can be derived from the above requirement (at least SILCL 3). The following is assumed for the design: the subsystem elements for subsystem 1 (position switches) and subsystem 3 (contactors) have a safe failure fraction (SFF) of SFF < 99%.

With the above assumption and table 8-13, the following ensues for the structure (architecture) of the subsystems:
- One single subsystem element per subsystem (HFT = 0) is not sufficient. The design of the subsystems must be redundant.
- An SFF of at least 90% is required.

This means for the design of the subsystems:
- Two redundant subsystem elements per subsystem (HFT = 1) are necessary.
- The redundant subsystem elements have to be monitored (diagnostics are required).
- An adequate fault reaction must exist.

Subsystem 2

A fail-safe programmable logic controller (F-PLC) that complies with SILCL 3 is used for subsystem 2.

Summary

The table shows the assignment of the SRCF function blocks to the subsystems of the safety system (SRECS).

Table 17-6
  Function block 1: Detecting: Detecting the protective cover position
    Subsystem 1: Redundant, with diagnostics: two position switches with positive opening operation
  Function block 2: Evaluating: Evaluating the detected position and triggering corresponding action.
    Subsystem 2: Fail-safe programmable logic controller: F-CPU, F-DI, F-DO
  Function block 3: Reacting: Disconnecting the motor from the supply.
    Subsystem 3: Redundant, with diagnostics: two contactors with positively driven readback contacts

The figure below shows the design for the SRECS architecture.

Figure 17-3

18 Step 6: Realizing Subsystems

After designing the architecture of the safety system (SRECS), the subsystems of the SRECS are now realized.

Structure of the step

In the document, step 6 is described in several chapters. The table below lists the individual chapters.

Table 18-1
  Chapter   Heading                                    Contents
  18        Step 6: Realizing Subsystems               Chapter structure, objective and procedure
  19        Step 6 / Application: Overview             Overview of the subsystems
  20        Step 6 / Application: Subsystem 1          Application to subsystem 1
  21        Step 6 / Application: Subsystem 2          Application to subsystem 2
  22        Step 6 / Application: Subsystem 3          Application to subsystem 3

Objective of the step

The subsystems of the SRECS are realized in this step. A SRECS must be realized in such a way that it meets all requirements according to the required SIL. The objective is to sufficiently reduce the probability of faults which cause a dangerous state on the machine. The following aspects have to be observed:
- Safety integrity of the hardware: architectural constraint; PFH_D value (PFH_D)
- Systematic safety integrity: avoidance of systematic faults; control of systematic faults
- Behavior of the SRECS when detecting a fault: fault detection (diagnostics); fault reaction
- Design and development of safety-related application software

18.3 Procedure

To implement the requirements, the following considerations are made for each subsystem:
(1) Consideration of the architectural constraint
(2) Consideration of the PFH_D value (PFH_D)
(3) Consideration of the diagnostics
(4) Consideration of the systematic safety integrity

Considerations (1) and (2) concern the safety integrity of the hardware. Diagnostics (3) affect the safety integrity of the hardware. The procedure for the above-mentioned considerations (1) to (4) is described in the following chapters.

Consideration of the architectural constraint

The structure (architecture) of the subsystem must be realized in such a way that the SIL claim limit (SILCL) of the subsystem is at least equal to the safety integrity level (SIL) of the safety-related control function (SRCF). For the determination of the SILCL: see chapter 8.7.

Consideration of the PFH_D

The PFH_D value (PFH_D) of the safety-related control function (SRCF) is equal to the sum of the PFH_D values (PFH_D) of the subsystems. The subsystems must thus be realized in such a way that the PFH_D value (PFH_D) of the SRCF is not exceeded. For the determination of the PFH_D value (PFH_D): see chapter 9.4.

Consideration of the diagnostics

Diagnostics are used to detect random and systematic faults in the hardware.

Examples of random faults:
- Break of the actuator of a position switch
- Contacts of a contactor do not open.

Examples of systematic faults:
- Short circuit, wire break (on lines)

Additional diagnostic functions make it possible to design a subsystem in such a way that the SIL claim limit (SILCL) improves:
- More diagnostics improve the safe failure fraction (SFF) (improved fault detection).
- More diagnostics improve the PFH_D value (PFH_D) (reduction of the PFH_D).

The diagnostic functions do not have to be performed in the subsystem under consideration itself. For example, diagnostics of subsystem 1 can be performed in subsystem 2.

Consideration of the systematic safety integrity

In the subsystems, measures have to be taken to achieve systematic safety integrity (chapter 10). Systematic safety integrity is complied with if measures are taken which have the following effects:
- Avoidance of systematic faults
- Control of systematic faults

Diagnostics are one measure to control systematic faults (see chapter 10).

19 Step 6 / Application: Overview of the Subsystems

Figure 19-1

Objective and procedure of step 6 (Realizing Subsystems) were described in the previous chapter. This chapter first provides an overview of the subsystems to be realized. The subsequent chapters consider the individual subsystems.

The architecture shown in the figure above is realized:
- Safety system (SRECS) with three subsystems
- Subsystem 1 with two identical position switches
- Subsystem 2 with SIMATIC S7 Distributed Safety
- Subsystem 3 with two identical contactors

The subsystems have the following functions:

Table 19-1
  Subsystem   Function
  1           Detecting: Detecting the protective cover position
  2           Evaluating: Evaluating the detected position and triggering action.
  3           Reacting: Disconnecting the motor from the supply.

20 Step 6 / Application: Realizing Subsystem 1

This chapter describes the realization of subsystem 1.

Design of subsystem 1 (Detect function block)

Overview

The design of subsystem 1 is shown in the overview figure of chapter 19. The requirements for subsystem 1 are listed in the table below (chapter 17):

Table 20-1  Subsystem 1
  Requirement        
  Function           Detecting the protective cover position
  Safety integrity   SILCL 3

Description of subsystem 1

Subsystem 1 consists of two identical subsystem elements (position switches). Both position switches are wired to an F-DI. Both position switches are evaluated in the F-CPU. F-DI and F-CPU are parts of subsystem 2. Subsystem 2 is realized with SIMATIC S7 Distributed Safety.

Note: A detailed description of the design is available in the Functional Examples (table 11-2). However, the information in this document is sufficient for the considerations concerning IEC.

Description of subsystem elements 1.1 and 1.2

The following position switch is used for both subsystem elements:

Table 20-2
  Designation       Type             Order number   Manufacturer
  Position switch   Metal-enclosed   3SE2120-6xx    Siemens (SIRIUS components)
  Actuator          ---              3SX3197        Siemens (SIRIUS components)

The position switch has the following properties:
- Separate actuator
- Without tumbler
- Positively opening contacts

Connecting the subsystem elements of subsystem 1 to subsystem 2

The figure below shows the connection principle. The two position switches are connected to an F-DI. The F-DI is a fail-safe digital input module of SIMATIC S7 Distributed Safety.

Figure 20-1

Connection of the F-DI:
- One channel per position switch
- Power supply of the position switches via the F-DI

Parameterization of the F-DI:
- 1-channel sensor interconnection
- F monitoring time of the module
- Short-circuit test, cyclically per channel

Diagnostics of subsystem 1

The following diagnostics have been realized for subsystem 1:

Table 20-3
  Diagnostics of subsystem 1   If, after a monitoring time has elapsed, the values of the two position switches differ, a fault has occurred. Example of a fault: position switch actuator broken off or worn.
  Diagnostics location         Subsystem 2: F-CPU

Consideration of the architectural constraint

Procedure

The SIL claim limit (SILCL) of subsystem 1 is determined in this chapter. To do this, first the hardware fault tolerance (HFT) and the safe failure fraction (SFF) are determined. Subsequently, the SILCL is determined (chapter 8.7).

HFT determination

A failure of a subsystem element does not cause the loss of the safety-related control function (SRCF). Consequently, the fault tolerance of subsystem 1 is one:
  HFT = 1

SFF determination

SFF refers to the subsystem. For subsystems with several identical subsystem elements, it is sufficient to consider one subsystem element by itself. The analysis of the subsystem element (position switch) yields the following failures and failure modes:

Table 20-4
  Failure                  Failure mode   Detected by diagnostics   Failure rate type (λ_S / λ_D / λ_DU)   Fraction of this failure mode   Source
  Contact does not open    Dangerous      Yes                       λ_D                                    20%                             Manufacturer of the position switch
  Contact does not close   Safe           ---                       λ_S                                    80%                             Manufacturer of the position switch

Note: Wire break and short circuit are not considered here since they are systematic faults.

Since all dangerous failures are detected by diagnostics, the following applies:
  λ_DUtotal = Σ λ_DU = 0

This results in the following SFF (table 8-6):
  SFF = (λ_total - λ_DUtotal) / λ_total = λ_total / λ_total = 1

SILCL determination

The SILCL is determined from HFT and SFF (table 8-13):
  SILCL 3

Consideration of the PFH_D

The PFH_D of subsystem 1 is determined in this chapter. IEC provides the formulae for calculating the PFH_D value (PFH_D) for four basic subsystem architectures. Subsystem 1 complies with the characteristics of basic subsystem architecture D: single fault tolerance with diagnostic functions. The reason is described in the following table.

Table 20-5
  Characteristic of D      Realization of subsystem 1
  Single fault tolerance   A failure of a subsystem element (position switch) does not cause the loss of the safety-related control function (SRCF).
  Diagnostic functions     Faults in subsystem 1 are detected in subsystem 2 by diagnostics. This is done by comparing the states of the two position switches in the F-CPU.

To calculate the PFH_D, parameters of the subsystem element and parameters of the subsystem are used. The figure below shows the assignment of the parameters.

Figure 20-2

PFH_D calculation

Note: For explanations of the calculation of the PFH_D value (PFH_D), please refer to chapter 9.8.

Information on the subsystem element of subsystem 1

Table 20-6
  Subsystem element   Type: SIRIUS position switch   Technical data: chapter 27.5

Dangerous failure rate of the subsystem element

Table 20-7
  Parameter   Meaning                                                                      Value
  B10         B10 value of the position switch                                             1 * 10^6
  C           Number of position switch operations (1 x per shift, i.e. every 8 hours)     / h
  -           Dangerous failure fraction of the position switch                            0.2
  λ_De        Result: dangerous failure rate of the subsystem element                      2.5 * 10^-9 / h

PFH_D value (PFH_D) of the subsystem

Table 20-8
  Parameter   Meaning                                                                                                                                                    Value
  λ_De        Dangerous failure rate of the subsystem element (from table 20-7)                                                                                          2.5 * 10^-9 / h
  β           CCF factor: susceptibility to common cause failures                                                                                                        0.1
  T1          Lifetime of the position switch                                                                                                                            h
  T2          Diagnostic test interval (when opening the protective cover, a defective position switch is detected in the F-CPU; an opening is performed once per shift, i.e. every 8 hours)   8 h
  DC          Diagnostic coverage (DC) of the position switches (see the DC calculation below)                                                                           1

Table 20-9
  Result   PFH_D value (PFH_D) of the subsystem   2.5 *

Calculation of the diagnostic coverage (DC)

Two identical subsystem elements (position switches) are used in subsystem 1. For this reason, it is sufficient to determine the DC of one subsystem element. The determination of the DC requires that the dangerous failure modes and their failure rates (probability) are known (chapter 9.7.3).

Dangerous failure modes

The analysis of the subsystem element (position switch) yields the following dangerous failures and failure modes:

  Failure                 Failure mode   Detected by diagnostics   Failure rate type   Fraction of this failure mode   Source
  Contact does not open   Dangerous      Yes                       λ_DD, λ_D           20%                             Manufacturer of the position switch

Note: Wire break and short circuit are not considered here since they are systematic faults.

DC calculation

The DC is calculated from the above failure rates (table 9-20):
  DC = λ_DDtotal / λ_Dtotal = (Σ λ_DD) / (Σ λ_D) = λ_DD / λ_D = 1

Consideration of the diagnostics

The diagnostic functions realized in subsystem 1 are summarized in the table below.

  Diagnostic function    Evaluation of the two position switches in the F-CPU. If different states are detected, a fault has occurred.
  Diagnostics location   Subsystem 2: F-CPU
  Fault reaction         Disconnecting the motor from the supply

Consideration of the systematic safety integrity

The requirements for the systematic safety integrity equally apply to all subsystems. Subsystem 1 must also meet these requirements. Examples of measures to avoid and control systematic faults are listed in chapter 10.

Summary

The realized subsystem 1 has the following properties:

  Subsystem   SILCL   PFH_D
  1           3       2.5 *

21 Step 6 / Application: Realizing Subsystem 2

This chapter describes the realization of subsystem 2.

Design of subsystem 2 (Evaluate function block)

Overview

The design of subsystem 2 is shown in the overview figure of chapter 19. The requirements for subsystem 2 are listed in the table below (chapter 17):

Table 21-1  Subsystem 2
  Requirement        
  Function           Evaluating the detected position and triggering the associated action.
  Safety integrity   SILCL 3

Description of subsystem 2

Subsystem 2 is a finished subsystem. Subsystem 2 is realized with SIMATIC S7 Distributed Safety. SIMATIC S7 Distributed Safety is certified according to IEC. The following SIMATIC Distributed Safety components are used in subsystem 2:
- Fail-safe CPU: F-CPU
- Fail-safe I/O modules: F-DI and F-DO of the ET200S
- Software for programming and configuring: S7 Distributed Safety

The design of the subsystem is distributed. The F-CPU communicates with F-DI and F-DO via PROFIsafe. PROFIsafe is a profile which ensures fail-safe communication.

Note: A detailed description of the design is available in the Functional Examples (table 11-2). However, the information in this document is sufficient for the considerations concerning IEC.

Description of F-DI

See subsystem 1 (chapter 20).

Description of F-DO

See subsystem 3 (chapter 22).

Description of F-CPU

The F-CPU processes the user program. The user program consists of the following parts:
- Standard program (S program)
- Fail-safe program (F program)

The safety-related tasks are performed in the F program; the non-safety-related tasks are executed in the S program.

Tasks of the F program:

The position switches of subsystem 1 are read in the F program:
- 0 means: switch or protective cover open.
- 1 means: switch or protective cover closed.

If the 0 state of at least one position switch is read, the contactors of subsystem 3 are switched off. This disconnects the motor from the supply. The motor must only be switched on again when the two following requirements are met:
- The operator has acknowledged.
- Both position switches supply 1 (protective cover closed).

To evaluate the position switches of subsystem 1 and the readback signals of the contactors of subsystem 3, certified F blocks from the S7 Distributed Safety library are used.

Communication with the I/Os (DI, F-DI, F-DO): The F-CPU communicates with the ET200S I/O system via PROFIBUS.

Description of DI

DI is a standard input module of SIMATIC. The DI is used for the diagnostics of subsystem 3 (readback of the contactors).

Consideration of the architectural constraint

Subsystem 2 is a finished subsystem which is purchased from Siemens. According to the information provided by Siemens, SIMATIC S7 Distributed Safety has a maximum SIL claim limit (SILCL) of 3 (chapter 27.4). In this application example, subsystem 2 achieves the following SIL claim limit (SILCL):
  SILCL 3

Consideration of the PFH_D

SIMATIC S7 Distributed Safety is used for subsystem 2. The formula below is used to calculate the PFH_D value (PFH_D):

Table 21-2  PFH_D of subsystem 2
  PFH_D (subsystem 2) = PFH_D (F-CPU) + PFH_D (F I/O) + P_TE (F communication)

The following boundary conditions apply to the calculations:
- The proof test interval is 10 years.
- F-CPU and F I/O are operated in safety mode.
- The contribution of the digital communication between the subsystems to the PFH_D of a SRCF is added to subsystem 2.

Information required for the calculation (chapter 27.4):

Table 21-3
  Parameter                Value       Component         Source
  PFH_D (F-CPU)            5.43 *      CPU 315F          Siemens
  PFH_D (F I/O)            1 *         F-DI              Siemens
                           1 *         F-DO              Siemens
  P_TE (F communication)   1 * 10^-9   F communication   Siemens

This results in the PFH_D for subsystem 2:

Table 21-4
  Result   PFH_D value (PFH_D) of the subsystem   * 10^-9

Consideration of the diagnostics

A consideration is not required since subsystem 2 (SIMATIC S7 Distributed Safety) is certified according to IEC.

Consideration of the systematic safety integrity

A consideration is not required since subsystem 2 (SIMATIC S7 Distributed Safety) is certified according to IEC. If the user complies with the installation instructions and manuals, systematic safety integrity is ensured.

Summary

The realized subsystem 2 has the following properties:

Table 21-5
  Subsystem   SILCL   PFH_D
  2           3       * 10^-9

22 Step 6 / Application: Realizing Subsystem 3

This chapter describes the realization of subsystem 3.

Design of subsystem 3 (React function block)

Overview

The design of subsystem 3 is shown in the overview figure of chapter 19. The requirements for subsystem 3 are listed in the table below (chapter 17):

Table 22-1  Subsystem 3
  Requirement        
  Function           Disconnecting the motor from the supply.
  Safety integrity   SILCL 3

Description of subsystem 3

Subsystem 3 consists of two identical subsystem elements (contactors). The load contacts of both contactors are connected in series. This ensures that the motor is connected to or disconnected from the supply. The coils of both contactors are wired to an F-DO. Both coils are simultaneously switched via one single channel of the F-DO. The readback contacts of both contactors are separately wired to a DI (standard I/O module). The control of the coils and the evaluation of the readback signals are performed in the F program (fail-safe program) of the F-CPU. F-DO and F-CPU are parts of subsystem 2. Subsystem 2 is realized with SIMATIC S7 Distributed Safety.

Note: A detailed description of the design is available in the Functional Examples (table 11-2). However, the information in this document is sufficient for the considerations concerning IEC.

Description of subsystem elements 3.1 and 3.2

The following contactor is used for both subsystem elements:

Table 22-2
  Designation   Type                                Order number    Manufacturer
  Contactor     AC-3, 3KW/400V, 1NC, 24VDC          3RT1015-2BB42   Siemens (SIRIUS components)

The contactor has the following properties:
- Positively driven and positively opening readback contacts

Connecting the subsystem elements of subsystem 3 to subsystem 2

The figure below shows the connection principle. The contactors are connected to an F-DO. The F-DO is a fail-safe digital output module of SIMATIC S7 Distributed Safety.

Figure 22-1

Connection of the F-DO:
- One single output channel of the F-DO simultaneously switches both contactors K1 and K2

Parameterization of the F-DO:
- No peculiarities

Connection of the DI:
- The readback signals of the two contactors K1 and K2 are read in separately.

Diagnostics of subsystem 3

The following diagnostics have been realized for subsystem 3:

Table 22-3
  Diagnostics of subsystem 3   If the readback signals do not correspond to the switching status of the contactors, a fault has occurred. Example of a fault: load contacts of the contactor do not open.
  Diagnostics location         Subsystem 2: F-CPU
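The evaluation logic that chapters 20 (table 20-3), 21 (description of the F-CPU) and 22 (table 22-3) describe in words, modelled in Python as an added example: two-channel evaluation of the position switches with a monitoring time, readback check of the contactors, and restart only after acknowledgement with the cover closed on both channels. This is not code from the Functional Example and does not reproduce the certified F-blocks of the S7 Distributed Safety library; the class name, the 100 ms cycle, the 500 ms monitoring time and the condition for clearing a latched fault are assumptions of the model.

```python
# Added example (not part of the Functional Example): Python model of the
# F-program logic of subsystem 2.  Hypothetical names; the real application
# uses certified F-blocks from the S7 Distributed Safety library.
from typing import Dict, Optional


class CoverGuardLogic:
    """Two-channel cover monitoring with discrepancy time, contactor readback
    check and acknowledged restart.  Signal conventions as in the document:
    position switch 1 = cover closed; readback contact (1NC, positively driven)
    1 = contactor dropped out."""

    def __init__(self, monitoring_time_ms: int = 500):
        self.monitoring_time_ms = monitoring_time_ms
        self.motor_enabled = False          # state of the F-DO channel driving K1 and K2
        self.fault = False                  # latched result of the diagnostics
        self._since: Dict[str, Optional[int]] = {"switch": None, "readback": None}

    def _persists(self, key: str, mismatch: bool, now_ms: int) -> bool:
        """True once `mismatch` has lasted longer than the monitoring time."""
        if not mismatch:
            self._since[key] = None
            return False
        if self._since[key] is None:
            self._since[key] = now_ms
        return now_ms - self._since[key] > self.monitoring_time_ms

    def cycle(self, now_ms: int, sw1: int, sw2: int, rb1: int, rb2: int, ack: bool) -> bool:
        """One F-program cycle; returns the motor-enable command for this cycle."""
        cover_closed = bool(sw1 and sw2)
        # Diagnostics of subsystem 1 (table 20-3): channels must agree within the monitoring time
        if self._persists("switch", sw1 != sw2, now_ms):
            self.fault = True
        # Diagnostics of subsystem 3 (table 22-3): readbacks must mirror the previous command
        expected_rb = 0 if self.motor_enabled else 1
        if self._persists("readback", rb1 != expected_rb or rb2 != expected_rb, now_ms):
            self.fault = True
        # Safety function and fault reaction: open cover or any fault disconnects the motor
        if not cover_closed or self.fault:
            self.motor_enabled = False
        # Restart only after acknowledgement and with both channels reporting "closed"
        elif ack and not self.motor_enabled:
            self.motor_enabled = True
        return self.motor_enabled

    def reset_fault(self, sw1: int, sw2: int, rb1: int, rb2: int) -> bool:
        """Clear the latched fault once both channels agree and both contactors are
        dropped out (modelling assumption; the document does not detail fault reset)."""
        if sw1 == sw2 and rb1 == 1 and rb2 == 1:
            self.fault = False
            self._since = {k: None for k in self._since}
        return not self.fault


def run_scenarios() -> Dict[str, bool]:
    """Constructed input sequence (100 ms cycle) covering normal operation and both faults."""
    g, r = CoverGuardLogic(500), {}
    r["closed_without_ack"] = g.cycle(0, 1, 1, 1, 1, ack=False)      # False: restart interlock
    r["closed_with_ack"] = g.cycle(100, 1, 1, 1, 1, ack=True)        # True: motor enabled
    g.cycle(200, 1, 1, 1, 1, False)                                  # contactors still pulling in
    r["running"] = g.cycle(300, 1, 1, 0, 0, False)                   # readbacks now 0, no fault
    r["cover_opened"] = g.cycle(400, 0, 0, 0, 0, False)              # False: immediate shutdown
    r["closed_again_no_ack"] = g.cycle(500, 1, 1, 1, 1, False)       # False
    r["restart"] = g.cycle(600, 1, 1, 1, 1, True)                    # True
    # Actuator of switch 2 broken: channel 2 stays 0 although the cover is closed
    g.cycle(700, 1, 0, 0, 0, False)
    for t in range(800, 1300, 100):
        g.cycle(t, 1, 0, 1, 1, False)
    r["discrepancy_fault"] = g.cycle(1300, 1, 0, 1, 1, False) is False and g.fault
    r["ack_while_faulty"] = g.cycle(1400, 1, 1, 1, 1, True)          # False: fault latched
    r["after_reset"] = g.reset_fault(1, 1, 1, 1) and g.cycle(1500, 1, 1, 1, 1, True)
    # Load contact of K1 welded: readback 1 stays 0 after the motor was switched off
    g.cycle(1600, 1, 1, 0, 0, False)                                 # running
    g.cycle(1700, 0, 0, 0, 0, False)                                 # cover open, command off
    for t in range(1800, 2400, 100):
        g.cycle(t, 0, 0, 0, 1, False)                                # K2 dropped out, K1 not
    r["readback_fault"] = g.cycle(2400, 0, 0, 0, 1, False) is False and g.fault
    return r
```

The readback comparison uses the command of the previous cycle and the same monitoring-time mechanism as the switch comparison, so the switching delay of the contactors does not register as a fault; a welded load contact does, because its NC readback never returns to 1.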

Consideration of the architectural constraint

Procedure

The SIL claim limit (SILCL) of subsystem 3 is determined in this chapter. To do this, first the hardware fault tolerance (HFT) and the safe failure fraction (SFF) are determined. Subsequently, the SILCL is determined (chapter 8.7).

HFT determination

A failure of a subsystem element does not cause the loss of the safety-related control function (SRCF). Consequently, the fault tolerance of subsystem 3 is one:
  HFT = 1

SFF determination

SFF refers to the subsystem. For subsystems with several identical subsystem elements, it is sufficient to consider one subsystem element by itself. The analysis of the subsystem element (contactor) yields the following failures and failure modes:

Table 22-4
  Failure                                              Failure mode   Detected by diagnostics   Failure rate type (λ_S / λ_D / λ_DU)   Fraction of this failure mode   Source
  Load contact remains closed when coil not energized  Dangerous      Yes                       λ_D                                    75%                             Manufacturer of the contactor
  Load contact does not close when coil energized      Safe           ---                       λ_S                                    25%                             Manufacturer of the contactor

Note: Wire break and short circuit are not considered here since they are systematic faults.

Since all dangerous failures are detected by diagnostics, the following applies:
  λ_DUtotal = Σ λ_DU = 0

This results in the following SFF (table 8-6):
  SFF = (λ_total - λ_DUtotal) / λ_total = λ_total / λ_total = 1

SILCL determination

The SILCL is determined from HFT and SFF (table 8-13):
  SILCL 3

Consideration of the PFH_D

The PFH_D of subsystem 3 is determined in this chapter. IEC provides the formulae for calculating the PFH_D for four basic subsystem architectures. Subsystem 3 complies with the characteristics of basic subsystem architecture D: single fault tolerance with diagnostic functions. The reason is described in the following table:

Table 22-5
  Characteristic of D      Realization of subsystem 3
  Single fault tolerance   A failure of a subsystem element (contactor) does not cause the loss of the safety-related control function (SRCF).
  Diagnostic functions     Faults in subsystem 3 are detected in subsystem 2 by diagnostics. This is done by evaluating the readback signals.

To calculate the PFH_D, parameters of the subsystem element and parameters of the subsystem are used. The figure below shows the assignment of the parameters.

Figure 22-2

PFH_D calculation

Note: For explanations of the calculation of the PFH_D value (PFH_D), please refer to chapter 9.8.

Information on the subsystem element of subsystem 3

Table 22-6
  Subsystem element   Type: SIRIUS contactor   Technical data: chapter 27.5

Dangerous failure rate of the subsystem element

Table 22-7
  Parameter   Meaning                                                               Value
  B10         B10 value of the contactor                                            1 * 10^6
  C           Number of contactor operations (1 x per shift, i.e. every 8 hours)    / h
  -           Dangerous failure fraction of the contactor                           0.75
  λ_De        Result: dangerous failure rate of the subsystem element               9.4 * 10^-9 / h

PFH_D value (PFH_D) of the subsystem

Table 22-8
  Parameter   Meaning                                                                                                                                                           Value
  λ_De        Dangerous failure rate of the subsystem element (from table 22-7)                                                                                                 9.4 * 10^-9 / h
  β           CCF factor: susceptibility to common cause failures                                                                                                               0.1
  T1          Lifetime of the contactor                                                                                                                                         h
  T2          Diagnostic test interval (when disconnecting the motor from the supply, a defective contactor is detected in the F-CPU; switching off is performed once per shift, i.e. every 8 hours)   8 h
  DC          Diagnostic coverage (DC) of the contactor (see the DC calculation below)                                                                                          1

Table 22-9
  Result   PFH_D value (PFH_D) of the subsystem   9.4 *
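The PFH_D calculation of this chapter and of chapter 20 (tables 20-7 to 20-9 and 22-7 to 22-9) carried through in Python, as an added example that is not part of the Functional Example. It uses the B10 estimate for electromechanical elements and the formula for basic subsystem architecture D ("single fault tolerance with diagnostic functions") as IEC 62061 gives it, written out here from the standard since chapter 9.8 is not reproduced in this section. The lifetime T1 is an assumed placeholder because its value is not legible here; with DC = 1 it has no practical influence on the result. Function and constant names are my own.

```python
# Added example, not from the Functional Example: λ_De from the B10 value and
# PFH_D of IEC 62061 basic subsystem architecture D for subsystems 1 and 3.
from typing import Dict


def lambda_de_from_b10(b10: float, ops_per_hour: float, dangerous_fraction: float) -> float:
    """Dangerous failure rate λ_De (1/h) of an electromechanical subsystem element.

    IEC 62061 estimates the element's failure rate as 0.1 * C / B10, with C the
    number of operations per hour; the dangerous share is that rate times the
    dangerous failure fraction (tables 20-7 / 22-7)."""
    return 0.1 * ops_per_hour / b10 * dangerous_fraction


def pfh_d_architecture_d(lam_de: float, beta: float, dc: float, t1_h: float, t2_h: float) -> float:
    """PFH_D (per hour) of architecture D with two identical subsystem elements.

    λ_DssD = (1-β)² · [ λ_De² · 2·DC · T2/2 + λ_De² · (1-DC) · T1 ] + β · λ_De
    T2: diagnostic test interval, T1: lifetime (table 20-8 / 22-8), β: CCF factor."""
    detected = lam_de ** 2 * 2 * dc * t2_h / 2      # second failure found within T2
    undetected = lam_de ** 2 * (1 - dc) * t1_h      # second failure stays hidden until T1
    return (1 - beta) ** 2 * (detected + undetected) + beta * lam_de


OPS_PER_HOUR = 1 / 8          # one operation per shift of 8 h (tables 20-7 and 22-7)
T1_LIFETIME_H = 20 * 8760     # assumed placeholder for the lifetime T1 (value not on the page)
T2_DIAG_H = 8                 # diagnostic test interval: one cover opening / switch-off per shift


def subsystem_pfh_d() -> Dict[str, float]:
    """λ_De and PFH_D for subsystem 1 (position switches) and subsystem 3 (contactors)."""
    results = {}
    for name, dangerous_fraction in (("subsystem_1", 0.2), ("subsystem_3", 0.75)):
        lam_de = lambda_de_from_b10(1e6, OPS_PER_HOUR, dangerous_fraction)
        results[name + "_lambda_de"] = lam_de
        results[name + "_pfh_d"] = pfh_d_architecture_d(lam_de, beta=0.1, dc=1.0,
                                                        t1_h=T1_LIFETIME_H, t2_h=T2_DIAG_H)
    return results


def ccf_sensitivity(lam_de: float, dc: float = 1.0) -> Dict[float, float]:
    """With DC = 1 the λ_De² terms are negligible, so PFH_D ≈ β · λ_De: the CCF
    factor is the lever that chapter 23 names for improving the PFH_D."""
    return {beta: pfh_d_architecture_d(lam_de, beta, dc, T1_LIFETIME_H, T2_DIAG_H)
            for beta in (0.1, 0.05, 0.02)}


if __name__ == "__main__":
    for key, value in subsystem_pfh_d().items():
        print(f"{key:24s} {value:.3e} /h")
```

For subsystem 1 the function reproduces λ_De = 2.5 * 10^-9 / h from table 20-7 and for subsystem 3 λ_De = 9.375 * 10^-9 / h (9.4 * 10^-9 / h rounded in table 22-7); in both cases PFH_D is the common-cause term β · λ_De plus a contribution of the order of 10^-16 / h from the double-failure terms.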

Calculation of the diagnostic coverage (DC)

Two identical subsystem elements (contactors) are used in subsystem 3. For this reason, it is sufficient to determine the DC of one subsystem element. The determination of the DC requires that the dangerous failure modes and their failure rates (probability) are known (chapter 9.7.3).

Dangerous failure modes

The analysis of the subsystem element (contactor) yields the following dangerous failures and failure modes:

  Failure                                              Failure mode   Detected by diagnostics   Failure rate type   Fraction of this failure mode   Source
  Load contact remains closed when coil not energized  Dangerous      Yes                       λ_DD, λ_D           75%                             Manufacturer of the contactor

Note: Wire break and short circuit are not considered here since they are systematic faults.

DC calculation

The DC is calculated from the above failure rates (table 9-20):
  DC = λ_DDtotal / λ_Dtotal = (Σ λ_DD) / (Σ λ_D) = λ_DD / λ_D = 1
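The architectural-constraint and DC determinations of chapter 20 (table 20-4 and the DC table of the position switch) and of this chapter (table 22-4 and the DC table above) written out in Python, as an added example that is not part of the Functional Example. The SFF and DC formulas are those the document cites (tables 8-6 and 9-20); the SFF/HFT-to-SILCL mapping is IEC 62061 table 5 (table 8-13 of this document) reproduced from the standard. The what-if without diagnostics is my addition, showing why the document requires the redundant elements to be monitored: with HFT = 1 but undetected dangerous failures the SFF drops below 90% and SILCL 3 is no longer reached. Names are my own.

```python
# Added example, not from the Functional Example: SFF, DC and SILCL of a
# subsystem from the failure-mode tables of one subsystem element.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FailureMode:
    name: str
    dangerous: bool      # counts towards λ_D (True) or λ_S (False)
    detected: bool       # dangerous failure detected by diagnostics (λ_DD) or not (λ_DU)
    fraction: float      # share of the element's total failure rate


def sff(modes: List[FailureMode]) -> float:
    """Safe failure fraction (table 8-6): (λ_total - λ_DUtotal) / λ_total."""
    lam_total = sum(m.fraction for m in modes)
    lam_du = sum(m.fraction for m in modes if m.dangerous and not m.detected)
    return (lam_total - lam_du) / lam_total


def dc(modes: List[FailureMode]) -> float:
    """Diagnostic coverage (table 9-20): λ_DDtotal / λ_Dtotal."""
    lam_d = sum(m.fraction for m in modes if m.dangerous)
    lam_dd = sum(m.fraction for m in modes if m.dangerous and m.detected)
    return lam_dd / lam_d


def silcl(sff_value: float, hft: int) -> Optional[int]:
    """Maximum SIL claim limit from the SFF band and the hardware fault tolerance
    (IEC 62061 table 5 / table 8-13 of this document); None = structure not allowed."""
    if sff_value < 0.60:
        row = (None, 1, 2)
    elif sff_value < 0.90:
        row = (1, 2, 3)
    elif sff_value < 0.99:
        row = (2, 3, 3)
    else:
        row = (3, 3, 3)
    return row[min(hft, 2)]


# Failure modes and fractions from tables 20-4 (position switch) and 22-4 (contactor)
POSITION_SWITCH = [
    FailureMode("contact does not open", dangerous=True, detected=True, fraction=0.20),
    FailureMode("contact does not close", dangerous=False, detected=False, fraction=0.80),
]
CONTACTOR = [
    FailureMode("load contact remains closed when coil not energized", True, True, 0.75),
    FailureMode("load contact does not close when coil energized", False, False, 0.25),
]


def without_diagnostics(modes: List[FailureMode]) -> List[FailureMode]:
    """What-if: the same element, but no diagnostics detect its dangerous failures."""
    return [FailureMode(m.name, m.dangerous, False, m.fraction) for m in modes]


def evaluate(modes: List[FailureMode], hft: int = 1) -> Dict[str, object]:
    """SFF, DC and resulting SILCL of a subsystem built from identical elements."""
    return {"sff": sff(modes), "dc": dc(modes), "silcl": silcl(sff(modes), hft)}
```

With diagnostics both elements give SFF = 1, DC = 1 and SILCL 3 at HFT = 1, as in the document. Without diagnostics the position switch falls to SFF = 0.8 (SILCL 2) and the contactor to SFF = 0.25 (SILCL 1), and a single element without redundancy (HFT = 0) is only allowed for SILCL 3 once the SFF reaches 99%.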

Consideration of the diagnostics

The diagnostic functions realized in subsystem 3 are summarized in the table below.

  Diagnostic function    Evaluation of the readback signals of the two contactors in the F-CPU. If the statuses do not correspond to the switching statuses of the contactors, a fault has occurred.
  Diagnostics location   Subsystem 2: F-CPU
  Reaction to faults     Disconnecting the motor from the supply

Consideration of the systematic safety integrity

The requirements for the systematic safety integrity equally apply to all subsystems. Subsystem 3 must also meet these requirements. Examples of measures to avoid and control systematic faults are listed in chapter 10.

Summary

The realized subsystem 3 has the following properties:

  Subsystem   SILCL   PFH_D
  3           3       9.4 *

23 Step 7: Determining SIL Achieved by SRECS

23.1 Objective of the step

In this step it is checked whether the required safety integrity level (SIL) is achieved for each safety-related control function (SRCF) with the realized safety system (SRECS).

Procedure

To ensure that the SIL required for the SRCF is achieved, the following requirements have to be met for each individual SRCF:

Requirements, clearly graded according to SIL:
- The SIL claim limit (SILCL) of each SRCF subsystem must at least correspond to the safety integrity level (SIL) of the SRCF.
- The sum of the PFH_D values (PFH_D) of all SRCF subsystems must not exceed the PFH_D value (PFH_D) specified by the safety integrity level (SIL) of the SRCF.
- If a subsystem is used by different SRCFs, the SIL claim limit (SILCL) of the subsystem must comply with the highest safety integrity level (SIL) of these SRCFs.

Requirement, slightly graded according to SIL:
- Systematic safety integrity must be complied with.

To review the requirements that depend clearly on the SIL, the following steps are performed:
- Determination of the minimum SILCL of all subsystems of the SRCF
- Determination of the PFH_D of the SRCF
- Derivation of the SIL which is achieved with the SRECS

Determination of the minimum SILCL of all subsystems of the SRCF

The lowest SIL claim limit (SILCL) of all subsystems of the safety-related control function (SRCF) is determined:
  SILCL_Min = Minimum { SILCL(SS1), ..., SILCL(SSn) }

Determination of the PFH_D of the SRCF

The PFH_D value (PFH_D) of a SRCF is calculated as follows (chapter 9.3):
  PFH_D(SRCF) = PFH_D(SS1) + ... + PFH_D(SSn) + P_TE(communication)

The more subsystems are required for the performance of a SRCF, the higher the probability that one of these subsystems fails. Thus the probability of a SRCF failure is also higher. This aspect is considered via the addition.

Derivation of the SIL which is achieved with the SRECS

The required safety integrity level (SIL) for the safety-related control function (SRCF) is achieved when the two requirements listed below are met.

Table 23-1
  Requirement                   Description
  SILCL_Min ≥ SIL               The SILCL of each subsystem of the SRCF must at least correspond to the SIL of the SRCF.
  PFH_D(SRCF) ≤ PFH_D(SIL)      The sum of the PFH_D values (PFH_D) must not be larger than the PFH_D value (PFH_D) defined by the SIL. PFH_D(SIL) is determined from table 9-2.

Measures to achieve the required SIL

If the required SIL for a SRCF is not achieved, the design of the subsystems has to be reworked. Depending on whether the SILCL or the PFH_D has not been achieved, different options exist:

Examples of improving the SIL claim limit (SILCL):
- Improvement by redundancy in the subsystems
- Improvement by diagnostics: converting dangerous undetected failures to dangerous detected failures.

Examples of improving the PFH_D value (PFH_D):
- Using subsystems or subsystem elements with an improved PFH_D value (PFH_D).
- Increasing the diagnostic coverage (DC) by more diagnostics
- Reducing the CCF factor by appropriate measures (example: selection of different components)

23.3 Application

The risk analysis and the risk assessment for our example machine have yielded the following result: a SRCF with SIL 3 is necessary. A safety system (SRECS) consisting of three subsystems was realized for this SRCF. The properties are summarized in the table below.

Table 23-2
  Subsystem           SILCL   PFH_D
  Subsystem 1 (SS1)   3       2.5 *
  Subsystem 2 (SS2)   3       * 10^-9
  Subsystem 3 (SS3)   3       9.4 *

Determination of the minimum SILCL of all subsystems of the SRCF

Minimum SIL claim limit (SILCL) of all subsystems:
  SILCL_Min = 3

Determination of the PFH_D of the SRCF

The #PFH_D value (PFH_D) of the SRCF is calculated as follows:

    PFH_D(SRCF) = PFH_D(SS1) + PFH_D(SS2) + PFH_D(SS3) = … * 10^-9

The chart below illustrates the order of magnitude of the #PFH_D values (PFH_D).

Figure (chart of the PFH_D values)

Derivation of the SIL which is achieved with the SRECS

#PFH_D value (PFH_D) for SIL 3: PFH_D(SIL 3) < 10^-7 (from table 9-2)

Requirements review:

Table 23-3
Requirement               | Application             | Met?
SILCL_Min ≥ SIL           | 3 ≥ 3                   | Yes
PFH_D(SRCF) ≤ PFH_D(SIL)  | … * 10^-9 ≤ … * 10^-7   | Yes

Result: SIL 3 is achieved with the #safety system (SRECS)!
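The step 7 check from the preceding pages, as an added Python example that is not part of this Functional Example. The three subsystems and their PFH_D values are constructed sample data (the example's own, not the application's figures); P_TE = 1.00e-9 is the PROFIBUS value from table 27-9; the PFH_D limits for SIL 1 and SIL 2 are the IEC 62061 bands, whereas the page itself only cites the SIL 3 limit. The report returned by check_sil names the requirement that failed, so the designer knows which group of measures (SILCL or PFH_D) from "Measures to achieve the required SIL" applies.

```python
# Added example (not from the Functional Example): the step 7 check in Python.
# Subsystem names and values below are CONSTRUCTED; P_TE is from table 27-9;
# the SIL 1 / SIL 2 limits are the IEC 62061 bands (the page cites only SIL 3).
from dataclasses import dataclass

# Upper PFH_D limit (failures per hour) per SIL; PFH_D(SRCF) has to stay below it.
PFHD_LIMIT = {1: 1e-5, 2: 1e-6, 3: 1e-7}


@dataclass(frozen=True)
class Subsystem:
    name: str
    silcl: int    # SIL claim limit of the subsystem (1..3)
    pfhd: float   # PFH_D of the subsystem in 1/h


def silcl_min(subsystems):
    """SILCL_Min = Minimum { SILCL(SS1), ..., SILCL(SSn) }"""
    return min(s.silcl for s in subsystems)


def pfhd_srcf(subsystems, p_te=0.0):
    """PFH_D(SRCF) = PFH_D(SS1) + ... + PFH_D(SSn) + P_TE(communication)"""
    return sum(s.pfhd for s in subsystems) + p_te


def check_sil(subsystems, required_sil, p_te=0.0):
    """Evaluate both requirements of table 23-1 for one required SIL.

    Returns (achieved, report); the report records which requirement failed.
    """
    if required_sil not in PFHD_LIMIT:
        raise ValueError(f"unsupported SIL {required_sil}")
    smin = silcl_min(subsystems)
    total = pfhd_srcf(subsystems, p_te)
    silcl_ok = smin >= required_sil
    pfhd_ok = total < PFHD_LIMIT[required_sil]
    report = {
        "silcl_min": smin,
        "pfhd_srcf": total,
        "pfhd_limit": PFHD_LIMIT[required_sil],
        "silcl_ok": silcl_ok,
        "pfhd_ok": pfhd_ok,
    }
    return silcl_ok and pfhd_ok, report


def achieved_sil(subsystems, p_te=0.0):
    """Highest SIL (3 down to 1) for which both requirements hold; 0 if none."""
    for sil in (3, 2, 1):
        if check_sil(subsystems, sil, p_te)[0]:
            return sil
    return 0


def improvement_options(report):
    """Map a failed requirement to the measures listed on the page."""
    options = []
    if not report["silcl_ok"]:
        options += ["redundancy in the subsystems",
                    "diagnostics: convert dangerous undetected into dangerous detected failures"]
    if not report["pfhd_ok"]:
        options += ["subsystem elements with a better PFH_D",
                    "higher diagnostic coverage (DC)",
                    "lower CCF factor (e.g. different components)"]
    return options


P_TE_PROFIBUS = 1.00e-9   # table 27-9, F-CPU <-> F-I/O via PROFIBUS

# Constructed sample subsystems (not the application's own figures).
EXAMPLE = [
    Subsystem("SS1 position switches", 3, 2.0e-9),
    Subsystem("SS2 F-CPU + F-I/O", 3, 5.0e-9),
    Subsystem("SS3 contactors", 3, 3.0e-9),
]

if __name__ == "__main__":
    ok, rep = check_sil(EXAMPLE, 3, P_TE_PROFIBUS)
    print(f"SILCL_Min = {rep['silcl_min']}, PFH_D(SRCF) = {rep['pfhd_srcf']:.2e} 1/h")
    print("SIL 3 achieved" if ok else f"SIL 3 not achieved: {improvement_options(rep)}")
```

Note that check_sil uses a strict "<" against the limit, matching the page's "PFH_D(SIL) < 10^-7" for SIL 3; a value exactly on the limit is therefore treated as not achieved.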

24 Steps 8 to 12: Implementing SRECS

In step 7 it was checked whether the previously designed #safety system (SRECS) actually complies with the required properties. If this is the case, the SRECS can now be implemented. This chapter provides a brief description of the steps required for the implementation. IEC 62061 also includes requirements for these steps, which are to be met by appropriate measures.

Step 8: Implementing hardware
The #safety system (SRECS) must be implemented in accordance with the documented design of the SRECS.

Step 9: Specifying software
In our application, application software is required for the #safety-related control function (SRCF). The application software is executed by the F-CPU of #subsystem 2. According to IEC 62061, a specification has to be developed for this application software.

Step 10: Designing and developing software
The application software specified in step 9 has to be realized according to the requirements of IEC 62061. These requirements are based on IEC ….

Step 11: Integrating and testing
The integration of the #safety system (SRECS) must be in accordance with the IEC 62061 requirements. Tests must be performed which verify the correct interaction of all #subsystems and #subsystem elements, including the application software. The tests have to be defined in the #safety plan (test cases) and performed accordingly.

Step 12: Installing
With the installation, the SRECS is ready for the validation (chapter 26).

25 Step 13: Generating Information for Use

25.1 Objective of the step
It is required to provide information on the #safety system (SRECS) which enables the operator of the machine to ensure the functional safety of the SRECS during use and maintenance. The project documentation, which is also required, is used as a basis for the user documentation.

25.2 Procedure
Documentation is prepared for installation, use and maintenance. It must include (examples):
- Description of the equipment, installation and mounting
- Circuit diagram
- Proof test interval or lifetime
- Description of the interaction of SRECS and machine
- Description of the maintenance requirements of the SRECS

26 Step 14: Performing Validation

26.1 Objective of the step
The validation is used to verify whether the #safety system (SRECS) meets the requirements described in the SRCF specification (chapter 16). The step is based on the #safety plan (chapter 13).

26.2 Procedure
The following is required for the validation:
- All tests must be documented.
- Each SRCF must be validated by a test and/or analysis.
- The #systematic safety integrity of the SRECS must be validated.

APPENDIX

27 Background Information

It is not necessarily required to read this chapter. It provides in-depth information on selected topics. The pieces of information in the following sub-chapters are independent of one another; their order is arbitrary.

27.1 Risk analysis and risk assessment

In the event of a failure or malfunction, machines can cause a hazard to persons, the environment and material assets. To reduce the risk of a hazard, the following steps have to be performed:

Table 27-1
Step            | Activity
Risk analysis   | Identifying the hazards on a machine for all modes and in each phase of the lifetime of the machine.
Risk assessment | Assessing the risk arising from these hazards and deciding on adequate risk reduction.

The risk of a hazard depends on the two following factors:
- Severity of the possible harm that may be caused by the hazard
- Probability of occurrence of the harm

Measures to reduce the risk are:
- Intrinsically safe design
- Guards
- Quality assurance measures to avoid systematic faults
- Information for use

The order of the measures listed above must be complied with. At first, it must be attempted to make the machine safer via an intrinsically safe design. Guards to reduce the risk (example: protective cover) are only used after this has been attempted.

The following standards have to be applied in the European Union (EU) for risk analysis and risk assessment:

Table 27-2
Standard  | Designation                                                        | Contents
EN ISO …  | Safety of machinery: Basic concepts, general principles for design | Describes the risks to be considered and principles for design to reduce the risk
EN 1050   | Safety of machinery: Principles for risk assessment                | Describes the iterative process with risk assessment and risk reduction to achieve safety

Risk analysis and risk assessment are iterative processes. The figure below shows the basic procedure.

Figure 27-1

27.2 CCF factor (β)

Redundant #subsystems require that the probability of common cause failures is considered. These failures cause the simultaneous failure of the redundant components. A measure for this is the CCF factor (β). IEC 62061 (Annex F) provides a method for the estimation of the CCF factor. The table below shows the basic procedure:

Table 27-3
Step     | Activity
1st step | Assessment of the #subsystem with regard to the effectiveness of the measures used for protection against common cause failures. During this assessment, points are awarded for the measures used (examples, see table 27-4).
2nd step | Determination of the CCF factor from the overall score (see table 27-5): many measures yield a high overall score.

1st step: Assessment of the #subsystem

The table below is an incomplete excerpt from IEC 62061 (table F.1).

Table 27-4
Area                          | Measure                                                                                                                              | Score
Separation/segregation        | Are SRECS signal cables for the individual channels routed separately from other channels at all positions or sufficiently shielded? | …
Diversity/redundancy          | Do the #subsystem elements have a diagnostic test interval of <= 1 min?                                                              | …
Complexity/design/application | Is cross-connection between channels of the #subsystem prevented, with the exception of that used for diagnostic testing purposes?   | …

2nd step: Determination of the CCF factor

The table below is copied from IEC 62061 (table F.2). The overall score is calculated by adding the points applicable to the #subsystem from step 1.

Table 27-5
Overall score | CCF factor (β)
< 35          | 10% (0.1)
35 to 65      | 5% (0.05)
65 to 85      | 2% (0.02)
85 to 100     | 1% (0.01)
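The two-step procedure of table 27-3 (award points per measure, then read β from the overall score), as an added Python example that is not part of this Functional Example. The measure catalogue and its point values are constructed placeholders standing in for IEC 62061 table F.1, whose scores the page does not reproduce; only the score-to-β bands of table 27-5 are the page's own. Because those bands share the values 65 and 85, the example assigns a shared boundary to the higher (more conservative) β; that tie-break is an assumption of the example.

```python
# Added example (not from the Functional Example): CCF estimation in two steps.
# MEASURES and its point values are CONSTRUCTED placeholders, not the scores of
# IEC 62061 table F.1. The bands in ccf_factor are the page's table 27-5.

# Step 1 catalogue: measure -> points awarded when it is implemented (placeholders).
MEASURES = {
    "cables_routed_separately_or_shielded": 10,
    "diagnostic_test_interval_le_1min": 20,
    "cross_connection_prevented": 15,
    "different_electrical_technologies": 15,
    "environmental_tests_performed": 20,
    "emc_tests_performed": 20,
}


def overall_score(implemented):
    """Step 1: add the points of every implemented measure.

    An unknown measure name is rejected instead of being silently skipped, so a
    misspelled measure is noticed rather than just not counted.
    """
    unknown = set(implemented) - MEASURES.keys()
    if unknown:
        raise KeyError(f"unknown CCF measures: {sorted(unknown)}")
    return sum(MEASURES[m] for m in set(implemented))


def ccf_factor(score):
    """Step 2: table 27-5 (IEC 62061 table F.2), overall score -> beta.

    A score on a shared band boundary (65 or 85) gets the higher beta; this
    conservative tie-break is an assumption of the example.
    """
    if not 0 <= score <= 100:
        raise ValueError(f"overall score out of range: {score}")
    if score < 35:
        return 0.10
    if score <= 65:
        return 0.05
    if score <= 85:
        return 0.02
    return 0.01


def estimate_beta(implemented):
    """Both steps in one call: returns (overall score, beta)."""
    score = overall_score(implemented)
    return score, ccf_factor(score)


if __name__ == "__main__":
    few = ["cables_routed_separately_or_shielded", "cross_connection_prevented"]
    print(estimate_beta(few))            # (25, 0.1)
    print(estimate_beta(list(MEASURES))) # (100, 0.01)
```

Listing a measure twice does not double its points (the set() in overall_score sees to that), so the score can only be raised by actually implementing further measures.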

27.3 Failure modes of electrical / electronic components

Electrical / electronic components can fail. To estimate failure modes and their ratios, IEC 62061 provides a table (IEC 62061, Annex D). The table below is an incomplete excerpt from IEC 62061 (table D.1).

Table 27-6
Component                              | Failure mode                                                                          | Typical failure mode ratio
Switch with positive opening on demand | Contacts will not open                                                                | 20%
                                       | Contacts will not close                                                               | 80%
Electromechanical position switch      | Contacts will not open                                                                | 50%
                                       | Contacts will not close                                                               | 50%
Contactor                              | All contacts remain in the energized position when the coil is de-energized           | 25%
                                       | All contacts remain in the de-energized position when the coil is energized           | 25%
                                       | Contacts will not open                                                                | 10%
                                       | Contacts will not close                                                               | 10%
                                       | Simultaneous short circuit between three contacts of a change-over contact            | 10%
                                       | Simultaneous closing of normally open and normally closed contacts                    | 10%
                                       | Short circuit between two pairs of contacts and/or between contacts and coil terminal | 10%

Note: Whether a failure mode on the machine causes a dangerous state or not depends on the respective application.

27.4 SIMATIC S7 Distributed Safety: Safety-related data

The following tables include safety-related data on SIMATIC S7 Distributed Safety. The data are limited to the components of the application example.

Data source
The data are from the manuals of the corresponding components. When using a component, the respective manual must always be referred to. This ensures that the most current values are determined.

Component: F-CPU

Table 27-7
Component                      | SILCL | PFH_D | Proof test interval
CPU 315F-2 DP, 6ES… FF01-0AB0  | …     | …     | … years

Components: ET200S F I/O system

Table 27-8
Component                                               | SILCL | PFH_D | Proof test interval
EM 4/8 F-DI 24VDC PROFIsafe, 6ES… FA02-0AB0, 1-channel  | …     | …     | … years
EM 4/8 F-DI 24VDC PROFIsafe, 6ES… FA02-0AB0, 2-channel  | …     | …     | … years
4 F-DO 24VDC/2A PROFIsafe, 6ES… FB02-0AB0               | …     | …     | … years
PM-E 24VDC 2 / PM-E 24VDC/120/230VAC 3 / PM-E 24 48VDC  | …     | …     | … years

Note: In the application example, two position switches are connected to the F-DI. Each connection is parameterized as 1-channel. In the F-CPU, a discrepancy evaluation is performed via the F program. This means that the 2-channel data (SILCL, PFH_D) apply.

Communication

Table 27-9
Fail-safe communication     | P_TE
F-CPU <-> F-I/O (PROFIBUS)  | 1.00 * 10^-9

27.5 SIRIUS: Safety-related data

The following table includes safety-related data on components of the SIRIUS series. The data are limited to the components of the application example.

Data source
The data are from a recommendation of the A&D CD (of 02/01/06): "Recommendation of the standard B10 values for the application of EN 62061". A summary of it is given below.

Recommendation of the standard B10 values for the application of EN 62061

The failure rate of electromechanical components is described by the B10 value. The B10 value is defined as follows: B10 is the number of switching cycles after which 10% of the test objects have failed.

According to EN 62061, the failure rate of the electromechanical components can be calculated from the B10 value:

    λ = 0.1 * C / B10
    C = operations per hour (depends on the application)

Composition of the failure rate:

    λ = λ_S + λ_D
    λ_S = safe share of the failures ("safe"), given in % of λ
    λ_D = dangerous share of the failures ("dangerous"), given in % of λ

The table below shows excerpts of the SIRIUS standard B10 values for electromechanical components.

Table 27-10
Component                                                                | B10 value | λ_d
Position switch with separate actuator (with positively opening contacts) | …         | …%
Contactor / motor starter (with positively driven contacts)              | …         | …%

27.6 Fault, diagnostics and failure (according to IEC 62061)

Fault

The terms "fault" and "failure" are of great importance when applying IEC 62061. To illustrate this importance, simple examples will be used to explain the terms in this chapter. The exact definitions of the terms according to IEC 62061 are listed in chapter ….

A #safety system (SRECS) must be realized in such a way that it meets all requirements according to the required SIL. The objective during the realization is to minimize the probability of dangerous systematic and random faults.

Faults
Faults affect the function of the SRECS, a #subsystem or a #subsystem element. A fault causes the required function to no longer be performed: loss of the function.

If a fault causes the loss of the function of a #subsystem, all #safety-related control functions (SRCFs) using this #subsystem are no longer performed: loss of the SRCF.

The loss of the #safety-related control function (SRCF) may cause the loss of the #safety function.

Explanation of "may": Loss of the SRCF means that the required function of the SRCF is no longer performed. The fault may, however, be detected by diagnostics or by other measures in the SRECS (not assigned to the SRCF). A fault reaction of the SRECS can then prevent the occurrence of a dangerous state on the machine. This means that the #safety function is still fulfilled by a second path (independent of the SRCF). Examples for clarification: see the examples at the end of this chapter.

Dangerous and safe faults
All faults can be assigned to one of two classes:
- Dangerous faults
- Safe faults
Dangerous faults cause dangerous failures, safe faults cause safe failures (see "Failure modes" below).

Random and systematic faults
Faults (dangerous or safe) can be random or systematic.

Characteristics of a "random fault":
- Fault in the hardware occurring at a random instant of time.
- The fault causes a required function to no longer be performed.
- The fault is subject to quantification by IEC 62061. The quantification is based on the failure rates. These are, for example, the B10 values of electromechanical components (information from the manufacturer of the components).

Examples of random faults:
- Break of the actuator of a position switch
- Contacts of a contactor do not open

Characteristics of a "systematic fault":
- Fault in the hardware or application software that is related to a specific cause.
- The cause of the fault can be corrected by the following measures (examples): modification of the design; modification of the selection of the components used.
- The fault is not subject to quantification by IEC 62061.

Examples of systematic faults:
- Errors in the specification of the SRCF
- Errors in the design, manufacture, installation or operation of the hardware
- Errors in the design or implementation of the application software
- Short circuit, wire break on lines

Diagnostics

Objective of the diagnostics: Diagnostics are used to detect random and systematic dangerous faults in the hardware. Diagnostics and the corresponding fault reaction prevent a dangerous fault from causing a dangerous state on the machine.

Characteristics of the "diagnostics":
- Diagnostics must be performed within the SRECS.
- Diagnostics of a #subsystem can be performed at the following locations: in the #subsystem itself, or outside the #subsystem, in another #subsystem.
- Diagnostics are performed automatically by the SRECS (example: readback of contactors).
- Diagnostics improve the #safe failure fraction (SFF) and the #PFH_D value (PFH_D) of a #subsystem.

Use of SIMATIC standard modules for diagnostics:
Example: use of standard modules (thus no F modules) for reading in the readback signals of contactors. Standard modules may be used for diagnostics in the SRECS when dangerous faults are detected in the F program of the F-CPU. The diagnostic device is not subject to quantification if the following requirements are met:
- Diagnostics are performed in the F program of the F-CPU.
- The diagnostic device is cyclically monitored in the F program of the F-CPU.

Failure

Fault and failure
Faults cause failures of the SRECS, a #subsystem or a #subsystem element. A failure is defined as follows: termination of the ability of a SRECS, a #subsystem or a #subsystem element to perform a required function.
- A failure of a #subsystem causes the loss of all SRCFs using this #subsystem.
- A failure of a #subsystem element in a #subsystem does not necessarily cause the loss of all SRCFs using this #subsystem.

Role of diagnostics
In the event of a failure of a SRCF (failure of the "first switch-off option"), the #safety function does not necessarily have to fail. If diagnostics (fault detection) are provided in the SRECS, the #safety function can be maintained by a corresponding fault reaction ("second switch-off option"). The model shown below is the basis:

Figure 27-2

Failure modes

The figure below shows the failure modes considered. A failure rate λ (probability of failure) is assigned to each failure mode.

Figure 27-3

Explanations of the figure:

Table 27-11
Failure rate | Failure mode                                  | Failure cause   | Effect
λ_D          | Dangerous failure                             | Dangerous fault | This failure may cause a dangerous state on the machine.
λ_DD         | Dangerous failure detected by diagnostics     | Dangerous fault | This failure may cause a dangerous state on the machine.
λ_DU         | Dangerous failure not detected by diagnostics | Dangerous fault | This failure may cause a dangerous state on the machine.
λ_S          | Safe failure                                  | Safe fault      | The failure does not cause a dangerous state on the machine.

Meaning of "may": Depending on the #subsystem (with / without redundancy, with / without diagnostics), the failure of a #subsystem element may or may not cause a dangerous state on the machine. Examples to illustrate this are given in the following sub-chapters.
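The B10 formula of chapter 27.5 and the failure-rate split of figure 27-3 (λ = λ_S + λ_D, λ_D = λ_DD + λ_DU), carried through in one added Python example that is not part of this Functional Example. All numeric inputs (B10, the duty cycle that yields C, the dangerous share and the diagnostic coverage DC) are constructed placeholders, not the SIRIUS values of table 27-10; the helper operations_per_hour, which derives C from cycles per day and operating hours per day, is the example's own assumption about how C is obtained. The comparison at the end shows what the page's remark "converting dangerous undetected failures into dangerous detected failures" means in numbers.

```python
# Added example (not from the Functional Example): B10 -> lambda and the split
# into lambda_S / lambda_D and lambda_DD / lambda_DU. All inputs are CONSTRUCTED
# placeholders; table 27-10's SIRIUS values are not reproduced here.


def operations_per_hour(cycles_per_day, operating_hours_per_day):
    """C for the lambda formula: switching cycles per operating hour (assumed derivation)."""
    if operating_hours_per_day <= 0:
        raise ValueError("operating hours per day must be positive")
    return cycles_per_day / operating_hours_per_day


def failure_rate_from_b10(b10, c_per_hour):
    """lambda = 0.1 * C / B10   (failures per hour), as stated in chapter 27.5."""
    if b10 <= 0 or c_per_hour < 0:
        raise ValueError("B10 must be positive and C non-negative")
    return 0.1 * c_per_hour / b10


def split_safe_dangerous(lam, dangerous_share):
    """lambda = lambda_S + lambda_D; dangerous_share is the table's lambda_d in %, given as 0..1."""
    if not 0.0 <= dangerous_share <= 1.0:
        raise ValueError("dangerous share must be between 0 and 1")
    lam_d = lam * dangerous_share
    return lam - lam_d, lam_d


def split_detected_undetected(lam_d, dc):
    """lambda_D = lambda_DD + lambda_DU with DC = lambda_DD / lambda_D."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must be between 0 and 1")
    lam_dd = lam_d * dc
    return lam_dd, lam_d - lam_dd


def failure_rate_breakdown(b10, c_per_hour, dangerous_share, dc):
    """All rates of figure 27-3 for one subsystem element, in 1/h (lambda_DU also in FIT)."""
    lam = failure_rate_from_b10(b10, c_per_hour)
    lam_s, lam_d = split_safe_dangerous(lam, dangerous_share)
    lam_dd, lam_du = split_detected_undetected(lam_d, dc)
    return {
        "lambda": lam, "lambda_S": lam_s, "lambda_D": lam_d,
        "lambda_DD": lam_dd, "lambda_DU": lam_du,
        "lambda_DU_fit": lam_du * 1e9,   # FIT = failures per 1e9 hours
    }


if __name__ == "__main__":
    # Constructed contactor: B10 = 1e6 cycles, 96 cycles over a 16 h day (C = 6 per hour),
    # 50% dangerous failures, readback diagnostics with DC = 99%. All placeholders.
    c = operations_per_hour(cycles_per_day=96, operating_hours_per_day=16)
    no_diag = failure_rate_breakdown(1e6, c, 0.5, dc=0.0)
    readback = failure_rate_breakdown(1e6, c, 0.5, dc=0.99)
    print(f"lambda_DU without diagnostics: {no_diag['lambda_DU']:.2e} 1/h")
    print(f"lambda_DU with readback:       {readback['lambda_DU']:.2e} 1/h")
```

With these placeholders the dangerous rate λ_D is 3.0e-7 1/h either way; readback diagnostics move 99% of it from λ_DU to λ_DD, leaving λ_DU at 3.0e-9 1/h, which is the quantity that the undetected-failure terms of the subsystem architectures are built on.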

Examples: Overview

The next sub-chapters use simple, specific examples to answer the following questions:
- How does a dangerous fault affect #subsystems with different architectures?
- When is a #safety function or a SRCF lost?
- What is the role of diagnostics?

The following boundary conditions apply to the four examples:

Table
Property                                 | In the examples
#Safety function                         | The blade must not rotate when the protective cover is open.
#Safety-related control function (SRCF)  | Stop of the rotating blade.
Considered #function block of the SRCF   | Reacting: switching off via a #subsystem with / without redundancy, with / without diagnostics.

The examples follow the four basic subsystem architectures of IEC 62061:

Table
Example   | Basic subsystem architecture               | #Subsystem             | Diagnostics         | See chapter
Example 1 | Zero fault tolerance without diagnostics   | 1 contactor            | No                  | …
Example 2 | Zero fault tolerance with diagnostics      | 1 contactor            | Readback contactor  | …
Example 3 | Single fault tolerance without diagnostics | 2 contactors in series | No                  | …
Example 4 | Single fault tolerance with diagnostics    | 2 contactors in series | Readback contactors | …

Example 1: Zero fault tolerance without diagnostics

#Subsystem: 1 contactor
Fault scenario: contacts of the contactor do not open

Effects:

Table
Effect                        |     | Explanation
Loss of the SRCF              | Yes | The #subsystem cannot perform the required function.
Loss of the #safety function  | Yes | Due to loss of the SRCF and the missing diagnostics.

Fault type: dangerous. The fault causes a dangerous state on the machine.

States on the machine
The figure below shows the sequences and events on the machine.

Figure 27-4

Example 2: Zero fault tolerance with diagnostics

#Subsystem: 1 contactor, with diagnostics by readback
Fault scenario: contacts of the contactor do not open

Effects of the fault:

Table
Effect                        |     | Explanation
Loss of the SRCF              | Yes | The #subsystem cannot perform the required function.
Loss of the #safety function  | No  | The SRECS detects the fault (diagnostics). The fault reaction of the SRECS ensures that no dangerous state occurs on the machine.

Fault type: dangerous. The fault may cause a dangerous state on the machine: in the event of a diagnostics failure, a dangerous state would occur on the machine.

Effects of the diagnostics:
- Switching off using a second option
- Restart of the machine is prevented until the fault has been corrected.

States on the machine
The figure below shows the sequences and events on the machine.

Figure 27-5

Example 3: Single fault tolerance without diagnostics

#Subsystem: 2 contactors in series
Fault scenario 1: contacts of a single contactor do not open

Effects:

Table
Effect                        |    | Explanation
Loss of the SRCF              | No | The #subsystem can perform the required function while the second contactor is faultless.
Loss of the #safety function  | No | No loss of the SRCF (see above).

Fault type: dangerous. The fault may cause a dangerous state on the machine: in the event of a failure of the second contactor, a dangerous state would occur on the machine.

States on the machine
The figure below shows the sequences and events on the machine.

Figure 27-6

Fault scenario 2: contacts of both contactors do not open

Effects:

Table
Effect                        |     | Explanation
Loss of the SRCF              | Yes | The #subsystem cannot perform the required function.
Loss of the #safety function  | Yes | Due to loss of the SRCF and the missing diagnostics.

Fault type: dangerous. The fault causes a dangerous state on the machine.

States on the machine
The figure below shows the sequences and events on the machine.

Figure 27-7

Example 4: Single fault tolerance with diagnostics

#Subsystem: 2 contactors in series, with diagnostics via readback
Fault scenario 1: contacts of a single contactor do not open

Effects:

Table
Effect                        |    | Explanation
Loss of the SRCF              | No | The #subsystem can perform the required function while the second contactor is faultless.
Loss of the #safety function  | No | No loss of the SRCF (see above).

Fault type: dangerous. The fault may cause a dangerous state on the machine: in the event of a failure of the second contactor and a failure of the diagnostics, a dangerous state would occur on the machine.

Effects of the diagnostics:
- Switching off using the second option
- Restart of the machine is prevented until the fault has been corrected.

States on the machine
The figure below shows the sequences and events on the machine.

Figure 27-8

Fault scenario 2: contacts of both contactors do not open

Effects:

Table
Effect                        |     | Explanation
Loss of the SRCF              | Yes | The #subsystem cannot perform the required function.
Loss of the #safety function  | No  | The SRECS detects the fault (diagnostics). The fault reaction of the SRECS ensures that no dangerous state occurs on the machine.

Type of the faults: dangerous. The faults may cause a dangerous state on the machine: in the event of a diagnostics failure, a dangerous state would occur on the machine.

Effects of the diagnostics:
- Switching off using the second option
- Restart of the machine is prevented until the fault has been corrected.

States on the machine
The figure below shows the sequences and events on the machine.

Figure 27-9
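The four examples above, as an added Python model that is not part of this Functional Example. It reproduces the effect tables of examples 1 to 4 for the fault scenarios "contacts of one / both contactors do not open" and the page's remarks about what happens when the diagnostics themselves fail. The representation (contactors in series, readback as the only diagnostics, restart inhibit as the fault reaction) is the example's own simplification of the architectures in the overview table.

```python
# Added example (not from the Functional Example): a minimal model of the four
# subsystem architectures of examples 1 to 4 and their fault scenarios.
# The modelling choices (series contactors, readback, restart inhibit) are the
# example's own simplification.
from dataclasses import dataclass


@dataclass(frozen=True)
class Subsystem:
    contactors: int   # contactors in series: 1 = zero fault tolerance, 2 = single fault tolerance
    readback: bool    # diagnostics by readback of the contactor(s)


@dataclass(frozen=True)
class Effect:
    srcf_lost: bool             # the subsystem can no longer perform the required function
    safety_function_lost: bool  # a dangerous state occurs on the machine
    fault_detected: bool        # the diagnostics noticed the stuck contactor(s)
    restart_blocked: bool       # fault reaction: restart prevented until the fault is corrected
    latent_fault: bool          # a contactor is stuck, undetected, but the SRCF still works


def evaluate(sub, stuck, diagnostics_failed=False):
    """Effects of `stuck` contactors whose contacts do not open (a dangerous fault)."""
    if not 0 <= stuck <= sub.contactors:
        raise ValueError(f"stuck must be between 0 and {sub.contactors}")
    # Contactors in series: the load is switched off as long as at least one of them opens.
    srcf_lost = stuck > 0 and stuck == sub.contactors
    # Readback detects any contactor that did not open, unless the diagnostics failed as well.
    fault_detected = sub.readback and stuck > 0 and not diagnostics_failed
    # Second switch-off option: the fault reaction keeps the safety function even if the SRCF is lost.
    safety_function_lost = srcf_lost and not fault_detected
    latent = stuck > 0 and not fault_detected and not srcf_lost
    return Effect(srcf_lost, safety_function_lost, fault_detected, fault_detected, latent)


EXAMPLES = {
    1: Subsystem(contactors=1, readback=False),   # zero fault tolerance without diagnostics
    2: Subsystem(contactors=1, readback=True),    # zero fault tolerance with diagnostics
    3: Subsystem(contactors=2, readback=False),   # single fault tolerance without diagnostics
    4: Subsystem(contactors=2, readback=True),    # single fault tolerance with diagnostics
}


def effect_table():
    """(example, stuck contactors) -> (loss of SRCF, loss of safety function), as in the page's tables."""
    rows = {}
    for n, sub in EXAMPLES.items():
        for stuck in range(1, sub.contactors + 1):
            e = evaluate(sub, stuck)
            rows[(n, stuck)] = (e.srcf_lost, e.safety_function_lost)
    return rows


if __name__ == "__main__":
    for (n, stuck), (srcf, sf) in sorted(effect_table().items()):
        print(f"example {n}, {stuck} contactor(s) stuck: SRCF lost={srcf}, safety function lost={sf}")
```

The latent_fault flag marks the situation of example 3, fault scenario 1: the SRCF still works on the second contactor, but nothing has noticed that the fault tolerance is already used up; this is the "dangerous undetected" case that diagnostics turn into a detected one, with the restart inhibit as the visible consequence.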


More information

Determination of suitable hardware for the Process Historian 2014 with the PH-HWAdvisor tool

Determination of suitable hardware for the Process Historian 2014 with the PH-HWAdvisor tool Application example 12/2016 Determination of suitable hardware for the Process Historian 2014 with the PH-HWAdvisor tool SIMATIC Process Historian 2014 https://support.industry.siemens.com/cs/ww/de/view/109740115

More information

Applications & Tools. Configuration Examples for SIMATIC S7-400H with PROFINET. SIMATIC S7-400H as of V6.0. Application Description January 2013

Applications & Tools. Configuration Examples for SIMATIC S7-400H with PROFINET. SIMATIC S7-400H as of V6.0. Application Description January 2013 Cover Configuration Examples for SIMATIC S7-400H with PROFINET SIMATIC S7-400H as of V6.0 Application Description January 2013 Applications & Tools Answers for industry. Siemens Industry Online Support

More information

Setting up time synchronization of Process Historian and Information Server

Setting up time synchronization of Process Historian and Information Server Application example 11/2015 Setting up time synchronization of Process Historian and Information Server SIMATIC PCS 7 V8.1 https://support.industry.siemens.com/cs/ww/en/view/66579062 Warranty and Liability

More information

Applications & Tools. Safety position, standstill and direction detection and monitoring safely limited speed (SLS) on the basis of Distributed Safety

Applications & Tools. Safety position, standstill and direction detection and monitoring safely limited speed (SLS) on the basis of Distributed Safety Safety position, standstill and direction detection and monitoring safely limited speed (SLS) on the basis of Distributed Safety Distributed Safety Application Description July 2013 Applications & Tools

More information

Application for Process Automation

Application for Process Automation Application for Process Automation Connecting external periphery to PCS 7 via IE/PB Link PN IO Application Note Warranty, liability and support Note The Application Examples are not binding and do not

More information

Applications & Tools. Line Contactor Control using the ON/OFF1 Command for SINAMICS G120. SINAMICS G120 with firmware V4.

Applications & Tools. Line Contactor Control using the ON/OFF1 Command for SINAMICS G120. SINAMICS G120 with firmware V4. Line Contactor Control using the ON/OFF Command for SNAMCS G2 SNAMCS G2 with firmware V4.4 and higher Application August 22 Applications & ools Answers for industry. Siemens ndustry Online Support his

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Runtime Measurement using SIMATIC S7-1500 Profiling V1.0.2 https://support.industry.siemens.com/cs/ww/en/view/109750245 Siemens Industry Online Support Siemens AG 2017 All rights reserved Warranty and

More information

Micro Application Example

Micro Application Example Micro Application Example Simple and comfortable Speed Control of Motors (with LOGO!, and SINAMICS G110) Micro Automation Set 12 Application Areas and Usage Note The Micro Automation Sets are not binding

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Generating the Parameters for the Modbus/TCP Communication https://support.industry.siemens.com/cs/ww/en/view/60735352 Siemens Industry Online Support Siemens AG 2016-20186 All rights reserved Warranty

More information

Transmitting HMI data to an external monitor

Transmitting HMI data to an external monitor Application description 07/2015 Transmitting HMI data to an external monitor SINUMERIK 828D, SW 4.5 SP3 https://support.industry.siemens.com/cs/ww/en/view/109477688 Warranty and liability Warranty and

More information

Block for SIMOTION SCOUT for Monitoring 24V-Branches

Block for SIMOTION SCOUT for Monitoring 24V-Branches Application description 12/2013 Block for SIMOTION SCOUT for Monitoring 24V-Branches SIMOTION CPU / SITOP PSE200U with Single Channel Message http://support.automation.siemens.com/ww/view/en/82555461 Warranty

More information

Applikationen & Tools. Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W. Application Description July 2009

Applikationen & Tools. Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W. Application Description July 2009 Cover Sheet Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W Application Description July 2009 Applikationen & Tools Answers for industry. Warranty, Liability and

More information

Check List for Programming Styleguide for S7-1200/S7-1500

Check List for Programming Styleguide for S7-1200/S7-1500 Programming Styleguide 10/2016 Check List for Programming Styleguide for S7-1200/S7-1500 TIA Portal https://support.industry.siemens.com/cs/ww/en/view/81318674 Warranty and Liability Warranty and Liability

More information

Application for Communication

Application for Communication Application for Communication OPC Communication via the SEND/RECEIVE Protocol with a Visual Basic.NET OPC Client Demonstration Warranty, Liability and Support OPC with SEND/RECEIVE Protocol, Entry-ID:

More information

SINAMICS G/S: Integrating Warning and Error Messages into STEP 7 V5.x or WinCC flexible

SINAMICS G/S: Integrating Warning and Error Messages into STEP 7 V5.x or WinCC flexible Application Example 03/2017 SINAMICS G/S: Integrating Warning and Error Messages into STEP 7 V5.x or WinCC flexible https://support.industry.siemens.com/cs/ww/en/view/77467239 Warranty and Liability Warranty

More information

Customizing of WinCC Controls. TIA Portal WinCC Runtime Professional. Application Description July Applications & Tools. Answers for industry.

Customizing of WinCC Controls. TIA Portal WinCC Runtime Professional. Application Description July Applications & Tools. Answers for industry. Customizing of WinCC Controls TIA Portal WinCC Runtime Professional Application Description July 2015 Applications & Tools Answers for industry. Siemens Industry Online Support This document is an article

More information

Configuration Instruction

Configuration Instruction Configuration Instruction SIMATIC PCS 7 SIMATIC IT Integration PCS 7 / SIMATIC IT Integration Pack V6.1 Time Synchronization Warranty, liability and support Time Synchronization 24639647 Note The application

More information

Applications & Tools. Security Configurations in LAN and WAN (DSL) with SCALANCE S61x Modules and the Softnet Security Client. Industrial Security

Applications & Tools. Security Configurations in LAN and WAN (DSL) with SCALANCE S61x Modules and the Softnet Security Client. Industrial Security Cover Configurations in LAN and WAN (DSL) with S61x Modules and the Softnet Client Industrial Application Description March 2010 Applications & Tools Answers for industry. Industry Automation and Drives

More information

Applications & Tools. Configuration of Direct Starters with the APL Channel Block FbSwtMMS in SIMATIC PCS 7 SIMATIC PCS 7 V8.0

Applications & Tools. Configuration of Direct Starters with the APL Channel Block FbSwtMMS in SIMATIC PCS 7 SIMATIC PCS 7 V8.0 Cover with the APL Channel Block FbSwtMMS in SIMATIC PCS 7 SIMATIC PCS 7 V8.0 Application Example October 2012 Applications & Tools Answers for industry. Siemens Industry Online Support This document is

More information

Setting up a secure VPN Connection between the TS Adapter IE Advanced and Windows 7

Setting up a secure VPN Connection between the TS Adapter IE Advanced and Windows 7 Configuration Example 09/2014 Setting up a secure VPN Connection between the TS Adapter IE Advanced and Windows 7 TS Adapter IE Advanced http://support.automation.siemens.com/ww/view/en/99681037 Warranty

More information

Networking a SINUMERIK 828D

Networking a SINUMERIK 828D Application description 06/2015 828D SINUMERIK 828D, SW 4.5 SP3 https://support.industry.siemens.com/cs/ww/en/view/109474567 Warranty and liability Warranty and liability Note The Application Examples

More information

Low voltage switchgear and controlgear functional safety aspects

Low voltage switchgear and controlgear functional safety aspects Low voltage switchgear and controlgear functional safety aspects Guidance how to use low voltage switchgear and controlgear in functional safety applications Picture Siemens AG A message from the CAPIEL

More information

Fail-Safe Group Shutdown of the ET 200SP F-Motor Starter with F-DQ SIMATIC Safety Integrated https://support.industry.siemens.com/cs/ww/en/view/109748128 Siemens Industry Online Support Warranty and Liability

More information

Monitoring of the Feedback Circuit in the Safety Program. Safety Integrated. Siemens Industry Online Support

Monitoring of the Feedback Circuit in the Safety Program. Safety Integrated. Siemens Industry Online Support Monitoring of the Feedback Circuit in the Safety Program Safety Integrated https://support.industry.siemens.com/cs/ww/en/view/21331098 Siemens Industry Online Support Warranty and Liability Warranty and

More information

Check List for Programming Styleguide for S7-1200/S7-1500

Check List for Programming Styleguide for S7-1200/S7-1500 Programming Styleguide 06/2015 Check List for Programming Styleguide for S7-1200/S7-1500 TIA Portal https://support.industry.siemens.com/cs/ww/en/81318674 Warranty and Liability Warranty and Liability

More information

Applications & Tools. Calculation examples for safety functions according to EN ISO SINUMERIK 840D sl

Applications & Tools. Calculation examples for safety functions according to EN ISO SINUMERIK 840D sl lcover sheet Calculation examples for safety functions according to EN ISO 13849 SINUMERIK 840D sl Calculation examples for safety functions at horizontal axes October 2013 Applications & Tools Answers

More information

SINAMICS G/S: Tool for transforming Warning and Error Messages in CSV format

SINAMICS G/S: Tool for transforming Warning and Error Messages in CSV format Application example 03/2017 SINAMICS G/S: Tool for transforming Warning and Error Messages in CSV format https://support.industry.siemens.com/cs/ww/en/view/77467239 Copyright Siemens AG 2017 All rights

More information

Key Panel Library / TIA Portal

Key Panel Library / TIA Portal Application Example 06/2015 Key Panel Library / TIA Portal Configuration Manual https://support.industry.siemens.com/cs/ww/en/63482149 Warranty and Liability Warranty and Liability Note The application

More information

Library Description 08/2015. HMI Templates. TIA Portal WinCC V13. https://support.industry.siemens.com/cs/ww/en/view/

Library Description 08/2015. HMI Templates. TIA Portal WinCC V13. https://support.industry.siemens.com/cs/ww/en/view/ Library Description 08/2015 TIA Portal WinCC V13 https://support.industry.siemens.com/cs/ww/en/view/91174767 Warranty and Liability Warranty and Liability Note The Application Examples are not binding

More information

Improving the performance of the Process Historian

Improving the performance of the Process Historian Application example 01/2016 Improving the performance of the Process Historian SIMATIC PCS 7 https://support.industry.siemens.com/cs/ww/en/view/66579062 Warranty and Liability Warranty and Liability Note

More information

Applications & Tools. Configuring Electronic Signatures in SIMATIC PCS 7. SIMATIC PCS 7 V8.0 SP1, SIMATIC Logon V 1.5. Application May 2014

Applications & Tools. Configuring Electronic Signatures in SIMATIC PCS 7. SIMATIC PCS 7 V8.0 SP1, SIMATIC Logon V 1.5. Application May 2014 Cover sheet Configuring s in SIMATIC PCS 7 SIMATIC PCS 7 V8.0 SP1, SIMATIC Logon V 1.5 Application May 2014 Applications & Tools Answers for industry. Siemens Industry Online Support This entry is taken

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Working with the TIA Portal Cloud Connector TIA Portal V14 SP1 https://support.industry.siemens.com/cs/ww/en/view/109747305 Siemens Industry Online Support Warranty and Liability Warranty and Liability

More information

User Login with RFID Card Reader

User Login with RFID Card Reader Application Description 10/2014 User Login with RFID Card Reader Basic Panels / Comfort Panels / WinCC V13 http://support.automation.siemens.com/ww/view/en/99808171 Warranty and Liability Warranty and

More information

Applications & Tools. Configuration Control (Options Handling) for ET 200SP and PROFINET SIMATIC S7. Application Description June 2012

Applications & Tools. Configuration Control (Options Handling) for ET 200SP and PROFINET SIMATIC S7. Application Description June 2012 Cover Configuration Control (Options Handling) for ET 200SP and PROFINET SIMATIC S7 Application Description June 2012 Applications & Tools Answers for industry. Siemens Industry Online Support This document

More information

Applications & Tools. SINAMICS S120: Control of the Safety Integrated Basic Functions via onboard terminals SINAMICS S120

Applications & Tools. SINAMICS S120: Control of the Safety Integrated Basic Functions via onboard terminals SINAMICS S120 Cover sheet SINAMICS S120: Control of the Safety Integrated Basic Functions via onboard terminals SINAMICS S120 Application example November 2012 Applications & Tools Answers for industry. Siemens Industry

More information

STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP

STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP Application description 01/2014 STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP Function / application of the FB14 in a SIMATIC S7-300/400 in STEP 7V5.x http://support.automation.siemens.com/ww/view/en/22078757

More information

Applications & Tools. System Architectures With SIMATIC PCS 7/OPEN OS SIMATIC PCS 7. Application Description November Answers for industry.

Applications & Tools. System Architectures With SIMATIC PCS 7/OPEN OS SIMATIC PCS 7. Application Description November Answers for industry. Cover sheet System Architectures With SIMATIC PCS 7/OPEN OS SIMATIC PCS 7 Application Description November 202 Applications & Tools Answers for industry. Siemens Industry Online Support This document originates

More information

Setting up a secure VPN Connection between SCALANCE S and CP x43-1 Adv. Using a static IP Address. SCALANCE S, CP Advanced, CP Advanced

Setting up a secure VPN Connection between SCALANCE S and CP x43-1 Adv. Using a static IP Address. SCALANCE S, CP Advanced, CP Advanced Configuration Example 09/2014 Setting up a secure VPN Connection between SCALANCE S and CP x43-1 Adv. Using a static IP Address SCALANCE S, CP 343-1 Advanced, CP 443-1 Advanced http://support.automation.siemens.com/ww/view/en/99681025

More information

MANUAL Functional Safety

MANUAL Functional Safety PROCESS AUTOMATION MANUAL Functional Safety Repeater KFD0-CS-(Ex)*.54*, KFD0-CS-(Ex)*.56* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The

More information

Drive System Application

Drive System Application Drive System Application Application Description Uploading and downloading drive parameters of a xx using STARTER Table of Contents Table of Contents 1 Warranty, liability and support... 3 2 Description...

More information

OpennessScripter: Introduction TIA Portal / Openness API https://support.industry.siemens.com/cs/ww/en/view/109742322 Siemens Industry Online Support Siemens AG 2017 All rights reserved Warranty and Liability

More information

Cover sheet. Application Operations Diary. WinCC Flexible 2008 SP1. Application Description June Applications & Tools. Answers for industry.

Cover sheet. Application Operations Diary. WinCC Flexible 2008 SP1. Application Description June Applications & Tools. Answers for industry. Cover sheet Application WinCC Flexible 2008 SP1 Application Description June 2010 Applications & Tools Answers for industry. Industry Automation and Drives Technologies Service & Support Portal This document

More information

PCS 7 Process Visualization on Mobile Devices with RDP

PCS 7 Process Visualization on Mobile Devices with RDP i Application Example 04/2016 on Mobile Devices with RDP SIMATIC PCS 7 V8.1 https://support.industry.siemens.com/cs/ww/en/view/102843424 Warranty and Liability Warranty and Liability Note The Application

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ SIMOTION IT Application frame Manual 07/2017 https://support.industry.siemens.com/cs/ww/en/view/109748953 Siemens Industry Online Support Warranty and liability Warranty and liability Note The Application

More information

Applications & Tools. Service Concept: Auto Backup for the Comfort Panels. WinCC (TIA Portal) V12. Application Description May 2013

Applications & Tools. Service Concept: Auto Backup for the Comfort Panels. WinCC (TIA Portal) V12. Application Description May 2013 Cover Service Concept: Auto Backup for the Comfort Panels WinCC (TIA Portal) V12 Application Description May 2013 Applications & Tools Answers for industry. Copyright Siemens AG 2013 All rights reserved

More information

Tracking the MOP setpoint to another setpoint source to bumplessly changeover the setpoint

Tracking the MOP setpoint to another setpoint source to bumplessly changeover the setpoint Application description 01/2014 to another setpoint source to bumplessly changeover the setpoint MICROMASTER 430/440 and SINAMICS G120 http://support.automation.siemens.com/ww/view/en/25441475 Warranty

More information

Application for Communication

Application for Communication Application for Communication Client-Server Communications between WinAC Basis and S7-200 Stations via S7 Communication (PUT/GET) Warranty, Liability and Support We do not accept any liability for the

More information

Configuring a SINAMICS S120 with Startdrive V14 SIMATIC S7-1500 / SINAMICS S120 https://support.industry.siemens.com/cs/ww/en/view/109743270 Siemens Industry Online Support Warranty and Liability Warranty

More information

RAID systems within Industry

RAID systems within Industry White Paper 01/2014 RAID systems within Industry Functioning, variants and fields of application of RAID systems https://support.industry.siemens.com/cs/ww/en/view/109737064 Warranty and liability Warranty

More information

Line Contactor Control using the ON/OFF1 Command for SINAMICS G120

Line Contactor Control using the ON/OFF1 Command for SINAMICS G120 Application description 01/2014 Line Contactor Control using the ON/OFF1 Command for SNAMCS G120 SNAMCS G120 with firmware V4.4 and higher http://support.automation.siemens.com/ww/view/en/62883732 Warranty

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Connecting SIMOCODE pro and Allen-Bradley Controller via EtherNet/IP SIMOCODE pro V EIP https://support.industry.siemens.com/cs/ww/en/view/109748968 Siemens Industry Online Support Warranty and liability

More information

Converting Equipment module for SIMOTION Project Generator Manual - V1.0.3-07/2017 https://support.industry.siemens.com/cs/ww/en/view/109485620 Siemens Industry Online Support Warranty and liability Warranty

More information

Report. Certificate Z Rev. 00. SIMATIC Safety System

Report. Certificate Z Rev. 00. SIMATIC Safety System Report to the Certificate Z10 067803 0020 Rev. 00 Safety-Related Programmable System SIMATIC Safety System Manufacturer: Siemens AG Gleiwitzer Str. 555 D-90475 Nürnberg Revision 1.1 dated 2019-02-07 Testing

More information

Micro Application Example

Micro Application Example Micro Application Example Easy Remote Control and Monitoring via Dedicated Line Modem Micro Automation Set 17 The Micro Automation Sets are not binding and do not claim to be complete regarding the circuits

More information

Moving a Process Historian/ Information Server from Workgroup A to Workgroup B

Moving a Process Historian/ Information Server from Workgroup A to Workgroup B Application description 03/2014 Moving a Process Historian/ Information Server from Workgroup A to Workgroup B SIMATIC PCS 7 V8.0 SP1 Upd1 http://support.automation.siemens.com/ww/view/en/66579062 Warranty

More information

https://support.industry.siemens.com/cs/ww/en/view/

https://support.industry.siemens.com/cs/ww/en/view/ Fail-Safe Group Shutdown of the ET 200SP F-Motor Starter with F-PM-E SIMATIC Safety Integrated https://support.industry.siemens.com/cs/ww/en/view/109748128 Siemens Industry Online Support Warranty and

More information

Customizing of WinCC Controls. SIMATIC WinCC. Configuration Example February Applications & Tools. Answers for industry.

Customizing of WinCC Controls. SIMATIC WinCC. Configuration Example February Applications & Tools. Answers for industry. Customizing of WinCC Controls SIMATIC WinCC Configuration Example February 2011 Applications & Tools Answers for industry. Industry Automation und Drives Technologies Service & Support Portal This document

More information

Comparing Libraries using the "Library Compare" Tool TIA Portal Openness / V14 SP1 https://support.industry.siemens.com/cs/ww/en/view/109749141 Siemens Industry Online Support Warranty and Liability Warranty

More information

SIMATIC NET OPC Server Implementation

SIMATIC NET OPC Server Implementation Application example 05/2016 SIMATIC NET OPC Server Implementation PDI HMI@F&B https://support.industry.siemens.com/cs/ww/en/view/100744248 Warranty and liability Warranty and liability Note The Application

More information

Universal Parameter Server

Universal Parameter Server Library Description 10/2015 Universal Parameter Server SIMATIC S7-1500 https://support.industry.siemens.com/cs/ww/en/view/45841087 Warranty and Liability Warranty and Liability Note The Application Examples

More information

Applications & Tools. Individual Access to Stored PDF- and HTML-Documents via Comfort Panel. WinCC Comfort V11. Application Description May 2012

Applications & Tools. Individual Access to Stored PDF- and HTML-Documents via Comfort Panel. WinCC Comfort V11. Application Description May 2012 Cover Individual Access to Stored PDF- and HTML-Documents via Comfort Panel WinCC Comfort V11 Application Description May 2012 Applications & Tools Answers for industry. Siemens Industry Online Support

More information

Position Control with SIMATIC S and SINAMICS V90 via IRT PROFINET SINAMICS V90 PROFINET. Application description 03/2016

Position Control with SIMATIC S and SINAMICS V90 via IRT PROFINET SINAMICS V90 PROFINET. Application description 03/2016 Application description 03/2016 Position Control with SIMATIC S7-1500 and SINAMICS V90 via IRT PROFINET SINAMICS V90 PROFINET https://support.industry.siemens.com/cs/ww/en/view/109739053 Warranty and liability

More information

Applications & Tools. Block for STEP 7 V5.5 for monitoring 24 V DC load circuits using SITOP PSE200U Single Channel Message and S7-300/400 CPUs

Applications & Tools. Block for STEP 7 V5.5 for monitoring 24 V DC load circuits using SITOP PSE200U Single Channel Message and S7-300/400 CPUs Cover Block for STEP 7 V5.5 for monitoring 24 V DC load circuits using SITOP PSE200U Single Channel Message and S7-300/400 CPUs SIMATIC S7 / SITOP PSE200U with Single Channel Message Library Description

More information

Applications & Tools. Distance and Level Measurement in Industrial Applications LOGO! Set 3 LOGO! 0BA6 / 0BA7. Brief Instructions March 2013

Applications & Tools. Distance and Level Measurement in Industrial Applications LOGO! Set 3 LOGO! 0BA6 / 0BA7. Brief Instructions March 2013 Cover Distance and Level Measurement in Industrial Applications LOGO! 0BA6 / 0BA7 Brief Instructions March 2013 Applications & Tools Answers for industry. Warranty and Liability Warranty and Liability

More information

Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address

Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address Configuration Example 02/2015 Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address SOFTNET Security Client, CP 343-1 Advanced, CP 443-1 Advanced

More information

Service & Support. Signal Transfer from SIPLUS CMS4000 X-Tools to the SIMATIC PCS 7 Maintenance Station via TCP/IP. SIPLUS CMS4000 X-Tools

Service & Support. Signal Transfer from SIPLUS CMS4000 X-Tools to the SIMATIC PCS 7 Maintenance Station via TCP/IP. SIPLUS CMS4000 X-Tools Cover sheet Signal Transfer from SIPLUS CMS4000 X-Tools to the SIMATIC PCS 7 Maintenance Station via TCP/IP SIPLUS CMS4000 X-Tools Application Example March 2011 Service & Support Answers for industry.

More information

Multiuser Engineering in the TIA Portal

Multiuser Engineering in the TIA Portal Application Example 02/2017 Multiuser Engineering in the TIA Portal TIA Portal V14 https://support.industry.siemens.com/cs/ww/de/view/109740141 Warranty and Liability Warranty and Liability The Application

More information

SIMATIC Visualization Architect (SiVArc) Getting Started

SIMATIC Visualization Architect (SiVArc) Getting Started Application Example 11/2016 SIMATIC Visualization Architect () Getting Started TIA Portal V14 https://support.industry.siemens.com/cs/ww/de/view/109740350 Warranty and Liability Warranty and Liability

More information

Micro Application Example

Micro Application Example Micro Application Example Autarkic switching in GAMMA instabus EIBnetwork in building service applications (with LOGO! and EIB module) Micro Automation Set 8 Note Note The Micro Automation Sets are not

More information