Machine Safety: Steps to reduce risk and boost productivity

Transcription

1 Machine Safety: Steps to reduce risk and boost productivity Special Excerpt from the Bosch Rexroth Handbook for implementing economical and intelligent safety functions

2 0 steps to performance level Handbook for the implementation of functional safety according to ISO 3849 This document is a helpful tool for the design of a control system based on the standard ISO and ISO The statements contained within this document have been done carefully, but without guarantee. The information given does not release the user from the obligation of their own judgment and verification. This also applies to tables that are made by Bosch Rexroth. Only the original texts from the relevant standards and directives are mandatory. The specified product data is provided as examples only and may dier from the real data. No statements concerning the suitability for a certain condition or application can be derived from this information. This document, as well as the data, specifications and other information set forth in it, are the exclusive property of Bosch Rexroth AG. It may not be reproduced of given to third parties without its consent. Translation from German. 202 Bosch Rexroth AG, First edition Translation: Essner Zeitgeist Translations GmbH Authors: Dr. Jürgen Barg, Franz Eisenhut-Fuchsberger, Dr. Alexandre Orth, Jochen Ost, Dr. Carsten Springhorn Revison: Volker Wandrey, Norbert Nellen, Jens-Dietrich Heinz, Thilo Steigerwald Organization: Sabine Nätusher Order no. R , ISBN

3 Preface to the Special Excerpt With our compliments, find this excerpt from Bosch Rexroth s authoritative 0 steps to performance level: Handbook for the implementation of functional safety according to ISO It is a useful overview of the design of safety-related control systems, and a preview of the contents of the complete publication. Though we ve chosen a machine tool example for the excerpt, Rexroth s expertise in safe system design is relevant to OEMs and End Users in all industries. To create the complete handbook, Bosch Rexroth s expert authors drew on practical experience from numerous machine safety projects from multiple industries, as well as the latest information and insight resulting from participation in various standards committees and industrial associations that address the challenges of industrial safety. The current standards for functional safety take into account the progress of automation technology and the way dierent technologies are combined into complete system solutions; this situation in turn has led to the development of a holistic approach crossing all technology categories. Risk assessment, safety functions, required level of performance, diagnostics and reliability values for all electric, hydraulic, mechanical and pneumatic components are crucial elements that need to be considered in the design of safety-related control systems to satisfy the requirements of the International Standards Organization (ISO) 3849 directive. The 0 steps to performance level handbook is an unmatched resource for the eicient implementation of the legal and normative requirements of ISO 3849, as well as other safety industry standards. It provides a detailed, 0-step process for implementing Rexroth Safety on Board according to the standards and directives. It also translates these steps into practical knowhow through application examples, such as the Machine Tool Application provided in this excerpt. As The Drive & Control Company, Bosch Rexroth is uniquely equipped to provide the comprehensive expertise needed to implement functional safety in all automation control systems. In this excerpt, we provide a complete Table of Contents for the full 0 steps to performance level handbook, so you can appreciate the comprehensive, detailed material the full publication oers. This excerpt also provides the full text of the Machine Tool Application example, with all the original graphics and tables included, as well as the complete Index from the handbook. Bosch Rexroth is your partner for driving improvements in machine safety. This includes oering a state-of-the-art portfolio of proven components, complete system solutions with integrated safety technology, all supported by easyto-use software. In addition, we oer practical, hands-on machine safety training programs, in both classroom and online configurations. The 0 steps to performance level handbook is not available in electronic format. The same expertise in the handbook is available from qualified Bosch Rexroth associates around the world. Call on us today for a consultation if you would like to reduce the time, complexity and cost of developing machine safety systems. Should you wish to order the complete publication please see instructions below. To order the complete 0 steps to performance level publication, visit the Bosch Rexroth eshop at and search for R

4

5 Contents Contents Preface 7 Part A: Basics of machine safety Legal and normative requirements A- European directives and national acts 3 Directives 4 National acts and regulations 4 Standards 4 Requirements of the Machinery Directive and the Use of Work Equipment Directive 4 Scope of the Machinery Directive 5 With the Machinery Directive to the Declaration of Conformity 5 What does the CE mark stand for? 6 Implementation of the Machinery Directive in machinery 7 Definition 7 Implementation 7 Supplied documentation 7 CE mark 7 Implementation of the Machinery Directive in partly completed machinery 9 Definition 9 Implementation 9 Supplied documentation 9 CE mark 9 Implementation of the Machinery Directive in safety components 20 Definition 20 Safety components versus safety-related parts 20 Implementation 20 Supplied documentation 20 CE mark 20 Significant changes in machinery 20 Definition 20 Implementation 2 New documentation 2 CE mark 2 Other directives 2 Low-voltage Directive 2006/95/EC 22 EMC Directive 2004/08/EC 22 ATEX Product Directive 94/9/EC 22 Pressure Equipment Directive 97/23/EC 22 Directive on Simple Pressure Vessels 2009/05/EC 23 A-2 Basic standards for functional safety 25 Structure of international standards for machine safety 25 Standardization organizations 26 Presumption of conformity by harmonized standards 27 Consideration of failure probabilities 27 Standards for functional safety 27 ISO IEC IEC IEC IEC ISO 3849 (replacement of EN 954-) 29 History of the standards for functional safety 29 Functional safety scope of ISO One control system, several standards 30 Global markets and local regulations 3 Part B: 0 steps to performance level 33 B- Risk assessment 35 Basics 35 Risk assessment as the basis for machine safety 35 Risk assessment based on standards 37 Procedure 37 Example 47 Documents for the validation 49

6 Contents B-2 Identification of the safety functions 5 Basics 5 Safety functions 5 Procedure 52 Determination of the safety functions 52 Determining the safety-relevant properties of the safety functions 52 Variants of the safety functions Partial safety functions of electric drive systems according to IEC Example 60 Documents for the validation 6 B-3 Determination of the PL r 63 Basics 63 Selecting the procedure 64 Determination of the PL r according to ISO Determination of the PL r based on IEC Procedure 65 Example 68 Identification of the safety function 68 Determination of the PL r 68 Comparison with the procedure of ISO Documents for the validation 69 B-4 Category selection 7 Basics 7 Relationship between performance level and category 7 Free category selection 72 Recursive process 73 Properties of the categories 73 Procedure 75 Example 76 Documents for the validation 77 B-5 Modeling the block diagram 79 Basics 79 Analysis 79 Modeling principles 80 Division into subsystems 80 Procedure 8 Example 84 Description of the SRP/CS components 84 Characterisitics of the safety function 85 Documents for the validation 87 B-6 Faults and diagnosis 89 Basics 89 Consideration of failures (fault list) 89 Fault exclusion 9 Diagnostic Coverage (DC) 9 Procedure 95 Example 95 Fault list 95 Determining the Diagnostic Coverage (DC) of the components 98 Calculation of the DC avg 98 Documents for the validation 98 B-7 Determination of the PL 99 Basics 99 Reliability (MTTF d, B 0d ) 0 Determination of the performance level (PL SRP/CSi ) 02 Procedure 04 Example 05 Subsystem : SRP/CS Cat3/4 05 Subsystem 2: SRP/CS cert 08 Determination of the PL SF 08 Adjustment of the PL SF 08 Documents for the validation 09 B-8 Evaluation of the control system robustness Failure avoidance Basics Measures against Common Cause Failures (CCF) Basic and well-tried safety principles 3 Well-tried components 6 Systematic failures 7 Procedure 9 Example 20 Example : Measures against CCF 20 Example 2: Safety principles 2 Documents for the validation 23 B-9 Software requirements 25 Basics 25 Software-based parameterization 26 Safety-related application software (SRASW) 26 Safety-related embedded software (SRESW) 27 Procedure 27 Project-independent preparations 28 Project-specific activities for SRASW 28

7 Contents Example 32 Preparation and verification of the software specification 32 Selection of the engineering tools 33 Software design 35 Combination of safety-related and standard programs 35 Software coding 36 Test 36 Documents for the validation 38 B-0 Verification and validation 39 Basics 39 Validation plan 4 Documentation of the validation process 4 Validation by analysis 42 Validation by testing 42 Procedure 43 Documents for the validation 45 Validation checklist 45 Explanation 45 Part C: Application examples 5 C- Example: Machine tool 53 Machine description 54 st step: Risk assessment 2 nd step: Identification of the safety functions 3 rd step: Determination of the PL r 62 4 th step: Category selection 63 5 th step: Modeling the block diagram 64 6 th step: Faults and diagnosis 67 7 th step: Determination of the PL SF 70 8 th step: Evaluation of the robustness 73 9 th step: Software requirements 79 0 th step: Verification and validation 88 C-2 Example: Machine tool, pneumatic subsystem 9 st to 3 rd step to PL 9 4 th step: Category selection 9 5 th step: Modeling the block diagram 9 6 th step: Faults and diagnosis 93 7 th step: Determination of the PL SF 96 8 th step: Evaluation of the robustness 99 9 th step: Software requirements th step: Verification and validation nd step: Identification of the safety functions rd step: Determination of the PL r 2 4 th step: Category selection 2 5 th step: Modeling the block diagram 2 6 th step: Faults and diagnosis 25 7 th step: Determination of the PL SF 27 8 th step: Evaluation of the robustness 29 9 th step: Software requirements th step: Verification and validation 225 Part D: Appendix 227 D- ISO 3849: Machine Safety depends on Reliability 229 Overview 229 Reliability basics 229 Bathtub curve 229 Reliability characteristics 230 Basis of the statistically based safety technology 23 State diagram 23 Characteristics of the statistically based safety technology 232 Risk assessment, safety function, performance level (PL) 233 Usability of a component for the functional safety 233 Methods for determining the reliability characteristics 234 Calculations of the life cycle of electronic components 235 Testing of the life cycle 235 Life cycle analyses of field data 236 Failure probability of a safety function 237 Reliability model: Block diagram 237 Meaning of the MTTF d value for the safety function 238 Calculation of the dangerous failure probability (PFH D ) 239 Example of safety characteristics 239 Conclusion 240 D-2 Terms, symbols and abbreviations 24 D-3 Bibliography 2 Sources used in the book 2 Related literature 257 D-4 Alphabetical index 259 C-3 Example: Injection molding machine 207 Machine description 207 st step: Risk assessment 208

8

9 Application example 0 steps to performance level Handbook for the implementation of functional safety Machine Tool Application Chapter C

10

11 C- example: Machine tool 53 C- Example: Machine tool In the following sections, dierent safety functions are considered according to the 0 steps to performance level using the machine tool shown as an example in the figure (Fig. C-.). In this way, you get an overview of the design of safetyrelated control systems, from the requirement to the validation. Information on components or machinery is generic and does thus not claim to be complete. Fig. C-.: Exemplary machine tool

12 54 C- Example: Machine tool Machine description Machine description The machine is a machining center used for cutting a workpiece. It is equipped with an electro-pneumatic tool magazine that can be manually fitted with tools. For that purpose, the operator needs access to the related tool magazine (door 2). The workpiece is processed in the work area. For mounting the workpiece and for remedying failures, the operator needs access to the work area (door ). For maintenance tasks, the operator needs access to the machine through the maintenance door (door 3). In many machines, the tool magazine is moreover separated from the actual work area by another door so that tools can be exchanged without having to interrupt the processing sequence. For reasons of simplification, the work area and the tool magazine are in this example, however, considered as one work area. The machine has two essential operating states: f f Automatic, that is, all safety doors are closed, the machine is producing; f f Set up mode, that is, safety doors can be opened. The operator intervenes and may move the machine axes at safety limited speed. The rotational movement of the tool magazine (W axis) is electric, the linear movement (X3 axis) pneumatic. The workpiece is clamped by the hydraulic clamping device. The movements of the spindle (S axis), the workpiece (C and X axis) and the tool (X2, Y, Z axis) are generated by electric drives. Fig. C-.2 shows the axes in the machine outline. Due to the overlapping of hazards, each axis located in the work area contributes to the personal hazard. Thus each axis increases the probability of a dangerous event. Due to the number of axis, it may consequently not be possible to achieve the required performance level. It is, however, acceptable to consider the hazard per machine part [43]. Thus, the following machine parts can be identified and allocated to movements in the example: Tool incl. spindle: Axes X2, Y, Z and S (machine part ) Workpiece: Axes C, X (machine part 2) Tool magazine: W and X3 (machine part 3) The machine is divided into two hazard zones (see Fig. C-.2):. Work area with access through safety door and 2 including as axes X, C, S, X2, Z, Y, W and X3. 2. Maintenance area with access through safety door 3 including axes S, X2, Z, Y, W and X3. Axes X and C do not constitute a hazard as they are not accessible from the maintenance area. The hydraulic device for weight compensation of the Z axis, the workpiece and the tool clamping device are not considered in the example. Working space X C Machine part Hazard zone : Work area W S Door Door 2 X3 Y Z X2 Electrical axis Overlapping of hazard zones and 2 Maintenance area - Power units - Drive units - Electric control cabinet Pneumatic axis Hazard zone 2: Maintenance area Fig. C-.2: Exemplary machine tool - axes and hazard zones Door 3 Overlapping hazards are being referred to if, in the hazard zone, one person is exposed to several dangerous movements at the same time.

13 st step: Risk assessment C- Example: Machine tool st step: Risk assessment Regarding the risk assessment, reference is here made to EN 247 (Machine tools Safety Machining centers). The safety requirements and protective measures according to this standard must be satisfied. For risk reduction, safety functions are necessary. The standard (table 2, point 4: Hazard due to failure of the control system) defines control measures and requirements on the safety functions of control systems. The list of hazards with related risk reduction measures from EN 247 must be complemented for the specific machine according to ISO 200 in order to consider for example new technologies. For this purpose, you can use the risk assessment form (see Table B-.). For the validation, the following documents have been prepared: Risk assessment: Information from EN 247 with complements in form (Table B-.) List of the considered standards: DIN EN ISO 3849-:2006, DIN EN 247:2009, DIN EN ISO 2325:200, DIN EN ISO 200:20 etc. Detailed system description: Customer or internal specifications 2 nd step: Identification of the safety functions In the following, the safety functions for the dierent hazardous situations are identified. Emergency stop Upon operation of the Emergency stop device, all electric axes (X, C, S, X2, Y, Z, W) are to be stopped according to stop category and the pneumatic axis (X3) according to stop category 0 in a safe manner. Furthermore, unexpected start-up must be avoided. The function is superior to all other safety functions. In Table C-.,this is indicated with prio (highest priority). Safety door locking As it cannot be guaranteed that the electric drives have been stopped before the operator passes through the safety door and reaches the hazard zone, the safety doors are provided with an electro-mechanical locking. The locking may only be released if the drives are in the safe state, for example by avoiding the unexpected start-up. Unexpected start-up If safety doors, 2 or 3 are opened, an unexpected start-up of all axes must be avoided in a safe manner. Inching with safely limited speed In set up mode, movement of the axes X, X2, Y, Z, and C with safely limited speed is admissible if safety door is open and the enabling device is operated. The prerequisite is that door 2 and 3 are closed. All other axes (X3, W, S) stand still and the unexpected start-up must still be avoided. At this point, we want to repeat once again that this is an exemplary determination that must be adjusted according to the real application, for example spindle S may also rotate with at limited speed. Safeguardings based on control system Fig. C-.3 shows the outline of the machine with the corresponding control-dependent safeguardings based on control system, such as safety door, enabling device, Emergency stop button. The processing of the safety-relevant control signals on a safety PLC is not shown.

14 56 C- Example: Machine tool 2nd step: Identification of the safety functions Here, four safety function types have been identified. SF: Safe stopping in case of emergency (Emergency stop) SF2: Safe stopping and avoiding unexpected start-up, triggered by safety doors SF3: Safe locking of the safety door SF4: Safely limited speed in set up mode Work area X C W S Door 2 X3 Y Z Maintenance area - Power units - Drive units - Electric control cabinet Door 3 the safety door and confirmation that the hazard zone has been exited (reset), the machine can be operated at increased speed again. The door locking (SF3) is then activated again. The Emergency stop can be initiated from every machine state by operating the Emergency stop button. The state transitions to the machine restart (reset) after an Emergency stop are not shown. Door closed Auto SF3 MS Manual SF3 Door request Reset Safe stop SF2 Set-up mode Door sensor Safe stop SF2 ED 2 Door open Inching at red. velocity SF4 X2 Machine part Hazard zone : Work area Door Electrical axis Overlapping of hazard zones and 2 Auto Set-up Pneumatic axis Hazard zone 2: Maintenance area Fig. C-.3: Exemplary machine tool - outline with safeguardings based on control system. Fig. C-.4 shows the individual safety functions and the transitions between depending on the machine states. In manual mode, the Safe locking of the safety door safety function (SF3) takes eect. By operating a pushbutton, opening of the related door is requested and thus the Safe stopping and avoiding an unexpected start-up triggered by safety doors safety function (SF2) is initiated. After having reached the safe state of the drives, the door can be opened, for example, to load something into the machine. In this state, the operator may move the drives with safety limited speed when the safety door is open. For this purpose, they activate the Safely limited speed in set up mode safety function (SF4) using the enabling device. After closing of For this button, there are no safety requirements as the door can only be opened if the machine axes have been safely stopped. EMERGENCY STOP SF Unlocking of the lock is already regarded as opening of the door. 2 Enable only admissible if door 2 and door 3 closed. MS: Mode selector switch ED: Enabling device Red. velocity: Reduced velocity Fig. C-.4: State diagram of the machine with the safety functions As there are several actuators and sensors as well as dierent hazard zones, numerous safety functions result, depending on the Emergency stop devices, Doors, Hazard zones, Overlapping of hazard zones (actuators), Operating states (automatic or set up mode) Every Emergency stop device or every door must be considered singularly as a separate safety function as the devices take eect irrespective of each other. It should moreover be noted that every safety function must be considered separately for every machine part (tool incl. spindle, workpiece, tool magazine). The individual safety functions SF to SF4 are accordingly divided into several (partial) safety functions, for example SF.x.y. (x: Emergency stop device, y: Machine part)

15 2nd step: Identification of the safety functions C- Example: Machine tool 57 SF.x.y: Safe stopping in case of emergency (Emergency stop) For the example shown, safety function SF is divided into fifteen partial safety functions (see Table C-.), due to the combination of the individual Emergency stop device and the overlapping movements per machine part. Apart from that, the Panic position 2 of the enabling device has been integrated as an Emergency stop. 2 Panic position of the enabling device: If the operator pushes the device as a reaction (e.g. fear) to an event (3 rd stage of the enabling device), Emergency stop is triggered.

16 58 C- Example: Machine tool 2nd step: Identification of the safety functions Table C-.: Safety functions: Safe stopping in case of emergency (Emergency stop) Name of the safety functions Dangerous situation Triggering events (sensor) Condition (logic) Safe state Necessary reaction (actuator) Requirement for the control SF - Safety function : Safe stopping in case of emergency (Emergency stop) With Emergency stop, the axes move: Emergency stop Emergency stop 2 Emergency stop 3 Emergency stop 4 Emergency stop (enabling device) Sensor safety door Sensor safety door 2 Sensor safety door 3 Enabling (enabling device) Stopping all movements Locking safety door Locking safety door 2 Locking safety door 3 Drive C Drive X Drive S Drive X2 Drive Y Drive Z Drive W Drive X3 PL r Risk graph Comments SF..: Tool incl. spindle SF..2: Workpiece SF..3: Tool magazine SF.2.: Tool incl. spindle SF.2.2: Workpiece SF.2.3: Tool magazine SF.3.: Tool incl. spindle SF.3.2: Workpiece SF.3.3: Tool magazine SF.4.: Tool incl. spindle SF.4.2: Workpiece SF.4.3: Tool magazine S+X2+Y+Z C+X W+X3 S+X2+Y+Z C+X W+X3 S+X2+Y+Z C+X W+X3 S+X2+Y+Z C+X W+X3 X X X X X X X X X X X X Always, prio Always, prio Always, prio Always, prio Always, prio Always, prio Always, prio Always, prio Always, prio Always, prio Aways, prio Always, prio SS SS SS SS SS d SS SS SS d SS/STO SS STO d SS SS SS SS SS d SS SS SS d SS/STO SS STO d SS SS SS SS SS d SS SS SS d SS/STO SS STO d SS SS SS SS SS d SS SS SS d SS/STO SS STO d S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 Comparison: ISO 2325 PL r = c Comparison: ISO 2325 PL r = c Comparison: ISO 2325 PL r = c Comparison: ISO 2325 PL r = c

17 2nd step: Identification of the safety functions C- Example: Machine tool 59 Name of the safety functions Dangerous situation Triggering events (sensor) Condition (logic) Safe state Necessary reaction (actuator) Requirement for the control SF - Safety function : Safe stopping in case of emergency (Emergency stop) With Emergency stop, the axes move: Emergency stop Emergency stop 2 Emergency stop 3 Emergency stop 4 Emergency stop (enabling device) Sensor safety door Sensor safety door 2 Sensor safety door 3 Enabling (enabling device) Stopping all movements Locking safety door Locking safety door 2 Locking safety door 3 Drive C Drive X Drive S Drive X2 Drive Y Drive Z Drive W Drive X3 PL r Risk graph Comments SF.5.: Tool incl. spindle SF.5.2: Workpiece SF.5.3: Tool magazine S+X2+Y+Z X Always, prio C+X X Always, prio W+X3 X Always, prio SS SS SS SS SS d SS SS SS d SS/STO SS STO d X: Triggering event occurred ) : Panic position of the enabling device SS: Stop category STO: Safe Torque O; stop category 0 (empty): Irrelevant always: In any operating state S2, F, P2 S2, F, P2 S2, F, P2 Comparison: ISO 2325 PL r = c SF2.x.y: Safe stopping and avoiding unexpected start-up Safety function SF2 is divided into nine partial safety functions (see Table C-.2), according to the combination of safety doors and the machine parts.

18 60 C- example: Machine tool 2nd step: Identification of the safety functions Table C-.2: Safety functions: Safe stopping and avoiding an unexpected start-up Name of the safety functions Dangerous situation Triggering events (sensor) Condition (logic) Safe state Necessary reaction (actuator) Requirement for the control SF 2 - Safety function 2: Safe stopping and avoiding unexpected start-up The axes move while a person stays in the hazard zone (opened door): Emergency stop Emergency stop 2 Emergency stop 3 Emergency stop 4 Emergency stop (enabling device) Sensor safety door Sensor safety door 2 Sensor safety door 3 Enabling (enabling device) Stopping all movements Locking safety door Locking safety door 2 Locking safety door 3 Drive C Drive X Drive S Drive X2 Drive Y Drive Z Drive W Drive X3 PL r Risk graph Comments SF2..: Tool incl. spindle SF2..2: Workpiece SF2..3: Tool magazine SF2.2.: Tool incl. spindle SF2.2.2: Workpiece SF2.2.3: Tool magazine SF2.3.: Tool incl. spindle SF2.3.2: Workpiece SF2.3.3: Tool magazine S+X2+Y+Z C+X W+X3 S+X2+Y+Z C+X W+X3 S+X2+Y+Z C+X W+X3 X X X X X X X X X Always, Prio 2 Always, Prio 2 Always, Prio 2 Always, Prio 2 Always, Prio 2 Always, Prio 2 Always, Prio 2 Always, Prio 2 Always, Prio 2 SS2 SS2 SS2 SS2 SS2 d SS2 SS2 SS2 d SS2/STO SS2 STO d SS2 SS2 SS2 SS2 SS2 d SS2 SS2 SS2 d SS2/STO SS2 STO d SS2 SS2 SS2 SS2 SS2 d SS2 SS2 SS2 d SS2/STO SS2 STO d X: Triggering event occurred SS2: Stop category 2 STO: Safe Torque O; stop category 0 (empty): Irrelevant always: In any operating state S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P2 S2, F, P Comparison: ISO 2325 PL r = d Cat 3 Comparison: ISO 2325 PL r = d Cat 3 Comparison: ISO 2325 PL r = d Cat 3 SF3.x: Safe locking of the safety door The locking of doors and 2 may only be released if all drives systems are in the safe state. For door 3, the drive systems W, X3, S, Y, Z, X2 must be in the safe state. In the normal operating state, all safety doors are locked and kept closed. If the operator wants access to the machine, they select the set up mode using the mode selector switch and press the request button at the relevant safety door. Safety function SF2 gets triggered. The electric drives transmit an enable signal if the safe state, that is, stopping, has been reached. The pneumatic drive reaches the safe state after a defined time as there are no external forces. Thus, you must at least wait for this period until the control system releases the door locking. In order to reduce the waiting time, you could also monitor the pneumatic movement. However, this would require an additional sensor with corresponding Diagnostic Coverage at axis X3. The SF3 safety function is divided into two partial safety functions SF3.x according to the hazard zones. Here, the x stands for the hazard zone (see Table C-.3)

19 2nd step: Identification of the safety functions C- Example: Machine tool 6 Table C-.3: Safety functions: Safe locking of the safety door Name of the safety functions Dangerous situation Triggering events (sensor) Condition (logic) Safe state Necessary reaction (actuator) Requirement for the control SF3 - Safety function 3: Safe locking of the safety door Access to the hazard zone with moving machine if the safety door is open: SI status drive C SI status drive X SI status drive S SI status drive X2 SI status drive Y SI status drive Z SI status drive W SI status drive X3 No access Locking safety door Locking safety door 2 Locking safety door 3 Drive C Drive X Drive S Drive X2 Drive Y Drive Z Drive W Drive X3 PL r Risk graph Comments SF3. Locking safety door and 2 SF3.2 Locking safety door 3, 2 X X X X X X X T 2) prio 2 Door Always, requirement 3 X X X X X T 2) prio 2 Door Always, requirement Door is kept locked Door is kept locked O O c X: Drive acknowledges the safe state O: Unlocking solenoid can be energized (empty): Irrelevant always: In any operating state 2) Safe state requested (SF2) and reached after expiry of time T O c S2, F, P S2, F, P P:Danger is recognized P:Danger is recognized SF4.x: Safely limited speed in set up mode In set up mode, the axes X, X2, Y, Z as well as the C axis must - with activated enabling device 3 - be monitored for safely limited speed. Axes S, X3 and W remain safely stopped. One prerequisite for inching in set up mode is that doors 2 and 3 are closed. The Set up mode is preselected via the mode selector switch; for safety aspects it is, however, decisive whether door is open and doors 2 and 3 are closed. The mode selector switch is only used to select the set up mode. Activation of the enabling device allows a temporary suppression (muting) of safety function SF2 with opened safety door. As soon as the enabling device is released, SF2 is active. If the enabling device is pushed fully (Panic position), SF Emergency stop is triggered. Safety drives provide this function as safety function Safely Limited Speed (SLS). The SF4 safety function is divided into two partial safety functions SF4.x according to the machine parts. Here, the x stands for the relevant machine part. As neither the tool magazine nor the spindle must be moved in inching mode, only the machine parts workpiece without spindle and tool are considered (see Fig. C-.4). 3 According to EN 60204, an enabling device is a device for enable control

20 62 C- example: Machine tool 3rd step: Determination of the PL r Table C-.4: Safety functions: Limited speed in set up mode Name of the safety functions Dangerous situation Triggering events (sensor) Condition (logic) Safe state Necessary reaction (actuator) Requirement for the control SF 4 - Safety function 4: Safely limited speed in set up mode SF4.: Tool without spindle SF4.2: Workpiece Excessive speed with opened safety door of the axes: X2+Y+Z C+X Emergency stop Emergency stop 2 Emergency stop 3 Emergency stop 4 Emergency stop (enabling device) Sensor safety door Door open Door open Sensor safety door 2 Sensor safety door 3 Enabling (enabling device) Door Door closed closed X3) Door Door closed closed X3) Always, prio 3 Always, prio 3 Safely limited speed (SLS) Locking safety door Locking safety door 2 Locking safety door 3 X: Enabling device in middle position SLS: SafelyLimitedSpeed (empty): Irrelevant always: In any operating state 3) For these axes, safety function SF2 is still eective Drive C Drive X Drive S Drive X2 Drive Y Drive Z Drive W Drive X3 PL r Risk graph Comments SLS 3) SLS SLS SLS 4) 4) d S2, F, P2 Comparison: ISO 2325 SLS SLS SLS 3) 4) 4) d PL r = d for S2, F, P2 enabling device Further down, as of the 4 th step, only the safety function SF4. will be considered in detail. It is therefore useful to specify this safety function in more detail using the subsystems (see Table C-.5). For the validation, the following documents have been prepared: List of the identified safety functions with description: See Table C-. to Table C-.5. Table C-.5: Specification of SF4. with description of the subsystems Procedure Machinery Sensor subsystem Logic subsystem Actuator subsystem. Identify the dangerous situation (e.g. dangerous movements). 2. Determine the triggering event. If the machine runs faster than with limited speed when persons are present in the hazard zone. Limbs or clothes may be pulled in by forward or backward movements of the tool machine part. Activation of the enabling device 3. Define the safe state. Machine part moves maximally with reduced velocity. 4. Specify the necessary reaction. 5. Denominate the safety function. Monitoring of the machine part for limited speed If the enabling device is activated in set up mode with open door, the velocity of the machine part is to be monitored for reduced velocity. Electric drives X2, Y, Z rotate faster than with reduced velocity. Activation of the enabling device. Both release contacts of the enabling device are closed. Set up mode with open door (that is to say door is open, doors 2 and 3 are closed) Overspeed of the electric drives is detected. Drives are safely disconnected from the energy supply. Select the safety function (SLS) at the drives, i.e. activate corresponding outputs. If the enabling device is activated, the contacts of the enabling device are closed. If the input signals door = open, doors 2 and 3 = closed and enabling device = activated are set, the corresponding outputs for the axes X2, Y, Z are set (i.e. the SLS safety function is activated). In case of overspeed, stop drives with subsequent STO activation If the input signals are set, the SLS drive safety function of drives X2, Y, Z is activated. The electric drives are monitored for reduced speed.

21 3rd step: Determination of the PLr C- Example: Machine tool 63 3 rd step: Determination of the PL r SF.x.y: Safe stopping in case of emergency (Emergency stop) EN 247 [3] requires realization of the Safe stopping in case of emergency 4 safety function in category 3 according to EN 954 [3]. This standard has not been converted to ISO 3849 yet. If using the risk graph of ISO 3849 you determine the required performance level, the following risk parameters result in a PL r = d for all safety functions SF.. to SF.5.3. S2: In the event of failure, irreversible injuries are expected. F: Persons stay in the hazard zone only rarely and shortly. P2: In case of emergency, it cannot be assumed that the operator has the possibility to avoid the danger. If you use ISO 2325 Machine tools Safety Turning machines [25] for comparison, which has already been converted to ISO 3849, a PL r = c is recommended for Emergency switching o 5. However, the standard does not contain any justification. SF2.x.y: Safe stopping and avoiding of unexpected start-up EN 247 requires category 3 according to EN 954 for every partial safety function. The following risk parameters result in a PL r = d for all nine safety functions SF2.. to SF S2: In the event of failure, irreversible injuries are expected. F: Persons stay in the hazard zone only rarely and shortly. 4 Emergency stop (Safe stopping in case of emergency) is still frequently confused with Emergency switching o (switch-o in case of emergency - including power supply) (refer to EN 60204). P2: If the operator is in clos proximity to the highly dynamic axes, it has to be assumed that in case of an unexpected start-up, the operator will not be able to avoid the danger. If you compare the result to ISO 2325 Machine tools Safety Turning machines, a PL r = d is also required here, as well, however with the additional specification of category 3. SF3.x: Safe locking of the safety door EN 247 does not contain any information on the required PL r of these safety functions. According to the risk graph of ISO 3849, the following risk parameters result in a PL r = c for both safety functions SF3. and SF3.2. S2: In the event of failure, irreversible injuries are expected. F: Persons need access to the hazard zone only rarely. P: The operator is outside of the machine. He recognizes if movements have not been stopped. Thus, there is the possibilty to avoid the danger. ISO 2325 does not contain any information here on the PL r of these safety functions. SF4.x: Safely limited speed in set up mode EN 247 does not contain any explicit information on the required PL r of these safety functions. According to the risk graph of ISO 3849, the following risk parameters result in a PL r = d for both safety functions SF4. and SF4.2. S2: In the event of failure, irreversible injuries are expected. F: Persons stay in the hazard zone only rarely and shortly. P2: The operator may be right next to the highly dynamic axes. It has to be assumed that with higher speeds, the operator will not be able to avoid the danger. 5 Here, it has to be assumed that Emergency stop is meant.

22 64 C- Example: Machine tool 4th step: Category selection ISO 2325 requires a PL r = d for the enabling device. The PL r values of the individual safety functions are entered in tables C-. to C-.4 as requirements on the control system. For the validation, the following documents have been prepared: Determination of the PL r for every safety function: See the above-mentioned explanations and Table C-.4 with justification and comparison with other standards 4 th step: Category selection For the next steps, SF4. is dealt with as an example of safely limited speed by operating an enabling device with superimposed movement of axes Y, Z and X2. According to Fig. C-.5, the required performance level PL r = d can be realized in category 2, 3 or 4. If you divide the safety function into three subsystems by Sensors, Logic and Actuators, you can construct every subsystem with a dierent category. Given the fact that electromechanical door switches are to be used and thus the condition necessary for category 2 (test rate 00 times demand rate 6 ) cannot be satisfied, the position monitoring of the safety doors as well as operation of the enabling device are realized in category 3. Safety control system and drives with integrated safety technology are pre-fabricated devices (subsystems) and are acquired from the device manufacturer. They must, however, at least be suitable for safety functions with PL = d. The same applies to the interface, that is to say inputs and outputs of the control system, which are particularly intended for processing the signals of the safety door switches and the enabling device according to category 3. 6 That would mean that the door switches must be switched 00 times for test purposes between each operational request. MTTF d low MTTF d medium MTTF d high 3 years 0 years 30 years 00 years Category B Category Category 2 Category 3 Category 4 I L O I L O I L O I L O I L O TE O TE I2 L2 O2 I2 L2 O2 Performance Level a PFH d : 0-5 to < 0-4 [h - ] Performance Level b PFH d : 3 * 0-6 to < 0-5 [h - ] Performance Level c PFH d : 0-6 to < 3 * 0-6 [h - ] Performance Level d PFH d : 0-7 to < 0-6 [h - ] Performance Level e PFH d : 0-8 to < 0-7 [h - ] DC: None None Low Medium Low Medium High PFH d: Probability of a dangerous failure per (operating) hour I: Input; L: Logic; O: Output; TE: Test equipment; O TE : Test equipment output; Fig. C-.5: Possible control system categories for achieving PL r = d MTTF d : Mean time to dangerous failure; DC: Diagnostic coverage

23 5th step: Modeling the block diagram C- Example: Machine tool 65 For the validation, the following documents have been prepared: Category selection for safety function SF4. - Safely limited speed for subsystems Sensor (position monitoring of the safety doors and operation of the enabling device): Category 3 Logic (safety PLC and interface): Category 3 Actuator (drive systems of the Y, Z and X2 axes): Category 3 Further information: There are no specifications in the machinespecific standards concerned (DIN EN 247:2009, DIN EN ISO 2325:200) with regard to the category for this safety function 7. The requirements of the selected categories are summarized as a checklist in Fig. B th step: Modeling the block diagram The safety function SF4. Safely limited speed is realized with the following components: Door 3 Door 2 Door S32 S22 S2 S4 Enable button S3 S2 S Safety PLC with I/O K K Safety drives X2 Fig. C-.6: Selection of the components for safety function SF4. Table C-.6 shows an exemplary parts list for SF4.. T Y T2 Z T3 7 For safety functions SF2 and SF3, ISO 2325 provides category 3. Table C-.6: Parts list for safety function SF4. Item Assembly Description Manufacturer Type Mat.no. Denomination Safety switch (NC) SICK S with locking Safety door Safety switch (NO) 2 SICK S2 without locking Safety switch (NC) 3 SICK S2 with locking Safety door 2 Safety switch (NO) 4 SICK S22 without locking Safety switch (NC) 5 SICK S3 with locking Safety door 3 Safety switch (NO) 6 SICK S32 without locking 7 Enabling Enabling device channel S4 SICK 8 device Enabling device channel S42 9 CPU Safety PLC Bosch Rexroth 0 Input/output module K Safety drive, Control/power section Bosch Rexroth 2 Axis X2 Motor (encoder) T 3 Safety drive, Control/power section Bosch Rexroth 4 Axis Y Motor (encoder) T2 5 Safety drive, Control/power section Bosch Rexroth 6 Axis Z Motor (encoder) T3 NC = normally closed, NO = normally open

24 66 C- Example: Machine tool 5th step: Modeling the block diagram SRP/CS S32 S3 S3 S32 K X2 axis Y axis Z axis - Y-Achse Z-Achse S2 S S2 S S22 S2 S2 S4 S42 Eingänge Inputs Safety-SPS PLC Outputs Ausgänge Command Sollwerte values UT G M UT 2 T T G M T2 T2 G M T3 T3 Tippen + Inching + Inching -- Betriebsart Modes of operation 24V Eingänge Inputs Bewegungssteuerung Motion control Outputs Ausgänge Fig. C-.7: Circuit diagram for safety function SF4. Safely limited speed in set up mode - Tool without spindle non-srp/cs One contact of the safety door switch is read in by the safety PLC input unit. The PLC input unit provides a dynamic supply voltage for fault diagnosis in the signal transmission. The drives are connected via two output pairs. Via the first one, the operating state Automatic/ set up mode is selected and via the second one the safety function Safe stopping and avoiding the unexpected start-up (SS2) or Safely limited speed in set up mode (SLS). Drives T, T2 and T3 are wired in parallel. The safety PLC outputs test the switch-o paths by means of corresponding low impulses. One drive system comprises a so-called power section, a control section and a motor encoder. The motor itself is not covered by ISO safety drive is monitored and the safety drive would automatically initiate a stopping procedure if the admissible limited speed is exceeded. Malfunctions of the movement control would thus only influence the availability of the machine but not its safety. All drives and the safety control unit are components with integrated safety functions. The safety PLC (CPU with input/output module) as well as the encoders and the control/power sections of the individual drive systems can be considered as individual subsystems. The safety door switches as well as the enabling device are all used in the same category and may be assigned to a subsystem of category 3. This results in a total of nine subsystems (see Fig. C-.8). The motion control gives movement commands to the drives. In case of safely limited speed, the motion control must specify accordingly limited speed reference values. The safety PLC activates the monitoring function in the safety drive. From a safety point of view, the movement control does not have a safety-related function as the motion in the

25 5th step: Modeling the block diagram C- Example: Machine tool 67 A) Individual blocks S S2 S3 S2 S22 S32 S4 S42 K T T2 T3 No add i tional diagnostic elements no additional diagnostic elements B) Individual blocks with internal structures S S2 S3 S2 S22 S32 S4 S42 K T CPU I/O Drive G No add i tional diagnostic elements no additional diagnostic elements Drive G T2 Drive G T3 C) Subsystems K T T2 T3 SRP/CS SRP/CS 2 SRP/CS 3 SRP/CS 4 SRP/CS 5 SRP/CS 6 SRP/CS 7 SRP/CS 8 SRP/CS 9 No no additional i tional diagnostic elements Fig. C-.8: Modeling of safety function SF4. For the validation, the following documents have been prepared: Modeling with block diagram of the SF4. safety function: See Fig. C-.8 Circuit diagram (see Fig. C-.7) with above-mentioned description) Parts list (see Table C-.6) Sequence diagrams and/or state diagram (see Fig. C-.4) Further documents, if applicable: Assembly plans, internal wiring, housing, materials, installation, etc.

26 68 C- Example: Machine tool 6th step: Faults and diagnosis 6 th step: Faults and diagnosis For the SF4. safety function, a fault list with justification for fault exclusions as well as the DC values per component have been determined (see Table C-.7). Below, the DC values for all components are explained. DC value of the safety switch In the control system, the two contacts of the safety switches are checked for plausibility 8. Moreover, there is a short-circuit test by the input unit using dynamic signals 9. The door is opened once per hour. According to Table B-6.3, a DC value of 99 % can be taken into account. DC value of the enabling device In the control system, the two contacts of the enabling device (middle position) are checked for plausibility. Moreover, there is a short-circuit test by the input assembly using dynamic signals. For the mechanical system, there is a fault exclusion. The device is operated once per day. According to Table B-6.3, a DC value of 99 % can be considered. For the validation, the following documents have been prepared: List of the faults considered with justifications for fault exclusions on the basis of the fault list from ISO , including details on the diagnosis, such as sensor, test rate, etc. (see Table C-.7). It is explained for control systems of categories 3 and 4 how the safety function is maintained in all imaginable fault cases of the component. For control systems of category 4, it is moreover explained how the dierent accumulation of faults have been considered in the design and how the safety function is maintained in all fault combinations. Determination and justification of the DC values on the basis of the measures in ISO and the fault list from ISO (see Table C-.). DC value of the safety PLC (CPU incl. I/O) The safety control has already been confirmed with a performance level by the device manufacturer. Explicit specification of the DC value is no longer necessary. DC value of the drive systems The control/power section and motor encoder drive systems have already been confirmed with a performance level by the device manufacturer. Explicit specification of the DC value is no longer necessary. 8 Plausibility: Due to the mechanical coupling of both contacts, the signal must have an identical switching behavior. Dierent signal states are an indication of a fault. 9 For fault detection, a pulsed supply voltage is applied to sensors. By comparing the sensor signal with the clock pattern of the supply voltage, short-circuits to 24 V or between the lines can be detected.

27 6th step: Faults and diagnosis C- Example: Machine tool 69 Table C-.7: Fault list for the SF4. safety function Relevant component: From the SRP/CS modeling st component: Safety drive system T (axis X2), T2 (axis Y) and T3 (axis Z) 2 nd component: Safety PLC K (including interface) 3 rd component: Electro-mechanical position switch Safety door: (S NC, S2 NO) Safety door: 2 (S2 NC, S22 NO) Safety door: 3 (S3 NC, S32 NO) (Fault list for Electromechanical position switch, manually operated switch: D-8 from ISO ) (Fault list for conductors/ cables: D.4) (Fault list for mechanical parts: A.4) Line number 2 Fault considered: ISO fault list with amendments Closed subsystem: Evaluation by component manufacturer Closed subsystem: Evaluation by component manufacturer 3 Contact will not close 4 Contact NC will not open 5 Contact NC will not open Short-circuit between adjacent contacts insulated from each other Simultaneous short-circuit between the three terminals of change-over contacts Short-circuit between any two conductors Eect of the failure: Description of the malfunction Circuit of category 4: A fault will not lead to the loss of the safety function Circuit of category 4: A fault will not lead to the loss of the safety function Safe state: Machine does not start-up, as door is assumed to be opened. Dangerous as the opening of the door is not correctly notified Dangerous as the opening of the door is not correctly notified Dangerous as the opening of the door is not correctly notified Dangerous failure? Share calculated in PL/SIL Share calculated in PL/SIL Fault exclusion? NO NO Justification for the fault exclusion: Criteria from ISO fault list NO x x YES YES x x Fault exclusion only for NC contacts according to IEC :997, annex K [49] YES NO x YES YES Short-circuit for switches according to IEC :997 can be excluded. Not applicable NO x x Dangerous as the opening of the door is not correctly notified YES NO No information by the component manufacturers whether cables and installation space satisfy the requirements of IEC Short-circuit of any conductor to an exposed conductive part or to earth or to the protective bonding conductor Dangerous as the opening of the door is not correctly notified YES NO No information by the component manufacturers whether cables and installation space satisfy the requirements of IEC th component: Electro-mechanical enabling device S4, S42 (Fault list for Electromechanical position switch, manually operated switch: D-8 from ISO ) (Fault list for conductors/ cables: D.4) (Fault list for mechanical parts: A.4) x: No details necessary 0 Open-circuit of any conductor Is perceived as opening of the door: NO x x Mechanical failures: such as fracture, deformation, loosening, etc. 2 Contact will not close 3 Contact will not open Short-circuit between adjacent contacts insulated from each other Simultaneous short-circuit between the three terminals of change-over contacts Short-circuit between any two conductors Short-circuit of any conductor to an exposed conductive part or to earth or to the protective bonding conductor 8 Open-circuit of any conductor 9 Mechanical failures: such as fracture, deformation, loosening, etc. Opening of the door cannot be detected Safe state: Machine does not start-up as switch is assumed to be not operated. Dangerous as button remains in the enable position and the movement is not stopped Dangerous as the short-circuit may be interpreted as enable position YES NO x NO x x YES NO x YES YES Short-circuit for switches according to IEC :997 can be excluded. Not applicable NO x x Dangerous as the short-circuit may be interpreted as enable position Dangerous as the short-circuit may be interpreted as enable position Safe state: Machine does not start-up as switch is assumed to be not operated. Dangerous as button remains in the enable position and the movement is not stopped YES YES NO NO NO x x YES YES Component is overdimensioned for the application. Criteria for well-tried spring have been satisfied. (supplier)

28 70 C- example: Machine tool 7th step: Determination of the PL SF Table C-.7 (continued): Fault list for the SF4. safety function Relevant component: From the SRP/CS modeling Line number DC measures TE: Test Explanation of the test equipment DC value per DC value of equipment (e.g. test rate, interface, etc.) measure the component Loss of SF? ( or 2 channels) st component: Safety drive system T Cyclic testing/ DC value has been considered in PL/SIL Safety PLC (axis X2), T2 (axis Y) and dynamization value x x T3 (axis Z) 2 nd component: DC value has been considered in PL/SIL Safety PLC K 2 Several self tests Safety PLC value (including interface) x x 3 rd component: Electro-mechanical 3 x x x x x position switch Safety door: (S NC, S2 NO) 4 x x x x x Safety door: 2 (S2 NC, S22 NO) Plausibility check between S and Safety door: 3 5 Plausibility check Safety PLC S2, S2 and S22, S3 and S % (S3 NC, S32 NO) The door is opened once per hour. (Fault list for Electromechanical 6 x x x x x position switch, manually operated switch: D-8 from 7 x x x x x ISO ) 99 % Plausibility check between S and (Fault list for S2, S2 and S22, S3 and S32 as conductors/cables: Plausibility check, 8 Safety PLC well as the short-circuit test in the input 99 % D.4) dynamization assembly. (Fault list for The door is opened once per hour. mechanical parts: A.4) Plausibility check between S and 9 S2, S2 and S22, S3 and S32 as Plausibility check, Safety PLC well as the short-circuit test in the input dynamization assembly. 99 % The door is opened once per hour. 4 th component: Electro-mechanical enabling device S4, S42 (Fault list for Electromechanical position switch, manually operated switch: D-8 from ISO ) (Fault list for conductors/cables: D.4) (Fault list for mechanical parts: A.4) 0 x x x x x Plausibility check Safety PLC Plausibility check between S and S2, S2 and S22, S3 and S32 The door is opened once per hour. 2 x x x x 3 Plausibility check Safety PLC Plausibility check between contacts S4 and S42 4 x x x x x 5 x x x x x 6 7 Plausibility check, dynamization Plausibility check, dynamization Safety PLC Safety PLC Plausibility check between S4 and S42 as well as the short-circuit test in the input assembly Plausibility check between S4 and S42 as well as the short-circuit test in the input assembly 99 % 99 % 99 % 99 % 99 % NO, by redundant channels NO, by redundant channels NO, by redundant channels NO, by redundant channels NO, by redundant channels NO, by redundant channels x NO, by redundant channels NO, by redundant channels NO, by redundant channels Suitable up to cat.: x x x x x x: No details necessary 9 x x x x x

29 7 7 th step: Determination of the PL SF Table C-.8 contains the data that has been taken from the component manufacturers information. The characteristic values used here are only exemplary used for the PL calculation. For the current values, please contact the corresponding component manufacturers. PL subsystem : SRP/CS For the safety door, this results in an n op,s = = n op,s3 = n op,s2 = = n op,s2 n op,s22 = = a 5760 d a d MTTF d value of the enabling device MTTF MTTF d,s4 d,s42 h B = = = 0. n op [ ] a = MTTF 0d 466 [ ] d,s4 n op,s32 a C-.3 C-.4 Enabling device The enabling device is operated once per day. With 240 working days, this results in 240 operations per year. n op,s4 = n op,s42 = 240 a C-. Safety door The safety door is opened once per hour. With 240 working days, this results in 5760 operations per year. d h t op op Cycle = 240 Working days = 24 Hours/ Day = h = 3600 s C-.2 T 0d 20 years MTTF d values of the safety switches S, S2, S3 Mechanical system: MTTF d,mech B0d = 0. n op = = 3472 [ a] C [ ] a T 0d 20 years Table C-.8: Data sheet information for the SF4. safety function Component MTTF d /B 0d PL/Cat PFH D Safety principles Working conditions Door switches NC: S, S2, S3 NO: S2, S22, S32 Supplier SICK IndraDrive T, T2, T3 with safety option S2 Supplier Bosch Rexroth Safety control system K SafeLogic compact Supplier Bosch Rexroth Enabling device S4, S42 Supplier SICK B 0d,mech. NC: NO: B 0d,elect. NC: Fault exclusion NO: B 0d NO: Safety drive system: Category 3, PL d 0.5*0-8 [/h] Encoder: *0-8 [/h] Safety CPU: Category 4, PL e.69*0-9 [/h] I/O: Category 4, PL e 9*0-0 [/h] Satisfies IEC and EN 088 [52], Basic and well-tried safety principles are satisfied Certified according to EN or IEC 6508, ISO 3849-, EN 6206 Certified according to IEC 6508, ISO 3849-, EN 6206 Basic and well-tried safety principles are satisfied T M = 20 [a] T = 5.. C T M = 20 [a] T = 5.. C T M = 20 [a] T = 5.. C T M = 20 [a] T = 5... C

30 72 C- example: Machine tool 7th step: Determination of the PL SF NC = normally closed, NO = normally open T: Temperature range for application T M : Service time Electric contacts: MTTF d,elect B0d = 0. n op Channel Here, you must also consider the share of the electric contacts. = [ ] a = 3472 [ a] C-.6 MTTF d, Channel MTTF d, Channel = MTTF d, S + MTTF d, S2 + MTTF d, S3 + MTTF = [ a] 3472[ a] 3472[ a] 466[ a] d, S4 C-.9 T 0d 20 years MTTF d, Channel = 905 [ a] 00[ a] MTTF d values of the switches S, S2, S3 Mechanical system: MTTF d,s = MTTF d, S2 = MTTF d,s3 = MTTF d,mech = 3472[a] T 0d 20 years C-.7 For channel, 00 [a] results after addition and limitation according to the standard. Channel 2 MTTF d, Channel2 MTTF d, Channel 2 = MTTF d, S2 + MTTF d, S22 + MTTF d, S32 + MTTF d, S42 = C [ a] 736[ a] 736[ a] 466[ a] Electric contacts: Fault exclusion, i.e. the electric contracts are not included in the calculation, no MTTF d value is necessary (see conditions for fault exclusion in chapter B-6). MTTF d, Channel 2 = 508 [ a] 00[ a] For channel 2, an MTTF d of 00 years results, also after addition and limitation according to the standard. MTTF d values of the switches S2, S22, S32 Symmetrization of the channels MTTF d,s2 = MTTF d, S22 = MTTF d,s32 = = MTTF 3472[ d,mech + a] + MTTF 3472 [ a] d,elect = 736[ a] C-.8 2 MTTFd = MTTF 3 MTTF MTTF = 00 [ a] d d,channel+ d,channel MTTF + MTTF d,channel2 d,channel2 C-. T 0d 20 years The symmetrization results in an MTTF d of 00 years as both channels are identical. For the switches S, S2 and S3, a fault exclusion can be carried out for the electric contacts. So only the mechanical section will be considered in the MTTF d value. This is not possible for switches S2, S22 and S32. Diagnostic Coverage DC avg Determination of the Diagnostic Coverage results in a DC avg value of 99 % as all components are diagnosed with a DC = 99 %.

31 7th step: Determination of the PLSF C- Example: Machine tool 73 DC avg = DC MTTF MTTF d, d, DC MTTF n MTTF d,n d,n = 99 % C-.2 Table C-.9: Determination of the PL and the PFH D value. MTTF d for each channel [years] Average probability of dangerous failure per hour [/h] and the related performance level (PL) Category B PL Category PL Category 2 PL Category 2 PL Category 3 PL Category 3 PL Category 4 PL DC avg = none DC avg = none DC avg = low DC avg = medium DC avg = low DC avg = medium DC avg = high *0-6 c.02*0-6 c 5.0*0-7 d 2.52*0-7 d.03*0-7 d 4.73*0-8 e 62.84*0-6 c 9.06*0-7 d 4.43*0-7 d 2.3*0-7 d 8.84*0-8 e 4.22*0-8 e 68.68*0-6 c 8.7*0-7 d 3.90*0-7 d.84*0-7 d 7.68*0-8 e 3.80*0-8 e 75.52*0-6 c 7.3*0-7 d 3.40*0-7 d.57*0-7 d 6.62*0-8 e 3.4*0-8 e 82.39*0-6 c 6.6*0-7 d 3.0*0-7 d.35*0-7 d 5.79*0-8 e 3.08*0-8 e 9.25*0-6 c 5.88*0-7 d 2.6*0-7 d.4*0-7 d 4.94*0-8 e 2.74*0-8 e 00.4*0-6 c 5.28*0-7 d 2.29*0-7 d.0*0-7 d 4.29*0-8 e 2.47*0-8 e For the SRP/CS subsystem, the following result can be read o from table K. of ISO 3849-: first of all add up the PFH D values of the individual subsystems. PL e PFH D, SRP/CS Category 4 = [ ] h C-.3 The requirements of the selected category have been exceeded by the selection of the switches and the diagnostic measures. It has been proven that one-fault security is guaranteed and the accumulation of faults does not lead to the failure of the subsystem. This corresponds to category 4. PFH PFH D, SF D,SF = n i= PFH = [ ] [ ] [ ] h h h [ ] [ ] + 0 [ ] [ ] h h h h [ ] h D, SRP/ CSi 8 [ ] h 8 PFH D, SF = [ ] h C-.4 If you cannot satisfy the quality requirements of category 4, you could still achieve the PL = e with category 3 and thus with a slightly worse PFH D value. Alternatively, you can also use SISTEMA for the determination. At this point, the SISTEMA result is identical as the MTTF d = 00 years and the DC = 99 % and thus, there is no interpolation of interim values. PL SF The PL or the PFH D of the other subsystems are known as they are pre-fabricated devices for which the manufacturer testifies the values (see Table C-.8). In order to determine the PL SF, you must The PFH D,SF corresponds to PL e. It must now be checked whether there is a limitation by the subsystems. According to the manufacturer information, the Drives subsystem may only be used up to PL d. This results in a limitation of the PL SF to d. It is assumed here that the quality measures are implemented at least according to the requirements of PL d (see chapter B-8 and B-9). The specification of the SF4. safety function resulted in a required performance level PL r of d. A PL = d was also achieved. Thus, the requirement PL PL r is satisfied.

32 74 C- Example: Machine tool 8th step: Evaluation of the robustness For the validation, the following documents have been prepared: Component specification: For all components that are relevant for a safety function (i.e. SRP/ CS), you need specification with the admissible working conditions, that is to say a data sheet from the component manufacturer. Characteristic values of the components, such as MTTF d, B 0,: For these selected components (i.e. SRP/CS) you therefore still need the safety characteristics, such as MTTF d or B 0 for one component or even the PL or SIL for a subsystem. Description of the relevant properties of components validated earlier, if available. Determination and justification of the entire MTTF d value: Using the characteristic values of the individual components you calculate and document the entire d value. Calculation and justification of the PL: Finally, you can complete and document the PL calculation. 8 th step: Evaluation of the robustness The SF4. safety function has to satisfy the requirements of category 3. Thus the following requirements have to be satisfied: Measures against Common Cause Failures (CCF) The basic and well-tried safety principles Measures against systematic failures These requirements are to be implemented for the Sensor subsystem. For the other subsystems, the component manufacturer has already done this. They confirm this by means of the SIL/PL testimony. Evaluation of the measures against CCF for the Sensor subsystem For the SF4. safety function, the following measures against Common Cause Failures have been considered for the Sensor subsystem (SRP/CS ) (see Table C-.0):

33 8th step: Evaluation of the robustness C- Example: Machine tool 75 Table C-.0: Evaluation of the measures against CCF for the Sensor subsystem DIN EN ISO Appendix F: Estimates for common cause failure (CCF) Measure Description Points Fulfilled? CCF Explanations against CCF Separation/ segregation Diversity Design/ application/ experience Design/ application/ experience Assessment/ analysis Competence/ training Environmental Environmental CCF total Physical separation between signal paths: - Separation in wiring/piping, - Suicient clearances and creepage distances on printed-circuit boards Dierent technologies/design or physical principles are used, for example: Kind of initiation, pressure and temperature, measuring of distance and pressure, digital and analog. Components of dierent manufactures. Protection against over-voltage, over-pressure, overcurrent, etc. 5 YES 5 20 NO 0 5 YES 5 Components used are well-tried. 5 YES 5 Are the results of a failure mode and eect analysis taken into account to avoid common-cause failures in design? Have designers/ maintainers been trained to understand the causes and consequences of Common Cause Failures? Prevention of contamination and electromagnetic compatibility (EMC) against CCF in accordance with appropriate standards. - Fluid systems e.g. filtration of the pressure medium - Electric systems e.g. as specified in relevant standards against CCF Other influences Have the requirements for immunity to all relevant environmental influences such as, temperature, shock, vibration, humidity (e.g. as specified in relevant standards) been considered? Total number of points from all implemented measures: 5 NO 0 5 YES 5 25 YES 25 0 YES 0 At least 65 YES 75 Requirements of EN are satisfied. Manufacturer requirements regarding connection points are satisfied. There is no 00 % diversity, especially with the enabling device and due to the use of safety switches of the same type, even if the NC contact is used in one channel and the NO contact in the other one. Limitation of the energy supply (protection against overvoltage) has been implemented. Electro-mechanical switches are welltried, especially for this application, as here in the example. FMEA has been carried out for the components, however not for the machine. Construction and assembly/wiring were completed by specialists. The component has been tested within the scope of environmental tests and EMC tests. The component has been designed for the specified environmental conditions and tested within the scope of environmental tests. The working conditions (see data sheet) have been specified in the operating instructions. Requirements fulfilled (approved of for category 2, 3 and 4) Evaluation of the basic and well-tried safety principles for the Sensor subsystem The machine manufacturer verifies as the responsible party whether the basic and welltried safety principles applicable to the Sensor subsystem have been implemented (see Table C-. and Table C-.2). The component manufacturer confirms suitability of the components for use in safety functions according to ISO 3849 and thus also their part in the safety principles. Finally, the machine manufacturer will provide the machine end-user with special information, such as in the operating instructions, in order to ensure fulfillment of the safety principles during the machine service duration (see comment in Table C-. and Table C-.2).

34 76 C- Example: Machine tool 8th step: Evaluation of the robustness Table C-.: Evaluation of the basic safety principles for the Sensor subsystem Basic safety principles Can be used for technology: Mechanical system Pneumatics Hydraulics Electrical system Implementation e.g. by* Component manufacturer Machine manufacturer (OEM) Use of carefully selected materials and manufacturing 2 Correct dimensioning and shaping 2 Proper selection, combination and assembly of the components 2 Use of de-energization principle (release of energy principle, e.g. return spring) 2 Correct protective bonding Machine end-user Comment (see comments in ISO ) Confirmed by component manufacturer Confirmed by component manufacturer Components are proper for application Release of energy principle: 0 V corresponds to the safety function requirement Protective earth bonding according to IEC Proper fastening 2 Robust fastening for all conditions Insulation monitoring Insulation monitoring according to IEC Force (or pressure) limitation Not applicable to SF sensors Speed limitation Not applicable to SF sensors Transient suppression (voltage peaks) 2 Suicient avoidance of contamination of the fluid (air, oil) Proper reaction time (e.g. range of switching time, min. response time) 2 Compatibility (regarding electric voltages and currents) 2 Related information to machine end-user Not applicable to electric SF Provide related information regarding maintenance According to specification in the data sheet Protection against unexpected start-up (even after restoration of the energy supply) Only passive components Withstanding environmental conditions 2 Provide related information to machine end-user Simplification 2 Not applicable to electric SF Separation Not applicable to electric SF Proper lubrication 2 Proper temperature range for fluids 2 Not applicable to SF sensors Not applicable to electric SF Protection of the electric control circuit According to IEC Proper prevention of the ingress of fluids and dust 2 Sequential switching for circuit of serial contacts of redundant signals Blue: Principle is not listed in ISO for the corresponding technology. Protection class IP66 according to IEC [47] The sensors are read in individually (no connection in series). * These columns of the table serve as a basis for the machine manufacturers and are to be adjusted by them. Suitability of the components for safety functions according to ISO 3849 has been confirmed by the component manufacturer.

35 8th step: Evaluation of the robustness C- Example: Machine tool 77 Table C-.2: Evaluation of the well-tried safety principles for the Sensor subsystem Well-tried safety principles Can be used for technology: Mechanical system Pneumatics Hydraulics Electrical system Implementation e.g. by* Component manufacturer Machine manufacturer (OEM) Use of carefully selected materials and manufacturing 2 Machine end-user Comment (see comments in ISO ) Confirmed by component manufacturer Overdimensioning/safety factor 2 Components are overdimensioned Positive mechanically linked contacts Not relevant Use of components with oriented failure mode (directed failure) 2 Safe position 2 Failure avoidance in cables Increased OFF force 2 Failure behavior is known (fault list) Not relevant for electric safety function Proper shielding and protective earth Not relevant for electric safety function! Separation distance between electric conductors 2 Suicient distances considered Valve closed by load pressure Not applicable to this SF Energy limitation 2 Not relevant for sensors Positive mechanical action/operation Safety door operated upon opening or closing of the switches Limitation of electrical parameters 2 Voltage/current/frequency limited Careful selection, combination and assembly of the components related to the application 2 Components proper for application/assembled according to manufacturer s instruction Multiple parts 2 Use of 2 sensors in redundancy Avoidance of undefined states Failure behavior considered: Fault list Careful selection of the mounting type for the relevant application Robust fastening for application Use of well-tried springs 2 Only well-tried spring is used Speed limitation/reduction Not applicable to SF sensors Failure mode orientation 2 Failure behavior considered: Fault list Force limitation/reduction Not applicable to SF sensors Appropriate range of working conditions (environmental parameters) 2 Avoidance of contamination of the compressed air Monitoring of the condition of the hydraulic fluid Minimize possibility of faults/separation Related information to machine end-user Not applicable to this SF Not applicable to this SF Component is only used for the safety function Suicient positive overlapping in piston valves Not applicable to this SF Balance between complexity/simplification 2 Simple circuit Limited hysteresis 2 Attachment of the safety switch considering the hysteresis Blue: Principle is not listed in ISO for the corresponding technology. * These columns of the table serve as a basis for the machine manufacturers and are to be adjusted by them. Suitability of the components for safety functions according to ISO 3849 has been confirmed by the component manufacturer.

36 78 C- Example: Machine tool 8th step: Evaluation of the robustness Evaluation of the relevant components as well-tried components The components of the Sensor subsystem have been classified as well-tried components (see Table C-.3). Table C-.3: Evaluation of the relevant components as well-tried components for the Sensor subsystem Well-tried components according to List of the components used (relevant parts of the control) Switch with positive mechanically linked mode of operation (direct opening): Safety switches (door) S, S2, S3 Mechanical system ISO , annex A.4 Pneumatics ISO , annex B.4 Hydraulics ISO , annex C.4 Electrical system: ISO , annex D.4 Justification* (see conditions in ISO ) EN :997 (IEC :997), annex K [49] Enabling device S4, S42 EN ISO 028 [50], [5], EN Position switches S2, S22, S32 EN088 [52], EN * A well-tried component for a safety-related application is a component which has either been: a) Widely used in the past with successful results in similar applications, or b) Made and verified using principles which demonstrate its suitability and reliability for safety-related applications. Evaluation of the measures against systematic failures for the Sensor subsystem For all control system categories, measures against systematic failures (see annex G of ISO 3849-) must be applied. Table C-.4 Shows a list of the measures applied against systematic failures for the Sensor subsystem (SRP/CS ). Some criteria refer to the sensors in connection with the application software (SRASW; safety PLC subsystem) and are therefore considered here.

37 8th step: Evaluation of the robustness C- Example: Machine tool 79 Table C-.4: Evaluation of the measures against systematic failures for the Sensor and Safety PLC subsystems Measures to control and avoid systematic failures Use of de-energization (release of energy principle) Can be used for technology Binding force Mech., pneum., hydraulics Electrical system Software Implementation e.g. by* Component manufacturer Machine manufacturer (OEM) SHOULD 2 Robustness against voltage variations SHOULD 2 Resistance to the determined environmental conditions SHOULD 2 Machine end-user Comment (see comments in ISO 3849-) Safe state in case of de-energization Within their limits, passive components are resistant to voltage variations Provide related information to machine end-user Program sequence monitoring SHOULD Integrated in the safety PLC Control of failure in the data communication process SHOULD 2 Not relevant Failure detection by automatic tests CAN** Tests by redundant hardware CAN** Plausibility check integrated in safety PLC or safety I/O Entire SF is two-channel (redundant) Diverse hardware CAN** 2 Not applicable (see CCF table) Positive mechanically linked contacts (force guided contacts) CAN** 2 Contacts are not positive mechanically linked Direct opening action CAN** 2 Not for all sensors Oriented mode of failure CAN** 2 Overdimensioning with an appropriate factor (.5) Use of suitable materials and adequate manufacturing Failure behavior considered: Fault list CAN** 2 Components are overdimensioned SHOULD 2 Correct dimensioning and shaping SHOULD 2 Proper assembly and installation SHOULD 2 Compatibility (with regard to operating characteristics) Confirmed by component manufacturer Confirmed by component manufacturer Components are proper for application SHOULD 2 According to specification Use of standardized and safe components SHOULD Hardware design check (e.g. inspection or walk-through) Sensors according to standards (EN , annex K, EN 088) CAN** 2 Hardware has been verified Computer-aided design tools CAN** 2 Use of dierent engineering tools Simulation (of the functional performance and correct dimensioning of the components) CAN** Only for critical components Functional test SHOULD Testing carried out Project management SHOULD Project management installed Documentation SHOULD See validation report Black box test CAN** Blue: Principle is not listed in ISO 3849 for the corresponding technology. * These columns of the table serve as a basis for the machine manufacturers and are to be adjusted by them. Black box test of the software carried out CAN**: Additionally, one or several of these measures should be applied taking the complexity of the SRP/CS and its PL into consideration. Suitability of the components for safety functions according to ISO 3849 has been confirmed by the component manufacturer.

38 80 C- Example: Machine tool 9th step: Software requirements For the validation, the following documents have been prepared: List of the basic safety principles applied: See Table C-.. List of the well-tried safety principles applied: See Table C-.2. List of the well-tried components used: See Table C-.3. List of the measures against CCF used: See Table C-.0. List of the measures against systematic failures used: See Table C-.4. Component manufacturers declaration: Suitability of the components for safety functions according to ISO 3849: Related examples can be found on the Bosch Rexroth homepage: 9 th step: Software requirements According to section B-9, the software must be specified. Tables C-. to C-.4 serve as a starting basis; they have been used to define the individual safety functions. With regard to the PL evaluation (PFHD calculation) according to the sensors and machine parts concerned, the individual safety functions must be considered in a dierentiated form. The logic function of the individual safety functions is, however, identical within one safety function type, for example: SF Safe stopping in case of emergency (Emergency stop). The state diagram in Fig. C-.4 shows the events causing a transition between the individual machine states and/or safety functions. It must be considered that the drive controllers used are already equipped with integrated safety functions (see Fig. C-.9) and have a specified behavior with regard to the priority of the requested safety functions, that is to say one part of the logic is already pre-programmed in the drive. With the Rexroth components used, the drive has several input signals for activating the safety functions accordingly. In the example, the following input signals are used: SS-ES Operation mode Enabling Via the SS-ES input, the drive is stopped according to stop category. This function is always carried out, irrespective of the question whether other requests like enabling or operation mode are pending at the same time. By selecting Operation mode, the drive is transferred into the safe operating stop - stop category 2. Via the Enabling input, you can change the monitoring. That means if the enabling device is operated, the system is monitored for Safe speed ; if the enabling device is released, the monitoring for Safe operating stop will be automatically activated again. the temporary suppression (muting) of SF2 for drives C, X, X2, Y, Z by SF4 is automatically considered by the drive. Therefore, selection of SF2 and SF4 may be requested simultaneously. Feedback SI status K X2 axis Y axis Z axis X axis C axis S axis X3 axis Inputs Safety PLC Outputs SS-ES Special mode Enable UT G M UT 2 T G T2 M G T3 M G T4 M G T5 M G T6 M G T7 M Drive group Fig. C-.9: Activation of the drive built-in safety functions

39 9th step: Software requirements C- Example: Machine tool 8 Table C-.5: Cause-eect matrix Safety function Prio Triggering events Sensors/inputs Muting condition Outputs Reaction Performance criterion SI status drive C SI status drive X SI status drive S SI status drive X2 SI status drive Y SI status drive Z SI status drive W SI status drive X3 Emergency stop Emergency stop 2 Emergency stop 3 Emergency stop 4 Emergency stop (enabling device) Sensor safety door Sensor safety door 2 Sensor safety door 3 Enabling (enabling device) SF If Emergency stop, 2, 3 and 4 has not been operated and the enabling device is not in Panic position (inputs = ) SF2 2 If door, 2 and 3 are not opened (inputs = ) SF3 2 If all drives are in the safe sate (input = ) Locking safety door Locking safety door 2 Locking safety door 3 Drive C Drive X Drive S Drive X2 Drive Y Drive Z Drive W Drive X3 ) Muting of SF2 in case of activating SF4 for drives C, X, X2, Y, Z by SF4 is programmed in the drive 4) 5) 6) 2) Inputs drive SS-ES = (SS deactivated) Operation mode = Enabling = 0 (SS2 deactivated) Unlock door Reaction time Switch o: 00 ms SF4 3 If all drives are in the safe state and door is open and doors 2 and 3 are closed and the enabling device is operated 4) 5) 0 3) 3) ) SS is deactivated 2) SS2 is deactivated 3) SLS is activated 4) Drive system acknowledges safe state 5) After time T, pneumatic control system is in the safe state 6) Door interlocking is released Operationmode = Enabling = (SLS activated) The drive based safety function are activated in accordance with the de-energization principle. (LOW means safety function is activated/requested). If none of the sensors are operated (that is, input signals = ), the safety function is deactivated. The detailed correlation between the individual sensor signals and the performance of the safety function in the actuator are shown in Table C-.5. The drive controllers used confirm via an output that the safe state has been reached. All controllers can be used in a so-called drive group, that is to say the Safety active feedback (SI status in Table C-.5) is provided by the master of the drive group via a single electric signal when all drives of one group have reached the requested safe state. If there is only one drive that cannot reach this state, there will be no acknowledgement by the master drive. The drives with an identical safety function can also be controlled with only one signal by electrically

40 82 C- Example: Machine tool 9th step: Software requirements connecting the selection of the individual drives in series. Table C-.5 shows the cause-eect matrix for the safety functions SF to SF4. For all safety functions, a corresponding maximum reaction time has to be defined, which must be verified in the validation. It specifies until which time the safe state has to be achieved in case of failure. For the implementation of the program, the following module design has been created for the software (see Fig. C-.0). At the beginning, the states of the doors, drive and the mode of operation are evaluated, that is to say the inputs are processed. Using these results, the individual machine states can be controlled before the outputs are then set at the end of the program. States/inputs Status_drives Data flow/program sequence Status_door Mode of operation Safety functions Emergency stop Safely limited speed Safe stop Setting outputs Door Interlock Valve Electric drives Software module Fig. C-.0: Software module design The program has been exemplary implemented using the SafeLogic Designer. Fig. C-. shows the overview of the individual program modules. They correspond to the module design according to Fig. C-.0. The input and output signals of the individual modules.

41 Fig. C-.: Implementation of the program modules in the SafeLogic Designer engineering tool 9th step: Software requirements C- Example: Machine tool 83

42 84 C- Example: Machine tool 9th step: Software requirements Fig. C-.2 shows the exemplary implementation of the Safely Limited Speed module. According to the software requirements of the ISO 3849, the module has been provided with a corresponding header. The operation of the machine with safely limited speed is activated if All drives are in the safe sate, Door is open, Doors 2 and 3 are closed and The enabling device is operated. The highest priority for SF guarantees that upon operation of Emergency stop, the drives are stopped. Moreover, the following is ensured: After an Emergency stop has been activated or one door had been opened in the meantime, the enabling device must first of all be released before the machine can be moved at limited speed again. Fig. C-.2: Exemplary implementation of the SafelyLimitedSpeed module

43 9th step: Software requirements C- Example: Machine tool 85 Table C-.6 shows an extract from a test plan that can be used for testing the software. Table C-.6: Software test plan (extract) Project: MyFirstProject Creator: Ma. Doe Date: yyyy-mm-dd Version: V.0 Released: Jack Checker Safety function Condition Sensors/inputs Muting condition Outputs Performance criterion acc. to specification Fulfilled Test SF 4 - Safety function 4: Safely limited speed in set up mode always SI status drive C SI status drive X SI status drive S SI status drive X2 SI status drive Y SI status drive Z SI status drive W SI status drive X3 Emergency stop Emergency stop 2 Emergency stop 3 Emergency stop 4 Emergency stop (enabling device) Sensor - safety door Sensor - safety door 2 Sensor - safety door 3 Enabling (enabling device) Locking safety door Locking safety door 2 Locking safety door 3 Drive C Drive X Drive S Drive X2 Drive Y Drive Z Drive W Drive X3 Reaction time If all drives are in the safe state and door is open and doors 2 and 3 are 0 ) ) ) ) ) ok closed and the enabling device is operated 5 Door closed 0 2) 0 2) 0 2) 0 2) 0 2) ok 6 Drive C not in the safe state ok 7 Drive X not in the safe state ok 8 Drive S not in the safe state ok 9 Drive X2 not in the safe state ok 0 Drive Y not in the safe state ok Drive Z not in the safe state ok 2 Drive W not in the safe state ok 3 Drive X3 not in the safe state ok 4 Emergency stop operated ms ok 6 Emergency stop 2 operated ms ok 7 Door 2 open ok 8 Emergency stop (enabling device) ms ok operated 9 Emergency stop 3 operated ms ok 20 Door 3 open ok 2 Emergency stop 4 operated ms ok 22 Enabling device not operated ok )... SLS activated 2)... SLS not activated

44 86 C- Example: Machine tool 9th step: Software requirements Using the SafeLogic Designer s simulation mode (Fig. C-.3), the dierent test cases are simulated. The results are compared to the expectations and documented in the test report. Table C-.7 shows an extract of the checklist for software programming to verify the suitability of the tool, software design, combination of standard and safety program and its implementation. Input/output is activated Input/output is deactivated not relevant Fig. C-.3: Simulation of the inputs and outputs within the SafeLogic Designer engineering tool