Low voltage switchgear and controlgear functional safety aspects

Similar documents
New developments about PL and SIL. Present harmonised versions, background and changes.

Service & Support. Functional Safety One Position switch. Safe Machine Concepts without Detours. benefit from the Safety Evaluation Tool.

FMEDA Report Failure Modes, Effects and Diagnostic Analysis and Proven-in-use -assessment KF**-CRG2-**1.D. Transmitter supply isolator

Options for ABB drives. User s manual Emergency stop, stop category 0 (option +Q951) for ACS880-07/17/37 drives

Failure Modes, Effects and Diagnostic Analysis

MANUAL Functional Safety

Functional safety manual RB223

Functional Example AS-FE-I-013-V13-EN

Safety-related controls SIRIUS Safety Integrated

MANUAL Functional Safety

SAFETY MANUAL SIL Switch Amplifier

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Proline Prowirl 72, 73

Options for ABB drives. User s manual Prevention of unexpected start-up (option +Q957) for ACS880-07/17/37 drives

MANUAL Functional Safety

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Safety Manual VEGASWING 61, 63. Relay (DPDT) With SIL qualification. Document ID: 52082

Soliphant M with electronic insert FEM54

Safety Manual. Vibration Control Type 663. Standard Zone-1-21 Zone Edition: English

FUNCTIONAL SAFETY CERTIFICATE

MANUAL Functional Safety

Applications & Tools. Speed monitoring with 3TK according to SIL 3 per EN or PL e per EN ISO :2006.

Type Switching repeater. Safety manual

Options for ABB drives. User s manual Emergency stop, stop category 1 (option +Q964) for ACS880-07/17/37 drives

Vibrating Switches SITRANS LVL 200S, LVL 200E. Relay (DPDT) With SIL qualification. Safety Manual. Siemens Parts

What functional safety module designers need from IC developers

Soliphant M with electronic insert FEM57 + Nivotester FTL325P

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S

Hardware Safety Integrity. Hardware Safety Design Life-Cycle

Hardware safety integrity (HSI) in IEC 61508/ IEC 61511

Failure Modes, Effects and Diagnostic Analysis

FUNCTIONAL SAFETY CHARACTERISTICS

Options for ABB drives. User s manual FPTC-01 thermistor protection module (option +L536) for ACS880 drives

ISO SINAMICS G110D FAQ

SIRIUS Safety Integrated. Modular safety system 3RK3

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Siemens Safety Integrated Take a safe step into the future

Original operating instructions Fail-safe inductive sensor GI711S / / 2010

Options for ABB drives. User s manual Prevention of unexpected start-up (option +Q950) for ACS880-07/17/37 drives

OPTISWITCH 5300C. Safety Manual. Vibrating Level Switch. Relay (2 x SPDT) With SIL qualification

Original operating instructions Fail-safe inductive sensor GF711S / / 2013

DK32 - DK34 - DK37 Supplementary instructions

Failure Modes, Effects and Diagnostic Analysis

WHITE PAPER. Drive-based functional safety How variable speed drives are playing an increasingly important role in machine safety

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

OPTIONS FOR ABB DRIVES CPTC-02 ATEX-certified thermistor protection module, Ex II (2) GD (+L537+Q971) User s manual

Applications & Tools. Calculation examples for safety functions according to EN ISO SINUMERIK 840D sl

FMEDA and Prior-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

BT50(T) Safety relay / Expansion relay

Application Note. AC500-S Usage of AC500 Digital Standard I/Os in Functional Safety Applications up to PL c (ISO )

Assessment of Safety Functions of Lignite Mining Equipment according to the requirements of Functional Safety.

NHP SAFETY REFERENCE GUIDE

Options for ABB drives. User s manual FPTC-02 ATEX-certified thermistor protection module, Ex II (2) GD (option +L537+Q971) for ACS880 drives

Original operating instructions Safety relay with relay outputs G1501S / / 2016

Applications & Tools. Technology CPU 317TF-2 DP: Example for determining the Safety Integrity Level (SIL) according to IEC

Safety modules. 8/4 inputs PROFIsafe S20-PSDI8/4

HART Temperature Transmitter for up to SIL 2 applications

Application Technique. Safety Function: Safety Camera with E-stop

Options for ABB drives. User s manual FPTC-02 ATEX-certified thermistor protection module, Ex II (2) GD (option +L537+Q971) for ACS880 drives

Failure Modes, Effects and Diagnostic Analysis

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016

CAPIEL Position Paper WEEE Scope

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1

FUNCTIONAL SAFETY CERTIFICATE

Mobrey Hydratect 2462

FMEDA and Proven-in-use Assessment. G.M. International s.r.l Villasanta Italy

Failure Modes, Effects and Diagnostic Analysis

SAFETY RELAY YRB-4EML-31S MAIN FEATURES

Report. Certificate Z Rev. 00. SIMATIC Safety System

HART Temperature Transmitter for up to SIL 2 applications

Safety Manual. VEGABAR series ma/hart - two-wire and slave sensors With SIL qualification. Document ID: 48369

Emergency Stop Devices (MD Annex I ) Background

Report. Certificate M6A SIMATIC S7 Distributed Safety

Options for ABB drives. User s manual FSE-31 pulse encoder interface module

Failure Modes, Effects and Diagnostic Analysis

Safety Manual Safety technology for machines and systems in accordance with the inter national standards EN ISO and IEC 62061

Product Substitution Details - Safety Modules

ELR H3-IES-PT- 24DC/500AC-...

Report. Certificate Z SIMATIC S7 F/FH Systems

Special Documentation Liquicap M FMI51, FMI52

FUNCTIONAL SAFETY ASSESSMENT: AN ISSUE FOR TECHNICAL DIAGNOSTICS

MACX MCR-SL-(2)I-2)I-ILP(-SP)

PowerFlex 700H AC Drive Safe Torque Off Option

Controller CMXH. Description STO. Safe Torque Off (STO) [ ]

SECTION 16 LED DIAGNOSTIC FEATURES: EXPANSION UNITS: SCR-31P-i. SCR-73-i. SEU-31-i. SCR-31-42TD-i. SEU-31TD-i

Technical Report Reliability Analyses

Online data sheet. TR4-SDM03P TR4 Direct NON-CONTACT SAFETY SWITCHES

Micropilot M FMR230/231/232/233/240/244/245

Welcome to the Safety functions training module for ACS880 cabinet-built industrial drives.

Datasheet AZM 161 Z ST1 AS RA

AS-Interface Safety at Work

Report. Certificate M6A SIMATIC Safety System

Functional safety manual Liquiphant M/S with FEL58 and Nivotester FTL325N

SIRIUS Monitoring and Controlling. Overview of safety relays. Safety Integrated. Answers for industry.

CONTROL SYSTEMS DESIGN SPECIFICATION

to 12a Added Standard and Electrical requirements for UL table 1.1

Transcription:

Low voltage switchgear and controlgear functional safety aspects Guidance how to use low voltage switchgear and controlgear in functional safety applications Picture Siemens AG

A message from the CAPIEL Presidents Philippe Sauer CAPIEL President In the recent years machinery has become more and more complex. Based on the European Machinery Directive the requirements for safety have also increased. Therefore the European Union is very influential with regard to functional safety in machine systems. This has a major effect on CAPIEL products as well. Some CAPIEL products may not meet the definition for a safety component, but nevertheless they can have features or functions which allows a machine builder to use them as a part of a system intended for safety applications. Karlheinz Kaul CAPIEL Vice-President It is one of our most important duties, as CAPIEL, to work with regulators in order to ensure that features or functions are consistent with our common safety objectives. It is our responsibility to make sure that these are clearly defined, understandable and correctly interpreted by designers, installers and other users of electrical products, systems and solutions. This brochure provides information concerning the application of current standards and the European Machinery Directive relevant to the implementation of low voltage switchgear and controlgear in functional safety applications. We hope that you will find it of interest. Yours sincerely Philippe Sauer & Karlheinz Kaul CAPIEL is the European Coordinating Committee of Manufacturers of Electrical Switchgear and Controlgear CAPIEL notably provides various start, control & safety solutions for machines. CAPIEL plays an active role in driving emerging technologies, especially regarding innovations in the areas of environmental preservation and sustainability, but also in health and safety. Sensor Logic ACTUATOR MOTOR

Safety factors Safety Factors n The Machinery Directive 2006/42/EC has applied since 2009. Machine manufacturers have to consider how they can demonstrate compliance with the Machinery Directive (2006/42/EC), concerning safety in control systems, preferably using the following harmonized EN Standards: n EN ISO 13849 n EN 62061 (identical to IEC 62061) n To ensure these EN Standards can be applied effectively, CAPIEL manufacturers provide functional safety related data to machine manufacturers in order to help them design suitable safety related control systems. The type of data supplied depends on the type of product and its use. (See page 11) n The format of the data provided in this document is relevant for use in the simplified calculation methods given in EN ISO 13849 and EN 62061. n Functional safety is also important for process industry, explosive atmospheres, railway application and others. There is a range of applicable Directives and standards, e.g.: n ATEX Directive 94/9/EC (will be replaced by 2014/34/EU): EN 50495 n Process industry: EN 61511 n Railway application: EN 50155 t Factors for Functional safety for electromechanical products n To make a machine safe it is necessary to consider a number of factors: depending on the B 10 values and the number of operations in the application Random Failures Systematic Failures have to be considered in the design of the product and the application Common Cause Failures Architecture could be designed into the product by the component manufacturer or determined by the designer of the application the designer of the application has to address these aspects Diagnostic could be designed into the product by the component manufacturer or determined by the designer of the application 3 Low voltage switchgear and controlgear functional safety aspects

Safety factors t Why is it necessary to differentiate between types of failures? SYSTEMATIC FAILURE FSM Functional Safety Management RANDOM FAILURE Failure avoidance HFT Hardware Fault Tolerance (EN 62061) Category SFF Safe Failure Fraction (EN 62061) DC avg Diagnostic Coverage Failure control, failure detection Failure control, failure detection PFH D PFD Probability of Failure per Hour (EN 62061) Probability of Failure on Demand (EN 61511) Probabilistic n The difference between systematic failures and random failures is the way they are caused. n Systematic failures are caused mainly by the design of a system. These failures are present in the products or systems from the beginning of their life (e.g.wrong requirements or specification, wrong dimensioning, software fault). n Random failures are difficult to predict because there is virtually no way to identify the fault before the failure happens. This is why statistical methods are used. t What is the difference between low demand and high demand? n The most important objective for low demand with wear based applications is to reduce the systematic failures. The types of measure employed to reduce the systematic failures are the same for both high demand and low demand applications, for example failure avoidance, quality management, use of proven principles or prior use. Evaluation of Failures Low demand High demand Random failures Systematic failures Number of demands of the safety function Mode of operation Demand: safety function is performed in order to transfer the equipment into a specified safe state Low demand mode frequency of demands 1 / year loss of safety function does not neccessarily lead to a hazardous situation at the same time High demand mode frequency of demands > 1 / year loss of safety function leads to a hazardous situation Low voltage switchgear and controlgear functional safety aspects 4

Responsibilities Responsibilities n The machine manufacturer is responsible for the overall development and safety of the machine. n This is fundamental irrespective of whether Option A or B is chosen in the chart below. n During the selection of the products to be used, the machine manufacturer chooses either to use safety elements to design the safety sub-systems or to use pre-designed sub-systems. DEFINITION OF SAFETY FUNCTIONS IN THE MACHINE OPTION A Safety control system built by the Machine Manufacturer OPTION B Safety control system built by the Manufacturer of the Safety Control System SAFETY CONTROL SYSTEM WITH SIL/PL INSTALLATION (MECHANICAL AND ELECTRICAL), PROGRAMMING TOTAL FUNCTION - VALIDATING Machine manufacturer Manufacturer of the Safety Control System Safety element 5 Low voltage switchgear and controlgear functional safety aspects

Safety Product Implementation Levels Guard door Safety Logic To protect humans against dangerous motions in the machine area often a guard door is used. To stop dangerous motion the guarding is a part of the safety control system. Guard door Monitoring The guard door as access the machine area has to be monitored and the numbers of contacts relates to the safety level A safety subsystem which evaluates the monitoring switches Motor Starter A motor starter can have more than one contact in series depending on the safety level. Disconnecting Switch Safety Control System Safety subsystem Safety element Generic element Example: Protection cover with monitoring and actuating function (no single CAPIEL product) Example: subfunction to stop dangerous motion of a conveyor realized by a motor starter with integrated safety features. Other examples: Safety relay Example: contactor (with B 10d ) Other examples: relay with positively driven contacts, emergency stop device, interlocking device. Example: Disconnecting switch Other examples: contactor (without B 10d ), relay, push button, terminal block, standard-plc, proximity switches, disconnector, indicating towers. All examples without safety function. Low voltage switchgear and controlgear functional safety aspects 6

Safety Product Implementation Levels t What safety product related values are needed overview For each implementation level, different data is required in order for the machine manufacturer to verify of the required PL/SIL of the safety functions. The following table shows the data required. Information to be provided by product manufacturer Implementation levels Safety control system Safety subsystem Safety Element Generic element tb wb tb wb tb wb tb wb SIL and/or PL SILCL and/or PL PFH D and/or PFD Operation limit MTTF d or MTTF and RDF B 10d or B 10 and RDF MTBF B 10 T M Mandatory field, data required, tb Time based, e.g. electronic products Optional field, data optional (application-specific), wb Wear based, e.g. electro-mechanical products PL Performance Level SIL Safety Integrity Level (EN 61508) SILCL Safety Integrity Level Claim Limit (EN 62061) PFH D Probability Failure per Hour (EN 62061) T M Mission time MTBF Mean Time Between Failure MTTF d Mean Time To Dangerous Failure RDF Ratio of Dangerous Failures B 10 10% of the devices failed B 10d 10% of the devices failed dangerous PFD Probability of failure on Demand (EN 61511) Operation maximum number of limit operations that is used in the calculation on the PFH D 7 Low voltage switchgear and controlgear functional safety aspects

Case Study: High Demand Application Case Study A movable protective guard is monitored by means of a door monitoring switch (may be two depending on required PL/SIL) with a separate actuator. Picture Eaton Industries GmbH Conditions in this example: n This guard is opened four times per hour, (C=4). n Architecture is a two channel n B 10 = 1 000 000 n RDF = 20% n CCF, b = 10% (Common Cause Factor EN 62061) n T 1 = 20 year (Proof Test Interval EN 62061) 200 000 hours n DC = 0 Calculation of the SIL Claim for the safety subsystem 1: Ratio of Dangerous Failure (RDF) and the B 10 are given by the product standard or the manufacturer, e.g. 20% and 1 000 000*. The B 10d value used in EN ISO 13849 can be determined as follows: B 10d = B 10 = 1 000 000 = 5 000 000 RDF 0.2 The total failure rate λ D according EN/IEC 62061 of the position switch is as follows: λ D = 0.1 x C = 0.1 x 4 B 10d 5 000 000 = 8 x 10-8 In this example the function of the sensors is not monitored, therefore λ DD =0. Also λ S =0, this is because not closing faults are not part of the safety function and are therefore not relevant for the SFF calculation. SFF = (λ DD + λ S )/ (λ D + λ S ) = (0+0)/(8 x 10-8 +0)= 0 For calculation of SFF only failures relevant for the safety function should be used. The no effect failure is not used for SFF calculations**. PFH D 2*λ D 2 *T 1 /2+β*λ D PFH D 2*(8 x 10-8 ) 2 *200 000/2+0,1*8 x 10-8 = 8 x 10-9 [1/h] *See also CAPIEL WHITE PAPER, Low voltage controlgear products and functional safety, www.capiel.eu. **See also EN 61508-4 2nd Ed subclause 3.6.14/15 Low voltage switchgear and controlgear functional safety aspects 8

Case Study With the 3 factors given from the application two channel = HFT = 1 SFF = 0 PFH D =8 x 10-9 Maximum allowable safety integrity level for a safety function carried out by a safety-related element or subsystem: Hardware Fault Tolerance (HFT) HFT 0 HFT 1 HFT 2 Safe Failure Fraction of an element (SFF) Not allowed SIL 1 SIL 2 < 60% SIL 1 SIL 2 SIL 3 60% < 90% SIL 2 SIL 3 SIL 3 90% < 99% SIL 3 SIL 3 SIL 3 99% (Reference: EN 62061) Safety integrity levels target failure measures for a safety function operating in high demand mode of operation or continuous mode of operation: Average frequency of dangerous failure of the safety function (PFH D ) Safety Integrity Level (SIL) 10-6 PFH D < 10-5 SIL 1 10-7 PFH D < 10-6 SIL 2 10-8 PFH D < 10-7 SIL 3 (Reference: EN 62061) The result for the safety subsystem 1 = SILCL 1 In this example the PFH value is good enough for SIL 3, but the SIL is limited by SFF and HFT to SIL 1. 9 Low voltage switchgear and controlgear functional safety aspects

Case Study: Low Demand Application Case Study Picture Vega Grieshaber KG Level switch in a process application signals when the tank is full. Three possibilities of evaluation according to IEC 61511: n calculation according to IEC 61508 n prior use (field experience) n fault exclusion Operating in low demand mode: n Main failures are systematic, random failures are not determined by the wearing of the products but based on other causes n B 10 value not applicable for PFD calculation n Failure rate is determined by field data For low demand applications in the process industry the reliability data is taken from relevant databases or from the safety manual of the manufacturer. Manufacturer value: λ D = 20 FIT = 20 x 10-9 = 2 x 10-8 failure/h User Value: T 1 =1 year (8760 hours) PFD =λ D *T 1 /2 With the 3 factors, given from the application single channel = HFT = 0 SFF = 0 PFD = 8.76 x10-5 Maximum allowable safety integrity level for a safety function carried out by a type A safety-related element or subsystem: Hardware Fault Tolerance (HFT) HFT 0 HFT 1 HFT 2 Safe Failure Fraction of an element (SFF) SIL 1 SIL 2 SIL 3 SFF < 60% SIL 2 SIL 3 SIL 4 60% SFF 90% SIL 3 SIL 4 SIL 4 90% SFF 99% SIL 3 SIL 4 SIL 4 SFF 99% (Reference: IEC 61508-2) Safety integrity levels target failure measures for a safety function operating in low demand mode of operation: Average probability of a dangerous failure on demand of the safety function (PFD avg ) Safety Integrity Level (SIL) 10-2 PFD avg < 10-1 SIL 1 10-3 PFD avg < 10-2 SIL 2 (Reference: IEC 61508-1) 10-4 PFD avg < 10-3 SIL 3 10-5 PFD avg < 10-4 SIL 4 The result for the safety subsystem 1 = SIL 1 In this example the PFD value is good enough for SIL 4, but the SIL is limited by SFF and HFT to SIL 1. Low voltage switchgear and controlgear functional safety aspects 10

Conclusions & References Conclusions n The machine manufacturer is responsible for the overall development and safety of the machine. n When designing a machine, the manufacturer can: n Select an appropriate safety control system for his application. The safety control system supplier will provide relevant functional safety data. n Select and combine suitable safety subsystems in order to create a safety control system that provides the required level for a safety function. n Design a subsystem using safety elements and combine it with other subsystems to create a safety control system that provides the required level for a safety function. n If a generic element is used in a safety related application, the machine manufacturer has to justify its usage as a safety element. This includes deriving all functional safety values and ensuring its suitability for the intended function. The table on page 7 shows which safety related values will be provided by the component manufacturer. n Probabilistic determination methods are not always suitable when evaluating reliability. Therefore a systematic analysis of all possible sources of failure of the system and its components shall always be carried out before designing the system. n The calculation is just one of a range of verification measures that are required to show that a sufficient safety level has been achieved. n Probabilistic values for random failures in low demand mode are provided by the manufacturer or taken from relevant databases or field data. n Some examples of common databases: n Exida Electrical & Mechanical Component Reliability Handbook n MIL HDBK 217F n NAMUR NE 93 n RAC FMD 91 n SN29500 n SN31920 n VDE 2180 n IEC/TR 62380 n IEC 61709 n White paper CAPIEL PG5 References EN 61508 Functional safety of electrical/ electronic/programmable electronic safety-related systems EN ISO 13849-2 Safety of machinery Safetyrelated parts of control systems Part 2: Validation EN 62061 EN 61511 Safety of machinery Functional safety of safety-related electrical, electronic and programmable electronic control systems Functional safety Safety instrumented systems for the process industry sector EN ISO 13849-1 Safety of machinery Safetyrelated parts of control systems Part 1: General principles for design EN 60947-series Low-voltage switchgear and controlgear EN 61649 VDMA 66413 EN 50495 Weibull analysis VDMA-Specification Safety devices required for the safe functioning of equipment with respect to explosion risks EN 50155 Railway applications Electronic equipment used on rolling stock 11 Low voltage switchgear and controlgear functional safety aspects

Capiel Members Capiel at a glance CAPIEL represents 9 national associations from 8 European countries comprising more than 550 manufacturers. Members of national associations represented by CAPIEL include small, medium and large-sized companies employing 120,000 people directly in Europe and have a combined turnover of 18.25 billion. CAPIEL membership includes global players such as Siemens, Schneider Electric, ABB, Eaton, Rockwell Automation, etc. www.capiel.eu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback