SF02. An Introduction to ISO :2008 Functional Safety of Machinery

Transcription

1 SF02 An Introduction to ISO :2008 Functional Safety of Machinery

2 Agenda What is Functional Safety History of Safety Standards Who is affected by what? Primary Concepts of Example using 13849

3 What Is Functional Safety? IEC :2010 defines Functional Safety in section as part of the overall safety relating to the equipment under control and the control system that depends on the correct functioning of the electrical, electronic and programmable electronic safety-related systems and other risk reduction measures Practical Definition: The automatic action that must occur to ensure a safe state

4 Functional Safety Standards IEC/EN Functional safety of electrical, electronic, and programmable electronic safety-related systems (EEPE/CS) Process Machinery Software IEC/EN SIS (SIL1 SIL4) IEC/EN EEPE/CS (SIL1 - SIL3) ISO/EN SRP/CS (PLa - PLe)

5 Functional Safety of Machinery ISO and IEC are known as machinery functional safety standards. These standards look at how well a safety system needs to operate. This allows us to use new technologies to drive productivity and safety. These new technologies are called contemporary safety solutions. ISO and IEC will be combined in the near future to benefit from the strengths of each standard. The technical committee for has a draft in progress. ISO IEC 62061

6 History of Safety - USA Safety has been a growing part of the human integrated manufacturing environment. Our responsibility is required Massachusetts, required guarding of belts, shafts and gears 1890 Nine US states required machine guarding 1930 All US states had established job-related safety laws 1934 Bureau of Labor Standards (F. D. Roosevelt - Frances Perkins) Promote safety and health for working men and women 1970 Occupational Safety and Health Act (William Steiger s Act) Assure safe and healthy working conditions for men and women 1981 Lost Workday Incident Rates policy established by OSHA 1991 EN 292 Basic Concepts of Machine Safety 1996 EN 954 and EN 1050 Machinery Safety

7 Who s Responsible? OSHA requires that each employer shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to employees. OSHA specifies minimal standards, and offers little, if any, assistance in compliance solutions. OSHA uses industry standards as well as manufacturer s instructions when investigating accidents. Manufacturers and employers should apply consensus standards to help assure safety.

8 Who s Responsible? The Machinery Directive has a dual objective: to permit the free movement of machinery within the internal market whilst ensuring a high level of protection of health and safety. The protection of health and safety is both a fundamental duty and a prerogative of the Member States. Since the Machinery Directive harmonises the health and safety requirements for the design and construction of machinery at EU level, the responsibility of Member States to protect health and safety of people with regard to the risks associated with machinery implies ensuring that the requirements of the Machinery Directive are correctly applied.

9 Standards Organizations Abbreviation Sponsoring Organization Scope ANSI American National Standards Institute U.S.A. AS Australia Standard Australia ASME American Society of Mechanical Engineers U.S.A. ASSE American Society of Safety Engineers U.S.A. B11 Association of Manufacturing Technology U.S.A. CSA Canadian Standards Association Canada EN European Norm European Community IEC International Electrotechnical Commission Global ISO International Organization for Standardization Global NFPA National Fire Protection Association U.S.A. OSHA Occupational and Safety Health Administration U.S.A. PMMI Packaging Machinery Manufacturer s Association U.S.A. RIA Robotic Industries Association U.S.A. 9

10 Standards Comparison European Machine Directive 2006/42/EC OHSA Machine Safety 1910.xxx Machine Safety - Basic concepts EN/ISO Machine Safety - General Safety Requirements ANSI B11.GSR Machine Safety - Principles for Risk Assessment EN/ISO Machine Safety - safety-related parts of control systems ISO Non-electrical and simple electrical Machine Safety - Functional safety of EEPES control systems IEC Machine Safety - Principles for Risk Assessment ANSI B11.TR3 Machine Safety - Selection of Programmable Electronic Systems (PES/PLC) for Machine Tools ANSI B11.TR4 Machine Safety - Electrical equipment of machines IEC Electrical equipment of machines ANSI/NFPA 79

11 What do we need to do? The European & North American machinery directives/standards outlines the general requirements that shall be followed to ensure that machines are assessed and that proper protection methods have been implemented to ensure personnel protection. These harmonized standards (EN/ISO/ANSI) outline the requirements for assessments. Step 1 - Define the Requirements Step 2 Follow and Assessment Process Step 3 Utilize a defined Assessment Tool/Method The ISO and IEC standards address the design of the safety related parts of the control system including the requirements of design verification. Step 4 - Determine the design method and verify the design IEC/NEC/NFPA standards address electrical installation and wiring practices. Step 5 Follow the proper regional electrical installation standard

12 Globalized Safety Standards ANSI B11.0 ANSI B11.19 NFPA 79 UL 1998 PMMI B155.1 RIA ISO ISO IEC IEC IEC EN ISO EN ISO EN ISO EN ISO EN IEC EN IEC Standards are being adopted globally

13 What is it really?

14 14 ISO Concepts ISO is intended to give guidance to those involved in the design and assessment of the safety-related parts of control systems (SRP/CS) which perform safety functions. The ability of the SRP/CS to perform the safety function under foreseeable conditions is allocated on of five levels, called Performance Levels (PL), and defined in terms of probability of dangerous failure per hour (PFHd). The probability of dangerous failure of the safety function depends on factors including: Reliability of components the mean time to dangerous failure (MTTFd) Diagnostic Coverage the extent of fault detection mechanisms (DC) Common Cause Failure scoring process and quantification of measures against CCF Structure definition of five designated architectures that fulfil specific design criteria and behavior under a fault condition (Category) Systematic failures measures against systematic failures which should be applied

15 Changes from EN 954 EN 954 EN ISO Electrical Control Circuits Control circuits all technologies : Electrical Pneumatic Fluids Hydraulic Safety Categories B, 1, 2, 3 & 4 Safety provided by the structure of the control circuit Draw a diagram (schematic) Performance Levels PLa to PLe Safety provided by: The architecture/structure (categories) The reliability of the system (MTTF d, B10 d ) The diagnostic coverage of the system (DC) The preventive measures against common causes of failure (CCF) Draw a diagram and verification of PL Does PL(achieved) = PLr (required)?

16 Methodology Change Qualitative Quantitative Structure MTTF d Diagnostic Coverage (DC) Common Cause Failures (CCF) Software Systematic Failure Behavior Under Fault conditions Environmental EN 954 was basically a qualitative approach. Factors of time and component reliability are quantitative aspects which must now be considered when developing a safety control system using ISO

17 When to use ISO Maintain and Improve ISO ANSI B Risk Assessment ISO ANSI B11.0 Safety Life Cycle 4. Installation, Verification and Validation ISO ANSI B Design and Design Verification ISO ANSI B Functional Requirements Specification ISO ANSI B11.0

18 Risk Assessment Overview Determine the Limits of the Machinery Hazard Identification Risk Estimation Risk Evaluation Is the Risk Reduced? No Measures for Risk Reduction Refer to SF01 Risk and Hazard Assessment for more information on this process. Yes End

19 Risk Reduction Overview Measures for Risk Reduction 1) Inherently Safe Design 2) Safeguards & Complementary 3) Information for Use Is a Control System Needed? No Back to Risk Assessment Yes Design SRP/CS per ISO :2006 Refer to SF01 Risk and Hazard Assessment for more information on this process.

20 SRP/CS Design Overview Identify the Safety Functions Specify the Characteristics (SRS) Required Performance Level (PLr) Realization Identify SRP/CS Components Evaluate the Performance Level 1) Category/System Architecture 2) Mean Time to Dangerous Failure (MTTFd) 3) Diagnostic Coverage (DC) 4) Common Cause Failure (CCF) 5) Software (if existing) Verification Validation

21 Safety Functions & Specification Two steps are required before determining the PL of a safety control system. These are based on the Risk Assessment Identify the Safety Functions Specify the Characteristics (SRS)

22 Identify the Safety Functions Safety Function A control system function which reduces the risk presented by a particular hazard to an acceptable level. The safety functions are identified during the risk assessment process and take into consideration both the application and the hazard. Some examples: Stopping of the machine when a guard door is opened. Controlled location of the operator s hands during hazardous movement. Safe limited speed of the robot while the guard door is opened. Emergency stopping of the machine when an EStop is pressed. Input Logic Output

23 Safety Requirements Specification The Safety Requirements Specification (SRS) is a formal document which describes the various safety functions and provides all of the required information an engineer will need to design the control system to perform the safety functions. The SRS is considered a living document and shall have provisions for revision control and document management. The validation protocols for testing the safety functions are derived from the SRS. The SRS should include the following: Description of the function, environmental requirements, response times, operating modes, fault handling requirements, diagnostics, safe parameters, fault exclusion, failure modes, etc.

24 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

25 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

26 Performance Level Required The Risk Assessment determines the Performance Level required, PLr Creates the Foundation of the Safety System Functional Requirements, System Design and Validation Protocol Shows Due Diligence and compliance to standards Task/Hazard S1 S2 F1 F2 F1 F2 P1 P2 P1 P2 P1 P2 P1 P2 S = Severity F = Frequency or Duration of Exposure P = Avoidance Probability Performance Level, PLr a b c d e Contribution to Risk Reduction Low High

27 As determined from the risk assessment PLr Equivalents? Risk Categories RIA Performanc e Levels ISO Categories EN 954 ANSI B11.19 R1 e Cat 3+ Control Reliable (4.5.4) R2A d Cat 3+ Control Reliable (4.5.4) R2B d Cat 2 Single CH with Monitoring (4.5.3) R2B c Cat 2 Single CH with Monitoring (4.5.3) R2C c Cat 1 Single CH (4.5.2) R3A b Cat 1 Single CH (4.5.2) R3B b Cat B Simple (4.5.1) R4 Note: Intended to show approximate equivalency for guidance only; attaining the corresponding PL or SIL requires more information and calculation based on several additional factors a Cat B Simple (4.5.1)

28 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

29 Identify Component & Block Diagram Typical safety function diagram: INPUT LOGIC SOLVING OUTPUT Sensing element Control element Final element or actuator The designer shall select an architecture that will meet the needs of the safety function. Category B, 1, 2, 3 or 4

30 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

31 Performance Level Evaluate Performance Level ISO , Figure 5 a b c d e Cat B DC avg none Cat 1 DC avg none Cat 2 DC avg low Cat 2 DC avg med Cat 3 DC avg low Cat 3 DC avg med Cat 4 DC avg high MTTF d low MTTF d medium MTTF d high *Common Cause Failure and quality measures to avoid systematic failures not shown.

32 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

33 Category B The structure and behaviour of the safety function under fault conditions Designated Architecture Category B Typical Implementation Input Device i m Logic Device i m Output Device Contactor Motor Sensor Requirements Basic Safety principles Withstand expected operating stresses influence of the processed material other relevant external influences Behaviour under fault conditions A fault can cause a loss of the safety function. i m = Interconnecting Means Designed to product standards e.g. IEC (not specific safety standards) Designed for environment and electrical safety aspects e.g. IEC PLC is accepted solution Machine Control

34 Category 1 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 1 Typical Implementation Input Device i m Logic Device i m Output Device Safety Contactor Motor Requirements Category B Well-tried components Well-tried safety principles Behaviour under fault conditions A fault can cause a loss of the safety function, but is less likely than Category B. Safety Sensor Machine Control i m = Interconnecting Means

35 Examples of well-tried Safety system designs include well-tried engineering principles and well-tried components Basic Safety Principles Well Tried Safety Principles Well Tried Components Installed per Instructions Use Mechanically Linked Contacts Direct Opening Switches Voltage & Current Ratings Redundant Devices E-Stop Devices Environmental Conditions Diverse Technologies Fuses/Circuit Breakers N.C. Inputs & N.O. Outputs Monitoring/Diagnostics Contactors Transient Suppression Limitation of Energy Mechanically Linked Contacts No Unexpected Start-up Over-Dimensioning (Factor of 2) Auxiliary Contactor/Relay Secure Mounting of Devices No Undefined States Interlocks Control Circuit Protection Separation of Safety & Non-Safety Temperature/Pressure Switches Proper Grounding Fail-to-Safe Operation Programmable Controller

36 Category 2 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 2 Typical Implementation Input Device i m Logic Device i m Output Device Safety Contactor Motor m Test Equip i m Output Of TE Requirements Category B Well-tried safety principles Function is checked at suitable intervals Safety Sensor Safety Relay Machine Control Behaviour under fault conditions A fault can lead to the loss of the safety function between checks. i m = Interconnecting Means m = Monitoring

37 Category 3 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 3 Input Device 1 Input Device 2 i m i m Logic Device 1 Logic Device 2 Requirements Category B, well-tried safety principles Single fault does not lead to a loss of safety Fault shall be detected at or before demand Behaviour under fault conditions When a single fault occurs the safety function is always performed. Some but not all faults will be detected. An accumulation of undetected faults can lead to the loss of the safety function c i m i m m m Output Device 1 Output Device 2 Safety Sensor Typical Implementation Safety Contactor Safety Contactor Safety Relay Contactor Monitoring Motor Machine Control i m = Interconnecting Means m = Monitoring c = Monitoring

38 Category 4 The structure and behaviour of the safety function under fault conditions Designated Architecture Category 4 Input Device 1 Input Device 2 i m i m Logic Device 1 Logic Device 2 Requirements Category B, well-tried safety principles Single fault does not lead to a loss of safety An accumulation of faults does not lead to a loss of safety Behaviour under fault conditions When a single fault occurs the safety function is always performed. The faults will be detected in time to prevent the loss of the safety function. An accumulation of undetected faults is taken into account. c i m i m m m i m = Interconnecting Means m = Monitoring c = Monitoring Output Device 1 Output Device 2 Safety Sensor Typical Implementation Safety Contactor Safety Contactor Safety Relay Contactor Monitoring Motor Machine Control

39 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

40 Mean Time to Dangerous Failure The value for MTTFd of each channel is given in three levels and shall be taken into account for each channel individually with a maximum of 100 years. MTTFd is a statistical value. Denotation of each channel Low Medium High Range of each channel 3 years <= MTTF d < 10 years 10 years <= MTTF d < 30 years 30 years <= MTTF d < 100 years For the estimation of MTTFd of a component, the hierarchical procedure for finding data shall be: 1) use manufacturer s data 2) use methods in Annexes C and D 3) Choose ten years

41 MTTFd Considerations For mechanical or electromechanical devices: Failure is dependent on operating frequency Manufacturers will quote a B10 d which is derived from testing Number of operations where 10% of the sample has failed to danger Example 100S Safety Contactor: Contactor B10d Days Hours Seconds NOP MTTFd 100S-C09 to C97 at AC Years Years Years

42 MTTFd Considerations For electronic devices: Failure is dependent on time, temperature or Environment.. Ratings generally in MTTFd or PFHd Mean time to failure dangerous Probability of danger failure per year MTTFd => 1 / PFHd (must convert years to hours) Example PowerFlex525 Safe Torque Off

43 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

44 5 Diagnostic Coverage The value for DC is given in four levels. DC is the number of detected dangerous failures divided by the number of all dangerous failures. This is a measure of the effectiveness of the diagnostics. For estimation of DC, failure mode and effects analysis or similar methods can be used. For SRP/CS consisting of several parts an average DC is used. For a simplified approach to estimating DC, see Annex E. Denotation of DC Range of DC None DC < 60% Low 60% DC < 90% Medium 90% DC < 99% High 99% DC

45 Calculation of the Average DC The Diagnostic Coverages for the individual Input-Logic-Output blocks are first determined. The individual values are then averaged for the entire safety channel. DC avg = 73.3%

46 Diagnostic Coverage The simplified approach is available with the use of Annex E.

47 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

48 Common Cause Failure Failure which is the result of one or more events and which causes simultaneous failures of two or more separate channels in a multi-channel system, leading to the failure of a safety related control function Failure Channel 1 Failure Channel 2 Common causes are: External stress such as excessive temperature or EMI. Systematic design failures due to the high complexity of the product or missing experience with the new technology. No spatial separation between channels such as common cables or close PCB traces. Human errors during maintenance and repair.

49 Common Cause Failure Annex F contains a score card with a list of measures typically used to mitigate Common Cause Failures. Must achieve a score of 65 out of 100 possible points. If the score is < 65, there is not a sufficient allowance for CCF and additional measures must be realized. These are failures of different items, resulting from a single event. The failures are not consequences of each other.

50 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

51 Safety-Related Software Software safety requirements (ISO :2006, Clause 4.6) All lifecycle activities of safety-related embedded or application software (RSLogix 5000) shall primarily consider the avoidance of faults introduced during the software lifecycle. The main objective of the following requirements is to have readable, understandable, testable and maintainable software.

52 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

53 PL Verification There are three ways to verify the Performance Level (PL) per ISO

54 Simplified Verification Procedure ISO Table 7

55 Performance Level Verification using DC, MTTFd & PL ISO , Figure 5 a b c d e Cat B DC avg none Cat 1 DC avg none Cat 2 DC avg low Cat 2 DC avg med Cat 3 DC avg low Cat 3 DC avg med Cat 4 DC avg high MTTF d low MTTF d medium MTTF d high *Common Cause Failure and quality measures to avoid systematic failures not shown.

56 ISO Table K.1 Verification by PFHd Equivalent

57 Relationship between PL and SIL You can convert a simple circuit calculated in ISO and apply it to IEC by using the chart below. Performance level (PL) Probability of dangerous failure (PFHd) Safety Integrity Level (SIL) a 10-5 to < 10-4 No special safety requirements b 3 x10-6 to < c 10-6 to < 3 x d 10-7 to < e 10-8 to < Combination of Table 3 and 4 from ISO :2008

58 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

59 Validation Validation is an evaluated inspection (including analysis and testing) of the safety functions and categories of SRP/CS. Validation requires fault injection and is typically done off-line. Goal: Proof that the SRP/CS complies to the overall safety requirements of the machinery, proof that the requirements EN or EN ISO are fulfilled. Method: Analysis and testing according to the validation plan Validation requirements are defined in ISO 13849, Part 2.

60 Validation Documentation Documents required for validation: Specification of the expected performance, of the safety functions and categories Drawings and specifications Block diagram with functional description of the blocks Circuit diagram including interfaces/connections Functional description of the circuit diagram Time sequence diagram(s) for switching components, signals relevant for safety Component lists with item designations, rated values, tolerances etc. Analysis of all relevant faults, including the justification of any excluded faults

61 Six Steps to Performance Level Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level. Step 1 Determine the required performance level (PLr) Step 2 Identify the SRP/CS Components & Design Block Diagram Step 3 Evaluate the Performance Level (PL) Step 3a - Category Step 3b - Mean Time to Dangerous Failure (MTTFd) Step 3c - Diagnostic Coverage (DC) Step 3d - Common Cause Failure (CCF) Step 4 Develop Safety-Related Software (If Required) Step 5 Verification of Performance Level (PL > PLr) Step 6 Validation that all requirements are met

62 Need resources? One hour is quick! SafeBook 4 An overview of safety standards including definitions and examples. Based on ISO Publication SAFEBK-RM002 Sample Safety Functions Rockwell Automation has complied a set of example applications based on ISO Visit Training Additional training classes are available Contact Werner Electric for more details Certification TUV Functional Safety certification is available through Rockwell Automation.

63 Questions? Thank you for attending