DRIVE FUNCTIONAL SAFETY
Guide to design, according to EN ISO 13849-1, the safety-related parts of the control system of machining centres and turning machines using DDS or ACSD servo drives
Ref.1406
Responsibility exemption
The information described in this manual may be subject to changes due to technical modifications. Fagor Automation S. Coop. reserves the right to change the contents of this manual without prior notice.
Fagor Automation S. Coop. will not be held responsible for any losses or damage, direct or indirect, that could result from the information in this document because this document is a draft.
Responsibility and warranty claims are excluded in case of shipping damage, wrong usage of the unit in wrong environments or when not used for the purpose for which it has been designed, ignoring the warnings and safety indications given in this document and/or legal ones that may be applied to the work place, software modifications and/or repairs made by unauthorized personnel, or damage caused by the influence of other nearby equipment.
Warranty
The warranty terms may be requested from your Fagor Automationrepresentative or through the usual commercial channels.
Registered trademarks
All registered trade marks, even those not indicated, are also acknowledged. When some are not indicated, it does not mean that they are free.
May 2014 / Ref.1406
All rights reserved. No part of this documentation may be copied, transmitted, transcribed, stored in a backup device or translated into another language without Fagor Automation's permission.
ORIGINAL INSTRUCTIONS
INDEX
1 Information about this file ... 5
1.1 Responsibility exemption ... 5
1.2 Introduction ... 5
1.3 Purpose of this document ... 5
1.4 Related files ... 6
1.5 Scope of this document ... 6
1.6 Versions of the Standards ... 7
2 Legal regulations in the European Community ... 8
2.1 Directives and CE Mark ... 8
2.2 Harmonized Standards ... 8
2.3 FAGOR Declaration of Conformity ... 9
2.4 TÜV Certificate for FAGOR ... 10
3 Focused Machines ... 11
3.1 Turning machines group 3 - ISO 23125 - ... 11
3.2 Machining Centres - EN 12417 - ... 11
4 Operating Modes, Risk Analyses, Safety Functions Components ... 12
4.1 Operating modes ... 13
4.2 Safety Functions Components and its PLr ... 15
5 Safety Functions. Emergency Stop and Operation with Open Guards (SLS) ... 17
5.1 Emergency Stop ... 18
5.2 Operation with Open Guards (SLS) ... 18
6 Safety system architecture ... 19
7 Cabling ... 20
8 Hardware analysis. FMEA, fault consideration & fault exclusion ... 21
8.1 Fault consideration ... 21
8.2 Fault exclusion ... 21
9 Use of “SISTEMA” to calculate MTTFd, DCavg and CCF ... 22
9.1 Using “SISTEMA” tool ... 22
9.2 Results from “SISTEMA” tool for the example ... 23
10 Safety-related application software (SRASW) ... 28
11 Validation ... 29
12 Maintenance ... 30
13 Manufacturer's internal technical documentation ... 31
14 Information for use ... 32
A Categories and PL ... 34
A.1 Definitions ... 34
A.2 Introduction to quantifiable aspects of the PL ... 34
A.3 Introduction to categorization of architectures and behaviour. The case of category 3 ... 36
A.4 Resulting PL ... 37
B Drawings for CNC 8055 and CNC 8065 ... 40
C FagorPLC_Door_SpeedLim_Routines ... 96
C.1 Subroutines for milling machine with 8065 ... 96
C.2 Subroutines for turning machine with 8055 ... 97
D Terms ... 100
1 Information about this file
1.1 Responsibility exemption
Machine designers must know and apply the applicable EU regulations, especially the European Machinery Directive, ISO 13849-1, EN 12417 and ISO 23125.
1.2 Introduction
Accidents during use can be minimized by integrating safety into the machine design and manufacturing stages and by proper installation and maintenance.
Hazards should be eliminated or reduced through a hierarchy of measures by:
design of the machine.
safeguarding.
information about residual risk.
This document deals with the design and validation of the safety-related parts of the control system (SRP/CS) that implement the Safety Functions (SF). SFs typically control movable safeguards, limit velocity or stop the machine.
1.3 Purpose of this document
Please see clause “1.1 Responsibility exemption”.
This document is a practical guide to developing the Safety Related Parts of machines (Machining Centres and Turning Machines) with the FAGOR Control System according to ISO 13849. It is not an academic course on the standards, so we skip the parts that we do not consider relevant and focus on the systems most commonly used by FAGOR clients.
It describes:
Information on using DDS or ACSD drives and a Safety Controller with SLS to develop safety-related parts of control systems (SRP/CS) according to clause “Scope of this document”.
using Category 3 architecture
reaching PL d
doing it according to EN 12417 (Milling) or ISO 23125 (Turning), which are harmonized under the European Machinery Directive
This is an introductory document, not exhaustive information. It is a draft that hasn't been validated according to ISO 13849-2.
Complementary mandatory safety information in “man_dds_hard.pdf”:
Chapter 9. FUNCTIONAL SAFETY.
Refers to Safe Torque Off, which is implemented by the external main contactor KM1 and the Drive Enable input to the DDS servo drives.
Gives Functional Safety mandatory information reviewed by TÜV SÜD.
WARNING. Fagor Automation S. Coop. will not be held responsible for any losses or damage, direct or indirect, that could result from the information in this document because this document is a draft. Note that some sections of EN ISO 13849-1 have not been developed.
NOTE. To develop the SRP/CS these standards require compliance with ISO 13849. The EN 12417 standard still refers to EN 954.
Clause SAFETY CONDITIONS.
Describes the environmental, EMC and electrical safety conditions and measures for designing, installing, repairing, etc. the DDS servo systems. It also describes the symbols that mark complementary instructions throughout “man_dds_hard.pdf” and “man_acsd_so.pdf”.
1.4 Related files
FAGOR hardware manuals.
DRIVE DDS: man_dds_hard.pdf
DRIVE ACSD: man_acsd_so.pdf
Datasheets.
FAGOR controller: DDS Drive Module
DINA controller: Safe Line Module DNSL-ZMR, Safe Line Module DNSL-DS
Sick Stegmann Encoder: SNS50-HBA-S01, SRS50-HFA0-K21, SRM50-HFA0-K21
Schneider Electric: Door Safety Switch XCSTE7312
Euchner: Hand-Held Pendant Stations HBA-121900
Documents.
SISTEMA Msapp.ssm
Electric Wiring Diagram Annex B
1.5 Scope of this document
Machinery Functional Safety standard
This document is about applying the ISO 13849-1 standard. IEC 62061 is the other international standard, but in practice ISO 13849-1 is easier and used more often.
Machines
Turning machines group 3 from ISO 23125.
Machining centres covered by EN 12417.
FAGOR servo drives covered
DDS and ACSD families.
The examples show the DDS and ACSD drives. With ACSD drives, it is necessary to add a second contactor in parallel.
Parts of safety covered by this document
Functional Safety.
Parts of safety NOT covered by this document
These parts are described in “SAFETY CONDITIONS” of “man_dds_hard.pdf” and “man_acsd_so.pdf”.
Primary Safety.
Electrical
Fire
Environmental, vibrations, ...
EMC.
Technologies covered by this document
Yes: Electrical, electronic, programmable electronic.
No: Mechanical, pneumatic, hydraulic, ...
Staff target group
Machine design, installation & repair personnel.
PL d
We will focus on PL d because it is the highest PL required in Machining Centres (EN 12417) and Turning Machines (ISO 23125).
Extension to other types of machines with PL d / SIL 2
Developing the SRP/CS is easier if there is a type “C” standard. Otherwise, both analyzing the risks and defining the safety functions are more cumbersome.
Cat 3
We will describe Cat 3 in more depth, because it is the most suitable architecture to get PL d.
Countries where this document is applicable
Every country where ISO 13849-1, EN 12417 and ISO 23125 are applicable.
EU.
We will use “SISTEMA”
“SISTEMA” is a free tool widely used to calculate the parameters required by ISO 13849, such as MTTFd, DCavg, ... It makes calculating these parameters much easier. Using “SISTEMA” avoids the need for deeper mathematical knowledge.
1.6 Versions of the Standards
ISO 13849-1:2006.
ISO 13849-2:2012.
ISO 23125 First edition 2010-05-01.
EN 12417:2001 +A2:2009/AC:2010.
2 Legal regulations in the European Community
2.1 Directives and CE Mark
At least these EC Directives are mandatory for machines:
Directive 2006/95/EC on Low Voltage.
Directive 2006/42/EC on Machinery.
Directive 2004/108/EC on Electromagnetic Compatibility.
2.1.1 Machinery Directive
The essential health and safety requirements should be satisfied as defined in annex A.
Machinery manufactured in conformity with a harmonised standard shall be presumed to comply with the essential health and safety requirements covered by such a harmonised standard.
Manufacturers retain full responsibility for certifying the conformity of their machinery to the provisions of this Directive. Nevertheless, for certain types of machinery with a higher risk factor, a stricter certification procedure is desirable; usually this is not the case for the Machining Centres covered by EN 12417 or for the Turning Machines covered by ISO 23125.
2.2 Harmonized Standards
Machinery manufactured in conformity with a harmonised standard shall be presumed to comply with the essential health and safety requirements covered by such a harmonised standard.
The main harmonized standards used in this document are:
EN 12417 Machine tools – Safety – Machining centres.
ISO 23125 Machine tools – Safety – Turning machines.
ISO 13849 Safety of Machinery – Safety-related parts of control systems.
Part 1: General principles for design
Part 2: Validation
In the FAGOR Declaration of Conformity, see “man_dds_hard.pdf” and/or “man_acsd_so.pdf”, there is the list of harmonized standards that FAGOR drives fulfil for the three directives. There are many more harmonized standards for other components and for the whole machine, but they are outside the FAGOR components.
2.3 FAGOR Declaration of Conformity
Here you have the declaration for DDS drives. You can find similar declarations for ACSD drives, CNC, I/O, motors, scales and encoders on the FAGOR web site.
2.4 TÜV Certificate for FAGOR
FAGOR has had the DDS servo drives certified by TÜV.
3 Focused Machines
3.1 Turning machines group 3 - ISO 23125 -
Groups of turning machines:
GROUP 1 Manually controlled turning machines without numerical control
GROUP 2 Manually controlled turning machines with limited numerically controlled capability
GROUP 3 Numerically controlled turning machines and turning centres
GROUP 4 Single- or multi-spindle automatic turning machines
FAGOR clients are mainly in group 3: numerically controlled turning machines and turning centres, i.e. turning machines with numerical control (NC) providing automatic functions.
3.2 Machining Centres - EN 12417 -
Below there is one of the four illustrative figures in annex C.
4 Operating Modes, Risk Analyses, Safety Functions Components
The machine shall be designed and constructed so that the principles of ISO 13849-1 are fully taken into account.
ISO 23125 and EN 12417 define Operating Modes, Risk Analyses, Safety Functions and PLr for preferred types of these machines. Usually the actual machine deviates from these types, and a risk analysis should be done for those parts.
Safety Functions Components and their PLr are the inputs for the next design step.
Machines fully covered by ISO 23125 or EN 12417
These standards provide the following information for preferred types of machines:
Determination of the limits.
Hazard identification.
ISO 23125 or EN 12417 give a list of hazards and hazardous situations.
The risk assessment assumes foreseeable access from all directions, as well as unexpected start-up. It takes into account various conditions (e.g. commissioning, set-up, production, maintenance, repair and decommissioning) during the life of the machine.
The assessment includes an analysis of the effect of failure in the control system.
Risk estimation.
Risk evaluation.
Safety requirements and/or measures to eliminate or reduce these risks.
The machine shall be designed and safeguarded in accordance with the specific requirements and/or protective measures listed.
Specific requirements resulting from failure of the control circuit hazards.
In general the safety function shall initiate a Safe Stop 1 (IEC 61800-5-2), also called category 1 stop in IEC 60204-1, and shall preclude unexpected start-up.
Safety function specification, including the required PL.
For these machines the maximum resulting PLr is PL d.
Machines with components not covered by ISO 23125 or EN 12417
The designer shall confirm, through a risk assessment, that the risk assessment is complete for the machine under consideration.
If your Turning Machine or Machining Centre is not fully covered by these standards, you should do an additional risk assessment / risk reduction according to the procedure described in figure 1 of ISO 13849.
4.1 Operating modes
Operating modes of ISO 23125 and EN 12417
4.1.1 EN 12417. Machining centres
Each user type will have authorization for the modes he's been properly trained for. Accesswill require a password. Usually a key is used.
Safe operating mode 1
Mode comprising any of the operations to be carried out when producing parts (CNC automatic mode). Being in this mode means that any operation must be carried out with the doors closed. No element of the machine (axes, spindles, etc.) may move if the doors are open.
Safe operating mode 2
Setup mode, used by the user to carry out operations such as manual tool calibration, part zero search, etc. while the doors are open. Only authorized personnel can work in this mode. This possibility is usually enabled through a password. There must also be a push-button on the machine to enable certain specific functions.
Thus, this operating mode will allow the movements of some elements of the machine, but with the following restrictions:
The maximum feed rate of the axes will be 2 m/min.
The spindle will have to stop in 2 revolutions.
No axes can be interpolated; i.e. only one axis can move at a time.
The spindle can only be started if the enable button is pressed.
The spindle will only turn while the enable button stays pressed.
Block execution will only be possible if the start and enable buttons are kept pressed.
There must be a redundant control (using two channels) to ensure that the speed of the axes and the spindle is the right one and to comply with the limitations set for this mode.
Safe operating mode 3
Manual intervention mode. Only for qualified users. Similar to previous mode 2, except:
The maximum feed rate of the axes will be 5 m/min.
The spindle will have to stop in 5 revolutions.
Axes can be interpolated; i.e. several axes can move simultaneously.
4.1.2 ISO 23125. Turning machines
The main operating modes are:
Safe operating mode 0 - Manual
These requirements are also relevant for other machine groups when working in Mode 0 Automatic.
Safe operating mode 1 - Automatic
With a similar philosophy as for milling; i.e. only changing the part to be machined will be allowed while the doors are open. On a lathe, the part is attached to the spindle; it is possible to act upon the chuck jaws and the tailstock, and the spindle may be turned at limited rpm to check that the part is properly secured, same as during setup.
Main characteristics:
Spindle speed is limited to 50 rpm on small lathes.
The axes cannot be moved.
While the door is closed, it must be verified that the spindle speed does not exceed the maximum value.
Safe operating mode 2 - Setup
This mode is mandatory for group 3, which means that the Safe Limited Speed safety function to monitor movements with the door open is mandatory.
This mode is almost identical to that of the milling machine.
Axis feedrate is limited to 2 m/min.
The speed of the main spindle (the one turning the part) is limited to 50 rpm.
The speed of the spindle for the live tool is also limited to 50 rpm.
If the turret is indexed (without an axis moving it), it may be moved in incremental mode by pressing the Enable button and a safe key (hold to run) at the same time.
If the turret has a controlled axis, the feedrate is limited to 50 rpm (with a limit of 1.3 m/s) and it will move like an axis.
4.2 Safety Functions Components and its PLr
Although these two standards talk about “Safety Functions”, they are actually “Safety Function Components” used to build real “Safety Functions” like those described in section 5, Emergency Stop and Operation with Open Guards (SLS).
4.2.1 ISO 23125. Machine tools - Safety - Turning machines
Safety Function Components shall meet the following requirements for the performance level of ISO 13849-1.
4.2.2 EN 12417. Machine tools - Safety - Machining centres
This standard has not yet been adapted to ISO 13849 and still uses EN 954-1, which the EU no longer accepts. Anyway, Cat 3 of EN 954-1 is usually translated to PL d of ISO 13849-1.
Safety function (EN 12417) | PLr required according to ISO 13849-1:2006 | Category required according to EN 954-1:1996
1) Interlocking device associated with a movable guard in the following areas, electro-sensitive protective equipment (ESPE) or other safety equipment applied to: | |
i) work zone by the operator | d | 3
i) work zone only for maintenance | c | 1
ii) transmissions, drive mechanisms | c or d 10) | 1 or 3 10)
iii) tool changer, tool magazine | d | 3
iv) handling device for workpiece loading/unloading device | c or d 10) | 1 or 3 10)
v) pallet changer | c or d 10) | 1 or 3 10)
vi) swarf/chip conveyor | c | 2
vii) access to pits, gates in perimeter fencing | c or d 10) | 1 or 3 10)
viii) bar feed devices | c | 1
ix) mechanical power transmission drives accessible during normal operation | c or d 11) | 1 or 3 11)
2) Hold-to-run control | d 12) | 3 12)
3) Control system with electronic handwheel | see 6) | see 6)
4) Enabling device | d | 3
5) Speed limit monitoring for spindles [see 5.8 d)] | d | 3
6) Feed rate limit monitoring for axes (electronic handwheel included) | c | 2
7) Control system of tool clamping and workpiece clamping | b | 1
8) Emergency stop [see 5.11 c)] | c | 1 or 3 13)
9) Prevention of crushing hazard at power-operated guards/doors with edge protection by e.g. pressure-sensitive protective devices (PSPD) | d | 2 or 3 14)
10) Operation mode selection function | c | 1
11) Safe category 2 stop in accordance with IEC 61800-5-2:2007 | c | 2 or 3 15)
12) Control function to prevent unintended descent of vertical or slant axis | c or d 16) | 2 or 3 16)
13) Start and restart function [see 5.8 c)] | c | 1
14) Start axis movement [see 5.8 e)] | c | 1
Footnotes:
10) Based on S1 and P2, the decision F1 or F2 depends on the frequency of access. If access occurs once every hour or more often, use PLr = d or category 3. If it occurs less often than once every hour, use PLr = c or category 1.
11) If it is quite unlikely that the danger can be avoided (P2, see chapter F.2), the latching device must meet PLr = d or category 3. If it is quite likely that the danger can be avoided (P1, see chapter F.2), the latching device must meet PLr = c or category 1.
12) If it is not possible to reach PLr = d or category 3, a combination of a hold-to-run button and a validation device that meets PLr = d or category 3 must be used.
13) Category 1 must be used if the emergency stop function is wired. Otherwise, category 3 must be used.
14) Based on risk evaluation and considering the weight and speed of the door.
15) Category 2 for moving axes and category 3 for axis rotation.
16) When a hazardous descent of a vertical or slant axis occurs, PLr = c or category 2 can only be selected if there is a realistic chance of avoiding an accident or significantly reducing its effect; PLr = d or category 3 can be selected if there is almost no chance of avoiding the hazard.
4.2.3 PLr calculation for machines different from those preferred in ISO 23125 or EN 12417
If your Turning Machine or Machining Centre is not fully covered by these standards, you should calculate the PLr using the procedure described in figure A.1 “Risk graph for determining required PLr for safety function” of ISO 13849.
Key:
1 starting point for evaluation of the safety function's contribution to risk reduction
L low contribution to risk reduction
H high contribution to risk reduction
PLr required performance level
Risk parameters:
S severity of injury
S1 slight (normally reversible injury)
S2 serious (normally irreversible injury or death)
F frequency and/or exposure to hazard
F1 seldom-to-less-often and/or exposure time is short
F2 frequent-to-continuous and/or exposure time is long
P possibility of avoiding hazard or limiting harm
P1 possible under specific conditions
P2 scarcely possible
5 Safety Functions. Emergency Stop and Operation with Open Guards(SLS)
From the Operating Modes and Safety Function Components defined in ISO 23125 and EN 12417, FAGOR has designed these two Safety Functions, Emergency Stop and Operation with Open Guards (SLS), by:
designing the architecture.
designing the schematic.
designing the safety software in the Safety Controller with SLS.
calculating and validating MTTFd, DCavg and CCF using the “SISTEMA” tool.
5.1 Emergency Stop
5.2 Operation with Open Guards (SLS)
Functional description
This safety function monitors overspeed. The speed limits depend on:
The selected mode: Automatic, Set-up, Semiautomatic
Whether the guards are open
Whether the operator is pressing the Enabling Device
On overspeed, the safety controller activates STO and SBC (if there is a brake).
Figure: block diagrams (input / logic / output) of the two Safety Functions. Inputs: Emergency (Emergency Stop), or Guards, Mode Selector, Enabling Device and Motor Feedback (Operation with Open Guards). Logic: Safety Controller. Outputs: STO via main contactor KM1, KA1, KA2 and the Speed Enable / Drive Enable inputs of the AXD/SPD drive; SBC via the built-in brake.
6 Safety system architecture
In the figure, the safety components are:
Safety Controller with SLS
It is the yellow box in the figure.
It is the most important safety component.
It has the Safe Limited Speed function.
It evaluates the encoder pulses and monitors whether the pulse rate exceeds the current limit.
It has the logic:
Depending on the state of the Door Position Switch, Mode Selector, Enabling Device and Speed, it changes mode, enables opening the door, selects the right speed limits, ...
Safe Torque Off function (STO)
1st channel KM1 main contactor
2nd channel Drive Enable. TÜV certified input of the AXD/SPD drive.
Safe Brake Control (SBC)
1st channel RL relay
2nd channel RL relay
Mode Selector, Door Position Switch, Emergency Buttons & Enabling Device.
NOTE. The CNC is not part of the SRP/CS.
Figure: safety system architecture. External Safety Controller with SLS (inputs I, outputs O), 24 V / 0 V supply, two RL relays controlling the built-in brake of motor M.
7 Cabling
The drawings for CNC 8055 and CNC 8065 in annex B describe the cabling for:
the safety-related parts (SRP/CS) and
the non-safety-related parts that make using the SRP/CS easier.
8 Hardware analysis. FMEA, fault consideration & fault exclusion
Several clauses of ISO 13849-1 and ISO 13849-2 deal with fault analysis.
An FMEA of the safety-related hardware should be done. As the architecture uses safety components, this FMEA focuses on the cabling.
8.1 Fault consideration
Based on experience, ISO 13849-2 lists the important faults and failures for the various technologies.
8.2 Fault exclusion
Fault exclusion is a compromise between the technical safety requirements and the theoretical possibility of occurrence of a fault.
9 Use of “SISTEMA” to calculate MTTFd, DCavg and CCF
SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications). See Annex A for a detailed description of the calculation.
9.1 Using “SISTEMA” tool
The “SISTEMA” project calculates MTTFd, DCavg and CCF and confirms that the PLr is reached. It also helps to document the safety application.
Using the “SISTEMA” tool avoids doing by hand calculations that are sometimes complex.
Writing data
Create a project
Create Safety Function (SF) one by one
Define PLr for each SF, e.g. PL d
Define the serial subsystems of a SF:
Input, logic and output
If there are several inputs (e.g. Door Position Switch & Enabling Device) or outputs (e.g. STO & SBC), their lambda values should be added; i.e. mathematically they are in series.
For each subsystem choose a preferred architecture
In FAGOR applications it will usually be Cat 3.
This implies that there will be two channels. In some cases they are internal, e.g. in a usual Safety Controller.
For each channel enter DCavg
You can select measures from a list (library icon) of all the diagnostic measures defined in Annex E of ISO 13849-1; each one has a defined DC percentage.
For each channel enter MTTFd
In case of electromechanical components enter
B10d
Nop. Usage data of the SF, needed to calculate the number of operations per hour.
Days of use per year
Hours of use per day
Seconds between two uses of the Safety Function
Verification and validation. PFH
If any part of the system does not reach the required level, the “SISTEMA” tool shows it with yellow and red messages.
For PL d, the system PFH must satisfy 10^-6 > PFH ≥ 10^-7.
Common Cause Failure. CCF
Every subsystem has to reach at least 65 CCF points.
In the “SISTEMA” tool you can calculate the total CCF by selecting measures from a list (library icon) of all the measures against Common Cause Failure described in annex F of ISO 13849-1. This is better documented than entering the total CCF directly.
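The arithmetic behind the steps above, as an added Python example that is not part of this guide nor of the SISTEMA tool: it computes nop, MTTFd from B10d, the channel MTTFd, DCavg, the PL of a Category 3 subsystem and the PFH band of PL d for the input subsystem of Operation with Open Guards (SLS). The B10d, DC and usage values for the Door Position Switch and Enabling Device are constructed for illustration, not taken from any datasheet.

```python
# Added example (Python); it is not part of the Fagor guide nor of SISTEMA.
# It does by hand the ISO 13849-1:2006 arithmetic SISTEMA performs for one
# Category 3 subsystem: operations per year, MTTFd from B10d, channel MTTFd,
# DCavg, the PL from the Category 3 rows of Table 7 and the PFH band of Table 3.
# All numeric inputs (B10d, DC, usage data) are constructed, not device data.

MTTFD_CAP_YEARS = 100.0  # the 2006 edition caps a channel's MTTFd at 100 years


def n_op(d_op, h_op, t_cycle_s):
    """Mean operations per year (C.4.2): days/year, hours/day, cycle time in seconds."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d, nop):
    """MTTFd in years of an electromechanical part from its B10d (C.4.2)."""
    return b10d / (0.1 * nop)


def channel_mttfd(part_mttfds):
    """Parts count method (D.1): 1/MTTFd = sum(1/MTTFd_i), capped at 100 years."""
    return min(MTTFD_CAP_YEARS, 1.0 / sum(1.0 / m for m in part_mttfds))


def symmetrised_mttfd(c1, c2):
    """Annex D.2: one MTTFd for two channels with different MTTFd, capped at 100 years."""
    value = c1 if c1 == c2 else 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))
    return min(MTTFD_CAP_YEARS, value)


def mttfd_class(mttfd):
    """Table 5: low 3-10 years, medium 10-30, high 30-100; below 3 years is not allowed."""
    if mttfd < 3.0:
        return None
    return "low" if mttfd < 10.0 else "medium" if mttfd < 30.0 else "high"


def dc_avg(parts):
    """Annex E.2; parts is a list of (DC as a fraction, MTTFd in years) per component."""
    numerator = sum(dc / m for dc, m in parts)
    denominator = sum(1.0 / m for _, m in parts)
    return numerator / denominator


def dc_class(dc):
    """Table 6: none < 60 %, low 60-90 %, medium 90-99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    return "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


# Table 7, Category 3 rows only, keyed by (MTTFd class, DCavg class).
# Table 7 has no Category 3 column for DCavg "high"; it is evaluated as "medium".
_CAT3_PL = {
    ("low", "low"): "b", ("medium", "low"): "c", ("high", "low"): "d",
    ("low", "medium"): "c", ("medium", "medium"): "d", ("high", "medium"): "e",
}


def pl_cat3(mttfd_cls, dc_cls):
    """PL reached by a Category 3 subsystem, or None if the combination is not allowed."""
    if dc_cls == "high":
        dc_cls = "medium"
    return _CAT3_PL.get((mttfd_cls, dc_cls))


def pl_from_pfh(pfh):
    """Table 3: PL from the average probability of a dangerous failure per hour."""
    bands = (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
             ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4))
    for pl, low, high in bands:
        if low <= pfh < high:
            return pl
    return None


def series_pfh(subsystem_pfhs):
    """Subsystems in series (input, logic, output): their PFH values simply add."""
    return sum(subsystem_pfhs)


def open_guards_input_subsystem():
    """Worked case: input subsystem of 'Operation with Open Guards (SLS)', with the
    Door Position Switch and the Enabling Device in series on each of two identical
    channels. Constructed usage: 220 days/year, 16 h/day, door cycle 300 s,
    enabling device cycle 600 s; constructed B10d and DC values."""
    nop_door = n_op(220, 16, 300)                       # 42240 operations/year
    nop_enable = n_op(220, 16, 600)                     # 21120 operations/year
    m_door = mttfd_from_b10d(2_000_000, nop_door)       # about 473 years
    m_enable = mttfd_from_b10d(100_000, nop_enable)     # about 47 years
    chan = channel_mttfd([m_door, m_enable])            # about 43 years -> high
    mttfd = symmetrised_mttfd(chan, chan)
    dcavg = dc_avg([(0.60, m_door), (0.90, m_enable)])  # about 0.87 -> low
    return {
        "mttfd_years": mttfd, "mttfd_class": mttfd_class(mttfd),
        "dcavg": dcavg, "dc_class": dc_class(dcavg),
        "pl": pl_cat3(mttfd_class(mttfd), dc_class(dcavg)),  # "d"
    }
```

The same functions apply to the logic and output subsystems; adding their PFH values with series_pfh and checking the band with pl_from_pfh reproduces the final PL d verification the tool reports.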
9.2 Results from “SISTEMA” tool for the example
9.2.1 Emergency Stop
9.2.2 Operation with Open Guards (SLS)
9.2.3 “SISTEMA” report
10 Safety-related application software (SRASW)
Please see section 4.6.3 Safety-related application software (SRASW) of ISO 13849-1.
11 Validation
Please see ISO 13849-2. Safety of machinery - Safety-related parts of control systems - Part 2: Validation.
12 Maintenance
The information on using the SRP/CS shall include instructions on their maintenance (including periodic inspections if necessary).
For maintenance of the functional safety of DDS drives, please see the MAINTENANCE clause in chapter 9. FUNCTIONAL SAFETY of “man_dds_hard.pdf”.
13 Manufacturer's internal technical documentation
Please see chapter 10. TECHNICAL DOCUMENTATION of ISO 13849-1.
14 Information for use
Information important for the safe use of the SRP/CS shall be given to the user.
This shall include, but is not limited to, the following:
Limits and any fault exclusions
Limits and any fault exclusions for which information for modification, maintenance and repair shall be given
Effects of deviations from the specified performance on the SF
Interfaces to the SRP/CS and protective devices
Response time
Operating limits (including environmental conditions)
Indications and alarms
Muting and suspension of safety functions. Note: the FAGOR example has no muting.
Control modes
Maintenance
Maintenance check lists
Accessibility and replacing of internal parts
Troubleshooting
Applications
Checking test intervals where relevant
Categories and PL
Date of ISO 13849 (i.e. “ISO 13849-1:2006”)
Category B, 1, 2, 3, or 4
PL
In the FAGOR example: ISO 13849-1:2006 Category 3 PL d
ANNEX A
A Categories and PL
A.1 Definitions
SRP/CS
Safety-Related Part of a Control System.
Part of a control system that responds to safety-related input signals and generates safety-related output signals.
Note 1. The combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2. If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
PL
Performance Level.
Discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions.
The levels are a, b, c, d, e.
Each level has the following requirements:
Qualitative: techniques to prevent systematic errors when designing hardware and software.
Probability: probability of dangerous system failures due to any of the components of the safety circuits.
A.2 Introduction to quantifiable aspects of the PL
A.2.1 Category
In order to assist the designer and help facilitate the assessment of the achieved PL, ISO 13849-1 employs a methodology based on the categorization of structures according to specific design criteria and specified behaviours under fault conditions. These structures are allocated one of five levels, termed categories B, 1, 2, 3 and 4.
The SRP/CS shall be in accordance with the requirements of one or more of the five categories. See below the explanation for category 3.
The machine needs other lower level safety functions.
A.2.2 MTTFd
Mean time to dangerous failure.
Of each channel!
Categories 3 and 4 assume the values for MTTFd for each channel are the same.
If the MTTFd of the channels differ, there are two possibilities:
As a worst case assumption, the lower value should be taken into account.
Equation D.2 can be used as an estimation of a value that can be substituted for MTTFd of each channel. AGAIN: “SISTEMA” WILL DO IT FOR YOU.
Limit for a single channel
In the formulae, for a single channel, don't use a value higher than 100 years, but you can use higher values for components. “SISTEMA” will limit them for you.
Hierarchical procedure to find MTTFd of a component:
Manufacturer’s data
Data bases
They are not mentioned in ISO 13849, but other safety standards mention them.
See from [49] at the end of the standard.
Methods in Annexes C and D
Ten years
Low, medium and high ranges
MTTFd of each channel:
Denotation   Range of each channel
Low          3 years ≤ MTTFd < 10 years
Medium       10 years ≤ MTTFd < 30 years
High         30 years ≤ MTTFd < 100 years
A.2.3 DCavg
DC
Diagnostic Coverage
Measure of the diagnostic effectiveness, given as the ratio between the probability of detected dangerous failures and the probability of total dangerous failures.
Definition 3.1.26 according to ISO 13849-1, adapted from 3.8.6 according to EN 61508-4.
Four levels have been set as per the table below for the system's diagnostic coverage value:
As the table shows, there are three key values in logarithmic distribution: 60 %, 90 % and 99 %.
60 %: it is empirically proven that a diagnostic covering less than 60 % of the system affects its reliability very little.
99 %: more than 99 % coverage is very difficult to achieve in complex systems.
There are DC estimating methods like the “FMEA failure mode and effects analysis” described in IEC 60812.
However, the tables in annex E of ISO 13849-1 may be used for a simplified estimate.
A.2.4 CCF
CCF estimate
Common Cause Failure
Failure of several elements as a result of a single event, where these failures are not a consequence of each other.
Failures occurring in more than one channel of a multi-channel system can cause system failure.
These are measures to prevent failures in both channels, in architectures of category 3 and 4. Annex F of UNE-EN ISO 13849-1 includes the table of measures (each one with its own rating), and the total must be higher than 65 points out of 100.
DC table (referred to in A.2.3):
Denotation   Range
None         DC < 60 %
Low          60 % ≤ DC < 90 %
Medium       90 % ≤ DC < 99 %
High         99 % ≤ DC
$DC = \dfrac{DD}{D_{total}}$
DD = Probability of detected dangerous failures
Dtotal = Probability of total dangerous failures
[Figure: CHANNEL 1 FAILURE, CHANNEL 2 FAILURE, CCF]
A.3 Introduction to categorization of architectures and behaviour. The case of category 3
Scope of this document
This document focuses on category 3 because it is the most feasible way to reach PL d. See the standard for the other categories. As category 3 also requires fulfilling the requirements of category B, we also show category B.
A.3.1 Requirements of category B
The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with:
the relevant standards
and using basic safety principles
13849-2, Annex D. Electrical systems, Table D.1. Fundamental safety principles.
for the specific application to withstand:
the expected operating stresses, e.g. the reliability with respect to breaking capacity and frequency,
the influence of the processed material, e.g. detergents in a washing machine, and
other relevant external influences, e.g.
mechanical vibration
electromagnetic interference
power supply interruptions or disturbances
Specific requirements for electromagnetic compatibility are found in the relevant product standards, e.g. IEC 61800-3 for power drive systems. For the functional safety of SRP/CS in particular, the immunity requirements are relevant. If no product standard exists, at least the immunity requirements of IEC 61000-6-2 should be followed.
A.3.2 Requirements of category 3
Requirements from category B
“Well-tried safety principles”
13849-2, Annex D.D.3. Electrical systems, Table D.2.
A single fault does not lead to the loss of the safety function
Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function
It does not mean that all faults will be detected.
Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine
Examples of practicable fault detection:
feedback of mechanically guided relay contacts
monitoring of redundant electrical outputs
Diagnostic coverage (DCavg) = low
At least “low”; if it is “medium”, a higher PFH will be reached
MTTFd of each channel = low-to-high, depending on the PLr.
CCF Annex F.
Category 3 system behaviour allows that
when the single fault occurs the safety function is always performed,
some but not all faults will be detected,
accumulation of undetected faults can lead to the loss of the safety function.
Architecture
[Figure: designated architecture for category 3. Key: I1, I2 input device, e.g. sensor; L1, L2 logic; O1, O2 output device, e.g. main contactor; im interconnecting means; m monitoring; c cross monitoring. Dashed lines represent reasonably practicable fault detection.]
A.4 Resulting PL
The “SISTEMA” tool will calculate the resulting PL, so you don't need to use the approximation of figure 5 of ISO 13849 (relationship between categories, DCavg, MTTFd of each channel and PL).
[Figure 5 key: PL performance level; 1 MTTFd of each channel = low; 2 MTTFd of each channel = medium; 3 MTTFd of each channel = high.]
ANNEX B
B Drawings for CNC 8055 and CNC 8065
Annex B describes cabling for:
the safety-related part (SRP/CS)
non-safety-related parts that make using the SRP/CS easier
ANNEX C
C FagorPLC_Door_SpeedLim_Routines
Routines on the FAGOR PLC that make using the SRP/CS easier.
C.1 Subroutines for milling machine with 8065
C.1.1 DOORS
This subroutine helps the CNC manage the 3 machine work modes.
There are 3 machine work modes: AUTOMATIC, SETUP, and SEMIAUTOMATIC.
AUTOMATIC mode
The doors may only be opened if the CNC is not in execution, S stopped, magazine/arm home and machine with power. If the door is open, neither the axes nor S can be moved, and it checks that the axes do not move.
SETUP mode
The doors may be opened if the CNC is not in execution, S stopped, magazine/arm home and machine with power.
With open door, the F is limited to F=2000 mm/min and S is limited to a maximum speed that allows stopping in 2 turns. It monitors that the S and F limits are not exceeded and that no more than one axis moves at a time.
With open doors and the enabling device pressed, it is possible to command S to turn and execute in MDI. Releasing the enabling device interrupts the execution and executes an M5 to stop the S.
With open doors and the enabling device pressed, only one axis can be moved in MDI or JOG modes (hand-wheel, continuous and incremental motions). Releasing the enabling device interrupts axis motion.
SEMIAUTOMATIC mode
The doors may be opened if the CNC is not in execution, S stopped, magazine/arm home and machine with power.
With open door, the F is limited to F=5000 mm/min and S is limited to a maximum speed that allows stopping in 5 turns. It monitors that the S and F limits are not exceeded.
With open doors and the enabling device pressed, it is possible to command S to turn and execute in MDI. Releasing the enabling device interrupts the execution and executes an M5 to stop the S.
With open doors and the enabling device pressed, axes can be moved in MDI or JOG modes (hand-wheel, continuous and incremental motions). Releasing the enabling device interrupts axis motion.
In any mode:
With open door, it cancels the jog spindle turning keys of the operator panel of the CNC; only the HBA has the control in SETUP mode or SEMIAUTOMATIC mode.
With open door, it is not possible to move the chip conveyor, the magazine or the changer arm.
C.1.2 LIMIT_F_SP1
This subroutine is used for limitation of F (feed-rate) and S (spindle speed).
In AUTOMATIC mode and with open doors, spindle(S) and axes(F) can not be moved.
In SETUP mode and with open doors, it limits:
The axis feed-rate F to 2000 mm/min
The spindle speed S to 500 rpm (spindle stops in less than 2 turns)
In SEMIAUTOMATIC mode and with open doors, it limits:
The axis feed-rate F to 5000 mm/min
The spindle speed S to 1000 rpm (spindle stops in less than 5 turns)
Cancel the rapid key:
If the doors are open and it is not in manual mode
If the axes have not been homed
C.2 Subroutines for turning machine with 8055
C.2.1 DOORS
This subroutine helps the CNC manage the 2 machine work modes.
There are 2 machine work modes: AUTOMATIC and SETUP.
AUTOMATIC mode:
The doors may only be opened if the CNC is not in execution, S and S2 stopped, turret not moving and machine with power. If the door is open, the axes can not be moved, and it checks that the axes do not move.
Both the main spindle S and the second spindle S2 can turn with a limit of 50 rpm while the door is open.
With open doors and the enabling device pressed, it is possible to command S and S2 to turn and execute in MDI. Releasing the enabling device interrupts the execution and executes an M5 to stop the S and S2.
SETUP mode:
The door may be opened if the CNC is not in execution, S stopped, turret not moving,machine with power.
With open door, the F is limited to F=2000 mm/min, the main spindle is limited to S=50 rpm and the live-tool spindle is limited to S2=50 rpm.
It monitors that the S, S2 and F limits are not exceeded, and that no more than 1 axis moves at a time.
With open doors and the enabling device pressed, it is possible to command S and S2 to turn and execute in MDI. Releasing the enabling device interrupts the execution and executes an M5 to stop the S and S2.
With open doors and the enabling device pressed, only one axis can be moved in MDI or JOG modes (hand-wheel, continuous and incremental motions). Releasing the enabling device interrupts axis motion.
In any mode:
With open door, it cancels the jog spindle turning keys of the operator panel of the CNC; only the HBA has the control in SETUP mode.
With open door, it is not possible to move the turret.
C.2.2 LIMIT_F_SP1
This subroutine is used for limitation of F (feed-rate), S (spindle speed) and S2 (live tool).
In AUTOMATIC mode and with open doors, axes can not be moved and spindle speeds are limited:
The spindle speed S, and S2 to 50 rpm
In SETUP mode and with open doors, it limits:
The axis feed-rate F to 2000 mm/min
The spindle speed S to 50 rpm
Cancel the rapid key:
If the doors are open and it is not in manual mode
If the axes have not been homed
ANNEX D
D Terms
CCF
See please annex A. Categories and PL
DCavg
See please annex A. Categories and PL
FMEA
Failure Modes and Effects Analysis
Lambda
1/MTTF
MTTFd
Mean Time To dangerous Failure
Units: hour
Mission Time
Period of time covering the intended use of an SRP/CS
Usually 20 years
You should substitute the component after its Mission Time has expired
PFH
Average frequency of a dangerous failure per hour according to IEC 61508-4
Units: 1/hour
PL
See please annex A. Categories and PL
PLr
PL required
SIL
Safety Integrity Level
Definition that IEC 62061 (Machinery) and IEC 61800-5-2 (Servo Drives) have inherited from the IEC 61508 series:
Discrete level (one out of a possible three) for specifying the safety integrity requirements of the safety-related control functions to be allocated to the SRECS, where safety integrity level three has the highest level of safety integrity and safety integrity level one has the lowest.
One definition of the possible three provided by the IEC 62061 standard on Machinery Safety. Some other standards inherited from the IEC 61508 series give up to 4 definitions.
Note. [IEC 61508-4, 3.5.6 modified]. SIL 4 is not considered in this standard, as it is not relevant to the risk reduction requirements normally associated with machinery. For requirements applicable to SIL 4, see IEC 61508-1 and IEC 61508-2.
SF
Safety Function
Function of the machine whose failure can result in an immediate increase of the risk(s)
SLS
Safe Limited Speed
STO
Safe Torque Off
SBC
Safe Brake Control
SRP/CS
Safety Related Part of Control Systems.
Part of a control system that responds to input signals and generates safety related output signals.
See please annex A. Categories and PL
Note. IEC 62061 uses the term SRECS: Safety-Related Electrical Control System
Fagor Automation S. Coop.
Bº San Andrés, 19 - Apdo. 144
E-20500 Arrasate-Mondragón, Spain
Tel: +34 943 719 200
+34 943 039 800
Fax: +34 943 791 712
E-mail: [email protected]
FAGOR AUTOMATION