sf03 - functional safety standards and the changing compliance landscape

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

PUBLIC INFORMATION

Functional Safety and the Changing Compliance Landscape

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechED 2

Agenda

Closing & Wrap-up

How can you confirm that you are compliant

Trends in Safety

OSHA Requirements

History of Safety

What is functional safety


History of Safety in USA

1877 – Massachusetts, required guarding of belts, shafts and gears

1890 – Nine US states required machine guarding

1930 – All US states had established job-related safety laws

1934 – Bureau of Labor Standards (F. D. Roosevelt - Frances Perkins)

Promote safety and health for working men and women

1970 – Occupational Safety and Health Act (William Steiger’s Act)

1981 – Lost Workday Incident Rates policy established by OSHA

1991 – EN 292 – Basic Concepts of Machine Safety

1996 – EN 954 and EN 1050 – Machinery Safety

3

Safety has been around long before OSHA and all states had laws to protect people in the 1930’s.


Agenda

Closing & Wrap-up


Trends in Safety

OSHA Requirements

History of Safety



In 1970 the William Steiger Act became law!

1970 Williams Steiger

Occupational Safety and Health Act

Purpose: The Congress declares it to be its purpose and policy ... to

assure so far as possible every working man and woman in the Nation safe

and healthful working conditions and to preserve our human resources.

Check out their website on www.osha.gov


Employer Requirements Defined by OSHA

OSHA requires that each employer shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees.

OSHA specifies minimal standards, and offers little, if any, assistance in compliance solutions.

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechED Copyri

ght ©

7

OSHA Enforcement - Section 6

(a) “...the Secretary shall...by rule promulgate as an occupational

safety or health standard

any national consensus standard, and

any established Federal standard,

unless he determines that the promulgation of such a standard would not result in improved safety or health for specifically designated employees…”

• The legal effect of incorporation by reference is that the material is treated

as if it were published in full in the Federal Register (5 U.S.C. 552(a)).

• When a national consensus standard is incorporated by reference in

one of the subparts, that standard is considered the law.

OSHA - Incorporation By Reference


8

Some key standards to recognize!

Initials Sponsoring Organization Scope

ANSI American National Standards Institute U.S.A.

AS Australia Standard Australia

ASME American Society of Mechanical Engineers U.S.A.

ASSE American Society of Safety Engineers U.S.A.

NR-12 Brazilian Safety Standard Brazil

CSA Canadian Standards Association Canada

EN European Norm European

Community

IEC International Electro-technical Commission Global

ISO International Organization for Standardization Global

NFPA National Fire Protection Association U.S.A.

GB Chinese Safety Standard China

PMMI Packaging Machinery Manufacturer’s Association U.S.A.

RIA Robotic Industries Association U.S.A.

In the US ANSI publishes a list of standards that must be followed. In Europe EN standards are

followed. There are also International standards that outline global requirements.


ght ©

OHSA/US Standards Hierarchy

OHSA Machine Safety

CFR29 Part 1910

Machine Safety - General Safety

Requirements

ANSI B11.0

Machine Safety - Principles for Risk

Assessment

ANSI B11.TR3

Machine Safety - Selection of

Programmable Electronic Systems

(PES/PLC) for Machine Tools

ANSI B11.19

Electrical equipment of machines

ANSI/NFPA 79


EN/ISO Machinery Directive & Standards Hierarchy

The Machinery Directive 2006/42/EC

Machine Safety - Basic concepts

EN/ISO 12100


Assessment

EN/ISO 14121

Machine Safety -

safety-related

parts of control

systems

EN/ISO 13849-1

Non-electrical and

simple electrical

Machine Safety - Electrical equipment of

machines

IEC 60204-1

Machine Safety -

Functional safety

of EEPES control

systems

IEC 62061


ght ©

EN/ISO and OHSA/ANSI Standards Hierarchy Comparison

OHSA Machine Safety

CFR29 part 1910

Machine Safety - General Safety

Requirements

ANSI B11.0


Assessment

ANSI B11.TR3

Machine Safety - Selection of

Programmable Electronic Systems

(PES/PLC) for Machine Tools

ANSI B11.19

Electrical equipment of machines

ANSI/NFPA 79

European Machine Directive 2006/42/EC

Machine Safety - Basic concepts

EN/ISO 12100


Assessment

EN/ISO 14121

Machine Safety -

safety-related

parts of control

systems

ISO 13849-1

Non-electrical and

simple electrical

Machine Safety - Electrical equipment of

machines

IEC 60204-1

Machine Safety -

Functional safety

of EEPES control

systems

IEC 62061


What does this mean to us? What are the steps?

Step 1 - Defines the

Requirements

Step 2 – Defines the

methods

to follow for risk

assessment & reduction


assessment process


requirements for electrical

design

The European & North American the machinery

directives & OSHA outline the general

requirements that shall be followed.

ANSI B11.0 & ISO12100 outline the

requirements for risk assessments and risk

reduction.

ANSI B11.19 & ISO13849 and IEC 62061

outline the design requirements of the safety

control system.

IEC/NEC/NFPA standard s address the design

requirements for electrical control panels.

Step 4 - Defines the

design requirements and

methods


Agenda

Closing & Wrap-up


Trends in Safety

OSHA Requirements

History of Safety



Trends in Safety

In recent years there has been a move towards globalizing & harmonizing safety standards. This has resulted in many countries adopting or referencing international standards.

The new standards are called “Functional Safety Standards” because they look at how well the safety system needs to perform.

Performance is now being measured in terms of Performance Levels and Safety Integrity Levels.

Employers and equipment manufacturers are encouraged to use risk assessments to determine the required system performance and are encouraged to do design verification calculations to verify that their design is adequate. (There was no way to do this in the past).


Evolution of Safety Systems

15 Copyright © Rockwell Automation, Inc. All rights reserved.

1960 1970 2000 Future1980 1990

You invest a safety system to protect people. You invest in advanced safety technologies to enhance

machine performance.

2010

Legacy• High Productivity

• Low Safety

• No Assessment

• No Guarding

Initial Safety• Lower Productivity

• Medium to High Safety

• Hazard Assessment

• Fixed Guarding

Modern Safety• High Productivity

• High Safety

• Risk Assessment

• Modern Guarding


Safety Standards of Yesterday

Withdrawn

EN 954

CATEGORY

FAULT TOLERANCE

DIAGNOSTICS

1999 2011Published


EN954-1 was withdrawn because it did not address modern technologies!

EN954-1 did not address all of the technologies that

exist today and did not tell us how to apply those

technologies in a safety-related way?

EN 954 was developed for basic electro-mechanical

devices & systems (Relays/Contactors/Etc.).

ISO 13849 & IEC 620161 are standards that were

developed for all technologies including solid-state

products. (Safety PLC’s/Controllers/Drives/Servo’s)17


Safety Standards of Today were published in 2005/6

EN954

Withdrawn

2011

2005/6Published

EN 954

CATEGORY

FAULT TOLERANCE

DIAGNOSTICS

IEC/EN 62061 SIL FSM

SYSTEMATIC

SRSEN ISO 13849 PL

RELIABILITY

FAULT TOLERANCE

DIAGNOSTICS


EN954

Withdrawn

2011

2005/6Published

EN 954

CATEGORY

FAULT TOLERANCE

DIAGNOSTICS

Dec 2016

IEC/IS

O

17305PL

The Safety Standard of the Future

DIAGNOSTICS

IEC/EN 62061 SIL FSM

SRS

SYSTEMATIC

RELIABILITY

FAULT TOLERANCE

EN ISO 13849 PL


Why are the 2 standards being combined?

Because there is overlap & duplication between the 2

standards.

To simplify the selection and design process.

To take advantage of the benefits of the 2 standards.

To have 1 uniform standard for global use.

ISO13849 IEC62016

IEC/ISO17305


Key Dates for 17305!

One Global Safety Standard

Initial Publication


There is also a new standard for door interlocking devices.

22

This happened because there are so many interlock device types and so many technologies as there was no direction for implementation or design.

The new standard outlines the requirements for the design& implementation of interlocking devices.


ISO14119 covers the requirements for selection,

installation, design and control of interlocking devices.

23


Agenda

Closing & Wrap-up


Trends in Safety

OSHA Requirements

History of Safety

Introduction to Functional Safety


ComplianceProductivityPerformance Profits

Functional safety is a new term that is being used in the industry to

look at how well the safety system needs to perform/function.

What is Functional Safety?


The Changing to Functional Safety

ISO 13849-1PL

IEC 62061SIL

ISO 13849-1 and IEC 62061 are known as functional safety standards.

These standards use terms like Performance Levels and Safety Integrity

Levels.


The differences in the new standards

Page

27

EN 954 EN ISO 13849 IEC 62061

Electrical Control

Circuits

Control circuits all technologies :

• Electrical/Electronic/Prog. Elec.

• Pneumatic

• Fluids

• Hydraulic

Control circuits all technologies :

• Electrical

• Electronic

• Programmable Electric

Safety Categories B,

1, 2, 3 & 4

Performance Levels PLa to PLe Safety Integrity Levels SIL1 to SIL3

SIL4 is not allowed for machine safety

Safety provided by

the structure of the

control circuit

Safety provided by:

• The architecture/categories

• The reliability/MTTFd, B10d

• The diagnostic coverage/DC

• Common causes failures/CCF

Safety provided by:

• The architecture/categories

• The reliability/MTTFd, B10d

• The Safe Failure Fraction/SSF

• Common causes failures/CCF

Draw a diagram

(schematic)

Draw a diagram, select components

& design verification

Draw a diagram, select the electrical

components & design verification


ght ©

ISO 13849-1 Explanation

ISO 13849-1 is the result of improvements to the old EN-954-1 standard. EN954 was developed for simple electro-mechanical devices. ISO13849 allows for the use of solid state devices!

ISO13849 introduces new design concepts that provide guidance on the design and integration of safety components to meet required performance levels (PLr).

Required Performance Levels (PLr) is determined by doing a risk assessment!

Category Performance Level

A performance Level is an improved Category!


Categories still exist but only as a subpart of ISO13849!

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechEDCopyright © Rockwell Automation, Inc. All rights reserved. 30

Categories are still the major piece of the puzzle

but there are additional factors.

30

CAT

B/1CAT 2

CAT 3 CAT 4 (higher diagnostic coverage that CAT 3)


Structure + Reliability + Monitoring = Safe

Systems

31

MTTFd Mean Time to Dangerous Failure

Low 0 -10 Years

Medium 10-30 Years

High 30-100 Years

DC Diagnostic Coverage = Detected Dangerous Failures / All Dangerous Failures

None DC > 60%

Low 60 < DC = 90%

Medium 90 < DC = 99%

High DC < 99%

We have to calculate Reliability and DC to verify the design.


a

b

c

d

ePer

form

ance

Lev

el

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Cat B Cat 1 Cat 2 Cat 2 Cat 3 Cat3 Cat 4

DC avg DC avg DC avg DC avg DC avg DC avg DC avg

<60% <60%

60% to <

90%

90% to <

99%

60% to <

90%

90% to <

99% 99%

Structure (Category)

Diagnostic Coverage (DC)

Reliability (MTTF)

Confirming PLr is achieved by…Balancing Structure, Reliability and Diagnostic Coverage


Agenda

Closing & Wrap-up


Trends in Safety

OSHA Requirements

History of Safety



By following the standards!

Companies have 2 choices when dealing with machine safety.

Choice 1 – Lock-out/Tag-out

(Also known as Energy Isolation)

Choice 2 – Alternative means

(Also known as Machinery Safety)


Most companies are mapping job tasks to

determine when to use LOTO or Alternative Means.

Machine Maintenance Regulation: Lockout / Tagout or

Energy Isolation

Requirement: Release stored energy

Tasks: Isolation of Mechanical / Electrical Equipment for Service and Maintenance

Production Operation Regulation: Machine Guarding or

alternative protection means

Requirement: Protect operators from machine production hazards

Tasks: Operator Interaction for Regular Machine Production

Alternative means can be used for production and minor servicing tasks if they are

routine, repetitive and integral to the operations of the machinery!.

Minor Servicing Exception

• minor jams, minor tool changes & adjustments, exchange

Regulation: Machine Guarding or alternative protection means

• Requirement: Protect operators from machine production

hazards when performing minor servicing

• Tasks: Minor servicing such as clearing of work piece, etc.

Minor Service

Exception to Lockout Tagout

Must provide alternative

Measures that offer effective protection


Lock-out/Tag-out or Energy Isolation Purpose

The purpose is to protect against the consequences of unexpected "energization" or start-up of mechanical systems, or the release of stored energy.

36

• An employee is required to remove or bypass a guard or other safety

device.

• Anytime an employee is required to place his or her body into a

hazardous area of a machine.

The standards say Lock-out Tag-out will be followed when:


There is an exception to Lock-out Tag-out!

Note of Exception:

Minor tool changes and adjustments, and other minor servicing activities, which take place during normal production operations, are not covered by this standard if they are routine, repetitive, and integral to the use of the equipment for production, provided that the work is performed using alternative measures which provide effective protection.

“Alternative Measures” include machine safeguarding and should be determined thru the use of a risk assessment.

37


What is Routine, Repetitive & Integral according to ANSI Z244.1!

When the tasks are routine, repetitive and integral to the production process or traditional lockout/tagout prohibits the completion of those tasks, alternative methods of control that provide effective personal protection shall be used.

Note: Tasks that are routine, repetitive and integral to production generally exhibit most of the following characteristics:

Short in duration

Relatively minor in nature

Occur frequently during the shift, day or week

Usually performed by operators, setup, service or maintenance personnel

Do not involve extensive disassembly

Represent predetermined cyclical activities

Expected to occur regularly

Minimally interrupt the production process

Exist even when optimal operating levels are achieved

Require task-specific personnel training

The reason for intervention is to sustain the machine, equipment or process continuity within the nominal performance range and output quality. This usually occurs when the machine, equipment or process is operating normally and the need for periodic service or adjustment is predictable.

38


ANSI also defines the requirements for the circuits that

are to be implemented!

As comprehensive as LO/TO may be, the standard also allows for both alternative methods and industry-specific examples to achieve worker safety.

Depending on circumstances and the type of equipment used, ANSI Z244.1 lists five alternative methods: engineered safeguards, warning and alerting techniques, administrative controls, training and personal protective equipment. The following describes the alternate use of dedicated safety equipment as a method to control hazardous energy.

ANSI Z244.1 defines a dedicated safety system as a system with dual-channel, low-voltage safety switches. It uses redundant circuits and monitoring by safety interface modules to provide control reliable operation.

39

This is the reason that many companies selected Category 3/PLd as a minimum unless otherwise determined by a risk assessment!


How do you apply alternative measures?

Alternative measures should be determined by the use of a safety or risk assessment.

The assessment will determine the task and hazard pairs.

The assessment will determine the required system performance .

The assessment will also suggest possible mitigation solutions.


The first step in the safety design process

is doing a Risk Assessment!

Risk Analysis to Determine the Requested Performance Level PLr.

For our example the result of S3+E2+A1 = High = PLd & Cat3.


The second step is determining the functional requirements of the system.

This would include determination of the possible mitigation techniques for every task in every mode of operation.

These mitigation techniques could include determination of the products that are required to deliver the mitigation technique.

These products are combined into Safety Functions that include input, logic and output devices.

Copyri

ght ©

+ + =Safety

Inputs

Safety

Logic

Devices

Safety

Outputs

Complete

Safety

Functions

A machine may have 1 or multiple Safety Functions depending on complexity and the required

performance.


The next step is selecting the components that are

required to complete each safety function.

43

Inputs Logic Outputs+ + =Complete

Safety

Function

Safety Functions are the result of the combination of input, logic and output components/hardware!

http://www.ab.com/industrialcontrols/products/push_buttons/touch-palm/images/800Z-GP-lg.gif

http://www.ab.com/industrialcontrols/products/push_buttons/touch-palm/images/800Z-GP-lg.gif

http://www.ab.com/industrialcontrols/products/relays_timers_and_temp_controllers/industrial_relays_and_timers/images/700s-p_med.jpg

http://www.ab.com/industrialcontrols/products/relays_timers_and_temp_controllers/industrial_relays_and_timers/images/700s-p_med.jpg


a

b

c

d

ePer

form

ance

Lev

el

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Designated

Architecture

Cat B Cat 1 Cat 2 Cat 2 Cat 3 Cat3 Cat 4

DC avg DC avg DC avg DC avg DC avg DC avg DC avg

<60% <60%

60% to <

90%

90% to <

99%

60% to <

90%

90% to <

99% 99%

Structure (Category)

Diagnostic Coverage (DC)

Reliability (MTTF)

The final step is Confirming the Required Performance Level (PLr) is achieved.


Agenda

Closing & Wrap-up


Trends in Safety

OSHA Requirements

History of Safety



The perspective has changed because the

methods have changed!

In the past OEM’s and End Users saw safety as counterproductive.

But now they believe that a properly implemented safety system

increases productivity and safety!


future

present

past

• Modular Relay Systems

and controllers

• Easy to Apply

• Easy to trouble-shoot

• Diagnostics at the relay and

at local diagnostic screens

• User friendly

• Safety Relays Systems

• Cumbersome

• Difficult to Apply

• Difficult to Trouble-shoot

• Diagnostics at the relay

• Often Bypassed

• Less Productive

The reason is that safety has evolved with new technologies.

• Safety PLC Systems

• Flexible

• Easy to Apply

• Easy to trouble-shoot

• Local diagnostics

• Task Oriented

• User friendly

New technologies and technique make machines safer and more productive!

Productivityenhancing!


Companies are combining safety and standard control into

smart systems that enhance performance.

In the past, safety and production control systems shared little, if any information

Harmonizing your safety and production control systems offer tremendous opportunities to improve productivity

Shared diagnostics on common HMI for faster troubleshooting

Safety system that changes parameters based on the state of the production system

Zone control to enable continued production flow when one zone is shut down

Better shut down and restart of production systems after a safety event

Operating

Equipment

Control

System

Safety

System

• A machine control strategy that includes both

safety and production control systems– Purpose of production system is to produce

– Purpose of safety system is to protect


Contemporary safety brings things together!

ControlLogix® chassis

PowerFlex® 755

Armor®

Block I/O

EtherNet/IP™

PV+ EOI

Safety

RelaySafety

Relay

Stratix 8000

E

T

A

P

POINT I/O™

Safety System

An ethernet

switch may

not be

required.

Safety

functionality

can now be

integrated

into

GuardLogix.

Data &

diagnostics

can be

displayed on

one HMI.

Benefits

Information enabled.

Fewer components.

Less training.

Streamlinedmaintenance.

Optimalconnectivity with multiple networks.

Kinetix®

6000

DeviceNet™

Safety relays

& contactors

may not be

required.

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechEDCopyright © 2011 Rockwell Automation, Inc. All rights reserved. 50

Rockwell Automation® Safety Services Overview

Present State Analysis & Budgetary Est.

Plant-wide Assessment

Remediation Estimate

Detailed Risk Assessment (Training)



1. Risk-based Prioritized Plan

2. Project Funding

Regional, BU, Global Plan

Common Processes

Standard & Modular Solution

Plant Level Plan

Unique or “1-off’s issues

A

D

C

E

B

Present State Analysis & Budgetary Est.



Detailed Risk Assessment (Training)



1. Risk-based Prioritized Plan

2. Project Funding

Regional, BU, Global Plan

Common Processes

Standard & Modular Solution

Plant Level Plan

Unique or “1-off’s issues

A

D

C

E

BSafe

Work

Place

GloballyNew

Equipment

Existing

Equipment

Competency

&

Capability

Effective Training comes over time in different formats

Global Safety Program with focus in 3 Key Areas Complete Mitigation Solutions

Scalable Solutions for compliance

• Optimized Financial

Performance

• Reduced Time to Implement

Risk Remediation Process for Existing Equipment

• Reduced Risk / Liability

• Superior Consistency

OEM Support Model for New Equipment Training Solutions to improve Safety Competency & Capability

• Assess the existing Competency of

plant personnel

• Provide a comprehensive safety

training portfolio

• OJT via Team-based Risk

Assessment

• Web-based Safety Resource

Center

• Webinars (live and archive)

• White Papers. Legislation,

others

• Risk Assessment Training

• TUV Training

Understand how OEMs Risk Assess /Compliance process today

Develop Corporate generic safety standards

Develop Standards by machine type for OEMs to follow

Pre-delivery validation the machine conforms to safety standards


Local Support worldwide for your safety needs!

Rockwell Automation is the global leader in safety products, services andSolutions an can help develop your roadmap to success.

Safe

Work

Place

GloballyNew

Equipment

Existing

Equipment

Competency

&

Capability

www.rockwellautomationteched.com

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Questions?

DeviceNet and EtherNet/IP are trademarks of the ODVA.

sf03 - functional safety standards and the changing compliance landscape

Technology

rockwell automation

rokteched history of

improved safety

machinery safety

osha osha

rokteched copyri

jobrelated safety laws

health standard