Functional Safety

Wayne Pearse
Safety Consultant
FSExpert (TÜV Rheinland, #203/13, Machinery)

Rev 5058-CO900C Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
Agenda

1. EU Machine Directive & Australian WHS Framework

2. ISO 13849

3. IEC 62061

4. Development Tools



EU Machine Directive 2006/42/EC

EU - Directive

EU-Directives define:
• Basic product requirements for health and safety protection of end users.
• Basic requirements for safe operation of machines and thus for health and safety of persons and quality of the environment.
• Minimum requirements for safety at work.

The directives require compliance with basic safety goals and for that purpose state basic and general safety requirements. It is not defined in detail how these safety goals shall be achieved.

Compliance with the standards is not mandatory, but it is a legal obligation to obey the EU directives.



European Harmonised Standards

• DEFINITION: a standard is a published specification that establishes a common norm and is a recognised document that defines good practice.
• A "European Harmonised Standard" is a standard that supports one or more European Directives as a practical method of guaranteeing the high level of protection for EU workers and citizens that is intended by the essential health and safety requirements (EHSRs) of the Directives. In order to maintain the objectives of the free market they must be common throughout the European Union.
  The use of standards is not mandatory, although some European Directives make direct reference to them and their application therefore becomes obligatory. There is always a presumption of conformity with the directives if a machine is built to the appropriate Harmonised Standards.
• European Standards (or Euro Norms) are identified by the letters "EN" and may be prefixed by the member state's standards authority when adopted. In the United Kingdom this prefix is BS (British Standards). Standards such as EN 62061 (BS EN 62061 in the UK) and AS (Australian Standard) 62061 in Australia are typical of the nomenclature.
European Standards for Safety of Machinery

Type A (basic and generic standards): general principles, risk assessment
• EN ISO 12100

Type B1 (generic safety aspects):
• Safety distances: EN ISO 13857
• Safety-related control systems: EN ISO 13849-1
• Arm/hand and approach speed: EN ISO 13855
• others

Type B2 (safeguards):
• Emergency stop: EN ISO 13850
• Electrical equipment: EN IEC 60204-1
• Electro-sensitive protective equipment: EN IEC 61496
• others

Type C (product standards, CEN):
• Woodworking machines: EN 691
• Industrial robots: EN ISO 10218
• Extruders: EN 1114
• Mechanical presses: EN 692
• Packaging machines: EN 415
• Rubber and plastics machinery: EN 201
• Hydraulic presses: EN 693
• Conveyor systems: EN 620
• Handling equipment: EN 619
• others



Harmonised Standard

• An EN standard becomes a harmonised standard as soon as its title is published in the Official Journal of the EU.
• All EU member states have accepted the standard prior to publication.
• The requirements stated in the standard are accepted by the EU member states and are considered sufficient to fulfil the basic safety and health requirements of the corresponding EU directive.
• A valid standard is not automatically a harmonised standard!
• Harmonised standards are listed on the internet, e.g.: http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/machinery/
WHS Legislation 2012

Framework of WHS Legislation 2012

• WHS (Work Health and Safety) Act 2011 (Commonwealth)
• WHS (Work Health and Safety) Plant Regulations 2011 (Commonwealth)
• WHS (Work Health and Safety) Code of Practice (COP) 2012 (Safe Work Australia)

Note: WA & VIC still not signed up to WHS.

Code of Practice
1. INTRODUCTION
Plant is a major cause of workplace death and injury in Australian
workplaces. There are significant risks associated with using plant and
severe injuries can result from the unsafe use of plant, including:
• limbs amputated by unguarded moving parts of machines
• being crushed by mobile plant
• sustaining fractures from falls while accessing, operating or
maintaining plant
• electric shock from plant that is not adequately protected or isolated
• burns or scalds due to contact with hot surfaces, or exposure to flames
or hot fluids.
Other risks include hearing loss due to noisy plant and musculoskeletal
disorders caused by manually handling or operating plant that is poorly
designed.



Code of Practice

1.1 THE MEANING OF KEY TERMS

Plant includes any machinery, equipment, appliance, container, implement


and tool, and includes any component or anything fitted or connected to any
of those things. Plant includes items as diverse as lifts, cranes, computers,
machinery, conveyors, forklifts, vehicles, power tools and amusement
devices.
Plant that relies exclusively on manual power for its operation and is
designed to be primarily supported by hand, for example a screw driver, is
not covered by the WHS Regulations. The general duty of care under the
WHS Act applies to this type of plant.
Certain kinds of plant, such as forklifts, cranes and some pressure
equipment, require a licence from the WHS regulator to operate and some
high-risk plant must also be registered with the WHS regulator.



Code of Practice

1.1 THE MEANING OF KEY TERMS


Competent person means a person who has acquired through training,
qualification or experience the knowledge and skills to carry out the task.
A competent person has a more specific meaning in the following
circumstances:
• For design verification, the person must have the skills,
qualifications, competence and experience to design the plant or
verify the design.
• For inspection of plant for registration purposes the person must
have:
o educational or vocational qualifications in an engineering
discipline relevant to the plant being inspected, or
o knowledge of the technical standards relevant to the plant being
inspected.



TÜV Rheinland Group

Worldwide presence: as an international service group, they document the safety and quality of new and existing products, systems and services.
• 61 countries
• 490 sites
• approx. 13,300 employees worldwide

TÜV (Technischer Überwachungs-Verein), literally "Technical Watch-Over Association": a German certifying body involved with product safety for the European community.



Code of Practice
1.3 OTHER PERSONS WITH DUTIES RELATED TO PLANT
Designers, manufacturers, suppliers, importers and installers of plant must also ensure, so
far as is reasonably practicable, that the plant is without risks to health and safety.
Designers
The safe design of plant plays a critical role in eliminating hazards and risks before plant is
introduced in the workplace.
Manufacturers
Manufacturers have a duty to ensure, so far as is reasonably practicable, that the plant is
manufactured to be without risks to workers throughout the lifecycle of the plant.
Importers and suppliers
Importers of plant from outside Australia must take all reasonable steps to obtain information
from the manufacturer and then pass this information on when supplying the plant. If this is
not available importers must carry out, or arrange the carrying out of, any calculations,
analysis, testing or examination that may be necessary to ensure, so far as is reasonably



International and Australian Standards

Standards - EN, ISO and IEC

EXAMPLES:

Type A
• EN ISO 12100 - Safety of machinery. Basic terminology and methodology
• EN ISO 14121 - Safety of machinery. Risk assessment

Type B
• EN ISO 13849-1 - Safety related parts of control systems
• EN ISO 13850 - Emergency stop function
• EN / IEC / AS 62061 - Functional safety of electrical control systems
• EN / IEC / AS 60204-1 - Safety of machinery. Electrical equipment
• EN 574 / ISO 13851 - Two hand controls

Type C
• EN ISO 2860 - Earth moving machinery
• EN ISO 8230 - Safety requirements for dry-cleaning machines


Australian Standards AS4024-1

Machine Safety

What is Safety? - Industry Definition

Safety is the freedom from unacceptable risk of physical injury or damage to the health of people, either directly, or indirectly as a result of damage to property or the environment.



Why Do You Implement a Safety System?

• Protect people and equipment
• Mitigate risk: legal requirements, insurance premiums, fines, healthcare costs, litigation costs, labor grievances
• Comply with standards
• Global competitiveness: required for entry to markets



Solving the Problem

Safety Life Cycle:
1. Hazard or Risk Assessment
2. Functional Requirements
3. Design & Verification
4. Installation & Validation
5. Maintain & Improve

42% of safety control accidents are traceable to the design & specification stage; 28% are traceable to changes.

System design based on integrating safety & machine functionality.


What Is Functional Safety?

• Functional Safety (FS) of machinery concerns those parts of the machine control system that ensure the safety of personnel and machinery.
• An example of functional safety is a simple interlock circuit. The safety function could be described as follows: when the safety gate is opened, the relay detects the SensaGuard outputs going low and de-energises the contactors, thus stopping the associated motor.
Evolution of Safety Systems (1960 to 2010 and beyond)

• Legacy: high productivity, low safety, no assessment
• Initial safety: lower productivity, medium to high safety, hazard assessment
• Modern safety: high productivity, high safety, risk assessment

You invest in a safety system to protect people.
You invest in advanced safety technology to enhance machine performance.
Modern Safety Thinking

• It's a culture; it's a process; it's a design philosophy.
• It is a combination of people, systems, technologies and work habits.
• It is a systematic approach, not a component approach!
• For machine and process safety it is a lifecycle: from system concept, through risk assessment, verification & design, install, commissioning & validation, operations and decommissioning.

Safety specifications drive the safety lifecycle.



Overview ISO 12100:2010

ISO 12100:2010

• Safety of machinery — General principles for design — Risk assessment and risk reduction (ISO 12100:2010)

Note: ISO 12100:2010 combines ISO 12100-1, ISO 12100-2 and ISO 14121-1 into one document. All three standards are compiled into one document with no editorial changes other than to cross-references.



Terms and Definitions ISO 12100:2010

• 3.1 machinery: assembly, fitted with or intended to be fitted with a drive system, consisting of linked parts or components, at least one of which moves, and which are joined together for a specific application.
• 3.2 reliability: ability of a machine or its components or equipment to perform a required function under specified conditions and for a given period of time without failing.
• 3.5 harm: physical injury or damage to health.
• 3.6 hazard: potential source of harm.
• 3.12 risk: combination of the probability of occurrence of harm and the severity of that harm.
• 3.13 residual risk: risk remaining after protective measures have been taken.
• 3.19 protective measure: measure intended to achieve risk reduction.
• 3.21 safeguarding: protective measure using safeguards to protect persons from the hazards which cannot reasonably be eliminated or from the risk which cannot be sufficiently reduced by inherently
• 3.27 guard: physical barrier, designed as part of the machine, to provide protection.
• 3.28 protective devices: safeguards other than guards.



Terms and Definitions ISO 12100

• Definitions 3.28.1 to 3.28.9 are new additions.
• 3.30 safety function: function of a machine whose failure can result in an immediate increase of the risk(s), i.e. harm.
• 3.33 fault: the state of an item characterised by inability to perform a required function.
• 3.34 failure: the termination of the ability of an item to perform a required function.
• 3.35 common cause failure: failures of different items, resulting from a single event, where these failures are not consequences of each other.
• 3.36 common mode failure: failures of items characterised by the same fault mode.



Subclause 5 Risk Assessment

• 5 General requirements for risk assessment
• 5.1 General: this section specifies the general requirements for a risk assessment and should be reviewed for general knowledge and understanding, because all three standards (ISO 13849, IEC 62061, IEC 61508) reference the requirements for performing a risk assessment. The Machinery Directive and most US and Australian standards also require a risk assessment to be performed.
• Risk assessment comprises (see Figure 1) risk analysis, consisting of
  1. determination of the limits of the machinery (see 5.3),
  2. hazard identification (see 5.4 and Annex B), and
  3. risk estimation (see 5.5),
  followed by risk evaluation (see 5.6).
• Risk analysis provides the information required for the risk evaluation, which in turn allows judgements to be made about whether or not risk reduction is required.



Subclause 5 ISO 12100:2010

5.3 Determination of limits of machinery:
• 5.3.3 Space limits: aspects to consider, e.g. operator adjacent to the machine, operator locations, energy sources associated with the machine
• 5.3.4 Time limits: mission time of the machine and associated service intervals
• 5.3.5 Other limits: consideration of limits such as environmental, housekeeping, quality assurance, etc.

5.4 Hazard identification: after determination of the limits of the machinery, the essential step in any risk assessment of the machinery is the systematic identification of reasonably foreseeable hazards (permanent hazards and those which can appear unexpectedly), hazardous situations and/or hazardous events during all phases of the machine life cycle, considering:
• human interaction during the whole life cycle of the machine
• possible states of the machine
• unintended behaviour of the operator or reasonably foreseeable misuse of the machine



Risk determination, assessment and reduction

Each risk has to be reduced to an acceptable extent!

(Risk assessment figure)
Risk Assessment – EN 954-1 / AS 4024.1

Risk graph according to EN 954-1 / AS 4024.1 (ISO 13849-1:1999):

• Severity of injury
  • S1: slight (usually reversible) injury
  • S2: serious (usually irreversible) injury, including death
• Frequency and/or exposure time to the hazard
  • F1: seldom to less often and/or short duration of exposure
  • F2: frequent to continuous and/or long duration of exposure
• Possibility of avoiding the hazard
  • P1: possible under certain conditions
  • P2: almost impossible

Outcome: choice of category B, 1, 2, 3 or 4 for the safety-related parts of controls.

Subclause 5 ISO 12100:2010

• 5.5.2.1 Elements of risk: the elements of risk are shown in Figure 3. Additional details are given in 5.5.2.2, 5.5.2.3 and 5.5.3.



Parameters at the Risk Analysis AS 62061 (six figure slides; the parameter tables are not reproduced in this text)

Example form for SIL assignment 62061 (figure)


Risk Assessment – The Foundation

Risk graph: for each task/hazard, estimate S, F and P to obtain the required Performance Level, PLr.

S = Severity (S1, S2)
F = Frequency or duration of exposure (F1, F2)
P = Avoidance probability (P1, P2)

S1, F1, P1 -> PL a   (low contribution to risk reduction)
S1, F1, P2 -> PL b
S1, F2, P1 -> PL b
S1, F2, P2 -> PL c
S2, F1, P1 -> PL c
S2, F1, P2 -> PL d
S2, F2, P1 -> PL d
S2, F2, P2 -> PL e   (high contribution to risk reduction)

• Provides the safety Performance Level as the design target
• Creates the foundation of the safety system functional requirements, system design and validation protocol
• Shows "due diligence" and compliance to global standards



Implications of These Changes in the EU

How does this affect me?
• Large multi-national end-users typically have a global safety policy, therefore they prefer their machines to be compliant with international standards.
• For machinery to be put into service internationally it may be required to demonstrate compliance with directives, regulations or other region-specific requirements. The simplest method is to follow harmonised safety standards.
• Harmonised safety standards offer a presumption of conformity with directives, regulations or other region-specific requirements.

Global OEMs and our global account end users are already specifying Functional Safety Standards.
What's Up with EN 954 / AS 4024-1?

• The standard provided the safety requirements and guiding principles for the design and integration of safety-related parts of control systems.
• The problem with EN 954 was that it was viewed as an over-simplification of safety concepts that were very subjective or qualitative. The standard failed to force designers to assess the reliability of the safety components.
• The superseding Functional Safety standards add quantitative calculations to the qualitative requirements of the previous standard as a way to factor in the likelihood of failure of any component that is part of the safety system.
• A risk assessment is still necessary to determine the requirements of the risk reduction strategy.

New Global Standards = More Opportunity

ISO 13849-1 and IEC 62061 touch performance, productivity, sustainability, time-to-market, information, compliance, development costs and operations & maintenance costs.



Safety Related Parts of a Control System (SRP/CS)

• The safety function consists of an input device, a logic solver and an output device (final control device):
  INPUT -> LOGIC SOLVER -> OUTPUT
• The components in the circuit are referred to as the Safety Related Parts of the Control System (SRP/CS).
• The design of the safety function is governed by specific safety standards.
• EN 954 is the "old" standard for safety-related parts of control systems. EN 954 has been withdrawn as of January 1, 2012.

Functional Safety Standards

Application                                    Standard                                   Rating
GENERIC electrical control systems             IEC / EN / AS 61508 (top-level standard)   SIL (Safety Integrity Level)
PROCESS electrical control systems             IEC / AS 61511                             SIL
MACHINERY electrical control systems           IEC / EN / AS 62061:2006                   SIL
MACHINERY control systems (all technologies)   ISO 13849-1:2008 (replaces EN 954-1)       PL (Performance Level)

ISO 13849-1:2008 or IEC / EN / AS 62061
Both address the functional safety of machinery control systems.

ISO 13849-1:2008:
• Can the system be designed simply using the designated architectures?
• Will the system include technologies other than electrical, e.g. hydraulics, pneumatics?
If the answer to either question is YES, select ISO 13849-1:2008.

IEC / EN / AS 62061:2006:
• Are there complex safety functions, e.g. depending on complex logic decisions?
• Will the system require validation to SIL, e.g. a safety PLC or programmable system?
If the answer to either question is YES, select IEC 62061.

You can choose the most suitable standard for your use:
• Two methods to achieve the same goal of risk reduction
• EN ISO 13849-1:2008 is the usual choice
Safety Categories Are Being Replaced

• EN 954 (Categories) only remained valid until December 31, 2011 in the EU.
• SIL and PL assessment require more information and calculation than Categories; it is not a direct conversion!

ANSI required circuit performance        EN 954 category   ISO 13849-1:2008 PL   IEC 62061 SIL
Simple (4.5.1)                           Category B        PL a                  -
Single channel (4.5.2)                   Category 1        PL b                  SIL 1
Single channel with monitoring (4.5.3)   Category 2        PL c                  SIL 1
Control reliable (4.5.4)                 Category 3        PL d                  SIL 2
Control reliable (4.5.4)                 Category 4        PL e                  SIL 3

Note: intended to show approximate equivalency for guidance only; attaining the corresponding PL or SIL requires more information and calculation based on several additional factors.
Per ANSI B11.19, Control Reliable is equivalent to PL d and Cat 3.
System Requirements – Old vs. New

EN 954 / AS 4024-1 compared with ISO 13849-1 (two figure slides): Functional Safety standards bring additional requirements.
Types of Categories (Structure) per ISO 13849

Cat B/1, Cat 2, Cat 3, Cat 4 (Cat 4 has higher diagnostic coverage than Cat 3). Architecture figures not reproduced in this text.
The New, Additional Requirements

MTTFd, Mean Time To dangerous Failure (per channel):
• Low: 3 to <10 years
• Medium: 10 to <30 years
• High: 30 to 100 years

DC, Diagnostic Coverage = detected dangerous failures / all dangerous failures:
• None: DC < 60%
• Low: 60% ≤ DC < 90%
• Medium: 90% ≤ DC < 99%
• High: DC ≥ 99%

CCF, Common Cause Failure: two or more separate faults having a common cause shall be considered as a single fault.

Overview of ISO 13849-1:2008

International standards concerning the functional safety of machinery control systems

• Scope of the various generic standards concerning functional safety (figure).
• SRP/CS: safety-related parts of a control system; SRECS: safety-related electrical control system.
• SIS: safety instrumented system; E/E/PES: electrical/electronic/programmable electronic system.



What is a Performance Level (PL)?

  Hardware fault tolerance: Categories (structure) B, 1, 2, 3, 4
+ Measures to avoid systematic failures (QM)
+ Reliability of the hardware: Mean Time To dangerous Failure (MTTFd)
+ Quality of the diagnostic measures: DC (Cat. 2 and higher)
+ Sufficient measures against Common Cause Failures (CCF)
= Performance Level (PL) a, b, c, d or e according to ISO 13849-1



Steps in the design process

ISO 13849-1/2                                  IEC 62061
Terminology                                    Terminology
Performance Levels, PL (a to e)                Safety Integrity Level, SIL (1 to 3)
Categories                                     Hardware Fault Tolerance, HFT (0 to 2)
Mean Time to dangerous Failure, MTTFd          Probability of dangerous Failure per Hour, PFHD
Diagnostic Coverage, DC                        Diagnostic Coverage, DC
Common Cause Failure, CCF                      Safe Failure Fraction, SFF
                                               Common Cause Failure, CCF

Design requirements for the electrical safety of the machine: IEC / AS 60204 and NFPA 79.

Iterative process to identify, design, verify and validate the requirements of the safety-related parts of a control system.



Risk Graph -> Performance Level

S = Severity (S1, S2); F = Frequency or duration of exposure (F1, F2); P = Avoidance probability (P1, P2).

S1, F1, P1 -> PLr a   (low contribution to risk reduction)
S1, F1, P2 -> PLr b
S1, F2, P1 -> PLr b
S1, F2, P2 -> PLr c
S2, F1, P1 -> PLr c
S2, F1, P2 -> PLr d
S2, F2, P1 -> PLr d
S2, F2, P2 -> PLr e   (high contribution to risk reduction)

Must be determined for each safety function!
Levels of MTTFd and DC

• Three levels of Mean Time To dangerous Failure (MTTFd):
  • Low: 3 ≤ MTTFd < 10 years
  • Medium: 10 ≤ MTTFd < 30 years
  • High: 30 ≤ MTTFd ≤ 100 years
• Four levels of Diagnostic Coverage (DC):
  • None: DC < 60%
  • Low: 60% ≤ DC < 90%
  • Medium: 90% ≤ DC < 99%
  • High: DC ≥ 99%
• Common Cause Failure (CCF): must achieve ≥ 65 points for Cat 2, 3 and 4 circuits. Not required for Cat B or 1.



Performance level estimation

What is the PLr required? What does that mean?
You must choose the most suitable combination of structure (Category), reliability (MTTFd), diagnostics (DC) and Common Cause Failure (CCF) measures.



Steps the system designer must take

ISO 13849-1:2008:
• low complexity / simple systems
• electrical, mechanical, pneumatic and hydraulic safety systems
• Performance Levels a to e
• Categories B, 1, 2, 3 and 4: be able to define and determine the category requirements for all categories; must recognise them on site and be able to define the characteristics of each category
• Establish MTTFd: must know how to calculate MTTFd data for electromechanical and electronic safety functions
• Diagnostic Coverage: must be able to determine both individual component DC and the average DC for the safety function
• Evaluate CCF: must be able to declare CCF for safety functions
• Review systematic failure: see Annex G for more information



Relationship between PL and SIL

Performance level (PL)   Average probability of a dangerous failure per hour, PFHd [1/h]   Safety Integrity Level (SIL)
a                        ≥ 10^-5 to < 10^-4                                                 no special safety requirements
b                        ≥ 3 × 10^-6 to < 10^-5                                             1
c                        ≥ 10^-6 to < 3 × 10^-6                                             1
d                        ≥ 10^-7 to < 10^-6                                                 2
e                        ≥ 10^-8 to < 10^-7                                                 3

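The steps the slides describe, estimating PLr from the risk graph, classifying a channel's MTTFd, DC and CCF score, and reading the achieved PL against the PLr and the PFHd/SIL bands, are carried through below as an added Python example. It is not part of the original deck and is not a Rockwell tool. The risk graph, the MTTFd/DC bands, the 65-point CCF threshold and the PL/PFHd/SIL table are the ones on the slides; the Category + MTTFd + DCavg to PL lookup (`TABLE7`) is the simplified procedure of ISO 13849-1:2008 Table 7, which the slides refer to but do not reproduce. The function names and the sample inputs in the `__main__` block are mine.

```python
"""Required vs. achieved Performance Level per ISO 13849-1:2008.

Added example, not code from the slides or from Rockwell. RISK_GRAPH, the
MTTFd/DC bands, the 65-point CCF threshold and PFHD_BANDS are as shown on the
slides; TABLE7 is the simplified procedure of ISO 13849-1:2008 Table 7, which
the slides refer to but do not reproduce. Function names are my own.
"""
from __future__ import annotations

from typing import Optional

PL_ORDER = "abcde"  # PL a is the lowest, PL e the highest contribution to risk reduction

# Risk graph: (S, F, P) -> PLr.  S1/S2 severity, F1/F2 frequency or duration of
# exposure, P1/P2 possibility of avoiding the hazard.
RISK_GRAPH: dict[tuple[int, int, int], str] = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# PL -> (PFHd lower bound inclusive, upper bound exclusive, SIL); None = no SIL.
PFHD_BANDS: dict[str, tuple[float, float, Optional[int]]] = {
    "a": (1e-5, 1e-4, None),
    "b": (3e-6, 1e-5, 1),
    "c": (1e-6, 3e-6, 1),
    "d": (1e-7, 1e-6, 2),
    "e": (1e-8, 1e-7, 3),
}

# Simplified procedure (ISO 13849-1:2008 Table 7; assumption, not on the slides):
# (Category, DCavg level) -> {MTTFd level of each channel: PL}; None = not permitted.
TABLE7: dict[tuple[str, str], dict[str, Optional[str]]] = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def required_pl(s: int, f: int, p: int) -> str:
    """PLr from the risk graph; each parameter is 1 or 2."""
    try:
        return RISK_GRAPH[(s, f, p)]
    except KeyError:
        raise ValueError("S, F and P must each be 1 or 2") from None


def mttfd_level(years: float) -> Optional[str]:
    """Three bands from the slides; below 3 years a channel is not acceptable."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"  # the standard caps the usable value at 100 years


def dc_level(dc: float) -> str:
    """Four bands from the slides; dc is a fraction, e.g. 0.95 for 95%."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def achieved_pl(category: str, mttfd_years: float, dcavg: float,
                ccf_points: int) -> Optional[str]:
    """PL reached by the SRP/CS of one safety function, or None when the
    combination is not permitted (CCF < 65 points for Cat 2-4, MTTFd < 3 years,
    or a Category/DCavg pairing that Table 7 does not allow)."""
    if category in ("2", "3", "4") and ccf_points < 65:
        return None
    level = mttfd_level(mttfd_years)
    row = TABLE7.get((category, dc_level(dcavg)))
    if level is None or row is None:
        return None
    return row[level]


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Map a calculated PFHd [1/h] to its PL band; None if outside the table."""
    for pl, (lo, hi, _sil) in PFHD_BANDS.items():
        if lo <= pfhd < hi:
            return pl
    return None


def pl_to_sil(pl: str) -> Optional[int]:
    return PFHD_BANDS[pl][2]


def meets_plr(achieved: Optional[str], required: str) -> bool:
    """True when the achieved PL is at least the required PL."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


if __name__ == "__main__":
    # Constructed case: serious injury, seldom exposure, avoidance almost impossible.
    plr = required_pl(2, 1, 2)                        # PL d
    pl = achieved_pl("3", 45.0, 0.95, ccf_points=80)  # Cat 3, MTTFd high, DC medium -> PL d
    print(f"PLr={plr} achieved={pl} SIL={pl_to_sil(pl)} ok={meets_plr(pl, plr)}")
```

`achieved_pl` returns `None` rather than a low PL whenever the standard's preconditions are not met, so a missing CCF score or a Cat 2 design with DC below 60% cannot silently pass as "PL a"; the caller has to treat `None` as "redesign", not as a result.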


Structure

Typical safety function diagram:
  INPUT (sensing element) -> LOGIC SOLVING (control element) -> OUTPUT (final element or actuator)

The machine designer shall select an architecture that will meet the needs of the safety function: Cat B, 1, 2, 3 or 4.



Calculations for Electro-Mechanical Components

• $B_{10d}$ = number of cycles at which 10% of the components have failed dangerously
• $d_{op}$ = number of days per year when the machine is operational
• $h_{op}$ = number of hours per day the machine is operational
• $t_{cycle}$ = mean time in seconds between the beginning of two consecutive cycles of the component

To be determined:

• Number of switching cycles per year:
$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 3600\,\mathrm{s/h}}{t_{cycle}}$$

• Operation time of the component until it fails dangerously:
$$T_{10d} = \frac{B_{10d}}{n_{op}}$$

• Mean time to dangerous failure:
$$MTTF_d = \frac{B_{10d}}{0.1 \cdot n_{op}}$$



Two Types of Failure Data

• Mechanical or electromechanical: failure is dependent on load and operating frequency.
  • B10d: number of operations at which 10% of the sample has failed to danger.
• Electronic: failure is dependent on temperature and time.
  • MTTFd or PFHd: mean time to dangerous failure, or probability of dangerous failure per hour.
  • MTTFd ≈ 1 / PFHd (PFHd is per hour, so the result must be converted from hours to years).
• These must be converted to one data type to complete the analysis: B10d is converted to MTTFd.

Average probability of dangerous failures

Application Examples - EN ISO 13849-1

Emergency Stop – PL b

Evaluation of Functional Safety - Example 1:
Emergency stop, Performance Level b

 Single-channel emergency stop (one contact)
 Safety relay as logic block L (SRECS / SRP/CS)
 K3 can be switched on only when the ES switch has been released

From risk analysis: PLr = PL b

Example 1:ES, Performance Level b

Safety function (SF): when the ES button is pressed, switch off the motor with K3.
Dangerous failure of the SF: K3 does not switch off the motor when the ES button is pressed.

Blocks to be evaluated (ES button -> Logic -> K3), for each: Cat, MTTFd, DC, PL.

Safety Loop

What must be considered?

 EN ISO 13849-1, clause 3.1.1, Note 1: the combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).

 Consequently the motor itself is not part of the SRP/CS and is not considered in the calculation.

Functional Safety Data

Device information

 Logic unit, from manufacturer: Cat 3, MTTFd = 200 a, DC = medium, PL d
 ES device, EN ISO 13849-1 (Table C.1): B10d = 6,050
 Contactor, EN ISO 13849-1 (Table C.1): B10d = 2,000,000
 Application specific: 2 demands per year; mean time between two demands (successive cycles): 0.5 a = 15,768,000 s

ISO 13849 Table C.1

Determination of MTTFd for Electro-mechanical Components (B10d)

  MTTFd = B10d / (0.1 × nop)
  nop = (dop × hop × 3600 s/h) / tcycle
  T10d = B10d / nop

nop     mean number of annual operations
hop     mean operation, in hours per day
dop     mean operation, in days per year
tcycle  mean time between the beginning of two successive cycles of the component (e.g. switching of a valve), in seconds per cycle
T10d    mean time until 10 % of the components fail dangerously

The mission time of the component is limited to T10d!
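The chain of formulas on this slide (nop, T10d, MTTFd) carried through in Python for the presentation's own numbers, as an added example that is not part of the original slides. It uses the Example 1 duty cycle (2 demands per year) and the Example 3 duty cycle (250 d/a, 8 h/d, one cycle per hour), and adds a constructed fast-cycling valve to show the check the mission-time note calls for: the 20-year mission time is an assumption (the usual EN ISO 13849-1 value), and a component whose T10d is shorter than it must be replaced before T10d, however large its MTTFd looks.

```python
"""ISO 13849-1 electromechanical data: nop, T10d and MTTFd from B10d.

Added worked example, not code from the slides. The duty cycles are the slides'
own (Example 1: 2 demands/year; Example 3: 250 d/a, 8 h/d, one cycle per hour);
the fast-cycling valve at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_HOUR = 3600
MISSION_TIME_YEARS = 20.0   # assumed mission time (the usual EN ISO 13849-1 value)


@dataclass(frozen=True)
class DutyCycle:
    """Application-specific operating profile of one component."""
    d_op: float        # mean operating days per year
    h_op: float        # mean operating hours per day
    t_cycle_s: float   # mean seconds between two successive cycles

    def n_op(self) -> float:
        """Mean number of annual operations: nop = dop * hop * 3600 / tcycle."""
        return self.d_op * self.h_op * SECONDS_PER_HOUR / self.t_cycle_s


def t10d_years(b10d: float, n_op: float) -> float:
    """T10d = B10d / nop: years until 10 % of the population has failed dangerously.

    This is also the upper limit of the component's mission time.
    """
    return b10d / n_op


def mttfd_years(b10d: float, n_op: float) -> float:
    """MTTFd = B10d / (0.1 * nop); written as 10 * B10d / nop so the result stays exact."""
    return 10.0 * b10d / n_op


def mission_time_ok(b10d: float, n_op: float, mission_years: float = MISSION_TIME_YEARS) -> bool:
    """True if the component can stay in service for the whole mission time without replacement."""
    return t10d_years(b10d, n_op) >= mission_years


def evaluate(name: str, b10d: float, duty: Optional[DutyCycle] = None,
             n_op: Optional[float] = None) -> dict:
    """Run the whole chain for one component; nop may be given directly (as in Example 1)."""
    if n_op is None:
        if duty is None:
            raise ValueError("either a duty cycle or nop is required")
        n_op = duty.n_op()
    return {
        "component": name,
        "n_op_per_year": n_op,
        "T10d_years": t10d_years(b10d, n_op),
        "MTTFd_years": mttfd_years(b10d, n_op),
        "mission_time_ok": mission_time_ok(b10d, n_op),
    }


if __name__ == "__main__":
    # Example 1 contactor K3: 2 demands/year, B10d = 2,000,000  ->  MTTFd = 10,000,000 a
    print(evaluate("K3 (Example 1)", 2_000_000, n_op=2))
    # Example 3: 250 d/a x 8 h/d, one cycle per hour  ->  nop = 2,000 /a
    gate = DutyCycle(d_op=250, h_op=8, t_cycle_s=3600)
    print(evaluate("S1/S2 position switch", 25_000_000, duty=gate))   # MTTFd = 125,000 a
    print(evaluate("K3/K4 contactor", 2_000_000, duty=gate))          # MTTFd = 10,000 a
    # Constructed valve cycling every 10 s: MTTFd comes out at about 5.8 a and
    # T10d at about 0.58 a, far below 20 years, so the valve needs scheduled replacement.
    valve = DutyCycle(d_op=300, h_op=16, t_cycle_s=10)
    print(evaluate("pneumatic valve (constructed)", 1_000_000, duty=valve))
```

The valve case is the one SISTEMA flags in practice: the MTTFd figure alone says nothing about how long the part may stay installed, so T10d has to be compared with the mission time for every B10d component.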

Determination of nop and MTTFd

 nop for ES device and contactor: nop = (dop × hop × 3600 s/h) / tcycle
 nop = 2 demands/year

 MTTFd for ES device and contactor: MTTFd = B10d / (0.1 × nop)
 ES: if the given number of cycles (B10d = 6,050) is not exceeded, a fault exclusion can be made for the direct opening contact and the mechanics.
 MTTFd_ES = ∞
 MTTFd_Contactor_ES = 2,000,000 / (0.1 × 2 [1/a]) = 10,000,000 a

Determination of DC
EN ISO 13849-1, Table E.1
 ES-Device
 Diagnosis not necessary because of the fault exclusion.

 Logic Unit
 DCL = med

 Contactor
 No diagnosis implemented: DCContactor = none

EN ISO 13849 Annex E -Table E.1 (Inputs)

EN ISO 13849 Annex E -Table E.1(Logic)

EN ISO 13849 Annex E –Table E.1(Outputs)

Determination of the max. PL of the Subsystems
according to EN ISO 13849-1, Table E.1
 ES device: Cat 1, MTTFd = high, DC = not required (fault exclusion) -> max. PL c
 Logic unit: information from manufacturer -> max. PL d
 Contactor: Cat 1 (well-tried component), MTTFd = high, DC = none -> max. PL c

Consideration of Functional Safety - Example 1:
ES, Performance Level b
Safety function: when the ES button is pressed,
 process the information
 switch off the motor with K3
 switch on again only if the safety loop is o.k.

ES button:  Cat 1, MTTFd = ∞ (fault exclusion), PL = c
Logic:      Cat 3, MTTFd = 200 a, DC = medium, PL = d
K3:         Cat 1, MTTFd = 10,000,000 a, DC = none, PL = c

• Evaluation according to the simplified method (Table 11): the lowest PL is c and it occurs in 2 subsystems (Nlow = 2, not more than 2), so the overall PL = c.
From risk analysis: PLr = PL b
EN ISO 13849 Table 5

EN ISO 13849 Table 6

Result

 Category for all subsystems: minimum 1
 DCavg = low
 MTTFd = high
• Achieved Performance Level (PL): c
• Required Performance Level (PLr): b -> requirement fulfilled

(Figure 5 of EN ISO 13849-1: PL as a function of Category and DCavg; columns Cat B, 1, 2, 2, 3, 3, 4 with DCavg none, none, low, medium, low, medium, high.)

Example 1:ES, Performance Level b

Safety function (SF): when the ES button is pressed, switch off the motor with K3.

ES button:  Cat 1, MTTFd = ∞, DC = fault exclusion, PL = c, CCF = not required
Logic:      Cat 3, MTTFd = 200 a, DC = medium, PL = d, CCF = not required
K3:         Cat 1, MTTFd = 10,000,000 a, DC = none, PL = c, CCF = not required

Overall circuit: Cat 1, MTTFd = high, DCavg = low, CCF = not required, PL = c, PLr = b

Safety Gate – Performance Level e - ISO 13849

Example 3: Safety Gate, Performance Level e

 Two-channel monitoring of a safety gate
 K3 & K4 are switched off when
 Q1 (S1) = high (active)
 Q2 (S2) = high (not active)
 the NC feedback contacts of K3 & K4 are closed

From risk analysis: PLr = PL e

Structure: S1 -> L -> K3 and S2 -> L -> K4, with CCF measures between the two input channels and between the two output channels.
Blocks to be evaluated (position switches, logic, contactors), for each: Cat, MTTFd, DC, CCF, PL.

Device Information: Example 3

 Logic unit, from manufacturer: Cat 4, MTTFd = 200 a, DC = high, PL e
 Position switch, from manufacturer: B10d = 25,000,000
 Contactors, EN ISO 13849-1 (Table C.1): B10d = 2,000,000
 Application specific:
 operating hours per day: 8 h/day
 operating days per year: 250 days/year
 1 demand per hour; mean time between two demands (successive cycles): 1 h = 3,600 s

Determination of nop and MTTFd

 nop for position switches and contactors: nop = (dop × hop × 3600 s/h) / tcycle
 nop = 250 [d/a] × 8 [h/d] × 3,600 [s/h] / 3,600 [s] = 2,000 demands/year

 MTTFd for position switches and contactors: MTTFd = B10d / (0.1 × nop)
 MTTFd_Pos = 25,000,000 / (0.1 × 2,000 [1/a]) = 125,000 a
 MTTFd_Contactor = 2,000,000 / (0.1 × 2,000 [1/a]) = 10,000 a

Determination of DC: EN ISO 13849-1, Table E.1

 Position switches
 Cross monitoring of inputs without dynamic test (justified by the frequent cycling, 1/h): DCPos = 99 %

 Logic unit
 DCL = high (99 %)

 Contactors
 Direct monitoring (monitoring of electromechanical devices by a mechanically linked contact element): DCContactor = 99 %

Determination of the max. PL of the Subsystems
according to EN ISO 13849-1, Table E.1

 Position switches: Cat 4, two channels (2 switches), MTTFd = high, DCPos = 99 %, measures against common cause failures sufficient -> max. PL e
 Logic unit: Cat 4, MTTFd = high, DCL = 99 % -> max. PL e
 Contactors: Cat 4, two channels (2 contactors), MTTFd = high, DCContactors = 99 %, measures against common cause failures sufficient -> max. PL e

Consideration of Functional Safety - Example 3
Safety Gate, Performance Level e
• Safety function: two-channel monitoring of the safety gate
• K3 & K4 are switched off when
  – Q1 (S1) = high (active)
  – Q2 (S2) = high (not active)
  – NC feedback contacts of K3 & K4 closed

Structure: S1 -> L -> K3 and S2 -> L -> K4, with CCF measures at input and output.

Position switches:  Cat 4, DC = 99 %, MTTFd = 125,000 a, CCF score = 65, PL = e
Logic:              Cat 4, DC = 99 %, MTTFd = 200 a, CCF = not required (manufacturer data), PL = e
Contactors:         Cat 4, DC = 99 %, MTTFd = 10,000 a, CCF score = 65, PL = e

• Evaluation according to the simplified method: 3 subsystems with minimum PL e -> overall PL = e
Determination of the entire MTTFd for each channel

 Calculation of the entire MTTFd of one channel (blocks in series):

  1 / MTTFd = 1 / MTTFd_Pos + 1 / MTTFd_L + 1 / MTTFd_Contactor
  1 / MTTFd = 1 / 125,000 a + 1 / 200 a + 1 / 10,000 a  ->  MTTFd ≈ 195 a

 MTTFd_Channel2 = MTTFd_Channel1 = MTTFd ≈ 195 a; both channels are identical, so symmetrisation of the channel MTTFd is not necessary.

 Limiting to 100 years: according to EN ISO 13849-1, clause 4.5.2, a maximum MTTFd of 100 years may be taken into account per channel.

 According to Table 5 the MTTFd is classified as "high" (30 a ≤ MTTFd ≤ 100 a).

Determination of DCavg

• Calculation of the average diagnostic coverage (EN ISO 13849-1, Annex E):

  DCavg = (DC_Pos / MTTFd_Pos + DC_L / MTTFd_L + DC_Contactor / MTTFd_Contactor) / (1 / MTTFd_Pos + 1 / MTTFd_L + 1 / MTTFd_Contactor)

• Note: all blocks have the same DC (99 %), therefore DCavg = 99 %.
• According to Table 6 the DCavg is classified as "high".
Result

 Architecture: Cat. 4
 MTTFd = high
 DCavg = high
 Measures against common cause failures have been sufficiently applied.
• Achieved Performance Level: e
• Required Performance Level: e -> requirement fulfilled

(Figure 5 of EN ISO 13849-1, PL as a function of Category and DCavg, as on the Example 1 result slide.)

Example 3: Safety Gate, Performance Level e

• Safety function: two-channel monitoring of the safety gate
• K3 & K4 are switched off when
  – Q1 (S1) = high (active)
  – Q2 (S2) = high (not active)
  – NC feedback contacts of K3 & K4 closed

Structure: S1 -> L -> K3 and S2 -> L -> K4, with CCF measures at input and output.

Position switches:  Cat 4, DC = 99 %, MTTFd = 125,000 a, CCF score = 65, PL = e
Logic:              Cat 4, DC = 99 %, MTTFd = 200 a, CCF = not required, PL = e
Contactors:         Cat 4, DC = 99 %, MTTFd = 10,000 a, CCF score = 65, PL = e

Overall circuit: Cat 4, DCavg = high, MTTFd = high, CCF = considered, PL = e, PLr = e

SISTEMA

Functional Safety
 Introduction:
 EN 954-1 was withdrawn at the end of 2011. It designated safety-related control systems by "Categories" (B, 1, 2, 3, 4). It was replaced by EN ISO 13849-1 in December 2011.
 EN ISO 13849-1 is the standard for machinery safety-related control systems that is available for use now. It designates safety-related control systems by "Performance Levels" (PL a, b, c, d, e).

  1996–2006: EN 954-1
  2006–2011: transition to ISO 13849-1
  2012 onwards: all safety systems in Europe must meet EN ISO 13849-1 or EN IEC 62061

 EN 954-1 remained effective until December 31st 2011, at which point it was replaced with ISO 13849-1.
ISO 13849-1: SISTEMA

SISTEMA is a software tool for the implementation of ISO 13849-1 (safety-related parts of control systems for machinery).

• Safety Integrity Software Tool for the Evaluation of Machine Applications
• SISTEMA is RA's preferred tool, as well as the only tool recommended by TÜV
• It is free for use
• There is a Rockwell Automation data library available for it
  – Includes all necessary data for all RA safety products
• It is developed and maintained by IFA (formerly BGIA) in Germany

IFA SISTEMA

 What is SISTEMA and its role?


 SISTEMA is a free functional safety software tool developed by Germany's IFA (Institute for Occupational Safety and Health) to evaluate the Performance Level (PL) of a safety function according to EN ISO 13849-1.
 The tool automates the calculation of a safety function's attained PL from the product data provided by the safety product manufacturer.
 Who are SISTEMA's intended users?
 Machine builders, system designers and end users who need to comply with EN ISO 13849-1.

SISTEMA
Safety Integrity Software Tool for the Evaluation of Machine Applications
Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA), 2010

SISTEMA simplifies the PL calculation of a safety function for customers if they have access to the appropriate vendor product data.

Introduction to SISTEMA

 What are the benefits of using SISTEMA vs. using a vendor-developed tool or manually calculating PL?
 Users are spared time-consuming calculations and table lookups.
 Users can assess system design changes with little effort.
 The software generates PDF reports.
 The software indicates when a condition of EN ISO 13849-1 is not satisfied and when limit values are exceeded.
 The software is developed by IFA, a well-respected, neutral government authority on functional safety in machinery.
 The software allows the use of vendor-created product data libraries to further simplify PL calculations.
 TÜV recommends SISTEMA over other vendor-developed EN ISO 13849-1 calculation tools.

SISTEMA simplifies the PL calculation of a safety function for customers if they have access to the appropriate vendor product data.

How Is RA Supporting SISTEMA And EN
ISO 13849-1?

Q: How is RA supporting SISTEMA and helping customers transition to EN ISO 13849-1?
A: RA has developed a free, downloadable product library for use with SISTEMA (available for download on the Safety Portal, http://discover.rockwellautomation.com/).

Q: How does the RA SISTEMA product library help customers?
A: It saves time by providing a centralized repository of the product data required to calculate PL, in a convenient, applicable format.

Q: What does the RA SISTEMA product library include?
A: A downloadable file for SISTEMA containing the functional safety data required for compliance with EN ISO 13849-1 for over 70 commonly used RA safety product families.

When used with the SISTEMA tool, the RA product library will save time and simplify Performance Level calculations for customers.

ISO 13849-1: SISTEMA

EN ISO 13849-2 Validation

ISO 13849-2 Validation

 Describes procedures and conditions to be followed for the validation of safety-related parts of control systems (SRP/CS)

 Contains tables with
 basic safety principles
 well-tried safety principles
 well-tried components
 faults to consider
 fault exclusions
 for mechanical, pneumatic, hydraulic and electrical systems.

ISO 13849-2 Validation

 Validation is an evaluated inspection (including analysis and testing) of the safety functions and categories of the SRP/CS

 Goal:
 Proof that the SRP/CS complies with the overall safety requirements of the machinery, and proof that the requirements of EN 954-1 or ISO 13849-1 are fulfilled.

 Method:
 Analysis and testing according to the validation plan

ISO 13849-2 Validation

 Validation of the design of the SRP/CS

 Proof that the SRP/CS fulfils all requirements of the specified category and the specified safety characteristics of the safety functions provided by that part, as set out in the design rationale

 Validation shall consist of the following elements:
 selection of the validation strategy (validation plan)
 management and execution of the validation activities (test specification, test techniques, analysis techniques)
 documentation (verifiable reports of all validation activities and decisions)

Validation process

Start
  -> Design considerations, fault lists and criteria for fault exclusion (input documents)
  -> Validation plan, validation principles
  -> Analysis
  -> Is analysis sufficient?  No -> Testing -> Is testing complete? (repeat until yes)
  -> Validation record
End

Validation plan

Content of the validation plan

 Requirements for carrying out the validation process
 Means to be employed to validate the specified safety functions and categories
 Where appropriate:
 the identity of the specification documents
 the operational and environmental conditions
 the basic safety principles
 the well-tried safety principles
 the well-tried components
 the fault assumptions and fault exclusions to be considered
 the analyses and tests to be applied

Information for validation (Documents)
 Specification of the expected performance, of the safety functions and categories
 Drawings and specifications
 Block diagram with functional description of the blocks
 Circuit diagram including interfaces/connections
 Functional description of the circuit diagram
 Time sequence diagram(s) for switching components and signals relevant for safety
 Component lists with item designations, rated values, tolerances etc.
 Analysis of all relevant faults, including the justification of any fault exclusions
 Analysis of the influence of processed materials
 Category-specific information in accordance with Table 2
 Software documentation (next slide)
Information for validation (software documentation)

Where software is relevant, the software documentation shall include:
 a specification which is clear and unambiguous and states the safety performance the software is required to achieve,
 evidence that the software is designed to achieve the required safety performance, and
 details of tests carried out to prove that the required safety performance is achieved.

This is only of limited applicability to complex and/or programmable electronic systems (PES); for these, reference is made to IEC 61508.

Documentation requirements for
categories (Table 2)

What shall be validated?

Validation of ...
 the safety functions
 the category
 the combination of safety-related parts
 the environmental requirements
 the maintenance requirements

The validation covers the whole safety system. Therefore it will be done on system level.

EN IEC AS 62061:2005 General Scope and overview

Functional Safety Standards

Basic Standard and
Application sector and product Standards

Overview – AS 62061- Table of contents

 Introduction
 1 Scope and object
 2 Normative references
 3 Terms, definitions and abbreviations
 4 Management of functional safety
 5 Requirements for the specification of SRCFs
 6 Design and integration of the SRECS
 7 Information for use of the SRECS
 8 Validation of the safety-related electrical control system
 9 Modification
 10 Documentation
 Annexes
(Clauses 4 to 8 cover SIL determination, functional safety management (FSM) and the life cycle.)
Overview and objectives of IEC 62061 (1)
 Requirement Management of functional safety (Clause 4)
 To specify the management and technical activities which are necessary for the
achievement of the required functional safety of the SRECS.
 Requirements for the specification of safety-related control functions (Clause 5)
 To set out the procedures to specify the requirements for safety-related control
functions.
 Design and integration of the safety related electrical control system (Clause 6)
 To specify the selection criteria and/or the design and implementation methods of the
SRECS to meet the functional safety requirements.
 Information for use of the machine (clause 7)
 To specify requirements for the information for use of the SRECS, which has to be
supplied with the machine.
 Validation of the safety related electrical control system (clause 8)
 To specify the requirements for the validation process to be applied to the SRECS.
 Modification of the safety related electrical control system (clause 9)
 To specify the requirements for the modification procedure that has to be applied when
modifying the SRECS.
Overview – AS 62061- Annex
 Annex A - SIL assignment
 Annex B - Example of safety-related electrical control system (SRECS) design using concepts and requirements of Clauses 5 and 6
 Annex C - Guide to embedded software design and development
 Annex D - Failure modes of electrical/electronic components
 Annex E - Electromagnetic (EM) phenomena and increased immunity levels for SRECS intended for use in an industrial environment according to IEC 61000-6-2
 Annex F - Methodology for the estimation of susceptibility to common cause failures (CCF)
 Annex ZA - Normative references to international publications with their corresponding European publications
 Annex ZZ - Coverage of Essential Requirements of EC Directives

Annex F - Criteria for the Determination
of CCF

Terms, definitions and abbreviations
(clause 3)
 IEC 62061:
 E/E/PES - electric, electronic, programmable electronic system
 SRECS - safety-related electrical control system
 SRCF - safety-related control function
 CCF - common cause failure(s)
 DC - diagnostic coverage
 EMC - electromagnetic compatibility
 FB - function block
 FVL - full variability language
 LVL - limited variability language
 PFHD - probability of dangerous failure per hour
 MTTF - mean time to failure
 MTTFD - mean time to dangerous failure
 MTTR - mean time to restoration
 MTBF - mean time between failures
 PTE - probability of dangerous transmission error
 SFF - safe failure fraction
 SIL - safety integrity level
 SILCL - SIL claim limit (for subsystems)
 SRS - safety requirements specification
Scope of IEC 62061

This standard provides a methodology and defines requirements in order to:

 determine the required SIL for any safety-related function executed by the SRECS (risk estimation)
 enable the design of the SRECS in accordance with the determined SIL (which requirements have to be fulfilled by any (sub)system for hardware, software, QM and documentation)
 integrate safety-related subsystems designed in accordance with EN ISO 13849 (which devices can be combined in order to meet the requirements)
 validate the SRECS.

Hardware and Systematic Safety Integrity

Faults are either systematic or random:

 Systematic faults -> systematic safety integrity -> failure avoidance -> QM system, functional safety management
 Random (hardware) faults -> hardware safety integrity -> failure detection/control -> design/architecture, probability (PFHD)

Functional Safety Management (FSM)

 Covers quality management, quality assurance and documentation
 Describes the process to guarantee quality and functional safety and the required organisational measures (development process, production, installation, operation, maintenance etc.)

Life cycle model:
 Over the entire lifetime (all phases in the life of a product), appropriate quality assurance measures shall ensure that:
 the creation of systematic failures is avoided as far as possible
 systematic failures are recognised by testing/verification activities
 all phases in the life of the product are sufficiently documented, both the product design and the records of the test/verification activities

Installation and application of a Functional Safety Management system (FSM)

Qualitative requirements (QM) over the
Machine Life Cycle
ANALYSIS:     concept/scope -> hazard analysis & risk assessment -> safety requirements specification
REALISATION:  conceptual design -> detailed design -> installation, commissioning, validation
OPERATION:    operation & maintenance -> modifications -> decommissioning
Functional safety management spans all phases.
Qualitative Requirements (QM) (1)

 Functional Safety Management:


 Definition of management and technical activities to ensure the
required quality and safety of the product
 Responsibilities of people and departments

 Requirements on the specification:


 Functional and safety requirement specification

 Architecture and Development:


 Selection and design of the suitable system architecture, Hard- &
Software
 Hardware and Software design
 Verification of Hardware, Software and System
 Annex C states useful methods and techniques for QM for embedded
Software development and test
Qualitative Requirements (QM) (2)

 Information for the user:
 user manual, installation and operating manual
 maintenance, periodic manual tests

 Validation of the safety system:
 test of the system against the safety and functional specification

 Procedures for modification:
 specification of the modification procedures (formal procedure and procedure by content)
 activities for verification

Management of Functional Safety (1)

 Establishment of a plan for functional safety (safety plan):
 determination of procedures so that the activities during development and verification of the product (safety life cycle) can be controlled and monitored
 description of the strategy to achieve functional safety during development of the system, hardware and software, integration, verification and validation
 determination of the persons, departments and other resources responsible for the execution and supervision of the activities in the various phases
 determination of procedures and means to record and maintain the relevant information, so that the proof of functional safety is reproducible and always up to date
 strategy for configuration management (authorised persons and internal structures)

Management of Functional Safety (2)
 Determination concerning the establishment of a Verification Plan:
 Details, when the verifications have to be performed
 Persons, departments and organisations, which have to carry out the
verifications
 Techniques and procedures, which are to be applied for verification
 Definition of the equipment for testing, tools
 Criteria for acceptance
 Means, procedures for documentation and assessment of the results of the
verification steps
 Determination concerning the establishment of a Validation Plan:
 Details, when the validations have to be performed
 Identification of the relevant operating modes of the machine (Teach-In, normal
operation, etc.)
 Strategy of the validation (analytical, statistical procedures)
 Criteria for acceptance and definition, how to proceed in case of deviations
Specification of the safety related control
function (SRCF)
 Complete specification of the functional requirements (description, operating conditions, timing, requirements for service, interfaces, ...)
 Specification of the safety-related requirements (SIL for each SRCF)
 Results of the risk analysis of the machine, definition of all safety functions
 Definition of all operating characteristics (operating modes, response times, cycle times, environmental conditions, reaction times, necessary operators, maintenance, cleaning ...)
 Description of the behaviour of the machine
 Interfaces between different SRCFs and other units
 Specification of each SRCF

Note: the SRS has to be verified for completeness and consistency (inspection, analysis, check lists, reviews, involvement of other persons, departments, organisations).

Information for use of the SRECS –
Requirements (clause 7)
Comprehensive documents shall provide information about the equipment, installation, mounting, operation and maintenance, including
 information on the physical environment (lighting, noise levels, atmospheric contaminants etc.)
 for safety-related software: programming information
 specification for periodic testing, proof tests, preventive and corrective maintenance
 description of maintenance requirements:
 procedures for fault diagnosis and repair
 procedures for confirming correct operation after repairs
 overview diagrams, circuit diagrams, block diagrams etc.

Safety-related software - Overview

Safety-related software (clause 6.11.1, general requirements) is split into:

Safety-related embedded software (SRESW), clause 6.11.2:
 firmware of the microprocessor
 operating system
 software for parameterisation

Safety-related application software (SRASW), clause 6.11.3:
 application programs for programmable safety systems
Hardware Fault Tolerance (HFT) (1)

HFT = 0:  one channel (E/E/PES), 1oo1
HFT = 1:  two channels (channel 1, channel 2), 1oo2
HFT = 2:  three channels (channel 1, channel 2, channel 3), 1oo3

Hardware Fault Tolerance (HFT) (2)
HFT = 1:  three channels in a 2oo3 voting structure (any two of channels 1, 2 and 3 must agree)

HFT describes the maximum number of failures (random hardware faults) that can occur without resulting in a dangerous condition; it describes the structure, not the failure rate.

General: with HFT = N, N + 1 faults can result in a loss of the safety function.

Safe Failure Fraction (SFF)

λtot = λS + λD            (safe failures plus dangerous failures)
λD = λDD + λDU            (dangerous detected plus dangerous undetected)

SFF = (λS + λDD) / λtot

Fault Tolerance - Structural and
Quantitative Requirements
• Architectural constraints (safety structure, i.e. HFT, and required SFF)
• Safety Integrity Level: SIL 1, SIL 2 and SIL 3

Evaluation of Diagnostic Coverage (DC)

λtot = λS + λD
λD = λDD + λDU

DC = λDD / λD
λDD = λD × DC
λDU = λD × (1 − DC)

Common Cause Failure (CCF) and the β-factor

 Common cause failures (CCF) result from a single cause and affect more than one channel.
 A fraction of the failures in both channels shows up as CC failures: due to one cause, a failure in one channel is followed by the same failure in the other channel, either at the same time or some time later.
 Common causes are:
 external stress such as excessive temperature or strong electromagnetic interference
 systematic design failures due to the high complexity of the product or missing experience with a new technology
 no spatial separation between channels, use of common cables, both channels on one PCB etc.
 human errors during maintenance and repair
 The β-factor describes the fraction of the failures which affects both channels as a common cause failure.
 Annex F gives the method for estimating β.



Terminology for the Description of a Safety Function

System (SRECS): Input → Logic Solving → Output
Each of these blocks is a subsystem, and each subsystem is built from subsystem elements.

• A safety function is executed by a system (SRECS).
• A system consists of subsystems.
• A subsystem consists of subsystem elements.



Basic subsystem architectures A & B: zero / single fault tolerance without a diagnostic function (IEC 62061 clause 6.7.8.2.3 & …2.4)

Subsystem A (HFT = 0, no diagnosis): n subsystem elements with dangerous failure rates $\lambda_{D1} \ldots \lambda_{Dn}$
$\lambda_{DssA} = \lambda_{D1} + \ldots + \lambda_{Dn}$

Subsystem B (HFT = 1, no diagnosis): two subsystem elements ($\lambda_{D1}$, $\lambda_{D2}$) with common cause effect $\beta$
$\lambda_{DssB} = (1-\beta)^2 \cdot \lambda_{D1} \cdot \lambda_{D2} \cdot T + \beta \cdot \dfrac{\lambda_{D1} + \lambda_{D2}}{2}$

$\mathrm{PFH}_D = \lambda_{DssX} \cdot 1\,\mathrm{h}$ (X = A, B)
$\lambda_{D1}$, $\lambda_{D2}$ = failure rate of dangerous failures
$T$ = proof test interval
$\beta$ = common cause factor



Basic subsystem architectures C & D: zero / single fault tolerance with a diagnostic function (IEC 62061 clause 6.7.8.2.4 & …2.5)

Subsystem C (HFT = 0, diagnosis with DC): n subsystem elements with $\lambda_{D1}, \mathrm{DC}_1 \ldots \lambda_{Dn}, \mathrm{DC}_n$, monitored by diagnostic functions
$\lambda_{DssC} = \lambda_{D1}(1-\mathrm{DC}_1) + \ldots + \lambda_{Dn}(1-\mathrm{DC}_n)$

Subsystem D (HFT = 1, diagnosis with $\mathrm{DC}_1$ and $\mathrm{DC}_2$, common cause effect $\beta$):
$\lambda_{DssD} \approx (1-\beta)^2 \left[ \lambda_{D1}\lambda_{D2}(\mathrm{DC}_1 + \mathrm{DC}_2)\dfrac{T_D}{2} + \lambda_{D1}\lambda_{D2}(2 - \mathrm{DC}_1 - \mathrm{DC}_2)\dfrac{T}{2} \right] + \beta \cdot \dfrac{\lambda_{D1} + \lambda_{D2}}{2}$

$\mathrm{PFH}_D = \lambda_{DssX} \cdot 1\,\mathrm{h}$ (X = C, D)
$T_D$ = diagnostic test interval, $T$ = proof test interval



Basic subsystem architecture D: single fault
tolerance with a diagnostic function(s) (2)

This architecture is such that a single failure of any subsystem element does not cause a loss of the SRCF, where:
 $T_2$ is the diagnostic test interval ($T_D$ in the block diagram);
 $T_1$ is the proof test interval or lifetime, whichever is the smaller ($T$ in the block diagram);
 $\beta$ is the susceptibility to common cause failures; $\lambda_D = \lambda_{DD} + \lambda_{DU}$,
 where $\lambda_{DD}$ is the rate of detectable dangerous failures
 and $\lambda_{DU}$ is the rate of undetectable dangerous failures.

 $\lambda_{DD} = \lambda_D \cdot \mathrm{DC}$ or $\mathrm{DC} = \lambda_{DD} / \lambda_D$
 $\lambda_{DU} = \lambda_D \cdot (1 - \mathrm{DC})$



Safety Gate – SIL 3 IEC 62061

Functional Safety – Example 1
Safety Gate, SIL 3

 Two channel monitoring of safety gate
 K3 & K4 are switched off, when
  Q1 (S1) = High (active)
  Q2 (S2) = High (not active)
  NC K3 & K4 closed

From risk analysis: SIL 3

Structure: position switches S1, S2 (diagnostic, CCF) → logic L → contactors K3, K4 (diagnostic, CCF)

To be determined for each of the three subsystems (Pos, Logic, Con):
 HFT = ?
 PFH_D = ?
 SFF = ?
 SIL CL = ?



Device Information

• Logic Unit: from manufacturer SIL CL 3, PFH_D = 1.2 × 10⁻⁸
• Position Switch: from manufacturer SIL CL 3, PFH_D = 1.4 × 10⁻⁸ (C = 1/h)
• Motor: PFH_D = 0 for this application
• Contactor: ISO 13849-1 (Tab. C.1) B10d = 2,000,000, B10 = 1,000,000

• Application specific:
 • 1 demand per hour (opening of safety gate): C = 1/h



Design of Subsystems

Subsystems:
 S1, S2: position switches with direct opening contacts (diagnostic, CCF); homogenous redundancy: PFH_D_Pos1 = PFH_D_Pos2 = PFH_D_Pos, DC1 = DC2 = DC_Pos
 K3, K4: similar contactors (diagnostic, CCF); homogenous redundancy: K3 = K4 = contactor, DC1 = DC2 = DC_contactor

Subsystem architecture D (homogenous redundancy with diagnosis):

$\mathrm{PFH}_D \approx (1-\beta)^2 \left[ \lambda_D^2 \,(2\,\mathrm{DC})\,\dfrac{T_D}{2} + \lambda_D^2 \,(2 - 2\,\mathrm{DC})\,\dfrac{T}{2} \right] + \beta \cdot 2\lambda_D \cdot \dfrac{1}{2}$

with $T_D = 1/C = 1\,\mathrm{h}$ and $T = 20$ years.



Design of Subsystems

Subsystem Position Switches (S1, S2; diagnostic, CCF)

$\mathrm{PFH}_{D\_Pos} \approx (1-\beta)^2 \left[ \lambda_{D\_Pos}^2 \,(2\,\mathrm{DC})\,\dfrac{T_D}{2} + \lambda_{D\_Pos}^2 \,(2 - 2\,\mathrm{DC})\,\dfrac{T}{2} \right] + \beta \cdot 2\lambda_{D\_Pos} \cdot \dfrac{1}{2}$

DC = 99 % (fault detection with the logic unit)
Common Cause Faults CCF: β = 5 %
PFH_D = ?
SFF = ?

 Proof of the required SFF through
  the applied DC = 99 % and/or
  the statement of SIL CL.

 SIL CL 3 means that the switch can be used in applications up to SIL 3 when used in an HFT = 1 structure, and thus complies with the SFF requirements.



Design of Subsystems

Subsystem Contactors (K3, K4; diagnostic, CCF)

$\mathrm{PFH}_{D\_contactors} \approx (1-\beta)^2 \left[ \lambda_{D\_contactor}^2 \,(2\,\mathrm{DC})\,\dfrac{T_D}{2} + \lambda_{D\_contactor}^2 \,(2 - 2\,\mathrm{DC})\,\dfrac{T}{2} \right] + \beta \cdot 2\lambda_{D\_contactor} \cdot \dfrac{1}{2}$

DC = 99 % (fault detection by monitoring of direct contacts)
Common Cause Failures CCF: β = 5 %

$\mathrm{SFF} = \dfrac{\lambda_{S\_contactor} + \lambda_{D\_contactor} \cdot \mathrm{DC}}{\lambda_{contactor}}$

 For this calculation $\lambda_{S\_contactor}$, $\lambda_{D\_contactor}$ and $\lambda_{contactor}$ are needed.
Alternative: estimation via DC.



Determination of the Failure Rate of a Single Component

Contactor:
$\lambda_D = 0.1 \cdot C / B_{10d}$
B10d = 2,000,000
C = 1/h
$\lambda_{D\_Contactor} = 0.1 \cdot (1/\mathrm{h}) / 2{,}000{,}000 = 5 \times 10^{-8}\ 1/\mathrm{h}$

Position Switch: from manufacturer SIL CL 3, PFH_D = 1.4 × 10⁻⁸ 1/h (C = 1/h)



Design of Subsystems

Subsystem elements:
 PFH_D = λ_D_Pos = 1.4 × 10⁻⁸ 1/h
 λ_D_Contactor = 5 × 10⁻⁸ 1/h

Homogenous redundancy (similar devices): λ1 = λ2 = λ; DC1 = DC2 = DC; T_D = 1/C; T = 20 years

$\mathrm{PFH}_D = (1-\beta)^2 \left[ \lambda_D^2 \,(2\,\mathrm{DC})\,\dfrac{T_D}{2} + \lambda_D^2 \,(2 - 2\,\mathrm{DC})\,\dfrac{T}{2} \right] + \beta \cdot 2\lambda_D \cdot \dfrac{1}{2}$

Subsystem position switches (fault detection by comparison in PLC):
 DC = 99 % → SFF = 99 %; Common Cause Failures CCF: β = 5 %; C = 1/h
 PFH_D = 0.7 × 10⁻⁹ → SIL CL 3

Subsystem contactors (fault detection by monitoring of direct contacts):
 DC = 99 % → SFF = 99 %; CCF: β = 5 %; C = 1/h
 PFH_D = 2.5 × 10⁻⁹ → SIL CL 3



Consideration of Functional Safety

Safety Function
Two channel monitoring of safety gate
• K3 & K4 are switched off, when
 • Q1 (S1) = High (active)
 • Q2 (S2) = High (not active)
 • NC K3 & K4 closed

Structure: S1, S2 (diagnostic, CCF) → L → K3, K4 (diagnostic, CCF); required: SIL 3

Position switches: HFT = 1; PFH_D = 0.7 × 10⁻⁹; SFF = 99 %; SIL CL 3
Logic: HFT = NR; PFH_D = 1.2 × 10⁻⁸; SFF = NR; SIL CL 3
Contactors: HFT = 1; PFH_D = 2.5 × 10⁻⁹; SFF = 99 %; SIL CL 3

The PFH_D of each subsystem are added together = 1.5 × 10⁻⁸ ≤ 10⁻⁷ → SIL 3
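The worked safety-gate calculation above, as an added Python example that is not part of the slides or of Rockwell Automation's material: λ_D from B10d, the architecture D formula with the slides' T_D = 1 h, T = 20 years, DC = 99 % and β = 5 %, and the subsystem sum checked against the SIL 3 limit. As on the slides, the manufacturer's PFH_D of the position switch is used as its λ_D; 8760 h per year and the SIL band limits are assumptions not stated on the page.

```python
"""IEC 62061 PFH_D arithmetic for the SIL 3 safety-gate example (added example)."""

HOURS_PER_YEAR = 8760          # assumed: 365 d x 24 h, used for T = 20 years


def lambda_d_from_b10d(b10d, c_per_hour):
    """Dangerous failure rate [1/h] of a wearing component from its B10d value
    and the demand rate C [1/h]: lambda_D = 0.1 * C / B10d."""
    return 0.1 * c_per_hour / b10d


def pfhd_arch_d(lambda_d, dc, beta, t_diag_h, t_proof_h):
    """Architecture D (HFT = 1, homogenous redundancy, diagnostics).

    First term: both channels fail dangerously and at least one failure is
    detected, so the exposure is limited to the diagnostic interval T_D.
    Second term: both fail undetected; the exposure is the proof test interval T.
    Last term: common cause share beta * lambda_D, which dominates when DC is
    high. The result is a rate in 1/h, i.e. PFH_D = lambda_DssD * 1 h.
    """
    detected = lambda_d ** 2 * (2 * dc) * t_diag_h / 2
    undetected = lambda_d ** 2 * (2 - 2 * dc) * t_proof_h / 2
    return (1 - beta) ** 2 * (detected + undetected) + beta * lambda_d


def sil_from_pfhd(pfhd):
    """High-demand SIL band reached by a PFH_D (assumed IEC 62061 / IEC 61508 limits)."""
    for sil, upper in ((3, 1e-7), (2, 1e-6), (1, 1e-5)):
        if pfhd < upper:
            return sil
    return 0   # no SIL claim possible


def safety_gate_example():
    """Reproduce the three subsystem values from the slides (constructed inputs)."""
    t_proof = 20 * HOURS_PER_YEAR            # T = 20 years
    t_diag = 1.0                             # T_D = 1/C with C = 1 demand/h
    lam_contactor = lambda_d_from_b10d(2_000_000, 1.0)   # 5e-8 1/h
    return {
        "position_switches": pfhd_arch_d(1.4e-8, 0.99, 0.05, t_diag, t_proof),
        "logic_unit": 1.2e-8,                # manufacturer PFH_D, taken as given
        "contactors": pfhd_arch_d(lam_contactor, 0.99, 0.05, t_diag, t_proof),
    }


if __name__ == "__main__":
    parts = safety_gate_example()
    total = sum(parts.values())
    for name, value in parts.items():
        print(f"{name:18s} PFH_D = {value:.2e} 1/h")
    print(f"total PFH_D = {total:.2e} 1/h -> SIL {sil_from_pfhd(total)}")
```

Note that with DC = 99 % the β·λ_D term contributes almost the whole result, which is why the slides' figures equal 5 % of each element's λ_D.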
ISO 13849 Table K.1



ISO 13849 Amendment 1- 2012



AS62061



Safety Services

Supporting Your Solution



The Value of RA Machine Safety
Services

• Help customers comply with current and emerging standards by providing Consulting Services for safety critical controls
• Our solutions can help customers:
 • Reduce lost-time accidents
 • Enhance work-place safety
 • Reduce unplanned downtime
 • Improve employee morale
• These solutions ultimately deliver enhanced productivity

Global Support. Local Address. Peace of Mind.


Specific Services in the Safety Life Cycle

1. Hazard or Risk Assessment
 • Risk Assessment
 • Hazard Assessment
 • Safety Audit
2. Functional Requirements
 • Development of Safety Requirements Specification (SRS)
3. Design & Verification
 • Safety Circuit / Logic Design
 • Machine Stop Time and Safety Distance Calculation
 • Safety Product Training
4. Installation & Physical Validation
 • Safety Circuit Analysis
 • Installation Services
 • Safety Product Training
 • Verify Safety Distance Calculation
5. Maintain & Improve
 • Production Floor Support
 • Conformance Audits
 • Safety Protocol Assessments



Safety Assessments

• Rockwell Automation Machine Safety Services include the following Safety Assessments:
 – Team-based risk assessments
 – Safety audits
 – Hazard assessments
 – Arc Flash analysis (North America only)



Safety Circuit Analysis

RA Safety Services – Safety Circuit Analysis


 RA Safety Consultant will review the machine safety circuit supplied by the customer
for compliance to the safety circuit performance level specified by the customer
 If the circuit is not found to be in compliance, the corresponding areas of the drawing
will be “red-lined” with notations that reference back to the standard showing the
deficiency of the design
 A short written report will be provided documenting the findings

Why would you want a Safety Circuit Analysis?


 To get a third party opinion that a safety circuit design conforms to the appropriate
standards
 Especially appropriate for customers with less safety design experience



Machine Stop Time Measurements

RA Safety Services – Machine Stop Time Measurements
 RA Safety Consultant will perform a physical measurement to determine the stop time
of the machinery
 How long does it take the machine to reach a safe state?
Why would you want a Stop Time Measurement?

 The stop time is used to determine what type of safeguarding techniques can be used
as well as the appropriate mounting position
 For example, how far away from the hazard does a light curtain need to be
mounted in order to give the machine enough time to stop after the light curtain
determines that something is approaching the hazard

 Machine Stop Time is a key component of the safety distance calculation



Compliance Consulting

• Rockwell Automation Safety Services include the following areas of Compliance Consulting:
 – Compliance audits
  • ISO, ANSI, IEC, CE, OSHA, NFPA, CSA, AS
  • Functional Safety (EN ISO 13849-1 and IEC/EN 62061)
• CE Mark Conformance
– Lockout/Tagout compliance (North America)
– Conformance audits
– Safety protocol assessments



Machine Safety Seminar

RA Safety Services – Machine Safety Seminar

 One day on-site training program
 THE starting point for Machine Safeguarding. Topics include:
  Risk Assessment process training
  Machine guarding requirements
  Safety circuit architectures
  Presence sensing safety device applications
  Standards and their application.

Why would you want a Machine Safety Seminar?

 Looking for a starting point on the implementation of modern machine safety techniques



Validation Services

• Rockwell Automation Safety Services include the following Validation Services:
– Safety system validation and design reviews
– Safety circuit analysis
– Machine stop time and safety distance calculations



Installation and Production Services

 Rockwell Automation Machine Safety Services include the following Installation and Production Services:
 Project management
 Material procurement
 RA products
 Third party products
(e.g. hard-guarding)
 Installation / assembly services
 Start-up assistance
 Factory acceptance
 Field support services
 Preventative maintenance programs
 Production floor safety system support



Qualitative requirements (QM) over
the Machine Life Cycle

Summary

 Help customers comply with current and emerging standards by providing consulting services for safety critical controls
 RA Machine Safety Services include the following categories:
 Safety Assessments
 Validation Services
 Compliance Consulting
 Safety Training
 Design, Installation and Production Services
 Our solutions can help customers to:
 Reduce lost-time accidents
 Enhance work-place safety
 Reduce unplanned downtime
 Improve employee morale

 These solutions ultimately deliver enhanced productivity


Integrated Safety Architecture

Adds significant value throughout the manufacturing process.
Shared assets across standard & safety control drives cost savings.
Where to begin

Rockwell Automation Can Help You Get Started


Join our Safety Community

Rockwell Automation
Safety Portal
http://discover.rockwellautomation.com/Safety

RAGuard
http://www.twitter.com/raguard

Safety Automation Forum group
http://www.linkedin.com/groups?gid=1950912

Rockwell Automation Safety Solutions

November 7-8, 2012, Philadelphia, PA
www.safetyautomationforum.com



Questions.

Follow ROKAutomation on Facebook & Twitter.


Connect with us on LinkedIn.

www.rockwellautomation.com

