Health and Safety Executive
PABIAC Safety-related Control Systems Workshop
KEY STANDARDS FOR ELECTRICAL & FUNCTIONAL SAFETY OF PAPERMAKING MACHINES: APPLICATION & USE
Steve Frost, HM Principal Electrical Inspector, Northern Specialist Group

What I’ll cover
– Background & introduction
– An overview of key standards
– Methodology & key principles
– Relationship between BS EN 954-1 & BS EN 62061
– Way forward
BACKGROUND & INTRODUCTION
– Traditionally, interlocking schemes based on electromechanical technologies have been used to eliminate hazards at machinery;
– Advances in machinery and control systems design have led to the widespread introduction of complex electronics, to facilitate increased automation and implement safety functions;
– Important to deal effectively with functional safety of complex electrotechnical control systems – technical framework set out in IEC 61508/EN 61508.
Functional safety applicable across the wide range of machinery used throughout Manufacturing Industry
Legal requirement for machinery to be SAFE – use of appropriate standards can help to provide a “presumption of conformity”
AN OVERVIEW OF KEY STANDARDS: ELECTRICAL SAFETY
– BS EN 60204-1 (Ed 5)
– New edition published in mid-2006
– Retained status as a harmonised standard under the Machinery Directive
– Largely unchanged from 1997 (4th) edition
– But there are some changes that will have significance
AN OVERVIEW OF KEY STANDARDS: ELECTRICAL SAFETY
Some of these are:
– Machine isolating (disconnecting) device can be any device that conforms with isolation requirements set out in IEC 60947-1/BS EN 60947-1;
– Changes to measures that can be applied for protection against electric shock;
– More detail on protective bonding circuit;
– Introduction of requirements for functional bonding – protection against earth leakage currents;
– Emergency stop at Cat. 0 or 1 can be performed by electrical and/or electronic means – need to satisfy requirements of sub-clause 9.4 (Control functions in the event of failure).
AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY
– Functional safety of control systems has been an important development – EHSRs specifically cover this subject for machinery safety;
– Issue complicated by differing standards and their application by groups such as Notified Bodies and 3rd party assessors;
– Presently the following standards can be applicable:
  – BS EN 954-1:1997 (aka ISO 13849-1:1999)
  – BS EN ISO 13849-2:2004
  – BS EN 62061:2005
  – BS EN 61508 series
  – prEN ISO 13849-1 (incorrectly)
AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY
BS EN 62061
– Published as a European Standard in May 2005
– Harmonised under the Machinery Directive
– Sector implementation of IEC/EN 61508
– Simplification of some aspects of IEC/EN 61508 for application to machinery and industrial automation
– Performance of safety-related E/E/PE control systems described in terms of SILs (only up to SIL 3)
AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY
Objectives of the “62061” development:
– To provide an unambiguous method for a meaningful quantitative/qualitative assessment of safety-related electrical control systems on machines;
– To add to the existing structural approach (BS EN 954-1 categories) by including “RELIABILITY” and SYSTEMATIC measures;
– To provide flexibility of functionality and technology to optimise safety AND productivity;
– To introduce the concept of Safety Integrity Levels (SILs) and functional safety management into the Machinery Sector for the specification, design and integration of safety-related electrical control systems.
AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY
BS EN 954-1 (aka ISO 13849-1:1999)
– Introduced in 1997, based on principles of earlier German national standards
– Based on parts of control systems
– Methodology uses fault resistance, architecture and reliability of components
– Performance of safety-related parts described in terms of Categories (B, 1, 2, 3, 4)
– Presently undergoing extensive revision
AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY
BS EN 954-1 (Advantages & limitations)
– Applicable to ‘safety-related parts of control systems’ based on all operating media – electrical*, mechanical, pneumatic, hydraulic;
– Designated ‘Categories’ – Qualitative – B, 1, 2, 3, 4 – non-hierarchical – described in terms of:
  – component reliability – fault avoidance
  – system structure – fault tolerance (redundancy) & fault detection (monitoring)
AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY
BS EN 954-1 (Advantages & limitations) contd.
Some limitations are:
– Categories not a comprehensive measure of safety integrity
– Not suitable for complex control systems such as those based on programmable electronic technology
– Emphasis on satisfying category requirements rather than achieving safety
– Lack of guidance on management of functional safety
– Considered most applicable to low complexity systems, in which the failure modes of components are well defined and the behaviour of the system under fault conditions can be completely determined
– Also see EN 954-2 (validation) & PD CR 954-100 (guidance)
AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY
Revision of BS EN 954-1 (prEN ISO 13849-1)
– Substantial revision of the existing standard
– Categories remain but are defined in terms of designated architectures
– Software development included that refers in part to BS EN 61508
– Performance of safety-related parts described in terms of Performance Levels (a, b, c, d, e)
METHODOLOGY & KEY PRINCIPLES
Both BS EN 954-1 and BS EN 62061 start from a similar point:
1. Risk assessment using EN 1050/ISO 14121
2. Risk reduction by safety-related control function? If No: no need to use the key standards. If Yes:
3. Risk assessment for safety performance target (Category to BS EN 954-1 or SIL to BS EN 62061)
4. Develop and validate safety requirements specification
5. Design of safety-related control system using appropriate standard(s)
BS EN 954-1 Risk graph
[Figure: BS EN 954-1 risk graph. Consequences: death, losing an eye or arm; permanent, losing fingers; reversible, medical attention; reversible, first aid.]

BS EN 62061 SIL Assignment
[Figure: BS EN 62061 “Risk assessment and safety measures” form (Document No., Product, Issued by, Date; Part of: pre / intermediate / follow-up risk assessment; columns Ser. No., Hzd. No., Hazard, Se, Fr, Pr, Av, Cl, Safety measure, Comments). Parameters: Severity Se (4, 3, 2, 1); Frequency and duration of exposure Fr (bands ≤ 1 h, 1 day, 2 wks, 1 yr; ≤ 1 h = 5); Probability of hzd. event Pr (Common = 5); Avoidance Av (Impossible = 5, Possible = 3, Likely = 1); Class Cl bands 3–4, 5–7, 8–10, 11–13, 14–15. Black area = safety measures required; grey area = safety measures recommended (OM).]
CORRELATION BETWEEN “REQUIRED” CATEGORIES AND SILS: MPS PART 6 (EDITION 2:2005)
“As an approximation, the relationship between the required Categories and SILs assigned to safety-related control functions to be implemented by electrical, electronic or programmable electronic safety-related control systems at a typical machine may be considered ….”

Category of safety-related control function in accordance with BS EN 954-1 | Target failure measure for safety-related control function in accordance with BS EN 61508/BS EN 62061
1 or 2 | SIL 1
3      | SIL 2
4      | SIL 3
SELECTION OF STANDARDS
Select Standard:
– Mechanical / Pneumatic / Hydraulic → Design using BS EN 954-1
– Electrical/Electronic/Programmable Electronic Systems:
  – Low complexity systems* → Design using BS EN 954-1
  – Systems of higher complexity → Design using BS EN 62061 (Hardware, Software, Validation)

* "Low complexity" systems are those in which failure modes of components are well defined and the behaviour of the system under fault conditions can be completely determined.
BS EN 62061: METHODOLOGY & KEY PRINCIPLES
[Figure: System made up of INPUT, LOGIC SOLVING and OUTPUT subsystems, each built from subsystem elements.]
Subsystem: an element in the top-level architectural design of the SRECS where a failure of any subsystem will result in a failure of the safety-related control function.
BS EN 62061: METHODOLOGY & KEY PRINCIPLES
What is involved in designing to achieve a SIL? At system level (INPUT – LOGIC SOLVING – OUTPUT):
1) Requirements to achieve “SYSTEMATIC INTEGRITY”
2) Probability of RANDOM HARDWARE FAILURE (PFHD)
3) ARCHITECTURAL CONSTRAINTS
4) Requirements for BEHAVIOUR ON DETECTION OF A FAULT
BS EN 62061: METHODOLOGY & KEY PRINCIPLES (EXAMPLE FOR PFHD)
Probability of DANGEROUS RANDOM HARDWARE FAILURE (PFHD) – example for SIL 2
System PFHD requirement = 10^-6 (per hour)
Using data provided by subsystem manufacturers:
– Subsystem 1: PFHD = 1x10^-7
– Subsystem 2: PFHD = 2x10^-7
– Subsystem 3: PFHD = 1x10^-7
– Subsystem 4: PFHD = 2x10^-7
(1x10^-7) + (2x10^-7) + (1x10^-7) + (2x10^-7) = 6x10^-7, which is below the 10^-6 requirement for SIL 2.
BS EN 62061: METHODOLOGY & KEY PRINCIPLES – ARCHITECTURAL CONSTRAINTS
6.6.3.3 Architectural constraints: The SIL achieved by the SRECS according to the architectural constraints is less than or equal to the lowest SILCL of any subsystem (see 6.7.6) involved in the performance of the SRCF.

Safe failure fraction | Hardware fault tolerance (see note 1) = 0 | = 1 | = 2
< 60 %        | Not allowed (see note 3) | SIL1               | SIL2
60 % – < 90 % | SIL1                     | SIL2               | SIL3
90 % – < 99 % | SIL2                     | SIL3               | SIL3 (see note 2)
≥ 99 %        | SIL3                     | SIL3 (see note 2)  | SIL3 (see note 2)
(Safe failure fraction and hardware fault tolerance provided by subsystem manufacturer)

NOTE 1 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 2 A SIL 4 claim limit is not considered in this standard. For SIL 4 see IEC 61508.
NOTE 3 Exception, see 6.7.7.
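The two quantitative checks above, the PFHD summation and the architectural-constraint lookup, carried through as an added Python example (not code from the HSE slides or from the standard). Only the four PFHD values are the slide's; the subsystem names, safe failure fractions and hardware fault tolerances are constructed to show the case where the PFHD sum meets SIL 2 but the architecture does not.

```python
from dataclasses import dataclass

# Upper PFHD limit (dangerous failures per hour) for each SIL; BS EN 62061
# stops at SIL 3. A system's summed PFHD must be below the limit for its SIL.
PFHD_UPPER = {1: 1e-5, 2: 1e-6, 3: 1e-7}

# SIL claim limit (SILCL) by safe failure fraction row and hardware fault
# tolerance 0, 1, 2 (columns), as in sub-clause 6.6.3.3. None = not allowed.
SILCL_TABLE = {
    "<60%": (None, 1, 2),
    "60-<90%": (1, 2, 3),
    "90-<99%": (2, 3, 3),
    ">=99%": (3, 3, 3),
}

def sff_band(sff):
    """Map a safe failure fraction (0..1) onto the table's SFF rows."""
    return ("<60%" if sff < 0.60 else "60-<90%" if sff < 0.90
            else "90-<99%" if sff < 0.99 else ">=99%")

@dataclass
class Subsystem:
    name: str
    pfhd: float  # dangerous failures per hour, from the manufacturer's data
    sff: float   # safe failure fraction, 0..1
    hft: int     # hardware fault tolerance (N+1 faults lose the function)

    def silcl(self):
        return SILCL_TABLE[sff_band(self.sff)][min(self.hft, 2)]

def sil_from_pfhd(total_pfhd):
    """Highest SIL whose PFHD limit the summed system PFHD stays below."""
    return max((s for s, lim in PFHD_UPPER.items() if total_pfhd < lim), default=0)

def check_target(subsystems, target_sil):
    """Return (total PFHD, SIL by PFHD, SIL by architecture, target met?).
    The achieved SIL is the lower of the two, never above the lowest SILCL."""
    total = sum(s.pfhd for s in subsystems)
    sil_random = sil_from_pfhd(total)
    limits = [s.silcl() for s in subsystems]
    sil_arch = 0 if None in limits else min(limits)
    return total, sil_random, sil_arch, min(sil_random, sil_arch) >= target_sil

# Constructed subsystem data; only the four PFHD values come from the slide.
SLIDE_SYSTEM = [
    Subsystem("guard door interlock (input)", 1e-7, sff=0.95, hft=1),  # SILCL 3
    Subsystem("safety PLC (logic solving)", 2e-7, sff=0.92, hft=0),    # SILCL 2
    Subsystem("speed monitor (input)", 1e-7, sff=0.70, hft=1),         # SILCL 2
    Subsystem("drive contactor (output)", 2e-7, sff=0.65, hft=0),      # SILCL 1
]
```

`check_target(SLIDE_SYSTEM, 2)` reports the slide's 6x10^-7 sum as SIL 2 by PFHD, but the single-channel contactor with SFF 65 % limits the architecture to SIL 1, so the target is not met until that subsystem gains fault tolerance or a higher SFF.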
RELATIONSHIP BETWEEN BS EN 954-1 & BS EN 62061
It is assumed that subsystems with the stated category have the characteristics given below.

BS EN 954-1: Category | BS EN 62061: Hardware fault tolerance | BS EN 62061: DC | BS EN 61508: PFD threshold (per hour) that can be claimed for the subsystem, PFD(MTTF subsystem, T test, DC)
1 | 0  | 0 %        | To be provided by supplier or use generic data (see Annex E)
2 | 0  | 60 ... 90 % | 10^-5
3 | 1  | 60 ... 90 % | 10^-6
4 | >1 | 60 ... 90 % | 10^-7
4 | 1  | > 90 %      | 10^-7
WAY FORWARD
– BS EN 62061 provides a complete explanation of functional safety rationale and has been developed to take account of BS EN 954-1.
– Structured and systematic design approach from concept to reality has to be applied regardless of standard selected.
– System designers/integrators should look for subsystems “packaged” for functional safety.
– Not just logic solvers – also input sensors and output actuators.
WAY FORWARD
– Links to other existing and developing standards.
– Essential guidance on issues related to safety-related control systems at papermaking machinery provided in PABIAC publication “Making paper safely Part 6: Managing safety in the papermaking process” (Edition 2:2005).
– Liaison established between “62061” and “13849-1” to align approaches to facilitate possible future integration of both standards into a single publication (more on this later).
BEFORE FINISHING, IF TIME ALLOWS… A QUICK WORD ON SIL ASSIGNMENT
PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061
Consider the following situation at a papermaking machine…
PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061
Description of hazard: “Trapping/entanglement in the event of unexpected start-up whilst personnel attempting to remove broken paper”
Description of SRCF: “If the guard door is open, the speed of shaft rotation shall not be higher than specified”

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061
Risk estimation:
– Severity (Se) – Se = death/loss of limb = 4
– Frequency and duration of exposure (Fr) – Fr = > 1 day to ≤ 2 weeks = 4
– Probability (Pr) – Pr = possible = 3
– Probability of avoiding or limiting harm (Av) – Av = rarely = 3
PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061
SIL assignment – Probability of occurrence of harm
Cl = Fr + Pr + Av
Cl = 4 + 3 + 3 = 10
PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061
SIL assignment

Severity (Se) | Class (Cl) 3–4 | 5–7   | 8–10  | 11–13 | 14–15
4             | SIL 2          | SIL 2 | SIL 2 | SIL 3 | SIL 3
3             |                | (OM)  | SIL 1 | SIL 2 | SIL 3
2             |                |       | (OM)  | SIL 1 | SIL 2
1             |                |       |       | (OM)  | SIL 1
PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061
SIL assignment – Probability of occurrence of harm
Cl = Fr + Pr + Av
Cl = 4 + 3 + 3 = 10
“If the guard door is open, the speed of shaft rotation shall not be higher than specified”
Safety integrity requirement: SIL 2
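The Annex A assignment above as an added Python example (not part of the PABIAC presentation or of the standard's text): the class formula Cl = Fr + Pr + Av, the Se/Cl matrix, and a second pass after a risk-reduction measure. The Se, Fr, Pr and Av scores the slides give are used directly; the remaining scale values and their labels are assumed from the Annex A tables.

```python
# Parameter scales of Annex A, BS EN 62061. The slides score Se = 4,
# Fr = 4, Pr = 3, Av = 3; the other values are assumed from the tables.
SE = {"death/loss of limb": 4, "permanent/loss of fingers": 3,
      "reversible/medical attention": 2, "reversible/first aid": 1}
FR = {"<=1h": 5, ">1h to <=1day": 5, ">1day to <=2wks": 4, ">2wks to <=1yr": 3, ">1yr": 2}
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV = {"impossible": 5, "rarely": 3, "likely": 1}  # slide: impossible 5, possible/rarely 3, likely 1

# SIL matrix, rows Se 4..1, columns Cl 3-4, 5-7, 8-10, 11-13, 14-15.
# "OM": other measures recommended; None: no requirement from this matrix.
CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))
SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: (None, "OM", "SIL 1", "SIL 2", "SIL 3"),
    2: (None, None, "OM", "SIL 1", "SIL 2"),
    1: (None, None, None, "OM", "SIL 1"),
}

def harm_class(fr, pr, av):
    """Cl = Fr + Pr + Av, the class of probability of occurrence of harm."""
    return fr + pr + av

def assign_sil(se, fr, pr, av):
    """Return (Cl, required SIL) for scored Se, Fr, Pr, Av values."""
    cl = harm_class(fr, pr, av)
    for col, (lo, hi) in enumerate(CL_BANDS):
        if lo <= cl <= hi:
            return cl, SIL_MATRIX[se][col]
    raise ValueError(f"class {cl} outside the matrix")

def slide_example():
    """The papermaking guard-door SRCF as scored on the slides."""
    return assign_sil(SE["death/loss of limb"], FR[">1day to <=2wks"],
                      PR["possible"], AV["rarely"])

def reassess(se, fr, pr, av, measure):
    """Second iteration after a risk-reduction measure changes one
    parameter, e.g. measure={"fr": 3} after reducing exposure."""
    params = {"se": se, "fr": fr, "pr": pr, "av": av}
    params.update(measure)
    return assign_sil(**params)
```

`slide_example()` returns `(10, "SIL 2")`; `reassess(4, 4, 3, 3, {"fr": 3})` shows that with Se = 4 a lower exposure still leaves SIL 2, because the top severity row never drops below SIL 2 in the matrix.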
PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061
What next?
Risk estimation is an iterative process; this means that the process will need to be carried out more than once. This should ensure that residual risk is effectively minimised.
Thank you
…..ANY QUESTIONS??