Functional safety of collision avoidance systems in mines - Marcus Punch
Slide 1
February 2011. Copyright 2010.
Functional Safety of Proximity Detection and Collision Avoidance Systems in Mines
Presented by
Marcus Punch
TÜV FSExpert (Machinery), ID:154/10
Marcus Punch Pty. Ltd
Risk and Reliability
Mobile: +61 (0)432168849
Email: marcus@marcuspunch.com
Web: www.marcuspunch.com
Slide 2
Marcus Punch Pty. Ltd. www.marcuspunch.com
Risk and Reliability 0432168849
February 2011. Copyright 2011.
This material may be copied or reproduced by the recipient, provided that the markings of Marcus Punch Pty. Ltd. as the source remain in place.
Objectives
The objectives of this presentation are:
- To prepare the end-users (mine personnel) for the rest of the seminar, so that you know what questions to ask the manufacturers / designers / suppliers.
- To give an appreciation of the regulatory environment and the obligations on mines and manufacturers / designers / suppliers regarding functional safety.
- To provide guidance on how the functional safety approach may be undertaken when proximity detection and collision avoidance technologies are to be used for risk reduction in mines.
Slide 3
MINE: Requisite Standard of Care
NSW Coal Mine Health and Safety Regulation 2006, Clause 13:
- Clause 13(1)(e)(v): ... to provide electrical safeguards for electrical and non-electrical hazards, with a probability of failure appropriate to the degree of risk posed by the hazard.
- Clause 13(1)(f)(viii): ... to provide safeguards for mechanical plant and installations, with a probability of failure appropriate to the degree of risk posed by the hazard.
NSW DPI Legislation Update LU07-05 (CMH&SR2006) mandates the use of AS61508, AS62061 and/or AS4024 to fulfil these requirements.
MDG15 (Guideline for Mobile and Transportable Equipment for Use in Mines) Amendment No.2, Clause 2.4.6.1: “The appropriate integrity level or category level shall be applied to safety critical systems in accordance with AS 4024:1501 & 4024:1502, AS/IEC 62061, AS/IEC 61508 or other similar standards”.
Slide 4
MINE: Go Back to Basics
... safeguards .... with a probability of failure appropriate to the degree of risk posed by the hazard.
That is, for each plant installation:
1. What are the hazards?
2. What is the risk posed?
3. What are the safeguards to be used against the hazards?
4. What is an appropriate probability of dangerous failure to be specified for those safeguard/s?
5. Will the specified probability of dangerous failure of the safeguard/s be achieved?
Slide 5
SUPPLIERS: Requisite Standard of Care
NSW OH&S Act, Part II, Division 1, Clause 11:
A person who designs, manufactures or supplies any plant or substance for use by people at work must
(a) ensure that the plant or substance is safe and without risks to health when properly used, and
(b) provide, or arrange for the provision of, adequate information about the plant or substance to the persons to whom it is supplied to ensure its safe use.
NSW OH&S Regulation, Chapter 5, Part 5.2, Division 2, Clause 99:
Importers of plant manufactured outside the State are to ensure that the manufacturer’s responsibilities are met.
NOH&SC Safe Design Project 2001, pages 17-18:
Standards, guidelines and codes of practice may be used as evidence of what a reasonable duty holder would do to comply with the legal obligation for which the document provides guidance.
Slide 9
MINE: Concept and Scope Stage
Develop a Functional Safety Management Plan:
1. Describe the overall policy and strategy to achieve the functional safety requirements.
2. Identify the relevant safety lifecycle activities that are to be conducted.
3. Identify the persons and organizations responsible for carrying out the safety lifecycle activities.
4. Identify the procedures for recording and maintaining information relevant to functional safety.
5. Describe the overall strategy to achieve functional safety for the application software.
6. Describe a strategy for configuration (engineering change) management.
7. Establish the need for a verification plan.
8. Establish the need for a validation plan.
Slide 10
MINE: Hazard and Risk Analysis
Aim: Identify hazards, assess risk, determine safeguards.
- List all items of mobile/moving plant on site.
- Consider all potentially dangerous interactions:
  - Machine-to-Machine.
  - Machine-to-Person.
  - Machine-to-Infrastructure.
- Assess consequences and likelihood of each; use your standard risk assessment procedures and risk matrix.
- Also refer to the risk assessment process and techniques in MDG1010 and MDG1014.
- Use the hierarchy of risk controls to determine the most effective and appropriate risk controls.
- Remember: hazard elimination / substitution trumps an engineered electronic protection system.
Slide 11
MINE: Hazard and Risk Analysis
The following collision hazards are ones where risk ‘elimination’ or ‘substitution’ may be an option:
Manned dozer falls into coal valve – fatality.
- Option 1 (Prevention): Collision avoidance, but at SIL3.
- Option 2 (Substitution): Remote control dozer.
HV / HV head-tail collision (reversing / rear-ender) – fatality.
- Option 1 (Prevention): Collision avoidance, but at SIL2.
- Option 2 (Elimination): Re-design to prevent nose-to-tail collisions crushing a driver’s cabin.
Slide 12
MINE: Hazard and Risk Analysis
HV / HV head-head collision (drive-by, opposite directions).
- Option 1 (Prevention): Collision avoidance, but at SIL2.
- Option 2 (Substitution): One-way or divided traffic flows on mine roads used by heavy vehicles.
Slide 13
MINE: Safety Requirements Allocation
If possible, attempt one of the ‘quantitative’ or semi-quantitative methods of SIL allocation, per AS61508-5. These methods include:
- Fault Tree Analysis (FTA).
- Event Tree Analysis (ETA).
- Layer of Protection Analysis (LOPA).
Absolutely avoid the temptation to skip this step and just specify everything as SIL2 etc. SIL allocation is an opportunity for us to think more deeply about hazards and the sequence of events that leads to harm.
And always keep the following in mind:
- What is my ‘tolerable risk target’? Is it reasonable? How will I justify it?
- Can I reasonably achieve a lower target for certain hazards?
- The hierarchy of risk controls: is hazard elimination / substitution still possible?
- Will my risk be ALARP with all safeguards in place?
Slide 14
MINE: Safety Requirements Specification
The Safety Requirements Specification (SRS) is the key interface between the ‘analysis’ and ‘realisation’ stages.
The specification should fundamentally address the following:
- Functional requirements and safety integrity (i.e. SIL) requirements for the electrical / electronic safety-related systems.
- Functional requirements and safety integrity (i.e. CAT) requirements for the ‘other technology’ (i.e. mechanical, hydraulic, pneumatic, etc.) safety-related systems.
- Information on the other risk reduction facilities to be used (e.g. guards, exclusion zones, procedures, etc.).
See AS61508-2 Clause 7.2 for a full checklist of what should be included in the specification.
Slide 15
MINE: Safety Requirements Specification
Any argument or dispute arising from a supplier’s assertion or opinion that they do not need to comply with AS61508 / AS4024 / AS62061 can be avoided if the contract requires compliance and the payment schedule is linked to successful delivery.
The Safety Requirements Specification (SRS) should therefore be clear and unambiguous, reference the key requirements of the standards, and be a core part of the Statement of Work (SOW) and the contract of supply.
Simply stating “...the supplier shall comply with AS61508”, or words to that effect, is not enough.
- Ask the suppliers if they agree in principle that they are obliged to comply with the functional safety / machinery safety standards!
- Ask them if they have already implemented (or are in the process of implementing) a design approach based on one of the relevant standards!
- Ask the suppliers if they sell into the EU, and if so, whether their products comply with Machinery Directive 2006/42/EC!
Slide 16
SUPPLIERS: The AS61508/AS62061 Approach
Under AS61508 and AS62061 the following fundamental aspects are to be demonstrated in order to substantiate a SIL claim for each safety function:
- Probability of Failure Prediction, appropriate to the ‘demand’ mode:
  - Probability of Failure on Demand (low demand).
  - Probability of Dangerous Failure per Hour (high / continuous demand).
- “Architectural” SIL Claim Limit, based on:
  - Hardware Fault Tolerance.
  - Safe Failure Fraction.
  - System Type.
- Systematic Failure Avoidance and Control:
  - General requirements on system performance, design techniques and activities that shall / should be undertaken (see AS62061 and AS61508 Parts 2, 3 & 6).
Ask the suppliers what SIL capability they claim for their product/s and how they can prove it to you!
Slide 17
SUPPLIERS: A New Approach
AS61508:1999/2001 is based on IEC61508:1998. IEC61508:1998 was updated in 2010 as IEC61508:2010. This standard is now under review by a Standards Australia committee for adoption as AS61508:201?.
Under IEC61508:2010 there are now two (2) routes available for SIL verification, including a ‘proven-in-use’ approach (Route 2) for the verification of safety devices with previous field use.
A legal precedent exists concerning the status of international and draft Australian standards: see Engineers Australia, March 2009 issue, pages 38-39.
Slide 18
SUPPLIERS: A New Approach
Route 1 (‘probabilistic’ and ‘deterministic’ verification of un-fielded / new design):
- As per AS61508 requirements (shown on previous slide).
Route 2 (‘proven-in-use’ verification of fielded / existing design):
- SIL2 (high demand) and SIL3 only allowed for redundant designs.
- SIL2 (low demand) and SIL1 allowed for non-redundant designs.
- All devices containing programmable logic elements must be capable of detecting ≥60% of dangerous failures.
- Dangerous failure probability to be calculated on the basis of field feedback data (at 90% confidence).
- ‘Proven-in-use’ argument to be made for all hardware and software.
Ask the suppliers what SIL capability they claim for their product/s and how they can prove it to you!
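To make the field-feedback condition of Route 2 concrete, here is an added Python illustration (not from the presentation or any supplier) that derives the 90% one-sided upper bound on a dangerous failure rate from constructed field hours and observed failures, then applies the Route 2 conditions listed above. The use of that bound directly as a single-channel PFH / PFDavg figure with no credit for redundancy, and the SIL band limits from IEC 61508-1, are simplifying assumptions stated in the code.

```python
import math

# Upper limit of each SIL band (IEC 61508-1): PFH per hour (high demand), PFDavg (low demand)
PFH_LIMIT = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}
PFD_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

def poisson_cdf(k, mean):
    """P(X <= k) for a Poisson variable with the given mean (exact, pure Python)."""
    term, total = math.exp(-mean), 0.0
    for i in range(k + 1):
        total += term
        term *= mean / (i + 1)
    return total

def failure_rate_upper_bound(failures, hours, confidence=0.90):
    """Highest failure rate (per hour) still consistent with seeing no more than `failures`
    events in `hours` of field operation, at the given one-sided confidence. This is the usual
    chi-square / Poisson bound; with zero failures it equals -ln(1-C)/hours (about 2.3/T at 90 %)."""
    lo, hi = 0.0, 10.0 * (failures + 1) / hours      # hi is well above any plausible answer
    for _ in range(200):                             # bisection on a monotone function of the rate
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid * hours) > 1 - confidence:
            lo = mid                                 # rate too low: <= r failures is still likely
        else:
            hi = mid
    return hi

def route2_screen(sil, demand_mode, redundant, programmable, diagnostic_coverage,
                  dangerous_failures, field_hours, proof_test_interval_h=8760):
    """Apply the Route 2 conditions from the slide; returns (ok, reasons, achieved figure).
    Assumption: the 90 % bound on the dangerous failure rate is used as-is for a single-channel
    PFH, or halved over the proof-test interval for PFDavg, taking no credit for redundancy,
    so the screening figure is conservative."""
    reasons = []
    if not redundant and (sil == 3 or (sil == 2 and demand_mode == "high")):
        reasons.append(f"SIL{sil} ({demand_mode} demand) under Route 2 requires a redundant design")
    if programmable and diagnostic_coverage < 0.60:
        reasons.append("programmable logic element must detect >= 60 % of dangerous failures")
    rate_90 = failure_rate_upper_bound(dangerous_failures, field_hours)
    if demand_mode == "high":
        achieved, limit = rate_90, PFH_LIMIT[sil]
    else:
        achieved, limit = rate_90 * proof_test_interval_h / 2, PFD_LIMIT[sil]
    if achieved >= limit:
        reasons.append(f"90 % field-data figure {achieved:.2e} is not below the SIL{sil} limit {limit:.0e}")
    return not reasons, reasons, achieved

if __name__ == "__main__":
    # Constructed field return: 3,000,000 unit-hours on a redundant, programmable proximity sensor
    for observed in (0, 1):
        ok, why, fig = route2_screen(sil=2, demand_mode="high", redundant=True, programmable=True,
                                     diagnostic_coverage=0.7, dangerous_failures=observed, field_hours=3e6)
        print(f"{observed} dangerous failure(s): {'passes' if ok else 'fails'} {why} (PFH figure {fig:.2e})")
```

A single reported dangerous failure in the constructed 3,000,000 hours moves the 90% bound from about 7.7e-7/h to about 1.3e-6/h and tips the SIL2 high-demand screen from pass to fail, which is why the maintenance-side logging of real failures matters to a proven-in-use claim.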
Slide 19
MINE/SUPPLIER: The Relationship
- System designers and suppliers of safety devices are not exempt from the safety lifecycle. If they are responsible for a portion of the safety lifecycle then they need to be aware of and achieve the requirements.
- Audits by the supplier and on the supplier should be performed and documented to ensure compliance.
- For the process to work past Phase 5, the scope of supply needs to be clear, responsibilities known and the SIL / CAT targets and other requirements stated, as part of the contract.
- The key document is the Safety Requirements Specification.
- A safety validation (Phase 13) should be conducted during / after commissioning to ensure that the requirements of the Safety Requirements Specification are met. (See AS62061 Clause 8.)
Slide 20
MINE/SUPPLIER: The Relationship
Designers, manufacturers and suppliers should be expected to produce information sufficient to allow independent verification that the safety requirements have been met within their scope of supply, such as:
1. Safety-related system architecture and detailed design.
2. PFD / PFH and SIL Claim Limit calculations, design FMEA and supporting data.
3. Evidence of compliance to systematic failure avoidance and control (for SIL) or equivalent (for CAT).
4. Documentation of Safety Lifecycle activities undertaken.
5. “Information for use” per AS62061 Clause 7.
All of this is consistent with the designer / manufacturer / supplier obligations under NSW OH&S Act, Part II, Division 1, Clause 11.
Ask the suppliers if they have this information available now!
Slide 21
MINE/SUPPLIER: The Relationship
IEC61508-2:2010 Clause 7.4.9.7, Note 2:
“There may be commercial or legal restrictions on the availability of evidence. These restrictions are outside the scope of this standard. If such restrictions deny the functional safety assessment adequate access to the evidence, then the element is not suitable for use in E/E/PE safety-related systems”.
Ask the suppliers if they will provide access to all evidence of compliance!
Slide 22
MINE: Operations Responsibilities
At the end of commissioning, ‘operations’ must take operational ownership of the SRS.
- Operations must be satisfied that the SRS and risk reduction facilities are all tested and operational.
- The Operators should have an understanding, via formal training and/or commissioning exposure, as to the extent and functionality of the SRS.
Key Issue: Operator awareness, understanding and competence.
Slide 23
MINE: Maintenance Responsibilities
The Maintenance personnel have the following roles:
- Perform preventative / periodic maintenance on the risk reduction measures.
- Perform functional tests as per the PFD / PFH calculation results.
- Respond to reported failures.
- Be aware of what other protection layers are in place.
- Log the functional test results and any failure details so that ‘real’ equipment failure rates can be documented.
Key Issue: Compliance to maintenance requirements.
Slide 24
MINE: Engineering Responsibilities
This “owner” has several responsibilities:
- Single point of contact regarding the ‘state’ of the SRS.
- Advising other personnel as to modifications, functionality, procedures etc.
- Audits on procedures.
- Ensuring spares and technical support are available.
- Ensuring security / passwords are current.
- Ensuring any conditions of use are complied with.
- Configuration (engineering change) management.
Key Issue: Control of engineering changes.
Slide 25
Finally, a short note about the possible...
Other industries have dealt with the dual issues of compliance to the functional safety approach and the introduction of proximity detection & collision avoidance technologies.
Rail industry suppliers, through considerable ‘encouragement’ by railway owners, have pioneered ‘collision avoidance’ protection for trains. The suppliers are now able to deliver systems that have been independently certified to SIL4.
This happened because the customer demanded it and was willing to pay for it, and the supplier saw the future competitive advantage to be gained by complying.