Safety by Design: Soft Safety, Safe PLC and Integrated Drive Technology

Safety by Design: Soft Safety
(Safe PLC and Integrated Drive Safety)

CMA/Flodyne/Hydradyne
Safety by Design Technical Symposium 2010
April 13th-14th, 2010
Gary Thrall, BRUS/ETC

Safety by Design - Drive for Technology Symposium 2010
Standards

Challenge
New Machine Directive 2006/42/EG PFH
Change of standards PL SIL
- EN 954-1 is going to be replaced Safety Plan
- Probabilistic approach
- Functional Safety Management Software Testing
- Safety requirements for application
programming
Safety concept of all machines to be used Validation & Verification
after Nov 2011 needs to be revised
From the user standpoint

Electric Drives and Controls 2008-03-06; BRC/PRM3; J. Ost 2
© Alle Rechte bei Bosch Rexroth AG, auch für den Fall von Schutzrechtsanmeldungen. Jede Verfügungsbefugnis, wie Kopier- und Weitergaberecht, bei uns.

Standards

How to avoid any hazard ?
The European Machine Directive
(MRL) requires
that the operation, set-up,
maintenance of a machine
does not lead to any hazard
avoidance or minimization of
the hazard
additional measures if the
hazard can‘t be eliminated
information about the
remaining risk

The machine builder has to prove
that everything was done that has
to be done



Harmonized European Standards
Presumption of conformity
- Fulfilling harmonized standards the machine builder can assume
that the safety aspects of the machine directive are met
State of the Art
- The manufacturer should be sure that the used measures /
technology are state of the art

Type A Basic Standards
Standards ISO 12100 (Principles and Definitions for all Machines)
ISO 14121

EN 954 Type B1
IEC 62061 IEC 60204
ISO 13849 Superior Safety Aspects
Type B
Standards
EN 574 EN 418 EN 61496-1 Type B2
Two-Hand Emergency Stop Safety light curtains Requirements for Safety Devices

Printing Machine tools Presses Packaging
Type C Type C
EN 1010 EN 12417 EN 692 EN 415
EN 12415 EN 693 Specific Requirements
Standards for specific machines
EN 12478


Standards

Change of Standards

European Machine Directive
98/37/EG 2006/42/EG

January 2012
Machine Builder

EN 954-1
Valid Standard Period 3 years invalid

EN ISO 13849-1 Transition
Valid Standard
November 2006 November 2011
EN 62061
Valid Standard
January 2006
Components

EN 61800-5-2
Valid Standard
November 2007
IEC 61508
Valid Standard


Standards

Change of Standards

Standards
Safety on Machines

Technology

Source: TÜV Rheinland


Standards

Change of Standards – Shortcomings of EN 954

Standards intended for complex and programmable electronic Systems
Is not
SafetyFailure Models are not adapted to complex electronic (µC, ASIC’s)
on Machines
Does not consider all aspects of the functional safety
- Failure avoidant safety measures
- Avoidance and control of systematic failures
- Documentation
- Validation
Does not take the probability of dangerous failure into consideration
- categorizes the structural design of safety relevant parts
(hardware) and their reliability and therefore the resistance
against failures and the behavior in case of a failure only

Technology


Standards

Factory Automation Process Industry
Electric, electronic and
programmable electronic
control systems (E/E/PES)
C-Standards
C-Standards
EN 12417
EN 12417
EN 12415
EN 12415
EN 1010
EN 1010
EN 415
EN 415
…..
….. EN 62061
EN 62061 EN IEC 61511
EN IEC 61511
Safety of Machines
(all technologies)

Two competing standards
EN ISO 13849-1 Does this help building IEC 61508
EN ISO 13849-1 IEC 61508
machines safer?
Machine Builder Vendor

EN 954-1 Invalid after DIN VDE 0801
DIN VDE 0801
EN 954-1
Oct. 30th, 2011

Standards

Change of Standards

EN ISO 13849-1:2006
+

Deterministic Probabilistic
EN 954-1 IEC 61508

Proven Methods New Concepts

safety functions quantification: reliability
risk graph and testing quality
categories (structure) failures of common
cause


Standards

What’s necessary to make a machine safe?

Risk
Inherent Process Risk
Risk = Severity x Probability
Change of
Process Design
The higher the contribution to risk reduction
The higher the contribution to risk reduction
Additional Measures the more resistant the safety function must
the more resistant the safety function must
be, that means the small probability of
be, that means the small probability of
dangerous failure is allowed!
dangerous failure is allowed!
Safety
Instrumented
System

EN 62061
residual risk
which is accepted by public IEC 61508
EN 61800-5-2

EN ISO 13849-1:2006


Standards

Safety Integrity Level Probability of dangerous Performance Level
SIL failure per hour (1/h) PL
IEC 61508 PFHd ISO 13849
- >= 10-5 to 10-4 a

ISO 13849
IEC 62061

1 >= 3 x 10-6 to 10-5 b
1 >= 10-6 to 3 x 10-6 c
2 >= 10-7 to 10-6 d
3 >= 10-8 to 10-7 e
4 < 10-8 -

electrical, electronic and Safety-related Parts of Control System
programmable electronic control of all Technologies
Systems
Simplified Estimation (worst case)
calculation formula regarding to:
for subsystem architectures HW Structure (Category like EN 954)
Diagnostic Coverage (DC)
Reliability MTTFd
Failure of Common Cause (CC)

Safety Software Requirements
Measures for control and avoidance of systematic failures

Standards

Simplified V-model of software safety life-cycle (Annex J)
General requirement: readable, understandable, testable, maintainable

Safety Safety related Validation Validated
Functions Software Validation Software
Specification specification

System Integration
design Testing
Verification Software
Specification:
- erroneous interpretation Module Module
- avoiding gaps Design Testing
- precisely defining conditions
- all the possible cases are handled
- consistency tests Verification Coding:
Coding
- the different parameterizing cases Programming Guide Lines
- the reaction following a failure
Verification
Output


Standards

Software Safety Requirements (Extract)
PL c to e
- Software design
– State diagram or program flow chart
Safety – Modularrelated structured programming
Safety and Validation
Validated
Functions Software Validation
– Function blocks of limited size of coding
specification
Software
Specification
– Code execution inside FB should have one entry and one exit
point
System Integration
– Architecture: input –> processing ->Testing
design output
– Assignment of a safety output at only one program location
– Techniques Modulefor detection of external failure and for defensive
Module
programming Design Testing
– Safety related and non-safety related application Software shall
be coded in different function blocks with well-defined data links
Coding
– No logical combination of non-safety and safety related data that
lead to downgrading of the integrity level (e.g. no OR allowed)


Standards

Harmonization of International Standards

North America Europe

ISO 12100 / ISO 14121

OSHA Machine Directive
ISO 13849-1

ANSI/PMMI B155.1 EN ISO 13849-1
IEC 61508
ANSI B65.1 EN 62061
NFPA 79:2007 EN 60204
etc. IEC 60204

IEC 62061

IEC 61800-5-2


Standards

NFPA 79: 2007 (examples from Annex A)
- A9.2 Information on the safety-related aspects of control
functions is under consideration within IEC 62061 and ISO
13849 (revision)
- A9.4.1 IEC 62061, ISO 13849-1, ISO 13849-2 and ANSI
B11-TR4 give guidance on design according to the
determined risk reduction in the risk assessment.
- A9.4.3.2 IEC 62061, ISO 13849-1, ISO 13849-2 provide
requirements for the design of control systems incorporating
the use of software- and firmware-based controllers to
performing safety-related functions. IEC 61508 provides
requirements for the design of software- and firmware-based
safety controllers. IEC 61800-5-2 and IEC 61508 give
guidance to the drive manufacturer on the design of drives
intended to provide safety functions.


Standards

NFPA 79:2007
- 9.2.5.4.1.4* Where a Category 0 or Category 1 stop is used for
the emergency stop function, it shall have a circuitry design
(including sensors, logic, and actuators) according to the
relevant risk as required by Section 4.1 and 9.4.1. Final
removal of power to the machine actuators shall be ensured
and shall be by means of electromechanical components.
Where relays are used to accomplish a Category 0 emergency
stop function, they shall be non retentive relays.
Exception: Drives, or solid state output devices, designed
for safety-related functions shall be allowed to be the final
switching element, when designed according to relevant
safety standards
(Annex A refers to the European Standards)
A.9.2.5.4.1.4 IEC 61508 and IEC 61800-2 - Designed for Safety
Without this design confirmation the system will still require the
electromechanical means of final disconnect.


Standards

ANSI/PMMI B155.1
- This version of the standard has
been harmonized with
international (ISO) and European
(EN) standards by the introduction
of hazard identification and risk
assessment as the principal
method for analyzing hazards to
personnel and achieving a level of
acceptable risk. This version of the 1)
standard is a major revision that
integrates the requirements of
ISO 12100 parts 1 and 2, and ISO
14121, as well as U.S. standards.
Suppliers meeting the requirements
of ANSI/PMMI B155.1:2006 may
simultaneously meet the
requirements of these three ISO 1) Risk Scoring like ISO 13849
may be used.
standards.

Standards

ANSI/PMMI B155.1
- 7.2.8 Programmable electronic systems (PES) used in safety
functions
– 7.2.8.1 General
PES may include a programmable logic controller (PLC),
servo motion controller, computer numerical control (CNC),
personal computer, human-machinery interface (HMI) or
programmable limit switch (PLS). American National
Standard ANSI/PMMI B155.1-2006 Page 29. A PES can
be applied to safety functions when the design and use of
the system meets the requirement(s) of the risk
assessment. The design measures of the PES shall be
chosen so the safety related performance provides
adequate risk reduction per ISO 13849-1, and meets the
appropriate safety integrity level (SIL) per IEC 62061. The
PES shall be installed and validated to ensure that the
specified performance for each safety function has been
achieved. See also SIL in IEC 61508-5, IEC TR 61508-0..

Standards

ANSI/RIA/ISO 10218-1-2007 (Robots for Industrial Environment –
Safety Requirements) Part 1 – Robots
- In 2007, according to Roberta Nelson Shea, U.S. robot users
may soon gain greater access to these and other emerging
technologies. That will come with the approval by ANSI - the
American National Standards Institute - of ISO 10218 Part 1,
an international robot safety standard that was published last
June by the International Organization for Standardization
(ISO)...
- Approved by ANSI 8/17/2007 as ANSI, RIA, and ISO standard


Standards

Benefits of Harmonization of International Standards
End User
- Same standards for machines sourced worldwide coming
into their plant
- Multi-nationals can use same standards for plants at
locations worldwide
Machine builder
- Same standards for users worldwide – reducing need for
design variants
Equipment and Component suppliers
- Same standards for users worldwide – reducing need for
certification to different (and in the past sometimes
conflicting) standards
All
- Same methodologies defined by IEC-61508 to be used in
all industries and applications


Standards

Listed Testing Laboratories by the Occupational Safety and Health
Administration (OSHA)

Standards approvable by NRTL

NRTLs listed by OSHA


Integrated Safety on Levels of IndraMotion

Challenge
New Machine Directive 2006/42/EG PFH
Change of standards PL SIL
- EN 954-1 is going to be replaced Safety Plan
- Probabilistic approach
- Functional Safety Management Software Testing
- Safety requirements for application
programming
Safety concept of all machines to be used Validation & Verification
after Nov 2009 needs to be revised
From the user standpoint
Chance
Make it right from the beginning. Upgrade it to state of the art
Modern safety technology offer advantages for machine builders
and end users
International harmonized standards make global business easier
since ANSI refers on newer IEC standards
Using certified components makes life easier


Safety on Board offers a simple and safe implementation of functional
safety in accordance with safety standards and keeps the availability of
the machine at the highest level
SafeLogic increases the flexibility of the safety application
SafeMotion raises the productivity of the machine

Safe Process
Flow Control
Control
Safe Processing

Transmission
Safe Data
Network
Safe Communication

Safe Movement
Drive
Avoidance of unintended movement



Drive based Safety Functions

Safely monitored Deceleration
Safe Torque Off
Safe Operational Stop
Safe Stop 1
Safe Stop 2
Safely limited Speed
Safe Maximum Speed
Safely limited Increment
Safe Direction
Safely limited Position
Safe Position Switches
Safe Homing Procedure
Safe Door Locking
Safe I/O interface for Safety-PLC
Safe Braking and Holding System



Safe Braking and Holding System – A New Milestone!

Fall protection on axes with gravity loads
World’s only onboard solution which
complies with EN 954-1 Category 3
Two independent brakes separately
controlled and monitored by redundant,
diverse channels in the drive
Escalation strategy to protect the
mechanical subsystems
Applications
Presses
Reel Stands
Loading gantries
Vertical guard doors
…

Electric Drives and Controls 2008-03-08;
2008-03-06; BRC/PRM3; J. Ost 25


Safety On Board with IndraDrive

Dynamization

3 principles are realized to detect latent failures
Dual channel data operation with diversity
Cross data comparison of safety related functions
Dynamization of static modes



IndraDrive Certificates – For global Business!
SIBE Certificate accepted by TÜV Rheinland
- EN 954-1, ISO13849-1:1999
NRTL listing by TÜV Rheinland North America
- NFPA 79, UL 508C, CAN/CSA C22.2,
ISO 13849-1:1999
IEC 61508 certification by TÜV Rheinland and TÜV
Rheinland of North America in work
- IEC 61508, IEC 61800-5-2, ISO 13849-1: 2006
- with MPx06Vxx in 4Q/2008
- S2, L2 control units
IndraDrive Mi and IndraDrive Cs with
safety technology
- Expected availability: 2010

Electric Drives and Controls 2007-11-05; BRC/PRM3; J. Kobs
2008-03-06; BRC/PRM1; G.Ost 27


IndraDrive with Safety Functions – A Convincing Technology!

Safety Technology made by the experts having more
than 8 years field experience
Scalable Safety Functions minimize the potential of
tampering and therefore reduce the hazard for injury
caused by bypassing the safety measures
Increased productivity by reducing downtime
Online Testing (Failure Detection) during runtime
Cost savings by reduction of external components and
wiring
Minimal Movement in case by detecting failures within
2ms
High reliability due to a encapsulated, certified solution
Independent, whether wired, or with or without a safety
PLC



Example Printing

Safety Functions
“ASP“ used for E-Stop and
“Stop/Locking“. (Machine stop
synchronized by the virtual master
axis)
Safe Operational Stop when guards
are open
Safely limited speed in combination
with safe direction for jogging
forward and backward



Example Printing

“ASP“ used for E-Stop and “Stop/Locking“.
(Machine stop synchronized by the virtual master
axis)

Safe operational stop at printing
cylinder for sleeve change

Safely limited speed for cylinder
washing or jogging with open
guards



Example printing
Tool plate could come off
Safe Mode:
if centrifugal force
- Safe Drive Interlock (ASP) becomes higher than
- Safe Operational Stop (SBH) magnetic force
- Safely limited Speed (SBB)
- Safely limited Speed with Safe Direction
Normal Operation:
- Safe Maximum Speed


Modern Safety Technology on Machines

Flexibility

Safety-Field bus

connection to periphery
E30 E1
E1
E30

E1

E1 Safety-Installation bus

also parameterizable,
modular Safety Modules

Complexity
A B C D


Directly Hooked up to the Drive (A)
No-Safety PLC
Door interlock can be controlled by the drive
Connection to periphery
Both channels discrete wired
- Requires open-contactor and
antivalent signals (may require relays
with ESPE, E-Stop, Enabling)
One channel via the command variable
- Requires open-contactor (may require
relays with ESPE)
Diagnosis
By reading drive parameter
In case of direct wiring of both channels
extra wiring to the controller necessary for
detailed information
A



Directly Hooked up to the Drive (A)

Discrete inputs allow multiple safety functions
ASP
Operation Mode (normally series
connection of all safety devices which put
the drive in SBH
Enabling
SB1 / SB2 switch

When to use?
Small machine with limited safety
functions
Just wiring and parameterization of the
drive

A



Safety Modules (B)
No-Safety PLC
via Safety Modules
- One channel direct wired
- One channel via the command
E1
variable
E30 (Parameterizeable) Safety Modules can
offer the possibility to build groups
(simple “AND” “OR”) at reduced wiring
efforts
E1
Diagnosis
also parameterizable, Safety Modules offer diagnosis
capabilities which might be linked to the
standard control via field bus
B



Safety Modules (B)

Discrete inputs allow multiple safety
functions
ASP
connection of all safety devices
E1
which put the drive in SBH
E30
Enabling
SB1 / SB2 switch

E1
When to use?
Small machine with less
also parameterizable, complex safety functions
Just wiring and parameterization of
the drive
B



Safety Modules (B) - Example

Euchner SK

qTür_Arbeitsraum_entreiegln
PLC Drive Drive

qAx_SafOpModeSwitch (E2)
qNormal_operation
Diagnosis & Diagnosis &

qDynam (EA30)
Dynamization Dynamization-
Master Slave

EA10n

EA20n
EA10n

EA20n

EA30
EA30

E2n
E2n
PNOZ Load door

K11

K12

Euchner TZ

K11 K12

K21 K22
PNOZ Work space door
K30

K21

K22



Safety Modules with limited logic processing functionality (C)

Safety Controller with limited capabilities
(Parameterizable) Safety Controller can
offer some logic processing capabilities
Limited number of I/Os
Connection to periphery E30 E1
via Safety Controller
- One channel direct wired
- One channel via the command E1
variable
Installation bus reduces wiring efforts
Diagnosis Safety-Installation bus

Safety Modules offer diagnosis
capabilities which might be linked to the
C
standard control via field bus



Safety Modules with limited logic processing functionality (C)

Discrete inputs allow multiple safety
functions
ASP
connection of all safety devices
E30 E1
which put the drive in SBH)
Enabling
SB1 / SB2 switch
E1

When to use?
Machines with mid-range Safety-Installation bus
complexity
Wiring and parameterization of the
drive and safety processing unit
C



Safety Modules with some logic processing functionality (C)
Euchner TP3 PLC IndraDrive IndraDrive IndraDrive

iAx_SafCtrlOutputState (A10)

qAx_SafOpModeSwitch (E2)

qDynamization (EA30)
Diagnosis & Diagnosis & Diagnosis &
Dynamization Dynamization Dynamization
Master Slave Slave

qDoor_Lock

EA20n
EA20n

EA20n
EA10

EA30
EA10

EA30
EA30

EA10
E2n

E2n
E2n
+24V

+24V

PNOZ i0 i1 i2 L1 o4
Multi
i5 i6 i3 o0 i4
-A1

+24V

Example for a drive group

Simple wiring recommendations for drive groups

Special connector kit for
9 pin ribbon cable
going over from standard wiring
to 9 pin ribbon cable

Hardwiring from safety relays to
9 pin ribbon cable
Ease of use by
crimp connectors
Ease of diagnostics by
24Volt signals
Standard wiring


Safety Modules with some logic processing functionality (C)



EStop Door 1 Door 2 Door n

Sicherer Sicherer Sicherer Sicherer
AS-i Slave AS-i Slave AS-i Slave AS-i Slave

IndraDrive IndraDrive IndraDrive IndraDrive

EA30
EA30

EA30

EA30

E1n
E2n
E3n
E1n
E2n
E3n

E1n
E2n
E3n

E1n
E2n
E3n
AS-i
EStop Safety
Monitor

AS-i
Protection Safety
Area I/O Monitor

Enable AS-i
Safety
Monitor

iEnable
Consent

iProtection_Area_not_IO PLC
iEStop
qDynamization



Programmable Safety Control (D)

Programmable Safety Controller
Flexible (IEC61131-1) programming
- FBs Safety-Field bus

- OEM libraries
“unlimited” number of I/Os
Safety-I/O
- Built-in diagnosis
Safety Field bus
- Standard, Safety-I/O and Drive on one
field bus
- reduces wiring efforts
Diagnosis
D
Implicit diagnosis of the Safety-I/Os
within the standard diagnosis


Programmable Safety Control (D)

Safety-Field bus allows unlimited
safety functions
Boolean Control and Status Bits Safety-Field bus
Feedback and Command values
Drive as I/O unit

When to use?
Machines with higher complexity
Common powerful diagnosis
Common engineering
Programming of safety functions
(instead of wiring)

D



Why a Safety-PLC is not enough!
However
- Many machines can be done without a Safety-PLC
- Bosch Rexroth can offer real safe motion which is the key to
increase the productivity and safety, since the operator can
do his job, he does not get hindered and motivated to tamper
the safety measures.
- There are alternative concepts possible even with a
competitors PLC
Our competitors may offer a Safety-PLC
- But they can’t offer safe drives which provide more than a
safe stop or standstill
- There is no alternative available
Bosch Rexroth is on it’s way to offer an integrated Safety-
Control for all system solutions and all platforms



Why Safe Logic Processing?
Complex machines with
Multiple access areas
Multiple safety zones
Multiple operation panels
Fine-scaled safety functions
Escalated reaction rather than
always shutting down
Safety Levels regarding the
authorization Levels of
Machine operator
Maintenance people
Cleaners
Service
Maintenance
Personnel Versatility
Cleaners
Modular machine design
Machine
Service Operators Tailored to customer preferences


Traditional Solutions offer Potential for Improvements
Failure detection
Minimizing the residual risk
Standard Safety Wiring
Control Control
Cost cutting of hardware and
soft costs
Different
Engineering Tools Interfaces
Additional Safety
Reduction of interfaces and
Data Exchange IO minimizing the data exchange
and programming effort
Standard
Discrete Signals
IO Auto Set-up
Availability
Limit safety
Functions Integration of the drive based
safety functions in the overall
engineering (diagnosis)
Validation
+
+ Effort reduction by using
certified functions
SafeMotion
SafeMotion -


Integrated Solutions – Standard and Safety merge together

One certified automation system
Standard
MC
Safety
SI Standard + Safety
Control Control
SafeLogic One certified engineering system
Standard + Safety
One certified communication system
Safety
IO Standard + Safety

Standard Certified FBs to represent the drive
IO Auto Set-up
based safety functions in the PLC
Certified FBs for analysis of the
safety periphery
SI
Data exchange between motion and
+
+ safety on system level
SafeMotion
SafeMotion -


Flexible connection of all components via one single network

Standard Safety Control
Control
IO
Safety I/O
Drives
Safety
IndraWorks SafeLogic
SafeLogic Safety Drive
Engineering Control
IO
IndraControl L IndraControl V
Drives
One-cable Safety-Network
IndraDrive SERCOS safety
Inline Inline
Consistent Engineering
IndraDyn IndraDyn with IndraWorks

Integration of 3rd party components
PROFIsafe


SafeLogic – Just added when needed!

Safety Function Module converts standard
controller into a safety controller
Safety
Optional extendible (can be upgraded
later)
No interference (constant cycle times,
standard program and safety program
Logic Motion
have no influence on each other)
Seamless engineering and diagnostics in
the standard control context
IEC 61131-3
IEC61131-3
No need for synchronization interfaces
between the safety controller and the
standard controller
Hardware
Applications program


Safety by Design: Soft Safety, Safe PLC and Integrated Drive Technology

Safety by Design: Soft Safety, Safe PLC and Integrated Drive Technology

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (14)

Andere mochten auch

Andere mochten auch (18)

Ähnlich wie Safety by Design: Soft Safety, Safe PLC and Integrated Drive Technology

Ähnlich wie Safety by Design: Soft Safety, Safe PLC and Integrated Drive Technology (20)

Mehr von CMA/Flodyne/Hydradyne

Mehr von CMA/Flodyne/Hydradyne (15)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Safety by Design: Soft Safety, Safe PLC and Integrated Drive Technology