Certification Process: Safety Relay Modules for Machinery Applications
Dr. David Schepers
TÜV Rheinland Industrie Service GmbH, Automation and Functional Safety
Am Grauen Stein, 51105 Cologne – Germany
Phone: +49 221 806 4506, Mail: [email protected]
Certification Process: Safety Relay Modules
• Introduction
• Relevant Standards
• Required Documentation for Certification
• Design Requirements of FS Standards (EN ISO 13849 / EN 62061)
• Requirements for Electrical Equipment/Electrical safety
• V&V-Activities, Practical Tests
• Special Design Requirements, Examples
• User Manual
• EC Declaration of Conformity
• UL Certification: Special Requirements / Considerations
• Summary
Overview
Certification Process: Safety Relay Modules for Machinery Applications
Safety Relay Modules: Introduction
• Typical applications of safety relay modules:
− Emergency stop control
− Two-hand control
− Zero-speed monitoring
− Monitoring of position switches
− Door-lock control
− Light curtain control
− Universal relay modules for various applications
− … and others
• Required safety levels: Up to SIL 3 (EN 62061 / IEC 61508) and PL e / Cat. 4 (EN ISO 13849)
Fields of Application
Safety Relay Modules: Introduction
• …
• 15. Guards for removable mechanical transmission devices
• 19. Protective devices designed to detect the presence of persons.
• 20. Power-operated interlocking movable guards designed to be used as safeguards in machinery (presses, plastics-molding machinery, rubber-molding machinery each with manual loading or unloading)
• 21. Logic units to ensure safety functions.
• 22. Roll-over protective structures (ROPS).
• 23. Falling-object protective structures (FOPS).
Classification of Safety Relay Modules according to 2006/42/EC, Annex IV
Safety relay modules have to be qualified in accordance with EN ISO 13849-1:2008 and / or EN 62061:2005. An EC Type Examination Certificate is issued by a Notified Body.
Safety Relay Modules: Relevant Standards
• EN ISO 13849-1: Safety of Machinery – Safety Related Parts of Control Systems – Part 1: General Principles for Design (successor of EN 954, which is not valid anymore)
• EN 62061: Safety of Machinery – Functional Safety of Safety-Related Electrical, Electronic and Programmable Electronic Control Systems
• IEC 61508 (not harmonized under the EC Machinery Directive!): Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
• EN 60204-1: Safety of machinery – Electrical equipment of machines – Part 1: General requirements
• EN 60664-1: Insulation coordination for equipment within low-voltage systems – Part 1: Principles, requirements and tests
General Standards (Functional Safety / Electrical Safety)
Safety Relay Modules: Relevant Standards
• EN ISO 13850: Safety of machinery – Emergency stop – Principles for design
• EN 574: Two-hand control devices – Functional aspects and principles for design
• EN 61496-1: Safety of machinery – Electro-sensitive protective equipment – Part 1: General requirements and tests
• EN 61800-5-2: Adjustable speed electrical power drive systems – Part 5-2: Safety Requirements – Functional
• … and others
Application Specific Standards (Examples)
Required Documentation (EN ISO 13849 / EN 62061)
• Safety Plan: Project organization, documentation system, responsibilities, product life cycle, measures for fault avoidance, configuration management, …
• Safety Requirement Specification (SRS): Description of product & application, definition of safety functions, definition of inputs/outputs, definition of temporal behavior, …
• Verification and Validation Plan (V&V-Plan): Planning of V&V-activities, applied tools, applied testing techniques/measures, …
Required Documents for Concept Phase:
TÜV Rheinland may provide appropriate templates and support the creation of the above mentioned documents!
Required Documentation (EN ISO 13849 / EN 62061)
• Document list: List of safety relevant documents including name, content and version
• Technical documentation: Schematics, PCB layout (e.g. Gerber files), partlist (BOM), design of housing
• Test reports: Functional/fault insertion tests (FIT), EMC, environmental tests
• FMEA: Failure Mode and Effects Analysis
• Calculation of safety relevant parameters
• User documentation
• EC declaration of conformity
• Other technical documentation, proof for fault exclusion, further test reports etc.
Documents for Main Approval (Products without Software):
Design Requirements (as a result of risk assessment)
Determination of PL (EN ISO 13849, successor of EN 954):
Determination of required safety level (PL) according to EN ISO 13849
[Risk graph: starting at "Start", the path from high risk to low risk branches over S1/S2, then F1/F2, then P1/P2 and ends at the required Performance Level PL r (a, b, c, d or e)]
Severity of injury: S1 slight; S2 serious
Frequency and/or exposure time for hazard: F1 seldom / short duration of exposure time; F2 frequent to continuous / long duration of exposure
Possibilities of avoiding the hazard: P1 possible under certain conditions; P2 almost impossible
Design Requirements
Depending on the risk, the standards of functional safety require:
• Performance Level (EN ISO 13849, includes Categories of EN 954)
• Safety Integrity Level (EN 62061)
High risks demand high safety levels (for example Performance Level e / Category 4 / Safety Integrity Level 3).
⇒ The design is significantly influenced by the required safety level!
⇒ The higher the safety level, the higher the effort for technical realization.
Category / Performance Level / SIL
Design Requirements
Characteristics of the Categories in EN ISO 13849-1 (successor of EN 954):
• B: Compliant to standard, use of basic safety principles, specified function under specified conditions, not fail safe!
• 1: See B and use of well-tried components and safety principles, not fail safe!
• 2: See B and use of well-tried safety principles, test after power-on and within suitable time intervals
• 3: See B and use of well-tried safety principles, safe for single faults, fault detection
• 4: See B and use of well-tried safety principles, safe for 2 faults in combination or detection of fault before or at next demand of safety function
Design Requirements
Characteristics:
• Two-channel structure (Hardware Failure Tolerance HFT = 1)
• Power supply: Single channel (HFT = 0)
• Monitoring/cross-comparison (diagnostics)
Questions:
• Realization of diagnostics (without complex electronics)?
• 2-fault safety for single channel part (power supply)?
• Which faults must be considered?
Typical Safety Structure for Safety Levels up to PL e / Category 4 / SIL 3
Design Requirements
• "Intelligent" testing (e.g. test pulses) not possible without complex electronics
• Idea: In case of failure, device must enter safe state (switch relay outputs off) and remain in lock-out state (no restart possible)
• Appropriate design and application of (certified) relays with forcibly guided contacts!
Realization of Diagnostics within Safety Relay Modules
Design Requirements
• Mechanical linkage between the contacts such that NO and NC contacts are never closed simultaneously.
• If a NO contact is closed, the forcibly guided NC contact cannot be closed too. Minimum contact separation: 0.5 mm
• If a NC contact is welded, the forcibly guided NO contact cannot be closed too.
• The positive guidance of contacts is a relay feature which cannot fail, not even under failure conditions (fault exclusion).
• Used in safety circuits where contact monitoring is required in order to detect failure conditions. The NO contacts can be monitored by a NC contact.
NO: Normally Open / NC: Normally Closed (when relay is de-energized)
Characteristics of Relays with Forcibly Guided Contacts
[Circuit diagram: relays K1 and K2 supplied from +UB via the control/monitoring circuit; their contacts k11, k12, k21, k22 switch the load between L and N, and a monitoring line returns to the control circuit]
Design Requirements
• Application of the NO contacts as outputs
• Monitoring of NO contacts by means of NC contacts (forcibly guided contacts)
• NC contacts shall be applied such that in case of failure a restart is not possible => device is in lock-out state and failure detected
• Failures can only be detected at state change: Execution of safety function must be guaranteed either by application or be demanded by user manual
• Recommendation of Vertical Group 11 (European Coordination of Notified Bodies):
− at least every month for PL e / Cat. 4 / SIL 3 with HFT = 1
− at least every 12 months for PL d / Cat. 3 / SIL 2 with HFT = 1
Application of Relays with Forcibly Guided Contacts
[Figure: application circuit with safety relay module SR switching motor M from supply L]
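A small Python model of the lock-out behaviour described above. This is an added illustration, not code from the presentation or from TÜV Rheinland; the class and method names are my own, and it assumes two relays K1/K2 whose NO contacts are in series as the output and whose NC contacts are in series in the start circuit.

```python
"""Model of a two-channel output built from relays with forcibly guided
contacts (added illustration, not part of the presentation).

Each relay has a NO contact used as the output and a NC contact used for
monitoring. Forcible guidance means NO and NC are never closed at the same
time: a welded NO contact holds the NC contact open, so the fault is
revealed at the next start attempt and the module enters lock-out.
"""
from dataclasses import dataclass


@dataclass
class GuidedRelay:
    name: str
    energized: bool = False
    welded_no: bool = False   # injected fault: NO contact welded closed

    @property
    def no_closed(self) -> bool:
        # the NO output contact is closed when the coil is energized, or when welded
        return self.energized or self.welded_no

    @property
    def nc_closed(self) -> bool:
        # forcibly guided: the NC contact can only be closed while NO is open
        return not self.no_closed


class SafetyRelayModule:
    def __init__(self) -> None:
        self.k1 = GuidedRelay("K1")
        self.k2 = GuidedRelay("K2")
        self.lockout = False

    def output_enabled(self) -> bool:
        # the load is powered only if both NO contacts in series are closed
        return self.k1.no_closed and self.k2.no_closed

    def monitoring_ok(self) -> bool:
        # NC contacts of K1 and K2 in series in the start circuit
        return self.k1.nc_closed and self.k2.nc_closed

    def start(self) -> bool:
        """Start demand. Returns True if the outputs are (now) enabled."""
        if self.lockout:
            return False
        if self.k1.energized and self.k2.energized:
            return True                      # already running, nothing to check
        if not self.monitoring_ok():
            self.lockout = True              # a NO contact is closed although de-energized
            return False
        self.k1.energized = self.k2.energized = True
        return True

    def stop(self) -> bool:
        """Demand of the safety function. Returns True if the load is disconnected."""
        self.k1.energized = self.k2.energized = False
        return not self.output_enabled()


def welded_contact_scenario() -> dict:
    """Fault injected while running: invisible until the next state change."""
    m = SafetyRelayModule()
    m.start()
    m.k1.welded_no = True            # K1 NO contact welds during operation
    stopped = m.stop()               # redundant K2 still disconnects the load
    restarted = m.start()            # K1 NC held open -> start refused, lock-out
    return {"stopped": stopped, "restarted": restarted, "lockout": m.lockout}
```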
Design Requirements
In order to prove the fail-safety (safe behavior of a device in case of a fault) the following shall be considered:
• Which faults (failures) have to be assumed?
• Which faults can be excluded?
• Under which conditions/constraints can these faults be excluded?
• What are the effects of faults?
• When is a fault revealed (time until fault detection)?
Fault lists / fault models can be found in:
• ISO 13849-2 (EN 954-2) (various technologies)
• Annex B of IEC / EN 61496-1 (electrical / electronic components)
Deterministic Fault Consideration / Fail-Safety
Most relevant faults for low complex electronic circuits: Open/short circuit, component drift.
Design Requirements
• Fail-safe design or high quality diagnostics (99% of failures detectable) necessary for high safety levels (e.g. Cat.4 / PL e / SIL 3)!
• In some cases fault detection is difficult to realize, especially for protective elements (overvoltage protection)
• For Category 4: Combination of two failures must be considered, if failures cannot be detected
• If necessary, two-fault safety must be guaranteed by redundancy (application of redundant protective elements)
Consideration of Single Channel Parts (e.g. Power Supply)
Requirements for Electrical Safety
• Assumption of pollution degree II (IP54 housing or mounted in cabinet)
• Overvoltage category III (industrial applications)
• Application of 24 V DC SELV/PELV power supply, SELV: Safety Extra Low Voltage, PELV: Protective Extra Low Voltage
• Maximum voltage at output relay contacts: 230 V AC
• EN 60947-1 (Low-voltage switchgear and controlgear – Part 1: General rules): Annex N3.2 defines requirements for insulation if device is connected to SELV / PELV supply
Installation / Environmental Conditions
EN 60947-1 demands double or reinforced insulation for separation between SELV / PELV circuits and 230 V circuits!
Requirements for Electrical Safety
Requirements of EN 60664-1:
• Basic insulation: Value corresponding to nominal voltage of supply system and overvoltage category. For 230V/400V three phase and overvoltage category III: 4kV
• Reinforced insulation: One step higher than corresponding value of basic insulation! For 230V/400V three phase and overvoltage category III: 6kV!
Clearances / Creepage Distances for Double / Reinforced Insulation
(Source: Extract from EN 60664-1, rated impulse voltage for nominal voltage 230/400V and OVC III)
Requirements for Electrical Safety
• 230/400V three phase supply, overvoltage category III
• Rated impulse voltage: 6kV (reinforced insulation, see previous slide)
• Pollution degree: 2 (if IP54 housing or mounted in cabinet)
• Resulting clearances: 5.5 mm
Example: Clearances for reinforced insulation
(Source: Extract from EN 60664-1,Clearances for rated impulse voltage)
Requirements for Electrical Safety
• Attention: Solder mask layer on PCB might be damaged or suffer aging => all circuit lines on top or bottom layer of PCB must fulfill specified clearances (not creepage distances!)
• For same reason: Solder mask does not allow reduction of pollution degree!
• For Inner layers of multi-layer PCBs the distances are considered as clearances as layers may delaminate
• For fault exclusion additional requirements must be considered (e.g. fault exclusion "short circuit" between two adjacent circuit paths: see EN ISO 13849-2, Table D.5)
• Other conditions (higher pollution degree, higher voltages, etc.) might require higher clearances or creepage distances
Special Requirements for Clearances
Safety Relay Modules: V&V Activities, Practical Tests
• Functional Test
• Fault Insertion Tests
• Environmental Tests
• IP Protection Degree
• EMC Tests
• Design Analysis (FMEA)
• Calculation of safety relevant parameters
• All V&V Activities must be documented!
Overview of Required V&V Activities
Safety Relay Modules: V&V Activities, Practical Tests
• Performed in cooperation (witness tests) or by TÜV Rheinland
• Functional Test:
− Specified Functionality
− Reaction Time
− etc.
• Fault Insertion Tests:
− Short circuit / open connection at input/output pins
− Overvoltage test (SELV/PELV: Maximum 60 V DC)
− Open ground connection
− Internal faults at any electronic components (open connection, short circuit, drift, …)
− Any test which might be necessary to prove functional safety ("surprise tests")
Functional & Fault Insertion Tests
Safety Relay Modules: V&V Activities, Practical Tests
• Verification of product specifications (during storage/transport and operation)
• For safety relay modules:
− Cold
− Dry Heat
− Damp Heat
− Temperature Change
− Mechanical Shock
− Vibration
• Test sequences: see IEC 60068 series
• IP protection degree test: see IEC 60529
Environmental Tests / IP Protection Degree
Safety Relay Modules: V&V Activities, Practical Tests
EMC Tests with Increased Immunity Levels (IEC 61326-3-1)
Port | Phenomenon | Basic Levels (IEC 61000-6-2) | Increased Levels (IEC 61326-3-1)
Enclosure | ESD | 4 kV / 8 kV | 6 kV / 8 kV (contact / air discharge)
Enclosure | EM field | 10 V/m (80 MHz – 1 GHz) | 20 V/m (80 MHz – 1 GHz); 6 V/m (1.4 GHz – 2.0 GHz); 3 V/m (2.0 GHz – 2.7 GHz)
DC Power | Burst | 2 kV | 4 kV
DC Power | Surge | 0.5 kV (line to line), 0.5 kV (line to ground) | 1 kV (line to line), 2 kV (line to ground)
DC Power | Conducted RF | 10 Vrms | 10 Vrms
…
Where a product standard for functional safety products (e. g. IEC / EN 61496-1) specifies different test levels, those different test levels are applicable.
Safety Relay Modules: V&V Activities, Practical Tests
A failure modes and effects analysis
• is a systematic procedure to analyze a system
• shall identify potential failure modes
• shall determine their cause and their consequences on the system behavior
• may be performed on functional block or component level
FMEA (Failure Mode and Effects Analysis)
Safety Relay Modules: V&V Activities, Practical Tests
Design Analysis: FMEA for Interlocking Device
Circuit Example: Simple Interlocking Device (Door Monitoring), Category 3
Safety Relay Modules: V&V Activities, Practical Tests
FMEA for Interlocking Device on Component Level
device | fault | fault consequences | fault detection?
S1 | open-circuit on all 4 wires | K1, K2 drop out, or keep being dropped out; safety ensured by S2 | yes
S1 | short circuit between 2 wires: KS1 | in closed position K1 shutdown by S2; in open position K2 shutdown by S1 and S2; safety validated by S2 | undetected
S1 | short circuit KS2 | in open position K2 shutdown by S2; safety validated over S2 | undetected
S1 | short circuit KS3 | like KS1 | undetected
S1 | short circuit KS4 | like KS2 | undetected
S1 | short circuit KS5 | the two wires are already connected | undetected
S1 | short circuit KS6 | safety validated by S2, no redundancy | undetected
S1 | mechanically blocked (closed position) | shutdown of K2 if door opens, K1 does not switch on; if closed again K2 does not switch on | yes
S1 | mechanically blocked (open position) | K2 keeps being dropped out | yes
S2 | open | like S1 | yes
S2 | short circuit | like S1 | yes
S2 | mechanically blocked | like S1 | yes
K1 | mechanically blocked (open position) | no initialisation if door closed | yes
K1 | does not drop out | output open | yes
K11 | does not close | K1 no self-lock; if closed, K1 drops out before K2 switches on | yes
K11 | welded | k13 open, output open | yes
K12 | does not close | K2 does not switch on if door closed | yes
K12 | welded | K13 open (positively driven) | yes
K13 | does not close | output open | yes
K13 | welded | K11, K13 open (positively driven), no initialisation | yes
K2 |
Safety Relay Modules: V&V Activities, Practical Tests
The following parameters shall be determined according to EN ISO 13849 / EN 62061:
• DC (Diagnostic Coverage): Determination by FMEA and/or estimation
• SFF (Safe Failure Fraction): Determination by FMEA and consideration of DC
• λD (Dangerous Failure Rate): Summing up failure rates λ (possible source: Siemens Standard SN 29500) and determination of λD under consideration of SFF / DC
• MTTFd (Mean Time to Dangerous Failure): MTTFd = 1 / λD
• PFHD: Calculation according to formulas of EN 62061
Calculation of Safety Relevant Parameters
TÜV Rheinland may support you in performing the FMEA and calculating the safety relevant parameters for your product!
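An added Python illustration (not the presentation's material) of how FMEA rows are summed into λS, λDD and λDU and then into DC, SFF, λD and MTTFd as listed above. The failure-rate values are constructed, not SN 29500 data; the DC bands are those of EN ISO 13849-1, and all names are my own.

```python
"""FMEA aggregation into the parameters named on the slide (added illustration
with constructed numbers, not the presentation's data):
  lambda_D = lambda_DD + lambda_DU,  MTTFd = 1 / lambda_D,
  SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D),  DC = lambda_DD / lambda_D
"""
from dataclasses import dataclass

FIT = 1e-9               # one FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    rate_fit: float          # share of the component failure rate in FIT
    dangerous: bool          # effect on the safety function: safe or dangerous
    detected: bool = False   # revealed by the diagnostics (dangerous modes only)


@dataclass
class SafetyParameters:
    lambda_s: float          # safe failures [1/h]
    lambda_dd: float         # dangerous, detected [1/h]
    lambda_du: float         # dangerous, undetected [1/h]

    @property
    def lambda_d(self) -> float:
        return self.lambda_dd + self.lambda_du

    @property
    def sff(self) -> float:
        return (self.lambda_s + self.lambda_dd) / (self.lambda_s + self.lambda_d)

    @property
    def dc(self) -> float:
        return self.lambda_dd / self.lambda_d

    @property
    def mttfd_years(self) -> float:
        return 1.0 / self.lambda_d / HOURS_PER_YEAR


def dc_band(dc: float) -> str:
    """DC bands of EN ISO 13849-1: none < 60 %, low < 90 %, medium < 99 %, high >= 99 %."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def aggregate(rows: list[FailureMode]) -> SafetyParameters:
    """Sum the FMEA rows into lambda_S, lambda_DD and lambda_DU."""
    lam_s = lam_dd = lam_du = 0.0
    for r in rows:
        rate = r.rate_fit * FIT
        if not r.dangerous:
            lam_s += rate
        elif r.detected:
            lam_dd += rate
        else:
            lam_du += rate
    if lam_dd + lam_du == 0:
        raise ValueError("FMEA lists no dangerous failure mode")
    return SafetyParameters(lam_s, lam_dd, lam_du)


# Constructed rows modelled on the interlock FMEA of the slides; the FIT values
# are invented for this illustration and are NOT SN 29500 data.
SAMPLE_FMEA = [
    FailureMode("S1", "open circuit on a wire", 40, dangerous=False),
    FailureMode("S1", "short circuit between 2 wires (KS1)", 10, dangerous=True),
    FailureMode("K11", "welded", 20, dangerous=True, detected=True),
    FailureMode("K1", "does not drop out", 20, dangerous=True, detected=True),
    FailureMode("K13", "welded", 20, dangerous=True, detected=True),
]
```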
Safety Relay Modules: V&V Activities, Practical Tests
Example: Estimation of DC for relay output contacts (extract of Annex E / EN ISO 13849)
Calculation of Safety Relevant Parameters
Note: Remember the VG11 recommendation! 1 signal change per year for PL d / Cat. 3 / SIL 2 (HFT = 1), 1 signal change per month for PL e / Cat. 4 / SIL 3 (HFT = 1)
Safety Relay Modules: V&V Activities, Practical Tests
For electro-mechanical components (e.g. relays) the B10d value is provided.
MTTFd for components with mechanical wear
nop: average number of operating cycles per year
hop: average number of operating hours per day
dop: average number of operating days per year
tcycle: average time in seconds between 2 operating cycles
T10d: mean time until 10 % of the components fail dangerously
(Note: The operation time of the component is limited to T10d)
nop = (dop × hop × 3600 s/h) / tcycle
MTTFd = B10d / (0.1 × nop)
T10d = B10d / nop
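The three formulas worked in Python, as an added example that is not part of the presentation. The B10d value and operating profile are constructed; the MTTFd bands and the VG11 interval check are my additions based on EN ISO 13849-1 and the recommendation quoted on the earlier slides.

```python
"""B10d-based MTTFd and T10d for components with mechanical wear, using the
formulas on the slide (added illustration; the input values are constructed).
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
# Approximate demand intervals behind the VG11 recommendation quoted on the slides
VG11_MAX_DEMAND_INTERVAL_S = {
    "PL e": 30 * 24 * SECONDS_PER_HOUR,    # at least every month
    "PL d": 365 * 24 * SECONDS_PER_HOUR,   # at least every 12 months
}


@dataclass(frozen=True)
class WearParameters:
    n_op: float          # operating cycles per year
    mttfd_years: float   # mean time to dangerous failure
    t10d_years: float    # operation time limit of the component
    mttfd_band: str


def mttfd_band(mttfd_years: float) -> str:
    """MTTFd bands per channel of EN ISO 13849-1: low 3-10, medium 10-30, high >= 30 years."""
    if mttfd_years < 3:
        return "not usable"
    if mttfd_years < 10:
        return "low"
    return "medium" if mttfd_years < 30 else "high"


def wear_parameters(b10d: float, d_op: float, h_op: float, t_cycle_s: float) -> WearParameters:
    """n_op = d_op * h_op * 3600 / t_cycle;  MTTFd = B10d / (0.1 n_op);  T10d = B10d / n_op."""
    if min(b10d, d_op, h_op, t_cycle_s) <= 0:
        raise ValueError("all inputs must be positive")
    n_op = d_op * h_op * SECONDS_PER_HOUR / t_cycle_s
    mttfd = b10d / (0.1 * n_op)
    t10d = b10d / n_op
    return WearParameters(n_op, mttfd, t10d, mttfd_band(mttfd))


def vg11_demand_interval_ok(t_cycle_s: float, target: str) -> bool:
    """True if the safety function is demanded at least as often as VG11 recommends."""
    return t_cycle_s <= VG11_MAX_DEMAND_INTERVAL_S[target]


if __name__ == "__main__":
    # constructed case: relay with B10d = 400 000 cycles, one switching cycle
    # per minute, 16 h per day, 220 days per year
    p = wear_parameters(400_000, 220, 16, 60)
    print(p)   # n_op=211200.0, MTTFd ~ 18.9 years (medium), T10d ~ 1.9 years
    print(vg11_demand_interval_ok(60, "PL e"))   # True
```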
Safety Relay Modules: V&V Activities, Practical Tests
• Recommendation: Application of certified relays to avoid that most test sequences according to EN 60947-1 / EN 60947-5-1 must be repeated
• For tests performed at manufacturer or external laboratories: Assessment or accreditation acc. to ISO/IEC 17025 necessary for acceptance
• All V&V activities and practical tests must be documented
• Appropriate documentation system must be installed
• Documents must contain at least title, version/date, signatures of responsible persons
• Test protocols must contain all information to keep results reproducible (list of applied measurement equipment, measurement accuracy, test conditions, etc.)
Additional Notes
Safety Relay Modules: Special Design Requirements, Examples
For detection of short circuit/welded contacts at start button: Dynamic signal monitoring
Monitoring of Start Signal
Safety Relay Modules: Special Design Requirements, Examples
In case of fault (60V ramp), combination of Zener diode/Voltage Dependent Resistor and fuse might fail (Z-Diode/VDR might unsolder itself due to heat before fuse reacts).
Overvoltage Protection Circuit
Other solutions might be necessary than above shown circuit. For Category 4, elements should be implemented redundantly to guarantee two failure safety.
Safety Relay Modules: Special Design Requirements, Examples
Due to contact pads it may be difficult to reach 5.5mm for reinforced insulation between 24V and 230V circuits:
Clearances at Relay Output Pins
It might be necessary to flatten contact pads to reach 5.5 mm!
Safety Relay Modules: User Manual
• Business name and full address of the manufacturer and of his authorized representative
• Type designation and general description of the device
• General specifications and safety levels
• Drawings, diagrams, descriptions and explanations
• Examples for typical applications
• Warnings about residual risks / how the device shall not be used
• Installation and connection instructions
• Original language manual must be marked as “original version”
• All translations must be marked as “translation”
• Translation of the manual in all official languages of the countries where the product shall be sold (in European Union) must be provided
Contents of User Manual
Safety Relay Modules: EC Declaration of Conformity
• Business name and full address of the manufacturer (and authorized representative)
• Name and address of the person authorized to compile the technical file, who must be established in the (European) Community
• Description and identification of the device
• A sentence expressly declaring that the machinery fulfils all the relevant provisions of the relevant Directives
• Name, address and identification number of the notified body which carried out the EC type-examination
• List of harmonized / technical standards which were used
• Place and date of the declaration
• Identity and signature of the person empowered to draw up the declaration
Contents of EC Declaration of Conformity
Safety Relay Modules: UL Certification
• UL Certification: In case of ANY change, the whole certification process has to be repeated (high costs!)
• Recommendation: EC Type Examination from TÜV Rheinland should be performed first
• In case of changes: TÜV Rheinland offers the possibility to perform an influence analysis
• By means of the influence analysis it must be shown that the changes have no influence on safety (functional safety, electrical safety, environmental aptitude)
Special Requirements/Considerations for UL Certification
Safety Relay Modules: Summary
• TÜV Rheinland should already be involved in concept phase
• Concept documents: Safety Plan, V&V-Plan, Safety Requirement Specification (SRS)
• Appropriate Design: 2-channel architecture (if possible), application of certified relays with forcibly guided contacts, 2-fault safety by redundancy, etc.
• V&V activities: Functional/Fault Insertion Tests, EMC, Environmental Tests
• FMEA, Calculation of Safety Relevant Parameters
• User Documentation
• TÜV Rheinland may support you during the whole certification process!
Summary of Necessary Steps for Successful Certification