complying with new functional safety standards

2 © 2012 Eaton Corporation. All rights reserved.

Complying with New

Functional Safety Standards


This webinar will be available afterwards at

designworldonline.com & email

Q&A at the end of the presentation

Hashtag for this webinar: #DWwebinar

Before We Start

http://www.designworldonline.com/


Moderator

Natasha Townsend

Design World

Presenter

Jacob Feutz

Eaton

© 2012 Eaton Corporation. All rights reserved.

Functional Safety Webinar

June 14, 2012


Questions to answer

• What is Functional Safety?

• What is happening in the Functional Safety market?

• What standard should I use for my machine?

• What do I have to consider when applying that

standard?

• How do I determine what level of safety to design to?

• What values go into a calculation? Can you walk me

through one?

• Others?


What is functional safety?

The complete explanation: The EU Machinery Directive 2006/42/EC stipulates that

a machine should not pose any danger. However, as

there is no 100% safety in engineering, the aim is to

reduce these dangers to a tolerable level of residual risk

by means of risk reduction measures.

The overall safety of a machine defines the state in

which it can be considered as being free of unwarranted

risks to persons or as free of danger. The functional

safety is part of the overall safety of a system which

depends on the correct functioning of the safety-related

systems and external risk reduction facilities.


Functional safety is not:

• Arc flash

• Grounding

• Fire suppressions systems

• Short circuit protection

• Surge protection

• Motor protection

• Others

• www.eaton.com/ElectricalSafety

http://www.eaton.com/ElectricalSafety


What is happening in the functional safety market in North America?

• Engineered based drivers:

• The desire to have standards based methods

and testing that a machine can be certified to

• Customer based drivers:

• Selling machines to European customers –

where it is required for CE mark

• Selling machines to NA customers who are

now requiring safety assessments

• Corporate based drivers:

• NA companies that are owned or are now

managed by European parent companies

• Limit liability by designing to accepted

standards


The Eaton Safety Manual

eaton.com/FS


What standard should I use for my machine?



• Different “types” of standards:



IEC 62061

• Applies only to electrical,

electronic and programmable

electronic systems

• For mixed systems use ISO

13849

• Any architecture can be used

• Suitable as evidence of safety

of devices and the overall safety

functionality through calculation

ISO 13849-1

• Can be used without limitation for

hydraulic, pneumatic and

electromechanical systems

• Limited use for programmable

electronic systems

Specific architecture

Up to PL d only

• Calculation concept based on

defined architectures

• Suitable as evidence of safety of

devices and the overall safety

functionality using tables


What do I have to consider when applying that standard? – ISO 13489-1

• Which necessary safety functions are performed by the safety-related parts of the controls system (SRP/CS)?

• Which properties are required for the safety function?

• Which performance level is required?

• Which safety-related parts perform the safety function?

• Which performance level (PL) was achieved for the SRP/CS?

• Was the PL for the safety functions achieved?


How do I determine what level of safety to design to? – ISO 13849-1

Risk estimation: PLr


What values go into a calculation?– ISO 13849-1

• Control architecture (category)

• MTTFd – mean time to dangerous failure

• DC – diagnostic coverage

• CCF – common cause failure

• Relationship between the above


SISTEMA software

http://www.dguv.de/ifa/de/pra/softwa/sistema


SISTEMA software


Control architecture - category


Control architecture – Cat. B

The safety-related parts of the control system shall, as a minimum,

be designed in accordance with the current state of the art. They

shall withstand the influences which are to be expected.


Control architecture – Cat. 1

The safety-related parts of the control system must be designed and

constructed using well-tried components and well-tried safety

principles. A well-tried safety principle is, for example, the use of

position switches with positively opening contacts. Normally, the

category cannot be implemented with electronic components.



The safety functions of the safety-related parts of a control system

must be checked at suitable intervals. The check can be performed

automatically or manually and at least with each startup and before a

hazardous situation occurs. The check can also be carried out

periodically during operation as determined by the risk analysis. A

hazardous situation may occur on the machine between the checks.



A single fault in a safety-related part of the control system does not

lead to the loss of the safety function. An accumulation of undetected

faults may cause a hazardous situation on the machine, since not all

faults must be detected. An example of this is the use of a redundant

circuit without self monitoring.



A single fault in a safety-related part of the control system does not lead to the loss of the safety function. This fault must be detected immediately or before the next potential danger, e.g. when closing the door before a restart of the machine. If this is not possible, the accumulation of faults must not lead to the loss of the safety function.


Calculating MTTFd - Manually


Calculating MTTFd – using SISTEMA


Calculating DC - Manually


Calculating DC – using SISTEMA


Calculating CCF - Manually


Calculating CCF – using SISTEMA


Relating values to an achieved PL


Achieved PL in SISTEMA


What values go into a calculation?– IEC 62061

• Risk assessment

• Control architecture

• Safety characteristics of the subsystems

• λd – Dangerous failure rate

• DC – Diagnostic coverage

• β – Common cause failures (CCF)

• T1 – proof test or life time

• T2 – Diagnostic test interval

• PFHd – Probability of dangerous failure

• SIL – Safety integrity level of the subsystem

• SFF – Safe failure fraction

• SIL CL – SIL claim limit

• SIL – Safety integrity level of the entire system


Application example - products

Input

Control

Output

• Application: Dual channel

emergency stop with

redundant series contactors

• Monitored Manual Restart

• Cross Circuit Recognition

• Controlling three motors

• Pushbutton start/stop control

• Protection Level Required: e


Application example – control diagram


Application example – power diagram


Application example – calculated values


Application example - products

Input

Control

Output

•Application: Single channel

position switch

•Monitored Manual Restart

•Controlling two motors.

Pushbutton input to

programmable controller.

•Protection Level Required: c


Application example – control diagram


Application example – power diagram


Application example – calculated values


Thank You


Questions?

Design World

Natasha Townsend

[email protected]

Phone: 440.234.4531

Twitter: @DW_Electrical

Eaton

Jacob Feutz

[email protected]

Phone: 414.449.7356

Twitter: @eatoncorp

Eaton.com/fs

mailto:[email protected]

mailto:[email protected]


Thank You

This webinar will be available at

designworldonline.com & email

Tweet with hashtag #DWwebinar

Connect with

Twitter: @DesignWorld

Facebook: facebook.com/engineeringexchange

LinkedIn: Design World Group

YouTube: youtube.com/designworldvideo

Discuss this on EngineeringExchange.com

http://www.designworldonline.com/

http://www.engineeringexchange.com/

complying with new functional safety standards

Technology

eaton corporation

eaton safety manualeaton

overall safety

level of safety

functional safety market

evidence of safety

functional safety webinarjune

safetyrelated systems