
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.Rev 5058-CO900E

PUBLIC INFORMATION

T06 - Machine Safety: Achieving and Maintaining Regulatory Compliance

Session Description

The trends for machine safety continue to grow as the world evolves and regulatory compliance becomes more common. Rockwell Automation safety consultants have been helping automation users like you protect their workforce and operations for many years. New global standards change how automation systems are classified. Are you familiar with the new standards, and do you know how to address them? During this session, we will discuss the process that is used to identify and mitigate safety concerns.


Agenda

Safety Functional Requirements Specification (SFRS)

Fundamental Assessment Process

What is Risk?

One Person's View of the "Journey of Safety Standards"

Safety Life Cycle


ANSI publishes the list of recognized standards that can be followed!

ANSI publishes the list of standards that can be used to meet the requirements of OSHA. ANSI now references ISO 13849 and IEC 62061 as recognized safety standards that can be followed.

In recent years there has been a move towards globalizing safety standards. This has resulted in a rewrite of many of the EN, ANSI and ISO standards; many of the changes took place in December 2011. The changes include harmonization, consolidation and simplification, and have resulted in adoption of the ISO standards in most parts of the globe.


Safety Standards of Yesterday

[Figure: timeline from 2005/6 to 2011. EN 954 (now withdrawn) defined the Category, based on fault tolerance and diagnostics only.]


These new standards are called "Functional Safety Standards" because they look at how well the safety system needs to function: ISO 13849-1 and IEC 62061.

Safety Categories as a stand-alone measure are no longer in effect, since EN 954-1, which outlined the requirements for Categories, was withdrawn in December 2011. ISO 13849-1 has replaced EN 954-1 as the most commonly followed international machine safety standard. ISO 13849-1 and IEC 62061 are functional safety standards that evaluate how well the safety system needs to function.


Safety Standards of Today

[Figure: timeline from 2005/6 to 2011. EN 954 (Category: fault tolerance, diagnostics) is withdrawn and replaced by IEC/EN 62061 (SIL) and EN ISO 13849 (PL), which add the safety requirements specification (SRS), reliability, systematic failures and functional safety management (FSM) on top of fault tolerance and diagnostics.]


Transition from EN 954-1 to ISO 13849-1

EN 954-1 was initially published in 1996 and was withdrawn in December 2011. It described the requirements for Categories/Structure. EN 954-1 identified these categories as: Cat B, Cat 1, Cat 2, Cat 3, Cat 4.

In 2006 the European Union began a new approach to applying safety standards. The most utilized standard is ISO 13849. ISO 13849 uses Performance Levels: PLa, PLb, PLc, PLd, PLe.


The difference between Categories and Performance Levels is added requirements to ensure enhanced performance!

A Category is a simple definition of circuit requirements that comes from EN 954. Categories were based on basic electro-mechanical devices, not the solid-state devices that exist today.

A Performance Level is an improved definition of circuit performance that comes from ISO 13849. It includes guidance on design requirements for all technologies.

Performance Levels use Categories and add further requirements to ensure proper system performance. The added requirements are:

• Diagnostic Coverage, DC (fault monitoring capability)

• Component Reliability (MTTFd and B10d)

• Common Cause Failure, CCF (design considerations)


EN/ISO 13849-1 Explanation

EN/ISO 13849-1 is the result of improvements to the old EN 954 standard. It introduced many new design concepts that provide guidance on the design and integration of safety components to meet the required performance level (PLr).

Category to Performance Level: a Performance Level is an improved Category!

Performance Level Components/Attributes

[Figure only; the slide's graphic is not reproduced in the transcript.]

Additional reasons for the change from EN 954 to ISO 13849!

EN 954 | EN ISO 13849
Electrical control circuits | Control circuits of all technologies: electrical, pneumatic, fluids, hydraulic
Safety Categories B, 1, 2, 3 & 4 | Performance Levels PLa to PLe
Safety provided by the structure of the control circuit | Safety provided by: the architecture/structure (categories); the reliability of the system (MTTFd, B10d); the diagnostic coverage of the system (DC); the preventive measures against common causes of failure (CCF)
Draw a diagram (schematic) | Draw a diagram and verify the PL: does PL (achieved) meet PLr (required)?

Not just electrical anymore!
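The PL verification named in the right-hand column, worked through as an added example that is not code from the original deck or from Rockwell Automation. It implements the simplified procedure of ISO 13849-1:2006 (Table 7), which reads the PL reached by a safety function from its Category, the MTTFd band of each channel, the DCavg band, and whether the CCF score reaches 65 for Categories 2 to 4, then checks the result against the PLr obtained from the risk graph. The table values and band limits are written from my reading of the standard and should be checked against its text; the sample safety function (a light-curtain stop on the robot cell) and its numbers are constructed.

```python
"""Added example (not from the Rockwell deck): PL verification by the simplified
procedure of ISO 13849-1:2006 (Table 7), answering "does PL achieved meet PLr?".
Table values and band limits are from my reading of the standard; verify them
against the text. The sample safety function at the bottom is constructed."""
from typing import Optional

PL_ORDER = "abcde"  # PL a = lowest, PL e = highest

# Table 7: (Category, DCavg band) -> PL for MTTFd band (low, medium, high).
# None marks a combination the simplified procedure does not cover.
TABLE_7 = {
    ("B", "none"):   ("a", "b", "c"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}
MTTFD_BANDS = ("low", "medium", "high")


def mttfd_band(years: float) -> str:
    """MTTFd of each channel: low 3 to <10 y, medium 10 to <30 y, high 30 to 100 y.
    Below 3 y is not permitted; values above 100 y are capped by the standard."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is outside the standard")
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc_percent: float) -> str:
    """DCavg: none <60 %, low 60 to <90 %, medium 90 to <99 %, high >=99 %."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


def achieved_pl(category: str, mttfd_years: float, dcavg_percent: float,
                ccf_score: int) -> Optional[str]:
    """PL reached by the safety-related part of the control system, or None when
    the combination is not covered by Table 7 or the CCF requirement is not met."""
    cat = str(category).upper()
    # Categories 2, 3 and 4 additionally require a CCF score of at least 65.
    if cat in ("2", "3", "4") and ccf_score < 65:
        return None
    row = TABLE_7.get((cat, dc_band(dcavg_percent)))
    if row is None:
        return None
    return row[MTTFD_BANDS.index(mttfd_band(mttfd_years))]


def meets_plr(pl: Optional[str], plr: str) -> bool:
    """Verification: the PL achieved must be at least the PLr from the risk graph."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def verify(category: str, mttfd_years: float, dcavg_percent: float,
           ccf_score: int, plr: str) -> dict:
    """One worksheet line of the verification: inputs in, PL/PLr/result out."""
    pl = achieved_pl(category, mttfd_years, dcavg_percent, ccf_score)
    return {"pl": pl, "plr": plr, "ok": meets_plr(pl, plr)}


if __name__ == "__main__":
    # Constructed: light-curtain stop on the robot cell, PLr = e from the risk graph
    print(verify("4", 60.0, 99.0, 80, "e"))   # Cat 4, DC high, MTTFd high -> PLe, ok
    print(verify("3", 60.0, 95.0, 80, "e"))   # Cat 3 / DC medium tops out at PLd
    print(verify("3", 60.0, 95.0, 50, "d"))   # CCF score below 65 -> not covered
```

The second call shows the point the deck makes: a Category 3 structure with good components cannot reach PLe no matter how reliable its parts are, so an R1-level hazard forces a Category 4 architecture, not just better MTTFd. The full procedure in the standard also checks systematic failures and software; this block covers only the quantitative table.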


Functional Safety Life Cycle

Safety Life Cycle:

Step 1: Team-based risk assessment

Step 2: Safety system functional requirements

Step 3: Safety system design & verification

Step 4: Safety system installation & validation

Step 5: Maintain & improve the safety system

Why?

It is quite common for any group, whether it be a new-equipment OEM or a facility end user, to have a multitude of questions and concerns when starting at the beginning of the machine safety system life cycle:

– What does the word safety really mean, and how is it achieved?

– What is risk? How is it measured?

– Do I need a PhD in mathematics to analyze probability and risk?

– How safe do I need to make this machine?

– How do I go about identifying hazards?

The most valuable attribute of a risk assessment process is that it answers most of these questions for us.

As Referenced in U.S. Standards

Risk assessment is often referenced throughout mainstream U.S. machinery safety standards:

• ANSI Z244.1: Control of Hazardous Energies / LOTO

• ANSI B11.19: Performance Requirements for Safeguarding

• ANSI / RIA R15.06: Industrial Robots and Robot Systems – Safety Requirements (this standard provides a detailed risk assessment methodology)

• NFPA 79: Electrical Standard for Industrial Machinery

In Europe

Risk assessment is a requirement for Machinery Directive compliance (2006/42/EC). This applies to those delivering CE-compliant machinery to Europe.


The Foundation: Begins with a Risk Assessment

• Provides the safety Performance Level (design target)

• Creates the foundation of the safety system functional requirements, system design and validation protocol

• Shows "due diligence" and compliance with global standards

[Figure: ISO 13849-1 risk graph. Starting from the task/hazard, select S (severity: S1/S2), then F (frequency or duration of exposure: F1/F2), then P (avoidance probability: P1/P2) to arrive at the required Performance Level PLr, from a (low contribution to risk reduction) to e (high).]


Risk Categories to Circuit Performance (RIA R15.06)

[Table: RIA R15.06 risk categories, as determined from the risk assessment (R1, R2A, R2B, R2C, R3A, R3B, R4), mapped to the ANSI B11.19 required circuit performance (Control Reliable 4.5.4, Single Channel with Monitoring 4.5.3, Single Channel 4.5.2, Simple 4.5.1), to the EN 954 categories (Cat 3+, Cat 2, Cat 1, Cat B) and to the ISO 13849-1 Performance Levels a to e. The columns run in the same order: the highest risk categories map to Control Reliable / Cat 3+ and the highest PLs, the lowest to Simple / Cat B and PLa or PLb. The exact row-by-row mapping is not recoverable from the transcript.]


Safety Categories Are Being Replaced

EN 954 (Categories) was withdrawn December 31, 2011. SIL and PL assessment require more information and calculation than Categories. It is not a direct conversion!

Category (EN 954) | Performance Level (ISO 13849-1:2008) | Safety Integrity Level (IEC 62061) | ANSI Required Circuit Performance (B11.19)
Category 4 | PLe | SIL 3 | Control Reliable (4.5.4)
Category 3 | PLd | SIL 2 | Control Reliable (4.5.4)
Category 2 | PLc | SIL 1 | Single Channel with Monitoring (4.5.3)
Category 1 | PLb | - | Single Channel (4.5.2)
Category B | PLa | - | Simple (4.5.1)

Note: Intended to show approximate equivalency for guidance only; attaining the corresponding PL or SIL requires more information and calculation based on several additional factors.

Per ANSI B11.19, Control Reliable is equivalent to PLd and Cat 3.

The Purpose of Risk Assessment

The process serves as an effective tool for properly identifying and assessing the real hazards involved in operating a particular machine.

Risk assessment provides a method for determining equivalent levels of protection when designing safeguards and when applying OSHA's minor servicing exception.

The process takes away the guesswork when estimating risk and prescribing safety system performance.

Risk assessment is an active, documented process that can be filed and maintained for the entire life of the machine, and serves as documented proof of your “due diligence”.

Risk assessment establishes the foundation and early framework for the design and implementation of an effective machine safety program.

What is "Safety" Exactly?

Before we can understand what exactly we achieve through risk assessment, it is important to answer the first few questions.

What does the word safety really mean, and how is it achieved?

Safety, with respect to machinery operation, is defined in IEC 62061:2005 as:

…Safety is freedom from unacceptable risk.

This immediately gives us a definition of safety in terms of risk, so it now starts to become clear how risk assessment plays a part in achieving safety.


What is Risk?

Now we must define risk. Under the same standard, risk is defined as the combination of the severity of harm and the probability of occurrence of that harm (frequency of exposure + avoidability).

Skydiver illustration:

• What severity of harm would come to the skydiver if his parachute did not open?

• What is the probability that the parachute(s) will not open and the skydiver will experience this harm? Probability factors might be: how frequently does the person skydive?

• If the parachute(s) do not open, is the skydiver able to avoid or limit the harm from the fall?

Defined Risk Scale

• If we can define risk in terms of parameters that can be easily selected and summed together, then we will have a simple method for estimating risk relative to machine hazards.

• Risk assessment methodologies provided in machine standards provide this method through risk graphs and matrices, as we will see later.

Risk = Severity of Harm + Probability of Occurrence of Harm

[Figure: risk scale running from Negligible through Low and Medium to High.]

Acceptable Risk

• Acceptable risk may differ from organization to organization, and therefore this value is not purely defined in any standard or methodology. The important thing is that your organization (and the risk assessment team) determine this threshold prior to starting the risk assessment.

• Since safety is freedom from unacceptable risk, we will need to establish a value on our range that determines the threshold between acceptable and unacceptable. Various standards will provide guidance on how to determine when acceptable risk has been achieved.

[Figure: the same Negligible / Low / Medium / High scale, with the acceptable-risk threshold marked on it.]

Task / Hazard Identification

The risk assessment analyzes each person's activities and identifies those activities that have risk!

Step 1: Identify affected personnel

Step 2: Identify tasks

Step 3: Identify hazards

Hazard Identification

Considers ALL affected personnel:

• Operators and helpers, maintenance personnel

• Quality control, material handlers

• Engineers, technicians, sales personnel

• Trainees, supervisors, safety personnel

• Administrative personnel, passers-by

Hazard Identification

Considers ALL tasks being performed on the machine:

• Packing, transportation, unloading, unpacking

• System installation, start-up, commissioning

• Set-up, try-out, teach, operation (all modes)

• Tool change, planned and unplanned maintenance

• Troubleshooting, housekeeping, accident recovery

• And for CE, risk must be assessed all the way through to decommissioning and disposal of the machine!

Hazard Identification

Considers ALL reasonably foreseeable hazard scenarios.

Mechanical hazards:

• Crushing / shearing / cutting / severing / stabbing

• Entanglement / drawing in / trapping / impact / abrasion

• High-pressure fluid injection / part ejection

As well as other hazards such as electrical, thermal, noise, vibration, radiation, dangerous substance handling, poor ergonomics, etc.

Hazard Identification (continued)

Considers ALL reasonably foreseeable hazard scenarios, including:

• Unexpected start-up

• Over-run, over-speed, or variations in operating speed (or any similar malfunction)

• Variations in the rotational speed of tools

• Failure of power supplies and various control circuits

• Systematic errors in software code / specifications

• Effects of EMC / EMI

• Effects of the installed environment (temperature, moisture, etc.)

• Operator "mode confusion"

• Lack of proper procedures and/or training

Fundamental Process

[Figure: flowchart. Define all known machine characteristics and limits; Hazard Identification; Risk Estimation; Risk Evaluation. If the risk is OK, the assessment is complete for that particular hazard and moves to the next hazard. If it is unacceptable, apply Risk Reduction and repeat identification, estimation and evaluation for the hazard.]

Hazard Identification

The first pass of hazard identification is performed on the machine while ignoring all current safeguards that may be in place.

• All risks must be identified and estimated.

• It needs to be determined whether or not the existing safeguard and its performance are applicable and appropriate for the level of risk.

All tasks are broken down into individual steps.

• This allows each step to be assessed more thoroughly for exposure to hazards.

• It provides a flow and outline for the risk assessment process.

Risk Estimation

[Figure: the Fundamental Process flowchart again, with the Risk Estimation step highlighted.]

Risk Evaluation

[Figure: the Fundamental Process flowchart again, with the Risk Evaluation and Risk Reduction steps highlighted.]

The process of risk reduction may have to be implemented several times before the risk is mitigated to an acceptable value. Once the risk is acceptable, we can then move on to the next hazard.

Risk Graphs/Matrix/Chart

For example purposes, we will utilize the ISO 13849-1:2006 risk graph. But depending on our objectives, we could use various other methods. We should consider that one objective is to define our safety performance, and that our risk graph should provide a method for doing so.

Typical Worksheet

A typical risk assessment worksheet will look similar to the one in the worked example below, with a column provided for each item of data that will be collected and/or determined.

With a task and hazard identified, we enter this data into our worksheet:

• Task

• Step

• Hazard:

  a. Details of the potential hazard

  b. Event leading to the hazard or failure mode

  c. Hazardous energy source(s)

  d. Reference to a supporting photo or drawing

RIA R15.06 Risk Estimation (Example)

Task: Loading part to fixture. Frequency: 30 times per hour. On the first pass, assume no safeguards are in place, then estimate the risk level.

Affected Personnel | Area | Hazard | Potential Incidents / Accidents | Severity | Exposure | Avoidance | Initial Rating
Operators / Supervisors / Technicians / Engineers | "A" – Load Station #1 | Impact / pinch points | Struck by moving robot | S2 | E2 | P2 | PLe

[Figure: layout sketch of the cell showing Load Station #1 (A), the Robot (C) and the Load Fixture.]

Risk Reduction

Example: manual loading station to robotic processing cell. Task: Loading part to fixture. Frequency: 30 times per hour.

Accident Potential | Risk Reduction techniques
Struck by robot | Redesign: automate loading; Interlocked hard guarding (manual or automatic safety gate); Light curtain; Floor mat / area scanner

Assuming risk reduction is in place, repeat the assessment process (identify hazards / estimate risks / evaluate risks) until an acceptable level of risk has been achieved.

[Figure: the same cell layout sketch: Load Station #1 (A), Robot (C), Load Fixture.]

Risk Assessment Work Sheet

• Risk Estimation: the rating columns are filled in and the Risk Reduction Category is filled in.

Risk Assessment Worksheet. Sheet #: ____ Date: ______ Machine: Panel Assembly Cell

Task | Potential Incidents / Accidents | Severity of Injury (prior to safeguards) | Exposure | Avoidance | Risk Reduction Category | Potential Safeguards | Recommendations | Severity (with safeguards) | Exposure | Avoidance | Residual Risk
Loading 3 lb. part into fixture, 30 times per hour | Impact / pinch points due to robot motion | S2 | E2 | A2 | PLe | | | | | |

(This worksheet labels the ISO 13849-1 F and P parameters as Exposure, E, and Avoidance, A.)

ISO 13849 Risk Estimation

Risk parameters:

• Severity

• Frequency and/or exposure

• Probability of avoiding the hazard or limiting harm

Safety function Performance Level (determined from the graph).

We now enter the risk estimation parameter selections into our worksheet.

Risk Assessment Work Sheet

• Risk Reduction: the Potential Safeguards and Recommendations columns are filled in.

Risk Assessment Worksheet. Sheet #: ____ Date: ______ Machine: Panel Assembly Cell

Task | Potential Incidents / Accidents | Severity of Injury (prior to safeguards) | Exposure | Avoidance | Risk Reduction Category | Potential Safeguards | Recommendations | Severity (with safeguards) | Exposure | Avoidance | Residual Risk
Loading 3 lb. part into fixture, 30 times per hour | Impact / pinch points due to robot motion | S2 | E2 | A2 | PLe | Redesign: automate part loading. Guarding: light curtains, floor mat, interlocked gate, automated gate | Short term: add light curtain guarding solution | | | |

ISO 13849 Risk Estimation

1. We evaluate the initial risk.

2. If the risk is unacceptable, we must then evaluate the application of our existing and newly recommended safeguards and mitigation measures.

3. We then adjust the risk parameters affected by the existing and installed safeguards.

4. Then we evaluate the residual risk to determine if it is acceptable.

We now enter the risk estimation parameter selections into our worksheet.

ISO 13849 Risk Estimation

Each step of a task will result in a completed worksheet like the one above. The required Performance Level is read from the risk graph in three steps.

Step 1: Select the severity of the hazard.

• S1: Slight (normally reversible injury)

• S2: Serious (normally irreversible injury or death)

* Note: Annex A provides more detailed guidance on the selection of this parameter.

[Figure: ISO 13849-1 Annex A, Figure A.1 risk graph (S1/S2, F1/F2, P1/P2 leading to PLr a to e), with Step 1 (S) highlighted.]


Step 2: Select the frequency and/or exposure to the hazard.

• F1: Seldom to less often and/or the exposure time is short

• F2: Frequent to continuous and/or the exposure time is long

* Note: Annex A provides more detailed guidance on the selection of this parameter.

[Figure: the same Figure A.1 risk graph, with Step 2 (F) highlighted.]


Step 3: Select the possibility of avoiding the hazard or limiting harm.

• P1: Possible under specific conditions

• P2: Scarcely possible

* Note: Annex A provides more detailed guidance on the selection of this parameter.

[Figure: the same Figure A.1 risk graph, with Step 3 (P) highlighted.]
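The three selection steps, carried through the worksheet loop the deck describes (estimate with no safeguards, evaluate against the acceptable-risk threshold, reduce, re-estimate), as an added example that is not part of the original deck or of Rockwell Automation's tooling. The risk graph is ISO 13849-1 Annex A, Figure A.1 as drawn above, and the starting row is the deck's robot load station (S2, F2, P2, rated PLe). The acceptable-risk threshold (PLc), the safeguards, and the parameter each safeguard changes are constructed assumptions for illustration; on a real worksheet the "with safeguards" columns record the assessor's own judgement.

```python
"""Added example (not from the Rockwell deck): ISO 13849-1 Annex A risk graph
driving the risk-assessment worksheet loop: estimate -> evaluate -> reduce.
Threshold, safeguards and their effects on S/F/P are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PL_ORDER = "abcde"  # PL a = least contribution to risk reduction, PL e = most

# ISO 13849-1 Annex A, Figure A.1: (S, F, P) -> required performance level PLr
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Steps 1 to 3 of the deck: select S1/S2, F1/F2, P1/P2 and read PLr."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"not a valid risk-graph selection: {key}")
    return RISK_GRAPH[key]


def pl_at_most(pl: str, threshold: str) -> bool:
    """True when the rating pl is no higher than the acceptable-risk threshold."""
    return PL_ORDER.index(pl) <= PL_ORDER.index(threshold)


@dataclass
class Safeguard:
    """A risk reduction measure and the parameters it changes (None = unchanged).
    Which parameter a measure changes is the assessor's judgement; the values
    used below are constructed for this example."""
    name: str
    severity: Optional[str] = None
    frequency: Optional[str] = None
    avoidance: Optional[str] = None


@dataclass
class WorksheetRow:
    """One task/hazard line of the worksheet, with the rating history."""
    task: str
    hazard: str
    severity: str
    frequency: str
    avoidance: str
    history: List[Tuple[str, str]] = field(default_factory=list)

    def estimate(self) -> str:
        return required_pl(self.severity, self.frequency, self.avoidance)


def reduce_risk(row: WorksheetRow, acceptable: str,
                measures: List[Safeguard]) -> Tuple[str, bool]:
    """Worksheet loop from the deck: rate the hazard with no safeguards, then
    apply measures in hierarchy order, re-estimating after each, until the
    residual rating is acceptable or the measures run out."""
    rating = row.estimate()
    row.history.append(("prior to safeguards", rating))
    for m in measures:
        if pl_at_most(rating, acceptable):
            break
        row.severity = m.severity or row.severity
        row.frequency = m.frequency or row.frequency
        row.avoidance = m.avoidance or row.avoidance
        rating = row.estimate()
        row.history.append((m.name, rating))
    return rating, pl_at_most(rating, acceptable)


# Constructed measures for the deck's robot load station, in hierarchy order
MEASURES = [
    Safeguard("Redesign: automate part loading", frequency="F1"),
    Safeguard("Light curtain with safety-rated stop", avoidance="P1"),
    Safeguard("Training and supervision"),  # no parameter change claimed
]


def run_example(acceptable: str = "c") -> WorksheetRow:
    """The deck's example row (S2, E2, P2 -> PLe with no safeguards)."""
    row = WorksheetRow("Loading 3 lb part into fixture, 30 times per hour",
                       "Impact / pinch points due to robot motion",
                       "S2", "F2", "P2")
    reduce_risk(row, acceptable, MEASURES)
    return row


if __name__ == "__main__":
    for step, pl in run_example().history:
        print(f"{step:40s} PL{pl}")
```

The loop stops as soon as the residual rating reaches the threshold, so the lower items of the hierarchy (training, PPE) are only reached when design-out and guarding are not enough, which is the order the deck's hierarchy slide prescribes. Note that a safeguard that the assessor does not credit with any parameter change (the training entry) leaves the rating where it was.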

Hierarchy of Risk Reduction Measures

1. Design it out

2. Fixed enclosing guard

3. Interlocked guard and safety devices

4. Awareness means

5. Training & supervision

6. Personal protective equipment

More details in future SafeDesign webinars.

Functional Safety Life Cycle (recap; see the five steps above)

Safety Functional Requirements Specification (SFRS)

Rockwell's typical Scope of Work (SOW):

• Review the initial mitigation functionality recommendations from the risk assessment.

• Discussions with the customer's safety, engineering, operations and management staff to "double check" and verify that the plans will not impede production and maintenance, and where possible enhance daily tasks while achieving safety goals.


Rockwell Automation Delivers the SFRS via a 3 Step Process

Step 1 - On-site review of the recommended mitigation options as defined within the completed risk assessment (by others or by Rockwell Automation). The effort will include discussions and additional on-site checks, panel inspections, cable routing plans, and measurements. The primary purpose is to document what the safety function is and how it is to be performed. The process ensures any changes are agreeable to all Customer name parties. The on-site review is estimated to take XX days, with the remainder of the documentation generation being performed off-site.

Step 2 - Documentation of the agreed functionality. The functionality will be documented in tabular form. The safety function will be defined, and the corresponding E-stop, electrical, guarding, pneumatic and hydraulic safety category and related functions will be documented. The integration details of the required new and existing components (safety and standard) will be determined and documented. Additionally, primary circuit components and system controls will be defined, along with guard dimensions and types. When complete, Customer name will be asked to formally approve the SFRS (sign-off). (The example tables referred to on the slide are not reproduced in the transcript.)

Step 3 - Review of the initial mitigation design to determine if any changes are required based on the approved SFRS.

Safety Functional Requirements Specification (SFRS)

[Figure: example SFRS tables, not reproduced in the transcript.]

Scalable Assessment Slide

[Figure only.]

Functional Safety Life Cycle (recap; see the five steps above)

Questions?

Thank You