Published by Ambrose Edwards. Modified over 9 years ago.
Slide 1: Introduction to SISTEMA
Schneider Electric 2 - Mac - Safety – March 2010

Slide 2: Introduction
● In Europe, manufacturers are used to designing the safety-related parts of control systems (electrical, hydraulic, pneumatic and mechanical) for machines and equipment in accordance with the standard EN 954-1, which is based on a qualitative approach.
● However, EN 954-1 does not cover the development of electronic and programmable electronic control systems. These are covered by the new European and international standards (EN ISO 13849, EN IEC 61508 and EN IEC 62061), which are based on a quantitative (probabilistic) approach.

Slide 3: Introduction (contents)
● Introduction
● SIL calculation according to EN/IEC 62061
● What is SISTEMA?
● Web page for SISTEMA
● Downloading the SISTEMA software
● SISTEMA library – Schneider Electric
● 7 basic items of SISTEMA
● SISTEMA – Schneider Electric emergency stop system number 1
● Emergency stop device by means of a safety module – Category 3 – PLe

Slide 4: Introduction – EN 954-1 not sufficient for increasingly complex control systems
● The qualitative approach of EN 954-1 is no longer sufficient for modern controls based on new technologies (electronic and programmable electronic systems):
  ● no consideration for programmable systems,
  ● risk graph not specific enough.
● EN 954-1 has recently been replaced by the new standard EN ISO 13849-1, which upgrades the qualitative approach by adding a quantitative (probabilistic) approach.
● EN 954-1 stays valid up to 31/11/2009 (transition period during which both standards are valid).
● EN ISO 13849-1 addresses electrical, pneumatic, hydraulic, etc. systems.

Slide 5: Introduction – Select the suitable standard

Slide 6: Introduction
● For complex machines, the international sector-specific standard IEC 62061, based on the standard IEC 61508, must be used:
  ● Published on December 31, 2005
  ● Harmonized to the Machinery Directive
  ● Restricted to electric, electronic and programmable electronic safety-related control systems
  ● Possible overlap with EN ISO 13849-1
● (Figure: sector standards derived from IEC 61508, Functional safety of Electrical / Electronic / Programmable Electronic (E/E/PE) safety-related systems)
  ● IEC 61513: Nuclear power plants – Instrumentation and control for systems important to safety
  ● EN/IEC 62061: Safety of machinery – Functional safety of E/E/PE control systems
  ● IEC 61511: Functional safety – Safety instrumented systems for the process industry sector

Slide 7: Introduction
● The probability of failure associated with the required SIL level depends on the frequency of usage of the safety function to be performed (Safety of Machinery application, EN IEC 62061):

  Low demand mode of operation: average probability of failure to perform the design function on demand.
  High demand (> 1/year or 2 x proof-check frequency) or continuous mode of operation: probability of a dangerous failure per hour.

  Safety Integrity Level   Low demand mode          High demand or continuous mode
  SIL 4                    ≥ 10^-5 to < 10^-4       ≥ 10^-9 to < 10^-8
  SIL 3                    ≥ 10^-4 to < 10^-3       ≥ 10^-8 to < 10^-7
  SIL 2                    ≥ 10^-3 to < 10^-2       ≥ 10^-7 to < 10^-6
  SIL 1                    ≥ 10^-2 to < 10^-1       ≥ 10^-6 to < 10^-5

Slide 8: Introduction – Assigning a SIL level
● (Figure: EN ISO 13849-1 (EN 954-1) => PL; EN IEC 62061 => SIL)

Slide 9: Introduction – Determination of performance level PL
● In this example the safety function is the disconnection of a motor when the safety guard is open. Without the guard the possible harm is to lose an arm. With the answers S2, F2 and P2, the risk graph leads to a required performance level of PLr = e.

Slide 10: Introduction – PL estimation according to EN/ISO 13849-1 (example calculation for an application)
● All parts which carry out the safety function must be identified; in our example we use a redundant structure with 2 inputs, 2 logic channels and 2 outputs switching the power.
● Each block in the diagram represents one hardware device implementing the safety function:
  ● INPUT (SRP/CS a): Interlocking Switch 1 (SW1), Interlocking Switch 2 (SW2)
  ● LOGIC (SRP/CS b): Safety Module XPS
  ● OUTPUT (SRP/CS c): Contactor 1 (CON1), Contactor 2 (CON2)

Slide 11: Introduction – Evaluate the performance level PL (example)

  SRP/CS                           B10 (operations)   B10d (operations)   MTTFd (years)    DC
  Interlocking switches SW1, SW2   10 000 000         20 000 000          4 734 => 100     99%
  Safety module XPS (XPSAK)        -                  -                   191.5 => 100     99%
  Contactors CON1, CON2            -                  400 000             94.7             99%

Slide 12: Introduction – Verify the achieved performance level
● We put the data for the example SRP/CS, with MTTFd = high, DCavg = 99% and category 4, into the graph in order to find the achieved performance level for our safety function. Achieved PL = e.

Slide 13: SIL calculation according to EN/IEC 62061 – Safety specification of the function blocks
● The safety requirements for each function block are derived from the safety requirements specification of the corresponding safety-related control function (SRCF). In our example each function block needs a SIL 2 capability (i.e. FB1 → SILCL 2, etc.). The SIL claim limit (SILCL) is the maximum SIL capability of a subsystem.

Slide 14: SIL calculation according to EN/IEC 62061 – The subsystems
● Each function block is allocated to a subsystem within the structure of the safety-related electrical control system (SRECS).
● The subsystems must achieve at least the same SIL capability as assigned to the entire safety-related control function (SRCF).

Slide 15: SIL calculation according to EN/IEC 62061 – Select the devices
● For each subsystem, select the devices or design and develop the safety solution.

Slide 16: SIL calculation according to EN/IEC 62061 – Design the diagnostic tests

Slide 17: SIL calculation according to EN/IEC 62061 – Calculation of subsystems SS1 and SS3

Slide 18: SIL calculation according to EN/IEC 62061 – Verify the achieved SIL

Slide 19: SIL calculation according to EN/IEC 62061 – Example of risk assessment

Slide 20: What is SISTEMA?
● SISTEMA is a software tool for evaluating the safety-related parts of control systems for machinery implementing EN ISO 13849-1.
● This software was developed by the BGIA in Germany.
● SISTEMA stands for “Safety Integrity Software Tool for the Evaluation of Machine Applications”.
● Here is the link to obtain the SISTEMA software: http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp

Slide 21: SISTEMA
● (Figure: web page of the Institute for Occupational Safety and Health of the German Social Accident Insurance)

Slide 22: Click on “Download Version 1.1.2”

Slide 23: Downloading the SISTEMA software
● After clicking on the “Download Version 1.1.1” button:
● Submit an e-mail address to receive the link to the download page.
● Register, download and follow the installation instructions.
● Here is the link for the libraries of various manufacturers: http://www.dguv.de/ifa/en/pra/softwa/sistema/bibliotheken/index.jsp

Slide 24: SISTEMA library – Schneider Electric
● Scroll down to Schneider Electric Automation GmbH, then click.

Slide 25: Schneider Electric Automation GmbH
● Scroll down to “Click here to download the Preventa library for SISTEMA”, then click on this link.
● Save the file onto the hard drive of the computer, preferably using a download manager.
● After this has been completed you are ready to use the SISTEMA software and Schneider Electric’s library files.

Slide 26: 7 basic items of SISTEMA
● When a SISTEMA project is created it comprises the following basic items:
● Project (PR): this generally refers to the portion of the machine that is to be analysed by SISTEMA.
● Safety Function (SF): this refers to the determination of the increase in risk due to failure analysis of any function of the machine.
● Subsystem (SB): there can be multiple subsystems, and they can consist of safety-related signals and safety-related processing.
● Channel (CH): a subsystem consists of one or two channels, which are used for structuring the control system.
● Test channel: there are test channels in subsystems, and these have the function of repeated testing.

Slide 27: 7 basic items of SISTEMA (continued)
● Block (BL): subdivides a channel into various logical function units, for example safety devices (such as emergency stop buttons and various safety switches), the logic unit (such as a safety module) and main contactors.
● Element (EL): the lowest item in the hierarchy. An element can be electromechanical, an item in a pneumatically operated system, or an item in a hydraulically operated system.

Slide 28: 7 basic items of SISTEMA – summary

Slide 29: SISTEMA – general example of an emergency stop system

Slide 30: SISTEMA – Schneider Electric emergency stop system number 1

Slide 31: Figure (1)
● (Figure (1): example schematic of a Category 4 E-stop circuit with redundancy and periodic checking / self-monitoring; safety module K3)

Slide 32: 7 basic items of SISTEMA – summary with Schneider Electric products

Slide 33: Emergency stop device by means of a safety module – Category 3 – PLe
● Emergency stop device by means of a safety module (emergency stop function, STO)
● Safety function: emergency stop function, STO, by actuation of an emergency stop device.
● Functional description: hazardous movements or states are interrupted or prevented by actuation of an emergency stop device. Referring to figure (1), each emergency stop device triggers a safety function of its own. S1 is evaluated in a safety module K3, which actuates two redundant contactors KM1 and KM2.

Slide 34: Emergency stop device by means of a safety module – Category 3 – PLe (continued)
● The signals from the emergency stop devices are read redundantly into the safety module K3 for fault detection. K3 also features internal test measures. The contactors KM1 and KM2 are also monitored in K3, by means of mechanically linked feedback contacts. KM1 and KM2 are operated by switch S3 at each start-up command.
● (Figure: S1, K3, KM1, KM2)

Slide 35: Emergency stop device by means of a safety module – Category 3 – PLe (continued)
● Design features:
● Basic and well-tried safety principles are observed and the requirements of Category B are met.
● The emergency stop device S1 is a switching device with direct opening contacts in accordance with IEC 60947-5-1, Annex K.
● The supply conductors to the switching devices are laid separately or with protection.
● The safety module K3 satisfies all requirements for Category 4 and PLe.
● KM1 and KM2 possess mechanically linked elements to IEC 60947-5-1, Annex L.

Slide 36: Emergency stop device by means of a safety module – Category 3 – PLe (continued)
● Calculation of the probability of failure:
● S1, the emergency stop device, is a standard emergency stop device to EN ISO 13850.
● The probability of failure of the final safety module K3 is added at the end of the calculation (2.31 × 10^-9 per hour [M], suitable for PLe). For the subsystem KM1/KM2, the probability of failure is calculated as follows:

Slide 37: Emergency stop device by means of a safety module – Category 3 – PLe (continued)
● MTTFd: for the contactors KM1 and KM2, the B10 value corresponds under an inductive load (AC3) to an electrical lifetime of 1,000,000 switching operations [M]. If 50% of failures are assumed to be dangerous, the B10d value is obtained by doubling the B10 value. With three demands upon the emergency stop function and 24 start commands per year, nop is 27 cycles per year and the MTTFd is 740,740 years. This is also the symmetrical MTTFd for the channel, which is capped to 100 years (“high”).
● DCavg: the DC of 90% for KM1 and KM2 is based upon testing by the safety module K3. This is also the DCavg (“medium”).
● Adequate measures against common cause failure (70 points): separation (15), well-tried components (5), overvoltage protection etc. (15) and environmental conditions (25 + 10).

Slide 38: Emergency stop device by means of a safety module – Category 3 – PLe (continued)
● The subsystem KM1/KM2 corresponds to Category 3 with a high MTTFd (100 years) and medium DCavg (90%). This results in an average probability of dangerous failure of 4.29 × 10^-8 per hour. Following addition of the subsystem K3, the average probability of dangerous failure is 4.52 × 10^-8 per hour. The PLr of d is thus surpassed.
● (Figure: S1, K3, KM1, KM2)
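The KM1/KM2 calculation of slides 37 and 38, carried through in code together with the PFH-to-SIL bands of the slide 7 table, as an added example that is not part of the presentation or of SISTEMA. It assumes the EN ISO 13849-1 Annex C relation MTTFd = B10d / (0.1 × nop) and the standard's MTTFd, DC and PL bands, and takes the Annex K lookup value 4.29 × 10^-8 for the KM1/KM2 subsystem as stated on the slide rather than computing it.

```python
def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    """MTTFd in years (EN ISO 13849-1 Annex C): MTTFd = B10d / (0.1 * n_op)."""
    return b10d / (0.1 * n_op)

def mttfd_class(mttfd_years: float) -> str:
    """Table 4 classes; anything above 100 years is capped to 100 ('high')."""
    m = min(mttfd_years, 100.0)
    return ("not allowed" if m < 3 else "low" if m < 10
            else "medium" if m < 30 else "high")

def dc_class(dc_percent: float) -> str:
    """Table 6 classes for diagnostic coverage."""
    return ("none" if dc_percent < 60 else "low" if dc_percent < 90
            else "medium" if dc_percent < 99 else "high")

# PL bands by PFH (1/h) from Table 3 of EN ISO 13849-1, and the high-demand
# SIL bands of EN IEC 62061 as tabulated on slide 7.
PL_BANDS = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]
SIL_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

def band(pfh: float, bands):
    """PL letter or SIL number whose half-open interval contains pfh, else None."""
    for name, lo, hi in bands:
        if lo <= pfh < hi:
            return name
    return None

def evaluate_estop_example() -> dict:
    """Slides 37/38: contactor subsystem KM1/KM2 plus safety module K3."""
    b10 = 1_000_000                      # AC3 electrical lifetime [M]
    b10d = 2 * b10                       # 50 % of failures assumed dangerous
    n_op = 3 + 24                        # e-stop demands + start commands per year
    mttfd = mttfd_from_b10d(b10d, n_op)  # 740,740 years before capping
    ccf_points = 15 + 5 + 15 + 25 + 10   # CCF measures listed on slide 37
    pfh_km = 4.29e-8   # Cat 3, MTTFd high, DCavg medium: Annex K value as on slide
    pfh_k3 = 2.31e-9   # safety module K3 [M]
    pfh_total = pfh_km + pfh_k3          # subsystems in series: PFH values add
    return {"mttfd_years": mttfd, "mttfd": mttfd_class(mttfd), "dc": dc_class(90),
            "ccf_ok": ccf_points >= 65, "pfh": pfh_total,
            "pl": band(pfh_total, PL_BANDS), "sil": band(pfh_total, SIL_BANDS)}
```

The same functions reproduce the slide 11 table: MTTFd values of 4 734 and 94.7 years both classify as "high", and a DC of 99% is "high".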