Directiva Europea de Seguridad en MH

8/3/2019 Directiva Europea de Seguridad en MH

http://slidepdf.com/reader/full/directiva-europea-de-seguridad-en-mh 1/14

Functional Safety & Implementation of the New Machinery Directive |

Machine Sa ety

Functional Sa ety & Implementationo the New Machinery Directive



| Functional Safety & Implementation of the New Machinery Directive




Contents

1. European Machinery Directive p 4 The European Machinery Directive 2006/42/EC, published in 2010, supersedesthe ormer Machinery Directive 98/37/EC. At the same time the standardsavailable or the design o Sa ety-related Control Systems have changed.

2. Functional Sa ety Approach p 6 The new unctional sa ety standards are intended to encourage designers to

ocus more on the unctions that are necessary to reduce each individual risk,and on the per ormance required or each unction, rather than simply relyingon particular components. These standards make it possible to achieve greaterlevels o sa ety throughout the machine’s li e.

3. Which Standard? p 10EN 62061 and EN ISO 13849-1 both deal with the unctional sa ety o machinecontrol systems, but they use slightly di erent terms and techniques todetermine per ormance. Many users are con used by con icting guidance romsuppliers, who may pre er one standard over another.

4. Putting Functional Sa ety in Context p 12Functional sa ety is an integral part o the design o sa e control systems. Otheractors need to be considered when designing control systems, however.




The European Machinery Directive 2006/42/EC,published in 2010, supersedes the ormerMachinery Directive 98/37/EC. Users o EN 954-1 will be amiliar with the old «risk graph» used to designsa ety-related parts o electrical control circuits in categories B, 1, 2, 3

or 4. Users had to subjectively assess the severity o injury, the requencyo exposure, and the possibility o avoidance in order to determine therequired category or each sa ety-related part. This category then specifedthe required behaviour o the sa ety circuit under ault conditions but did notaddress the likelihood o a ault occurring.

With the increasing use o programmable and non-programmable electronicsin these systems, sa ety can no longer be measured purely in terms o categories. Furthermore, the previous standard provides no in ormation onthe probability o ailure.

In recent years, the concept o functional safety has emerged: it re ers to theoverall sa ety o the Equipment Under Control (EUC) and the EUC controlsystem. Functional sa ety depends on the correct unctioning or operationo the electrical/electronic/programmable electronic systems and othertechnology sa ety-related systems, as well as on external risk reductionacilities. It is not an attribute o any particular component or specifc kind o device, but rather concerns the entire EUC and its control system. Functionalsa ety applies to all the parts contributing to the per ormance o a sa etyunction, e.g. input switches, logic solvers such as sa ety relays, sa etycontrollers and sa ety PLCs (including their so tware and frmware), as well asoutput devices such as contactors and variable-speed drives.

The term correct functioning means that operation is correct, not merely whatis expected. There ore appropriate selection o the unctions is essential.

In the past, designers tended to choose components in the highest-levelcategory o EN 954-1, instead o choosing components in a lower categorywhich might actually o er more suitable unctions. This was o ten due to themisconception that EN 954-1 categories are hierarchical, e.g. that category 3is necessarily «better» than category 2.

1New European

Machinery Directive




The new EN ISO 13849-1 and EN 62061 standards help address theweaknesses o EN 954-1. Although they still require consideration o circuit

architecture as in EN 954-1, they also take into account the reliability o thesa ety circuit components and the circuit’s ability to detect/diagnose aultsas well as the probability o common cause ailure. The per ormance o eachsa ety unction is specifed as either a SIL (Sa ety Integrity Level 1, 2 or 3)under EN 62061, or a PL (Per ormance Level a, b, c, d or e) underEN ISO 13849-1.

Fundamental rightsfrom EU

Free circulation(CE marking)

Machinery2006/42/EC

Use of work equipment89/391/EC

Seveso II2008/99/EC

96/82/EC

MachineBuilder

End UserSystem Integrator

End UserSystem Integrator

Workersprotection

Environmentprotection

European UnionDirective

Sector of Activity

Generic StandardEN 61508

Harmonized Standards

EN ISO 13849-1EN 62061

EN ISO 13849-1

EN 62061EN 61508 EN 61511

Safety Standards

European Directives and Sa ety Standards Overview according to sector o activity




The new unctional sa ety standards are intendedto encourage designers to ocus more on theunctions that are necessary to reduce eachindividual risk, and on the per ormance requiredor each unction, rather than simply relying on

particular components. These standards makeit possible to achieve greater levels o sa etythroughout the machine’s li e. Under the old standard, EN 954-1, categories (B, 1, 2, 3 and 4) dictated howa sa ety-related electrical control circuit must behave under ault conditions.Designers can ollow either EN ISO 13849-1 or EN 62061 to demonstratecon ormity with the Machinery Directive. These two new standards considernot only whether a ault will occur, but also how likely it is to occur.

This means there is a quantifable, probabilistic element in compliance:

machine builders must be able to determine whether their sa ety circuitmeets the required sa ety integrity level (SIL) or per ormance level (PL).Panel builders and designers should be aware that manu acturers o thecomponents used in sa ety circuits (such as sa ety detection components,sa ety logic solvers and output devices like contactors) must provide detaileddata on their products.

2Functional Sa ety

Approach

Safety of Systems and Equipment

EN 61508Functional safety of electrical / electronic /programmable electronic safety-related systems Safety-related parts of control systems

Machine safetyFunctional safety of control electrical / electronic /programmable electronic safety-related systems

Machines

EN 62061

EN ISO 13849-1

This data can be a minefeld, however. The new standards have di erentrequirements, it can be di fcult to understand the meaning o all the fguresand acronyms.




Here are the main points machine builders should keep in mind forEN ISO 13849-1:• Performance Level (PL) is determined by the circuit architecture (similarto categories B, 1, 2, 3, and 4 in EN 954-1) as well as bythe MTTFd and DC. The ISO standard defnes fve Per ormance Levelsranging rom PL a (the highest ailure probability) to PL e (the lowest).I a manu acturer states a specifc PL or a component (such as a sa etyrelay), it means this is the highest PL that a circuit incorporating thecomponent can achieve.

• Mean Time To Dangerous Failure (MTTFd) is the average period be orethe ailure o a component will cause a ailure o a sa ety unction. MTTFd israted as high (30-100 years), medium (10-30 years) or low (3-10 years). Note:i the component’s MTTFd is 100 years, this does not guarantee it will not ailbe ore.• Diagnostic Coverage (DC) is the ability o a component or circuit todetect/diagnose a ault concerning it (a short circuit, or example). The higherthe DC, the lower the probability o hazardous hardware ailures.

• Common Cause Failures (CCF) are ailures due either to a common issue(such as a short circuit) or to a single unrelated event. Steps can be taken toprevent common cause ailures; or instance, the designer can use di erentcomponents driven in di erent modes in dual-channel systems.

Key points for EN 62061:• Safety Integrity Level (SIL) is the discrete level or determining the sa ety

integrity requirements o the sa ety-related control system. The standarddefnes three levels, rom one (low) to three (high). Should a manu acturerclaim a specifc SIL or a component (such as a sa ety PLC), then that is themaximum SIL that can be claimed or any system using this component asa subsystem.

• SIL Claim Limit (SILCL) applies to subsystems within a sa ety system. A subsystem is defned as a part o a sa ety system/circuit whose ailurewould bring about a breakdown o the sa ety unction. SILCL is the highestSIL that can be claimed regarding architectural constraints and systematicsa ety integrity.

• Probability of Dangerous Failure per Hour (PFH) is a measure o thedependability o a component, a subsystem, or an entire sa ety system/circuit

– it corresponds to MTTFd in EN ISO 13849-1.• Safe Failure Fraction (SFF) o a subsystem is the ratio o the average rateo sa e ailures plus dangerous detected ailures o the subsystem to the totalaverage ailure rate o the subsystem.




B10 and B10d, used or compliance with both standards, are reliabilityparameters or electromechanical components. B10 is the number o operations at which 10% o the population will have ailed and B10d isthe number o cycles a ter which 10% o the population has ailed toa dangerous state.

There are no published MTTFd or PFHd fgures or electromechanicalcomponents, since ailure rates depend upon the hourly actuation rate, whichis application-specifc. However, designers can use B10 or B10d with knownmachine data (e.g. guard switches might activate a known number o timesper hour when loading a machine), in order to calculate the MTTFd or PFHdo subsystems containing these components.

P e r f o r m a n c e

l e v e

l E N I S O

1 3 8 4 9 - 1a

b

c

d

e

Cat. BDC

avg=

0

MTFFd

of each channel = low

MTFFd

of each channel = medium

MTFFd

of each channel = high

DCavg

=0

DCavg

=low

DCavg

=low

DCavg

=high

DCavg

=medium

DCavg

=medium

Cat. 1 Cat. 2 Cat. 2 Cat. 3 Cat. 3 Cat. 4

Safety category level according to EN ISO 13849-1

Determination o the PL achieved by the sa ety-related parts o controlsystems (SRP/CS)






0 | Functional Safety & Implementation of the New Machinery Directive

EN 62061 and EN ISO 13849-1 both deal with theunctional sa ety o machine control systems, butthey use slightly di erent terms and techniquesto determine per ormance. Many users arecon used by conficting guidance rom suppliers,

who may pre er one standard over another.It is not ideal to have two standards or designers to choose rom. This canlead to integration issues between components and can a ect relationshipsbetween manu acturers, machine builders and end users. However, theEuropean Committee or Electrotechnical Standardization (CENELEC) and theEuropean Committee or Standardization (CEN) both have clear ideas o howto regulate unctional sa ety when building machines. As such, both have setout standards that can provide a presumption o con ormity to the relevantMachinery Directive requirements.

Both EN 62061 (published by the CENELEC) and EN ISO 13849-1 (published

by the CEN) have the same objective: to de-emphasize the behaviour o individual components and to ocus instead on the unctional sa ety o theoverall machine. Both standards are intended to reduce the possibility o injury; used correctly, they o ten reduce the likelihood o machine ailure.While these standards can provide similar risk reduction levels, they achievethat goal in very di erent ways.

The standards use di erent terms or circuit unctional sa ety levels:EN 62061 defnes three Sa ety Integrity Levels (SILs), whereasEN ISO 13849-1 specifes fve Per ormance Levels (PLs). Despite thesedi erences in terminology, some requirements (such as the probabilityo dangerous ailure per hour) are simple to compare. The standards takedi erent approaches, however.

Both EN 62061 and EN ISO 13849-1 have strengths and weaknesses, andthere is an argument or and against using either one, depending on theapplication and manu acturer’s individual pre erences. Unless a machine-specifc type-C standard specifes a SIL or PL, designers are ree to choosewhich standard to use. Whatever the standard, however, it must be used inits entirety and the two cannot be mixed in a single system.

3

Which Standard?




Designers amiliar with the old categories o EN 954-1 may fnd EN ISO13849-1 easier to use. Like its predecessor, the standard applies a simple-looking ”risk graph” to determine the required per ormance level (PL) o individual sa ety unctions a ter a risk assessment has been per ormedin accordance with EN ISO 12100. This means sa ety unctions can beassigned to the appropriate per ormance in order to deal with each individualrisk. However, use o the risk graph alone is o ten insu fcient; the systemdesigner must also make urther choices.

The PL is not determined by the system architecture alone. It is also based onthe Mean Time to Dangerous Failure (MTTFd) and the Diagnostic Coverage(DC). A major beneft o this approach is that designers can use simpler

circuitry as long as they choose high-reliability components, or componentswith higher MTTFd fgures. This is because the fve Per ormance Levels(PLs) defned in EN ISO 13849-1 are bands o values rather than discretecategories.

The advantage o EN ISO 13849-1 over the old standard is that it can makesa ety more cost-e ective or designers, allowing them to design sa etycircuits using ewer, more reliable components. For example, with the newstandard a PL d can be achieved using either a category 2 single-channeldesign with higher reliability components, or category 3 dual-channelarchitecture with lower reliability components. Thus the designer has abroader choice.

Tools are available (such as SISTEMA rom the German Institute o Occupational Sa ety and Health Insurance) to help developers and testersevaluate machine sa ety according to EN ISO 13849-1.

For applications with more robust requirements or managing unctionalsa ety, EN 62061 may be more suitable. It provides more guidance on theorganisational requirements to ensure unctional sa ety is achieved andmaintained. In addition, this standard is better at considering the e ect o modifcations that might be made either when commissioning new equipmentor during the machine’s operating li etime. For example, commissioningengineers need to consider the likely e ects o any proposed modifcation,and how much the control system can be modifed be ore revalidation is

required.

A joint IEC-ISO working group has developed a comparison o the twostandards. This document has been published by both organisations as a

Technical Report -- not the same status as a standard but quicker to publish. The ultimate goal o the joint work is to develop a single standard, but this willtake a number o years.

Requiredperformancelevel PLr

Starting point forthe evaluation of thecontribution to therisk reduction of asafety function

L = Low contribution to risk reductionH = High contribution to risk reduction

P1 a

b

c

d

e H

LP2

P1

P2

P1

P2

P1

P2

F1

F2

F1

F2

S1

S2

Risk graph to obtain the per ormancelevel required (PLr) accordingto EN ISO 13849-1




Functional sa ety is an integral part o the designo sa e control systems. Other actors need tobe considered when designing control systems,however.

Although unctional sa ety is important, it is only relevant when other actorshave been considered in order to put the unctional sa ety calculation intocontext. This means looking at aspects such as the basic design o themachine and its electrical equipment, as well as its pneumatic and hydraulicequipment.

Furthermore, unctional sa ety standards are only use ul in the context o more undamental standards such as EN ISO 12100 (Sa ety o machinery– General principles or design – Risk assessment and risk reduction),and EN 60204-1 (Sa ety o machinery – electrical equipment o machines).

Although EN ISO 13849-1 and EN 62061 are the pre erred unctionalsa ety standards or control systems, they do not replace the need or a

risk assessment and a risk reduction plan prior to designing sa ety-relatedcontrol systems. In addition, they do not replace good engineering practice.Per ormance Levels (PLs) and Sa ety Integrity Levels (SILs) are not a precisescience but rather fgures o merit, and should be used or guidance only.

4Putting Functional

Sa ety in Context

Riskrelatedto the

potentialhazard

= x

Severityof the

potentialharm

Probabilityof

occurenceFrequency and

duration of exposure

Possibility of avoiding or limiting

the probabilityof an eventthat could

cause harm




Risk assessment and reduction should be carried out in accordance withEN ISO 12100. The main ocus is on reducing risk as ar as is reasonablypracticable. The risk reduction hierarchy can be described in three stages.

• Stage 1: eliminate the hazard i possible (inherently sa e design) ollowingEN ISO 12100. Example: use a non- ammable solvent or cleaning tasks toremove the fre hazard o ammable solvents.

• Stage 2: sa eguard against hazards where inherently sa e design is notpractical. Example: implement protective measures via sa ety-related controlsystems such as guards with interlock switches, or open access areasprotected by a light curtain.

• Stage 3: apply complementary protective measures. Example: provide sta training, warning signs, usage guidance, and personal protective equipment.

Users should repeat this cycle o risk assessment ollowed by risk reduction inorder to reduce the risks to a tolerable level, and to ensure no additional riskshave been introduced.

The risk reduction process may require the use o sa ety-related controlsystems designed with EN ISO 13849-1 and EN 62061. However, the overallsa ety o a machine will also depend on compliance with other standardssuch as EN 60204-1 or the complete electrical equipment.

Start

Determination of machine limits

Identification of thepotential hazards

Risk evaluation

Risk reduction

End

Yes

No

Risk estimation

R i s k

a n a

l y s

i s

R i s k

e v a

l u a

t i o

n

Is themachine

safe?

Practical riskcovered by othertechnologysafety-related

systems

Practical risk coveredby electrical / electronic /programmable electronicsafety-related systems

Necessary risk reduction

Actual risk reduction

Practical riskcoveredby external riskreduction facilities

Risk reduction achieved by all safety-related systemsand external risk reduction facilities

Residualrisk

Tolerablerisk

Equipment undercontrol risk

Iterative process o riskassessment in accordancewith EN ISO 12100 Standard

Risk reduction according to EN 62061and EN ISO 13849-1

A clear and concise guide detailing the requirements o these two unctionalsa ety standards and o ering concrete examples is available or downloadrom the Machine Sa ety page o the Schneider Electric website.

For further information, please visit:http://www.schneider-electric.com/sites/corporate/en/solutions/oem/machine-safety/machine-safety.page



Schneider Electric Industries SAS

Head O fce

35 rue Joseph Monier92506 Rueil-Malmaison Cedex- France

Tel.: +33 (0)1 41 20 70 00www.schneider-electric.com ©

2 0 1 1 S c

h n e

i d e r

E l e c

t r i c ,

A l l R i g h t s R e s e r v e

d .

Documents

Directiva Europea de Seguridad en MH