So far, we learned a lot about the deployment of PROFIsafe. But what about safety applications and these safety functions?
Directives & Standards
In many countries, the safety requirements for hazardous machineries are regulated by law. Within the EU this is the Machinery Directive 98/37/EC. This directive contains a list of so-called harmonized standards. For a machine builder, there is presumption of conformity to the directives if the relevant standards are fulfilled.
Relevant standards in the context of PROFIsafe are, for example, the IEC 62061, ISO 13849-1, ISO 12100-1, and ISO 14121 (see Figure 2).
Risk Reduction Strategy
It is always better to design a machine with inherent safety such that it avoids any hazards. In the first part the ISO 12100-1 lists all kinds of possible hazards. In its second part it shows an iterative strategy on how to reduce the risk of any automated equipment via a risk assessment. This risk assessment consists of a risk analysis and a risk evaluation:
- Specify the limits and the intended use of the machine
- Identify the hazards and the associated hazardous situations during the whole life cycle of the machine
- Estimate the risk for each identified hazard and hazardous situation
- Evaluate the risk and take decisions about the need for risk reduction By using the "3-step-method"
- Inherently safe design measures,
- Safeguarding and possibly complementary protective measures,
- Information for use about the residual risk,
the designer can eliminate the hazards or reduce the risk associated with the hazards by protective measures.
Safeguarding and complementary protective measures are the building up of safety functions such as a light curtain, the associated logic operation, and a circuit breaker to de-energize the motor.
Application of IEC 62061
Both IEC 62061 and ISO 13849-1 provide methods for dealing with safety functions. While IEC 62061 fits well to the PROFIsafe technology and programmable safety controllers (F-Hosts), the ISO 13849-1 fills the gap for hydraulic, pneumatic, electric, and mechanical components.
The IEC 62061 requires a safety plan for the whole life cycle of the machinery covering design strategy, personnel roles and responsibilites, commissioning, change and maintenance until dismantling.
Both standards offer similar concepts for the risk evaluation of safety functions, based on ISO 14121:
Risk = severity of harm and probability of occurrence of that harm
The probability of occurrence consists of the exposure of persons, the occurrence, and the possibility of avoidance.
Both standards provide calculated characteristics. One is the required SIL and the other the required PL. It is possible to transform one into the other. In the long run it can be expected that the difference will disappear for the user when the risk evaluation is performed in engineering tools via "questionnaires".
Safety Function Design
IEC 62061 defines so-called safety-related control systems (SRECS) for safety functions with subsystems for sensing, processing, and actuation. Subsystems may contain elements (e.g. switches).
The easiest way to design a safety function is to use certified F-Devices (sensors, actuators) and a certified F-Host connected via PROFIsafe.
The F-Devices provide the necessary information in their safety manual to determine the achieved SIL of a particular safety function. In a first step, the least SILCL (claim limit) of all the safety devices (F-Devices, F-Host) is selected. This determines the maximum achievable SIL of the entire safety function. In some cases system manufacturers may offer system support to upgrade to a higher SIL via redundancy of F-Devices and corresponding system software.
In the second step, the PFHd values are added and the result is checked against the permitted value ranges for a particular SIL.
The least SIL value from these two steps determines the achievable SIL.
In the following you will see, how you can combine F-Modules within remote I/O with classic electromechanical safety devices such as emergency stop buttons, door switches, etc. as shown in Figure 4.
IEC 62061 provides 4 predetermined architectures A, B, C, and D for subsystems to connect classic safety devices. Formulas to calculate failure probabilities are provided for these circuits. With the help of B10 values for the switches, the estimated number of switch cycles, the diagnostic coverage, and a common cause factor, the necessary probability of dangerous failures can be calcuted with the formulas and added to determine the overall SIL.
The ISO 13849-1 defines so-called SRP/CS (Safety-Related Parts of Control Systems) also for hydraulic, pneumatic, electric, and mechanic components. A PL and a PFHd value can be determined for such a component with the help of this standard and transformed into the SIL determination for the safety function according to IEC 62061.
IEC 62061 requires a validation plan to be part of the overall safety plan. According to this plan the machinery shall be tested, checked, and documented.