complying with new functional safety standards

Post on 20-Aug-2015

2 © 2012 Eaton Corporation. All rights reserved.

Complying with New Functional Safety Standards

This webinar will be available afterwards at

designworldonline.com & email

Q&A at the end of the presentation

Hashtag for this webinar: #DWwebinar

Before We Start

Moderator

Natasha Townsend

Design World

Presenter

Jacob Feutz

Eaton

Functional Safety Webinar

June 14, 2012

Questions to answer

• What is Functional Safety?

• What is happening in the Functional Safety market?

• What standard should I use for my machine?

• What do I have to consider when applying that standard?

• How do I determine what level of safety to design to?

• What values go into a calculation? Can you walk me through one?

• Others?

What is functional safety?

The complete explanation: The EU Machinery Directive 2006/42/EC stipulates that a machine should not pose any danger. However, as there is no 100% safety in engineering, the aim is to reduce these dangers to a tolerable level of residual risk by means of risk reduction measures.

The overall safety of a machine defines the state in which it can be considered as being free of unwarranted risks to persons or as free of danger. Functional safety is the part of the overall safety of a system which depends on the correct functioning of the safety-related systems and external risk reduction facilities.

Functional safety is not:

• Arc flash

• Grounding

• Fire suppression systems

• Short circuit protection

• Surge protection

• Motor protection

• Others

• www.eaton.com/ElectricalSafety

What is happening in the functional safety market in North America?

• Engineering-based drivers:

  • The desire to have standards-based methods and testing that a machine can be certified to

• Customer-based drivers:

  • Selling machines to European customers – where it is required for the CE mark

  • Selling machines to NA customers who are now requiring safety assessments

• Corporate-based drivers:

  • NA companies that are owned or are now managed by European parent companies

  • Limit liability by designing to accepted standards

The Eaton Safety Manual

eaton.com/FS

What standard should I use for my machine?

What standard should I use for my machine?

• Different “types” of standards:

What standard should I use for my machine?

IEC 62061

• Applies only to electrical, electronic and programmable electronic systems

• For mixed systems use ISO 13849

• Any architecture can be used

• Suitable as evidence of safety of devices and the overall safety functionality through calculation

ISO 13849-1

• Can be used without limitation for hydraulic, pneumatic and electromechanical systems

• Limited use for programmable electronic systems: specific architecture, up to PL d only

• Calculation concept based on defined architectures

• Suitable as evidence of safety of devices and the overall safety functionality using tables

What do I have to consider when applying that standard? – ISO 13849-1

• Which necessary safety functions are performed by the safety-related parts of the control system (SRP/CS)?

• Which properties are required for the safety function?

• Which performance level is required?

• Which safety-related parts perform the safety function?

• Which performance level (PL) was achieved for the SRP/CS?

• Was the PL for the safety functions achieved?

How do I determine what level of safety to design to? – ISO 13849-1

Risk estimation: PLr

What values go into a calculation? – ISO 13849-1

• Control architecture (category)

• MTTFd – mean time to dangerous failure

• DC – diagnostic coverage

• CCF – common cause failure

• Relationship between the above

SISTEMA software

http://www.dguv.de/ifa/de/pra/softwa/sistema

Control architecture - category

Control architecture – Cat. B

The safety-related parts of the control system shall, as a minimum, be designed in accordance with the current state of the art. They shall withstand the influences which are to be expected.

Control architecture – Cat. 1

The safety-related parts of the control system must be designed and constructed using well-tried components and well-tried safety principles. A well-tried safety principle is, for example, the use of position switches with positively opening contacts. Normally, the category cannot be implemented with electronic components.

Control architecture – Cat. 2

The safety functions of the safety-related parts of a control system must be checked at suitable intervals. The check can be performed automatically or manually and at least with each startup and before a hazardous situation occurs. The check can also be carried out periodically during operation as determined by the risk analysis. A hazardous situation may occur on the machine between the checks.

Control architecture – Cat. 3

A single fault in a safety-related part of the control system does not lead to the loss of the safety function. An accumulation of undetected faults may cause a hazardous situation on the machine, since not all faults must be detected. An example of this is the use of a redundant circuit without self-monitoring.

Control architecture – Cat. 4

A single fault in a safety-related part of the control system does not lead to the loss of the safety function. This fault must be detected immediately or before the next potential danger, e.g. when closing the door before a restart of the machine. If this is not possible, the accumulation of faults must not lead to the loss of the safety function.

Calculating MTTFd - Manually

Calculating MTTFd – using SISTEMA

Calculating DC - Manually

Calculating DC – using SISTEMA

Calculating CCF - Manually

Calculating CCF – using SISTEMA

Relating values to an achieved PL
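A worked estimate of the achieved PL from category, MTTFd, DC and CCF, added here as an example (not from the webinar or from Eaton): the parts-count MTTFd formula, the DCavg formula, the 100-year channel cap, the 65-point CCF threshold and the category/DCavg/MTTFd lookup table are taken from ISO 13849-1:2006 as assumptions, since the slides show them only as figures, and the B10d, cycle and CCF figures are constructed to mirror the dual-channel emergency stop case.

```python
MTTFD_CAP_YEARS = 100.0  # per-channel cap assumed from ISO 13849-1:2006

def mttfd_from_b10d(b10d, ops_per_year):
    """MTTFd (years) of an electromechanical part: B10d / (0.1 * n_op)."""
    return b10d / (0.1 * ops_per_year)

def channel_mttfd(parts):
    """parts = [(mttfd_years, dc), ...]; parts count: 1/MTTFd = sum(1/MTTFd_i)."""
    return min(MTTFD_CAP_YEARS, 1.0 / sum(1.0 / m for m, _ in parts))

def dc_avg(parts):
    """DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i); rounded to avoid FP noise."""
    return round(sum(dc / m for m, dc in parts) / sum(1.0 / m for m, _ in parts), 4)

def mttfd_band(years):
    if years < 3:  return None  # below the usable range of the table
    if years < 10: return "low"
    if years < 30: return "medium"
    return "high"

def dc_band(dc):
    if dc < 0.60: return "none"
    if dc < 0.90: return "low"
    if dc < 0.99: return "medium"
    return "high"

# (category, DCavg band) -> PL per MTTFd band, assumed from ISO 13849-1:2006 Table 7.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}

def achieved_pl(category, parts, ccf_points):
    """PL letter, or None when the table does not permit the combination."""
    if category in ("2", "3", "4") and ccf_points < 65:
        return None  # redundant or tested categories need >= 65 CCF points
    row = PL_TABLE.get((category, dc_band(dc_avg(parts))), {})
    return row.get(mttfd_band(channel_mttfd(parts)))

def estop_example():
    n_op_contactor = 360 * 16 * 3600 / 300  # constructed: 360 d, 16 h/d, 300 s cycle
    parts = [(mttfd_from_b10d(100_000, 365), 0.99),                 # e-stop contact
             (mttfd_from_b10d(1_300_000, n_op_contactor), 0.99)]    # contactor
    return achieved_pl("4", parts, ccf_points=70)  # -> "e"
```

A None result is the useful signal: it means the category, diagnostic coverage and MTTFd do not combine to any PL in the table and the design, not the arithmetic, has to change.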

Achieved PL in SISTEMA

What values go into a calculation? – IEC 62061

• Risk assessment

• Control architecture

• Safety characteristics of the subsystems

• λd – Dangerous failure rate

• DC – Diagnostic coverage

• β – Common cause failures (CCF)

• T1 – proof test or life time

• T2 – Diagnostic test interval

• PFHd – Probability of dangerous failure

• SIL – Safety integrity level of the subsystem

• SFF – Safe failure fraction

• SIL CL – SIL claim limit

• SIL – Safety integrity level of the entire system

Application example - products

Input

Control

Output

• Application: Dual channel emergency stop with redundant series contactors

• Monitored Manual Restart

• Cross Circuit Recognition

• Controlling three motors

• Pushbutton start/stop control

• Protection Level Required: e

Application example – control diagram

Application example – power diagram

Application example – calculated values

Application example - products

Input

Control

Output

• Application: Single channel position switch

• Monitored Manual Restart

• Controlling two motors. Pushbutton input to programmable controller.

• Protection Level Required: c

Application example – control diagram

Application example – power diagram

Application example – calculated values

Thank You

Questions?

Design World

Natasha Townsend

ntownsend@wtwhmedia.com

Phone: 440.234.4531

Twitter: @DW_Electrical

Eaton

Jacob Feutz

JacobBFeutz@eaton.com

Phone: 414.449.7356

Twitter: @eatoncorp

Eaton.com/fs

Thank You

This webinar will be available at

designworldonline.com & email

Tweet with hashtag #DWwebinar

Connect with

Twitter: @DesignWorld

Facebook: facebook.com/engineeringexchange

LinkedIn: Design World Group

YouTube: youtube.com/designworldvideo

Discuss this on EngineeringExchange.com
