intelligent safety design begins with a risk assessment

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Session C

Intelligent Safety Design Begins with a Risk AssessmentMike Miller & Derek Jones


ISO 13849-1 IEC 62061

SustainabilityTime to market

Information Compliance

ProductivityPerformance

Development Costs Ops & Maintenance Costs

What is it? It’s NOT just about Equations,Standards and schematics…

It’s about ……………

What is functional safety?



• It is about things working safely and productively




• It is about evidence of due diligence, can we prove it is right…





• It is about implementing a solution that is both technically and commercially viable





• It is about implementing a solution that is both technically and commercially viable

• It is about a logical concept for design


What makes safety special

• Is a domestic float valve a safety device

?



• What happens if valve doesn’t work?

• How does it fail?• Does the valve fail In the

on/off/unknown state?• Do any of these states represent

a dangerous state?• In this case, most of the failures

are inconvenient rather than dangerous


• Process vessel – is a domestic float valve good enough?• How do we know• What do we need to do to check that it is good enough



How Good Is It??

• Valves could be anywhere between 0-100% reliable

• Relatively inexpensive plastic float valve to stainless steel

MTTFD = Mean time to a dangerous failure


• The same principle applies for electrical switches

• We could select an inexpensive plastic switch compared to a state of the art RFiD non-contact switch

Improve reliability

MTTFD = Mean time to a dangerous failure MTTFD = Mean time to a dangerous failure

Is this all we need?


Do We Need Two?

• What if our single valve fails?


Do We Need Two?

• Do we need 2 float valves?

• Increased risk – we might need two..

FT = Fault tolerant


Fault Tolerance - Redundancy

• Electrically we could have redundant switches to switch off the motor

• Is this all we need?

FT = Fault tolerant FT = Fault tolerant


What If One Fails

• If one fails – do we know?

• Do we need to know??

DC = Diagnostic Coverage


What If One Fails

• In this case we have no diagnostics and the fault is not detected



What If One Fails

• Without diagnostics we could get a subsequent fault.



How do we check

• Fault detection may be desirable



How do we check


• In this instance the fault is indicated


How to achieve DC

• Electrically we would wire the switches back to a monitoring safety relay


DC = Diagnostic Coverage DC = Diagnostic Coverage


What If They Both Fail

• Both fail together?

CCF = Common cause failure


What If They Both Fail

• One means of addressing CCF is to adopt diversity



Diversity using differing technologies


• Diversity reduces common cause failure




What If The Process Changes?

• Contents of vessel changes

• Change in pressure from 10-100PSi


SYS =Systematic integritySYS =Systematic integrity


Have we maintained the installation?

• Is the valve replaced every 5 years as per the installation sheet

• Do we have the sufficient competency

• Is this all we need???

FSM = Functional safety management FSM = Functional safety management


The Acronyms…

• MTTFd – Mean Time To Dangerous Failure

• HFT – Hardware Fault Tolerance• DCavg – Diagnostic Coverage• CCF – Common Cause Failure• SYS – Systematic Integrity• FSM – Functional Safety

Management

• If some of the points listed above aren’t dealt with properly we will fail to achieve our goal of a functionally safe system and the consequences can be significant


Safety Management – Roles and Responsibilities


What is Functional safety?“part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.”

What is safety?“the freedom from unacceptable risk of physical injury or damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.”

Rockwell Automation EnhancementMore than compliance. It improves the functional operation of the machine. It also helps to increase worker safety,

efficiency and productivity, while reducing waste.

Recap - What is Functional Safety?



Introduction to ISO 13849

• Let’s begin by introducing some terms, definitions and requirements• All information is taken from the current version of:

Safety of machinery - Safety-related parts of control systems -Part 1: General principles for design (ISO 13849-1:2006)

What are Performance Level PL?

Hardware Fault Tolerance – Categories (structure)

B 1 2 3 4

Reliability of the HW: Mean Time To Failure (dangerous – MTTFd)

Quality of the diagnostic measures: DC (CAT. 2 and higher)

Sufficient measures against Common Cause Failures (CCF)

Performance Level (PL) acc. to ISO 13849-1

a b c d e

+

=

Mea

sure

s to

avo

id s

yste

mat

ical f

ailu

res

(QM

)



What is required for ISO 13849?

HFT

MTTFd

DCCCF

System

FSM


• Design according to relevant standards• Withstand expected influences• Hardware Fault Tolerance of zero, single fault will lead to the

loss of the safety function• Mainly characterized by selection of components

What are requirements for Category B?What are requirements for Category 1?


• Requirements for category B apply• Well-tried safety principles• SF has to be checked in suitable intervals• Hardware Fault Tolerance of zero, but the loss of the SF is detected• Mainly characterized by structure

What are requirements for Category 2?



• Requirements for category B apply• Well-tried safety principles• Hardware Fault Tolerance of one• Some but not all faults are detected• Accumulation of undetected faults can

lead to the loss of the SF• Mainly characterized by structure
