programmable safety systems


Upload: arie-karpf

Post on 10-Apr-2018


Page 1: Programmable Safety Systems

8/8/2019 Programmable Safety Systems

http://slidepdf.com/reader/full/programmable-safety-systems 1/38

Chapter 6

145 Programmable Safety Systems

Programmable Safety Systems

Contents

6.0 Concept

6.1 Method

6.2 Hardware

6.2.1 Test pulses

6.2.2 Input modules

6.2.2.1 Typical connection

6.2.3 Output modules

6.2.3.1 Typical connection

6.2.4 Input/output module with test pulse

6.2.4.1 Typical connection

6.2.5 Dual-pole input/output module

6.2.5.1 Typical connection

6.3 Software

6.3.1 MBS System: Transfer lines

6.3.2 MBS System: Eccentric presses

6.3.3 MBS System: Hydraulic presses

6.3.4 MBS System: Tank farm installations

6.3.5 MBS System: Burner management

6.4 Security

6.5 Certification

6.6 Reliability and availability

6.7 Typical failsafe program



6.0 Concept

The introduction of European Directives has helped turn attention towards the concept of machinery safety. In some cases, the emphasis placed on the suitability and integrity of safety systems has led to concern and confusion among machinery designers and users. The safety circuits of simple, stand-alone machines generally use relatively basic safety-related controls, designed with high-integrity hard-wired components. When these simple machines grow into production lines or are incorporated into larger, complex machines, the safety-related control systems may need to be more complex to suit.

Complex hard-wired systems can be unreliable and have poor diagnostic capabilities, especially those that have a requirement for extensive interlocking for functions such as setting or teaching. In a well-designed system, any unreliability or failure will lead to a safe state, but will still have an adverse effect on production. When such unreliability causes a loss of revenue, the production department normally wins the day and short cuts are taken. This is when most accidents occur.

In 1992 Pilz decided to examine how a programmable safety system could be produced for application in a high-integrity system. Figs. 49 and 50 outline the thinking of the design team. Fig. 49 shows a traditional design, in which the machine or process is controlled by a conventional PLC, while the safety section is overseen by a separate hard-wired system. Clearly, if it were possible to incorporate these two sections into a single unit, as in Fig. 50, costs could be reduced and reliability increased.


When complex relay-based systems were the only choice for controls, overall reliability was poor and fault-finding was often difficult and time consuming. Engineers had to work their way through the cascaded circuits, following the control philosophy until the fault was located. During the 1970s programmable controllers were introduced and engineers began to use these extensively to replace relay circuits.

This simplified the implementation process, although initially there was no noticeable improvement in reliability. Arguably the most significant advantage was the level of diagnostics that could be achieved. Problem areas could be identified and located quickly, making repair work quicker and easier. Once the reliability of the hardware and software improved as development progressed, the control engineer had a powerful tool for the majority of control applications.

Fig. 49: Safety functions controlled by separate hardware (diagram: Standard PLC controlling the process, with external safety hardware)

Fig. 50: Safety functions controlled through one system (diagram: PSS 3000 Safety System controlling the process)


However, safety was one area where these devices could not be sanctioned for use. Modern PLCs are very reliable, but on failure they can, and do, fail into an unsafe mode. The normal failure mode for a semiconductor device is short circuit, and as the PLC outputs are either semiconductors or relays controlled by semiconductors, these outputs often fail in the “on” position. Alongside potential hardware failures, there is also the possibility of unseen software problems, such as a glitch in the processor operating system or program compilers. It is accepted that software systems will always contain undetected (systematic) faults that will only show up under certain circumstances. These circumstances may not arise during testing, but could arise during the lifetime of the system, with dangerous consequences for health and safety. The aim of the PSS design team was to bring the flexibility and powerful diagnostics of a PLC into a safety controller, coupled with the integrity of a hard-wired system.


6.1 Method

The only way to build a programmable system with the desired level of integrity was to take a leaf out of the petrochemical control engineers’ book. Programmable safety control has been used in the petrochemical industry for many years, guided by advice given in publications such as “PES - Programmable electronic systems in safety-related applications”, published by the HSE, and “Fundamental Safety Aspects to be Considered for Measurement and Control Equipment” (DIN 19250). The ideas from these and other documents are being combined into the international standard IEC 61508 (Functional safety. Safety-related systems). The advice is mainly based on the requirement for diverse processors used in a voting format.

Fig. 51: Three controllers in one system (diagram: PSS 3000 made up of three Standard PLCs)


Fig. 51 shows the basis of the PSS-range of programmable safety systems. Effectively, the system is made up of three separate controllers, which are all different. If the processors or software are all the same, systematic faults may lead to common cause failures. To remove this possibility, the internal processors are all from different manufacturers and have totally different operating systems. To make doubly sure that a systematic failure is unlikely to occur, the compilers for each system are written by different companies. Data is processed in parallel via the three controllers, as shown in Fig. 52.

Fig. 52: Three-channel structure of the PSS system (diagram: I/Register 1, 2 and 3 feeding Processor A, Processor B and Processor C, linked via DPR; O/Register 1, 2 and 3 combined in an “&” (AND) gate)


Each processor has its own input and output register. The output register in each device is compared in an “AND” gate. An output will only be enabled when all three agree. This is the case for all “bit” and “word” functions. In other words, the PSS operates as a 3 out of 3 (3oo3) voting system.

In order to achieve the requirements for a safety controller and standard PLC in a single unit, the PSS was designed with 2 working buses, one for the triple-voting failsafe (FS) section and the other for the standard (ST) section. All three processors are used in the FS section, but only processor “A” is used in the ST section. This processor also controls the synchronisation of the overall system.

Users have to write the FS program once only. When the program is finished it can be downloaded to the controller. The runtime version of the program is loaded via the three independent compilers. Each version of the program has its own check sum and these are compared in all three systems. Provided that the program was correctly written at the start, the triple checking during use will ensure failsafe operation. The ST program is written as for the majority of conventional PLCs.
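A model of this 3oo3 vote, added here as an example (it is not Pilz code and not the PSS operating system): three differently coded versions of one constructed FS rule stand in for the three diverse processors, each produces its output register from the same input register, and the registers are combined bit by bit in an AND. The input names, the rule itself and the `stuck_on` / `stuck_off` fault models are assumptions made for the illustration.

```python
from typing import Callable, Dict, List

Inputs = Dict[str, bool]
Outputs = Dict[str, bool]
Channel = Callable[[Inputs], Outputs]

# Constructed FS user logic: the motor may run only while the E-Stop circuit is
# healthy and the guard gate is closed. Three deliberately different codings of
# the same rule stand in for the three diverse processors/compilers (assumption).
def channel_a(inp: Inputs) -> Outputs:
    return {"motor_enable": inp["estop_ok"] and inp["gate_closed"]}

def channel_b(inp: Inputs) -> Outputs:
    enable = True
    for name in ("estop_ok", "gate_closed"):
        enable = enable and bool(inp[name])
    return {"motor_enable": enable}

def channel_c(inp: Inputs) -> Outputs:
    blocked = (not inp["estop_ok"]) or (not inp["gate_closed"])
    return {"motor_enable": not blocked}

CHANNELS: List[Channel] = [channel_a, channel_b, channel_c]

def vote_3oo3(registers: List[Outputs]) -> Outputs:
    """AND gate on each output bit: enabled only if every channel says 'on'."""
    return {key: all(reg[key] for reg in registers) for key in registers[0]}

def channels_disagree(registers: List[Outputs]) -> bool:
    """Any difference between the three output registers points at a channel fault."""
    return any(reg != registers[0] for reg in registers[1:])

def scan(inp: Inputs, channels: List[Channel] = CHANNELS) -> Dict[str, object]:
    """One FS scan: run every channel on the same input register, vote, flag disagreement."""
    registers = [ch(inp) for ch in channels]
    return {"outputs": vote_3oo3(registers), "fault": channels_disagree(registers)}

# Fault models for one channel (constructed): an output stage that fails 'on',
# the dangerous direction for a semiconductor, and one that fails 'off'.
def stuck_on(_inp: Inputs) -> Outputs:
    return {"motor_enable": True}

def stuck_off(_inp: Inputs) -> Outputs:
    return {"motor_enable": False}

if __name__ == "__main__":
    healthy = {"estop_ok": True, "gate_closed": True}
    stopped = {"estop_ok": False, "gate_closed": True}
    print(scan(healthy))                                     # motor on, no fault
    print(scan(stopped))                                     # motor off, no fault
    print(scan(stopped, [channel_a, stuck_on, channel_c]))   # still off, fault flagged
    print(scan(healthy, [channel_a, stuck_off, channel_c]))  # off (safe side), fault flagged
```

Note what the vote alone cannot see: a channel stuck “on” while the inputs genuinely demand “on” produces three agreeing registers, so nothing is flagged until an input demands “off”. That masked interval is what the end-of-scan checks and background test slices described later in the chapter are there to close.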


6.2 Hardware

PSS safety systems are available in two designs: compact and modular. Compact systems contain the CPU, power supply and I/Os within a single housing. These systems can communicate with other types of controller but are not individually configurable and cannot be expanded. Compact systems have no standard I/Os but have 32, 56 or 60 failsafe I/Os, depending on the individual version.

Modular systems are built up individually within module racks. A single base module rack has a maximum configuration of 288 I/Os, all of which can be used as failsafe I/Os. Expansion racks can be added to give a maximum configuration of 768 I/Os. However, a maximum of 256 of these can be used as failsafe I/Os (failsafe modules cannot be used on an expansion rack). New developments in safe bus technology have raised the maximum number into thousands of I/Os. SafetyBus p (see Chapter 7) can support 64 nodes, each of which can either be an active PSS system or a simple I/O module.

6.2.1 Test pulses

Continuous signal input devices (constant signals such as those from an E-Stop button) can supply an unchanging signal over a long period of time. During this time, the integrity of the periphery units can only be monitored to a limited extent. Errors that arise may remain undetected and will therefore accumulate. To avoid this, test pulses should be used to check continuous signal input devices as part of each cycle.

Fig. 53: Simplified diagram of the test pulses (diagram: within one test period, test pulses T0, T1, T2 … T15 are emitted in turn on outputs Ax.16, Ax.17, Ax.18 … Ax.31 of the PSS DIOT)

The PSS system supplies up to 16 staggered signals (short “off” pulses) at a defined point in each cycle. The number of test pulses and their allocation to PSS inputs are configured using the PSS programming software.

6.2.2 Input modules

Each input on a digital input module has a single-channel structure as far as the optocoupler. Only after the optocoupler is the input signal processed in three channels. The three-channel section of the input module is automatically tested by the PSS operating system. Digital input modules can be used for single, dual or multi-channel input devices, with or without test pulses. They can also be used to generate process alarms.


6.2.2.1 Typical connection

The example shows safety gates wired in a number of different ways. The categories (in accordance with EN 954-1) arise from the different wiring methods.

Fig. 54: Typical safety gate connections with Pilz PSS DI module (diagram: safety gates wired to PSS DI inputs I 00 to I 31 in arrangements giving Low, Higher and Highest safety category; test signals T0 and T1; 24V/0V supply; inputs E x 06, E x 07, E x 17, E x 18, E x 19, E x 24, E x 25, E x 26 and E x 27 used in the example)


6.2.3 Output modules

Each output on a digital output module has a monitoring input, which is evaluated by the operating system.

6.2.3.1 Typical connection

Fig. 55: Typical relay connections with Pilz PSS DO module (diagram: PSS DO outputs O00 to O31 driving relays in arrangements giving Low, Higher and Highest safety category; outputs A x 03, A x 04, A x 08 and A x 09 used in the example; feedback loop to PSS DI; 24V/0V supply)

Note from the diagram: with continuous signals, this wire must be connected to a test output (test signal). The N/C contact is best suited for this (zero signal principle).


The example shows various actuators (relays and valves), with and without redundancy. This accounts for the different categories in accordance with EN 954-1. One output is required per actuator. If redundancy is not built into the actuators (e.g. by connecting the relay contacts in series), category 2 will be the highest category achievable under EN 954-1. Even if redundancy is built into the actuators, category 4 cannot be achieved as the module has no additional shutdown route, should both transistors at the output be defective.

6.2.4 Input/output module with test pulse

This I/O module (DIO T) can be used to supply test pulses. It has 16 inputs and 16 push-pull outputs, which can either be used to generate test pulses or as outputs to control actuators.


6.2.4.1 Typical connection


Fig. 56: Typical E-Stop connection with Pilz PSS DIO T module (diagram: PSS DIOT and PSS DI modules; E-Stop; redundant relay with feedback loop; test signals T0 and T1; outputs A x 24, A x 25 and A x 26; input E x 31; note in the diagram: “Only possible with a pulsed signal!”)


6.2.5.1 Typical connection

Fig. 57: Typical press safety valve connection with Pilz PSS DIO Z module (diagram: PSS DIO Z and PSS DI modules; press safety valve (PSV); outputs A x 16 and A x 17; inputs E x 08, E x 09, E x 10 and E x 11; test signals T0 and T1; 24V/0V supply)


The example in Fig. 57 requires 4 PLC inputs, whose correct operation must be monitored through the PSS user program. Short circuits, shorts across the input contacts and any breaks in the relay coils of the press safety valve (PSV) will be detected. The feasibility check for the PSV is performed through the user program.


6.3 Software

When it came to preparing the software for the programmable safety system, it was decided that the less the user had to program, the less margin there was for error. For this reason, all common safety functions, such as emergency stop, two-hand control and gate monitoring, have their own pre-written function blocks which have been checked and approved by BG or TÜV. Once approved, all blocks are sealed to prevent alteration. The user can only address the blocks in order to configure the operating mode and assign inputs and outputs.

In addition to the common functions mentioned above, more specialised blocks have also been developed and are available as packages for use on specific types of machinery. The Pilz Modular Block System (MBS) has specialist packages available for transfer lines, eccentric/hydraulic presses, tank farm installations and burner management. By using pre-programmed function blocks, the busy engineer can save valuable time and effort while reducing costs and the potential for error. All safety-related blocks carry approvals to related standards, either from BG or TÜV.

6.3.1 MBS System: Transfer lines

The package designed for transfer lines includes dedicated blocks for monitoring and muting electrosensitive protective equipment (ESPE) and optoelectronic protective devices (AOPDs), as well as the more general blocks for emergency stopping, gate monitoring, etc.

6.3.2 MBS System: Eccentric presses

The package designed for eccentric presses includes dedicated blocks for controlling the sequence of the press, and for monitoring and muting ESPE and AOPDs. Press safety valves, broken shearpins, enable switches and cams can also be monitored using these blocks.


6.4 Security

Security is vital on any safety system, but in general it is this factor that is most ignored. The usual way to affect the performance of a hard-wired system is to link out the functions either inside or outside the control panels. Generally speaking, the only reason for doing this is to override a system, illegally, to make production easier but less safe, or to overcome persistent fault conditions. These faults are often the result of over-complex hard-wired circuits. A programmable safety system will overcome the second of these problems and in some situations can monitor for the first. In both respects, the application of a Pilz PSS will offer improved safety options.

The security of the software, however, is still a problem. Linking a hard-wired system leaves physical evidence, but changes in software can remain invisible and undetected. The solution is to prevent unauthorised access to the FS section of the program, and this is achieved in three ways. Firstly, the PSS software has to be used to make the changes. Secondly, access to the FS section is password controlled. The final control lies in the program source codes. As stated earlier, the program loaded into the controller is a runtime version. To edit this, the source codes need to be resident in the programming device.

These three levels of security should be sufficient. If one or preferably all of these control measures are in place, it will not be possible to make changes to the software. An encryption package can also be used to add a further level of security. Once the program has been finalised and verified it can be sealed as read-only, permitting access to the diagnostics but not allowing changes. If necessary, it is also possible to lock the program completely so that not even the monitoring functions can be accessed. In some cases this may be the preferred solution to prevent unauthorised changes.
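The access policy the text describes, written out as a small model added here (it is an example, not the PSS programming software and not Pilz code): editing the FS section requires all three controls at once (the tool, the password and the resident source), sealing as read-only keeps monitoring but refuses edits, locking refuses both, and a checksum recorded at verification detects a runtime image that was altered outside the tool chain. The use of SHA-256 for the checksum, PBKDF2 for the stored password and `zlib.compress` as a stand-in for “compiling” the runtime image are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import zlib
from dataclasses import dataclass
from enum import Enum

class SealState(Enum):
    EDITABLE = "editable"     # source resident; changes allowed through the tool with the password
    READ_ONLY = "read-only"   # diagnostics permitted, changes refused
    LOCKED = "locked"         # neither monitoring nor changes

def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed scheme: salted PBKDF2-SHA256; the page only says "password controlled".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class FsProgram:
    source: bytes          # what the engineer edits in the programming device
    runtime: bytes         # what is loaded into the controller
    checksum: str          # checksum of the runtime recorded when the program was verified
    salt: bytes
    password_hash: bytes
    state: SealState = SealState.EDITABLE

    @classmethod
    def build(cls, source: bytes, password: str) -> "FsProgram":
        runtime = zlib.compress(source)   # stand-in for the compiled runtime image (assumption)
        salt = os.urandom(16)
        return cls(source, runtime, hashlib.sha256(runtime).hexdigest(),
                   salt, _hash_password(password, salt))

    def runtime_intact(self) -> bool:
        """Recompute the runtime checksum and compare it with the recorded one."""
        live = hashlib.sha256(self.runtime).hexdigest()
        return hmac.compare_digest(live, self.checksum)

    def authorize(self, operation: str, *, via_pss_tool: bool = False,
                  password: str = "", source_resident: bool = False) -> bool:
        """Decide whether a monitoring or editing request may proceed."""
        if operation == "monitor":
            return self.state is not SealState.LOCKED
        if operation == "edit":
            if self.state is not SealState.EDITABLE:
                return False
            password_ok = hmac.compare_digest(_hash_password(password, self.salt),
                                              self.password_hash)
            # All three controls from the text must hold at once.
            return via_pss_tool and password_ok and source_resident
        raise ValueError(f"unknown operation {operation!r}")

    def seal_read_only(self) -> None:
        self.state = SealState.READ_ONLY

    def lock(self) -> None:
        self.state = SealState.LOCKED

if __name__ == "__main__":
    prog = FsProgram.build(b"motor_enable := estop_ok AND gate_closed", "constructed-password")
    print(prog.authorize("edit", via_pss_tool=True, password="constructed-password", source_resident=True))
    prog.seal_read_only()
    print(prog.authorize("edit", via_pss_tool=True, password="constructed-password", source_resident=True),
          prog.authorize("monitor"))
    prog.runtime += b"\x00"            # image altered without going through the tool
    print(prog.runtime_intact())       # the recorded checksum no longer matches
```

The point of the `runtime_intact` check is the one the text makes about software changes leaving no physical evidence: the sealed checksum is the evidence, and a controller that compares it on every scan converts an invisible change into a detected one.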


Fig. 58: PSS memory

Fig. 58 shows the layout of the memory in the FS section. Each processor has its own independent Flash-EPROM. The program blocks are compiled and loaded into each memory chip. These memory chips are soldered on to the CPU card and cannot be changed. The standard (ST) section of the program is stored in a removable memory cartridge. This program does not need the security expected for the FS section. The ST section operates in the same way as a conventional PLC, allowing the user to make changes “on-line”. The user has full control over the security of the safety software program. During operation, a system check sequence continuously tests the internal system software control as well as the control of the hardware functions.

Fig. 58 (diagram): Failsafe Section, Flash-EPROM in the CPU; CPU 1, CPU 2 and CPU 3 each hold the same set of blocks (OB101, PB040, FB005, 2B225).

Fig. 59: Time characteristics of the processors (diagram: within 1 PLC cycle, Processor A, Processor B and Processor C each run IR(FS), FS User Program (OB001), Syn, OR, System management, Syn)


Fig. 59 shows the relationship between the three processors. Processor A is the key. It controls its share of the FS requirements, runs the ST section and is also in charge of synchronising each system scan. When the system is running, the contents of the output registers (OR) are compared after initial synchronisation. The system management check sequence is then carried out before final synchronisation. This is the case for each scan.

The system management check effectively has two areas, as shown in Fig. 60.

Fig. 60: System management check (diagram: Self test of Processor, Flash-EPROM, RAM, DPR and Periphery Test; Cyclical Program of OS, e.g. Read in IR, FS-User program, ST-User program, OS, e.g. Output OR; states Stop and Run, FS-STOP to FS-RUN, ST-RUN and FS-RUN; display shows 0000)


On power up, the PSS runs an internal check of all its functions, testing the internal system software, firmware and hardware. The check sums of the three memories are compared, together with the status of the internal and external power supplies. This is also where the dual-pole outputs are tested for operation. This pre-start check takes approximately 40 seconds. During this time the CPU display has all its segments lit and the system is in “stop”. If everything is correct, the FS section is allowed to run and the display will show a line of zeros. The periphery devices are then checked. The system will shut down and the specific error code will be displayed if any of the following problems are found during the check of the I/O status:

If an output is on and should not be on

If a dual-pole output cannot be switched on and off

If there is a test pulse fault.

The power supplies are then checked and the program block runtime is monitored. These are both failsafe functions and any deviations from normal will result in a shutdown. All these pre-start checks are active once the system is running. The I/O status checks, power supply and block runtime are inspected at the end of each scan. The 40 second pre-start check is effectively running in the background, as shown in Fig. 61. The initial check is split up into about 40,000 test slices of about 1 ms each. This whole check is completed on power up, but a number of these test slices are also performed during operation in conjunction with the normal end of scan test.


Fig. 61: Test slices on the PSS

The number of test slices to be included in the end of scan test is set when the user configures the system software. The number chosen will depend on the level of system integrity required by the application. The more test slices selected, the sooner an internal system fault can be detected. For example, if the program cycle time is 50 ms and two test slices are processed in each cycle, it will take 20,000 cycles to process all 40,000 test slices. With this setting, the full test will take 1,000 seconds. If the number of test slices is increased to 10 per cycle, the cycle time will increase to 60 ms, but the tests will be completed in 4,000 cycles, or approximately 240 seconds.

Fig. 61 (diagram): Self Test of approx. 40 000 Test Slices (Processor, Flash-EPROM, RAM, DPR, Periphery Test) interleaved with Cyclical Program Processing (Run; OS, e.g. Read in IR; FS-User program; ST-User program; OS, e.g. Output OR); e.g. 3 Test Slices of 1 ms each per cycle.
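The trade-off the worked figures above describe, carried a little further as an added example (not Pilz code): the time to complete the whole background test is the number of scans needed to get through all 40,000 slices multiplied by the scan time, and that same time is the worst-case latency for a fault that only one particular slice can find. The 40,000 slices and the 1 ms slice length are the page's figures; the cost model in `cycle_ms_with_slices` (scan time grows by one slice length per slice) is an assumption used only for the sweep, which is why the page's own 50 ms and 60 ms scan times are passed in directly in the checks below.

```python
import math
from typing import List, Tuple

TOTAL_SLICES = 40_000   # size of the full self test (from the text)
SLICE_MS = 1.0          # about 1 ms per slice (from the text)

def cycles_for_full_test(slices_per_cycle: int, total_slices: int = TOTAL_SLICES) -> int:
    """Number of scans before every slice has run once."""
    if slices_per_cycle < 1:
        raise ValueError("at least one test slice per cycle is required")
    return math.ceil(total_slices / slices_per_cycle)

def full_test_seconds(cycle_ms: float, slices_per_cycle: int,
                      total_slices: int = TOTAL_SLICES) -> float:
    """Wall-clock time for the whole background test at a given scan time.
    Also the worst-case detection latency for a fault only one slice can reveal."""
    return cycles_for_full_test(slices_per_cycle, total_slices) * cycle_ms / 1000.0

def cycle_ms_with_slices(base_cycle_ms: float, slices_per_cycle: int) -> float:
    """Assumed cost model: each slice adds SLICE_MS to the base program cycle."""
    return base_cycle_ms + slices_per_cycle * SLICE_MS

def tradeoff_table(base_cycle_ms: float, options: List[int]) -> List[Tuple[int, float, float]]:
    """(slices per cycle, resulting cycle in ms, seconds for the full test) per option."""
    rows = []
    for n in options:
        cycle = cycle_ms_with_slices(base_cycle_ms, n)
        rows.append((n, cycle, full_test_seconds(cycle, n)))
    return rows

if __name__ == "__main__":
    # The two settings quoted in the text, with their scan times taken as given.
    print(cycles_for_full_test(2), full_test_seconds(50, 2))     # 20000 cycles, 1000.0 s
    print(cycles_for_full_test(10), full_test_seconds(60, 10))   # 4000 cycles, 240.0 s
    # Sweep under the assumed cost model: more slices, longer scan, shorter latency.
    for n, cycle, secs in tradeoff_table(48.0, [1, 2, 5, 10, 20, 50]):
        print(f"{n:3d} slices/cycle -> {cycle:5.1f} ms scan, full test in {secs:8.1f} s")
```

Reading the sweep the way the text suggests: the application's integrity requirement fixes the latency that can be tolerated, and that in turn fixes the minimum number of slices per scan and therefore the scan time the machine control has to live with.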


This critical testing regime lies behind the decision to design a 3oo3 controller as opposed to a 2oo2, with its lower complexity. Should a fault occur within one of the processor sections during operation, and it is not a fault that can be detected by the end of scan test, it will be detected by the relevant test slice. During this fault period, the PSS still operates as a failsafe device as it still has two of its systems operable, i.e. it is now operating as a 2oo3 system.

A conventional 2oo2 controller needs to carry out a greater number of test slices at the end of each scan, because if a fault does occur, the system will operate as a 1oo2 system (i.e. not failsafe) until the fault is detected. Clearly this time must be kept to a minimum in order to achieve the required integrity. The PSS method allows for much faster scan times than would be required for a less complex 2oo2 system, as fewer test slices need to be run.


6.5 Certification

For many years, control systems engineers working on machinery applications have been told that safety systems must be hard-wired and must not rely on electronic logic or software. Indeed, the standards that such engineers rely on for advice suggest that:

“in the present state of the art, single electronic devices do not have the necessary integrity for use in safety circuits”.

This may (or may not) have been true when the standards were written, but it is important to remember that standards are intended to be adaptable and are expected to evolve alongside technology. Future versions of any standard are subject to discussion in committee before publication. It is vital that committees are aware of the advances in technology relating to the standard being discussed, so that any relevant changes can be included. There are times when the “state of the art” may move faster than the meetings of the Standards Committee, with the result that some clauses in the standards may be open to debate.

As far as machinery is concerned, the legal requirement is to comply with The Supply of Machinery (Safety) Regulations. The regulations state that the best way to show compliance is to demonstrate that both the design and construction follow the advice given in the harmonised standards. The important thing to remember is that the harmonised standards are a means to an end (i.e. safe machinery), not an end in themselves. The standards are advisory documents, so manufacturers may deviate from the methods described in the standards and attempt to achieve the ends by a different route.


However, the alternative method must be at least as effective as the one described in the standard. If required (for example, if there is a reportable incident), it may be necessary to validate the chosen alternative and demonstrate how it exceeded the requirements of the standard. In the case of the PSS system, this validation was achieved by submitting the product to independent test houses.

EN 954-1 (Safety of machinery. Safety-related parts of control systems. General principles for design) is the standard that has to be met. Most design engineers involved with control circuits are aware of the information on risk assessments given in this standard.

Fig. 62: Extract from EN 954-1: risk assessment chart (risk graph: starting from S1 or S2, then F1 or F2, then P1 or P2, leading to one of the categories B, 1, 2, 3 or 4; the chart marks, for each path, preferred categories for reference points, possible categories which can require additional measures, and measures which can be overdimensioned for the relevant risk)

S = Severity of injury
S1 Slight injury (normally reversible) i.e. slight cut or bruise.
S2 Serious (normally irreversible) injury including death.

F = Frequency and/or exposure time to the hazard
F1 Seldom to quite often and/or the exposure time is short.
F2 Frequent to continuous and/or the exposure time is long.

P = Possibility of avoiding the hazard
P1 Possible under specific conditions.
P2 Scarcely possible.


The technique used in Fig. 62 was developed from the German standard DIN 19250, which contained extra levels, as shown in Fig. 63.

Fig. 63: Extra risk assessment levels from DIN 19250

DIN 19250 expands on the parameter S (severity of injury). When considering machinery applications, the number of people exposed to a hazard is generally limited (normally only the operator). However, a potential fault within a petrochemical or nuclear site could expose thousands of people, hence the addition of S3 and S4.

DIN 19250 lists 8 levels (“Anforderungsklassen”), normally shortened to AK, e.g. AK6. IEC 61508 has seven parts and covers all aspects of hardware/software implementation and validation. The techniques for categorising a system draw heavily on DIN 19250 but lead to a “Safety Integrity Level” (SIL). This standard lists 4 SILs. To get a clear picture of all these standards and their implications it is advisable to read them in their entirety, but the following chart gives a representation of how the three standards fit together.



DIN 19250 (AK)    EN 954-1 (Category)    IEC 61508 (SIL)
1 / 2             B                      -
2 / 3             1 / 2                  1
4                 3                      2
5 / 6             4                      3
7                 -                      4
8                 -                      -

Fig. 64: "Safety levels" shown in relation to the main risk assessment standards

BG has certified the hardware of the PSS-range of programmable safety systems to the highest level under EN 954-1. This certification was granted using relevant parts from many standards. As mentioned earlier, the machinery standards, particularly EN 60204-1, advise that programmable systems are not suitable for use in safety applications.

However, tests by BG, using DIN 19250, IEC 61508, DIN 0801* and EN 418** as reference, showed that the PSS systems at least met and in some cases exceeded the requirements of EN 60204-1 and EN 954-1.

BG's interest lies primarily in machinery applications. As PSS systems can be used outside this area, there was clearly a need to seek more general approval from another source. The most internationally well-known German test house is the Technischer Überwachungs-Verein (TÜV), which offers test and approval facilities across all industrial sectors. The PSS-range has been certified by TÜV to AK 6, SIL 3 (see Fig. 64 for how the two scales line up). This means that the product carries the necessary approvals for use in many high-integrity areas, including offshore installations.

*DIN 0801 (Principles for Computers in Safety Related Systems)
**EN 418 (Safety of machinery. Emergency stop equipment. Functional aspects. Principles for design)


In addition to general use certificates, BG has also certified the range for use in power press applications under the standards EN 692 and prEN 693, covering both eccentric and hydraulic presses. TÜV has also approved its use in gas burner control applications to EN 298.

Software was also considered for approval. It is not possible to pre-approve complete user software, but function-specific blocks can be tested and certified. Fig. 65 illustrates such a block.

Fig. 65: Block header for function block SB 061

SB 061 is an approved emergency stop function block, which can only be addressed via its inputs and outputs (marked B and X). Inputs are shown on the left and outputs on the right. The block header shows that the block description is SB 061 NA_1 and that the block was created at 15.48 on 13.03.96. The hex number 4ACB is the check sum for this block. If any changes are attempted, this number will differ from the standard value and the block will not be recognised as approved. Note that a check sum of this kind detects accidental or casual modification; it is not a cryptographic integrity check and on its own does not stop a deliberate attacker from producing a block with a matching value, so access to the programming tool and the project files still has to be controlled.

Once complete, it is possible to have the whole system certified by an approved test house, but this is a costly exercise and this level of approval is not generally considered necessary. However, for some exceptional risk areas, the authorities may require additional approval.

Block header shown in Fig. 65:

    SB 061   NA_1   13.03.96   15.48   4ACB   Approved Block
      B - SSNR
      X - EIN
      X - S1_O
      X - S2_O
      X - QAnf
      X - QAut
                         FG - X


6.6 Reliability and availability

Reliability is a difficult subject to both define and quantify. The only meaningful data is that gathered from equipment in service. Clearly, the longer a system is in service, the more reliable the data will be. For any new product, the only way to generate reliability figures that will carry any credibility is to use tried and tested data about components and sub-assemblies. Such data was used to calculate a theoretical Mean Time Between Failures (MTBF) for the PSS-range. The results are shown below.

Product   MTBF at 40 ºC          MTBF at 60 ºC          Operation 265 days/yr, 16 h/day at 40 ºC
PSS       Hours      Years       Hours      Years       Years
PS        254,000    29.0        101,000    11.5        63.5
CPU       130,000    14.8         56,000     6.4        32.4
DIOT      190,000    21.6         94,000    10.7        46.0
DIOZ      210,000    23.9        108,000    12.4        52.0
DIF       450,000    51.9        226,000    25.9       112.0
DO        205,000    23.3        108,000    12.4        51.0
3056       52,300     6.0         25,000     2.9        13.1

Fig. 66: MTBF figures for PSS 3000 and PSS 3056

The chart shows the calculated MTBF for general system failures. As far as safety systems are concerned, these figures refer to failures into a safe condition. The calculated figures for failures into an unsafe condition are shown below:

Risk of failure due to simultaneous multiple faults:              4 × 10^-20 per hour
Risk of failure due to an accumulation of undetected faults:      3.2 × 10^-13 per hour


Both of these figures correspond to a theoretical MTBF to a dangerous state of hundreds of millions of years (1 / (3.2 × 10^-13 per hour) is about 3.1 × 10^12 hours, i.e. roughly 3.6 × 10^8 years).

The following example takes a typical safety application, required to be in service 24 hours a day at a maximum expected temperature of 40 ˚C. The application requires a PSS 3000 with the following parts (listed with their MTBF in years):

PSS PS 29.0

PSS CPU 14.8

3 off PSS DI 49.4

2 off PSS DO 23.3

PSS DIOT 21.6

This combination would give an expected MTBF of 3.4 years (the parts are in series, so their failure rates add: 1/29.0 + 1/14.8 + 3/49.4 + 2/23.3 + 1/21.6 ≈ 0.295 failures per year). This figure is only valid for the PSS. The figure for all the connected items must also be included to give an overall system MTBF. Compare this with a safety control system based on the use of relays. To meet the I/O requirement of the PSS specification, this system would need to contain at least 100 individual relays. You could use the following industry data to calculate an MTBF:

Relay MTBF (typical): 46 years

Relay MTBF to danger: 570 years

A system containing 100 relays would show a typical MTBF of less than 6 months (46 years / 100), but more relevant is the potential to fail to danger. Using the above figures, this could be expected every 6 years (570 years / 100). Again the figures for the connected items must be included to give an overall system MTBF.


Reliability is not the only key factor. In some cases, availability can be even more important. The key to a system with high availability is a quick repair time. The repair time can only be reduced to a minimum if the diagnostics are powerful enough to locate problems when they occur. This was one of the main design criteria set for the design team in 1992. The in-built hardware and software diagnostics on the PSS can identify whether:

  a card is at fault,
  a wire is open or has a short circuit, or
  an input/output device has failed.

Availability is normally given as a percentage of available "up-time". This is calculated using MTBF data and a Mean Time To Repair (MTTR). Both values are stated in hours.

The calculation is:

    Availability (%) = 100 × System MTBF / (System MTBF + MTTR)


Using the values already calculated for MTBF and estimating an MTTR for the PSS-based system at 2 hours (due to the diagnostics) and an MTTR for the relay-controlled system at 5 hours, the availability figures are as follows:

    PSS availability   = 100 × (3.4 × 24 × 365) / (3.4 × 24 × 365 + 2) = 99.99328 %

    Relay availability = 100 × (0.5 × 24 × 365) / (0.5 × 24 × 365 + 5) = 99.886 %

Although it is clear that theory-based calculations can only be used as a guide, it should be remembered that the theory is based on reliable information. The figures show that the PSS is good news for production staff, as both reliability and availability are better than on an equivalent relay safety system. At the time of writing, over 3,000 PSS-based systems are in operation. Initial data regarding failures is significantly better than these calculations show, but it will be necessary to gather information from many millions of hours of use under all conditions before this data can be regarded as significant.
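The series-system arithmetic behind the PSS-versus-relay comparison and the availability figures above, as an added example (it is not code from the original page or from Pilz). The part list, per-unit MTBF values, MTTR estimates and dangerous-failure rates are the ones quoted on this page; the model, independent parts with constant failure rates so that rates add, is the usual assumption behind such figures and is the example's own.

```python
"""Series MTBF, MTTF-to-danger and availability for a safety control system.

Added example for this page: the numbers are the PSS 3000 figures quoted on
the page; the series model (independent parts, constant failure rates, so the
rates add) is an assumption of this example.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # the page's 24 h/day, 365 d/yr convention


@dataclass(frozen=True)
class Part:
    name: str
    mtbf_years: float   # MTBF of ONE unit, in years
    quantity: int = 1


def system_mtbf_years(parts):
    """Series model: the system is down when any one unit is down, so the
    failure rates (1/MTBF) of all units add and the system MTBF is the inverse."""
    rate_per_year = sum(p.quantity / p.mtbf_years for p in parts)
    return 1.0 / rate_per_year


def availability_percent(mtbf_hours, mttr_hours):
    """Steady-state availability: up-time / (up-time + repair time), in percent."""
    return 100.0 * mtbf_hours / (mtbf_hours + mttr_hours)


def years_to_danger(rate_per_hour):
    """Turn a dangerous-failure rate (per hour) into an MTTF-to-danger in years."""
    return 1.0 / rate_per_hour / HOURS_PER_YEAR


# Part list of the page's worked example (24 h/day at 40 C), MTBF per unit in years.
PSS_PARTS = [
    Part("PSS PS", 29.0),
    Part("PSS CPU", 14.8),
    Part("PSS DI", 49.4, quantity=3),
    Part("PSS DO", 23.3, quantity=2),
    Part("PSS DIOT", 21.6),
]
# Relay-based equivalent: at least 100 relays, industry figures quoted on the page.
RELAY_PARTS = [Part("relay", 46.0, quantity=100)]
RELAY_PARTS_TO_DANGER = [Part("relay, fail to danger", 570.0, quantity=100)]

# Dangerous-failure rates quoted for the PSS (per hour); they add like any rates.
PSS_DANGEROUS_RATES_PER_HOUR = {
    "simultaneous multiple faults": 4e-20,
    "accumulation of undetected faults": 3.2e-13,
}


def compare(pss_mttr_hours=2.0, relay_mttr_hours=5.0):
    """The page's comparison: (MTBF in years, availability in %) per system,
    plus the fail-to-danger MTTF of each system in years."""
    pss_mtbf = system_mtbf_years(PSS_PARTS)
    relay_mtbf = system_mtbf_years(RELAY_PARTS)
    return {
        "pss": (pss_mtbf,
                availability_percent(pss_mtbf * HOURS_PER_YEAR, pss_mttr_hours)),
        "relay": (relay_mtbf,
                  availability_percent(relay_mtbf * HOURS_PER_YEAR, relay_mttr_hours)),
        "relay_to_danger_years": system_mtbf_years(RELAY_PARTS_TO_DANGER),
        "pss_to_danger_years": years_to_danger(sum(PSS_DANGEROUS_RATES_PER_HOUR.values())),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Two things the arithmetic makes visible: the series MTBF is dominated by the weakest parts (the CPU and the two DO cards contribute over half of the 0.295 failures/year), and the general MTBF only describes failures to the safe side; the fail-to-danger figures are a separate quantity and are the ones an AK/SIL assessment is concerned with. The availability formula is a steady-state figure with repair, so the MTTR must include the time to diagnose the fault, which is why the diagnostics matter as much as the hardware.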


6.7 Typical failsafe program

Fig. 67 shows a small application program for the failsafe section of a PSS system. It can be compared to a PNOZ (Pilz two-channel E-Stop relay): it controls a relay in conjunction with an E-Stop button.

This program uses the following function blocks:

SB 061 E-Stop monitoring

SB 067 Feedback loop monitoring

Both these blocks have been approved by a number of test houses. The CAL command incorporates a block into the program, after which its parameters can be set. As stated earlier, the blocks are sealed once approved, so that users are unable even to look at their internal structure and functionality, let alone modify them.

This application program, consisting of OB 101, only calls up two blocks:

CAL SB 061

CAL SB 067

Once these have been entered, the block headers for the function blocks will appear. The following actual parameters are required:

E-Stop button = E 00.00 and E 00.01

Reset button = E 02.08

Feedback loop = E 00.02

Main relay = A 02.16

These parameters depend exclusively on the user’s planned wiring.

Other parameters will depend on the required function:


QAnf = Start-up reset required

QAut = Automatic reset when E-Stop button is released

FG = Enable

Fig. 67: Typical failsafe program

(Wiring diagram, not reproduced: a PSS DIOZ module with inputs I 00 to I 18, dual-pole outputs O16 +/- to O23 +/- and the 24 V / 0 V supply; the two E-Stop channels are wired to E 0.00 and E 0.01, the feedback loop to E 0.02, the reset button to E 2.08 and the main relay to A 2.16.)

PROGRAM LISTING FROM OB 101

E-STOP : Segment 00
: CAL SB 061          SB 061   NA_1   13.03.96   15.48   4AC8   APPROVED BLOCK
      KB 001     -B- SSNR
      E 2.08     -X- EIN
      E 0.00     -X- S1_Ö
      E 0.01     -X- S2_Ö
      M 110.00   -X- QAnf    .RLO_ZERO
      M 110.00   -X- QAut    .RLO_ZERO
                 FG  -X- M 070.00

Output relay : Segment 01
: CAL SB 067          SB 067   RFK_K4   04.06.96   09.05   F309   APPROVED BLOCK
      KB 002     -B- SSNR
      E 0.02     -X- RFK1
      E 0.02     -X- RFK2
      E 2.08     -X- RSet
      M 070.00   -X- EIN
                 FG  -X- M 070.00
                 K   -X- A 2.16
: BE
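As an added example (not code from the page, and not the internals of the Pilz blocks, which are sealed), the following Python model shows what the two approved blocks in Fig. 67 have to do between them for one E-Stop button and one relay: cross-monitor the two N/C channels and latch a lasting discrepancy, start only on the release edge of the reset button (QAnf-style) or automatically once the button is released (QAut-style), check the N/C feedback contact of the relay before and after energising it, and drop the output immediately on any open channel or fault. The class and parameter names, the scan-cycle based timing (discrepancy_limit, pickup_cycles) and the rule that a latched fault is cleared by actuating both E-Stop channels together are this example's own assumptions.

```python
"""Two-channel E-Stop evaluation with feedback-loop monitoring (added example).

A plain-Python model of what an E-Stop block and a feedback-loop block have to
check, written for this page. It is NOT the internals of SB 061 / SB 067.
Timing is simplified to scan cycles rather than wall-clock times, and a latched
fault is cleared by actuating both E-Stop channels together; both are this
example's own assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inputs:
    s1_closed: bool        # E-Stop channel 1 (N/C contact): True = closed = button released
    s2_closed: bool        # E-Stop channel 2 (N/C contact)
    reset: bool            # reset button: True = pressed
    feedback_closed: bool  # N/C auxiliary contact of relay K1: True = K1 dropped out


class EStopWithFeedback:
    """One instance per output relay; call cycle() once per PLC scan."""

    def __init__(self, auto_reset=False, discrepancy_limit=3, pickup_cycles=1):
        self.auto_reset = auto_reset            # QAut-style behaviour when True
        self.discrepancy_limit = discrepancy_limit
        self.pickup_cycles = pickup_cycles      # scans K1 is given to pull in
        self.output = False                     # command to K1
        self.fault = None
        self._discrepancy = 0
        self._on_cycles = 0
        self._reset_prev = False

    def cycle(self, i: Inputs) -> bool:
        both_closed = i.s1_closed and i.s2_closed
        both_open = not i.s1_closed and not i.s2_closed

        # 1. Cross-monitoring: a short disagreement between the channels is normal
        #    (two contacts never switch at the same instant); a lasting one means a
        #    broken wire, short circuit or stuck contact and is latched as a fault.
        if i.s1_closed != i.s2_closed:
            self._discrepancy += 1
            if self._discrepancy > self.discrepancy_limit:
                self.fault = "channel discrepancy"
        else:
            self._discrepancy = 0

        # 2. Fault acknowledgement: both channels must have been seen open together.
        if both_open and self.fault is not None:
            self.fault = None

        # 3. De-energise to trip: any open channel or latched fault drops K1 at once.
        if not both_closed or self.fault is not None:
            self.output = False
            self._on_cycles = 0
        elif not self.output:
            # 4. Start condition: automatic, or the *release* of the reset button.
            #    Acting on the release edge means a bridged or jammed reset button
            #    can never restart the machine on its own.
            reset_edge = self._reset_prev and not i.reset
            if (self.auto_reset or reset_edge) and i.feedback_closed:
                # the closed N/C feedback contact proves K1 is really off before
                # it is commanded on (a welded K1 would show feedback open here)
                self.output = True
                self._on_cycles = 0
        else:
            # 5. Output running: after the pick-up time the N/C feedback contact
            #    must be open. If it is still closed, K1 did not pull in or its
            #    feedback contact is bridged, so the enable is withdrawn.
            self._on_cycles += 1
            if self._on_cycles >= self.pickup_cycles and i.feedback_closed:
                self.output = False
                self.fault = "feedback loop closed while K1 commanded on"

        self._reset_prev = i.reset
        return self.output
```

The design choices are the ones the approved blocks exist to enforce: a single open channel or a discrepancy must be enough to stop, the restart must need a deliberate operator action that a stuck button cannot fake, and the relay's own feedback contact is the only evidence that the commanded state actually happened. Combining several E-Stops, as in Fig. 68, is then a plain AND of the enable outputs before the feedback stage.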


Fig. 68 shows a typical program using three 2-channel E-Stops withoutput feedback monitoring. The program can be written inStatement List (as shown) or in Ladder Diagram.

OB101   zyklus   11.10.96   11.21

E - STOP : Segment 00
All E-STOP buttons are monitored in this block segment
: CAL SB 061          SB 061   NA_1   13.03.96   15.48   4AC8   APPROVED BLOCK
      KB 001     -B- SSNR
      E 2.08     -X- EIN      .Reset button
      E 0.00     -X- S1_Ö     .E-STOP-1 S1_N/C
      E 0.01     -X- S2_Ö     .E-STOP-1 S2_N/C
      M 110.00   -X- QAnf     .RLO_ZERO
      M 110.00   -X- QAut     .RLO_ZERO
                 FG  -X- M 070.00   .FG:E-STOP - 1
: CAL SB 061          SB 061   NA_1   13.03.96   15.48   4AC8   APPROVED BLOCK
      KB 001     -B- SSNR
      E 2.08     -X- EIN      .Reset button
      E 2.09     -X- S1_Ö     .E-STOP-2 S1_N/C
      E 2.10     -X- S2_Ö     .E-STOP-2 S2_N/C
      M 110.00   -X- QAnf     .RLO_ZERO
      M 110.00   -X- QAut     .RLO_ZERO
                 FG  -X- M 070.01   .FG:E-STOP - 2
: CAL SB 061          SB 061   NA_1   13.03.96   15.48   4AC8   APPROVED BLOCK
      KB 003     -B- SSNR
      E 2.08     -X- EIN      .Reset button
      E 2.11     -X- S1_Ö     .E-STOP-3 S1_N/C
      E 2.12     -X- S2_Ö     .E-STOP-3 S2_N/C
      M 110.00   -X- QAnf     .RLO_ZERO
      M 110.00   -X- QAut     .RLO_ZERO
                 FG  -X- M 070.02   .FG:E-STOP - 3

E - STOP : Segment 01
E-STOP buttons logically connected.
:L  M 070.00   .FG:E-STOP - 1
:U  M 070.01   .FG:E-STOP - 2
:U  M 070.02   .FG:E-STOP - 3
:=  M 071.00   .FG:E-STOP - Logic

Output relay : Segment 02
Output to relay 1K1.
: CAL SB 067          SB 067   RFK_K4   04.06.96   09:05   F309   APPROVED BLOCK
      KB 004     -B- SSNR
      E 0.02     -X- RFK1     .FL from 1K1
      E 0.02     -X- RFK2     .FL from 1K1
      E 2.08     -X- RSet     .Reset button
      M 071.00   -X- Ein      .FG:E-STOP logic
                 FG  -X- M 070.03   .FG:FL from 1K1
                 K   -X- A 2.16     .Relay: 1K1

MBS - Diagnostics : Segment 03
The MBS block diagnostics are carried out in this block segment
: CAL PB 001          PB 001   CopyFehl   19.09.96   13.12
      :A  DB 15
      :I  DW 1015
      :BE
:

Fig. 68: Typical program using three two-channel E-Stops with output feedback monitoring