safety control systems - rockwell automation

Copyright © 2008 Rockwell Automation, Inc. All rights reserved.

Rockwell Automation Safety Solutions

Safety Control Systems

Stephen PodevynBusiness Leader Safety

Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 2

Work processes

FailsafeSystems

Safe condition = slow process

Safe condition = fast process

Highly available

System

Non safety-related state; slow process

Non safety-related state; fast process


What is Functional Safety?

1. What is UNSAFE?2. What is SAFE?

1. Continued Motion2. Stopping

1. Stopping2. Maintain Control

Machinery Continuous Process

Fail SafeFail SafeFail Safe Fault Tolerant Fault Tolerant Fault Tolerant


Machine Safety is different than Process Safety

Fail-Safe Behavior = Machine Safety

• When a fault occurs in the safety system outputs “normally” turn off.

• Safety System may be designed to be used as a regular part of the machine operation.

• Equipment Under Control (“EUC”) can tolerate a safety stop because:

– Lost production cost is minimal due to ability to quickly restart

– The scale of operation is relatively small (per machine, not a plant/process)

Fault Tolerant Behavior = Process Safety

• When a fault occurs another control path maintains control of the process.

• Safety System is normally a separate system designed to engage only if the BPCS fails to maintain control.

• Equipment Under Control (“EUC”) cannot tolerate a uncontrolled safety stop because:

– An uncontrolled stop could be dangerous, resulting in a loss of equipment, production and damage to the environment and possible danger to personnel

• Process Safety must manage kinetic and potential energy.

• Responses include: • go to recycle, • route to flare, • blow down, • Ignition sequence and• orderly shutdown.


Typical Machinery Safety Applications

• Emergency Stop Systems

• Presses

• Two Hand Control

• Amusement Rides

• Perimeter Guarding

• Robotic Safety

• People Movers


• Emergency Shutdown

• Burner Management

• Fire and Gas

• Critical Process Control

• Turbine Control

• Compressor

• High Pressure Protection

Process Safety Applications


Systematic Risk analysis

Start

Determination of the machine‘s design limits

Hazard identification

Risk assessment

Risk evaluation

Is the machine safe?No EndYes

Riskanalysis

Risk reduction

1. Mechanical measures

2. Electrical measures

3. .....


CategoryB, 1, 2, 3, or 4

Risk reduction according to EN 954 - 1

B 1 2 3 4S1

S2

F1

F2

P1

P1

P2

P2

Category• S_ Severity of injury:

1 = Slight (normally reversible) injury2 = Serious (normally irreversible) injury including death

• F_ Frequency and/or exposure time to the hazard:1 = Seldom to quite often and/or the exposure time is short2 = Frequent to continuous and/or the exposure time is long

• P_ Possibility of avoiding the hazard1 = Possible under specific conditions2 = Scarcely possible

• B_Categories for safety-related parts of the control system


Estimation of the Performance Level (PL)required

CategoryB 1 2 3 4

S1

S2

F2

F1

PerformanceLevel, PLr

PerformanceLevel, PLr

aa

bb

P1

P2

ee

cc

dd

P1

P2P1

P2

P1

P2

F2

F1

S = SeverityF = Frequency or Duration of ExposureP = Avoidance Probability

EN ISO 13849-1:2006 Performance levels

S_ Severity of the injury1 = Slight (normally reversible injury)2 = Serious (normally irreversible injury including death)

F_Frequency and/or exposure to a hazard1 = Seldom to less often and/or the exposure time is short2 = Frequent to continuous and/or the exposure time is long

P_Possibilities for the avoidance of the hazard1 = Possible under specific conditions2 = Scarcely possible


- No special safety requirement a 10-5 < PDF < 10-4

1, 2 1 b 3x10-6 < PDF< 10-5

1, 2 1 c 10-6 < PDF < 3·10-6

3 2 d 10-7 < PDF < 10-6

4 3 e 10-8 < PDF < 10-7

- 4 10-8 < PDF

EN 954-1 IEC 61508 prEN 13849-1 Avg. probability of a dangerous failure per hour

[1/h]Categories Safety Integrity

LevelPerformance Level

“PL““Cat“ “SIL“

Overview: Risk categories - standards

IEC 62061IEC 61511


Where Trouble Starts

Changes after commissioning

20%

Specification44%

Design & Implementation

15%Installation &

Commissioning6%

Operations & Maintenance

15%

HSE study of accident causes involving control systems:


The Safety LifeCycle Approach

IdentifyIdentifyIdentify

AssessAssessAssess

DesignDesignDesign

VerifyVerifyVerify

IEC 61508

IEC 61511

IEC 62061

ISO13849-1


Safety Lifecycle

ANALYSISANALYSIS

REALIZATIONREALIZATION

OPERATIONOPERATION

Concept / ScopeConcept / ScopeConcept / Scope

Hazard Analysis & Risk AssessmentHazard Analysis & Risk AssessmentHazard Analysis & Risk Assessment

Safety Requirement SpecificationsSafety Requirement SpecificationsSafety Requirement Specifications

Conceptional DesignConceptional DesignConceptional Design

Detailed DesignDetailed DesignDetailed Design

Installation, Commissioning, ValidationInstallation, Commissioning, ValidationInstallation, Commissioning, Validation

Operation & MaintenanceOperation & MaintenanceOperation & Maintenance ModificationsModificationsModifications

DecommissioningDecommissioningDecommissioning


Requirements of EN 61508

Competencyof the persons

Technicalrequirements

Safety management

+

+


Work processes

FailsafeSystems

Safe condition = slow process

Safe condition = fast process


Logic Solver – Dedicated Safety Relays

• MSR100 Family– Single or dual channel safety circuits– Connect E-Stops, Interlock Switches, Light Curtains,

Safety Mats– CAT4 (EN954-1) certification

• MSR200– Modular Safety Relay system– Scalable with up to 20 Safety Inputs– Mix of different Input Devices– DeviceNet communication for Diagnostic– SingleZone control with up to 10 Output Contacts

• MSR300 Family– suitable for MultiZone control (max. 3 Zones)– Max. 20 Safety Inputs (10 Modules)– Max. 18 NO- & 6 NC- Safety Outputs (6 Modules) – Inputs Modules configurable via rotary switches– CAT4 (EN954-1), SIL3 (IEC61508) certification– Communication:

• DeviceNet & RS232– Multicolor LED`s for diagnostics


• Function hardware software– E-STOP– Safety gate– Two-hand– Operating mode

selection– Valve control

Prototype tested safety functionssoftware blocks for safety controller


SIL 3SIL 3

SIL 2SIL 2

SIL 1SIL 1

CAT 1CAT 1 CAT 4CAT 4CAT 3CAT 3CAT 2CAT 2

ControlLogix

IEC

6150

8IE

C61

508

EN954EN954--11

Safety Integrity Level & RA Safety Systems


GuardLogix Safety Integration

• Logix Integrated Safety– Dual Processor Solution (1oo2 Architecture)

• 1oo2 is recognized as the best safety architecture– SIL-3 Certification per IEC 61508– ISO 13849 Performance Level e (Category 4) – Programs with RSLogix5000

• Extensive suite of certified safety application instructions– Simplifies design, validation, maintenance– Dual Channel suite– Muting & Press Suite

– CIP Safety comm’s for safety rated interlocking or safety I/O on Ethernet


Guardlogix

Chassis1756-Axx

not certified

Safety Partner1756-LSPcertified

Primary Controller1756-L6xScertified

Power Supply1756-Pxxx

not certified DeviceNet Interface

1756-DNBnot certified

EtherNet/IP Bridge

1756-ENBTnot certified

Note: Due to the design of the CIP Safety control system, CIP safety bridge devices, like the 1756-ENBT and 1756-DNB, are not required to be certified.

!


Software Architecture

Operating System

Primary Processor HardwareHardware Abstraction Layer

Logix Engine

Communications

Syste

m Tim

eDi

agno

stics

1756-L61

Internal architecture of embedded software in a standard ControlLogix


Software Architecture

Operating System

Primary Processor HardwareHardware Abstraction Layer

Logix Engine

Communications

Syste

m Tim

eDi

agno

stics Logix Engine

Operating System

Hardware Abstraction LayerSafety Partner Hardware

Communications

Diag

nosti

csSy

stem

TimeSafety Protocol

Replication

1756-L61S 1756-LSP

Internal architecture of embedded software in GuardLogix


What`s new for the user in a safety controller

• Safety Task

Same structure as Standard-TaskControls the Safety-OutputsConfigurable PriorityConfigurable PeriodSame number of Programs (100)


RSLogix 5000 Explicit Safety Environment

• Safety Controller Status

• Safety Instruction Palette

• Periodic Safety Task

• Routine Information Box with Class

• Watermark for Safety Editing Screen


Benefits of integrated Safety controller

• Reduced Engineering Efforts– Single Engineering Software RSLogix 5000 for standard control and safety– Less networks and communication between systems– Data exchange between standard and safety part using tags

• Reduces Maintenance Efforts– Single Network for safety and standard– Less training requirements

• Reduces Inventory– Shares components with ControlLogix– Single Network

• Increases Diagnostics• Increases Flexibility without compromising security


Work processes

Highly available

System

Non safety-related state; slow process

Non safety-related state; fast process


Why High Availability? “To Keep on going”

• To prevent a unplanned shutdown of the automated Process– Maintain production against system component failure– Protect against equipment or product losses– Protect against unplanned interruptions and potential hazards

• Types of Availability*– Disaster recovery: the ability to recover systems and data after a major disaster; may take

hours, days, or even weeks depending on the type of outage. – High Availability: maintains a high degree of application uptime, minimizing downtime but

not necessarily eliminating it completely for all types of failures

• Attributes for Availability that we Include:– Reliability (MTBF) – Maintainability, diagnostics, repairability…all with ability to edit and change on-line– Redundancy

* MARATHON technologies


Things to consider…

• The degree of availability should be a economically based engineering driven choice about what is critical to the application*– Cost of the implementation– Likelihood of a failure (Failure Rate, PFD, MTBF)– Cost associated with down time (costs of unsafe operations should always

be presumed exorbitantly high)– Recovery time – Cost of maintenance

* ControlGlobal.com – Special report

Availability is measurable as a %: A = MTBF/MTBF + MTTR(Or is the cost of the device failure times its probability of failure greater or less than the cost of the High Availability)


Availability terms - MTTF,MTTR, MTBF

Successful Operation

Failure

TIME

MTBF (Mean Time Between Failure)

MTTF (Mean Time To Failure) MTTR (Mean Time To Repair)

MTBF is a term that applies only to repairable systems.MTD (Mean Dead Time) is another commonly used term instead of MTTR.


Availability

Availability

The Probability of success foran interval of timeReliability

The Probability of success at a moment in time=

=R = e - (T/MTBF)

A = MTBF/MTBF + MTTR


The reliability of the ControlLogix in the core system

30 seconds99.9999%

5.26 minutes99.999%

52.6 minutes99.99%

8.76 hours99.9%

3.65 days99%

Probable Downtime per

Year

Availability %

Standard ControlLogix

Redundant CLX

Standard ControlLogix Controllers can provide Availability > 99.99% Redundant ControlLogix Controllers can even exceed 99.9999%

= 1 day every 3 years


Non Redundant Attributes for HA

System Maintainability– Add I/O on line (unscheduled)– Add / remove Controllers and IO under power– Online changes to controller code– Upgrade Controller firmware on line; multiple version work together– Create and deploy Operator Workstation Displays on line

Module and system Diagnostics – Field Device diagnostics (HART, FF, PA)– I/O module diagnostics– Controller diagnostics– Network diagnostics (with Stratix / Cisco switches)– Server Diagnostics

Module and device Repairability– Hot Swappable controller & I/O modules– Automated Device Replacement (ADR)– Disaster recovery with Asset Centre (controller programs)


Basic Architectures

Simplex 1oo1

Fault Tolerance=0 Channel 1

Logic Solver

Channel =

Input Logic Solver Output


Basic Architectures

Duplex 1oo2d

Duplex 2oo2

Duplex 1oo2

Fault Tolerance = 1

Diagnostics

Channel 1

Channel 2

Voting

Channel 1

Channel 2

Two channels withRedundant outputs in series to ensure safe off

DTwo channels withRedundant outputs in parallel to ensure availability


Basic Architectures

Triplex 2oo3

Fault Tolerance = 2

Three channels withRedundant outputs in parallel and voting

Voting

Channel 1

Voting

Channel 2

Channel 3

1 2

3

1

2

3

TMR Triple Modular Redundancy


Basic Architectures

Quad Fault Tolerance = 2 D

D

Diagnostics

Channel 1

Channel 2

Diagnostics

Channel 3

Channel 4

Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 37Copyright © 2007 Rockwell Automation, Inc. All rights reserved. 37

Availability, Fault Tolerance, Safety

Availability

Safety

Standard Controllers Safety Controllers• Failsafe• High DC• 1oo2• SIL3

CLX SIL2• I/O Redundancy• Fault Tolerant or Failsafe• Controller BackUp Optional

ICS Triplex• Fault Tolerant• 24/7/365• 2oo3 (3-3-2-0)• SIL3

Fault Tolerance

‘Active’ Redundancy

• High MTBF• Single Controller• Single Power Supply• Single IO

• High MTBF•‘ Passive’ Redundancy (RM)• Redundant Power Supplies• Redundant Media• Single IO / supervised wiring

Standard Controllers (Redundant)


Rockwell Automation vandaag

• 19.000 werknemers, waaronder:– 3.400 in Europa– 58 in BeLux– 62 in EMEA HQ te Brussel

• 4,3 milliard $ omzet wereldwijd• 820 miljoen € omzet in Europa

• Aanwezig in meer dan 80 landen

• Een echte cultuur van partnership– Technologisch– Integrators, distributie

Volledig toegespitst op Industriële Automatisatie



Een erfenis van Kwaliteit en Innovatie

De oorsprong(Meer dan 100 jaar)

De De oorsprongoorsprong((MeerMeer dandan 100 100 jaarjaar)) vandaagvandaagvandaag


België / Groothertogdom van Luxemburg

• Hoofdkantoor te Strombeek-Bever(Brussel – Heizel)

– 19 werknemers in de afdeling « CustomerSupport & Maintenance »

– 9 werknemers ter ondersteuning voor« Customer Application Design » en Marketing

– 9 Account Managers voor de opvolging van onze klanten

– Verschillende bijzondere functies:• Global Account Management• Global Account technical consultant• OEM support engineer• High power drives expertise• Global project coordination

• Passie is een onderdeel van onze ondernemingscultuur !

58 werknemers om u te dienen


• Automatisatieoplossingen voor een industriële omgeving

• Laagspanningsschakelmateriaal

• Oplossingen voor de verwerking en het infomatiebeheer van uw productiegegevens

• De ondersteunende diensten voor elke fase in de levenscyclus van uw productiemiddelen

De know-how van Rockwell Automation

Expertise en oplossingen


We zijn aanwezig in het hart van de productie

Sturing van het continue productieproces

Precisieaandrijvingen

PLC

Veiligheid

Productie per lot (batch)

AC/DC aandrijvingen

Energie- en HVAC beheer in productie


Producten en oplossingen van wereldklasse

KwaliteitGebruiksvriendelijkheid

• Een ongeëvenaarde betrouwbaarheid en gebruiksgemak

• Ontworpen om te functioneren in de meest veeleisende industriële omgeving

• Wereldwijde certificatie

• Een technologische strategie die de continuïteit en productmigratie maximaal ondersteunt

• Open Technologie


• Programmeerbare sturingen• Supervisie en sturing van de productie• Manufacturing Execution System• Netwerken en industriële switches

• Bescherming en sturing van motoren• AC/DC aandrijvingen• Bewaking van roterende machines• Precisie servo-motoren• …

• Laagspanningsschakelmateriaal en sensoren• Materiaal en oplossingen voor «machine»-

veiligheid• Materiaal en oplossingen voor «proces»-

veiligheid• …

ModulairMulti-disciplineEén unieke ontwerpsoftwareInformatie en IT-enabled

Geïntegreerde Architectuur: ons ééngemaaktplatform


Een waaier aan diensten

• Opleiding en vervolmaking van uw personeel • Upgrade van de machines naar de nieuwe

veiligheidsnormen• Ter beschikkingstelling van wisselstukken • Tijdelijke versterking/ondersteuning van uw

technische ploeg• Technische ondersteuning per telefoon • Een snelle behandeling van uw herstellingen • Ondersteuning bij migratieprojecten

VoorspellenVoorkomenReageren


Samenvattend

• Een gepassioneerd team… !• Een ervaren team… !

• Een ondernemersspirit binnen een grote technologische groep

• Een netwerk van solide partners

• Geïntegreerde oplossingen, gebruiksvriendelijk tijdens het ontwerp, het gebruik en het onderhoud van uw productieapparaat.

Onze troeven

safety control systems - rockwell automation

Documents