Safety engineering guidelines
_HB_Safety_030408_en.qxp 03.04.2008 13:41 Uhr Seite 1
Festo Safety Engineering Guidelines - Reading Sample
Simple and helpful: the second part of the brochure contains sample circuit diagrams for the most common safety functions relating to pneumatic drives, together with the associated product combinations from Festo. These can be used to implement many safety functions.
If you have further requirements, our specialists worldwide will be happy to help.
At Festo, quality has many aspects – one of these is handling machines safely. This is the reason behind our safety-orientated automation technology. It gives you the certainty that your workplace is as safe as possible.
This brochure is intended as a guide. It covers the core questions relating to safety-orientated pneumatics:
• Why use safety-orientated pneumatics?
• How can I identify the risk posed by a system or machine to the operator or user?
• Which standards and directives apply?
• What safety measures are derived from these?
• What are the most common safety measures?
Your partner in safety
Simple – but safe!
In general, the simpler the safety engineering used in the application, the more efficient it is. The complexity of safety engineering lies in the variety of state combinations and transitional states. As a result, it would seem almost impossible to implement standardised safety engineering concepts.
Due to their flexible application, pneumatic drive systems from Festo need to be included in the risk analysis and assessment for each machine, depending on the application.
Festo provides solutions on the basis of risk analyses and assessments for the most common applications. This ensures that the electrical safety functions for your pneumatic system’s controllers are enhanced with the appropriate safety concepts.
Risk assessment
Directives and standards describe the process of risk assessment. Every manufacturer is obliged to carry out a risk assessment. This is followed by a risk evaluation and, if necessary, suitable measures for reducing risk have to be implemented.
Focusing on risk reduction
This guide is primarily concerned with the area of risk reduction in the form of technical safety measures. We assume that all possible design measures for reducing risk have already been explored.
Figure: risk assessment flowchart (risk assessment: EN ISO 1050/14121; risk analysis: EN ISO 12100, 3.14; risk evaluation: EN ISO 12100-1, 5.3)
Sources noted on the figure: EN 1050 / ISO 14121, Sections 5, 6 and 7; EN ISO 12100, 5.2 and 5.3; EN 1050, Appendix B; Directive 2006/42/EC, Appendix I, 1)
Start
• Determination of the limits of the machinery
  • Specification of the machine limits: use limits, space limits, time limits
  • Determining/defining states and transitional states
• Hazard identification, using methods such as:
  • Preliminary hazard analysis (PHA)
  • WHAT-IF method
  • Failure mode and effects analysis, failure effects analysis (FMEA)
  • Failure simulation for control systems
  • MOSAR procedure
  • Fault tree analysis (FTA)
  • DELPHI technique
  and considering human interaction during the whole life cycle, the possible states of the machine, and unintended behaviour of the operator or reasonably foreseeable misuse
• Risk estimation
• Risk evaluation of safety design measures – is the machine safe? (yes / no)
• Risk evaluation of technical safety measures – is the machine safe? (yes / no)
• All possible instructive measures used? (yes / no)
End
When estimating the risk and identifying the required performance level, the degree of risk reduction is established. Whether or not the required risk reduction level has been achieved for technical safety measures depends on the following parameters:
1) Control architecture
2) Mean Time To Failure (MTTFd)
3) Diagnostic coverage (DC)
4) Common Cause Failure (CCF)
In all cases, the performance level (PL) must be equivalent to at least the required PLr.
Figure: iterative process for the design of safety-related parts of control systems (Source: DIN EN ISO 13849-1, 4.2, Figure 3; risk reduction: EN ISO 12100-1, 5.4)
• Design measures, e.g. inherent safety (Source: EN 12100-2, Section 4)
• Technical safety measures and supplementary safety measures; for all safety functions:
  • Identify the safety function to be performed
  • For each safety function, specify the required characteristics
  • Determine the required PLr
  • Design and technical implementation of the safety function
  • Determine the PL (category, MTTFd, DC, CCF)
  • Check PLr ≤ PL (yes / no)
• User information on the machine and in the user manual (Source: EN 12100-2, Section 6)
Evaluating technical safety measures – determination of the performance level
The figure shows the simplified procedure for determining the performance level (PL) of a safety function. The PL is a function of categories B to 4, diagnostic coverage “none to high”, various MTTFd areas and the common cause failure.
The PL can be assigned to a specific SIL level. However, it is not possible to infer the PL from the SIL. Apart from the average probability of a dangerous failure per hour, other measures are needed to achieve a specific PL.
Figure: simplified procedure for determining the PL (Source: DIN EN ISO 13849-1, Chapter 4.5.2 and Chapter 4.5.4)
Steps:
• Risk graph: which performance level is required? PLr a to e
• Designated architectures: how is the control chain or safety function structured? Cat B to 4
• Quality of components in the control chain: determining the MTTFd for the entire process chain, from sensors to actuators
• Diagnostic coverage: which dangerous failures are identified?
• Common cause failure (CCF): measures to reduce CCF
Category, diagnostic coverage and CCF:
• Cat B: DC < 60% (none); CCF not relevant
• Cat 1: DC < 60% (none); CCF not relevant
• Cat 2: 60% ≤ DC < 90% (low) or 90% ≤ DC < 99% (medium); CCF 65%
• Cat 3: 60% ≤ DC < 90% (low) or 90% ≤ DC < 99% (medium); CCF 65%
• Cat 4: 99% ≤ DC (high); CCF 65%
Determination of the MTTFd = mean time to failure (dangerous), evaluated as Low, Medium or High (Source: DIN EN ISO 13849-1, Chapter 4.5.2):
• Low: 3 years ≤ MTTFd < 10 years
• Medium: 10 years ≤ MTTFd < 30 years
• High: 30 years ≤ MTTFd ≤ 100 years
Determination of the PL = Performance Level, with the average probability of a dangerous failure per hour (PFHd):
• PL a: 10^-5 ≤ PFHd < 10^-4
• PL b: 3 x 10^-6 ≤ PFHd < 10^-5
• PL c: 10^-6 ≤ PFHd < 3 x 10^-6
• PL d: 10^-7 ≤ PFHd < 10^-6
• PL e: 10^-8 ≤ PFHd < 10^-7
Determination of the SIL = Safety Integrity Level
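The simplified procedure described above (category, diagnostic coverage band, MTTFd band and CCF, then the achieved PL compared against the required PLr) carried through in code. This is an added example and not part of the Festo brochure: the DC and MTTFd band limits and the PFHd ranges are those shown on this page, while the category/DC/MTTFd to PL table is assumed from ISO 13849-1 Table 7, which the page references but does not reproduce; the function names and sample values are this example's own.

```python
# Added example, not Festo's code: ISO 13849-1 simplified PL determination.
# Band limits and PFHd ranges are from this page; the Cat/DC/MTTFd -> PL table
# is assumed from ISO 13849-1 Table 7 (referenced here, not reproduced).

def mttfd_band(years):
    """MTTFd band of each channel; None outside the rated 3..100 year range."""
    if 3 <= years < 10:
        return "low"
    if 10 <= years < 30:
        return "medium"
    if 30 <= years <= 100:
        return "high"
    return None

def dc_band(dc):
    """Average diagnostic coverage (0.0 .. 1.0) as none / low / medium / high."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"
# (category, DC band) -> PL for MTTFd low / medium / high; None = not covered
PL_TABLE = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}

# PL -> [lower, upper) bound of the average probability of a dangerous failure per hour
PFHD_RANGE = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
              "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}

def achieved_pl(category, dc, mttfd_years, ccf_score):
    """PL reached, or None if not covered (unrated band, DC/category mismatch, CCF < 65 for Cat 2-4)."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None
    row = PL_TABLE.get((category, dc_band(dc)))
    band = mttfd_band(mttfd_years)
    if row is None or band is None:
        return None
    return row[("low", "medium", "high").index(band)]
def meets_plr(pl, plr):
    return pl is not None and pl >= plr  # letters a..e rank in alphabetical order
```

With the values of the two-hand sample circuit later in this brochure (Cat. 2, DC medium, CCF above 65%), a high MTTFd is what carries the chain to PL d; a CCF score below 65 or a DC band that does not fit the category returns None rather than a PL.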
Control architecture of category 2
Figure: designated architecture of category 2 (input I, logic L, output O, connected by interconnecting means im; test equipment TE with monitoring m and output of test equipment OTE)
Category 2
Summary of requirements
• The requirements of B and the well-tried safety principles shall apply.
• Safety functions of safety-related parts of control systems must be checked at suitable intervals by the machine control system: when the machine starts up and before a hazardous situation arises, e.g. the start of a new cycle; at the start of other movements and/or periodically during operation, if the risk assessment and the operation mode show that this is necessary.
System behaviour
• Fault tolerance: zero, but the loss of the safety function is detected by the check.
• The occurrence of a fault can lead to the loss of the safety function between the checks.
• Testing at suitable intervals (the test frequency must be one hundred times the demand rate of the safety function).
• Mainly characterised by structure.
Safety function: Exhausting
Example*: entire control chain = cat. 2
Figure: hardware structure and wiring (emergency stop)
*The example shows the schematic representation of a specific category. Depending on the safety relay, the wiring may be different and the connections may have different designations. A fault examination has to be carried out for each concrete application.
4 operation modes – 10 safety functions
Figure: matrix of the operation modes (initial position/standstill; normal operation; set-up and service operation; emergency operation) against the safety functions (pressurising; maintaining pressure; reducing pressure and force; exhausting; two-hand operation; tamper-proof, prevention of unexpected starting up; reducing speed; free of forces; stopping, holding and blocking a movement; reversing a movement)
During the risk assessment, the hazardous situation also has to be determined and, subsequently, the risks have to be evaluated. This applies to a machine’s entire service life.
The following four operating modes in particular are used for operating a machine:
• Initial position/standstill
• Normal operation
• Set-up and service operation
• Emergency operation
Specific safety functions can be derived from these operation modes:
• Pressurising of machines
• Maintaining pressure
• Reducing pressure and force
• Exhausting of machines
• Two-hand operation
• Tamper-proof
• Reducing speed
• Free of forces
• Stopping, holding and blocking a movement
• Reversing a movement
You can find these safety functions both in the suggested circuits and in the products and solutions. The information specified always refers to very specific safety functions. This will enable you to quickly decide whether the information is relevant to your current task, both in the sample circuits and in the products.
Examples of safety-orientated pneumatics
The varying requirements and areas of application for installations mean that the results of risk analyses are very variable – as are the solutions for them. Here we present some important examples.
Power-driven interlocking guards
Safety measures
1. Prevention of unexpected start-up, as per EN 1037
2. Single-channel for safety function exhausting, as per EN 13849-1
3. Stop category “1” as per EN 60204-1
Picking & Placing discrete goods
Safety measures
1. Prevention of unexpected start-up, as per EN 1037
2. Two-channel stop, as per EN 13849-1
3. Stop category “1” as per EN 60204-1
Sample circuit diagram – two-hand control block
Safety function: Two-hand operation
Control chain
Function | Description (max. possible)
Control architecture | Cat. 2
Number of channels | 1
Diagnostic coverage | Medium
Performance level | d
CCF | > 65%
Part no. | Identifier | Type | Product designation
3527 | WV1 | ZSB-1/8 | Control block for two-hand start
6817 | WV2 | SV-3-M5 | Front panel valve
6817 | WV3 | SV-3-M5 | Front panel valve
9270 | DR | VD-3-PK-3 | Pressure sequence valve
Description
The control block for two-hand start ZSB 1/8 is a pneumatic AND gate. If inputs 11 and 12 are pressurised within a max. of 0.5 s of each other, the assembly switches through and there is an output signal at port 2.
The system is controlled by two external 3/2-way push-button valves. If both push-button valves are activated, outlet port 2 is pressurised. If one or both push-buttons are released, outlet port 2 is unpressurised. The system exhausts from 2 to 3.
Note
All the information that relates to standards is identified with “max. possible”. Whether the values are reached does not depend only on the pneumatics. It is only possible to assess whether a specific function is achieved or not by observing the complete system. The design of the electrical engineering, mechanics, hydraulics and pneumatics all play a role.