Session Four: Applying functional safety to machine interlock guards
Craig Imrie, Technology Specialist: Safety, NHP Electrical Engineering Products

Abstract

With the recent Australian adoption of the functional safety standards IEC 62061 Ed 1 and ISO 13849-1:2006, a greater emphasis has been placed on systematic failures and common cause failures in machine safety control systems. This has been a major issue when designing interlock guards and trying to achieve PL or SIL requirements. With the new revision of the AS 4024.1 series, ISO 14119:2013 has been adopted as AS 4024.1602. This standard now provides guidance on designing interlock guards to achieve the requirements of PL and SIL. This paper explains the new design considerations of the standard.

Introduction

In recent times the primary reference for machine safety in Australia has been the AS 4024.1 series. AS 4024.1 is a collection of standards that cover fundamental aspects of machine safety such as:
- Risk assessment
- Ergonomics
- Design of safety control systems
- Design of guards

AS 4024.1 adopts international (ISO, IEC and EN) standards that cover these topics, for example:
- AS 4024.1201 is equivalent to ISO 12100, General principles for design: Risk assessment and risk reduction
- AS 4024.1602 is equivalent to ISO 14119, Interlocking devices associated with guards
- AS 4024.1503 is equivalent to ISO 13849-1, Safety-related parts of control systems: General principles for design

AS 4024.1 is structured this way so that it can be updated and revised simply. When an international standard is revised, the relevant part of AS 4024.1 can be updated to reflect this without altering the other parts of the edition. The preface of AS 4024.1100 reflects this idea by stating: "...when new editions of relevant ISO, IEC or EN Standards became available, they could be adopted and published within the framework of AS 4024 with minimum delay, so ensuring continued international alignment."
Safety Control Systems Conference 2015 1

Due to this desire to keep AS 4024.1 aligned with international standards, the series was revised in late 2014. Most of the parts that make up the 2014 series have been updated to adopt the current international standard. The parts concerned with safety-related parts of control systems were of major interest. The 2006 version of AS 4024.1 included two such parts:
1. AS 4024.1501-2006: Design of safety related parts of control systems - General principles for design
2. AS 4024.1502-2006: Design of safety related parts of control systems - Validation

Both of these parts were based on design and validation according to Safety Categories. This design concept is widely used in Australia and has been part of the standard since 1996. However, since 2012 Safety Categories have been superseded in international standards by ISO 13849-1:2006, which uses the design concept of Performance Level (PL). Due to this change the 2014 version of AS 4024.1 now has three parts concerned with safety-related parts of control systems:
1. AS 4024.1501-2006: Design of safety related parts of control systems - General principles for design (Safety Categories)
2. AS 4024.1502-2006: Design of safety related parts of control systems - Validation (Safety Categories)
3. AS 4024.1503:2014: Safety-related parts of control systems - General principles for design (Performance Levels)

The relationship between PL and Safety Categories is very strong, because PL is built on the architectures of the Safety Categories. However, there are additional design considerations with PL, as shown in Figure 1.

Figure 1 - Inner mechanics of a PL

As can be seen in Figure 1, PL inherits the well-tried architectures of the Safety Categories and adds the following new design aspects:
- Mean Time To Dangerous Failure (MTTFd): considers the reliability of the components used in the safety-related parts of the control system. Reliability data will usually be sourced from the manufacturer.
- Diagnostic Coverage (DC): evaluates the level of diagnostics the safety control system has with respect to dangerous failures.
- Common Cause Failure (CCF): provides a method for the designer to avoid common cause failures in the safety system. A common cause failure is multiple channels of a safety system failing due to the same event.

The relationship between Categories and PL is shown graphically in Figure 2. It demonstrates how the Category architecture, in combination with the DC and the MTTFd, produces a PL. A given Category can achieve more than one PL depending on the other aspects of the design.

Figure 2 - Relation between CAT and PL

The PL design method therefore includes considerations that were not applicable with Safety Categories. To aid users in transitioning to PL, significant changes have been made to the new interlock guard standard, AS 4024.1602:2014. This standard assists designers in transitioning to PL and provides guidance for designing more reliable interlocking systems in the following ways:
- New classifications of interlock devices to better represent the technologies currently available

- Information on how to design interlocking systems to achieve diversity as part of the CCF method
- Information on how to evaluate the DC of series-wired interlock guard functions
- A method for designing interlock guards to reduce the probability of users defeating the interlocking safety system

New interlock classifications

Since the 2006 version of AS 4024.1602 there have been significant advances in interlock device technology, and a transition in the types of devices used in industry. In recent years interlock devices have been developed that provide higher levels of tamper resistance and diagnostic capability. The 2014 version of AS 4024.1602 has new classifications that better represent these technologies. The classifications are then used in the standard to show how to avoid defeat of the interlock system, to determine CCF tolerance and to quantify the DC of the interlock system. The new classifications are separated according to the following criteria:
- Actuation principle: whether the switch is a mechanical or a non-contact device.
- Coding: the device is either coded or uncoded. The higher the degree of coding, the more tamper resistant the device is. Coding is classified into three sub-classes:
  o Low level coding: 1 to 9 variations in coding
  o Medium level coding: 10 to 1000 variations in coding
  o High level coding: over 1000 variations in coding

Table 1 shows the classifications for interlock devices.

Type | Actuation principle | Coding  | Actuator example          | Coding level
1    | Mechanical          | Uncoded | Limit switch, hinge switch | None
2    | Mechanical          | Coded   | Tongue interlock           | Low level
2    | Mechanical          | Coded   | Trapped key interlock      | Medium to high level
3    | Non-contact         | Uncoded | Magnetic, inductive        | None
4    | Non-contact         | Coded   | Coded magnetic             | Low level
4    | Non-contact         | Coded   | Coded RFID                 | Medium to high level

Table 1 - Classifications of interlock devices
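To make the Figure 2 relationship concrete, the following is an added worked example (not code from the paper, from NHP or from the standard): a small evaluator that bands an MTTFd and a DC value, checks the Annex F common-cause-failure score, and looks up the PL for the Category. The band limits and the Category/DC/MTTFd to PL mapping are taken from ISO 13849-1:2006 (Tables 5 to 7) and are assumptions of this example, since the paper does not reproduce them; the input values at the bottom are constructed.

```python
"""Added example (not from the paper): combine Category, MTTFd, DC and the
Annex F CCF score into a Performance Level as Figure 2 does.

Assumed, because the paper does not reproduce them: the MTTFd bands
(low 3-10 y, medium 10-30 y, high 30-100 y), the DC bands (none < 60 %,
low 60-90 %, medium 90-99 %, high >= 99 %) and the simplified
Category/DC/MTTFd -> PL table, all from ISO 13849-1:2006 Tables 5 to 7.
"""
from typing import Optional, Set

# Annex F measures and scores (the paper's Table 2). A measure scores only
# when fully implemented; 65 points are needed for Categories 2, 3 and 4.
CCF_SCORES = {
    "separation": 15,
    "diversity": 20,
    "design_application_experience": 20,
    "assessment_analysis": 5,
    "competence_training": 5,
    "environment": 35,
}
CCF_THRESHOLD = 65

MTTFD_BANDS = ("low", "medium", "high")

# ISO 13849-1:2006 Table 7 (assumed): (Category, DCavg band) -> PL for the
# MTTFd bands low, medium, high. None = combination not permitted.
PL_TABLE = {
    ("B", "none"):   ("a", "b", "c"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "e"),
    ("4", "high"):   (None, None, "e"),
}


def mttfd_band(years: float) -> Optional[str]:
    """Band an MTTFd per channel; outside 3-100 years the value is not usable."""
    if years < 3 or years > 100:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc_percent: float) -> str:
    """Band an average diagnostic coverage given in percent."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


def ccf_score(measures: Set[str]) -> int:
    """Sum the Annex F points of the measures that are fully implemented."""
    unknown = set(measures) - set(CCF_SCORES)
    if unknown:
        raise ValueError(f"unknown CCF measure(s): {sorted(unknown)}")
    return sum(CCF_SCORES[m] for m in measures)


def performance_level(category: str, mttfd_years: float, dc_percent: float,
                      ccf_measures: Set[str]) -> Optional[str]:
    """PL reached by the design, or None when the combination is not
    permitted: MTTFd out of range, a DC band the simplified table does not
    list for the Category, or CCF below 65 where a Category 2, 3 or 4
    architecture is claimed."""
    band = mttfd_band(mttfd_years)
    if band is None:
        return None
    # Categories B and 1 are single channel without diagnostics; DC is not credited.
    dc = "none" if category in ("B", "1") else dc_band(dc_percent)
    if category in ("2", "3", "4") and ccf_score(ccf_measures) < CCF_THRESHOLD:
        return None
    row = PL_TABLE.get((category, dc))
    if row is None:
        return None
    return row[MTTFD_BANDS.index(band)]


if __name__ == "__main__":
    # Constructed inputs: a Category 3 guard interlock with two limit switches
    # mounted for direct and non-direct action (Diversity = 20 points),
    # MTTFd 45 years per channel and DCavg 85 %.
    claimed = {"separation", "diversity", "design_application_experience", "environment"}
    print("CCF score:", ccf_score(claimed))                                  # 90
    print("PL:", performance_level("3", 45, 85, claimed))                   # d
    print("PL without CCF:", performance_level("3", 45, 85, {"diversity"}))  # None
```

The two calls at the end show the point of Figure 2: the same Category 3 architecture with the same hardware reaches PL d when the CCF score is met and cannot be credited with any PL when only Diversity is claimed and the score stays at 20.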

Design interlock systems to avoid Common Cause Failure (CCF)

Designing the interlock system to avoid CCF is a major design consideration for achieving PL according to AS 4024.1503; it is also integral to achieving SIL according to AS 62061. The method to avoid CCF is explained in Annex F of AS 4024.1503. The designer is presented with different measures that can be used in the system design, each worth a certain score. As the designer meets the requirements of each measure the cumulative score increases; once a score of 65 or more is reached, the CCF avoidance requirements are met. Annex F awards the score for a measure only when it is fully implemented; a partly implemented measure scores zero. Table 2 summarises the measures and their associated scores.

Measure against CCF            | Score
Separation/segregation         | 15
Diversity                      | 20
Design/application/experience  | 20
Assessment/analysis            | 5
Competence/training            | 5
Environment                    | 35
Total achievable               | 100

Table 2 - Summary of CCF measures and associated scores, AS 4024.1503

As can be seen in Table 2, Diversity is a significant measure when the designer is attempting to reach a score of 65. The general requirements in AS 4024.1503 are vague on the different approaches to achieving diversity, which led to confusion about how diversity could be achieved for common safety functions such as interlock systems. AS 4024.1602 now includes guidance on how to achieve diversity in common interlock arrangements.

Diversity with Type 1 interlocking devices

One technique to achieve diversity using Type 1 (uncoded, mechanical) interlocking devices is explained in clause 8.3.2 of AS 4024.1602: a combination of direct and non-direct mechanical action is used. Figure 3 shows an example of direct and non-direct mechanical action. A sliding guard is shown in its closed state; the guard slides to the left to open.

Figure 3 - Diversity with Type 1 devices

In this example limit switches are used because they are Type 1 interlocking devices. Switch S1 is mounted for direct mechanical action: the guard directly actuates the switch when it is opened, by rolling on top of the device. Switch S2 is mounted for non-direct mechanical action: the guard rolls off the switch when opened, releasing it. Because of the opposite actuating principles, diversity has been created with this combination of Type 1 interlocking devices. This is not a new concept and has been part of the standards for many years; however, AS 4024.1602 now states that the above arrangement achieves the full 20 points for Diversity in the CCF method of AS 4024.1503. This is the clarity that was required as designers come to grips with the new requirements of AS 4024.1503.

Power medium diversity

Some machines require two or more energy sources for hazardous movement, for example hydraulic and electrical energy. In this case diversity can be achieved by having two independent interlocking devices, each of which interrupts the supply from a different energy source. AS 4024.1602 states that the 20 points for Diversity can be claimed for the CCF method according to AS 4024.1503.

Quantify the DC of series-connected interlock functions (*coming soon)

In order to achieve a PL or calculate a SIL, the DC of the system must be determined. In industry it is common to see multiple interlock guards wired in series, which reduces the number of safety inputs needed on the safety relay or safety PLC. The method to determine DC is explained in Annex E of AS 4024.1503, but no guidance is given on how to evaluate series-connected interlock guards. The DC achieved by series-wired interlock guards can be complex to evaluate, because faults can be masked: a fault on one device in the chain (for example a short across its contacts) can be hidden from the evaluation unit when another guard in the series is subsequently opened and closed, so the fault goes undetected. The potential for masked faults is influenced by the following application characteristics:
- How many guards are wired in series?
- How many of the guards are used frequently?
- How many individual devices are used on each guard?
- What wiring configuration is used?
- What type of evaluation is used to detect faults?
- What type of cable is used?

As you can imagine, this has caused significant confusion about how to determine the DC achieved by series-connected interlock guards. Clause 8.6 of AS 4024.1602 will shortly provide a solution to this problem. The clause references a technical report, ISO/TR 24119, which will provide a simple method to evaluate the maximum DC achieved by series-connected interlock guards. This technical report is currently in draft, but hopefully will be released later this year and provide much needed clarity on this issue.

Design to minimise defeat possibilities

The previous sections of this paper explain various ways in which AS 4024.1602:2014 can assist with the transition to design methods such as PL or SIL. However, the most significant improvement in this new standard is the defined process to avoid defeat of interlock guards. Many of the aspects and measures are not new, but the standard now provides a structured process to follow. This should result in improved compatibility between machine function and interlock guards. Figure 4 shows the flow diagram that designers can use to ensure that motivation to defeat is minimised and that resistance to defeat is present where needed.

Start
  Implement basic measures
  Is there a motivation to defeat?
    no  -> End
    yes -> Is it possible to eliminate or minimise the motivation to defeat?
             yes -> Implement design measures or add alternative modes
             no  -> Use additional measures to minimise defeat possibility
  End

Figure 4 - Flow diagram to minimise the chance of defeat

As seen in Figure 4, the first step is to implement basic measures. Examples of these basic measures include:
- Correct fastening of switches
  o Loosening of position switches, actuators and cams must require a tool
  o Type 1 position switches may require permanent fixing, such as pins or dowels
  o Self-loosening must be avoided
- Appropriate mounting of switches
  o Access should be provided for maintenance
  o The switch should be mounted so as to protect it against foreseeable damage
  o The switch should not be used as a mechanical stop
  o Type 1 or 2 switches should be mounted for direct mechanical action, with direct opening action contact elements

Once the above basic measures are ticked off, the designer can use the method explained in Annex H of AS 4024.1602 to determine whether a motivation to defeat the interlock system exists. This is a new method introduced with this version of the standard and provides guidance that has never been available before. Table 3 is an example of how the Annex H method is documented. The process has four steps:
1. All modes of operation of the machine are identified, e.g. Mode 1 = Automatic and Mode 2 = Maintenance (listed as the headings of Col 2 and Col 3).
2. All tasks are listed as the rows of the table (Col 1). An x indicates the mode of operation in which each task needs to be performed.
3. The next column (Col 4) indicates whether it is possible to perform the task in that mode without defeating the interlock guard.
   a. If the answer is no, then improvement of the machine design or the implementation of a new mode of operation is mandatory.
4. The following columns (Col 5 and above) identify whether other benefits of defeating the interlock exist when completing that task.
   a. These benefits must be addressed as per the flow diagram in Figure 4.

Col 1             | Col 2          | Col 3            | Col 4                          | Col 5                   | Col 6             | Col 7          | etc.
Task              | Automatic mode | Maintenance mode | Task possible without defeating | Faster to complete task | Better visibility | Reduced travel |
Start-up          | x              |                  | Yes                            | 0                       | 0                 | 0              |
Machine operation | x              |                  | Yes                            | 0                       | ++                | 0              |
Material feeding  | x              |                  | No                             | ++                      | ++                | 0              |
etc.              |                |                  |                                |                         |                   |                |

Benefit of defeat: 0 = none, + = minor, ++ = substantial

Table 3 - Example of documenting the motivation-to-defeat process

In Table 3 there are two modes of operation and three tasks. For machine start-up, the task needs to be performed in Automatic mode and it is possible to complete the task without defeating the interlock guard. The following columns also indicate that no other benefit is gained by performing this task with the interlock defeated.

For material feeding, the task needs to be performed in Automatic mode, but it is not possible in this mode without defeating the interlock guard. Material feeding requires the ability to jog the machine with the interlock guard open, and Automatic mode does not allow operation with the guard open. This result requires a new mode of operation to be added so that the material feeding task can be performed safely.

For machine operation, the task needs to be performed in Automatic mode and it is possible to complete the task without defeating the interlock guard. The following columns indicate, however, that there is a substantial benefit of improved visibility when the interlock guard is defeated. The designer should consider what design measures could address this benefit, e.g. using a guard that provides the required visibility. If no design measures are available, the designer must implement additional measures to minimise the defeat possibility.

Additional measures to minimise the defeat possibility address residual motivation to defeat once all possible design measures and alternative modes of operation have been exhausted. Which measures are required depends on the level of coding incorporated in the interlock devices: the lower the level of coding, the more measures are required to avoid defeat. Examples of measures used are:
- Mounting out of reach: mounting the interlock device in a position outside the reach limits of the operator
- Physical obstruction/shielding: mounting the interlock device behind physical obstructions so the operator cannot easily access it
- Mounting the interlock device in a hidden position
- Status monitoring or cyclic testing: techniques that ensure the interlock device's function is tested, so the test will detect if the device has been defeated
- Non-detachable fixings: fixings that prevent the switch, the actuator or both from being removed from their intended position in order to defeat the safety function
- Additional device: using two independent devices for the interlock function, so that if one device is defeated the safety function still operates

Table 4 indicates which measures apply to the different classifications of interlock devices.

Table 4 - Additional measures to minimise defeat possibility (AS 4024.1602)

Device classifications (columns): Type 1 or 3, except hinge switch | Hinge switch | Type 2 or 4 with low or medium coding level | Type 2 or 4 with high coding level | Trapped key system with medium or high coding level

Measures (rows): Mount device out of reach; Shield device; Mount device in a hidden position; Status monitoring/cyclic testing; Non-detachable fixing for switch and actuator; Non-detachable fixing for switch; Non-detachable fixing for actuator; Additional device

Legend: X = measure should be considered, M = measure is mandatory, R = measure is recommended

(The X/M/R entry for each cell is given in Table 3 of ISO 14119:2013, adopted as AS 4024.1602:2014.)

Conclusion

In conclusion, the new version of AS 4024.1602 provides assistance for designers to achieve the requirements of AS 4024.1503:2014. The standard provides guidance on how to design interlock systems to avoid CCF, and will provide a method to evaluate the DC of series-connected interlock functions. The other significant improvement in this standard is the process to minimise the probability of defeat. This method ensures that interlock guards are designed with the operation of the machine in mind, which reduces the motivation for operators to defeat the interlocking system. The process also provides a method to select appropriate interlocking devices to address any residual motivation to defeat the interlock system.

References

AS 4024.1503:2014, Safety of machinery - Safety-related parts of control systems - General principles for design (equivalent to ISO 13849-1)
AS 4024.1602:2014, Safety of machinery - Interlocking devices associated with guards - Principles for design and selection (equivalent to ISO 14119:2013)
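The Annex H documentation method and the Figure 4 flow described above, as an added worked example (not code from the paper or from the standard): each row of a task/mode table is routed to one of four outcomes: no action, a mandatory redesign or new mode, a design measure, or additional measures. The modes, the task rows, the benefit columns and the flag saying whether a design measure is available are constructed for illustration (three rows follow the paper's Table 3, the fourth is invented); which additional measures then apply is a matter for Table 4 and is not decided here.

```python
"""Added example (not from the paper): evaluate an Annex H motivation-to-defeat
table (AS 4024.1602) and route each task through the Figure 4 flow.

Constructed for illustration: the modes, tasks, benefit columns and the
design_measure_available flags. The benefit marks 0 / + / ++ use the legend
of the paper's Table 3.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Table 3 legend: benefit of defeat: 0 = none, + = minor, ++ = substantial
BENEFIT_LEVEL = {"0": 0, "+": 1, "++": 2}

MODES = frozenset({"Automatic", "Maintenance"})  # Col 2 and Col 3 headings


@dataclass
class Task:
    name: str                          # Col 1
    modes: FrozenSet[str]              # the modes carrying an "x"
    possible_without_defeat: bool      # Col 4
    benefits: Dict[str, str]           # Col 5 onwards: column -> "0" | "+" | "++"
    design_measure_available: bool = False  # e.g. a guard that gives the visibility


@dataclass
class Finding:
    task: str
    action: str   # "none" | "redesign_or_new_mode" | "design_measure" | "additional_measures"
    detail: str


def motivation(task: Task) -> int:
    """Highest benefit of defeat recorded for the task (0, 1 or 2)."""
    levels = []
    for column, mark in task.benefits.items():
        if mark not in BENEFIT_LEVEL:
            raise ValueError(f"{task.name}/{column}: unknown benefit mark {mark!r}")
        levels.append(BENEFIT_LEVEL[mark])
    return max(levels, default=0)


def evaluate(tasks: List[Task], modes: FrozenSet[str] = MODES) -> List[Finding]:
    """Apply the Annex H steps and the Figure 4 branches to every task row."""
    findings = []
    for t in tasks:
        if not t.modes or not t.modes <= modes:
            raise ValueError(f"{t.name}: every task needs an 'x' in a known mode")
        # Step 3a: a task that cannot be done without defeat forces a change.
        if not t.possible_without_defeat:
            findings.append(Finding(t.name, "redesign_or_new_mode",
                "not possible in " + "/".join(sorted(t.modes)) +
                " without defeating the interlock; improved design or a new mode is mandatory"))
            continue
        level = motivation(t)
        if level == 0:
            # Figure 4: no motivation to defeat -> End
            findings.append(Finding(t.name, "none", "no benefit from defeat"))
        elif t.design_measure_available:
            # Figure 4: motivation can be eliminated -> design measures / alternative modes
            findings.append(Finding(t.name, "design_measure",
                f"benefit level {level}; remove it by design (e.g. a guard giving the visibility)"))
        else:
            # Figure 4: residual motivation -> additional measures, chosen per Table 4
            findings.append(Finding(t.name, "additional_measures",
                f"benefit level {level} remains; select additional measures for the device class"))
    return findings


def actions_by_task(findings: List[Finding]) -> Dict[str, str]:
    """Condense the findings to task -> action for reporting or assertions."""
    return {f.task: f.action for f in findings}


def example_tasks() -> List[Task]:
    """The three rows of the paper's Table 3 plus one constructed maintenance row."""
    return [
        Task("Start-up", frozenset({"Automatic"}), True,
             {"faster": "0", "visibility": "0", "travel": "0"}),
        Task("Machine operation", frozenset({"Automatic"}), True,
             {"faster": "0", "visibility": "++", "travel": "0"},
             design_measure_available=True),   # assumed: a guard with better visibility exists
        Task("Material feeding", frozenset({"Automatic"}), False,
             {"faster": "++", "visibility": "++", "travel": "0"}),
        Task("Clearing a jam", frozenset({"Maintenance"}), True,   # constructed row
             {"faster": "+", "visibility": "0", "travel": "0"}),
    ]


if __name__ == "__main__":
    for f in evaluate(example_tasks()):
        print(f"{f.task:18} {f.action:22} {f.detail}")
```

The evaluator rejects a row with no mode or an unknown mode and an unknown benefit mark, because Annex H only works if every task has been assigned to a mode and every benefit column has been filled in; a silently skipped row is exactly the task whose operators end up defeating the guard.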