Danfoss Functional Safety User guide

Technical Information
Functional Safety - An overview
powersolutions.danfoss.com
Contents
General  3
  Introduction  3
  European Union standards structure  3
Designing a safe machine  4
  The process  4
  Hazard and Risk Analysis  4
  Determining the safety requirement  9
    Applying ISO 13849  10
      Severity of injury  10
      Frequency of exposure  10
      Possibility of avoidance  10
      PLr  10
    Applying EN 62061  11
  SRP/CS architecture  13
    Category B  13
    Category 1  13
    Category 2  14
    Category 3  14
    Category 4  14
  System mapping  15
  Selecting the components  17
  Validation of the system  18
    Applying ISO 13849  18
    Applying EN 62061  20
    Speaking functional safety  22
L1326395 • Rev AA • Oct 2013, page 2

General

Introduction

The purpose of this document is to provide a brief overview of the applicable standards in regard to functional safety and to highlight the cooperation needed between OEM customers and Danfoss as sub-supplier.
A safety system has three important key elements: the user(s), the instructions/manuals and the machine itself. This document only shows aspects related to the machine Functional Safety (FS), defined as all the measures aiming to protect the machine operator or bystander from risk during work with and/or around the machine. Not in scope are risks due to other hazards such as electromagnetic compatibility (EMC), explosive atmospheres (ATEX) etc. These should, however, be evaluated by the machine manufacturer.
WARNING
The manufacturer has the sole responsibility for the machine design, including all three parts of the safety system.

European Union standards structure

In order to be freely marketed in the countries of the European Community, every device or piece of machinery must comply with Community Directives. The Community Directives establish a series of general principles preventing manufacturers from placing products on the market that are hazardous for the operator or bystanders. Any hazard to an operator or bystander due to machine functioning is governed by the Machinery Directive 2006/42/EC. A series of harmonized standards are issued, which translate the content of directives into technical requirements in order to protect the operator and bystanders from risks as well as being used for the risk assessment of a machine. Any manufacturer who applies these standards to his machine is also presumed to conform to the directives.
[Figure: EU standards structure. Machinery Directive 2006/42/EC at the top; Type A basic safety standards: ISO 12100, ISO 14121; Type B generic safety standards; Type C machine safety standards]
It is not mandatory to follow the harmonized standards* when releasing a machine on the market. However, the machine must always comply with the requirements given by the Machinery Directive, and the simplest way to meet EU directives is to comply with the harmonized standards.
If applying the standards, the manufacturer of devices or machines must first verify whether the product is covered by a type C standard. If so, this standard provides the safety requirements. If not, type B standards for any device or specific aspect of the product shall apply. Failing further requirements, the manufacturer must follow the general guidelines stated in the type A standards.
[Figure, continued: Type B generic safety standards shown: ISO 13849, ISO 62061, ISO 4413, IEC 61508; Type C machine safety standards shown: ISO 25119, ISO 15998, ISO 12999]
* http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/machinery/index_en.htm

Designing a safe machine

The process

A user expects a safe machine. When working with and/or around a machine, they expect to complete the tasks unharmed, and the machine design has a significant impact on that safety. Therefore, it is vital to think of functional safety in machine development. Applying functional safety to the machine is a process like many others in the development project. Dividing the complete process into steps allows for a systematic approach, starting with defining the boundaries and requirements and ending with an evaluation of the safety level achieved.

Hazard and Risk Analysis

There is no such thing as a risk-free machine or application. It is impossible to make a machine that will never fail or never expose the operator or bystander to some degree of hazard. Everybody faces risks every single day, risks that could potentially harm us, but we live with them because they are tolerable. Therefore, the challenge is to design a machine with a tolerable risk level.
A standard way of identifying and analyzing the hazards and the risk is found in the standard ISO 12100. This standard describes an iterative, cyclic model that is repeated until a satisfactory result is achieved.
[Figure: the functional safety process as a sequence of steps: Hazard and risk analysis; Determining safety requirement; SRP/CS architecture; System mapping; Component selection; System validation]

Determine machinery limits

In order to identify, and later evaluate, the exact risk associated with an application/machine, it is tremendously important to create a clear overview of the operational limits of the particular machine in question. Defining a very clear and basic set of boundaries will vastly aid the risk identification and make sure the end result fits the application without compromising any use cases.
The first step is to define the machine type. The overall type should already be clear when applying a type B standard, as it must be ensured that the machine type is not subject to any type C standards. Below each machine category, a sub-category may exist, e.g. distinguished by weight or power. If so, the particular machine sub-category should be clearly specified.
It is also relevant to identify the specific tasks that the machine is designed to handle. A clear understanding of these will be needed in the next step when identifying hazards.
Another subject to consider when defining the operational limits is the operational environment. Where the machine is used will have an impact on the risk estimation. Naturally, other risks will be present if a machine is operated in a close-quarter, urban environment compared to operating in a forest. One major difference is the people interacting with the machine in operation, such as unrelated bystanders.
[Figure: Hazard and risk analysis according to ISO 12100]
Determine machinery limits
• What is the machine type
• What tasks does the machine handle
• What is the operating environment
• Who are potentially at risk
Hazard analysis (according to ISO 12100): identify hazards
• Unexpected movement
• Sharp edges
• Falling objects
• Pinch points
Harm sequence
• Machine designation
• Hazard description
• Harm sequence
• Severity of harm
• Probability of hazard
• Probability that someone is exposed to the hazard
• Probability that contact with the hazard is inevitable
Risk evaluation (according to ISO 12100): estimate the risk and evaluate the risk
• Can I reduce the risk
• Does the risk feel comfortable
• Is it safe enough for my family
• Can I justify the decision to anyone
Is the machine safe?
• YES: the end
• NO: take measures for risk reduction according to ISO 12100
Hazard identication
When the boundaries of the machine are clearly dened, the next step is to identify the hazards. Without clear boundaries, a lot of resources will be wasted trying to solve hazards that are not relevant to the actual operating situation.
The identication of a hazard can also be described as the identication of unexpected occurrances during an operating situation. It is crucial to both discover all hazards and to understand them. If either of these fail, a person may get injured and/or it will require a great deal of resources to correct the design.
To aid the identication of the hazards, it would be valueable to assemble a multi-functional team with dierent backgrounds within all aspects of work with the machine. To facilitate the identication process, an incident history or database might also be of value.
Harm sequence
Once the machine limits and possible hazards are known, these can be put together into a harm sequence. The harm sequence will be the basis for risk estimation later on in the process. Another way of describing the harm sequence is as a “chain of events”.
The harm sequence always starts with a task within the machine’s operational limits and ends with injury to a person. The goal of the harm sequence is to remove one single element which will prevent the nal harm or injury.
An example of a harm sequence can be seen below.
Machine designation: Warehouse truck model X2012.
Hazard description: An unexpected change of direction due to steering system failure.
Harm sequence:
• Machine is travelling inside a factory facility
• Failure of steering system occurs
  – Hose breaks, loss of hydraulic pressure
  – Or valve spring failure
• Unexpected change of direction occurs
• Bystander in close proximity
  – On-coming warehouse truck
  – Worker passing by on foot
• Machine operator unable to avoid collision
  – Shut off machine
• Bystander unable to avoid collision
  – Stopping or steering
• Machine collides with another truck
• Impact energy is sufficient to cause injury
• Machine operator is injured
• Possible injuries are lacerations or broken bones.

Risk estimation

Estimating the risks is very important, as it is the prerequisite for risk evaluation. Estimating the risk gives a clear indication of the safety level of the machine and, in turn, of the need to implement safety functions.
[Figure: risk as the combination of severity of harm and probability of occurrence]
A good approach to organizing the risk estimation is to make a scorecard with both severity and occurrence. For each hazard identified, a score for severity and a score for occurrence probability should be given. It is important not to look only at the worst case. The standards do not prescribe any particular ranking of severity or occurrence. Multiplying the two scores gives a numerical expression of the seriousness of the risk associated with a specific hazard.

Risk evaluation

The risk evaluation is the point in the process where the safety level of the machine and the possible need for safety features to reduce risk are decided. By completing the risk evaluation, a guide to risk reduction is made.
For each risk identified and scored in the risk estimation, an evaluation must be performed. The purpose of the evaluation is to decide whether the current safety level is sufficient for the machine builder. In other words, the risk evaluation determines whether the risk present is tolerable. It is important to keep in mind that there is no such thing as a risk-free machine or application. The goal is to design and build a machine which only has tolerable risks.
If the risk is tolerable by the way the machine is designed, the hazard and risk analysis is complete and the machine/application is compliant with all regulations and conforms to the Machinery Directive.
If the risk is not tolerable, measures for risk reduction must be taken.

Risk reduction

The aim of risk reduction is to reduce the risks to what is reasonably practicable, or to mitigate them to a tolerable level of residual risk. As the word reduction indicates, the purpose is to reduce the risks that are found, as there will always be risk that cannot be eliminated. A rule of thumb is that if a risk can be reduced, then it must be reduced.
[Figure: Risk reduction according to ISO 12100]
Avoid risk by design
• Design the machinery in such a way that the risk does not appear
Avoid risk by safeguard
• Incorporate guards to minimize the risk
Avoid risk by information
• Warning labels
• User manual
• Training
SRP/CS: define safety function
• Is the safety measure dependent on a control system?
• Yes: define safety functions based on the applicable level B standard
• No: consider residual risks
• Example 1: Machinery cannot move unless an operator is present
• Example 2: Deliver no flow when neutral set point is given
Residual risks?
• Return to Hazard and Risk Analysis according to 14121
The optimum way of reducing a risk is to design the machine in such a way that the risk does not appear. However, this is not always possible, as it may limit or conflict with the machine's operational limits. The commercial realities of putting a machine on the market also have a significant impact on the machine design and its cost. Examples of risk reduction by design are openings made too small for human limbs to enter, or rotating spoke-discs replaced by plate-discs.
Another way of reducing risks is to incorporate safeguards on the machine. Safeguards are not seen as a way to design out the risk, but as a separate way of reducing it. Examples of safeguards are light curtains, two-hand control and system interlocks.
The last way of reducing the risk is to inform the user about it. This covers training, manuals, etc. It is important to bear in mind that training the user will only affect the probability of harm to the user. Bystanders and similar will not be affected by this, and their probability of harm will therefore not decrease much. Examples of information could be warning labels, display information or use cases in manuals.
This document does not cover information on use. Please refer to DIN 4844-2 for warning symbols.
When the risk reduction measures are identified, their method of implementation must be evaluated. If the risk reduction measure is realized by a control system, a safety function must be defined for each risk. The activation of the safety function results in a defined safe state. A failure to perform the safety function is equal to an increased risk. A safety function is not part of the standard operation of a machine/application, meaning that if the safety function fails, the machine/application can still operate, but with an increased risk.
The process of reducing the risks is repetitive. Whenever a measure for risk reduction has been decided and implemented, it must be evaluated whether this addition or design change to the machine/application has caused new risks not present before. If so, one must return to hazard identification and repeat the process from there.
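As an added example (not part of the Danfoss document), the scorecard from the risk estimation section and the repeated estimate, evaluate and reduce loop described above, in Python, applied to the warehouse truck steering-failure hazard from the harm sequence. The 1 to 4 scales, the tolerability limit of 24, the ordering of measures and what each measure does to the scores are constructed assumptions, since the standards prescribe no ranking.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Hazard:
    description: str     # hazard description (start of the harm sequence)
    person_at_risk: str  # "operator" or "bystander"
    severity: int        # severity of harm, 1 (minor) .. 4 (fatal); constructed scale
    p_hazard: int        # probability that the hazard occurs, 1..4
    p_exposure: int      # probability that someone is exposed to it, 1..4
    p_unavoidable: int   # probability that contact cannot be avoided, 1..4

    def occurrence(self):  # probability of occurrence folded from the three factors
        return self.p_hazard * self.p_exposure * self.p_unavoidable
    def risk(self):  # scorecard value: severity multiplied by probability of occurrence
        return self.severity * self.occurrence()

TOLERABLE = 24  # constructed acceptance limit; the machine builder decides this

# Each measure returns the reduced hazard plus any new hazards it introduces.
def by_design(h):  # avoid the risk by design: make the failure itself unlikely
    return replace(h, p_hazard=1), []

def by_safeguard(h):  # an interlock lowers exposure but adds a hazard of its own
    added = replace(h, description="Unexpected stop caused by interlock",
                    severity=1, p_hazard=2, p_exposure=2, p_unavoidable=2)
    return replace(h, p_exposure=max(1, h.p_exposure - 2)), [added]

def by_information(h):  # training and labels reach the operator, not a bystander
    if h.person_at_risk == "operator":
        return replace(h, p_unavoidable=max(1, h.p_unavoidable - 1)), []
    return h, []
HIERARCHY = [by_design, by_safeguard, by_information]  # ISO 12100 order of preference

def reduce_risks(hazards, max_rounds=20):
    # Estimate, evaluate, reduce; repeat until every risk is tolerable or no measure helps.
    pending, residual = list(hazards), {}
    while pending and max_rounds > 0:
        max_rounds, next_round = max_rounds - 1, []
        for h in pending:
            if h.risk() <= TOLERABLE:
                residual[h.description] = h.risk()
                continue
            for measure in HIERARCHY:
                reduced, added = measure(h)
                if reduced.risk() < h.risk():
                    next_round += [reduced] + added  # new hazards re-enter the analysis
                    break
            else:  # nothing reduces it further: residual risk the builder must justify
                residual[h.description] = h.risk()
        pending = next_round
    residual.update((h.description, h.risk()) for h in pending)  # unconverged
    return residual

# Constructed input modelled on the document's harm sequence (scores are assumptions).
STEERING = Hazard("Unexpected change of direction due to steering system failure",
                  "bystander", severity=3, p_hazard=3, p_exposure=3, p_unavoidable=3)
```

Running reduce_risks([STEERING]) takes the initial score of 81 down to 9 by design and then by safeguard, and records the interlock's own new hazard (score 8) as a residual risk, which is the re-entry into hazard identification the text describes.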