Danfoss Functional Safety User guide
MAKING MODERN LIVING POSSIBLE
Technical Information
Functional Safety An overview
powersolutions.danfoss.com
Technical Information |
Functional Safety - An overview |
|
Contents |
General......................................................................................................................................................................................... |
3 |
|
Introduction................................................................................................................................................................................. |
3 |
|
European Union standards structure................................................................................................................................. |
3 |
|
Designing a safe machine................................................................................................................................................... |
4 |
|
The process.................................................................................................................................................................................. |
4 |
|
Hazard and Risk Analysis......................................................................................................................................................... |
4 |
|
Determine machinery limits............................................................................................................................................ |
4 |
|
Hazard identification.......................................................................................................................................................... |
5 |
|
Harm sequence.................................................................................................................................................................... |
5 |
|
Risk estimation..................................................................................................................................................................... |
6 |
|
Risk evaluation...................................................................................................................................................................... |
7 |
|
Risk reduction....................................................................................................................................................................... |
7 |
|
Determining the safety requirement................................................................................................................................. |
9 |
|
Applying ISO 13849.......................................................................................................................................................... |
10 |
|
Severity of injury.......................................................................................................................................................... |
10 |
|
Frequency of exposure.............................................................................................................................................. |
10 |
|
Possibility of avoidance............................................................................................................................................. |
10 |
|
PLr...................................................................................................................................................................................... |
10 |
|
Applying EN 62061............................................................................................................................................................ |
11 |
|
SRP/CS architecture................................................................................................................................................................ |
13 |
|
Category B............................................................................................................................................................................ |
13 |
|
Category 1............................................................................................................................................................................ |
13 |
|
Category 2............................................................................................................................................................................ |
14 |
|
Category 3............................................................................................................................................................................ |
14 |
|
Category 4............................................................................................................................................................................ |
14 |
|
System mapping...................................................................................................................................................................... |
15 |
|
Selecting the components................................................................................................................................................... |
17 |
|
Validation of the system........................................................................................................................................................ |
18 |
|
Applying ISO 13849.......................................................................................................................................................... |
18 |
|
Applying EN 62061............................................................................................................................................................ |
20 |
|
Speaking functional safety.............................................................................................................................................. |
22 |
2 |
L1326395 • Rev AA • Oct 2013 |
Technical Information |
Functional Safety - An overview |
|
|
General |
Introduction |
|
The purpose of this document is to provide a brief overview of applicable standards in regards to |
|
functional safety and to highlight the cooperation needed between OEM customers and Danfoss as |
|
sub-supplier. |
|
A safety system has three important key elements; the user(s), the instructions/manuals and the |
|
machine itself. This document only shows aspects related to the machine Functional Safety (FS), |
|
defined as all the measures aiming to protect the machine operator or bystander from risk during |
|
work with and/or around the machine. Not in scope are risks due to other hazards such as electro- |
|
magnetic capability (EMC), explosive atmospheres (ATEX) etc. These should, however, be evaluated |
|
by the machine manufacturer. |
|
WARNING |
|
The manufacturer has the sole responsibility for the machine |
|
Design, including all three parts of the safety system. |
|
European Union standards structure |
|
In order to be freely marketed in the countries of the European Community, every device or piece of |
|
machinery must comply with Community Directives. The Community Directives establish a series of |
|
general principles preventing manufacturers from placing products on the market that are hazardous |
|
for the operator or bystanders. Any hazard to an operator or bystander due to machine functioning is |
|
governed by the Machinery Directive 2006/42/EC. |
|
A series of harmonized standards are issued, which translate the content of directives into technical |
|
requirements in order to protect the operator and bystanders from risks as well as being used for the |
|
risk assessment of a machine. Any manufacturer who applies these standards to his machine is also |
|
presumed to conform to the directives. |
Machinery Directive
2006/42/EC
Type A - Bacis safety standards
Type B - Generic safety standards
ISO 12100
|
ISO 13849 |
Type C - Machine safety |
|
ISO 62061 |
standards |
ISO |
ISO 4413 |
ISO 25119 ISO 15998 ISO 12999 |
14121 |
IEC 61508 |
|
|
|
P301 568
It is not mandatory to follow the harmonized standards* when releasing a machine on the market. However, the machine must always comply to the requirements given by the Machinery Directive and the simplest way to meet EU directives is to comply to the harmonized standards.
If applying the standards, the manufacturer of devices or machines must first verify whether the product is covered by a type C standard. If so, this standard provides the safety requirements. If not, type B standards for any device or specific aspect of the product shall apply. Failing further requirements, the manufacturer must follow general guidelines as stated in the type A standards.
*http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/machinery/index_en.htm
L1326395 • Rev AA • Oct 2013 |
3 |
Technical Information |
Functional Safety - An overview |
|
|
Designing a safe machine |
The process |
|
A user expects a safe machine. The machine |
|
design also has a significant impact on safety. |
|
When working with and/or around a machine, |
|
they expect to complete the tasks unharmed. |
|
Therefore, it is vital to think of functional safety |
|
in machine development. Applying functional |
|
safety to the machine is a process like many |
|
others in the development project. Dividing the |
|
complete process into steps will allow for a |
|
systematic approach starting with defining the |
|
boundaries and requirements and ending up |
|
with an evaluation of the safety level achieved. |
Hazard and Risk Analysis
There is no such thing as a risk-free machine or application. It is impossible to make a machine that will never fail nor expose the operator or bystander to some extent of hazard. Everybody faces risks every single day. Risks that could potentially harm us but we live with these risks because they are tolerable. Therefore, the challenge is to design a machine with a tolerable risk level.
A standard way of identifying and analyzing the hazards and the risk are found in the standard ISO 12100. This standard describes an iterative cyclic model that will run until a satisfactory result is achieved.
Hazard and risk analysis
Determining safety requirement
SRP/CS architecture
System mapping
Component
selection
System validation
P301 569
Determine machinery limits
In order to identify, and later evaluate the exact risk that is associated with an application/machine, it is tremendously important to create a clear overview of the operational limits of the particular machine in question. Defining very clear and basicl set of boundaries will vastly aid in the risk identification and make sure the end result will fit the application without compromising any use cases.
The first step is to define the machine type. The overall type should already be clear when applying a type B standard, as it must be ensured that the machine type is not subject to any type C standards. Below each machine category, a sub-category may exist e.g. distinguished by weight or power. If so, the particular machine sub-category should be clearly specified.
It is also relevant to identify the specific tasks that the machine is designed to handle. A clear understanding of these will be needed in the next step when identifying hazards.
Another subject to consider when defining the operational limits is the operational environment. It will have an impact on the risk estimation where the machine is used. Naturally, other risks will be present if a machine is operated in a close-quarter, urban environment compared to operating in a forest. One major difference is the people interacting with the machine in operation such as unrelated bystanders.
4 |
L1326395 • Rev AA • Oct 2013 |
Technical Information |
Functional Safety - An overview |
|
|
Designing a safe machine
(continued)
<![if ! IE]><![endif]>sis al y d AanrHa z 12100) ISO o ding o r tac( c
<![if ! IE]><![endif]>Evaluation Risk 12100) ISO to (according
Determine machinery limits
Identify Hazards
Harm sequence
Estimate the Risk
Evaluate the Risk
Is the machine safe?
•What is the machine type
•What tasks does the machine handle
•What is the operating environment
•Who are potentialy at Risk
•Unexpected movement
•Sharp edges
•Falling objects
•Pinch points
•Machine designation
•Hazard descroption
•Harm sequence
•Severity of Harm
•Probability of Hazard
•Probability that soemone is expossed to Hazard
•Probability that contact with Hazard is inevitable
• Can I reduce the Risk
•Does the Risk feel comfortable
•Is it safe enough for my family
• Can I justify the decision to anyone
S
• YES → |
The End |
• NO → |
Take measures for Risk reduction according to ISO 12100 |
P301 570
Hazard identification
When the boundaries of the machine are clearly defined, the next step is to identify the hazards. Without clear boundaries, a lot of resources will be wasted trying to solve hazards that are not relevant to the actual operating situation.
The identification of a hazard can also be described as the identification of unexpected occurrances during an operating situation. It is crucial to both discover all hazards and to understand them. If either of these fail, a person may get injured and/or it will require a great deal of resources to correct the design.
To aid the identification of the hazards, it would be valueable to assemble a multi-functional team with different backgrounds within all aspects of work with the machine. To facilitate the identification process, an incident history or database might also be of value.
Harm sequence
Once the machine limits and possible hazards are known, these can be put together into a harm sequence. The harm sequence will be the basis for risk estimation later on in the process. Another way of describing the harm sequence is as a “chain of events”.
The harm sequence always starts with a task within the machine’s operational limits and ends with injury to a person. The goal of the harm sequence is to remove one single element which will prevent the final harm or injury.
L1326395 • Rev AA • Oct 2013 |
5 |
Technical Information |
Functional Safety - An overview |
|
|
Designing a safe machine An example of a harm sequence can be seen below.
(continued)
Machine designation:
Warehouse truck model X2012.
Hazard description:
An unexpected change of direction due to steering system failure.
Harm sequence:
yy Machine is travelling inside a factory facility yy Failure of steering system occurs
–– Hose breaks, loss of hydraulic pressure
–– Or valve spring failure
yy Unexpected change of direction occurs yy Bystander in close proximity
–– On-coming warehouse truck
–– Worker passing by on foot
yy Machine operator unable to avoid collision
–– Shut off machine
yy Bystander unable to avoid collision
–– Stopping or steering
yy Machine collides with another truck
yy Impact energy is sufficient to cause injury yy Machine operator is injured
yy Possible injuries are lacerations or broken bones.
S
Risk estimation
Estimating the risks is very important as it is the prerequisite for risk evaluation. Estimating the risk will give a clear indication of the safety level of the machine and in turn the need of implementing safety functions.
Severity of
harm
Risk
Probability of occurence
P301 572
A good approach to organize the risk estimation is to make a scorecard with both severity and occurrence. For each hazard identified, a score for all severities and occurrence probability should be given. It is important not only to look at worst case. There is no ranking governed by the standards on severity or occurrence. Multiplying the two scores will give a numerical expression of the seriousness of a risks associated with a specific hazard.
6 |
L1326395 • Rev AA • Oct 2013 |
Technical Information |
Functional Safety - An overview |
|
|
Designing a safe machine |
Risk evaluation |
(continued) |
The risk evaluation is the point in the process where the safety level of the machine and the possible |
|
need for safety features to reduce risk are decided. By completing the risk evaluation, a guide to risk |
|
reduction is made. |
|
For each risk identified and scored in the risk estimation, an evaluation must be performed. The |
|
purpose of the evaluation is to decide if the current safety level are sufficient to the machine builder. |
|
In other words, the risk evaluation determines if the risk present is tolerable. It is important to keep in |
|
mind that there is no such thing as a risk-free machine or application. The goal is to design and build a |
|
machine which only has tolerable risks. |
|
If the risk is tolerable by the way the machine is designed, the hazard and risk analysis is complete and |
|
the machine/application is compliant with all regulations and conforms with the machinery directive. |
|
If the risk is not tolerable, measures for risk reduction must be taken. |
|
Risk reduction |
|
The aim of the risk reduction is to reduce the risks to what reasonable practical or mitigate to a |
|
tolerable level of residual risk. But as the word reduction indicates, the purpose is to reduce the risks |
|
that are found as there will always be risk that cannot be eliminated. A rule of thumb is that if a risk |
|
can be reduced, then it must be reduced. |
Avoid Risk by design
Avoid Risk by safeguard
| <![if ! IE]> <![endif]>reductionRisk 12100)ISOto(according |
Avioid Risk by |
|
|
|
information |
|
SRP/CS |
|
De ne safety |
|
function |
Resedual
Risks?
• Design the machinery in such a way that the Risk does not appear
• Incorporate guards to minimize the Risk
• Warning labels
•User manual
•Training
•Is the safety measure dependant on a control system?
•Yes: De ne safety functions based on applicable level B standard
•No: Consider resedual Risks
•Example 1: Machinery cannot move unless an operator is present
•Example 2: Deliver no ow when neutral set point is given
•Return to Hazard and Risk Analysis according to 14121
P301 573
L1326395 • Rev AA • Oct 2013 |
7 |
Technical Information |
Functional Safety - An overview |
|
|
Designing a safe machine The optimum way of reducing a risk, is to design the machine in such a way that the risk cannot be (continued) visible. However, this is not always possible if this will limit or conflict with machine operational limits.
The commercial realities of putting a machine on the market also have a significant impact on the machine design and cost of same. Examples of risk reduction by design are openings made too small for human limbs to enter or rotating spoke-discs replaced by plate-discs.
Another way of reducing risks is to incorporate safe guards on the machine. Safe guards are not seen as a way to design out the risk, but as a separate way of reducing them. Examples of safe guards are light curtains, two hand control and system interlocks.
The last way of reducing the risk is to inform the user about them. This covers training, manuals, etc. It is important to have in mind that training the user will only affect the probability of harm to the user. Bystanders and similar will not be effected by this and the probability of harm will therefore not decrease much. Examples of information could bewarning labels, display information or use cases in manuals.
This document does not cover Information on use.
Please refer to DIN 4844-2 for warning symbols
When the risk reduction measures are identified, their method of implementation must be evaluated. If the risk reduction measure is realized by a control system, a safety function of each risk must be defined. The activation of the safety function will result in a defined safe state. A failure to perform the safety function is equal to an increased risk. A safety function is not part of a machine/application standard operation, meaning that in case the safety function fails, the machine/application can still operate but with an increased risk.
The process of reducing the risks is repetitive. Whenever a measure for risk reduction has been decided and implemented it must be evaluated if this addition or design change to the machine/ application has caused new risks not present before. If so, one must return to hazard identification and repeat the process from there.
8 |
L1326395 • Rev AA • Oct 2013 |
Loading...