
Page 1: Technology CPU Application Description January 2013 · 2015. 1. 19. · Applications & Tools Answers for industry. Cover sheet Technology CPU 317TF-2 DP: Example for determining the

Applications & Tools

Answers for industry.

Cover sheet

Technology CPU 317TF-2 DP: Example for determining the Performance Level (PL) according to ISO 13849-1

Technology CPU

Application Description January 2013


2 Determination of PL according to ISO 13849-1

V1.0, Entry ID: 47393794

Copyright Siemens AG 2013. All rights reserved.

Siemens Industry Online Support

This document is taken from Siemens Industry Online Support. The following link takes you directly to the download page of this document:

http://support.automation.siemens.com/WW/view/en/47393794

Caution: The functions and solutions described in this entry are mainly limited to the realization of the automation task. In addition, please note that suitable security measures in compliance with the applicable Industrial Security standards must be taken if your system is interconnected with other parts of the plant, the company's network or the Internet. More information can be found under entry ID 50203404.

http://support.automation.siemens.com/WW/view/en/50203404

If you have any questions about this document, please contact us at the following e-mail address:

[email protected]

For further information on this topic you may also actively use our Technical Forum in the Service & Support Portal. Add your questions, suggestions and problems and discuss them in our large forum community:

http://www.siemens.com/forum-applications


SIMATIC Determination of PL according to ISO 13849-1

Technology CPU 317TF-2 DP

1 Application Example

2 Application of the SET

3 Risk Analysis and Risk Assessment

4 Specification and Realization

5 Determination of the SIL achieved by SRECS

6 User Information and Validation

7 Project File for the Application Example

8 Links & Literature

9 History


Warranty and Liability

Note: The application examples are not binding and do not claim to be complete regarding configuration, equipment and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of your responsibility to use sound practices in application, installation, operation and maintenance. When using these application examples, you recognize that we will not be liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time without prior notice. If there are any deviations between the recommendations provided in this application example and other Siemens publications (e.g. catalogs), the contents of the other documents shall have priority.

We do not accept any liability for the information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this application example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or violation of fundamental contractual obligations (“wesentliche Vertragspflichten”). However, claims for damages arising from the violation of fundamental contractual obligations shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for personal injury, bodily harm or damage to health. The above provisions do not imply a change in the burden of proof to your detriment.

It is not permissible to transfer or copy these application examples or excerpts thereof without express authorization from Siemens Industry Sector.


Preface

Objective of this application

Using an example, this documentation introduces the determination of the performance level (PL) of an application with the Technology CPU 317TF-2 DP according to ISO 13849-1 using the safety evaluation tool (SET).

Core topics of this application

The following main topics are discussed in this application:

• Introduction of the application example which is used for illustrating the determination of the performance level (PL).

• Identification of the safety functions (SFs) required for the application example.

• Determination of the required performance (SIL) using the safety evaluation tool (SET).

• Design and realization of the derived safety functions (SFs).

• Determination of the reached performance (PL) using the safety evaluation tool (SET).

Validity

The procedure introduced here is aimed at the technology CPU 317TF-2 DP; however, it applies to fail-safe SIMATIC CPUs in general.

Representation of the screen masks of the safety evaluation tool (SET)

The screen masks of the safety evaluation tool (SET) are contained in the PDF version of this document in high resolution. For a detailed viewing of the screen masks please use the zoom function of your PDF reader.

For the printed version of this document the project file of the safety evaluation tool (SET) is available as a download on the download page of this application example. You can also use this project file to directly view the screen masks in the safety evaluation tool (SET).


Table of Contents

Warranty and Liability ..... 4
Preface ..... 5
1 Application Example ..... 8
1.1 Problem definition of the application example ..... 8
1.2 Overview of solution in the application example ..... 9
1.2.1 Safety Function 1 ..... 9
1.2.2 Safety Function 2 ..... 9
1.2.3 Safety Function 3 ..... 10
1.2.4 Safety system ..... 10
2 Application of the SET ..... 12
2.1 Basics ..... 12
2.1.1 Safety Evaluation Tool (SET) ..... 12
2.1.2 Support by the safety evaluation tool (SET) ..... 12
2.2 Creating a SET project ..... 12
2.2.1 Creating a Project ..... 12
2.2.2 Creating a safety area ..... 13
2.2.3 Creating the safety function ..... 14
3 Risk Analysis and Risk Assessment ..... 16
3.1 Performing a risk analysis ..... 16
3.2 Performing the risk assessment ..... 17
3.2.1 Risk assessment for hazard 1 ..... 18
3.2.2 Risk assessment for hazard 2 ..... 20
3.2.3 Classification of safety function 3 ..... 22
3.2.4 Summary of the risk assessment ..... 23
4 Specification and Realization ..... 25
4.1 Developing the SRCF specification ..... 25
4.1.1 Specification of SF 1 ..... 25
4.1.2 Specification of SF 2 ..... 26
4.1.3 Specification of SF 3 ..... 28
4.2 Architecture of overall system ..... 30
4.2.1 Segmentation of safety functions into function blocks (SRP/CS) ..... 30
4.2.2 Specifying the requirements for the SRP/CS ..... 31
4.2.3 Specification of the hardware components ..... 34
4.2.4 Assigning function blocks (SRP/CS) to subsystems ..... 35
4.2.5 Function block subsystem 1: “position of the protective door” ..... 36
4.2.6 Function block subsystem 2: “position of the protective cover” ..... 41
4.2.7 Function block subsystem 3: “emergency-stop” ..... 45
4.2.8 Function block subsystem 4 ..... 48
4.2.9 Function block subsystem 5 ..... 50
4.2.10 Summary ..... 53
4.3 Realizing the subsystems ..... 54
5 Determining the achieved Performance Level ..... 57
5.1 Evaluation via the safety evaluation tool (SET) ..... 57
5.1.1 Conditions for the required PL ..... 57
5.1.2 Results report of the safety evaluation tool (SET) ..... 57
5.2 Safety function 1 (SF 1) ..... 58
5.3 Safety function 2 (SF 2) ..... 59
5.4 Safety function 3 (SF 3) ..... 60
5.5 Implementing the overall system ..... 61


6 User Information and Validation ..... 62
6.1 Generating user information ..... 62
6.2 Performing a validation ..... 62
7 Project File for the Application Example ..... 63
7.1 Downloading the project file ..... 63
7.2 Content of the project file ..... 63
7.2.1 Variant 1 of the overall system ..... 63
7.2.2 Variant 2 of the overall system ..... 64
8 Links & Literature ..... 65
8.1 Literature ..... 65
8.2 Internet Links ..... 65
9 History ..... 66


1 Application Example

1.1 Problem definition of the application example

A machine contains two axes which are independent of each other. The axes are controlled via technology CPU 317TF-2 DP. An encapsulated axis is located under the protective cover in the machine. The other axis is freely accessible for the operator. A paling fence must be set up around this hazardous area of the machine, which can be accessed through a protective door (slide door) secured with a door contact switch. The protective cover of the encapsulated axis is monitored by a protective cover hinge switch and a protective cover contact switch.

Both axes of the machine can be safely stopped via an emergency-stop control unit attached on the outside of the paling fence.

Figure 1-1 Example machine for the application example

The following safety functions shall be realized at this machine:

• Safety function 1 (SF 1): “Safely reduced speed”. If the protective door is opened while the machine is running, the freely accessible axis of the machine must be brought to a safely reduced speed. The Safely-Limited Speed (SLS) safety function of the SINAMICS S120 shall be used for this.

• Safety function 2 (SF 2): “Safe stopping of all axes”. If the protective cover of the encapsulated axis at the machine is opened, both axes of the machine shall be stopped. The Safe Stop 1 (SS1) safety function of the SINAMICS S120 shall be used for this.

• Safety function 3 (SF 3): “Emergency-stop of all axes”. If the emergency stop button is pressed, both axes of the machine shall be stopped. The Safe Torque Off (STO) safety function of the SINAMICS S120 shall be used for this.

[Figure 1-1 labels: encapsulated axis; protective door (slide door); emergency stop control unit; freely accessible axis; protective cover contact switch (position switch with separate actuator); protective cover hinge switch; door contact switch (position switch)]


Note: The function of the emergency-stop control unit is a supplementary safety function which, according to chapter 1.2.4.3 of the Machinery Directive 2006/42/EC, is generally required at a machine and normally need not be included in the discussion of the safety-related control functions illustrated here.

In order to explain the procedure for determining the performance level (PL), the function of the emergency-stop control unit is included in the calculation here.

1.2 Overview of solution in the application example

1.2.1 Safety Function 1

Safe speed reduction of the freely accessible machine axes.

• Name of the safety function: “Safe reduction of the axis speed”

• Function of the safety function: When the protective door is opened, the speed of the freely accessible axes of the machine is reduced to a given safe speed and monitored via the Safely-Limited Speed (SLS) safety function of the SINAMICS S120.

• Demanded performance level (PLr) of the safety function according to the risk analysis (see chapter 3.2.1): PLr d

Figure 1-2 Possible realization of safety function 1 [Information → Detection → Evaluation → Reaction → Actions]

1.2.2 Safety Function 2

Switching off both machine axes when opening the protective cover of the encapsulated axis at the machine:

• Name of the safety function: “Safe stopping of the machine axes”

• Function of the safety function: When the protective cover is opened, both machine axes are stopped using the Safe Stop 1 (SS1) safety function of SINAMICS S120.

• Demanded performance level (PLr) of the safety function according to the risk analysis (see chapter 3.2.2): PLr d


Figure 1-3 Possible realization of safety function 2 [Information → Detection → Evaluation → Reaction → Actions]

1.2.3 Safety Function 3

Emergency-stop of both machine axes when pressing the emergency stop control unit at the machine:

• Name of the safety function: “Emergency-stop of machine axes”

• Function of the safety function: When the emergency-stop control unit is operated, both machine axes are stopped using the Safe Torque Off (STO) safety function of SINAMICS S120.

• Demanded performance level (PLr) of the safety function according to the classification of the safety-related control function (see chapter 3.2.3): PLr d

Figure 1-4 Possible realization of safety function 3 [Information → Detection → Evaluation → Reaction → Actions]

1.2.4 Safety system

The safety system for performing the safety functions (SF 1, SF 2 and SF 3) consists of five sub-systems:


Table 1-1 Subsystems of a safety system (SRECS)

Subsystem | Function to be executed | Components
Subsystem 1 | SF 1 “Detection”: Monitoring the protective door using two position switches. | SIRIUS
Subsystem 2 | SF 2 “Detection”: Monitoring the protective cover using a hinge switch and a position switch with separate actuator. | SIRIUS
Subsystem 3 | SF 3 “Detection”: Monitoring the state of the emergency-stop control unit for stopping all of the machine axes. | SIRIUS
Subsystem 4 | SF 1 / SF 2 / SF 3 “Evaluation”: Processing the signals in a fail-safe controller (F-PLC). | SIMATIC S7 Distributed Safety
Subsystem 5 | SF 1 / SF 2 / SF 3 “Reaction”: Executing the internal Safely-Limited Speed (SLS), Safe Stop 1 (SS1) and Safe Torque Off (STO) safety functions of the drive. | SINAMICS

Figure 1-5 Safety system [Information → Detection (Subsystems 1, 2 and 3) → Evaluation (Subsystem 4) → Reaction (Subsystem 5) → Actions]

Subsystems 1, 2 and 3 are designed subsystems; subsystems 4 and 5 are prefabricated subsystems.


2 Application of the SET

2.1 Basics

2.1.1 Safety Evaluation Tool (SET)

The safety evaluation tool (SET) is a TÜV-certified online tool by the Siemens Industry sector for the IEC 62061 and ISO 13849-1 standards which aids the evaluation of the safety functions at your machine. The result is output in a standards-compliant report which can be integrated into the documentation of your machine as a safety proof.

The safety evaluation tool (SET) can be accessed online at the following link:

http://www.siemens.com/safety-evaluation-tool

A “SET Getting Started” instruction and a “SET Tutorial” (video) are also available.

2.1.2 Support by the safety evaluation tool (SET)

The safety evaluation tool (SET) supports the following activities when determining the performance level (PL) according to ISO 13849-1:

• Design of the safety system architecture

• Realizing the subsystems (SRP/CS) of the safety system

• Determining the achieved performance level (PL)

Note: A complete application of ISO 13849-1 additionally requires further activities which go beyond the use of the safety evaluation tool (SET). These activities include, for example, generating additional documentation and validation documents.

Respective information is available in the ISO 13849-1 and ISO 13849-2 standards.

2.2 Creating a SET project

2.2.1 Creating a Project

When creating a new project in the safety evaluation tool (SET), you must already decide on the standard to be applied to the project. In this application example, the application of the ISO 13849-1 standard is explained in greater detail.

Figure 2-1 Creating a SET project – Selecting the standard to be applied


In the subsequent screen mask you can specify a name for the project and enter further details on the project.

Figure 2-2 Creating a SET project

Note: In order to obtain a standards-compliant report from the safety evaluation tool (SET) as a safety proof, all relevant fields of the screen masks of the safety evaluation tool (SET) must be filled in.

Since the displays in this document originate from an application example, the screen masks are not filled in completely to provide a better overview.

2.2.2 Creating a safety area

You can divide your entire machine into different safety areas to which individual safety functions are then assigned.

In this application example, a single substitute safety area is created into which the safety functions to be represented are integrated.

Figure 2-3 Creating a safety area


2.2.3 Creating the safety function

Within the safety area, the individual safety functions can now be created. The appropriate setup of the safety function must be selected accordingly.

In the application example on hand, the classic setup of the safety-related control function is selected with three function blocks:

Figure 2-4 Function blocks of the safety function [Information → Function block 1: Detection → Function block 2: Evaluation → Function block 3: Reaction → Actions]

The setup of the safety function in the safety evaluation tool (SET) is selected via the following screen mask.

Figure 2-5 Creating a safety function – Selecting a subfunction

This creates three subfunctions in the safety evaluation tool (SET). The risk evaluation can then be performed in the screen mask on the safety function, as illustrated in chapter 3.2.

Figure 2-6 Creating a safety function


Create the following three safety functions (SF), each with three function blocks:

• Safety function 1 (SF 1): “Safely reduced speed”

Figure 2-7 Possible realization of safety function 1 [Information → Detection → Evaluation → Reaction → Actions]

• Safety function 2 (SF 2): “Safe stopping of all axes”

Figure 2-8 Possible realization of safety function 2 [Information → Detection → Evaluation → Reaction → Actions]

• Safety function 3 (SF 3): “Emergency-stop of all axes”

Figure 2-9 Possible realization of safety function 3 [Information → Detection → Evaluation → Reaction → Actions]


3 Risk Analysis and Risk Assessment

3.1 Performing a risk analysis

A risk analysis has to be performed for the machine before the actual application of ISO 13849-1. The risk analysis is not contained in the ISO 13849-1.

The risk analysis examines…

• …the hazards posed by the machine.

• ...the safety functions necessary in order to reduce the hazard risk.

The risk of a hazard depends on the following two factors:

• severity of the possible harm that may be caused by the hazard

• probability of occurrence of the harm

Applied in the application example

The risk analysis for the application example yields the following result:

Table 3-1

Hazard | Required safety functions (SF)
1 When accessing the hazardous area through the safety door, the operator may suffer severe injury at the freely accessible axis. | SF 1: reducing the speed of the freely accessible machine axes to a safe upper limit.
2 When opening the protective cover of the machine, the operator may suffer severe injury at the gear wheels rotating in the machine, which are connected with both machine axes. | SF 2: immediate stopping of both axes at the machine.

Note: For realizing safety function 3 “emergency-stop”, no risk analysis needs to be performed, since the classification of the “emergency-stop” can generally be selected by the user, unless there is a type C standard which dictates the classification.

Note: Safety function 3 “emergency-stop” is a supplementary safety function which must not replace an independent safety function.


3.2 Performing the risk assessment

After the analysis the risk assessment is performed for each hazard identified at the machine.

Figure 3-1 Performing the risk assessment [risk graph for identifying PLr: Start → Risk parameter 1: Severity of injury (S1 / S2) → Risk parameter 2: Frequency and/or exposure time to hazard (F1 / F2) → Risk parameter 3: Possibility of avoiding the hazard or limiting the harm (P1 / P2) → PLr a, b, c, d or e, from low risk to high risk; risk reduction estimation]

In the risk assessment it is examined for each hazard which measure must be taken for reducing the risk. If the measure is a safety function, the required performance level (PLr) must be defined for this safety function. The PLr is defined in such a way that the remaining risk (residual risk) of the hazard is acceptably low.

The safety evaluation tool (SET) supports you in the risk assessment through the guided determination of the demanded performance level (PLr) for the individual safety functions.

Figure 3-2 Guided determination of the demanded performance level (PLr)


Pressing the “Evaluate” button takes you to the guided determination of the required performance level (PLr), as described in the following chapters.

3.2.1 Risk assessment for hazard 1

The risk assessment is performed for hazard 1, which was determined in the risk analysis in chapter 3.1 (see Table 3-1).

Hazard

Severely injured operator due to the freely accessible axes.

Figure 3-3 Hazard 1

Evaluation 1: Severity of the harm

Table 3-2 Risk assessment - Severity of the harm

Severity of the harm | S
Slight injury (usually reversible) | 1
Severe injury (usually irreversible), including death | 2
Applied to the application example: There may be broken limbs due to flying parts ejected from the machine. | 2

Evaluation 2: Frequency and/or duration of the exposure to the hazard

Table 3-3 Risk assessment - Exposure to hazards

Exposure to hazards | F
Rarely to less frequently and/or the duration of exposure to the hazard is short. | 1
Frequently to permanently and/or the duration of exposure to the hazard is long. | 2
Applied to the application example: Within one hour, the operator needs to access the hazardous area several times for a maximum of 10 minutes. | 2


Evaluation 3: Possibility of avoiding or limiting the harm

Table 3-4 Risk assessment - Avoiding or limiting the harm
Possibility of avoiding or limiting the harm (P)
  P1: Possible under certain conditions
  P2: Hardly possible
Applied to the application example: The operator is given sufficient space and can, under certain conditions, evade the flight path of an ejected part. → P = 1

Evaluation of the risk assessment: Determination of the demanded performance level PLr

Figure 3-4 Evaluation – Determination of the demanded performance level PLr (risk graph: Start → S1/S2 → F1/F2 → P1/P2 → PLr a to PLr e, from low risk to high risk; for hazard 1 the path S2 → F2 → P1 leads to PLr d)

Figure 3-5 Evaluation – Determination of the demanded PLr using the SET


After selecting the respective evaluations, the required performance level (PLr) is output in the mask of the safety evaluation tool (SET).

3.2.2 Risk assessment for hazard 2

The risk assessment is performed for hazard 2, which was determined in the risk analysis in chapter 3.1 (see Table 3-1).

Hazard: Severe harm to the operator due to rotating gear wheels connected to both machine axes.

Figure 3-6 Hazard 2

Evaluation 1: Severity of the harm

Table 3-5 Risk assessment - Severity of the harm
Severity of the harm (S)
  S1: Slight injury (usually reversible)
  S2: Severe injury (usually irreversible), including death
Applied to the application example: If the operator makes contact with the rotating gear wheels of the machine, loss of a limb may result. → S = 2

Evaluation 2: Frequency and/or duration of the exposure to the hazard

Table 3-6 Risk assessment - Exposure to hazards
Exposure to hazards (F)
  F1: Rarely to less frequently and/or the exposure time is short.
  F2: Frequently to permanently and/or the exposure time is long.
Applied to the application example: The operator must open the protective cover for the gear wheels of the machine a maximum of 4 times per day in the course of a maintenance procedure. → F = 2


Evaluation 3: Possibility of avoiding or limiting the harm

Table 3-7 Risk assessment - Avoiding or limiting the harm
Possibility of avoiding or limiting the harm (P)
  P1: Possible under certain conditions
  P2: Hardly possible
Applied to the application example: The operator is given sufficient space and can, under certain conditions, evade the toothed wheels of the machine. → P = 1

Evaluation of the risk assessment: Determination of the demanded performance level PLr

Figure 3-7 Evaluation – Determination of the demanded performance level PLr (risk graph: Start → S1/S2 → F1/F2 → P1/P2 → PLr a to PLr e, from low risk to high risk; for hazard 2 the path S2 → F2 → P1 leads to PLr d)

Figure 3-8 Evaluation – Determination of the demanded PLr using the SET


After selecting the respective evaluations, the required performance level (PLr) is output in the mask of the safety evaluation tool (SET).

3.2.3 Classification of safety function 3

The “Emergency-stop of machine axes” safety function (SF 3) is a supplementary safety function that is generally required at a machine according to the Machinery Directive 2006/42/EC, chapter 1.2.4.3. A risk assessment is therefore not performed for SF 3.

Figure 3-9 Safety function 3 – “emergency-stop”

In the example on hand, a demanded performance level of PLr d is applied to SF 3, following the result of the risk assessment performed for the two other safety functions (SF 1 and SF 2).

Table 3-8 Risk assessment - summary
Safety function (SF) | Demanded PL
SF 3 “Emergency-stop of machine axes” | PLr d

This required PLr is set directly in the safety evaluation tool (SET) via the screen mask of the safety function.


Figure 3-10 Determination of the demanded PLr on the basis of the performed classification

Note In practice, the highest performance level (PL) of the other safety functions (SF) at the machine is used for the classification of the “Emergency stop”.

3.2.4 Summary of the risk assessment

For each hazard determined in the risk analysis, the performance level (PL) required of the respective safety function (SF) was determined or specified independently of the other hazards.

Table 3-9 Risk assessment - summary

Required safety function (SF) | Demanded PL
SF 1 “Safe reduction of the axis speed” | PLr d
SF 2 “Safe stopping of the machine axes” | PLr d
SF 3 “Emergency-stop of machine axes” | PLr d

In the original table each safety function is depicted as a safety-related control function (SRCF) with the chain Information → Detection → Evaluation → Reaction → Actions.

Now the safety functions SF 1, SF 2 and SF 3 need to be specified and realized. Each safety function (SF) must meet the performance level (PL) determined for it.
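The risk graph that the SET walks through in Figures 3-4 and 3-7, together with the rule from the note in chapter 3.2.3 for classifying the emergency stop, as an added Python example that is not part of the original document or of the SET. The S/F/P classifications of the two hazards are taken from Tables 3-2 to 3-7:

```python
"""Risk graph of ISO 13849-1 (Annex A) as walked through in chapter 3.2.

Added example, not part of the original application description or of the
Safety Evaluation Tool (SET).
"""
from dataclasses import dataclass
from typing import Dict, List

# Risk graph, Annex A of ISO 13849-1: (S, F, P) -> PLr, from low risk to high risk.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b",
    (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d",
    (2, 2, 1): "d", (2, 2, 2): "e",
}

PL_ORDER = "abcde"  # ascending required risk reduction


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: int   # S: 1 slight (usually reversible), 2 severe (usually irreversible)
    exposure: int   # F: 1 rare / short exposure, 2 frequent / long exposure
    avoidance: int  # P: 1 possible under certain conditions, 2 hardly possible


def required_pl(h: Hazard) -> str:
    """PLr of the safety function that covers hazard h."""
    for value, label in ((h.severity, "S"), (h.exposure, "F"), (h.avoidance, "P")):
        if value not in (1, 2):
            raise ValueError(f"{label} must be 1 or 2, got {value}")
    return RISK_GRAPH[(h.severity, h.exposure, h.avoidance)]


def emergency_stop_pl(other_plr: List[str]) -> str:
    """SF 3 'emergency stop' is not risk-assessed; per the note in 3.2.3 it
    takes the highest PLr of the other safety functions at the machine."""
    if not other_plr:
        raise ValueError("at least one risk-assessed safety function is needed")
    return max(other_plr, key=PL_ORDER.index)


# Hazards 1 and 2 as classified in chapter 3.2 of the document.
HAZARD_1 = Hazard("Freely accessible axis", severity=2, exposure=2, avoidance=1)
HAZARD_2 = Hazard("Rotating gear wheels", severity=2, exposure=2, avoidance=1)


def summary() -> Dict[str, str]:
    """Reproduces Table 3-9: PLr per safety function."""
    plr1 = required_pl(HAZARD_1)
    plr2 = required_pl(HAZARD_2)
    return {"SF 1": plr1, "SF 2": plr2, "SF 3": emergency_stop_pl([plr1, plr2])}


if __name__ == "__main__":
    for sf, plr in summary().items():
        print(f"{sf}: PLr {plr}")
```

Note that P is the parameter most easily misjudged: classifying the avoidance of hazard 1 as P2 instead of P1 would raise the requirement to PLr e, so the justification recorded in Table 3-4 is what makes the PLr d result defensible.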


4 Specification and Realization

4.1 Developing the SRCF specification

The specification of a safety function (SF) basically consists of the following parts:

• Information on the safety function (SF)

• Requirements regarding the functionality of the safety function (SF)

• Requirements regarding the safety integrity of the safety function (SF)

The specification must be made separately for each safety function (SF).

4.1.1 Specification of SF 1

Table 4-1
SF | Specified SF
1 | Reducing the axis speed of the freely accessible machine axes to a safe upper speed limit.

Information on the SF

Table 4-2
Topic | Information
Hazard at the machine which the SRCF should prevent | When accessing the hazardous area through the safety door, the operator may suffer severe injury at the freely accessible axis.
Persons at the machine | Operating staff, maintenance staff
Mode of the machine in which the SRCF is to be active | In each operating mode of the machine

Requirements for the SF functionality

Table 4-3
Topic | Requirement

Function of the SF
  When opening the protective door of the protection zone, the axis speed of the freely accessible axis must be reduced to a safe upper speed limit.

Conditions under which the SF must be active or disabled
  The SF must always be active at the machine.

Required reaction time
  When the door of the protection zone is opened, the axis speed must be reduced to a safe upper speed limit within 200 ms at the latest.

Reaction to a fault
  When a fault occurs, the reaction must be as follows:
  • immediate stopping of the axes
  • switching the “Disturbance” indicator light on
  Switching the axis back on must only be possible if the following requirements have been met:
  • the fault has been corrected
  • the protective door is closed
  • the operator has acknowledged the fault via a button at the machine

Rate of operating cycles for the electromechanical components
  Position switch of the protective door of the protection zone:
  • The operator needs to access the hazardous area several times within the hour for approximately 10 minutes; maximum 6 times per hour.

Note The required reaction time depends on the conditions at the machine. There must not be any hazard for the operator.

For determining the reaction time, the S7FCOTIA.XLS table or the S7FCOTIB.XLS table (see \E\) can be used.

Note The sequence of the conditions for switching the axis back on after a reaction to a fault ensures that the operator has exited the hazardous area.

Requirements for the SF safety integrity

Table 4-4
Topic | Requirement
Demanded performance level (PLr) of the SF | On the basis of the risk assessment (chapter 3.2.1), the following demanded performance level (PLr) results: PLr d
PFHD value of the SF | Based on the demanded performance level (PLr), the following PFHD value results: PFHD < 10^-6

4.1.2 Specification of SF 2

Table 4-5
SF | Specified SF
2 | Immediate stopping of both axes at the machine.


Information on the SF

Table 4-6
Topic | Information
Hazard at the machine which the SF should prevent | When opening the protective cover of the machine, the operator may suffer severe injury at the gear wheels rotating in the machine, which are connected with both machine axes.
Persons at the machine | Operating staff, maintenance staff
Mode of the machine in which the SF is to be active | In each operating mode of the machine

Requirements for the SF functionality

Table 4-7
Topic | Requirement

Function of the SF
  After opening the protective cover of the machine, all axes of the machine must be stopped immediately.

Conditions under which the SF must be active or disabled
  The SF must always be active at the machine.

Required reaction time
  When the protective cover is opened, the blade has to be stopped after 150 ms at the latest.

Reaction to a fault
  When a fault occurs, the reaction must be as follows:
  • immediate stopping of all machine axes
  • switching the “Disturbance” indicator light on
  Switching the machine axes back on must only be possible if the following requirements have been met:
  • the fault has been corrected
  • the protective cover is closed
  • the operator has acknowledged the fault via a button at the machine

Rate of operating cycles for the electromechanical components
  Hinge switch and position switch of the protective cover:
  • The operator must open the protective cover for the gear wheels of the machine a maximum of 4 times per day in the course of a maintenance procedure; 4 times per day.

Note The required reaction time depends on the conditions at the machine. There must not be any hazard for the operator.

For determining the reaction time, the S7FCOTIA.XLS table or the S7FCOTIB.XLS table (see \E\) can be used.

Note The sequence of the conditions for switching the axis back on after a reaction to a fault ensures that the operator has exited the hazardous area.


Requirements for the SF safety integrity

Table 4-8
Topic | Requirement
Demanded performance level (PLr) of the SF | On the basis of the risk assessment (chapter 3.2.2), the following demanded performance level (PLr) results: PLr d
PFHD value of the SF | Based on the demanded performance level (PLr), the following PFHD value results: PFHD < 10^-6

4.1.3 Specification of SF 3

Table 4-9
SF | Specified SF
3 | Emergency-stop for all axes at the machine.

Information on the SF

Table 4-10
Topic | Information
Hazard at the machine which the SF should prevent | None. SF 3 “emergency-stop” is a supplementary safety function which must not replace an independent safety function. Therefore, a hazard cannot be specified for this SF.
Persons at the machine | All
Mode of the machine in which the SF is to be active | In each operating mode of the machine

Requirements for the SF functionality

Table 4-11
Topic | Requirement

Function of the SF
  After the emergency-stop control unit is actuated, all axes of the machine must be stopped immediately.

Conditions under which the SF must be active or disabled
  The SF must always be active at the machine.

Required reaction time
  After the emergency-stop control unit has been actuated, the blade must stop after 150 ms at the latest.

Reaction to a fault
  When a fault occurs, the reaction must be as follows:
  • immediate stopping of all machine axes
  • switching the “Disturbance” indicator light on
  Switching the machine axes back on must only be possible if the following requirements have been met:
  • the fault has been corrected
  • the emergency-stop button has been unlocked
  • the operator has acknowledged the fault via a button at the machine

Rate of operating cycles for the electromechanical components
  Emergency-stop control unit:
  • The operator must actuate the emergency-stop control unit once per week; 1 time per week.

Note The required reaction time depends on the conditions at the machine. There must not be any hazard for the operator.

For determining the reaction time, the S7FCOTIA.XLS table or the S7FCOTIB.XLS table (see \E\) can be used.

Note The sequence of the conditions for switching the axis back on after a reaction to a fault ensures that the axis cannot start up automatically after an error.

Requirements for the SF safety integrity

Table 4-12
Topic | Requirement
Demanded performance level (PLr) of the SF | On the basis of the classification (chapter 3.2.3), the following demanded performance level (PLr) results: PLr d
PFHD value of the SF | Based on the demanded performance level (PLr), the following PFHD value results: PFHD < 10^-6


4.2 Architecture of overall system

4.2.1 Segmentation of safety functions into function blocks (SRP/CS)

The segmentation of the safety functions (SF) of the overall system into individual function blocks (SRP/CS = Safety related part of the control system) was already performed in chapter 2.2.3 during the generation in the safety evaluation tool (SET).

Segmentation into function blocks (SRP/CS) was performed so that each individual SRP/CS of the SF is executed in a separate function block, and a failure of any one SRP/CS of the SF causes the failure of the entire SF (“series connection of the function blocks”).

Figure 4-1 Segmentation of the safety functions into function blocks (SRP/CS): Information → SRP/CS 1: Detection → SRP/CS 2: Evaluation → SRP/CS 3: Reaction → Actions

Note In the ISO 13849-1 standard, only the SRP/CS (safety-related part of the control system) is used for structuring the functionality.

In this documentation, the following two terms are additionally used for structuring the system:

• The safety function contains all of the function blocks (SRP/CS) required for executing the desired safety function.

• The overall system contains all safety functions of the system.
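The “series connection” described in chapter 4.2.1 means that the safety function fails as soon as any one of its SRP/CS fails, so the dangerous failure probabilities per hour (PFHD) of the function blocks add up and the sum decides the PL of the whole SF. The following added Python example (not from the original document or from the SET) shows that combination against the PL bands of ISO 13849-1, Table 3, and the PLr d demanded in Table 4-4; the PFHD figures are constructed placeholders, not the data of the hardware listed in Table 4-19:

```python
"""Combining SRP/CS connected in series into one safety function.

Added example, not part of the original document. The PFHD values are
constructed placeholders and not the data of the listed components.
"""
from typing import Dict, Optional

PL_ORDER = "abcde"
# PL -> [lower bound, upper bound) of PFHD in 1/h (ISO 13849-1, Table 3)
PL_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """PL band for a PFHD; None if the value is too high for any PL.
    A PFHD below the PL e band still counts as PL e (no better PL exists)."""
    if pfhd < 0:
        raise ValueError("PFHD cannot be negative")
    if pfhd < PL_BANDS["e"][0]:
        return "e"
    for pl, (lo, hi) in PL_BANDS.items():
        if lo <= pfhd < hi:
            return pl
    return None


def combined_pfhd(parts: Dict[str, float]) -> float:
    """Series connection: the SF fails when any SRP/CS fails, so the
    dangerous failure probabilities per hour add up."""
    if not parts:
        raise ValueError("a safety function needs at least one SRP/CS")
    return sum(parts.values())


def verify_safety_function(parts: Dict[str, float], plr: str) -> dict:
    """Achieved PL of the SF and whether it meets the demanded PLr."""
    total = combined_pfhd(parts)
    achieved = pl_from_pfhd(total)
    meets = achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)
    return {
        "pfhd": total,
        "pl": achieved,
        "plr": plr,
        "meets_plr": meets,
        # the SRP/CS with the largest share: the one to improve first
        "dominant_part": max(parts, key=parts.__getitem__),
    }


# Constructed PFHD values (1/h) for the three SRP/CS of SF 1 (Detection,
# Evaluation, Reaction); not the data of the components in Table 4-19.
SF1_OK = {"Detection": 2.0e-8, "Evaluation": 1.5e-8, "Reaction": 3.0e-8}
# Same structure with a much weaker detection part (e.g. a single channel).
SF1_WEAK = {"Detection": 8.0e-7, "Evaluation": 1.5e-8, "Reaction": 3.0e-7}


if __name__ == "__main__":
    for name, parts in (("SF 1", SF1_OK), ("SF 1 with weak detection", SF1_WEAK)):
        r = verify_safety_function(parts, "d")
        print(f"{name}: PFHD = {r['pfhd']:.2e} 1/h -> PL {r['pl']}, "
              f"meets PLr d: {r['meets_plr']} (dominant: {r['dominant_part']})")
```

The second data set illustrates why the hardware list in chapter 4.2.3 is iterated: one weak SRP/CS pushes the sum into the PL c band even though the other two function blocks are unchanged.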

Safety function 1 (SF 1)

Figure 4-2 Safety function 1 (SF 1): Information → SRP/CS 1: Detection → SRP/CS 2: Evaluation → SRP/CS 3: Reaction → Actions

Table 4-13 Function of the SRP/CS – SF 1
SRP/CS | Function
1: Detection | Detecting the position of the protective door of the protection zone
2: Evaluation | Evaluation of the detected position of the protective door of the protection zone, and triggering an appropriate action (controlling the SINAMICS S120 drive)
3: Reaction | Triggering the safety function in the SINAMICS S120 drive


Safety function 2 (SF 2)

Figure 4-3 Safety function 2 (SF 2): Information → SRP/CS 1: Detection → SRP/CS 2: Evaluation → SRP/CS 3: Reaction → Actions

Table 4-14 Function of the SRP/CS – SF 2
SRP/CS | Function
1: Detection | Detecting the protective cover position
2: Evaluation | Evaluation of the detected position of the protective cover of the protection zone, and triggering an appropriate action (controlling the SINAMICS S120 drive)
3: Reaction | Triggering the safety function in the SINAMICS S120 drive

Safety function 3 (SF 3)

Figure 4-4 Safety function 3 (SF 3): Information → SRP/CS 1: Detection → SRP/CS 2: Evaluation → SRP/CS 3: Reaction → Actions

Table 4-15 Function of the SRP/CS – SF 3
SRP/CS | Function
1: Detection | Detecting the state of the emergency-stop control unit
2: Evaluation | Evaluation of the detected state of the emergency-stop control unit and triggering an appropriate action (controlling the SINAMICS S120 drive)
3: Reaction | Triggering the safety function in the SINAMICS S120 drive

4.2.2 Specifying the requirements for the SRP/CS

The requirements for the individual function blocks (SRP/CS) of the safety function (SF) are now described in detail using uniform tables.


Safety function 1 (SF 1)

Table 4-16 Detailed function of the function blocks (SRP/CS) – SF 1

SRP/CS 1: Detection
  Input: Position of the protective door of the protection zone: “open” or “closed”
  Output: Information on the position of the protective door of the protection zone:
  • protective door of the protection zone is open
  • protective door of the protection zone is closed
  Function: Detecting the position of the protective door of the protection zone in all operating modes of the machine.

SRP/CS 2: Evaluation
  Input: Information on the position of the protective door of the protection zone (output of SRP/CS “Detection”)
  Output: Command for controlling the SINAMICS S120 drive:
  • triggering the reduction of the axis speed in the integrated technology of the fail-safe technology CPU by triggering a PLCopen function.
  • triggering “Safely-Limited Speed” (SLS) in the SINAMICS S120 drive for monitoring the reduction of the axis speed.
  In terms of safety, both actions are combined in one command for controlling the SINAMICS S120.
  Function: Evaluating the detected position of the protective door of the protection zone, and appropriate control of the integrated technology of the fail-safe technology CPU and of the SINAMICS S120 drive in all operating modes of the machine.

SRP/CS 3: Reaction
  Input: Command for controlling the SINAMICS S120 drive (output of SRP/CS “Evaluation”)
  Output: ---
  Function: Reducing the axis speed to a safe upper speed limit:
  • reducing the axis speed
  • monitoring the reduction of the axis speed within a defined delay time via “Safely-Limited Speed” (SLS) of the SINAMICS S120.
  In terms of safety, both actions are combined in one function of the SINAMICS S120.

Safety function 2 (SF 2)

Table 4-17 Detailed function of the function blocks (SRP/CS) – SF 2

SRP/CS 1: Detection
  Input: Position of the protective cover: “open” or “closed”
  Output: Information on the position of the protective cover:
  • protective cover is open
  • protective cover is closed
  Function: Detecting the position of the protective cover in all operating modes of the machine.

SRP/CS 2: Evaluation
  Input: Information on the position of the protective cover (output of SRP/CS “Detection”)
  Output: Command for controlling the SINAMICS S120 drive:
  • triggering “Safe Stop 1” (SS1) in the SINAMICS S120 drive.
  Function: Evaluating the detected position of the protective cover, and appropriate control of the SINAMICS S120 drive in all operating modes of the machine.

SRP/CS 3: Reaction
  Input: Command for controlling the SINAMICS S120 drive (output of SRP/CS “Evaluation”)
  Output: ---
  Function: Safe stopping of all axes of the drive:
  • activating “Safe Stop 1” (SS1) for all axes of the SINAMICS S120.

Safety function 3 (SF 3)

Table 4-18 Detailed function of the function blocks (SRP/CS) – SF 3

SRP/CS 1: Detection
  Input: State of the emergency-stop control unit: “triggered” or “not triggered”
  Output: Information on the state of the emergency-stop control unit:
  • emergency-stop control unit triggered (actuated)
  • emergency-stop control unit not triggered (not actuated)
  Function: Detecting the state of the emergency-stop control unit in all operating modes of the machine.

SRP/CS 2: Evaluation
  Input: Information on the state of the emergency-stop control unit (output of SRP/CS “Detection”)
  Output: Command for controlling the SINAMICS S120 drive:
  • triggering “Safe Stop 1” (SS1) in the SINAMICS S120 drive.
  Function: Evaluating the state of the emergency-stop control unit, and appropriate control of the SINAMICS S120 drive in all operating modes of the machine.

SRP/CS 3: Reaction
  Input: Command for controlling the SINAMICS S120 drive (output of SRP/CS “Evaluation”)
  Output: ---
  Function: Safe stopping of all axes of the drive:
  • activating “Safe Stop 1” (SS1) for all axes of the SINAMICS S120.


4.2.3 Specification of the hardware components

In order to verify the possibility for realizing the individual function blocks (SRP/CS) with the safety evaluation tool (SET) and to calculate the demanded performance level (PLr), hardware components must be specified for the individual function blocks (SRP/CS) which can be used for performing the verification. Should the specified hardware components not meet the desired performance level (PLr), the list of the hardware components can be adjusted accordingly in a further iteration step.

Table 4-19 List of the hardware components

SF | HW component | Order number | Manufacturer

SRP/CS “Detection”
1 | Position switch, contacts: 1 NO + 1 NC | 3SE5 232-0HE10 | Siemens AG
1 | Position switch, contacts: 1 NO + 1 NC | 3SE5 232-0HE10 | Siemens AG
2 | Hinge switch, contacts: 1 NO + 1 NC, switching angle: 10° | 3SE5 232-0HU22 | Siemens AG
2 | Position switch with separate actuator, contacts: 1 NO + 2 NC | 3SE5 232-0QV40 | Siemens AG
2 | Standard actuator | 3SE5 000-0AV01 | Siemens AG
3 | Emergency-stop control unit: casing with actuator, contacts: 2 NC | 3SB3801-0EG3 | Siemens AG

SRP/CS “Evaluation”
1/2/3 | CPU 317TF-2 DP | 6ES7317-6TF14-0AB0 | Siemens AG
1/2/3 | SM 326 – DI 24xDC24V | 6ES7326-1BK02-0AB0 | Siemens AG

SRP/CS “Reaction” (SINAMICS S120, depending on the version)
1/2/3 | Control Unit CU 320 | 6SL3040-0MA00-0AA1 | Siemens AG
1/2/3 | Rectifier/regenerative unit Smart Line Module | 6SL3430-6TE21-6AA0 | Siemens AG
1/2/3 | Power unit Double Motor Module | 6SL3420-2TE11-7AA0 | Siemens AG
1/2/3 | Servo-motor 1FK7 motor | 1FK7022-5AK71-1DG0 | Siemens AG


4.2.4 Assigning function blocks (SRP/CS) to subsystems

Finally, the function blocks (SRP/CS) of the safety functions (SF 1, SF 2 and SF 3) are assigned to subsystems of the overall system.

The assignment and realization of the subsystems are explained in greater detail in the subsequent chapters of this documentation. The realization options are proposed on the basis of the connection options of the sensors and actuators, and are evaluated using Table 7 from ISO 13849-1 for the simplified determination of the performance level (PL).

Table 4-20 Simplified determination of the achieved performance level (PL)

Category            | B    | 1    | 2      | 2      | 3      | 3      | 4
DCavg               | none | none | low    | medium | low    | medium | high
MTTFd per channel:
  low               | a    | ---  | a      | b      | b      | c      | ---
  medium            | b    | ---  | b      | c      | c      | d      | ---
  high              | ---  | c    | c      | d      | d      | d      | e

For the categories listed in the table, the following definitions apply according to chapter 6.2 or Table 10 of ISO 13849-1:

• Category B: The safety-related parts of control systems (SRP/CS) and/or their protective equipment, as well as their components, must be designed, constructed, selected, assembled and combined in accordance with the relevant standards so that they can withstand the expected influences. Basic safety principles must be used.

• Category 1: The requirements of category B must be met. Well-proven components and well-proven safety principles shall be applied.

• Category 2: The requirements of category B must be met and well-proven safety principles must be used. The safety function shall be checked at suitable intervals by the machine control system.

• Category 3: The requirements of category B must be met and well-proven safety principles must be used. Safety-related parts shall be designed so that

  – a single fault in any of these parts does not lead to the loss of the safety function, and

  – whenever reasonably practicable, the single fault is detected.

• Category 4: The requirements of category B must be met and well-proven safety principles must be used. Safety-related parts shall be designed so that

  – a single fault in any of these parts does not lead to the loss of the safety function, and

  – the single fault is detected at or before the next demand upon the safety function. If this is not possible, an accumulation of faults shall not lead to a loss of the safety function.


Note In chapter 4.5.4 of ISO 13849-1, for the application of Table 7 with regard to category 2, a test rate of at least 100 times the demand rate of the subsystem is required. For electromechanical components this requirement generally cannot be fulfilled; the application of category 2 is therefore normally not considered for these components.

Additionally, the mean time to dangerous failure of the test equipment (MTTFd,TE) must be greater than half the mean time to dangerous failure of the evaluation logic (MTTFd,L).

4.2.5 Function block subsystem 1: “position of the protective door”

For the subsystem for monitoring the protective door of the protection zone, three realization options are shown in the table below and evaluated according to the table for simplified determination of the achieved performance level (PL).

Table 4-21 Realization options for subsystem 1

Realization option 1: The subsystem consists of one subsystem element.

• Single channel structure: category B or 1

Result: No realization option, since the performance level PL d cannot be achieved in this category. The category is defined on the basis of the Note in chapter 4.2.4.

Realization option 2: The subsystem consists of one subsystem element.

• Mechanical single channel structure / electrical two channel structure: category B or 1

Result: No realization option, since the performance level PL d cannot be achieved in this category. The category is defined on the basis of the Note in chapter 4.2.4.

Realization option 3: The subsystem consists of two subsystem elements.

• Two channel structure: category 3 or 4

• Required diagnostic coverage: 60% ≤ DC < 90% (DC = low) or 90% ≤ DC < 99% (DC = medium) or 99% ≤ DC (DC = high)

• Required MTTFd: 30a ≤ MTTFd ≤ 100a (MTTFd = high) or 10a ≤ MTTFd < 30a (MTTFd = medium)

Distinctive features of realization option 3: The two channel structure of the subsystem allows a realization according to category 3 as well as according to category 4. With a mean time to dangerous failure (MTTFd) of 30..100 years (high), the subsystem can be realized with a diagnostic coverage (DC) of low, medium or high.
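As an added example (not part of the application description and not the logic of the SET tool), the following Python encodes the simplified procedure table of ISO 13849-1 (Table 7 / Figure 5) against which the realization options above are evaluated, together with the two category 2 conditions from the Note in chapter 4.2.4 (test rate at least 100 times the demand rate, MTTFd,TE greater than half of MTTFd,L). The band limits are those of the standard; the function names and the numeric inputs are assumptions.

```python
"""Simplified PL determination for one subsystem (ISO 13849-1 simplified procedure).

Added example: not part of the application description and not the SET tool's
logic. Band limits follow ISO 13849-1 (MTTFd bands, DC bands and the
category/DC/MTTFd table of the simplified procedure); function names and the
sample inputs are assumptions.
"""
from typing import Dict, Optional, Tuple

PL_ORDER = "abcde"                      # PL a is the lowest, PL e the highest
DC_ORDER = ("none", "low", "medium", "high")

# Simplified procedure: (category, DCavg column) -> PL per MTTFd level of each channel.
# None means the combination yields no PL (not permitted by the table).
SIMPLIFIED_TABLE: Dict[Tuple[str, str], Dict[str, Optional[str]]] = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}
# DC columns the table provides for each category.
DC_COLUMNS = {"B": ("none",), "1": ("none",), "2": ("low", "medium"),
              "3": ("low", "medium"), "4": ("high",)}


def mttfd_level(mttfd_years: float) -> str:
    """MTTFd bands: low 3 a <= MTTFd < 10 a, medium 10 a <= MTTFd < 30 a, high 30 a <= MTTFd.

    The standard caps MTTFd per channel at 100 a, so larger values stay 'high'.
    """
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years is outside the scope of ISO 13849-1")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_level(dc_percent: float) -> str:
    """DC bands as used in Table 4-21: <60 % none, 60..<90 low, 90..<99 medium, >=99 high."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


def subsystem_pl(category: str, dc_percent: float, mttfd_years: float) -> Optional[str]:
    """PL of one subsystem by the simplified procedure, or None if not achievable.

    A DC above the best column the category offers (e.g. DC 99 % in a category 3
    architecture) is credited only with that best column; a DC below the
    category's lowest column (e.g. DC 50 % in category 3, DC 90 % in category 4)
    means the architecture's requirements are not met.
    """
    if category not in DC_COLUMNS:
        raise ValueError(f"unknown category {category!r}")
    actual = DC_ORDER.index(dc_level(dc_percent))
    usable = [c for c in DC_COLUMNS[category] if DC_ORDER.index(c) <= actual]
    if not usable:
        return None
    column = max(usable, key=DC_ORDER.index)
    return SIMPLIFIED_TABLE[(category, column)][mttfd_level(mttfd_years)]


def achieves(pl: Optional[str], plr: str) -> bool:
    """True if the achieved PL is at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def category2_test_requirements_met(test_rate_per_hour: float, demand_rate_per_hour: float,
                                    mttfd_te_years: float, mttfd_l_years: float) -> bool:
    """Note in chapter 4.2.4: test rate >= 100 x demand rate and MTTFd,TE > MTTFd,L / 2."""
    return (test_rate_per_hour >= 100 * demand_rate_per_hour
            and mttfd_te_years > mttfd_l_years / 2)


if __name__ == "__main__":
    # Realization options of subsystem 1 with an assumed MTTFd of 50 a per channel.
    for cat, dc in (("1", 0), ("3", 90), ("3", 99), ("4", 99)):
        pl = subsystem_pl(cat, dc, 50)
        print(f"category {cat}, DC {dc:>3} %: PL {pl}, PLr d met: {achieves(pl, 'd')}")
    # The protective door is demanded up to 6 times per hour (Table 4-22); category 2
    # would need at least 600 tests per hour, which the position switches cannot deliver.
    print("category 2 feasible:", category2_test_requirements_met(60, 6, 60, 100))
```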

The requirements for safety function 1 (SF 1) from chapter 4.1.1 result in the following number of actuations and hence the test interval:

Table 4-22

Requirements for the SF: The operator needs to access the hazardous area several times per hour for approximately 10 minutes, at most 6 times per hour.

Actuations / Test interval: 6.0 per hour

With this information, the achievable performance level (PL) for the various realization options can now be determined using the safety evaluation tool (SET).

Realization option 3 according to category 3

Two channel structure with two subsystem elements. The two channel structure allows a cross comparison of the input signals in the logic (the principle of the SIMATIC F CPUs), which yields a diagnostic coverage (DC) of 90% (medium) for category 3 (without short-circuit detection) and of 99% (high) for category 4 (with short-circuit detection).

Figure 4-5 Determining the diagnostic coverage DC in the SET

Furthermore, the requirement of category 3 according to Table 10 of ISO 13849-1 can be met: a single fault does not cause the loss of the safety function, and a single fault can be detected, for example, by the cross comparison of the input signals.

Figure 4-6 View of the realization option 3 (channel 1) according to category 3 in SET

Figure 4-7 View of the realization option 3 (channel 2) according to category 3 in SET

Once all required values and parameters have been entered, the resulting performance level (PL) and the corresponding PFHD value can be read directly in the safety evaluation tool (SET).

Note From category 2 onwards, measures against common cause failures (CCF) must be taken into consideration. The estimate is performed according to the table in Appendix F of ISO 13849-1. Points are assigned for the individual measures, whereby only the full number of points or zero can be assigned; a measure that is only partially fulfilled is therefore given zero points. The total must be at least 65 points.

Note If the S7 connection via ET 200M, i.e. directly via the fail-safe I/O modules of the S7-300 controller family, is selected in the safety evaluation tool (SET), the “S7 sensor group” is inserted automatically in the “Evaluation” subsystem of the SET, where it can be supplied with the parameters required for the calculation.

If the connection is not specified, the S7 sensor group can also be inserted manually in the “Evaluation” subsystem in order to connect the sensor group.

Realization option 3 according to category 4

The two channel structure of the subsystem with two subsystem elements also allows the category 4 requirements from Table 10 of ISO 13849-1 to be met: a single fault does not cause the loss of the safety function, and a single fault can be detected, for example through cross comparison of the input signals, at or before the next demand upon the safety function.

A cross comparison of the input signals also yields a diagnostic coverage (DC) of 99% (high), as displayed in Figure 4-5.

Figure 4-8 View of the realization option 3 (channel 1) according to category 4 in SET

Figure 4-9 View of the realization option 3 (channel 2) according to category 4 in SET

Once all required values and parameters have been entered, the resulting performance level (PL) and the corresponding PFHD value can be read directly in the safety evaluation tool (SET).

Note If the S7 connection via ET 200M, i.e. directly via the fail-safe I/O modules of the S7-300 controller family, is selected in the safety evaluation tool (SET), the “S7 sensor group” is inserted automatically in the “Evaluation” subsystem of the SET, where it can be supplied with the parameters required for the calculation.

If the connection is not specified, the S7 sensor group can also be inserted manually in the “Evaluation” subsystem in order to connect the sensor group.

Evaluation of the realization options

Since realization options 1 and 2 can achieve at most category 1 according to Table 10 of ISO 13849-1, and performance level PL d is not possible in that category, these realizations are not considered for the application.

Realization option 3 achieves category 3 or 4 according to Table 10 of ISO 13849-1. With the given parameter values, performance level PL d is achieved easily in both categories. Therefore, a two channel structure with these position switch types is necessary for subsystem 1.

4.2.6 Function block subsystem 2: “position of the protective cover”

For the subsystem that monitors the protective cover, three realization options are shown in the table below and evaluated using the table for the simplified determination of the achieved performance level (PL).

Table 4-23 Realization options for subsystem 2

Realization option 1: The subsystem consists of one subsystem element.

• Single channel structure: category B or 1

Result: No realization option, since the performance level PL d cannot be achieved in this category. The category is defined on the basis of the Note in chapter 4.2.4.

Realization option 2: The subsystem consists of one subsystem element.

• Mechanical single channel structure / electrical two channel structure: category B or 1

Result: No realization option, since the performance level PL d cannot be achieved in this category. The category is defined on the basis of the Note in chapter 4.2.4.

Realization option 3: The subsystem consists of two subsystem elements.

• Two channel structure: category 3 or 4

• Required diagnostic coverage: 60% ≤ DC < 90% (DC = low) or 90% ≤ DC < 99% (DC = medium) or 99% ≤ DC (DC = high)

• Required MTTFd: 30a ≤ MTTFd ≤ 100a (MTTFd = high) or 10a ≤ MTTFd < 30a (MTTFd = medium)

Distinctive features of realization option 2: The mechanical single channel structure of this solution can be compensated by a so-called fault exclusion (according to ISO 13849-2, Table A4):

• Fault exclusion is possible if material, (over)dimensioning, ... have been selected according to the specified service life.

This setup can therefore be considered a two channel structure, and the subsystem achieves category 3 of ISO 13849-2. In this case, realization option 2 behaves similarly to realization option 3 of this subsystem. However, PL e cannot be achieved with a fault exclusion (according to ISO 13849-2, Table D.8, Note 2).

The requirements for safety function 2 (SF 2) from chapter 4.1.2 result in the following number of actuations and hence the test interval:

Table 4-24

Requirements for the SF: The operator must open the protective cover for the gear wheels of the machine at most 4 times per day in the course of a maintenance procedure.

Actuations / Test interval: 4.0 per day

With this information, the achievable performance level (PL) for the various realization options can now be determined using the safety evaluation tool (SET).

Realization option 2 according to category 3 (with fault exclusion)

Two channel structure with one subsystem element. The two channel structure allows a cross comparison of the input signals in the logic, which yields a diagnostic coverage (DC) of 90% (medium).

Figure 4-10 View of the realization option 2 (channel 1) according to category 3 in SET

Figure 4-11 View of the realization option 2 (channel 2) according to category 3 in SET

Once all required values and parameters have been entered, the resulting performance level (PL) and the corresponding PFHD value can be read directly in the safety evaluation tool (SET).

Realization option 3 according to category 3

Two channel structure with two subsystem elements. The two channel structure allows a cross comparison of the input signals in the logic, which yields a diagnostic coverage (DC) of 90% (medium).

Figure 4-12 View of the realization option 3 (channel 1) according to category 3 in SET

Figure 4-13 View of the realization option 3 (channel 2) according to category 3 in SET

Once all required values and parameters have been entered, the resulting performance level (PL) and the corresponding PFHD value can be read directly in the safety evaluation tool (SET).

Realization option 3 according to category 4

Two channel structure with two subsystem elements. The two channel structure allows a cross comparison of the input signals in the logic, which yields a diagnostic coverage (DC) of 99% (high).

Figure 4-14 View of the realization option 3 (channel 1) according to category 4 in SET

Figure 4-15 View of the realization option 3 (channel 2) according to category 4 in SET

Once all required values and parameters have been entered, the resulting performance level (PL) and the corresponding PFHD value can be read directly in the safety evaluation tool (SET).

Evaluation of the realization options

Since realization option 1 can achieve at most category 1 according to Table 10 of ISO 13849-1, and performance level PL d is not possible in that category, this realization is not considered for the application.

Realization option 2 and realization option 3 reach performance level PL d without problems. Therefore, with these position switch types, subsystem 2 of safety function 2 (SF 2) requires a two channel structure, or a mechanical single channel and electrical two channel structure with fault exclusion.

Note In order to reach the required performance level, an applied fault exclusion must always be sufficiently documented.

Note In order to further illustrate the calculation of the performance level (PL), this example uses realization option 3 for monitoring the protective cover, for didactic reasons.

The calculation of the performance level (PL) for realization option 2 can be performed analogously.

4.2.7 Function block subsystem 3: “emergency-stop”

For the subsystem that monitors the state of the emergency-stop control unit, two realization options are shown in the table below and evaluated using the table for the simplified determination of the achieved performance level (PL).

Table 4-25 Realization options for subsystem 3

Realization option 1: The subsystem consists of one subsystem element.

• Single channel structure: category B or 1

Result: No realization option, since the performance level PL d cannot be achieved in this category. The category is defined on the basis of the Note in chapter 4.2.4.

Realization option 2: The subsystem consists of one subsystem element.

• Mechanical single channel structure / electrical two channel structure using proven components: category 3 or 4

• Required diagnostic coverage: 60% ≤ DC < 90% (DC = low) or 90% ≤ DC < 99% (DC = medium) or 99% ≤ DC (DC = high)

• Required MTTFd: 30a ≤ MTTFd ≤ 100a (high) or 10a ≤ MTTFd < 30a (medium)

Note Fault exclusion for emergency-stop devices (ISO 13849-2):

For emergency-stop devices according to IEC 60947-5-5, a fault exclusion for the mechanical aspects is permitted if a maximum number of actuations is taken into consideration.

The requirements for safety function 3 (SF 3) from chapter 4.1.3 result in the following number of actuations and hence the test interval:

Table 4-26

Requirements for the SF: The operator must actuate the emergency-stop control unit once per week.

Actuations / Test interval: 1 time per week

With the information on hand the achievable performance level (PL) can now be determined using the safety evaluation tool (SET).

Realization option 2 according to category 3

Two channel structure with one subsystem element. The two channel structure allows a cross comparison of the input signals in the logic, which yields a diagnostic coverage (DC) of 90% (medium).

Figure 4-16 View of the realization option 2 (channel 1) according to category 3 in SET

Figure 4-17 View of the realization option 2 (channel 2) according to category 3 in SET

Realization option 2 according to category 4

Two channel structure with one subsystem element. The two channel structure allows a cross comparison of the input signals in the logic, which yields a diagnostic coverage (DC) of 99% (high).

Figure 4-18 View of the realization option 2 (channel 1) according to category 4 in SET

Figure 4-19 View of the realization option 2 (channel 2) according to category 4 in SET

Evaluation of the realization options

Since realization option 1 can achieve at most category 1 according to Table 10 of ISO 13849-1, and performance level PL d is not possible in that category, this realization is not considered for the application.

Realization option 2 reaches performance level PL d without problems. Therefore, a two channel structure is necessary for subsystem 3 of safety function 3 (SF 3).

4.2.8 Function block subsystem 4

For subsystem 4 the fail-safe technology CPU 317TF-2 DP is used in conjunction with the fail-safe input module SM 326 – DI 24xDC24V. According to the manufacturer, performance level PL e can be achieved with both modules.

In the safety evaluation tool (SET) both modules must be entered and evaluated independently of each other:

• the technology CPU 317TF-2 DP is created as a “Logic group”

• the fail-safe input module SM 326 – DI 24xDC24V is created as an “S7 sensor group”.

Note If the “ET200M” setting has been selected for the S7 connection of the sensors in the “Detection” function block of the safety evaluation tool (SET), the S7 sensor group is inserted automatically in the “Evaluate” subsystem of the SET.

Figure 4-20 Viewing the logic group in the SET

Figure 4-21 Viewing the S7 sensor group in the SET

Selecting the employed hardware components directly yields the resulting SIL/PL rating, i.e. the performance level (PL), and the corresponding PFHD value for subsystem 4 from the safety evaluation tool (SET).

4.2.9 Function block subsystem 5

For subsystem 5 the fail-safe SINAMICS S120 drive is used, which, according to the manufacturer, can achieve a maximum of performance level PL d.

In the safety evaluation tool (SET) the drive must be entered via the individual components of the SINAMICS S120 including the employed motors or encoders. This can be performed in two different ways:

• Using the wizard for entering the components of the SINAMICS S120

• Manual input of the individual components of the SINAMICS S120

Using the wizard for entering the components of the SINAMICS S120

To use the wizard for entering the components of the SINAMICS S120, an actuator group must be created as a new subsystem in the “Reaction” function block.

In the actuator group created in this way, the “SIL/PL exists” type must be selected and “SINAMICS S120 modular” entered as the product group. The wizard for entering the components of the SINAMICS S120 can then be accessed via the screwdriver icon in the safety evaluation tool (SET).

Figure 4-22 Calling the wizard in SET

Now, the individual screen masks of the wizard can be filled in, which then creates the individual components of the SINAMICS S120 in the safety evaluation tool (SET).

Creating the components of the SINAMICS S120 via the wizard

Figure 4-23 Wizard for selecting the sub-structure of subsystem 5 (SINAMICS S120)

Note In the selected structure of the drive system, the “Smart Line Module” rectifier/regenerative unit of the SINAMICS S120 does not need to be considered in the safety evaluation tool (SET), since it is not relevant for the calculation in this configuration.

Then the data of the individual components in the safety evaluation tool (SET) need to be completed, as illustrated in the following block.

Manual input of the individual components of the SINAMICS S120

Figure 4-24 Viewing the control unit in the SET

Figure 4-25 Viewing the double motor module in the SET

Figure 4-26 Viewing motor 1 (freely accessible axis) in the SET

Figure 4-27 Viewing motor 2 (encapsulated axis) in the SET

Selecting the employed hardware components and specifying the sub-structure of the SINAMICS S120 directly yields the resulting SIL/PL rating, i.e. the performance level (PL), and the corresponding PFHD value for subsystem 5 from the safety evaluation tool (SET).

4.2.10 Summary

The table shows the assignment of the function blocks of the safety functions (SF) to the subsystems of the overall system.

Table 4-27 Subsystems of a safety system (SRECS)

Subsystem 1: Detecting the position of the protective door (SF 1). Components: SIRIUS

Subsystem 2: Detecting the position of the protective cover (SF 2). Components: SIRIUS

Subsystem 3: Detecting the emergency-stop control unit (SF 3). Components: SIRIUS

Subsystem 4: Evaluation of the signals (SF 1 / SF 2 / SF 3). Components: SIMATIC S7 Distributed Safety

Subsystem 5: Reacting to the evaluated signals (SF 1 / SF 2 / SF 3). Components: SINAMICS

Figure 4-28 Overall system (block diagram of the safety system: Detection by subsystems 1, 2 and 3, Evaluation by subsystem 4, Reaction by subsystem 5, each labelled with its PL; figure not reproduced in this text)

4.3 Realizing the subsystems

The final realization of the subsystems of the overall system now occurs after the architecture of the overall system has been designed.

The overall system must be realized in such a way that it meets all requirements according to the required performance level (PLr). The objective is to sufficiently reduce the probability of faults which cause a dangerous state on the machine.

The following considerations apply for realizing the subsystems:

• Consideration of the structural restriction: The structure (architecture) of the subsystem must be realized in such a way that the demanded performance level (PLr) of the subsystem is at least equal to the performance level (PL) of the safety function (SF).

• Consideration of the PFHD value: The PFHD value of the safety function (SF) equals the sum of the PFHD values of the subsystems. The subsystems must thus be realized in such a way that the total PFHD value of the SF is not exceeded.

• Consideration of the diagnosis: Additional diagnostic functions allow a subsystem to be designed in such a way that the demanded performance level (PLr) is improved:

– Further diagnosis allows the subsystem to be set up in a higher category and improves the diagnostic coverage (DC) (better fault detection)

– Setting up the subsystem in a higher category improves the PFHD value according to ISO 13849-1 Appendix K (reducing the PFHD)

The diagnostic functions do not have to be performed in the considered subsystems themselves. For example, the diagnosis of subsystem 1 (Detection) can be performed in subsystem 4 (Evaluation).

• Consideration of the systematic safety integrity level: In the subsystems, measures have to be taken to achieve the systematic safety integrity. The following respective measures can be taken (according to \5\):

– avoidance of systematic faults

– control of systematic faults (e.g. through diagnostics)

An overview of the realization of the subsystems in this application example is provided by the graphic below.

Figure 4-29 Overview of the setup of the overall system

The hardware components finally used for the realization of the overall system are listed in the subsequent table.

Table 4-28 List of the hardware components

HW component / Order number / Manufacturer

1.1 Position switch, contacts: 1 NO + 1 NC; order number 3SE5 232-0HE10; Siemens AG

1.2 Position switch, contacts: 1 NO + 1 NC; order number 3SE5 232-0HE10; Siemens AG

2.1 Hinge switch, contacts: 1 NO + 1 NC, switching angle: 10°; order number 3SE5 232-0HU22; Siemens AG

2.2 Position switch with separate actuator, contacts: 1 NO + 2 NC; order number 3SE5 232-0QV40, standard actuator 3SE5 000-0AV01; Siemens AG

3 Emergency-stop control unit: casing with actuator, contacts: 2 NC; order number 3SB3801-0EG3; Siemens AG

4 CPU 317TF-2 DP; order number 6ES7317-6TF14-0AB0; Siemens AG
  SM 326 – DI 24xDC24V; order number 6ES7326-1BK02-0AB0; Siemens AG

5 SINAMICS S120 (order number depending on the version); Siemens AG
  Control Unit CU 320; order number 6SL3040-0MA00-0AA1
  Rectifier/regenerative unit Smart Line Module; order number 6SL3430-6TE21-6AA0
  Power unit Double Motor Module; order number 6SL3420-2TE11-7AA0
  Servo-motor 1FK7 motor; order number 1FK7022-5AK71-1DG0

5 Determining the achieved Performance Level

5.1 Evaluation via the safety evaluation tool (SET)

5.1.1 Conditions for the required PL

Here it is checked whether the overall system achieves the demanded performance level (PLr) for each safety function (SF).

The following conditions must be fulfilled:

• The demanded performance level (PLr) of each subsystem of the SF must correspond at least to the performance level (PL) of the SF.

• The sum of the PFHD values of all subsystems of the SF must not exceed the PFHD value given by the performance level (PL) of the SF.

• If a subsystem is used by several SFs, the demanded performance level (PLr) of the subsystem must meet the highest performance level (PL) among those SFs.
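As an added example (not code from the application description or from the SET report), the three conditions above applied in Python to a safety function built from the subsystems of this document. The PFHD limits per PL are those of ISO 13849-1 Table 3; the per-subsystem PFHD figures are constructed placeholders rather than the SET report values, and the names are assumptions.

```python
"""Checking the conditions of chapter 5.1.1 for a complete safety function.

Added example: not code from the application description or the SET tool.
PFHD limits per PL follow ISO 13849-1 Table 3; the subsystem PFHD figures
below are constructed placeholders, not the values of the SET report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PL_ORDER = "abcde"  # PL a is the lowest, PL e the highest

# Upper PFHD limit (dangerous failures per hour, exclusive) of each PL:
# PL e: 1e-8 <= PFHD < 1e-7, PL d: < 1e-6, PL c: < 3e-6, PL b: < 1e-5, PL a: < 1e-4.
PFHD_UPPER = {"e": 1e-7, "d": 1e-6, "c": 3e-6, "b": 1e-5, "a": 1e-4}


@dataclass(frozen=True)
class Subsystem:
    name: str
    pl: str      # PL the subsystem achieves (SET result or manufacturer data)
    pfhd: float  # PFHD of the subsystem in 1/h


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Best PL whose PFHD band admits this value; None if PFHD >= 1e-4/h."""
    for pl in "edcba":
        if pfhd < PFHD_UPPER[pl]:
            return pl
    return None


def weakest_pl(subsystems: Iterable[Subsystem]) -> str:
    """Lowest PL among the subsystems of the SF."""
    return min((s.pl for s in subsystems), key=PL_ORDER.index)


def safety_function_pl(subsystems: List[Subsystem]) -> Tuple[Optional[str], float]:
    """PL of the SF, limited both by the summed PFHD and by the weakest subsystem PL.

    Returns (pl, total_pfhd). This is the situation of the Note in chapter 5.2:
    the PFHD sum alone may allow PL e while a PL d subsystem caps the result at d.
    """
    total = sum(s.pfhd for s in subsystems)
    by_pfhd = pl_from_pfhd(total)
    if by_pfhd is None:
        return None, total
    return min(by_pfhd, weakest_pl(subsystems), key=PL_ORDER.index), total


def check_conditions(subsystems: List[Subsystem], plr: str) -> Dict[str, bool]:
    """First two conditions of chapter 5.1.1 for one SF with required PLr."""
    total = sum(s.pfhd for s in subsystems)
    rank = PL_ORDER.index
    return {
        "every_subsystem_reaches_plr": all(rank(s.pl) >= rank(plr) for s in subsystems),
        "pfhd_sum_within_plr_limit": total < PFHD_UPPER[plr],
    }


def required_pl_for_shared_subsystem(plr_of_each_sf: Dict[str, str]) -> str:
    """Third condition: a subsystem used by several SFs must meet the highest PLr."""
    return max(plr_of_each_sf.values(), key=PL_ORDER.index)


# Constructed sample for SF 1 (protective door -> CPU 317TF-2 DP + SM 326 -> SINAMICS S120).
# The PFHD numbers are placeholders; only the subsystem PLs follow the document.
SF1 = [
    Subsystem("Subsystem 1: position switches", "e", 2.0e-8),
    Subsystem("Subsystem 4: CPU 317TF-2 DP / SM 326", "e", 1.0e-8),
    Subsystem("Subsystem 5: SINAMICS S120", "d", 5.0e-8),
]

if __name__ == "__main__":
    pl, total = safety_function_pl(SF1)
    print(f"SF 1: PFHD sum {total:.1e}/h would allow PL {pl_from_pfhd(total)}, "
          f"achieved PL {pl} (capped by weakest subsystem PL {weakest_pl(SF1)})")
    print(check_conditions(SF1, "d"))
    # Subsystem 4 is shared by SF 1, SF 2 and SF 3 (Table 4-27).
    print("PL required of subsystem 4:",
          required_pl_for_shared_subsystem({"SF 1": "d", "SF 2": "d", "SF 3": "d"}))
```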

5.1.2 Results report of the safety evaluation tool (SET)

In the safety evaluation tool (SET), the evaluation and application of the conditions above is provided via the results report.

Figure 5-1 Creating a report in SET

To create a report in the safety evaluation tool (SET) you first select the desired project in the project tree and then press the “Create report” button in the selection menu. The report is then offered as a PDF file for download.

Figure 5-2 Report as PDF file

5.2 Safety function 1 (SF 1)

Table 5-1

SF 1, specified SF: Reducing the axis speed of the freely accessible machine axes to a safe upper speed limit.

Figure 5-3 Safety function 1 (SF 1) of the overall system (block diagram of the safety system: Detection by subsystems 1, 2 and 3, Evaluation by subsystem 4, Reaction by subsystem 5; figure not reproduced in this text)

Figure 5-4 Report of safety function 1 (SF 1)

Result

Safety function 1 (SF 1) achieves the demanded performance level PL d.

Note: The PFHD value of safety function SF 1 alone would allow performance level PL e. However, since subsystem 5 only achieves performance level PL d, the maximum achievable performance level of SF 1 is limited to PL d.

5.3 Safety function 2 (SF 2)

Table 5-2

SF | Specified SF

2 | Immediate stopping of both axes at the machine.

Figure 5-5 Safety function 2 (SF 2) of the overall system [block diagram: the safety system with Subsystem 1 to Subsystem 5 arranged over the stages Detection, Evaluation and Reaction, inputs labelled Information and outputs labelled Actions; the path of SF 2 is marked]


Figure 5-6 Report of safety function 2 (SF 2)

Result

Safety function 2 (SF 2) achieves the demanded performance level PL d.

Note: The PFHD value of safety function SF 2 alone would allow performance level PL e. However, since subsystem 5 only achieves performance level PL d, the maximum achievable performance level of SF 2 is limited to PL d.

5.4 Safety function 3 (SF 3)

Table 5-3

SF | Specified SF

3 | Emergency stop for all axes at the machine.

Figure 5-7 Safety function 3 (SF 3) of the overall system [block diagram: the safety system with Subsystem 1 to Subsystem 5 arranged over the stages Detection, Evaluation and Reaction, inputs labelled Information and outputs labelled Actions; the path of SF 3 is marked]


Figure 5-8 Report of safety function 3 (SF 3)

Result

Safety function 3 (SF 3) achieves the demanded performance level PL d.

Note: The PFHD value of safety function SF 3 alone would allow performance level PL e. However, since subsystem 5 only achieves performance level PL d, the maximum achievable performance level of SF 3 is limited to PL d.
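The three conditions of section 5.1 and the limitation described in the result notes of sections 5.2 to 5.4 can be reproduced in a few lines. The following is an added example written for this page; it is neither code from the Siemens application description nor part of the safety evaluation tool (SET). The PFHD bands per PL are those of ISO 13849-1, Table 3 (PL a: 1e-5 to 1e-4/h, PL b: 3e-6 to 1e-5/h, PL c: 1e-6 to 3e-6/h, PL d: 1e-7 to 1e-6/h, PL e: 1e-8 to 1e-7/h); the subsystem PL and PFHD values in the sample are constructed for illustration and are not the figures of the documented system.

```python
# Added example, not code from the Siemens application description or SET.
# Applies the PL conditions of section 5.1 to one safety function (SF) and
# shows the cap described in the result notes: the PFHD sum alone would give
# PL e, but the weakest subsystem (PL d) limits the SF to PL d.

from typing import Dict, Optional, Tuple

PL_ORDER = "abcde"  # ascending: PL a is the lowest, PL e the highest

# ISO 13849-1 Table 3: PFHD band [low, high) in 1/h for each PL. The standard's
# PL e band starts at 1e-8/h; a smaller PFHD still counts as PL e, so the lower
# bound of the PL e band is set to 0.0 here.
PL_BANDS: Dict[str, Tuple[float, float]] = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (0.0, 1e-7),
}


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Return the PL whose PFHD band contains the value, or None if worse than PL a."""
    for pl in reversed(PL_ORDER):
        low, high = PL_BANDS[pl]
        if low <= pfhd < high:
            return pl
    return None


def pl_min(a: str, b: str) -> str:
    """The lower of two performance levels."""
    return a if PL_ORDER.index(a) <= PL_ORDER.index(b) else b


def evaluate_sf(subsystems: Dict[str, Tuple[str, float]], plr: str) -> dict:
    """Evaluate one SF.

    subsystems: name -> (PL achieved by the subsystem, its PFHD in 1/h)
    plr:        performance level required (PLr) of the SF
    """
    total = sum(pfhd for _, pfhd in subsystems.values())
    pl_by_pfhd = pl_from_pfhd(total)
    weakest = min((pl for pl, _ in subsystems.values()), key=PL_ORDER.index)
    # The SF can never be better than its weakest subsystem.
    achieved = None if pl_by_pfhd is None else pl_min(pl_by_pfhd, weakest)
    # Condition 1: every subsystem must reach at least PLr.
    subsystems_ok = all(PL_ORDER.index(pl) >= PL_ORDER.index(plr)
                        for pl, _ in subsystems.values())
    # Condition 2: the summed PFHD must stay below the limit of the PLr band.
    pfhd_ok = total < PL_BANDS[plr][1]
    return {
        "pfhd_sum": total,
        "pl_by_pfhd": pl_by_pfhd,
        "weakest_subsystem_pl": weakest,
        "achieved_pl": achieved,
        "meets_plr": subsystems_ok and pfhd_ok,
        "limited_by_subsystem": achieved is not None and achieved != pl_by_pfhd,
    }


def required_pl_for_shared_subsystem(plr_of_sfs: Dict[str, str]) -> str:
    """Condition 3: a subsystem used by several SFs must meet the highest PLr."""
    return max(plr_of_sfs.values(), key=PL_ORDER.index)


# Constructed sample values (not the document's figures): subsystems 1 to 4
# are PL e, subsystem 5 is PL d; the summed PFHD alone lands in the PL e band.
SF1_SUBSYSTEMS: Dict[str, Tuple[str, float]] = {
    "Subsystem 1": ("e", 2e-9),
    "Subsystem 2": ("e", 5e-9),
    "Subsystem 3": ("e", 1e-9),
    "Subsystem 4": ("e", 2e-9),
    "Subsystem 5": ("d", 5e-8),
}

if __name__ == "__main__":
    r = evaluate_sf(SF1_SUBSYSTEMS, plr="d")
    print(f"PFHD sum {r['pfhd_sum']:.2e}/h -> band PL {r['pl_by_pfhd']}, "
          f"weakest subsystem PL {r['weakest_subsystem_pl']}, "
          f"achieved PL {r['achieved_pl']}, PLr d met: {r['meets_plr']}")
    print("Subsystem 5, shared by SF 1 to SF 3, must reach PL",
          required_pl_for_shared_subsystem({"SF 1": "d", "SF 2": "d", "SF 3": "d"}))
```

With the constructed values the PFHD sum is 6e-8/h, which is inside the PL e band, yet `achieved_pl` is `d` because subsystem 5 caps the result; raising PLr to `e` for the same subsystems makes `meets_plr` false, which is the check a report reviewer would want to see fail.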

5.5 Implementing the overall system

The implementation of the overall system occurs according to the following steps:

Implementing the hardware

The overall system must be implemented in accordance with the documented design of the overall system.

Specifying the software

In our application, the safety function (SF) requires application software (SRASW). The application software (SRASW) is executed by the fail-safe CPU of subsystem 4.

According to ISO 13849-1, a specification has to be developed for this application software (SRASW).

Designing and developing software

The application software (SRASW) specified according to ISO 13849-1 chapter 4.6, or chapter 4.6.3, must be realized according to the requirements of ISO 13849-1. These requirements are based on the IEC 61131-3 languages.

Integrating and testing

The integration of the overall system must be carried out in accordance with the requirements of ISO 13849-1. Tests must be performed that verify the correct interaction of all subsystems and subsystem elements, including the application software (SRASW). These tests have to be defined in the safety plan (test cases) and performed accordingly.

Installing

Upon installation, the overall system is ready for the validation.


6 User Information and Validation

6.1 Generating user information

To ensure the functional safety of the overall system during use and maintenance, user information must be created that contains, for example, the following elements:

• Description of the equipment, installation and mounting

• Circuit diagram

• Proof test interval or lifetime

• Description of the interaction of overall system and machine

• Description of the maintenance requirements of the overall system

6.2 Performing a validation

During validation, it is checked on the basis of ISO 13849-2:2012 whether the overall system meets the requirements described in the “Specification of the safety function (SF)”. The following is required for the validation:

• All tests must be documented

• Each SF must be validated by test and/or analysis.

• The systematic safety integrity of the overall system must be validated.

After successful validation, the realization of an overall system according to ISO 13849-1 is complete.


7 Project File for the Application Example

7.1 Downloading the project file

For this application example, a project file for the safety evaluation tool (SET) is also available for download.

Figure 7-1 Downloading the project file

With “File” > “Load projects” the project file of the application example can be loaded into the safety evaluation tool (SET).

7.2 Content of the project file

The project file contains the calculation of the performance level (PL) according to ISO 13849-1 (category 3) and of the safety integrity level (SIL) according to IEC 62061 for two variants of the overall system illustrated in this document.

7.2.1 Variant 1 of the overall system

Variant 1 of the overall system contained in the project file is represented as follows:

Figure 7-2 Variant 1 of the overall system [block diagram: the safety system with Subsystem 1 to Subsystem 5 arranged over the stages Detection, Evaluation and Reaction, inputs labelled Information and outputs labelled Actions; the paths of SF 1, SF 2 and SF 3 are marked]


Subsystem 2 of the safety system is realized according to realization option 2 illustrated in this documentation. All other subsystems are contained according to the realization options selected in the documentation.

7.2.2 Variant 2 of the overall system

Variant 2 of the overall system contained in the project file is represented as follows:

Figure 7-3 Variant 2 of the overall system [block diagram: the safety system with Subsystem 1 to Subsystem 5 arranged over the stages Detection, Evaluation and Reaction, inputs labelled Information and outputs labelled Actions; the paths of SF 1, SF 2 and SF 3 are marked]

Subsystem 2 of the safety system is realized according to realization option 3 illustrated in this documentation. All other subsystems are contained according to the realization options selected in the documentation.


8 Links & Literature

8.1 Literature

This list is by no means complete and only presents a selection of related references.

Table 8-1

Topic | Title

/1/ Safety Function Example | SIMATIC Safety Integrated for Factory Automation: Practical Application of IEC 62061 Illustrated Using an Application Example with SIMATIC S7 Distributed Safety (Functional Example: AS-FE-I-013-V12-EN), Siemens AG, Order no. 6ZB5310-0NM02-0BA0

8.2 Internet Links

This list is by no means complete and only presents a selection of suitable information.

Table 8-2

Topic | Title

\1\ Link to this document | http://support.automation.siemens.com/WW/view/en/47393794

\2\ Siemens I IA/DT Customer Support | http://support.automation.siemens.com

\3\ Safety Evaluation Tool | http://www.siemens.com/safety-evaluation-tool

\4\ Standards | Ordering standards: http://www.iec-normen.de
Official status of a standard: http://www.dke.de
Lists of harmonized standards in the Official Journal of the European Union: http://www.newapproach.org/

\5\ Siemens Safety Integrated | Safety Integrated at SIEMENS: http://www.industry.siemens.com/topics/global/en/safety-integrated/Pages/functional-safety.aspx
Safety Integrated System Manual: http://support.automation.siemens.com/WW/view/en/12490443

\6\ Siemens Safety Integrated Function examples | SIMATIC Safety Integrated for Factory Automation: Practical Application of IEC 62061 Illustrated Using an Application Example with SIMATIC S7 Distributed Safety (Functional Example: AS-FE-I-013-V12-EN): http://support.automation.siemens.com/WW/view/en/23996473
Safety Integrated Functional Examples: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=csius&aktprim=4&extranet=standard&viewreg=WW&objid=20810941&treeLang=en
Order number for manual and CD: 6ZB5310-0MK01-0BA0


The following list contains internet links to entries which provide information and values required for the calculations:

Table 8-3

Topic | Title

\A\ SIMATIC PFHD values | FAQ: Which values can be used for F-CPUs and for products of the ET 200 family for PFD, PFH and the proof test interval? http://support.automation.siemens.com/WW/view/en/27832836

\B\ SINAMICS S/G PFHD values | FAQ: PFH values of the drive systems with integrated safety functions SINAMICS S120, SINAMICS S150, SINAMICS G130 and SINAMICS G150: http://support.automation.siemens.com/WW/view/en/28556736
Note: The respective document is currently only available in the Siemens intranet. Please contact your sales representative, technical advisor or the SINAMICS hotline. This document is already in preparation to be published on the internet.

\C\ SINAMICS G PFHD values | FAQ: SINAMICS G120, G120D, SIMATIC ET200S: safety values (PFHD, PFD, PFH) for determining the reached safety integrity: http://support.automation.siemens.com/WW/view/en/31593618

\D\ SIRIUS B10 value | Recommendation of the technical assistance: Recommendation of the standard B10 values for the application of DIN EN 62061 (mail of the technical assistance after the request).
Note: The respective document is currently only available via a direct request to the technical assistance of Siemens AG. Email: [email protected]

\E\ Table S7FCOTIA.XLS / S7FCOTIB.XLS | Download: S7 Distributed Safety: F execution times, F runtimes, F monitoring and reaction times: http://support.automation.siemens.com/WW/view/en/25412441

9 History

Table 9-1

Version | Date | Revisions

V1.0 | 01/2013 | First issue