Safety instrumented system

Safety systems are active or passive system components that make technical facilities safe for people.

Machinery, equipment and other technical installations can be harmful to humans. Not only operators but also maintenance personnel or bystanders are frequently at risk, directly or indirectly. The risk depends both on the nature and mode of operation of the machine or plant and on the behaviour of the person. Among the most dangerous machines are, for example, saws or presses, on which a person can be seriously injured. To protect people from these dangers, such machines or plants may be operated and serviced only with suitable protective devices. People are often protected by a guard that denies all access. Such gratings (or fences) help only during the operating phase of the machine. But while the machine is being fed with material, adjusted or cleaned, the person does come into contact with dangerous places. Here one must always be able to rely, among other things, on the machine not starting up unexpectedly and so injuring the person.

In general, machinery and plants are controlled by electrical or electronic systems. These systems are ultimately responsible for ensuring that the person is not endangered. Certain requirements are therefore placed on these systems, derived from the risk that exists for the person involved.

To classify the hazards of a machine or plant, a risk analysis is performed to assess the risk; the risk graph has been used for this purpose for several decades.

Hazard analysis

"The manufacturer is obliged to carry out a risk analysis in order to identify all hazards associated with the machine. He must then design and build the machine taking account of his assessment." (EC Directive 98/37/EC (Machinery Directive), Annex I). "Risk assessment is a sequence of logical steps that allows the systematic examination of the hazards emanating from machinery." (EN ISO 14121). EN ISO 14121 prescribes the following methodology for risk assessment:

The risk-reduction process is repeated until the protection objective is reached and the plant or machine is safe. Specifically, the following individual steps have to be performed:

  • Determining the limits of the machinery
  • Hazard identification
  • Risk estimation
  • Risk evaluation
  • Documentation

There are basically two different approaches to risk analysis:

  • Deductive method
  • Inductive method

In a deductive analysis, a final event is assumed and the events that can lead to this final event are sought (top-down, as in a fault tree analysis). In an inductive analysis, the failure of an element is assumed and the resulting final event is determined (bottom-up, as in an FMEA).

Risk graph

Until the end of the 1970s there were machine- or plant-specific safety measures that were recommended or required in order to increase safety. But there was little connection between the technology used, the actual risk and the possible hazard. Only at the beginning of the 1980s was a unified point of view established. Precise technical or organizational requirements were created which, based on the expected risk of a machine or plant, led to a uniform reduction of that risk.

The risk (R) is expressed here as a probability statement that takes into account the expected frequency (H) of the occurrence of harm and the expected extent of damage (S), by the following calculation: R = H · S.

One of the basic methods of finding an appropriate measure to ensure safety, regardless of the machine type, is to assess the risk using the risk graph.

EN 954-1 risk graph (withdrawn)

The risk graph described here comes from the withdrawn standard EN 954-1 and assesses the risk according to several criteria:

  • S: Severity of injury
  • F: Frequency and/or duration of exposure to the hazard
  • P: Possibility of avoiding the hazard

Depending on which injuries can be expected, how often the person is exposed to the hazard and whether the danger can possibly be avoided, the level of risk is classified. For the risk assessment, the machine is considered without protective equipment.

One starts at the starting point and first determines the severity of injury that is to be expected. If the possible injuries are minor, branch S1 is taken (minor injuries are reversible injuries such as small cuts or bruises). If the injuries are severe, however, branch S2 must be selected (severe injuries are irreversible injuries that leave permanent damage; this also includes death). The next step is to evaluate how often the dangerous condition occurs, or how often one is exposed to it. For F1, the condition occurs rarely (e.g. during maintenance that takes place every 3 months). If the hazard occurs often or regularly, F2 is selected (e.g. a person must regularly enter the danger zone). Finally, one assesses whether the danger is recognised in time and can therefore be avoided. If the danger can be avoided, P1 is assumed (e.g. a machine runs slowly, so that injuries are practically impossible at first). If avoidance is almost impossible, P2 must be selected (e.g. a person places a workpiece in a press and the press suddenly closes).

An example illustrates such a risk assessment: a person has to change a tool on a machine. If the machine starts up, the person can be seriously injured. The risk graph results in the following classification:

  • S2: Serious injury (e.g. loss of a finger)
  • F2: The tool change is carried out several times per hour
  • P1: Since the machine starts slowly, the danger can be avoided

According to the risk graph of the standard, this results in category 3. The solid black dot marks this as the preferred category. One can of course also choose a technique corresponding to category 4 (hollow dot, over-dimensioned). It is also possible to choose a technique of category 2, but additional organizational measures are then necessary. For the machine as assessed (without additional organizational measures), the appropriate choice is therefore a technique corresponding to category 3. It reduces the risk to the extent that the remaining risk is brought to an acceptable level.

The classification presented here leads to five categories. Behind each category stands a technical or organizational measure that is adequate for the machine. This yields a precise specification of solutions that fit the anticipated hazard. The risk graph has become established, in similar form, in all the international standards. EN 954-1, IEC 61508 and ISO 13849, for example, assess risk by essentially the same procedure. Within these standards, however, the resulting classifications differ considerably: categories according to EN 954-1, SIL according to IEC 61508, DAL according to DO-178B and PL according to ISO 13849 (SIL stands for Safety Integrity Level, DAL for Design Assurance Level and PL for Performance Level).

The risk assessment according to EN 954-1 leads to a classification into five categories. To reduce the risk of a machine or plant, techniques are used that meet the required category:

  • B: Basic measures are taken into account (e.g. compliance with quality criteria)
  • 1: Well-tried components and well-tried safety principles are to be used
  • 2: The safety function is to be checked at regular intervals
  • 3: The technology must be designed to be fault tolerant (a single fault must not lead to the loss of the safety function and must be detected wherever reasonably practicable, so that a restart is then no longer possible)
  • 4: The safety function must not fail even if several faults occur in the technology

Note: The basic measures of category B also have to be met in categories 1 to 4.

From the classification according to EN 954-1 follow specific safety structures for the electrical or electronic control of the machine or plant.

The standard EN 954-1 was withdrawn in September 2009. The transitional period, originally due to end in 2009, was extended on its last day by two years. Until the end of 2011 a manufacturer may therefore still claim presumption of conformity under this standard; from 2012 only under EN ISO 13849-1.

ISO 13849 risk graph

The standard ISO 13849 replaces EN 954-1. Again there is a risk graph that leads to the classification of the risk:

The assessment proceeds as for the familiar EN 954-1. However, the evaluation no longer results in a category (as in EN 954-1) but in a PL value (Performance Level). The PL value ranges from a (low contribution to risk reduction) to e (high contribution to risk reduction). In contrast to the technical requirements of EN 954-1, ISO 13849 allows several ways of achieving a required PL value. The user can therefore combine suitable measures that come closest to his needs; technical constraints or cost considerations may play a role here. As before, defined safety structures are to be used.
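The two risk graphs described above, EN 954-1 (categories) and ISO 13849-1 (required performance level PLr), as an added worked example in Python. This is editor-written code, not code from either standard or from the original article. The ISO 13849-1 branch-to-PLr mapping is the standard's Annex A graph. The EN 954-1 preferred categories follow the five branches of that graph (S1 is not subdivided); the two alternative columns (one category lower with additional organizational measures, one higher as over-dimensioned) are generalized from the tool-change example in the text and should be checked against the figure in the standard. The RiskParameters type and the function names are the editor's own.

```python
"""Risk graph lookups: EN 954-1 category and ISO 13849-1 required PL.

Added example for this article (editor's code, not taken from either standard).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskParameters:
    """The three risk-graph parameters, each coded 1 or 2 as in the standards."""
    severity: int   # S1 = reversible injury, S2 = irreversible injury or death
    frequency: int  # F1 = seldom / short exposure, F2 = frequent / long exposure
    avoidance: int  # P1 = avoidance possible, P2 = scarcely possible

    def __post_init__(self):
        for name in ("severity", "frequency", "avoidance"):
            if getattr(self, name) not in (1, 2):
                raise ValueError(f"{name} must be 1 or 2, got {getattr(self, name)!r}")

    @property
    def branch(self):
        return (self.severity, self.frequency, self.avoidance)


# ISO 13849-1 risk graph (Annex A): each leaf of the S -> F -> P tree is one PLr.
_ISO13849_PLR = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# EN 954-1 risk graph (Annex B): the S1 branch is not subdivided by F and P.
_EN954_PREFERRED = {(1, f, p): "B" for f in (1, 2) for p in (1, 2)}
_EN954_PREFERRED.update({(2, 1, 1): "1", (2, 1, 2): "2", (2, 2, 1): "3", (2, 2, 2): "4"})
CATEGORIES = ("B", "1", "2", "3", "4")
PERFORMANCE_LEVELS = ("a", "b", "c", "d", "e")


def required_performance_level(params: RiskParameters) -> str:
    """PLr from the ISO 13849-1 risk graph (machine considered without protective equipment)."""
    return _ISO13849_PLR[params.branch]


def en954_categories(params: RiskParameters) -> dict:
    """Preferred EN 954-1 category plus the two alternatives marked on the graph.

    Assumption (generalised from the tool-change example in the text): one category
    lower is admissible with additional organisational measures, one category higher
    is over-dimensioned.  Neither alternative exists beyond the ends of the scale.
    """
    preferred = _EN954_PREFERRED[params.branch]
    i = CATEGORIES.index(preferred)
    return {
        "preferred": preferred,
        "with_additional_measures": CATEGORIES[i - 1] if i > 0 else None,
        "overdimensioned": CATEGORIES[i + 1] if i + 1 < len(CATEGORIES) else None,
    }


def assess(params: RiskParameters) -> dict:
    """Run both graphs on the same parameters, as a migration from EN 954-1 to ISO 13849 would."""
    return {"en954": en954_categories(params), "iso13849_plr": required_performance_level(params)}


if __name__ == "__main__":
    # The article's example: tool change, serious injury, several times per hour, avoidable.
    tool_change = RiskParameters(severity=2, frequency=2, avoidance=1)
    print(assess(tool_change))
    # {'en954': {'preferred': '3', 'with_additional_measures': '2', 'overdimensioned': '4'}, 'iso13849_plr': 'd'}
```

Running the article's own tool-change case through both graphs shows the correspondence that matters when re-assessing an existing machine: the EN 954-1 result (category 3) maps to PLr d on the ISO 13849-1 graph, and the constructor rejects any parameter outside the 1/2 coding so a mistyped assessment fails loudly instead of silently picking a branch.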

DIN EN 62061

Definition of "severity of injury":

  • 4 Irreversible: death, loss of an eye or an arm
  • 3 Irreversible: broken limbs, loss of one or more fingers
  • 2 Reversible: treatment by a medical practitioner required
  • 1 Reversible: first aid required

Other variants

A simpler risk graph, with modifications in the rating, is used among others in EN 60601.

→ See also: ALARP

Safety structures

For the controls of machines or plants to work safely, they must meet certain requirements. Four parameters stand in the foreground and play a particularly important role in rating electrical or electronic safety systems: the structure (single- or dual-channel), regular testing, the failure rate of the components, and measures against common-cause failures.

The lower the failure rate of the safety-related units, the less it is to be feared that a component failure leads to failure of the safety function. The failure rate indicates the number of failures per unit of time. Usually a scale of one failure in 10⁹ hours is chosen (an extremely small unit: one failure in roughly 114,000 years corresponds to it; this value is also known as one FIT, failure in time).

An illustrative example conveys the mindset of safety engineering: if you want to work on a mains line at home, you should first make sure that the power is off, otherwise there is a risk of electric shock. One therefore uses a voltage tester that indicates whether a voltage is present. If it signals no voltage, one can start work. However, so the safety engineer thinks, the tester itself could be faulty while voltage is still present on the line. It therefore makes sense to fetch a second voltage tester and check the voltage with it as well. If this one also signals no voltage, it is very likely that there really is no voltage on the cable. Unless both testers are defective. Final certainty can therefore only be obtained by now applying both testers to a known voltage (e.g. a battery) and thus proving that they still work. This approach can be translated into the safety structures for safe control and regulation systems:

The safety structures of control and regulation systems behave quite similarly to the preceding example: they can be designed either single-channel or dual-channel; they are tested regularly; they contain components with a low failure rate; and special measures are taken to avoid failures with a common cause.
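How those four parameters (single- or dual-channel structure, testing, component failure rate, common-cause measures) translate into the performance level a structure actually achieves, as an added Python example. This is editor-written code, not part of the original article or of ISO 13849-1. It implements the standard's simplified procedure (the category / MTTFd / DCavg table) as the editor recalls it from ISO 13849-1:2006 Table 7, a FIT-to-MTTFd conversion using 8760 h per year, and the requirement of a CCF score of at least 65 for categories 2 to 4; all class boundaries and table entries should be verified against the current edition before use. The SafetyStructure type, the function names and the sample values (2000 FIT per channel, 95 % diagnostic coverage and so on) are the editor's own constructed inputs; the tool-change example in the article corresponds to PLr d on the ISO 13849-1 risk graph.

```python
"""Achieved performance level of a safety-related control structure.

Added example for this article (editor's code, not from ISO 13849-1).  Table
values follow the standard's simplified procedure as recalled by the editor;
verify against the current edition before relying on them.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
CATEGORIES = ("B", "1", "2", "3", "4")
PERFORMANCE_LEVELS = ("a", "b", "c", "d", "e")  # a = lowest, e = highest risk reduction


def fit_to_mttfd_years(dangerous_fit: float) -> float:
    """Convert a dangerous failure rate in FIT (failures per 10^9 h) to MTTFd in years."""
    if dangerous_fit <= 0:
        raise ValueError("failure rate must be positive")
    return 1e9 / dangerous_fit / HOURS_PER_YEAR


def mttfd_class(mttfd_years: float) -> str:
    """MTTFd band per channel: low 3-10 a, medium 10-30 a, high 30 a and above."""
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years is not acceptable for a safety-related part")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_class(dc_avg: float) -> str:
    """Average diagnostic coverage band: how much of the dangerous failure rate the tests catch."""
    if not 0.0 <= dc_avg <= 1.0:
        raise ValueError("DCavg must be a fraction between 0 and 1")
    if dc_avg < 0.60:
        return "none"
    if dc_avg < 0.90:
        return "low"
    if dc_avg < 0.99:
        return "medium"
    return "high"


# (category, DCavg class) -> PL for MTTFd (low, medium, high); None = combination not covered.
# Category B cannot claim high MTTFd, category 1 requires it (well-tried components).
_TABLE7 = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}
_MTTFD_INDEX = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class SafetyStructure:
    category: str          # designated architecture: B, 1 (single-channel), 2 (tested), 3, 4 (dual-channel)
    dangerous_fit: float   # dangerous failure rate of one channel, in FIT
    dc_avg: float          # average diagnostic coverage of the regular tests, 0.0 .. 1.0
    ccf_score: int = 0     # score of the common-cause-failure measures (>= 65 needed from category 2 up)


def achieved_performance_level(s: SafetyStructure):
    """PL the structure achieves under the simplified procedure, or None if not covered."""
    if s.category not in CATEGORIES:
        raise ValueError(f"unknown category {s.category!r}")
    if s.category in ("2", "3", "4") and s.ccf_score < 65:
        return None  # tested or redundant structures must also defend against common-cause failures
    dc = dc_class(s.dc_avg)
    if s.category in ("2", "3") and dc == "high":
        dc = "medium"  # the table has no 'high' column for these architectures; claim conservatively
    row = _TABLE7.get((s.category, dc))
    if row is None:
        return None  # e.g. diagnostics on a category B/1 part, or category 4 with DCavg below 99 %
    return row[_MTTFD_INDEX[mttfd_class(fit_to_mttfd_years(s.dangerous_fit))]]


def meets_required(s: SafetyStructure, plr: str) -> bool:
    """True if the achieved PL is at least the required PLr."""
    pl = achieved_performance_level(s)
    return pl is not None and PERFORMANCE_LEVELS.index(pl) >= PERFORMANCE_LEVELS.index(plr)


if __name__ == "__main__":
    plr = "d"  # the article's tool-change example on the ISO 13849-1 graph
    candidates = {
        "single channel, no test":        SafetyStructure("1", 2000, 0.0),
        "single channel, tested":         SafetyStructure("2", 2000, 0.95, ccf_score=70),
        "dual channel, tested":           SafetyStructure("3", 2000, 0.95, ccf_score=70),
        "dual channel, no CCF measures":  SafetyStructure("3", 2000, 0.95, ccf_score=40),
    }
    for name, s in candidates.items():
        print(f"{name:32s} PL={achieved_performance_level(s)}  meets PLr {plr}: {meets_required(s, plr)}")
```

The comparison shows what the article means by several ways to reach a PL: with 2000 FIT per channel (about 57 years MTTFd), both a tested single-channel category 2 structure and a dual-channel category 3 structure reach PL d, while the untested single channel stops at PL c and the redundant structure without common-cause measures is not creditable at all, because two channels that fail together from the same cause are no better than one.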

Standards

  • EN ISO 13849-1, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design (ISO 13849-1)
  • EN ISO 13849-2, Safety of machinery - Safety-related parts of control systems - Part 2: Validation (ISO 13849-2)
  • EN 62061, VDE 0113-50, Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
  • IEC 61508, VDE 0803: Functional safety of electrical/electronic/programmable electronic safety-related systems, edition November 2002, DIN (Parts 1-7)
  • EN 954-1: Safety-related parts of control systems (replaced by EN ISO 13849-1)