Safety Control Systems - Rockwell Automation

Rockwell Automation
Safety Solutions
Safety Control Systems
Stephen Podevyn
Business Leader Safety
Copyright 2008 Rockwell Automation, Inc. All rights reserved.
Work processes
Safe condition = slow process
Non safety-related state; slow process
Highly
available
System
Failsafe
Systems
Safe condition = fast process
Non safety-related state; fast process
What is Functional Safety?

1. What is UNSAFE?
2. What is SAFE?
Machinery
Continuous Process
Fault
Fault Tolerant
Tolerant
Fail
Fail Safe
Safe
1. Continued Motion
2. Stopping
1. Stopping
2. Maintain Control
Machine Safety is different than Process Safety

Fail-Safe Behavior = Machine
Safety
When a fault occurs in the safety system outputs
normally turn off.
Safety System may be designed to be used as a
regular part of the machine operation.
Equipment Under Control (EUC) can tolerate a
safety stop because:
Lost production cost is minimal due to ability to
quickly restart
The scale of operation is relatively small (per
machine, not a plant/process)
Fault Tolerant Behavior = Process

Safety
When a fault occurs another control path
maintains control of the process.
Safety System is normally a separate system
designed to engage only if the BPCS fails to
maintain control.
Equipment Under Control (EUC) cannot tolerate
a uncontrolled safety stop because:
An uncontrolled stop could be dangerous, resulting
in a loss of equipment, production and damage to
the environment and possible danger to personnel
Process Safety must manage kinetic and potential

energy.
Responses include:
go to recycle,
route to flare,
blow down,
Ignition sequence and
orderly shutdown.
Typical Machinery Safety Applications
Emergency Stop Systems

Presses
Two Hand Control
Amusement Rides
Perimeter Guarding
Robotic Safety
People Movers
Process Safety Applications
Emergency Shutdown
Burner Management
Fire and Gas
Critical Process Control
Turbine Control
Compressor
High Pressure Protection
Systematic Risk analysis
Start
Determination of the
machines design limits
Risk reduction
1.
Risk
analysis
Hazard identification
Mechanical
measures
2.
Electrical
measures
3.
.....
Risk assessment
Risk evaluation
No
Is the machine safe?
Yes
End
Risk reduction according to EN 954 - 1
S_ Severity of injury:
Category
1 = Slight (normally reversible) injury

2 = Serious (normally irreversible) injury including
S1
death
F_ Frequency and/or exposure time to

the hazard:
1 = Seldom to quite often and/or the exposure time is
S2
short
2 = Frequent to continuous and/or the exposure time
is long
P1
F1
P2
P1
F2
P2
P_ Possibility of avoiding the hazard

1 = Possible under specific conditions
2 = Scarcely possible
B_Categories for safety-related parts of the control

system
Category
B, 1, 2, 3, or 4
EN ISO 13849-1:2006 Performance levels

Category
Estimation of the Performance Level (PL)

required
B1 2 3 4
Performance
Performance
Level,
Level,PLr
PLr
P1
F1
aa
P2
S1
P1
F2
bb
cc
F1
P2
S2
P1
F2
P2
1 = Slight (normally reversible injury)

2 = Serious (normally irreversible injury
including death)
F_Frequency and/or exposure

to a hazard
P2
P1
S_ Severity of the injury
dd
1 = Seldom to less often and/or the

exposure time is short
2 = Frequent to continuous and/or the
exposure time is long
P_Possibilities for the avoidance of the

hazard
S = Severity
1 = Possible under specific conditions
ee
F = Frequency or Duration of Exposure
2 = Scarcely possible
P = Avoidance Probability
Overview: Risk categories - standards

IEC 62061
IEC 61511
Avg. probability
of a dangerous
Performance Level failure per hour
[1/h]
EN 954-1
IEC 61508
Categories
Safety Integrity
Level
No special safety requirement
10-5 < PDF < 10-4
1, 2
3x10-6 < PDF< 10-5
1, 2
10-6 < PDF < 310-6
10-7 < PDF < 10-6
10-8 < PDF < 10-7
Cat
SIL
prEN 13849-1
10-8 < PDF
PL
10
Where Trouble Starts

HSE study of accident causes involving control systems:
Installation &
Commissioning
6%
Design &
Implementation
15%
Specification
44%
Operations &
Maintenance
15%
Changes after
commissioning
20%
11
The Safety LifeCycle Approach
Identify
Identify
IEC 61508
IEC 61511
Verify
Verify
Assess
Assess
IEC 62061
ISO13849-1
Design
Design
12
Safety Lifecycle
Concept
Concept//Scope
Scope
Hazard
HazardAnalysis
Analysis&&Risk
RiskAssessment
Assessment
ANALYSIS
Safety
SafetyRequirement
RequirementSpecifications
Specifications
Conceptional
ConceptionalDesign
Design
Detailed
DetailedDesign
Design
REALIZATION
Installation,
Installation,Commissioning,
Commissioning,Validation
Validation
Operation
Operation&&Maintenance
Maintenance Modifications
Modifications
OPERATION
Decommissioning
Decommissioning
13
Requirements of EN 61508
Competency
of the persons
+
Safety
management
+
Technical
requirements
14
Work processes
Safe condition = slow process
Failsafe
Systems
Safe condition = fast process
15
Logic Solver Dedicated Safety Relays

MSR100 Family
Single or dual channel safety circuits
Connect E-Stops, Interlock Switches, Light Curtains,
Safety Mats
CAT4 (EN954-1) certification
MSR200
Modular Safety Relay system

Scalable with up to 20 Safety Inputs
Mix of different Input Devices
DeviceNet communication for Diagnostic
SingleZone control with up to 10 Output Contacts
MSR300 Family
suitable for MultiZone control (max. 3 Zones)

Max. 20 Safety Inputs (10 Modules)
Max. 18 NO- & 6 NC- Safety Outputs (6 Modules)
Inputs Modules configurable via rotary switches
CAT4 (EN954-1), SIL3 (IEC61508) certification
Communication:
DeviceNet & RS232
Multicolor LED`s for diagnostics
16
Prototype tested safety functions

software blocks for safety controller
Function hardware software
E-STOP
Safety gate
Two-hand
Operating mode
selection
Valve control
17
IEC61508
Safety Integrity Level & RA Safety Systems
SIL 3
SIL 2
SIL 1
ControlLogix
CAT 1
CAT 2
CAT 3
CAT 4
EN954-1
18
GuardLogix Safety Integration
Logix Integrated Safety

Dual Processor Solution (1oo2 Architecture)
1oo2 is recognized as the best safety architecture
SIL-3 Certification per IEC 61508

ISO 13849 Performance Level e (Category 4)
Programs with RSLogix5000
Extensive suite of certified safety application instructions
Simplifies design, validation, maintenance
Dual Channel suite
Muting & Press Suite
CIP Safety comms for safety rated interlocking or safety I/O on Ethernet
Copyright 2010 Rockwell Automation,
19
Inc. All rights reserved.
19
Guardlogix
Primary Controller
Safety Partner
1756-L6xS
1756-LSP
certified
certified
Power Supply
1756-Pxxx
EtherNet/IP
Bridge
not certified
1756-ENBT
DeviceNet
Interface
1756-DNB
not certified
Note:
Due to the design of the CIP Safety control
system, CIP safety bridge devices, like the 1756-ENBT
and 1756-DNB, are not required to be certified.
not certified
Chassis
1756-Axx
not certified
20
Software Architecture
Internal architecture of embedded software in a standard ControlLogix
System Time
Diagnostics
Communications
Logix Engine
Operating System
Hardware Abstraction Layer
Primary Processor Hardware
1756-L61
21
Software Architecture
Internal architecture of embedded software in GuardLogix
Logix Engine
Communications
Safety Protocol
Replication
Operating System
Primary Processor Hardware
1756-L61S
Logix Engine
Diagnostics
System Time
System Time
Diagnostics
Communications
Operating System
Safety Partner Hardware
1756-LSP
22
What`s new for the user in a safety controller
Safety Task
Same structure as Standard-Task

Controls the Safety-Outputs
Configurable Priority
Configurable Period
Same number of Programs (100)
23
RSLogix 5000 Explicit Safety Environment

Safety Controller
Status
Safety Instruction
Palette
Periodic Safety Task
Routine Information
Box with Class
Watermark for
Safety Editing
Screen
24
Benefits of integrated Safety controller
Reduced Engineering Efforts

Single Engineering Software RSLogix 5000 for standard control and safety
Less networks and communication between systems
Data exchange between standard and safety part using tags
Reduces Maintenance Efforts

Single Network for safety and standard
Less training requirements
Reduces Inventory
Shares components with ControlLogix
Single Network
Increases Diagnostics
Increases Flexibility without compromising security
25
Work processes
Non safety-related state; slow process
Highly
available
System
Non safety-related state; fast process
26
Why High Availability?

To Keep on going
To prevent a unplanned shutdown of the automated Process
Maintain production against system component failure
Protect against equipment or product losses
Protect against unplanned interruptions and potential hazards
Types of Availability*
Disaster recovery: the ability to recover systems and data after a major disaster; may take
hours, days, or even weeks depending on the type of outage.
High Availability: maintains a high degree of application uptime, minimizing downtime but
not necessarily eliminating it completely for all types of failures
Attributes for Availability that we Include:

Reliability (MTBF)
Maintainability, diagnostics, repairabilityall with ability to edit and change on-line
Redundancy
* MARATHON technologies
27
Things to consider
The degree of availability should be a economically based
engineering driven choice about what is critical to the application*
Cost of the implementation
Likelihood of a failure (Failure Rate, PFD, MTBF)
Cost associated with down time (costs of unsafe operations should always
be presumed exorbitantly high)
Recovery time
Cost of maintenance
Availability is measurable as a %: A = MTBF/MTBF + MTTR
(Or is the cost of the device failure times its probability of failure greater or less than the cost of the High Availability)
* ControlGlobal.com Special report
28
Availability terms - MTTF,MTTR, MTBF

MTBF (Mean Time Between Failure)
MTTF (Mean Time To Failure)
MTTR (Mean Time To Repair)
Successful Operation
Failure
TIME
MTBF is a term that applies only to repairable systems.
MTD (Mean Dead Time) is another commonly used term instead of MTTR.
29
Availability
Reliability
The Probability of success for

an interval of time
The Probability of success at

a moment in time
R = e - (T/MTBF)
Availability
A = MTBF/MTBF + MTTR
30
The reliability of the ControlLogix in the core

system
Availability %
Probable
Downtime per
Year
99%
3.65 days
99.9%
8.76 hours
99.99%
52.6 minutes
99.999%
5.26 minutes
99.9999%
30 seconds
= 1 day every 3 years

Standard
ControlLogix
Redundant
CLX
Standard ControlLogix Controllers can provide Availability > 99.99%

Redundant ControlLogix Controllers can even exceed 99.9999%
31
Non Redundant Attributes for HA

System Maintainability
Add I/O on line (unscheduled)

Add / remove Controllers and IO under power
Online changes to controller code
Upgrade Controller firmware on line; multiple version work together
Create and deploy Operator Workstation Displays on line
Module and system Diagnostics
Field Device diagnostics (HART, FF, PA)

I/O module diagnostics
Controller diagnostics
Network diagnostics (with Stratix / Cisco switches)
Server Diagnostics
Module and device Repairability

Hot Swappable controller & I/O modules
Automated Device Replacement (ADR)
Disaster recovery with Asset Centre (controller programs)
32
Basic Architectures
Channel =
Input
Logic Solver
Output
Simplex 1oo1
Fault Tolerance=0
Channel 1
33
Basic Architectures
Duplex 1oo2
Channel 1
Diagnostics
Duplex 1oo2d
Channel 2
Fault Tolerance = 1
Duplex 2oo2
Two channels with

Redundant outputs
in series
to ensure safe off
Channel 1
D
Two channels with
Redundant outputs
in parallel
to ensure availability
Voting
Channel 2
34
Basic Architectures
Channel 1
Triplex 2oo3
Three channels with

Redundant outputs
in parallel and voting
1
Voting
Fault Tolerance = 2
Channel 2
Voting
Channel 3
TMR Triple Modular Redundancy

35
Basic Architectures
Channel 1
Diagnostics
Quad
Channel 2
Fault Tolerance = 2
D
Channel 3
Diagnostics
Channel 4
36
Availability, Fault Tolerance, Safety

Fault Tolerance
Availability
Fault Tolerant
24/7/365
2oo3 (3-3-2-0)
SIL3
Standard Controllers
(Redundant)
High MTBF
Passive Redundancy (RM)
Redundant Power Supplies
Redundant Media
Single IO / supervised wiring
ICS Triplex
CLX SIL2
I/O Redundancy
Fault Tolerant or Failsafe
Controller BackUp Optional
Standard Controllers
Active Redundancy
Safety Controllers
Failsafe
High DC
1oo2
SIL3
High MTBF
Single Controller
Single Power Supply
Single IO
Copyright 2010
2007 Rockwell Automation, Inc. All rights reserved.
Safety
37
Rockwell Automation vandaag

Volledig toegespitst op Industrile Automatisatie
19.000 werknemers, waaronder:

3.400 in Europa
58 in BeLux
62 in EMEA HQ te Brussel
4,3 milliard $ omzet wereldwijd

820 miljoen omzet in Europa
Aanwezig in meer dan 80 landen
Een echte cultuur van partnership

Technologisch
Integrators, distributie
Copyright 2010 Rockwell Automation, Inc. All rights

reserved.
Copyright
2010 Rockwell Automation, Inc. All rights reserved.
38
Een erfenis van Kwaliteit en Innovatie

De
De oorsprong
oorsprong
((Meer
Meer dan
dan 100
100 jaar
jaar))
vandaag
vandaag
39
Belgi / Groothertogdom van Luxemburg
58 werknemers om u te dienen
Hoofdkantoor te Strombeek-Bever
(Brussel Heizel)
19 werknemers in de afdeling Customer
Support & Maintenance
9 werknemers ter ondersteuning voor
Customer Application Design en
Marketing
9 Account Managers voor de opvolging van
onze klanten
Verschillende bijzondere functies:
Global Account Management
Global Account technical consultant
OEM support engineer
High power drives expertise
Global project coordination
Passie is een onderdeel van onze

ondernemingscultuur !
40
De know-how van Rockwell Automation

Expertise en oplossingen
Automatisatieoplossingen voor een industrile
omgeving
Laagspanningsschakelmateriaal
Oplossingen voor de verwerking en het
infomatiebeheer van uw productiegegevens
De ondersteunende diensten voor elke fase in
de levenscyclus van uw productiemiddelen
41
We zijn aanwezig in het hart van de

productie
Productie per lot
(batch)
Sturing van het continue

productieproces
AC/DC aandrijvingen
Precisie
aandrijvingen
PLC
Energie- en HVAC
beheer in productie
Veiligheid
42
Producten en oplossingen van wereldklasse

Een ongevenaarde betrouwbaarheid en
gebruiksgemak
Ontworpen om te functioneren in de meest
veeleisende industrile omgeving
Wereldwijde certificatie
Kwaliteit
Gebruiksvriendelijkheid
Een technologische strategie die de

continuteit en productmigratie maximaal
ondersteunt
Open Technologie
43
Gentegreerde Architectuur: ons ngemaakt

platform
Modulair
Multi-discipline
En unieke ontwerpsoftware
Informatie en IT-enabled
Programmeerbare sturingen
Supervisie en sturing van de productie
Manufacturing Execution System
Netwerken en industrile switches
Bescherming en sturing van motoren

AC/DC aandrijvingen
Bewaking van roterende machines
Precisie servo-motoren
Laagspanningsschakelmateriaal en sensoren
Materiaal en oplossingen voor machineveiligheid
Materiaal en oplossingen voor procesveiligheid

44
Een waaier aan diensten

Voorspellen
Voorkomen
Reageren
Opleiding en vervolmaking van uw personeel

Upgrade van de machines naar de nieuwe
veiligheidsnormen
Ter beschikkingstelling van wisselstukken
Tijdelijke versterking/ondersteuning van uw
technische ploeg
Technische ondersteuning per telefoon
Een snelle behandeling van uw herstellingen
Ondersteuning bij migratieprojecten
45
Samenvattend
Onze troeven
Een gepassioneerd team !
Een ervaren team !
Een ondernemersspirit binnen een grote
technologische groep
Een netwerk van solide partners
Gentegreerde oplossingen, gebruiksvriendelijk
tijdens het ontwerp, het gebruik en het
onderhoud van uw productieapparaat.
46

Safety Control Systems - Rockwell Automation

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Safety Control Systems - Rockwell Automation

Загружено:

Авторское право:

Доступные форматы

Rockwell Automation

Copyright 2008 Rockwell Automation, Inc. All rights reserved.

Safe condition = slow process

Non safety-related state; slow process

Safe condition = fast process

Non safety-related state; fast process

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

What is Functional Safety?

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Machine Safety is different than Process Safety

Fault Tolerant Behavior = Process

Process Safety must manage kinetic and potential

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Typical Machinery Safety Applications

Emergency Stop Systems

Process Safety Applications

Systematic Risk analysis

Is the machine safe?

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Risk reduction according to EN 954 - 1

1 = Slight (normally reversible) injury

F_ Frequency and/or exposure time to

P_ Possibility of avoiding the hazard

B_Categories for safety-related parts of the control

EN ISO 13849-1:2006 Performance levels

Estimation of the Performance Level (PL)

1 = Slight (normally reversible injury)

F_Frequency and/or exposure

S_ Severity of the injury

1 = Seldom to less often and/or the

P_Possibilities for the avoidance of the

Overview: Risk categories - standards

No special safety requirement

10-5 < PDF < 10-4

3x10-6 < PDF< 10-5

10-6 < PDF < 310-6

10-7 < PDF < 10-6

10-8 < PDF < 10-7

10-8 < PDF

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Where Trouble Starts

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

The Safety LifeCycle Approach

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Safe condition = slow process

Safe condition = fast process

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Logic Solver Dedicated Safety Relays

Modular Safety Relay system

suitable for MultiZone control (max. 3 Zones)

Prototype tested safety functions

Function hardware software

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Safety Integrity Level & RA Safety Systems

GuardLogix Safety Integration

Logix Integrated Safety

SIL-3 Certification per IEC 61508

Internal architecture of embedded software in a standard ControlLogix

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

Internal architecture of embedded software in GuardLogix

Copyright 2010 Rockwell Automation, Inc. All rights reserved.

What`s new for the user in a safety controller

Same structure as Standard-Task

Copyright 2010 Rockwell Automation, Inc. All rights reserved.