Application Note. AC500-S Triggering Safety Actions using Standard HMI

Contents

1 Introduction
1.1 Purpose
1.2 Document history
1.3 Validity
1.4 Important user information
1.5 Definitions, expressions, abbreviations
1.6 References / Related documents
2 Triggering safety actions using standard HMI
2.1 Overview
2.2 Task
2.3 Solution
Example
General
Safety function
Functional description
Design features
Implementation details
Common cause failures
Systematic failures
Safety function response time
Calculation of the probability of failure and correspondence to PL (ISO )
Conclusion

Page 2/46

1 Introduction

1.1 Purpose

There are industrial applications like those in harbors, logistic centers, airport and mining applications in which safety actions for selection of substations, machines or pre-defined safely limited values are required to re-configure implemented safety control functions. Such safety actions are further validated in machines on the application level by responsible qualified personnel to make sure that the performed safety actions to re-configure the safety function control were successfully executed.

In practice, one or more mechanical or electro-mechanical mode selector switches connected to digital safety inputs of the safety PLC are often used to perform safety actions for selection of substations, machines or pre-defined safely limited values. However, this approach with mechanical or electro-mechanical mode selector switches has significant drawbacks because of its limited user-friendliness, low flexibility if modifications are required, limited number of selection options and relatively high additional controls cost (both for mode selector switches and the required digital safety input channels).

In this application note, we present a method and an example with the AC500-S safety PLC on how safety actions for selection of substations, machines or pre-defined safely limited values can be performed using a standard (non-safety) HMI (Human Machine Interface) while satisfying PL d (ISO ) requirements. The functional safety calculation according to ISO is used as an example to show the compliance of the proposed approach with the relevant functional safety requirements for PL d (ISO ). The functional safety calculation and analysis according to IEC or IEC standards can be done similarly.

1.2 Document history

Rev.  Description of version / changes  Who  Date
      First release                     ABB

1.3 Validity

The data and illustrations found in this documentation are not binding. ABB reserves the right to modify its products in line with its policy of continuous product development. ABB assumes no liability or responsibility for any consequences arising from the use of this document information. ABB is in particular in no way liable for missed profits, loss of income, loss of life, loss of use, loss of production, capital costs or costs associated with an interruption of operation, the loss of expected savings or for indirect or follow-up damages or losses of whatever kind.

1.4 Important user information

This documentation is intended for qualified personnel familiar with functional safety. You must read and understand the safety concepts and requirements presented in the AC500-S Safety User Manual [1] as well as further referenced documents prior to operating the AC500-S safety PLC system.

The following special notices may appear throughout this documentation to warn of potential hazards or to call attention to specific information.

DANGER
The notices referring to your personal safety are highlighted in the manual by this safety alert symbol, which indicates that death or severe personal injury may result if proper precautions are not taken.

NOTICE
This symbol of importance identifies information that is critical for successful application and understanding of the product. It indicates that an unintended result can occur if the corresponding information is not taken into account.

1.5 Definitions, expressions, abbreviations

AC500: ABB PLC, refer also to for further details
AC500-S: ABB Safety PLC for applications up to SIL3 (IEC 61508:2010 and IEC 62061) and PL e (ISO ), refer also to for further details
AB: Automation Builder (ABB Automation Builder is the integrated software suite for machine builders and system integrators which covers the engineering of ABB AC500 PLC, AC500-S safety PLC, control panels, drives, motion and robots)
CCF: Common Cause Failure
CPU: Central Processing Unit
DC: Diagnostic Coverage
DCavg: Diagnostic Coverage average (ISO )
DPRAM: Dual-ported Random Access Memory
EMC: Electromagnetic compatibility
FB: Function Block
FSDT: Functional Safety Design Tool (ABB tool for functional safety calculation according to ISO and/or IEC 62061)
GUI: Graphical User Interface
HFT: Hardware Fault Tolerance (IEC 61508:2010)
HMI: Human Machine Interface
IEC: International Electro-technical Commission Standard
I/O: Input/Output
MTBF: Mean Time Between Failures
MTTFd: Mean Time To Failure dangerous
PC: Personal Computer
PFHavg: Probability of Failure per Hour (1/h) average (ISO )
PL: Performance Level according to ISO
PLC: Programmable Logic Controller
PM: Processing Module
SFRT: Safety Function Response Time
SIL: Safety Integrity Level (IEC 61508)
TÜV: Technischer Überwachungs-Verein (Technical Inspection Association)

1.6 References / Related documents

[1] AC500-S Safety User Manual, 3ADR025091M0204
[2] Cyclic Non-safe Data Exchange between SM560-S Safety CPU and PM5xx Non-Safety CPU, 3ADR025195M0201
[3] AC500 Documentation, refer to and then navigate to Downloads area
[4] BGIA Report 2/2008e, Functional safety of machine controls - Application of EN ISO
[5] HVBG Hauptverband der gewerblichen Berufsgenossenschaften: Prüfgrundsatz für die Prüfung und Zertifizierung von Bussystemen für die Übertragung sicherheitsrelevanter Nachrichten. HVBG, Sankt Augustin,

2 Triggering safety actions using standard HMI

2.1 Overview

In this document, we discuss the usage of a standard HMI for safety actions to select substations, machines or pre-defined safely limited values. The AC500-S safety PLC is used for safety control (refer to [1] for more details about the AC500-S safety PLC). The following principles, which can also be found in examples with hard-wired switches on safety digital inputs of the AC500-S safety PLC, are used similarly in this application note with a standard HMI and the AC500-S safety PLC:

1. 2-channel input functionality (see Figure 1 with an example of a 2-channel input using the hard-wired approach);
2. Mode selector switch functionality (see Figure 2 with an example, in which 1-channel inputs instead of 2-channel inputs are used for simplicity in the hard-wired approach).

Figure 1. 2-channel inputs using AC500-S safety I/O modules

Figure 2. Mode selector switch functionality using AC500-S safety I/O modules

Figure 3 provides an overview of an exemplary minimal AC500-S configuration with a standard HMI connected through an Ethernet interface. This system setup will be used to demonstrate the proposed method and to perform the functional safety analysis confirming that the PL d (ISO ) functional safety requirements for selection of substations, machines or pre-defined safely limited values are satisfied.

Figure 3. Exemplary setup with standard HMI and AC500/AC500-S modules

Any standard HMI which satisfies the following prerequisites and features can be suitable for triggering safety actions in combination with the AC500-S safety PLC. The following key requirements for a standard HMI (operator panel, industrial PC, etc.) shall be fulfilled to pre-qualify it for triggering safety actions:

- Support of at least 2 different Ethernet based communication protocols (see Figure 4). These protocols shall also be supported by the AC500 PLC. In this application note, we recommend usage of the Modbus/TCP and CODESYS ETH communication protocols (see [3] for more details) for communication from the standard HMI to the PM5xx standard CPU, and then acyclic DPRAM based data exchange (DPRAM_SM5XX_SEND and DPRAM_SM5XX_REC FBs) [1] and Cyclic non-safe data exchange [2] for communication between the PM5xx and the SM560-S safety CPU (see Figure 4);
- An MTBF value (at least 22.5 years) which is suitable to reach PL d (ISO ), as one can see from the functional safety calculation in Chapter 3.5. If the MTBF value is below 22.5 years, then only PL c (ISO ) can be reached.

Figure 4. Two communication paths between standard HMI and SM560-S safety CPU through PM583-ETH CPU (example only)

Additional information related to the AC500 PLC, engineering, operator panels and communication options can be found in [3].

2.2 Task

In this application note, we describe a method by which safety actions up to PL d (ISO ) can be triggered using a standard HMI and the AC500-S safety PLC.

NOTICE
The term safety action is defined in this application note as a user configuration activity to change the internal safety state of the given safety application in the safety CPU module, and NOT as a safety function.

Even though the functional safety analysis for the safety action is performed using the requirements listed for safety functions in ISO , the consequences of possible faults in safety action execution are different from those found in safety functions, for example:

- There are no SFRT requirements on a safety action, because if a safety action is not executed then the previous state of the safety function configuration remains valid and there shall be no dangerous situation (special organizational procedures have to be defined in the application to handle this situation, e.g., a temporary safe stop of the involved machines with a restart after successful reconfiguration). This is different from a safety function, which has SFRT requirements.
- Since there are no SFRT requirements on safety actions, even if no safety action can be executed at all, no dangerous situation is expected, as described in the previous item.
- The following dangerous cases in safety actions on the application level are similar to those which can be found with mode selector switches, for example:
  o More than one mode is active;
  o The wrong mode is selected.

These potentially dangerous cases shall be avoided using proper safety integrity measures, as described in Chapter 2.3.

NOTICE
The safety action to select substations, machines or pre-defined safely limited values shall also comply with the following generic mode selection requirements:

- 2006/42/EC: It must be possible to start machinery only by voluntary actuation of a control provided for the purpose.
- EN ISO : 2003: shall be fitted with a mode selector which can be locked in each position. Each position of the selector shall be clearly identifiable and shall exclusively enable one control or operating mode to be selected.
- IEC , Ed. 5.0: 2003: ... When a hazardous condition can result from a mode selection, unauthorized and/or inadvertent selection shall be prevented by suitable means (e.g., key operated switch, access code). Mode selection by itself shall not initiate machine operation. A separate action by the operator shall be required.... Indication of the selected operating mode shall be provided...
- ISO : 2003: Restart following power failure/spontaneous restart; Manual reset.

Customer benefits from using a standard HMI for triggering safety actions in functional safety applications up to PL d (ISO ) are:

- Ability to use standard HMIs for triggering safety functions up to PL d (ISO ), because the number of available off-the-shelf safety HMIs is very limited and usage of hard-wired mode selector switches may not be an option because of the limitations described in Chapter 1.1;
- Reuse of the existing standard HMI for both standard control and functional safety control functions results in cost savings on additional HMIs and potentially a more user-friendly interface for operators.

It is the responsibility of the project administrator to set up proper user management (e.g., user roles, password protection, limited access, etc.) on the standard HMI for the given safety application at the end-customer site to avoid unauthorized access to safety-relevant controls on the standard HMI.

DANGER
Before any deployment of a safety application with a standard HMI for triggering safety actions, an assessment of dangerous threats such as eavesdropping or data manipulation shall be executed. In case of threats, appropriate security measures shall be implemented.

NOTICE
It is always highly recommended to use a PL (ISO ) certified HMI for functional safety applications up to PL d (ISO ). Thus, the presented approach with the usage of a standard HMI is only an option if no suitable PL (ISO ) certified HMI is available.

2.3 Solution

The proposed solution is based on the design analysis and additional diagnostic safety measures which can be implemented using the AC500-S setup (see Figure 3) to enable usage of a standard HMI in functional safety applications up to PL d (ISO ).

Figure 5 shows an overview of the reachable Performance Levels depending on Category, DCavg and MTTFd values, as defined in ISO . As one can see from Figure 5 (see the selection in blue), one of the possible approaches to satisfy PL d requirements is the usage of Category 2, DCavg = Medium and MTTFd = High.

Figure 5. Relationship between Categories, DCavg, MTTFd (1 = Low, 2 = Medium and 3 = High) of each channel and PL from ISO

The Category 2 architecture based on ISO is shown in Figure 6.

Figure 6. Category 2 architecture from ISO

Key requirements for Category 2 (ISO ) are:

- Requirements of Category B (refer to ISO for details) and the use of well-tried safety principles shall apply;
- The safety function shall be checked at suitable intervals by the machine control system;
- The occurrence of a fault can lead to the loss of the safety function between the checks;
- The loss of the safety function is detected by the check.

The Category 2 architecture realization using a standard HMI and AC500/AC500-S modules is shown in Figure 7 (refer also to Figure 3).

Figure 7. Category 2 equivalent architecture using standard HMI and AC500/AC500-S modules for triggering safety actions

As one can see from Figure 7, safety logic processing is fully covered by the SM560-S safety CPU (SIL3, PL e), and the output functionality is not applicable in the given application because only a re-configuration of the SM560-S safety CPU (SIL3, PL e) program execution is done on the logic part. However, we need an additional analysis for the input part, in which a standard (non-safety) HMI is used. This input part will always be application-specific and will require additional measures to satisfy PL d requirements, as described below.

To fulfill the PL d (ISO ) requirements for the input part, special DC (Diagnostic Coverage) measures shall be implemented according to ISO . The following measure was selected for the input part with the standard HMI and the PM5xx standard CPU: Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements), which provides DC = 99% (see Annex E, ISO ). The SM560-S safety CPU will take over the function of direct monitoring for the input part with the standard HMI.

The exemplary realization of this measure using a standard HMI and the AC500/AC500-S setup is presented in Figure 8 and is based on the setup in Figure 3 with the following assumptions, which are described later in more detail in Chapter 3:

- Two standard communication paths (diverse principle) for data exchange in both directions shall be established between the standard HMI and the SM560-S safety CPU:
  o Path 1 (see normal lines in Figure 8): As an example, usage of the Modbus/TCP communication protocol to the PM5xx standard CPU, then storage in a dedicated array (Data array 1) in the application program of the PM5xx standard CPU and transfer to the SM560-S safety CPU using acyclic DPRAM based data exchange (DPRAM_SM5XX_SEND and DPRAM_SM5XX_REC FBs).
  o Path 2 (see dashed lines in Figure 8): As an example, usage of the CODESYS ETH communication protocol to the PM5xx standard CPU, then storage in a dedicated array (Data array 2) in the application program of the PM5xx standard CPU and transfer to the SM560-S safety CPU using Cyclic non-safe data exchange (see [2] for more details).
- 4 different types of push buttons shall be created on the standard HMI. These push buttons shall be triggered one after another (disable or hidden features for buttons on the standard HMI can be used to support users in the selection procedure):
  o Select buttons with unique integer signatures (e.g., 2784, 5362, 8493, etc.) defined for each button, which form the first channel of the 2-channel architecture with the Confirm buttons as the second channel. If a Select button is triggered, the relevant stored integer signature value is transferred to the SM560-S safety CPU using communication path 1 (normal lines in Figure 8).
  o Confirm buttons with the negated integer value of the signature of the relevant Select button, which form the second channel of the 2-channel architecture with the Select buttons. This negated integer signature value (62751, 60173, 57042, etc.) is defined for each Confirm button. If a Confirm button is triggered, the stored negated signature is transferred to the SM560-S safety CPU using communication path 2 (dashed lines in Figure 8).
  o ACK1 buttons with unique integer signatures (e.g., 35552, and 41261, etc.) defined for each button, which form the first channel of the 2-channel architecture with the ACK2 buttons as the second channel. If an ACK1 button is triggered, the relevant stored signature is transferred to the SM560-S safety CPU using communication path 1 (normal lines in Figure 8).
  o ACK2 buttons with the negated integer value of the signature of the relevant ACK1 button, which form the second channel of the 2-channel architecture with the ACK1 buttons. This negated integer signature value (29983, 27405, 24274, etc.) is defined for each ACK2 button. If an ACK2 button is triggered, the relevant stored negated signature is transferred to the SM560-S safety CPU using communication path 2 (dashed lines in Figure 8).

The selection of signature values from the range 0x0001 to 0xFFFE, the uniqueness of the signature values and their later handling, including the assignment to the relevant buttons on the standard HMI, is the responsibility of the safety application engineers. These activities shall be performed according to the ISO or IEC functional safety requirements for the given application safety integrity level.

DANGER
The values 0x0000 and 0xFFFF shall not be used for signatures, to avoid the usage of 0 values in the selection procedure. 0 values have a special status in functional safety applications and, thus, shall be avoided.

In this application note, the selection range from 0x0001 to 0xFFFE for signature values also defines the maximum number of selection options (65534 / 2 = 32767). It means that there are unique signature values for selection buttons and unique signature values for acknowledgement buttons, respectively. The responsibility for the correct implementation, verification and validation of the proposed approach lies fully with the end customer.

All unique integer signature values shall be pre-defined and stored in the SM560-S safety CPU (SIL 3, PL e), for example in flash memory during commissioning. This allows direct supervision of the 2-channel input (transferred signature and negated signature values) coming from the Select and Confirm as well as the ACK1 and ACK2 buttons on the standard HMI. This approach implements direct monitoring of the user selection on the standard HMI from the SM560-S safety CPU as defined by ISO .

Both the integer signature and the negated integer signature values from the Select and Confirm as well as the ACK1 and ACK2 buttons shall, after transfer to the SM560-S safety CPU and the appropriate transformations, be evaluated in the safety application program against the push-button signature values stored in the SM560-S safety CPU. This includes the usage of SF_Equivalent FBs [1], in which D
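As an added illustration (not ABB code and not the note's own SM560-S program, which uses SF_Equivalent FBs in IEC 61131), the following models the evaluation the safety application program performs on the signature pairs received over the two paths: channel comparison, reserved-value rejection, Select/Confirm followed by ACK1/ACK2, and rejection of a second selection while one is pending or of an acknowledgement for a different mode. It assumes, from the page's example values (2784 paired with 62751), that the negated signature is 0xFFFF minus the signature; the mode names and the Select/ACK pairing are constructed.

```python
WORD_MAX = 0xFFFF

# Constructed table: mode -> (Select signature, ACK1 signature). 2784/5362 and
# 35552/41261 are the page's example values; mode names and pairing are assumed.
MODE_TABLE = {
    "substation_A": (2784, 35552),
    "substation_B": (5362, 41261),
}


def negate16(sig: int) -> int:
    """Negated signature as sent by Confirm/ACK2 buttons (assumed 0xFFFF - sig): 2784 -> 62751."""
    return WORD_MAX - sig


def in_range(sig: int) -> bool:
    """0x0000 and 0xFFFF are reserved and must never be accepted as a signature."""
    return 0x0001 <= sig <= 0xFFFE


class SafetySelector:
    """Direct monitoring of the 2-channel HMI input on the safety CPU side.
    Sequence: Select (path 1) -> Confirm (path 2) -> ACK1 (path 1) -> ACK2 (path 2).
    Any discrepancy discards the pending selection; the previously active mode stays valid."""

    def __init__(self, table):
        self.select_to_mode = {s: m for m, (s, _) in table.items()}
        self.ack_to_mode = {a: m for m, (_, a) in table.items()}
        self.active = None    # mode currently configured in the safety program
        self.pending = None   # mode selected but not yet acknowledged
        self.fault = None     # last diagnostic message, None when the last step passed

    def _reject(self, why: str) -> bool:
        self.pending, self.fault = None, why
        return False

    def _pair_ok(self, path1: int, path2: int) -> bool:
        # Both channels in range and path 2 exactly the negation of path 1
        # (the SF_Equivalent-style comparison of the two channels).
        return in_range(path1) and in_range(path2) and path2 == negate16(path1)

    def select_confirm(self, path1: int, path2: int) -> bool:
        """Select button value received via path 1, Confirm button value via path 2."""
        if self.pending is not None:
            return self._reject("selection already pending: only one mode may be selected")
        if not self._pair_ok(path1, path2):
            return self._reject("Select/Confirm channel discrepancy")
        mode = self.select_to_mode.get(path1)
        if mode is None:
            return self._reject("unknown Select signature %d" % path1)
        self.pending, self.fault = mode, None
        return True

    def ack(self, path1: int, path2: int) -> bool:
        """ACK1 value via path 1, ACK2 value via path 2; activates the pending mode."""
        if self.pending is None:
            return self._reject("ACK without a pending selection")
        if not self._pair_ok(path1, path2):
            return self._reject("ACK1/ACK2 channel discrepancy")
        if self.ack_to_mode.get(path1) != self.pending:
            return self._reject("ACK signature does not match the selected mode")
        self.active, self.pending, self.fault = self.pending, None, None
        return True
```

A garbled or manipulated value on either path, or an acknowledgement for a mode other than the one selected, leaves the previously active configuration unchanged, which is the behaviour the note relies on when it states that a non-executed safety action creates no dangerous situation.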