security system

from Wikipedia, the free encyclopedia

Safety systems are active or passive system components that are intended to make technical systems safe for people.

Machines, systems and all other technical equipment pose a risk to people. Often, not only the operators, but also maintenance personnel or bystanders are directly or indirectly at risk. The hazard depends on the type and functionality of the machine or system as well as the behavior of the person. Particularly dangerous machines include saws or presses, on which a person can seriously injure themselves. In order to protect people from all dangers, such dangerous machines or devices may only be operated or maintained with suitable protective devices. Often people are protected by a protective grillethat denies any access. Such grids (or fences) only help during the operating phase of the machine. But while the machine is being supplied with material, adjusted or cleaned, people come into contact with dangerous areas. Here you always have to be able to rely on the machine u. a. does not start unexpectedly and thus lead to possible injury to the person.

As a rule, machines or systems are controlled with electrical or electronic systems . These systems are ultimately responsible for ensuring that people do not run into any danger. Certain requirements are therefore placed on the systems, which result from the risk that exists for the person involved.

In order to be able to classify the dangers of a machine or system, a risk analysis is carried out and the risk graph has been used for several decades to assess the risk.

Risk analysis

“The manufacturer is obliged to carry out a risk analysis in order to determine all dangers associated with the machine. He must then design and build the machine taking into account his analysis. ”(EC Directive 2006/42 / EC ( Machinery Directive ), Appendix I)“ Risk assessment is a sequence of logical steps that allow the systematic investigation of hazards from machines out. "( DIN EN ISO 14121 ) DIN EN ISO 14121 prescribes the procedure for a risk assessment shown in the following figure (DIN EN ISO 14121-1 was withdrawn in March 2011. The" practical guidelines and process examples "in Part 2 (DIN EN ISO 14121-2) retained its validity) The following diagram is the content of DIN EN ISO 14121, but not the successor standard DIN EN ISO 12100:

Risk assessment flowchart

The process for reducing the risk must be run through until the protection goal is achieved and the device or machine is safe. The following individual steps have to be carried out:

There are basically two different approaches to risk analysis:

Deductive analysis assumes a final result and searches for the events that make this final event occur. In the inductive analysis, the failure of an element is assumed and the final event is determined.

Risk graph

development

Until the end of the 1970s, there were specific safety measures that were recommended or prescribed for each machine or system to increase safety. There was hardly any connection between the technology used, the actual risk and the possible hazard. It was not until the beginning of the 1980s that a uniform perspective was established that is also used in other areas (see risk matrix ). With the Product Liability Act (1990), the requirements for risk assessments became greater and so the procedures, for example for the area of ​​safety systems, were specified in standards.

Action

On the basis of the expected risk of a machine or system, precise technical or organizational requirements were drawn up that resulted in a uniform reduction in the risk.

The risk (R) results from a probability statement that takes into account the expected frequency (H) of the occurrence of damage and the expected extent of damage (S) according to the following calculation:

One of the basic methods of finding a suitable measure for maintaining safety, regardless of the machine type, is to assess the risk using the risk graph.

EN 954-1 risk graph (withdrawn)

The risk graph shown in the picture comes from the withdrawn standard EN 954-1 and assesses the risk according to several criteria:

  • S ( severity ): severity of the injury
  • F ( frequency ): frequency of stay
  • P ( probability ): Possibility of avoidance

Risk graph according to EN 954

The level of risk is classified depending on which injuries can be assumed, how often the person is exposed to the danger and whether it is possible to escape the danger. To assess the risk, the machine is considered without protective devices. You then start at the starting point, after which it is determined what risk of injury there is. If the possible injuries are minor, then path S1 is taken (minor injuries are reversible injuries, such as small cuts or bruises ). If, on the other hand, the injuries are serious, then path S2 must be chosen (serious injuries are irreversible injuries that leave behind permanent damage; this also includes death ). The next step is to assess how often the dangerous condition occurs or how often one is exposed to it. In the case of F1, the condition occurs rather rarely (e.g. during maintenance that takes place every 3 months). In the event that the hazard occurs often or regularly, F2 is selected (e.g. a person must regularly go into the danger zone). Finally, there is still the possibility to assess whether one can recognize the danger and thus possibly escape it. If one can escape the danger, then P1 is assumed (e.g. a machine starts up slowly and initially there are hardly any hazards possible). However, if escape is almost impossible, then P2 must be selected (e.g. if a person puts a workpiece in a press and it suddenly closes).

The risk assessment should be an example: A person has to change a tool on a machine. If the machine starts, the person can be seriously injured. The following classification results from the risk graph:

  • S2: Serious injury (e.g. loss of a finger)
  • F2: The tool change is carried out several times per hour
  • P1: Since the machine starts up slowly, you can escape the danger

According to the risk graph of the standard, this results in a classification according to category 3. The thick black point indicates that this is the preferred classification. Of course, you can also choose a technology that corresponds to Category 4 (thick white point). However, it is also possible to choose a category 2 technology, but additional organizational measures are then necessary. In order to equip the machine correctly (without organizational measures), a technology that corresponds to category 3 must be used according to the assessment just presented. It reduces the risk to such an extent that all dangers are reduced to a bearable level.

The classification shown here leads to 4 categories. Behind each of these categories there is a technical or organizational measure that is appropriate for the machine. This gives an exact specification of solutions that match an assumed hazard. The risk graph has established itself in similar structures in all international standards. For example, the standards EN 954-1, IEC 61508 or ISO 13849 classify the risk using exactly the same procedure. However, the classifications within the named standards are quite different (categories according to EN 954-1, SIL according to IEC 61508 , DAL according to DO-178B and PL according to ISO 13849 , SIL stands for Safety Integrity Level , DAL for Design Assurance Level and PL for performance Level , from the English "degree of performance").

The risk assessment according to EN 954-1 leads to a classification according to 5 categories. To reduce the risk of a machine or system, technologies that correspond to the required category must be used:

  • B: Basic measures must be taken into account (e.g. compliance with quality criteria)
  • 1: Proven structural elements and proven components are to be used
  • 2: A regular test of the safety function must be carried out
  • 3: The technology must be designed to be fault-tolerant (a single fault must not lead to failure and must be recognized, i.e. switching on again is then not possible)
  • 4: Even if several errors occur in the technology, the safety function must not fail

Note: The basic measures must also be planned for categories 1–4.

The classification according to EN 954-1 results in certain safety structures for the electrical or electronic control or regulation of the machine or system.

The EN 954-1 standard was withdrawn in September 2009. The initially applicable transition period was extended by two years on the last day, at the end of 2009. Until the end of 2011 a manufacturer can apply for the assumption of conformity according to this standard; from 2012 only according to EN ISO 13849-1.

ISO 13849 risk graph

The EN ISO 13849 standard replaces the EN 954-1 standard. Here, too, there is a risk graph that leads to the classification of the risk:

Risk graph according to ISO 13849

The procedure for the assessment is the same as for the already known standard EN 954-1. However, the evaluation no longer leads to a category (as in EN 954-1), but to a PL value ( performance level ). The classification of the PL value ranges from a (low contribution to risk reduction) to e (high contribution to risk reduction). In contrast to the technical requirements from the EN 954-1 standard, the ISO 13849 standard allows several ways to achieve a required PL value. The user can therefore combine suitable measures that come closest to his ideas. Technical boundary conditions or cost considerations can play a role here. Defined security structures must still be used.

DIN EN 62061

Definition of "severity of injury":

  • 4 Irreversible: death, loss of an eye or an arm
  • 3 irreversible: broken limbs, loss of (one) multiple fingers
  • 2 Reversible: Treatment by a medical professional required
  • 1 Reversible: first aid required

Other variants

A simple risk graph is shown below, such as a. in EN 60601 (with modifications in the evaluation) is used:

Risk graph according to EN 60601

Security structures

In order for the controls of machines or systems to work safely, they must meet certain requirements. The focus here is on 4 parameters that play a particularly important role in the evaluation of electrical or electronic safety systems:

System architecture and structure
Safety systems can be single-channel, two-channel or multi-channel. While single-channel systems usually react to errors with a failure, two-channel or multi-channel systems can check each other and identify any errors. The measured variable for the architecture is the HFT value (from English: Hardware Fault Tolerance ). If the HFT value is 0, there is no hardware fault tolerance and any fault can lead to failure. A two-channel system (like using two voltage testers ) is better than a single-channel system
Diagnostic coverage
Both single-channel and dual-channel (or even multi-channel) structures can fail. However, if you regularly test the function of the structure, you can identify a failure or a defect. Of course you have to carry out a meaningful test that also detects the errors. The diagnostic coverage (DC: from the English Diagnostic Coverage ) indicates the probability with which the errors will be revealed by a test. Security systems need to be tested to see if they are still working. The diagnostic coverage depends on the quality of the test. Bad tests reveal only a few, good tests reveal many or even all errors.
Failure rate
If the failure rate is low, there is little need to fear defects. For example, if the failure rate for the voltage tester is 0, it never fails (there is no such thing, but theoretically it can be assumed) and it always shows the correct voltage. You don't need a second device and you never need to test it. Since this is not in practice, you have to rely on another device or a test.

The lower the failure rate of safety units, the less you have to fear that a failure will lead to failure of the safety function. The failure rate indicates the number of failures per unit of time. As a rule, a scale of 1 failure in 10 9 hours is chosen (this is an extremely small unit, since only one failure in approx. 100,000 years corresponds to this, this value is also referred to as 1 fit, failure in time ).

Common cause failure
Influencing variables are meant here that affect several systems at the same time. For example, the voltage in the cable could be so high that both voltage testers are overwhelmed and show nothing at all. A single cause has a fatal effect on all devices. It would be extremely dangerous to conclude that the cable is dead. Even if systems have two or even more channels, these are even tested and also rarely fail, a single malicious influence can influence all systems or even switch them off. For example, extreme voltage levels (such as lightning strikes ) are known in electronics , which can suddenly make several units unusable. These common cause failures (CCF: from the English Common Cause Failure ) must always be avoided.

A clear example is intended to illustrate the way security technology thinks: If you tamper with your power line at home, you should first be aware that the power has been switched off, otherwise there is a risk of electric shock. A voltage tester is therefore used which shows the presence of voltage. If this signals no tension, you can get to work. However - this is how one thinks in security technology - the voltage tester could also be defective and there is still voltage in the power line. So it makes sense to get another voltage tester and use this to check the voltage as well. If this also indicates no voltage, it is very likely that there is really no voltage in the cable. Unless both testers are defective. A final certainty can therefore only be obtained if you now apply both testers to a known voltage (e.g. a battery) and thus prove that they are still OK. The procedure presented here can be translated into the safety structures for safe control and regulation.

The safety structures of controls and regulations behave very similarly to the example presented.

They can either be single-channel or two-channel. They are continuously tested. They contain parts or components with a low failure rate and special measures are taken to avoid common cause failures.

The Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA) has developed the software assistant SISTEMA (safety of controls on machines). Within the framework of the DIN EN ISO 13849-1 standard, this offers help in assessing the safety of controls. The Windows tool simulates the structure of the safety-related control parts on the basis of the so-called intended architectures and calculates reliability values ​​on various levels of detail. SISTEMA is available online free of charge. The liability is on intent or gross negligence is limited or on fraudulently concealed defects.

The free software assistant SOFTEMA helps to evaluate the safety of controls on machines within the framework of the relevant standards. According to these standards (e.g. DIN EN ISO 13849-1), application programs must be developed according to a structured work process and error-avoiding measures must be implemented. In cooperation with the Bonn-Rhein-Sieg University of Applied Sciences and regional mechanical engineering companies, the so-called IFA matrix method was developed to validate and test safety-related application programs. SOFTEMA is used for the efficient application of the matrix method and is intended to support machine manufacturers in developing programs and external bodies in testing them.

Protective devices and their manipulation

Around a third of all protective devices on machines used in industry are manipulated regularly. If protective devices on a machine make it difficult to carry out certain work tasks, there is an incentive to bypass these protective devices. The greater the advantage (e.g. the time saved) that results from the manipulation for operating the machine, the sooner the protective device will be overridden. However, companies must provide the operator with safe machines: Machines with a high incentive to manipulate are to be regarded as unsafe and may not be operated.

The Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA) has developed a procedure that evaluates the incentive to manipulate protective devices. This method can also be found in the DIN EN ISO 14119 standard . The assessment can be carried out with an MS Excel table or with the aid of an app for use on smartphones and tablets . The software is available free of charge.

The software can be used at any time, but should be carried out by a person who has good knowledge of how to operate the machine. If there is an incentive to manipulate protective devices, measures to reduce this incentive must be implemented.

Norms

  • EN ISO 13849-1, Safety of machines - Safety-related parts of control systems - Part 1: General principles for design (ISO 13849-1)
  • EN ISO 13849-2, Safety of machinery - Safety-related parts of control systems - Part 2: Validation (ISO 13849-2)
  • EN 62061, VDE 0113-50, Safety of machines - Functional safety of safety-related electrical, electronic and programmable electronic control systems
  • IEC 61508, VDE 0803: Functional safety of safety-related electrical / electronic / programmable electronic systems, Version November 2002, DIN (Chapters 1–7)
  • EN 954-1: Safety-related parts of controls (has been replaced by EN 13849-1)

literature

  • Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA): BGIA Report 2/2008, Functional Safety of Machine Controls - Application of DIN EN ISO 13849 . German Social Accident Insurance (DGUV), Sankt Augustin 2008, ISBN 978-3-88383-771-0 ( [1] ).
  • Patrick Gehlen: Functional safety of machines and systems - implementation of the European Machinery Directive in practice . Publicis Corporate Publishing, ISBN 978-3-89578-281-7 .
  • Josef Börcsök: Electronic security systems . Hüthig, Heidelberg 2004, ISBN 3-7785-2939-0 .
  • Josef Börcsök: Functional Safety Basics of safety systems . Hüthig, Heidelberg 2006, ISBN 3-7785-2985-4 .
  • Winfried Gräf: Machine safety . Vogel-Verlag, Würzburg 2004, ISBN 3-7785-2941-2 .
  • Peter Wratil, Michael Kieviet: Security technology for components and systems . Hüthig, Heidelberg 2007, ISBN 3-7785-2984-6 .
  • Peter Wratil: Programmable logic controllers in automation technology . Vogel-Verlag, Würzburg 1989, ISBN 3-8023-0235-4 .
  • SICK AG: “Safe Machines” guidelines . 2008.
  • Carsten Gregorius: Functional safety of machines . Beuth-Verlag, 2016, ISBN 978-3-410-25249-8 .
  • AVENTICS GmbH: "Machine Safety - Expertise for Pneumatics" . 2017.

Individual evidence

  1. Communication 2009 / C 321/09 (PDF) in the Official Journal of the European Union
  2. ^ Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA): SISTEMA software assistant. Accessed January 30, 2019 .
  3. ^ Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA): Safety-related application software for machines - The IFA matrix method (IFA Report 2/2016). Retrieved January 24, 2020 .
  4. ^ Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA): SOFTEMA software assistant. Retrieved January 24, 2020 .
  5. berufssicherheit.de: Detect manipulation of protective devices. Retrieved August 6, 2018 .
  6. ^ A b Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA): Incentives for manipulating protective devices. Retrieved August 6, 2018 .
  7. ^ Mannheim Association for the International Promotion of Machine and System Safety eV: Preventing the manipulation of protective devices on machines. Retrieved August 6, 2018 .