PUBLISHED DOCUMENT
PD CR 954-100:1999

Safety of machinery - Safety-related parts of control systems - Part 100: Guide on the use and application of EN 954-1:1996

ICS 13.110

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

COPYRIGHT European Committee for Standardization. Licensed by Information Handling Services.

National foreword

This Published Document reproduces verbatim CR 954-100:1999. The UK participation in its preparation was entrusted to Technical Committee MCE/3, Safeguarding of machinery, which has the responsibility to:
- aid enquirers to understand the text
- present to the responsible internao
- monitor related international and European developments and promulgate them in the UK.

A list of organizations represented on this committee can be obtained on request to its secretary.

Cross-references

The British Standards which implement international referred to in this document may be found in the BSI Standards Catalogue under the section entitled "International Standards Correspondence Index", or by using the "Find" facility of the BSI Standards Electronic Catalogue.

A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application.

Compliance with a British Standard does not of itself confer immunity from legal obligations.

Summary of pages

This document comprises a front cover, an inside front cover, the CR title page, pages 2 to 6, an inside back cover and a back cover.

The BSI copyright notice displayed in this document indicates when the document was last issued.

This Published Document,
having been prepared under the direction of the Engineering Sector Committee, was published under the authority of the Standards Committee and comes into effect on 15 November 1999.

© BSI 11-1999
ISBN 0 580 35428 8

CEN REPORT / RAPPORT CEN / CEN BERICHT
August 1999

English version

Safety of machinery - Safety-related parts of control systems - Part 100: Guide on the use and application of EN 954-1:1996

Sécurité des machines - Parties des systèmes de commande relatives à la sécurité - Partie 100: Guide d'utilisation et d'application de l'EN 954-1:1996

Sicherheit von Maschinen - Sicherheitsbezogene Teile von Steuerungen - Teil 100: Leitfaden für Benutzung und Anwendung der EN 954-1:1996

This CEN Report was approved by CEN on 10 March 1999. It has been drawn up by the Technical Committee CEN/TC 114.

CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
COMITÉ EUROPÉEN DE NORMALISATION

Central Secretariat: rue de Stassart, 36 B-1050 Brussels

© 1999 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CR 954-100:1999 E

Foreword

This CEN Report has been prepared by Joint Working Group 6 (JWG 6) of CEN Technical Committee 114, the secretariat of which is held by DIN. It is offered for
all to see because JWG 6 is concerned that EN 954-1:1996 is at times being incorrectly used and interpreted. JWG 6 is preparing an Amendment to EN 954-1:1996 to incorporate the ideas in this CEN Report together with some additional points.

0 Introduction

EN 954-1 was published in 1996 and from experience gained it is clear that there have been difficulties in understanding how this standard is to be used. This CEN Report gives advice on how to avoid misinterpretations.

EN 954-1:1996 gives guidance on the principles to be followed in:
- designing safety-related parts of control systems (EN 954-1:1996, clause 4);
- the characteristics of safety functions (EN 954-1:1996, clause 5);
- the requirements for the categories of safety-related parts of control systems (EN 954-1:1996, clause 6).

Feedback from users indicates that the scope of EN 954-1:1996 is not fully understood. Therefore it must be emphasised that the standard does not give guidance on:
- the systematic application of the risk reduction process to the selection of the categories of safety-related parts of the control system;
- the application of the risk reduction process to the overall safety requirements of the machine
(see EN 954-1:1996, step 2 in figure 1);
- the detailed implementation of safety-related parts utilising different technologies and in particular when different technologies are combined within one safety function.

1 Purpose

This CEN Report provides guidance on the appropriate use and interpretation of EN 954-1:1996. It also gives further information on the following topics:
- how the control system contributes to reducing risk in the machine;
- what is meant by the safety-related parts of the control system in relation to safety functions;
- the proper selection and use of categories;
- the role of annex B of EN 954-1:1996.

2 Normative references

Not appropriate. For references referred to within this CEN Report, see annex A.

3 Correct use of EN 954-1:1996

The issues presented in EN 954-1:1996 are complex. The clauses of the standard are interrelated and cannot be used alone. It is therefore necessary to take into account ALL clauses of the standard.

4 Explanation of the design procedures

The overall design procedure is given in EN 292-1:1991, clause 5. Part of this process is a risk assessment, the principles of which are given in EN 1050. This risk assessment covers the whole machine life cycle. If it is found that there are risks which must be reduced, then appropriate measures must be chosen. EN 292-2:1991 gives guidance on the measures for risk reduction.

Part of the risk reduction process is to determine the safety functions (see EN 292-1:1991, 3.13) of the machine. This will include the safety functions of the control system, e.g. emergency stop function, start and restart (see EN 954-1:1996, clause 5).

A safety function may be implemented by one or more safety-related parts of the control system. The designer may use any of the technologies available, singularly or in combination. A safety function can also be an operational function, e.g. a two-hand control as a means of cycle or process initiation.

A typical safety function is given in figure 1 showing safety-related parts (SRP) for:
- input (SRPJ;
- logic/processing (SRPJ;
- output/power control elements (SRPJ;
- interconnecting means (i components consist of one or more elements.

NOTE 2: All interconnecting means are included in the safety-related parts.

NOTE 3: An example of a safety function is shown in figure 2 and the associated text.

Each safety-related part of the safety function may be made from different technologies. Different technologies may be used for implementing within each safety-related part, e.g.
an input comprising a mechanical actuator linked to a light-activated signal converter.

Having established the safety functions of the control system, it is then necessary to identify the safety-related parts of the control system (see EN 954-1:1996, 3.1 and clause 8) and then decide how important the contribution is to the risk reduction process. The protective measures provided by the control system depend on this contribution and not directly on the overall risk reduction for the hazard being considered.

NOTE 4: The loss of a safety function does not lead automatically to an injury or a damage to health if other effective protective (safety) measures have been taken.

The more the reduction of risk depends on the safety-related parts of control systems, the higher the ability of those parts to resist faults is required to be (according to EN 954-1:1996, 4.2). Therefore protective measures to reduce the risk must be taken, principally:
- Reducing the probability of faults at the component level. The aim is to reduce the probability of faults or of failure modes which affect the safety function. This can be done by increasing the reliability of components, e.g. by selection of well-tried components and/or applying well-tried safety principles, in order to exclude critical faults or failure modes. EN 954-1:1996 does not give a systematic view on reliability requirements.
- Improving the structure of the system. The aim is to avoid the dangerous effect of a fault.
Some faults may be detected and a redundant and/or monitored structure may be needed.

Both measures can be used separately or in combination. With some technologies, the required risk reduction can be achieved by selecting reliable components and by fault exclusions, but with other technologies, risk reduction may require a redundant and/or monitored system with two or more parts. In addition, common cause failures should be taken into account.

One way of describing these measures is to use the system of five categories established in EN 954-1:1996, clause 6.

5 Categories

Categories (for definition see EN 954-1:1996, 3.2) are intended to classify safety-related parts of the control system which carry out a safety function, on the basis of their performance in case of fault. These parts may be used singly or in combination.

The categories should be considered as reference points for the performance of a safety-related part of a control system with respect to the occurrence of faults (see EN 954-1:1996, clause 0). Categories cannot and never should be considered as having accurately delineated limits because the assessment of the parameters being considered can be subjective.

The common conception that the categories of EN 954-1:1996 always or alone correspond to levels of risk is not correct. In choosing a category, the designer must also consider the safety performance to be achieved and this will depend upon both the structure and the reliability of those safety-related parts. EN 954-1:1996 does not fully specify reliability requirements. Therefore all that can be said about the safety performance for a given technology is:
1) Categories 1, 2, 3
and 4 are all better than Category B;
2) In categories B, 1 and 2 a single fault can lead to the loss of the safety function;
3) Categories 3 and 4 will not fail due to a single fault (common mode faults are considered as a single fault);
4) Category 4 has the best performance as regards fault tolerance because an accumulation of faults is considered.

Control systems employing certain technologies cannot always be designed to satisfy every category, e.g. a mechanical link which meets the requirements of Category 1 but which cannot meet the requirements of Categories 3 or 4. However, the expectation that the safety function will be performed can be equal to, or higher than, that of some other systems which meet Categories 2, 3 or 4.

When a safety function is implemented by several safety-related parts of the control system, three possibilities can occur:
a) each of the safety-related parts has the same category and can be assigned the same overall category;
b) safety-related parts to different categories but used in combination in such a way that an overall category is assigned;
c) an overall category cannot be assigned because the technologies used cannot be designed to satisfy
every category.

Detection of a fault by the control system in a Category 3 is not always necessary when a fault is self evident, e.g. when the machine itself reveals the fault by not allowing a start or restart.

Type-C standard writers and designers should be aware of the limitations of setting out the performance of the safety function in terms of an overall category because of the limitations in the category requirements, particularly for reliability.

6 Selection of categories

When selecting categories for the safety-related parts which carry out the safety function(s) (see EN 954-1:1996, clause 6), faults which can occur in those parts must be considered under two aspects:
- evaluating the probability of failure or effect of a fault in those parts;
- considering the effect of failure or a fault in those parts on the safety function.

The required performance of the safety function depends upon the level of risk; if the risk is high, the required performance is high and vice versa. When determining the performance, the essential safety and health requirements of directive(s) must be followed. The relevant harmonised standards reflect the state of the art in various applications
and this information should be taken into account when selecting categories.

The probability of occurrence of faults is usually established by qualitative estimation, because there is seldom enough data to give a basis for quantitative procedures. This means that in most cases Failure Mode and Effects Analysis (FMEA - see IEC 60812) or similar methods should be used. All relevant faults and/or failure modes should be considered and the actual performance of the safety function in case of a fault should be checked against the required performance.

Some faults or failure modes can be excluded if the probability of their occurrence is very low. This probability depends upon the application conditions. One important consideration is the frequency of demands on the safety function which can vary enormously (from infrequent, e.g. emergency stop device, to continuous, e.g. control of moving machine parts). Because of this, average values or estimates of acceptable failure rates cannot usually be given.

After the whole procedure of risk reduction, a validation (see EN 954-1:1996, clause 8) should be made. This validation is part of the validation of the whole machine system.

[Figure 2: Example to explain the use of categories. Labels in the figure: output signal, fluidic directional valve, fluidic actuators, hazardous movement, checking function, guard, input signal, electronic control logic, position device, scope of EN 954-1.]

NOTE: The stop and start functions have been omitted to keep the example simple.

Figure 2 is a schematic diagram of the safety-related parts to provide one of the functions to cont