Printed Copies are Uncontrolled
Page 1 of 11
Standard Number w-EL10
Issue Date: 2-06-06
Global Manufacturing Standards
Programmable Safety Systems
Rev: 1

1. PURPOSE AND SCOPE

The aim of this Standard is to establish the principles for the specification, use and maintenance of Programmable Safety Systems (PSS) that together create a Safe System of Work.

1.1. Applicability/Scope

This Standard applies to Ford Motor Company's manufacturing facilities, worldwide.

1.2. Exceptions

None.

1.3. Mandatory and Preferred Items

Mandatory requirements of this Standard and associated appendices are characterized by the use of the word "shall". Departure from these requirements requires a written deviation prior to shipment to a Ford site. Preferred items are characterized by the use of the word "should".

1.4. Objectives

The objectives of this Manufacturing Standard are as follows:

- Specify mandatory requirements for the application of Programmable Safety Systems.
- Through the use of appendices, identify specific forms and Programmable Safety Controllers that meet the intent of this standard.
- Identify a means to control changes to Programmable Safety Systems and detect unauthorized change.
- Specify documentation requirements and approved methods for the certification/re-certification of applications.

2. REFERENCE STANDARDS

Whenever a specific Standard is referenced, it shall be the latest revision, unless otherwise specified.

2.1. Ford Standards and Specifications

- E1 QSL Qualified Source List, North American Electrical Equipment (North America only)
- Program Approved Source Lists

2.2. Industry Standards

2.2.1. Programmable Safety Controllers:

- IEC 61508 - Functional safety of electrical/electronic/programmable electronic safety-related systems.
- ANSI NFPA 79 - Electrical standard for industrial machinery.
- ANSI UL508 - Standard for Industrial Control Equipment.
- CSA C22.2 No. 0.8 and No. 14

2.2.2. Programmable Safety Controller Installation

- IEC 62061 - Safety of machinery, Functional safety of safety-related electrical, electronic and programmable electronic control systems.
- IEC 60204 - Safety of machinery - Electrical equipment for machines.
- ANSI NFPA 79 - Electrical standard for industrial machinery.

2.2.3. Risk Assessment

- ISO 14121 - Safety of machinery - Principles of risk assessment.
- ISO 13849-1 (Note: equivalent to EN954-1:1997) - Safety-related parts of control systems - Part 1: General principles for design. Note: Used to define safety categories.

Note: The following tools should be used to assist in the development of individual machine risk assessment.

- IEC 62061 - Safety of machinery, Functional safety of safety-related electrical, electronic and programmable electronic control systems.
- ANSI RIA R15.06 - Industrial robots and robot systems - safety requirements.
- ANSI B11.TR3 - Risk assessment and risk reduction - A guide to estimate, evaluate and reduce risks associated with machine tools.

2.3. Testing and Certification

2.3.1. Programmable Safety Controllers shall be CE Marked to meet IEC61508 and have NRTL certification to NFPA79 and UL508.

3. CONFORMANCE

3.1. Material and Components

3.1.1. All materials and components supplied to this Global Manufacturing Standard shall be equivalent in all respects to material upon which approval was originally granted. Any deviations from this Standard, without written notice and subsequent review and re-approval by the Ford Global Manufacturing Standards - Electrical Technical Committee, will be sufficient cause for removal from the Ford Global Manufacturing Standards - Electrical Qualifying Source List (E1-QSL).

3.1.2. All products submitted for evaluation shall be "off-the-shelf" catalog types manufactured with normal production procedures and quality control. Prototypes will not be considered.

3.1.3. The Programmable Safety Controller (PSC) supplier shall provide a written statement of their procedures should a safety recall or safety notice be required.

3.2. Data Sheets and Appendices

3.2.1. Suppliers shall submit a Programmable Safety Standard appendix numbered with this Standard. Suppliers shall also submit relevant Data Sheets and copies of test Agency certificates and associated letters and documentation which cite the actual standards their products were tested to. The Vice President (or equivalent) of Engineering or a higher officer of the Supplier's (Manufacturer's) company shall sign the original copy of the appendix.

3.2.2. Approvals shall be made based on conformance to this Standard as certified by the above Data Sheet, the required Agency approvals, as well as laboratory and performance tests and documented Shop Trials. All documentation is subject to the review of Ford Global Manufacturing Standards - Electrical Technical Committee.

3.2.3. The following appendices identify mandatory forms for use when applying Programmable Safety Systems:

- Appendix 1 - PSS Design and Installation Assessment
- Appendix 2 - PSS Permit to Work

3.3. Approved PSS Controller Appendices

3.3.1. The Programmable Safety Controllers listed below conform to the requirements of this standard.

- Appendix P1 - Pilz PNOZmulti
- Appendix R1 - Rockwell Automation Allen Bradley GuardLogix Integrated Safety
- Appendix S1 - Siemens SINUMERIK Safety Integrated CNC system.

4. DEFINITIONS

4.1. Application Code - Software that is designed and written for a specific machine or equipment task.

4.2. Certified Design - The approved hardware and software design referenced in the Declaration of Certification.

4.3. Checksum - A unique value that is automatically generated by the Programmable Safety Controller when the application is compiled. Any change to the application program will cause the generation of a new value.

4.4. Declaration of Certification - A written declaration that a Programmable Safety System application has been tested and complies with stated criteria.
4.5. OEM - Original Equipment Manufacturer. A machine tool or equipment supplier.

4.6. Permit to Work - A documented procedure designed to maintain a safe system of work.

4.7. Program Approved Source Lists - A list of parts approved for use by the requisitioning authority.

4.8. Programmable Safety Controller - A programmable or configurable software and firmware-based system that meets the requirements of current standards by guaranteeing safety through redundancy, diversity, and self-monitoring.

4.9. Programmable Safety System (PSS) - A machine/equipment safety system that utilizes a Programmable Safety Controller.

4.10. Programming Software - A software tool used to write Application Code.

4.11. Qualified Person - A person that has successfully completed all three levels of training specified in Section 5.3 of this standard.

4.12. Responsible Person - A person empowered by the Ford management to make decisions and instruct Qualified Persons in work related to a specific task, and having the necessary knowledge and experience for that purpose.

4.13. Technical Guideline - A document issued by the Programmable Safety Controller manufacturer to supplement their user manual.

4.14. Temporary Change - An interim change to the Certified Design, implemented for a period of time necessary to resume production safely until the Certified Design or permanent change can be implemented.

5. INSTRUCTIONS/REQUIREMENTS

5.1. Product Approval

5.1.1. Only manufacturers and Programmable Safety Controllers with an approved PSS Controller appendix shall be used.

5.1.2. Only part numbers listed in the E1 QSL Qualified Source List, North American Electrical Equipment and Program Approved Source List shall be used in North American applications. In other regions only part numbers listed in the Program Approved Source List shall be used.

5.1.3. For North American applications, supporting safety devices (e.g. gate switches, emergency stop switches, etc.) shall be selected from parts listed in the E1 QSL Qualified Source List and Program Approved Source List. In other regions only part numbers listed in the Program Approved Source List shall be used. Whilst the supporting safety device manufacturer will remain responsible for the compliance of their products, the Programmable Safety Controller supplier shall review the compatibility of supporting safety products listed on the Program Approved Source List. Technical justification shall be provided for any product not considered suitable.

5.2. Hardware and Software Configuration Requirements

5.2.1. The PSS shall be designed to meet the risk category required by the application.

5.2.2. Hardware and software shall be selected, installed, and used in accordance with the manufacturer's user manual and technical guidelines.

5.2.3. The PSS application code shall provide sufficient information to ensure appropriate fault messages are displayed on the main operator screen.

5.2.4. A copy of the application code shall be provided for each machine/equipment.

5.3. Training

5.3.1. Training for the application, use and maintenance of Programmable Safety Systems is an essential element required to maintain system integrity.

5.3.2. The local Engineering Manager responsible for Controls Engineering and OEM shall manage training to ensure the competence of their employees.

5.3.3. Three levels of formal training shall be available for a Programmable Safety Controller, namely:

- Level 1 - Awareness Training. Non product specific training to provide PSS fundamentals and a detailed understanding of the requirements and processes associated with the application and use of Programmable Safety Systems.
- Level 2 - Maintenance Training. Product specific training for the maintenance of a particular Programmable Safety System.
- Level 3 - Design and Configuration Training. Product specific training for the design, configuration and reconfiguration of a Programmable Safety System.

5.3.4. A Qualified Person must complete all three levels.

5.3.5. Upon request, a trained or Qualified Person shall provide a copy of their Training Certificates for the Programmable Safety Controller being worked upon.

5.4. Certification or Recertification of Applications

5.4.1. A PSS Design and Installation Assessment (see Appendix 1) shall be completed for each PSS application. The assessment shall be made against the test procedure identified in the appropriate PSS controller appendix.

5.4.2. Prior to shipment to a Ford site, a Qualified Person from the Machine Tool/Equipment provider shall complete and sign the Design Criteria Assessment section of the PSS Design and Installation Assessment.

5.4.3. Prior to use in production, a Qualified Person nominated by the responsible Ford Motor Company Manager shall complete and sign the Installation Criteria Assessment section of the PSS Design and Installation Assessment. Testing shall include a functional check when the machine is fully installed and commissioned on site.

5.4.4. The successful completion of the PSS Design and Installation Assessments shall represent a Declaration of Certification.

5.4.5. The Declaration of Certification is only valid if the Design and Installation Criteria Assessment checksum values are identical.

5.4.6. Appropriate testing and a new Declaration of Certification are required if the Certified Design is changed in any way.

5.4.7. To demonstrate proof of process, the OEM and end user plant shall retain appropriate records including, but not limited to, Declarations of Certification and Permits to Work. Responsibility for the records management within Ford Motor Company is decentralized across the enterprise and requires that departments and their employees comply with Global Information Standards (GIS). The minimum record retention period for safety records 16.14 is 10 years or until machine/equipment is scrapped from a Ford facility, whichever is the longer.

5.5. Change Management and Detection

5.5.1. The application code related to the PSS shall be password protected. Passwords shall not be used as the only means of change management.

5.5.2. The password shall be set to the value shown in the appropriate PSS controller appendix.

5.5.3. Each Ford Division shall implement and maintain documented PSS change control and periodic testing procedures to ensure no unauthorized changes are made to the PSS application. The Division Safety Office shall concur with the Change Control Procedure.

5.5.4. The design of the PSS shall include a means to detect an unauthorized change. The recommended process for each system type shall be documented in the appropriate PSS controller appendix.

5.5.5. During the life of a PSS application it may become necessary to change the Certified Design on a temporary or permanent basis. To ensure the safety of people working in the area, the following procedure shall be used:

1/ Prior to work commencing, the Responsible Person and Plant Safety Engineer shall:

- Survey the work to be carried out.
- Raise a Permit to Work (Appendix 2) and document the work to be carried out.
- Evaluate the hazard potential.
- Determine the detailed standards and procedures to be observed.
- For a permanent change, confirm that the Ford Manufacturing Engineering Manager or his/her designee has authorized a change to the Certified Design.
- For a temporary change, identify the period of time until the Certified Design or permanent change can be implemented.
- Identify the Qualified Person that will carry out the work. Note that only Qualified Persons are authorized to change a Certified Design.

2/ Where appropriate, the Responsible Person shall instruct the named Qualified Person to put in place the safety measures identified at step 1 and complete the work detailed on the Permit to Work.

3/ On completion of the work and prior to the machine or equipment's use in production the Responsible Person,