4 david schepers certification process safety relay modules for machinery applications

Certification Process: Safety Relay
Modules for Machinery Applications

Dr. David Schepers

TÜV Rheinland Industrie Service GmbH
Automation and Functional Safety
Am Grauen Stein
51105 Cologne – Germany

Mailto

+49 221 806 4506
david.schepers@de.tuv.com

Certification Process: Safety Relay Modules
Overview
• Introduction
• Relevant Standards
• Required Documentation for Certification
• Design Requirements of FS Standards (EN ISO 13849 / EN 62061)
• Requirements for Electrical Equipment/Electrical safety
• V&V-Activities, Practical Tests
• Special Design Requirements, Examples
• User Manual
• EC Declaration of Conformity
• UL Certification: Special Requirements / Considerations
• Summary

Certification Process: Safety Relay Modules for Machinery Applications

Safety Relay Modules: Introduction
Fields of Application
• Typical applications of safety relay modules:
− Emergency stop control
− Two-hand control
− Zero-speed monitoring
− Monitoring of position switches
− Door-lock control
− Light curtain control
− Universal relay modules for various applications
− … and others
• Required safety levels:
Up to SIL 3 (EN 62061 / IEC 61508) and PL e / Cat. 4 (EN ISO 13849)


Safety Relay Modules: Introduction
Classification of Safety Relay Modules according to 2006/42/EC, Annex IV
• ……
• 15. Guards for removable mechanical transmission devices
• 19. Protective devices designed to detect the presence of persons.
• 20. Power-operated interlocking movable guards designed to be used as
•

safeguards in machinery (presses, plastics-molding machinery, rubber-

•

molding machinery each with manual loading or unloading)

• 21. Logic units to ensure safety functions.
• 22. Roll-over protective structures (ROPS).
• 23. Falling-object protective structures (FOPS).

Safety relay modules have to be qualified
in accordance with EN ISO 13849-1:2008 and / or EN 62061:2005.
An EC Type Examination Certificate is issued by a Notified Body.

Safety Relay Modules: Relevant Standards
General Standards (Functional Safety / Electrical Safety)
• EN ISO 13849-1: Safety of Machinery – Safety Related Parts of Control Systems –
Part 1: General Principles for Design (successor of EN 954 which is not valid anymore)
• EN 62061: Safety of Machinery – Functional Safety of Safety-Related Electrical,
Electronic and Programmable Electronic Control Systems
• IEC 61508 (not harmoized under EC Machinery Directive!): Functional Safety of
Electrical/Electronic/Programmable Electronic Safety-Related Systems
• EN 60204-1: Safety of machinery – Electrical equipment of machines –
Part 1: General requirements
• EN 60664-1: Insulation coordination for equipment within low-voltage systems –
Part 1: Principles, requirements and tests


Safety Relay Modules: Relevant Standards
Application Specific Standards (Examples)
• EN ISO 13850: Safety of machinery – Emergency stop – Principles for design
• EN 574: Two-hand control devices – Functional aspects and principles for design
• EN 61496-1: Safety of machinery – Electro-sensitive protective equipment –
Part 1: General requirements and tests
• EN 61800-5-2: Adjustable speed electrical power drive systems –
Part 5-2: Safety Requirements – Functional
• … and others


Required Documentation (EN ISO 13849 / EN 62061)
Required Documents for Concept Phase:
• Safety Plan:
Project organization, documentation system, responsibilities, product life cycle,
measures for fault avoidance, configuration management, …
• Safety Requirement Specification (SRS):
Description of product & application, definition of safety functions, definition of
inputs/outputs, definition of temporal behavior, …
• Verification and Validation Plan (V&V-Plan):
Planning of V&V-activities, applied tools, applied testing techniques/measures, …

TÜV Rheinland may provide appropriate templates and support
the creation of the above mentioned documents!


Required Documentation (EN ISO 13849 / EN 62061)
Documents for Main Approval (Products without Software):
• Document list: List of safety relevant documents including name, content and version
• Technical documentation: Schematics, PCB layout (e.g. Gerber files), partlist (BOM),
design of housing
• Test reports: Functional/fault insertion tests (FIT), EMC, environmental tests
• FMEA: Failure Mode and Effects Analysis
• Calculation of safety relevant parameters
• User documentation
• EC declaration of conformity
• Other technical documentation, proof for fault exclusion, further test reports etc.


Design Requirements (as a result of risk assessment)
Determination of required safety level (PL) according to EN ISO 13849
Determination of PL (EN ISO 13849, successor of EN 954):
low
Risk
F1
S1
F2

Start

F1

Severity of injury:
S1 slight
S2 serious

S2

Frequency and/or exposure time for hazard:
F1 seldom / short duration of exposure time
F2 frequent to continuous / long duration of exposition

F2

P1
P2
P1
P2
P1
P2
P1
P2

Possibilities of avoiding the hazard
P1 possible under certain conditions
P2 almost impossible


Required
Performance
Level PLr

a
b
c
d
e
high
Risk

Design Requirements
Category / Performance Level / SIL
Depending on the risk, the standards of functional safety require:
• Performance Level (EN ISO 13849, includes Categories of EN 954)
• Safety Integrity Level (EN 62061)
High risks demand high safety levels (for example Performance Level e / Category 4 /
Safety Integrity Level 3).
⇒The design is significantly influenced by the required safety level!
⇒The higher the safety level, the higher the effort for technical realization.


Design Requirements
Characteristics of the Categories in EN ISO 13849-1 (successor of EN 954)

B

Compliant to standard, use of basic safety principles, specified function under
specified conditions, not fail safe!

1

See B and use of well-tried components and safety principles, not fail safe!

2

See B and use of well-tried safety principles, test after power-on and within
suitable time intervals

3

See B and use of well-tried safety principles,
safe for single faults, fault detection

4

See B and use of well-tried safety principles, safe for 2 faults in combination or
detection of fault before or at next demand of safety function


Design Requirements
Typical Safety Structure for Safety Levels up to PL e / Category 4 / SIL 3

Characteristics:
• Two-channel structure
(Hardware Failure Tolerance HFT = 1)
• Power supply: Single channel (HFT = 0)
• Monitoring/cross-comparison (diagnostics)
Questions:
• Realization of diagnostics (without
complex electronics)?
• 2-fault safety for single channel part
(power supply)?
• Which faults must be considered?


Design Requirements
Realization of Diagnostics within Safety Relay Modules

• „Intelligent“ testing (e.g. test pulses)
not possible without complex electronics
• Idea: In case of failure, device must
enter safe state (switch relay
outputs off) and remain in lock-out
state (no restart possible)
• Appropriate design and application
of (certified) relays with forcibly
guided contacts!


Design Requirements
Characteristics of Relays with Forcibly Guided Contacts
• Mechanical linkage between the contacts such,
that never NO and NC contacts are closed simultaneously.
• If a NO contact is closed, the forcibly guided NC contact
cannot be closed too. Minimum contact separation: 0.5mm
• If a NC contact is welded,
the forcibly guided NO contact
cannot be closed too.

• Used in safety circuits, where contact
monitoring is required in order to detect
failure conditions. The NO contacts
can be monitored by a NC contact.

L

K1
Control/
Monitoring

• The positively guidance of contacts is
a relay feature, which cannot fail, not even
under failure conditions (fault exclusion).

+UB

k11

k12

k21

k22

K2

Monitoring

NO: Normally Open / NC: Normally Closed (when relay is de-energized)


Load
N

Design Requirements
Application of Relays with Forcibly Guided Contacts
L

• Application of the NO contacts as outputs
• Monitoring of NO contacts by means of NC
contacts (forcibly guided contacts)
• NC contacts shall be applied such, that in
case of failure a restart is not possible =>
device is in lock-out state and failure detected

SR

• Failures can only be detected at state change:
Execution of safety function must be guaranteed
either by application or be demanded by user manual
• Recommendation of Vertical Group 11 (European Coordination of Notified Bodies):
- at least every month for PL e / Cat. 4 / SIL 3 with HFT = 1
- at least every 12 month for PL d / Cat. 3 / SIL 2 with HFT = 1


M

Design Requirements
Deterministic Fault Consideration / Fail-Safety
In order to prove the fail-safety (safe behavior of a device in case of a fault) the following
shall be considered:
• Which faults (failures) have to be assumed?
• Which faults can be excluded?
• Under which conditions/constraints can these faults be excluded?
• How are the effects of faults?
• When is a fault revealed (time until fault detection)?
Fault lists / fault models can be found in :
• ISO 13849-2 (EN 954-2) (various technologies)
• Annex B of IEC / EN 61496-1 (electrical / electronic components)

Most relevant faults for low complex electronic circuits:
Open/short circuit, component drift.

Design Requirements
Consideration of Single Channel Parts (e.g. Power Supply)
• Fail-safe design or high quality diagnostics (99% of failures detectable)
necessary for high safety levels (e.g. Cat.4 / PL e / SIL 3)!
• In some cases fault detection is difficult to realize,
especially for protective elements (overvoltage protection)
• For Category 4: Combination of two failures must be considered,
if failures cannot be detected
• If necessary, two-fault safety must be guaranteed by redundancy (application of
redundant protective elements)


Requirements for Electrical Safety
Installation / Environmental Conditions
• Assumption of pollution degree II
(IP54 housing or mounted in cabinet)
• Overvoltage category III (industrial applications)
• Application of 24 V DC SELV/PELV power supply,
SELV: Safety Extra Low Voltage,
PELV: Protective Extra Low Voltage
• Maximum voltage at output relay contacts: 230 V AC
• EN 60947-1 (Low-voltage switchgear and controlgear – Part 1: General rules):
Annex N3.2 defines requirements for insulation if device is connected to
SELV / PELV supply

EN 60947-1 demands double or reinforced insulation for separation
between SELV / PELV circuits and 230 V circuits!

Clearances / Creepage Distances for Double / Reinforced Insulation

(Source: Extract from EN 60664-1, rated impulse voltage for nominal voltage 230/400V and OVC III)

Requirements of EN 60664-1:
• Basic insulation: Value corresponding to nominal voltage of supply system and
overvoltage category. For 230V/400V three phase and overvoltage category III: 4kV
• Reinforced insulation: One step higher than corresponding value of basic insulation!
For 230V/400V three phase and overvoltage category III: 6kV!

Example: Clearances for reinforced insulation
• 230/400V three phase supply,
overvoltage category III
• Rated impulse voltage: 6kV (reinforced
insulation, see previous slide)
• Polution degree: 2
(if IP54 housing or mounted in cabinet)
• Resulting clearances: 5.5 mm

(Source: Extract from EN 60664-1,Clearances for rated impulse voltage)


Special Requirements for Clearances
• Attention: Solder mask layer on PCB might
be damaged or suffer aging => all circuit lines
on top or bottom layer of PCB must fulfill
specified clearances (not creepage distances!)
• For same reason: Solder mask does not allow
reduction of pollution degree!
• For Inner layers of multi-layer PCBs the distances
are considered as clearances as layers may
delaminate
• For fault exclusion additional requirements must be
considered (e.g. fault exclusion „short circuit“ between
two adjacent circuit paths: see EN ISO 13849-2, Table D.5)
• Other conditions (higher pollution degree, higher voltages, etc.) might require higher
clearances or creepage distances


Safety Relay Modules: V&V Activities, Practical Tests
Overview of Required V&V Activities
• Functional Test
• Fault Insertion Tests
• Environmental Tests
• IP Protection Degree
• EMC Tests
• Design Analysis (FMEA)
• Calculation of safety relevant parameters
• All V&V Activities must be documented!


Functional & Fault Insertion Tests
• Performed in cooperation (witness tests) or by TÜV Rheinland
• Functional Test:
- Specified Functionality
- Reaction Time
- etc.
• Fault Insertion Tests:
- Short circuit / open connection at input/output pins
- Overvoltage test (SELV/PELV: Maximum 60V DC)
- Open ground connection
- Internal faults at any electronic components
(open connection, short circuit, drift, …)
- Any test which might be necessary to
proof functional safety („surprise tests“)


Environmental Tests / IP Protection Degree
• Verification of product specifications (during storage/transport and operation)
• For safety relay modules:
- Cold
- Dry Heat
- Damp Heat
- Temperature Change
- Mechanical Shock
- Vibration
• Test sequences: see IEC 60068 series
• IP protection degree test: see IEC 60529


EMC Tests with Increased Immunity Levels (IEC 61326-3-1)
Port

Phenomenon

Basic Levels (IEC 61000-6-2)

Increased Levels (IEC 61326-3-1)

Enclosure

ESD

4 kV / 8 kV

6 kV /8 kV contact / air discharge

EM field

10 V/m (80 MHz – 1 GHz)

20 V/m (80 MHz – 1 GHz)
6 V/m (1.4GHz – 2.0 GHz)
3 V/m (2.0 GHz – 2.7 GHz)

DC Power

Burst

2 kV

4 kV

Surge

0.5 kV (line to line),
0.5 kV (line to ground)

1 kV (line to line),
2 kV (line to ground)

Conducted RF

10 Vrms

10 Vrms

…

Where a product standard for functional safety products (e. g. IEC / EN 61496-1) specifies
different test levels, those different test levels are applicable.

FMEA (Failure Mode and Effects Analysis)
A failure modes and effects analysis
• is a systematic procedure to analyze a system
• shall identify potential failure modes
• shall determine their cause and their consequences
on a system behavior
• may be performed on functional block or component level


Design Analysis: FMEA for Interlocking Device

Circuit Example: Simple Interlocking Device (Door Monitoring), Category 3


FMEA for Interlocking Device on Component Level
device fault
S1
open-circuit on all 4
wires
short circuit between 2
wires:
KS1
KS2

12 3 456
S2

K1

K11

K12
K13

KS3
KS4
KS5
KS6
mechan. blocked
(closed-position)
mechan. blocked
(open-position)
open
short circuit
mech. blocked
mech. blocked (open
position)
does not drop-out
does not close
Welded
does not close
welded
does not close
welded

fault consequences
K1 , K2 drop out, or keep being dropped out
Safety ensured by S2
in closed-pos. K1 shutdown by S2
in open-pos. K2 shutdown by S1 and S2
Safety validated by S2.
In open position K2 shutdown by S2.
Safety validated over S2
like KS1
like KS2
are already connected
Safety validated by S2, no redundancy
Shutdown of K2 if door opens, K1 does not switch on. If
closed again K2 does not switch on.
K2 keeps being dropped out

yes

like S1
like S1
like S1
no initialisation if door closed

yes
yes
yes
yes

output open
K1 no self-lock; if closed K1 drops out before K2
switches on
k13 open , output open
K2 does not switch on if door closed
K13 open (positively driven)
output open
K11, K13 open (positively driven), no initialisation

yes
yes

K2
.


fault detection?
yes
undetected

undetected
undetected
undetected
undetected
undetected
yes

yes
yes
yes
yes
yes

Calculation of Safety Relevant Parameters
The following parameters shall be determined according to EN ISO 13849 / EN 62061:
• DC (Diagnostic Coverage): Determination by FMEA and/or estimation
• SFF (Safe Failure Fraction): Determination by FMEA and consideration of DC
• λD (Dangerous Failure Rate): Summing up failure rates λ
(possible source: Siemens Standard SN 29500) and determination
of λD under consideration of SFF / DC
• MTTFd (Mean Time to Dangerous Failure): MTTFd = 1 / λD
• PFHD: Calculation according to formulas of EN 62061

TÜV Rheinland may support you in performing the FMEA and
calculating the safety relevant parameters for your product!

Calculation of Safety Relevant Parameters
Example: Estimation of DC for relay output contacts (extract of Annex E / EN ISO 13849)

Note: Remember the VG11 recommendation!!
1 signal change per year for PL d / Cat.3 / SIL2 (HFT=1),
1 signal change per month for PL e / Cat.4 / SIL3 (HFT=1)


MTTFd for components with mechanical wear
For electro-mechanical components (e.g. relays) the B10d value is provided.

MTTFd =
nop =

d op x hop x 3600

B10 d
0.1 x nop

s
h

tcycle

T10 d =

B10 d
nop

nop

average number of operating cycles per year

hop

average number of operating hours per day;

dop

average number of operating days per year;

tcycle

average time in sec between 2 operating cycles.

T10d

mean time until 10 % of the components fail dangerously

(Note: The operation time of the component is limited to T10d)


Additional Notes
• Recommendation: Application of certified relays to avoid that most test sequences
according to EN 60947-1 / EN 60947-5-1 must be repeated
• For tests performed at manufacturer or external laboratories: Assessment or
accreditation acc. to ISO/IEC 17025 necessary for acceptance
• All V&V activities and practical tests must be documented
• Appropriate documentation system must be installed
• Documents must contain at least title, version/date, signatures of responsible persons
• Test protocols must contain all information to keep results reproducible (list of applied
measurement equipment, measurement accuracy, test conditions, etc.)


Safety Relay Modules: Special Design Requirements,
Examples
Monitoring of Start Signal
For detection of short circuit/welded contacts at start button: Dynamic signal monitoring


Examples
Overvoltage Protection Circuit
In case of fault (60V ramp), combination of Zener diode/Voltage Dependent Resistor and
fuse might fail (Z-Diode/VDR might unsolder itself due to heat before fuse reacts).

Other solutions might be necessary than above shown circuit. For Category 4, elements
should be implemented redundantly to guarantee two failure safety.


Examples
Clearances at Relay Output Pins
Due to contact pads it may be difficult to reach 5.5mm for reinforced insulation between
24V and 230V circuits:

It might be necessary to flatten contact pads to reach 5.5 mm!

Safety Relay Modules: User Manual
Contents of User Manual
• Business name and full address of the manufacturer and of his authorized
representative
• Type designation and general description of the device
• General specifications and safety levels
• Drawings, diagrams, descriptions and explanations
• Examples for typical applications
• Warnings about residual risks / how the device shall not be used
• Installation and connection instructions
• Original language manual must be marked as “original version”
• All translations must be marked as “translation”
• Translation of the manual in all official languages of the countries where the product
shall be sold (in European Union) must be provided


Safety Relay Modules: EC Declaration of Conformity
Contents of EC Declaration of Conformity
• Business name and full address of the manufacturer (and authorized representative)
• Name and address of the person authorized to compile the technical file, who must be
established in the (European) Community
• Description and identification of the device
• A sentence expressly declaring that the machinery fullfils all the relevant provisions of
the relevant Directives
• Name, address and identification number of the notified body which carried out the EC
type-examination
• List of harmonized / technical standards which were used
• Place and date of the declaration
• Identity and signature of the person empowered
to draw up the declaration


Safety Relay Modules: UL Certification
Special Requirements/Considerations for UL Certification
• UL Certification: In case of ANY change, the whole certification
process has to be repeated (high costs!)
• Recommendation: EC Type Examination from TÜV Rheinland
should be performed first
• In case of changes: TÜV Rheinland offers the possibility to
perform an influence analysis
• By means of the influence analysis it must be shown that the
changes have no influence on safety (functional safety, electrical
safety, environmental aptitude)


Safety Relay Modules: Summary
Summery of Necessary Steps for Successful Certification
• TÜV Rheinland should already be involved in concept phase
• Concept documents: Safety Plan, V&V-Plan, Safety Requirement Specification (SRS)
• Appropriate Design: 2-channel architecture (if possible),
application of certified relays with focibliy-guided contacts,
2-fault safety by redundancy, etc.
• V&V activities: Functional/Fault Insertion Tests, EMC,
Environmental Tests
• FMEA, Calculation of Safety Relevant Parameters
• User Documentation
• TÜV Rheinland may support you during the whole
certification process!


4 david schepers certification process safety relay modules for machinery applications

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to 4 david schepers certification process safety relay modules for machinery applications

Similar to 4 david schepers certification process safety relay modules for machinery applications (20)

Recently uploaded

Recently uploaded (20)

4 david schepers certification process safety relay modules for machinery applications