
BS EN ISO 13849:2015 splitting up safety functions

Status
Not open for further replies.

tommatwalker (Electrical), Apr 15, 2020
Good afternoon all!

I am wondering if you can help settle a dispute I am having with one of my colleagues. We work in amusement devices and specifically reviewing designs for electrical/control systems.

I am currently doing a design review for a client where they have split up some of their safety functions into separate parts, such as below (not real systems, just representative):
Unintended startup (Part A movement)
Unintended startup (Part B movement)
Unintended startup (Part C movement)

Now the hazards introduced by these different components moving may be different, and the severity of damage may be different as well, coming out at different performance levels.

My opinion is that "Unintended Startup" should be considered as a whole SRP/CS and splitting it up may throw the maths out. Section 6.3 of the aforementioned standard is about combining separate SRP/CS, but it seems to suggest a method of joining them rather than stating that they must be joined to make the maths work.

I was wondering if anyone else on here has had any dealings with this and can shed any light on any other sections of 13849 that may shed more light on this?

Thanks in advance!

Tomm
 

I would say that it depends upon the relationship of these moving parts to each other, and where relevant, this is something that should be addressed in the risk assessment. For example, if stopping Part A but not stopping Part B introduces a foreseeable hazard due to the foreseeable continued motion of Part B, then that is a situation that may warrant countermeasures - such as stopping both together, or if the risk is of a lesser magnitude, addressing it in the information for use.

Is the intent of separating the analysis to actually physically stop the parts of the machine separately (e.g. a stopping function at one part of the machine does not stop another part of the machine), or is the intent to stop everything together but to facilitate less stringent hardware, circuit, and logic designs on lower-risk parts of the machine?

The former should be addressed by an overall risk assessment that extends beyond the analysis of strictly the SRP/CS, and additionally, standards specific to the equipment under discussion may dictate certain courses of action. The latter is completely legitimate (but whether it's worthwhile or not is quite another matter). In the system architectures that I normally deal with in this day and age, the furthest this might ever go would be to use a single contactor instead of double contactors, or not bother with a redundant monitored safety pneumatic valve, for low-risk functions. No one is going to split up the safety PLC and its safety inputs into high-risk and low-risk sections!
 
The intent of separating the circuits is not to stop the different parts of the machine independently, as all parts of the machine would need to be stopped in the same way (according to the category of stop). I believe it is purely to make managing the control circuit calculations simpler for the manufacturer.

In terms of the level of risk, there is potentially scope that Part A moving unexpectedly would create a higher risk than Part B moving unexpectedly (which has been covered by the risk assessment), so that may well be a part of the reasoning for this splitting up as well?

In my opinion, as this SRP/CS has a single set of inputs (2 start buttons) which separates into three separate outputs for parts A, B and C of the machine, then it would need to be considered as a whole?

Thanks for the help!
 
Look at that risk assessment and compare its required countermeasures to the actual control system design. Has the control system design adequately implemented the required countermeasures? Are there foreseeable failure modes that would lead to risks that have not been accounted for? Are there residual risks that can not be fully addressed by technological means, that warrant being addressed in the information for use? Are they so addressed?

Answering that ... is your job as the reviewer!

It's not really enough to just identify that something has been split up in a way that's different than what you would have done as a designer. ISO 13849 is not prescriptive in how to be implemented. It is a performance standard. If the required performance is achieved, that's good. If it isn't, that's not.
 
I agree that 13849 isn't particularly prescriptive. Just wanted to make sure that there wasn't something obvious that I had missed!

I've done the maths both ways and the performance level comes out the same regardless so I'll give them that this time!

Thanks for the assistance.

Tom
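For readers who want to see what "doing the maths both ways" looks like in numbers, here is an added worked example that is not part of the thread and not the poster's real figures. It applies the ISO 13849-1 section 6.3 combination method (PFHd values of subsystems in series add; the PL is read from the total using the Table 3 bands) to the two decompositions discussed above: each part assessed as its own chain (shared inputs and logic plus that part's output subsystem only) versus all three outputs in one chain. All PFHd values, the subsystem names and the function names are constructed for illustration. The example only shows that the two decompositions can land in different PL bands; which decomposition is the right one is the risk-assessment question the replies raise, not something the arithmetic decides.

```python
"""Worked example of the ISO 13849-1 section 6.3 combination arithmetic.

Constructed, illustrative PFHd values only; not a real system and not the
original poster's numbers. PL bands follow ISO 13849-1 Table 3.
"""
import math

# (PL, lower bound inclusive, upper bound exclusive), in dangerous failures per hour.
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]


def pl_from_pfhd(pfhd):
    """Map an average probability of dangerous failure per hour to PL a..e."""
    for pl, lower, upper in PL_BANDS:
        if lower <= pfhd < upper:
            return pl
    return None  # outside Table 3: no PL can be claimed for this value


def combine(subsystems):
    """Series combination per 6.3: PFHd values add, PL is read from the total."""
    total = math.fsum(subsystems.values())
    return total, pl_from_pfhd(total)


def split_vs_whole(shared, outputs):
    """Compare the two ways of doing the maths the thread discusses.

    shared:  PFHd of subsystems common to every part (inputs, logic)
    outputs: PFHd of each part's own output subsystem
    Returns the PL of each part's own chain (shared + that output only) and
    the PL of one chain built from shared + every output.
    """
    per_part = {
        part: combine({**shared, part: pfhd})[1] for part, pfhd in outputs.items()
    }
    whole_total, whole_pl = combine({**shared, **outputs})
    return {"per_part": per_part, "whole": whole_pl, "whole_pfhd": whole_total}


# Constructed values (assumed for illustration): two start buttons feeding a
# safety logic solver, which drives separate output subsystems for A, B and C.
SHARED = {"start_buttons": 2.5e-8, "safety_logic": 1.5e-8}
OUTPUTS = {"part_A": 4.0e-8, "part_B": 5.0e-8, "part_C": 7.0e-8}

if __name__ == "__main__":
    result = split_vs_whole(SHARED, OUTPUTS)
    for part, pl in result["per_part"].items():
        print(f"{part}: PL {pl} when assessed on its own chain")
    print(f"all outputs in one chain: PFHd {result['whole_pfhd']:.1e} -> PL {result['whole']}")
```

With these constructed numbers, parts A and B reach PL e on their own chains while the single chain containing all three outputs sums to 2e-7 and lands in PL d; part C is already PL d either way. Because PFHd values only ever add, the combined chain can never score better than its worst subsystem, so the practical effect of splitting is that low-risk parts are not dragged down by the others, which is exactly the "less stringent hardware on lower-risk parts" case the first reply describes.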
 