

Practical Implementation of an MPS System using IEC 61508 as the Framework

Drummond Davidson

IEC 61508 Safety Lifecycle: Flowchart Key Points

MPS Systems & Safety PLC
Safety System Architecture & SafetyBUS
Work Through the Safety Lifecycle:
1. Concept
3. Risk Assessment
5. Safety Requirements Allocation
8. Overall Installation & Commissioning Planning
9. E/E/PES Safety Related Systems
12. Installation & Commissioning
15. Modifications & Retrofit


IEC 61508

Overall Safety Lifecycle

EN 61508 Key Points

- Section 3 Risk Assessment: performed by Production Staff to establish non-trivial hazards
- Section 5 Safety Requirement Allocation: written by the Mill Engineer to mitigate against these
- Section 9 Safety Related Systems Realisation: produced by the Supplier, detailing how the above is to be met
- Section 15 Mods and Retrofits: to solve any production problems the SRS has introduced
- The whole process is FULLY documented in a controlled manner
- Accountability & Documentation at every stage of the process

MPS Systems

- Systems designed and developed to meet Making Paper Safely (MPS) guidelines
- Non-complex safety systems are designed to EN 954
- Complex safety systems are designed to IEC 61508
- Being supplemented by IEC 62061

Safety PLC

- Large or complex machines need complex Safety Control Systems
- Guard interlocking, zoning & discrete control stations make a hard-wired approach unwieldy, potentially unreliable & inflexible
- Adaptability is required for setting or maintenance functions & unforeseen issues whilst developing the system
- Programmable devices solve these problems
- Standard PLCs are single channel/processor devices, so they introduce single point failures and may not fail safe or self-check
- This particular application used the Pilz PSS 3000 Safety PLC
- Inspired by the petrochemical industry, where 3 entirely different PLCs were used to control critical processes

Three Channel PSS (block diagram)

I/p register 1 | I/p register 2 | I/p register 3
Processor A    | Processor B    | Processor C
O/p register 1 | O/p register 2 | O/p register 3
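An added model (not from the presentation and not Pilz's implementation) of why the single-channel point above matters, using the dual-channel inputs named later in the commissioning checks. The comparison rule between the three processors is an assumption, since the slides do not state the PSS 3000's actual voting scheme.

```python
from dataclasses import dataclass
from typing import Callable, Sequence, Tuple

@dataclass(frozen=True)
class Inputs:
    # Dual-channel field inputs named as in the commissioning check list
    # (True = contact closed, i.e. healthy and not demanding a stop).
    coast_stop_ch1: bool
    coast_stop_ch2: bool
    access_key_a_ch1: bool
    access_key_a_ch2: bool

def safety_logic(i: Inputs) -> bool:
    """Run-enable decision for one processor. Both channels of each input must
    be closed; a Ch.1/Ch.2 discrepancy (open wire, welded contact) counts as a
    stop demand, so a single input-wiring fault cannot hold the section running."""
    return (i.coast_stop_ch1 and i.coast_stop_ch2
            and i.access_key_a_ch1 and i.access_key_a_ch2)

Processor = Callable[[Inputs], bool]

def stuck_at(value: bool) -> Processor:
    """Fault model (constructed): a processor whose output is frozen."""
    return lambda _i: value

def single_channel_plc(i: Inputs, proc: Processor = safety_logic) -> bool:
    """Standard PLC: one processor drives the output and nothing cross-checks it."""
    return proc(i)

def three_channel_pss(i: Inputs,
                      procs: Sequence[Processor] = (safety_logic,) * 3) -> Tuple[bool, bool]:
    """Three-channel model: each processor works from its own copy of the input
    register and produces its own output. Assumed comparison rule (not stated on
    the slides): the run-enable output is energised only when all three agree on
    'run'; any disagreement is flagged as a channel fault and forces the safe,
    de-energised state. Returns (run_enable, channel_fault)."""
    results = [p(i) for p in procs]
    channel_fault = len(set(results)) > 1
    run_enable = all(results) and not channel_fault
    return run_enable, channel_fault

# Constructed input snapshots
HEALTHY = Inputs(True, True, True, True)
COAST_STOP_PRESSED = Inputs(False, False, True, True)
KEY_A_WIRE_BREAK = Inputs(True, True, True, False)   # only one channel open
```

With a processor stuck high, the single-channel PLC keeps the section enabled through a coast-stop demand, while the three-channel model de-energises and reports the faulty channel.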


System Architecture

- Open system developed by Pilz in 2000
- Based on the proven CANbus system
- Suitable for Safety Systems to SIL 4
- Manages communications failures / failsafe
- Open to other safety component manufacturers
- Cable runs up to 3.5 km

1. Concept

Notes from the initial meeting, then formal drawings, then more formal drawings & documents:
- Detailing the equipment to be considered
- Documenting the outline proposals

3. Risk Assessment

Written by the Mill Production Engineers

5. Safety Requirements Allocation

- The responsibility of the Mill Engineer to define
- Outlines the Functional Requirements of the Safety System
- The Safety Related Control System needs to be designed to satisfy ALL aspects of this document

9. Safety Related Systems: E/E/PES (Realisation)

The following slide is the contents and document history for the Functional Safety Requirements Specification. The complete document is available for viewing.

Functional Safety Requirements
SS DSS2 Description: 9.1 B9 MPS Phase 3

Issued by: D D Davidson .... signed .... print 03/10/02 date
Checked by: .... signed .... print // date
Authorised by: .... signed .... print // date
Issue Number: 3

Contents:
1. Contents.
2. Document History.
3. Introduction.
4. Hazard Analysis and Risk Assessment.
5. Safety System Description.
6. Safety Functions.
7. Common Safety Controls.
8. Dryer 1 Guard Interlocking.
9. Dryer 2 Guard Interlocking.
10. Dryer 3 Guard Interlocking.
11. Dryer 4 Guard Interlocking.
12. Size Press Guard Interlocking.
13. Dryer 6 (After Dryer) Guard Interlocking.

2. Document History.
25th July 2002 : Issue 1 : Original Functional Safety Requirements Specification, incorporating the Main PLC panel and the Remote I/O panel for Dryer 1.
6th August 2002 : Issue 2 : Remote I/O panels for Dryers 2 & 3 added.
3rd October 2002 : Issue 3 : Remote I/O panels for Dryers 4 & 6 and Size Press added.

8. Overall Installation and Commissioning Planning

Overall Installation & Commissioning Planning
SS DSS2 Description: B9 MPS Phase 3

Issued by: Malcolm Nobbs .... signed .... print 13/11/02 date
Checked by: John Green .... signed .... print 13/11/02 date

Installation Schedule
10/12/02 @ 2:00pm CSL will arrive on-site to overview the progress of the prerequisites for installation.
11/12/02 @ 6:00am DPS & CSL will start work to finalise the wiring for the three sub panels, speed signal connections to the Main PLC analogue input terminals, modifications to the three respective drive cubicles including their DM900 panels and modifications to the relevant sections of the Master Relay Panel.
11/12/02 @ 10:00am DPS &/or CSL will have finished the wiring for Dryer 4, Size Press and Dryer 6 remote I/O panels within the ex-D5 cubicle and also the modifications within Dryer 4 and Size Press drive cubicles.
11/12/02 @ 11:00am DPS &/or CSL will have finished the terminations in the Main Safety p.l.c panel and the modifications to the relevant sections of the Master Relay Panel.
11/12/02 @ 13:00pm DPS &/or CSL will finish the wiring in the Size Press cubicle.

Personnel & Responsibility
A.N Other - The Customer - Safety
Paul Baran - DPS - Installation
D Davidson - CSL - Installation, Overall supervision
Malcolm Nobbs - CSL - Installation
Peter Turner - CSL - Installation

Installation Procedure
Three additional MPS safety remote I/O panels will be mounted in an emptied drive cubicle and interconnected to the relevant drive cubicles and the Master Relay Panel. Modifications will be carried out to the existing drive and Master Relay Panel as per drawings and instructions issued by CSL. Additional speed monitoring signals will be connected to a second analogue input card being added to the main p.l.c. Prestart signals for the three new m/c sections will be connected at the main p.l.c. cubicle. The safety bus will be extended to the three new I/O panels.


Pre-requisites for Installation
All cables, as per harness schedules, should be distributed under the drive suite before panels are fitted. All three new remote I/O panels are due for mounting in the same ex-Dryer 5 cubicle. This is isolated from all mains and control voltage supplies and should now be emptied of all existing equipment. This means it is possible to safely mount these three panels and terminate interconnecting wiring prior to the shut, dependent on site conditions. One panel is already on site (Dryer 4); the remaining two will be delivered on completion of testing.

Personnel & Responsibility
D Davidson - CSL - Commissioning, Final Handover
Peter Hockley - CSL - Commissioning, Software Modifications
John Green - CSL - Commissioning, Software Modifications, Final Handover
Malcolm Nobbs - CSL - Commissioning, Software Modifications
E. Engineer - The Customer - Safety, Final Handover
Paul Baran - DPS - Commissioning
Peter Turner - CSL - Commissioning

Commissioning Procedure
See document: Commissioning Schedule
11/12/02 @ 11:00am CSL will arrive on-site and begin wiring checks on the three remote I/O panels, the Main PLC and the field wiring. Once the modifications have been completed by DPS &/or CSL on the existing drive cubicles and Master Relay Panel, CSL will then carry out wiring checks on these.
11/12/02 @ 2:00pm CSL will power up the Main PLC.
11/12/02 @ 2:00pm CSL will power up the first two available remote I/O panels; emphasis will be placed on commissioning the logic functions of the MPS system. The speed monitoring function will be commissioned last as this can be commissioned at a later date should time run out.
11/12/02 @ 3:00pm CSL will power up the third remote I/O panel; emphasis will be placed on commissioning the logic functions of the MPS system. The speed monitoring function will be commissioned last as this can be commissioned at a later date should time run out.
11/12/02 @ 7:00pm CSL will finish commissioning the first two available drives.
11/12/02 @ 8:00pm CSL will finish commissioning the third drive.

Commissioning documents referenced:
12/61508-1:7.13 Main Panel
12/61508-1:7.13 Dryer 3
12/61508-1:7.13 Dryer 4
12/61508-1:7.13 Size Press
12/61508-1:7.13 Dryer 6

12. Overall Installation & Commissioning

Only a selection of pages shown to illustrate:
Responsibility and Accountability

Overall Installation & Commissioning
SS DSS2 Description: B9 Phase 1 Dryer 1

Issued by: .... signed .......... print // date
Checked by: .... signed .......... print // date

Installation Activities
Table 1 : Checks prior to power-up
TEST
- Check PLC panel installation.
- Check PLC panel earthing arrangements.
- Check supply wiring.
- Check safety bus connectors wired correctly.
- Check wiring of speed signal from F/V to main PLC panel.
- Check wiring of speed signal from DCVT to main PLC panel.
- Check wiring of safety outputs from safety panel into existing circuit as per drawings.
- Check modifications to existing circuit as per drawings.
- Change firmware in DM900. Record firmware version. 1.02__
- Record DM900 S/N.

Installation Completed
Completed by: .... signed .......... print // date
Checked by: .... signed .......... print // date

Commissioning Completed
Completed by: .... signed .......... print // date
Checked by: .... signed .......... print // date


Installation Failures & Incompatibilities


Commissioning Activities
Table 1 : Checks after panel switched on
TEST / Complete
- Check 110V supply voltage. Record value. 113.5 V
- Check 24V supply from PSU1. Record value. 24.2 V
- Check safety bus module node address switches set correctly (shown on circuit drawings).
- Check wiring to the following:
  Coast Stop PB
  1st Dryer Access Key A switch contacts
  1st Dryer Access Key A solenoid
  1st/2nd Dryer Access Key B switch contacts
  1st/2nd Dryer Access Key B solenoid
  1st Dryer Access Key A Release PB
  1st/2nd Dryer Access Key B Release PB
  Inch Forward PB
  Inch Reverse PB
  Main Contactor N/O Feedback circuit
  Main Contactor N/C Feedback circuit
  Crawl Relay (CR)
  Run Relay (RR)
- Check wiring of Inch Forward and Inch Reverse buttons into DM900 inputs.
- Check DCVT circuit wiring.
- Check safety bus modules SM1 and SM2 are active on safety bus.
- Inhibit drive operation and check inputs to safety modules:
  SM1-I0 : Coast Stop PB Ch.1
  SM1-I1 : Coast Stop PB Ch.2
  SM1-I2 : 1st Dryer Access Key A Ch.1
  SM1-I3 : 1st Dryer Access Key A Ch.2
  SM1-I4 : 1st/2nd Dryer Access Key B Ch.1
  SM1-I5 : 1st/2nd Dryer Access Key B Ch.2
  SM2-I1 : Inch Forward PB Ch.1
  SM2-I2 : Inch Forward PB Ch.2
  SM2-I3 : Inch Reverse PB Ch.1
  SM2-I4 : Inch Reverse PB Ch.2
  SM2-I5 : Main Contactor N/O Feedback
  SM2-I6 : Main Contactor N/C Feedback

15. Overall Modification & Retrofit

Overall Modification and Retrofit
SS DSS2 Description: 15/61508-1:7.16 B9 MPS Phase 3 030422

Requested by: T. Customer .... signed .... print 15/04/03 date
Authorised by: Comp Engineer .... signed .... print 16/04/03 date
Completed by: John Green .... signed .... print // date
Checked by: Peter Hockley .... signed .... print // date

Proposed Change
Increase the initial overshoot threshold on all dryer sections from 20m/min approx to 25m/min approx, and also increase the crawl trip threshold from 17.3m/min approx to 20m/min approx. Increase the speed mismatch threshold of the size press from 1.5V to 3V.

Reason for Change
Operators are trying to run blockages through the dryer sections via the inch and crawl facility. The blockages are causing an increased starting load that is resulting in the drives over-compensating and thus exceeding the normal 20m/min overshoot threshold. The follow-on crawl threshold has also been increased to accommodate the longer starting time in these situations. When the size press is not required it is run with the nips open and the drive running; however, the paper sheet is still running around the top roll and is therefore pulling the top roll round at an increased speed.

Impact on Existing System
The proposed software modification will be made by CSL but will be installed by The Customer. The modification will be made to the latest software installed in the B9 machine and no logic functions will be altered.

Personnel & Responsibility
John Green - CSL - Programming
A.N Engineer - The Customer - Installation, Commissioning

Validation & Testing to be Carried Out
No testing is required to prove the proposed modifications. However, at the present time there is a data logging system attached to the B9 machine; this data logging system should remain in place as the operating characteristics are still unknown for the B9 machine.
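An added example (not from the presentation and not CSL's B9 software) of the change above as data rather than logic: a speed monitor that trips on the overshoot limit during the start window and on the crawl limit afterwards, run with the as-installed and post-change values from the record against constructed traces. The start-window length and the traces are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class SpeedThresholds:
    overshoot_mpm: float          # limit during the initial start window (m/min)
    crawl_trip_mpm: float         # follow-on limit once the section is crawling (m/min)
    size_press_mismatch_v: float  # max difference between the two size press speed signals (V)

AS_INSTALLED = SpeedThresholds(20.0, 17.3, 1.5)   # values before the change
AFTER_CHANGE = SpeedThresholds(25.0, 20.0, 3.0)   # values requested in the modification record

START_WINDOW_S = 2.0  # assumed length of the initial start window; not given in the record

def dryer_speed_trip(samples: Sequence[Tuple[float, float]],
                     th: SpeedThresholds) -> Tuple[bool, Optional[float]]:
    """samples: (seconds since the inch/crawl command, section speed in m/min).
    The overshoot limit applies inside the start window, the crawl limit after it.
    Returns (tripped, time_of_trip). The code path is identical for both threshold
    sets; only the numbers differ, which is what 'no logic functions altered' means."""
    for t, speed in samples:
        limit = th.overshoot_mpm if t < START_WINDOW_S else th.crawl_trip_mpm
        if speed > limit:
            return True, t
    return False, None

def size_press_mismatch_trip(signal_a_v: float, signal_b_v: float,
                             th: SpeedThresholds) -> bool:
    """Trip when the two size press speed signals differ by more than the threshold."""
    return abs(signal_a_v - signal_b_v) > th.size_press_mismatch_v

# Constructed traces, not logged data from the B9 machine
NORMAL_START = [(0.0, 0.0), (0.5, 9.0), (1.0, 16.0), (1.5, 15.5), (2.5, 14.0), (4.0, 14.0)]
BLOCKAGE_START = [(0.0, 0.0), (0.5, 12.0), (1.0, 22.5), (1.5, 19.0), (2.5, 18.5), (4.0, 15.0)]
```

Keeping the trip function unchanged and varying only the threshold record is what lets the data logger mentioned above confirm, after the fact, whether the new values still catch genuine over-speed.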

- Used EN 61508 Overall Safety Lifecycle as the framework for the process
- Close liaison with Mill Engineers essential
- Supplier flexibility required throughout the process to deal with production issues
- Whole process fully documented
- Each stage signed off by those responsible and accountable

Thank You
Drummond Davidson
Masterpower Electronics Ltd, Moulton Park Business Centre, Red House Road, Moulton Park, Northampton, Northamptonshire NN3 6AQ

Tel: 01604 497 534 E-mail:
