The intelligent warehousing system discussed in this paper comprises rail-guided shuttle vehicles, automated storage racks, a conveying system, stacker cranes, lifts, a core logic control unit and a host (supervisory) management system. Given the complexity of the system, it is divided into ten areas according to the sequence and function of its operations. Every operation and every foreseeable misuse is analysed against the international standards EN ISO 13849-1 and EN 62061; the required safety functions are identified from a risk-level matrix, which in turn determines the performance, number and location of the relevant safety components and finally yields the safety hardware architecture.
The Intelligent Logistic System described in this paper was designed for a Swiss company whose plant is located in China. Although the plant is not located in the EU, the client wants its safety to comply with the latest EU requirements. The system consists mainly of a Logistic Storage System and a Rail Guided Vehicle (RGV) System. The Logistic Storage System includes an automatic warehouse (storage rack), a material automatic transportation system (chain conveyors and roller conveyors), stackers, pallet lifts, and the logistic control & management system.
The system is divided into the following areas for risk assessment.
- Area 1, automatic warehouse including 4 stackers in total
- Area 2, buffer zone in front of the warehouse (mainly chain conveyors)
- Area 3, tunnel 1 area including RGV and conveyors
- Area 4, loading, debitage and unloading area
- Area 5, tunnel 1 and tunnel 2 transhipment area (mainly 2 pallet lifts (2 floors), RGV and conveyors)
- Area 6, tunnel 2 area located on the second floor, used for transferring loads by RGV among pallet lifts
- Area 7, unpacking area on the first, second and third floors (mainly two pallet lifts and conveyors)
- Area 8, independent pallet lift area (three in total)
- Area 9, mini loader area (two mini stackers, storage rack, nine load inlets and outlets in total)
 
Machinery safety always starts with risk assessment.
The goal is to minimize the (remaining) risk to a justifiable amount. Before the risk assessment, we had to face several challenges.
First, the whole system is large and complex and needs close cooperation among its subsystems (mainly the areas above).
Second, the risk assessment task involves the cross application of two independent technologies.
Risk assessment is an important tool both when designing a new machine and when assessing the risks of machines already in use. A well thought-out risk assessment helps manufacturers and users of machines to develop user-friendly safety solutions. This minimizes the risk of the safety system being defeated.
The Machinery Directive 2006/42/EC states the following requirement:
“The manufacturer of machinery or his authorized representative must ensure that a risk assessment is carried out in order to determine the health and safety requirements which apply to the machinery. The machinery must then be designed and constructed taking into account the results of the risk assessment.”
Safety is a relative term in the directives and standards.
In fact, it is impossible and unnecessary to implement a so-called ‘zero risk guarantee’ under which nothing can happen under operating conditions. This is why a residual risk is permitted to exist.
After the risk has been identified, a risk evaluation is made as part of an iterative process to achieve the required safety level. In every step, we have to decide whether it is necessary and/or sufficient to reduce the risk. If it is to be further reduced, suitable protective measures shall be selected and applied. The evaluation must then be repeated.
It is clear that adding protective measures as a means of risk reduction reduces the ‘probability of occurrence of harm’ element of the risk. The degree to which the risk is reduced is proportional to the probability of the protective measure performing its function. This ‘reliability’ of the safety function is the basis of functional safety (FS).
Safety measures should be prioritized according to the five steps shown in Figure 1.
It is important that all parts and components involved in implementing the safety-related function fulfil the FS requirements. In our project experience, one or more components are frequently overlooked when the safety architecture is designed, especially those in the “end circuit”.
2 Risk Estimation
Many standards, regulations and other documents describe the relationship between the safety control level and the factors hazard severity, frequency, probability and avoidance. Based on our project experience, and considering that the actual application is not solely machinery, we drew on useful information from the process safety field and compiled Table 1.
The full requirements of the respective standard shall be taken into account. The new standard ISO/IEC 17305 will improve and merge EN ISO 13849 and IEC 62061 in the near future. In Table 2, * stands for “use the next control level”.
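The estimation of Table 1 feeds a class/severity matrix. As an added worked example (not the paper's own decision table, which is not reproduced on this page), the block below computes the class Cl = Fr + Pr + Av from the four Table 1 levels and looks up the required SIL in the matrix of IEC 62061:2005 Table A.6, then maps it to the PLr notation used later in the interlocking matrix; the hazard values in `SAMPLE_HAZARDS` are constructed illustrations, not the paper's assessment.

```python
"""Required SIL from Table 1 levels (IEC 62061:2005 Annex A, Table A.6).

Constructed example; the paper's own decision table is not on this page, so
no claim is made that it matches. SIL -> PLr uses ISO 13849-1 Table 4
(SIL 1 corresponds to PL b or c; PL c is taken here as the safe choice).
"""
SE_LEVELS = {1, 2, 3, 4}        # severity of harm
FR_LEVELS = {2, 3, 4, 5}        # frequency and duration of exposure
PR_LEVELS = {1, 2, 3, 4, 5}     # probability of the hazardous event
AV_LEVELS = {1, 3, 5}           # probability of avoiding or limiting harm

# Class Cl = Fr + Pr + Av, grouped into the bands (columns) of the matrix.
CLASS_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))
# Rows keyed by Se. "OM" = other measures recommended; None = no SRCF needed.
SIL_MATRIX = {
    4: ("SIL2", "SIL2", "SIL2", "SIL3", "SIL3"),
    3: ("OM",   "OM",   "SIL1", "SIL2", "SIL3"),
    2: (None,   None,   "OM",   "SIL1", "SIL2"),
    1: (None,   None,   None,   "OM",   "SIL1"),
}
PLR_FOR_SIL = {"SIL1": "PLc", "SIL2": "PLd", "SIL3": "PLe"}

def hazard_class(fr, pr, av):
    """Cl = Fr + Pr + Av after checking each level is one Table 1 allows."""
    if fr not in FR_LEVELS or pr not in PR_LEVELS or av not in AV_LEVELS:
        raise ValueError("Fr, Pr or Av is not a level of Table 1")
    return fr + pr + av

def required_sil(se, fr, pr, av):
    """Look up the matrix cell for severity `se` and class Cl."""
    if se not in SE_LEVELS:
        raise ValueError("Se must be 1..4")
    cl = hazard_class(fr, pr, av)
    column = next(i for i, (lo, hi) in enumerate(CLASS_BANDS) if lo <= cl <= hi)
    return SIL_MATRIX[se][column]

def required_plr(se, fr, pr, av):
    """Equivalent PLr, as in the 'PLr / SIL' column of the interlocking matrix."""
    return PLR_FOR_SIL.get(required_sil(se, fr, pr, av))

def assess(hazards):
    """Apply the estimation to a list of (name, Se, Fr, Pr, Av) tuples."""
    return {name: (hazard_class(fr, pr, av), required_sil(se, fr, pr, av))
            for name, se, fr, pr, av in hazards}

# Constructed illustration values, not the paper's assessment of these areas.
SAMPLE_HAZARDS = [("person in stacker laneway, Area 1", 3, 5, 3, 3),
                  ("platform entered without safety pin, Area 4", 3, 3, 2, 3)]
```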
3 Safety Control System
3.1 General
To ensure that the control system reaches the required safety level, the related standards (e.g. EN ISO 13849-1, EN 62061) define the following factors:
- Hardware architecture
- Component reliability
- DC (diagnostic coverage)
- CCF (common cause failure)
- Processing
 
One important factor related to FS is component reliability, or failure rate. Normally the component failure rate follows the curve in Figure 2.
Before using an FS standard, we should know which one is more appropriate for the control system; the scope of each shall be clear in mind. Refer to Figure 3.
Based on the actual control technologies, we used EN ISO 13849 and IEC 62061 to design the systems.
The design of the safety control system is planned according to the procedure in Figure 4, and in each step documentation shall be prepared.
3.2 Interlocking
Trapped Key Interlocking Systems
Because the hazardous area is large and there is more than one, the risk that moving parts run unintentionally while an operator has entered one of them shall be assessed. There are many solutions to this hazard; we first recommended to the client the trapped key interlocking system shown in Figure 5, produced by Fortress Interlocks UK.
The concept of trapped key interlocking is based on the principle that a key can only be in one place at one time. However, the client finally selected a LOTO (lockout/tagout) procedure.
www.fortressinterlocks.com
Some of the interlocking functions used are listed in Table 2.
Output devices monitoring
The safety control hardware architecture is category 3 according to the standard definition. One point that is usually ignored by designers is output device monitoring.
For better diagnostics, reliable feedback of the output state is necessary. This is realized by using contactors with “mechanically linked”, positively guided contacts, which are required in feedback circuits for safety applications. Throughout the contactor's life cycle, the NC and NO contacts are never closed simultaneously.
In this system, the client selected AB 100S-F series contactors (Figure 6).
Avoid faults masking
According to the interlocking matrix in Table 2, many interlocking devices are used, and normally they are connected in series to a safety input module. However, such a design has an obvious disadvantage: fault masking (Figure 7). The more interlocking devices are used and the higher their operating frequency, the higher the fault masking and the lower the DC; even if end users perform function checks and/or maintenance regularly every year, the performance level can reach at most PLd, and this depends on safety management (the human factor).
For these reasons, we selected the ABB Eden coded non-contact safety sensor, which is self-checked by its electronics more than once every second and easily reaches PLe. Such a design needs no periodic function checks by the operator.
Table 1. Hazard Severity/Frequency/Probability/Avoidance Classification

| Factor | Level | Category | Criteria |
|---|---|---|---|
| Severity (Se) | 1 | Moderate | Minor injuries with the possibility of time away from work (lost time accident). Reversible adverse health effects. Medical treatment / lost time. |
| | 2 | Major | Major injuries to personnel not resulting in fatality. Irreversible health effects: full or partial disability. |
| | 3 | Critical | Fatality on site (one to three deaths). Major injuries on site (>3) with severe irreversible adverse health effects / permanent damage / full disability / requiring extended periods of hospitalization. Life-changing / major injuries off site. |
| | 4 | Catastrophic | Multiple fatalities (>3) on site or a single off-site fatality. Major injuries to ≥5 on site, or off-site major injury cases resulting in severe irreversible adverse health effects / permanent damage / full disability / requiring extended periods of hospitalization. |
| Frequency and duration of exposure (Fr) | 2 | | >1 year |
| | 3 | | >2 weeks to ≤1 year |
| | 4 | | >24 h to ≤2 weeks |
| | 5 | | >1 h to ≤24 h |
| | 5 | Any time | ≤1 h |
| | | | Note: if the exposure duration is <10 min, select the next lower level. |
| Probability of occurrence of a hazardous event (Pr) | 1 | Negligible (10⁻⁵/y) | Unlikely to happen in the lifetime of the asset or facilities. Rare occurrences in similar facilities internal or external to the company. |
| | 2 | Rarely (10⁻⁴/y) | Unlikely to happen in the lifetime of the asset. Some occurrences noted in similar facilities internal or external to the company. |
| | 3 | Possible (10⁻³/y) | Slight possibility; similar events have occurred within the life of this asset or of similar facilities internal or external to the company. |
| | 4 | Likely (10⁻²/y) | A similar event has occurred, or is likely to occur, within the life of this asset. |
| | 5 | Very high (10⁻¹/y) | Likely to occur once a year, or has probably happened in the last ten years. |
| Probability of avoiding or limiting harm (Av) | 1 | Probable | Considerations for all Av levels: sudden, fast or slow appearance of the hazardous event; spatial possibility to withdraw from the hazard; the nature of the component or system, e.g. electricity is dangerous by nature but not visible; possibility of recognizing the hazard, e.g. high noise prevents a person from hearing a machine start. |
| | 3 | Rarely | (see above) |
| | 5 | Impossible | (see above) |

Table 2. Some interlocking matrix (not listed completely)

| No. | Interlock | Number and position | PLr / SIL | Function | Reset/restore required | Compliant design |
|---|---|---|---|---|---|---|
| 1 | PILZ / PSENmag safety interlocking door | 4 located at the right and 2 located at the side of Area 1 | PLd / SIL2 | Monitor whether there is a person in the laneway area. | Manual reset: yes | Yes |
| 2 | PILZ / PSENmag safety interlocking door, Area 1 | 1, located in the maintenance passage | PLd / SIL2 | Monitor whether there is a person in the passage; interlocked with stackers (STO). | Manual reset: yes | Yes |
| 3 | Leuze / MLC safety light curtain, Area 1 | 4, located in the emergency escape ways | PLd / SIL2 | Monitor whether a person enters the adjacent laneway through the escape way; interlocked with stackers (STO). | Manual reset: yes | Yes |
| 4 | TURCK / BI5-M18-Y1X-H1141 safety pin monitor | 1 on each platform, Areas 4, 7, 8 | PLd / SIL2 | Monitor whether the safety pin is inserted during maintenance, and whether it has been pulled out after maintenance. | No | Yes |
| 5 | Leuze / MLC safety light curtain, Areas 2, 4, 9 | 2, located at the loading & unloading opening | PLd / SIL2 | Monitor whether a person enters the tunnel 1 area through the opening; interlocked with STO (RGV). | Manual reset: yes | Yes |

Safety software
Failures of software are inherently systematic in nature: they are caused by the way the software is conceived, written or compiled. So software failures are mainly caused by the system under which the software is produced, not by the application. However, we do not need to go into the details of the software architecture, e.g. the classic V model.
In actual applications, most programmable safety devices are provided with “certified” function blocks or routines. This simplifies the validation task for the designer and/or end user, but it shall be noted that the completed application program still needs to be validated. The safety blocks used, their linking and their parameterization shall also be proved correct and valid for the intended task.
A Siemens S7-1500 CPU 1511F-1PN and ET200SP fail-safe input/output modules are used in this system.
According to the SIMATIC Configuring and Programming Manual, we prepared Table 3 to verify the final application software.
Table 3. Checklist for the safety program

| No. | Main checklist for safety software |
|---|---|
| 1 | Hardware configuration (F-I/O, CPU, addresses); safety-related parameters of all configured F-I/O |
| 2 | Collective signature (F-blocks & safety program) |
| 3 | Utilized elements of the internal system libraries (from "Instructions" and F-blocks) along with their versions |
| 4 | Information about the F-runtime groups (F-monitoring time, F-monitoring time warning limit, F-blocks and names) |
| 5 | Safety-relevant communication (instructions, addresses, calling block and calling F-runtime group) |
| 6 | Absolute addresses and names of the F-shared DB tags that can be accessed from the standard program |
| 7 | Are all safety functions realized by calling standard (certified) FBs? Is there any safety-related block programmed by the user? |
| 8 | Consistency of the safety program |
| 9 | Completeness of the safety program |
| 10 | Compliance of the F-blocks (name, function, associated F-runtime group, signature) with the notified body (NB) certificate |
| 11 | Correctness of the communication configuration |
| 12 | Validity check for data transfer from the standard program to the safety program |
| 13 | Related safety function test |
The safety control level requires calculations, and a software tool helps to do this in a manageable way. We chose SISTEMA, a software tool developed by BGIA (now called IFA). With SISTEMA it is possible to “build” safety functions, verify them and generate the required technical documentation.
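The SISTEMA calculation above, and the fault-masking argument in section 3.2 (a lower DC drops a two-channel architecture from PLe to PLd), rest on the simplified PL determination of ISO 13849-1. The block below is an added example, not the paper's or SISTEMA's own code: it bands MTTFd and DCavg per Tables 5 and 6, applies Table 7, and checks the result against a PLr; the fallback of a category 4 structure to category 3 when its DC falls below 99 % is an assumption made for illustration.

```python
"""Simplified PL estimation from ISO 13849-1:2015 (Tables 5, 6 and 7).

Constructed example, not the paper's own SISTEMA calculation. Inputs: the
designated architecture (category B, 1, 2, 3, 4), the per-channel MTTFd in
years and the average diagnostic coverage DCavg as a fraction. CCF measures
(>= 65 points) are assumed to be met for categories 2 to 4.
"""
PL_ORDER = "abcde"

def mttfd_band(mttfd_years):
    # Table 5: low 3 y..<10 y, medium 10 y..<30 y, high 30 y..100 y (cat 4: 2500 y)
    if mttfd_years < 3:
        return None                      # below the usable range
    if mttfd_years < 10:
        return "low"
    return "medium" if mttfd_years < 30 else "high"

def dc_band(dc_avg):
    # Table 6: none <60 %, low 60..<90 %, medium 90..<99 %, high >=99 %
    if dc_avg < 0.60:
        return "none"
    if dc_avg < 0.90:
        return "low"
    return "medium" if dc_avg < 0.99 else "high"

# Table 7: (category, DCavg band) -> PL for MTTFd (low, medium, high);
# None marks combinations the standard does not allow.
PL_TABLE = {
    ("B", "none"): ("a", "b", "c"),  ("1", "none"): (None, None, "c"),
    ("2", "low"): ("a", "b", "c"),   ("2", "medium"): ("b", "c", "d"),
    ("3", "low"): ("b", "c", "d"),   ("3", "medium"): ("c", "d", "d"),
    ("4", "high"): (None, None, "e"),
}

def achieved_pl(category, mttfd_years, dc_avg):
    """Return the PL reached, or None if the combination is not allowed."""
    m, d = mttfd_band(mttfd_years), dc_band(dc_avg)
    if m is None:
        return None
    # Fault masking lowers DCavg; a cat 4 structure whose DC has dropped below
    # 99 % is assessed here as cat 3 (assumption: still two channels + monitoring).
    if category == "4" and d in ("low", "medium"):
        category = "3"
    # Cat 2/3 with DC >= 99 % is rated with the DC medium row (no higher row exists).
    if category in ("2", "3") and d == "high":
        d = "medium"
    row = PL_TABLE.get((category, d))
    return None if row is None else row[("low", "medium", "high").index(m)]

def meets_plr(achieved, plr):
    """True when the achieved PL is at least the required PL (PLr)."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)
```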
5 Summary
In the past, the focus was on productivity and efficiency, and safety was disregarded. This led to increased injuries and risks. Today most manufacturers and end users consider safety as important as productivity. We use safety-related devices, implement the directives & standards, and adopt better diagnostics.
In the near future, integrated and intelligent safety control systems will obviously be used, especially in Industry 4.0. More advanced control algorithms and sensors will be widely used in robots, AGVs/RGVs and other automatic equipment. Safety devices will be configurable and programmable over a safety network. In general, future safety will be transparent for designer and user.
6 References
[1] Directive 2006/42/EC of the European Parliament and of the Council on machinery (Machinery Directive)
[2] EN ISO 12100:2010 Safety of machinery — General principles for design — Risk assessment and risk reduction (ISO 12100:2010)
[3] EN ISO 13849-1:2015 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design (ISO 13849-1:2015)
[4] EN 62061:2005 Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems (IEC 62061:2005)
[5] Fortress Interlocks, www.fortressinterlocks.com
[6] ISO/TR 24119 Safety of machinery — Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts
[7] SIMATIC Industrial Software — Configuring and Programming Manual, 03/2007
[8] Siemens Safety Integrated — Navigating Standards for Safety-Related Parts of Control Systems
[9] Directive 2014/34/EU of the European Parliament and of the Council on the approximation of the laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres
[10] EN 1127-1:2011 Explosive atmospheres — Explosion prevention and protection — Part 1: Basic concepts and methodology
[11] EN 13463-1:2009 Non-electrical equipment for use in potentially explosive atmospheres — Part 1: Basic method and requirements
[12] CLC/TR 50404:2003 Electrostatics — Code of practice for the avoidance of hazards due to static electricity
[13] IEC 61882:2016 Hazard and operability studies (HAZOP studies) — Application guide