SISTEMA - little guidance

rQx

Hi,

Need a little bit of guidance using SISTEMA software. As I understand it, a subsystem consists of components of the same category. I'm confused because when I build a system in Safety Automation Builder from Rockwell it just enters all components as subsystems, which I think is wrong.

So if I have Inputs, Logic and Output all being PLc.

The Logic (safety relay) is an encapsulated safety system and is therefore a separate subsystem. All input and output in this case is PLc and can be grouped into a subsystem.

Is this a correct statement?

I'm also a little bit unsure about whether I need to have all interlocks represented. They are activated all at the same time so I think I have to; if they wouldn't operate at the same time I could have them as "one" just like the e-stop? It fulfills my PLr so it's not a problem, but it would be nice to have it the right way.

Sistema.PNG
 
rQx, it's impossible to say what's the "right" way without seeing your SRS. I'm curious as to why you have two contactors for a single channel SF.

Like programming, there's multiple ways to skin a cat. I generally give each component type its own subsystem. Makes copy/pasting between SFs easier for different projects. The relay is "Logic" and given its own SB. I would continue that through your other components.
Ex. your E-stop PB is a SB. It's "Input" and could be single or dual channel (looks like the former in your case).

Here is a Siemens example which demonstrates subsystem blocks in an SF.

Concerning your interlock switches: you'll know if you need them all there based on the hazard analysis and SRS. Are all three on the same access point to the hazard, or represent three different access points? If the latter, then each access point might be considered its own SF, and you need only include one switch.
 
rQx, it's impossible to say what's the "right" way without seeing your SRS. I'm curious as to why you have two contactors for a single channel SF.
In this case it's because I'm not sure when to use the electrical block or the mechanical block?

Like programming, there's multiple ways to skin a cat. I generally give each component type its own subsystem. Makes copy/pasting between SFs easier for different projects.
From what I interpret from the manuals and examples, you should keep the same category in its own subsystem (SB). If you have them divided into separate SBs, you get a very unfavorable result when adding the subsystems with regard to the PL. For example, you can have a maximum of 2 PLc SBs; if you have 3 PLc SBs you get downgraded to PLb for the SF.

Here is a Siemens example which demonstrates subsystem blocks in an SF.
This is not an example using SISTEMA and PL, it's an example using SIL. A different standard.


-------------------------------------------------

I have attached a wiring and the block diagram. As there are three interlocks on the one lid I think I can reduce this to one block. I'm unsure if I should group the input and output in one subsystem; they are the same category but are not physically wired as one system.

In the examples from IFA report 2/2017 they use only one subsystem in a safety circuit that doesn't contain a safety relay. But then everything is wired in "series". If they use an encapsulated system like a safety relay, they group the input and output separately. So I have done a slightly different grouping now (and am still unsure about the output contactor).

NS wiring.PNG category.PNG SISTEMA.PNG
 
In this case it's because I'm not sure when to use the electrical block or the mechanical block?
The difference is whether there will be load on the contactor when it's de-energized. That is, does your machine have a locked access point which can only be unlocked when the machine is stopped (and the machine can be made safe by opening the contactor)? Then the contactor will open when the machine is not running, i.e. no load. Or, can the access point be opened while the machine is running, and the contactor will open while there's a load present? In the latter case, the life of the contactor is shorter and the fraction of dangerous failures increases, due to arcing.

From what I interpret from the manuals and examples, you should keep the same category in its own subsystem (SB). If you have them divided into separate SBs, you get a very unfavorable result when adding the subsystems with regard to the PL. For example, you can have a maximum of 2 PLc SBs; if you have 3 PLc SBs you get downgraded to PLb for the SF.
Are you referring to 13849-1 Table 11 Calculation of PL for series alignment of SRP/CS? Notice the explanation of that method above the table, where it states:
"If the PFHd values of all individual SRP/CSi are not known, then as a worst case alternative... the PL... may be calculated using Table 11..."
That's a shortcut for determining PL. Since you're using SISTEMA, you definitely have values for your subsystems and need not (should not) use that table.

This is not an example using SISTEMA and PL, it's an example using SIL. A different standard.
PL and SIL are very similar and interchangeable. See 13849-1 Table 3. But point taken, sorry for the bad example. The takeaway is both standards sum subsystem PFH to determine the achieved safety.

As there are three interlocks on the one lid I think I can reduce this to one block.
If any one interlock is triggered, does the machine need to stop? Put another way, if any one interlock fails dangerously (maybe a corner of the lid is opened while the other corners/switches aren't triggered) can someone access the hazard? If yes to either, I think you have to keep all three, since they are series mitigations to a single hazard.

I'm unsure if I should group the input and output in one subsystem; they are the same category but are not physically wired as one system.
Since you're single channel Category 1, it doesn't make a difference mathematically. SISTEMA will sum the components' PFH and determine PL. The subsystem architecture comes into play with dual channel circuits, where the channels are not symmetrical (see 13849-1 Annex I).
 
The difference is whether there will be load on the contactor when it's de-energized. That is, does your machine have a locked access point which can only be unlocked when the machine is stopped (and the machine can be made safe by opening the contactor)? Then the contactor will open when the machine is not running, i.e. no load. Or, can the access point be opened while the machine is running, and the contactor will open while there's a load present? In the latter case, the life of the contactor is shorter and the fraction of dangerous failures increases, due to arcing.
Thanks for this explanation, then the electrical one is the one to choose.


Are you referring to 13849-1 Table 11 Calculation of PL for series alignment of SRP/CS? Notice the explanation of that method above the table, where it states:
"If the PFHd values of all individual SRP/CSi are not known, then as a worst case alternative... the PL... may be calculated using Table 11..."
That's a shortcut for determining PL. Since you're using SISTEMA, you definitely have values for your subsystems and need not (should not) use that table.
Yes, but category 1 (PLc) is always PFHd 1,1E-6, so when you have three category 1 subsystems you get a higher value than the accepted 3,0E-6 PFHd required for PLc. So the different methods are similar. Try to put in three category 1 subsystems and you will see SISTEMA changes it for you to PLb for the SF. This is why I want to really get to the bottom of whether I have interpreted SISTEMA correctly, in that I can have several blocks in one subsystem as I have in my example.

If any one interlock is triggered, does the machine need to stop? Put another way, if any one interlock fails dangerously (maybe a corner of the lid is opened while the other corners/switches aren't triggered) can someone access the hazard? If yes to either, I think you have to keep all three, since they are series mitigations to a single hazard.
Good point, thanks!


Since you're single channel Category 1, it doesn't make a difference mathematically. SISTEMA will sum the components' PFH and determine PL. The subsystem architecture comes into play with dual channel circuits, where the channels are not symmetrical (see 13849-1 Annex I).
But it does (as I stated above): you can only have two category 1 subsystems for a SF to reach PLc. That's why I think that you should group the categories in subsystems with regard also to the physical wiring.

--------------------

If you look at the IFA cookbook for SISTEMA, they say that a subsystem is:

a) Group of blocks within a rigid structure (Category)
or
b) Safety component with statement by the manufacturer of the PL, PFH and Category (encapsulated subsystem)

I also interpret the IFA report 2/2017 to go this way as well. They have many examples where they have added many blocks (sensors etc.) in one subsystem.
 
Why? The contactor and interlock switch have different B10d values, therefore their MTTFd values will be different.

Maybe always is a strong word, but the MTTFd is capped to 100 years in SISTEMA. And since my MTTFd is higher I guess that the PFHd value of 1,6e-6 is the lowest I can get on a category 1 system. And summing three subsystems of category 1 will result in a PLb rating.

Do a test for yourself and you will see 😊
 
MTTFd is capped at 100 years per channel. See 13849-1 4.5.2. Individual components are not limited and can be thousands of years. Only once the channel MTTFd is calculated is the limitation applied. See 13849-1 Annex I for an example.
So for single channel architecture, your overall channel MTTFd is capped at 100 years.
 
That said, it does look like SISTEMA limits each SB MTTFd to 100 years, and therefore the PFHd as well, since we're only cat 1. I hadn't noticed that behavior. I generally review two channel Category 3/4 systems where the MTTFd limitation isn't as critical. Learn something every day.

In that case, separating them as you have with Input, Relay, and Output SBs matches the IFA report and SISTEMA cookbook 6.
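The arithmetic behind this exchange, as an added example that is not part of the original posts and is not SISTEMA's or the IFA's own code. It assumes the simplified ISO 13849-1 relations: the Annex C conversion from B10d to MTTFd, the 100-year channel cap from 4.5.2, the Category B/1 approximation PFHd ≈ 1/MTTFd, the Table 3 PFHd bands and the Table 11 series shortcut. The B10d values, the duty profile and the relay PFHd are constructed for illustration and are not datasheet data.

```python
# Added example, not from the thread: the ISO 13849-1 arithmetic behind the
# claim that three Category 1 (PLc) subsystems in series give PLb, and why
# grouping blocks into one subsystem changes the summed PFHd once the
# 100-year MTTFd cap is applied per subsystem. All component values below
# are constructed for illustration, not datasheet data.
HOURS_PER_YEAR = 8760
MTTFD_CAP_YEARS = 100  # ISO 13849-1 4.5.2: channel MTTFd is limited to 100 years

# ISO 13849-1 Table 3: PL -> [lower, upper) band of PFHd in 1/h
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]


def mttfd_from_b10d(b10d, d_op, h_op, t_cycle_s):
    """Annex C: MTTFd [years] = B10d / (0.1 * nop), nop = d_op * h_op * 3600 / t_cycle."""
    nop = d_op * h_op * 3600.0 / t_cycle_s
    return b10d / (0.1 * nop)


def channel_mttfd(component_mttfds):
    """Parts-count method: 1/MTTFd_ch = sum(1/MTTFd_i), then the 100-year cap."""
    total = 1.0 / sum(1.0 / m for m in component_mttfds)
    return min(total, MTTFD_CAP_YEARS)


def cat1_pfhd(mttfd_years):
    """Category B/1 (single channel, no diagnostics): PFHd ~= 1 / MTTFd per hour."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def pl_from_pfhd(pfhd):
    """Map a PFHd value onto a PL using the Table 3 bands (None if outside all)."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def sf_pl(subsystem_pfhds):
    """PL of a safety function: sum the subsystems' PFHd, then look up Table 3."""
    return pl_from_pfhd(sum(subsystem_pfhds))


def table11_pl(subsystem_pls):
    """Table 11 shortcut, only for when subsystem PFHd values are unknown."""
    order = "abcde"
    low = min(subsystem_pls, key=order.index)
    n_low = subsystem_pls.count(low)
    limit = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}[low]
    if n_low <= limit:
        return low
    idx = order.index(low) - 1
    return order[idx] if idx >= 0 else None  # PL a with N_low > 3: not allowed


def grouping_comparison():
    """Constructed single-channel Cat 1 chain: interlock -> safety relay -> contactor."""
    # Constructed B10d values and a 1 operation/hour, 24/7 duty profile.
    interlock = mttfd_from_b10d(2_000_000, 365, 24, 3600)   # ~2283 years
    contactor = mttfd_from_b10d(1_300_000, 365, 24, 3600)   # ~1484 years
    relay_pfhd = 5e-9  # constructed value for an encapsulated (manufacturer-rated) subsystem

    # Grouping A: interlock and contactor as two separate Cat 1 subsystems,
    # each capped at 100 years before its PFHd is derived.
    separate = [cat1_pfhd(channel_mttfd([interlock])),
                relay_pfhd,
                cat1_pfhd(channel_mttfd([contactor]))]

    # Grouping B: interlock and contactor as blocks of one Cat 1 subsystem,
    # so the 100-year cap applies once to the combined channel.
    grouped = [cat1_pfhd(channel_mttfd([interlock, contactor])), relay_pfhd]

    return {"separate": (sum(separate), sf_pl(separate)),
            "grouped": (sum(grouped), sf_pl(grouped))}


if __name__ == "__main__":
    one = cat1_pfhd(MTTFD_CAP_YEARS)
    print("one capped Cat 1 subsystem:", one, sf_pl([one]))
    print("two in series:", sf_pl([one] * 2), "three in series:", sf_pl([one] * 3))
    print("Table 11 shortcut, three PLc subsystems:", table11_pl(["c", "c", "c"]))
    print("grouping comparison:", grouping_comparison())
```

Running it reproduces the point made in the thread: a capped Category 1 subsystem lands at about 1,14E-6 per hour (PLc), two in series still sum below 3,0E-6 (PLc), three sum above it (PLb), and the Table 11 shortcut gives the same downgrade. The grouping comparison shows that putting the interlock and contactor into one subsystem halves their contribution, because the cap is applied once to the combined channel rather than once per subsystem.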
 
That said, it does look like SISTEMA limits each SB MTTFd to 100 years, and therefore the PFHd as well, since we're only cat 1. I hadn't noticed that behavior. I generally review two channel Category 3/4 systems where the MTTFd limitation isn't as critical. Learn something every day.

In that case, separating them as you have with Input, Relay, and Output SBs matches the IFA report and SISTEMA cookbook 6.

Thanks a lot for your responses and guidance (y)
 
One more thing came to my mind.

If I add for example an Allen Bradley MSR127 safety relay it's added as an encapsulated subsystem, giving PLe and a very low PFHd along with it. If I use the safety relay as a PLc one channel circuit as described in the manual for the MSR127, is it correct for it to still be PLe as a subsystem?
 
Yes, its reliability isn't diminished by using it in a lower category. It just won't be the weak link in the chain, and the overall rating is limited by your final architecture.
 
