Presentation Transcript

The MELSEC QS Safety PLC & CC-Link Safety Network : 

Presentation to [Insert customer name/logo here]

Overview : 

What this document covers:
- Background on safety
- Product features & benefits
- Conclusions

Part 1: Background on Safety : 


Safety standards : 

- Multiple standards exist to govern the safe design & operation of machines
- The QS & CC-Link Safety are certified to:
  - IEC 61508 SIL 3
  - EN 954 Category 4
- These are the accepted industry standards for safety control systems

What do the standards relate to? : 

- IEC 61508: in general, defines the required level of reliability
- EN 954: defines how a system should be designed in order to be safe

Overview of IEC 61508 : 

- Standard of the International Electrotechnical Commission, Geneva, Switzerland
- Titled “Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems”
- Functional safety is defined by the IEC as “part of the overall safety that depends on a system or equipment operating correctly in response to its inputs”

What does that mean? : 

- The QS has been designed in such a way that it is unlikely to fail as a result of its design or components
- The likelihood of a failure still exists, but is very small
- How small that likelihood may be is quantified by Safety Integrity Levels (SIL)

But… : 

- IEC 61508 certification covers the QS itself: it says the controller’s design is fit for safety use
- It does not certify the application program running on the controller
- There are no standards for “safe” programming, other than to use certified function blocks
- Even then, the overall program still needs to be certified
- Once a system is designed, programmed and commissioned, it still usually requires a third-party review to ensure it is safe
- This is a legal requirement in Canada

Safety Integrity Levels : 

- SILs are defined by IEC 61508 as a way to determine how likely a system is to fail when needed
  - Probability of Failure on Demand (PFD): low demand operation
  - Probability of dangerous Failure per Hour (PFH): high demand operation
- SIL 1 is the lowest, SIL 4 the highest
- QS is certified to SIL 3, the usual certification level for safety PLCs on the market

SIL 3 : 

SIL 3 requirements for low demand operation, where PFD applies:
- “Low demand” is defined as a demand on the safety function no more than once per year
- 10^-4 ≤ PFD < 10^-3
- i.e. the chance of the system failing on demand lies between one in 10,000 and one in 1,000 (between a 99.9% and 99.99% probability of performing the safety function when it is demanded)

SIL 3 : 

SIL 3 requirements for high demand operation, where PFH applies:
- “High demand” is defined as a demand on the safety function more than once per year
- 10^-8 ≤ PFH < 10^-7 per hour
- i.e. the chance of a dangerous failure in any given hour of operation lies between one in 100,000,000 and one in 10,000,000 (between 99.99999% and 99.999999% per hour)
- Note that PFH is a rate per hour of operation, not a probability per demand

Or put another way : 

For a SIL 3 system in high demand mode:
- At the SIL 3 upper bound of 10^-7 dangerous failures per hour, the mean time to a dangerous failure is 10^7 hours
- 10^7 hours is about 1,141 years, so a system running continuously would on average go at least that long before a dangerous failure

How do you define what SIL level is necessary? : 

- For most industrial applications, SIL 3 is mandated
- However, IEC 61508 presents a decision tree that assists with this determination

Further reading : 

- The IEC 61508 standard itself must be purchased from the IEC
- However, the IEC makes free information available at http://www.iec.ch/zone/fsafety/fsafety_entry.htm
- See also our own Safety Application Guidebook, SH(NA)080613ENG-B

Overview of EN 954 : 

- EN is “European Norm”, a standard adopted by the European Union
- Titled “Safety of machinery. Safety related parts of control systems. General principles for design”

How does it differ from IEC 61508? : 

- IEC 61508 is essentially concerned with reliability
- EN 954 is concerned with ensuring a system operates safely

What does that mean? : 

- EN 954 defines five categories: B, 1, 2, 3, 4
- These categories define how well a system can detect a fault that would lead to an unsafe condition, and hence respond to it
- QS complies with Category 4

How do you define what category is necessary? : 

Again, the standard provides a decision tree

Category definitions : 

Key points: QS is Category 4 certified, i.e. the following applies:
- All requirements of Cat. B
- “Well-tried” safety principles apply
- A single fault does not cause a loss of the safety function
- A single fault is detected at or before the next demand on the safety function
- Accumulation of faults does not lead to loss of the safety function

Risk assessment : 

- Risk assessment is the key starting point of any system design
- Intended to identify hazards and determine their severity, frequency and possibility of avoidance
- Other standards apply to risk assessment, e.g.:
  - ISO 12100 (Safety of machinery - Basic concepts, general principles for design)
  - ISO 14121 (Safety of machinery - Principles of risk assessment)
- This should be performed by the customer or a qualified third party before a system is designed

The future : 

- Moves are underway in Europe to change the current standards
- At present, the outcome is uncertain
- A result is expected within two years (circa 2009?)

Why European standards? : 

- The majority of safety standards have originated in Europe
- In the Americas, organizations such as ANSI & RIA are also involved with setting standards, which tend to follow the European ones
- ANSI/RIA R15.06 covers risk assessment, and is similar to EN 954

Why can’t Q Series be a safety PLC? : 

- The safety standards require specific design methodologies to be followed in order to comply
- While Q Series was designed to rigorous internal MELCO standards, these are different from those required by the safety certification community
- Hence the development of QS

Who certifies QS? : 

- Our functional safety certification is from TÜV, the German certification body (Technischer Überwachungs-Verein, Technical Monitoring Association)
- Essentially an international de facto standard for industrial safety controller certification

Part 2: Overview of the MELSEC QS : 


QS Overview : 

- A safety PLC based on the Q Series Automation Platform
- A standalone platform; links to Q Series via NET/H
- Handles I/O (safety and non-safety) via CC-Link Safety, a new version of CC-Link
- Uses GX Developer as normal; no new programming techniques to learn

Why is QS a standalone platform? : 

IEC 61508 recommends that safety and non-safety systems be separated. IEC 61508-2, clause 7.4.2.3:

“Where an E/E/PE safety-related system is to implement both safety and non-safety functions, then all the hardware and software shall be treated as safety-related unless it can be shown that the implementation of the safety and non-safety functions is sufficiently independent (i.e. that the failure of any non-safety-related functions does not cause a dangerous failure of the safety-related functions). Wherever practicable, the safety-related functions should be separated from the non-safety-related functions.”

Mitsubishi has followed this recommendation.

QS Overview : 

Key components:
- QS001CPU Safety CPU
- QS034B-E Safety Base Rack
- QS061P-A1 Safety Power Supply
- QS0J61BT12 CC-Link Safety Master
- QS0J65BTB2-12DT CC-Link Safety I/O blocks

These are all separate products from the existing Q Series line-up. All are marked as a safety product by a distinctive yellow stripe across the top of the unit. Standard NET/H modules can also be used with the QS.

Key application areas : 

QS should be used wherever there is a requirement for safety control:
- Production lines
- Large machines
- Etc.

Why use a QS instead of safety relays? : 

- QS has sufficient scalability to handle the safety requirements of a whole production line or large machine
- Offers cost savings over “safety islands” implemented using separate safety relay panels
- Offers more flexibility for future changes via programmability
- Offers diagnostics
- The safety PLC market today is similar to the PLC market circa 1975

Why use a QS instead of a safety controller? : 

- Safety controllers typically only aggregate a few safety I/O to control a single cell or machine
- QS offers the capability to integrate many cells or machines together
  - Saves system costs
  - Simplifies maintenance

How does a QS system connect to other systems? : 

- Currently, this is handled via a NET/H connection between QS & Q
- Q can “see” into the QS to monitor conditions
- Other system components are integrated via an associated Q Series system

Safety CPU : 

Safety CPU QS001CPU

QS001CPU overview : 

Two operation modes:
- Safety Mode: locks the CPU; prevents unauthorized changes during safety operation
- Test Mode: allows normal program development & debugging during system development & maintenance

QS001CPU overview : 

- Logging capabilities: records up to 3000 events related to system operation
- RAS (Reliability, Availability & Serviceability) functions:
  - Additional memory diagnostics
  - Redundant CPUs (contained within the one physical CPU), 1oo2 operation
  - Hardware-based diagnostics
- USB program interface

QS001CPU performance specification : 

- Basic instruction processing speed 100 ns; same as the Q01CPU, slower than the Q02HCPU’s 34 ns
- Other specifications are the same as a regular Q CPU in general, matching the Q01CPU
- Note the program memory is larger than the program size, to allow for storage of comments and other data; the three files are program, comments and parameters
- 1024 physical I/O points can be addressed

What’s different about the QS CPU? : 

- Dual CPU architecture
- Uses a “1oo2” (one out of two) voting architecture to ensure the program has been executed correctly
- Required for safety certification
- Any difference between the two results faults the processor and ceases system execution
- Both CPUs are contained in one physical case

So why can’t a redundant Q system be used for safety control? : 

- Not SIL 3 certified
- Difference in philosophy: redundant control aims to avoid an interruption to the process at all costs, whereas safety control is looking for any excuse to shut the process down!
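
The following is an added illustration of the 1oo2 voting idea from the two slides above, and of why it behaves the opposite way to availability-oriented redundancy. It is not Mitsubishi code and says nothing about how the QS001CPU is built internally: the safety program (`estop_logic`), the input and output names, and the rule that the safe state is “all outputs de-energised” are assumptions made for the example.

```python
"""Added example: 1oo2 (one-out-of-two) voting between two program channels.
Not Mitsubishi code; the program, I/O names and safe-state rule are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Inputs = Dict[str, bool]
Outputs = Dict[str, bool]


def estop_logic(x: Inputs) -> Outputs:
    """Hypothetical safety program: the contactor may be energised only while
    both E-stop channels are closed and the light curtain is clear."""
    return {"contactor": x["estop_a"] and x["estop_b"] and x["curtain_clear"]}


def no_fault(out: Outputs) -> Outputs:
    """Default hook: channel B behaves exactly like channel A."""
    return out


@dataclass
class SafetyCPU1oo2:
    """Two channels run the same program on the same inputs every scan and the
    results are compared.  Any disagreement latches a fault and drives every
    output to the safe state; the process stops and stays stopped until the
    fault is cleared by hand.  (Availability-oriented redundancy would instead
    carry on from whichever channel is still running.)"""
    program: Callable[[Inputs], Outputs]
    output_names: List[str]
    channel_b_hook: Callable[[Outputs], Outputs] = no_fault  # lets the example inject a channel-B defect
    faulted: bool = False
    fault_reason: str = ""

    def safe_state(self) -> Outputs:
        # Safe state for machine-safety outputs: everything de-energised.
        return {name: False for name in self.output_names}

    def scan(self, inputs: Inputs) -> Outputs:
        if self.faulted:
            return self.safe_state()
        out_a = self.program(dict(inputs))
        out_b = self.channel_b_hook(self.program(dict(inputs)))
        if out_a != out_b:
            self.faulted = True
            self.fault_reason = f"1oo2 mismatch: A={out_a} B={out_b}"
            return self.safe_state()
        return out_a


if __name__ == "__main__":
    run_request = {"estop_a": True, "estop_b": True, "curtain_clear": True}
    healthy = SafetyCPU1oo2(estop_logic, ["contactor"])
    print("healthy CPU:", healthy.scan(run_request))
    # Constructed defect: channel B returns inverted outputs, so the voter must trip.
    diverging = SafetyCPU1oo2(estop_logic, ["contactor"],
                              channel_b_hook=lambda o: {k: not v for k, v in o.items()})
    print("diverging CPU:", diverging.scan(run_request), "|", diverging.fault_reason)
    print("next scan, still latched:", diverging.scan(run_request))
```

The point to notice is the last line of the run: once the two channels have disagreed, a perfectly valid run request on the next scan still yields a de-energised contactor. A hot-standby pair would have done the opposite and kept the output energised from the surviving channel.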

What’s different about the QS CPU? : 

Memory diagnostics (checks mandated by IEC 61508 Part 7), run on an 8 hour cycle:
- CRC-16 checks
- Block-division walking-bit pattern test
Hardware-based diagnostics:
- Overvoltage/undervoltage detection on the power supply
- CPU clock stop detection
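
As an added example of the two memory-diagnostic techniques the slide names, the code below implements a CRC-16 over a program image and a walking-bit test over one block of RAM. It is not Mitsubishi code, and the QS manuals rather than this example define the real polynomial, block sizes and schedule; CRC-16/CCITT-FALSE is used here only because it has a published check value that makes the routine easy to verify, and the `read_hook` fault model and the sample image are constructed for the demonstration.

```python
"""Added example of a CRC-16 program-memory check and a block-division
walking-bit RAM test.  Not Mitsubishi code; polynomial, block sizes and the
fault model are assumptions for the example."""
from typing import Callable, Optional


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE; crc16_ccitt(b"123456789") == 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def program_memory_ok(image: bytes, stored_crc: int) -> bool:
    """Periodic check: recompute the CRC of the program image and compare it
    with the value recorded when the program was written.  Any CRC detects
    every single-bit change, so a flipped bit cannot pass."""
    return crc16_ccitt(image) == stored_crc


ReadHook = Callable[[int, int], int]  # (address, value written) -> value actually read back


def walking_bit_test(ram: bytearray, start: int, length: int,
                     read_hook: Optional[ReadHook] = None) -> int:
    """Walking-one then walking-zero test over one block of RAM.

    Each bit of each byte is driven to 1 with all others 0, then to 0 with all
    others 1, and read back after every write.  Returns the address of the
    first byte that reads back wrong, or -1 if the block passes.  The block is
    saved first and restored afterwards so the test can run in the background
    on live memory; "block division" means the CPU tests one block per pass
    rather than all RAM at once.  read_hook models a hardware defect."""
    patterns = [1 << b for b in range(8)] + [~(1 << b) & 0xFF for b in range(8)]
    saved = ram[start:start + length]
    try:
        for addr in range(start, start + length):
            for pattern in patterns:
                ram[addr] = pattern
                read = read_hook(addr, ram[addr]) if read_hook else ram[addr]
                if read != pattern:
                    return addr
        return -1
    finally:
        ram[start:start + length] = saved


def stuck_low_bit(address: int, bit: int) -> ReadHook:
    """Constructed fault: one bit at one address always reads back as 0."""
    return lambda addr, value: value & ~(1 << bit) & 0xFF if addr == address else value


if __name__ == "__main__":
    image = bytearray(b"constructed program image")   # constructed sample, not a real QS image
    good_crc = crc16_ccitt(bytes(image))
    image[3] ^= 0x10                                  # flip one bit
    print("corrupted image passes CRC:", program_memory_ok(bytes(image), good_crc))
    ram = bytearray(range(64))
    print("first failing address:", walking_bit_test(ram, 0, 64, stuck_low_bit(37, 3)))
    print("same fault, block 0-31 only:", walking_bit_test(ram, 0, 32, stuck_low_bit(37, 3)))
```

The last line shows the caveat that comes with block division: a defect outside the block under test is not seen on this pass, which is why such tests are scheduled to cover all blocks over a fixed cycle (the slide gives 8 hours) rather than being treated as a one-off check.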

What’s different about the QS CPU? : 

- Currently a QS system has no facility to accept any I/O of any type on its backplane
- Only NET/H modules and CC-Link Safety modules can be installed
- This means that the QS does not support any of the standard Q Series I/O or special function module line-up, because none of these products are safety certified

What’s different about the QS CPU? : 

- Physical size: wider than a regular Q CPU, due to the two CPUs inside; since it has its own dedicated rack, not really an issue
- No memory card slot
- No RS232 port; offers USB instead

Manuals available : 

- Hardware manual: IB(NA)0800340ENG
- User’s Manual (Hardware Design, Maintenance & Inspection): SH(NA)080626ENG
- User’s Manual (Function Explanation, Program Fundamentals): SH(NA)080627ENG
- Programming Manual: SH(NA)080628ENG
- Safety guidebook: SH(NA)080613ENG-B

Test & Safety Modes : 

Two main modes of operation:
- Safety Mode is used to ensure the system operates correctly when in actual use
- Test Mode permits development & maintenance before systems are put into service

Test Mode : 

- Permits all usual programming & maintenance functions to be carried out: modify program, modify parameters, modify device data, etc.
- However, note that the operation of the system in Test Mode is NOT considered to be “safe”
- Once the system development is complete, the QS must be switched to Safety Mode
- Refer to the GX Developer Safety PLC manual (IB(NA)0800366ENG), section 1.2.2 for a full overview of the permitted operations in Test & Safety Modes

Safety Mode : 

- The actual operating status of the QS
- Switching between the two modes is protected by password control
- In general, prohibits anything that could compromise safe operation: attempting to change programs, changing device data, changing security settings, modifying memory contents (format, clear, etc.), etc.
- Again, the GX Developer Safety PLC Manual lays out the permitted operations

Effect of access control on Test & Safety Modes : 

- QS also allows restrictions to be placed on CPU access, established by password control
- This can also be used to further restrict permitted actions in Test & Safety Modes

Access control : 

QS restricts access to three classes of user:
- Administrator (highest)
- Developer (medium)
- User (lowest)
Your class defines your level of access in both Test & Safety Modes. Up to 128 users can be allowed access to a project; the access level is defined separately for each user, and each user has a unique user name & password.

Administrator : 

- Highest, most complete level of access
- Full access to program and device memory in Test Mode
- Can determine the level of access and permitted functions for all other, lower level users
- Would equate to the original system designer, maintenance management, etc.

Developer : 

- Similar access to an Administrator: generally the same level of access to program & device memory
- Cannot define access control settings for other users
- Would equate to maintenance technicians, plant electricians, etc.

User : 

- Lowest level of access
- Generally restricted to just viewing the program, without being able to change it in any significant way
- Would equate to a high-level operator or low-level maintenance technician

Programming the QS Safety PLC : 

- In general, the QS programs the same way as any other Q Series sequence CPU
- Uses the existing GX Developer: no new software to buy
- Minimizes the learning curve: accessible to shop floor electricians and other maintenance personnel, and builds on the customer’s existing MELSEC expertise
- Additional features have been added in GX Developer to support the new safety related features
- Supported in the current version of GX Developer (8.45X as of June 2007)

GX Developer safety features : 

- Security operation
- CPU operation

Security operation : 

- A new option on the Project menu
- Allows general definitions of who has access to the QS

Security operation: user name & password : 

- All projects require definition of a user name and password on creation
- Prevents unauthorized access to a project during development or later
- Ensures development accountability and traceability, provided each person uses only their own credentials
- No back door!

Security operation: access levels : 

- Set administrator, developer and user levels for everyone with access to the system
- Allows a specific log-on to be created for up to 128 users, each with their own user name & password

Security operation: automatic operation lock : 

- To prevent unauthorized access to a project while the programmer is absent
- Set a time-out duration after which access to GX Developer is prevented without a valid log-in
- Lockout can also be performed on demand

CPU operation : 

- A new option on the Online menu
- Covers miscellaneous CPU operations

CPU operations: Test/Safety Mode switch : 

- Used to switch between Test & Safety Modes
- Note the CPU has to be in STOP mode before a switch can be made

CPU operations: display ROM information : 

- Ensures traceability during operation of the CPU: date, time & identity of those performing downloads
- Assigns an ID to both the program and the parameters

CPU operations: CPU password : 

- In addition to the passwords which control access to the project, the CPU can also be password protected separately
- If this password is lost, a full reset of the CPU is required; the project can be downloaded again afterwards

CPU operations: PLC memory initialization : 

- Returns the QS to the factory default state
- Use to reset a QS in general, or to recover a system for which the password has been lost
- Requires the program to be downloaded again
- Note the security implication: the CPU password cannot stop someone with a USB connection to the CPU from wiping it and reloading a program. What it prevents is unnoticed modification: a reset leaves the CPU without a program, and any reload is recorded in the ROM information (date, time and identity of the download), so the event is visible afterwards

CPU operations: CPU monitoring selection : 

- The QS CPU contains two separate CPUs; this allows either one to be monitored separately
- Since both function as a 1oo2 model, the results of each should be identical
- Differences would cause a fault

Display of safety programs : 

- QS uses regular ladder logic to remove the learning curve
- Ladder logic is displayed the same as usual, but devices related to the safety function (I/O, data registers, etc.) are highlighted
- The color is user definable; yellow is used here

Parameter settings : 

- In general, parameter settings are similar to a regular Q Series sequence CPU
- However a considerable number of parameters that apply to the regular Q Series do not apply to the QS, largely because the QS does not support any rack-based I/O or special function modules

Writing programs to Standard ROM : 

- Despite having no memory card slot, QS still offers a boot feature
- The system boots from the program in Standard ROM memory
- Allows a back-up copy of the program to be retained if the CPU battery back-up fails

Diagnostics : 

- QS stores a comprehensive log of errors for viewing in GX Developer
- Up to 3000 events are logged by the CPU, considerably more than most other systems
- An extremely comprehensive diagnostic code list gives a clear picture of system status

Network communications : 

Currently QS has the following connectivity on networks:
- CC-Link Safety: I/O network only
- MELSECNET/H: for linking to Q Series systems; permits monitoring
- No other networks are currently supported; Ethernet is planned for 2008

Integration with other systems : 

- For Mitsubishi systems: connect via NET/H; requires a Q Series on the installed base
- For non-Mitsubishi systems: no connectivity is possible at the moment
(Diagram: NET/H link between Q & QS)

Safety Power Supplies : 

Safety Power Supplies QS061P-A1 & A2

Power supply overview : 

QS offers two choices of PSU:
- QS061P-A1: 120 VAC; North America
- QS061P-A2: 240 VAC; Europe

What’s different about the safety power supplies? : 

- As with all other parts of the QS, they were designed according to functional safety standards
- Additional standards relating to over & under voltage performance apply
- An error contact is provided to signify diagnostic issues; it turns off when a fault occurs

Safety Base Unit : 

Safety Base Unit QS034B-E

Base unit overview : 

- 4 slots
- One CPU (QS only)
- Accepts only:
  - CC-Link Safety master (up to two)
  - NET/H master (one only)
  - QG60 blank slot filler
- No other type of I/O or special function module can be installed currently; safety rack-based I/O is planned
- GOT bus connection is not supported
- Extension racks are not supported

What’s different about the safety base unit? : 

- Superficially similar to a normal base unit, but has different slot spacing to accommodate the QS001CPU’s additional width
- Designed according to functional safety requirements

CC-Link Safety : 

CC-Link Safety QS0J61BT12 CC-Link Safety Master

Overview of CC-Link Safety : 

- Same performance specifications as CC-Link: 10 Mbit/s, 1200 m bus, 64 stations
- Additional protocol extensions to ensure compliance with IEC 61508, chiefly related to additional communication error detection functions
- Allows use of non-safety CC-Link devices on the same network as safety stations; permits safety and non-safety I/O to share the same network, which reduces cost
- Still uses GX Developer for parameter settings

Key differences between CC-Link & CC-Link Safety : 


Number of stations on a safety network : 

- CC-Link Safety supports up to 64 stations
- When all are safety I/O, the total is 42 (the same as the remote device station total on CC-Link)
- See the CC-Link Safety Master User’s Manual for complete calculation details for mixed networks

Communication functions : 

- In general, CC-Link Safety supports the same functions as CC-Link
- Some new safety related functions have also been added:
  - Data link stops when the safety CPU experiences an error
  - Slave station outputs can be forced off when the safety CPU stops
  - Collection of error history data
  - Safety interlock; prevents automatic restart of I/O data exchange with a remote station after a communication error
  - Unique identification of safety I/O modules

Support for CC-Link Safety in GX Developer : 

- In general, GX Developer uses the same parameter settings as before to configure CC-Link Safety
- New capabilities have been added to configure I/O operation; we’ll examine these later

Future plans for CC-Link Safety : 

- Since this is an open network, the CLPA is administering it
- Plans are underway to recruit third party vendors
- MELCO also plans to add to its line-up of CC-Link Safety products

CC-Link Safety I/O Module : 

CC-Link Safety I/O Module QS0J65BTB2-12DT

Safety I/O for the QS : 

- QS supports I/O via the CC-Link Safety network
- By means of specially designed safety I/O blocks, QS can meet the necessary requirements for connection to safety devices: E-stops, light curtains, etc.

What’s different about safety I/O? : 

- As well as being functionally safe (IEC 61508), I/O has to support the ability to keep a system safe (EN 954)
- This requires a range of features not required on conventional I/O:
  - Dual redundant wiring
  - Test pulses
  - Timing checks

EN 954 revisited : 

QS is certified to EN 954 Category 4. A Category 4 circuit is required to be:
- Designed so it can withstand the “expected influence”
- Using “well-tried” safety principles
- Able to prevent a single fault from losing the safety function
- Able to detect the single fault at or before the next demand on the safety function
- If this is not possible, an accumulation of faults should not lead to a loss of the safety function

How are these requirements realized? : 

“Designed so it can withstand the expected influence”
- Follows normal MELCO design requirements (combined with the demands of functional safety): temperature, humidity, vibration, shock
- Also has electrical protection functions: overvoltage, overcurrent

How are these requirements realized? : 

“Uses well-tried safety principles”
- Designed according to IEC 61508 SIL 3 principles
- Third party certified by TÜV

How are these requirements realized? : 

“Able to prevent a single fault from losing the safety function”
- Uses dual wiring on input circuits; hence loss of a single channel does not prevent sensing a safety input
- Uses dual wiring on output circuits; outputs can be configured as sink & source together, or source & source
- Note: single channel wiring is not supported; use conventional CC-Link I/O for this

How are these requirements realized? : 

“Able to detect the single fault at or before the next demand on the safety function”
- Use of test pulses
- Allows the integrity of input and output circuits to be checked on a near-continuous basis

How are these requirements realized? : 

“An accumulation of faults should not lead to a loss of the safety function”
- QS and its safety I/O have multiple layers of safety diagnostics
- Faults in the system will be detected and lead to a safe shutdown

Input/output test pulses : 

- Allow detection of miswiring, short circuits and open circuits on I/O devices
- Each “T” terminal generates a unique signal pattern
- The QS expects this pattern to appear at a given I/O point; if not, a fault is detected
- The pulse train is configurable

Input/output test pulses : 

- Detection of short circuits: for example, T0 & T1 shorted; two pulses would be superimposed on the same channel: fault detected
- Detection of open circuits: T0 or T1 lost; a pulse would be lost: fault detected
- Miswiring: T0 wired to X1; the wrong pulse is sensed at a channel: fault detected

Why test pulses are not always needed : 

- Sometimes, it may be necessary to disable test pulses, e.g. if a device (such as a light curtain) generates its own pulses
- Disable the QS test pulses for this channel to prevent a conflict of signals and hence a false fault
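
The following is an added example, not Mitsubishi code, of the test-pulse mechanism described in the last three slides: each T terminal carries a distinct pattern, and a dual-channel input is judged healthy, open, or faulted from what actually arrives on its two channels. The pulse shapes, the eight-sample window, the classification rules and the `superimpose` wiring-fault model are all assumptions made for the example; the real module’s patterns and timing are defined in its manual. It also shows the last slide’s point: a channel whose device generates its own pulses has the check switched off (`source=None`) and is read as a plain level after the noise filter.

```python
"""Added example: unique test-pulse patterns let a safety input block tell a
healthy dual-channel contact from shorts, opens and miswiring.  Not Mitsubishi
code; patterns, sample length and classification rules are assumptions."""
from enum import Enum
from typing import Optional, Tuple

Samples = Tuple[int, ...]

# Constructed patterns, one sample per tick, for two test terminals.  They are
# offset in phase so the wrong terminal's signal, or two signals superimposed,
# never looks like the right one.
TEST_PATTERNS = {
    "T0": (1, 1, 1, 0, 1, 1, 1, 0),
    "T1": (1, 0, 1, 1, 1, 0, 1, 1),
}
QUIET: Samples = (0,) * 8        # nothing arriving: open contact or broken wire
LEVEL_HIGH: Samples = (1,) * 8   # steady high: a filtered level input, or a short to +24 V


class InputState(Enum):
    OFF = "off"      # both channels quiet: the device has opened (a demand) or is safely disconnected
    ON = "on"        # both channels carry exactly the pulses of their own terminal
    FAULT = "fault"  # anything else: short, single-channel open, cross-wiring, stuck high


def classify_channel(samples: Samples, source: Optional[str]) -> str:
    """'own' = the expected signal, 'quiet' = nothing, 'bad' = something else.
    source=None disables test-pulse checking for this channel (e.g. a light
    curtain output that generates its own pulses): the channel is then read as
    a plain level after the noise filter, so only all-high or all-low is valid."""
    expected = LEVEL_HIGH if source is None else TEST_PATTERNS[source]
    if tuple(samples) == expected:
        return "own"
    if not any(samples):
        return "quiet"
    return "bad"


def evaluate_dual_input(x0: Samples, x1: Samples,
                        x0_source: Optional[str] = "T0",
                        x1_source: Optional[str] = "T1") -> InputState:
    """Combine the two channels of one dual-wired safety device (X0 fed from T0,
    X1 from T1 by default).  Both must agree, and each must carry its own
    terminal's pulses, before the input is taken as ON."""
    c0, c1 = classify_channel(x0, x0_source), classify_channel(x1, x1_source)
    if c0 == c1 == "own":
        return InputState.ON
    if c0 == c1 == "quiet":
        return InputState.OFF
    return InputState.FAULT


def superimpose(a: Samples, b: Samples) -> Samples:
    """Constructed wiring fault: two terminals shorted together, so a channel sees both."""
    return tuple(p | q for p, q in zip(a, b))


if __name__ == "__main__":
    t0, t1 = TEST_PATTERNS["T0"], TEST_PATTERNS["T1"]
    ossd = (1, 1, 1, 1, 0, 1, 1, 1)   # constructed: a light curtain's own self-test dip
    print("healthy, contact closed  :", evaluate_dual_input(t0, t1))
    print("contact opened (E-stop)  :", evaluate_dual_input(QUIET, QUIET))
    print("T0-T1 short              :", evaluate_dual_input(superimpose(t0, t1), superimpose(t0, t1)))
    print("X0 wire broken           :", evaluate_dual_input(QUIET, t1))
    print("T0/T1 cross-wired        :", evaluate_dual_input(t1, t0))
    print("X0 shorted to +24 V      :", evaluate_dual_input(LEVEL_HIGH, t1))
    print("curtain, QS pulses on    :", evaluate_dual_input(ossd, ossd))               # false fault
    print("curtain, pulses off+filt :", evaluate_dual_input(LEVEL_HIGH, LEVEL_HIGH, None, None))
```

The two “curtain” lines are the reason the last slide exists: with QS test pulses still expected on a channel that carries the light curtain’s own pulses, a working curtain is reported as a wiring fault; with the check disabled and the curtain’s dips removed by the noise filter, the same channel is read correctly as ON.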

Input timing discrepancy detection : 

- For detection of a welded or open channel in a dual redundant circuit
- If both channels do not activate within a predefined time window, a fault is detected
- The window is adjustable

Input noise filter : 

- To allow for the effect of contact bounce, etc.
- Prevents response to a signal shorter than a specified interval
- The interval has to be longer than the OFF period of the test pulse, otherwise the pulse itself would be read as a change of input state
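
As an added simulation of the two checks in the last two slides, the code below runs a noise filter and a dual-channel discrepancy window over constructed input traces, one sample per input scan tick. It is not Mitsubishi code: the tick-based timing, the filter lengths, the window and the traces (`ESTOP_A`, `ESTOP_B_HEALTHY`, `ESTOP_B_WELDED`, `PULSED`, `BOUNCY`) are assumptions made for the example.

```python
"""Added simulation of an input noise filter and a dual-channel discrepancy
monitor.  Not Mitsubishi code; tick period, filter lengths, window and the
constructed signals are assumptions for the example."""
from typing import List, Optional, Tuple


def noise_filter(levels: List[int], filter_ticks: int) -> List[int]:
    """The filtered level changes only after the raw input has held a new level
    for filter_ticks consecutive ticks; shorter disturbances (contact bounce,
    a test-pulse OFF period) are ignored.  Output starts at the first raw level."""
    out, current, pending = [], levels[0], 0
    for raw in levels:
        if raw == current:
            pending = 0
        else:
            pending += 1
            if pending >= filter_ticks:
                current, pending = raw, 0
        out.append(current)
    return out


def discrepancy_monitor(chan_a: List[int], chan_b: List[int],
                        window_ticks: int) -> Tuple[List[str], Optional[int]]:
    """Both channels of a dual-wired device must agree within window_ticks of
    either one changing.  While they disagree the safe state (OFF) is reported;
    if the disagreement outlasts the window a FAULT is latched (a welded
    contact or a broken channel).  Returns the per-tick state and the tick at
    which the fault latched, or None."""
    states: List[str] = []
    fault_tick: Optional[int] = None
    differing = 0
    for t, (a, b) in enumerate(zip(chan_a, chan_b)):
        if fault_tick is not None:
            states.append("FAULT")
        elif a == b:
            differing = 0
            states.append("ON" if a else "OFF")
        else:
            differing += 1
            if differing > window_ticks:
                fault_tick = t
                states.append("FAULT")
            else:
                states.append("OFF")
    return states, fault_tick


# Constructed traces.  A healthy dual-channel E-stop: both contacts open, the
# second one a tick later.  A welded contact: channel B never opens.
ESTOP_A = [1] * 4 + [0] * 8
ESTOP_B_HEALTHY = [1] * 5 + [0] * 7
ESTOP_B_WELDED = [1] * 12
# A channel carrying test pulses with a one-tick OFF period, and a contact
# that bounces once before opening for good.
PULSED = [1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0]
BOUNCY = [1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0]


def final_state(chan_a: List[int], chan_b: List[int], window_ticks: int) -> str:
    return discrepancy_monitor(chan_a, chan_b, window_ticks)[0][-1]


if __name__ == "__main__":
    print("healthy E-stop, window 2 :", final_state(ESTOP_A, ESTOP_B_HEALTHY, 2))
    print("welded contact, window 2 :", discrepancy_monitor(ESTOP_A, ESTOP_B_WELDED, 2))
    print("bounce, filter 2         :", noise_filter(BOUNCY, 2))
    print("pulses, filter 2 > OFF   :", noise_filter(PULSED, 2))   # stays ON: pulses filtered out
    print("pulses, filter 1 = OFF   :", noise_filter(PULSED, 1))   # false OFF on every pulse
```

The last two lines are the slide’s rule in action: with the filter interval longer than the one-tick OFF period of the test pulse the channel reads as steadily ON, whereas a filter equal to the OFF period lets every pulse through as a spurious OFF, which the discrepancy monitor would then have to treat as a demand.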

Output wiring combinations : 

- Outputs are transistor
- Two wiring options: source-source, sink-source
- Use according to output device polarity

Configuring category 3 and category 4 : 

- Selection of the required category depends on the I/O configuration
- Cat. 3 does not use test pulses or an equivalent feature in the safety device
(Diagram: Cat. 3 configuration route / Cat. 4 configuration route)

Block parameter setting : 

- I/O is configured using the standard GX Developer Network Parameter tools for CC-Link
- Select “Station Information” to access the I/O configuration screens

Block parameter setting : 

The “Safety remote station settings” dialog contains all the parameters to set the noise filter, discrepancy detection, test pulses, etc.

Block coding : 

- Safety I/O can have a unique serial number assigned
- Tracks service replacements

Switch settings : 

As well as the usual station number & baud rate settings, other features exist:
- Loop-back test: ensures correct function of the block before installation
- Error log: set to read diagnostic info; used to read buffered error log data if communication is lost

Conclusions : 

- The QS represents Mitsubishi’s commitment to safety controls
- It offers a high capacity, flexible alternative to discrete safety relays or controllers
- CC-Link Safety offers an open, cost effective, high performance way to network critical safety devices
- Together, they form a safety solution that readily integrates with the rest of the Mitsubishi automation solution