
GB/T 16855.1-2018 PDF English


Search result: GB/T 16855.1-2018 English PDF (GB/T16855.1-2018)

Standard ID        | Contents | USD | PDF delivered in            | Name of Chinese Standard                                                                                   | Status
GB/T 16855.1-2018  | English  | 905 | 0-9 seconds (auto-delivery) | Safety of machinery -- Safety-related parts of control systems -- Part 1: General principles for design | Valid
GB/T 16855.1-2008  | English  | RFQ | 10 days                     | Safety of machinery -- Safety-related parts of control systems -- Part 1: General principles for design | Obsolete
GB/T 16855.1-2005  | English  | RFQ | 9 days                      | Safety of machinery -- Safety-related parts of control systems -- Part 1: General principles for design | Obsolete
GB/T 16855.1-1997  | English  | 959 | 6 days                      | Safety of machinery -- Safety related parts of control systems -- Part 1: General principles for design | Obsolete


GB/T 16855.1-2018: PDF in English (GBT 16855.1-2018)

GB/T 16855.1-2018
Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
ICS 13.110; J09
National Standard of the People's Republic of China
Replaces GB/T 16855.1-2008
Issued 2018-12-28; implemented 2019-07-01
Issued by the State Administration for Market Regulation and the Standardization Administration of China

Table of contents (page numbers as in the PDF)
Preface III
Introduction IV
1 Scope 1
2 Normative references 1
3 Terms and definitions, symbols and abbreviations 2
3.1 Terms and definitions 2
3.2 Symbols and abbreviations 6
4 Design considerations 8
4.1 Safety objectives in design 8
4.2 Risk reduction strategy 9
4.3 Determination of the required performance level (PLr) 11
4.4 Design of SRP/CS 12
4.5 Evaluation of the performance level PL and its relationship with SIL 12
4.6 Software safety requirements 18
4.7 Verification that the achieved PL meets PLr 21
4.8 Ergonomic aspects of design 21
5 Safety functions 22
5.1 Specification of safety functions 22
5.2 Details of safety functions 23
6 Categories and their relationship with DCavg, CCF and MTTFD of each channel 25
6.1 General requirements 25
6.2 Specification of categories 26
6.3 Combination of SRP/CS to achieve an overall PL 33
7 Fault considerations and fault exclusion 34
7.1 General requirements 34
7.2 Fault considerations 34
7.3 Fault exclusion 34
8 Validation 34
9 Maintenance 34
10 Technical documentation 34
11 Information for use 35
Appendix A (informative) Determination of the required performance level (PLr) 36
Appendix B (informative) Block method and safety-related block diagrams 39
Appendix C (informative) Calculation or evaluation of the MTTFD value of a single component 41
Appendix D (informative) Simplified method for estimating the MTTFD of each channel 47
Appendix E (informative) Estimation of diagnostic coverage (DC) for functions and modules 49
Appendix F (informative) Estimation of common cause failure (CCF) 52
Appendix G (informative) Systematic failure 54
Appendix H (informative) Examples of combinations of safety-related parts of control systems 56
Appendix I (informative) Examples 59
Appendix J (informative) Software 66
Appendix K (informative) Numerical representation of Figure 5 69
References 73

Preface
GB/T 16855 "Safety-related parts of machinery safety control systems" consists of the following two parts:
---Part 1: General design principles;
---Part 2: Validation.
This part is Part 1 of GB/T 16855.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part replaces GB/T 16855.1-2008 "Safety-related parts of machinery safety control systems - Part 1: General design rules". Compared with GB/T 16855.1-2008, the main technical changes, apart from editorial changes, are as follows:
---the standard name was revised to "Safety-related parts of machinery safety control systems - Part 1: General design principles";
---Table 1 of the introduction was deleted (see the introduction of the 2008 edition);
---the term "system failure" was changed to "systematic failure" (see 3.1.7; 3.1.7 of the 2008 edition);
---the term for mean time to dangerous failure was modified and its abbreviation changed to "MTTFD" (see 3.1.25; 3.1.25 of the 2008 edition);
---the terms "high demand or continuous mode" and "proven in use" and their definitions were added (see 3.1.38 and 3.1.39);
---Figure 1 was revised (see Figure 1; Figure 1 of the 2008 edition);
---requirements for the output part of the SRP/CS were added to the description of the categories (see 4.5.5);
---the calculation or estimation of the MTTFD value of a single component was modified (see Appendix C; Appendix C of the 2008 edition);
---Appendix I was redrafted (see Appendix I; Appendix I of the 2008 edition).
This part is identical to ISO 13849-1:2015 "Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design" and was prepared by the translation method.
The Chinese documents corresponding to the international documents cited in this part are as follows:
---GB 28526-2012 Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems (IEC 62061:2005, IDT);
---GB/T 30175-2013 Safety of machinery - Guidance on the application of GB/T 16855.1 and GB 28526 in the design of safety-related control systems (ISO/TR 23849:2010, IDT).
This part has made the following editorial changes:
---editorial errors in Table 1 were corrected: "Table 3" was changed to "Table 2", "Table 4" to "Table 3" and "Table 7" to "Table 6".
This part was proposed by, and is under the jurisdiction of, the National Technical Committee on Safety of Machinery Standardization (SAC/TC 208).
Drafting organizations of this part: Pilz Electronics (Changzhou) Co., Ltd., China Machinery Productivity Promotion Center, Anhui Leku Intelligent Parking Equipment Co., Ltd., Suzhou Angao Intelligent Safety Technology Co., Ltd., Xiamen Rituo Electric Technology Co., Ltd., Nan'an China National Machinery Standardization Research Institute Co., Ltd., Fujian Minxuan Technology Co., Ltd., Soft Control Co., Ltd., China Software Evaluation Center, Enschlung (Shanghai) Mechanical and Electrical Trading Co., Ltd., Huace Testing and Certification Group Co., Ltd., Nanjing University of Science and Technology, Xi'an Xumai Intelligent Appliance Technology Co., Ltd., Nanjing Forestry University National and Local Joint Engineering Research Center of Biomass Materials for Mechanical and Electrical Products Packaging, Nan'an Quality Metrology and Testing Institute, Lihong Safety Equipment Engineering (Shanghai) Co., Ltd., Zhejiang Thunderbird Supply Chain Management Co., Ltd.
The main drafters of this part: Zhang Xiaofei, Huang Zhijiong, Li Qin, Zhu Bin, Sun Zhenchao, Li Liyan, Zhao Yangyang, Wang Baozhen, Yu Mingjin, Liu Fawang, Lu Xiaoguang, Guo Yongzhen, Liu Panchao, Curie Kai, Cheng Hongbing, Bai Honghai, Ju Ronghua, Ji Kun, Hou Hongying, Huang Dongsheng, Yin Zhiyao, Fu Huiqing, Liu Ying, Chen Zhuoxian, Li Zhong, Liu Zhiyong, Song Xiaoning, Li Yali, Zhou Aiping.
The previous editions of the standard replaced by this part are:
---GB/T 16855.1-1997, GB/T 16855.1-2005, GB/T 16855.1-2008.

Introduction
The structure of safety standards in the field of machinery is as follows:
a) Type A standards (basic safety standards) give basic concepts, principles for design and general aspects that can be applied to all machinery;
b) Type B standards (generic safety standards) deal with one safety aspect or one type of safeguard that can be used across a wide range of machinery:
---Type B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
---Type B2 standards on safeguards (e.g. two-hand control devices, interlocking devices, pressure-sensitive devices, guards);
c) Type C standards (machine safety standards) deal with detailed safety requirements for a particular machine or group of machines.
According to GB/T 15706, this part is a Type B standard.
This part is of particular relevance to the following stakeholders in machinery safety:
---machine manufacturers;
---health and safety bodies.
Other stakeholders affected by the level of machinery safety are:
---machine users;
---machine owners;
---service providers;
---consumers (for machinery intended for use by consumers).
The stakeholders named above may participate in the drafting of this part. In addition, this part is intended for use by standardization bodies drafting Type C standards.
The requirements of this part can be supplemented or modified by a Type C standard. For machines that are covered by the scope of a Type C standard and have been designed and built according to it, the requirements of that Type C standard take precedence.
The purpose of this part is to provide guidance to those involved in the design and assessment of control systems, and to guide the drafting and revision of Type B or Type C standards. As part of the overall risk reduction strategy for a machine, a designer generally adopts one or more protective devices with safety functions to achieve a certain degree of risk reduction. The parts of a machine control system that are used to provide safety functions are called safety-related parts of control systems (SRP/CS); they consist of hardware and software and can be separate from, or an integral part of, the machine control system. In addition to providing safety functions, an SRP/CS can also provide operational functions (for example a two-hand control device used as a means of process initiation).
The ability of safety-related parts of a control system to perform a safety function under foreseeable conditions is divided into five levels, called performance levels (PL). These performance levels are defined in terms of the probability of dangerous failure per hour (see Table 2). The probability of dangerous failure of a safety function depends on several factors, including the hardware and software structure, the extent of the fault detection mechanisms [diagnostic coverage (DC)], component reliability [mean time to dangerous failure (MTTFD), common cause failure (CCF)], the design process, operating stress, environmental conditions and operating procedures. To make it easier for the designer to evaluate the PL achieved, this part adopts a method of classifying structures based on specific design criteria and specified behaviour under fault conditions.
Structures are classified into five categories: category B, category 1, category 2, category 3 and category 4. Performance levels and categories apply to safety-related parts of control systems such as:
---protective devices (e.g. two-hand control devices, interlocking devices), electro-sensitive protective devices (e.g. light curtains), pressure-sensitive devices;
---control units (e.g. logic units for control functions, data processing, monitoring, etc.);
---power control elements (e.g. relays, valves, etc.);
and to the control systems that perform safety functions on all kinds of machinery, from simple devices (e.g. small kitchen appliances or automatic doors) to complex manufacturing equipment (e.g. packaging machinery, printing machinery, presses).
The purpose of this part is to provide a clear basis for evaluating the design and performance of an SRP/CS (and the machine) in its application, for example by third-party assessment, self-assessment or independent laboratory assessment.
Information on IEC 62061 and the recommended application of this part
Both IEC 62061 and this part specify requirements for the design and implementation of safety-related parts of machine control systems. Compliance with either of these standards can be assumed to meet the relevant essential safety requirements. ISO/TR 23849 provides guidance on the application of IEC 62061 and this part in the design of safety-related control systems.

Safety-related parts of machinery safety control systems - Part 1: General design principles

1 Scope
This part of GB/T 16855 specifies safety requirements and guidance for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. This part specifies the characteristics of these SRP/CS, including the performance level required for carrying out safety functions.
This part applies to SRP/CS in high demand and continuous mode on all kinds of machinery, regardless of the technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.). This part does not specify the safety functions or performance levels to be used in particular applications. This part provides specific requirements for SRP/CS using programmable electronic systems. This part does not give specific design requirements for SRP/CS products, but the categories or performance levels given can be used.
Note 1: Examples of SRP/CS products: relays, solenoid valves, position switches, PLCs, motor control units, two-hand control devices, pressure-sensitive devices, etc. The design of such products needs to refer to the specific standards, e.g. GB/T 19671, GB/T 17454.1 and GB/T 17454.2.
Note 2: See 3.1.24 for the definition of required performance level.
Note 3: The requirements for programmable electronic systems given in this part are consistent with the overall design and development methods for safety-related electrical, electronic and programmable control systems of machinery given in IEC 62061.
Note 4: For the safety-related embedded software of components with PLr = e, see Clause 7 of IEC 61508-3:1998.

4 Design considerations
4.1 Safety objectives in design
The design and construction of an SRP/CS should take full account of the principles in GB/T 15706 (see Figure 1 and Figure 3). The intended use and reasonably foreseeable misuse should also be considered.
Figure 1 Overview of risk assessment / risk reduction (a: see GB/T 15706-2012; b: see this part)
4.2 Risk reduction strategy
4.2.1 Overview
GB/T 15706-2012, 6.1 gives a strategy for reducing the risk of machinery. Further guidance is given in GB/T 15706-2012, 6.2 (inherently safe design measures) and 6.3 (safeguarding and complementary protective measures). The risk reduction strategy covers the whole life cycle of the machine.
The hazard analysis and risk reduction process for the machine requires the following measures to eliminate or reduce the risk step by step:
---eliminating hazards or reducing risks by design (see GB/T 15706-2012, 6.2);
---reducing risk by safeguarding and possibly complementary protective measures (see GB/T 15706-2012, 6.3);
---reducing risk by providing information for use about the residual risk (see GB/T 15706-2012, 6.4).
4.2.2 Contribution of the control system to risk reduction
The overall design procedure for the machine is followed in order to achieve the safety objectives (see 4.1). Designing an SRP/CS that provides the required risk reduction is a sub-process within the overall machine design process. The SRP/CS provides safety functions with a PL that achieves the required risk reduction. Whether the safety function is provided as part of the inherently safe design, as an interlocking guard, or as the controller of a protective device, the design of the SRP/CS is part of the risk reduction strategy. The design process is iterative; see Figure 1 and Figure 3.
Note: This risk reduction strategy need not be applied to the non-safety-related parts of the control system or to purely functional parts of the machine (see GB/T 35081-2018, Clause 3).
For each safety function, its characteristics (see Clause 5) and the required performance level should be specified and recorded in the safety requirements specification. In this part the performance level is defined in terms of the probability of dangerous failure per hour. It is divided into five levels, from the lowest, PL = a, to the highest, PL = e, each corresponding to a defined range of the probability of dangerous failure per hour (see Table 2). To achieve a PL, in addition to the quantitative factors, the qualitative requirements of the PL (see 4.5) must also be met.
Table 2 Performance levels (PL)
Starting from the risk assessment of the machine (see GB/T 15706), the designer should determine the contribution to risk reduction made by each relevant safety function to be performed by the SRP/CS. This contribution does not cover the entire risk of the controlled machine, for example the overall risk of a mechanical press or a washing machine, but only the part of the risk reduced by the use of the particular safety function. Examples of such functions are the stop function initiated by an electro-sensitive protective device on a press, or the door-locking function of a washing machine. Risk reduction can be achieved by applying various protective measures (both SRP/CS and non-SRP/CS), with the final result of attaining a safe condition (see Figure 2).
4.3 Determination of the required performance level (PLr)
For each safety function selected to be performed by an SRP/CS, the required performance level (PLr) should be determined and documented (guidance on determining PLr is given in Appendix A). The determination of the required performance level is the result of the risk assessment and refers to the amount of risk reduction to be achieved by the safety-related parts of the control system (see Figure 2). The greater the risk reduction required of the SRP/CS, the higher the PLr.
4.4 Design of SRP/CS
Determining the safety functions of a machine is part of the risk reduction process. This also includes determining the safety functions of the control system, such as prevention of unexpected start-up. One safety function may be implemented by one or more SRP/CS, and several safety functions may share one or more SRP/CS (for example a logic unit or a power control element). A single SRP/CS may also perform several safety functions as well as standard control functions. The designer may use any available technology, alone or in combination. An SRP/CS may also provide operational functions (for example an AOPD used as a means of initiating a cycle).
4.5 Evaluation of the performance level PL and its relationship with SIL
4.5.1 Performance level PL
In this part, the ability of safety-related parts to perform a safety function is expressed by determining the performance level PL. For each SRP/CS and/or combination of SRP/CS selected to perform a safety function, an estimation of its PL should be carried out. The PL of an SRP/CS should be determined by estimating the following parameters:
---the MTTFD value of single components (see Appendix C and Appendix D);
---DC (see Appendix E);
---CCF (see Appendix F);
---structure (see Clause 6);
---behaviour of the safety function under fault conditions (see Clause 6);
---safety-related software (see 4.6 and Appendix J);
---systematic failure (see Appendix G);
---the ability to perform a safety function under the expected environmental conditions.
Note 1: Other parameters, such as operating conditions, demand rate and test rate, also have some influence.
These parameters can be divided into two groups according to their role in the evaluation process:
a) quantifiable parameters (MTTFD value of single components, DC, CCF, structure);
b) non-quantifiable parameters that affect the performance of the SRP/CS (behaviour of the safety function under fault conditions, safety-related software, systematic failure and environmental conditions).
Among the quantifiable parameters, the influence of reliability (such as MTTFD and structure) varies with the technology used. For example, a single-channel safety-related part built with one technology and having high reliability may (within certain limits) provide the same or a higher PL than a fault-tolerant structure built with another technology but having lower reliability.
There are several methods for estimating the quantifiable parameters of the PL of any kind of system (e.g. complex structures), such as Markov models, generalized stochastic Petri nets (GSPN) and reliability block diagrams (see GB/T 20438, etc.). To make the evaluation of the quantifiable parameters of the PL easier, this part gives a simplified method based on the definition of five designated architectures that meet specific design criteria and specified behaviour under fault conditions (see 4.5.4). For SRP/CS, or combinations of SRP/CS, designed in accordance with Clause 6, the average probability of dangerous failure can be estimated using the method in Figure 5 and the procedures given in Appendix A to Appendix H, Appendix J and Appendix K. For SRP/CS that deviate from the designated architectures, detailed calculations should be provided to demonstrate that the required performance level (PLr) has been achieved. In applications where the SRP/CS is regarded as a simple structure and the required performance level is a to c, basic design principles can be used to estimate the PL qualitatively (see also 4.5.5).
Note 2: For the design of complex control systems, such as PES designed to perform safety functions, other relevant standards (e.g. GB/T 19436 or GB/T 20438) can be applied.
The methods recommended in 4.6 and Appendix G can be used to demonstrate the qualitative parameters of the PL achieved.
In standards based on GB/T 20438, the ability of a safety-related control system to perform a safety function is given in terms of SIL. Table 3 shows the relationship between the two concepts (PL and SIL). PL = a has no corresponding SIL; it is mainly used for a slight reduction of risk, usually of recoverable injuries. SIL 4 is intended for possible catastrophic events in the process industry and is not relevant to the risks of machinery. Therefore PL = e, corresponding to SIL 3, is the highest level.
4.5.2 Mean time to dangerous failure (MTTFD) of each channel
The value of the mean time to dangerous failure of each channel is given in three levels (see Table 4), and each channel should be considered separately (e.g. a single channel, or each channel of a redundant system). For each SRP/CS (subsystem), the maximum MTTFD value of each channel in Table 4 is 100 years. For category 4 SRP/CS (subsystems), the maximum MTTFD value of each channel is increased to 2500 years.
Note: A higher value is justified because in category 4 the other quantitative factors, structure and DC, have already reached their maximum. This allows more than three category 4 subsystems (SRP/CS) to be connected in series while still achieving PL = e according to 6.3.
4.5.3 Diagnostic coverage (DC)
The value of DC is given in four levels (see Table 5). In most cases, failure mode and effects analysis (FMEA, see GB/T 7826) or similar methods can be used to estimate DC; in that case all relevant faults and/or failure modes should be considered. Appendix E gives a simplified method for estimating DC.
4.5.4 Simplified procedure for estimating the quantifiable aspects of PL
The PL can be estimated by considering all relevant parameters and using appropriate calculation methods (see 4.5.1). This clause gives a simplified procedure for estimating the quantifiable aspects of an SRP/CS based on designated architectures. Other similar structures can be mapped onto the designated architectures of this clause in order to obtain an estimate of the PL. The designated architectures are represented by block diagrams and listed under each category in 6.2. Information on the block method and safety-related block diagrams is given in 6.2 and Appendix B. A designated architecture gives a logical representation of the system structure for each category; the technical realization (for example a functional circuit diagram) may look quite different. The designated architectures are drawn for the combination of SRP/CS,
starting with the initiation of the safety-related signal and ending with the output of the power control elements (see also GB/T 15706-2012, Appendix A). The designated architectures can also be used to describe a part or sub-part of a control system that responds to input signals and generates safety-related output signals. Thus "input" can represent a light curtain (AOPD), the input circuit of a control logic element, a switch, etc., and "output" can represent the output of an output signal switching device (OSSD), a laser scanner, etc.
The designated architectures are based on the following typical assumptions:
---the mission time is 20 years (see Clause 10);
---the failure rate is constant within the mission time;
---for category 2, the demand rate is less than or equal to 1 % of the test rate (see also the note in Appendix K), or the test is performed immediately on demand of the safety function and the total time to detect the fault and to bring the machine into a non-hazardous condition (usually a machine stop) is shorter than the time needed to reach the hazard (see GB/T 19876);
---for category 2, the MTTFD of the test channel is greater than half the MTTFD of the functional channel.
This method treats each category as a framework with a specified DCavg. The PL of each SRP/CS depends on the architecture, the mean time to dangerous failure (MTTFD) of each channel and the DCavg. Common cause failure (CCF) should also be considered (see Appendix F for guidance). An SRP/CS with software should meet the requirements of 4.6. If quantitative data are not available (for example for low-complexity systems), the worst-case values of all relevant parameters should be used. A combination of SRP/CS, or a single SRP/CS, can have only one PL. Combinations of several SRP/CS with different PLs are considered in 6.3.
In applications where PLr is a to c, sufficient measures for avoiding faults are available; in higher-risk applications where PLr is d to e, the structure of the SRP/CS can provide means to avoid, detect or tolerate faults. Practical means include redundancy, diversity, monitoring, etc. (see also GB/T 15706-2012, Clause 6 and GB 5226.1-2008).
Figure 5 shows the procedure for selecting the category, in combination with the MTTFD of each channel and DCavg, to achieve the PL required for the safety function. For the estimation of the PL, Figure 5 shows the possible combinations of DCavg and category (horizontal axis) with the MTTFD of each channel (bars). The shading of the bars represents the three ranges (low, medium and high) of MTTFD of each channel that can be selected to achieve the required PL. Before using the simplified method of Figure 5 (which represents the results of different Markov models based on the designated architectures of Clause 6), the category, DCavg and MTTFD of each channel of the SRP/CS should be determined (see Clause 6 and Appendix C to Appendix E). For categories 2, 3 and 4, sufficient measures against common cause failure should be applied (see Appendix F for guidance). Taking these parameters into account, Figure 5 gives a graphical method for determining the PL achieved by the SRP/CS. The combination of category (including common cause failure) and DCavg determines which column of Figure 5 is to be selected. According to the MTTFD of each channel, one of the three differently shaded areas of the relevant column should be selected; the vertical position of this area determines the PL achieved, which can be read from the vertical axis. If there are two or three possibilities for the PL in this ......
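As an added worked example (not part of the standard's text or of this page), the following Python script walks through the simplified procedure of 4.5.2 to 4.5.4 for one channel: it computes the MTTFD of the channel by the parts-count method of Appendix D, caps it at 100 years (2500 years for category 4) as 4.5.2 states, computes DCavg by the weighted formula of Appendix E, classifies both into the three MTTFD levels of Table 4 and the four DC levels of Table 5, reads the PL from the category/DCavg/MTTFD combination of Figure 5, and checks the two category 2 assumptions listed in 4.5.4. The page references Tables 4 and 5, Appendix D, Appendix E and Figure 5 but does not reproduce their contents; the formulas, band limits and Figure 5 mapping used here are taken from ISO 13849-1:2015, to which this part is identical, and are assumptions as far as this page is concerned. The component values are constructed and do not describe any real product.

```python
from dataclasses import dataclass
from typing import List, Optional

# Figure 5 mapping (category, DCavg level) -> {MTTFD level: PL}, as published in
# ISO 13849-1:2015 (assumption: the page references Figure 5 but does not show it).
# A missing key means the combination is not permitted by the simplified method.
FIGURE5 = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}


@dataclass
class Part:
    """One component of a channel: MTTFD in years, DC in 0..1, and how many are in series."""
    name: str
    mttfd_years: float
    dc: float
    count: int = 1


def channel_mttfd(parts: List[Part], category: str) -> float:
    """Parts-count method (Appendix D form, assumed): 1/MTTFD = sum(n_j / MTTFD_j).
    The result is capped at 100 years, or 2500 years for category 4, as 4.5.2 states."""
    inverse = sum(p.count / p.mttfd_years for p in parts)
    cap = 2500.0 if category == "4" else 100.0
    return min(1.0 / inverse, cap)


def channel_dcavg(parts: List[Part]) -> float:
    """DCavg (Appendix E form, assumed): sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i), per instance."""
    weights = [(p.count / p.mttfd_years, p.dc) for p in parts]
    return sum(w * dc for w, dc in weights) / sum(w for w, _ in weights)


def mttfd_level(years: float) -> Optional[str]:
    """Table 4 bands (assumed): low 3 to <10 y, medium 10 to <30 y, high >= 30 y; below 3 y is not usable."""
    if years >= 30:
        return "high"
    if years >= 10:
        return "medium"
    if years >= 3:
        return "low"
    return None


def dc_level(dcavg: float) -> str:
    """Table 5 bands (assumed): none < 60 %, low 60 to < 90 %, medium 90 to < 99 %, high >= 99 %."""
    if dcavg >= 0.99:
        return "high"
    if dcavg >= 0.90:
        return "medium"
    if dcavg >= 0.60:
        return "low"
    return "none"


def estimate_pl(category: str, mttfd_years: float, dcavg: float) -> Optional[str]:
    """Read the PL off Figure 5; None means the combination falls outside the simplified method."""
    level = mttfd_level(mttfd_years)
    if level is None:
        return None
    return FIGURE5.get((category, dc_level(dcavg)), {}).get(level)


def check_category2_assumptions(demand_rate_per_h: float, test_rate_per_h: float,
                                test_channel_mttfd: float, functional_channel_mttfd: float) -> List[str]:
    """The two category 2 assumptions of 4.5.4: demand rate <= 1 % of the test rate,
    and MTTFD of the test channel > half the MTTFD of the functional channel."""
    problems = []
    if demand_rate_per_h > 0.01 * test_rate_per_h:
        problems.append("demand rate exceeds 1 % of the test rate")
    if test_channel_mttfd <= 0.5 * functional_channel_mttfd:
        problems.append("test channel MTTFD is not greater than half the functional channel MTTFD")
    return problems


# Constructed example channel (hypothetical values, not taken from any real product).
SAMPLE_CHANNEL = [
    Part("safety relay", mttfd_years=150.0, dc=0.99),
    Part("contactor", mttfd_years=50.0, dc=0.99),
    Part("guard position switch", mttfd_years=60.0, dc=0.90),
]

if __name__ == "__main__":
    years = channel_mttfd(SAMPLE_CHANNEL, "3")
    dcavg = channel_dcavg(SAMPLE_CHANNEL)
    print(f"MTTFD per channel {years:.1f} y ({mttfd_level(years)}), "
          f"DCavg {dcavg:.3f} ({dc_level(dcavg)}), PL {estimate_pl('3', years, dcavg)}")
    print("category 2 check:", check_category2_assumptions(0.5, 100.0, 40.0, 60.0) or "assumptions hold")
```

For the constructed category 3 channel the script reports an MTTFD of about 23 years (medium), a DCavg of about 0.955 (medium) and therefore PL d. The None return of estimate_pl is the signal a reviewer actually wants: a category 1 channel with only medium MTTFD, or any channel below 3 years, is outside the simplified method and needs the detailed calculation that 4.5.1 requires for structures deviating from the designated architectures.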
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.