Powered by Google www.ChineseStandard.net Database: 189759 (14 Jul 2024)

GB/T 16855.2-2015 PDF in English

GB/T 16855.2-2015 (GB/T16855.2-2015, GBT 16855.2-2015, GBT16855.2-2015)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GB/T 16855.2-2015English685 Add to Cart 0-9 seconds. Auto-delivery. Safety of machinery -- Safety-related parts of control systems -- Part 2: Validation Valid

PDF Preview

Standards related to: GB/T 16855.2-2015

GB/T 16855.2-2015: PDF in English (GBT 16855.2-2015)

GB/T 16855.2-2015
Safety of machinery - Safety-related parts of control systems - Part 2. Validation
ICS 13.110
National Standards of People's Republic of China
Replace GB/T 16855.2-2007
Safety related parts of mechanical safety control system
Part 2. Confirmation
Part 2.Validation
(ISO 13849-2.2012, IDT)
Released on December 10,.2015
2016-07-01 implementation
General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
China National Standardization Administration issued
Foreword III
Introduction IV
1 range 1
2 Normative references 1
3 Terms and Definitions 1
4 Confirmation process 1
4.1 Confirmation Principle 1
4.2 Confirmation Plan 2
4.3 General Fault List 3
4.4 Special fault list 3
4.5 Confirmation Information 3
4.6 Confirmation record 5
5 Analysis and confirmation 5
5.1 General requirements 5
5.2 Analysis method 5
6 Test Confirmation 5
6.1 General requirements 5
6.2 Measurement accuracy 6
6.3 More stringent requirements 6
6.4 Number of test samples 6
7 Confirmation of safety requirements specification for safety functions 7
8 Confirmation of safety function 7
9 Confirmation of performance levels and categories 7
9.1 Analysis and testing 7
9.2 Confirmation of category specifications 8
9.3 Confirmation of MTTFd, DCavg and CCF 9
9.4 Confirmation of systemic failure prevention measures related to SRP/CS performance levels and categories 10
9.5 Confirmation of safety related software 10
9.6 Confirmation and verification of performance levels 11
9.7 Confirmation of safety related component combinations 11
10 Confirmation of environmental requirements 11
11 Confirmation of maintenance requirements 12
12 Confirmation of technical documents and usage information 12
Appendix A (informative) Confirmation tool for mechanical systems 13
Appendix B (informative) Pneumatic system validation tool 16
Appendix C (informative) Hydraulic system validation tool 23
Appendix D (informative) Confirmation tools for electrical systems 29
Appendix E (informative) Example of fault characteristics confirmation and diagnostic measures 39
References 59
GB/T 16855 "Safety related parts of mechanical safety control system" consists of the following two parts.
--- Part 1. General rules of design;
--- Part 2. Confirmation.
This part is the second part of GB/T 16855.
This part is drafted in accordance with the rules given in GB/T 1.1-2009.
This part replaces GB/T 16855.2-2007 "Safety Parts of Machinery Safety Control System Part 2. Confirmation". versus
Compared with GB/T 16855.2-2007, the main technical changes except editorial changes are as follows.
--- Added a confirmation to the performance level for the scope (see Chapter 1, Chapter 1 of the.2007 edition);
--- Added confirmation of safety requirements for safety functions (see Chapter 7);
--- Increased performance levels and related parameters (MTTFd, DCavg, and CCF), and safety-related software validation (see Chapter 9,
Chapter 1 of the.2007 edition);
--- Added confirmation of technical documentation and usage information (see Chapter 12);
--- Added examples of fault characteristics confirmation and diagnostic measures (see Appendix E).
This section uses the translation method equivalent to ISO 13849-2.2012 "Mechanical Safety Control System Safety Related Parts Part 2.
Recognition (English version).
This part is proposed and managed by the National Machinery Safety Standardization Technical Committee (SAC/TC208).
This section drafted by. Rugao Packaging Food Machinery Co., Ltd., National Machine Tool Quality Supervision and Inspection Center, Nanjing University of Science and Technology, ohm
Long Automation (China) Co., Ltd., China Machine Productivity Promotion Center, Institute of Optical and Mechanical Engineering, Nanjing Forestry University, Piel Magnetic Industry Automation
Trading (Shanghai) Co., Ltd., ABB (China) Co., Ltd., Siemens (China) Co., Ltd.
The main drafters of this section. Shi Chuanming, Curie, Zhao Qinzhi, Zhang Xiaofei, Li Qin, Ning Yan, Ju Ronghua, Li Liyan, Wei Weizhong, Zhang Tianqiang,
Luo Guang, Cheng Hongbing, Liu Ying, Chen Nengyu, Huang Zhixuan, Zhang Yarong, Song Xiaoning, Wu Jian, Wang Zheng, Fu Huiqing, Liu Zhiyong, Jiang Tao, Yu Heng.
The previous versions of the standards replaced by this section are.
---GB/T 16855.2-2007.
The structure of safety standards in the mechanical field is as follows.
--- Class A standard (basic safety standard), giving basic concepts, design principles and general characteristics applicable to all machines.
---Class B (General Safety Standard), a type of safety device that covers a safety feature of a machine or has a wide range of uses.
● Class B1, specific safety features (such as safety distance, surface temperature, noise) standards;
● Class B2, standard for safety devices (such as two-hand control devices, interlock devices, pressure sensitive devices, and protective devices).
---Class C (Product Safety Standard), a standard that specifies detailed safety requirements for a particular machine or group of machines.
According to GB/T 15706, this standard belongs to the B1 standard.
Class C standards may supplement or modify the requirements of this standard.
For machines within the scope of the C standard, if it has been designed and manufactured in accordance with this standard, the requirements in this Class C standard are preferred.
This section specifies the validation process for the safety functions, categories, and performance levels of safety-related components of the control system. This section recognizes the passage
The combination of analysis (see Chapter 5) and testing (see Chapter 6) enables the identification of safety-related components of the control system and specifies the characteristics of the test.
Special environmental conditions.
Most of the procedures and conditions specified in this section are based on the assumption that the provisions of 4.5.4 of GB/T 16855.1-2008 are adopted.
A simplified procedure for estimating the performance level (PL). This section does not give guidance on the use of other programs (for example. Markov modeling).
In this case, certain provisions of this section no longer apply and additional requirements are required.
Regardless of the technology (electrical, hydraulic, pneumatic, mechanical, etc.) used in the safety-related components of the control system, the general design rules (see
The guidelines of GB/T 15706) are given in GB/T 16855.1. This includes a description of some typical security features, the required performance level.
Determination, as well as general requirements for categories and performance levels.
Some of the validation requirements given in this section are generic, while other validation requirements are specific to the type of technology being used.
Safety related parts of mechanical safety control system
Part 2. Confirmation
1 Scope
This section specifies the procedures and conditions to be followed when analyzing and testing the following parameters.
---Specified safety functions;
--- Category of control system safety related components (SRP/CS) designed in accordance with GB/T 16855.1;
---Performance level achieved by the control system safety related components (SRP/CS) designed in accordance with GB/T 16855.1.
Note. Additional requirements for programmable electronic systems (including embedded software) are given in 4.6 and GB/T 20438 of GB/T 16855.1-2008.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only dated versions apply to this article.
Pieces. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 15706-2012 Mechanical Safety Design General Risk Assessment and Risk Reduction (ISO 12100.2010, IDT)
GB/T 16855.1-2008 Safety of mechanical safety systems - Part 1 . General rules for design (ISO 13849-1.
2006, IDT)
3 Terms and definitions
The terms and definitions defined in GB/T 15706-2012 and GB/T 16855.1-2008 apply to this document.
4 Confirmation process
4.1 Confirmation principle
The purpose of the validation process is to determine if the design of the SRP/CS supports all safety requirements specifications for the machine.
Confirmation should demonstrate that each SRP/CS meets the requirements of GB/T 16855.1, in particular.
a) The specified safety characteristics of the safety functions provided by the component as proposed by the design principle.
b) Requirements for the specified performance level (see 4.5 in GB/T 16855.1-2008).
1) Requirements for the specified categories (see 6.2 of GB/T 16855.1-2008);
2) Measures to control and avoid systemic failures (see Appendix G of GB/T 16855.1-2008);
3) Software requirements when applicable (see 4.6 of GB/T 16855.1-2008);
4) The ability to perform safety functions under expected environmental conditions.
c) the ergonomic design of the operator interface, for example, does not induce the operator to adopt dangerous operating methods, such as discarding
SRP/CS (see 4.8 of GB/T 16855.1-2008).
It should be confirmed by a person who is independent of the SRP/CS design.
Note. “Independent staff” does not imply a need for third party testing.
The validation includes an analytical confirmation (see Chapter 5) and a functional test performed under foreseeable conditions in accordance with the validation plan (see Chapter 6).
Figure 1 shows the confirmation process. The balance between analysis and testing depends on the technology used and the level of performance required for the safety-related components.
For Class 2, Class 3 and Class 4, the confirmation of safety functions should also include tests under fault conditions.
It is advisable to start the analysis as early as possible and at the same time as the design process so that it can be solved as soon as the problem is relatively easy to solve.
Between the two steps of “design and technical realization of safety functions” and “evaluation performance level PL” (Figure 3 in GB/T 16855.1-2008)
Between the fourth and fifth boxes). Part of the analysis work needs to be postponed until the design is completed.
Due to the size, complexity or integration of the control system into the (machine's) control system, if necessary, it should be as follows
Special arrangements.
--- Confirm SRP/CS separately before integration, including simulating the corresponding input and output signals;
--- Confirm the integration of safety-related components with the rest of the control system.
Figure 1 Confirmation process
The "modified design" in Figure 1 refers to the design process. If the confirmation cannot be completed successfully, it is necessary to change the design. Then, it is also appropriate to repair
The changed safety related components are reconfirmed. This process should be repeated until the safety-related components of all safety functions have been successfully completed.
4.2 Confirmation plan
The validation plan should identify and describe the requirements for the validation process for the specified safety functions and their categories and performance levels.
The validation plan should also identify methods for identifying the specified safety features, categories, and performance levels. Where appropriate, the following should be specified.
a) identify technical specification documents;
b) operational and environmental conditions during the test;
c) the analysis and testing that needs to be carried out;
d) applicable test standards;
e) Identify the person or unit at each step of the process.
Safety-related parts that have been previously confirmed by the same technical specification need only reference the previous confirmation.
4.3 General fault list
The validation process includes consideration of the performance of the SRP/CS under all considered fault conditions. The basis for fault consideration is Appendix A~Appendix D
A list of faults given in tabular form based on experience. These forms include.
---Components/components such as wires/cables (see Appendix D);
--- Fault, such as short circuit between conductors;
--- Allowable troubleshooting, taking into account environmental, operational and application factors;
---Remarks column, giving reasons for troubleshooting.
The fault list only considers permanent faults.
4.4 Special fault list
If necessary, create a special list of product-related faults as a reference for the safety-related component validation process. This list
It can be based on the corresponding general fault list in the appendix.
For a list of special product-related faults based on the general fault list, the following should be specified.
a) the fault listed in the general fault list;
b) other related faults not listed in the general fault list (for example, common cause failure);
c) the criteria listed in the general fault list and in the list of general faults (see GB/T 16855.1-2008)
7.3) The faults that may be excluded under the premise;
In special cases, it should also include.
d) The general fault list is not allowed to be excluded, but the reason and principle of exclusion (see 7.3 of GB/T 16855.1-2008) are given.
He is malfunctioning.
For fault lists that are not based on a general fault list, the designer should give the principle of troubleshooting.
4.5 Confirmation Information
With the technology employed, the categories and performance levels to be verified, the system design principles, and the role of SRP/CS in reducing risk
Changes, the information needed to confirm will also change. A document containing sufficient information to confirm the safety phase should be included in the validation process.
The critical components perform the specified safety functions to achieve the required performance levels and categories.
a) the technical specifications of the features required for each safety function, and the required category and performance level;
b) drawings and technical documents such as mechanical, hydraulic and pneumatic components, printed wiring boards, mounting panels, internal wiring, enclosures, materials and
Installed drawings and technical documents;
c) a block diagram with a function description box;
d) circuit diagrams, including interfaces/connections;
e) a functional description of the circuit diagram;
f) timing diagram of the switching elements, safety related signals;
g) a description of the relevant characteristics of the identified component;
h) For safety-related components not listed in g), name, rating, tolerance, associated operating force, model specification, loss
a list of components for efficiency data, component manufacturers, and other safety-related data;
i) analysis of all relevant faults (see also 4.3 and 4.4), eg the faults listed in the tables in Appendix A~Appendix D, including
There are reasons for troubleshooting;
j) analysis of the influence of the material being processed;
k) Use information such as installation and operating manuals/instructions.
If the software is related to security features, the software's documentation should include.
--- Unambiguous technical specifications, and specify the security performance that the software needs to achieve;
--- Evidence that the software is designed to achieve the required performance level (see 9.5);
--- The details of the test (especially the test report) used to demonstrate that the required performance level has been achieved.
Note. The requirements of the software can be found in 4.6.2 and 4.6.3 of GB/T 16855.1-2008.
Information should be provided on how to determine the performance level and the average probability of dangerous failures per hour. The documentation of quantifiable factors should include.
--- Safety related module diagram (see Appendix B of GB/T 16855.1-2008) or specified structure (see GB/T 16855.1-
6.2) in.2008;
--- Determination of MTTFd, DCavg and CCF;
--- Determination of the category (see Table 1).
Documentation information on the SRP/CS system should be provided.
Information should be provided on how to combine several SRP/CSs to achieve the required level of performance.
Table 1 File requirements for categories related to performance levels
Documentation requirements
Category of file required
B 1 2 3 4
Basic safety principles × × × × ×
Expected operating force × × × × ×
Influence of processed materials × × × × ×
Performance when affected by other related externalities × × × × ×
Proven components - × - - -
Proven safety principles - × × × ×
Mean risk of failure (MTTFd) for each channel × × × × ×
Security function check program - - × - -
Diagnostic measures performed, including fault response - - × × ×
Check interval, if specified - - × × ×
Diagnostic Coverage (DCavg) - - × × ×
Predictable single failures and detection methods adopted during design - - × × ×
Recognized Common Cause Failure (CCF) and Prevention Methods - - × × ×
Foreseeable Single Troubleshooting - - - × ×
Fault to be detected - - × × ×
How to maintain safety functions under each fault condition - - - × ×
How to maintain safety functions under each combined fault condition - - - - ×
Measures to prevent systemic failure × × × × ×
Measures to prevent software failure × - × × ×
× ---Requires documents;
- --- No files required.
Note. Category refers to the category given in GB/T 16855.1-2008.
4.6 Confirmation record
Confirmation by analysis and testing should be recorded. The record should reflect the confirmation process for each safety requirement. If the previous confirmation record
Valid, can also be quoted.
For safety-related parts that have not been confirmed during the validation process, the confirmation record should describe which components did not pass the analysis/test confirmation.
It should be ensured that all safety related parts have been reconfirmed after the modification.
5 Analysis and confirmation
5.1 General requirements
The SRP/CS should be confirmed by analysis. The inputs to the analysis include.
--- Risk analysis identified safety functions and their characteristics, as well as the required performance level (see Figure 1 of GB/T 16855.1-2008)
And Figure 3);
--- quantifiable indicators (MTTFd, DCavg and CCF);
--- System structure (such as the specified structure) (see Chapter 6 of GB/T 16855.1-2008);
--- Non-quantitative qualitative indicators that affect system performance (including software when applicable);
--- Deterministic arguments.
Relative to testing, the identification of safety functions requires the formation of deterministic arguments.
Note 1. Deterministic arguments are based on the arguments of qualitative indicators such as manufacturing quality and experience. This method depends on the specific application and is subject to various factors.
Note 2. The difference between deterministic and other evidence is that they indicate that the required system characteristics are derived logically from the system model. Such theory
It can be based on the concept of easy to understand.
5.2 Analytical methods
The choice of analytical method depends on the specific target. There are currently two basic methods.
a) top-down (deductive) method, suitable for determining the initial event that can lead to the top event, and calculating the probability by the initial event
The probability of an event. This method can also be used to study the causal relationship of identified multiple faults.
Examples. Fault Tree Analysis (FTA, see GB/T 7829) and Event Tree Analysis (ETA).
b) A bottom-up (inductive) approach suitable for studying the causal relationship of a single fault identified.
Examples. Failure Mode and Impact Analysis (FMEA, see GB/T 7826) and Failure Mode, Impact and Hazard Analysis (FMECA).
6 test confirmation
6.1 General requirements
When the analysis confirms that no conclusion is reached, the test should be completed to confirm. Testing is often a supplement to analysis, and it is usually necessary
The planning and implementation of test validation should follow a logical approach, in particular.
a) A test plan should be developed prior to starting the test, including.
1) Test specifications;
2) Test results required to meet the specifications;
3) The time sequence of the test.
b) Test records should be formed, including.
1) the name of the tester;
2) Environmental conditions (see Chapter 10);
3) test procedures and equipment used;
4) Test date;
5) Test results.
c) Test records and test plans should be compared to ensure that the specified functional and performance objectives are met.
The test sample should be run as close as possible to the final operating conditions, ie all peripherals and enclosures attached.
Testing can be done manually or automatically, for example, through a computer.
In practical applications, various combinations of input signals should be applied to the SRP/CS to complete the test verification of the safety function. Should be at the output
The response is compared to the corresponding specified output.
It is recommended to apply these combined input signals to the control system and the machine system, for example, power on, start, operation, direction change, re
start up. If necessary, in order to observe the response of the SRP/CS under abnormal or abnormal conditions, the range of the input data should be extended. Such loss
The combination of incoming data should take into account foreseeable misoperations.
The test objectives determine the environmental conditions of the test. The environmental conditions can be one of the following.
---The environmental conditions for the intended use;
---Special specific conditions;
--- Given condition range (if drift exists).
It is advisable for the operator to negotiate with the person responsible for the test to determine the range of conditions that can be considered stable and valid for the test and to record.
6.2 Measurement accuracy
During the process of confirming by testing, the measurement accuracy should be compatible with the test. In general, the accuracy of temperature measurement should be guaranteed.
Within 5 °C, and ensure that the measurement accuracy of the following parameters is within 5%.
a) time;
b) pressure;
c) force;
d) electrical parameters;
e) relative humidity;
f) Linear.
If there is a deviation from the above measurement accuracy, the reason should be explained.
6.3 More stringent requirements
If the requirements of the accompanying documents for SRP/CS are higher than those specified in this section, stricter requirements should be applied.
Note. If the control system has to withstand particularly harsh working conditions, such as barbaric operations, humidity effects, hydrolysis, changes in ambient temperature, chemical effects,
More stringent requirements can be imposed for corrosion, high-intensity electromagnetic fields due to proximity to the launcher, and the like.
6.4 Number of test samples
Unless otherwise specified, testing of safety-related components shall be performed using a single product sample.
Safety related parts during the test should not be modified.
Some tests can permanently change the performance of certain components. If the permanent change of the component makes the safety related component not full
For the subsequent testing requirements, new samples should be used for subsequent testing.
If a particular test is a destructive test and the same result is obtained by testing the components of the SRP/CS separately, then
In order to obtain test results, samples of this component can be used instead of safety-related components for testing. Only analysis shows that the Ministry of Safety
The test is sufficient to demonstrate the safety of the entire safety-related component performing the safety function in order to use this method.
7 Confirmation of safety requirements specification for safety functions
Before verifying the design of the SRP/CS or SRP/CS combination that provides the safety function, verify the safety requirements of the safety function.
Whether it can ensure the consistency and integrity of its intended use.
Since safety requirements are the basis for other activities, it is important to analyze the safety requirements specification before starting the design.
It should be ensured that the requirements for all safety functions of the machine control system are documented.
In order to confirm these specifications, appropriate measures should be taken to prevent systemic failures (errors, omissions or inconsistencies).
Confirmation can be done by reviewing and reviewing the safety requirements and design specifications of the SRP/CS, in particular by demonstrating that each of the following has been considered
---The intended use requirements and security requirements;
--- Operating conditions and environmental conditions, as well as possible human error (such as misuse).
If the product standard specifies the safety requirements for designing SRP/CS (eg GB 16655 for integrated manufacturing systems or for dual
GB/T 19671) for hand-operated devices should also consider these standards.
8 Confirmation of safety function
The confirmation of the safety function shall certify that the SRP/CS or SRP/CS combination providing the safety function complies with the specified characteristics.
Note 1. Errors caused by design and integration phases in the absence of hardware failures (eg, understanding of safety feature characteristics errors, logic design errors, hardware assembly errors)
Systematic failures caused by errors, software code input errors, etc. can cause loss of security functions. Some of these systemic failures will be in the design phase
It is exposed, and other systemic failures will be exposed during the validation process or will not be discovered. In addition, errors may occur in the validation process (eg
Some features were not checked).
The specified characteristics of the safety function should be confirmed using the appropriate measures listed below.
---Chart function analysis, software review (see 9.5);
Note 2. If the safety functions of the machine are complex or numerous, the analysis can reduce the number of functional tests required.
---Check the hardware components installed on the machine, as well as the details of the relevant software to determine its consistency with the file (such as manufacturing,
Type, version);
--- Functionally test the safety function in all operating modes of the machine to determine if it meets the specified characteristics (some typical safety
For the technical specifications of the function, see Chapter 5 of GB/T 16855.1-2008), the functional test should be guaranteed to be implemented in the entire range.
All safety-related outputs, and respond to safety-related inputs as required by technical specifications. Test cases are usually derived from technical specifications.
Fan, but some cases may also come from analysis of charts or software;
--- Perform an extended function test to check for the presence of foreseeable anomalous signals or signal combinations from the input, including power
Broken and recovered, as well as incorrect operation;
---Check the operator-SRP/CS interface for ergonomic principles (see 4.8 of GB/T 16855.1-2008).
Note 3. Other measures to prevent systemic failure are given in 9.4 (eg diversity, failure by automatic test detection), these measures also contribute to the detection function
9 Confirmation of performance levels and categories
9.1 Analysis and testing
For SRP/CS or SRP/CS combinations that provide safety functions, the validation shall demonstrate that the required properties in the safety requirements specification are met.
Energy level (PLr) and category. In principle, this requires a circuit diagram for failure analysis (see Chapter 5) and is not available in failure analysis.
When the result is.
--- Perform the fault insertion test on the actual circuit, and perform the fault trigger test on the actual components, especially the failure analysis in the system.
The component of the result obtained is questionable (see Chapter 6);
--- Simulate the operating conditions of the control system in the event of a failure, such as using hardware and/or software models.
In some applications, it may be necessary to divide the connected safety-related components into several functional groups and perform these functional groups and their interfaces.
Fault simulation test.
When confirming by testing, according to the actual situation, the test should include the following.
--- Perform a fault insertion test on the product sample;
--- Perform a fault ins......
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.