PESSRAL Programmable Electronic components and Systems in Safety Related Applications for Lifts

1
PESSRAL Programmable Electronic components and
Systems in Safety Related Applications for Lifts
Melbourne November 2005
Presented by Ian Todkill Credits Barry
Blackaby Vince Robibero
2
What is PES?

• PESSRAL Programme Electronic components
• and Systems in Safety Related
• Application for Lifts
• The ability to utilize Intelligent sensors and
  circuits for safety critical functions
• - Door Contacts
• - Final limit switches and
• - the related control circuits that provide
  single
• failure protection and redundancy checks.

3
Terms

• PESSRAL (PES) Programmable Electronic Components
  and Systems in Safety Related Application for
  Lifts
• IEC 61508 International Electro-technical
  Commission, Functional Safety of Electrical
  /Electronic /Programmable Electronic
  Safety-Related Systems
• Safety Integrity Level (SIL) one out of a
  possible four levels which give the level
  associated with the probability of failure of the
  safety function and the degree of redundancy

4
PES Fundamentals

• Based on IEC 61508 International
  Electro-technical Commission, Functional Safety
  of Electrical /Electronic /Programmable
  Electronic Safety-Related Systems.
• A standard to enable industry specific Codes to
  be developed
• Other industries have embraced the IEC 61508
  approach.
• Provides a structured approach for developing
  electronic safety levels.
• Explains and provides examples of device design
  system architectures, reliability requirements,
  diagnostic coverage, to attain SIL values.

5
Mechanical Contacts
Positives

• The mechanical contact solution utilized today in
  safety circuits and creates a very reliable
  safety system for specific functions, it is
  difficult to improve on a positive mechanical
  breaking contact.
• Cost
• Susceptible to jumpers
• Due to physical contact, mechanical cams and
  switches can become misaligned
• Impractical for complex safety functions
• Contact wear causes nuisance shutdowns and
  trapped passengers

Negatives
6
PES Devices

• More intelligent fault management, based on type
  of fault and car position, (fewer trapped
  passengers), more complex safety functions.
• Ensure the safety system is intact before
  returning to automatic operation, use of S/W
  jumpers
• Wiring errors in the safety chain will be
  recognized
• Greater ability for automated testing
• Better MTTR
• More difficult for design and certification.
• Cost

Positives
Negatives
7
Why PES?

• Electronics can be designed to be as reliable as
  mechanical contacts when considering the wiring
  and jumpers.
• Better ability to do automatic periodic device
  testing
• Allows for more intelligent fault response.
• Aid in trouble shooting.
• Reduction in Nuisance shut downs
• Provides 3rd party device verification on the
  devices/designs. Inspection will be to verify the
  device minimum SIL rating to the table in the
  Code.
• Inspection procedures will become more automated.
• SIL values become Global Safety Parameters for
  Global Essential Safety Requirements in the
  performance based Codes.

8
PES Mitigation Decision Table
Corrective Action Requirements
IA, IB, IC, IIA, IIB, IIIA
Corrective action required to mitigate the effect
and if practicable, eliminate it
Corrective action required to mitigate the effect
ID, IIC, IIIB
Review and determine if any further mitigation is
technically practicable
IE, IID, IIE, IIIC, IIID, IVA, IVB
No action required
IF, IIF, IIIE, IIIF, IVC, IVD, IVE, IVF
9
Hazard Mitigation Analysis
10
Determine Required SIL
11
SIL Determination Chart
Low Demand Mode of Operation (Average probability
of Failure to Perform its Design Function on
Demand)
Safety Integrity Level (SIL)
gt 10-5 to lt 10-4
4
gt 10-4 to lt 10-3
3
gt 10-3 to lt 10-2
2
gt 10-2 to lt 10-1
1
12
Todays Functional Circuit
Drive
ac
DC1
DC10
1LS
BFS

SOS
GS
ICSS
TES
Brake
Machine
H/W
Control Circuits
S/W
13
A17.1 Allowed Configurations
14
A17.1 Allowed Configurations
15
Performance Based Code SIL Inclusion (A17)
Code
SP
GESR
Safety parameter
Ref.

B 3.4.5
3.4.5 LCU (car) Travel Path
B 3.4.5.1 I
f PES devices are used
Limits
for the following functions, the
device should have

The vertical travel of the
2.26.2.11
B 3.4.5.1.1 SIL
gt
1 to remove power
LCU (car) shall be
from the driving means at the final
limited to prevent the
2.26.2.12
limits and

LCU (car) from
B 3.4.5.1.2 SIL
gt
2 to limit speed at
uncontrolled running
2.26.2.16
terminals to rated striking speed
beyond the travel path.
for end or terminal retar
dation
means (buffer) not designed for
rated speed or
B 3.4.5.1.3 SIL
gt
1 to limit speed at
terminals to rated striking speed
for end of terminal retardation
means (buffer) designed for rated
speed


16
Code Groups Pursuing PES

• The four Code groups actively involved in
  developing Code for PES are
• EN81
• JEA (Industry association)
• A17.1
• ISO TC178/wg8 harmonization effort
• EN81 and A17.1 groups are actively pursuing PES
  inclusion into their respective Codes, as well as
  harmonization via ISO
• JIS is a government published Code, JEA is
  waiting for ISO harmonization before they
  approach JIS for adoption.