(Safety of machinery – Safety-related parts of control systems)
STO aligns internally to the following aspects of this standard:
• Architecture according to Category 3:
[Figure: Category 3 designated architecture. Two redundant STO channels, I1 → L1 → O1 and I2 → L2 → O2, joined by interconnecting means im1a, im1b, im2a and im2b; each channel has its own monitoring (m1, m2) and the two logic units are cross monitored (c).]
Solid lines represent the STO control paths.
Dashed lines represent reasonably practicable fault detection.
Key:
I1, I2 = user terminal
L1, L2 = logic
O1, O2 = methods of enabling or disabling output power devices
imxy = interconnecting means (im1a, im1b, im2a, im2b)
mx = monitoring (m1, m2)
c = cross monitoring
Parker Hannifin Corporation, Cylinder Division, Des Plaines, Illinois, www.parker.com/cylinder
• Category 3 general requirements are:
A single failure, and any consequential failures, will not lead to loss of the STO safety
function.
Failure of more than one component can lead to the loss of the STO safety function.
Most but not all single component failures will be detected. Diagnostic Coverage (DC) is
required to be at least 60% (i.e. the minimum required for ‘low’ diagnostic coverage).
Detected component failures will result in the STO function being applied without
intervention from the user.
The risk associated with the loss of STO safety function caused by multiple failures must
be understood and accepted by the user.
The user must undertake a risk analysis and specify suitable components that, when
connected together, meet the requirements identified by that risk assessment.
Mean Time To dangerous Failure (MTTFd) of each STO channel must be ≥ 30 years.
Common Cause Failure (CCF) score must be ≥ 65 according to Annex F of the standard.
• Performance Level e:
Average Probability of dangerous Failure per Hour (PFH) must be ≤ 10⁻⁷
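The Category 3 requirements listed above (MTTFd, DC and CCF thresholds) and the PL e PFH limit are the inputs to the simplified Performance Level determination of ISO 13849-1 (Figure 5 of the standard). As an added example, not part of the Parker manual, the following Python script classifies a channel's MTTFd and DC into the standard's bands, looks up the resulting PL, applies the CCF ≥ 65 threshold and maps a PFH value to its PL band. The band boundaries and the lookup table are taken from the standard; the `Channel` values at the bottom are constructed sample inputs, and the `Channel`, `performance_level` and `pl_from_pfh` names are this example's own.

```python
# Added example (not from the Parker manual): ISO 13849-1 simplified method.
# Classifies a safety-related control channel's MTTFd and DC into the bands of
# ISO 13849-1, looks up the Performance Level from Figure 5 of the standard,
# applies the CCF threshold and maps a PFH value to its PL band.
# Band edges and the lookup table are from the standard; the sample Channel
# values at the bottom are constructed for illustration.

from dataclasses import dataclass
from typing import Optional

PL_ORDER = "abcde"

# Average probability of a dangerous failure per hour, [lower, upper) per PL.
PFH_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def mttfd_band(years: float) -> str:
    """Classify MTTFd per channel: low 3-10 y, medium 10-30 y, high 30-100 y.
    Values outside 3..100 years are not covered by the simplified method as
    modelled here (ISO 13849-1:2015 extends Category 4 to 2500 y; not modelled)."""
    if years < 3 or years > 100:
        raise ValueError("MTTFd outside the 3..100 year range of the simplified method")
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc_percent: float) -> str:
    """Classify diagnostic coverage: none <60 %, low 60-90 %, medium 90-99 %, high >=99 %."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


# Figure 5 of ISO 13849-1: (category, DC band) -> PL for MTTFd (low, medium, high).
# None marks a combination the standard does not allow.
FIGURE_5 = {
    ("B", "none"):   ("a", "b", "b"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "e"),
    ("4", "high"):   (None, None, "e"),
}


@dataclass
class Channel:
    category: str        # "B", "1", "2", "3" or "4"
    mttfd_years: float   # MTTFd of the channel
    dc_percent: float    # average diagnostic coverage
    ccf_score: int       # Annex F score (must be >= 65 for Category 2, 3 and 4)


def performance_level(ch: Channel) -> Optional[str]:
    """PL reached under the simplified method, or None when the combination is
    not permitted (DC band not allowed for the category, or CCF score too low)."""
    if ch.category in ("2", "3", "4") and ch.ccf_score < 65:
        return None
    row = FIGURE_5.get((ch.category, dc_band(ch.dc_percent)))
    if row is None:
        return None
    return row[("low", "medium", "high").index(mttfd_band(ch.mttfd_years))]


def pl_from_pfh(pfh: float) -> Optional[str]:
    """PL whose PFH band (per hour) contains the given value."""
    for pl, (lo, hi) in PFH_BANDS.items():
        if lo <= pfh < hi:
            return pl
    return None


def meets(required_pl: str, achieved_pl: Optional[str]) -> bool:
    """True if the achieved PL is at least the required one."""
    return achieved_pl is not None and PL_ORDER.index(achieved_pl) >= PL_ORDER.index(required_pl)


if __name__ == "__main__":
    # Constructed sample: a Category 3 channel at the minimum values listed on this page.
    floor = Channel(category="3", mttfd_years=30, dc_percent=60, ccf_score=65)
    print("Cat 3 at the listed minimums ->", performance_level(floor))   # d
    better = Channel(category="3", mttfd_years=30, dc_percent=90, ccf_score=65)
    print("Cat 3 with medium DC        ->", performance_level(better))  # e
    print("PFH 5e-8 per hour          ->", pl_from_pfh(5e-8))           # e
```

Under Figure 5 of the standard, Category 3 with low DC (60 % to 90 %) and high MTTFd yields PL d; a Category 3 architecture reaches PL e only with at least medium DC (≥ 90 %). The 60 % figure above is therefore the floor for the Category 3 architecture, and a PL e rating rests on the DC and PFH actually achieved, which is what the user's risk analysis should confirm for the complete safety function.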