An Introduction to ISO 13849-1:2008
Functional Safety of Machinery
SF02
Agenda
History of Safety Standards
Example using 13849
What is Functional Safety
Primary Concepts of 13849
Who is affected by what?
What Is Functional Safety?
IEC 61508-4:2010 defines Functional Safety in section 3.1.12 as
“part of the overall safety relating to the equipment under control and the control system that depends on the correct functioning of the electrical, electronic and programmable electronic safety-related systems and other risk reduction measures”
Practical Definition: The automatic action that must occur to ensure a safe state
Functional Safety Standards
IEC/EN 61508 – Functional safety of electrical, electronic, and programmable electronic safety-related systems (EEPE/CS); the umbrella standard, which also covers software.
Sector standards derived from it:
– Process: IEC/EN 61511 – Safety instrumented systems (SIS), SIL1 – SIL4
– Machinery: IEC/EN 62061 – EEPE/CS, SIL1 – SIL3
– Machinery: ISO/EN 13849 – SRP/CS, PLa – PLe
Functional Safety of Machinery
ISO 13849-1 IEC 62061
• ISO 13849-1 and IEC 62061 are known as machinery functional safety standards.
• These standards look at how well a safety system needs to operate.
• This allows us to use new technologies to drive productivity and safety.
• These new technologies are called contemporary safety solutions.
• ISO 13849-1 and IEC 62061 will be combined in the near future to benefit from the strengths of each standard.
• The technical committee for 17305 has a draft in progress.
History of Safety - USA
• 1877 – Massachusetts, required guarding of belts, shafts and gears
• 1890 – Nine US states required machine guarding
• 1930 – All US states had established job-related safety laws
• 1934 – Bureau of Labor Standards (F. D. Roosevelt - Frances Perkins)
– Promote safety and health for working men and women
• 1970 – Occupational Safety and Health Act (William Steiger’s Act)
– Assure safe and healthy working conditions for men and women
• 1981 – Lost Workday Incident Rates policy established by OSHA
• 1991 – EN 292 – Basic Concepts of Machine Safety
• 1996 – EN 954 and EN 1050 – Machinery Safety
Safety has been a growing part of the human-integrated manufacturing environment; taking responsibility for it is required of us.
Who’s Responsible?
• OSHA requires that each employer shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to employees.
• OSHA specifies minimal standards, and offers little, if any, assistance in compliance solutions.
• OSHA uses industry standards as well as manufacturer’s instructions when investigating accidents.
• Manufacturers and employers should apply consensus standards to help assure safety.
• The Machinery Directive has a dual objective: to permit the free movement of machinery within the internal market whilst ensuring a high level of protection of health and safety.
• The protection of health and safety is both a fundamental duty and a prerogative of the Member States. Since the Machinery Directive harmonises the health and safety requirements for the design and construction of machinery at EU level, the responsibility of Member States to protect health and safety of people with regard to the risks associated with machinery implies ensuring that the requirements of the Machinery Directive are correctly applied.
Standards Organizations
Abbreviation – Sponsoring Organization – Scope
ANSI – American National Standards Institute – U.S.A.
AS – Australia Standard – Australia
ASME – American Society of Mechanical Engineers – U.S.A.
ASSE – American Society of Safety Engineers – U.S.A.
B11 – Association of Manufacturing Technology – U.S.A.
CSA – Canadian Standards Association – Canada
EN – European Norm – European Community
IEC – International Electrotechnical Commission – Global
ISO – International Organization for Standardization – Global
NFPA – National Fire Protection Association – U.S.A.
OSHA – Occupational Safety and Health Administration – U.S.A.
PMMI – Packaging Machinery Manufacturer’s Association – U.S.A.
RIA – Robotic Industries Association – U.S.A.
Standards Comparison
Copyright © 2007 Rockwell Automation, Inc. All rights reserved.
What do we need to do?
USA:
– OSHA Machine Safety 1910.xxx
– Machine Safety – General Safety Requirements: ANSI B11.GSR
– Machine Safety – Principles for Risk Assessment: ANSI B11.TR3
– Machine Safety – Selection of Programmable Electronic Systems (PES/PLC) for Machine Tools: ANSI B11.TR4
– Electrical equipment of machines: ANSI/NFPA 79
Europe:
– European Machine Directive 2006/42/EC
– Machine Safety – Basic concepts: EN/ISO 12100
– Machine Safety – Principles for Risk Assessment: EN/ISO 14121
– Machine Safety – Safety-related parts of control systems: ISO 13849-1 (non-electrical and simple electrical)
– Machine Safety – Electrical equipment of machines: IEC 60204-1
– Machine Safety – Functional safety of EEPES control systems: IEC 62061
Step 1 – Define the requirements. The European and North American machinery directives/standards outline the general requirements that shall be followed to ensure that machines are assessed and that proper protection methods have been implemented to ensure personnel protection.
Step 2 – Follow an assessment process. These harmonized standards (EN/ISO/ANSI) outline the requirements for assessments.
Step 3 – Utilize a defined assessment tool/method.
Step 4 – Determine the design method and verify the design. The ISO and IEC standards address the design of the safety-related parts of the control system, including the requirements of design verification.
Step 5 – Follow the proper regional electrical installation standard. IEC/NEC/NFPA standards address electrical installation and wiring practices.
Globalized Safety Standards
Standards are being adopted globally:
– ISO/IEC: ISO 12100, ISO 13849, IEC 62061, IEC 60204, IEC 61508
– EN: EN ISO 14119, EN ISO 13849, EN ISO 12100, EN ISO 13850, EN IEC 62061, EN IEC 61800
– USA: ANSI B11.0, ANSI B11.19, NFPA 79, UL 1998, PMMI B155.1, RIA 15.06
What is it really?
ISO 13849-1 Concepts
• ISO 13849-1 is intended to give guidance to those involved in the design and assessment of the safety-related parts of control systems (SRP/CS) which perform safety functions.
• The ability of the SRP/CS to perform the safety function under foreseeable conditions is allocated to one of five levels, called Performance Levels (PL), and defined in terms of probability of dangerous failure per hour (PFHd).
• The probability of dangerous failure of the safety function depends on factors including:
– Reliability of components – the mean time to dangerous failure (MTTFd)
– Diagnostic Coverage – the extent of fault detection mechanisms (DC)
– Common Cause Failure – scoring process and quantification of measures against CCF
– Structure – definition of five designated architectures that fulfil specific design criteria and behavior under a fault condition (Category)
– Systematic failures – measures against systematic failures which should be applied
EN 954 vs. EN ISO 13849-1
Scope: EN 954 – electrical control circuits. EN ISO 13849-1 – control circuits of all technologies: electrical, pneumatic, fluids, hydraulic.
Rating: EN 954 – Safety Categories B, 1, 2, 3 & 4. EN ISO 13849-1 – Performance Levels PLa to PLe.
Basis: EN 954 – safety provided by the structure of the control circuit. EN ISO 13849-1 – safety provided by the architecture/structure (categories), the reliability of the system (MTTFd, B10d), the diagnostic coverage of the system (DC) and the preventive measures against common causes of failure (CCF).
Method: EN 954 – draw a diagram (schematic). EN ISO 13849-1 – draw a diagram and verify the PL: does PL (achieved) = PLr (required)?
Changes from EN 954 – Methodology Change: from qualitative to quantitative. Factors now considered: structure, MTTFd, diagnostic coverage (DC), common cause failures (CCF), software, systematic failure, behavior under fault conditions, environmental.
EN 954 was basically a qualitative approach. Factors of time and component reliability are quantitative aspects which must now be considered when developing a safety control system using ISO 13849-1.
When to use ISO 13849
Safety Life Cycle
1. Risk Assessment – ISO 12100, ANSI B11.0
2. Functional Requirements Specification – ISO 12100, ANSI B11.0
3. Design and Design Verification – ISO 13849-1, ANSI B11.19
4. Installation, Verification and Validation – ISO 13849-2, ANSI B11.19
5. Maintain and Improve – ISO 13849-2, ANSI B11.0
Risk Assessment Overview
Determine the limits of the machinery → Hazard identification → Risk estimation → Risk evaluation → Is the risk reduced? Yes: end. No: apply measures for risk reduction and return to the assessment.
Refer to SF01 – Risk and Hazard Assessment for more information on this process.
Risk Reduction Overview
Measures for risk reduction, in order of priority:
1) Inherently safe design
2) Safeguards & complementary measures
3) Information for use
Is a control system needed? No: back to the risk assessment. Yes: design the SRP/CS per ISO 13849-1:2006.
SRP/CS Design Overview
1. Identify the safety functions
2. Specify the characteristics (SRS)
3. Required performance level (PLr)
4. Realization – identify SRP/CS components
5. Evaluate the performance level: 1) category/system architecture, 2) mean time to dangerous failure (MTTFd), 3) diagnostic coverage (DC), 4) common cause failure (CCF), 5) software (if existing)
6. Verification
7. Validation
• Two steps are required before determining the PL of a safety control system: identify the safety functions and specify the characteristics (SRS).
• These are based on the Risk Assessment.
Safety Functions & Specification
Identify the Safety Functions
• Safety Function – A control system function which reduces the risk presented by a particular hazard to an acceptable level.
• The safety functions are identified during the risk assessment process and take into consideration both the application and the hazard.
• Some examples:
– “Stopping of the machine when a guard door is opened.”
– “Controlled location of the operator’s hands during hazardous movement.”
– “Safe limited speed of the robot while the guard door is opened.”
– “Emergency stopping of the machine when an E-Stop is pressed.”
(Safety function block diagram: Input – Logic – Output)
Safety Requirements Specification
• The Safety Requirements Specification (SRS) is a formal document which describes the various safety functions and provides all of the required information an engineer will need to design the control system to perform the safety functions.
• The SRS is considered a living document and shall have provisions for revision control and document management.
• The validation protocols for testing the safety functions are derived from the SRS.
• The SRS should include the following: Description of the function, environmental requirements, response times, operating modes, fault handling requirements, diagnostics, safe parameters, fault exclusion, failure modes, etc.
Six Steps to Performance Level
Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level.
Step 1 – Determine the required performance level (PLr)
Step 2 – Identify the SRP/CS Components & Design Block Diagram
Step 3 – Evaluate the Performance Level (PL)
Step 3a - Category
Step 3b - Mean Time to Dangerous Failure (MTTFd)
Step 3c - Diagnostic Coverage (DC)
Step 3d - Common Cause Failure (CCF)
Step 4 – Develop Safety-Related Software (If Required)
Step 5 – Verification of Performance Level (PL > PLr)
Step 6 – Validation that all requirements are met
Performance Level Required
• The Risk Assessment determines the Performance Level required, PLr
• Creates the Foundation of the Safety System Functional Requirements, System Design and Validation Protocol
• Shows “Due Diligence” and compliance to standards
[Risk graph (ISO 13849-1, Annex A): starting from the task/hazard, branch on S1/S2, then F1/F2, then P1/P2; each leaf gives the required performance level PLr, from a (low contribution to risk reduction) to e (high): S1-F1-P1 → a, S1-F1-P2 → b, S1-F2-P1 → b, S1-F2-P2 → c, S2-F1-P1 → c, S2-F1-P2 → d, S2-F2-P1 → d, S2-F2-P2 → e.]
S = Severity, F = Frequency or Duration of Exposure, P = Avoidance Probability
PLr Equivalents?
Risk increases from top to bottom, as determined from the risk assessment.
RIA 15.06 Risk Category | ISO 13849 Performance Level | EN 954 Category | ANSI B11.19
R1 | a | Cat B | Simple (4.5.1)
R2A | b | Cat B | Simple (4.5.1)
R2B | b | Cat 1 | Single CH (4.5.2)
R2B | c | Cat 1 | Single CH (4.5.2)
R2C | c | Cat 2 | Single CH with Monitoring (4.5.3)
R3A | d | Cat 2 | Single CH with Monitoring (4.5.3)
R3B | d | Cat 3+ | Control Reliable (4.5.4)
R4 | e | Cat 3+ | Control Reliable (4.5.4)
Note: Intended to show approximate equivalency for guidance only; attaining the corresponding PL or SIL requires more information and calculation based on several additional factors.
Identify Component & Block Diagram
• Typical safety function diagram: INPUT (sensing element) → LOGIC SOLVING (control element) → OUTPUT (final element or actuator)
• The designer shall select an architecture that will meet the needs of the safety function.
– Category B, 1, 2, 3 or 4
Evaluate Performance Level
[ISO 13849-1, Figure 5: bar chart relating category and DCavg to the performance level. Columns, left to right: Cat B / DCavg none; Cat 1 / DCavg none; Cat 2 / DCavg low; Cat 2 / DCavg med; Cat 3 / DCavg low; Cat 3 / DCavg med; Cat 4 / DCavg high. The PL reached by each column (a to e) depends on whether the MTTFd of each channel is low, medium or high.]
*Common Cause Failure and quality measures to avoid systematic failures not shown.
Typical Implementation – Designated Architecture Category B
The structure and behaviour of the safety function under fault conditions.
Requirements:
• Basic safety principles
• Withstand expected operating stresses, the influence of the processed material and other relevant external influences
Behaviour under fault conditions: a fault can cause a loss of the safety function.
Typical implementation: Sensor → Machine Control (a PLC is an accepted solution) → Contactor → Motor. Components are designed to product standards, e.g. IEC 60947-5-2 (not specific safety standards), and for environmental and electrical safety aspects, e.g. IEC 60204-1.
Block diagram, Category B: Input Device → im → Logic Device → im → Output Device (im = Interconnecting Means)
Typical Implementation – Designated Architecture Category 1
The structure and behaviour of the safety function under fault conditions.
Requirements:
• Category B
• Well-tried components
• Well-tried safety principles
Behaviour under fault conditions: a fault can cause a loss of the safety function, but is less likely than Category B.
Typical implementation: Safety Sensor → Machine Control → Safety Contactor → Motor.
Block diagram, Category 1: Input Device → im → Logic Device → im → Output Device (im = Interconnecting Means)
Examples of well-tried
Safety system designs include ‘well-tried’ engineering principles and ‘well-tried’ components.
Basic Safety Principles: Installed per Instructions; Voltage & Current Ratings; Environmental Conditions; N.C. Inputs & N.O. Outputs; Transient Suppression; No Unexpected Start-up; Secure Mounting of Devices; Control Circuit Protection; Proper Grounding.
Well-Tried Safety Principles: Use Mechanically Linked Contacts; Redundant Devices; Diverse Technologies; Monitoring/Diagnostics; Limitation of Energy; Over-Dimensioning (Factor of 2); No Undefined States; Separation of Safety & Non-Safety; Fail-to-Safe Operation.
Well-Tried Components: Direct Opening Switches; E-Stop Devices; Fuses/Circuit Breakers; Contactors; Mechanically Linked Contacts; Auxiliary Contactor/Relay; Interlocks; Temperature/Pressure Switches; Programmable Controller.
Typical Implementation – Designated Architecture Category 2
The structure and behaviour of the safety function under fault conditions.
Requirements:
• Category B
• Well-tried safety principles
• Function is checked at suitable intervals
Behaviour under fault conditions: a fault can lead to the loss of the safety function between checks.
Typical implementation: Safety Sensor → Safety Relay → Safety Contactor → Motor, alongside the Machine Control.
Block diagram, Category 2: Input Device → im → Logic Device → im → Output Device; Test Equipment (TE) monitors (m) the logic device and drives its own Output of TE (im = Interconnecting Means, m = Monitoring)
Typical Implementation – Designated Architecture Category 3
The structure and behaviour of the safety function under fault conditions.
Requirements:
• Category B, well-tried safety principles
• Single fault does not lead to a loss of safety
• Fault shall be detected at or before demand
Behaviour under fault conditions: when a single fault occurs the safety function is always performed. Some but not all faults will be detected. An accumulation of undetected faults can lead to the loss of the safety function.
Typical implementation: Safety Sensor → Safety Relay → redundant Safety Contactors → Motor, with contactor monitoring fed back to the safety relay, alongside the Machine Control.
Block diagram, Category 3 (two channels): Input Device 1 → im → Logic Device 1 → im → Output Device 1; Input Device 2 → im → Logic Device 2 → im → Output Device 2. Each logic device monitors (m) its own channel, and the two logic devices cross-monitor (c) each other (im = Interconnecting Means, m = Monitoring, c = cross Monitoring)
Typical Implementation – Designated Architecture Category 4
The structure and behaviour of the safety function under fault conditions.
Requirements:
• Category B, well-tried safety principles
• Single fault does not lead to a loss of safety
• An accumulation of faults does not lead to a loss of safety
Behaviour under fault conditions: when a single fault occurs the safety function is always performed. The faults will be detected in time to prevent the loss of the safety function. An accumulation of undetected faults is taken into account.
Typical implementation: Safety Sensor → Safety Relay → redundant Safety Contactors → Motor, with contactor monitoring fed back to the safety relay, alongside the Machine Control.
Block diagram, Category 4 (two channels): Input Device 1 → im → Logic Device 1 → im → Output Device 1; Input Device 2 → im → Logic Device 2 → im → Output Device 2. Each logic device monitors (m) its own channel, and the two logic devices cross-monitor (c) each other (im = Interconnecting Means, m = Monitoring, c = cross Monitoring)
Mean Time to Dangerous Failure
Denotation of each channel – Range of each channel
Low – 3 years ≤ MTTFd < 10 years
Medium – 10 years ≤ MTTFd < 30 years
High – 30 years ≤ MTTFd < 100 years
For the estimation of MTTFd of a component, the hierarchical procedure for finding data shall be: 1) use the manufacturer’s data; 2) use the methods in Annexes C and D; 3) choose ten years.
The value for MTTFd of each channel is given in three levels and shall be taken into account for each channel individually, with a maximum of 100 years. MTTFd is a statistical value.
MTTFd Considerations
For mechanical or electromechanical devices:
• Failure is dependent on operating frequency.
• Manufacturers will quote a B10d, which is derived from testing: the number of operations at which 10% of the sample has failed to danger.
Example – 100S Safety Contactor (100S-C09 to C97 at AC3), B10d = 1,333,333 operations:
Days/year – Hours/day – Seconds between operations – NOP (operations/year) – MTTFd
365 – 16 – 60 – 350,400 – 38 years
365 – 16 – 360 – 58,400 – 228 years
365 – 16 – 3600 – 5,840 – 2,283 years
For electronic devices:
• Failure is dependent on time, temperature or environment.
• Ratings are generally given as MTTFd or PFHd:
– Mean time to failure – dangerous
– Probability of dangerous failure per year
MTTFd ≈ 1 / PFHd (must convert years to hours)
Example – PowerFlex525 Safe Torque Off
MTTFd Considerations
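The B10d and PFHd arithmetic above, as an added example that is not part of the presentation: the duty-cycle profile and the function names are my own, the only data taken from the slide is the B10d of the 100S contactor, and the 100-year cap and the low/medium/high bands follow the table on the previous slide.

```python
# Added example, not from the presentation: MTTFd of an electromechanical
# component from its B10d value and operating frequency, the 100-year cap per
# channel, the low/medium/high band, and the rough MTTFd ~ 1/PFHd conversion
# for electronic parts. Names and the duty-cycle profiles are assumptions.
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24      # PFHd is quoted per hour, MTTFd in years
MTTFD_CAP_YEARS = 100.0        # ISO 13849-1 takes at most 100 years per channel


@dataclass(frozen=True)
class DutyCycle:
    """How often the component is operated (the 'NOP' inputs of the slide)."""
    days_per_year: int
    hours_per_day: int
    seconds_between_ops: float

    def nop(self) -> float:
        """Mean number of operations per year: days * hours * 3600 / interval."""
        return self.days_per_year * self.hours_per_day * 3600 / self.seconds_between_ops


def mttfd_from_b10d(b10d: float, duty: DutyCycle) -> float:
    """MTTFd in years for an electromechanical part: B10d / (0.1 * nop).
    B10d is the number of operations at which 10 % of a test sample has
    failed to danger, so 0.1 * nop is the yearly share of that life used up."""
    return b10d / (0.1 * duty.nop())


def mttfd_from_pfhd(pfhd_per_hour: float) -> float:
    """Rough MTTFd in years from a PFHd quoted per hour (MTTFd ~ 1 / PFHd)."""
    return 1.0 / pfhd_per_hour / HOURS_PER_YEAR


def capped_channel_mttfd(mttfd_years: float) -> float:
    """Value taken into account for a channel: never more than 100 years."""
    return min(mttfd_years, MTTFD_CAP_YEARS)


def mttfd_denotation(mttfd_years: float) -> str:
    """Band of the slide's table; below 3 years the channel is not acceptable."""
    if mttfd_years < 3:
        return "not acceptable"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"      # 30 years <= MTTFd, capped at 100 years when used


if __name__ == "__main__":
    b10d_100s = 1_333_333          # operations, the value quoted on the slide
    for secs in (60, 360, 3600):   # one operation per minute, 6 minutes, hour
        duty = DutyCycle(365, 16, secs)
        years = mttfd_from_b10d(b10d_100s, duty)
        print(f"every {secs:>4}s: nop={duty.nop():>8.0f} MTTFd={years:>6.0f} y, "
              f"channel value {capped_channel_mttfd(years):.0f} y "
              f"({mttfd_denotation(years)})")
```

The printed rows reproduce the 38 / 228 / 2283-year column of the slide, and show that the last two are taken as 100 years when the channel is rated.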
Diagnostic Coverage
• The value for DC is given in four levels. DC is the number of detected dangerous failures divided by the number of all dangerous failures; it is a measure of the effectiveness of the diagnostics.
• For estimation of DC, failure mode and effects analysis or similar methods can be used.
• For SRP/CS consisting of several parts an average DC (DCavg) is used.
• For a simplified approach to estimating DC, see Annex E.
Denotation of DC – Range of DC
None – DC < 60%
Low – 60% ≤ DC < 90%
Medium – 90% ≤ DC < 99%
High – 99% ≤ DC
Calculation of the Average DC
• The diagnostic coverages for the individual “Input – Logic – Output” blocks are first determined.
• The individual values are then averaged for the entire safety channel (in the slide’s example, DCavg = 73.3%).
• The simplified approach is available with the use of Annex E.
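The averaging step above, as an added example that is not part of the presentation: the per-block DC and MTTFd values are constructed, the function names are my own, and the weighting by 1/MTTFd is the Annex E formula of ISO 13849-1 rather than a plain arithmetic mean.

```python
# Added example, not from the presentation: DCavg of one safety channel with
# the Annex E weighting of ISO 13849-1, and the band it falls in.  Each block's
# DC is weighted by its failure rate 1/MTTFd, so a block that fails often and
# is poorly diagnosed pulls the average down more than a plain mean would show.
# Block values below are constructed for illustration.


def dc_avg(blocks):
    """blocks: sequence of (DC as a fraction 0..1, MTTFd in years) per block.
    Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    if not blocks:
        raise ValueError("a channel needs at least one block")
    weighted = sum(dc / mttfd for dc, mttfd in blocks)
    weights = sum(1.0 / mttfd for _, mttfd in blocks)
    return weighted / weights


def dc_denotation(dc):
    """Band of the slide's table (DC as a fraction)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Constructed channel: (DC, MTTFd in years) for the input, logic and output
# blocks of an Input - Logic - Output chain.
CHANNEL = [
    (0.90, 30.0),   # input: interlock switch, plausibility-checked by the logic
    (0.99, 100.0),  # logic: safety relay with internal self-tests
    (0.60, 20.0),   # output: contactor whose feedback contact is monitored
]


def channel_report(blocks=CHANNEL):
    """Return (DCavg, band) for a channel."""
    avg = dc_avg(blocks)
    return avg, dc_denotation(avg)


if __name__ == "__main__":
    avg, band = channel_report()
    print(f"DCavg = {avg:.1%} -> {band}")
    # Why the weighting matters: a well-diagnosed, very reliable logic block
    # next to an undiagnosed output that fails ten times as often.
    skewed = [(0.99, 100.0), (0.0, 10.0)]
    print(f"weighted {dc_avg(skewed):.1%} vs plain mean 49.5%")
```

For the constructed channel the result is about 74.9 % (low), and the skewed pair comes out at 9 % (none) although a plain mean would suggest almost 50 %.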
Common Cause Failure
Definition: a failure which is the result of one or more events and which causes simultaneous failures of two or more separate channels in a multi-channel system, leading to the failure of a safety-related control function (one cause → failure of channel 1 and failure of channel 2).
• Common causes are:
– External stress such as excessive temperature or EMI.
– Systematic design failures due to the high complexity of the product or missing experience with the new technology.
– No spatial separation between channels, such as common cables or close PCB traces.
– Human errors during maintenance and repair.
• These are failures of different items resulting from a single event. The failures are not consequences of each other.
• Annex F contains a ‘score card’ with a list of measures typically used to mitigate Common Cause Failures.
• Must achieve a score of 65 out of 100 possible points.
• If the score is < 65, there is not a sufficient allowance for CCF and additional measures must be realized.
Safety-Related Software
Software safety requirements (ISO 13849-1:2006, Clause 4.6)
All lifecycle activities of safety-related embedded or application software (e.g. RSLogix 5000) shall primarily consider the avoidance of faults introduced during the software lifecycle. The main objective of the following requirements is to have readable, understandable, testable and maintainable software.
PL Verification
There are three ways to verify the Performance Level (PL) per ISO 13849-1.
Simplified Verification Procedure – ISO 13849-1 Table 7
Verification using DC, MTTFd & PL
[ISO 13849-1, Figure 5, shown again: columns Cat B / DCavg none; Cat 1 / DCavg none; Cat 2 / DCavg low; Cat 2 / DCavg med; Cat 3 / DCavg low; Cat 3 / DCavg med; Cat 4 / DCavg high; the PL (a to e) reached by each column depends on whether the MTTFd of each channel is low, medium or high.]
*Common Cause Failure and quality measures to avoid systematic failures not shown.
Verification by PFHd Equivalent – ISO 13849-1 Table K.1
Relationship between PL and SIL
Combination of Table 3 and Table 4 from ISO 13849-1:2008
You can convert a ‘simple circuit’ calculated in ISO 13849 and apply it to IEC 62061 by using the chart below.
Performance level (PL) – Probability of dangerous failure per hour (PFHd) – Safety Integrity Level (SIL)
a – 10^-5 to < 10^-4 – No special safety requirements
b – 3 × 10^-6 to < 10^-5 – 1
c – 10^-6 to < 3 × 10^-6 – 1
d – 10^-7 to < 10^-6 – 2
e – 10^-8 to < 10^-7 – 3
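The PFHd-to-PL/SIL lookup above together with the Step 5 check (PL must reach PLr), as an added example that is not part of the presentation: the table ranges are those on the slide, the function names and sample subsystem values are my own, and summing the PFHd of subsystems connected in series is the combination rule of ISO 13849-1 clause 6.3, which the slide itself does not show.

```python
# Added example, not from the presentation: classify a calculated PFHd into a
# Performance Level and the equivalent SIL using the Table 3/4 ranges quoted on
# the slide, then apply the Step 5 verification condition PL >= PLr.  Summing
# subsystem PFHd values for a series chain is ISO 13849-1 clause 6.3 (not on
# the slide).  Names and sample values are assumptions.

PL_ORDER = "abcde"        # a = lowest contribution to risk reduction

# (PL, lower bound inclusive, upper bound exclusive), PFHd per hour
PL_PFHD_RANGES = (
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
)

# None = "no special safety requirements" in IEC 62061 terms
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def pl_from_pfhd(pfhd):
    """PL for a PFHd value, or None when it lies outside the table
    (a PFHd of 1e-4 or worse does not reach any PL)."""
    for pl, lo, hi in PL_PFHD_RANGES:
        if lo <= pfhd < hi:
            return pl
    return None


def sil_from_pl(pl):
    """Equivalent SIL for a PL (None for PL a)."""
    return PL_TO_SIL[pl]


def pl_meets_plr(pl, plr):
    """Step 5: the achieved PL must be at least the required PLr."""
    return PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def series_pfhd(subsystem_pfhds):
    """PFHd of subsystems in series (input, logic, output): the values add."""
    return sum(subsystem_pfhds)


def verify_safety_function(subsystem_pfhds, plr):
    """Combine the subsystems, classify the result and compare with PLr."""
    total = series_pfhd(subsystem_pfhds)
    pl = pl_from_pfhd(total)
    return {
        "pfhd": total,
        "pl": pl,
        "sil": sil_from_pl(pl) if pl else None,
        "meets_plr": pl is not None and pl_meets_plr(pl, plr),
    }


if __name__ == "__main__":
    # Constructed: PFHd per hour of a sensor, a safety relay and an output stage.
    print(verify_safety_function([2e-8, 3e-8, 4e-8], plr="d"))   # e, SIL 3, ok
    print(verify_safety_function([5e-8, 4e-8, 5e-8], plr="e"))   # d, SIL 2, fails
```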
Validation
Validation is an evaluated inspection (including analysis and testing) of the safety functions and categories of SRP/CS.
Validation requires fault injection and is typically done off-line.
Goal: proof that the SRP/CS complies with the overall safety requirements of the machinery, and proof that the requirements of EN 954-1 or EN ISO 13849-1 are fulfilled.
Method: analysis and testing according to the validation plan.
Validation requirements are defined in ISO 13849, Part 2.
Validation Documentation
Documents required for validation:
• Specification of the expected performance, of the safety functions and categories
• Drawings and specifications
• Block diagram with functional description of the blocks
• Circuit diagram including interfaces/connections
• Functional description of the circuit diagram
• Time sequence diagram(s) for switching components, signals relevant for safety
• Component lists with item designations, rated values, tolerances etc.
• Analysis of all relevant faults, including the justification of any excluded faults
Need resources?
One hour is quick!
• SafeBook 4 – An overview of safety standards including definitions and examples. Based on ISO 13849.
– Publication SAFEBK-RM002
• Sample Safety Functions – Rockwell Automation has compiled a set of example applications based on ISO 13849.
– Visit www.machinesafetysolutions.com
• Training – Additional training classes are available.
– Contact Werner Electric for more details
• Certification – TUV Functional Safety certification is available through Rockwell Automation.
Questions?
Thank you for attending