TÜV SÜD Product Service
Functional Safety of Machinery: EN ISO 13849-1
Stewart Robinson, TÜV SÜD Product Service
Overview of the presentation
• Defining Safety Functions
• Avoidance of Systematic Failures
• Defining Performance Levels Required
• Verifying Performance Levels Achieved
  – SRP/CS Architectures
  – Component reliability
  – Diagnostic Coverage
• Common Cause Failures
Functional Safety of Machinery: EN ISO 13849-1 Slide 2 12/12/2012
References
Standards for Functional Safety
Two new functional safety standards are available for use in the machinery sector:
Source: BGIA Report 2/2008e
Which standard to use?
• EN 62061 – Safety of machinery: Functional safety of safety-related electrical, electronic and programmable electronic control systems
  – Technology specific (electrical, electronic and programmable electronic only)
  – Covers all levels of complexity
• EN ISO 13849-1 – Safety of machinery: Safety-related parts of control systems. Part 1: General principles for design
  – Replaces EN 954-1
  – Not technology specific: can be used for any energy source (electrical, hydraulic, pneumatic, mechanical)
  – Can also be used for programmable systems (safety PLCs)
EN ISO 13849-1
Source: BGIA Report 2/2008e
Overall Risk Estimation/Risk Reduction
EN ISO 13849-1 Figure 1
Risk estimation – general principles
The risk related to the identified hazard is a function of:
• the severity of the possible harm (Se), and
• the probability of occurrence of that harm, which in turn depends on
  – the frequency and duration of exposure (Fr),
  – the probability of occurrence of a hazardous event (Pr), and
  – the probability of avoiding or limiting harm (Av).
(Se, Fr, Pr and Av are the risk-estimation parameters of EN 62061; the EN ISO 13849-1 risk graph uses the coarser S, F and P parameters shown later.)
Risk Reduction
Source: BGIA Report 2/2008e
Safety-Related Controls
What is a Safety Related Control System?
• A control system in a machine should be regarded as being safety-related if it contributes to reducing any risk to an acceptable level or if it is required to function correctly to maintain or achieve safety.
Systematic failure
• A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors. Typical causes are errors in:
  – the safety requirements specification,
  – the design, manufacture, installation and operation of the hardware, and
  – the design, implementation, etc. of the software.
• Systematic failures are not captured by the MTTFd/DC calculation of the random hardware failures; they are countered by the design and process measures of the standard.
• Further information can be found in EN ISO 13849-1, in particular in Annex G.
Frequency of Failures
Source: Out of control – Why control systems go wrong and how to prevent failure (2nd edition, 2003, Health & Safety Executive (HSE), UK)
Specifying requirements – EN ISO 13849-1
• 4.2.2 – For each safety function the characteristics and the required performance level shall be specified.
• 4.3 Determination of required performance level (PLr) – For each selected safety function to be carried out by a SRP/CS, a required performance level (PLr) shall be determined and documented (see Annex A for guidance on determining PLr).
Safety Functions – Examples
• Safety related stop function initiated by a safeguard
• Local control function
• Hold to run
• Enabling device
• Muting function
• Prevention of unexpected start-up
• Control modes and mode selection
• Emergency stop
EN ISO 13849-1 Annex A risk graph
Risk Graph Parameters
• Severity of injury (S)
  – S1 Slight injury (normally reversible, e.g. a bruise)
  – S2 Severe injury (normally irreversible, e.g. amputation, or death)
• Frequency and/or exposure time to the hazard (F)
  – F1 Seldom to less often and/or short exposure time
  – F2 Frequent to continuous and/or long exposure time (the standard gives guidance but no fixed numerical boundary between F1 and F2)
• Possibility of avoiding the hazard or limiting the harm (P)
  – P1 Possible under specific conditions
  – P2 Scarcely possible
  – Based on the speed of approach of the hazard and the ability of the operator to avoid it: if the operator can avoid the hazard, choose P1.
PL / PFHd
PL and SIL (Tables 3 and 4 of EN ISO 13849-1)

PL (EN ISO 13849-1)   Average probability of a dangerous failure per hour, PFHd [1/h]   SIL (EN 62061)
a                     ≥ 10^-5 and < 10^-4                                             no special safety requirements
b                     ≥ 3 × 10^-6 and < 10^-5                                         1
c                     ≥ 10^-6 and < 3 × 10^-6                                         1
d                     ≥ 10^-7 and < 10^-6                                             2
e                     ≥ 10^-8 and < 10^-7                                             3
Performance Level – EN ISO 13849-1 Clause 4.7
• Verification that the achieved PL meets PLr
  – For each individual safety function the PL of the related SRP/CS shall match the required performance level (PLr) determined according to 4.3.
  – The PL of the different SRP/CS which are part of a safety function shall be greater than or equal to the required performance level (PLr) of this safety function.
Factors to establish PL
• The Performance Level achieved depends on:
  – The architecture of the SRP/CS – Categories
  – The reliability of the components – Mean Time To Dangerous Failure (MTTFd)
  – The effectiveness of fault detection – Diagnostic Coverage (DC)
  – For the redundant and tested categories (2, 3 and 4), also the measures against Common Cause Failure (CCF)
Designated Architectures
• Clause 6 describes "designated architectures" as categories (B, 1 – 4). A category states the required behaviour of a SRP/CS in respect of its resistance to faults: the structure, the fault tolerance and the degree of fault detection.
Categories
B – The SRP/CS shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that it can withstand the expected influences. A single fault can lead to loss of the safety function.
1 – As B, but using well-tried components and well-tried safety principles. Still no fault tolerance (a single fault can lead to loss of the safety function), but the MTTFd of the channel is higher than in B.
2 – As B, using well-tried safety principles; in addition the safety function shall be checked at suitable intervals by the machine control system. The test rate shall be at least 100 times the demand rate. A fault occurring between two checks can still lead to loss of the safety function.
3 – As B, using well-tried safety principles, and designed so that a single fault in any of these parts does not lead to the loss of the safety function, and whenever reasonably practicable the single fault is detected.
4 – As 3, but the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of undetected faults shall not lead to a loss of the safety function.
Structure / Category
(Diagrams of the designated architectures: Cat B & Cat 1; Cat 2; Cat 3; Cat 4.)
Architecture – Categories 1 & 2
(Diagram; annotation in the original: "Type 2 L/C Test rate?")
Architectures - Categories 3 & 4
Combinations of Categories
(Diagram: subsystems of different categories combined into one safety function, labelled Cat. B/1, Cat. 1, Cat. 2, Cat. 1/2, Cat. 3, Cat. 3/4 and Cat. 4; the question marks in the original mark the combinations whose resulting category is to be determined.)
Component reliability – MTTFd
Mean time to dangerous failure, MTTFd
MTTF rests on the assumption that every component will fail if it is operated long enough; MTTFd counts only the failures that are dangerous, i.e. those that can defeat the safety function.
MTTFd Assessment (per channel, Table 5 of the standard):
3 years ≤ MTTFd < 10 years     low
10 years ≤ MTTFd < 30 years    medium
30 years ≤ MTTFd < 100 years   high
The standard's ranges start at 3 years, and the MTTFd of each single channel is limited to 100 years: a high-risk SRP/CS must not rely on component reliability alone.
Reliability data
• EN ISO 13849-1, Clause 4.5.2: for the estimation of MTTFd of a component, the hierarchical procedure for finding data shall be, in the order given:
  a) use manufacturer's data;
  b) use the methods in Annexes C and D;
  c) choose ten years.
• What do we do if no data is available? Step c): assume ten years, a deliberately conservative default that will pull the channel MTTFd down.
Good Engineering Practices
Source: BGIA Report 2/2008e EN ISO 13849-1 Annex C
EN ISO 13849-1 Annex C

$$MTTF_d = \frac{B_{10d}}{0.1 \times n_{op}}$$

where B10d = mean number of cycles until 10% of the components fail dangerously, and nop = number of operations per year:

$$n_{op} = \frac{d_{op} \times h_{op} \times 3600\ \mathrm{s/h}}{t_{cycle}}$$

where dop = number of operating days per year, hop = number of operating hours per day and tcycle = cycle time in seconds (mean time between two successive operations of the component). MTTFd obtained this way is in years.
Diagnostic Coverage
Diagnostic coverage is the fractional decrease in the probability of dangerous hardware failures resulting from the use of automatic diagnostic tests. It is calculated as

$$DC = \frac{\lambda_{DD}}{\lambda_{D,total}}$$

where λDD is the rate of detected dangerous failures and λD,total the rate of all dangerous failures (detected plus undetected).
EN ISO 13849-1 Diagnostic Coverage
DCavg in accordance with EN ISO 13849-1 (Annex E)
Determine the average diagnostic coverage DCavg of the SRP/CS:

$$DC_{avg} = \frac{\dfrac{DC_1}{MTTF_{d1}} + \dfrac{DC_2}{MTTF_{d2}} + \dots + \dfrac{DC_N}{MTTF_{dN}}}{\dfrac{1}{MTTF_{d1}} + \dfrac{1}{MTTF_{d2}} + \dots + \dfrac{1}{MTTF_{dN}}}$$

where the subscripts 1, 2 … N denote the separate parts of the SRP/CS. Each part's DC is weighted by its dangerous failure rate (1/MTTFd), so an unmonitored part with a low MTTFd pulls DCavg down far more than an unmonitored part with a high MTTFd.
Diagnostic Coverage (DC)
Diagnostic coverage is divided into four levels (Table 6 of the standard):

Range of DC        Denotation
DC < 60%           None
60% ≤ DC < 90%     Low
90% ≤ DC < 99%     Medium
99% ≤ DC           High
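As an added worked example (not part of the TÜV SÜD slides), the following Python computes DC for one part from its detected and undetected dangerous failure rates, DCavg for an SRP/CS with the Annex E weighting, and the Table 6 level. The parts, their DC values, failure rates and MTTFd values are constructed; the point of the example is how the weighting behaves, not the figures themselves.

```python
"""Added example (not part of the TÜV SÜD slides): DC of one part from its
detected/undetected dangerous failure rates, DCavg of an SRP/CS weighted by
1/MTTFd (EN ISO 13849-1 Annex E), and the four DC levels of Table 6.
The parts, failure rates, DC values and MTTFd values below are constructed."""


def diagnostic_coverage(lambda_dd, lambda_du):
    """DC = λDD / λD,total, with λD,total = λDD + λDU (detected + undetected)."""
    if lambda_dd < 0 or lambda_du < 0:
        raise ValueError("failure rates must be non-negative")
    total = lambda_dd + lambda_du
    if total == 0:
        raise ValueError("no dangerous failures: DC is undefined")
    return lambda_dd / total


def dc_level(dc):
    """Table 6: none / low / medium / high."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must lie between 0 and 1")
    if dc >= 0.99:
        return "high"
    if dc >= 0.90:
        return "medium"
    if dc >= 0.60:
        return "low"
    return "none"


def dc_avg(parts):
    """DCavg = Σ(DC_i / MTTFd_i) / Σ(1 / MTTFd_i) over the parts of the SRP/CS.
    parts: iterable of (DC_i, MTTFd_i in years)."""
    numerator = 0.0
    denominator = 0.0
    for dc, mttfd in parts:
        if mttfd <= 0:
            raise ValueError("MTTFd must be positive")
        numerator += dc / mttfd
        denominator += 1.0 / mttfd
    if denominator == 0:
        raise ValueError("no parts given")
    return numerator / denominator


def arithmetic_mean_dc(parts):
    """The unweighted mean, shown only to contrast with the Annex E weighting."""
    dcs = [dc for dc, _ in parts]
    return sum(dcs) / len(dcs)


# Constructed SRP/CS: (DC, MTTFd in years) per part.
MONITORED_SWITCH = (0.99, 100.0)      # position switch, plausibility-checked
MONITORED_CONTACTOR = (0.99, 50.0)    # contactor with mirror contact read back
UNMONITORED_RELAY = (0.0, 20.0)       # auxiliary relay, not monitored at all
MONITORED_RELAY = (0.90, 20.0)        # same relay, contacts read back

SRPCS_AS_BUILT = [MONITORED_SWITCH, MONITORED_CONTACTOR, UNMONITORED_RELAY]
SRPCS_IMPROVED = [MONITORED_SWITCH, MONITORED_CONTACTOR, MONITORED_RELAY]

if __name__ == "__main__":
    # constructed rates: λDD = 9.9e-7/h, λDU = 1e-8/h gives DC = 0.99
    print("single part DC:", diagnostic_coverage(9.9e-7, 1.0e-8))
    for label, parts in (("as built", SRPCS_AS_BUILT), ("improved", SRPCS_IMPROVED)):
        weighted = dc_avg(parts)
        print(f"{label}: DCavg = {weighted:.3f} ({dc_level(weighted)}), "
              f"unweighted mean would have said {arithmetic_mean_dc(parts):.2f}")
```

The as-built case is the trap the weighting is there to catch: two parts at DC 99% and one unmonitored part give an unweighted mean of 0.66 ("low"), but because the unmonitored relay has the shortest MTTFd it carries most of the dangerous failure rate, and DCavg lands at 0.37 ("none"). Reading back the relay's contacts (DC 90%) lifts DCavg to "medium".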
Relationship - PL and Cat, DC, MTTFd
Performance Level – Annex K
Table K.1 — Numerical representation of Figure 5
EN ISO 13849-1 – Common Cause Failure
(Annex F scoring table: for categories 2, 3 and 4 the measures taken against CCF must score at least 65 points.)
PFHD of the Function
The PFHD of the function is the sum of the PFHD of each of the SRP/CS (subsystems) that make up the function:

$$PFH_{D,total} = PFH_{D,ss1} + PFH_{D,ss2} + PFH_{D,ss3} + \dots + PFH_{D,ssn}$$

(Diagram: a safety function built from subsystems in series – one or more sensors (input), logic, one or more actuators (output).)
Example 1 – Low complexity
Example 2
Source: BGIA Report 2/2008e
Thank you for listening
For more information contact: +44 (0)1642 345637 [email protected] www.tuv-sud.co.uk/machinery