Basics Safety Standards en

Siemens AG 2009. All Rights Reserved.
Safety of machinery /
European machinery
directive
Important note
(apply to all parts of the event):
The event shall give the participants overview over the topic area
safety of machines with the focus on "functional safety". The
represented lawful and normative requirements and implementation
strategies are represented simplified, i.e. for the practical
implementation a detailed analysis of the safety systems and
procedures is absolutely necessary!
The examples are non-committal and do not lay any claim to completeness with
regard to configuration and equipment as well as any eventualities. The
examples do not represent any custom-designed solutions but shall offer only
support at typical tasks. You are accountable for the proper mode of the
described products yourself.
These examples do not discharge you from the obligation to safe dealing for
application, installation, business and maintenance. By use of these examples
you appreciate that Siemens cannot be made liable for possible damages
beyond the provisions regarding described above. We reserve us the right to
carry out changes at these examples without announcement at any time. The
contents of the other documentation have priority at deviations between the
suggestions in these examples and other Siemens publications, such as
catalogues.
Industry Sector Page 3/198 Safety of machinery / European machinery directive
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Agenda
Part 1: The way to a safe machinery
Risk assessment / risk reduction / validation / placing on market
Part 2: Practical implementation IEC 62061 and ISO 13849-1
Norm overview "functional safety" / core requirements /
practical implementation at an application example
Shown is the principle procedure (simplified representation )
Part 3: SIL / PL-verification with the application example
Consideration according to ISO 13849-1 and IEC6201
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety of machinery / European machinery directive
Question:
What has to be considered, when a machinery is placed to market
in Europe?
Part 1: The way to a safe machinery
Risk assessment
Risk reduction
Validation
Placing on market
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe machinery
Safety of Machinery
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Terms and definitions
Machinery
Machine + system (linked machines)
Machine manufacturer
Redesigns a machine or considerably modifies it
Implements safety functions
Machine owner
Purchases and uses a machine.
The machine owner becomes machine manufacturer when
machines are linked to form a system
the machine is considerably modified
Machine operator
Operator + maintenance personal
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Motivation for a safe machine
needless to say: Protection of people and the environment
but also: economic efficiency
Advantage of modern safety technologies and intelligent safety
concepts:
Protection measures do not turn into obstacles
Example:
Protection zones of laser scanners, depending on operating modes
Increase in productivity
Examples:
Safely reduced speed instead of complete stop or energy off
Selective emergency stop instead of global emergency stop
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
In Europe, machine manufacturers and machine owners are
required by law to ensure the safety of people and the
environment.
Machines placed on the market in Europe must be safe.
Placed on the market means:
The machine is manufactured or considerably modified in Europe
The machine is imported to and operating in Europe
European Directives for Machinery
describe essential requirements for the machine manufacturer
Situation in Europe
(and in many other countries)
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
Machine manufacturers and users are responsible
for the safety of machines and of the plant
* Until 2009/12/29
2006/95/EG
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
European Machinery Directive
Correlations
Machinery
Machinery
Directive
98/37/EC
Further directives:
Low Voltage
Electromagnetic
Compatibility
Harmonized standards:
Describe specific requirements
for the machine manufacturer.
European Directives for Machinery:
Essential requirements
A machine is considered to be
safe when the Machinery
Directive requirements are
meet
Presumption of conformity:
When applied correctly, the
corresponding directive is
considered to be complied
with
Certification by the
machine manufacturer:
The machine meets the
requirements of the Machinery
Directive and of all other
relevant directives
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
Options for meeting the requirements
Applying harmonized standards
The machine manufacturer only has to prove that the requirements
of the harmonized standards have been met.
In this case, the presumption of conformity applies!
or
Without applying harmonized standards
The machine manufacturer must prove in detail that the Machinery
Directive requirements have been met.
Compared to the first option, this means increased overhead when
validating the machine.
Recommendation:
Application of harmonized standards
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
Directive
reference
Subject of directive
European Directives and applying standards
Web: http://www.newapproach.org/
Info
about
directive
Standards
activities
References
harmonised
standards
90/396/EEC Appliances burning gaseous fuels
00/9/EC Cableway installations designed to carry persons
89/106/EEC Construction products
89/336/EEC Electromagnetic compatibility
94/9/EC
Equipment and protective systems in potentially
explosive atmospheres
93/15/EEC Explosives for civil uses
95/16/EC Lifts
73/23/EEC Low voltage equipment
98/37/EC Machinery safety
90/385/EEC Medical devices: Active implantable
93/42/EEC
View
directive
Directives & Standards
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
TYPE
C standards
Specific safety features for individual machine families
Specialist
standards
TYPE
B standards
B1 standards
General safety aspects
B2 standards
Reference to special
protective devices
Group
safety standards
Basic design principles
and basic concepts
for machines
TYPE
A standards
Basic safety standards
IEC 62061
IEC 61811
IEC 61508
IEC 61800-5
EN 692
EN ISO 12100
Hierarchical organization of the EN standards
EN ISO 14121
EN 349
IEC 61496-1
EN 294
EN 418
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
Hierarchical organization of the EN standards
The B norms are also aimed primarily at the norm compositors for C
norms. They also can, however, be helpful to the manufacturers for
construction of a machine if there exist no C norms.
There is another subdivision at the B norms carried out:
B1: for primary safety aspects (ergonomic principles, safe distances
against reaching from sources of danger and to the avoidance of
squeezing parts of the body)
B2: intended for machines like: E- Stop, Two-hands-facilities,
contactless safeguards, safety-related parts of controls)
Minimum
distances to the
avoidance of
crushes from parts
of the body
EN 349
Safety
relevant
parts of
controls
EN 954-1
Electrical
equipment
of
machines
EN 60204-
1
Interlocking
devices
associated with
guards
EN 1088
Two hand control
EN 574
E- stop system,
design basic
principles ISO
13850
Light barriers,
light curtains
EN 61496-1
Electro-sensitive
protective equipment
EN 61496-1
Type B1 standards
General primary safety aspects
Type B2 standards
Specifications among others of safeguards
with a general character
EN 62061 & ISO 13849-1
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
USA:
UL, ANSI
Europe:
EN
Japan:
JIS
e.g. EN 954
World
e.g. IEC 61508,
IEC 62061, IEC 61511
Europe:
IEC 62061,
EN ISO 13849
New
The valid instructions and standards are significant at the place
of action of the machine and/or plant.
The European standards and instructions are accepted worldwide.
Norms
International safety norms
IEC, ISO
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
Export to Countries outside Europe
Overview
Situation in the different countries of the world
There are different concepts for machine safety:
Requirements and assessment of safety systems
Responsibilities
Legal consequences
The laws and regulations of the country in which the machine is
operated always apply.
Influence of Europe
The European procedure is accepted worldwide
The CE mark is accepted worldwide
Numerous European standards for machine safety
turned into internationally applicable standards
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
Machine
Risk evaluation/
-assessment
Acceptable
risk
Measurements
to reduce
the risk
Danger
Danger
The process is
prescribed by the
legislature and
defined in norms
The European Machinery Directive prescribes:
Manufacturer of machinery and plants have to perform a risk evaluation and
assessment before the construction. Only machinery with acceptable risk are allowed
to be placed on the market.
Safe Machine
Inducement
The European Machinery Directive
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
At the process, all
countries consider the
same basic principles, but
the exact instructions for
the implementation are
defined in country- or/and
region- specific
standards.
The valid guidelines and
standards at the place of
action of the machine
and/or plant are
significant.
The constructor of the
plant and/or the
machine is responsible
for the adherence of the
standards.
Changed machinery- or
process- design
Further Measurements to
reduce danger
Usage of
Safety Engineering
Determination of the
amount of damage,
probability, avoidableness
Classification
Proven by:
Certificate
Acceptance test
Norms
Process Implementation
Risk- evaluation/
-assessment
Acceptable
risk
Measurements
to reduce
the risk
!
Inducement
Process in overview
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Implementation
Machinery Directive
Europe
The way to a safe
machinery
Safety of Machinery
Basic implementation procedure
Steps to be performed by the machine manufacturer
1 Risk assessment
2 Risk reduction
Step 1: Safe design
Step 2: Technical protective measures
Step 3: User information on residual risks
3 Validation of the machine
4 Placing the machine on the market
Technical documentation
Each step must be comprehensibly documented:
Procedures and results
Test strategy and test results
Responsibilities,
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The 3 step method
Start
Risk reduction by
selecting suitable
protective measures
YES
NO
Is the risk
adequately
reduced?
End
For each hazard:
Estimation and assessment of the risk
Identifying the hazards on the machine
Defining the limits of the machine
The machine is safe
except for a reasonable
residual risk
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Relevant standards
EN ISO 12100
Safety of machinery
Basic concepts, general principles for design
Describes possible hazards on a machine
Describes strategies for risk reduction
Objective: Design of a safe machine
whose residual risk is reasonable
EN ISO 14121
Safety of machinery
Principles for risk assessment
Consideration of the risk
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The 3-Step Method (according to EN ISO 12100)
YES
NO
Again: Risk assessment
For each hazard requiring risk reduction:
End
Start
YES
YES
NO
NO
Step 3: Risk reduction by user information on residual risks
Was the risk adequately reduced?
Step 1: Risk reduction by safe design
Step 2: Risk reduction by technical protective measures
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Step 1: Safe design
Safe design
Integration of safety into the design of the machine
Highest priority for risk assessment
Aspects for safe design (examples)
Avoidance of pinch points
Avoidance of electric shock
Concepts for stopping in the event of hazards
Concepts for operation and maintenance

Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Technical protective measures
A safety function must be defined for each hazard that
cannot be eliminated by design
Safety functions can be performed by
safety systems
Example: Safety function - without safety system
Access to the hazardous location is permanently prevented
(fixed mechanical cover, )
Example: Safety function - with safety system
When the protective cover is opened during normal
operation, the motor must be switched off.
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety system
Performs safety functions
Consists of subsystems
Subsystems of a safety system
Detecting (position switch, light curtain, )
Evaluating (fail-safe controller, safety switching device, )
Reacting (contactor, frequency converter, )
Safety system
motor
Protective
cover
Subsystem 3:
Reacting
Subsystem 1:
Detecting
Subsystem 2:
Evaluating
or
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Relevant standards for designing and realizing
safety systems for machinery
EN 954-1 (valid until the end of 2009)
EN ISO 13849-1 (valid since 2006)
EN 62061 (identical to IEC 62061) (valid since 2005)
Properties of the standards:
Harmonized norms (Europe )
EN 62061 and EN ISO 13849 are accepted internationally
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The standards grown in the past in different countries will be harmonized and
reduced to a few European standards.
The often used standard EN954-1 will be replaced in October 2009.
The remaining relevant standards are:
IEC 61508: Basic-standard for functional safety (e.g. for PLC) (product liability)
IEC 61511: Application standard for process engineering
IEC 62061: Application standard for mechanical engineering and also for
electrical and electronic safety engineering.
ISO 13849-1: Application standard for mechanical engineering and also for
electronic and other technics (e.g. pneumatic, hydraulic).
Suppressor of EN 954-1.
IEC 61800-5-2: Product specific standard for electrical drives with integrated safety
functions.
IEC 62061 and ISO 13849-1 are often used for risk assessment of machines.
IEC 61508 and IEC 61800-5-2 are often used for risk assessment of safety devices
(e.g. PLC).
The relevant standards
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Basic procedure for each safety function
a) Specifying the safety function
b) Determining the required safety level
c) Designing the safety function
d) Determining the achieved safety level
e) Realizing and testing the safety function
The steps will be
explained in
the following
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
a) Specifying the safety function
Boundary conditions of the safety function
Hazard to be prevented on the machine
Affected persons on the machine
Affected operating modes of the machine
Mission time
...
Requirements for the functionality of the safety function
Functional description of the safety function
Required reaction time
Reaction to faults
Number of operations for electromechanical components

Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Required safety level
Significance of the required safety level
The required safety level is a measure for the reliability of the
safety function.
The required safety level depends on:
Severity of the injury
Frequency / exposure time
Possibility of avoiding
The more severe the injury and the more probable its occurrence,
the higher the required safety level.
EN 62061 and ISO 13849 show procedures for determining the
required safety level.
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The risk dimension
results from:
The exact calculation is standard-specific different.
Depending on the dimension of the risk, a certain safety level is postulated. The
notations of the safety levels are:
at EN 954-1: Category B, 1 - 4
at ISO 13849-1: Performance Level a - e (PL)
at IEC 62061: Safety Integrity Level 1 - 3 (SIL)
at IEC 61511: Safety Integrity Level 1 - 4 (SIL)
Heaviness of
injury
Wie
schwer
Frequency
and/ or
duration of stay
Possibilities of
avoidance
light
heavy
often
rare
Hardly
possible
possible
Achievable safety level
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Specification according to EN ISO 13849: PLr a to PLr e
PL
r
b
PL
r
e
PL
r
a
PL
r
c
PL
r
d
Se1
Se2
Fr1
Fr1
Fr2
Fr2
P1
P2
P1
P2
P1
P2
P1
P2
Se1 Reversible injury
Se2 Irreversible injury
Se Severity of the injury
Fr1
Seldom up to quite
often / short
Fr2
Frequent up to
continuous / long
Fr
Frequency /
exposure time
P1 Possible
P2 Scarcely possible
P
Possibility of
avoiding
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Specification according to EN 62061: SIL 1 to SIL 3
2 More than 1 year
3 2 weeks to 1 year
4 1 day to 2 weeks
5 1 h to 1 day
5 Less than 1 hour
Fr
Frequency /
exposure time
1 Negligible
2 Rarely
3 Possible
4 Likely
5 Frequently
Pr
Probability of
occurrence
SIL 1 1
SIL 2 SIL 1 2
SIL 3 SIL 2 SIL 1 3
SIL 3 SIL 3 SIL 2 SIL 2 SIL 2 4
14 to 15 11 to 13 8 to 10 5 to 7 3 to 4
Class Cl = Fr + Pr + P Severity of the
injury Se
+
+
1 Likely
3 Possible
5 Impossible
P
Possibility of
avoiding
1 Reversible: E.g., requiring first aid
2 Reversible: E.g., requiring medical attention
3 Irreversible: E.g., broken limb(s)
4 Irreversible: E.g., losing limb(s)
Se Severity of the injury
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Requirements of the safety levels: Safety system
The requirements concern:
Engineering (depends strongly on the required safety level)
Procedure
Requirements for engineering: (low high safety level)
Hardware structure (one-channel two-channel)
Fault detection capability (none comprehensive
diagnostics)
Reliability of components (increasing)
Requirements for the procedure:
Project management
Test concept
Technical documentation,
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
c) Designing the safety function
Objective of the design
The safety system performing the safety function
must meet the requirements of the necessary safety level
(SIL, PL
r
).
Example
Safety function: When the protective cover is opened during
normal operation, the motor must be switched off.
Required safety level: SIL 3 or PL
r
e
Safety system
motor
Protective
cover
Subsystem 3:
Reacting
Subsystem 1:
Detecting
Subsystem 2:
Evaluating
or
Design
for SIL 3
or PLr e
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety system
motor
Protective
cover
Subsystem 1:
Detacting
Subsystem 2:
Evaluating
or
Subsystem 3:
Reacting
Design review
Can the required safety level (SIL, PL
r
) be achieved?
Basic procedure
Assessment of the individual subsystems
Achieved safety level (SIL, PL)
Probability of failure PFH
D
Assessment of the safety system
Achieved safety level (SIL, PL):
Normally, the lowest achieved safety level of a
subsystem determines the achieved safety level of the safety system.
D
: Total of PFH
D
of the subsystems
Achieved safety level of the safety system (SILCL, PL) =
required safety level of the safety function (SIL, PL
r
)?
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Assessment of the subsystems
Safety-relevant characteristics of a subsystem:
Achieved safety level (SILCL, PL)
D
Finished subsystem:
Characteristics and certificates from the
manufacturer
Designed subsystem:
Characteristics have to be calculated
EN 62061 and EN ISO 13849
show how
Subsystem 1:
Detecting
Subsystem 3:
Reacting
Subystem 2:
Evaluating
or
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
Step 3
Step 2
Step 1
3-Steps-Method
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Step 3: User information
User information warns of residual risks
User information does not replace
safe design
technical protective measures
Examples:
Warnings in the operating instructions
Special work instructions
Icons
Personal protective equipment
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Validation of the machine
Objective of the validation
Determination of the conformity (accordance) with the requirements
of
the European Machinery Directive
all other directives that apply to the machine
Implementation of the validation
For most machines:
Machine manufacturer
Machines listed in Annex IV of the Machinery Directive:
Machines with greater hazards (presses, )
The machine manufacturer has to call in an independent testing
agency and/or a certification body (examples: TV, BGIA).
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Placing the Machine on the Market
Prerequisites
Determination of conformity, within the scope of the validation
Technical documentation
Placing on the market
Issuing the declaration of conformity:
The machine complies with all relevant directives.
Attaching the CE mark on the machine
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Question:
What has to be considered, when designing safety related control
systems of a machinery?
Part 2: Practical implementation IEC 62061 and ISO 13849-1
Overview "functional safety
Core requirements
Practical implementation at an application example
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Functional safety
Safety require protection because of following hazards:
Danger by
malfunctions
Dangerous radiation
Heat and fire Electric shock
Functional safety means protection against dangers, which
caused by malfunctions.
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Worldwide:
Basic standard IEC 61508 (functional safety)
(Safety Integrity Level SIL)
Europe:
Harmonized standards
EN 954-1 (Categories) ( valid till 29.12.2009)
EN ISO 13849 (Performance Level PL)
EN 62061
(with identical SIL like IEC 61508)
IEC 61508 (SIL)
Nuclear
EN 61513
Machines
EN 62061
Functional Safety
Process
EN 61511
Sector standard
IEC
IEC
Basic standard
Previous regulations
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Influence of the IEC 61508 in the process and
manufacturing industry
IEC 61508
IEC 62061
ISO 13849
EN 954
(until 2009)
IEC 61511
process-
industry
Manufacturing industry
EEP systems
Factor also not-EEP
systems
(f.E. Hydr., Pneum)
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Environment
EN 954-1: 1996
EN ISO 13849-1: 2006
IEC 62061: 2005
identical to
EN 62061: 2005
Time
Irrespective of the application:
IEC 61508: 1998/2000
Functional safety of safety-related
electrical, electronic and programmable
electronic control systems
EN ISO 13849-1: 2006
Safety of machines
Safety-related parts of control systems
Part 1: General principles for design
EN 62061: 2005
Safety of machines
Functional safety of safety-related
electrical, electronic and programmable
electronic control systems
EN 954-1: 1996
Safety of machines
Safety-related parts of control systems
Part 1: General principles for design
Influences
IEC 61508: 1998/2000
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
EN 954-1:1996
harmonized under EU Mach. Dir.
only structure orientated
no programmable electronics
still valid up to the end of 2009
ISO 13849-1:2006
quantitative and structure
orientated
for control integrators and
manufactures
intended architectures for
electronics
also for hydraulics,
pneumatics
IEC 61508:1998/2000
recognized state-of-the-art
technology
for control and system
manufacturers
quantitative and structure oriented
IEC 62061:2005
harmonized under EU
Machine Directive
for controls integrators
quantitative and structure
orientated
uses PES acc. to IEC 61508
in extracts
Electromechanical devices
Further development of the basis standards
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Why new norms?
Points of criticism at the EN 954:
No direct connection between risk minimization and
category, the complexity is unconsidered,
No detailed requirements for programmable systems
and complex electronic,
No sufficient requirements for the consideration
of the values of the reliability
-> Does not represent the state of technology anymore
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
What is new about EN 62061 and EN ISO 13849?
Assessment of complete safety functions
(Overall view: Detecting evaluating reacting)
Requirements for the probability of failure (PFH
D
)
Requirements for the procedure
(project management, test concept, technical documentation, )
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Validity
Relevant standards for safety systems for machinery
2006 2007 2008 2009 2010
Machinery Directive 98/37/EC 2006/42/EC
EN ISO 13849-1
Transitional period: 3 years EN 954-1: 1996
EN 62061
Recommendation:
Immediate change from EN 954-1
to EN 62061 or EN ISO 13849
Predominantly electrical subsystems: EN 62061
Predominantly hydraulic, pneumatic devices: EN ISO 13849
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Concept
Functional safety
Control of dangers
failure during the operation
robust design
Avoiding of systematic
failure at the concept, production and
operation of the systems
robust process
Safety-lifecyle requirement
Technical design requirements of
safety-related functions
system architecture
failure probability
Requirements of planning processes
and methods
Functional safety management
From risk analysis until
deinstallation of safety-engineering
systems
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Summary
Functional safety
Control of dangers
robust design
mistakes at the concept, production
and operation of the systems
robust process
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Robust design quantitative requirements
NEW: Quantitative measure for the safety-related
efficiency (Safety Performance)
- a - 10
-5
to < 10
-4
e
d
b
c
PL
3
2
1
SIL
>1000 years
>100 years
>10 years
one dangerous
failure every X years
10
-8
to < 10
-7
10
-7
to < 10
-6
10
-6
to < 10
-5
PFH
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Robust design quantitative requirements
Requirements of the safety levels: Probability of failure
EN 62061 and EN ISO 13849 describe requirements for the maximum
permissible probability of dangerous failure for a safety function:
Probability of dangerous failure per hour PFH
D
The higher the safety level, lower the required PFH
D
PFH
D
decreases
10
-8
10
-7
10
-6
10
-5
10
-4
3*10
-6
SIL 3 PL
r
e
SIL 1
SIL 2 PL
r
d
PL
r
c
PL
r
a
PL
r
b
Not more than 1 dangerous failure
of the safety function in 10 years
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Robust design - qualitative requirements
IEC 62061:
The structure (architecture) of the subsystems must be suitable for
the demanded SIL (IEC 62061 / table 5.)
Example:
- to achieve SIL 2
with a single channel architecture (HFT = 0),
the rate of the safe failures must be (SFF) > 90%
ISO 13849-1:
The regulation of the PL bases on the categories from the
EN 954-1 (scheduled architectures )
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Successor of the EN 954-1 with quantitative
methods for evaluation
EN ISO 13849-1 (Successor of the EN 954-1 )
(Safety of machinery - safety parts of control systems
Part 1: General principles for design)
state: Version 2006
comment:
Treats electric and more
electronically systems also
hydraulics and pneumatics
PL
Performance Level
S
t
r
u
c
t
u
r
e
Cat
R
e
l
i
a
b
i
l
i
t
y
MTTF
D
D
i
a
g
n
o
s
i
s
DC
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
Verifying
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Sector norm under IEC 61508 with quantitative
methods for the evaluation of functional safety
IEC / EN 62061
Functional safety of safety related-electrical, electronic and
programmable electronic control systems
state: Version 01/2005,
harmonized under the EC
machine guideline 12/2005
comment:
Treats the integration of
safety relevant systems of
electrical and electronic
machines.
SIL
Safety Integrity Level
S
t
r
u
c
t
u
r
e
HFT
R
e
l
i
a
b
i
l
i
t
y
PFH
D
D
i
a
g
n
o
s
i
s
DC/SFF
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
Verifying
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Summary
Functional safety
Control of dangerous
robust design
mistakes at the concept, production
and operation of the systems
robust process
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Systematic safety integrity
Besides the "safety integrity of the hardware" the IEC 62061 also
looks at the "systematic safety integrity" ,this consists:
Avoidance of systematic faults
Control of systematic faults
Examples of systematic faults:
Fault in the specification of the SRCF
Fault at design of the hardware or the applications software
Short-circuit, wire break
No regulation regarding responsibilities
Organizational and technical measures have to be taken to avoid
and master systematic faults.
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Avoiding of systematically faults (management)
Implementation of the demand "Avoiding of systematic failures at
concept, production and operation of the system"?
Through the FSM (Functional Safety Management)
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Plan of the functional safety
Process for safety relevant projects
should be created first (activities, rolls,
documents, milestones etc.) !
Topic of the "process and quality
management"
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Recommendation: Project independent implementation of
the management of the functional safety
Analysis of the installed QM-processes (Gap Analysis)
QM
(ISO 9001)
FSM (IEC 62061)
Quality securing processes
Functional Safety Management
Common
requirements
Identification of the
coincidences
e.g. personnel training,
internal audits, document
steering, maintenance, fault
analysis etc.
Identification of the
coincidences
e.g. personnel training,
internal audits, document
steering, maintenance, fault
analysis etc.
Integration of the "Add
Ons" into the QM-
system and description
in a "Safety plan"
Integration of the "Add
Ons" into the QM-
system and description
in a "Safety plan"
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Plan of the functional safety
In cooperation with the quality management should be cleared at
least on the project level following points and be documented in
the plan of the functional safety :
Who has which responsibility in the project?
Which minimum qualification of the employees is required for
which tasks?
Which documents have to be available to assign the delivering
release?
Which verification and validation activities have to be carried out
in front of delivering release?
How is the configuration management defined?
How are modifications converted and checked?
Who cares about the product care?
.
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Software safety life cycle (V-model)
Safety
SW specification
System design
Module design
Coding
Module test
Integration test
Validation
Verification
Validation
Result
Specification of
the safety
functions
software
validated
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Avoiding systematic faults (technology)
Technical measures for the avoidance of systematic faults:
The SRECS shall be designed and implemented in accordance
with the functional safety plan
Correct choice, combination, orders, assembly and installation of
components
Use of the components within manufacturer specification
Use of subsystems that have compatible operating characteristics
(business boundary conditions must be known)
Acceptance according to manufacturer regulation
Consider foreseeable misuse, environmental changes or
modification
Over-engineering of the components
Support by Siemens
Application example
Functional safety
Overview
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Controlling of systematic faults
Technical measures for controlling of systematic faults :
Supervision during the operation (e.g. supervision of the
environmental temperature, voltage variation, electromagnetic
interference)
Tests by comparison at redundant hardware
At loss of the electrical supply no dangerous condition may
appear at the machine
Use of de-energization: the system shall be designed so that with
loss of its electrical supply a safe state of the machine is
achieved or maintained;

Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Example - cutting and stamping machine
Cutting -
machine
Stamping-
machine
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The 3-Step-Method (EN ISO 12100)
YES
NO
Renewed: Risk evaluation
For any endangering which requires a risk reduction:
End
start
YES
YES
NO
NO
Step 3: Risk reduction by user information about remaining risks
Was the risk reduced adequately?
Step 1: Risk reduction by a safe construction
Step 2: Risk reduction by technical protective measures
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Example of endangering (extract) to ISO 14121-1
Root
cutting parts
possible consequences
-cut
-cutting off
Root
moving parts
-crushing
-hit
-cropping
Root
gravitation
stability
-crushing
-trapping
Root
droping parts
-crushing
-hit
Root
moving parts (3
examples)
-feeding
-abraison
-hit
Root
approach one of part
moving towards a rigid
part
-crushing
-hit
endangering endangering
Chart A.2
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Risk analysis and risk assessment
Endangering
place
Endangering
place
Examples of mechanically endangering
Endangering
place
Endangering
place
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Endangering
place
Endangering
place
Define suitable safety functions and additional
protection measures
Gate
monitoring
Door
monitoring
Additional:
Emergency stop
function
Examples of not
constructively avoidable
risks
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Principle procedure

Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
b) Determination of the required safety level
Meaning of the required safety level:
The required safety level is a measure for the reliability of the
safety function.
The required safety level is dependent of:
Severity of the injury
Frequency / length of stay
Possibility for the avoidance
The heavier the possible injury, and the more probable the
occurrence, the higher is the required safety level.
EN 62061 and ISO 13849 show Methods, how the required safety
level can identified
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Requirements of the safety levels: Safety system
EN 62061 and EN ISO 13849 describe requirements
for the reliability of safety systems:
All phases of the lifetime of a machine are considered:
From planning
to shutdown
Increasing requirements
for the reliability
of safety systems
SIL 3 PL
r
e
SIL 1
SIL 2 PL
r
d
PL
r
c
PL
r
a
PL
r
b
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL assignment IEC 62061, annex A
Endangering place - cutting machine
Mode cleaning/maintenance
Document Nr.:
Part of:
Pre risk assessment
Intermediate risk assessment
Follow up risk assessment
Severity
Se Fr Pr
Death, losing an eye or arm 4 <= 1 h Very high 5
Permanent, losing fingers 3 > 1 h to ? 1 day likely 4
Reversible, medical attention 2 > 1 day to ? 2 weeks possible 3 5
Reversible, first aid 1 > 2 weeks to ? 1 year rarely 2 3
> 1 year negligible 1 1
Ser. Hzd Hazard
Nr. Nr.
Comments
Avoidance
Product:
Issued by:
Date:
Effects
Class
Cl
Frequency and
duration
5-7 8-10 11-13
Probability of hazardous
event
Av
5
Safe Safety measure
3
2
OM SIL 1 SIL 2 SIL 3
OM SIL 1
OM SIL 1 SIL 2 impossible 4
possible
likely
Se Fr Pr Av Cl
Risk assessment and safety measures
14-15 3-4
Danger of cutting Sliding door supervision 1 3 5 4 3 12 SIL2 + + + =
Frequency: >1 hour to 1 day
Probability: likely
leads to
Fr 5 and Pr 4
Avoidance: possible,
leads to
Av 3
Severity: permanent
(loosing fingers)
leads to
Se 3
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL assignment IEC 62061, annex A
Endangering place - cutting machine / stamping machine
Document Nr.:
Part of:
Pre risk assessment
Intermediate risk assessment
Follow up risk assessment
Severity
Se Fr Pr
Death, losing an eye or arm 4 <= 1 h Very high 5
Permanent, losing fingers 3 > 1 h to ? 1 day likely 4
Reversible, medical attention 2 > 1 day to ? 2 weeks possible 3 5
Reversible, first aid 1 > 2 weeks to ? 1 year rarely 2 3
> 1 year negligible 1 1
Ser. Hzd Hazard
Nr. Nr.
Comments
Avoidance
Product:
Issued by:
Date:
Effects
Class
Cl
Frequency and
duration
5-7 8-10 11-13
Probability of hazardous
event
Av
5
Safe Safety measure
3
2
OM SIL 1 SIL 2 SIL 3
OM SIL 1
OM SIL 1 SIL 2 impossible 4
possible
likely
Se Fr Pr Av Cl
Risk assessment and safety measures
14-15 3-4
1 Danger of cutting 3 5 4 3 12 Sliding Door supervision SIL2
2 Danger of squeeze 3 4 4 3 11 Door supervision SIL2
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Risk Parameter
S = Severity of injury
S1 = Slight (normally reversible) injury.
S2 = Severe (normally irreversible) injury including death.
F = Frequency and/or exposure time to the hazard
F1 = Seldom up to often and/or the exposure time is short.
F2 = Frequent up to continuous and/or the exposure time is long.
P = Possibility of avoiding the hazard or limiting the harm
P1 = Possible under specific conditions.
P2 = Scarcely possible.
a,b,c,d,e = Estimates of safety-related Performance Level
a
b
c
d
e
Required
Performance
Level (PL)
Low Risk
High Risk
Starting point for
risk reduction
estimation
F1
F2
S2
S1
F1
F2
P1
P2
P1
P2
P1
P2
P1
P2
Risk = function of:
Measure of
damages (S)
Frequency
and duration (F)
Possibility of
avoidence (P)
Risk graph in the EN ISO 13849-1
Endangering place - cutting machine
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Risk graph in the EN ISO 13849-1
Endangering place - stamping machine
Assessment according EN ISO 13849: PLr a bis PLr e
PL
r
b
PL
r
e
PL
r
a
PL
r
c
PL
r
d
S1
S2
F1
F1
F2
F2
P1
P2
P1
P2
P1
P2
P1
P2
S1 Reversible injury
S2 Irreversible injury
S
Severity of
injury
F1 Seldom / shortly
F2 Frequent
F
Frequency /
Exposure
P1 Possible
P2 Rarely
P Avoidance
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Supplementary protective measure "emergency hold"
The MRL 2006/42/ EC demands:
Which drives have to be stopped/with which SIL/PL?
Answer by endangering and risk evaluation
Fixed for the application example:
Two drives (the most unfavorable case.)
SIL 2 / PLd (konservative)
Note: Measures to disengage are described as "supplementary protective
measures"
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Distinction E-stop need E -hold EN 60204
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Shutdown (for emergency) acc. EN 60204-1
c
no Torque
full Torque
Controlled
shutdown
Controlled
shutdown
Activation
Stop-orderl
coast-down
n
n
t
Stop-category 0
n
n
t
Stop-category 1
n
n
t
Stop-category 2
shutdown of an
bounddrive
Application example:
shutdown of an extruder
Application example :
shutdown of an bound drive
Application example :
Hoist
(no sag down of the
charge)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safe shutdown according to IEC 61800-5-2:
STO, SS1, SS2
n
n
t
Activation
Safe Shutdown
n
n
t
n
n
t
Defined braking
ramp
Defined braking
ramp
Safe Operating Stop
Safe Torque Off t
t
Safe Torque Off
Safe Stop 1
Safe Stop 2
Galvanic
isolation
from the net
is not
required!
Safe Torque Off
full Torque
Stop-categorie 0
Stop-categorie 1
Stop-categorie 2
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Principle procedure

Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Specification of the safety function
Boundary conditions of machine for the safety function
Endangering at the machine which shall be prevented
Concerned operating modes of the machine when active
Reaction time
Production cycle time
Mission time
...
Functionality of the safety function
Functional description of the safety function
Required safety performance
Reset function
Priority if different safety functions can be active
Reaction to faults
Frequent of operation

Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Principle procedure

Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Structuring elements of the system architecture
A "safety function" is executed by a "system".
A "system" is combined of "subsystems".
A "subsystem" consists of "subsystem elements"
system subsystems subsystem elements
Detect
Evaluate React
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Concept of the safety function
Aim of the concept
The safety system which executes the safety function
must fulfill the requirements of the required safety level
(SIL, PLr).
Example
Safety function : If the protective hood is opened in the normal
mode, then the engine must be turned off.
Demanded safety level: SIL 2 or PL
r
d
safety system
motor
protective
hood
Subsystem 3:
react
Subsystem 1:
Detecting
Subsystem 2:
evaluation
or
concept
for SIL CL 2
or PLr d
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety system
The principle of security systems
A safety system always consists of components to:
Detecting Reacting
SIRIUS contactors
SIRIUS motor starters
SIRIUS compact starter
SINAMICS G120/G120D
SINAMICS S120
SIRIUS position switches
SIRIUS signal columns
SIRIUS EMERGENCY STOP
buttons
SIRIUS zero-speed relays
SIMATIC FS light curtain
SIMATIC FS laser scanner
ASIsafe safe modules
Evaluating
SIRIUS
safety switching devices
SIRIUS
modular safety system
ASIsafe safety monitor
SIMATIC
fail-safe controllers
SIMATIC ET 200S, ET 200pro
SIMATIC
Mobile Panel 277F IWLAN
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety functions and
supplementary protective measures
Safety functions after risk analysis:
Cutting machine:
Door monitoring with
immediately stop
Stamping- machine
Door monitoring with
immediately stop
Supplementary protective measures:
Emergency Stop - central
Emergency Stop - local at cutting machine
IM 151-8F PN/DP CPU
6ES7 151-8FB00-0AB0
PM-E DC24V..48V AC24..230V
6ES7 138- 4CB11-0AB0
P15S23-A0 6ES7 193- 4CD20-0AA0
4 F-DI/3 F-DO DC24V/2A PROFIsafe
6ES7 138-4FC01-0AB0
6 2
3 7
4 0 1 1
5 1 1
6 2 1 1
9 31 5 1
8 4E30S44-01 6ES7 193- 4CG20-0AA0
8DI DC24V
6ES7 131- 4BF00-0AA0
E15S24-01 6ES7 193- 4CB20-0AA0
8DO DC24V/0.5A
6ES7 132- 4BF00-0AA0
E15S24-01 6ES7 193- 4CB20-0AA0
Cutting-
machine
Stamping-
machine
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety functions
Door supervision Cutting machine
Door supervision Stamping- machine
Detecting evaluation react
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Supplementary protective measures
Emergency hold (local & central)
Stamping- machine and Cutting machine
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety related control systems
1.1 2 3.1
1.2
2 3.1
2 3.2 1.3
1.4
2
3.2
3.1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety related control system
2
3.1
3.2
1.1
1.2
System, S
Subsystem, TS
Subsystem element TSE
1.3
1.4
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Principle procedure
Part 3: SIL/PL-Verification
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety of Machinery /
Question:
How can the safety-related reliability of the system be determined?
Part 3: Verification
Assessment according to ISO 13849 (PLr)
Assessment according to IEC 62061 (SIL)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Thank you for your attention!
IEC 62061
ISO 13849-1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
index 7 Simplified procedure to evaluate the PL achieved by SPR/CS
none none
low
medium low medium high
a
b
not
covered
not
covered
not
covered
low
medium
high
MTTFd of each channel
The identification of performance levels (PL) according to ISO 13849
The identification of the performance levels from category, DC and MTTF
d
Within the two norms different methodology is used for the assessment of a safety
function, but the results can be convicted into each other.
Simplified method to the assessment of the PL reached by a SPR/CS:
3 years
10 years
30 years
not
covered
not
covered
Category
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PL according to EN ISO 13849-1
PL
Performance Level
S
t
r
u
c
t
u
r
e
Cat
R
e
l
i
a
b
i
l
i
t
y
MTTF
D
D
i
a
g
n
o
s
i
s
DC
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Categories
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PL
Performance Level
S
t
r
u
c
t
u
r
e
Cat-
gory
R
e
l
i
a
b
i
l
i
t
y
MTTF
D
D
i
a
g
n
o
s
i
s
DC
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
MTTFd
MTTF
d
: Average of operating time without
dangerous failure for each channel of the control
MTTFd is a static average and
not a rated economic life-time
30 Jahre MTTF
d
100 Jahre hoch
10 Jahre MTTF
d
< 30 Jahre mittel
3 Jahre MTTF
d
< 10 Jahre niedrig
Wertebereich MTTF
d
Bezeichnung
Denotation
Range of values MTTFd
low
medium
high
3 years MTTFd < 10 years
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Definition of MTTF and MTBF
MTTF: Mean time to failure:
Mean time before a fault occurs
ISO 13849, MTTF = MTBF + MTTR
Mean Time Between Failure, Mean Time To Repair
MTBF>>MTTR, MTTR can be ignored
MTBF values for SIMATIC components are
available in the Internet
SFF: Safe Failure Fraction
Fault detection rate in %
(
S
+
DD
) / (
S
+
D
)
S: Safe, D: Dangerous, DD Dangerous Detected
Corresponds indirectly to the DC value
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
MTTFd
Hierarchical procedure for the determination of the MTTFd:
1. Use of the manufacturer's indications
2. Application of the methods in the appendix C and D
3. Chose 10 years
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
MTTFd (After annex C)
If the requirements from C.2 are fulfilled, the MTTFd or B10d
value can be intended for a component after table C.1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
MTTFd (After annex C)
Calculation of the MTTFd for components from B10d
B10d value: 10% of all equipment have failed dangerously
n
op
: Number of activity cycles per years
h
op
: Operation hours per day [h/d]
d
op
: Operation days per years [d/y]
t
cycle
: Mean time between two activity cycles
[s/cycle]
Operating timeT10
d
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Siemens norm SN 31920
Table referring to
the ISO 13849-2 (annex D) (EN 954-2)
the ISO/FDIS 13849-1:2005 (annex C)
the EN 62061 (annex D, Failure type of electrical/electronic components)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Analysis of the sensor circle 1.1 position switch
n
op
= ( (365
days
x 24
h
x 3600 ) / 28800 = 1095
MTTF
d
= ( 1.000.000
operating cycle
/ 0,2
dangerous failures
) / 0,1 x 1095 n
op
= 45662 years
The MTTFd of every channel of the position switch is therefore "high" (> 30 years)
B10 = 1.000.000 with part of dangerous failures 20%
B10
d
= B10/ 0,2
dangerous failures
It will be worked 365 days per year and 24 hours per day
T
cycle
= every 8 hours 28800 sec.
hop, The average of operation hours per day [h/d]
dop, The average of operation days per year [d/y]
tcyle, The mean time between two operation cycles [s{cycle]
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PL
Performance Level
S
t
r
u
c
t
u
r
e
Cate-
gory
R
e
l
i
a
b
i
l
i
t
y
MTTF
D
D
i
a
g
n
o
s
i
s
DC
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Diagnostic Coverage (DC)
The diagnostic coverage (DC) is the ratio
of the failure rate of the recognized dangerous
failures to failure rates of all dangerous failures
DC< 60% no
99% DC 100% high
90% DC< 99% medium
60% DC< 90% low
Range of DC
Denotation
DD
DD DU
DC

DD
DU
S
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The specification diagnostic coverage DC (EN ISO 13849-1:2006)
4.5.3 Diagnostic coverage (DC) page 18
The value of the DC is given in four levels (see Table 6).
For the estimation of DC, in most cases, failure mode and effects analysis (FMEA,
see IEC 60812) or similarmethods can be used. In this case, all relevant faults and/or
failure modes should be considered and the PL of the combination of the SRP/CS
which carry out the safety function should be checked against the required
performance level (PLr). For a simplified approach to estimating DC, see Annex E.
table 6
diagnostic coverage (DC)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Diagnostic coverage (DC) for function and modules
annex E informative (EN ISO 13849-1:2006)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PL
Performance Level
S
t
r
u
c
t
u
r
e
Cate-
gory
R
e
l
i
a
b
i
l
i
t
y
MTTF
D
D
i
a
g
n
o
s
i
s
DC
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Common cause failure (CCF)
Annex F: Estimate of the failures due to CCF
This quantitative process should be used for the complete system.
Every part of the safety-related parts of the control should be taken
into account especially 2 channel architectures Cat. 2-4
The table F.1 list measures and contains associated values,
based on an engineer-like judgement, which represent the
contribution each measure makes in the reduction of common
cause failures.
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Method to estimate common cause failure (CCF)
annex F.1 informative (EN ISO 13849-1:2006)
(Max
accessibl
e 100%)
e. g. by use
of:
EN 60204
IEC 61664
FMEA
Analysis
total points
65% or better
less than 65%
measures to avoid CCF
Requierments achieved
Process failed ->
Choose of additional
measures
1.summ up
the points
2.
Requierments
achieved?
X
X
X
X
X
X
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Look at lecture no. 2 / robust processes
PL nach EN ISO 13849-1
PL
Performance Level
S
t
r
u
c
t
u
r
e
Cate-
gory
R
e
l
i
a
b
i
l
i
t
y
MTTF
D
D
i
a
g
n
o
s
i
s
DC
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PFH and corresponding PL or MTTFd with DC
annex K informative (EN ISO 13849-1:2006)
The calculated MTTFd can be transferred to an adequate PFH value
low
medium
high
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PL verification of the individual safety functions
1.1 2 3.1
1.2
2 3.1
2 3.2 1.3
1.4
2
3.2
3.1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Emergency
hold
Door supervision with
magnetic switch
Door supervision
Position switch with a
separate actuator
Door supervision
Recommended solution
Connection according to Cat. 3 to EN 954-1,
PL d according to EN ISO 13849-1
and SIL 2 according to EN 62061
*
Emergency hold control units are
manufactured according to EN ISO 13850
and can despite mechanical one-channel
design in safety technical applications
used for Cat. 3, PLd and SIL 2 There are
no . There are no structural restriction at
the emergency-hold / emergency-stop.
or or
ASIsafe
safety monitor
3TK28 F-CPU
or
MSS
* The break of the actuator must be
impossibly to fulfill PL d, SIL 2and
category 3. For Measures see DIN
VDE 0113. This fault exclusion is
possible only at position switches with
a separate actuator.
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
index 7 Simplified operation to rating by a SPR/CS achieved PLSafety-
none none
low
medium low medium high
a
b
not
masked
not
masked
not
masked
not
masked
not
masked
low
medium
high
MTTFd of each
Channel
The regulation of the performance levels (PL) to ISO 13849
Appointment of performance levels of category, DC and MTTFd. Within either
norms there will be a different method used for rating of safety functions, but the
results can be transfered into each other. Simplified operation to rating by a
SPR/CS achieved PL.
3 years
10 years
30 years
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Required measures
n
op
= ( (365
days
x 24
h
x 3600 ) / 28800 = 1095
MTTF
d
= ( 1.000.000
operating cycle
/ 0,2
dangerous failures
) / 0,1 x 1095 n
op
= 45662 years
The MTTFd of every channel of the position switch is therefore "high" (> 30 years)
B10
d
= B10/ 0,2
dangerous failures
It will be worked 365 days per year and 24 hours per day
T
cycle
hop, The average of operation hours per day [h/d]
dop, The average of operation days per year [d/y]
tcyle, The mean time between two operation cycles [s{cycle]
Construction is carried out into category 3
DC is required with 90% as medium
CCF is regarded accordance to annex F and must be complied.
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Reihenschaltung
Beispiel NOT-HALT und Schutztrberwachung
1. 2. 3.
Categorie ?
PL ?
SIL ?
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Sensor connection according DC
Testing pulses for
short-circuit detection
F-DI
Two channel
Discrepancy assessment
No short-circuit detection
DC 90%
P* P*
short-circuit
detection
* Internal sensor supply can also be used
Two channel
Short-circuit detection
DC 99%
Two channel antivalent
DC 99%
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The DC is defined as medium with 90%
The CCF has to be considered acc. to annex F and must be fulfilled.
The mounting proceeds in category 3
n
op
= ( (365
days
x 24
h
x 3600 ) / 86400 = 365
MTTF
d
= ( 100.000
operating cycle
/ 0,2
dangerous failures
) / 0,1 x 365 n
op
= 13698 years
So the MTTF
d
of any Channels from the E-STOP is high.(> 30 years)
Analysis of the sensor circle 1.2 emergency hold local (trick unlocked)
B10 = 100.000 with part of dangerous failures 20%
B10
d
= B10/ 0,2
dangerous failures
It is worked per annum 365 days and 24 hour on each the day
T
cycle
= 1x per day 86400 sec.
hop, The average of operating time in hours per day [h/d]
dop, The average of operating time within days per annum [d/y]
tcyle, The one average of the period of time between two activity cycles [s{cycle]
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
n
op
= ( (365
days
x 24
h
x 3600 ) / 3600 = 8760
MTTF
d
= ( 1.000.000
operating cycle
/ 0,2
dangerous failures
) / 0,1 x 8760 n
op
= 5707 years
So the MTTF
d
of any Channels from the position switch is high.(> 30 years)
Analysis of the sensor circle 1.3 position switches
B10
d
= B10/ 0,2
dangerous failures
T
cycle
= 1x per hour 3600 sec.
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
n
op
= ( (365
days
x 24
h
x 3600 ) / 28800 = 1095
MTTF
d
= ( 100.000
operating cycle
/ 0,2
dangerous failures
) / 0,1 x 1095 n
op
= 4566 years
So the MTTF
d
of any Channels from the E-STOP is high.(> 30 years)
Analysis of the sensor circle 1.4 emergency hold central (trick unlocked)
B10 = 100.000 with part of dangerous failures 20%
B10
d
= B10/ 0,2
dangerous failures
T
cycle
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Failsafe module PROFIsafe - Failsafe controller
4 F-DI/ 3F-DO
SILCL
2.1
= 2 -> PL
d
PFH
D2.1
= 1,0*10
-8
SILCL
2.3
= 3 -> PL e
PFH
D2.3
= 3,62*10
-10
SILCL
SRP/CS 2.x
>= SIL SRP/CS 2
2 ; 3 ; 3 >= 2 -> PL d
PFH
D2.1
+ PFH
D2.2
+ PFH
D2.3
= PFH
D 2
= 1,14 * 10
-8
F-CPU
PROFIsafe
SILCL
2.2
= 3 -> PL e
PFH
D2.2
= 1,00*10
-9
communication
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PFH / PFD The technical
data evaluate for Simatic assemblies
http://support.automation.siemens.com/WW/view/de/27832836
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
n
op
= ( (365
days
x 24
hour
3600 ) / 3600 = 8760
MTTF
d
= ( 1.000.000
operating cycle
/ 0,75
dangerous failures
) / 0,1 x 8760 n
op
= 1522 years
So the MTTF
d
of any Channels from the contactors is high.(> 30 years)
Analysis of the actor circle 3.1 and 3.2 contactors
B10
d
= B10/ 0,75 dangerous failures
T
cycle
= every hour 1x 3600 sec.
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Analysis of the actor circle 3.1 and 3.2 contactors
Electronic-contact - M
Electronic
contact - P
Power circuit > 24V
F-DO
DI
Feedback monitoring within the
safety controller
Cross monitoring
DC 90%
Direct monitoring
DC 99%
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
low
medium
high
Table (annex K)
for the determination of PFH value
1522 years
PFH-value for contactors & position switches
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety functions Door supervision
Cutting machine
Detect Evaluate React
Required safety integrity
+
+
PL d
PFH 1,14 * 10
-8
Cat. 3
MTTF high
DC medium
CCF >65
Cat. 3
MTTF high
DC medium
CCF >65
Pl = d/ Kat. 3; DC = 90;
MTTF = 45662 years
PFH
1.1
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.1
= 4,29E-8
Pl = d
PFH
SF1
= 9,72E
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Results
Pl = d/ Kat. 3; DC = 90;
MTTF = 45662 years
PFH
1.1
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.1
= 4,29E-8
Pl = d
PFH
SF1
= 9,72E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 13698 years
PFH
1.2
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.1
= 4,29E-8
Pl = d
PFH
SF2
= 9,72E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 5707 years
PFH
1.3
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.2
= 4,29E-8
Pl = d
PFH
SF3
= 9,72E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 4566 years
PFH
1.4
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.1/3.2
= 8,58E-8
Pl = d
PFH
SF4
= 1,40E-7
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Results
Pl = d/ Kat. 3; DC = 90;
MTTF = 45662 years
PFH
1.1
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.1
= 4,29E-8
PL = d
PFH
SF1
= 9,72E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 13698 years
PFH
1.2
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.1
= 4,29E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 5707 years
PFH
1.3
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.2
= 4,29E-8
PL = d
PFH
SF3
= 9,72E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 4566 years
PFH
1.4
= 4,29E-8
SIL = 2; SFF = >90
PL = d; SIL CL = 2
PFH
2
= 1,14E-8
Pl = d/ Kat. 3; DC = 90;
MTTF = 1522 years
PFH
3.1/3.2
= 8,58E-8
PL = d
PFH
SF4
= 1,40E-7
PL = d
PFH
SF2
= 9,72E-8
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Simplified quantification of the PL for a safety function with Parts Count
Sensor circuit:
MTTF
d
= 850 years; DC-value is low with 99%
Actuator circuit:
MTTF
d
= 56 years; DC-value is high with 99%
333
1
1250
1
MTTF
1
D
52,54 MTTF
D

1) Creation of DC
avg
Sensor/ Actuator = ?
x
% 99 DC
DC
avg
56
1
850
1
56
0,99
850
0,99
avg
Sensor circuit & Actuator circuit:

MTTF
d
= 52,54 years high; DC-value with 99% high PL e
with
for each
component
2) Creation of MTTFd Sensor/ Actuator of each channel = ?
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The regulation of the performance levels (PL) to ISO 13849 ( table 11)
The check of the complete PL for the series connection of SRP/CS
> 3 x PL e
result = PL d
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
IEC 62061
ISO 13849-1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
A "safety function" is executed by a "system".
A "system" is combined of "subsystems".
A "subsystem" consists of "subsystem elements"
system subsystems subsystem elements
detecting
evaluation react
complet SIL = ?
SIL subsystem 1 = ? SIL subsystem 2 = ? SIL subsystem 3 = ?
Bases of the SIL-verification
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL
SIL
S
t
r
u
c
t
u
r
e
HFT
R
e
l
i
a
b
i
l
i
t
y
PFH
D
D
i
a
g
n
o
s
i
s
DC/SFF
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Structural restrictions
The structure (architecture) of the subsystems must be
suitable for the demanded SIL. The following factors
influence the suitability:
HFT: Hardware Fault Tolerance
the ability of a hardware component to execute a
demanded function at existence of faults or deviations
further
HFT = N means, that N +1 hardware problems the loss
of the security function imply
SFF: Safe Failure Fraction
Proportional part of the safe recognized failures
( S + DD) / ( S + D)
S: Safe, D: Dangerous, DD: Dangerous Detected
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL 1 (s. Corrigendum)
Structural restrictions : SIL CL SFF (table 5)
SFF
HFT
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Assessment of the functional safety
SIL claim limit, SIL CL
SIL
CL
, SIL-Claim limit
The SILCL of every subsystem of the safety function (SRCF)
must at least correspond to the demanded SIL (after danger
analysis) of the SRCF (similar as categories at EN954).
SIL CL
subsystem
>= SIL CL
SRCF
The architecture of the subsystems also must be suitable for the demanded SIL, for
example subsystem with/without redundancy or with/without diagnosis.
subsystem, TS
SIL CL
3.1
=
?
SIL CL
1.1
=
?
SIL CL
2
= ?
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SFF of subsystems
detecting Position switch with tumbler1.1
Simple subsystem, i.e. simple analysis of the failure type
(annex IEC 62061)
- Contact does not open
Dangerous
Detection by diagnosis
- Contact does not close
safe
- DC >= 90 SFF>= 90% HFT = 0
Because of fault exclusion (Break of the actuator) -> HFT 1
According to the table 5 arises
- SFF >90% and HFT =1 SIL CL = 3
- The fault exclusion at the mechanical part leads to the max. limitation
on SIL CL 2
Note: According to IEC 61508 at certified components the SIL CL is given.
Manufacturer's indications at configuration and wiring have to be taken into account
1.1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Structural restriction: SIL CL - SFF (table 5)
of SFF
contingent
safer failures
SIL 3
(see comment 2)
Hardware fault-tolerance (see comment 1)
COMMENT 1: A hardware fault-tolerance of means that +1 error
could conduct to a loss of SRCF.
COMMENT 2: A SIL 4-border of claim will be not treated at this norm. For
SIL 4 see IEC 61508-1
COMMENT 3: exception see 6.7.7.
Not allowed
(see comment 3)
SIL 3
(see comment 2)
SIL 3
(see comment 2)
Table 5 structural controls of subsystems: maximal take on claimable SIL for a
SRCF, which is used by this subsystem
necessary for a subsystem with
HFT = 0 and elimination of errors is:
EXCEPTION:
SIL CL SIL 2
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Mixed module, F-communication and F-CPU
4/8 F-DI/ 3F-DO
SIL CL
2.1
= 2
PFH
D2.1
= 1,0*10
-8
SIL CL
2.3
= 3
PFH
D2.3
= 3,62*10
-10
SIL CL
subsystem 2.x
>= SIL CL
subsystem 2
2; 3; 3; >= 2
F-CPU
PROFIsafe
SIL CL
2.2
= 3
PFH
D2.2
= 1,00*10
-9
Communication
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SFF of the subsystems
Reacting contactor 3.1 and 3.2
Simple subsystem, i.e. simple analysis of the failure type (annex K
IEC 62061)
- Contact does not open
dangerous
detecting by diagnosis in F CPU
- Contact does not close
safe
- DC >= 90 SFF>= 90% HFT = 1
According to the table 5 arises
- SFF >90% und HFT =1 SIL CL = 3
3.1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Assessment of the function-related safety
after SIL claim limit, SIL CL
subsysteme, TS
SIL CL
1.1
=
2
SIL CL
2
= 2
SIL CL
3.1
=
3
SIL CL = 2
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL
SIL
S
t
r
u
c
t
u
r
e
HFT
R
e
l
i
a
b
i
l
i
t
y
PFH
D
D
i
a
g
n
o
s
i
s
DC/SFF
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
MTTF values and general approach
The failure rate lambda
The failure rate has the dimension 1/time unit, e.g. 1/h
For construction elements often used the notion FIT (failures in time).
This describes a failure rate related to a corresponding "time base" (of
109 hours):
A so-called constant failure rate can be started out
from for a particular time period only.
failure rate
Early failures
Phase with a constant failure rate Late failures
time t
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Harmless and dangerous failure rate in
accordance to DIN EN 62061
The failure rate () gets together from harmless/safe (
S
) and
dangerous failures (
D
) together:
=
S
+
D
s = safe, d = dangerous
or
D
= [part of dangerous failures in %] x
S
= [part of harmless failures in %] x
It is mainly looked at the dangerous failure rate
in the safety engineering.
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The probability of failure
A (mathematical) distribution function of the probability of failure
gives up from the failure rate:
F(t) = 1 exp (- t), with as failure rate.
One also describes the mean average value of this exponential distribution:
At components could not been repaired as the middle life time MTTF
(Mean Time To Failure; 63,2% of the components fallen out until middle life
time MTTF);
at repairable components as a middle operating time
between two failures MTBF
( Mean operating Time Between Failures).
Technical statistics
MTTF = 1 /
The MTTF is a statistical mean average value,
however no guaranteed life time!
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The probability of failure
according to DIN EN 62061
The probability of failure is looked at based on the failure rate at any hour of the life
time of the component:
PFH
D
probability of dangerous hardware failure
The calculation is derived directly from the failure rate:
PFH
D
=
D
x 1 h[without dimension]
high demand or continuous mode
Mode in which the frequency of requirements on a SRECS more than once per year
amounts or the frequency of the requirements more greatly is as the double
frequency of the proof test.
SRECS: Safety-Related Electrical Control Systems
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
PFH estimation for electromechanical components
d
Rate of dangerous failures [1/h]
Reciprocal value of the time until the
dangerous failure (MTTFd)
d = 1 / MTTFd
= 1 / MTTF (mainly)
Restrictions see IEC 62061
PFH = d 1h; = 1/MTTF
IEC 62061,
6.7.8.2.1
IEC 62061,
6.7.8.2.1
detection
PFH subsystem 1 = ?
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
B10 value for electromechanical components
according to DIN EN 62061
The failure rate for electromechanical components is
defined with the B10 value.
The B10 value is expressed in number of operating cycles:
The number of operating cycles within a life time test,
after 10% of the components have been failed.
According to EN 62061:
= 0,1 x C / B10
with C = operation cycle in hour
The failure rate must be calculated on base of
operation cycle.
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Electromechanical components
= 0,1*C/B10
d = * part of dangerous failures
B10: Number of operation cycles after which 10% of all equipment have failed
C: operation cycle per hour
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Example application
Subsystem element: Single Contact
Dangerous failure rate,
D
[1/h]
D
= 0.1 x C / B10 x (Contingent of dangerous failure
rate)
B10: Amount of switching cycles
-> Information of component manufacturer:
B10 = 1.000.000
Rate of dangerous failures fuse of contacts
-> Information of component manufacturer = 75%
C: Operating Cycles
-> Information of machine manufacturer:
C = 10 times per hour / h
D
= 7,5 x 10
-6
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
4 Base subsystem architectures
One fault tolerance without
diagnostic function(s)
One fault tolerance with
element 1
element n
subsystem
PFH=?
Zero fault tolerance without
diagnostic function
Zero fault tolerance with
diagnostic function
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Designated architectures and basic subsystem
architectures are comparable
Category 3/4 designated architectures
Basic subsystem architecture D
I1
I2
L1
L2
O1
output signal
O2
monitoring
sensor logic contactor
output signal
monitoring
input signal
input signal
monitoring
Basic subsystem architecture D
subsystem element 1
De1
subsystem element 2
De2
common cause failure
D
= ( 1 )2 {[
D11

D12
( DC
11
+ DC
12
) T2 / 2 ] + [
D11

D12
( 2 - DC
11
- DC
12
) T1 / 2 ]} + (
D11
+
D12
) / 2
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Some definitions
for abrasion afflicted, electro mechanical elements
Failure probability of a subsystem with 1-channel architecture:

D
=
Di
without diagnosis

D
=
D1
( 1 - DC
1
) with diagnosis
Failure probability of a subsystems with redundant architecture:

D
= ( 1 )
2
{[
D11

D12
( DC
11
+ DC
12
) ] T2 / 2 +
[
D11

D12
( 2 - DC
11
- DC
12
) ] T1 / 2} + (
D11
+
D12
) / 2
Failure probability of a Subsystems with even Subsystem elements of
a redundant architecture:

De
=
D11
=
D12
DC
e
= DC
11
= DC
12

D
= ( 1 )
2

De
2
{[ DC
e
T2 ] + [ (1 DC
e
) T1 ]} +
De
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
One fault tolerance with diagnostic function(s)
homogeneous structure
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Definition
Rate dangerous failures:
= 1/MTTF (electronic component)
= 0,1*C/B10 (electromechanical components)
DC: Diagnostic Coverage
Diagnostic Coverage in %
DD /Dtotal
Specification by machinery manufacturers
CCF or -factor: Common Cause Failure
Fault in result of a common cause
By analysis of the realization established
Question list from IEC 62061, annex F
T2: Diagnosis test interval
Time interval between two function tests
Operation interval at electromechanical
components
T1: Proof test interval
Time interval between two tests
Proof "virgin state"
Given for certified safety products.
Otherwise parameter to adjust Lambda
value
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Method to estimate CCF- Factor
annex F informative (EN 62061)
CCF-factor : common cause failure
Defined through machine manufacturer after total points from the
application assessment according to some special criteria.
criteria: separation/isolation
diversity / redundancy, complexity/ application
assessment / analysis, competence / training and
environment monitoring
Possible values are 0,1 to 0,01
e.g. total points, = 0,1
conservative assumption
X
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
CCF or : Common Cause Failure
By reflection of the realization detected
Question lists out of IEC 62061 or ISO 13849 (rev)
An failure, which is the result from one or more events, which cause the failure of two or
more seperate channels in a subsystem (redundant architecture) and leads to a failure of
a SRECS at the same time.
Measure against it is e.g. a protected transfer
Specification by machinery manufacturers (e.g. by evaluation of the tables F1 and F2.)
The CCF factor worsens the PFHD value!
Reasons for CCF:
Surroundings: Temperature, dampness, vibration, shock, corrosive substances
Power supply: Voltage drops, voltage fluctuations, transient voltage , voltage blackout
EMV: Interference immunity opposite magnetic fields, electromagnetic fields and
electrostatic discharges
Software: Identical algorithms,
only must be intended for redundant architectures, (.architecture type C and D)
Explanation CCF-factor and regulation
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
DC Diagnostic Coverage
DC: Diagnostic Coverage ( dd / d)
Diagnostic Coverage in % from 0 to 99 %
"Approval of the probability of dangerous hardware failures which results
from the execution of the automatic diagnostic tests."
Example: Two position switches are controlled on discrepancy; this failure
is uncovered as soon as one is faulty DC = 0,99 (or 99%)
Procedure to the assessment of the DC value
execution of a fault analysis - fault tree analysis or FMEA for every subsystem
regulation of the failure rates s, D, DD and DU (on basis of the IEC 61508)
calculation of the diagnosis funding ratio
if necessary determination of the SFF part

DD

DD
+
DU
DC
AVG
=
The diagnostic coverage (DC) is the ratio of the failure rate of the
recognized dangerous failures to the failure rates of all dangerous failures
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Estimate of the diagnostic coverage (DC) for function and modules
Tabelle E.1 (fortgesetzt)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
T1, T2
Proof test interval T1
Time interval between two subsystem tests
influences the lambda value of the subsystem
Can be defined by subsystem manufacturer
Test interval T2
Time interval between two function tests
for uncovering failures
Can be replaced with the number of switching cycles and corresponds so
to the operation cycle of the electromechanical component.
Specification by machinery manufacturers (operation manual)
At mechanical components e.g. 1 year about a forced dynamic sampling
1
C
T2 =
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Verification of the individual safety functions
1.1 2 3.1
1.2
2 3.1
2 3.2 1.3
1.4
2
3.2
3.1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Subsystem element
subsystem
Failure coverage
through comparison
in F-SPS
rate of dangerously failures
Dangerous faults: "Contacts do not open = 20%
D
= 0.2 x
Homogeneous redundancy (the same machine)
1
=
2
= ; DC
1
= DC
2
= DC
Failure coverage ratio (at comparison in F-SPS)
DC = 90%
Common Cause Failure
CCF: 10% (conservative worst case value)
Time-related failure rate
C: Switching rate in [1 / h]
= 0.1 x C / B10
B10: Manufacturer's indication
B
10
: 100.000
C : all 8 hours
Diagnosis support:
Manufacturer's indications
DssD = (1 )
2
{[ De
2
* 2 * DC ] * T2/2 + [ De
2
* (1 - DC) ] * T1} + * De
PFHDssD = DssD * 1h 2,51 E-9
test Intervals
T1: 20 years (Manufacturer detail)
T2: all 8 h (Evaluation in user software)
SIL CL = 3
Analysis of the sensor circle 1.4 emergency hold central (trick unlocked)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
The Excel table for calculation
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Verification with a Siemens tool after HMI 2009
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
subsystem element
subsystem
Failure coverage
through
comparison in F-
SPS
D
= 0.75 x
1
=
2
= ; DC
1
= DC
2
= DC
DC = 90%
= 0.1 x C / B10
B
10
: 1.000.000
C : every 8 hours (0,125)
Diagnosis support :
DssD = (1 )
2
{[ De
2
* 2 * DC ] * T2/2 + [ De
2
* (1 - DC) ] * T1} + * De
test Intervals
SIL CL = 3
consideration of actor circles 3.1 contactors (3.1 = 3.2)
3.1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Mixed module, F-communication and F-CPU
4/8 F-DI/ 3F-DO
SIL CL
2.1
= 2
PFH
D2.1
= 1,0*10
-8
SIL CL
2.3
= 3
PFH
D2.3
= 3,62*10
-10
PFH
D2.1
+ PFH
D2.2
+ PFH
D2.3
= PFH
D 2
= 1,14 * 10
-8
F-CPU
PROFIsafe
SIL CL
2.2
= 3
PFH
D2.2
= 1,00*10
-9
Communication
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Results
SIL CL = 2
PFH
1.1
= 2,50E-10
SIL CL = 2
PFH
2
= 1,14E-8
SIL CL = 3
PFH
3.1
= 7,58E-9
SIL CL = 2
PFH
SF1
= 1,92E-8
SIL CL = 3
PFH
1.4
= 2,51E-9
SIL CL = 2
PFH
2
= 1,14E-8
SIL CL = 3
PFH
3.1
= 1,52E-8
SIL CL = 2
PFH
SF4
= 2,91E-8
SIL CL = 3
PFH
1.2
= 8,41E-10
SIL CL = 2
PFH
2
= 1,14E-8
SIL CL = 3
PFH
3.1
= 7,58E-9
SIL CL = 2
PFH
SF2
= 1,98E-8
SIL CL = 2
PFH
1.3
= 2,01E-9
SIL CL = 2
PFH
2
= 1,14E-8
SIL CL = 3
PFH
3.2
= 7,58E-9
SIL CL = 2
PFH
SF3
= 2,10E-8
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
subsystem element
subsystem
Failure coverage
through
comparison in F-
SPS
D
= 0.2 x
1
=
2
= ; DC
1
= DC
2
= DC
DC = 90%
= 0.1 x C / B10
B
10
: 1.000.000
C : every 8 hours
Diagnosis support:
DssD = (1 )
2
{[ De
2
* 2 * DC ] * T2/2 + [ De
2
* (1 - DC) ] * T1} + * De
test Intervals
SIL CL = 2
Analysis of the sensor circle 1.1 door supervision
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Subsystem element
subsystem
Failure coverage
through
comparison in F-
SPS
D
= 0.2 x
1
=
2
= ; DC
1
= DC
2
= DC
= 0.1 x C / B10
B
10
: 100.000
C : 1x per day
Diagnosis support :
DssD = (1 )
2
{[ De
2
* 2 * DC ] * T2/2 + [ De
2
* (1 - DC) ] * T1} + * De
test Intervals
SIL CL = 3
Analysis of the sensor circle 1.2 need hold local (trick unlocked)
DC = 90%
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Subsystem element
Subsystem
Failure coverage
through
comparison in F-
SPS
D
= 0.2 x
1
=
2
= ; DC
1
= DC
2
= DC
DC = 90%
= 0.1 x C / B10
B
10
: 1.000.000
C : every 8 hours (0,125)
Diagnosis support :
DssD = (1 )
2
{[ De
2
* 2 * DC ] * T2/2 + [ De
2
* (1 - DC) ] * T1} + * De
test Intervals
SIL CL = 2
Analysis of the sensor circle 1.3 door supervision
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL Claim:
SS1.1 SS1.2 SS2 SS3 SS4
SIL2 SIL3 SIL3 SIL3 SIL2
SIL2
PFH and SIL:
1,0 E-9 +1,0 E-10 +1,2 E-8 + 5,42 E-10 + 1,8 E-9
= 1,5442 E-8
SIL specification
SIL3 ???
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL and PL can be compared with each other
Measure of the safety performance
3 10
-8
to < 10
-7
e
2 10
-7
to < 10
-6
d
1 10
-6
to < 3 x 10
-6
c
1 3 x 10
-6
to < 10
-5
b
no special safety requirements 10
-5
to < 10
-4
a
SIL [EN 61508-1 (IEC 61508-1)] for
information
Average probability of a dangerous failure per
hour [1/h]
Performance level (PL)
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL Claim:
SIL2
PFD and SIL:
1,0 E-9 +1,0 E-10 +1,2 E-8 + 5,42 E-10 + 1,8 E-9
= 1,5442 E-8
SIL2
Qualitative
assessment
SIL specification
SIL3 ???
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL Claim:
SIL2
PFD und SIL:
1,0 E-6 +1,0 E-10 +1,2 E-8 + 5,42 E-10 + 1,8 E-9
= 1,002 E-6
SIL2
Qualitative
assessment
SIL specification
SIL1
Support by Siemens
SIL verification
PL verification
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SIL
See lecture no. 2 / robust processes
SIL
S
t
r
u
c
t
u
r
e
HFT
R
e
l
i
a
b
i
l
i
t
y
PFH
D
D
i
a
g
n
o
s
i
s
DC/SFF
R
e
s
i
s
t
a
n
c
e
CCF
P
r
o
c
e
s
s
verifying
Support by Siemens
Application example
IEC 62061 and ISO 13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
Safety of Machinery
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Certified Products for the overall Safety System
with all safety-relevant characteristics and certificates
Detecting Reacting
SIRIUS contactors
SIRIUS motor starters
SIRIUS compact starter
SINAMICS G120/G120D
SINAMICS S120
SIRIUS position switches
SIRIUS signal columns
SIRIUS EMERGENCY STOP
buttons
SIRIUS zero-speed relays
SIMATIC FS light curtain
SIMATIC FS laser scanner
ASIsafe safe modules
Evaluating
SIRIUS
safety switching devices
SIRIUS
modular safety system
ASIsafe safety monitor
SIMATIC
fail-safe controllers
SIMATIC ET 200S, ET 200pro
SIMATIC
Mobile Panel 277F IWLAN
www.siemens.de/simatic-safety-integrated/starterkit
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Action packs and slides
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Comprehensive Support on your Way
to the optimum Use of Safety Technology
Internet contact
http://support.automation.siemens.com
The right support for every
project phase
Support
Internet download
http://www.siemens.com//safety-
functional-examples
Instructions for functions and
applications
Functional Examples
Product and standards
trainings
Tool to prove the required
safety level
Contents
Internet contact
http://www.siemens.com/sitrain-
safetyintegrated
Sitrain
Online tool
www.siemens.com/safety-evaluation-tool
Safety Evaluation tool
Can be obtained from
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Safety evaluation tool
The safety evaluation tool
A free Internet-based tool for calculating safety functions
ISO 13849-1 (successor standard of EN 954-1)
IEC 62061
For documenting the
results by a report
Offers easy, identical
handling for both
standards
Optimum support when
using the Siemens products
With the Safety Evaluation tool:

Easy preparation of machine documentation conforming to the
standards
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Functional Examples
Functional Examples include
Functional, tested and
practical safety functions
List of all required software
and hardware components and
description of the interconnection
Tested and commented code
Assessment of the safety functions
according to EN 62061 and
EN ISO 13849-1: 2006
Described functionalities
Can be easily implemented
Serve as a basis for individual
expansions
Easy, fast and inexpensive implementation of safety tasks
Example: Safety Door with Spring-Loaded
Engagement in Category 4 / PL e / SIL 3
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
SITRAIN Safety Integrated Course Catalog
Specific courses
Drive technology
ST-NSST, focus: Theory; trainer: TV Sd, Latest
Standards for Designing Safe Machines, 2 days
Sensors
SE-FSZERT
Testing, Usage and
Handling of Contactless
Protective Equipment
2 days
Controls
IK-ASISYS
Actuator-Sensor Interface
system course
3 days
Automation
systems
ST-PPDS
Configuring and
Programming Fail-Safe
SIMATIC S7-300 Control
Systems with PROFIsafe
3 days
DR-G120-EXP
SINAMICS G120 Service
and Commissioning
2 days
NC-840DSIW
SINUMERIK 840D Safety
Integrated Configuring and
Commissioning
5 days
NC-840DSIS
SINUMERIK 840D Safety
Integrated Maintenance
course
3 days
General courses
ST-SIUEBF, focus: System overview;
Current Standards (ST-NSST) plus Safety Integrated Product and
System Overview, 4 days
CD-SSI
SIRIUS Safety
Integrated
3 days
Drives Safety S120
Safety Functions
2 days
NEW
starts 2009
NEW
starts 2009
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Functional safety of machine control
application of DIN EN ISO 13849
Functional safety of machine control
- application of DIN EN ISO 13849 (BGIA-Report 2/2008)
Download report & calculation tool SISTEMA
http://www.dguv.de/bgia/de/pub/rep/rep07/bgia0208/index.jsp
Information
Training
Function examples
Evaluation tool
Support
Products
Support by Siemens
Application example
IEC 62061 and ISO
13849-1
4 Placing to market
3 Validation
2 Risk reduction
1 Risk assessment
The way to a safe
machinery
Safety of Machinery
Support to the norms
To the 62061
Siemens Function example to 62061
http://support.automation.siemens.com/WW/view/de/23996473
To the EN ISO 13849
BGIA Report 2008
http://www.dguv.de/bgia/13849
To the EN 62061 and EN ISO 13849:
Siemens: Standards brochure, standards poster
http://www.automation.siemens.com/cd/safety/index_00.htm
To the reference book:
Funktionale Sicherheit von Maschinen und Anlagen
Umsetzung der europischen Maschinenrichtlinie in der Praxis
(ISBN 978-3-89578-366-1, only German version)
To the EU Guidelines:
Guidelines, activities for the guidelines, list of the harmonized norms,
FAQs, ...
http://www.newapproach.org

Basics Safety Standards en

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Basics Safety Standards en

Uploaded by

Copyright:

Available Formats

Siemens AG 2009. All Rights Reserved.

Siemens AG 2009. All Rights Reserved.

Siemens AG 2009. All Rights Reserved.

Siemens AG 2009. All Rights Reserved.

Sensor circuit & Actuator circuit:

With the Safety Evaluation tool:

You might also like