
Machinery Safety

Functional safety

Author: Dirk Van Mechelen


Training: Machinery Safety
Location: Antwerp, Belgium
Legal Framework

Introduction to functional safety

EN ISO 13849-1 Design

EN ISO 13849-2 Validation

Sistema 2.0
Legal framework
For Machinery Directive 2006/42/EU
Machinery Directive:
Annex I: ESSENTIAL HEALTH AND SAFETY REQUIREMENTS

1.2. CONTROL SYSTEMS


▪ 1.2.1. Safety and reliability of control systems
▪ 1.2.2. Control devices
▪ 1.2.3. Starting
▪ 1.2.4. Stopping
  ▪ Normal stop
  ▪ Operational stop
  ▪ Emergency stop
  ▪ Assembly of machinery
▪ 1.2.5. Selection of control or operating modes
▪ 1.2.6. Failure of the power supply
Use of harmonised standards

• "New approach" directives give only goals, which are mandatory
• Standards fill in the goals of the directive(s)
  ➢ Not mandatory, but well advised
  ➢ A harmonised standard gives presumption of conformity
• Developed by CEN/CENELEC on mandate of the European Commission


Standards related to control circuits of machinery
EN 954-1:1996 Safety of machinery - Safety related parts of control systems - Part 1: General principles for design (withdrawn since 30-11-2011)
EN 954-2 - Part 2: Validation

EN ISO 13849-1:2006 Safety of machinery - Safety related parts of control systems - Part 1: General principles for design (harmonised since 2007, now version 2015)
EN ISO 13849-2:2003 - Part 2: Validation (harmonised since 2004, now version 2012)

EN IEC 62061:2005 Safety of machinery - Functional safety of safety-related electrical, electronic and programmable control systems (harmonised since 2005, now version 2015)

EN 60204-1:2005 Safety of machinery - Electrical equipment of industrial machines - Part 1: General requirements (harmonised since 1997, now version 2018?)

EN ISO 14119:2013 Safety of machinery - Interlocking devices associated with guards - Principles for design and selection (harmonised)
Relation between other standards

Fig 1 from IEC 62061


Other applicable standards
ISO 26262-1: Road vehicles – Functional safety
Part 1: Vocabulary
Part 2: Management of functional safety
Part 3: Concept phase
Part 4: Product development: system level
Part 5: Product development: hardware level
Part 6: Product development: software level
Part 7: Production and operation
Part 8: Supporting processes
Part 9: ASIL-oriented and safety-oriented analyses
Part 10: Guideline on ISO 26262

ISO 25119 -1: 2010 Tractors and machinery for agriculture and forestry - Safety-related parts of control systems –
Part 1: General principles for design and development
Part 2: Concept phase
Part 3: Series development, hardware and software
Part 4: Production, operation, modification and supporting processes
Evolution in standards

ISO 13849

IEC 62061 Introduction to SIL


Introduction
• A number of accidents are the result of failure of the control system
• Since 1960 growing insight into the complexity of control systems in the process industry
• Development of IEC 61508 since the 1980s
• The machinery sector has its own standards since 1996 - 2005
A brief history of functional safety
▪ The notion of functional safety was introduced in the 1980s as a means to evaluate
complex devices as part of the overall safety function.

▪ In 1998 the IEC published a document, IEC 61508, entitled: “Functional safety of
electrical/electronic/programmable electronic safety-related systems.”

▪ IEC 61508 was originally developed for industrial machinery and chemical plants and
remains the relevant standard for many industries.

▪ In recent years, however, many industries have looked to develop domain specific
standards that are better suited to their application and can handle the immense rise in
system complexity driven by many factors including the exponential growth of software.
Safety Life cycle strategy
Safety Life cycle
IEC 61508

-> Safety requirements: functional requirements AND reliability requirements (Performance Level or SIL)
-> Allocate the functionality to a hardware (and software) system
Introduction

Safety function:
Failure and/or malfunction of a safety function endangers the safety of people.
(e.g. seat belt, light curtain on a press)

Uses safety components: components that are not necessary in order for the machinery to function, or for which normal components may be substituted in order for the machinery to function.
Functional Safety

• The system's reaction to the status of inputs, generating outputs that fulfil a safety function
• Can be part of the overall control system or implemented separately
• Is expressed in terms of failure (of components, of systems)
• Concerns reliability
Examples of Input devices

Two-hand control
Door switches
Vacuum measurement
Temperature measurement
Light curtain
Ventilation
Examples : Input control

Standard non-contact (immaterial) protective devices:
Photoelectric cell
Light barrier
Scanner


Examples of Logic devices

Safety relays
Programmable safety relays
Dedicated safety hardware and software
Hard wired
Safety PLC
Examples of Output devices

Low power relays
High power relays
Motor control with STO (Safe Torque Off)
Mechanical coupling
Hydraulic valve
Solenoid valve
Design of a system architecture

=> Monitor the position of a guard / stop the motion when the guard is open
=> Position sensing, decision, stop command
=> Safety switch, safety relay, contactor
=> Movable screen with interlock function


Safety function versus SRP/CS

Goal of a safety function: protecting against unforeseen start-up

Parts of an SRP/CS can be used for several safety functions

[Figure: I - L - O block diagrams of several safety functions (robot 1, robot 2, roller conveyor, turntable) that share parts of the same SRP/CS]
Safety Lifecycle
Risk Assessment
Required risk reduction
Risk Assessment according EN ISO 12100

[Flowchart: Start -> Determine limits of the machine -> Risk analysis (hazard identification, risk estimation) -> Risk evaluation -> Machine safe? No: risk reduction, then repeat; Yes: End]
Risk estimation
The evaluation of the identified risk is based on the “Risk assessment using hybrid
method” mentioned in EN ISO 14121-2.
Functional Safety : IEC 62061 (machinery safety)
Risk graph according to ISO 25119

1) System description of failure modes must be known
2) Risk graph to quantify the risk and determine the reliability level

Severity: personal injury (operators and bystanders)
Exposure: based on the risk of a dangerous failure; estimation of the frequency and the duration of exposure
Controllability: possible avoidance of damage

Risk graph according to ISO 25119

Note: this method is analogous to the method of ISO 26262 for the automotive sector
EN ISO 13849-1

Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design


EN ISO 13849-1

EN ISO 13849 Safety of machinery — Safety-related parts of control systems

Part 1: General principles for design (2015)


Part 2: Validation (2012)
Part 100: Guidelines for the use and application of ISO 13849-1 [Technical Report] (withdrawn)

- Presumption of conformity with EHSR 1.2.1 (reliability)
- National standard since May 2007 (harmonised)

ISO/TR 23849-1:2010 Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery
EN ISO 13849-1: General

• Type B standard, applicable to all types of machinery
• Referred to by many type C standards
• Can be used for different technologies (electrical, hydraulic, pneumatic, mechanical)
• Defines 5 Performance Levels
• Has a simplified method based on 5 architectures to implement the required Performance Level
• Based on reliability of components and architectures
• Based on the failure of components and sub-assemblies during the complete life cycle
EN ISO 13849-1: definitions

Safety-related parts of control systems (SRP/CS):
part of a control system that responds to safety-related input signals and generates safety-related output signals.
• Can contain hardware as well as software
• Can be a part of the control system or can be performed separately
• Monitoring systems used for diagnostics are also considered as SRP/CS

Performance level (PL):
• a discrete level used to specify the ability of SRP/CS to perform a safety function under foreseeable conditions.
• there are five levels, characterised by a probability of dangerous failure per hour PFHd.
EN ISO 13849-1: Performance Levels (PL)

➢ Performance Level (PL) is a discrete level that defines the probability of dangerous failure per hour.
➢ There are five levels (PLa to PLe).
➢ Each level defines a range of probability of dangerous failure per hour.

Not only quantitative but also qualitative requirements have to be fulfilled (§4.5)!


EN ISO 13849-1

The factors determining a dangerous failure are:
- Mean Time To dangerous Failure (MTTFd) (reliability of components)
- Diagnostic Coverage (DC) (mechanism of error detection)
- Common Cause Failure (CCF) (failure of different items resulting from a single event, where those failures are not consequences of each other)

To evaluate and classify the resulting PL, for most cases a simplified method is used.

This method is based on the definition of possible architectures, called "categories".
They are called "category B, 1, 2, 3 and 4".

This simplified method is intended to reduce the calculations to a minimum, but Reliability Block Diagrams, Markov chains or Fault Tree Analysis are permitted.
EN ISO 13849-1

PL and the categories can be applied to:
• SRP/CS such as:
  • Protective devices (e.g. two-hand control or blocking device), ESPE such as light barriers, pressure mats, etc.
  • Control units (e.g. safety relays, data processors, etc.), and
  • Power controls (e.g. contactors, hydraulic valves, etc.)
• But also to complete safety-related control systems for a wide variety of machinery, e.g. packaging installations, printing presses, robot installations, etc.
Design of SRP/CS

A typical safety function consists of:
✓ Inputs, sensors
✓ Logic, PLC or computer
✓ Output, actuators
✓ Connections, wires or buses


Design of SRP/CS

Risk assessment to determine safety functions


Following steps to be executed for every safety function:

1. Determine PLr
2. Determine an architecture (called ‘category’)
3. Determine MTTFd
4. Determine DC
5. Determine CCF
6. Verify if the PL realised is higher than the PLr
7. Validate (are all requirements fulfilled?)
Design: determine PLrequired
How much reliability is required?

1. Type C standards
▪ Standards related to one type of product (machine).
▪ Have priority over type A and type B standards

2. Risk assessment:
▪ Basis: risk graph in Annex A of EN ISO 13849-1
▪ Informative annex, not mandatory to follow.
▪ ISO/TR 14121-2:2012 Safety of machinery - Risk assessment - Part 2: Practical guidance and examples of methods
▪ Method from IEC 62061
Design: determine PLrequired
How much reliability is required?
C-standard EN 10218-2:2011 Robots and robotic devices – Robot system
Design: determine PLrequired
How much reliability is required?
C-standard EN 15011:2014 Cranes – Bridge and gantry cranes
Design: determine PLrequired
How much reliability is required?
ISO 13849-1: Annex A
Example of how to determine PLr
Continuous movement that stops when the dough mixer is opened.
• S = S2: contusion of the arm
• F = F2: multiple batches every shift, short in time
• P = P1: it is clear that the machine still rotates, movement starts slowly. ?

[Figure: risk graph of EN ISO 13849-1 Annex A. From the starting point the branches S1/S2, F1/F2 and P1/P2 lead to the required Performance Level a (low risk) up to e (high risk).]
S: Severity of the injury
F: Frequency of interaction
P: Possibility to avoid danger
Exercise 1: Control of a manual bench press

Determine

• Hazard
• Risk scenario
• Evaluation of the risk
• PLr
Exercise 2: safeguarding a conveyor belt

Determine
• Hazard
• Risk scenario
• Evaluation of the risk
• PLr
• Residual risk
Risk assessment - Method used in IEC 62061 (SIL)
Exercise 1: Control of a manual bench press

Determine

• Hazard
• Risk scenario
• Evaluation of the risk
• PLr
Exercise: Entry to an Integrated Manufacturing System

Determine

• Hazard
• Risk scenario
• Quantification of the risk
• Functional behaviour of the SRCF
• PLr
Simplified method to determine PL

• Based on a determined architecture, called "category".
• Category B, 1, 2, 3 or 4
• PL is a function of:
  • Architecture
  • MTTFd
  • DCavg
  • CCF: are the requirements fulfilled?
Simplified method to determine PL

PL is a function of: category, DCavg and MTTFd

Annex K shows a numerical interpretation of the data


Annex K: numerical interpretation
Category B

[Figure: designated architecture for category B: I - L - O, connected by interconnecting means (Im)]

• No Diagnostic Coverage (DCavg)
• Low to medium MTTFd
• CCF not relevant
• Normally one channel
• Basic safety principles are used
• Occurrence of a single error may lead to the loss of the function
• Maximum achievable Performance Level = b
Category 1

[Figure: designated architecture for category 1: I - L - O, connected by interconnecting means (Im)]

• Same requirements as in Category B, and furthermore
• Use of well-tried components and safety principles
  • Frequently and successfully used in the past, OR
  • Designed and built according to accepted codes of good practice for safety applications
• High MTTFd
• CCF not relevant and no DCavg
• Normally one channel
• Occurrence of a single error may lead to the loss of the function
• Maximum achievable Performance Level = c
PLc, category 1: Start-stop with EMO

Working:
- Hazardous movement stopped with emergency stop
- Emergency stop interrupts Q1

Well-tried principles:
- Closed circuit
- Emergency stop with forced action
- Grounding
- Q1 is a "well-tried" component
PLc, category 1: Fence monitoring

Working:
- Hazardous movement stopped with screen
- Emergency stop interrupts Q1

Well-tried principles:
- Closed circuit
- Switch with forced action
- Grounding
- Q1 is a "well-tried" component
Category 2

[Figure: designated architecture for category 2: I - L - O with test equipment (TE) and output of the test equipment (OTE), connected by interconnecting means (Im)]

• Same requirements as in Category B, use of well-tried components and safety principles, with furthermore
• The machine control verifies the correct functioning regularly:
  • at start-up AND
  • prior to the possible initiation of a hazardous situation
• The verification allows automatic start-up when no errors are detected; otherwise the control device generates a preventive control action
• DCavg is low to medium, MTTFd is low to high, measures against CCF necessary
• Maximum achievable Performance Level = d
PLd, Category 2: Hydraulic

Working:
- Steering of hazardous movements by 1V3
- Failure of 1V3 leads to loss of function
- Position test of 1S3 and K1
- Stopping of P1 after switching Q1

Well-tried principle:
- PLC K1 may monitor 1S3
Category 3
[Figure: designated architecture for category 3: two channels I1 - L1 - O1 and I2 - L2 - O2, connected by interconnecting means (Im), with monitoring (m) of the outputs]

• Same requirements as in Category B, use of well-tried safety components and safety principles, with furthermore
• Occurrence of a single error may NOT lead to the loss of the function
• DCavg is low to medium, MTTFd is low to high, measures against CCF necessary
• Maximum achievable Performance Level = d
Category 3: Monitoring a fence screen

Working:
- Combination of NO and NC contacts
- Failure of B1, B2, Q1 and Q2 noticed by PLC K1
- Failures in K1 are not noticed

Well-tried principles:
- B1 with positive action (IEC 60947-5-1)
- Wires of the end-of-line switches are separated or protected.

Diagnostics by the PLC are only applicable when the opening and closing of the fence is part of the normal cycle.
Category 3 : Hydraulic

Working:
- 1A and 2A: dangerous movements
- Stopping by 1V5 and 2V1, also by 1V3
- Failure of a valve does not lead to loss of function
- 1V5 and 2V1 are used cyclically, 1V3 for safety
- 1V3 has position monitoring 1S3

Well-tried principle:
- PLC monitors 1S3
Category 4
[Figure: designated architecture for category 4: two channels I1 - L1 - O1 and I2 - L2 - O2, connected by interconnecting means (Im), with monitoring (m) and cross monitoring (c) between the channels]

• Same requirements as in Category B, use of well-tried safety components and safety principles, with furthermore
• Occurrence of a single error may NOT lead to the loss of the function
  AND
• The single error will be detected at or before the next demand on the safety function
• DCavg is high, MTTFd is high, measures against CCF necessary
• Maximum achievable Performance Level = e
Overview of different categories
Determine of the PL

The PL of the SRP/CS is determined by estimation of the following aspects:
• Architecture
• MTTFd value of the individual components;
• DC;
• CCF;
• Behaviour under error conditions;
• Systematic failure
Mean time to dangerous Failure MTTFD

• MTTF assumes that any system will fail, if you wait long enough
• Approximately, the MTTFd is the period of time after which 63 % of the components will have failed
• For each channel, three levels for MTTFd are defined
Mean time to dangerous failure MTTFD

• To find out the MTTFd, three ways can be followed:
  • Manufacturer's data
  • Methods from Annex C and D of the standard
  • Just take 10 years.

Mean time to dangerous failure MTTFd

Annex C gives a method to calculate the MTTFd of one single component
C.2: for different kinds of components, based on good engineering practices
C.3: a method for hydraulic components
C.4: for pneumatic, mechanical and electro-mechanical components, starting from the B10d value
C.5: a non-exhaustive list of MTTFd values for electrical components
Mean time to dangerous failure MTTFD

C.2: Based on good engineering practices

❖ Use of well tried safety principles

❖ Build according to relevant standards

❖ Manufacturer specifies application and terms of use


Mean time to dangerous failure MTTFD

C.3: Hydraulic components

The MTTFd of one single component is accepted to be 150 years if:
❖ manufactured according to well-tried safety principles
AND
❖ the manufacturer specifies the application and conditions of use


Mean time to dangerous failure MTTFD
C.4: Pneumatic, mechanical and electro-mechanical components

Based on the number of cycles until 10 % of the components have failed dangerously (B10d)
B10d is determined by the manufacturer according to standards
With nop = number of operations/year, MTTFd becomes:

and

with hop = average use in hours/day
dop = average use in days/year
tcycle = average time between two cycles
Mean time to dangerous failure MTTFd
Pneumatic, mechanical and electro-mechanical components C.4

The lifetime of a component is limited to T10d

In practice, the mission time of a safety system is 20 years.


Mean time to dangerous failure MTTFd

Pneumatic, mechanical and electro-mechanical components C.4

Example:
Pneumatic valve, B10d = 60 · 10^6,
use is 16 hours/day during 220 days/year and the cycle interval equals 5 seconds.

MTTFd is high (the valve may be used for 23,7 years)


Mean time to dangerous failure MTTFd

Electrical components C.5

❖ Based on the SN 29500 series database.
❖ For all failure modes, not only for dangerous failures
❖ FMEA is a precise method to determine the MTTFd.


Mean time to dangerous failure MTTFd

Method from Annex D.1 to determine the MTTFd of each channel

with: MTTFd for the channel
MTTFd for each component


Mean time to dangerous failure MTTFd
Method from Annex D.2 to make MTTFd symmetrical

❖ Take the lowest value of each channel
❖ Use the formula below:

MTTFdC1 and MTTFdC2 are the values of MTTFd for each channel
Diagnostic coverage (DC)

• DC is a measure for the effectiveness of the diagnostics
• DC is defined as the ratio between the number of detected dangerous failures and the total number of dangerous failures
• Four levels have been defined
• FMEA can be used to determine the DC
• Use the tables in Annex E "Estimates for diagnostic coverage for functions and modules"
Diagnostic coverage (DC)
Annex E of the standard gives us a way to estimate the DC
Diagnostic Coverage DC
Annex E not practicable for Logic
Diagnostic Coverage DC

Example to assess the DC value of the output device

Note: version 2015 has no 90 % DC for a one-channel test
Diagnostic coverage (DC)

❖ In order to estimate PL we require one value for DC.
❖ Calculate an average value for DC from the individual values for DC of each failure detection mechanism.
❖ Method from Annex E
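Annexes D.1, D.2 and E worked through for a two-channel SRP/CS, as an added Python example that is not part of the training material; the component MTTFd and DC values are constructed, and the 100-year cap per channel is the upper limit of Table 4 of the standard.

```python
"""Annex D (channel MTTFd, symmetrisation) and Annex E (DCavg) of
EN ISO 13849-1 for a two-channel SRP/CS.  Added example; the component
values below are constructed, not taken from any manufacturer data sheet."""

MTTFD_CAP = 100.0  # Table 4: maximum MTTFd that may be claimed per channel (years)


def mttfd_level(mttfd):
    """Table 4: low 3..10, medium 10..30, high 30..100 years; below 3 is not acceptable."""
    if mttfd < 3:
        return "not acceptable"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def channel_mttfd(component_mttfds, cap=MTTFD_CAP):
    """Annex D.1: 1/MTTFd,channel = sum over the components of 1/MTTFd,i,
    then limited to the permitted maximum per channel."""
    inverse_sum = sum(1.0 / m for m in component_mttfds)
    return min(1.0 / inverse_sum, cap)


def symmetrise(c1, c2, cap=MTTFD_CAP):
    """Annex D.2: one symmetric MTTFd from two unequal channels,
    MTTFd = 2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2)), again capped."""
    harmonic = 1.0 / (1.0 / c1 + 1.0 / c2)
    return min(2.0 / 3.0 * (c1 + c2 - harmonic), cap)


def dc_avg(components):
    """Annex E: DCavg = sum(DCi / MTTFd,i) / sum(1 / MTTFd,i) over all components.
    components: list of (dc, mttfd) pairs, dc as a fraction (0.99 means 99 %)."""
    numerator = sum(dc / m for dc, m in components)
    denominator = sum(1.0 / m for _, m in components)
    return numerator / denominator


def dc_level(dc):
    """Table 5: none < 60 %, low 60..90 %, medium 90..99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def two_channel_example():
    """Constructed data, (DC, MTTFd in years) per component.
    Channel 1: a hydraulic valve at 150 years (the C.3 value) with 99 % DC
               and a monitoring relay at 50 years with 60 % DC.
    Channel 2: two components at 30 and 60 years, both with 90 % DC."""
    ch1 = [(0.99, 150.0), (0.60, 50.0)]
    ch2 = [(0.90, 30.0), (0.90, 60.0)]
    c1 = channel_mttfd([m for _, m in ch1])   # 37.5 years
    c2 = channel_mttfd([m for _, m in ch2])   # 20.0 years
    sym = symmetrise(c1, c2)                  # about 29.6 years, i.e. medium
    dcavg = dc_avg(ch1 + ch2)                 # about 0.83, i.e. low
    return {"c1": c1, "c2": c2, "mttfd": sym, "mttfd_level": mttfd_level(sym),
            "dcavg": dcavg, "dc_level": dc_level(dcavg)}


if __name__ == "__main__":
    for key, value in two_channel_example().items():
        print(key, value)
```

Note how the weaker channel 2 pulls the symmetrised value just below the 30-year boundary, so the pair counts as medium although channel 1 alone would be high.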


Common Cause Failure
(CCF)
• Annex F (informative) provides a method to verify if the measures against common cause failures are adequately fulfilled
• Score must be 65 or better


Design of safety functions by combining SRP/CS

The safety function consists of several SRP/CS:
✓ Input: Cat. 2 PLc light barrier
✓ Logic: Cat. 3 PLd PLC
✓ Output, actuators: Cat. 1 PLc hydraulic valve
PL by combination of SRP/CS
1: PFHd is given
• PFHd of the overall safety function equals the sum of the individual PFHd's
PL by combination of SRP/CS
2: PFHd is not given
• Use table 11 to find the PL
Example: Interlocking Guard

The interlocking function uses the following components:
1) Input: two safety contacts, NZ (Euchner)
2) Logic: safety relay, ESA4 (Phoenix)
3) Output: two relays, 3RT (Siemens)

Safety function:
The hazardous movement stops when the guard is opened, by interrupting power to the electric motor.
PLr = d -> S=S2, F=F1, P=P2

Schematics of the safety function

S1 and S2: two safety contacts, NZ (Euchner)
Safety relay: ESA4 (Phoenix)
K1 and K2: relays 3RT (Siemens)
Input: two switches -> Euchner
Mean time to dangerous failure MTTFD

Based on the number of cycles until 10 % of a batch of components have failed dangerously (B10d)
B10d is determined by the manufacturer following product standards.
With nop = number of cycles per year, MTTFd becomes:

with hop = average use in hours/day
dop = average use in days/year
tcycle = mean time between cycles
Input: two switches -> Euchner

Mean time to dangerous failure MTTFd

$$B_{10d}(K) = 30\,000\,000$$

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 3600\ \mathrm{s/h}}{t_{cycle}} = \frac{250\ \mathrm{d} \cdot 16\ \mathrm{h} \cdot 3600\ \mathrm{s/h}}{100\ \mathrm{s}} = 144\,000 \text{ cycles/year}$$

$$MTTF_{d,K} = \frac{B_{10d}}{0.1 \cdot n_{op}} = \frac{30\,000\,000}{0.1 \cdot 144\,000} = 2083.3 \text{ years} = \text{high}$$
Input: two switches -> Euchner

Mean time to dangerous failure MTTFd


The lifespan of a component is limited to T10d

In our case the lifespan would be limited to 208 years; in reality a control system is designed for 20 years
Input: two switches -> Euchner

• MTTFd = high
• Diagnostic Coverage (DC)
  DCinput = 99 %: NO and NC contacts with linked operation (table E.1)
  DCinput = high
• CCF ? > 65
• Category 4
• PL = e
Logic -> Safety relays

Logic consists of an ESA4 safety relay

Output: two relays - contactors

Mean time to dangerous failure MTTFd

$$B_{10d}(K) = 10\,000\,000$$

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 3600\ \mathrm{s/h}}{t_{cycle}} = \frac{250\ \mathrm{d} \cdot 16\ \mathrm{h} \cdot 3600\ \mathrm{s/h}}{100\ \mathrm{s}} = 144\,000 \text{ cycles/year}$$

$$MTTF_{d,K} = \frac{B_{10d}}{0.1 \cdot n_{op}} = \frac{10\,000\,000}{0.1 \cdot 144\,000} = 694 \text{ years} = \text{high}$$
Output: two relays - contactors

Mean time to dangerous failure MTTFd


The service lifetime of the component is limited to T10d, the mean time until 10 % of the components have failed dangerously

Here the maximum lifetime is limited to 70 years (in practice we take 20 years)!!!
Output: two relays - contactors

• MTTFd = high
• Diagnostic Coverage (DC)
  DCoutput = 99 %: redundant disconnection after test by logic (table E.1)
  DCoutput = high
• CCF ? > 65
• Category 4
• PL = e
Example: Interlocking Guard

PFHd given:
• Input: PFHd,I = 1,1 × 10⁻⁹ (Annex K, MTTFd = 2083 y)
• Logic: PFHd,L = 1,5 × 10⁻⁹
• Output: PFHd,O = 3,3 × 10⁻⁹ (Annex K, MTTFd = 694 y)

PFHd = (1,1 + 1,5 + 3,3) × 10⁻⁹ = 5,9 × 10⁻⁹

PL = e
PFHd not given:
• Input: PLI = e
• Logic: PLL = e
• Output: PLO = e

PL = e
Systematic failure
• Failure embedded in the design; the only possible way to solve it is to improve the design
• Also used for software failures
• Measures for the control of systematic failures:
  - Use of de-energisation (see ISO 13849-2)
  - Effects of voltage breakdown, voltage variations, overvoltage, undervoltage
  - Physical environment (temperature, humidity, water, vibration, dust, corrosive substances, EMC, ...)
  - Program sequence monitoring for software in order to detect defective program sequences
  - Errors from data communication
• Other measures
  - failure detection by automatic tests;
  - tests by redundant hardware;
  - diverse hardware;
  - operation in the positive mode;
  - mechanically linked contacts;
  - direct opening action;
  - oriented mode of failure;
  - over-dimensioning by a suitable factor, derating (at least 1,5 should be used).
Software requirements
V-model
Software requirements
Conclusion

• Relatively simple method to assemble and develop safety functions, as soon as sufficient manufacturer data are available
• All type C standards mention PL and/or SIL.
• Note that type C standards have priority over type A or type B standards
• Other standards pose supplementary requirements concerning the use of PL


EN ISO 13849-2

Validation
Validation

The aim of the validation process is to demonstrate that the specification and the implementation of the SRP/CS match the general safety requirements of the machine.

This means that one shall demonstrate for every safety-related part that it satisfies the requirements of EN ISO 13849-1, and especially:
the safety characteristics of the safety functions as intended in the design
AND
the requirements imposed by the chosen category

Validation must be carried out by independent persons (not necessarily third parties)

Validation can be performed by analysis and/or by testing


Validation
▪ Example: process vessel
▪ Low sensor and high sensor in the BPCL (basic process control logic)
▪ Safety function: High High Level
▪ Software check on filling time (10 % extra time causes a stop and creates an alarm)
▪ How to test the High High Level and the software check?
  ▪ Commissioning
  ▪ During operation
Use of a checklist (1/2)
Use of a checklist (2/2)
Validation - Technology

• The following table gives an overview of the content of EN ISO 13849-2:
➢ Used technologies
➢ Basic safety principles
➢ Well-tried safety principles
➢ Well-tried components
➢ Potential faults and exclusions of those
Validation - Technology

ISO 13849-2:2012
Safety Life cycle (ISO 26262 road vehicles)

Validation
Verification
EN ISO 14119: Interlocking guards

9.3 Assessment of mechanical faults

An interlocking system with required PL e in accordance with ISO 13849-1 or SIL3 in accordance with
IEC 62061 will need to incorporate a minimum fault tolerance of 1 (e.g. two conventional
mechanical position switches) in order to achieve this level of performance since it is not normally
justifiable to exclude faults, such as, broken switch actuators. However, it may be acceptable to
exclude faults, such as short circuit of wiring within a control panel designed in accordance with
relevant standards. The same applies for PL d and SIL2 unless a full justification is provided in
accordance with ISO 13849-1 or IEC 62061.

For applications using interlocking devices with automatic monitoring to achieve the required
diagnostic coverage needed for the required PL, a functional test (see IEC 60204-1:2005, 9.4.2.4)
can be carried out every time the device changes its state, e. g. at every access. If, in such a case,
there is only infrequent access, the interlocking device shall be used with additional measures such
as conditional guard unlocking (see Figure 4 b)), as between consecutive functional tests the
probability of occurrence of an undetected fault is increased.
EN ISO 14119: Interlocking guards

When infrequent access is foreseeable, a manual functional test to detect a possible accumulation of faults shall be made within the following test intervals:

⎯ at least every month for PL e with category 3 or category 4 (according to ISO 13849-1) or SIL 3 with HFT = 1 (according to IEC 62061);

⎯ at least every 12 months for PL d with category 3 (according to ISO 13849-1) or SIL 2 with HFT = 1 (according to IEC 62061).
ISO/TR 24119
Sistema 2.0
Sistema - Libraries
Sistema

http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp (download version 1.2.?)


Sistema 2.0

Exercise 1: Safety of a batch-type ribbon blender

▪ Batch ribbon blender: fully continuous, cycle time 15 minutes
▪ Risk assessment: determine PLreq
▪ Choose industrial components and verify / validate
