Functional safety
Sistema 2.0
Legal framework
Machinery Directive 2006/42/EC, Annex I: Essential health and safety requirements
EN ISO 13849-1:2006 Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design (harmonised since 2007, current version 2015)
EN ISO 13849-2:2003 - Part 2: Validation (harmonised since 2004, current version 2012)
ISO 25119-1:2010 Tractors and machinery for agriculture and forestry - Safety-related parts of control systems - Part 1: General principles for design and development
Part 2: Concept phase
Part 3: Series development, hardware and software
Part 4: Production, operation, modification and supporting processes
Evolution in standards
ISO 13849
Legal Framework
Sistema 2.0
▪ In 1998 the IEC published IEC 61508, "Functional safety of electrical/electronic/programmable electronic safety-related systems".
▪ IEC 61508 was originally developed for industrial machinery and chemical plants and remains the relevant generic standard for many industries.
▪ In recent years, however, many industries have developed domain-specific standards that are better suited to their application and can handle the immense rise in system complexity, driven among other factors by the exponential growth of software.
Safety life cycle strategy
Safety life cycle (IEC 61508)
-> Safety requirements: functional requirements AND reliability requirements (Performance Level or SIL)
-> Allocate the safety function to a hardware (and software) system
Introduction
Safety function:
A function whose failure or malfunction endangers the safety of people (e.g. a seat belt, a light curtain on a press).
• The system reacts to the status of its inputs to generate outputs that fulfil the safety function.
• Functional safety is therefore a question of the reliability of that reaction.
Examples of input devices: door switches, vacuum measurement, temperature measurement, ventilation, light curtain, photoelectric cell
Examples of logic (input control): safety relays, programmable safety relays, dedicated safety hardware and software, hard-wired logic, safety PLC
Examples of output devices: mechanical coupling, hydraulic valve, solenoid valve
Design of a system architecture
[Figure: I-L-O block diagrams (input, logic, output) comparing (1) one SRP/CS with a single output Orobot against one with separate outputs Ox, Oy, Oz, and (2) one SRP/CS with output Orobot against one with outputs Oroller conveyor and Oturntable]
Safety Lifecycle
Risk Assessment
Required risk reduction
Risk assessment according to EN ISO 12100 (flowchart):
Start -> Determine the limits of the machine -> Risk analysis (hazard identification, risk estimation) -> Risk evaluation -> Is the machine safe? Yes: End. No: Risk reduction, then back to the start.
Risk estimation
The evaluation of the identified risk is based on the "risk assessment using the hybrid method" described in ISO/TR 14121-2.
Functional safety: IEC 62061 (machinery safety)
Risk graph according to ISO 25119
EN ISO 13849-1
ISO/TR 23849:2010 Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery
EN ISO 13849-1: General
• Based on the failure of components and sub-assemblies over the complete life cycle.
EN ISO 13849-1: definitions
➢ The Performance Level (PL) is a discrete level that specifies the ability of the safety-related parts to perform a safety function, expressed as the average probability of a dangerous failure per hour (PFHd).
➢ There are five levels (PL a to PL e).
➢ Each level corresponds to a range of PFHd (PL a: 10^-5 to < 10^-4 /h; PL b: 3 × 10^-6 to < 10^-5 /h; PL c: 10^-6 to < 3 × 10^-6 /h; PL d: 10^-7 to < 10^-6 /h; PL e: 10^-8 to < 10^-7 /h).
To evaluate and classify the resulting PL, a simplified method is used in most cases.
The simplified method is intended to reduce the calculations to a minimum, but reliability block diagrams, Markov models or fault tree analysis are also permitted.
EN ISO 13849-1
• Applies not only to individual components but also to complete safety-related control systems for a wide variety of machinery (e.g. packaging installations, printing presses, robot installations).
Design of SRP/CS (safety-related parts of control systems: input, logic, output/actuators)
1. Determine PLr
2. Determine an architecture (called 'category')
3. Determine MTTFd
4. Determine DC
5. Determine CCF
6. Verify that the PL achieved is at least equal to the PLr (PL ≥ PLr)
7. Validate (are all requirements fulfilled?)
Design: determine PLrequired
How much reliability is required?
1. Type-C standards
▪ Standards for one type of product (machine).
▪ Take precedence over type-A and type-B standards.
▪ Examples: EN ISO 10218-2:2011 Robots and robotic devices - Safety requirements for industrial robots - Part 2: Robot systems and integration; EN 15011:2014 Cranes - Bridge and gantry cranes.
2. Risk assessment:
▪ Basis: risk graph in Annex A of EN ISO 13849-1
▪ Informative annex, not mandatory to follow.
▪ ISO/TR 14121-2:2012 Safety of machinery - Risk assessment - Part 2: Practical guidance and examples of methods
▪ Method from IEC 62061
ISO 13849-1: Annex A
Example of how to determine PLr
Continuous movement that stops when the dough mixer is opened.
• S = S2: contusion of the arm
Risk graph (Annex A), from low risk to high risk:
S1 F1 P1 -> PLr a
S1 F1 P2 -> PLr b
S1 F2 P1 -> PLr b
S1 F2 P2 -> PLr c
S2 F1 P1 -> PLr c
S2 F1 P2 -> PLr d
S2 F2 P1 -> PLr d
S2 F2 P2 -> PLr e
S: severity of the injury (S1 slight, usually reversible; S2 serious, usually irreversible, or death)
F: frequency and/or exposure time to the hazard (F1 seldom to less often; F2 frequent to continuous)
P: possibility of avoiding the hazard or limiting the harm (P1 possible under specific conditions; P2 scarcely possible)
Exercise 1: Control of a manual bench press
Determine
• Hazard
• Risk scenario
• Evaluation of the risk
• PLr
Exercise 2: Safeguarding a conveyor belt
Determine
• Hazard
• Risk scenario
• Evaluation of the risk
• PLr
• Residual risk
Risk assessment - Method used in IEC 62061 (SIL)
Exercise 1: Control of a manual bench press
Determine
• Hazard
• Risk scenario
• Evaluation of the risk
• PLr
Exercise: Entry to an Integrated Manufacturing System
Determine
• Hazard
• Risk scenario
• Quantification of the risk
• Functional behaviour of the SRCF
• PLr
Simplified method to determine PL
• PL is a function of:
• the architecture (category)
• MTTFd
• DCavg
• CCF (are the requirements fulfilled?)
Single-channel designated architecture (Categories B and 1)
[Figure: I -> L -> O (input, logic, output) connected by interconnecting means Im]
Working (example 1):
- Hazardous movement stopped by the emergency stop
- The emergency stop interrupts Q1
Working (example 2):
- Hazardous movement stopped by the guard (screen)
- The emergency stop interrupts Q1
Category 2
[Figure: functional channel I -> L -> O, monitored by test equipment TE with its own output OTE]
• Same requirements as in Category B, use of well-tried components and safety principles, and furthermore:
• The machine control checks the correct functioning of the safety function regularly:
• at start-up AND
• prior to the possible initiation of a hazardous situation
• If no fault is detected, the check allows operation (automatic start-up); otherwise the control device initiates a preventive control action
• DCavg low to medium, MTTFd low to high, measures against CCF required
• Maximum achievable Performance Level = d
PL d, Category 2: hydraulic
Working:
- Valve 1V3 controls the hazardous movements
- Failure of 1V3 leads to loss of the safety function
- Position of 1V3 tested by 1S3 and K1
- Pump P1 stopped after Q1 switches off
Category 3
[Figure: two channels I1 -> L1 -> O1 and I2 -> L2 -> O2 with cross monitoring (m)]
• Same requirements as in Category B, use of well-tried safety components and safety principles, and furthermore:
• A single fault may NOT lead to loss of the safety function
• DCavg low to medium, MTTFd low to high, measures against CCF required
• Maximum achievable Performance Level = d
Category 3: monitoring a fence (screen)
Working:
- Combination of NO and NC contacts
- Failure of B1, B2, Q1 or Q2 is detected by PLC K1
- Failures in K1 are not detected
Diagnostics by the PLC only count when opening and closing of the fence is part of the normal cycle.
Category 3: hydraulic
Working:
- 1A and 2A perform the hazardous movements
- Stopping by 1V5 and 2V1, and also by 1V3
- Failure of one valve does not lead to loss of the function
- 1V5 and 2V1 are used cyclically; 1V3 is the safety valve
- 1V3 has position monitoring by 1S3
[Figure: two-channel designated architecture I1 -> L1 -> O1 / I2 -> L2 -> O2 with cross monitoring (m), as used for Categories 3 and 4]
Further aspects to be assessed:
• CCF
• Systematic failure
Mean time to dangerous failure (MTTFd)
• MTTF assumes that any system will fail if you wait long enough.
• Approximately, the MTTFd is the period of time after which 63 % of the components will have failed dangerously (assuming a constant failure rate).
• For each channel, three levels of MTTFd are defined: low (3 years ≤ MTTFd < 10 years), medium (10 years ≤ MTTFd < 30 years) and high (30 years ≤ MTTFd ≤ 100 years; the 2015 edition allows values up to 2500 years for Category 4).
The MTTFd of a single component is accepted as 150 years if: [first condition, not reproduced on this page] AND [second condition, not reproduced on this page]
B10d method: based on the number of cycles until 10 % of the components have failed dangerously (B10d).
B10d is determined by the manufacturer according to the relevant standards.
With nop = number of operations per year, the MTTFd of the component becomes:
MTTFd = B10d / (0.1 · nop)
and the MTTFd of two redundant channels is combined from MTTFd,C1 and MTTFd,C2, the MTTFd values of each channel [formula not reproduced on this page].
Diagnostic coverage (DC)
[Figure: DC estimation per subsystem: logic; output/actuators; example: Cat. 1, PL c hydraulic valve]
PL by combination of SRP/CS
1: PFHd is given
• The PFHd of the overall safety function equals the sum of the PFHd values of the individual SRP/CS.
2: PFHd is not given
• Use Table 11 of EN ISO 13849-1 (lowest PL among the subsystems and the number of subsystems at that PL) to find the PL.
Example: interlocking guard
[Figure: schematic of the safety function: input (DCI) - logic - output (DCO)]
Input: two switches -> Euchner
Mean time to dangerous failure MTTFd
nop = (dop · hop · 3600 s/h) / tcycle = (250 d · 16 h · 3600 s/h) / 100 s = 144,000 operations/year
MTTFd,K = B10d / (0.1 · nop) = 30,000,000 / (0.1 · 144,000) = 2083.3 years = high
Input: two switches -> Euchner
In this case the lifetime is limited to T10d = B10d / nop = 208 years; in reality a control system is designed for 20 years.
• MTTFd = high
• Category 4
• PL = e
Logic -> safety relays
Output: two relays (contactors)
B10d(K) = 10,000,000
MTTFd,K = B10d / (0.1 · nop) = 10,000,000 / (0.1 · 144,000) = 694 years = high
Here the maximum lifetime is limited to T10d = 70 years (practically we take 20 years)!
• MTTFd = high
• CCF: score ≥ 65 points (requirement fulfilled)
• Category 4
• PL = e
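The B10d method above and the two worked calculations (Euchner switches, contactors) as runnable Python. This is an added example, not code from the page or from Sistema. The 250 days, 16 hours and 100 s cycle are the page's figures; the parts-count sum and the two-channel symmetrisation formula come from ISO 13849-1 Annex D (not shown on the page); the MTTFd cap is a parameter because the 2006 edition limits a channel to 100 years while the 2015 edition allows up to 2500 years for Category 4.

```python
"""MTTFd of a channel from B10d data (ISO 13849-1). Added example, not the page's code."""
from typing import Iterable


def nop_per_year(dop_days: float, hop_hours: float, tcycle_s: float) -> float:
    """Mean number of operations per year: nop = dop * hop * 3600 / tcycle.
    dop: operating days per year, hop: operating hours per day, tcycle: seconds per cycle."""
    if dop_days <= 0 or hop_hours <= 0 or tcycle_s <= 0:
        raise ValueError("dop, hop and tcycle must be positive")
    return dop_days * hop_hours * 3600.0 / tcycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd (years) of one electromechanical/pneumatic/hydraulic component: B10d / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def t10d_years(b10d: float, nop: float) -> float:
    """T10d = B10d / nop: time until 10 % of the components have failed dangerously.
    The component must be replaced after T10d; this is the '208 / 70 years' lifetime limit on
    the page, which in practice is cut to a 20-year mission time."""
    return b10d / nop


def channel_mttfd(component_mttfds: Iterable[float], cap_years: float = 100.0) -> float:
    """Parts-count method for one channel: 1/MTTFd,C = sum(1/MTTFd,i) over its components.
    The result is capped: 100 years in ISO 13849-1:2006; the 2015 edition allows up to
    2500 years for Category 4 (pass cap_years=2500.0 for that case)."""
    inverse_sum = sum(1.0 / m for m in component_mttfds)
    if inverse_sum == 0.0:
        raise ValueError("channel must contain at least one component")
    return min(1.0 / inverse_sum, cap_years)


def symmetrised_mttfd(c1: float, c2: float) -> float:
    """Two redundant channels with different MTTFd (ISO 13849-1 Annex D, not on the page):
    MTTFd,C = 2/3 * (MTTFd,C1 + MTTFd,C2 - 1 / (1/MTTFd,C1 + 1/MTTFd,C2))."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def classify_mttfd(mttfd_years: float) -> str:
    """Map a channel MTTFd to the three bands of ISO 13849-1 (low / medium / high)."""
    if mttfd_years < 3.0:
        return "not acceptable"  # below 3 years no PL can be claimed
    if mttfd_years < 10.0:
        return "low"
    if mttfd_years < 30.0:
        return "medium"
    return "high"


def interlocking_guard_example(cap_years: float = 2500.0) -> dict:
    """The page's interlocking guard: 250 days/year, 16 h/day, 100 s per cycle (constructed
    from the page's numbers); Euchner switches B10d = 30e6, contactors B10d = 10e6."""
    nop = nop_per_year(250, 16, 100)
    switch = mttfd_from_b10d(30_000_000, nop)
    contactor = mttfd_from_b10d(10_000_000, nop)
    return {
        "nop": nop,
        "switch_mttfd": switch,
        "switch_t10d": t10d_years(30_000_000, nop),
        "switch_band": classify_mttfd(switch),
        "contactor_mttfd": contactor,
        "contactor_t10d": t10d_years(10_000_000, nop),
        # each input channel holds one switch, each output channel one contactor
        "input_channel": channel_mttfd([switch], cap_years),
        "output_channel": channel_mttfd([contactor], cap_years),
    }


if __name__ == "__main__":
    for key, value in interlocking_guard_example().items():
        print(f"{key:>16}: {value}")
```

Note how the cap changes the result: with the 2006 limit of 100 years the 694-year contactor channel is still "high" but enters the PFHd lookup as 100 years, which is why the page's Annex K values for the 2083- and 694-year channels are only meaningful under the 2015 edition.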
Example: interlocking guard
PFHd given:
• Input: PFHd,I = 1.1 × 10^-9 /h (Annex K, MTTFd = 2083 y)
• Logic: PFHd,L = 1.5 × 10^-9 /h
• Output: PFHd,O = 3.3 × 10^-9 /h (Annex K, MTTFd = 694 y)
Sum: PFHd = 5.9 × 10^-9 /h < 10^-7 /h -> PL = e
PFHd not given:
• Input: PL_I = e
• Logic: PL_L = e
• Output: PL_O = e
Three subsystems at PL e (Table 11 allows at most three) -> PL = e
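The risk graph of Annex A, the PFHd summation and the Table 11 combination, as a runnable Python check of design step 6 (PL ≥ PLr). This is an added example, not code from the page or from Sistema. The PFHd values are the page's; the risk-graph inputs S2/F2/P2 for this guard are an assumption, as is treating a PFHd below the 10^-8 lower edge of the PL e band as PL e (which is what the page does with its 5.9 × 10^-9 result).

```python
"""PLr from the risk graph, PL from PFHd, Table 11 combination and the PL >= PLr check
(ISO 13849-1). Added example, not the page's code."""
from typing import Optional, Sequence

PL_ORDER = "abcde"  # PL a (lowest) ... PL e (highest)

# Risk graph of ISO 13849-1 Annex A: (severity, frequency, possibility of avoidance) -> PLr
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Upper edge of the PFHd band of each PL (ISO 13849-1 Table 3), per hour
PFHD_UPPER = (("e", 1e-7), ("d", 1e-6), ("c", 3e-6), ("b", 1e-5), ("a", 1e-4))

# ISO 13849-1 Table 11: PL_low -> (max N_low that keeps PL_low, PL when N_low exceeds it)
TABLE11 = {"a": (3, None), "b": (2, "a"), "c": (2, "b"), "d": (3, "c"), "e": (3, "d")}


def plr_from_risk_graph(severity: str, frequency: str, avoidance: str) -> str:
    return RISK_GRAPH[(severity, frequency, avoidance)]


def pl_from_pfhd(pfhd_per_hour: float) -> Optional[str]:
    """PL for a (summed) PFHd. 1e-4 /h or worse gives no PL. Assumption: a value below the
    1e-8 lower edge of the PL e band is still reported as PL e, as the page does for 5.9e-9."""
    if pfhd_per_hour <= 0.0:
        raise ValueError("PFHd must be positive")
    for pl, upper in PFHD_UPPER:
        if pfhd_per_hour < upper:
            return pl
    return None


def combine_pfhd(subsystem_pfhds: Sequence[float]) -> float:
    """Series combination when the PFHd values are known: simply the sum."""
    return sum(subsystem_pfhds)


def combine_pl_table11(subsystem_pls: Sequence[str]) -> Optional[str]:
    """Series combination when only PLs are known (Table 11): take the lowest PL, count how
    many subsystems have it, and drop one level when that count exceeds the allowed number."""
    pls = list(subsystem_pls)
    pl_low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(pl_low)
    max_n_low, degraded = TABLE11[pl_low]
    return pl_low if n_low <= max_n_low else degraded


def pl_meets_plr(pl: Optional[str], plr: str) -> bool:
    """Design step 6: the achieved PL must be at least the required PL."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def interlocking_guard_check() -> dict:
    """The page's interlocking guard: PFHd input 1.1e-9, logic 1.5e-9, output 3.3e-9 /h.
    Risk-graph inputs S2/F2/P2 (serious injury, frequent access, hard to avoid) are assumed."""
    pfhd = combine_pfhd([1.1e-9, 1.5e-9, 3.3e-9])
    pl_quantified = pl_from_pfhd(pfhd)
    pl_table = combine_pl_table11(["e", "e", "e"])
    plr = plr_from_risk_graph("S2", "F2", "P2")
    return {
        "pfhd": pfhd,
        "pl_from_pfhd": pl_quantified,
        "pl_from_table11": pl_table,
        "plr": plr,
        "design_ok": pl_meets_plr(pl_quantified, plr) and pl_meets_plr(pl_table, plr),
    }


if __name__ == "__main__":
    print(interlocking_guard_check())
```

The Table 11 path is the one to watch in practice: three PL c subsystems in series already degrade to PL b, and a fourth PL e subsystem pulls a chain of PL e parts down to PL d, so a long series of individually adequate parts can still miss the PLr.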
Systematic failure
• A failure embedded in the design; the only way to eliminate it is to improve the design.
• The same applies to software failures.
EN ISO 13849-2
Validation
The aim of the validation process is to demonstrate that the specification and the implementation of the SRP/CS match the general safety requirements of the machine.
This means that one shall demonstrate for every safety-related part that it satisfies the requirements of EN ISO 13849-1, and in particular:
the safety characteristics of the safety functions as intended in the design
AND
the requirements imposed by the chosen category
▪ Low sensor and high sensor in the BPCL (basic process control logic)
▪ Software check on filling time (10 % extra time causes a stop and creates an alarm)
➢ Used technologies
➢ Basic safety principles
➢ Well-tried safety principles
➢ Well-tried components
➢ Potential faults and fault exclusions
Validation - Technology (ISO 13849-2:2012)
Safety life cycle (ISO 26262, road vehicles)
[Figure: V-model with validation and verification]
EN ISO 14119: Interlocking guards
An interlocking system with required PL e in accordance with ISO 13849-1 or SIL 3 in accordance with IEC 62061 will need to incorporate a minimum fault tolerance of 1 (e.g. two conventional mechanical position switches) in order to achieve this level of performance, since it is not normally justifiable to exclude faults such as broken switch actuators. However, it may be acceptable to exclude faults such as short circuit of wiring within a control panel designed in accordance with relevant standards. The same applies for PL d and SIL 2 unless a full justification is provided in accordance with ISO 13849-1 or IEC 62061.
For applications using interlocking devices with automatic monitoring to achieve the required diagnostic coverage needed for the required PL, a functional test (see IEC 60204-1:2005, 9.4.2.4) can be carried out every time the device changes its state, e.g. at every access. If, in such a case, there is only infrequent access, the interlocking device shall be used with additional measures such as conditional guard unlocking (see Figure 4 b)), as between consecutive functional tests the probability of occurrence of an undetected fault is increased.
Sistema 2.0
Sistema - Libraries