Functional Safety Introduction - Starting From The Basics

Changes in Machinery Safety
Standards and Legislation
Overview of EN ISO 13849-1 and

SISTEMA
Copyright © 2009 Rockwell Automation, Inc. All rights reserved.

Sustainable Production -
Machine and Process Safety
BR OR
2009 Machine Safety Market Leaders
P
OA TFO
DE LI
Vendor Market Share
ST O
Rockwell Automation #1
OMRON #2
Siemens #3
SICK #4
Pilz #5
2008 Process Safety Market Leaders
SC
MOALA
S T BL E
Source Data: ARC Vendor Market Share
Invensys / Triconex Leader
Rockwell Automation #2
Honeywell #3
ABB #4
Hima #5
Rockwell Automation––The
RockwellAutomation Theworld
worldleader
leaderininthe
the$3B+
$3B+Safety
SafetyMarket*
Market*
Copyright © 2009 Rockwell Automation, Inc. All rights reserved. * Source ARC Machine Safety (2009) & Process Safety (2008) Market Studies 2
What is functional safety?
What is it? It’s about ……………

It’s NOT just about Equations,
Standards and schematics…
ISO 13849-1 IEC 62061
Performance Productivity
Sustainability
Time to market
Information Compliance
Development Costs Ops & Maintenance Costs

• It is about things working safely and

productively


productively
• It is about evidence of due diligence, can

we prove it is right…


productively

• It is about implementing a solution that is

both technically and commercially viable


productively

• It is about implementing a solution that is

both technically and commercially viable
• It is about a logical concept for design

What makes safety special
• Is a domestic float valve a safety device

• What happens if valve doesn’t work?
• Do any of these states represent a

dangerous state?
• Does the valve fail In the on/off/unknown

state?

• Process vessel – is a domestic float valve good enough?
• How do we know
• What do we need to do to check that it is good enough

How Good Is It??
• Valves could be anywhere

between 0-100% reliable
• Relatively inexpensive plastic

float valve to stainless steel
MTTFD = Mean time to a dangerous failure

Improve reliability
• The same principle applies for electrical

switches
• We could select an inexpensive plastic
switch compared to a state of the art
RFiD non-contact switch

Improve reliability
Is this all we need?

Do We Need Two?
• What if our single valve fails?

Do We Need Two?
• Do we need 2 float valves?
• Increased risk – we might need two..
FT = Fault tolerant

Fault Tolerance - Redundancy
• Electrically we could have

redundant switches to switch off the
motor
FT = Fault tolerant

Fault Tolerance - Redundancy
• Is this all we need?
FT = Fault tolerant

What If One Fails
• If one fails – do we know?
• Do we need to know??
DC = Diagnostic Coverage

What If One Fails
• In this case we have no diagnostics

and the fault is not detected

What If One Fails
• Without diagnostics we could get

a subsequent fault.

How do we check
• Fault detection may be desirable

How do we check
• In this instance the fault is indicated

How to achieve DC
• Electrically we would wire the switches

back to a monitoring safety relay

How to achieve DC

What If They Both Fail
• Both fail together?
CCF = Common cause failure

What If They Both Fail
• One means of addressing CCF is to

adopt diversity

Diversity using differing technologies
• Diversity reduces common

cause failure

Diversity using differing technologies

What If The Process Changes?
• Contents of vessel changes
• Change in pressure from 10-100PSi
SYS =Systematic integrity

Have we maintained the installation?
• Is the valve replaced every 5 years as

per the installation sheet
• Do we have the sufficient competency
• Is this all we need???
FSM = Functional safety management

The Acronyms…
• MTTFd – Mean Time To Dangerous

Failure
• FT – Fault Tolerance
• DCavg – Diagnostic Coverage
• CCF – Common Cause Failure
• SYS – Systematic Integrity
• FSM – Functional Safety Management
• If some of the points listed above aren’t

dealt with properly we will fail to achieve
our goal of a functionally safe system

Safety Management – Roles and Responsibilities




New Machinery Directive
New Machinery Directive - 2006/42/EC became applicable on 29th December

2009. Old Machinery Directive 98/37/EC no longer applies.
For best info see:

http://ec.europa.eu/enterprise/mechan_equipment/machinery/index.htm
• Clear requirement for Risk Assessment at design stage

• Full Quality Assurance Scheme for Annex IV machines
• No Certificate of Adequacy option for Annex IV
• Clarification and relevance updated
• Covers partly completed machinery
Guide to Application of the New Machinery Directive

http://ec.europa.eu/enterprise/sectors/mechanical/files/machinery/guide_application_directive_2
006-42-ec-1st_edit__12-2009_en.pdf
For best comparison with Old Directive (98/37/EC) see:

http://www.kan.de/en/publikationen/kan-berichte/kan-berichte display/kandocs/7a9354a64e/kan
bericht/2659.html
Some Standards not yet on OJ yet - but will be (EN 60204-1, EN 62061 etc)
For best info see: http://eur-lex.europa.eu/JOIndex.do
and
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2009:309:0029:0065:EN:PDF
Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 36
New Machinery Directive
2006/42/EC

Machinery Safety Standards - Future Changes
ISO EN 12100: Safety of machinery – Basic principles will be combined with EN ISO 14121: Risk
assessment -
No very significant changes
New EN ISO 14119: Interlocking devices

 More emphasis on coding to prevent defeat
 Technology update
 More explanation of guard locking
 System implications – Fault masking etc
 Fault exclusion
EN/IEC 11161 Revised – Safety of Integrated Manufacturing Systems - Published now

EN ISO CD 415-10 – Packaging Machinery – Safety Requirements – will reference
.
Functional safety standards

Machinery Safety Standards - Functional Safety
Published now:
IEC EN 62061: Safety of machinery - Functional safety of Electrical, electronic and programmable
electronic control systems – Published now
EN ISO 13849-1: Safety of machinery – Safety related parts of control systems – Transition
standard - Replaces EN 954-1 (the “Categories” standard) end of this year - Published now
IEC 61800-5-2 Power drive systems – Functional safety – Published now
Short term:
Common Annex to IEC EN 62061 and EN ISO 13849-1 – Clarification, questions answered, worked
calculation examples – IEC 62061-1/ISO TR 23849 Published now
IEC EN 60947-4-1 – Contactors – Functional safety data testing requirements being added –
Published now
IEC EN 60947-5-3: Proximity devices with defined behavior under fault conditions – Functional
safety requirements added – Published now
IEC EN 61508: Functional safety of Electrical, electronic and programmable electronic control
systems – Being revised – Safe failure fraction re-visited, safety manuals, new subsystem definition
– Published now
IEC 61131-6: Programmable logic controllers – Functional safety - Expected 2011
Longer term
Amalgamation of IEC EN 62061 and EN ISO 13849-1 – Approximately 5 years

Machinery Safety - Functional Safety
Safety that depends on equipment functioning correctly
Task Analysis
Risk Assessment
Safety Requirement Specification
Design & Implementation
Validation
Management, Competencies and
Organisation

40
Standards for functional safety
Generic
IEC (EN) 61508
Functional safety of E/E/P
control systems SIL
SIL SIL SIL

Process Railways Machinery Nuclear
IEC 61511 EN 50129 IEC 61513
Machinery IEC/EN 62061 SIL
Directive EN ISO 13849 PL

2006/42/EC
EN 954 Withdrawn end 2011

EN/IEC 60204-1 and Standards for functional safety
l 5 -5
ica 4 7- -1
n 09 -5
a se 47
ec
h Noi 6 60
9
M EN/IEC 60204-1 I EC IE C
Machinery EN ISO 12100 Electrical EN ISO 13849
Safety of Safety of
Directive G u a rd I EC 6
machinery i ng machinery 2 0 61
2006/42/EC e rg IE
on Electrical C
Basic principles om 60
07
IE
equipment
Sl
ic 3
et c . . . .
et c . . . .
C
ips
60
t ri
EN/IEC 60204-1
43
ps
. . . ..
. . . ..
9
Previous versions used to state:
Clause 9.2.5.4.2
Where a category 0 stop is used for the emergency
stop function, it shall have only hardwired
electromechanical components. In addition, its
operation shall
not depend on electronic
logic (hardware or software) or on the
transmission of commands over a communications EN/IEC 60204-1
network or link. Current version now states:
And
Clause 11.3.4 Programmable electronic equipment Clause 9.4.1
shall not be used for Category 0 emergency stop The electrical control circuits shall have an appropriate level of
functions (see 9.2.5.4). safety performance that has been determined from the risk
For all other safety-related stop functions, the use
The requirements of
assessment at the machine.
of hardwired electromechanical components is
preferred (i.e. the function should not depend on the IEC 62061 and/or ISO 13849-1 ………………..shall
operation of programmable electronic equipment). apply.

EN ISO 13849-1:2006
Estimation of the Required Performance Level Category

(PLr) B1 2 3 4
PL
Performance
Level
S = Severity
F = Frequency
P = Probability

EN ISO 13849-1 Safety of machinery — Safety related parts of control systems
Then we choose the most suitable combination of

Structure (Category), Reliability (MTTFd) and Diagnostics (DC)
To achieve that Performance Level (PL)

EN ISO 13849-1:2006
How do we meet these requirements?

What else is required?
We need to Satisfy the requirements for :

• Safety Function Specifications
• Structure and behaviour of the safety function under fault
conditions (Designated Architecture Category)
• Reliability (MTTFd)
• Diagnostic coverage (DC) (see Annex E);
• Common cause failure (CCF) (see Annex F)
• Systematic failure and Environmental influences
• Safety-related Software

Categories
Categories - same as they always were (well almost!)
The structure and behaviour of the safety function under fault conditions
Designated Architecture Category B Typical implementation
Contactor Motor
Requirements
• Basic Safety principles
Sensor
• Withstand expected influences Machine
Control
Behaviour under fault conditions

A fault can cause a loss of the safety function.
Designed to product standards e.g. IEC

60947-5-2 (not specific safety standards)
Designed for environment and electrical
safety aspects e.g. IEC 60204-1

Categories
Designated Architecture Category 1 Typical implementation
Contactor Motor
Requirements Guard
• interlock
Category B
switch
• Well tried components Machine
Control
• Well tried safety principles

A fault can cause a loss of the safety function.

Categories
Contactor Motor
Guard Safety monitoring relay

interlock with start up check
switch
Machine
Control
Requirements
• Category B
• Functional check at start up and periodically
(on/off check) Now requires a test to demand ratio
Behaviour under fault conditions of >100:1
A fault occurring between the checks can cause a
loss of the safety function.

EN ISO 13849-1:2006
Contactors with mechanically
linked contacts
Motor
Contactor monitoring
Guard Safety
Requirements interlock
switches
monitoring relay
• Category B
• Single fault does not cause a loss of safety
function
• Where practicable that fault should be detected Machine
Control

Accumulation of undetected faults can cause a loss
of the safety function.

Categories
Contactors with mechanically

linked contacts
Motor
Guard
interlock
switches Contactor monitoring
Requirements Safety
monitoring
• Category B relays
• An accumulation of faults does not cause a loss
of safety function
Machine
Behaviour under fault conditions Control
Faults will be detected in time to prevent a loss of
safety function Fault Exclusion –
under the microscope!
MTTFd
Reliability (MTTFd –– Mean Time To Failure Dangerous of each channel )
Channel 1
Data sources preference:

B10d =400,000
1. provided by manufacturers MTTFd = 277y Channel 2
Mission time = 27y
2. from generic handbook sources
Fault Exclusion? or: 4
3. use 10 years B10d =2,000,000
MTTFd = 1388y
Mission time = 138y 3
Simplified into 3 ranges B10d =20,000,000
Low = 3 years to <10 years MTTFd = 13,888y
1 2 Mission time = 1,388y
Medium = 10 years to <30 years
High = 30 years to <100 years
Both guard doors access the same hazard zone
1/MTTFdtotal= 1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4
1/MTTFdtotal= 1/1388 + 1/1388 + 1/13888 + 1/277
MTTFdtotal= 195 years = High

Diagnostic Coverage
Channel 1
(average) Diagnostic coverage (DC)
failure rates of dangerous detected failures 99%
failure rates of all dangerous failures
Channel 2
Fault Exclusion? or: 4

99% reduced to
Data sources: 60% (due to shadowing)
1. Annex E of the standard 3
2. provided by manufacturers 99%
1 2
3. FMEA
Simplified into 4 ranges Both guard doors access the same hazard zone
None = <60% DCavg=

DC1/MTTFd1 + DC2/MTTFd2 + DC3/MTTFd3 + DC4/MTTFd4
Low = 60% to <90% 1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4
Medium = 90% to <99% 0.6/1388 + 0.6/1388 + 0.99/13888 + 0.99/277

DCavg=
High = 99% 1/1388 + 1/1388 + 1/13888 + 1/277
DCavg = 88% = Low

Diagnostic Coverage
Simplified DC estimation
Annex E of EN/ISO 13849-1

EN ISO 13849-1:2006
How do we meet these requirements?

What else is required?
We need to Satisfy the requirements for :

• Safety Function Specifications
• Structure and behaviour of the safety function under fault
conditions (Designated Architecture Category)
• Reliability (MTTFd)
• Diagnostic coverage (DC) (see Annex E);
• Common cause failure (CCF) (see Annex F)
• Systematic failure and Environmental influences
• Safety-related Software

EN ISO 13849-1:2008 / IEC EN 62061
Both address the functional safety of machinery control systems

• ISO EN 13849-1: 2008 • IEC/EN 62061
• Simple methodology • Relatively complex methodology
• Builds on Categories • More flexibility
• More constraints • Less constraints
• System based • Simplified modularity via subsystems
• Applies to all technologies • Only applies to electrical technology
• Can the system be designed simply using the • Are there complex safety functions e.g.
designated architectures ? depending on complex logic decisions?
• Will the system include technologies other • Will the system require validation to SIL e.g.
than electrical? machinery used in the process secor
If the answer to either question is YES If the answer to either question is YES
it is probably most appropriate to use it is probably most appropriate to use
ISO/EN 13849-1: 2008 IEC/EN 62061
You can choose the most suitable standard for your use
ISO EN 13849-1: 2008 is the usual choice

Guidance - ISO TR 23849 & IEC TR 62061-1
ISO TR 23849
IEC TR 62061-1
Recently Published
EN ISO 13849 and

IEC/EN 62061 are
compatible
Liaison
SIL and PL are

interchangeable at
subsystem level
Fault exclusion
clarification
Future? – New standard combining

EN ISO 13849-1 and IEC 62061 ?
Guidance - ISO TR 23849 & IEC TR 62061-1
Design implications – “Grey areas?”
• You cannot always use fault exclusion for Ple or SIL3

IEC 62061
ISO TR 23849 – IEC TR 62061-1

57
Functional Safety – Overview of requirements
for design
Design - Fundamental requirements

1. Probability of Failure
2. Fault Tolerance
3. Safe Failure Fraction
4. Common Cause Failure
5. Systematic Integrity
6. Functional Safety Management

EN ISO 13849-1:2006
Performance Level (PL) is related to the Probability of Dangerous

failure per Hour (PFHD)
Life gets easier if you

know the PFHd For example: SensaGuard
PFHd = 1.12E-9
PLe SIL CL 3

EN ISO 13849-1:2006
Annex K has everything

EN ISO 13849-1:2006
What data is available?

Generic data from
EN ISO 13849-1: 2006
“Mechanistic” devices
The more it operates the quicker it
breaks.
Data is B10d value
Number of operations to failure
Must be converted to
MTTFd (years)
For each application
“Electronic” devices
Does not “wear” out.
Data is MTTFd (or PFH)
Failure related to a constant time
span independent of usage rate
For more information see the

Rockwell Automation Safety Portal

EN ISO 13849-1: SISTEMA
The easiest way – But don’t! (unless you have PFH to spare!)
Combining subsystems with known PLs
PLe
Subsyste Nlow Achieved system
m PLlow PL
>3 Not allowed

a
≤3 a
PLe
>2 a 1 2
b
≤2 b
>2 b
c
≤2 c PLd PLd
>3 c
d PLd is achieved
≤3 d
>3 d Based on the number of the lowest
e
≤3 e PL subsystems
There is a (much) better way

Functional Safety – Requirement to Achievement
Guard interlock Switch System

Trojan 5 SmartGuard 100S
Contactors


• Relationship of 7 SISTEMA elements - example

Safeguarding machine hazards
Gate interlocking system
(Category 2
Architecture
Only)
Safety Output
Channel 1 linkage contacts Contactor 1
Switch channel 1
SmartGuard
600
Safety Output
Channel 2 linkage contacts Contactor 1
Switch channel 2

Data validation

Device
Documentation
Rockwell
Automation
SISTEMA
Data
Library

Technical
Report

SISTEMA is a software tool for the implementation of EN ISO 13849-1

(safety related parts of control systems for machinery)
 SISTEMA is the RA’s preferred tool, as well as the only tool

recommended by TÜV
 It is free for use
 There is a Rockwell Automation Data Library available for it
 It is developed and maintained by BGIA in Germany

How to get SISTEMA (available in English and German)

1 Go to http://www.dguv.de/bgia/en/pra/softwa/sistema/index.jsp
2 Click on Download – Submit e-mail

address for link to download page
3 Register, Download and follow

installation instructions

SISTEMA requires the input of Functional Safety Data.

The Data can be input manually or automatically by using a
Manufacturer’s SISTEMA Data Library
Download the Rockwell Automation SISTEMA Data Library from the

Safety Portal: (On your first visit you must register for access)
http://discover.rockwellautomation.com/EN_Safety_Solutions.aspx
Download to the “Libraries” folder into the

installed SISTEMA program folder
Usually at C/Program Files/SiSteMa/Libraries
You should now be able to launch SISTEMA

Click on the SISTEMA logo on your desktop or at start/program/SISTEMA
If you have installed

SISTEMA with the English
option this is what you will
see:
launch SISTEMA

How does SISTEMA see this?
1000 ops/yr 2000 ops/yr 4000 ops/yr 2000 ops/yr

9000 ops/yr
Safety Function 1
DC reduced
Safety Function 2
DC reduced
Safety Function 3
DC reduced
Safety Function 4
DC reduced

How does SISTEMA see this?
TLS SmartGuard
Safety Controller 100S
Guard locking
Safety Contactors
Interlocking Switch
Safety Function 1
Prevention of unexpected start-up
Safety Function 2
Guard locking


Functional Safety Introduction - Starting From The Basics

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Functional Safety Introduction - Starting From The Basics

Uploaded by

Copyright:

Available Formats

Changes in Machinery Safety

Standards and Legislation

Overview of EN ISO 13849-1 and

Copyright © 2009 Rockwell Automation, Inc. All rights reserved.

2008 Process Safety Market Leaders

What is it? It’s about ……………

ISO 13849-1 IEC 62061

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• It is about things working safely and

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• It is about things working safely and

• It is about evidence of due diligence, can

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• It is about things working safely and

• It is about evidence of due diligence, can

• It is about implementing a solution that is

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• It is about things working safely and

• It is about evidence of due diligence, can

• It is about implementing a solution that is

• It is about a logical concept for design

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Is a domestic float valve a safety device

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• What happens if valve doesn’t work?

• Do any of these states represent a

• Does the valve fail In the on/off/unknown

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Process vessel – is a domestic float valve good enough?

• What do we need to do to check that it is good enough

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Valves could be anywhere

• Relatively inexpensive plastic

MTTFD = Mean time to a dangerous failure

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• The same principle applies for electrical

MTTFD = Mean time to a dangerous failure

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

Is this all we need?

MTTFD = Mean time to a dangerous failure

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• What if our single valve fails?

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Do we need 2 float valves?

• Increased risk – we might need two..

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Electrically we could have

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Is this all we need?

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• If one fails – do we know?

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• In this case we have no diagnostics

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Without diagnostics we could get

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Fault detection may be desirable

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• In this instance the fault is indicated

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Electrically we would wire the switches

Copyright © 2011 Rockwell Automation, Inc. All rights reserved.

• Is this all we need?