TÜV SÜD Product Service

Functional Safety of

Machinery:

EN ISO 13849-1 Stewart Robinson TÜV SÜD Product Service

TÜV SÜD Product Service

Overview of the presentation

• Defining Safety Functions

• Avoidance of Systematic Failures

• Defining Performance Levels Required

• Verifying Performance Levels Achieved – SRP/CS Architectures

– Component reliability

– Diagnostic Coverage

• Common Cause Failures

Functional Safety of Machinery: EN ISO 13849-1 Slide 2 12/12/2012

TÜV SÜD Product Service

References

Functional Safety of Machinery: EN ISO 13849-1 Slide 3 12/12/2012

TÜV SÜD Product Service

Standards for Functional Safety

Two new functional standards are available for use in the machinery sector

Source: BGIA Report 2/2008e

Functional Safety of Machinery: EN ISO 13849-1 Slide 4 12/12/2012

TÜV SÜD Product Service

• EN 62061 – Safety of Machinery: Functional safety of electrical,

electronic and programmable electronic control systems

– Technology specific

– Covers all levels of complexity

• EN ISO 13849-1 – Safety of machinery — Safety-related parts of control

systems Part 1: General principles for design

– Is a replacement for EN 954-1

– Not technology specific, can be used for any energy

source.

– Can also be used for Programmable Systems (Safety

PLC’s)

Which standard to use?

Functional Safety of Machinery: EN ISO 13849-1 Slide 5 12/12/2012

TÜV SÜD Product Service

EN ISO 13849-1

Source: BGIA Report 2/2008e

Functional Safety of Machinery: EN ISO 13849-1 Slide 6 12/12/2012

TÜV SÜD Product Service

Overall Risk Estimation/Risk Reduction

EN ISO 13849-1 Figure 1

Functional Safety of Machinery: EN ISO 13849-1 Slide 7 12/12/2012

TÜV SÜD Product Service

Risk estimation – general principles

Risk related

to the

identified

hazard

Severity

of the

possible

harm

(Se)

Probability of occurence of that harm

Frequency and duration of exposure (Fr)

Probability of occurrence of

a hazardous event (Pr)

Probability of avoiding or

limiting harm (Av)

= and

Functional Safety of Machinery: EN ISO 13849-1 Slide 8 12/12/2012

TÜV SÜD Product Service

Risk Reduction

Source: BGIA Report 2/2008e

Functional Safety of Machinery: EN ISO 13849-1 Slide 9 12/12/2012

TÜV SÜD Product Service

• A control system in a machine should be

regarded as being safety-related if it contributes

to reducing any risk to an acceptable level or if it

is required to function correctly to maintain or

achieve safety.

Safety-Related Controls

What is a Safety Related Control

System?

Functional Safety of Machinery: EN ISO 13849-1 Slide 10 12/12/2012

TÜV SÜD Product Service

• Failure related in a deterministic way to a certain

cause, which can only be eliminated by a

modification of the design or of the manufacturing

process, operational procedures, documentation or

other relevant factors – the safety requirements specification,

– the design, manufacture, installation, operation of the

hardware, and

– the design, implementation, etc., of the software.

• Further information can be found in EN ISO 13849-

1, in particular in Annex G

Systematic failure

Functional Safety of Machinery: EN ISO 13849-1 Slide 11 12/12/2012

TÜV SÜD Product Service

Frequency of Failures

Out of control

Why control systems go wrong and how to

prevent failure?

(Out of control, 2nd edition 2003, Health & Safety Executive HSE – UK)

Functional Safety of Machinery: EN ISO 13849-1 Slide 12 12/12/2012

TÜV SÜD Product Service

EN ISO 13849-1

• 4.2.2 – For each safety function the characteristics

and the required performance level shall be

specified

• 4.3 Determination of required performance level

(PLr) – For each selected safety function to be carried out by a

SRP/CS, a required performance level (PLr) shall be

determined and documented (see Annex A for guidance

on determining PLr).

Specifying requirements

Functional Safety of Machinery: EN ISO 13849-1 Slide 13 12/12/2012

TÜV SÜD Product Service

• Safety related stop function initiated by safeguard

• Local control function

• Hold to run

• Enabling device

• Muting function

• Prevention of unexpected start up

• Control modes and mode selection

• Emergency stop

Safety Functions - Examples

Functional Safety of Machinery: EN ISO 13849-1 Slide 14 12/12/2012

TÜV SÜD Product Service

EN ISO 13849-1 Annex A risk graph

Functional Safety of Machinery: EN ISO 13849-1 Slide 15 12/12/2012

TÜV SÜD Product Service

• Severity of Injury. – S1 Slight injury, (bruise).

– S2 Severe injury, (Amputation or death).

• Frequency of exposure to injury. – F1 Seldom.

– F2 Frequent to continuous ( Frequent to continuous

are not defined in the standard).

• Possibility of avoiding the hazard. – P1 Possible.

– P2 Less possible. • Based on the speed of approach of the hazard and the ability

of the operator to avoid the hazard. If the operator can avoid

the hazard then you would choose P1.

Risk Graph Parameters

Functional Safety of Machinery: EN ISO 13849-1 Slide 16 12/12/2012

TÜV SÜD Product Service

PL / PFHd

Functional Safety of Machinery: EN ISO 13849-1 Slide 17 12/12/2012

TÜV SÜD Product Service

PL and SIL

EN ISO 13849-1

Performance Level

(PL)

Average probability

of a dangerous

failure per hour [1/h]

EN 62061

Safety Integrity

Level (SIL)

a ≥ 10-5 to < 10-4 no special safety

requirements

b ≥ 3 x 10-6 to < 10-5 1

c ≥ 10-6 to < 3 x 10-6 1

d ≥ 10-7 to < 10-6 2

e ≥ 10-8 to < 10-7 3

Functional Safety of Machinery: EN ISO 13849-1 Slide 18 12/12/2012

TÜV SÜD Product Service

EN ISO 13849-1 Clause 4.7

• Verification that achieved PL meets PLr

– For each individual safety function the PL of the related

SRP/CS shall match the required performance level

(PLr) determined according to 4.3

– The PL of the different SRP/CS which are part of a safety

function shall be greater than or equal to the required

performance level (PLr) of this safety function.

Performance Level

Functional Safety of Machinery: EN ISO 13849-1 Slide 19 12/12/2012

TÜV SÜD Product Service

• The Performance Level achieved depends on:

– The architectures of the SRP/CS

• Categories

– The reliability of components • Mean Time To Dangerous Failure (MTTFd)

– The effectiveness of error detection • Diagnostic Coverage (DC)

Factors to establish PL

Functional Safety of Machinery: EN ISO 13849-1 Slide 20 12/12/2012

TÜV SÜD Product Service

• Clause 6 describes ―designated architectures‖

as categories (B, 1 – 4). Categories state the

required behaviour of a SRP/CS in respect of it’s

resistance to faults etc.

Designated Architectures

Functional Safety of Machinery: EN ISO 13849-1 Slide 21 12/12/2012

TÜV SÜD Product Service

Categories

B SRP/CS shall be designed in accordance with relevant standards

1 SRP/CS shall use well tried components and principles. No protection against

faults.

2 SRP/CS shall use well tried principles and functions shall be “checked at

suitable intervals”. Testing rate better than 100 times demand rate. No

protection against faults.

3 SRP/CS shall be designed, so that: a single fault in any of these parts does

not lead to the loss of the safety function; and whenever reasonably

practicable the single fault is detected.

4 SRP/CS shall be designed, so that: a single fault in any of these parts does

not lead to a loss of the safety function; and the single fault is detected at or

before the next demand upon the safety function. If this is not possible, then

an accumulation of faults shall not lead to a loss of the safety function

Functional Safety of Machinery: EN ISO 13849-1 Slide 22 12/12/2012

TÜV SÜD Product Service

Categories

Structure / Category

Functional Safety of Machinery: EN ISO 13849-1 Slide 23 12/12/2012

Cat B & Cat 1

Cat 2

Cat 3

Cat 4

TÜV SÜD Product Service

Architecture - Categories 1 & 2

Type 2 L/C Test rate?

Functional Safety of Machinery: EN ISO 13849-1 Slide 24 12/12/2012

TÜV SÜD Product Service

Architectures - Categories 3 & 4

Functional Safety of Machinery: EN ISO 13849-1 Slide 25 12/12/2012

TÜV SÜD Product Service

Combinations of Categories

Cat. B/1? Cat. 1

Cat. 2 Cat. 1/2 Cat. 4

Cat. 4 Cat. 4 Cat. 4

Cat. 1?

Cat. 3?

Cat. 3/4

Functional Safety of Machinery: EN ISO 13849-1 Slide 26 12/12/2012

TÜV SÜD Product Service

Component reliability - MTTFd

Mean time to dangerous failure, MTTFd

The MTTF assumes the fact that every system will

fail if you just wait long enough

30 years ≤ MTTFd < 100 years high

10 years ≤ MTTFd < 30 years medium

3 years ≤ MTTFd < 10 years low

MTTFd Assessment

Functional Safety of Machinery: EN ISO 13849-1 Slide 27 12/12/2012

TÜV SÜD Product Service

• EN ISO 13849-1, Clause 4.5.2

• For the estimation of MTTFd of a component, the

hierarchical procedure for finding data shall be, in

the order given: – a) use manufacturer’s data;

– b) use methods in Annexes C and D;

– c) choose ten years.

• What do we do if no data is available?

Reliability data

Functional Safety of Machinery: EN ISO 13849-1 Slide 28 12/12/2012

TÜV SÜD Product Service

Good Engineering Practices

Source: BGIA Report 2/2008e EN ISO 13849-1 Annex C

Functional Safety of Machinery: EN ISO 13849-1 Slide 29 12/12/2012

TÜV SÜD Product Service

EN ISO 13849-1 Annex C

MTTFd =B10d

0.1 x nop

Where B10d = mean number of cycles until 10% of the components

fail dangerously

nop = number of operations per year

Where dop = number of operating days per year

hop = number of operating hours per day

tcycle = cycle time in seconds

Functional Safety of Machinery: EN ISO 13849-1 Slide 30 12/12/2012

TÜV SÜD Product Service

Diagnostic Coverage is the fractional decrease in the

probability of dangerous hardware failures, resulting from the

use of automatic diagnostic tests.

This is determined using the following equation

DC = lDD / lDtotal

l DD is the probability of detected dangerous failures

lDtotal is the probability of total dangerous failures.

Diagnostic Coverage

Functional Safety of Machinery: EN ISO 13849-1 Slide 31 12/12/2012

TÜV SÜD Product Service

EN ISO 13849-1 Diagnostic Coverage

Functional Safety of Machinery: EN ISO 13849-1 Slide 32 12/12/2012

TÜV SÜD Product Service

DCavg in accordance with EN ISO 13849-1

Determine the DCavg, (diagnostic coverage)

Formula for DCavg

Where d1, d2 and dN represent

the separate parts of the SRP/CS

Functional Safety of Machinery: EN ISO 13849-1 Slide 33 12/12/2012

TÜV SÜD Product Service

Diagnostic coverage is divided into 4

levels.

99% ≤ DC High

90% ≤ DC < 99% Medium

60% ≤ DC < 90% Low

DC < 60% None

Range of DC Denotation

Diagnostic Coverage (DC)

Functional Safety of Machinery: EN ISO 13849-1 Slide 34 12/12/2012

TÜV SÜD Product Service

Relationship - PL and Cat, DC, MTTFd

Functional Safety of Machinery: EN ISO 13849-1 Slide 35 12/12/2012

TÜV SÜD Product Service

Performance Level – Annex K

Table K.1 — Numerical representation of Figure 5

Functional Safety of Machinery: EN ISO 13849-1 Slide 36 12/12/2012

TÜV SÜD Product Service

EN ISO 13849-1 - Common Cause Failure

Functional Safety of Machinery: EN ISO 13849-1 Slide 37 12/12/2012

TÜV SÜD Product Service

PFHD of the Function

The PFHD of the Function is the sum of the PFHD of

each of the SRP/CS (subsystems) that make up the

Function

DssnDssDssDssDtotal PFHPFHPFHPFHPFH ....321

Sensor Logic Actuator

Sensor

Sensor

Input Logic Output

Actuator

Actuator

Functional Safety of Machinery: EN ISO 13849-1 Slide 38 12/12/2012

TÜV SÜD Product Service

• Low complexity

Example 1

Functional Safety of Machinery: EN ISO 13849-1 Slide 39 12/12/2012

TÜV SÜD Product Service

Example 2

Source: BGIA Report 2/2008e

Functional Safety of Machinery: EN ISO 13849-1 Slide 40 12/12/2012

TÜV SÜD Product Service

Thank you for listening

For more information contact: +44 (0)1642 345637 machinery@tuv-sud.co.uk www.tuv-sud.co.uk/machinery

TÜV SÜD Functional Safety of Machinery: EN ISO 13849-1 Slide 41 12/12/2012