An Introduction to ISO 13849-1:2008 Functional Safety of Machinery SF02


Page 1: PowerPoint Presentation Expo/Presentations/SF...These harmonized standards (EN/ISO/ANSI) outline the requirements for assessments. The ISO and IEC standards address the design of the

An Introduction to ISO 13849-1:2008

Functional Safety of Machinery

SF02

Page 2:

Agenda

History of Safety Standards

Example using 13849

What is Functional Safety

Primary Concepts of 13849

Who is affected by what?

Page 3:

What Is Functional Safety?

IEC 61508-4:2010 defines Functional Safety in section 3.1.12 as

“part of the overall safety relating to the equipment under control and the control system that depends on the correct functioning of the electrical, electronic and programmable electronic safety-related systems and other risk reduction measures”

Practical Definition: The automatic action that must occur to ensure a safe state

Page 4:

Functional Safety Standards

IEC/EN 61508 – Functional safety of electrical, electronic, and programmable electronic safety-related systems (EEPE/CS)

Related standards:

• IEC/EN 61511 – SIS (SIL1 – SIL4)

• IEC/EN 62061 – EEPE/CS (SIL1 – SIL3)

• ISO/EN 13849 – SRP/CS (PLa – PLe)

Diagram labels: Process, Machinery, Software

Page 5:

Functional Safety of Machinery

ISO 13849-1 IEC 62061

• ISO 13849-1 and IEC 62061 are known as machinery functional safety standards.

• These standards look at how well a safety system needs to operate.

• This allows us to use new technologies to drive productivity and safety.

• These new technologies are called contemporary safety solutions.

• ISO 13849-1 and IEC 62061 will be combined in the near future to benefit from the strengths of each standard.

• The technical committee for 17305 has a draft in progress.

Page 6:

History of Safety - USA

• 1877 – Massachusetts, required guarding of belts, shafts and gears

• 1890 – Nine US states required machine guarding

• 1930 – All US states had established job-related safety laws

• 1934 – Bureau of Labor Standards (F. D. Roosevelt - Frances Perkins)

– Promote safety and health for working men and women

• 1970 – Occupational Safety and Health Act (William Steiger’s Act)

– Assure safe and healthy working conditions for men and women

• 1981 – Lost Workday Incident Rates policy established by OSHA

• 1991 – EN 292 – Basic Concepts of Machine Safety

• 1996 – EN 954 and EN 1050 – Machinery Safety

Safety has been a growing part of the human-integrated manufacturing environment, and it is our responsibility.

Page 7:

Who’s Responsible?

• OSHA requires that each employer shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to employees.

• OSHA specifies minimal standards, and offers little, if any, assistance in compliance solutions.

• OSHA uses industry standards as well as manufacturer’s instructions when investigating accidents.

• Manufacturers and employers should apply consensus standards to help assure safety.

Page 8:

Who’s Responsible?

• The Machinery Directive has a dual objective: to permit the free movement of machinery within the internal market whilst ensuring a high level of protection of health and safety.

• The protection of health and safety is both a fundamental duty and a prerogative of the Member States. Since the Machinery Directive harmonises the health and safety requirements for the design and construction of machinery at EU level, the responsibility of Member States to protect health and safety of people with regard to the risks associated with machinery implies ensuring that the requirements of the Machinery Directive are correctly applied.

Page 9:

Standards Organizations

Abbreviation – Sponsoring Organization – Scope

ANSI – American National Standards Institute – U.S.A.
AS – Australia Standard – Australia
ASME – American Society of Mechanical Engineers – U.S.A.
ASSE – American Society of Safety Engineers – U.S.A.
B11 – Association of Manufacturing Technology – U.S.A.
CSA – Canadian Standards Association – Canada
EN – European Norm – European Community
IEC – International Electrotechnical Commission – Global
ISO – International Organization for Standardization – Global
NFPA – National Fire Protection Association – U.S.A.
OSHA – Occupational Safety and Health Administration – U.S.A.
PMMI – Packaging Machinery Manufacturer’s Association – U.S.A.
RIA – Robotic Industries Association – U.S.A.

Page 10:

Standards Comparison

Copyright © 2007 Rockwell Automation, Inc. All rights reserved.

United States:

• OSHA Machine Safety – 1910.xxx
• Machine Safety – General Safety Requirements – ANSI B11.GSR
• Machine Safety – Principles for Risk Assessment – ANSI B11.TR3
• Machine Safety – Selection of Programmable Electronic Systems (PES/PLC) for Machine Tools – ANSI B11.TR4
• Electrical equipment of machines – ANSI/NFPA 79

Europe:

• European Machine Directive – 2006/42/EC
• Machine Safety – Basic concepts – EN/ISO 12100
• Machine Safety – Principles for Risk Assessment – EN/ISO 14121
• Machine Safety – Safety-related parts of control systems (non-electrical and simple electrical) – ISO 13849-1
• Machine Safety – Electrical equipment of machines – IEC 60204-1
• Machine Safety – Functional safety of EEPES control systems – IEC 62061

Page 11:

What do we need to do?

The European and North American machinery directives/standards outline the general requirements that shall be followed to ensure that machines are assessed and that proper protection methods have been implemented to ensure personnel protection.

These harmonized standards (EN/ISO/ANSI) outline the requirements for assessments.

The ISO and IEC standards address the design of the safety-related parts of the control system, including the requirements of design verification.

IEC/NEC/NFPA standards address electrical installation and wiring practices.

Step 1 – Define the Requirements

Step 2 – Follow an Assessment Process

Step 3 – Utilize a defined Assessment Tool/Method

Step 4 – Determine the design method and verify the design

Step 5 – Follow the proper regional electrical installation standard

Page 12:

Globalized Safety Standards

Core standards: ISO 12100, ISO 13849, IEC 62061, IEC 60204, IEC 61508

European adoptions: EN ISO 14119, EN ISO 13849, EN ISO 12100, EN ISO 13850, EN IEC 62061, EN IEC 61800

North American standards: ANSI B11.0, ANSI B11.19, NFPA 79, UL 1998, PMMI B155.1, RIA 15.06

Standards are being adopted globally

Page 13:

What is it really?

Page 14:

ISO 13849-1 Concepts

• ISO 13849-1 is intended to give guidance to those involved in the design and assessment of the safety-related parts of control systems (SRP/CS) which perform safety functions.

• The ability of the SRP/CS to perform the safety function under foreseeable conditions is allocated to one of five levels, called Performance Levels (PL), and defined in terms of probability of dangerous failure per hour (PFHd).

• The probability of dangerous failure of the safety function depends on factors including:

– Reliability of components – the mean time to dangerous failure (MTTFd)

– Diagnostic Coverage – the extent of fault detection mechanisms (DC)

– Common Cause Failure – scoring process and quantification of measures against CCF

– Structure – definition of five designated architectures that fulfil specific design criteria and behaviour under a fault condition (Category)

– Systematic failures – measures against systematic failures which should be applied

Page 15:

Changes from EN 954

EN 954 → EN ISO 13849-1

• Electrical control circuits → Control circuits of all technologies: electrical, pneumatic, fluids, hydraulic

• Safety Categories B, 1, 2, 3 & 4 → Performance Levels PLa to PLe

• Safety provided by the structure of the control circuit → Safety provided by: the architecture/structure (categories); the reliability of the system (MTTFd, B10d); the diagnostic coverage of the system (DC); the preventive measures against common causes of failure (CCF)

• Draw a diagram (schematic) → Draw a diagram and verify the PL: does PL (achieved) = PLr (required)?

Page 16:

Methodology Change

Factors considered, qualitative and quantitative:

• Structure

• MTTFd

• Diagnostic Coverage (DC)

• Common Cause Failures (CCF)

• Software

• Systematic Failure

• Behaviour under fault conditions

• Environmental

EN 954 was basically a qualitative approach. Factors of time and component reliability are quantitative aspects which must now be considered when developing a safety control system using ISO 13849-1.

Page 17:

When to use ISO 13849

Safety Life Cycle

1. Risk Assessment – ISO 12100, ANSI B11.0

2. Functional Requirements Specification – ISO 12100, ANSI B11.0

3. Design and Design Verification – ISO 13849-1, ANSI B11.19

4. Installation, Verification and Validation – ISO 13849-2, ANSI B11.19

5. Maintain and Improve – ISO 13849-2, ANSI B11.0

Page 18:

Risk Assessment Overview

Determine the Limits of the Machinery → Hazard Identification → Risk Estimation → Risk Evaluation → Is the Risk Reduced? (Yes: End; No: Measures for Risk Reduction, then back to Hazard Identification)

Refer to SF01 – Risk and Hazard Assessment for more information on this process.

Page 19:

Risk Reduction Overview

Measures for Risk Reduction:

1) Inherently Safe Design

2) Safeguards & Complementary

3) Information for Use

Is a Control System Needed? No: back to Risk Assessment. Yes: Design SRP/CS per ISO 13849-1:2006.

Refer to SF01 – Risk and Hazard Assessment for more information on this process.

Page 20:

SRP/CS Design Overview

Identify the Safety Functions

Specify the Characteristics (SRS)

Required Performance Level (PLr)

Realization – Identify SRP/CS Components

Evaluate the Performance Level: 1) Category/System Architecture 2) Mean Time to Dangerous Failure (MTTFd) 3) Diagnostic Coverage (DC) 4) Common Cause Failure (CCF) 5) Software (if existing)

Verification

Validation

Page 21:

Safety Functions & Specification

• Two steps are required before determining the PL of a safety control system:

– Identify the Safety Functions

– Specify the Characteristics (SRS)

• These are based on the Risk Assessment.

Page 22:

Identify the Safety Functions

• Safety Function – A control system function which reduces the risk presented by a particular hazard to an acceptable level.

• The safety functions are identified during the risk assessment process and take into consideration both the application and the hazard.

• Some examples:

– “Stopping of the machine when a guard door is opened.”

– “Controlled location of the operator’s hands during hazardous movement.”

– “Safe limited speed of the robot while the guard door is opened.”

– “Emergency stopping of the machine when an EStop is pressed.”

Input → Logic → Output

Page 23:

Safety Requirements Specification

• The Safety Requirements Specification (SRS) is a formal document which describes the various safety functions and provides all of the required information an engineer will need to design the control system to perform the safety functions.

• The SRS is considered a living document and shall have provisions for revision control and document management.

• The validation protocols for testing the safety functions are derived from the SRS.

• The SRS should include the following: Description of the function, environmental requirements, response times, operating modes, fault handling requirements, diagnostics, safe parameters, fault exclusion, failure modes, etc.

Page 24:

Six Steps to Performance Level

Once the Safety Functions have been identified and defined, there are six basic steps required to determine the Performance Level.

Step 1 – Determine the required performance level (PLr)

Step 2 – Identify the SRP/CS Components & Design Block Diagram

Step 3 – Evaluate the Performance Level (PL)

Step 3a - Category

Step 3b - Mean Time to Dangerous Failure (MTTFd)

Step 3c - Diagnostic Coverage (DC)

Step 3d - Common Cause Failure (CCF)

Step 4 – Develop Safety-Related Software (If Required)

Step 5 – Verification of Performance Level (PL > PLr)

Step 6 – Validation that all requirements are met



Page 26:

Performance Level Required

• The Risk Assessment determines the Performance Level required, PLr

• Creates the Foundation of the Safety System Functional Requirements, System Design and Validation Protocol

• Shows “Due Diligence” and compliance to standards

[Risk graph figure: starting from the task/hazard, the branches S1/S2, then F1/F2, then P1/P2 lead to the required Performance Level PLr, from a (low contribution to risk reduction) to e (high contribution to risk reduction)]

S = Severity, F = Frequency or Duration of Exposure, P = Avoidance Probability
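The risk graph on this slide, worked as an added Python example (not code from the presentation): the three binary decisions S, F and P are encoded as a lookup that returns PLr, following the mapping of ISO 13849-1:2006 Annex A, Figure A.1. The two sample hazards in the `__main__` section are constructed for illustration and are not from the slide.

```python
"""Risk graph of ISO 13849-1:2006 Annex A (Figure A.1) for determining PLr.

Added example; not code from the original presentation. It encodes the
three binary decisions the slide shows (S, F, P) and the resulting PLr.
"""

# Risk parameters as used by ISO 13849-1 Annex A:
# S1/S2: slight (normally reversible) / serious (normally irreversible) injury
# F1/F2: seldom-to-less-often / frequent-to-continuous exposure
# P1/P2: possible / scarcely possible to avoid the hazard
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}

PL_ORDER = "abcde"  # a = lowest contribution to risk reduction, e = highest


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Walk the risk graph and return the required performance level PLr."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"unknown risk parameters {key}; expected S1/S2, F1/F2, P1/P2")
    return RISK_GRAPH[key]


def worst_case_plr(hazards) -> str:
    """Given several (S, F, P) tuples covered by one safety function, return the
    most demanding PLr, since the SRP/CS must satisfy every hazard it addresses."""
    levels = [required_pl(*h) for h in hazards]
    return max(levels, key=PL_ORDER.index)


if __name__ == "__main__":
    # Constructed sample hazards (hypothetical, not from the presentation):
    # a press guard door (serious injury, frequent access, avoidable) and a
    # conveyor pinch point (slight injury, frequent, scarcely avoidable).
    hazards = [("S2", "F2", "P1"), ("S1", "F2", "P2")]
    for h in hazards:
        print(h, "->", "PL" + required_pl(*h))
    print("worst case PLr:", "PL" + worst_case_plr(hazards))
```

`worst_case_plr` is the useful part in practice: one safety function (an interlocked door, say) often covers several hazards, and the PLr that carries forward into the SRS is the highest one.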

Page 27:

PLr Equivalents?

Risk category (as determined from the risk assessment) and its approximate equivalents:

RIA 15.06 Risk Category – ISO 13849 Performance Level – EN 954 Category – ANSI B11.19

R1 – e – Cat 3+ – Control Reliable (4.5.4)
R2A – d – Cat 3+ – Control Reliable (4.5.4)
R2B – d – Cat 2 – Single CH with Monitoring (4.5.3)
R2B – c – Cat 2 – Single CH with Monitoring (4.5.3)
R2C – c – Cat 1 – Single CH (4.5.2)
R3A – b – Cat 1 – Single CH (4.5.2)
R3B – b – Cat B – Simple (4.5.1)
R4 – a – Cat B – Simple (4.5.1)

Note: Intended to show approximate equivalency for guidance only; attaining the corresponding PL or SIL requires more information and calculation based on several additional factors


Page 29:

Identify Component & Block Diagram

• Typical safety function diagram:

INPUT (sensing element) → LOGIC SOLVING (control element) → OUTPUT (final element or actuator)

• The designer shall select an architecture that will meet the needs of the safety function.

– Category B, 1, 2, 3 or 4


Page 31:

Evaluate Performance Level

[ISO 13849-1, Figure 5: bar chart of the Performance Level reached (a to e) for each designated architecture column – Cat B DCavg none; Cat 1 DCavg none; Cat 2 DCavg low; Cat 2 DCavg medium; Cat 3 DCavg low; Cat 3 DCavg medium; Cat 4 DCavg high – with the bar height set by MTTFd low, medium or high]

*Common Cause Failure and quality measures to avoid systematic failures not shown.
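As an added example (not code from the presentation), the Figure 5 bar chart is encoded as its tabular equivalent, ISO 13849-1:2006 Table 7, together with the Step 5 check that the achieved PL is at least PLr. The boolean `ccf_measures_ok` stands in for the CCF scoring the footnote says the figure omits; it is this example's simplification, not a parameter from the standard, and the design values in `__main__` are constructed.

```python
"""Simplified PL evaluation per ISO 13849-1:2006 Table 7 (the bar chart of
Figure 5 on the slide) and the Step 5 check PL >= PLr.

Added example; not code from the presentation. The Category/DCavg/MTTFd to
PL mapping is the standard's Table 7. CCF and systematic measures are
represented only by a boolean gate, matching the slide's footnote that the
figure does not show them.
"""

PL_ORDER = "abcde"

# Columns: (Category, DCavg); rows: MTTFd of each channel.
# None means the combination is "not covered" by the simplified procedure.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def achieved_pl(category, dc_avg, mttfd_level, ccf_measures_ok=True):
    """Return the PL reached by a designated architecture, or None if the
    combination is not covered. For Categories 2, 3 and 4 the standard also
    requires the Annex F CCF score (65 points or more); without it the
    simplified procedure does not apply, so None is returned."""
    col = (str(category).upper(), dc_avg.lower())
    if col not in TABLE_7:
        raise ValueError(f"category/DCavg pair {col} is not a designated architecture")
    if col[0] in ("2", "3", "4") and not ccf_measures_ok:
        return None
    return TABLE_7[col][mttfd_level.lower()]


def verify(pl, plr):
    """Step 5: the achieved PL must be at least the required PLr."""
    if pl is None:
        return False
    return PL_ORDER.index(pl) >= PL_ORDER.index(plr)


if __name__ == "__main__":
    # Constructed design: Category 3, medium DCavg, high MTTFd per channel,
    # checked against a PLr of d from the risk assessment (hypothetical values).
    pl = achieved_pl("3", "medium", "high")
    print("achieved PL:", pl, "| PLr d satisfied:", verify(pl, "d"))
    # Category B with no diagnostics cannot exceed PL b, however good the MTTFd.
    print("Cat B, no diagnostics, high MTTFd:", achieved_pl("B", "none", "high"))
```

The two `None` cases are the ones that trip up reviews: a single-channel Category B design with excellent components is still "not covered" at high MTTFd, and a Category 4 design with the right DC but only medium MTTFd does not reach PL e at all.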


Page 33:

Typical Implementation

Designated Architecture Category B

The structure and behaviour of the safety function under fault conditions

Requirements:

• Basic safety principles

• Withstand expected operating stresses, influence of the processed material, and other relevant external influences

Behaviour under fault conditions: A fault can cause a loss of the safety function.

Callouts on the example: designed to product standards, e.g. IEC 60947-5-2 (not specific safety standards); designed for environment and electrical safety aspects, e.g. IEC 60204-1; PLC is an accepted solution.

Block diagram: Input Device –im– Logic Device –im– Output Device (im = Interconnecting Means)

Example: Sensor → Machine Control → Contactor → Motor

Page 34:

Typical Implementation

Designated Architecture Category 1

The structure and behaviour of the safety function under fault conditions

Requirements:

• Category B

• Well-tried components

• Well-tried safety principles

Behaviour under fault conditions: A fault can cause a loss of the safety function, but is less likely than Category B.

Block diagram: Input Device –im– Logic Device –im– Output Device (im = Interconnecting Means)

Example: Safety Sensor → Machine Control → Safety Contactor → Motor

Page 35:

Examples of well-tried

Safety system designs include ‘well-tried’ engineering principles and ‘well-tried’ components

Basic Safety Principles:

• Installed per Instructions
• Voltage & Current Ratings
• Environmental Conditions
• N.C. Inputs & N.O. Outputs
• Transient Suppression
• No Unexpected Start-up
• Secure Mounting of Devices
• Control Circuit Protection
• Proper Grounding

Well-Tried Safety Principles:

• Use Mechanically Linked Contacts
• Redundant Devices
• Diverse Technologies
• Monitoring/Diagnostics
• Limitation of Energy
• Over-Dimensioning (Factor of 2)
• No Undefined States
• Separation of Safety & Non-Safety
• Fail-to-Safe Operation

Well-Tried Components:

• Direct Opening Switches
• E-Stop Devices
• Fuses/Circuit Breakers
• Contactors
• Mechanically Linked Contacts
• Auxiliary Contactor/Relay
• Interlocks
• Temperature/Pressure Switches
• Programmable Controller

Page 36:

Typical Implementation

Designated Architecture Category 2

The structure and behaviour of the safety function under fault conditions

Requirements:

• Category B

• Well-tried safety principles

• Function is checked at suitable intervals

Behaviour under fault conditions: A fault can lead to the loss of the safety function between checks.

Block diagram: Input Device –im– Logic Device –im– Output Device; Test Equipment monitors (m) the functional channel and drives the Output of TE (im = Interconnecting Means, m = Monitoring)

Example devices: Safety Sensor, Machine Control, Safety Relay, Safety Contactor, Motor

Page 37:

Typical Implementation

Designated Architecture Category 3

The structure and behaviour of the safety function under fault conditions

Requirements:

• Category B, well-tried safety principles

• Single fault does not lead to a loss of safety

• Fault shall be detected at or before demand

Behaviour under fault conditions: When a single fault occurs the safety function is always performed. Some but not all faults will be detected. An accumulation of undetected faults can lead to the loss of the safety function.

Block diagram: two channels, each Input Device –im– Logic Device –im– Output Device, with monitoring (m) within each channel and cross monitoring (c) between the two logic devices (im = Interconnecting Means, m = Monitoring, c = Cross Monitoring)

Example devices: Safety Sensor, Machine Control with Safety Relay, Safety Contactor and Contactor with Monitoring, Motor

Page 38:

Typical Implementation

Designated Architecture Category 4

The structure and behaviour of the safety function under fault conditions

Requirements:

• Category B, well-tried safety principles

• Single fault does not lead to a loss of safety

• An accumulation of faults does not lead to a loss of safety

Behaviour under fault conditions: When a single fault occurs the safety function is always performed. The faults will be detected in time to prevent the loss of the safety function. An accumulation of undetected faults is taken into account.

Block diagram: two channels, each Input Device –im– Logic Device –im– Output Device, with monitoring (m) within each channel and cross monitoring (c) between the two logic devices (im = Interconnecting Means, m = Monitoring, c = Cross Monitoring)

Example devices: Safety Sensor, Machine Control with Safety Relay, Safety Contactor and Contactor with Monitoring, Motor


Page 40:

Mean Time to Dangerous Failure

Denotation of each channel – Range of each channel

Low – 3 years ≤ MTTFd < 10 years

Medium – 10 years ≤ MTTFd < 30 years

High – 30 years ≤ MTTFd < 100 years

For the estimation of MTTFd of a component, the hierarchical procedure for finding data shall be:

1) use manufacturer’s data

2) use methods in Annexes C and D

3) choose ten years

The value for MTTFd of each channel is given in three levels and shall be taken into account for each channel individually, with a maximum of 100 years. MTTFd is a statistical value.

Page 41:

MTTFd Considerations

For mechanical or electromechanical devices:

• Failure is dependent on operating frequency

• Manufacturers will quote a B10d which is derived from testing

• B10d is the number of operations at which 10% of the sample has failed to danger

Example – 100S Safety Contactor (100S-C09 to C97 at AC3):

Contactor – B10d – Days – Hours – Seconds (per cycle) – NOP – MTTFd

100S-C09 to C97 at AC3 – 1333333 – 365 – 16 – 60 – 350400 – 38 Years
100S-C09 to C97 at AC3 – 1333333 – 365 – 16 – 360 – 58400 – 228 Years
100S-C09 to C97 at AC3 – 1333333 – 365 – 16 – 3600 – 5840 – 2283 Years

Page 42:

MTTFd Considerations

For electronic devices:

• Failure is dependent on time, temperature or environment

• Ratings are generally given as MTTFd or PFHd

• MTTFd – mean time to dangerous failure

• PFHd – probability of dangerous failure per hour

MTTFd = 1 / PFHd (PFHd is per hour, so convert hours to years)

Example – PowerFlex 525 Safe Torque Off


Page 44:

Diagnostic Coverage

• The value for DC is given in four levels. DC is the number of detected dangerous failures divided by the number of all dangerous failures. This is a measure of the effectiveness of the diagnostics.

• For estimation of DC, failure mode and effects analysis or similar methods can be used.

• For SRP/CS consisting of several parts an average DC is used.

• For a simplified approach to estimating DC, see Annex E.

Denotation of DC – Range of DC

None – DC < 60%

Low – 60% ≤ DC < 90%

Medium – 90% ≤ DC < 99%

High – 99% ≤ DC

Page 45:

Calculation of the Average DC

• The Diagnostic Coverages for the individual “Input-Logic-Output” blocks are first determined.

• The individual values are then averaged for the entire safety channel.

[Figure: worked averaging over the blocks of one channel, giving DCavg = 73.3%]
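In ISO 13849-1 Annex E (Equation E.1) the "average" is a weighted one: each block's DC is weighted by its dangerous failure rate 1/MTTFd, so a poorly monitored block that fails often pulls DCavg down far more than a plain mean suggests. The following is an added example, not code from the presentation, with constructed block values; it computes the channel MTTFd, the Annex E DCavg, and the DC band, and contrasts the weighted result with a naive mean.

```python
# Added example, not code from the presentation: average diagnostic coverage of
# one channel per ISO 13849-1 Annex E (Equation E.1), where each block's DC is
# weighted by its dangerous failure rate 1/MTTFd rather than simply averaged.
# The three blocks below are constructed values, not data from any product.

def channel_mttfd(mttfd_years):
    """Channel MTTFd from its blocks (parts-count method): 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in mttfd_years)

def dc_avg(blocks):
    """blocks: (DC as a fraction, MTTFd in years) per Input/Logic/Output block.
    DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(dc / m for dc, m in blocks) / sum(1.0 / m for _, m in blocks)

def naive_avg(blocks):
    """Plain arithmetic mean of the block DCs, shown only for comparison."""
    return sum(dc for dc, _ in blocks) / len(blocks)

def dc_band(dc):
    """The four DC levels of the Diagnostic Coverage table (none/low/medium/high)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    return "medium" if dc < 0.99 else "high"

# Constructed channel: input device (DC 99 %, MTTFd 100 y), logic (DC 99 %, 100 y),
# output contactor with weak monitoring (DC 40 %, MTTFd 15 y)
CHANNEL = [(0.99, 100.0), (0.99, 100.0), (0.40, 15.0)]

if __name__ == "__main__":
    years = channel_mttfd([m for _, m in CHANNEL])
    print(f"channel MTTFd = {years:.1f} years")  # 11.5
    print(f"weighted DCavg = {dc_avg(CHANNEL):.3f} -> {dc_band(dc_avg(CHANNEL))}")  # 0.536 -> none
    print(f"naive mean     = {naive_avg(CHANNEL):.3f} -> {dc_band(naive_avg(CHANNEL))}")  # 0.793 -> low
```

The naive mean would place the channel at DC "low", while the Annex E weighting lands at "none", which changes the row used in the Table 7 verification later on.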

Page 46:

Diagnostic Coverage

The simplified approach is available with the use of Annex E.


Page 48:

Common Cause Failure

Failure which is the result of one or more events and which causes simultaneous failures of two or more separate channels in a multi-channel system, leading to the failure of a safety-related control function.

[Figure: one common cause leading to Failure Channel 1 and Failure Channel 2]

• Common causes are:

– External stress such as excessive temperature or EMI.

– Systematic design failures due to the high complexity of the product or missing experience with the new technology.

– No spatial separation between channels such as common cables or close PCB traces.

– Human errors during maintenance and repair.

Page 49:

Common Cause Failure

• Annex F contains a ‘score card’ with a list of measures typically used to mitigate Common Cause Failures.

• Must achieve a score of 65 out of 100 possible points.

• If the score is < 65, there is not a sufficient allowance for CCF and additional measures must be realized.

• These are failures of different items, resulting from a single event. The failures are not consequences of each other.


Page 51:

Safety-Related Software

Software safety requirements (ISO 13849-1:2006, Clause 4.6)

All lifecycle activities of safety-related embedded or application software (RSLogix 5000) shall primarily consider the avoidance of faults introduced during the software lifecycle. The main objective of the following requirements is to have readable, understandable, testable and maintainable software.


Page 53:

PL Verification

There are three ways to verify the Performance Level (PL) per ISO 13849-1.

Page 54:

Simplified Verification Procedure

ISO 13849-1 Table 7

Page 55:

Verification using DC, MTTFd & PL

[Figure: ISO 13849-1, Figure 5 – bar chart of the Performance Level (a to e) reached by each category/DCavg combination (Cat B DCavg none, Cat 1 DCavg none, Cat 2 DCavg low, Cat 2 DCavg med, Cat 3 DCavg low, Cat 3 DCavg med, Cat 4 DCavg high) for MTTFd low, medium and high.]

*Common Cause Failure and quality measures to avoid systematic failures not shown.

Page 56:

Verification by PFHd Equivalent

ISO 13849-1 Table K.1

Page 57:

Relationship between PL and SIL

Combination of Tables 3 and 4 from ISO 13849-1:2008

You can convert a ‘simple circuit’ calculated in ISO 13849 and apply it to IEC 62061 by using the chart below.

Performance level (PL)    Probability of dangerous failure per hour (PFHd)    Safety Integrity Level (SIL)

a                         ≥ 10^-5 to < 10^-4                                  No special safety requirements

b                         ≥ 3 × 10^-6 to < 10^-5                              1

c                         ≥ 10^-6 to < 3 × 10^-6                              1

d                         ≥ 10^-7 to < 10^-6                                  2

e                         ≥ 10^-8 to < 10^-7                                  3
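The simplified verification of slide 54 (ISO 13849-1 Table 7: Category, DCavg band and MTTFd band give the PL), the Step 5 check PL ≥ PLr, and the PL/PFHd/SIL chart just above can be chained into one check. The following is an added example, not code from the presentation; the Table 7 entries and the MTTFd bands of Table 5 (3 to 10, 10 to 30, 30 to 100 years) are my transcription of the 2008 edition, and the evaluated case is constructed.

```python
# Added example, not code from the presentation: simplified verification per
# ISO 13849-1 Table 7 (category + DCavg band + MTTFd band -> PL), the Step 5
# check PL >= PLr, and the PL / PFHd / SIL chart of the slide above. Table 7 and
# the Table 5 MTTFd bands are my transcription of the 2008 edition; verify them.
PL_ORDER = "abcde"
MTTFD_BANDS = ("low", "medium", "high")

# (category, DCavg band) -> PL for MTTFd low / medium / high; None = not covered
TABLE_7 = {
    ("B", "none"): ("a", "b", None),
    ("1", "none"): (None, None, "c"),
    ("2", "low"): ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"): ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"): (None, None, "e"),
}
# (PL, exclusive upper PFHd bound in 1/h, SIL) from the chart; PL a maps to no SIL
PFHD_CHART = (("e", 1e-7, 3), ("d", 1e-6, 2), ("c", 3e-6, 1), ("b", 1e-5, 1), ("a", 1e-4, None))

def mttfd_band(years):
    """Table 5 bands; outside 3..100 years the simplified procedure does not apply."""
    if years < 3 or years > 100:
        return None
    return "low" if years < 10 else "medium" if years < 30 else "high"

def performance_level(category, dcavg_band, mttfd_years):
    """Step 3 via Table 7: the PL letter, or None when the combination is not covered."""
    band = mttfd_band(mttfd_years)
    row = TABLE_7.get((category, dcavg_band))
    return None if band is None or row is None else row[MTTFD_BANDS.index(band)]

def meets_plr(pl, plr):
    """Step 5: the achieved PL must be at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)

def pl_from_pfhd(pfhd):
    """Classify a PFHd value (dangerous failures per hour) into (PL, SIL) using the chart."""
    for pl, upper, sil in PFHD_CHART:
        if pfhd < upper:
            return (pl, sil)
    return (None, None)  # 1e-4 or worse: no PL is achieved

if __name__ == "__main__":
    # constructed case: Category 3, DCavg medium, channel MTTFd 45 years, PLr = d
    pl = performance_level("3", "medium", 45.0)
    print(pl, meets_plr(pl, "d"))               # d True
    print(performance_level("2", "low", 45.0))  # c: would not satisfy PLr d
    print(pl_from_pfhd(4.7e-7))                 # ('d', 2)
```

A None result means the combination is "not covered" by Table 7 (for example Cat 4 with an MTTFd below the high band), not that a low PL was achieved; such a design needs a different architecture or the full Annex K calculation rather than a lookup.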


Page 59:

Validation

Validation is an evaluated inspection (including analysis and testing) of the safety functions and categories of SRP/CS.

Validation requires fault injection and is typically done off-line.

Goal:

Proof that the SRP/CS complies with the overall safety requirements of the machinery, and proof that the requirements of EN 954-1 or EN ISO 13849-1 are fulfilled.

Method:

Analysis and testing according to the validation plan

Validation requirements are defined in ISO 13849, Part 2.

Page 60:

Validation Documentation

Documents required for validation:

• Specification of the expected performance, of the safety functions and categories

• Drawings and specifications

• Block diagram with functional description of the blocks

• Circuit diagram including interfaces/connections

• Functional description of the circuit diagram

• Time sequence diagram(s) for switching components, signals relevant for safety

• Component lists with item designations, rated values, tolerances etc.

• Analysis of all relevant faults, including the justification of any excluded faults


Page 62:

Need resources?

One hour is quick!

• SafeBook 4 – An overview of safety standards including definitions and examples. Based on ISO 13849.

– Publication SAFEBK-RM002

• Sample Safety Functions – Rockwell Automation has compiled a set of example applications based on ISO 13849.

– Visit www.machinesafetysolutions.com

• Training – Additional training classes are available

– Contact Werner Electric for more details

• Certification – TUV Functional Safety certification is available through Rockwell Automation.

Page 63:

Questions?

Thank you for attending