Functional Safety of Machinery Stewart Robinson PDF

Functional Safety of
Machinery:
EN ISO 13849-1
Stewart Robinson
TV SD Product Service
Overview of the presentation
Defining Safety Functions

Avoidance of Systematic Failures
Defining Performance Levels Required
Verifying Performance Levels Achieved
SRP/CS Architectures
Component reliability
Diagnostic Coverage
Common Cause Failures
12/12/2012
Functional Safety of Machinery: EN ISO 13849-1
Slide 2
References
12/12/2012
Slide 3
Standards for Functional Safety

Two new functional standards are available
for use in the machinery sector
Source: BGIA Report 2/2008e
12/12/2012
Slide 4
Which standard to use?
EN 62061
Safety of Machinery: Functional safety of electrical,
electronic and programmable electronic control systems
Technology specific
Covers all levels of complexity
EN ISO 13849-1
Safety of machinery Safety-related parts of control
systems Part 1: General principles for design
Is a replacement for EN 954-1
Not technology specific, can be used for any energy
source.
Can also be used for Programmable Systems (Safety
PLCs)
12/12/2012
Slide 5
EN ISO 13849-1
12/12/2012
Slide 6
Overall Risk Estimation/Risk Reduction
EN ISO 13849-1 Figure 1
12/12/2012
Slide 7
Risk estimation general principles
Probability of occurence of that harm
Risk related
to the
identified
hazard
Severity
of the
possible
harm
(Se)
Frequency and duration of exposure (Fr)
and
Probability of occurrence of
a hazardous event (Pr)
Probability of avoiding or
limiting harm (Av)
12/12/2012
Slide 8
Risk Reduction

12/12/2012
Slide 9
Safety-Related Controls
What is a Safety Related Control

System?
A control system in a machine should be
regarded as being safety-related if it contributes
to reducing any risk to an acceptable level or if it
is required to function correctly to maintain or
achieve safety.
12/12/2012
Slide 10
Systematic failure
Failure related in a deterministic way to a certain

cause, which can only be eliminated by a
modification of the design or of the manufacturing
process, operational procedures, documentation or
other relevant factors
the safety requirements specification,
the design, manufacture, installation, operation of the
hardware, and
the design, implementation, etc., of the software.
Further information can be found in EN ISO 138491, in particular in Annex G
12/12/2012
Slide 11
Frequency of Failures
Out of control
Why control systems go wrong and how to
prevent failure?
(Out of control, 2nd edition 2003, Health & Safety Executive HSE UK)
12/12/2012
Slide 12
Specifying requirements
EN ISO 13849-1
4.2.2 For each safety function the characteristics
and the required performance level shall be
specified
4.3 Determination of required performance level

(PLr)
For each selected safety function to be carried out by a
SRP/CS, a required performance level (PLr) shall be
determined and documented (see Annex A for guidance
on determining PLr).
12/12/2012
Slide 13
Safety Functions - Examples
Safety related stop function initiated by safeguard

Local control function
Hold to run
Enabling device
Muting function
Prevention of unexpected start up
Control modes and mode selection
Emergency stop
12/12/2012
Slide 14
EN ISO 13849-1 Annex A risk graph
12/12/2012
Slide 15
Risk Graph Parameters
Severity of Injury.
S1 Slight injury, (bruise).
S2 Severe injury, (Amputation or death).
Frequency of exposure to injury.

F1 Seldom.
F2 Frequent to continuous ( Frequent to continuous
are not defined in the standard).
Possibility of avoiding the hazard.

P1 Possible.
P2 Less possible.
Based on the speed of approach of the hazard and the ability
of the operator to avoid the hazard. If the operator can avoid
the hazard then you would choose P1.
12/12/2012
Slide 16
PL / PFHd
12/12/2012
Slide 17
PL and SIL
EN ISO 13849-1
Performance Level
(PL)
Average probability
of a dangerous
failure per hour [1/h]
EN 62061
Safety Integrity
Level (SIL)
10-5 to < 10-4
no special safety
requirements
3 x 10-6 to < 10-5
10-6 to < 3 x 10-6
10-7 to < 10-6
10-8 to < 10-7
12/12/2012
Slide 18
Performance Level
EN ISO 13849-1 Clause 4.7

Verification that achieved PL meets PLr
For each individual safety function the PL of the related
SRP/CS shall match the required performance level
(PLr) determined according to 4.3
The PL of the different SRP/CS which are part of a safety
function shall be greater than or equal to the required
performance level (PLr) of this safety function.
12/12/2012
Slide 19
Factors to establish PL
The Performance Level achieved depends on:

The architectures of the SRP/CS
Categories
The reliability of components

Mean Time To Dangerous Failure (MTTFd)
The effectiveness of error detection

Diagnostic Coverage (DC)
12/12/2012
Slide 20
Designated Architectures
Clause 6 describes designated architectures

as categories (B, 1 4). Categories state the
required behaviour of a SRP/CS in respect of its
resistance to faults etc.
12/12/2012
Slide 21
Categories
SRP/CS shall be designed in accordance with relevant standards
SRP/CS shall use well tried components and principles. No protection against
faults.
SRP/CS shall use well tried principles and functions shall be checked at
suitable intervals. Testing rate better than 100 times demand rate. No
protection against faults.
SRP/CS shall be designed, so that: a single fault in any of these parts does
not lead to the loss of the safety function; and whenever reasonably
practicable the single fault is detected.
SRP/CS shall be designed, so that: a single fault in any of these parts does
not lead to a loss of the safety function; and the single fault is detected at or
before the next demand upon the safety function. If this is not possible, then
an accumulation of faults shall not lead to a loss of the safety function
12/12/2012
Slide 22
Categories
Structure / Category
Cat B & Cat 1
Cat 3
Cat 2
Cat 4
12/12/2012
Slide 23
Architecture - Categories 1 & 2
Type 2 L/C
12/12/2012
Test rate?
Slide 24
Architectures - Categories 3 & 4
12/12/2012
Slide 25
Combinations of Categories
Cat. B/1?
Cat. 1
Cat. 1?
Cat. 3/4
Cat. 3?
Cat. 2
Cat. 1/2
Cat. 4
Cat. 4
12/12/2012
Cat. 4
Cat. 4
Slide 26
Component reliability - MTTFd
Mean time to dangerous failure, MTTFd

The MTTF assumes the fact that every system will
fail if you just wait long enough
Assessment
MTTFd
low
3 years MTTFd < 10 years
medium
high
12/12/2012
Slide 27
Reliability data
EN ISO 13849-1, Clause 4.5.2

For the estimation of MTTFd of a component, the
hierarchical procedure for finding data shall be, in
the order given:
a) use manufacturers data;
b) use methods in Annexes C and D;
c) choose ten years.
What do we do if no data is available?
12/12/2012
Slide 28
Good Engineering Practices
EN ISO 13849-1 Annex C
12/12/2012
Slide 29
EN ISO 13849-1 Annex C
MTTFd
B10d
0.1 x nop
Where B10d = mean number of cycles until 10% of the components

fail dangerously
nop
= number of operations per year
Where dop = number of operating days per year

hop = number of operating hours per day
tcycle = cycle time in seconds
12/12/2012
Slide 30
Diagnostic Coverage
Diagnostic Coverage is the fractional decrease in the
probability of dangerous hardware failures, resulting from the
use of automatic diagnostic tests.
This is determined using the following equation
DC = lDD / lDtotal
l DD is the probability of detected dangerous failures
lDtotal is the probability of total dangerous failures.
12/12/2012
Slide 31
EN ISO 13849-1 Diagnostic Coverage
12/12/2012
Slide 32
DCavg in accordance with EN ISO 13849-1

Determine the DCavg, (diagnostic coverage)
Formula for DCavg
Where d1, d2 and dN represent

the separate parts of the SRP/CS
12/12/2012
Slide 33
Diagnostic Coverage (DC)
Diagnostic coverage is divided into 4

levels.
Denotation
Range of DC
None
DC < 60%
Low
60% DC < 90%
Medium
90% DC < 99%
High
99% DC
12/12/2012
Slide 34
Relationship - PL and Cat, DC, MTTFd
12/12/2012
Slide 35
Performance Level Annex K

Table K.1 Numerical representation of Figure 5
12/12/2012
Slide 36
EN ISO 13849-1 - Common Cause Failure
12/12/2012
Slide 37
PFHD of the Function

The PFHD of the Function is the sum of the PFHD of
each of the SRP/CS (subsystems) that make up the
Function
Sensor
Logic
Actuator
Sensor
Actuator
Input
Logic
Output
Sensor
Actuator
PFH Dtotal PFH Dss1 PFH Dss 2 PFH Dss3 .... PFH Dssn
12/12/2012
Slide 38
Example 1
Low complexity
12/12/2012
Slide 39
Example 2

12/12/2012
Slide 40
Thank you for listening

For more information contact:
+44 (0)1642 345637
machinery@tuv-sud.co.uk
www.tuv-sud.co.uk/machinery
12/12/2012
Slide 41

Functional Safety of Machinery Stewart Robinson PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Functional Safety of Machinery Stewart Robinson PDF

Uploaded by

Copyright:

Available Formats

Functional Safety of

Overview of the presentation

Defining Safety Functions

Common Cause Failures

Functional Safety of Machinery: EN ISO 13849-1

Functional Safety of Machinery: EN ISO 13849-1

Standards for Functional Safety

Source: BGIA Report 2/2008e

Functional Safety of Machinery: EN ISO 13849-1

Which standard to use?

Functional Safety of Machinery: EN ISO 13849-1

Source: BGIA Report 2/2008e

Functional Safety of Machinery: EN ISO 13849-1

Overall Risk Estimation/Risk Reduction

EN ISO 13849-1 Figure 1

Functional Safety of Machinery: EN ISO 13849-1

Risk estimation general principles

Probability of occurence of that harm

Frequency and duration of exposure (Fr)

Functional Safety of Machinery: EN ISO 13849-1

Source: BGIA Report 2/2008e

Functional Safety of Machinery: EN ISO 13849-1

What is a Safety Related Control

Functional Safety of Machinery: EN ISO 13849-1

Failure related in a deterministic way to a certain

Further information can be found in EN ISO 138491, in particular in Annex G

Functional Safety of Machinery: EN ISO 13849-1

Functional Safety of Machinery: EN ISO 13849-1

4.3 Determination of required performance level

Functional Safety of Machinery: EN ISO 13849-1

Safety Functions - Examples

Safety related stop function initiated by safeguard

Functional Safety of Machinery: EN ISO 13849-1

EN ISO 13849-1 Annex A risk graph

Functional Safety of Machinery: EN ISO 13849-1

Risk Graph Parameters

Frequency of exposure to injury.

Possibility of avoiding the hazard.

Functional Safety of Machinery: EN ISO 13849-1

Functional Safety of Machinery: EN ISO 13849-1

10-5 to < 10-4

3 x 10-6 to < 10-5

10-6 to < 3 x 10-6

10-7 to < 10-6

10-8 to < 10-7

Functional Safety of Machinery: EN ISO 13849-1

EN ISO 13849-1 Clause 4.7

Functional Safety of Machinery: EN ISO 13849-1

The Performance Level achieved depends on:

The reliability of components

The effectiveness of error detection

Functional Safety of Machinery: EN ISO 13849-1

Clause 6 describes designated architectures

Functional Safety of Machinery: EN ISO 13849-1

SRP/CS shall be designed in accordance with relevant standards

Functional Safety of Machinery: EN ISO 13849-1

Cat B & Cat 1

Functional Safety of Machinery: EN ISO 13849-1

Architecture - Categories 1 & 2

Functional Safety of Machinery: EN ISO 13849-1

Architectures - Categories 3 & 4

Functional Safety of Machinery: EN ISO 13849-1