Functional Safety of Machinery: EN ISO 13849-1 Stewart Robinson Overview of the presentation Defining Safety Functions Avoidance of Systematic Failures Defining Performance Levels Required Verifying Performance Levels Achieved SRP/CS Architectures Component reliability Diagnostic Coverage Common Cause Failures Functional Safety of Machinery: EN ISO 13849-1 Slide 2 References Functional Safety of Machinery: EN ISO 13849-1 Slide 3 1
Standards for Functional Safety Two new functional standards are available for use in the machinery sector Source: BGIA Report 2/2008e Functional Safety of Machinery: EN ISO 13849-1 Slide 4 Which standard to use? EN 62061 Safety of Machinery: Functional safety of electrical, electronic and programmable electronic control systems Technology specific Covers all levels of complexity EN ISO 13849-1 Safety of machinery Safety-related parts of control systems Part 1: General principles for design Is a replacement for EN 954-1 Not technology specific, can be used for any energy source. Can also be used for Programmable Systems (Safety PLC s) Functional Safety of Machinery: EN ISO 13849-1 Slide 5 EN ISO 13849-1 Source: BGIA Report 2/2008e Functional Safety of Machinery: EN ISO 13849-1 Slide 6 2
Overall Risk Estimation/Risk Reduction EN ISO 13849-1 Figure 1 Functional Safety of Machinery: EN ISO 13849-1 Slide 7 Risk estimation general principles Probability of occurence of that harm Risk related to the identified hazard = Severity of the possible harm (Se) and Frequency and duration of exposure (Fr) Probability of occurrence of a hazardous event (Pr) Probability of avoiding or limiting harm (Av) Functional Safety of Machinery: EN ISO 13849-1 Slide 8 Risk Reduction Source: BGIA Report 2/2008e Functional Safety of Machinery: EN ISO 13849-1 Slide 9 3
Safety-Related Controls What is a Safety Related Control System? A control system in a machine should be regarded as being safety-related if it contributes to reducing any risk to an acceptable level or if it is required to function correctly to maintain or achieve safety. Functional Safety of Machinery: EN ISO 13849-1 Slide 10 Systematic failure Failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors the safety requirements specification, the design, manufacture, installation, operation of the hardware, and the design, implementation, etc., of the software. Further information can be found in EN ISO 13849-1, in particular in Annex G Functional Safety of Machinery: EN ISO 13849-1 Slide 11 Frequency of Failures Out of control Why control systems go wrong and how to prevent failure? (Out of control, 2nd edition 2003, Health & Safety Executive HSE UK) Functional Safety of Machinery: EN ISO 13849-1 Slide 12 4
Specifying requirements EN ISO 13849-1 4.2.2 For each safety function the characteristics and the required performance level shall be specified 4.3 Determination of required performance level (PLr) For each selected safety function to be carried out by a SRP/CS, a required performance level (PLr) shall be determined and documented (see Annex A for guidance on determining PLr). Functional Safety of Machinery: EN ISO 13849-1 Slide 13 Safety Functions - Examples Safety related stop function initiated by safeguard Local control function Hold to run Enabling device Muting function Prevention of unexpected start up Control modes and mode selection Emergency stop Functional Safety of Machinery: EN ISO 13849-1 Slide 14 EN ISO 13849-1 Annex A risk graph Functional Safety of Machinery: EN ISO 13849-1 Slide 15 5
Risk Graph Parameters Severity of Injury. S1 Slight injury, (bruise). S2 Severe injury, (Amputation or death). Frequency of exposure to injury. F1 Seldom. F2 Frequent to continuous ( Frequent to continuous are not defined in the standard). Possibility of avoiding the hazard. P1 Possible. P2 Less possible. Based on the speed of approach of the hazard and the ability of the operator to avoid the hazard. If the operator can avoid the hazard then you would choose P1. Functional Safety of Machinery: EN ISO 13849-1 Slide 16 PL / PFHd Functional Safety of Machinery: EN ISO 13849-1 Slide 17 PL and SIL EN ISO 13849-1 Performance Level (PL) Average probability of a dangerous failure per hour [1/h] EN 62061 Safety Integrity Level (SIL) a 10-5 to < 10-4 no special safety requirements b 3 x 10-6 to < 10-5 1 c 10-6 to < 3 x 10-6 1 d 10-7 to < 10-6 2 e 10-8 to < 10-7 3 Functional Safety of Machinery: EN ISO 13849-1 Slide 18 6
Performance Level EN ISO 13849-1 Clause 4.7 Verification that achieved PL meets PLr For each individual safety function the PL of the related SRP/CS shall match the required performance level (PLr) determined according to 4.3 The PL of the different SRP/CS which are part of a safety function shall be greater than or equal to the required performance level (PLr) of this safety function. Functional Safety of Machinery: EN ISO 13849-1 Slide 19 Factors to establish PL The Performance Level achieved depends on: The architectures of the SRP/CS Categories The reliability of components Mean Time To Dangerous Failure (MTTFd) The effectiveness of error detection Diagnostic Coverage (DC) Functional Safety of Machinery: EN ISO 13849-1 Slide 20 Designated Architectures Clause 6 describes designated architectures as categories (B, 1 4). Categories state the required behaviour of a SRP/CS in respect of it s resistance to faults etc. Functional Safety of Machinery: EN ISO 13849-1 Slide 21 7
Categories B SRP/CS shall be designed in accordance with relevant standards 1 SRP/CS shall use well tried components and principles. No protection against faults. 2 SRP/CS shall use well tried principles and functions shall be checked at suitable intervals. Testing rate better than 100 times demand rate. No protection against faults. 3 SRP/CS shall be designed, so that: a single fault in any of these parts does not lead to the loss of the safety function; and whenever reasonably practicable the single fault is detected. 4 SRP/CS shall be designed, so that: a single fault in any of these parts does not lead to a loss of the safety function; and the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of faults shall not lead to a loss of the safety function Functional Safety of Machinery: EN ISO 13849-1 Slide 22 Categories Structure / Category Cat B & Cat 1 Cat 3 Cat 2 Cat 4 Functional Safety of Machinery: EN ISO 13849-1 Slide 23 Architecture - Categories 1 & 2 Type 2 L/C Test rate? Functional Safety of Machinery: EN ISO 13849-1 Slide 24 8
Architectures - Categories 3 & 4 Functional Safety of Machinery: EN ISO 13849-1 Slide 25 Combinations of Categories Cat. B/1? Cat. 1 Cat. 1? Cat. 3/4 Cat. 3? Cat. 2 Cat. 1/2 Cat. 4 Cat. 4 Cat. 4 Cat. 4 Functional Safety of Machinery: EN ISO 13849-1 Slide 26 Component reliability - MTTFd Mean time to dangerous failure, MTTF d The MTTF assumes the fact that every system will fail if you just wait long enough Assessment low medium high MTTF d 3 years MTTF d < 10 years 10 years MTTF d < 30 years 30 years MTTF d < 100 years Functional Safety of Machinery: EN ISO 13849-1 Slide 27 9
Reliability data EN ISO 13849-1, Clause 4.5.2 For the estimation of MTTFd of a component, the hierarchical procedure for finding data shall be, in the order given: a) use manufacturer s data; b) use methods in Annexes C and D; c) choose ten years. What do we do if no data is available? Functional Safety of Machinery: EN ISO 13849-1 Slide 28 Good Engineering Practices Source: BGIA Report 2/2008e EN ISO 13849-1 Annex C Functional Safety of Machinery: EN ISO 13849-1 Slide 29 EN ISO 13849-1 Annex C MTTFd = B10d 0.1 x nop Where B10 d = mean number of cycles until 10% of the components fail dangerously n op = number of operations per year Where d op = number of operating days per year h op = number of operating hours per day t cycle = cycle time in seconds Functional Safety of Machinery: EN ISO 13849-1 Slide 30 10
Diagnostic Coverage Diagnostic Coverage is the fractional decrease in the probability of dangerous hardware failures, resulting from the use of automatic diagnostic tests. This is determined using the following equation DC = l DD / l Dtotal l DD is the probability of detected dangerous failures l Dtotal is the probability of total dangerous failures. Functional Safety of Machinery: EN ISO 13849-1 Slide 31 EN ISO 13849-1 Diagnostic Coverage Functional Safety of Machinery: EN ISO 13849-1 Slide 32 DCavg in accordance with EN ISO 13849-1 Determine the DC avg, (diagnostic coverage) Formula for DC avg Where d1, d2 and dn represent the separate parts of the SRP/CS Functional Safety of Machinery: EN ISO 13849-1 Slide 33 11
Diagnostic Coverage (DC) Diagnostic coverage is divided into 4 levels. Denotation None Low Medium High Range of DC DC < 60% 60% DC < 90% 90% DC < 99% 99% DC Functional Safety of Machinery: EN ISO 13849-1 Slide 34 Relationship - PL and Cat, DC, MTTFd Functional Safety of Machinery: EN ISO 13849-1 Slide 35 Performance Level Annex K Table K.1 Numerical representation of Figure 5 Functional Safety of Machinery: EN ISO 13849-1 Slide 36 12
EN ISO 13849-1 - Common Cause Failure Functional Safety of Machinery: EN ISO 13849-1 Slide 37 PFH D of the Function The PFH D of the Function is the sum of the PFH D of each of the SRP/CS (subsystems) that make up the Function Sensor Logic Actuator Sensor Actuator Input Logic Output Sensor Actuator PFH Dtotal PFH PFH PFH... PFH Dss1 Dss2 Dss3 Dssn Functional Safety of Machinery: EN ISO 13849-1 Slide 38 Example 1 Low complexity Functional Safety of Machinery: EN ISO 13849-1 Slide 39 13
Example 2 Source: BGIA Report 2/2008e Functional Safety of Machinery: EN ISO 13849-1 Slide 40 Thank you for listening For more information contact: +44 (0)1642 345637 machinery@tuv-sud.co.uk www.tuv-sud.co.uk/machinery Functional Safety of Machinery: EN ISO 13849-1 Slide 41 14