
Specific Background Information on EN ISO 13849-1:2006 for Schmersal/Elan Sales & Technical Staff and for Interested Customers.

Explanation of frequently used abbreviations.


B10d value: Number of cycles until 10 % of the components in a random sample of at least 7 prototypes have failed dangerously. This applies to components affected by wear, i.e. mechanical, pneumatic and electromechanical components.

CCF: Common Cause Failure: faults with a common cause, in which components which, for reasons of safety, process the same thing several times simultaneously all fail at the same time. For example a car in which all 4 brakes malfunction at the same time.

DC: Diagnostic Coverage: degree of diagnostic coverage, i.e. the capability for fault detection, which is usually automatic.

MTTFd: Mean Time To Dangerous Failure: mean time to a dangerous failure of a component or device. This information must not be confused with a guaranteed service life (1).

(1) The index d stands for failures in a dangerous direction. For example: a transistor fails and does not switch off (i.e. dangerous in the sense of functional machine safety); by contrast, a transistor that fails and does not switch on is not dangerous in the sense of functional machine safety, although it affects operation. See also glossary section, keyword Failure Rates.

PFH/PFHd: Probability of Dangerous Failure per Hour. In the case of this value it is not particularly common to differentiate using the index d, i.e. both a PFH and a PFHd value are generally taken to mean the dangerous failure direction.

PL: Performance Level (EN ISO 13849-1:2006). There are 5 PLs (a, b, c, d, e), whereby the safety-related quality increases from a to e in line with the growing level of risk to be covered.

SIL: Safety Integrity Level (EN IEC 62061:2005). There are 3 SILs (1, 2, 3), whereby the safety-related quality increases from 1 to 3 in line with the growing level of risk to be covered.

CC: Control Category (B, 1, 2, 3, 4). The category already decisively (deterministically) dictates the safety-related quality of an SRP/CS. While CC B and CC 1 deal with the quality of the components used, higher categories demand additional components (channels) which are able to compensate for the failure of individual components.

SRP/CS: Safety-Related Part of a Control System.

Sub-PL/Sub-SIL: PL or SIL at subsystem level. A subsystem is a system which, with reference to a partial task, already performs a safety function appropriately (for example an input module which safely detects inputs).

T10d value: Guide value for a preventive replacement (10 % of the B10d value). With this value approximately 63 % of all components have already failed dangerously. Here the EN ISO 13849-1:2006 standard recommends replacement.

Foreword
With the coming into force of the EN ISO 13849-1:2006 and EN IEC 62061:2005 standards, the subject of designing safety-related parts of control systems takes on a new shape, in which an SRP/CS will in future be composed of a combination of deterministic (1) and probabilistic (2) approaches. Added to this are a few equally important new requirements under the keywords Systematic Faults and Software (see glossary section, keywords Annex G and Software).

This paper is intended to provide you with background information on the subject of the new SRP/CS standardisation which will be useful for your everyday work. With reference to the future combination of deterministic and probabilistic SRP/CS approaches, there are some new requirements that our customers must take into account in future. On the other hand our customers will also have greater configuration scope. As a manufacturer of safety components, we are directly affected by these changes and are required to comment on them.

Although for practical reasons we recommend our customers to base future SRP/CS configuration on EN ISO 13849-1:2006 (and the PL philosophy behind this standard), in the following we also take the SIL philosophy into consideration in all areas where it comes into question as an alternative in accordance with EN IEC 62061:2005. Due to disagreements between the standardisation committees about competency, both standards are actually competing to succeed EN 954-1:1996. Nevertheless a decision in favour of EN ISO 13849-1:2006 will not be problematic, since PL and SIL are essentially compatible with each other and the thinking behind them is to a large extent the same (see also glossary section, keyword Standards). We simply regard EN IEC 62061:2005 as more suitable than EN ISO 13849-1:2006 only in special cases.

The following brochure is divided into a Schmersal/Elan device-related Section 1 (Page 7 et seq.), Section 2 containing a discussion with examples (Page 29 et seq.), as well as a general Section 3 (Page 55 et seq.). In addition, Section 4 from Page 67 contains a short glossary section with further information on individual keywords in connection with the new SRP/CS standardisation. If you wish initially to read about the philosophy of EN ISO 13849-1:2006 once again, please start with Section 3.

At this juncture I would like to say thank you to all colleagues who, with their active participation, suggestions and criticism, have contributed to the success of this brochure.

Wuppertal/Wettenberg, June 2008
Friedrich Adams
K.A. Schmersal Holding GmbH & Co. KG, Wuppertal
Head of Schmersal tec.nicum

(1) Deterministic (D): term used in philosophical scientific theory; D means the unambiguous determination and predetermination of occurrences through (definable and reproducible) causes, e.g. fault tolerance through redundancy (tolerances and coincidence are irrelevant!).
(2) Probabilistic: classification of events according to their degree of certainty = probability calculation/probability theory (an area of mathematics).

Contents
Section 1: Information (as foundation for calculations within the meaning of EN ISO 13849-1:2006 and EN IEC 62061:2005) .......... Page 7
Background information .......... Page 8
Information (as foundation for calculations within the meaning of EN ISO 13849-1:2006 and EN IEC 62061:2005) .......... Page 10
Simple single devices in the Schmersal/Elan programme .......... Page 15
Simple single devices in the Schmersal/Elan programme .......... Page 16
Device details in individual cases .......... Page 19
Devices with more complex safety-related functionality .......... Page 23
Devices with more complex safety-related functionality .......... Page 24
Devices with more complex safety-related functionality in the Schmersal/Elan programme .......... Page 25
Device combinations .......... Page 27

Section 2: Deviation and example section .......... Page 29
Deviation: failure detection .......... Page 30
Deviation: fault exclusion .......... Page 32
Deviation: integration of simple single devices into one Sub-PL .......... Page 33
How can I calculate a Sub-PL with devices from the Schmersal/Elan programme? .......... Page 40
Circuitry examples from the BGIA Report .......... Page 47
(1) BGIA circuitry example 8.2.34: guard door monitoring with subsequent signal processing using SRB module or safety SPS (the classic case) .......... Page 48
Deviation on the subject of cascading or series connections .......... Page 49
(2) BGIA circuitry example 8.2.29: cascading or series connections .......... Page 50
(3) BGIA circuitry example 8.2.28: cascading or series connections .......... Page 51
(4) BGIA circuitry example 8.2.18: guard door latching with subsequent signal processing using SRB module or safety SPS (channel 1) and standard SPS (channel 2) .......... Page 52
(5) BGIA circuitry example 8.2.19: guard door latching .......... Page 53

Section 3: Overview of the features and use of EN ISO 13849-1:2006 .......... Page 55
Objective of SRP/CS standardisation .......... Page 56
Performance Level (1) .......... Page 59
Performance Level (2) .......... Page 61
Performance Level (3) .......... Page 66

Section 4: Glossary section / Further information on some keywords and terms .......... Page 67
Addition of failure probabilities .......... Page 68
Additional monitoring switch .......... Page 68
Annex G (in accordance with EN ISO 13849-1:2006) .......... Page 69
Annex K (in accordance with EN ISO 13849-1:2006) .......... Page 69
Architectures .......... Page 71
B10d values .......... Page 72
Bathtub curve .......... Page 74
BGIA .......... Page 75
BGIA disc .......... Page 75
BGIA Report 2/08 .......... Page 76
Calculations (PL calculations) .......... Page 77
CCF (Common Cause Failure), CCF measures, CCF management .......... Page 78
CCF management/measures .......... Page 80
Compatibility SIL <> PL / PL <> SIL .......... Page 80
Control categories .......... Page 80
C (Type C) standards .......... Page 82
Diagnostic Coverage DC .......... Page 83
Estimation of PL and SIL .......... Page 83
Exponential distribution .......... Page 83
Failures .......... Page 84
Failures (systematic failures) .......... Page 84
Failures (random failures) .......... Page 85
Failure rates .......... Page 85
Fault detection DC .......... Page 87
Fault exclusion .......... Page 87
Fault exclusion cable level .......... Page 88
Fault detection (external) .......... Page 89
Hardware reliability MTTFd .......... Page 90
Interlocks and control category .......... Page 90
Level of cable .......... Page 91
Literature .......... Page 91
Low Demand Mode .......... Page 92
Machinery Directive (MD) .......... Page 92
Mission Time (service life) .......... Page 93
MTTFd hardware reliability .......... Page 93
Objective of the SRP/CS standardisation .......... Page 93
Parts count method .......... Page 93
Performance Level .......... Page 93
PFD (Probability of Failure on Demand) .......... Page 94
PL Performance Level .......... Page 94
PLr = required .......... Page 94
PL result graph .......... Page 95
Proof test/proof test interval .......... Page 95
Reliability technology (reliability engineering) .......... Page 95
Result graph (PL) .......... Page 97
Risk graph consideration in accordance with EN ISO 13849-1:2006 .......... Page 97
Risk graph consideration in accordance with EN IEC 62061:2006 .......... Page 97
Risk graph, risk evaluation .......... Page 98
Risk, risk analysis, risk assessment .......... Page 98
Safety function .......... Page 100
Series connections .......... Page 102
Series connections of electromechanical devices .......... Page 102
SIL (Safety Integrity Level) .......... Page 103
SIL Claim Limit (SILCL) .......... Page 104
SISTEMA .......... Page 105
Software .......... Page 105
Standards:
  EN 954-1:1996 .......... Page 106
  EN 954-2 .......... Page 106
  EN ISO 13849-1:2006 .......... Page 107
  EN ISO 13849-2:2003 .......... Page 107
  EN IEC 62061:2005 .......... Page 107
  EN IEC 61508:2001 .......... Page 108
  EN ISO 13849-1:2006 <> EN IEC 62061:2006 (comparison) .......... Page 108
  EN ISO 13849-1:2006 <> EN IEC 62061:2006 (comparison with EN 954-1:1996) .......... Page 109
Symmetrising formula .......... Page 110
T10d value consideration .......... Page 110
Test equipment .......... Page 111
Appendix .......... Page 113
Example of block method (EN ISO 13849-1:2006) .......... Page 114

The information in this brochure has been prepared to the best of our knowledge and belief. However, with the exception of contrary and compelling statutory provisions, we assume no liability for any errors and misunderstandings. The user of this information is not released from the responsibility of checking our information and recommendations for their own use. We ask for your understanding and for this reference to be observed.

Information (as foundation for calculations within the meaning of EN ISO 13849-1:2006 and EN IEC 62061:2005)

Background information

This brochure essentially concentrates on information concerned with calculating (estimating) a Performance Level as used in future by EN ISO 13849-1:2006, and in this respect refers in the main to the so-called Sub-PL consideration methods. Background: in principle there are two possibilities for calculating a Performance Level (PL) for a safety function.

Possibility 1 is based on the so-called block method in accordance with Annex B of EN ISO 13849-1:2006 and is an analysis of the entire SRP/CS. An overall consideration in accordance with the block method is, for example, the standard example that can be found in Annex I of EN ISO 13849-1:2006 (see appendix following the glossary section).

Possibility 2 is the Sub-PL approach, intended as a simplification, which makes use of the so-called combination table (Table 11 of EN ISO 13849-1:2006, see loc. cit.).

Sub-PLs or Sub-SILs* are the basis of the modularisation of an entire SRP/CS into part SRP/CSs (= part or subsystems), which are derived from function blocks (typically function blocks for the input, signal processing and output levels = for input + for logic + for output). See the figure above right. The partition permits a subsequent simplified calculation of the overall PL (or overall SIL) with the aid of the combination table (see loc. cit.).
* In the following, Sub-PLs and Sub-SILs are often mentioned in the same breath, because EN IEC 62061:2005 describes the method of a subsystem consideration as the preferred one.
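As an added illustration of that combination step (example code written for this edition, not part of the brochure or of Schmersal/Elan's own material), the following Python applies the Table 11 rule of EN ISO 13849-1:2006 to a constructed input/logic/output chain; the Sub-PLs in the sample chains are assumed values.

```python
"""Combination of Sub-PLs into an overall PL via Table 11 of EN ISO 13849-1:2006.

Added example, not code from the brochure or from Schmersal/Elan.
Table 11 rule: take the lowest Sub-PL in the series chain (PL_low) and count
how many subsystems have exactly that PL (N_low). Up to a threshold the
overall PL equals PL_low; above it the overall PL drops one level (and for
PL a with N_low > 3 no PL is reached at all).
"""
from typing import Optional, Sequence

PL_ORDER = "abcde"   # index = rank, a lowest, e highest

# Table 11: PL_low -> largest N_low for which the overall PL still equals PL_low.
MAX_N_LOW = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def combine_sub_pls(sub_pls: Sequence[str]) -> Optional[str]:
    """Overall PL of subsystems connected in series, or None if no PL is reached."""
    if not sub_pls:
        raise ValueError("at least one subsystem is required")
    pls = [p.lower() for p in sub_pls]
    for p in pls:
        if p not in PL_ORDER:
            raise ValueError(f"unknown PL {p!r}")
    pl_low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(pl_low)
    if n_low <= MAX_N_LOW[pl_low]:
        return pl_low
    if pl_low == "a":
        return None                      # Table 11: not allowed
    return PL_ORDER[PL_ORDER.index(pl_low) - 1]


def meets_required(sub_pls: Sequence[str], pl_r: str) -> bool:
    """Does the chain reach the required PL (PLr) of the safety function?"""
    result = combine_sub_pls(sub_pls)
    return result is not None and PL_ORDER.index(result) >= PL_ORDER.index(pl_r.lower())


if __name__ == "__main__":
    # Constructed chain (assumed values): input subsystem e, logic e, output d.
    chain = ["e", "e", "d"]
    print(combine_sub_pls(chain), meets_required(chain, "d"))   # d True
    # Constructed chain of four PL d subsystems: N_low = 4 > 3, so the result drops to c.
    print(combine_sub_pls(["d", "d", "d", "d"]))                  # c
```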

On the basis of the Schmersal/Elan product range (as well as the product ranges of our competitors), we must then distinguish between two types of device in connection with a Sub-PL or Sub-SIL approach, namely between the group of "simple single devices with safety function" and the group of "devices with more complex safety-related functionality".

The fundamental difference between the two groups lies in their differing device architectures. There are architectures (see figure on left) with (automatic) external diagnosis and architectures (see figure on right) with (automatic) self-diagnosis (see loc. cit.). "Automatic" here, in both cases, essentially means performed by the system itself, i.e. independent of will.

CAUTION: The PFHd classifications above apply to an overall PL (or overall SIL). Only proportions of them may be consumed by the individual subsystems. Recommendation: a max. of 20 % each for and , so that > 60 % for .


All well-known manufacturers will gradually expand their technical data, if they have not already done so, to include information within the meaning of EN ISO 13849-1:2006 and EN IEC 62061:2005, or will be able to make such information available upon request. In addition to the information from manufacturers there are a number of other sources available to us (starting with EN ISO 13849-1:2006 [Annex C] and EN IEC 62061:2005 itself and the standard SN 29000, through to [relatively outdated] MIL manuals etc.). Both standards, however, clearly state that the use of manufacturer information is preferable.

Information will differ depending on the type of device. A differentiation must be made according to whether the objects concerned are components (e.g. electronic components), simple single devices (e.g. simple safety switching devices), or devices with more complex safety-related functionality. The latter may also include combinations of devices. Components will not be considered further in the following.

Furthermore, the basic difference lies in the fact that devices with more complex safety-related functionality and device combinations are already provided with an inbuilt specific safety-oriented architecture (in other words CC 2 and higher) and have their own fault detection capabilities (through their own intelligence). We could also speak of an ability for self-diagnosis. Devices with more complex safety-related functionality therefore have a higher inbuilt Sub-PL or Sub-SIL.

On the other hand simple single devices, for example simple safety switches, usually only have a simple architecture (they are at best 2-channelled). In particular, however, there is no self-diagnosis ability. With these devices faults are detected by other SRP/CS parts which are upstream or downstream of the simple single devices, such as by an SRB module with AZ16 switches. In this respect we can also speak here of external diagnosis.

Simple single devices are also termed part or subsystem elements in standardisation. Simple single devices (without additional external diagnosis) generally only have a low Sub-PL or Sub-SIL (depending on the probability of failure, a maximum of PL c or SIL 1); however, with corresponding arrangements (keyword Multiple channel capability) and in connection with additional fault detection measures (keyword External diagnosis) they can be strengthened to Sub-PL e or Sub-SIL 3. Here it may be necessary to additionally establish a 2-channelled arrangement/design (1).

In simple terms this means that (apart from exceptions) simple switches, even if they are electrically two-channelled, cannot have a category higher than 1, a Sub-PL higher than c or a Sub-SIL higher than 1. Only when a downstream intelligence also detects faults is it possible, e.g. in conjunction with 2-channel capability or similar, to assign higher categories, PLs or SILs to such switches.



Typical examples of simple single devices are valves and cylinders for fluid technology (hydraulics, pneumatics), auxiliary and contactor relays, emergency-stop control devices, position switches, interlocking devices including magnetic safety switches, enabling switches etc. In future a reliability value in the form of a B10d value (max. switching capacity) will generally be specified for devices of this nature if they are affected by wear and tear during use, or, where applicable, an MTTFd value (in years) for new devices.

Safety switches with separate actuator

Safety magnet switches

Plastic and metal encapsulated safety guard locks

Trapped-key systems

Position switches with safety function

Emergency-stop equipment

Enabling switches

Pull-wire switches with convenient and wiretensioning device

Safety foot switches

PS: Other expressions for failure probability, e.g. or FIT values, are found in other standards and in other contexts of reliability engineering. These can easily be converted into MTTFd values. So-called MTBF values (= Mean Time Between Failures) can, in the context of EN ISO 13849-1:2006, be equated with MTTF values. The index d for "dangerous" or "dangerous failures" must be heeded. In accordance with EN ISO 13849-1:2006, values without the index d are generally divided according to a 50:50 ratio (where only every other failure is of interest), i.e. an MTTFd is twice as high as the MTTF (for all possible failures). The same correlation exists between B10d and B10 values.


Devices with more complex functionality (subsystems and above), on the other hand, are constructed by the manufacturer such that they can be evaluated independently from a safety-related perspective, without the need to refer to other parts of the SRP/CS. The manufacturer's information is then a Sub-PL or a Sub-SIL (with the corresponding PFHd value in each case). Typical examples of devices with more complex safety-related functionality are safety relay modules, microprocessor-based safety sensors, safety SPSs, safety-oriented bus systems and similar.

Contactless guard lock with inductive working principle

Safety PLC system PROTECT PSC

Electronic safety sensor CSS 34

AS-Interface Safety at Work bus-system

Safety light curtains

Safety light barriers

Safety laser scanner

PS: in the case of PFH values it is not particularly common to differentiate using the index d, i.e. both a PFH value and a PFHd value are generally taken to mean the dangerous failure direction.

Device combinations are equated with devices that have more complex safety-related functionality, e.g. the combination of BNS magnetic safety switches and the special corresponding AES evaluation components, which in this way (in combination) similarly represent a safety-related, self-contained, complete functionality for which a higher Sub-PL or Sub-SIL can be determined.

Example of a device combination BNS/AES



CAUTION stumbling block: if simple single devices and devices with more complex safety-related functionality are mixed in an SRP/CS, e.g. a safety switch at the input level and a safety SPS at the logic level, the result may be that there are MTTFd values (or B10d values from which the MTTFd value can be derived, see loc. cit.) for the one subsystem (in this example for the input level subsystem), and a PFHd value for the other subsystem (in this example for the logic level subsystem). One of the two values may have to be converted (if the values have to be added together). Here Annex K of EN ISO 13849-1:2006 may be of assistance (unfortunately only up to 100 y MTTFd; see glossary section, keyword Annex K), or a rough own estimate/extrapolation of the Annex K figures, or the simplified reverse calculation of a PFHd value to a block MTTFd value (1/PFHd ÷ 8,760).

The background to this stumbling block is that, in addition to the deterministic requirements, a PFHd value actually stands behind a PL, which results from 4 consideration parameters from a probability mathematics perspective. In other words the PFHd value is the higher-ranking value (with which devices with more complex safety-related functionality can be described), while the MTTFd value is only a partial aspect as part of a discrete consideration of simple single devices, to which the architecture (control category), the fault detection (DC) and the CCF management are added and which then in total can be described by a PFHd value. The mathematics behind this has been determined by the BGIA (*).

(*) BGIA: Research Institute of Occupational Safety and Health Insurance Association, St. Augustin/Germany


Simple Single Devices in the Schmersal/Elan programme



Calculations of the B10d value

Details on safety-related reliability in the form of a so-called B10d value will generally be specified for devices of this kind in future. Embedding in the architecture (control category), fault detection (DC) and CCF management (see loc. cit.) is a design matter for the customer (and your consultancy). The B10d value is a kind of gross value for calculating an MTTFd value for devices which, due to their technology, are subjected to wear and tear owing to the number of switching cycles and possibly the switching load. The B10d value calculation is necessary because the so-called bathtub curve, with a constant rate of random failures and faults during the so-called mission time, is not deemed to apply exactly to devices affected by wear and tear (see glossary section, keywords B10d value, Bathtub Curve, Mission Time). This means that the failure rate after the early failures for components affected by wear and tear is not constant over time, but generally increases. In other words: the failure rate here is time-dependent. The formulas for converting a B10d value into an MTTFd value are as follows:

In addition, a so-called T10d value must be determined in the case of technologies affected by wear and tear (10 % of the MTTFd value derived from the B10d value). The T10d value is an indicator for the preventive replacement of such a component (where T10d < 20 y). The background to the 10 % share is that, for this period, a constant failure pattern is assumed (the same as the failure pattern of the Bathtub Curve). With the T10d value, in a similar way to the MTTFd value, around 63 % of components in a random sample have failed dangerously. See also glossary section, keyword Exponential Distribution.


Example of a B10d value calculation: A guard door monitoring switch may have a B10d value of 2,000,000. The mechanical plant with protective enclosure in which it is used may operate for 200 days (dop) per year with 2 shifts (hop = 16 h) and the guard door is opened 2 x per hour. This produces an operating cycle number per year of 200 (dop) x 16 (hop, 2 shifts) x 2 (requests/hour) (or, equivalently, tcycle = 1,800 s) = 8,400 nop. This accordingly results in an MTTFd value of 2,381 y (*) (2,000,000 : (0.1 x 8,400) = 2,381). The T10d value (238 y) is irrelevant in this example because it by far exceeds the assumed service life (mission time) for a machine control (20 y) in EN ISO 13849-1:2006.
(*) The limitation of MTTFd values to a maximum of 100 years does not apply here because initially this concerns a single value. Capping/rounding to 100 years per channel takes place, in conjunction with other MTTFd values, only at the end of a PL consideration. CAUTION: in the SISTEMA software (see glossary section, keyword SISTEMA) each subsystem consideration by contrast already leads to rounding/capping. It is therefore recommended to combine the same architectures of an SRP/CS into one SISTEMA-specific subsystem (= several subsystems as defined here but with the same architecture) in order not to have too much rounding/capping.
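The conversions used in the B10d example above, in the PS on MTTF/MTTFd values and in the PFHd stumbling block, collected in one added Python example (not code from the brochure or from Schmersal/Elan). It applies the Annex C formulas of EN ISO 13849-1:2006 and the PFHd bands of its Table 3; the PFHd in the demonstration is a constructed placeholder, and note that the formula yields 6,400 cycles per year from the inputs stated above, so the 2,381 y figure is reproduced from the 8,400 nop the text states.

```python
"""Reliability-figure conversions behind a PL estimate (EN ISO 13849-1:2006).

Added worked example; not code from the brochure or from Schmersal/Elan.
Formulas (Annex C of the standard, as used in the brochure's B10d example):
    n_op  = d_op * h_op * 3600 / t_cycle      operations per year
    MTTFd = B10d / (0.1 * n_op)               years
    T10d  = B10d / n_op  (= MTTFd / 10)       years, preventive replacement guide
Further conversions quoted in the brochure:
    MTTFd = 2 * MTTF                          50:50 dangerous/safe split
    block MTTFd [y] = 1 / (PFHd * 8760)       simplified reverse calculation
"""

HOURS_PER_YEAR = 8760
MISSION_TIME_Y = 20      # assumed service life of a machine control (brochure)
MTTFD_CAP_Y = 100        # per-channel cap applied at the end of a PL consideration

# PFHd bands per PL, Table 3 of EN ISO 13849-1:2006: (PL, lower incl., upper excl.)
# in dangerous failures per hour.
PL_BANDS = (
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
)


def cycles_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """n_op: operating days/year x operating hours/day x 3600 / seconds per cycle."""
    if min(d_op, h_op, t_cycle_s) <= 0:
        raise ValueError("d_op, h_op and t_cycle must be positive")
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    """MTTFd in years for a wear-affected component: B10d / (0.1 * n_op)."""
    return b10d / (0.1 * n_op)


def t10d_from_b10d(b10d: float, n_op: float) -> float:
    """T10d in years: time at which the B10d cycle count is reached (= MTTFd / 10)."""
    return b10d / n_op


def mttfd_from_mttf(mttf: float) -> float:
    """MTTF without index d: the standard's 50:50 assumption gives MTTFd = 2 * MTTF."""
    return 2.0 * mttf


def block_mttfd_from_pfhd(pfhd: float) -> float:
    """Simplified reverse calculation of a PFHd (1/h) into a block MTTFd in years."""
    if pfhd <= 0:
        raise ValueError("PFHd must be positive")
    return 1.0 / (pfhd * HOURS_PER_YEAR)


def pl_from_pfhd(pfhd: float):
    """Overall PL reached by a PFHd value, or None outside the Table 3 range."""
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    return None


def cap_channel_mttfd(mttfd: float) -> float:
    """Apply the 100 y per-channel cap used at the end of a PL consideration."""
    return min(mttfd, MTTFD_CAP_Y)


def assess_wear_component(b10d, d_op, h_op, t_cycle_s, mission_time_y=MISSION_TIME_Y):
    """Derive n_op, MTTFd and T10d and flag whether T10d falls inside the mission time."""
    n_op = cycles_per_year(d_op, h_op, t_cycle_s)
    mttfd = mttfd_from_b10d(b10d, n_op)
    t10d = t10d_from_b10d(b10d, n_op)
    return {
        "n_op": n_op,
        "mttfd_y": mttfd,
        "t10d_y": t10d,
        "replace_within_mission": t10d < mission_time_y,
    }


if __name__ == "__main__":
    # Brochure inputs: B10d = 2,000,000; 200 days/year; 2 shifts = 16 h; one cycle per 1,800 s.
    print(assess_wear_component(2_000_000, 200, 16, 1800))
    # Same B10d with the 8,400 cycles/year figure stated in the brochure's example.
    print(round(mttfd_from_b10d(2_000_000, 8400)), "y MTTFd,",
          round(t10d_from_b10d(2_000_000, 8400)), "y T10d")
    # Constructed placeholder PFHd for a logic subsystem, converted for a blended calculation.
    pfhd_logic = 2.5e-8
    print(round(block_mttfd_from_pfhd(pfhd_logic)), "y block MTTFd, PL", pl_from_pfhd(pfhd_logic))
```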


CAUTION: The question, or in individual cases the problem, of which control category a simple single device corresponds to also remains unchanged in the future, since the control categories as the essential characteristics of a PL are to remain.

The origin of data for our figures: EN ISO 13849-1:2006 (where nothing else is specified).

Diagnostic coverage: dependent on the downstream signal processing, up to 99 % (see loc. cit.); stand-alone without further measures = DC 0 %. See also loc. cit.

CCF measures (measures against failures due to common cause): the stand-alone evaluation is somewhat difficult. An evaluation in the context of the integration of the simple single devices into the SRP/CS is better, particularly because here too the question arises as to whether and how any 2-channel function has been executed (e.g. whether using physical or electrical redundancy). The simple single devices from the Schmersal/Elan programme, however, at least have the minimum required score of 65 inbuilt (see glossary section, keyword CCF schema from 3.). The reason for this is compliance with the product standardisation of the EN IEC 60947-5 series, their safety and environmentally-related requirements, the lack of EMC sensitivity of the devices etc. Added to this are the (possibly pro rata) points of the consideration units 1. physical separation between the signal paths (1) and, where applicable, 2. diversity (2).

Please note: CCF measures must only be analysed and evaluated as from Control Category 2. For further information: see glossary section, keyword CCF

(1) The individual contacts of devices are galvanically separated. Otherwise protected or separate cable routing should be observed. (2) For example, and depending on approach, with NC contact/NO contact combinations.


Device details in individual cases

Note: where reference is made in the following to NC contacts, these always mean positively opening contacts. In the case of positively opening NC contacts, the information is also understood as load-independent precisely because of this special safety-related feature. See glossary section, keyword Fault Exclusion.

Emergency-stop control devices
B10d value (load-independent): 100,000 (NC contact)
B10d value (max. load): 6,050 (NC contact)
1 or 2 channel capability: depending on the designated architecture (control category)
ALTERNATIVE: fault exclusion as part of the B10d value consideration
Note (1): at maximum load of an emergency-stop control device, in accordance with the standard a B10d value of only 6,050 may be assumed, otherwise 100,000.
Note (2): the new BGIA Report 2/08 deviates here and suggests the general value of 6,050 for applications on machines (the 100,000 would then apply only to devices in laboratories, control centres and similar).
Note (3): with our devices we follow the consideration used by the standard and not the BGIA consideration, for the following reason: the B10d value of 6,050 is a minimum test value from EN IEC 60947-5-5, Paragraph 7.3, for the orderly functionality of the latching mechanism of an emergency-stop control device. Only this minimum value to be achieved is of interest there; conversely, the standard is not interested in how many switching cycles would take place before the latching mechanism failed. We know from our field inspection studies, however, that our devices achieve a minimum of 100,000 correct latching cycles.

Pull wire emergency switch: see emergency-stop control devices.

3-stage enabling switch/push button
B10d value (load-independent): 100,000 (NC contact)
1 or 2 channel capability: depending on the designated architecture (control category)
ALTERNATIVE: fault exclusion as part of the B10d value consideration

Safety foot switch (3-stage versions): see 3-stage enabling switch/push button.

Two-hand control devices (NC contact/NO contact combinations)
B10d value: 20,000,000 (NC contact) (1); 1,000,000 (NO contact) (2); 100,000 (NO contact) (3)
(1) Load-independent. (2) With ohmic or quasi-ohmic load and over-dimensioning, i.e. 10 % of nominal load. (3) With inductive load and over-dimensioning (10 % of nominal load).
Note: in conjunction with two-hand SRB modules and similar, the constraints (1) to (3) do not apply or are covered by the component!

Position switch with integrated operating head (so-called type 1 switch)
B10d value: 20,000,000 (NC contact) (1); 1,000,000 (NO contact) (2); 100,000 (NO contact) (3)
(1) Load-independent. (2) With ohmic or quasi-ohmic load and over-dimensioning, i.e. 10 % of nominal load. (3) With inductive load and over-dimensioning (10 % of nominal load).

1 or 2 channel capability: required with single 2-pole devices depending on the C standard, or fault exclusion in accordance with EN ISO 13849-2:2003 (see footnote on page 10).

Position switch with separate actuator (so-called type 2 switch)
B10d value: 2,000,000 (NC contact) (1); 1,000,000 (NO contact) (2); 100,000 (NO contact) (3)
(1) Load-independent. (2) With ohmic or quasi-ohmic load and over-dimensioning, i.e. 10 % of nominal load. (3) With inductive load and over-dimensioning (10 % of nominal load).

1 or 2 channel capability with safety switches: required with a single 2-pole device depending on the C standard, or fault exclusion in accordance with EN ISO 13849-2:2003 (see footnote on page 10).

Position switch with separate actuator and latch (guard locking)
B10d value: see above (position switch with separate actuator)
1 or 2 channel capability: under consideration of fault exclusion (see the brochure "Safety latch (guard locking) systems for the protection of man and machine" and also glossary section, keywords Interlocks and Control Category) a single device can satisfy the requirements of 2-channel capability, but only in the version with fail-safe locking mechanism (= CC 3). The BGIA Report 2/08 also refers to this possibility and stipulates a second switch merely as additional manipulation protection (which may, however, also be achieved by other measures).
With CC 3 please note:
guard door position monitoring = channel 1
latching (guard locking) position monitoring = channel 2
or
guard door position monitoring = mechanical, via the fail-safe locking mechanism
latching (guard locking) position monitoring (safety contact 1) = channel 1 (electrical)
latching (guard locking) position monitoring (safety contact 2) = channel 2 (electrical)
In other respects: see above and BGIA circuitry example, page 53.
PS on the fail-safe locking mechanism: this design feature, described in EN 1088, means that the solenoid locking bolt can only lock after the actuator has entered the interlock, i.e. when the safety guard is closed. This means that the safety circuit can be enabled using the solenoid contacts only; the actuator contacts are used solely for position indication of the safety guard. Since solenoid interlocks featuring a fail-safe locking mechanism offer a higher degree of safety, the installation of a second device for monitoring the safety guard position can be dispensed with under certain circumstances.

Magnetic safety switch*
B10d value (load-dependent):
20,000,000 (with 20 % load)
7,500,000 (with 40 % load) (1)
2,500,000 (with 60 % load) (1)
1,000,000 (with 80 % load) (1)
400,000 (with 100 % load)
(1) Own values after consulting the BGIA

1 or 2 channel capability: 2-channel capability is also possible with a single device. For BNS/AES device combinations or BNS-capable SRB modules a B10d value consideration and a de-rating as above has no relevance, i.e. we can assume 20,000,000 because the reed contacts in the sensors are switched with max. 20 % load. See also device combinations. In other words: the additional consideration only applies with alternative signal processing. Please do not conclude from this that this cannot work using competitor modules, but rather that this must be checked (current and voltage limitation, switching load etc.).
* In EN ISO 13849-1:2006 magnetic safety switches are rubricated under (subject to wear) proximity switches.

Hinge safety switch (TESF range)
B10d value (load-independent): 2,000,000 (1)

(1) With a maximum safety-related switching angle of 8°. A higher value may be taken into consideration if a larger switching angle is tolerable from a safety-related point of view.

1 or 2 channel capability: 2-channel capability is also possible with a single device when fault exclusion is used for the spindle that executes the rotating movement (protected installation, stress-free actuation).
Note: in the case of TVS 521 hinge safety switches the B10d value consideration takes place with reference to the values for type 1 switches.

Devices with ASi-SaW interface
We recommend adding the failure probability of the device (see above) and the failure probability of the ASi-SaW node. The contribution to the PL of the safety function is determined by the architecture of the safety switching device, according to the theory of the weakest link in the chain; e.g. the safety function with a single AZ 16 can at best remain at PL c, even if the signal processing is performed with self-monitoring. We are currently determining the MTTFd value of an ASi-SaW node.

Afterword: one can rightly ask why the above B10d values vary so greatly although the products concerned, with the exception of the magnetic safety switch, all have positively opening NC contacts. The reason is that other cases of dangerous failure are incorporated into this consideration, e.g. the wear of the mechanics for the latching function of an emergency-stop control device or the ability of a push button to reset (and not to get stuck). In the case of so-called type 2 switches, poor service life experiences with competitor brands in the past play a role in the standard value.

Deviation: Failure detection in case of simple single devices with safety function

As already mentioned several times, failure detection (diagnosis) for simple single devices with a safety function has to be provided by other parts of the SRP/CS, which are upstream or downstream of the simple single devices (normally at the signal processing level). The diagnostic coverage achieved depends on the failure detection functionality (see EN ISO 13849-1:2006, Annex E). In the case of safety relay modules (relay safety combinations), safety PLCs etc. (fulfilling the requirements of Sub-PL e), a DC of 99 % is achieved with 2-channel 1:1 wiring (parallel wiring), but only a DC of 60 % with series connection (daisy-chain connection), because under certain circumstances a fault accumulation cannot be excluded. The DC of other failure detection arrangements must be evaluated individually. The above restriction to 60 % DC for series connections is relevant for circuits executed in traditional electrical technology. For series connections executed in a different technology, e.g. with ASi-SaW devices or with the microprocessor-based devices of Schmersal's CSS family, a diagnostic coverage of 99 % is achieved thanks to their additional intelligence. For simple single devices at the actuator level (e.g. power contactors), please note that a DC of up to 99 % is achievable if the feedback signals integrated into the re-initialisation path (reset path) of the signal processing device are generated by devices with positively guided contacts (in all other cases < 99 % DC). Further information: see page 29 ff.

Devices with more complex safety-related functionality

Foreword

Devices of this kind are typically designated with a Sub-SIL and a corresponding PFHd value. The background to this is that the devices have been developed and certified on the basis of EN IEC 61508-1 to -7:2001, partly because microprocessor technology, for which EN 954-1:1996 is not applicable, is used in them, and partly for other reasons. As is known, owing to the compatibility of the two new SRP/CS standards, a SIL can also be expressed as a PL and vice versa (see conversion table). The bracket between SIL and PL is the PFHd value, from which, if desired, a block MTTFd value may also be derived.

CAUTION: the PFHd classifications above apply to an overall PL (or overall SIL). Only proportions may be consumed for subsystems (recommendation: a max. of 20 % each for two of the three levels input, logic and output, so that > 60 % remains for the third).

Annex K of EN ISO 13849-1:2006 is available for converting a PFHd value into an MTTFd value (tabulated for PFHd values corresponding to a maximum of 100 y MTTFd). According to the BGIA Report 2/08, however, a block MTTFd value can also be calculated in a greatly simplified manner from a PFHd value by forming the reciprocal (which is only permissible in this direction, PFHd to MTTFd): block MTTFd [y] = 1 / (PFHd [1/h] × 8,760 [h/y]). With higher PLs or SILs this is usually several hundred years. The latter may be required if MTTFd and PFHd values are mixed within a chain (input, logic, output).

Devices with more complex safety-related functionality in the Schmersal/Elan programme (*)
(*) The specified PFHd values are predominantly values which have been calculated in the course of device certifications (by the Employers' Liability Insurance Association [BG], the Technical Inspection Authority [TÜV] etc.) in accordance with EN IEC 61508:2001.

Safety sensors CSS 180: Sub-SIL 3, Sub-PL e, PFHd 6.1 × 10^-9
Safety sensors CSS 34: Sub-SIL 3, Sub-PL e, PFHd 3.6 × 10^-9
Safety sensors AZ 200: Sub-SIL 3, Sub-PL e, PFHd 4.0 × 10^-9
Contact-free latching (guard locking) AZM 200: Sub-SIL 3, Sub-PL e, PFHd 4.0 × 10^-9
Contact-free latching (guard locking) MZM 100: Sub-SIL 3, Sub-PL e, PFHd 4.3 × 10^-9
Safety relay modules (architecture: CC 4): Sub-SIL 3, Sub-PL e, PFHd < 9.54 × 10^-8 or MTTFd > 30 y (*)
(*) Additional inspection is necessary because relays are components subject to wear and tear. Basis for calculation, B10d (with load in %): 20,000,000 (20 %), 7,500,000 (40 %), 2,500,000 (60 %), 1,000,000 (80 %), 400,000 (100 %).
Incremental analysis: PFHd < 9.54 × 10^-8 or MTTFd > 30 y results in the case of
6.5 million switching cycles per year (nop/y) at 20 % load
2.5 million switching cycles per year (nop/y) at 40 % load
0.6 million switching cycles per year (nop/y) at 60 % load
0.3 million switching cycles per year (nop/y) at 80 % load
0.1 million switching cycles per year (nop/y) at 100 % load
Correspondingly better PFHd or MTTFd values can be calculated with a smaller number of switching cycles. The B10d value approach is only relevant for the connected output level! A consideration of the input level does not apply (< 20 % load).

For example, a PFHd value of 2.31 × 10^-9 is assumed for safety relay modules in the BGIA Report 2/08 (in a different case 2.69 × 10^-9). There are other examples (e.g. from SIEMENS) that have a PFHd value of 1 × 10^-9.

Safety relay modules (architecture: CC 3): Sub-SIL 3, Sub-PL e, PFHd < 8.84 × 10^-8 (*) or MTTFd > 62 y (including PL d or SIL 2). In other respects: see (accordingly) above (SRB modules with architecture CC 4)!
Safety time delay relay AZS 2305: Sub-SIL 2, Sub-PL d, PFHd 2.5 × 10^-8
ESALAN-Compact safety controllers: Sub-SIL 3, Sub-PL e, PFHd 0.14 × 10^-7 or MTTFd 193 y (for semiconductor outputs) or 0.15 × 10^-7 or MTTFd 192 y (for relay outputs)
PROTECT PSC safety PLCs, 2-channel I/Os: Sub-SIL 3, Sub-PL e, PFHd 1.27 × 10^-8 (2-channel input > 2-channel output); 1.64 × 10^-8 (2 × 2-channel inputs > 2-channel output, e.g. in the case of the Muting operating mode)
PROTECT PSC safety PLCs, 1-channel I/Os: Sub-SIL ?, Sub-PL ?, PFHd (calculation in preparation)
Regarding the failure detection capability (DC) of safety relay modules, safety PLCs etc. for simple single devices: see page 22.

ESALAN-Wireless systems: Sub-SIL 3, Sub-PL e, PFHd 5.5 × 10^-9
Safety light barriers, light grids and curtains (Type 4): Sub-SIL 3, Sub-PL e, PFHd (calculation in preparation). PS: applies only to delivery versions with OSSD outputs and EDM function (therefore without additional evaluation device or SRB module).
Safety light barriers, light grids and curtains (Type 2): Sub-SIL ?, Sub-PL ?, PFHd (calculation in preparation). PS: applies only to delivery versions with OSSD outputs and EDM function (therefore without additional evaluation device or SRB module).

Device combinations

ASi-Safety-at-Work (ASi-SaW)
Solutions with ASi-SaW in the context of an ASi-SaW monitor constitute a combination of devices with a Sub-PL or Sub-SIL. The weakest link of the chain, which is normally to be found at the sensor or output level of the SRP/CS, is decisive. The ASi-SaW monitor itself, in conjunction with the electronics of the ASi-SaW interfaces (placed in the devices or in switching boxes), achieves a Sub-PL e or Sub-SIL 3. The PFHd value of the combination is calculated as 9.1 × 10^-9 (monitor) + PFHd/interface (on request) + PFHd/device (on request). Further information on simple single devices with ASi-SaW interfaces: see page 21.

BNS magnetic safety switch / AES evaluation devices (ranges 11xx, 12xx, 2xxx): Sub-PL d, Sub-SIL 2, PFHd values depending on switching frequency as follows:
6 h^-1: 1 × 10^-8
1 h^-1: 9 × 10^-9
0.1 h^-1: 8.8 × 10^-9

BNS magnetic safety switch / AES 6112 or 7112 evaluation devices: Sub-PL c, Sub-SIL 2, PFHd 1.21 × 10^-6 or MTTFd 75 y at 5,280 nop/y
Safety edges: data in preparation
Safety mats: data in preparation
Safety bumpers: data in preparation

Deviation and example section

Deviation: failure detection


Failure detection is of particular significance in an SRP/CS from two points of view:

While in multiple-channel architectures a first fault may not be critical from a safety-related perspective (owing to redundancy or hardware fault tolerance), failures must nevertheless be detected and lead to an operational obstruction in order to avoid fault accumulation: if further failures were to occur in addition to an undiscovered failure, this might very well lead to a hazardous state, which, in view of the greater risks covered by these architectures, is unacceptable. Thankfully, in the case of simple architectures too, not every hazardous state resulting from a failure leads directly to an accident, and in this respect failure detection has the effect of preventing, where possible, the risk of hazardous states that persist for longer. Common failure detection measures and the degree of the desired effect, in the form of the diagnostic coverage, are listed in Annex E of EN ISO 13849-1:2006 (classified according to measures for the input unit, the logic and the output unit). In order not to have to perform the calculation oneself, EN ISO 13849-1:2006 contains look-up tables with typical measures and their % evaluations (an estimation must be made where necessary).

In addition to the measure or the combination of measures themselves, the possibility of failure detection (and therefore the desired effect of the diagnostic coverage) depends to a considerable extent on the architecture of an SRP/CS. The possibility of failure detection is not available with simple 1-channel architectures (= DC 0 %), because there is no downstream or higher-ranking intelligence which serves this purpose.

The best thing for the input level is 2-channel capability and subsequent signal processing using SRB modules or safety PLCs in conjunction with 1:1 wiring (or comparable), because here a so-called fail-safe comparison takes effect, with which the consistency of the channels is checked (e.g. during the start-up of a machine both channels must be closed in the case of an NC contact arrangement). This corresponds to a DC of 99 % (see Annex E of EN ISO 13849-1:2006). With simple 1-channel architectures this comparison benchmark is logically not available. At the same time 2-channel capability of course also satisfies the so-called single-fault safety requirement for control categories 3 and 4, see glossary section, keyword Control Categories. Test opportunities are also offered by electrical 2-channel capability, the inclusion of feedback signals in the PLC (with subsequent plausibility check) or, typically for downstream contactors, the reading back of feedback signals in the re-initialisation path of the SRP/CS. A feedback loop of positively driven contacts then similarly produces 99 % DC.

Deviation: fault exclusion

Fault exclusion possibility (1): in accordance with EN ISO 13849-1:2006, fault exclusions for devices with positively opening contacts can also be made in future in compliance with EN ISO 13849-2:2003, i.e. the respective simple single devices in the Schmersal/Elan programme can, where justifiable, be completely left out of the PL calculation. The seriousness of a fault exclusion must, however, be weighed also with reference to the following requirement from EN ISO 13849-1:2006: the combination of an SRP/CS starts at the point at which safety-related signals are generated (including, for example, the actuator and the roller of a position switch) and ends at the outputs of the power control elements (including the main contacts of the contactor).

Fault exclusion possibility (2): the recommendation in the BGIA Report 2/08 on the new standard deviates from the preceding versions, suggesting that a fault exclusion for a device in its entirety should only be made in the case of manually operated devices, i.e. emergency-stop control devices, push buttons etc., while for machine-operated devices, i.e. position switches, safety switches etc., the fault exclusion should only be applied to the positively opening contact, i.e. a B10d value consideration should nevertheless be made for the actuating mechanics of the devices.

Recommendation (1): we do not view the above-mentioned BGIA differentiation as practical for our type of devices, because it offers our customers next to nothing. A fault exclusion is either justified or not (see above). The positive opening of the contacts is purely a partial aspect.

Recommendation (2): the use of a fault exclusion should be dispensed with from the outset if an estimation shows that the use of the device lies in the higher range of its B10d value (with position switches, for example, in the case of several 100,000 switching cycles per year; below this number one will in any case regularly lie within the range > 100 y MTTFd).

Recommendation (3): we continue to have concerns when we think about fault exclusions for an entire device in the case of simple position switches (think, for example, of the wear of a drive roller, of shrink holes in the plunger etc.), unless the C standard concerned explicitly tolerates a fault exclusion. See also glossary section, keyword Fault Exclusion.

Deviation: integration of simple single devices into one Sub-PL


CAUTION: the following circuitry examples essentially concern only the input level, i.e. which Sub-PL or Sub-SIL can be achieved in the SRP/CS for simple single devices in conjunction with the downstream signal processing. For SRB modules a diagnostic coverage DC of 99 % usually applies (owing to the plausibility test of the two positively driven channel relays), and for safety PLCs similarly a DC of 99 % (due to the highly dynamic crosswise data comparison of both microcomputer systems in the device). 2-channel control is a prerequisite. Both DC values originate from Annex E of EN ISO 13849-1:2006. An alternative consideration of the diagnostic coverage applies in the case of series-connected electromechanical devices upstream at the input level of an SRB module or a safety PLC. Here, until further notice, we will operate with a restricted DC of 60 % = low (see loc. cit.). Other types of signal processing of simple single devices require special evaluation (likewise see Annex E of EN ISO 13849-1:2006). There are two possibilities when forming a Sub-PL:

Possibility 1 is to form a Sub-PL for the function "simple single device + diagnosis" (through the subsequent signal processing). In this case only the part of the circuitry of an SRB module or a safety PLC that serves failure detection at the input level would be considered, so that the consideration applies only to the input level. Everything which then follows (logic and output levels) is the subject of a separate Sub-PL consideration. This is what the standard means in the following figure (see figure, upper labelling).

Possibility 2 is to form a Sub-PL for the device combination "simple single device + SRB module or safety PLC", so that here the input and logic levels would be combined (see figure, lower labelling). In the case of SRB modules, however, this would also require knowledge of the output level in order to be able to perform an approximate B10d value consideration, because the relay is affected by wear and tear.

The following remarks apply irrespective of whether a decision is taken in favour of possibility 1 or possibility 2:

A more differentiated evaluation is required for the diagnostic coverage of the feedback loop of the downstream actuating elements (usually a matter for the customer). While the measures already alluded to (DC: 99 %, see above) similarly have an effect here, the DC achieved with simple single devices for the output level subsystem depends on the safety-related quality of the feedback signal. 99 % can be assumed in the case of contactors with positively guided contacts, but it will be lower where the signal originates from non-guided contacts, depending among other things on whether and how frequently the output level is incorporated in the normal process and is therefore tested under normal operating conditions (i.e. not safety-critical conditions). These considerations must be made by the customer himself with the aid of Annex E of EN ISO 13849-1:2006 (DC ≥ 60 % ... < 99 %). Note: if fault exclusion is instituted, the input level subsystem and/or the output level do not need to be taken into consideration at all. Consequently the formation of a Sub-PL would be dispensed with here. See also BGIA circuitry examples, page 50.

Example (1): A guard door in an enclosure surrounding a robotic system is to be safeguarded by a TESF switch. The following signal processing takes place with a safety relay module from the PROTECT SRB range for CC 4.

Exercise: what Sub-PL is available for the TESF switch input level? TESF switches are simple single devices without their own diagnostic function; diagnosis takes place in the downstream SRB module. Therefore the TESF switch itself is examined together with the diagnosis function of the SRB module that applies to failure detection at the input level (the TESF switch). Consequently this function (only the input level) is the foundation of our Sub-PL consideration (device combinations of input and logic level are found in Example 3).

Consideration 1: which architecture, under consideration of which fault exclusions, is available?

From a physical point of view a TESF switch is a switch, albeit with two NC contacts (channels) which are independent of each other and each positively opening. The conversion of the rotational movement of the guard door into the plunger actuation of both channels takes place via a 1-channel mechanism (actuating axis), albeit inside the device, i.e. protected and stress-free. We make use of fault exclusion for this small 1-channel part. In other words: the architecture of the TESF switch is 2-channel! The wiring between the TESF switch and the SRB module is protected or in separate sheathed cable (= fault exclusion for the cable level; otherwise cross-wire monitoring is necessary in the SRB module). Wiring of the TESF switch to the SRB module is 2-channel 1:1 according to a circuitry example for CC 4 (no series connection).

THUS: the architecture of the input level subsystem corresponds to CC 4.

Consideration 2: which MTTFd hardware reliability is available? TESF switches are simple single devices which are subject to wear and tear and are therefore specified by a B10d value of 2,000,000. With reference to the calculation example on page 17, this results in an MTTFd value of 2,381 y per channel (capped at 100 y for the classification). Thus a high MTTFd hardware reliability is available!

Consideration 3: which diagnostic coverage DC is available? The failure detection function for the TESF switch is performed by the subsequent PROTECT SRB with 99 % DC (see loc. cit.). Thus a high diagnostic coverage is available!

Consideration 4: which CCF measures have been taken? We can always assume > 65 points for safety components with correct incorporation and installation. For more information see glossary section, keyword CCF. THUS: sufficient CCF measures have been taken (= CCF: o.k.).

Summary according to the bar chart: Architecture (CC): 4; MTTFd: high; DC: high; CCF: o.k.

THUS: Performance Level e

Example (2): As above, however with several TESF switches in series.

Exercise: which Sub-PL is available for the TESF switch input level? It is assumed that at any specific point in time only the safety function of one TESF switch is requested (so that generally only one guard door is opened at a time). This therefore concerns a number of safety functions corresponding to the number of TESF switches on the enclosure; for example, three devices will involve three safety functions. In other words: no addition of the residual failure probabilities of the TESF switches needs to be performed. As a result the combination 1 × TESF switch / SRB diagnosis forms the basis of our Sub-PL consideration. In other respects: see above!

Consideration 1: which architecture, under consideration of which fault exclusions, is available?

Firstly: see above, although not all failures can be detected due to the series connection, i.e. a failure accumulation cannot be excluded. Consequently we are dealing with an architecture without self-monitoring potential (2-channel, but with limited failure detection).

THUS: the architecture of the subsystem only corresponds to CC 3.

Consideration 2: which MTTFd hardware reliability is available? Every TESF switch forms a safety function. To calculate the MTTFd value we now assume that every guard door is opened 2 × per hour, i.e. an MTTFd value of 2,381 y remains. If we were to assume that the demand of 2 × per hour refers optionally to all guard doors found in the enclosure, the MTTFd values would increase significantly again (however, due to the limitation to 100 y per channel, without this having any effect on the PL). In other respects: see above! Thus a high MTTFd hardware reliability is available!

Consideration 3: which diagnostic coverage DC is available? Since failure accumulation cannot be excluded, we cautiously assume a low DC, even if one might debate whether, possibly also in conjunction with further measures, medium might not also be appropriate in this case. We are currently still discussing this with the BGIA. In other respects: see above! Thus a low diagnostic coverage DC is available!

Consideration 4: which CCF measures have been taken? See above! Thus sufficient CCF measures have been taken (= CCF: o.k.).

Summary according to the bar chart: Architecture (CC): 3; MTTFd: high; DC: low; CCF: o.k.

THUS: Performance Level d

Example (3): Exercise: we combine the input level and the level for signal processing, i.e. we consider the SRP/CS part up to the enabling contact level of the SRB module, so that we create a device combination.

Consideration 1: which architecture, under consideration of which fault exclusions, is available? In addition to the TESF switch with SRB diagnosis at the input level, there is consideration of the signal processing level in the SRB module itself.

In the case of an SRB module this concerns a device with more complex safety-related functionality which is already evaluated with an inbuilt Sub-PL (or Sub-SIL) (in our example Sub-PL e or Sub-SIL 3). THUS an individual consideration of the architecture, MTTFd (*), DC and CCF measures can be dispensed with for the SRB module (because they are already reflected in the Sub-PL or Sub-SIL). Here it is assumed that the switching frequency and switching load of the relay do not affect a high MTTFd.

Summary: under consideration of the combination table (see loc. cit.), a Sub-PL of e results for the complete device combination (*) in the case of 1:1 wiring (2 × e remains e), and in the event of series connection a Sub-PL of d (determined by the weakest link in the chain).

(*) There must be a rough approximation to check whether, with reference to the use of technology affected by wear in the form of relays, the number of switching cycles and the switching load will influence the MTTFd classification. Here the switching load at the enabling contact level of the SRB modules must also be incorporated in the consideration. Nevertheless it would only become critical where there are high operating cycle figures and a high switching load (see B10d values for relays).
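The following worked example, added here and not part of the Schmersal/Elan document, carries the reasoning of Examples (1) to (3) through in code: the B10d value is converted into an MTTFd per channel with the formulae of Annex C of EN ISO 13849-1:2006, classified by Tables 5 and 6, and turned into a Sub-PL with the simplified lookup of Table 7; the same B10d formula is then applied to the SRB relay outputs using the load-dependent B10d table quoted for safety relay modules above. The operating profile (one opening every 1,800 s, 12 h/day, 350 days/year) is an assumption chosen so that B10d 2,000,000 reproduces the page's 2,381 y; the B10d values are those quoted on the page, and the Table 7 entries are taken from the standard.

```python
"""Sub-PL of a simple single device at the input level by the simplified
procedure of EN ISO 13849-1:2006 (B10d -> MTTFd, Tables 5/6/7), plus the
B10d de-rating check for the relay outputs of an SRB module.
Added worked example; not Schmersal/Elan code. Operating-profile figures are
assumptions (marked below); B10d values are those quoted on the page."""

MTTFD_CAP_Y = 100.0   # EN ISO 13849-1:2006: MTTFd per channel is capped at 100 y


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean operations per year (Annex C, C.4.2):
    d_op days/year, h_op hours/day, t_cycle_s seconds between two cycles."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd per channel in years, uncapped: MTTFd = B10d / (0.1 * n_op)."""
    return b10d / (0.1 * nop)


def mttfd_class(mttfd_y: float) -> str:
    """Table 5, after capping at 100 y: low 3..<10, medium 10..<30, high 30..100."""
    m = min(mttfd_y, MTTFD_CAP_Y)
    if m < 3:
        raise ValueError("MTTFd below 3 y is not acceptable for an SRP/CS channel")
    return "low" if m < 10 else "medium" if m < 30 else "high"


def dc_class(dc_percent: float) -> str:
    """Table 6: none <60 %, low 60..<90 %, medium 90..<99 %, high >=99 %."""
    if dc_percent < 60:
        return "none"
    return "low" if dc_percent < 90 else "medium" if dc_percent < 99 else "high"


# Table 7 (simplified procedure): (category, DC class) -> PL by MTTFd class.
# None = combination not covered by the standard.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def sub_pl(category: str, mttfd_y: float, dc_percent: float, ccf_points: int) -> str:
    """PL of one subsystem from category, MTTFd per channel, DC and CCF score.
    The CCF score (>= 65 points) is only required from category 2 upwards."""
    if category in ("2", "3", "4") and ccf_points < 65:
        raise ValueError("CCF score %d < 65: category %s not achieved" % (ccf_points, category))
    key = (category, dc_class(dc_percent))
    if key not in TABLE_7:
        raise ValueError("category %s with DC %s is not a Table 7 architecture" % key)
    m_class = mttfd_class(mttfd_y)
    pl = TABLE_7[key][m_class]
    if pl is None:
        raise ValueError("category %s, DC %s, MTTFd %s: not covered by Table 7"
                         % (key[0], key[1], m_class))
    return pl


# SRB relay outputs: B10d by switching load, as listed on this page.
RELAY_B10D_BY_LOAD = {20: 20_000_000, 40: 7_500_000, 60: 2_500_000,
                      80: 1_000_000, 100: 400_000}


def relay_output_mttfd(load_percent: float, nop: float) -> float:
    """MTTFd of an SRB enabling contact: take the B10d of the next higher
    tabulated load class (conservative), then apply the B10d formula."""
    if not 0 < load_percent <= 100:
        raise ValueError("relay load must lie within (0, 100] % of nominal")
    load_class = min(l for l in RELAY_B10D_BY_LOAD if l >= load_percent)
    return mttfd_from_b10d(RELAY_B10D_BY_LOAD[load_class], nop)


if __name__ == "__main__":
    # Example (1): TESF switch, B10d 2,000,000. Assumed profile: one opening
    # every 1,800 s, 12 h/day, 350 days/year -> n_op = 8,400 -> 2,381 y.
    nop_door = n_op(350, 12, 1800)
    m = mttfd_from_b10d(2_000_000, nop_door)
    print("TESF MTTFd per channel: %.0f y (%s)" % (m, mttfd_class(m)))
    print("1:1 wiring, CC 4, DC 99 %: PL", sub_pl("4", m, 99, 65))      # e
    print("series wiring, CC 3, DC 60 %: PL", sub_pl("3", m, 60, 65))   # d
    # Example (3): SRB enabling contacts at 40 % load, 2.5 million cycles/year.
    mr = relay_output_mttfd(40, 2_500_000)
    print("SRB relay MTTFd: %.1f y (%s)" % (mr, mttfd_class(mr)))
```

The raw B10d-derived value is kept uncapped so that the page's 2,381 y is visible; the cap to 100 y is applied only when classifying, which is why the series-connected case of Example (2) still lands in "high" and the PL difference between Examples (1) and (2) comes solely from the category and DC columns of Table 7. Loads between the tabulated relay classes are rounded up to the next class, i.e. the smaller B10d, which errs on the safe side.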

How can I calculate a Sub-PL with devices from the Schmersal/Elan programme?

Sub-PL for the input level

Cable level: fault exclusion in accordance with EN ISO 13849-2:2003 or cross-wire monitoring (see also glossary section, keyword Fault Exclusion Cable Level)
Determination of the architecture, i.e. which control category is achieved at the input level (see figure above)
Determination of the MTTFd value per channel (usually via a B10d value consideration, see loc. cit.)
Determination of the DC for SRB modules and safety PLCs: 99 % with 1:1 wiring; 60 % with series connection (released from the definition of the safety function)

CCF management: > 65 points (see glossary section, keyword CCF)

= Sub-PL according to diagram result (see figure) or Annex K of EN ISO 13849-1:2006

Sub-PL for the logic level (signal processing level)

Sub-PL or Sub-SIL: see respective device! As already described, this concerns devices with more complex safety-related functionality which already have an inbuilt Sub-PL or Sub-SIL.

Sub-PL for the output level

Logical procedure as with the input level (however possibly different DC values, see EN ISO 13849-1:2006 Annex E) = matter for the customer!

Combination of Sub-PLs to an overall PL

The combination of Sub-PLs (generally Sub-PLs for the input, logic and output levels) to an overall PL for an SRP/CS is, compared to the block method, a very easy process. For this EN ISO 13849-1:2006 provides the so-called combination table (= Table 11 of the standard). This firstly reflects the theory of the weakest link in the chain, but beyond this takes into consideration the addition of residual failure probabilities, i.e. that from a specific chain length the MTTFd reliability values could fall below a critical limit value and affect the overall PL. The lowest Sub-PL (PLlow) and the number of subsystems with this Sub-PL (Nlow) are read off on the left side of the table, the resultant overall PL on the right side. It is characteristic of the combination table that there is downgrading from a certain number of Sub-PLslow. The background to this is the addition of residual failure probabilities (the longer the chain, the greater the probability!). CAUTION: downgrading by one PL is not obligatory if the residual failure probabilities in an individual case are better than the worst-case assumptions of the standard setter in the configuration of Table 11.

In other words: in individual cases the following should be determined: a) the lowest Sub-PL (PLlow) in the SRP/CS, b) the number of lowest Sub-PLs present (Nlow) and c) the resultant overall PL. For overall PLs a, b and c a maximum of two Sub-PLlow, and for overall PLs d and e a maximum of three Sub-PLlow of the respective criticality level, are tolerated without downgrading taking place. Conversely: if there are more Sub-PLlow in the SRP/CS concerned, the overall PL is one step lower (e.g. 3 x Sub-PL c produces an overall PL b).

42

Please note: higher Sub-PLs in an SRP/CS are not counted when the combination table is used (= theory of the weakest link). The same applies to subsystems and parts of an SRP/CS for which fault exclusion has been used.

Example 1 (2 x Sub-PL c = overall PL c)

This case concerns the standard example for the use of the combination table. The assumption is an SRP/CS consisting of 2 subsystems with PL c and one subsystem with Sub-PL d. The lowest Sub-PL here is c, which is present twice, i.e. the overall SRP/CS remains at PL c. The part of the SRP/CS with Sub-PL d is not taken into account (because it is higher).

43

Example 2 (This example demonstrates the procedure in the event of downgrading if one cannot or does not want to accept it because a higher PLr is needed.)

Suppose an SRP/CS consists of three subsystems with 3 x Sub-PL c. According to the combination table, this produces a downgrading to an overall PL of b. Now the individual hardware reliability values MTTFd or, optionally, the PFHd values should be taken into consideration. In order to be able to remain in PL c, it must be proven in this case that an overall MTTFd value of high (> 30 y) is achieved (= simplified consideration) or that the overall PFHd value lies within the interval required for PL c (10^-6 ... 3 x 10^-6 per hour). In the upper part of the figure it is shown that the values may not be adequate to achieve PL c; in the lower part they are sufficient (in variation 2) to establish a PL c.
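The combination table procedure (PLlow, Nlow, downgrading) and the PFHd check of Example 2, worked through in Python as an added example that is not part of the original document. It assumes the downgrading thresholds as stated in the text above and the PFHd bands per PL from the standard (which the document refers to but does not reproduce at this point); the Sub-PL lists and PFHd values in the comments are constructed sample inputs.

```python
"""Combination of Sub-PLs to an overall PL (Table 11 of EN ISO 13849-1:2006)
plus the PFHd check used in Example 2.

Added example, not from the Schmersal/Elan document. Assumptions:
- downgrading thresholds as stated in the text above (at most two lowest
  Sub-PLs tolerated for a, b, c; at most three for d, e);
- PFHd bands per PL as in the standard, [lower, upper) in 1/h.
"""

PL_ORDER = "abcde"  # ascending safety-related quality

# Maximum number of lowest Sub-PLs tolerated without downgrading (text above).
MAX_N_LOW = {"a": 2, "b": 2, "c": 2, "d": 3, "e": 3}

# PFHd bands per PL in 1/h: PL e is 1e-8 <= PFHd < 1e-7, PL c is 1e-6 <= PFHd < 3e-6, ...
PFHD_BAND = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def combine_sub_pls(sub_pls):
    """Return (pl_low, n_low, overall_pl) for a list of Sub-PLs.

    Subsystems covered by fault exclusion are simply not passed in by the
    caller (they are not counted). Higher Sub-PLs are ignored (weakest link).
    A downgrade below PL a yields None (no PL achievable).
    """
    if not sub_pls:
        raise ValueError("an SRP/CS needs at least one subsystem")
    for pl in sub_pls:
        if pl not in PL_ORDER:
            raise ValueError(f"unknown PL {pl!r}")
    pl_low = min(sub_pls, key=PL_ORDER.index)  # weakest link
    n_low = sub_pls.count(pl_low)              # how often it occurs
    if n_low <= MAX_N_LOW[pl_low]:
        return pl_low, n_low, pl_low
    idx = PL_ORDER.index(pl_low) - 1           # downgrade by one level
    return pl_low, n_low, (PL_ORDER[idx] if idx >= 0 else None)


def pl_from_pfhd(pfhd_total):
    """Map a summed PFHd (1/h) to the PL whose band contains it, or None."""
    for pl in reversed(PL_ORDER):  # test the strictest band first
        lo, hi = PFHD_BAND[pl]
        if lo <= pfhd_total < hi:
            return pl
    return None


def overall_pl(sub_pls, pfhd_values=None):
    """Overall PL of an SRP/CS.

    The combination table is applied first. If it downgrades and PFHd values
    per subsystem are known, their sum (PFHd values are simply added) may
    justify keeping PLlow, as in Example 2 (variation 2). The probabilistic
    result can never exceed the weakest link.
    """
    pl_low, n_low, pl_table = combine_sub_pls(sub_pls)
    if pl_table == pl_low or pfhd_values is None:
        return pl_table
    pl_prob = pl_from_pfhd(sum(pfhd_values))
    if pl_prob is not None and PL_ORDER.index(pl_prob) >= PL_ORDER.index(pl_low):
        return pl_low
    return pl_table


if __name__ == "__main__":
    # Example 1: 2 x Sub-PL c + 1 x Sub-PL d -> overall PL c
    print(combine_sub_pls(["c", "c", "d"]))
    # Example 2: 3 x Sub-PL c -> downgraded to b by the table ...
    print(combine_sub_pls(["c", "c", "c"]))
    # ... but constructed PFHd values of 5e-7 each sum to 1.5e-6, inside the PL c band
    print(overall_pl(["c", "c", "c"], [5e-7, 5e-7, 5e-7]))
```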

44

Example 3
This example is to be understood as detached from the combination table of EN ISO 13849-1:2006, i.e. the weakest link in the chain and the PFHd values of the SRP/CS are considered from the start. This consideration corresponds, for example, to EN IEC 62061:2005.

45

46

Circuitry examples from the BGIA Report*


* For detailed presentation: see BGIA Report 2/08. The following examples have been selected from the point of view of proximity to our device range. All in all the BGIA Report contains 37 examples of wiring. CAUTION: the following annotation has been substantially shortened and simplified!

47

(1) BGIA circuitry example 8.2.34: guard door monitoring with subsequent signal processing using SRB module or safety PLC (the classic case!)
Remarks:

2-channelled input wiring
Failure detection (external diagnosis) at the SRB through plausibility test using positively guided relays = 99 % DC, or at the safety PLC by crosswise data comparison = 99 % DC (source: Annex E of EN ISO 13849-1:2006)
SRB module or safety PLC satisfies Sub-PL e
2-channelled output wiring with feedback loop, positively driven contacts

All other rules relating to application, connection and wiring are taken into consideration. Result: assuming a high MTTFd value, the combination corresponds to PL e (CC 4, MTTFd high, DC 99 %, lack of sensitivity to CCF)! The MTTFd value results from a B10d value consideration (see loc. cit.). Circuitry example:

48

Digression on the subject of cascading or series connections

We will have to deal with a new approach (*) in which an electrical series connection can consist of several safety functions and where the PL or SIL evaluation refers to the single safety function. I.e. (see following example) switching of 5 guard doors in series may consist of 5 safety functions to be considered individually and, resulting from this, 5 individual evaluations.
(*) This was actually also listed in EN 954-1 but not clearly formulated.

It is assumed that the safety function at a specific point in time is always only requested from one protective device by one operator, i.e. only one of several emergency-stop devices is actuated or, as in the example, only one of the 5 protective devices is opened. This approach considerably simplifies use of the new standards since the chain of the SRP/CS to be analysed is shorter. However, this consideration is only permissible where there is real independence of the individual safety functions, i.e. for example not in the case of a double door. The risk of a failure being masked in SRP/CS series connections of electromechanical devices (see glossary section, keyword Series Connections and loc. cit.) must be considered within the framework of the respective safety function. Until further notice we presume that only a low DC value (= 60 %) can be assumed in this case. Our previous argument that up to 31 devices in the CSS family can be connected in series without classification loss (keyword: addition of residual failure probabilities) loses some of its force, since from this perspective the number is now substantially higher. However, the argument about comprehensive failure detection in series connection definitely remains. There are also different possible ways of dealing with the subject of cascading or series connection (see examples 8.2.29 and 8.2.28).

49

(2) BGIA circuitry example 8.2.29: cascading or series connections


The BGIA arrives at PL e in the case of the cascading of emergency-stop control devices because fault exclusion is performed for devices in their entirety.

Remarks:
Fault exclusion for S1, S2 and S3 including cable level
2-channelled input wiring
SRB module (or similar) with PL e
Result: assuming a high MTTFd value for the SRB module, the circuit corresponds to PL e despite series connection.

The BGIA does not recommend the above mentioned switching consideration for machine-operated devices.

50

(3) BGIA circuitry example 8.2.28: cascading or series connections


Despite series connection of electromechanical devices, the following switching corresponds to PL e, in which an operational PLC is incorporated into the SRP/CS for the purpose of additional failure detection.

The operational PLC used for failure detection is also termed test equipment in EN ISO 13849-1:2006 terminology. Conspicuous in the BGIA circuitry example is the fact that this possibility, in combination with the safety module, is credited with a DC of 99 %.

51

(4) BGIA circuitry example 8.2.18: guard door latching with subsequent signal processing using SRB module or safety PLC (channel 1) and standard PLC (channel 2)
The fact that it may be possible to manage without SRB or safety PLC is demonstrated by this example (basic circuit typical in large printing presses or similar)!

Remark:

2-channelled input wiring, cable routing protected/separate
An MTTFd of high is calculated via a B10d value consideration for both position switches B1 and B2.
Signal processing: channel 1 directly via a contactor (Q2); channel 2 via an operational PLC (K1) with subsequent contactor Q1. The architecture corresponds to CC 3.
Diagnostic coverage: the position of B1 is additionally read into the PLC and compared for plausibility with B2 (DC = 99 %). The position of the contactors (with positively driven contacts) is similarly read into the PLC via the feedback loop (DC = 99 %). The PLC itself is tested by the process (DC = 60 %). Consequently there is a DCavg of 62 %.
All other rules relating to application, connection and wiring are taken into consideration.

Result: the switching corresponds to PL d (see block diagram: CC 3, MTTFd high, DC low, CCF o.k.).

52

(5) BGIA circuitry example 8.2.19: guard door latching

Remarks:
By way of explanation: the circuit is realised without a pilot control level (SRB module, safety PLC or similar), with direct actuator control, and, without further elaboration here, corresponds to PL d. The example was included here not for its circuitry elegance, but rather because it supports our argument on the circumstances under which latching (guard locking) can be assigned to CC 3. In conjunction with a corresponding SRB module a device combination in CC 4 with PL e would even be achievable.
Caution: 1-channelled standstill monitoring.
BGIA comment: the position of the lock bolt is monitored via an integrated position switch B1, while position switch B2 monitors the position of the guard door in addition to increasing manipulation safety. Latching (guard locking) has a fail-safe locking mechanism.
I.e. channel 1, guard door position monitoring: fail-safe locking mechanism + safety contact(s) for position monitoring of the guard door; channel 2, lock bolt position monitoring: electrical, 2-channelled.
If manipulation protection is achieved in a different way, this circuitry example supports our opinion of the circumstances under which latching (guard locking) with a fail-safe locking mechanism may be used in a stand-alone manner (without an additional 2nd switch) (= up to CC 3, see glossary section, keywords Latching and Control Category).

53

54

Overview of the features and use of EN ISO 13849-1:2006

55

Objective of SRP/CS standardisation

The purpose of SRP/CS standardisation is to use additional measures to maintain the personal protective function of an SRP/CS also in the case of a failure (or rather: to reduce hazardous states resulting from a failure event to an acceptable residual risk). Behind a failure event are faults and failures in the hardware and software of the SRP/CS used, in so far as these are of relevance to safety. Caution! Semantic subtlety: failures (e.g. in components = the function was previously correct) lead to faults (= permanent state of the device), however faults can also be present in an SRP/CS from the outset (design failure = systematic failure). Hazardous states resulting from (temporary) disturbances can be equated with failures.

There are two types of additional measures: those which serve to reduce the risk of systematic faults or failures, and those which are directed at random faults or failures. Systematic faults and failures are already present at the time of delivery. They have a deterministic reference to a specific cause, and can only be eliminated by changing the design or manufacturing process, operating procedure, documentation or corresponding factors. This means they concern fundamental design problems, specification gaps, faults in reasoning, software faults etc. Here redundancy and similar measures are powerless.

56

Measures against systematic faults and failures can be found in Annex G of EN ISO 13849-1:2006 and in EN ISO 13849-2:2003. By contrast only a statistical probability can be assigned to random failures and faults (caused, for example by product aging or the random breakdown of components). In other words: the lower the failure probability, the higher the functional safety. The probability of random failures and faults is exclusively a statistical consideration, and while it permits conclusions to be drawn on the overall safety of a product in the field, it allows no such conclusions on the safety of an individual product. See also figure: Bathtub Curve!

57

Random faults do not exist at the point of delivery. They result from failures in hardware and occur randomly during operation. Examples of random failures and faults are short circuits, interruptions, component drifts, material fatigue or similar. Although failures and faults of this kind occur randomly (as discussed), a statistical probability can be assigned to them.

Measures against random failures and faults are redundancy, fault detection etc., i.e. everything which one associates in simple terms (and incompletely) with the Control Category CC, Performance Level PL and Safety Integrity Level SIL. Incompletely, because measures against systematic failures and faults are a compulsory basic prerequisite for CC, PL or SIL. The so-called Common Cause Failures constitute a particular type of consideration, i.e. the failure of various units (channels) which do the same thing from a common cause. Only hardware is subject to random failures and faults, while in the case of software exclusively systematic failures and faults are assumed. This theory is disputed, particularly at higher criticality levels, e.g. in aircraft construction. The proportion of machine accidents attributed to random hardware failures is estimated to be low today; figures of at most 10 to 15 % of all accidents are cited. Other estimates produce a lower ratio still. By contrast, the bulk of accidents can be attributed to systematic shortcomings and, not to be forgotten, to the manipulation of protective devices.

58

Performance Level (1)

Standard definition (EN ISO 13849-1:2006): discrete level which specifies the capacity of safety-related parts of a control system to achieve a safety function. In simple terms: safety-oriented overall quality of an SRP/CS under consideration of the SRP/CS architecture (= deterministic perspective) and of the SRP/CS reliability (probabilistic perspective). Here essentially the aspects of safety-related reliability, resistance to failures and faults, fault tolerance, behaviour in the event of a fault, fault detection, the avoidance of fault accumulation and the avoidance of systematic faults are considered. The requisite PL (PLr a to e) results from the risk graph consideration of the respective safety function or from the respective C standard. From a probability mathematics perspective, the average probability of a dangerous failure per hour PFHd results in a Performance Level PL as follows:

The remark in the table clarifies the fact (see above) that this does not exclusively concern requirements of probability mathematics. In order to give you an idea, PFHd values can also be interpreted as follows:

59

Logically, if the average probability of a dangerous failure per hour PFHd is behind a PL, PFHd values can also be specified for subsystems with a specific Sub-PL. Typical examples of this are all devices with more complex safety-related functionality, for which this failure limit is usually specified in addition to the PL or SIL classification. Here at the latest it can be clearly seen that the common bracket shared by PL (or EN ISO 13849-1:2006) and SIL (or EN IEC 62061:2005 and EN IEC 61508-1/-7:2001) is simply the PFHd value. In the case of Sub-PFHd details it is recommended that the respective values should only consume a specific share of the overall value which is designated as the maximum for the respective PL or SIL classification. This is 20 % each for the input level and the logic level of the SRP/CS, so that over 60 % remains for the output level, which experience shows to be the weakest link in the chain. If you like, the following parameters, which are defined and explained in greater detail in Section (2) and which serve to determine a PL or Sub-PL, are nothing but simplifying aids for circumventing the complex mathematics which actually lie behind a PFHd value.

60

Performance Level (2)


A PL is composed of:

Architecture (= control category) Brief explanation: the architecture of an SRP/CS (1-channelled, 1-channelled with testing, 2-channelled with mutual testing, 2-channelled with self-monitoring) for the chain (Inputs) + (Logic = signal processing) + (Outputs), whereby EN ISO 13849-1:2006 favours specific architectures, namely those of the familiar control categories, however with the possibility of performing fault exclusions in compliance with EN ISO 13849-2:2003. Other architectures are also permitted in EN ISO 13849-1:2006, however the simplified calculation approach cannot be used for these as it is, so that resort must be made to more precise mathematics with the associated time expenditure.

In addition to consideration of the architectures of an SRP/CS as above, adherence to the so-called (a) fundamental and (b) well tried and tested safety principles forms part of the requirements of a control category. The fundamental safety principles correspond to the state of the art and are basically to be taken into consideration (as from Control Category B); consideration of the well tried and tested safety principles additionally applies as from Control Category 1. Please do not confuse this with the requirement to use well tried and tested components (applies only to CC 1). A description of what the one and the other are can be found in Annexes A to D of EN ISO 13849-2:2003 (Validation of an SRP/CS). See also glossary section, keyword Control Categories.

61

Hardware reliability (= MTTFd/Mean Time to dangerous Failure) Brief explanation: the mean time, expressed in years (y), until a dangerous (random) failure of an SRP/CS channel; the individual MTTFd values per channel of hardware used must be determined, added (using the parts count method) and compared with the standard specifications for low, medium and high. MTTFd values are based on manufacturer information or information from pertinent works of reference, e.g. SN 29500.

CAUTION: MTTFd details merely provide a statistical statement on the survival probability of a large population of a product (the statement is: only 37 % still survive at this point in time). The reciprocal value 1/MTTFd is the dangerous failure rate per hour, which is also called λ or expressed as a FIT value (1 FIT = 1 failure per 10^9 hours). The probability mathematics theory behind this is the exponential distribution (see loc. cit.).

Legend: Curves show, from top to bottom, failures in % as a function of the MTTFd of components. From top to bottom: 3 y, 10 y, 30 y and 100 y. Also indicated (horizontally) is the line of 63 %, where the number of years of use and the MTTFd are equal. Further lines show 50 %, 10 % and 1 %.

62

Legend: Curves show, from top to bottom, failures in % as a function of the MTTFd of components. Shown is a spread extract of the first 5 years of use. From top to bottom: 3 y, 10 y, 30 y and 100 y. Also indicated (horizontally) are the lines of 10 % and 1 %.

Diagnostic coverage (= DC/Diagnostic Coverage in %) Brief explanation: probability-based measure of the effectiveness of diagnosis (i.e. fault detection), which expresses the relationship between detected dangerous faults and the overall number of dangerous faults. This relationship is, however, additionally weighted with the MTTFd value of the respective component. This means that the quality of monitoring for components with a large MTTFd need not be as high as for those with a lower MTTFd. 90 % means, for example, a 90 % probability of detecting dangerous faults (in good time) and 10 % of not discovering them (in good time) (in good time = discovery before the so-called second fault occurs). Evaluation suggestions for different measures at the input, logic and output levels can be found in Annex E of EN ISO 13849-1:2006; an average DCavg for an overall SRP/CS can be calculated using a specific formula (avg stands for average).

63

Common Cause Failure management (or CCF) Brief explanation: measures against failures of both channels in an SRP/CS at the same time following a common cause e.g. bridging of both channels by a foreign influence, overheating, surge, by lightning (surge pulse) with redundant semiconductor outputs, contaminated oil in the case of hydraulics or too much water in the air in the case of pneumatics. I.e. a single cause removes the multiple channel capability (typically the redundancy). The Annex to EN ISO 13849-1:2006 contains a table with measures against Common Cause Failures. Each measure has a score. Measures should be realised that have a score of > 65 from 100 possible points.

Furthermore there are measures against systematic failures and faults in the SRP/CS. See glossary section, keyword Failures (systematic failures).

64

Result: use may either be made of a results graph (Fig. 1) from which the PL achieved can be read off or, if a more precise result is required, Annex K of EN ISO 13849-1:2006 (Fig. 2) produces a precise numerical assignment between the PFHd and PL parameters.

Fig. 1: Bar chart

Figure 2: Annex K from EN ISO 13849-1:2006 Attention: Capping/limitation to 100 y MTTFd per channel (to avoid safety by calculation)! MTTFd-values within a channel may be higher (but sum of a channel must be capped/rounded down to 100 y).
65

Performance Level (3)

In accordance with the standard, evaluation preferably takes place using manufacturer information. A PL can be determined in two ways: A safety function (the chain input + logic + output) is split into blocks (logically and functionally individual component parts). The blocks are assessed in relation to the aspects which define the PL and are evaluated together (in part analytically, in part mathematically). This solution method is termed the block method in EN ISO 13849-1:2006 and is described in detail in Annex B of the standard. Alternatively, an overall SRP/CS is divided into subsystems derived from function blocks. A Sub-PL is determined for every subsystem and the Sub-PLs are combined into an overall PL.

Sub-PLs have the advantage that a machine manufacturer is able to use a simplified procedure to determine the overall PL. The overall PL is here determined by the lowest Sub-PL. Moreover, the MTTFd value must correspond to the classification high, or use is made of the combination table (see page 42 and glossary section, keyword Calculations (PL calculations)). In their results and in their intended effect the contents of a PL and a Safety Integrity Level SIL are the same. In this respect there is also a compatibility table (e.g. PL e = SIL 3 etc.), although there are different types of calculation in individual cases.

CAUTION: the above PFHd classifications apply to an overall PL (or overall SIL). Only proportions may be consumed by subsystems (recommendation: a max. of 20 % each for the input and logic levels, so that > 60 % remains for the output level).

66

Glossary section further information on some keywords and terms

67

A
Addition of failure probabilities: If MTTFd values are available, then the addition per channel takes place using the parts count method, i.e. the reciprocal values 1/MTTFd are added. The sum is then converted back to an overall MTTFd value and compared to the standard specifications for low, medium and high. There is a limit of 100 y MTTFd per channel (by contrast, higher values can be assumed within a channel).
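The parts count method with the 100 y cap per channel, the two-channel symmetrising formula and the DCavg formula referred to in the Performance Level (2) section, worked through in Python as an added example that is not part of the original document. The symmetrising and DCavg formulas are those of EN ISO 13849-1:2006 (Annexes D and E), which the document mentions but does not print; the block values used in the comments are constructed sample inputs.

```python
"""Parts count per channel, 100 y cap, symmetrising formula and DCavg.

Added example, not from the Schmersal/Elan document. Formulas assumed from
EN ISO 13849-1:2006:
  parts count:   1/MTTFd(channel) = sum over blocks of 1/MTTFd(i)
  symmetrising:  MTTFd = 2/3 * (C1 + C2 - 1/(1/C1 + 1/C2))
  DCavg:         sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)
"""

MTTFD_CAP_YEARS = 100.0  # cap per channel (blocks within a channel may be higher)


def channel_mttfd(block_mttfds, cap=MTTFD_CAP_YEARS):
    """Parts count of one channel; the channel sum is capped at 100 y."""
    if not block_mttfds or any(m <= 0 for m in block_mttfds):
        raise ValueError("MTTFd values must be positive")
    mttfd = 1.0 / sum(1.0 / m for m in block_mttfds)
    return min(mttfd, cap)


def symmetrised_mttfd(c1, c2, cap=MTTFD_CAP_YEARS):
    """Combine two channels with different MTTFd values into one figure."""
    if c1 <= 0 or c2 <= 0:
        raise ValueError("MTTFd values must be positive")
    value = 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))
    return min(value, cap)


def mttfd_class(mttfd_years):
    """low: 3 y <= MTTFd < 10 y; medium: 10 y <= MTTFd < 30 y; high: 30 y <= MTTFd <= 100 y."""
    if mttfd_years < 3:
        return None  # below the range the standard accepts
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_avg(blocks):
    """Average diagnostic coverage; blocks = [(mttfd_years, dc_fraction), ...].

    Blocks with a small MTTFd (more likely to fail) weigh more heavily, which
    is why a poorly tested block with a short MTTFd pulls DCavg down.
    """
    if not blocks:
        raise ValueError("need at least one block")
    num = sum(dc / m for m, dc in blocks)
    den = sum(1.0 / m for m, dc in blocks)
    return num / den


def dc_class(dc):
    """none: DC < 60 %; low: 60 %..< 90 %; medium: 90 %..< 99 %; high: >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


if __name__ == "__main__":
    # Constructed channel: position switch 150 y, relay 150 y, contactor 150 y
    ch = channel_mttfd([150.0, 150.0, 150.0])
    print(ch, mttfd_class(ch))                      # 50.0 high
    # Constructed channel whose sum exceeds the cap
    print(channel_mttfd([400.0, 400.0]))            # 100.0 (capped)
    print(symmetrised_mttfd(100.0, 30.0))           # about 71.3
    # Constructed blocks: 99 % DC on a 100 y block, 60 % DC on a 100 y block
    print(dc_avg([(100.0, 0.99), (100.0, 0.60)]))   # 0.795 -> low
```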

A so-called symmetrising formula exists for channels with different MTTFd values:

PFHd values may simply be added together, i.e. 1 x 10^-9 + 1 x 10^-9 = 2 x 10^-9; however, the lowest sub-classification determines the overall PL or SIL. Better PFHd values in no way compensate for limitations to the Safety Integrity Level (q.v.) which occur as a result of so-called architectural constraints.

Additional monitoring switch: See interlocks and control category

68

Annex G (in accordance with EN ISO 13849-1:2006): Measures against systematic failures are among the most important measures for SRP/CS safety. Other measures are hardly able to compensate for shortcomings in this area. In this respect, measures to prevent and control systematic failures are additionally considered once again in Annex G of EN ISO 13849-1:2006 (informative). Additionally considered means that the EN 954-1:1996 (ISO 13849-1:1999) and in particular the EN ISO 13849-2:2003 standards (originally conceived as EN 954-2) already contain deliberate requirements which are continued and improved on in Annex G. The same considerations on this subject are similarly present in EN IEC 62061:2005. Annex G is divided into 4 groups: Group G.1 is simply a cross-reference to the detailed considerations in EN ISO 13849-2:2003 (see above). Group G.2 concerns measures to control systematic failures, G.3 measures to prevent systematic failures and G.4 measures to prevent systematic failures during the integration of an SRP/CS.

Annex K (in accordance with EN ISO 13849-1:2006): Annex K serves two different purposes: Firstly, it is possible to infer more precisely from the overlapping areas of the bar chart, for example, from which MTTFd value a PL e is achieved even with an architecture in accordance with CC 3 and a medium diagnostic coverage (from 62 y) etc. For clarification: see the following table extract. From Annex K it is also possible to infer the average probability of a dangerous failure per hour (i.e. which PFHd value, as typical for EN IEC 61508:2001 and EN IEC 62061:2005) that corresponds to a specific configuration. For example, PL d with an architecture in accordance with CC 3, a channel MTTFd value of 56 y and a medium diagnostic coverage corresponds to a PFHd value of 1.03 x 10^-7/h.

69

The PFHd value practically represents the scope of EN IEC 61508:2001 or EN IEC 62061:2005, because these standards express the residual failure probability of an SRP/CS in this unit. We could also say that the influence of EN IEC 61508:2001 during the preparation of EN ISO 13849-1:2006 is most clearly reflected in Annex K. The PFHd value is, however, not an exclusively probabilistic approach.

(*) Since CCF measures are obligatory from CC 2, they are not listed by name in Annex K but are regarded as a given.

The table in Annex K is based on copious calculations using Markov models which were performed by the Institute for Occupational Health and Safety (BGIA) of the German Statutory Accident Insurance in St. Augustin in the course of planning the standard. Unfortunately the figures in Annex K end with an MTTFd value of 100 y per channel, even if the conversion of higher values would sometimes be desirable for considerations within a channel. However, it is possible to extrapolate such values in simplified form using a logarithmic calculation. According to the BGIA Report 2/08, a block MTTFd value can also be calculated in a greatly simplified manner (which is only permissible in this direction) from a PFHd value by forming the reciprocal value, i.e. block MTTFd (in years) = (1/PFHd) / 8,760 (in the case of higher PLs or SILs usually several 100 y).
70

Architectures: Standard definition (EN 62061:2005): specific configuration of hardware and software elements in an SRP/CS. SRP/CS architectures are composed of the input level (consisting of safety-oriented sensors and control devices), the logic level (for signal processing) and the output level (with the control signals for the hazardous movement triggered by outputs such as contactors). The number of channels (in other words the control category) and the internal or external test equipment also form part of the architecture. Consideration of the entire chain, i.e. the series connection input + logic + output, is necessary to determine an (overall) PL or SIL.

A level here can once again be the result of a series connection in so far as this results from the safety function. The architectures in EN ISO 13849-1:2006 take on a special significance under the term designated architectures. They refer to the control categories as familiar from EN 954-1:1996 and updated in EN ISO 13849-1:2006. In this connection designated architectures means that significant deviation from them (i.e. substantial deviation from the control categories) is not permitted (with the exception of fault exclusions) if one wishes to use EN ISO 13849-1:2006. Otherwise they would need to be evaluated in accordance with EN IEC 61508:2001, EN IEC 62061:2005 or other specific standards (e.g. EN IEC 61496 for AOPDs) (*). In this context architectures should not be considered as circuit diagrams, however, but as functional schematic diagrams. In this respect, as long as one keeps to the main features and main structure of the designated architectures, it makes no difference whether one has three or more or fewer blocks in a channel.
(*) AOPD = Active Optoelectronic Protective Devices

This restriction is explained by probability mathematical calculations which were in the background during the preparation of EN ISO 13849-1:2006 and which rest on the familiar control categories.

71

B
B10d values: Standard definition: number of cycles until 10 % of components have failed dangerously (B10d values apply primarily to mechanical, fluid and electromechanical components). CAUTION: further important feature > T10d value! The number of cycles means the number of switching cycles over the service life, i.e. the B10d value expresses a maximum number of switching cycles and forms the foundation for the requisite MTTFd calculations of devices in an SRP/CS that are affected by wear and tear. These include mechanical components and devices, e.g. springs, fluidic devices, e.g. valves, and electromechanical switchgear, e.g. contactors, relays, position switches, emergency-stop control devices etc. Components of this kind have a failure pattern which is determined by the number of performed switching cycles and partially also by the switching load, and for which consequently a (monotonically increasing) Weibull distribution is assumed because the failure probability varies over time. The formula to convert a B10d value into an MTTFd value is as follows:

In Annex C (Table C.1) of EN ISO 13849-1:2006 B10d values are specified for typical kinds of components affected by wear and tear, for which the above formula then applies for the calculation of MTTFd values per channel (deviating manufacturer details may be used as basis as an alternative to the standard values). There is an exception for mechanical and hydraulic components for which the calculation formula need not be applied. Because of the well-known and empirically reinforced high reliability of these components, the standard setter recommends the assumption of a blanket 150 y MTTFd per channel (provided that the basic, tried and tested safety principles described in the standard are observed).

The B10d values for (reed contact-based) proximity switches, contactors and relays form a second feature in Annex C. Two B10d values are specified for components of this kind, of which the first B10d value applies when the component is operated at minimum load (= 20 %) (B10d = 20,000,000), and the other B10d value applies when the component is operated at maximum load (B10d = 400,000). The creation of interim values is permissible, e.g. 7,500,000 (at 40 % load), 2,500,000 (at 60 % load) or 1,000,000 (at 80 % load). Care must furthermore be taken that positively opening contacts are demanded for emergency-stop devices and position switches in accordance with EN IEC 60947-5-x.

72

A prerequisite for application of the B10d standard values are the so-called processes of good engineering practices, i.e. the component manufacturer confirms use of the basic as well as well tried and tested safety principles in accordance with EN ISO 13849-2:2003 or the corresponding product standards for the design of the component and describes the suitable application and operating conditions for the user (keyword: operating instructions). In addition, the person responsible for the SRP/CS must comply with the basic as well as well tried and tested safety principles in accordance with EN ISO 13849-2:2003 for the implementation and operation of the component.

Extract of table C.1 of EN ISO 13849-1:2006: selected B10d values of components typically used in SRP/CS

There is one further feature to be taken into account in connection with components affected by wear and tear, namely the so-called T10d value as value for the preventive maintenance of components affected by wear and tear through timely replacement.

73

Neither the B10d value nor the T10d value consideration is completely without problems, since not every mechanical engineer knows in advance which operating conditions his machines will be subjected to by the customer. Where applicable, assessments should be made in accordance with worst case scenarios and/or incorporating such components into the SRP/CS such that the T10d value consideration always leads to a legitimate > 20 y (see mission time). Consideration of the demand rate of the safety function forms part of this consideration, e.g. so that an emergency-stop control device does not become a dual use product, i.e. one that functions simultaneously as operational STOP button (and rather that an additional device is designated for this) and the electrical load with which the specific components are operated lies in the medium range as maximum. The inbuilt (as set by the standard) B10d and T10d values are dimensioned very generously.
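The B10d value consideration of this glossary entry (load-dependent B10d, conversion to MTTFd per channel, T10d against a 20 y mission time), worked through in Python as an added example that is not part of the original document. The B10d per load step are the contactor/relay figures quoted above; the conversion rules nop = dop x hop x 3600 / tcycle, MTTFd = B10d / (0.1 x nop) and T10d = B10d / nop are assumed from EN ISO 13849-1:2006 Annex C, and the operating data are constructed sample values.

```python
"""B10d -> nop -> MTTFd and T10d for components affected by wear and tear.

Added example, not from the Schmersal/Elan document. Assumed conversion rules
(EN ISO 13849-1:2006 Annex C):
  nop   = dop * hop * 3600 / tcycle   (operations per year)
  MTTFd = B10d / (0.1 * nop)          (years)
  T10d  = B10d / nop                  (years; replace the component by then)
"""

# Load (fraction of maximum) -> B10d for contactors/relays, values quoted above.
CONTACTOR_B10D_BY_LOAD = [
    (0.20, 20_000_000),
    (0.40, 7_500_000),
    (0.60, 2_500_000),
    (0.80, 1_000_000),
    (1.00, 400_000),
]

MISSION_TIME_YEARS = 20  # mission time assumed by the standard


def b10d_for_load(load, table=CONTACTOR_B10D_BY_LOAD):
    """B10d for the next higher load step (rounding towards the worse value)."""
    if not 0.0 < load <= 1.0:
        raise ValueError("load must be in (0, 1]")
    for step, b10d in table:
        if load <= step + 1e-9:
            return b10d
    return table[-1][1]


def operations_per_year(dop_days, hop_hours, tcycle_seconds):
    """nop: dop = operating days/year, hop = operating hours/day, tcycle in seconds."""
    if min(dop_days, hop_hours, tcycle_seconds) <= 0:
        raise ValueError("dop, hop and tcycle must be positive")
    return dop_days * hop_hours * 3600.0 / tcycle_seconds


def mttfd_from_b10d(b10d, nop):
    """MTTFd in years of a single wear-affected component."""
    return b10d / (0.1 * nop)


def t10d_years(b10d, nop):
    """T10d in years: preventive replacement interval."""
    return b10d / nop


def assess_component(b10d, dop_days, hop_hours, tcycle_seconds,
                     mission_time=MISSION_TIME_YEARS):
    """MTTFd and T10d of one component plus the replace-before-mission-end flag.

    The flag is the worst-case check the text above asks for: if T10d falls
    below the mission time, the component must be replaced during the
    machine's life (or the demand rate / load must be reduced).
    """
    nop = operations_per_year(dop_days, hop_hours, tcycle_seconds)
    t10d = t10d_years(b10d, nop)
    return {
        "nop": nop,
        "mttfd_years": mttfd_from_b10d(b10d, nop),
        "t10d_years": t10d,
        "replace_before_mission_end": t10d < mission_time,
    }


if __name__ == "__main__":
    # Constructed worst case: 365 d/y, 24 h/d, one cycle per minute, full load
    nop = operations_per_year(365, 24, 60)          # 525600 cycles/year
    print(assess_component(b10d_for_load(1.0), 365, 24, 60))
    # Same demand rate at 20 % load: the B10d of 20,000,000 applies
    print(assess_component(b10d_for_load(0.2), 365, 24, 60))
```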

Bathtub curve: Diagram representation of the service life/failure rate of (typically) electronic components as well as devices and systems with constant failure rates in Phase II. Taking into account Phase I (early failures) and Phase III (end of service life), the diagram produces a curve which resembles a bathtub.

See also keywords Exponential Distribution and Failure Rates. Typical products: electronic safety sensors, optoelectronic protective devices (AOPDs), safety PLCs, bus systems etc. Failure rates with bathtub curve behaviour cannot be applied throughout an SRP/CS, because components, devices and systems are frequently used with technologies for which the constant failure rate of Phase II does not apply, e.g. in fluid technology, electrical engineering and mechanics. In these cases a B10d value (q.v.) analysis should precede the calculation of MTTFd values.


BGIA: The BGIA, the Institute for Occupational Health and Safety of the German Statutory Accident Insurance, is a research and test institute of the statutory accident insurance companies in Germany. It has its registered office in St. Augustin near Bonn. The BGIA supports the statutory accident insurance companies in Germany and their institutions, with an emphasis on scientific and technical questions in occupational health and safety, through: research, development and investigation; inspection of products and samples of materials; operational measurements and consultation; involvement in standardisation and formulation of rules; provision of professional information and expert knowledge. In addition, the BGIA is active on behalf of manufacturers and companies within the framework of product inspection and certification and certification of quality management.

BGIA disc: An aid issued by the BGIA that displays the relationships between PL and PFHd on the one hand and MTTFd, DC and CCF on the other. In essence this reproduces Annex 6 from EN ISO 13849-1:2006.


BGIA Report 2/08: This report with the title Funktionale Sicherheit von Maschinensteuerungen - Anwendung der DIN EN ISO 13849 (Functional Safety of Machine Controls - Application of DIN EN ISO 13849) serves to provide a deeper understanding of EN ISO 13849-1:2006.

The report is published by the BGIA Institute for Occupational Health and Safety of the German Statutory Accident Insurance (DGUV), St. Augustin; the report can be downloaded from www.dguv.de or may be requested as a hard copy from the BGIA (or from us).

The report comprises around 260 pages and is divided into the following chapters: Foreword; Introduction; Report and Standard in overview; Safety functions and their contribution to risk reduction; Design of safe controls; Verification and validation; Circuitry examples for SRP/CS; Bibliography; plus 10 annexes. The 37 circuitry examples are worthy of particular mention, even if these are not recipes.


C
Calculations (PL calculations): There are two fundamentally different approaches when calculating (estimating) a Performance Level PL in accordance with EN ISO 13849-1:2006: Approach 1 is the discrete consideration, i.e. the safety-related parts in the machine control are determined (identified) and structured in a block diagram according to the block method (see example on page 112 ff.).

The MTTFd, DC and CCF contribution is established for every individual block and, based on specific formulas and look-up tables, collated to the respective overall values. An assessment then follows based on the Relationship between the categories, DCavg, MTTFd of every channel and PL figure in the EN ISO 13849-1:2006 standard. The consideration of the control category here is performed taking into account the fault exclusions that can be made (see standard example for this). The CCF contribution in the table is viewed as a given.

Figure 5: Relationship between the categories, DCavg, MTTFd of every channel and PL

Approach 2 is the consideration of subsystems which have already been designated or estimated with a Performance Level PL (= Sub-PL) and application of the so-called combination table. The lowest Sub-PL (a < b < c < d < e) and the number of subsystems at that level are fundamentally decisive for the overall PL (see figure), i.e. the overall PL remains unaffected up to a specific number of PLlow, while from a specific number of PLlow onwards there is a downgrading by one level due to the adding together of residual risks/residual fault probabilities (see the standard example). However, downgrading is not necessary if (as part of a simple additional calculation) the summation of the individual MTTFd values in the SRP/CS produces an overall value of high (> 30 y) or a corresponding PFHd value.

A similar approach (which operates with SIL subsystems) is also provided for in EN IEC 62061:2005. See also Section 2 (Deviation and examples), page 42: Application of the combination table.

CCF (Common Cause Failure), CCF measures, CCF management: Standard definition (EN ISO 13849-1:2006): failures of different units resulting from a single event, where these failures are not consequences of one another (not to be confused with common mode failures, i.e. similar failures). A very specific fault analysis forms the basis of the CCF consideration; it is aimed at ensuring that adequate measures are taken to counter failures which impact on more than one SRP/CS channel at the same time and which can therefore render the protective function of a system ineffective despite its multiple-channel design.


CCF is also called the β factor in the terminology of the EN IEC 62061:2005 and EN IEC 61508:2001 standards.

A typical example of a CCF is the effect of electromagnetic radiation, e.g. a surge pulse which impacts on redundantly implemented semiconductor outputs with the simultaneous damaging result that the transistors of both channels can no longer switch off. A lack of filter measures in fluid technology or faults resulting from climatic impact such as humidity are further examples. In Table F.1, EN ISO 13849-1:2006 lists customary CCF measures (see the figure below) and evaluates every measure with points. If the sum of points for the measures taken reaches 65 points or more (out of a max. of 100), EN ISO 13849-1:2006 considers that sufficient measures have been taken against CCF risks, i.e. a tick can be placed against the point for CCF management. Adequate CCF measures must always be guaranteed from Control Category 2 upwards.


It can be seen from the table that there is only a qualified possibility of completely determining the CCF points in advance in the case of simple single devices, because the analysis units 1 and 2 in particular are areas where configuration is a matter for our customer. The analysis units 3 etc., by contrast, are predominantly design-related and device-specific, and already deliver the minimum of 65 points required for simple single devices.

CCF management/measures: See above!

Compatibility SIL <> PL/PL <> SIL: Since EN IEC 61508:2001 is behind both new SRP/CS standards, SIL and PL details between the two are compatible, i.e. a PL can schematically be expressed as an SIL, and an SIL schematically as a PL. A shared measurement criterion here is the probability of dangerous failure per hour (PFHd) as follows:

CAUTION: the PFHd classifications above apply to an overall PL (or overall SIL). Only proportions may be consumed for subsystems (recommendation: a max. of 20 % each for and , so that > 60 % for ). The above-mentioned procedure applies overall, but can also be used for subsystems or part systems. This then has the particular advantage, for example, that SIL-qualified devices may be integrated into PL considerations in accordance with EN ISO 13849-1:2006 and, vice versa, PL-qualified devices into SIL considerations in accordance with EN IEC 62061:2005. Remark: for the conversion of MTTFd values into PFHd values and vice versa, see keyword Annex K of EN ISO 13849-1:2006.

Control categories: Terminology from EN 954-1:1996, in future termed designated architectures (in EN ISO 13849-1:2006). They concern the safety-related requirements on SRP/CS irrespective of the technology and are divided into 5 levels (into categories B, 1, 2, 3 and 4). The levels range from simple to complicated requirements, such as 1-fault safety/redundancy and self-monitoring.

In addition to the requirements relating to architecture, observation of the so-called basic safety principles (from CC B) and, beyond this (from CC 1), consideration of the so-called well-tried safety principles also form part of the requirements of the control categories. Please do not confuse this with the requirement to use well-tried components (which only applies to CC 1). What one or the other is can be found in the informative annexes A to D of EN ISO 13849-2:2003 (validation of SRP/CS). Control categories reflect the resistance of an SRP/CS to failures and its behaviour in the event of a fault. An outline of the requirements of the 5 individual control categories can be seen in the table below.

Control categories/control category 2: The requirements and content of the control categories will not be dealt with in detail here because they have been familiar for many years from EN 954-1:1996. An overview can be found under the keyword Control Categories. An exception to this is a reference to the fact that the requirements of control category 2 have been increased in EN ISO 13849-1:2006. In practical terms this will in future be a kind of light control category 3. Background: since the failure of a safety function in CC 2 may go unnoticed between tests, the test frequency is a critical factor. Furthermore, the test equipment itself might fail before the function channel. For this reason, the quantification requires that the MTTFd value of the test equipment TE is not smaller than half of the MTTFd of the logic L; that the test rate is at least 100 times greater than the mean demand rate of the safety function or than the dangerous failure rate; and, added to this, a second shut-down path (via the test equipment).

Especially the required ratio of 1:100 between demand rate and test rate means that CC 2 structures with electromechanical technology (without test intelligence of their own) are faced with barely achievable tasks. The reason for the increased requirements of control category 2 is that in future, in connection with a high MTTFd value and a medium DC, a Performance Level d can be achieved. We have to advise our customers to consider alternative configuration options for this level of criticality. If we find out about new configuration possibilities as time goes on, we will let you know. Up to a PL c, on the other hand, a high MTTFd value and an architecture of control category 1 (1-channelled, but executed with well-tried safety-related components) would be sufficient. This means that electromechanical technology may continue to be used for the typical medium risk range (i.e. PL c). Despite the increased requirements of CC 2, therefore, there is no significant difference compared to the current status of safety technology.

C (Type C) standards: These standards, which deal with the concrete safety-related requirements for individual types of machines (machine tools, processing centres, packaging machines etc.), must be adapted to the new standard situation. This means that where control categories are defined for the execution of certain safety functions, the respective standard setter must adapt these to the requisite Performance Level (= PLr). Considering the several hundred C standards in existence today, it is not to be anticipated that this can take place in the short term (within the coming months). The person responsible for the SRP/CS must therefore initially perform the CC > PLr conversion himself. It is possible, however, that the coming into force of the new EC Machinery Directive 2006/42/EC will ensure an accelerated process here.


In part the CC > PLr conversion can be performed schematically, but sometimes the risk parameters S, F and P (see keyword Risk Graph in accordance with EN ISO 13849-1:2006) must be consulted once again; this is the case where the current risk graph analysis produces two alternatively applicable control categories. In future there will no longer be any such ambiguities. It is also conceivable, however, that some C standard setters might continue to demand a control category in addition to determining a PLr, because they do not agree that it will be possible in future to replace previous 2-channelled structures with 1-channelled structures that have correspondingly high MTTFd and/or DC values.

D
Diagnostic Coverage DC: See Section 3, Page 55 et seq.: features and use of EN ISO 13849-1:2006

E
Estimation of PL and SIL: Both EN ISO 13849-1:2006 and EN IEC 62061:2005 consciously use the term estimation in connection with determining the PL and SIL, in order to make it clear that, in the case of the quantitative (probabilistic) requirements, it does not come down to an absolute, precisely calculable value. In the case of a simple SRP/CS within the framework of PL a to c, EN ISO 13849-1:2006 even stipulates that a qualitative estimation will suffice (see Paragraph 4.5.1). The background for estimation being sufficient is the concept of simplification pursued by both standards. Added to this is the fact that random failures in particular, against which the quantitative (probabilistic) measures are especially directed, are in practice only involved in 10 to 15 % of accidents in machine construction. Other estimates suggest that this proportion is even lower.

Exponential distribution: The exponential distribution is a continuous probability distribution across the set of positive real numbers and a typical service life distribution; it is, for example, expressed in MTTF or MTBF and used to estimate the service life of components, devices etc. where the effects of ageing (wear and tear) do not need to be taken into account. An upstream B10d value analysis is used for components and devices affected by wear and tear. An MTTFd value assumes/means that 63 % of all units have failed dangerously and 37 % of all units are still working properly.


F
Failures: Standard definition (EN ISO 13849-1:2006): ending of the ability of a device (subsystem) to fulfil a required function. A substantial objective of standardisation in this area is to reduce the risk of failures in an SRP/CS causing dangerous states. Disturbances are considered to be equal to failures. A distinction is made within the SRP/CS standardisation between random and systematic failures as well as between dangerous failures (with information on values frequently identified with the index d) and failures which are not dangerous (which obstruct the availability of processes). The latter do not lie within the scope of the SRP/CS standardisation. The result of failures is faults in the SRP/CS. The standard also defines that failures are events and faults are states. However, faults can also come about without the previous occurrence of failures. Measures must also be taken against these, as dealt with especially in EN ISO 13849-2:2003. Since in part this consideration of what constitutes a failure and what is meant by a fault involves the finer points of semantics, the two terms are also used synonymously in certain parts of this brochure.

Failures (systematic failures): Standard definition (EN ISO 13849-1:2006): failures with a deterministic relation to a specific cause, which can only be eliminated by changing the design or manufacturing process, operating procedure, documentation or corresponding factors. Systematic failures can affect both hardware and software. Measures to prevent and control systematic failures are additionally considered once again in the new Annex G of EN ISO 13849-1:2006. Additionally considered means that the EN 954-1:1996 (ISO 13849-1:1999) and in particular the EN ISO 13849-2:2003 standards (originally conceived as EN 954-2) already contain deliberate requirements which are continued and improved on in Annex G. Detailed considerations on this subject are similarly found in EN IEC 62061:2005. Today the cause of most machine accidents can be explained by systematic failures. These include inadequate FMEAs and testing, gaps in design and specification, as well as errors in reasoning. Added to these are accidents resulting from manipulation of protective devices (estimated in Germany to be around 25 %). Even if this does not belong precisely to the standard system, comprehensive risk assessment (hazard analysis) should be part of the context of systematic fault potential. See also EN ISO 12100-1/-2:2003 and EN ISO 14121:2007 (formerly EN 1050). A British study (see figure) suggests that over 60 % of all accidents studied as part of a representative survey were attributable to causes already present in the SRP/CS before commissioning.


More than 60 % of failures are built into safety-related systems before they are taken into service!

Failures (random failures): In particular the requirement to determine the safety-related overall quality of an SRP/CS in the form of a PL or SIL is aimed at reducing the residual risk of hazardous states through random dangerous failures. The assumption is fundamentally made in the case of hardware that it can fail both randomly and systematically. By contrast, software is only subject to systematic failures. A statistical probability can be assigned to random hardware failure (due to product weakening from diverse causes, e.g. material fatigue). In other words: the lower this probability, the higher the functional safety. Where applicable, other things can be dispensed with without affecting the safety-related overall quality. The proportion of accidents resulting from random hardware failures is commonly estimated today to be low; estimates speak of a maximum of 10 to 15 % of all machine accidents. Other estimates produce a lower ratio still. The probability of random hardware failures is an exclusively statistical consideration and permits no conclusions to be drawn on the quality of an individual product.

Failure rates: Typical values for failure rates referred to in the EN ISO 13849-1:2006 standard are MTTFd values (= Mean Time to dangerous Failure). In general MTTF values are a statistical characteristic for the reliability of an object (whatever this object may be); they make a statement about the probabilities of random failures. Failures due to other influences, e.g. through incorrect selection, insufficient dimensioning etc., are numbered among the group of systematic failures and are not reflected using MTTF values. MTTF values are based on the mean (average) service life or service performance of objects (up to failure). The knowledge of service lives or service performances is taken from field data, extrapolations from stress tests, so-called FMED analyses (*) etc.
(*) Failure Modes Effects and Diagnostic Analysis


Only dangerous failures are of interest within the meaning of the standards EN ISO 13849-1:2006 and EN IEC 62061:2005. For example, a contact is not able to close (= usually a disturbance in the case of shut-down systems, but not dangerous) or to open (= usually dangerous in the case of shut-down systems). The ratio of dangerous to non-dangerous failures is commonly estimated at 50:50. In this respect an MTTFd value is then always twice as high as the MTTF value which reflects all failure possibilities. For a number of objects an MTTFd value is used as a probability-mathematical expression, with reference to the exponential distribution, indicating that after expiry of the MTTFd service life 63.2 % of the affected objects have failed dangerously. It therefore constitutes a statement on the probability of survival.

Example:

Illustration of the mean service life: three groups with different levels of reliability are represented. Their units (illustrated by dots) fail at random times. Their failure times correspond to the vertical coordinate. The failure times are spread over long periods of time, e.g. in the case of the first group individual units survive for 18 years whereas some fail after just one year; 63 % have already failed after 6 years (Source: Einführung in die Methoden der Zuverlässigkeitsbewertung [Introduction to the methods of reliability assessment], Siemens AG, I&S IS ICS IT2). By contrast, λ or FIT values, the failure rates with which EN IEC 62061:2005 works, specify on average how many objects fail randomly in a unit of time (= 1/time, versus the survival probability of MTTF or MTTFd values). FIT values represent a failure rate expressed in units of 10^-9 per hour. This therefore concerns an alternative temporal consideration of the same phenomenon. For this reason the reciprocal values of λ or FIT values are again MTTF or MTTFd values.


PFHd values similarly express the probability of a dangerous failure per hour, but they are able to incorporate more into the calculation than simply a consideration of random hardware failures. A conversion is therefore only conditionally permissible. It is possible for 1-channelled structures (1/MTTFd = PFHd and vice versa). Moreover, PFHd values may be converted in a greatly simplified manner into so-called block MTTFd values by forming the reciprocal value (1/PFHd ÷ 8,760) (not permissible the other way round). In the case of PFHd values the distinction via the index d is not particularly common, i.e. the dangerous failure direction is in general meant both by a PFH and by a PFHd value.

MTBF or MTBFd values are a sub-category of MTTF or MTTFd values. MTBF stands for Mean Time Between Failures and is the mean time between two failures for repairable objects. The difference between MTTF (MTTFd) and MTBF (MTBFd) is only marginal and can be disregarded in relation to the considerations for SRP/CS. In many other areas, e.g. in chemicals and process engineering, military engineering, avionics etc., the incorporation of failure rates is part of the state of the art (keyword: reliability engineering). There are numerous sources and works of reference for failure rates, e.g. SN 29500, MIL handbooks etc. If the general sources are referred to for information on failure rates, it is a good idea to question whether a value reflects dangerous failures within the meaning of EN ISO 13849-1:2006 (frequently identified by the index d) or all possible failures (the latter must then be converted, see above). Furthermore, there is a recommendation in EN ISO 13849-1:2006 that values not verified for their purposes and which are from a different source should only be incorporated into calculations at 10 %. In the case of non-specific information on failure rates, e.g. for electrical components, these frequently concern nominal values which take no account of temperature impact (e.g. that the failure rate doubles for each 20 °C rise in temperature), temperature cycles (warm <-> cold) and other environmental influences. These influences must be entered into further calculations (typical for EN IEC 61508:2001) or a blanket figure taken into account by only including 10 % of nominal failure rates in further calculations (recommended in EN ISO 13849-1:2006).
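The failure-rate relations of this entry (exponential distribution, MTTF versus MTTFd, λ and FIT, PFHd and block MTTFd) together with the PFHd-based PL comparison under the keyword Compatibility, as an added example that is not code from the brochure or from Schmersal: the PFHd band limits for PL a to e are those of Table 3 of EN ISO 13849-1:2006 (not reproduced on this page), the overall PFHd of series-connected subsystems is taken as the sum of their PFHd values, and all sample values are constructed.

```python
"""Failure-rate relations from the glossary: exponential life distribution,
MTTF/MTTFd, lambda/FIT, PFHd and the PL bands.

Added worked example, not code from the brochure. Survival follows the
exponential distribution (63.2 % failed at t = MTTFd); a 50:50 split of
dangerous and safe failures gives MTTFd = 2 * MTTF; lambda and FIT
(1 FIT = 1e-9 / h) are reciprocals of MTTF; for a one-channel structure
PFHd = 1/MTTFd, and a subsystem PFHd may be turned into a simplified block
MTTFd by 1/(PFHd * 8760). The PFHd band limits for PL a to e are those of
Table 3 of EN ISO 13849-1:2006 (not reproduced on this page); the overall
PFHd of a chain of subsystems is the sum of their PFHd values.
"""
import math

HOURS_PER_YEAR = 8760.0
FIT_PER_HOUR = 1e-9   # 1 FIT = one failure per 1e9 device-hours


def survival_probability(t_years: float, mttfd_years: float) -> float:
    """Share of units that have not failed dangerously after t years."""
    return math.exp(-t_years / mttfd_years)


def fraction_failed(t_years: float, mttfd_years: float) -> float:
    """Share of units that have failed dangerously after t years (63.2 % at t = MTTFd)."""
    return 1.0 - survival_probability(t_years, mttfd_years)


def mttfd_from_mttf(mttf_years: float, dangerous_share: float = 0.5) -> float:
    """Only dangerous failures count; with the customary 50:50 split MTTFd = 2 * MTTF."""
    return mttf_years / dangerous_share


def lambda_per_hour(mttf_years: float) -> float:
    """Constant failure rate (per hour) as the reciprocal of MTTF."""
    return 1.0 / (mttf_years * HOURS_PER_YEAR)


def fit_from_mttf(mttf_years: float) -> float:
    """Failure rate in FIT for a given MTTF in years."""
    return lambda_per_hour(mttf_years) / FIT_PER_HOUR


def mttf_from_fit(fit: float) -> float:
    """MTTF in years for a failure rate given in FIT (reciprocal of lambda)."""
    return 1.0 / (fit * FIT_PER_HOUR * HOURS_PER_YEAR)


def pfhd_single_channel(mttfd_years: float) -> float:
    """One-channel structure: PFHd = 1 / MTTFd, expressed per hour."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def block_mttfd_from_pfhd(pfhd: float) -> float:
    """Simplified block MTTFd (years) from a subsystem PFHd.

    The text allows only this direction for multi-channel subsystems; the
    reverse (PFHd from a block MTTFd) is not permitted there.
    """
    return 1.0 / (pfhd * HOURS_PER_YEAR)


# Upper limits of the PFHd bands of Table 3: PL e is 1e-8 <= PFHd < 1e-7,
# PL d < 1e-6, PL c < 3e-6, PL b < 1e-5, PL a < 1e-4 (all per hour).
PL_BANDS = (("e", 1e-7), ("d", 1e-6), ("c", 3e-6), ("b", 1e-5), ("a", 1e-4))


def pl_from_pfhd(pfhd: float):
    """Performance Level whose band contains the PFHd; None if PFHd >= 1e-4 / h."""
    for pl, upper in PL_BANDS:
        if pfhd < upper:
            return pl
    return None


def overall_pl(subsystem_pfhd: list) -> tuple:
    """Overall PFHd of series-connected subsystems (sum) and the resulting PL."""
    total = sum(subsystem_pfhd)
    return total, pl_from_pfhd(total)


if __name__ == "__main__":
    # The page's illustration: 63 % of a group failed after 6 years, i.e. MTTFd = 6 y.
    print(f"survival after 18 y with MTTFd 6 y: {survival_probability(18, 6):.3f}")
    # A single channel at the capped maximum MTTFd of 100 y reaches PL c at best.
    pfhd = pfhd_single_channel(100)
    print(f"1-channel PFHd = {pfhd:.2e}/h -> PL {pl_from_pfhd(pfhd)}")
    # Three PL e subsystems whose summed PFHd leaves the PL e band (downgrade to d).
    total, pl = overall_pl([5e-8, 5e-8, 5e-8])
    print(f"sum of subsystem PFHd = {total:.1e}/h -> PL {pl}")
```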

Fault detection DC: See loc. cit. and also Section 3, Page 55 et seq.: features and use of EN ISO 13849-1:2006

Fault exclusion: Fault exclusion is a compromise between the technical safety requirements (the requisite fault consideration) and the theoretical possibility of a fault occurring. As the name says, certain cases of failure or fault are excluded during the safety-related assessment (during FMEA) of an SRP/CS (their occurrence is not accepted/is not allowed to be accepted). Fault exclusions therefore permit (in part substantial) simplifications in the design of the architecture of an SRP/CS, e.g. in questions of the necessity of a redundant design or questions concerning the design of connecting cables in an SRP/CS, but no arbitrary and subjective use may be made of the fault exclusion possibility. Rather, the considerations made must be accompanied by qualified evidence and written documentation. A distinction must be made as to whether fault exclusions are backed by the accepted state of the art or whether they are made individually (without the backing of this state of the art). Annexes A to D of EN ISO 13849-2:2003 are considered to be the definitive state of the art in the area of machine safety. They determine which fault exclusions, depending on the technology, i.e. whether mechanical, hydraulic, pneumatic or electrical, are automatically admissible, which are only admissible under certain circumstances, and which are not admissible. The possibility of fault exclusion is described in EN ISO 13849-1:2006 as follows: Fault exclusion can be based on: the technical improbability of the occurrence of some faults; generally recognised experience, irrespective of the application considered; and the technical requirements in terms of application and specific danger. If faults are excluded, a precise reason must be provided in the technical documentation. The following demarcation applies to fault exclusions: the combination of safety-related parts of a control system starts at the point at which safety-related signals are generated (including, for example, the actuator and roller of a position switch) and ends at the outputs of the power control elements (including, for example, the main contacts of a contactor). See also Section 2 (Deviation and examples), page 29 etc., keyword Fault Exclusions.

Fault exclusion (cable level): EN ISO 13849-1:2006 favours an assumption that fault exclusion can be made for the cable level in an SRP/CS. The requirements for such a fault exclusion are as follows:


Alternatively, we recommend that our customers use signal processing with additional cross-wire monitoring!

Fault detection (external): If simple single devices are deployed within an SRP/CS, the responsibility for fault detection falls to other parts of the SRP/CS which are upstream or downstream of the simple single devices (usually signal processing in the logic unit or special test equipment). In these cases it is necessary to know which fault detection measures are effective here and, of course, the application of the simple single devices must be correct, i.e. they must be integrated into the logic (for example downstream contactors, preferably with positively driven contacts, via a feedback loop). Where applicable, enquiries must be made as to which fault detecting measures are effective in relation to the upstream and downstream parts of the SRP/CS. Moreover, all requirements of the control categories must also be complied with, e.g. the requirements on cable routing etc. In effect one creates a separate subsystem or part system. See also Section 2 (Deviation and examples), page 29 etc., keyword Fault Detection. A diagnostic coverage of 99 % can be assumed for the input level when using safety relay modules, insofar as these are approved for CC 4, PL e or SIL 3 (Table E measure: positively driven monitoring of electromechanical units). At the output level, however, the diagnostic coverage is essentially contingent on the type of output. If, for example, a contactor is monitored via positively guided contacts in a feedback loop, 99 % DC can similarly be achieved. A 99 % diagnostic coverage can be assumed at the input level for safety PLCs, safety bus systems etc. (owing to the so-called crosswise data comparison) as long as these are likewise approved for CC 4, PL e or SIL 3. The same applies to the output level (see: safety relay modules). CAUTION: the above-mentioned statements do not apply to all permutations, e.g. not to series connections of electromechanical safety switchgear, because certain faults which can occur within a chain are not always detected by the logic function. Here, for a diagnostic coverage of 99 %, devices must be incorporated 1:1 or additional measures will be required (e.g. external test equipment).


Hardware reliability MTTFd: See loc. cit. and Section 3, Page 55 et seq.: features and use of EN ISO 13849-1:2006

I
Interlocks with guard locking and control category: The following points must be adhered to in order to achieve the necessary control category:

The respective C standard determines the way in which interlocks may be deployed in safety circuits of a machine control system. If the design engineer satisfies this standard, he simultaneously also satisfies the requirements of the Machinery Directive owing to the so-called presumption of conformity. Deviations from the C standard are nevertheless possible at the own responsibility of the design engineer, but in such cases the design engineer must be able to produce evidence that the deviating solution guarantees at least a comparable degree of safety. If no C standard is available for the application, further information can be found on the use of interlocks in B standards.

Additional monitoring switch (1): The additional monitoring switch serves to control faults and detect faults in the event of a safety-critical failure of the interlock, e.g. in the event of substantial damage to the internal mechanism. It is possible to dispense with an additional monitoring switch if an optimal design adjustment is guaranteed, i.e. if there is stable guidance of the door with a stable end stop across the entire service life of the door; if the permissible interlock forces are adhered to etc.; if actuators are permanently connected to the protective devices, preferably with one-way screws; if the actuators consist of one part and are not manufactured from plastic or cast iron; if interlocks are used with a fail-safe locking mechanism. Regardless of this, we recommend the use of a second monitoring switch: for applications in control category 4 in accordance with EN 954-1 and PLr = e; for non-visible sources of danger, e.g. radiation, electric shock etc. (in part this is even normatively specified, e.g. in the case of X-ray devices).


Additional monitoring switch (2): Frequently, however, a second monitoring switch is also required as an additional measure to protect against the manipulation of moving protective devices. For example, this is an additional provision suggested in the new Amendment 1 of EN 1088:1996 as one of a number of configuration possibilities to minimise the potential for circumvention. Other possibilities are the concealed installation of devices, redundantly constructed devices, e.g. AZM 200 devices, control-related plausibility checks etc. In addition, we recommend that the following be observed for applications with increased safety-related requirements: a fault accumulation is also considered for applications with control category 4. In order to satisfy this fault consideration, start-up testing is required for all electromechanical protective devices, i.e. in the case of latching devices, the safeguard must first be opened and then closed again after switching on the supply voltage, in order to detect again any concealed faults which had been noticed but whose record was lost when the supply voltage was turned off. In the case of applications with control category 3, there are a very few faults that are not detected where interlocks are connected in series. A fault accumulation may lead to the loss of the safety function. For example, the malfunction of an interlock caused by a short circuit or wire break can be overridden by actuating another interlock. This should be taken into consideration in the risk analysis. If faults in the supply lines, such as short circuits or cross shorts, cannot be excluded by cable routing, the use of safety modules with cross-short detection is recommended.

L
Level of cable: See cable level fault exclusion

Literature: There is a great deal of literature now available on EN ISO 13849-1:2006 and EN IEC 62061:2005, published both by publishers and by the manufacturers of safety components, sometimes free of charge. Our information brochure A New Approach to Machine Safety: EN ISO 13849-1:2006 SRP/CS, which can be downloaded from www.schmersal.com (link: safety and standards), was one of the first (and still one of the most comprehensive) sources of information. There are also explanations on the application of the EN 62061 and EN ISO 13849-1 standards in a brochure published by the automation division of the German Electrical and Electronic Manufacturers Association (ZVEI) (can be downloaded from www.zvei.org).

Last, but not least, we make reference to the BGIA Report 2/08 on the subject (q.v.).

Low Demand Mode: See PFD

M
Machinery Directive (MD): The EC Machinery Directive forms the statutory foundation for the requirements of functional machine safety in the European Union and in the other EFTA countries Iceland, Liechtenstein, Norway and Switzerland, and also in Turkey in anticipation of its intended EU accession.

As with all EU directives, the content of the MD must be transposed into respective national law. In the case of the MD, in Germany this takes place under the umbrella of the Equipment and Product Safety Act (GPSG) in the form of the so-called Machinery Ordinance (= 9. GPSG-VO).


The necessity of safety-related parts of control systems (= SRP/CS) is derived from the General Principles (keyword: hazard analysis, or in future risk assessment) as well as from the requirements of Paragraph 1.2.1 (keyword: safety and reliability of control systems) in Annex I* of the MD.

* See MD 2006/42/EC, valid from 29.12.2009, or the currently valid MD 98/37/EC

The necessity of SRP/CS is further explained in Paragraph 9.4 Control functions in the event of a failure of EN IEC 60204-1:2005**, with final reference (for the concrete definition) to the competency of EN ISO 13849-1:2006 and EN IEC 62061:2005. The graduated concept here is based on the General Principles of the MD.

** Elektrische Ausrüstung von Maschinen (Electrical equipment of machines); source: Beuth-Verlag, Berlin

Mission Time (service life): The probability-mathematical models behind EN ISO 13849-1:2006 assume a so-called mission time of 20 years. An exception to this is the B10d value or T10d value consideration with regard to any necessary preventive replacement of devices. By contrast, so-called proof tests, proof test intervals and the like play a lesser role with reference to PL and SIL in machine building.

MTTFd hardware reliability: See loc. cit. (keywords Failure Risks, Bathtub Curve etc.) as well as Section 3, Page 55 et seq.: Features and use of EN ISO 13849-1:2006

O
Objective of the SRP/CS standardisation: See Section 3, Page 55 et seq.: Features and use of EN ISO 13849-1:2006

P
Parts count method: See Addition of failure probabilities Performance Level: See loc. cit. (keyword Calculations etc.) and also Section 3, Page 55 et seq.: Features and use of EN ISO 13849-1:2006


PFD (Probability of Failure on Demand): Consideration from EN IEC 61508-1/-7:2001, a measure of the safety integrity of an SRP/CS as is typical for process technology and process engineering. The PFD value is the counterpart of the PFHd value used in factory automation. The reason for the distinction is that the frequency with which the safety function is demanded differs significantly. In the so-called Low Demand Mode (typical for process technology and process engineering) the safety function is demanded very rarely (not more than once a year). A typical example is an emergency shut-down system which only becomes active when a process has got out of control; this normally occurs less than once a year. This contrasts with the so-called High Demand Mode (with PFHd values), in which the safety function is demanded frequently or continuously (= more than once per year). The SIL classification in Low Demand Mode is as follows *:

* SIL 4 covers safety functions with the risk of several deaths and catastrophic effects and is not taken into consideration in machine building (factory automation).

PL Performance Level: See loc. cit. (keyword Estimations etc.) and also Part 3, Page 55 et seq.: Features and use of EN ISO 13849-1:2006

PLr = required Performance Level: Standard definition (EN ISO 13849-1:2006): the Performance Level (PL) applied in order to achieve the required risk reduction for each safety function. This amounts, so to speak, to determining the TARGET state on the basis of the risk assessment of a safety function. Consequently a PL ≥ PLr must be realised. The PLr results from the respective C standard or from a risk graph consideration of the safety function, i.e. the Performance Level (a, b, c, d or e) required for a safety function depends on the assumed severity of injury in the event of a fault, the frequency and/or duration of exposure in the danger area and the possibility of avoiding the hazard by personal reaction.


PL result graph: See also Part 3, Page 55 et seq.: Features and use of EN ISO 13849-1:2006

Proof test/proof test interval: Repeated test/recurring inspection of an SRP/CS conducted to detect faults so that, if necessary, the system can be brought to an as-new state or as close to this state as practically possible. Counting then begins with a new so-called mission time. Proof tests and proof test intervals are typically used in chemicals and process engineering; another example of use is aircraft maintenance. The subject is hardly of any relevance to our devices (with the exception of the T10d value consideration of devices affected by wear). This does not affect the obligation imposed on the employer to perform regular inspections of work equipment by virtue of the EC Use of Work Equipment Directive or, in Germany, the obligations arising from the occupational safety regulations (BetrSichV).

R
Reliability technology (reliability engineering): Reliability is a property of a product that can be assessed empirically through a statistically measurable value based on observed failure frequencies, or with the aid of probability calculus. PL and SIL considerations belong in a wider sense to the science of reliability technology (reliability engineering).

The first applications of reliability technology were found, as is frequently the case in other areas, in the field of military technology (followed by further applications). Research in reliability technology is concerned with the reliability of components and systems as well as with methods for reliability analysis and assurance. Reliability databases are set up in conjunction with this. Methods of test planning and the statistical evaluation of failure data and service life trials are investigated. Other subjects are the realistic modelling of complex technical systems and the simulation of reliability and availability in early development phases. Calculations of system service life are performed, as is the determination of load spectra. One area of work is the conducting of FMEAs and the preparation of documentation to accompany development.

The methods and terms of reliability technology are comprehensively described today in national and international sets of standards and risk standards, and in principle apply to all technical products and systems. Safety Integrity Levels go back to the standard initiative IEC 61508 (today EN IEC 61508-1/-7:2001), which resulted from the Seveso toxic gas accident. The initial applications of the standard were therefore in chemicals and process technology and subsequently in other areas, with machine building bringing up the rear, so to speak, with the standards EN IEC 62061:2005 and EN ISO 13849-1:2006.


Result graph PL (bar chart): See loc. cit. and Section 3, Page 55 et seq.: Features and use of EN ISO 13849-1:2006

Risk graph consideration in accordance with EN ISO 13849-1:2006: Determines the PLr (= PL to be applied in order to achieve the required risk reduction for each safety function). The familiar parameters for risk evaluation from EN 954-1:1996 (ISO 13849-1:1999) remain unchanged in EN ISO 13849-1:2006, but instead of the result leading to a control category to be realised, it now leads to a Performance Level PLr to be realised, as follows:

An advantage of the new risk graph is that there is now a standard definition of the boundary between parameters F1 and F2: F1 applies to a frequency of exposure in the hazard area of up to once per hour, F2 to a frequency of more than once per hour. The second advantage is that the parameter considerations now always produce an unambiguous PLr, whereas in the preceding standard several permutations could lead to two alternatively applicable control categories without any further aids to the decision being provided.

Risk graph consideration in accordance with EN IEC 62061:2005: Determines the requirements for the safety integrity of the SRP/CS in the form of a safety integrity level (SIL). It is a derivative adapted to machine building and derived from the risk graph of EN IEC 61508:2001, as follows.


In this connection EN IEC 62061:2005 also recognises the so-called SIL claim limit (SIL CL). This is (standard definition) the maximum SIL which can be claimed for an SRP/CS subsystem with respect to its structural constraints and systematic safety integrity. The SIL claim limit is therefore important for the overall evaluation (validation), because the lowest SIL CL, as the weakest link in the chain, determines which SIL can be achieved by the SRP/CS in its entirety.

Risk graph, risk evaluation: Both new SRP/CS standards recognise a risk graph which is used as an aid for determining the requisite degree of risk reduction for the SRP/CS or which PL or SIL results for it. If we ignore the differentiated consideration in EN IEC 62061:2005, then approach and result are largely comparable. In a few borderline cases EN ISO 13849-1:2006 may be somewhat stricter (lying at one requirement class higher).

Risk, risk analysis, risk assessment: Standard definition of risk: combination of the probability of occurrence of harm and the severity of that harm. Standard definition of risk analysis: combination of the specification of the limits of the machine, hazard identification and risk estimation. Standard definition of risk assessment: evaluation based on the risk analysis to determine whether the objectives of risk reduction have been achieved. This set of subjects is likewise based on statutory requirements in the EC Machinery Directive (see keyword Machinery Directive). The perspectives of risk and risk analysis (elsewhere also termed risk evaluation, hazard analysis or similar) are not the primary subject matter of the two new SRP/CS standards; rather they are presumed to have been completed before either of the two SRP/CS standards is used.

Here the standards EN ISO 12100-1/-2:2004(1) and EN 1050:1995 (in future EN ISO 14121:2007(2)) in particular offer aids to interpretation and performance.
(1) Safety of machinery, basic terms, general principles for design; Part 1: Basic terminology, methodology; Part 2: Technical principles
(2) Safety of machinery, risk assessment; Part 1: Principles

Example of a plan for risk evaluation (Source: SUVA/CH = Swiss Labour Accident Insurance Association)

S
Safety function: A safety function is used for the classification of a required PL in accordance with EN ISO 13849-1:2006 or SIL in accordance with EN IEC 62061:2005. In line with the definition (see EN ISO 13849-1:2006) this is a function of a machine whose failure can lead to an immediate increase of the risk(s). The definition of the safety function therefore has considerable effects on the determination of the PL and SIL. The following examples (taken in abbreviated form from the BGIA Report 2/08) are intended to elucidate this. In our case this consideration has caused some rethinking, as can be seen in particular in Example 2.

Abbreviated extract from BGIA Report 2/08, Example 1: Safety function "Shut down when opening the guard door". A machine operator has access to a hazardous area when opening the guard door, where five actuators control the movements of machine parts. Opening the guard door causes the fastest possible shut-down of all five actuators. The result can be a PL which is no longer sufficient for the application, although perhaps only actuators 1 and 3 trigger movements which represent a danger for the operator, and the remaining actuators are shut down for purely functional reasons. In this case it is recommended that the safety function only take into account the movements that are actually dangerous.

PS: All fault possibilities of the electrical installation must be assigned to the respective blocks, e.g. the lack of fault detection in the case of series connection of electromechanical devices.


Abbreviated extract from the BGIA Report 2/08, Example 2: Safety function "Shut down when opening a guard door". A hazardous movement is safeguarded by a series connection of five guard doors. Opening one of the doors leads to shut-down. With reference to the subsequent determination of the PL, each door is a component of its own safety function SF1 to SF5 if the doors are normally opened independently of each other.

PS: All fault possibilities of the electrical installation must be assigned to the respective blocks, e.g. the lack of fault detection in the case of series connection of electromechanical devices.

Abbreviated extract from the BGIA Report 2/08, Example 3: Safety function "Emergency stop of an overall machine". 20 emergency-stop devices are installed on a large machine; their actuation shuts down all 50 actuators as quickly as possible. Which components must be taken into consideration in this case when realising the safety function? It cannot be predicted which emergency-stop device will be actuated to trigger the safety function. Since the operator only ever actuates one emergency-stop device, the safety functions are defined as SF1 to SF20. The respective location of an endangered person when triggering the emergency stop is not known, but wherever this person is, not all 50 actuators represent a hazard. For this reason the worst case should be considered as representative of all conceivable situations. This is determined by the worst PL, and thus depends on the number of actuators in the safety chain which generate hazardous movements at the worst possible location, as well as on their respective individual PLs.


PS: All fault possibilities of the electrical installation must be assigned to the respective blocks, e.g. the lack of fault detection in the case of series connection of electromechanical devices.

Series connections: The length of a series connection (and thus the relative extent of the residual fault probabilities, i.e. the longer the chain, the more likely) is determined by the definition of the safety function (see loc. cit.). From this perspective more than 31 CSS devices can, for example, be connected in series without this being linked to a downgrading of the SIL or PL, provided that several mutually independent safety functions account for the number of devices. The argument of complete fault detection (DC ≥ 99 %) in the CSS family remains fully valid.

Series connections of electromechanical devices: In the past we have argued that series connections of electromechanical devices only constitute control category 3. Qualification as CC 4 is not possible because not all faults in the series connection can be detected, and under certain circumstances a fault accumulation cannot be excluded (see figure on Page 103).

Nothing has changed in relation to this assessment, i.e. an SRB module or a safety PLC (SiSPS) cannot be credited with a high diagnostic coverage (≥ 99 %) in the case of a series connection; however, in future a PL d will also be possible with a CC 3 architecture.

The question, however, is whether the restricted fault detection (see figure) leads to a downgrading of the DC to low or medium. We are currently still clarifying this question. Until further notice we will only claim low (DC = 60 %).

However, series connections with PL e are possible if the contacts of the series connection are read back into the PLC and evaluated for plausibility (see BGIA circuitry example 8.2.28 on Page 51) or if fault exclusions can be made at the input level (see BGIA circuitry example 8.2.29 on Page 50). Alternatively use Schmersal's CSS family of contactless interlocking devices based on microprocessor technology.
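As an added example (not code from the brochure, from Schmersal or from the BGIA report), the following Python simulation models the two fault situations described under this keyword and under Additional monitoring switch: a two-channel interlock with one channel bridged by a short circuit, wired in series with a second, healthy interlock, evaluated by a two-channel monitor with discrepancy detection. The monitor logic is an assumed, simplified model and not any particular SRB module; the guard names G1/G2, the fault and the operating sequences are constructed.

```python
"""Fault masking in a series connection of two-channel interlocks.

Added example with an assumed, simplified relay model (constructed, not any
product's logic). It shows why a channel held closed by a short circuit is
detected when only the faulty guard is cycled, why it is masked when a second
guard in the same chain is opened at the same time, and why a start-up test is
needed after a power cycle (the latched fault is lost with the supply voltage).
"""
from dataclasses import dataclass


@dataclass
class Interlock:
    """One guard switch with two normally closed channels K1 and K2.
    `stuck_closed` lists channels that a wiring short keeps closed even when
    the guard is open: the fault case from the text (constructed)."""
    name: str
    door_open: bool = False
    stuck_closed: frozenset = frozenset()

    def channel(self, ch):
        """True means the contact is closed, i.e. current flows."""
        return ch in self.stuck_closed or not self.door_open


def series_state(chain):
    """Series wiring: a channel conducts only if every switch closes it."""
    return (all(sw.channel(1) for sw in chain), all(sw.channel(2) for sw in chain))


class TwoChannelMonitor:
    """Assumed relay logic: enable only after both channels have been seen open
    and then closed again; a sample in which exactly one channel is open is a
    discrepancy that latches a fault. The fault memory is volatile."""

    def __init__(self, startup_test=True):
        self.startup_test = startup_test
        self.power_on()

    def power_on(self):
        self.fault = False
        self.enabled = False
        # Without a start-up test the relay accepts closed channels at
        # power-up as valid instead of insisting on seeing them open first.
        self.both_opened = not self.startup_test

    def sample(self, k1, k2):
        if k1 != k2:                                  # one channel did not open
            self.fault = True
            self.enabled = False
        elif not k1:                                  # both open: genuine guard-open state
            self.both_opened = True
            self.enabled = False
        elif self.both_opened and not self.fault:     # both closed again: release
            self.enabled = True
            self.both_opened = False
        return self.enabled


def run(chain, monitor, actions):
    """Apply (guard name, door_open) actions in order; return (enabled, fault)."""
    by_name = {sw.name: sw for sw in chain}
    monitor.sample(*series_state(chain))
    for name, opened in actions:
        by_name[name].door_open = opened
        monitor.sample(*series_state(chain))
    return monitor.enabled, monitor.fault


def faulty_chain():
    """Two guards in series; K1 of guard G2 is bridged by a short circuit."""
    return [Interlock("G1"), Interlock("G2", stuck_closed=frozenset({1}))]


def fault_detected_when_faulty_guard_cycled():
    # Only G2 is opened: K2 opens, K1 stays closed -> discrepancy -> fault.
    return run(faulty_chain(), TwoChannelMonitor(), [("G2", True), ("G2", False)])


def fault_masked_by_second_guard():
    # G1 is opened first, so both series channels are already open when the
    # faulty G2 is cycled; the monitor never sees the discrepancy and re-enables.
    return run(faulty_chain(), TwoChannelMonitor(),
               [("G1", True), ("G2", True), ("G2", False), ("G1", False)])


def after_power_cycle(startup_test):
    # The fault is detected, then the supply voltage is switched off and on.
    chain, mon = faulty_chain(), TwoChannelMonitor(startup_test)
    run(chain, mon, [("G2", True), ("G2", False)])
    mon.power_on()                                    # latched fault is lost
    if startup_test:                                  # open and close G2 once more
        return run(chain, mon, [("G2", True), ("G2", False)])
    return run(chain, mon, [])                        # closed channels accepted as is
```

`fault_masked_by_second_guard()` returns `(True, False)`: the machine is released with the short circuit still present, which is exactly the fault accumulation the text warns about, and the reason only low DC is claimed for such chains. `after_power_cycle(False)` likewise releases the machine with the concealed fault, while `after_power_cycle(True)` re-detects it, which is the purpose of the start-up test.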

SIL (Safety Integrity Level): Class of the safety-related overall quality of an SRP/CS, as recognised by EN IEC 62061:2005 and EN IEC 61508-1/-7:2001 (similar to the PL philosophy). Standard definition: discrete level for stipulating the claims to safety integrity of the safety-related control function. Safety integrity here is defined as the probability that the requisite control functions under all specified conditions will be performed satisfactorily and refers in this respect to the hardware, software and systematic safety integrity. In spite of the term probability used above, an SIL is not purely probabilistic. An SIL is determined from the so-called Architectural Constraints and the probability of a dangerous fault per hour (PFHd). Architectural constraints exist subject to the so-called Safe Failure Fraction SFF. This combines diagnosis with the ratio of faults which are in a safe direction. In simplified terms, if the SFF (i.e. ratio of recognised and/or safe faults) is high, construction may be 1-channelled depending on the SIL, and if the SFF is low, depending on the SIL construction must be redundant (hardware fault tolerance).

SFF = (λs + λdd) / (λs + λdd + λdu), where λs = failures in the safe direction, λdd = dangerous failures that are detected, λdu = dangerous failures that are undetected.

For example, SIL 2 requires a PFHd value between 10^-7 and 10^-6 per hour, on the basis of either HFT 2 (3-channelled) with an SFF below 60 %, HFT 1 (2-channelled) with an SFF of 60 % to 90 %, or HFT 0 (1-channelled) with an SFF of 90 % to 99 % (HFT = hardware fault tolerance). Depending on the level of criticality, EN IEC 62061:2005 distinguishes between three Safety Integrity Levels for machine building. Here, too, a risk graph is decisive for the classification (similar to the one used in EN ISO 13849-1:2006). With regard to the residual fault probability, it is not possible to say that an SIL is stricter than a PL or vice versa; rather, SILs offer more configuration possibilities. In relation to subsystems of an SRP/CS, this document also refers to Sub-PLs or Sub-SILs. This denotes the safety-related quality, expressed as SIL and PFHd, of a subsystem. The overall SIL of an SRP/CS corresponds to the lowest Sub-SIL (weakest-link principle) together with the PFHd value that can be achieved for it; the latter is the sum of the individual PFHd values of all subsystems and must itself lie within the band of the claimed SIL. All in all, EN IEC 61508:2001 recognises 4 SIL levels. SIL 4 covers risks with several deaths or catastrophic effects, i.e. it is not relevant to machinery. In addition to the PFHd value, EN IEC 61508:2001 also operates with the so-called PFD value (PFD = Probability of Failure on Demand) where a safety function is rarely demanded (not more than once per year), which is typical for chemicals and process technology, for example.
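The two rules just described, SIL claim limit from the architectural constraints and overall SIL as the weakest link further limited by the summed PFHd, as an added Python example (not code from the brochure or from Schmersal). The table values are those of EN IEC 62061:2005 (Table 5 for SFF/HFT, Table 3 for the PFHd bands, capped at SIL 3 for machinery); the subsystem names and all failure-rate figures are constructed assumptions, not product data.

```python
"""Combining subsystems into an overall SIL per EN IEC 62061 (added example)."""


def sff(lambda_s, lambda_dd, lambda_du):
    """Safe failure fraction: share of all failures that are either safe or
    dangerous but detected by the diagnostics."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


def sil_cl_from_architecture(sff_value, hft):
    """SIL claim limit from the architectural constraints (EN IEC 62061
    Table 5). Returns 0 where the architecture is not permitted at all
    (single channel, HFT 0, with SFF below 60 %). Machinery stops at SIL 3."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    if sff_value < 0.60:
        row = (0, 1, 2)
    elif sff_value < 0.90:
        row = (1, 2, 3)
    elif sff_value < 0.99:
        row = (2, 3, 3)
    else:
        row = (3, 3, 3)
    return row[hft]


def sil_from_pfhd(pfhd):
    """SIL band of a PFHd in high demand mode (EN IEC 62061 Table 3)."""
    if pfhd <= 0:
        raise ValueError("PFHd must be positive")
    if pfhd < 1e-7:
        return 3
    if pfhd < 1e-6:
        return 2
    if pfhd < 1e-5:
        return 1
    return 0                       # no SIL can be claimed


def overall_sil(subsystems):
    """subsystems: list of (name, SFF, HFT, PFHd). The overall SIL is the
    lowest SIL CL (weakest link), further limited by the band into which the
    summed PFHd of all subsystems falls. Returns (SIL, total PFHd)."""
    structural = min(sil_cl_from_architecture(s, h) for _, s, h, _ in subsystems)
    total_pfhd = sum(p for _, _, _, p in subsystems)
    return min(structural, sil_from_pfhd(total_pfhd)), total_pfhd


def example():
    """Constructed chain (assumed values): the actuator subsystem limits the
    chain to SIL 2 even though the summed PFHd alone would satisfy SIL 3."""
    actuator_sff = sff(lambda_s=4e-8, lambda_dd=3e-8, lambda_du=3e-8)   # 0.7
    chain = [
        ("sensor: two-channel interlock", 0.95, 1, 2e-8),       # SIL CL 3
        ("logic: safety PLC", 0.99, 1, 1e-8),                   # SIL CL 3
        ("actuator: two contactors", actuator_sff, 1, 3e-8),    # SIL CL 2
    ]
    return overall_sil(chain)
```

`example()` returns `(2, 6e-08)`: the summed PFHd lies in the SIL 3 band, but the actuator subsystem with an SFF of 70 % and HFT 1 has a SIL CL of 2, which as the weakest link caps the whole SRP/CS at SIL 2.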

SIL Claim Limit (SILCL): The maximum SIL that can be claimed for a subsystem with respect to its structural constraints and systematic safety integrity (see keyword Risk graph consideration in accordance with EN IEC 62061:2005). The SIL required for a safety function (the target specification resulting from a risk graph consideration or from a C standard) is the counterpart of the required Performance Level PLr; the SILCL of every subsystem must then be at least this required SIL. See also keyword SIL.


SISTEMA: WINDOWS-based software for PL calculation in accordance with EN ISO 13849-1:2006, which was developed by the BGIA Institute for Occupational Health and Safety of the German Statutory Accident Insurance (DGUV), St. Augustin and made available free of charge to anybody interested. SISTEMA stands for SIcherheit von STEuerungen an MAschinen (safety of control systems on machines).

The SISTEMA tool replicates the structure of safety-related control parts (SRP/CS) on the basis of the so-called designated architectures and calculates reliability values at a detailed level, including the Performance Level (PL) achieved. The parameters for determining the PL, i.e. the category, CCF measures, component quality MTTFd and test quality DCavg, can be entered step by step. The consequences of each parameter change on the overall system are displayed directly and can be printed out as a report. The tool provides assistance with the calculation but is no substitute for a basic understanding of the standard! SISTEMA can be downloaded from www.dguv.de/bgia/13849. Users are asked to register in order to accept the licence terms and to receive any updates.

Software: Software forming part of PES systems is given particular emphasis both in EN ISO 13849-1:2006 and in EN IEC 62061:2005. A distinction is made between the operating system software of a PES (= SRESW for Safety-Related Embedded Software) and the application software of a PES (= SRASW for Safety-Related Application Software). The latter (SRASW) is also divided according to the programming language used for it (FVL for programming languages with full language variability and LVL for programming languages with limited language variability).

We will not go into greater detail on the subject of SRESW within the framework of this brochure. It is important to know that EN ISO 13849-1:2006 also facilitates the development of PES systems (see loc. cit.) and that SRESW requirements are covered in the standard up to PL d. For PL e the respective part of EN IEC 61508 should be used as a basis; alternatively the SRESW could be developed diversely. In future, additional requirements will similarly apply to SRASW, which affect the user, e.g. the programmer of a safety PLC. There are basic requirements which apply to all PLs, and additional requirements from PL c upwards which are divided into FVL and LVL.

Definition of application software: software which has been implemented in the machine specifically by the manufacturer for the application and which generally contains logic sequences, limit values and routines to control the respective inputs, outputs, calculations and decisions in order to satisfy the requirements of the SRP/CS.

Definition of FVL: type of language with the ability to implement a wide range of functions and applications. Examples: C, C++, assembler.
Remark 1: in accordance with IEC 61511-1:2003, item 3.2.80.1.3
Remark 2: a typical example of systems using FVL: embedded systems
Remark 3: in the machinery area, FVL is used in embedded software and occasionally in application software.

Definition of LVL: type of language with the ability to combine predefined, application-specific library functions in order to implement the specification of the safety functions.
Remark 1: in accordance with IEC 61511-1:2003, item 3.2.80.1.2
Remark 2: typical examples of LVL (ladder diagram, function block diagram) are specified in IEC 61131-3.
Remark 3: a typical example of a system that uses LVL: PLC

STANDARDS: EN 954-1:1996: This standard on the subject of SRP/CS was contentious from the start and will be withdrawn in November 2009. Superseded by standard EN ISO 13849-1:2006

EN 954-2: See EN ISO 13849-2:2003


EN ISO 13849-1:2006: New B1 standard on the subject: Safety-related parts of control systems, Part 1: General principles for design. German version: DIN EN ISO 13849-1:2007-07; source: Beuth-Verlag GmbH, Berlin, www.beuth.de. Listed (harmonised) standard with presumption of conformity under the umbrella of the EC Machinery Directive since May 2007. Supersedes EN 954-1:1996 (ISO 13849-1:1999), which will be withdrawn in November 2009. Substantial changes:
- Performance Level (supersedes the exclusive analysis of control categories)
- Incorporates the development and application of so-called programmable electronic systems with safety functions (PES) into the SRP/CS technologies
- Expands (via its own Annex G) the consideration of controlling and preventing systematic failures and faults
Alternative standard to EN ISO 13849-1:2006 (for partial areas): EN IEC 62061:2005

EN ISO 13849-2:2003: Standard originally introduced as Part 2 of EN 954 with the focal emphasis on Validation of SRP/CS (safety-related parts of control systems Part 2: Validation) German version: DIN EN ISO 13849-2:2003-12; Source: Beuth-Verlag GmbH, Berlin, www.beuth.de Remains in force (although currently being reworked) and now supplements EN ISO 13849-1:2006 The standard retains its significance in the configuration and design of SRP/CS also after the coming into force of the new Part 1 in the form of EN ISO 13849-1:2006. It has particular significance in terms of admissible fault exclusions and the list of basic, well tried and tested safety principles as well as safety-related tried and tested components (see technology-related Annexes A to D).

EN IEC 62061:2005: New B1 standard on the subject: Functional safety of safety-related electrical, electronic and programmable electronic control systems (E/E/PES systems). Sector-specific standard for machine building derived from EN (IEC) 61508:2001. German version: DIN EN 62061 (VDE 0113-50):2005-10; source: Beuth-Verlag GmbH, Berlin, www.beuth.de. Listed (harmonised) standard with presumption of conformity under the umbrella of the EC Machinery Directive since December 2006. To be understood as an alternative to EN 954-1:1996 and, in particular for more complex E/E/PES systems, also as an alternative to EN ISO 13849-1:2006. Principal content: considers safety-related electrical control systems (SRECS) and Safety Integrity Levels (SIL); reflects the requirements of EN (IEC) 61508:2001 for machine building, albeit in simplified form.

EN IEC 61508:2001: So-called Basic Safety Publication on the subject: Functional safety of electrical/electronic/programmable electronic systems, Parts 1 to 7 (= 370 pages). German version: DIN EN 61508-x:2001 (x = Parts 1 to 7); source: Beuth-Verlag GmbH, Berlin, www.beuth.de. Original IEC standard 1508 (1998 + 2000 amendment loop); adopted into the European standards in 2001, but without harmonisation under the umbrella of the EC Machinery Directive. The scope of the standard spreads across all life phases of a product/system and considers the so-called safety life cycle (from design through to decommissioning). All forms of safety-relevant systems (fault-tolerant systems, shut-down systems etc.) and risk-reducing measures in the event of failures or malfunctions, through to catastrophic risks, form the subject matter of the analysis. Background information: the creation of this standard was motivated by the toxic gas accident in Seveso. The desired effect of measures is expressed in a Safety Integrity Level (SIL), whose calculation relies on complex mathematical modelling with high scientific demands. The so-called sector-specific standards also arose against this background; they break down the requirements of EN IEC 61508 into a simplified form suited to the requirements of the respective target group.

Expressed very simply, EN IEC 61508 is the archetype of safety-related reliability engineering and also inspired EN ISO 13849-1:2006.

EN ISO 13849-1:2006 <> EN IEC 62061:2005 (comparison): Both standards are listed (harmonised) standards with presumption of conformity under the umbrella of the EC Machinery Directive. Unfortunately there are intersections between the two standards (in other words duplicate provisions). This is because both standards are concerned with the configuration of an SRP/CS if electrical, electronic and programmable technologies are used (EN ISO 13849-1:2006 in the form of a Performance Level and EN IEC 62061:2005 in the form of a Safety Integrity Level).

The background to the intersections is that one standard was created at ISO level and the other at IEC level (at European level, the CEN and CENELEC levels respectively). The standard setter on the ISO side argues that EN 954-1:1996 was already an ISO standard and therefore claims the competency to revise it (i.e. to issue the successor standard), whereas the standard setters on the IEC side, referring to the Basic Safety Publication EN IEC 61508:2001, believe they have the competency for so-called E/E/PES technologies. There is a clear delineation in the case of mechanics, hydraulics, pneumatics and wear-affected electrical technologies (for which only EN ISO 13849-1:2006 contains firm rules) on the one hand, and architectures which differ significantly from the designated architectures of EN ISO 13849-1:2006 (in other words the control categories) on the other; here EN IEC 62061:2005 is competent, although with very frequent cross-referencing to EN IEC 61508:2001. Furthermore there is a competency reference to EN IEC 62061:2005/61508:2001 for PES development with Performance Level e, as long as no diversely designed software is used. Otherwise we clearly recommend EN ISO 13849-1:2006 to our customers. The reason for the recommendation is that EN ISO 13849-1:2006 consistently aims at simplifying, as far as possible for the user in machine building, the complication resulting from the conversion to the Performance Level (the price for this is only being allowed to move within the framework of the designated architectures), while EN IEC 62061:2005 offers more options (but with frequent reference to EN IEC 61508:2001). The simplification concept of EN IEC 62061:2005 compared to EN IEC 61508:2001 is to realise the SRP/CS using subsystems. In spite of everything, both standards are compatible with each other; they may be used alternatively or combined.

EN ISO 13849-1 / EN IEC 62061:2005 (comparison with EN 954-1:1996): Leaving aside the complication, the clear advantage of the two new SRP/CS standards is that in future there will be greater configuration scope for the user. For example, in EN ISO 13849-1:2006 there are 5 or possibly 6 different configuration possibilities for PL c. In the past there would only have been CC 2.


A further difference to EN 954-1:1996 is the incorporation of the development and application of PES systems (SiSPSs, safety bus systems etc.) as well as the deliberate analysis of systematic faults (including CCF).

Symmetrising formula: See keyword Addition of failure probabilities

T
T10d value consideration: The T10d value consideration is likewise new in EN ISO 13849-1:2006. The T10d value is the B10d value (the number of cycles after which 10 % of the components have failed dangerously) converted into years using the number of operations per year, and is to be understood as information for the preventive replacement of devices affected by wear; it corresponds to 10 % of the MTTFd. With the T10d value it is assumed that the device concerned has a constant failure rate over the respective period (similar to the middle phase of the bathtub curve). Information on preventive device replacement of course only makes sense where the T10d value lies within the assumed mission time of an SRP/CS of 20 years. The T10d value consideration is no substitute for the regular inspections of work equipment in accordance with the EC Use of Work Equipment Directive or, in Germany, the occupational safety regulations (BetrSichV). See also keyword B10d values.


Test equipment: Test equipment serves fault detection (the diagnostic coverage) in SRP/CS. It can be implemented in the channels of an SRP/CS, e.g. in the safety PLC or in the SRB module. It can also operate as external test equipment, detached from the channels of the SRP/CS, for example within the functions of the operational (standard) PLC. In this case certain additional requirements are placed on the test equipment, which however do not generally represent an insurmountable obstacle. See also BGIA circuitry example 8.2.28 in this respect (Page 51).


Excerpt from our brochure A new approach to machine safety: EN ISO 13849-1:2006 safety-related parts of control systems: Example to estimate a PL by block method


Standard example in accordance with Annex I of EN ISO 13849-1:2006*

Fig. 32: Iterative design and development process in accordance with EN ISO 138491:2006 Example Firstly, the iterative design and development process in EN ISO 13 849-1:2006 is also present in a suitable version as is the case with EN ISO 12 100-1, i.e. hereto it is theoretically divided into 8 steps, beginning with the selection of a safety function (1) then on via steps (2) (7) to the decision whether the requisite PLr has been attained (8). The above example (refer to Figure 33) relates to the interlocking of moving guards, i.e. a hazardous movement is stopped when the protective device is opened, with no reengaging possible while open etc. (refer also to EN 1088: safety of machines interlocking devices associated with guards principles for design and selection).
* The devices affected by wear and tear in the circuitry example still have to be subjected to a B10d value consideration. We assume that the manufacturer information defined for this has already been converted accordingly.

The determination of the required Performance Level, i.e. the risk graph consideration in the new version of EN ISO 13849-1:2006, may then produce a PLr of c (see Figure 34).

Fig. 34: Determining the PLr

The SRP/CS structure under consideration (designated architecture): see Figure 35.

Fig. 35: Design and identification of an SRP/CS

On the basis of the designated architecture in accordance with Figure 35 this means:

Fig. 36: Determination of the PL: category

Because the two channels in the example are constructed differently (refer to the SRP/CS structure), differing MTTFd values for the two channels A and B must first be determined and then symmetrised with each other.

Figure 37: Determination of the PL: MTTFd for channel A

Figure 38: Determination of the PL: MTTFd for channel B and total MTTFd

Below is an analysis of the diagnostic coverage (DC):

Figure 39: Determination of the PL: DCavg

Below is the determination of the CCF management:

Figure 40: Determination of the PL: CCF

and finally the arrangement in the block diagram, i.e. the verification whether PL ≥ PLr (refer to Figure 41).

Fig. 41: Verification whether the reached PL ≥ PLr

Remarks: naturally the meticulous breakdown into individual stages in the above example is somewhat exaggerated. Furthermore the example has two differently constructed channels on both the sensor side and the logic side, and thus looks rather more complex than the structures frequently used in practice. Nevertheless, it demonstrates the thinking behind the new requirements of EN ISO 13849-1:2006, even though the example did not apply a B10d value consideration to the interlocking device (an electromechanical device), which would actually be more accurate.

K.A. Schmersal GmbH Industrielle Sicherheitsschaltsysteme Möddinghofe 30 D-42279 Wuppertal P.O. Box 24 02 63 D-42232 Wuppertal Telephone: +49 (0)202 6474-0 Facsimile: +49 (0)202 6474-100 Email: info@schmersal.com Internet: www.schmersal.com

Elan Schaltelemente GmbH & Co. KG Im Ostpark 2 D-35435 Wettenberg P.O. Box 1109 D-35429 Wettenberg Telephone: +49 (0)641 9848-0 Facsimile: +49 (0)641 9848-420 Email: info-elan@schmersal.com Internet: www.elan.de

Your contact partner: Friedrich Adams Manager Schmersal tec.nicum Email: fadams@schmersal.com 09/08
