
Safety@Festo

Evaluation and assessment of safety measures
in accordance with EN ISO 13849-1/EN 61508/EN 61511

Risk assessment
  Risk analysis – Risk evaluation – Risk reduction
  Risk reduction: Design measures, Technical measures, User information

Safety function: Trigger event → Input → Logic → Output → Drive

Trigger event – What triggers the safety measure? For example:
  • Approaching a hazardous area
  • Opening a safety door
  • Failure

Input – Device that recognises the trigger situation:
  • Light curtain
  • Safety door
  • Pressure mat
  • Emergency Stop
  • Laser scanner
  • Camera

Logic – Device that safely processes the signal:
  • Hard-wiring
  • Safety relay
  • Safety PLC
  • Pneumatic control system

Output – Device that controls the dangerous movement (energy):
  • Pneumatic
  • Electrical
  • Hydraulic

Drive – 10 safety functions:
  • Pressurising
  • Maintaining pressure
  • Reducing pressure and force
  • Exhausting
  • Tamper-proof, prevention of unexpected starting-up
  • Two-hand control
  • Reducing speed
  • Free of forces
  • Reversing a movement
  • Stopping, holding and blocking a movement

www.festo.com

6 steps for evaluating whether safety measures are sufficient

EN ISO 13849-1: Applicable to safety-related parts of control systems and for all types of machines, regardless of the technology and power used – electric, pneumatic, hydraulic, mechanic.
EN 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems.
EN 61511: Functional safety – safety instrumented systems for the process industry sector.

1 Risk assessment – Evaluation of the application

Determining the required Performance Level (PLr) – risk graph (low risk at the top, high risk at the bottom)
  S Severity of injury
    S1 Slight (normally reversible injury)
    S2 Serious (normally irreversible injury, or death)
  F Frequency and/or exposure to hazard
    F1 Seldom to less often and/or exposed time is short
    F2 Frequent to continuous and/or exposed time is long
  P Possibility of avoiding the hazard
    P1 Possible under specific conditions
    P2 Scarcely possible
  a–e Performance Level (PLr), read from the branches of the graph:
    S1 F1 P1 → a
    S1 F1 P2 → b
    S1 F2 P1 → b
    S1 F2 P2 → c
    S2 F1 P1 → c
    S2 F1 P2 → d
    S2 F2 P1 → d
    S2 F2 P2 → e
  Source: DIN EN ISO 13849-1 Appendix 1.2.3

Determining the required Safety Integrity Level (SILr) – risk graph with result columns W1, W2, W3
  S Consequence
    S1 Minor injuries to a person
    S2 Severe injury to multiple persons up to death of a person
    S3 Multiple deaths
    S4 Catastrophic effects with many deaths
  F Frequency
    F1 Seldom to reasonably frequent
    F2 Frequent to continuous
  P Possibility of avoidance
    P1 Possible under certain conditions
    P2 Scarcely possible
  W Probability of occurrence
    W1 Relatively high
    W2 Low
    W3 Very low
  Result rows of the graph (row 1 = S1, low risk; row 8 = S4, high risk; rows 2 to 7 are the S2 and S3 branches refined by F and P):
                  W1     W2     W3
    row 1 (S1)    –      –      –
    row 2         SIL1   –      –
    row 3         SIL1   SIL1   –
    row 4         SIL2   SIL1   SIL1
    row 5         SIL3   SIL2   SIL1
    row 6         SIL3   SIL3   SIL2
    row 7         SIL4   SIL3   SIL3
    row 8 (S4)    SIL4   SIL4   SIL3

• SIL (Safety Integrity Level)
  Four discrete steps (SIL1 to SIL4). The higher the SIL of a safety-related system, the lower the probability of the system not being able to execute the necessary safety functions.

2 Designated architectures – Evaluation of safety measures

Specifications of categories (block diagrams)
  Category B/Category 1 (single channel):
    Input signal → Input → Logic → Output → Output signal
  Category 2 (single channel with test):
    Input signal → Input → Logic → Output → Output signal
    Test signal → Test unit (Monitoring) → Output of test criterion or display; Second shut-down
  Category 3 (two channels, cross-monitored):
    Input signal → Input → Logic → Output → Output signal
    Input signal → Input → Logic → Output → Output signal
    Monitoring between the two channels
  Category 4 (two channels, cross-monitored):
    Input signal → Input → Logic → Output → Output signal
    Input signal → Input → Logic → Output → Output signal
    Monitoring between the two channels

HFT – Defining the Hardware Failure Tolerance
  HFT 0 – Example: 1oo1 (One out of One), 2oo2 (Two out of Two)
    A single failure can lead to a loss of safety.
  HFT 1 – Example: 1oo2 (One out of Two), 2oo3 (Two out of Three)
    At least 2 failures must occur simultaneously to cause a loss of safety.
  HFT 2 – Example: 1oo3 (One out of Three)
    At least 3 failures must occur simultaneously to cause a loss of safety.

• HFT (Hardware Failure Tolerance)
  Ability of a required function to still perform in case of failures and deviations

3 CCF Common Cause Failure / DC Determining Diagnostics Coverage / SFF Defining the Safe Failure Fraction

Measures against CCF                Points
  Separation/Segregation              15
  Diversity                           20
  Design/application                  20
  Assessment/analysis                  5
  Competence/training                  5
  Environmental                       35
  Requirement: Points ≥ 65

Procedure for determining DC
  Start → Component → System structure: What failures could occur? → Are the failures dangerous? → Can the dangerous failures be detected? → Category, MTTFd, DC, CCF → Checking the achieved PL → End: Entire system

  DC1 = (Detected dangerous failures) / (Total dangerous failures)

  DCavg = (DC1/MTTFd1 + DC2/MTTFd2 + ... + DCn/MTTFdn) / (1/MTTFd1 + 1/MTTFd2 + ... + 1/MTTFdn)

Safe Failure Fraction
  SFF = (λDD + λS) / (λD + λS)
  DC ≤ SFF ≤ 1
  for λS = 0: SFF = DC
  for λD = 0: SFF = 1

FME(D)A failure split (identical for High Demand Mode and Low Demand Mode)
  Type of failure
    safe:       detected λSD, undetected λSU
    dangerous:  detected λDD, undetected λDU
  SFF = (λSD + λSU + λDD) / λTotal
  DC = λDD / λD

• λ (failure rates)
  λS: Failure rate for safe failures
  λD: Failure rate for dangerous failures
  λSD: Failure rate for safe, detected failures
  λSU: Failure rate for safe, undetected failures
  λDD: Failure rate for dangerous, detected failures
  λDU: Failure rate for dangerous, undetected failures
• FME(D)A (Failure Modes, Effects and Diagnostics Analysis)
  Methods of analysis for quantitative determination of types of failure and failure rates
• SFF (Safe Failure Fraction)
  Proportion of all safe and detected failures based on the total amount of failures

4 MTTFd Definition of the Mean Time To Failure / PFH/PFD Determination of the probability of failure

Evaluation chain (used for MTTFd, PFH and PFD alike):
  Input –(Input signal)→ Logic –(Control signal)→ Output –(Control signal)→ Drive
  Characteristic service life values B10d of the individual components (from the data sheets) + Application data → MTTFd (or MTBF) of each component

  MTBF = MTTF + MTTR
  for MTTF >> MTTR: MTBF = MTTF

  Formula for determining the MTTFd value for a mechanical element in a channel:
    MTTFd = B10d / (0.1 · nop)
  Mean number of annual actuations nop for the mechanical element:
    nop = (dop · hop · 3600 s/h) / tcycle

Calculation of total MTTFd
  1/MTTFd = Σ(i = 1..N) 1/MTTFd,i
  for two different channels:
    MTTFd = 2/3 · [ MTTFdC1 + MTTFdC2 – 1 / (1/MTTFdC1 + 1/MTTFdC2) ]

Probability of failure
  PFH = 1/MTTFd = Σ(i = 1..N) 1/MTTFd,i
  PFD = ½ · λDU · Tp,  with λDU = λD · (1 – DC)
  Sources of the input values: Good engineering practice, Test attempt, Operating experience

Evaluation MTTFd (Source: DIN EN ISO 13849-1, Chapter 4.5.2)
  Low      3 years ≤ MTTFd < 10 years
  Medium   10 years ≤ MTTFd < 30 years
  High     30 years ≤ MTTFd < 100 years

• MTTFd (Mean Time to Failure): Mean time until a dangerous failure
• MTTR (Mean Time to Restoration): Mean repair time
• MTBF (Mean Time between Failure): Mean time between two successive failures
• PFH (Probability of failure per hour): Probability of failure of a safety function under continuous use
• PFD (Probability of Failure on Demand): Probability that a safety function will not be executed on demand at a low requirement rate
• Tp (Proof test interval): Regularly complete examination of the function
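The formulas of steps 3 and 4 carried through on one constructed channel, as an added example that is not part of the Festo poster: B10d and application data give nop and MTTFd for a mechanical element, the elements of a channel are combined, the channel is placed in a MTTFd band, DCavg is formed, and SFF, DC and PFD are derived from the FME(D)A failure-rate split. All component values (B10d, per-element MTTFd, DC, failure rates, Tp) are constructed for illustration; the 8760 h/year conversion and the handling of MTTFd values of 100 years and above are assumptions of this example.

```python
"""Added worked example for steps 3 and 4 of the poster (not Festo's own code):
B10d -> nop -> MTTFd, channel combination, MTTFd band, DCavg, SFF/DC from the
FME(D)A failure-rate split, and PFD/PFH. All component values below are
constructed for illustration only, not taken from any data sheet."""


def n_op(d_op, h_op, t_cycle_s):
    """Mean number of annual actuations: nop = dop * hop * 3600 s/h / tcycle."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d, n_op_per_year):
    """MTTFd (years) of a mechanical element: MTTFd = B10d / (0.1 * nop)."""
    return b10d / (0.1 * n_op_per_year)


def mttfd_channel(mttfd_list):
    """Total MTTFd of one channel: 1/MTTFd = sum over i of 1/MTTFd,i."""
    return 1.0 / sum(1.0 / m for m in mttfd_list)


def mttfd_two_channels(c1, c2):
    """Two different channels: MTTFd = 2/3 * [C1 + C2 - 1/(1/C1 + 1/C2)]."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_level(years):
    """Bands of DIN EN ISO 13849-1 chapter 4.5.2 as printed: low/medium/high.
    Below 3 years no band is printed on the poster, so None is returned;
    100 years and above are treated like the high band here (assumption)."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_avg(dc_list, mttfd_list):
    """DCavg = sum(DCi / MTTFdi) / sum(1 / MTTFdi)."""
    num = sum(dc / m for dc, m in zip(dc_list, mttfd_list))
    den = sum(1.0 / m for m in mttfd_list)
    return num / den


def dc_level(dc):
    """DC bands used on the poster: none (<60 %), low, medium, high (>=99 %)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def sff(l_sd, l_su, l_dd, l_du):
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total."""
    return (l_sd + l_su + l_dd) / (l_sd + l_su + l_dd + l_du)


def dc_from_rates(l_dd, l_du):
    """DC = lambda_DD / lambda_D with lambda_D = lambda_DD + lambda_DU."""
    return l_dd / (l_dd + l_du)


def pfd(l_d, dc, t_p_hours):
    """Low demand mode: PFD = 1/2 * lambda_DU * Tp, lambda_DU = lambda_D * (1 - DC)."""
    return 0.5 * l_d * (1.0 - dc) * t_p_hours


def pfh_from_mttfd(years, hours_per_year=8760.0):
    """Poster's simplification PFH = 1/MTTFd, per hour (8760 h/year assumed)."""
    return 1.0 / (years * hours_per_year)


def evaluate_channel():
    """Walk one constructed channel (sensor, logic, pneumatic valve) through the steps."""
    valve_n_op = n_op(d_op=220, h_op=16, t_cycle_s=30)      # 422,400 actuations/year
    valve_mttfd = mttfd_from_b10d(2_000_000, valve_n_op)     # B10d = 2e6 cycles (constructed)
    mttfds = [150.0, 80.0, valve_mttfd]                      # sensor, logic, valve (years)
    dcs = [0.99, 0.99, 0.60]                                 # per-element DC (constructed)
    channel = mttfd_channel(mttfds)
    return {
        "valve_mttfd": valve_mttfd,
        "channel_mttfd": channel,
        "mttfd_level": mttfd_level(channel),
        "dc_avg": dc_avg(dcs, mttfds),
        "dc_level": dc_level(dc_avg(dcs, mttfds)),
        "pfh": pfh_from_mttfd(channel),
    }


if __name__ == "__main__":
    for key, value in evaluate_channel().items():
        print(f"{key:14s} {value}")
```

Note that the valve alone reaches about 47 years, but the channel as a whole lands in the medium band (about 25 years), because the reciprocals add: the weakest element dominates the channel, which is why the poster asks for B10d and application data per component rather than a single figure.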

5 Entire system – Target: PL ≥ PLr / Target: SIL ≥ SILr

Example layout of safety-related parts of a control system
  Input → Logic → Output → Drive, built from Component 1 and Component 2; for each component:
    B10d, MTTFd, MTTFd per channel, Cat, DC, CCF, PL

Entire-system PL from the lowest PL of the sub-systems and the number of sub-systems with that PL:
  Lowest PL (PLlow)   Number of lowest PL (Nlow)   Entire system PL
  a                   > 3                          not allowed
  a                   ≤ 3                          a
  b                   > 2                          a
  b                   ≤ 2                          b
  c                   > 2                          b
  c                   ≤ 2                          c
  d                   > 3                          c
  d                   ≤ 3                          d
  e                   > 3                          d
  e                   ≤ 3                          e

Typical distribution of the PFH (and likewise of the PFD) between the sub-systems of a safety function in single safety loops:
  Sensor approx. 35 %   Logic approx. 15 %   Actuator approx. 50 %

Values per sub-system (Input, Logic, Output) for the SIL evaluation:
  PFH (or PFD), SFF, HFT, MTBF – defined by manufacturer
  λSD, λSU, λDD, λDU – to be determined by the system operator
  For the whole safety function: SILrequired (SILr), PFHtotal (or PFDtotal)

6 Evaluation – Target: PL ≥ PLr / Target: SIL ≥ SILr

Definition of PL = Performance Level; Definition of MTTFd = Mean Time To Failure (dangerous)

PL and SIL versus probability of failure (High Demand Mode: PFH [per hour]; Low Demand Mode: PFD)
  PL   PFH band                  Max. acceptable failure of the safety system    SIL   PFD band              One risk of failure
  a    10⁻⁵ ≤ PFH < 10⁻⁴         one risk of failure every 10,000 hours          –
  b    3·10⁻⁶ ≤ PFH < 10⁻⁵       one risk of failure every 1,250 days            1     10⁻² ≤ PFD < 10⁻¹     once every 10 years
  c    10⁻⁶ ≤ PFH < 3·10⁻⁶       one risk of failure every 115.74 years          1
  d    10⁻⁷ ≤ PFH < 10⁻⁶         one risk of failure every 115.74 years          2     10⁻³ ≤ PFD < 10⁻²     once every 100 years
  e    10⁻⁸ ≤ PFH < 10⁻⁷         one risk of failure every 1,157.41 years        3     10⁻⁴ ≤ PFD < 10⁻³     once every 1,000 years
  –    10⁻⁹ ≤ PFH < 10⁻⁸         one risk of failure every 11,574.1 years        4     10⁻⁵ ≤ PFD < 10⁻⁴     once every 10,000 years

SIL-Level from Safe Failure Fraction (SFF) and Hardware Failure Tolerance (HFT)
           Device type A                             Device type B
  SFF      < 60 %   60...90 %  90...99 %  > 99 %     < 60 %   60...90 %  90...99 %  > 99 %
  HFT 0    SIL1     SIL2       SIL3       SIL3       –        SIL1       SIL2       SIL3
  HFT 1    SIL2     SIL3       SIL4       SIL4       SIL1     SIL2       SIL3       SIL4
  HFT 2    SIL3     SIL4       SIL4       SIL4       SIL2     SIL3       SIL4       SIL4

PL from category (Kat), DC and MTTFd (the poster shows this as a bar chart; cell values as in DIN EN ISO 13849-1, Figure 5)
  Category        Kat B       Kat 1       Kat 2            Kat 2            Kat 3            Kat 3            Kat 4
  DC              none        none        60 % ≤ DC < 90 % 90 % ≤ DC < 99 % 60 % ≤ DC < 90 % 90 % ≤ DC < 99 % 99 % ≤ DC
  DC evaluation   DC < 60 %   DC < 60 %   low              medium           low              medium           high
  CCF             not relevant            CCF ≥ 65 %
  MTTFd low       a           –           a                b                b                c                –
  MTTFd medium    b           –           b                c                c                d                –
  MTTFd high      b           c           c                d                d                d                e

Evaluation MTTFd
  Low      3 years ≤ MTTFd < 10 years
  Medium   10 years ≤ MTTFd < 30 years
  High     30 years ≤ MTTFd < 100 years

• Device type A
  Device for which the failure behaviour of all components and the failure characteristics are sufficiently determined
• Device type B
  Device for which the failure behaviour of at least one component and the behaviour in case of a failure are not sufficiently determined.

PL ≥ PLr   SIL ≥ SILr

54707 en 2009/06
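Steps 5 and 6 as an added, runnable evaluation (not Festo's own code): the PL of each sub-system is read from its category, DC band and MTTFd band, the sub-systems are combined with the "lowest PL / number of lowest PL" rule, the result is checked against PLr, and the SIL of a device is read from its SFF and HFT for device type A or B. The PL cells follow the bar chart of DIN EN ISO 13849-1 (Figure 5) as I read the standard; the CCF ≥ 65 points condition for categories 2 to 4, the PFH/PFD bands and the SFF/HFT table are taken from the poster; the treatment of SFF exactly on a band edge and all sub-system values are assumptions of this example.

```python
"""Added worked example for steps 5 and 6 of the poster (not Festo's own code):
PL from category / DC level / MTTFd level, the lowest-PL combination rule,
PL <-> PFH and SIL <-> PFD bands, and SIL from SFF and HFT (device type A/B).
Sub-system values in evaluate_example() are constructed for illustration."""

PL_ORDER = "abcde"

# (category, DC level) -> PL per MTTFd level, per DIN EN ISO 13849-1 Figure 5 (my reading);
# None = combination not allowed
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# [lower, upper) PFH band per PL (High Demand Mode) and PFD band per SIL (Low Demand Mode)
PFH_BANDS = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
             "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# SIL per HFT (key) and SFF band (<60 %, 60...90 %, 90...99 %, >99 %), device types A and B
SIL_TABLE = {
    "A": {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)},
    "B": {0: (None, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)},
}

# Number of sub-systems allowed at the lowest PL before the entire-system PL drops one level
MAX_AT_LOWEST = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def achieved_pl(category, dc_lvl, mttfd_lvl, ccf_points):
    """PL of one structure, or None if the combination is not allowed.
    Categories 2-4 need CCF points >= 65; for B and 1 the poster marks CCF not relevant."""
    if category in ("2", "3", "4") and ccf_points < 65:
        return None
    return PL_TABLE.get((category, dc_lvl), {}).get(mttfd_lvl)


def combine_subsystems(pls):
    """Entire-system PL from the sub-system PLs (lowest PL and how often it occurs)."""
    low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(low)
    if n_low <= MAX_AT_LOWEST[low]:
        return low
    return None if low == "a" else PL_ORDER[PL_ORDER.index(low) - 1]  # "a" with >3: not allowed


def pl_from_pfh(pfh):
    """PL band that a PFH value [per hour] falls into, or None outside a..e."""
    return next((pl for pl, (lo, hi) in PFH_BANDS.items() if lo <= pfh < hi), None)


def sil_from_pfd(pfd_value):
    """SIL band that a PFD value falls into, or None outside SIL1..SIL4."""
    return next((sil for sil, (lo, hi) in PFD_BANDS.items() if lo <= pfd_value < hi), None)


def sil_from_sff_hft(sff, hft, device_type):
    """SIL from the SFF/HFT table; SFF exactly 0.90 counts as 90...99 % and
    exactly 0.99 as >99 % (band-edge assumption of this example)."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return SIL_TABLE[device_type][hft][band]


def meets_target(achieved, required):
    """Target check of the poster: PL >= PLr (letters) or SIL >= SILr (numbers)."""
    if achieved is None:
        return False
    if isinstance(achieved, str):
        return PL_ORDER.index(achieved) >= PL_ORDER.index(required)
    return achieved >= required


def evaluate_example():
    """Constructed safety function with three sub-systems, PLr = c and SILr = 2."""
    input_pl = achieved_pl("3", "low", "medium", ccf_points=70)     # Cat 3, DC low, MTTFd medium -> c
    logic_pl = achieved_pl("4", "high", "high", ccf_points=80)      # Cat 4, DC high, MTTFd high -> e
    output_pl = achieved_pl("2", "medium", "high", ccf_points=65)   # Cat 2, DC medium, MTTFd high -> d
    system_pl = combine_subsystems([input_pl, logic_pl, output_pl])
    actuator_sil = sil_from_sff_hft(sff=0.92, hft=0, device_type="B")
    return {
        "sub_pls": [input_pl, logic_pl, output_pl],
        "system_pl": system_pl,
        "pl_ok": meets_target(system_pl, "c"),
        "actuator_sil": actuator_sil,
        "sil_ok": meets_target(actuator_sil, 2),
    }


if __name__ == "__main__":
    print(evaluate_example())
```

The combination rule is the part most often skipped in practice: three sub-systems that each reach PL c do not give PL c as a whole, because Nlow = 3 exceeds the limit of 2 for PL c and the system drops to PL b, which `combine_subsystems(["c", "c", "c"])` returns.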
