Machinery Sector
9.2 EN ISO 13849
This examines complete safety functions, including all the subsystems included in the design of the safety-related parts of the control system (SRP/CS). As of 2015 this standard was under review (along with EN 62061) with the aim of bringing the two together in a single document,
“IEC ISO 17305: Safety of Machinery - Safety functions of control systems.” Publication was planned for 2016 but has been suspended.
Integrity of SRP/CS and safety function is expressed in terms of performance levels (PLs). Control risk assessment is used to determine the required PL (PLr) using a risk graph: see Figure 9.5.
Figure 9.3: General hazard risk assessment. (Figure: RISK related to the hazard under consideration is a function of the SEVERITY OF HARM that can result from the hazard and the PROBABILITY OF OCCURRENCE of that harm, considering:
- Exposure of the person(s) to the hazard
- The occurrence of the hazardous event
- The possibility to avoid or limit the harm)
Figure 9.4: Selecting the standard for the design of the SRCF. (Figure: for non-electrical / relay-based and simple programmable based systems: EN ISO 13849; for more complex programmable based systems: EN 62061.)
The design of the SRP/CS and safety function can then be undertaken based on the required PL. Verification of the safety function requires assessment of:
• Diagnostic Coverage (DC)
• Architecture (category)
• Mean Time To Failure Dangerous (MTTFd)
• Common Cause Failures (CCF).
Diagnostic Coverage (DC) is a measure of the effectiveness of diagnostics, expressed as a percentage (DCav) of a safety function, and is calculated from assessing both the total dangerous failure rate and the dangerous detected failure rate for each component in the SRP/CS, and calculating the safety function average DC:
$DC_{av} = \frac{\sum \lambda_{dd}}{\sum \lambda_{d}}$

Figure 9.5: Determining the performance level required for each risk.

DCav is then compared with this table to determine the coverage band:
Coverage    Range of DC
None        DC < 60%
Low         60% ≤ DC < 90%
Medium      90% ≤ DC < 99%
High        99% ≤ DC
The architecture of a safety function is presented in a similar way to IEC 61508 and is shown in Figure 9.6. However, the architecture is assessed in terms of five categories:
Cat. B
Requirements:
• Apply basic safety principles
• Can withstand expected influences
System behavior: A fault can cause a loss of the safety function.
Cat. 1
Requirements:
• Category B
• Well-tried components
• Well-tried safety principles
System behavior: A fault can cause a loss of the safety function.
Cat. 2
Requirements:
• Category B
• Well-tried safety principles
• Functional check at start-up and periodically (on/off check)
System behavior: A fault occurring between the checks can cause a loss of the safety function.
Cat. 3
Requirements:
• Category B
• Well-tried safety principles
• Single fault does not cause a loss of safety function
• Where practicable that fault should be detected
System behavior: Accumulation of undetected faults can cause a loss of the safety function.
Cat. 4
Requirements:
• Category B
• Well-tried safety principles
• An accumulation of faults does not cause a loss of safety function
System behavior: Faults will be detected in time to prevent a loss of safety function.
Figure 9.6: Architecture. (Figure: Input Signal → Input (sensing / initiation device, e.g. push button, interlocked guard, light curtain beam etc.) → Logic (logic device, e.g. safety relay, safety PLC etc.) → Output (final element / actuation device, e.g. motor contactor, dump valve etc.) → Output Signal.)
The architectures are shown in Figures 9.7 to 9.11.
The Assessment
The MTTFd includes BOTH the dangerous undetected AND the dangerous detected failures.
The total MTTFd of a single safety function channel is calculated from:
$\frac{1}{MTTF_{d,channel}} = \frac{1}{MTTF_{d1}} + \frac{1}{MTTF_{d2}} + \frac{1}{MTTF_{d3}} + \dots + \frac{1}{MTTF_{dn}}$
Figure 9.7: Category B architecture. (Figure: a single channel, Input Signal → Input → Logic → Output → Output Signal.)
Figure 9.8: Category 1 architecture. (Figure: a single channel, Input Signal → Input → Logic → Output → Output Signal.)
Figure 9.9: Category 2 architecture. (Figure: a single channel, Input Signal → Input → Logic → Output → Output Signal, with Monitoring of the input and the output feeding Test Equipment, which has its own Test Equipment O/P.)
Figure 9.10: Category 3 architecture. (Figure: two channels, Input 1 → Logic 1 → Output 1 and Input 2 → Logic 2 → Output 2, each with Monitoring, and Cross Monitoring between the two logic elements.)
Figure 9.11: Category 4 architecture. (Figure: the same dual-channel layout as Figure 9.10, with Monitoring on each channel and Cross Monitoring between the two logic elements.)
The MTTFd of a channel is then compared with the following table to determine whether the MTTFd is within a given band:
Assessment    Range of MTTFd per channel
Low           3 years ≤ MTTFd < 10 years
Medium        10 years ≤ MTTFd < 30 years
High          30 years ≤ MTTFd < 100 years
The Category, DCav, and the MTTFd (per channel) are then compared with the following table in order to determine the PL of the SRP/CS and safety function:
Category             B      1      2      2       3      3       4
DCav                 None   None   Low    Medium  Low    Medium  High
MTTFd per channel:
  Low                a      NC     a      b       b      c       NC
  Medium             b      NC     b      c       c      d       NC
  High               NC     c      c      d       d      d       e
NC, not covered.
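As an added worked example (not from the book), the DCav calculation, the per-channel MTTFd calculation and the PL lookup described above, implemented in Python against the three tables in this section. The component failure rates and MTTFd values are constructed, and the handling of channel MTTFd values of 100 years or more is an assumption stated in the code.

```python
from __future__ import annotations

# PL table from this section: columns are (category, DCav band), rows are MTTFd bands.
COLUMNS = [("B", "None"), ("1", "None"), ("2", "Low"), ("2", "Medium"),
           ("3", "Low"), ("3", "Medium"), ("4", "High")]
PL_ROWS = {"Low":    ["a", None, "a", "b", "b", "c", None],   # None = not covered
           "Medium": ["b", None, "b", "c", "c", "d", None],
           "High":   [None, "c", "c", "d", "d", "d", "e"]}
PL_TABLE = {band: dict(zip(COLUMNS, row)) for band, row in PL_ROWS.items()}

def dc_average(components: list[tuple[float, float]]) -> float:
    """DCav = sum(lambda_dd) / sum(lambda_d); each tuple is (lambda_d, lambda_dd)."""
    total_d = sum(ld for ld, _ in components)
    if total_d <= 0:
        raise ValueError("total dangerous failure rate must be positive")
    return sum(ldd for _, ldd in components) / total_d

def dc_band(dc: float) -> str:
    """Coverage band from the DC table: None <60%, Low <90%, Medium <99%, else High."""
    if dc < 0.60:
        return "None"
    if dc < 0.90:
        return "Low"
    return "Medium" if dc < 0.99 else "High"

def mttfd_channel(mttfd_years: list[float]) -> float:
    """1/MTTFd,channel = sum over the channel's components of 1/MTTFd,i (years)."""
    return 1.0 / sum(1.0 / m for m in mttfd_years)

def mttfd_band(years: float) -> str | None:
    """Band from the MTTFd table; below 3 years is outside the table (None)."""
    if years < 3:
        return None
    if years < 10:
        return "Low"
    return "Medium" if years < 30 else "High"  # assumption: >=100 years kept in High

def performance_level(category: str, dc: float, mttfd_years: float) -> str | None:
    """PL a..e for (category, DCav, MTTFd per channel), or None when not covered."""
    band = mttfd_band(mttfd_years)
    return PL_TABLE[band].get((category, dc_band(dc))) if band else None

# Constructed sample: a Category 3 channel of three components, rates in failures/hour.
SAMPLE_RATES = [(2.0e-7, 1.9e-7), (1.0e-7, 0.9e-7), (5.0e-8, 4.5e-8)]  # (lambda_d, lambda_dd)
SAMPLE_MTTFD = [120.0, 80.0, 200.0]  # MTTFd of each component in years

if __name__ == "__main__":
    dc, mt = dc_average(SAMPLE_RATES), mttfd_channel(SAMPLE_MTTFD)
    print(f"DCav={dc:.3f} ({dc_band(dc)}), MTTFd={mt:.1f} years ({mttfd_band(mt)}), "
          f"PL={performance_level('3', dc, mt)}")
```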
In addition, if the design of the safety function includes redundant elements then the Common Cause Failures (CCF) have to be evaluated. The various measures that can affect CCF have to be evaluated, providing a score against each measure. The greater the effectiveness against CCF the higher the score, as shown below. To ensure an adequate design a score of greater than 65 is required.
No. Measure against CCF Score
1 Separation/segregation 15
2 Diversity 20
3 Design/application/experience 20
4 Assessment/analysis 5
5 Competence/training 5
6 Environmental 35
9.2.1 Systematic Failures
Techniques/procedures/documentation requirements are a very much simplified requirement of that given in IEC 61508 and are more in line with those given in IEC 61511 (application-level requirements) and consist of:
• Requirement specification for the SRP/CS and safety functions
• Design and integration
• Verification and validation
• Modification
• Documentation
The design and integration includes requirements for: behavior on detection of faults; selection of all components to function within the manufacturer’s requirements; use of de-energization for the safe state; electromagnetic immunity; and clear, modular, and documented application software.
9.3 BS EN 62061
This is the closest thing to a sector-specific version of IEC 61508 for machinery. It is intended to provide functional safety guidance for the design of safety-related electrical and electronic control systems for machinery and covers the whole life-cycle, as IEC 61508 does.
9.3.1 Targets
The integrity of a safety-related electrical control system (SRECS) is expressed using the SIL concept. A risk assessment has to be undertaken to determine the required SIL, typically using risk matrices such as the following.
SIL assignment

Frequency and duration, Fr       Probability of hazard event, Pr   Avoidance, Av
≤1 hr                  5         Very high    5
>1 hr to ≤1 day        5         Likely       4
>1 day to ≤2 weeks     4         Possible     3                     Impossible   5
>2 weeks to ≤1 year    3         Rarely       2                     Possible     3
>1 year                2         Negligible   1                     Likely       1

Class Cl = Fr + Pr + Av

Consequence                    Severity (Se)   Classes 3-4   Classes 5-7   Classes 8-10   Classes 11-13   Classes 14-15
Death, losing eye or arm       4               SIL2          SIL2          SIL2           SIL3            SIL3
Permanent, losing fingers      3                             (OM)          SIL1           SIL2            SIL3
Reversible, medical attention  2                                           (OM)           SIL1            SIL2
Reversible, first aid          1                                                          (OM)            SIL1
OM, other measures.
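As an added worked example (not from the book), the EN 62061 SIL assignment above implemented in Python: Cl = Fr + Pr + Av is formed from the three factor tables and then looked up against Se in the matrix. The hazard data in the block is constructed, and blank matrix cells are taken to mean that the matrix assigns no SIL.

```python
from __future__ import annotations

# Scores for the three class-factor tables in this section (keys are the table rows).
FR_SCORES = {"<=1 hr": 5, ">1 hr to 1 day": 5, ">1 day to 2 weeks": 4,
             ">2 weeks to 1 year": 3, ">1 year": 2}
PR_SCORES = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV_SCORES = {"impossible": 5, "possible": 3, "likely": 1}
SE_SCORES = {"death, losing eye or arm": 4, "permanent, losing fingers": 3,
             "reversible, medical attention": 2, "reversible, first aid": 1}

# Class bands (matrix columns) and the matrix rows keyed by Se.
# None = blank cell (no SIL assigned by the matrix); "OM" = other measures.
CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {4: ["SIL2", "SIL2", "SIL2", "SIL3", "SIL3"],
              3: [None, "OM", "SIL1", "SIL2", "SIL3"],
              2: [None, None, "OM", "SIL1", "SIL2"],
              1: [None, None, None, "OM", "SIL1"]}

def hazard_class(fr: str, pr: str, av: str) -> int:
    """Cl = Fr + Pr + Av (4..15 for the scores above)."""
    return FR_SCORES[fr] + PR_SCORES[pr] + AV_SCORES[av]

def sil_required(se: int, cl: int) -> str | None:
    """Matrix cell for severity Se and class Cl: SIL1..SIL3, 'OM', or None if blank."""
    for i, (lo, hi) in enumerate(CLASS_BANDS):
        if lo <= cl <= hi:
            return SIL_MATRIX[se][i]
    raise ValueError(f"class {cl} is outside the matrix range 3..15")

def assess(consequence: str, fr: str, pr: str, av: str) -> tuple[int, str | None]:
    """Full assignment for one hazard: returns (Cl, required SIL)."""
    cl = hazard_class(fr, pr, av)
    return cl, sil_required(SE_SCORES[consequence], cl)

if __name__ == "__main__":
    # Constructed hazard: a guard opened roughly once a shift, loss of an arm possible.
    print(assess("death, losing eye or arm", ">1 hr to 1 day", "possible", "possible"))
    # The same hazard once avoidance of the harm is rated Likely: the class drops a band.
    print(assess("death, losing eye or arm", ">1 hr to 1 day", "possible", "likely"))
```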