Functional Safety Standards for Machinery
Stewart Robinson, MIET MInstMC
Drives & Controls 2014 - Functional Safety of Machinery
Current Functional Safety Standards for Machinery
• Since 2007 there has been a choice of harmonised standards to use for Functional Safety in the machinery sector.
• The choices are:
– ISO standard EN ISO 13849-1
– IEC standard EN 62061
• Whilst both standards have essentially the same basic requirements, there are differences in the detail of these standards.
TÜV SÜD Product Service
Current Functional Safety Standards for Machinery
• The intention is that the standards will be combined into a single standard at some point?
• The new standard will be ISO/IEC 17305
• This presentation will explain some of the techniques and approaches that can be used now to comply with the current standards whilst preparing for the introduction of a single standard.
ISO 13849-1 and IEC 62061
References
Standards for Functional Safety
Source: BGIA Report 2/2008e
EN ISO 13849-1
Source: BGIA Report 2/2008e
ISO/IEC Technical reports
• Technical reports were issued by both the IEC and ISO in 2010
• ISO/DTR 23849 and IEC/TR 62061-1
• “Safety-related control systems can be designed to achieve acceptable levels of functional safety using either of the two standards by integrating non-complex SRECS (safety-related electrical control system) subsystems or SRP/CS (safety-related parts of a control system) designed in accordance with IEC 62061 and ISO 13849-1, respectively.”
• “Both standards can also be used to provide design solutions for complex SRECS and SRP/CS by integrating electrical/electronic/programmable electronic subsystems designed in accordance with IEC 61508.”
ISO/IEC Technical reports
• “Both standards currently have value to users in the machinery sector and benefits will be gained from experience in their use. Feedback over a reasonable period on their practical application is essential to support any future initiatives to move towards a standard that merges the contents of both IEC 62061 and ISO 13849-1.”
• “Differences exist in detail and it is recognized that some concepts (e.g. functional safety management) will need further work to establish equivalence between respective design methodologies and some technical requirements.”
IEC 62061 and ISO 13849: A cross reference guide
This guide sets out to explain where the details for different safety lifecycle activities can be found in the standards for the Machinery Sector: IEC 62061 and ISO 13849. The overall safety lifecycle model contained in IEC 61508 has been used as the reference point.
Lifecycle phases (IEC 61508 overall safety lifecycle):
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Overall safety requirements allocation
Overall planning:
6 Overall operation and maintenance planning
7 Overall safety validation planning
8 Overall installation and commissioning planning
9 E/E/PE system safety requirements specification
10 E/E/PE safety-related systems: Realisation (see E/E/PE system safety lifecycle)
11 Other risk reduction measures: Specification and Realisation
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit
16 Decommissioning or disposal

Phase 5: Overall safety requirements allocation
Objectives
To allocate the safety functions, contained in the specification for the overall safety requirements (both the safety functions requirements and the safety integrity requirements), to the designated E/E/PE safety related systems and other risk reduction measures; to allocate a safety integrity level to each safety function to be carried out by an E/E/PE safety-related system.
IEC 61508: Part 1, Clauses 7.6.1 and 7.6.2
IEC 62061: Clause 5. 5.2.1.3 – Specifications for each SRCF shall comprise the functional requirement (5.2.3) and the safety integrity requirement (5.2.4)
ISO 13849: Clause 4. 4.2.2 – For each safety function the characteristics and the required performance level shall be specified
EN ISO 13849-1 Annex A risk graph
SIL Assignment Matrix
• Probability of occurrence of harm (Cl): Cl = Fr + Pr + Av

| Frequency (Fr)                  | Fr | Probability of occurrence (Pr) | Pr | Avoidance (Av) | Av |
|---------------------------------|----|--------------------------------|----|----------------|----|
| ≤ 1 per hr                      | 5  | Common                         | 5  |                |    |
| < 1 per hr to ≥ 1 day           | 5  | Likely                         | 4  |                |    |
| < 1 per day to ≥ 1 per 2 weeks  | 4  | Possible                       | 3  | Impossible     | 5  |
| < 1 per 2 wks to ≥ 1 per yr     | 3  | Rarely                         | 2  | Rarely         | 3  |
| < 1 per yr                      | 2  | Negligible                     | 1  | Likely         | 1  |
PLr Determination by matrix
For discussion/consideration

| Consequences (Severity)      | Se | Cl 4-5 | Cl 6-7 | Cl 8-9 | Cl 10-11 | Cl 12-13 | Cl 14-15 |
|------------------------------|----|--------|--------|--------|----------|----------|----------|
| Death, losing an eye or arm  | 4  | PLc    | PLc    | PLd    | PLd      | PLe      | PLe      |
| Permanent, losing fingers    | 3  | PLc    | PLc    | PLc    | PLd      | PLd      | PLe      |
| Reversible, medical attn.    | 2  | PLb    | PLb    | PLb    | PLc      | PLd      | PLd      |
| Reversible, first aid        | 1  | PLa    | PLa    | PLb    | PLb      | PLc      | PLc      |

May require recalibration!
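The two matrices above can be applied mechanically: score Fr, Pr and Av, add them to get the class Cl, then read the required PL from the severity row and Cl column. The following is an added example, not code from the slides or from TÜV SÜD; the scores and the PLr matrix are copied from the two slides above, while the function names and the input keys are my own choice. It rejects unknown ratings and Cl values outside the matrix instead of guessing, which is the check an assessor would want when the matrix is used in a spreadsheet or tool.

```python
"""Risk estimation: class Cl = Fr + Pr + Av and PLr lookup (added example)."""

# Frequency and duration of exposure (Fr), scores as on the SIL assignment matrix slide
FR = {
    "<= 1 per hr": 5,
    "< 1 per hr to >= 1 day": 5,
    "< 1 per day to >= 1 per 2 weeks": 4,
    "< 1 per 2 wks to >= 1 per yr": 3,
    "< 1 per yr": 2,
}
# Probability of occurrence of the hazardous event (Pr)
PR = {"common": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
# Possibility of avoiding or limiting harm (Av)
AV = {"impossible": 5, "rarely": 3, "likely": 1}
# Severity (Se) rows of the PLr matrix slide
SE = {
    4: "Death, losing an eye or arm",
    3: "Permanent, losing fingers",
    2: "Reversible, medical attention",
    1: "Reversible, first aid",
}
# Columns of the PLr matrix: Cl bands 4-5, 6-7, 8-9, 10-11, 12-13, 14-15 (inclusive)
CL_BANDS = [(4, 5), (6, 7), (8, 9), (10, 11), (12, 13), (14, 15)]
# PLr matrix from the "for discussion/consideration" slide, indexed by severity
PLR_MATRIX = {
    4: ["c", "c", "d", "d", "e", "e"],
    3: ["c", "c", "c", "d", "d", "e"],
    2: ["b", "b", "b", "c", "d", "d"],
    1: ["a", "a", "b", "b", "c", "c"],
}


def _score(table, key, name):
    """Look up one rating; an unknown rating is an error, never a default score."""
    try:
        return table[key]
    except KeyError:
        raise ValueError(f"unknown {name} rating {key!r}; expected one of {list(table)}") from None


def class_cl(fr, pr, av):
    """Probability-of-harm class Cl = Fr + Pr + Av (possible values 4..15)."""
    return _score(FR, fr, "Fr") + _score(PR, pr, "Pr") + _score(AV, av, "Av")


def plr(severity, cl):
    """Required performance level for a severity row and a Cl column of the matrix."""
    if severity not in PLR_MATRIX:
        raise ValueError(f"severity must be 1..4, got {severity!r}")
    for col, (lo, hi) in enumerate(CL_BANDS):
        if lo <= cl <= hi:
            return PLR_MATRIX[severity][col]
    raise ValueError(f"Cl {cl} lies outside the matrix range 4-15")


def assess(severity, fr, pr, av):
    """Full risk estimation for one hazard: returns Se, Cl and PLr."""
    cl = class_cl(fr, pr, av)
    return {"Se": severity, "Se_text": SE[severity], "Cl": cl, "PLr": plr(severity, cl)}


if __name__ == "__main__":
    # Constructed scenario: exposure several times a day, event likely, avoidance rarely possible
    print(assess(4, "< 1 per hr to >= 1 day", "likely", "rarely"))
```

Because the matrix has a column for every Cl from 4 to 15 and the minimum and maximum scores sum to exactly 4 and 15, every combination of ratings yields a PLr; a gap in a recalibrated matrix would surface as the `ValueError` in `plr`.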
PL and SIL

| EN ISO 13849-1 Performance Level (PL) | Average probability of a dangerous failure per hour [1/h] | EN 62061 Safety Integrity Level (SIL) |
|---------------------------------------|-----------------------------------------------------------|---------------------------------------|
| a                                     | ≥ 10^-5 to < 10^-4                                        | no special safety requirements        |
| b                                     | ≥ 3 × 10^-6 to < 10^-5                                    | 1                                     |
| c                                     | ≥ 10^-6 to < 3 × 10^-6                                    | 1                                     |
| d                                     | ≥ 10^-7 to < 10^-6                                        | 2                                     |
| e                                     | ≥ 10^-8 to < 10^-7                                        | 3                                     |
Phase 10: Realisation – Hardware design
Objectives
To create E/E/PE safety related systems conforming to the specification for the E/E/PE system safety requirements (comprising the specification for the E/E/PE system safety functions requirements and the specification for the E/E/PE system safety integrity requirements).
IEC 61508: Part 1, Clauses 7.11.1 and 7.11.2; Part 2 for Hardware; Part 3 for Software
IEC 62061: Included in Clause 6. Control of systematic faults is part of this clause. SRECS architecture is described by subsystems detailing Hardware Fault Tolerance and Diagnostic Coverage.
ISO 13849: Clause 4.4 gives the overall requirements. Clause 6 describes designated architectures as categories (B, 1 – 4). Categories state the required behaviour of a SRP/CS in respect of its resistance to faults etc.
EN ISO 13849-1 Categories
Designated Architectures: Cat B & Cat 1, Cat 2, Cat 3, Cat 4
EN 62061 Architectures
Subsystem A, Subsystem B, Subsystem C, Subsystem D
PFHD of the Function
The PFHD of the Function is the sum of the PFHD of each of the SRP/CS (subsystems) that make up the Function.
[Diagram: subsystems in series, either Sensor – Logic – Actuator or Sensor – Input – Logic – Output – Actuator]
$PFH_{D,total} = PFH_{D,ss1} + PFH_{D,ss2} + PFH_{D,ss3} + \dots + PFH_{D,ssn}$
Series alignment of Subsystems
SIL or PL
$PFH_{D,total} = PFH_{D,sensor} + PFH_{D,logic} + PFH_{D,actuator}$
PFH Verification
Category 1 or Subsystem A:
$\lambda_D = \frac{1}{MTTF_d \times 8760}$, $PFH_D = \lambda_D \times 1\,\mathrm{h}$ (8760 hours per year)
Subsystem D:
$\lambda_{DssD} = (1-\beta)^2 \left\{ \left[\lambda_{De}^2 \times 2 \times DC\right] \times \frac{T_2}{2} + \left[\lambda_{De}^2 \times (1-DC)\right] \times T_1 \right\} + \beta \times \lambda_{De}$
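The three slides above (series summation of subsystem PFHD, the PL/SIL table and the Category 1 / subsystem D formulas) fit together into one verification step. The code below is an added example, not from the slides or from any tool the slides mention, and it implements exactly those formulas with constructed input values: MTTFd figures, a DC of 0.90, a beta of 0.05 and a logic-subsystem PFHD are all made up for the illustration. T1 and T2 are taken as the proof test interval (or lifetime) and the diagnostic test interval, in hours, which is the assumption behind the subsystem D formula as written on the slide.

```python
"""PFHD verification of a safety function built from series subsystems (added example)."""

HOURS_PER_YEAR = 8760  # factor on the slide: MTTFd in years -> failure rate per hour

# PL bands from the PL/SIL slide: (lower bound inclusive, upper bound exclusive, PL, SIL).
# SIL None corresponds to "no special safety requirements" for PL a.
PL_BANDS = [
    (1e-8, 1e-7, "e", 3),
    (1e-7, 1e-6, "d", 2),
    (1e-6, 3e-6, "c", 1),
    (3e-6, 1e-5, "b", 1),
    (1e-5, 1e-4, "a", None),
]


def lambda_d_from_mttfd(mttfd_years):
    """Dangerous failure rate per hour from MTTFd in years (Category 1 / subsystem A)."""
    if mttfd_years <= 0:
        raise ValueError("MTTFd must be positive")
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def pfhd_single_channel(mttfd_years):
    """PFHD of a single-channel subsystem: lambda_D x 1 h."""
    return lambda_d_from_mttfd(mttfd_years) * 1.0


def lambda_dssd(lambda_de, dc, beta, t1_hours, t2_hours):
    """Subsystem D (two channels of the same design, with diagnostics) dangerous failure rate.

    lambda_de: dangerous failure rate per hour of each element
    dc: diagnostic coverage (0..1); beta: common-cause failure fraction (0..1)
    t1_hours: proof test interval or lifetime; t2_hours: diagnostic test interval
    """
    for name, value in (("dc", dc), ("beta", beta)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1")
    detected = (lambda_de ** 2 * 2 * dc) * (t2_hours / 2)      # failures caught by diagnostics
    undetected = (lambda_de ** 2 * (1 - dc)) * t1_hours         # failures only found at proof test
    return (1 - beta) ** 2 * (detected + undetected) + beta * lambda_de


def pfhd_total(subsystem_pfhds):
    """Series alignment: the PFHD of the function is the sum of its subsystems' PFHD."""
    return sum(subsystem_pfhds)


def pl_from_pfhd(pfhd):
    """Map a PFHD to (PL, SIL) per the table; (None, None) if the value is outside the table,
    so an out-of-range result is flagged to the engineer rather than silently classified."""
    for lo, hi, pl, sil in PL_BANDS:
        if lo <= pfhd < hi:
            return pl, sil
    return None, None


def verify_function(subsystems, required_pl):
    """subsystems: dict name -> PFHD [1/h]. Returns (total, pl, sil, meets_required_pl).
    PL letters a..e order alphabetically, so a string comparison gives the ranking."""
    total = pfhd_total(subsystems.values())
    pl, sil = pl_from_pfhd(total)
    meets = pl is not None and pl >= required_pl
    return total, pl, sil, meets


def example():
    """Constructed function: Category 1 sensor (MTTFd 100 y), logic with a made-up datasheet
    PFHD, actuator as subsystem D from elements with MTTFd 50 y, DC 0.90, beta 0.05,
    T1 = 20 years, T2 = 1 h. Required PL is c."""
    sensor = pfhd_single_channel(100)
    logic = 2.47e-8  # constructed value, not taken from any real product
    lam_de = lambda_d_from_mttfd(50)
    actuator = lambda_dssd(lam_de, dc=0.90, beta=0.05,
                           t1_hours=20 * HOURS_PER_YEAR, t2_hours=1) * 1.0
    return verify_function({"sensor": sensor, "logic": logic, "actuator": actuator}, "c")


if __name__ == "__main__":
    total, pl, sil, ok = example()
    print(f"PFHD total = {total:.3e} /h -> PL {pl}, SIL {sil}, meets required PL: {ok}")
```

In the constructed case the single-channel sensor dominates the sum: the subsystem D actuator comes out around 2 × 10^-7 /h (PL d on its own) but the function as a whole lands in PL c, which is the effect the series-alignment slide is pointing at.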
Verification by software – Object types
SISTEMA recognizes seven different types of objects. These can be regarded as the building blocks from which a project is created.
IFA SISTEMA – PL – EN ISO 13849-1
Pilz PAScal – SIL – EN 62061 (and PL – EN 13849)
Out of control
Why control systems go wrong and how to prevent failure
(Out of control, 2nd edition 2003, Health & Safety Executive HSE – UK)
Systematic failure
• Failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors:
– the safety requirements specification,
– the design, manufacture, installation, operation of the hardware, and
– the design, implementation, etc., of the software.
• Further information can be found in:
– EN ISO 13849-1, in particular in Annex G
– EN 62061, in particular Clause 6.4
Check Lists

| Item | Reference | Yes | No |
|------|-----------|-----|----|
| Have all risks been reduced as far as possible by safe design of the machine, and the use of fixed safeguards etc? | EN ISO 12100:2010; EN 953:1997 | | |
| Have the consequences of systematic failures been fully taken into account? | EN ISO 13849-1 Annex G; EN 62061 Clause 6.4 | | |
| Have all risks that are to be reduced by Safety Related Controls been identified? | EN ISO 13849-1 Clause 4.4; EN 62061 Clause 5.2 | | |
| Have the Safety Requirements for each Safety Related Control Function been correctly specified in terms of functional requirements? | EN ISO 13849-1 Clause 5; EN 62061 Clause 6.6.2.1.6 | | |
| Have the Safety Requirements for each Safety Related Control Function been correctly specified in terms of performance requirements? | EN ISO 13849-1 Clause 4.3 and Annex A; EN 62061 Clause 6.6.2.1.6 and Annex A | | |
Check List part 2

| Item | Reference | Yes | No |
|------|-----------|-----|----|
| Has an appropriate architecture for the design of the safety related controls been chosen? | EN ISO 13849-1 Clause 6; EN 62061 Clauses 6.6.2.1.2, 3, 7 | | |
| Is performance data available for safety related components from: 1) the component manufacturer, 2) reliable generic data? | EN ISO 13849-1 Clause 4.5.2 and Annexes C and D; EN 62061 Clause 6.8 | | |
| Has the Diagnostic Coverage provided by the automatic tests been correctly established? | EN ISO 13849-1 Annex E; EN 62061 Clause 6.7.7.2 | | |
| Have the effects of Common Cause Errors been examined and adequate measures to mitigate the consequences put in place? | EN ISO 13849-1 Annex F; EN 62061 Clause 6.7.8.3 and Annex F | | |
| Has the performance of the safety related control functions been verified as meeting the required PL or SIL? | EN ISO 13849-1 Clause 4.7; EN 62061 Clause 6.6.3 | | |
| Have the requirements for validation been adequately planned and prepared? | EN ISO 13849-2; EN 62061 Clause 8 | | |
Thank you for listening
For more information please visit our stand: D261