
Specific Background Information on EN ISO 13 849-1:2006* for Schmersal/Elan Sales & Technical Staff and for Interested Customers

[Figure: risk graph of EN ISO 13 849-1:2006 for estimating the required Performance Level PLr. Starting point for the risk reduction estimation; parameters S1/S2, F1/F2 and P1/P2; result PL a to e from low to high risk, with the associated categories B, 1, 2, 3.]

* In the meantime EN ISO 13 849-1:2006 has been replaced by the EN ISO 13 849-1:2008 edition. However, the difference is confined to the reference to the new EC Machinery Directive 2006/42/EC in the new Annex ZB of the standard. In the following we adhere to EN ISO 13 849-1:2006.


Explanation of frequently used abbreviations

B10d value: Number of cycles until 10 % of components in a random sample of at least 7 prototypes have failed dangerously. This applies to components affected by wear, i.e. mechanical, pneumatic and electromechanical components.
CC: Control Category (B, 1, 2, 3, 4); the category already decisively (deterministically) dictates the safety-related quality of an SRP/CS. While CC B and CC 1 deal with the quality of the component used, higher categories demand additional components (channels) which are able to compensate for the failure of individual components.
CCF: Common Cause Failure: faults with a common cause, in which components which, for reasons of safety, simultaneously process the same thing several times fail at the same time. For example a car where all 4 brakes malfunction at the same time.
DC: Diagnostic Coverage: degree of diagnostic coverage, the capability for fault detection, which is usually automatic.
MTTFd: Mean Time To Dangerous Failure: mean time to a dangerous failure of a component or device. This information must not be confused with a guaranteed service life(1).
PFH/PFHd: Probability of Dangerous Failure per Hour(2).
PL: Performance Level (EN ISO 13 849-1:2006). There are 5 PLs (a, b, c, d, e), whereby the safety-related quality increases from a to e in line with the growing level of risk to be covered.
SIL: Safety Integrity Level (EN IEC 62 061:2005). There are 3 SILs (1, 2, 3), whereby the safety-related quality increases from 1 to 3 in line with the growing level of risk to be covered.
SILCL: SIL Claim Limit (IEC 62 061:2005): maximum SIL that may be used for a subsystem with reference to structural constraints and systematic fault integrity.
SRP/CS: Safety Related Part of Control Systems.
Sub-PL/Sub-SIL: PL or SIL at subsystem level. A subsystem is a system which, with reference to a partial task, already performs a safety function appropriately (for example an input module which safely detects inputs).
SRB: Safety Relay Module (Sicherheits-Relais-Baustein).
T10d value: Guide value for a preventive replacement (10 % of the MTTFd value in years calculated using the B10d value). With this value (B10d) approximately 63 % of all components have already failed dangerously. Inside the T10d time a constant dangerous failure rate is assumed!

(1) The index d stands for dangerous failures. For example: a transistor fails and does not switch off (i.e. dangerous in the sense of functional machine safety); by contrast, a transistor that fails and does not switch on is not dangerous in the sense of functional machine safety, although it affects operation. See also glossary section, keyword Failure Rates.

(2) In the case of this value it is not particularly common to differentiate using the index d, i.e. both a PFH and a PFHd value are generally taken to mean the dangerous failure direction.
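The following Python is an added illustration, not code from the brochure: it works through the exponential failure model behind the B10d, MTTFd and T10d figures defined above. The B10d-to-MTTFd conversion via nop (mean number of operations per year) is taken from Annex C of EN ISO 13 849-1, which this page does not reproduce, and the B10d and nop values in the worked example are constructed.

```python
"""Exponential failure model behind the B10d, MTTFd and T10d figures.

Added illustration for the abbreviation section; not code from the Schmersal
brochure. Relations used: T10d = 10 % of MTTFd (stated on the page); about
63 % of components have failed dangerously after MTTFd years (stated on the
page); MTTFd = B10d / (0.1 * nop) with nop = mean operations per year, taken
from Annex C of EN ISO 13 849-1 (an assumption here, the page does not show it).
"""
import math


def mttfd_from_b10d(b10d_cycles: float, nop_per_year: float) -> float:
    """MTTFd in years for a wear-affected (mechanical, pneumatic,
    electromechanical) component: B10d / (0.1 * nop). Annex C formula, assumed."""
    if b10d_cycles <= 0 or nop_per_year <= 0:
        raise ValueError("B10d and nop must be positive")
    return b10d_cycles / (0.1 * nop_per_year)


def t10d_years(mttfd_years: float) -> float:
    """T10d, the guide value for preventive replacement: 10 % of MTTFd."""
    return 0.1 * mttfd_years


def fraction_failed_dangerously(t_years: float, mttfd_years: float) -> float:
    """Share of components that have failed dangerously by time t under the
    exponential distribution with constant dangerous failure rate
    lambda_d = 1 / MTTFd:  F(t) = 1 - exp(-t / MTTFd)."""
    if t_years < 0 or mttfd_years <= 0:
        raise ValueError("t must be >= 0 and MTTFd > 0")
    return 1.0 - math.exp(-t_years / mttfd_years)


def constant_rate_assumption_holds(t_years: float, mttfd_years: float) -> bool:
    """The brochure assumes a constant dangerous failure rate only inside T10d;
    beyond T10d wear dominates and the exponential model may no longer apply."""
    return t_years <= t10d_years(mttfd_years)


def worked_example() -> dict:
    """Constructed values: B10d = 1 000 000 cycles, nop = 200 000 operations/year."""
    mttfd = mttfd_from_b10d(1_000_000, 200_000)          # 50 years
    t10d = t10d_years(mttfd)                              # 5 years
    return {
        "mttfd_years": mttfd,
        "t10d_years": t10d,
        # ~63.2 %: MTTFd is a mean, not a guaranteed service life
        "failed_at_mttfd": fraction_failed_dangerously(mttfd, mttfd),
        # ~9.5 %, i.e. close to the 10 % that defines B10d and T10d
        "failed_at_t10d": fraction_failed_dangerously(t10d, mttfd),
        "exponential_model_valid_at_t10d": constant_rate_assumption_holds(t10d, mttfd),
        "exponential_model_valid_at_mttfd": constant_rate_assumption_holds(mttfd, mttfd),
    }
```

The ~9.5 % at T10d shows why the 10 % point of B10d and T10d = 0.1 x MTTFd are the same guide value under the constant-rate assumption.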

Foreword to the 3rd edition (2011)

We are pleased to note the continued significant interest in this brochure, which is now issued in its 3rd edition. A contributory factor may well be that until the end of the year (up to 31.12.2011) the harmonised standard EN 954-1:1996 can be used as the basis for the implementation of safety-related parts of control systems (and that it was not withdrawn with loss of the so-called presumption of conformity on 29.12.2009 as originally planned). If one wishes to use the proof of conformity in harmonised standardisation, whether in the form of EN ISO 13 849-1:2008 (2006)(1) or, see loc. cit., in special cases EN IEC 62 061:2005 (2008)(1), EN 954-1:1996 is no longer the benchmark only for machine control systems that have been placed on the market or put into operation in the EU or the European Economic Area (EEA) for the first time as from 01.01.2012. We do not wish to investigate the legal debate here as to whether EN 954-1:1996 still satisfies the primacy of the state of the art and whether, in view of this, its continued application is already dubious today.

As some time has passed since this brochure was originally edited (this took place in mid-2008), we checked the content again when preparing this reprint. In spite of careful proofreading (Erratum human est!) we did find a few printing errors, and these have now been eradicated. We have also provided more details of some aspects which at that time were not as clear to us and others. Happily none of these corrections were of a fundamental nature.

Here and now we can assume that the new standard EN ISO 13 849-1:2006 (or EN IEC 62 061:2005) will finally replace the previous standard EN 954-1:1996 as from 01.01.2012, even if it is not possible to rule out possible supplementary interpretations, aids to interpretation or reinterpretations here and there. At all events this is the conclusion arrived at by a major technical conference of the EU Commission on this subject which took place in Brussels in September 2010. By contrast we will certainly have to wait another few years for consolidation of the EN ISO 13 849-1:2006 and EN IEC 62 061:2005 standards. In other words: if you want your machine control systems to comply with the state of the art as the legislator expects you to do, you should switch to the new requirements now at the latest.


Wuppertal/Wettenberg, February 2011

Friedrich Adams, K.A. Schmersal Holding GmbH & Co. KG, Wuppertal, Head of Schmersal tec.nicum

(1) See the footnote on the front page of the brochure regarding the relationship between the 2006 and 2008 editions; the footnote also applies analogously to the EN IEC 62 061:2006 vs. 2008 editions.

Foreword

With the standards EN ISO 13 849-1:2006 and EN IEC 62 061:2005 coming into force, the subject of designing safety-related parts of control systems takes on a new shape, in which an SRP/CS in future is composed of a combination of deterministic(1) and probabilistic(2) approaches. Added to this are a few equally important new requirements under the keyword Systematic Faults and Software (see also page 82 et seq. and glossary section, keywords Annex G and Software).

This paper is intended to provide you with background information on the subject of the new SRP/CS standardisation which will be useful for your everyday work. With reference to the future combination of deterministic and probabilistic SRP/CS approaches, there are some new requirements that our customers must take into account in future. On the other hand our customers will also have greater configuration scope. As a manufacturer of safety components, we are directly affected by these changes and are required to comment on them.

Although for practical reasons we recommend our customers to base future SRP/CS configuration on EN ISO 13 849-1:2006 (and the PL philosophy behind this standard), in the following we also take the SIL philosophy into consideration in all areas where this comes into question as an alternative according to EN IEC 62 061:2005. Due to disagreements between the standardisation committees about competency, both standards are actually competing to succeed EN 954-1:1996. Nevertheless a decision in favour of EN ISO 13 849-1:2006 will not be problematic, since PL and SIL are essentially compatible with each other and the thinking behind them is the same to a large extent (see also glossary section, keyword Standards). We simply consider EN IEC 62 061:2005 more suitable than EN ISO 13 849-1:2006 in special cases.

The following brochure is based on a first edition edited in mid-2008. The present edition, however, has been significantly reworked, more precisely defined and expanded; as before, it is divided into several sections with different focal points, some of which are specific to Schmersal/Elan, and some related to basic principles and background. See also the Table of Contents from page 4 et seq. Furthermore, in Section 7 (from page 93) you will also find a short glossary section with additional information connected to the new SRP/CS standardisation. If you wish to read about the philosophy of EN ISO 13 849-1:2006, please start with Section 6, page 81 et seq. At this juncture I would like to say thank you to all colleagues who, with their active participation, suggestions and criticism, have contributed to the creation of this brochure.

Wuppertal/Wettenberg, April 2009

Friedrich Adams, K.A. Schmersal Holding GmbH & Co. KG, Wuppertal, Head of Schmersal tec.nicum

(1) Deterministic (D): term used in philosophical scientific theory; D means the unambiguous determination and predetermination of occurrences through (definable and reproducible) causes, e.g. fault tolerance through redundancy (tolerances and coincidence are irrelevant!).

(2) Probabilistic: classification of events according to their degree of certainty = probability calculation/probability theory (area of mathematics).

Contents

Part 1: Background information ... Page 9

Part 2: Information (as foundation for calculations within the meaning of EN ISO 13 849-1:2006 and EN IEC 62 061:2005) ... Page 15
  Simple Single Devices in the Schmersal/Elan programme ... Page 21
  Simple Single Devices in the Schmersal/Elan programme ... Page 22
  Device details in individual cases ... Page 25
  Excursus: questions on the architecture or control category ... Page 29
  Excursus: Failure detection in case of simple single devices with safety function ... Page 32
  Devices with more complex safety-related functionality ... Page 35
  Devices with more complex safety-related functionality ... Page 36
  Devices with more complex safety-related functionality in the Schmersal/Elan programme ... Page 38
  Device combinations ... Page 41
  Safety bus system ASi-SaW/devices with ASi-SaW interface ... Page 42

Part 3: Combination of Sub-PLs to an overall PL ... Page 45
  How can I calculate a PL for a subsystem (a sub PL)? ... Page 53
  Introduction/preamble ... Page 54
  Examples ... Page 56
  How can I calculate a Sub-PL with devices from the Schmersal/Elan programme? ... Page 63

Part 4: Excursus ... Page 67
  Failure detection ... Page 68
  Influence of the definition of the safety function on the PL calculation examples ... Page 70

Part 5: Wiring examples from the BGIA Report ... Page 73
  1) BGIA wiring example 8.2.34: guard door monitoring with subsequent signal processing using SRB module or safety PLC (the classic case!) ... Page 74
  2) BGIA wiring example 8.2.29: cascading or series connections ... Page 75
  3) BGIA wiring example 8.2.28: cascading or series connections ... Page 76
  4) BGIA wiring example 8.2.18: guard door latching with subsequent signal processing using SRB module or safety PLC (channel 1) and standard PLC (channel 2) ... Page 77
  5) BGIA wiring example 8.2.19: guard door latching ... Page 78

Part 6: Overview of the features and use of EN ISO 13 849-1:2006 ... Page 81
  Objective of SRP/CS standardisation ... Page 82
  Performance Level (1) ... Page 85
  Performance Level (2) ... Page 87
  Performance Level (3) ... Page 92

Part 7: Glossary section/Further information on some keywords and terms ... Page 93
  Additional monitoring switch ... Page 94
  Addition of failure probabilities ... Page 94
  AMD 1 to EN 1088:1996 ... Page 94
  Annex E ... Page 95
  Annex G (according to EN ISO 13 849-1:2006) ... Page 95
  Annex K (according to EN ISO 13 849-1:2006) ... Page 96
  Architectures ... Page 97
  B10d values ... Page 98
  Bar chart ... Page 99
  Bathtub curve ... Page 99
  BGIA ... Page 100
  BGIA disc ... Page 100
  BGIA Report 2/08 ... Page 101
  Cabling ... Page 101
  Calculations (PL calculations) ... Page 101
  Capping/capping limit ... Page 102
  CCF (Common Cause Failure), CCF measures, CCF management ... Page 102
  CCF management/measures ... Page 104
  Compatibility SIL PL/PL SIL ... Page 104
  Coming into force ... Page 104
  Control categories ... Page 104
  Control categories/control category 2 ... Page 105
  C (Type C) standards ... Page 106
  Designated Architectures ... Page 106
  Diagnostic Coverage DC ... Page 106
  Estimation of PL and SIL ... Page 107
  Exponential distribution ... Page 107
  Failures ... Page 107
  Failures (systematic failures) ... Page 108
  Failures (random failures) ... Page 109
  Failure rates ... Page 109
  Fault detection DC ... Page 111
  Fault detection (external) ... Page 111
  Fault exclusion ... Page 111
  Fault exclusion: wiring/cabling ... Page 112
  Fault exclusion in the case of manually actuated devices ... Page 113
  Fault exclusion in the case of interlocking devices ... Page 113
  Feedback loop ... Page 113
  Good Engineering Practices (GEP) ... Page 113
  Hardware reliability MTTFd ... Page 113
  Level of cable ... Page 113
  Literature ... Page 113
  Low Demand Mode ... Page 114
  Machinery Directive (MD) ... Page 114
  Mission Time (service life) ... Page 115
  MTTFd hardware reliability ... Page 115
  Objective of the SRP/CS standardisation ... Page 115
  Parts count method ... Page 115
  Performance Level ... Page 115
  PFD (Probability of Failure on Demand) ... Page 115
  PL Performance Level ... Page 115
  PLr = required ... Page 116
  PL result graph ... Page 116
  Proof test/proof test interval ... Page 116
  Proven performance ... Page 116
  Proven in use ... Page 116
  Reliability technology (reliability engineering) ... Page 116
  Reset ... Page 117
  Restart loop circuit ... Page 117
  Result graph PL ... Page 117
  Risk graph consideration according to EN ISO 13 849-1:2006 ... Page 118
  Risk graph consideration according to EN IEC 62 061:2006 ... Page 118
  Risk graph, risk evaluation ... Page 119
  Risk, risk analysis, risk assessment ... Page 119
  Safety function ... Page 120
  Series connections ... Page 120
  Series connections of electromechanical devices ... Page 120
  SIL (Safety Integrity Level) ... Page 121
  SIL Claim Limit (SILCL) ... Page 121
  SISTEMA ... Page 122
  Software ... Page 122
  Standards ... Page 123
    (Type-) A, B and C standards ... Page 123
    EN 954-1:1996 ... Page 123
    EN 954-2 ... Page 123
    EN ISO 13 849-1:2006 ... Page 123
    EN ISO 13 849-2:2003 ... Page 124
    EN IEC 62 061:2005 ... Page 124
    EN IEC 61 508:2001 ... Page 124
    EN ISO 13 849-1:2006 EN IEC 62061:2006 (comparison) ... Page 125
    EN ISO 13 849-1/EN IEC 62 061:2005 (comparison with EN 954-1:1996) ... Page 126
  Symmetrising formula ... Page 127
  T10d value consideration ... Page 127
  Test equipment ... Page 127
  Transition period ... Page 127

Part 8: Excerpt from our brochure "A new approach to machine safety: EN ISO 13 849-1:2006 safety-related parts of control systems" ... Page 129

Part 9: Schmersal/Elan data sheets ... Page 135

Part 10: Managing the restriction of PFHd to 100y MTTFd ... Page 139

Imprint ... Page 145

The information in this brochure has been prepared to the best of our knowledge and belief. However, with the exception of contrary and compelling statutory provisions, we assume no liability for any errors and misunderstandings. The user of this information is not released from the responsibility of checking our information and recommendations for own use. We ask for your understanding and consideration of this remark.

Background information

Background information (1)


(Further information: see Section 6, page 81 et seq.)

Put simply, a Performance Level, as required in future by the new EN ISO 13 849-1:2006 standard(1) for the design of SRP/CS, is a consideration of several determining factors. It is now globally accepted as a means of establishing the safety and reliability of measuring and control systems, i.e. factors relevant to the safety integrity of a system. In contrast to common practice in mechanical engineering, a Performance Level constitutes a multidimensional approach. However, instead of complex modelling, EN ISO 13 849-1:2006 uses a simplified method that considers 4 auxiliary variables. Please bear in mind that, in addition, fundamental requirements (basic requirements) are placed on a Performance Level irrespective of its level; these are measures to prevent and control systematic failures and faults, whereas a PL classification (PL a to e) essentially concerns the prevention and control of random failures and faults (see also glossary section, keywords Failures).

The starting point for a PL consideration is the determination of the various safety functions of a machine or machine control system. This is followed by the determination of the required Performance Level PLr for the safety function concerned. Which of the 5 performance levels (a to e) should be selected results from the respective standard (product standard) or from a risk graph evaluation. The Performance Level therefore reflects the required amount of measures for minimising risk:

a) A very slight degree of risk must be reduced
b) A slight degree of risk must be reduced
c) A greater degree of risk must be reduced
d) A high degree of risk must be reduced
e) Risk must be significantly reduced

[Figure: the Performance Levels a to e plotted against risk height; the residual risk decreases from a to e.]

The effectiveness of the (required) measures is expressed in the form of a PFHd value (the maximum tolerated value of the average probability of a dangerous failure per hour). The PFHd value is also the reference point for the international Safety Integrity Levels (SILs), as recognised in EN IEC 61 508:2000 or EN IEC 62 061:2005. According to EN ISO 13 849-1:2006, the estimation (calculation) of a Performance Level is now performed on the basis of 4 individual parameters (auxiliary variables):

(1) According to the current policy decision, EN 954-1:1996 (or ISO 13 849-1:1999) will be withdrawn on 31.12.2011 at the latest (originally planned for 29.12.2009). Refer also to the Official Journal of the European Communities C 321/18 dated 29.12.2009.


1. The architecture, essentially identical to the consideration of control categories familiar from the use of EN 954-1:1996 (ISO 13 849-1:1999), which has been adopted in EN ISO 13 849-1:2006;
2. The assessment of hardware reliability, expressed as the Mean Time to dangerous Failure MTTFd in years (an assumption of hardware failure behaviour based on mathematical probability with reference to the exponential distribution; refer also to pages 88/89);
3. The evaluation (probability) of the effectiveness of fault detection measures in the SRP/CS or in the section of the SRP/CS concerned, expressed as diagnostic coverage DC in %;
4. The evaluation of measures against so-called Common Cause or Common Mode Failures (CCF = Common Cause Failures = failures which could disrupt the safety-related use of the multi-channel capability of a system).

The Performance Level PL achieved can then be determined by means of a bar chart or Annex K of EN ISO 13 849-1:2006 and compared and validated against the required PLr for the respective safety function.

Schematic conclusion

Performance Level PL (PLr reference: C standard or risk graph consideration) and the corresponding probability of dangerous failures per hour (PFHd, 1/h) with the equivalent Safety Integrity Level (SIL):
PL a: 10^-5 ≤ PFHd < 10^-4 (no equivalent SIL)
PL b: 3·10^-6 ≤ PFHd < 10^-5 (SIL 1)
PL c: 10^-6 ≤ PFHd < 3·10^-6 (SIL 1)
PL d: 10^-7 ≤ PFHd < 10^-6 (SIL 2)
PL e: 10^-8 ≤ PFHd < 10^-7 (SIL 3)

Input parameters:
- Designated architecture (control category): the former consideration of EN 954-1:1996
- Hardware reliability (Mean Time To dangerous Failure, MTTFd): source: manufacturer's data, or standards or other sources, e.g. MIL handbooks
- Diagnostic coverage DC (ability to detect dangerous failures in time): Annex E of EN ISO 13 849-1:2006 or manufacturer's data
- Common Cause Failure management (CCF): score > 65 points (can always be assumed in the case of safety devices; refer also to the table in the glossary section, keyword CCF)

Bar chart

[Figure: bar chart of PL against PFHd (1/h). Vertical scale: 10^-4 | PL a | 10^-5 | PL b | 3·10^-6 | PL c | 10^-6 | PL d | 10^-7 | PL e | 10^-8. One bar per designated architecture: Category B (DCavg = none), Category 1 (DCavg = none), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium), Category 4 (DCavg = high), each subdivided by MTTFd = low / medium / high, plus CCF.]

Numerical description acc. EN ISO 13 849-1:2006 Annex K

Table K.1 Numerical description of Fig. 5 (of EN ISO 13 849-1:2006 [D] Annex K [informative]): average probability of a dangerous failure per hour (1/h) and corresponding performance level (PL). Excerpt for MTTFd per channel from 3 to 9.1 years; the Cat. 1 and Cat. 4 columns contain no entries in this range.

MTTFd for each channel (years): 3 | 3.3 | 3.6 | 3.9 | 4.3 | 4.7 | 5.1 | 5.6 | 6.2 | 6.8 | 7.5 | 8.2 | 9.1

Cat. B, DCavg = none (PFHd, PL): 3.80·10^-5 (a) | 3.46·10^-5 (a) | 3.17·10^-5 (a) | 2.93·10^-5 (a) | 2.65·10^-5 (a) | 2.43·10^-5 (a) | 2.24·10^-5 (a) | 2.04·10^-5 (a) | 1.84·10^-5 (a) | 1.68·10^-5 (a) | 1.52·10^-5 (a) | 1.39·10^-5 (a) | 1.25·10^-5 (a)

Cat. 2, DCavg = low (PFHd, PL): 2.58·10^-5 (a) | 2.33·10^-5 (a) | 2.13·10^-5 (a) | 1.95·10^-5 (a) | 1.76·10^-5 (a) | 1.60·10^-5 (a) | 1.47·10^-5 (a) | 1.33·10^-5 (a) | 1.19·10^-5 (a) | 1.08·10^-5 (a) | 9.75·10^-6 (b) | 8.87·10^-6 (b) | 7.94·10^-6 (b)

Cat. 2, DCavg = medium (PFHd, PL): 1.99·10^-5 (a) | 1.79·10^-5 (a) | 1.62·10^-5 (a) | 1.48·10^-5 (a) | 1.33·10^-5 (a) | 1.20·10^-5 (a) | 1.10·10^-5 (a) | 9.87·10^-6 (b) | 8.80·10^-6 (b) | 7.93·10^-6 (b) | 7.10·10^-6 (b) | 6.43·10^-6 (b) | 5.71·10^-6 (b)

Cat. 3, DCavg = low (PFHd, PL): 1.26·10^-5 (a) | 1.13·10^-5 (a) | 1.03·10^-5 (a) | 9.37·10^-6 (b) | 8.39·10^-6 (b) | 7.58·10^-6 (b) | 6.91·10^-6 (b) | 6.21·10^-6 (b) | 5.53·10^-6 (b) | 4.98·10^-6 (b) | 4.45·10^-6 (b) | 4.02·10^-6 (b) | 3.57·10^-6 (b)

Cat. 3, DCavg = medium (PFHd, PL): 6.09·10^-6 (b) | 5.41·10^-6 (b) | 4.86·10^-6 (b) | 4.40·10^-6 (b) | 3.89·10^-6 (b) | 3.48·10^-6 (b) | 3.15·10^-6 (b) | 2.80·10^-6 (c) | 2.47·10^-6 (c) | 2.20·10^-6 (c) | 1.95·10^-6 (c) | 1.74·10^-6 (c) | 1.53·10^-6 (c)
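As an added illustration (my code, not the brochure's or the standard's), the following Python encodes the PFHd-to-PL bands from the schematic conclusion, the PL/SIL correspondence and the Table K.1 excerpt above, estimates a PL from category, DCavg and MTTFd, validates it against PLr, and cross-checks the table values against the bands. The rounding-down rule for an MTTFd between two tabulated columns is my conservative assumption, not something the page states.

```python
"""PL estimation helpers for EN ISO 13 849-1:2006 (added example, not the
brochure's or the standard's own code). Embeds the PFHd bands of the
schematic conclusion, the PL-to-SIL correspondence and the Table K.1
excerpt (MTTFd 3 ... 9.1 years) exactly as printed on the page."""
from bisect import bisect_right

# PFHd bands (1/h) from the schematic conclusion: PL applies for lower <= PFHd < upper.
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]

# Corresponding SIL (EN IEC 62 061:2005); PL a has no SIL equivalent.
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}

# MTTFd per channel (years) for the Table K.1 columns reproduced on this page.
MTTFD_COLUMNS = [3, 3.3, 3.6, 3.9, 4.3, 4.7, 5.1, 5.6, 6.2, 6.8, 7.5, 8.2, 9.1]

# Table K.1 excerpt: (category, DCavg) -> PFHd values (1/h), one per column above.
TABLE_K1 = {
    ("B", "none"):   [3.80e-5, 3.46e-5, 3.17e-5, 2.93e-5, 2.65e-5, 2.43e-5, 2.24e-5,
                      2.04e-5, 1.84e-5, 1.68e-5, 1.52e-5, 1.39e-5, 1.25e-5],
    ("2", "low"):    [2.58e-5, 2.33e-5, 2.13e-5, 1.95e-5, 1.76e-5, 1.60e-5, 1.47e-5,
                      1.33e-5, 1.19e-5, 1.08e-5, 9.75e-6, 8.87e-6, 7.94e-6],
    ("2", "medium"): [1.99e-5, 1.79e-5, 1.62e-5, 1.48e-5, 1.33e-5, 1.20e-5, 1.10e-5,
                      9.87e-6, 8.80e-6, 7.93e-6, 7.10e-6, 6.43e-6, 5.71e-6],
    ("3", "low"):    [1.26e-5, 1.13e-5, 1.03e-5, 9.37e-6, 8.39e-6, 7.58e-6, 6.91e-6,
                      6.21e-6, 5.53e-6, 4.98e-6, 4.45e-6, 4.02e-6, 3.57e-6],
    ("3", "medium"): [6.09e-6, 5.41e-6, 4.86e-6, 4.40e-6, 3.89e-6, 3.48e-6, 3.15e-6,
                      2.80e-6, 2.47e-6, 2.20e-6, 1.95e-6, 1.74e-6, 1.53e-6],
}

# PL letters printed beneath each row of the excerpt (used for the cross-check only).
TABLE_K1_PL = {
    ("B", "none"):   "aaaaaaaaaaaaa",
    ("2", "low"):    "aaaaaaaaaabbb",
    ("2", "medium"): "aaaaaaabbbbbb",
    ("3", "low"):    "aaabbbbbbbbbb",
    ("3", "medium"): "bbbbbbbcccccc",
}


def pl_from_pfhd(pfhd: float):
    """Map an average PFHd (1/h) to the PL of the schematic conclusion, or None
    if the value lies outside 10^-8 <= PFHd < 10^-4 (no PL can be claimed)."""
    for pl, lower, upper in PL_BANDS:
        if lower <= pfhd < upper:
            return pl
    return None


def sil_from_pl(pl: str):
    """Equivalent SIL for a PL (None for PL a)."""
    return PL_TO_SIL[pl]


def pfhd_from_table(category: str, dcavg: str, mttfd_years: float) -> float:
    """Look up the Table K.1 excerpt. Assumption (my conservative reading, not
    stated on this page): an MTTFd between two tabulated columns is rounded
    DOWN to the nearest tabulated value, which yields the higher (worse) PFHd."""
    row = TABLE_K1[(category, dcavg)]
    idx = bisect_right(MTTFD_COLUMNS, mttfd_years) - 1
    if idx < 0 or mttfd_years > MTTFD_COLUMNS[-1]:
        raise ValueError("MTTFd outside the excerpt reproduced here (3 ... 9.1 years)")
    return row[idx]


def estimate_pl(category: str, dcavg: str, mttfd_years: float, plr: str):
    """Estimate the PL from architecture, DCavg and MTTFd, then validate it
    against PLr. Returns (pl, pfhd, meets_plr). A CCF score above 65 points is
    taken as given, as the page says it can always be assumed for safety devices."""
    if plr not in PL_TO_SIL:
        raise ValueError("PLr must be one of a ... e")
    pfhd = pfhd_from_table(category, dcavg, mttfd_years)
    pl = pl_from_pfhd(pfhd)
    return pl, pfhd, pl >= plr   # the letters a ... e order the same way as strings


def cross_check_table() -> bool:
    """Every PFHd in the excerpt must fall in the band of the PL printed beneath it."""
    return all(
        pl_from_pfhd(value) == TABLE_K1_PL[key][i]
        for key, values in TABLE_K1.items()
        for i, value in enumerate(values)
    )
```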


Background information (2)

This brochure essentially concentrates on information concerned with calculating (estimating) a Performance Level as used in future by EN ISO 13 849-1:2006, and in this respect refers mainly to the so-called Sub-PL method.
NB: the choice of the words calculation and estimation in connection with a Performance Level (PL) as frequently used below should be taken to have the same meaning. EN ISO 13 849-1:2006 regularly refers to estimation. Estimation must not be confused with guessing (rather it refers to a mathematical term for auxiliary variables in conjunction with inequalities), but conversely there is no need for absolute, calculated accuracy. Of greater importance is the right direction or right magnitude.

In principle there are two possibilities when calculating a Performance Level (PL) for a safety function: Possibility 1 is based on the so-called block method according to Annex B of EN ISO 13 849-1:2006 and is an analysis of the entire SRP/CS. An overall consideration according to the block method is, for example, the standard example that can be found in Annex I of EN ISO 13 849-1:2006 (see appendix following the glossary section page 131 et seq.). The use of the block method is most recommended for complex interwoven SRP/CS and in special cases (as alternative to the subsystem method).

[Figure: entire consideration of a safety function, block method, standard example of Annex I. The open/close signals of the switches SW1B (P, shown in actuated position) and SW2 feed the PLC (API/SPS), whose control signal acts via K1B and the current converter CC on the motor M; the rotation sensor RS (speed n) feeds back to the PLC. Key: CC = Current Converter, PLC = Programmable Logic Controller, M = Motor, RS = Rotation Sensor, P = Switch shown in actuated position.]

Possibility 2 is the subsystem method, designed as a simplification (also referred to below as the Sub-PL consideration or Sub-PL method), which works with the so-called combination table (Table 11 of EN ISO 13 849-1:2006, see page 45 et seq.); see also Annex H of the standard. The advantage of the subsystem method is, on the one hand, that devices and systems which form a subsystem are already available on the market and have been assessed by the manufacturer with respect to the Sub-PL (or Sub-SIL) and the corresponding PFHd, so that in such cases there is no need to perform a calculation oneself; on the other hand, the estimation (calculation) is considerably simpler (less complex) if a Sub-PL does have to be estimated oneself. The advantage of simplification remains even where Table 11 cannot be usefully applied.

12

[Figure: allocation of the safety function to I, L and O (Sub-PL method, see pages 47 et seq.). Safety function A consists of function block A 1 (sensor, I), function block A 2 (logic, L) and function block A 3 (actuator, O); safety function B consists of function blocks B 1, B 2 and B 3. The function blocks of the I, L and O levels are implemented by subsystem 1, subsystem 2 and subsystem 3 respectively, which together form the SRECS.]

Sub-PLs or Sub-SILs(1) are the basis for modularising an entire SRP/CS into sub-SRP/CSs (= parts or subsystems), which are derived from function blocks (typically function blocks for the input, signal processing and output levels: I for input + L for logic + O for output). See the figure above. As already set out above, this division permits a subsequent simplified calculation of the overall PL (or overall SIL). With all due caution, however, it can be said that the block method is the mathematically more accurate method and also allows more configuration possibilities, because it does not calculate the individual subsystem (geometrically) but rather the entire safety chain.

On the basis of the Schmersal/Elan product range (as well as the product ranges of our competitors), we must then distinguish between two types of devices in connection with a Sub-PL or Sub-SIL approach, namely the group of simple single devices with safety function (also called passive devices, elements or subsystem elements) and the group of devices with more complex safety-related functionality (also called active devices, subsystems or part systems). This distinction into two groups does not imply any ranking, i.e. both device groups can perform their respective safety-related task in the SRP/CS equally well; only the way they are used (see pages 15 et seq.) differs.

(1) In the following, Sub-PLs and Sub-SILs are often mentioned in the same breath, because EN IEC 62 061:2005 describes the subsystem consideration as the preferred method.

13

The fundamental difference between the two groups is their device architecture. There are architectures with (automatic) external diagnosis (see figure on the left) and architectures with (automatic) self-diagnosis (see figure on the right; see also pages 15 et seq. in this respect). Automatic here, and in both cases, essentially means performed by the system, i.e. not dependent on anyone's will.

[Figure: the two architectures side by side. Left: simple single devices with safety function; right: devices with more complex safety-related functionality. Difference: external diagnosis vs. self-diagnosis. In both cases the allocated function and integrity requirements are implemented by SS 1 (interlock switches SSE 1.1 and SSE 1.2), SS 2 (speed sensors SSE 2.1 and SSE 2.2), SS 3 (PLC in accordance with IEC 61508) and SS 4 (contactors SSE 4.1 and SSE 4.2). On the left the diagnostic functions D are drawn separately from the subsystems; on the right each subsystem carries its own D.]

Subsystems (SS) implement function blocks and are elements in the top level architectural design of a SRECS where a failure of any one subsystem will result in the failure of the safety related control function. Subsystem Elements (SSE) are components which implement the function block elements allocated to the subsystem. Diagnostic Functions (D) are considered as separate functions which may have a separate structure to the safety related control function. They may be performed: within the subsystem; by another subsystem in the SRP/CS; by a subsystem external to the SRP/CS.

Simple single devices with safety function (also called part safety elements, SSE) are particularly characterised by the fact that they have no inbuilt capability of their own for fault detection; other parts of the SRP/CS are required for this (external diagnosis). See also the separate arrangement of D in the graph above. Together, SSE (or SSEs) + D form a subsystem which is suitable for a (higher) Sub-PL calculation. An evaluation of the hardware reliability of simple single devices (SSEs) is sufficient for lower PLs.

Devices with more complex safety-related functionality already have an architecture with all the features required for a (higher) Sub-PL, in particular the ability to detect faults themselves (self-diagnosis). See also the direct assignment of D in the graph above: SSE and D already form a unit (a subsystem, usually with a higher Sub-PL).

Representation borrowed from EN IEC 62 061:2005!

14

Information (as foundation for calculations within the meaning of EN ISO 13 849-1:2006 and EN IEC 62 061:2005)

15


All well-known manufacturers will gradually expand their technical data, if they have not already done so, to include information within the meaning of EN ISO 13 849-1:2006 and EN IEC 62 061:2005, or will be able to make such information available upon request. In addition to the information from manufacturers there are a number of other sources available to us (starting with EN ISO 13 849-1:2006 [Annex C] and EN IEC 62 061:2005 themselves and the standard SN 29 000, through to the [relatively outdated] MIL handbooks etc.). Both standards, however, clearly state that the use of manufacturer information is preferable.

Information will differ depending on the type of device. A distinction must be made according to whether the objects concerned are components (e.g. electronic components), simple single devices (e.g. simple safety switching devices) or devices with more complex safety-related functionality; the latter may also include combinations of devices. Components will not be considered further in the following.

The basic difference lies in the fact that devices with more complex safety-related functionality and device combinations already have an inbuilt, specifically safety-oriented architecture (in other words CC 2 and above) and have their own fault detection capabilities (by way of their own intelligence). We could also speak of the ability for self-diagnosis. Devices with more complex safety-related functionality therefore have a higher inbuilt Sub-PL or Sub-SIL. Simple single devices, for example simple safety switches, on the other hand usually only have a simple architecture (they are at best 2-channel). In particular, however, they have no self-diagnosis ability. With these devices faults are detected by other SRP/CS parts upstream or downstream of the simple single device, such as by an SRB module with AZ16 switches. Here one can speak of external diagnosis.

Simple single devices are also termed part or subsystem elements in standardisation. Simple single devices (without additional external diagnosis) generally only have a low Sub-PL or Sub-SIL (depending on the probability of failure, a maximum of PL c or SIL 1); however, with a corresponding arrangement (keyword: architecture) and in connection with additional fault detection measures (keyword: external diagnosis) they can be strengthened to Sub-PL e or Sub-SIL 3. Here it may be necessary to additionally establish a 2-channel arrangement/design(1). Typical examples of simple single devices are valves and cylinders for fluid technology (hydraulics, pneumatics), auxiliary and contactor relays, emergency-stop control devices, position switches, interlocking devices including magnetic safety switches, enabling switches etc. In future a reliability value in the form of a B10d (max. switching capacity) will generally be specified for devices of this nature, because they are affected by wear and tear during use, or, where applicable, an MTTFd value (in years) for new devices. For the B10d value consideration see page 22 et seq.

(1) In simple terms this means that (apart from exceptions) simple switches, even if they are electrically two-channel, cannot have a category higher than 1, a Sub-PL higher than c or a Sub-SIL higher than 1. Only when a downstream intelligence also detects faults is it possible, e.g. in conjunction with 2-channel capability or similar, to assign higher categories, PLs or SILs to such switches. Alternatively, the possibility of justified fault exclusions is available. See also pages 23 et seq. and 29 et seq. in this respect.

16

Schematic conclusion: division of the Schmersal/Elan programme into two groups

Simple single devices with safety function:
- As a rule 1-channel (sometimes 2-channel)
- Stand-alone: max. PL c resp. SIL 1
- No diagnosis
- For higher PLs: higher architecture (or fault exclusions, also see page 29 et seq. inter alia) + external diagnosis necessary!

Devices with more complex safety-related functionality:
- As a rule 2-channel
- Self-diagnosis capability
- Enabled for higher Sub-PLs

As already noted, a (Sub-)PL d or (Sub-)PL e can also be achieved with the so-called simple single devices if fault detection measures provided by other SRP/CS parts are incorporated; redundancy of the devices may additionally be required if they do not have the inbuilt features needed to satisfy the requirements of a 2-channel architecture. Such examinations basically involve nothing more than the combination of the devices familiar from EN 954-1:1996 with, for example, safety relay modules or safety PLCs, whose input and feedback circuits act as fail-safe comparisons, detecting failures and faults at the I or O level.

Safety switches with separate actuator

Safety magnet switches

Plastic and metal encapsulated safety guard locks

Trapped-key systems

Position switches with safety function

Emergency-stop equipment

Enabling switches

Pull-wire switches with convenient and wire-tensioning device

Safety foot switches

17

Supplementary remarks on the terms hardware reliability, MTTFd etc. for simple single devices with safety function:
Other expressions for failure probability, e.g. failure rates or FIT values, are found in other standards and in other contexts of reliability engineering. These can easily be converted into MTTFd values by taking the inverse. In conjunction with EN ISO 13 849-1:2006, so-called MTBF values (= Mean Time Between Failures) can be equated with MTTF values. The index d for dangerous (dangerous failures) must be heeded. According to EN ISO 13 849-1:2006, values without d are generally divided according to a 50 : 50 ratio (only every other fault is of interest), i.e. an MTTFd is twice as high as the MTTF (for all possible failures). The same relationship exists between B10d and B10 values.

Devices with more complex functionality (subsystems and above) on the other hand are constructed by the manufacturer such that they can be evaluated independently from a safety-related perspective, without the need to refer to other parts of the SRP/CS. The manufacturers information is then a Sub-PL or a Sub-SIL (with corresponding PFHd value respectively). Typical examples of devices with more complex safety-related functionality are safety relay modules, microprocessor-based safety sensors, safety PLCs, safety-oriented bus systems and similar.

Contact-free guard locks with inductive working principle

Electronic safety sensors

Safety PLC systems

Devices for ASi-SaW

Safety light grids/curtains AOPD types 2 and 4, optionally with muting, blanking and combination functions, with cyclic operation; optionally with protection class IP 69K, also in hygiene-compliant design

Through-beam safety light barriers AOPD types 2 and 4

PS: in the case of PFH values it is not particularly common to differentiate using the index d, i.e. a PFH value and a PFHd value are generally used interchangeably. Device combinations are equated with devices that have more complex safety-related functionality, e.g. the combination of BNS magnetic safety switches and the special corresponding AES evaluation components, which in combination likewise represent a self-contained safety-related complete functionality for which a higher Sub-PL or Sub-SIL can be determined.

18

Example of a device combination: BNS/AES.

CAUTION, stumbling block: if simple single devices and devices with more complex safety-related functionality are mixed in an SRP/CS, e.g. a safety switch at the input level and a safety PLC at the logic level, the result may be that there are MTTFd values (or B10d values from which the MTTFd value can be derived) for the one subsystem (in this example the input level subsystem, see page 22 f.) and PFHd values for the other subsystem (in this example the logic level subsystem). One of the two values may then have to be converted (if the values have to be added together). Here Annex K of EN ISO 13 849-1:2006 may be of assistance (unfortunately only up to 100 y MTTFd; see glossary section, keyword Annex K), or a rough own estimate/extrapolation of the Annex K figures, or the simplified reverse calculation of a PFHd value to a block MTTFd value (1/PFHd : 8,760) (see also page 50 and the corresponding keywords in the glossary section). Where applicable, however, you can also mix the block and subsystem methods of the standard, especially if the simplifying Table 11 of the standard (see page 46 et seq.) cannot be usefully applied or in more complex conflicting situations. Refer to the example in the addendum to the 2011 edition (page 141 et seq.).

The background to this stumbling block is that, in addition to the deterministic requirements, a PFHd value actually lies behind a PL; from a probability mathematics perspective it results from the four consideration parameters mentioned above. In other words, the PFHd value is the higher-ranking value (with which devices with more complex safety-related functionality can be described), while the MTTFd value is only a partial aspect in the discrete consideration of simple single devices, to which the architecture (control category), fault detection (DC) and CCF management are added and which in total can then be described by a PFHd value. The mathematics behind this has been determined by the BGIA(1).

(1) BGIA: Institute for Occupational Health and Safety of the German Statutory Accident Insurance (see glossary).
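The two operations just described, adding up subsystem PFHd values and the simplified reverse calculation 1/PFHd : 8,760, together with the Table 11 combination of Sub-PLs used by the subsystem method of page 13, carried through in code as an added example. This is not code from the brochure or from Schmersal/Elan: the PL bands and the Table 11 rule are reproduced from EN ISO 13 849-1:2006 as known to the editor, the BNS/AES PFHd value is the one quoted on page 27 of this brochure, and the safety PLC value and the 1,000 y block MTTFd of the output subsystem are constructed sample inputs.

```python
"""Combining subsystem values for one safety function (added example)."""

HOURS_PER_YEAR = 8760

# PL bands of EN ISO 13 849-1:2006 (PFHd in 1/h): lower bound inclusive,
# upper bound exclusive. Taken from the standard as known to the editor.
PL_BANDS = (
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
)

# Table 11 of the standard (series alignment of subsystems), as known to the
# editor: for the lowest Sub-PL present, the number of subsystems at that PL
# decides whether the overall PL is kept or drops one step (None = not allowed).
TABLE_11 = {
    "a": (3, "a", None),
    "b": (2, "b", "a"),
    "c": (2, "c", "b"),
    "d": (3, "d", "c"),
    "e": (3, "e", "d"),
}
PL_ORDER = "abcde"


def pl_from_pfhd(pfhd):
    """Map a PFHd value (1/h) to its PL letter, or None if outside a..e."""
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    return None


def block_mttfd_years_from_pfhd(pfhd):
    """Simplified reverse calculation quoted in the brochure: 1/PFHd : 8,760."""
    return 1.0 / (pfhd * HOURS_PER_YEAR)


def pfhd_from_block_mttfd(mttfd_years):
    """Inverse of the above, for a subsystem that only carries a block MTTFd."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def overall_pl_by_pfhd_sum(pfhds):
    """Overall PL from the sum of the subsystem PFHd values (block view)."""
    return pl_from_pfhd(sum(pfhds))


def overall_pl_by_table_11(sub_pls):
    """Overall PL from the Sub-PLs alone, following Table 11."""
    lowest = min(sub_pls, key=PL_ORDER.index)
    count_lowest = sub_pls.count(lowest)
    limit, kept, reduced = TABLE_11[lowest]
    return kept if count_lowest <= limit else reduced


if __name__ == "__main__":
    # Constructed safety function: BNS/AES input subsystem (PFHd from page 27),
    # an assumed safety PLC with PFHd 3e-8 (constructed) and an output
    # subsystem known only as a block MTTFd of 1,000 y (constructed).
    pfhds = [2.5e-11, 3e-8, pfhd_from_block_mttfd(1000)]
    print("sum of PFHd:", sum(pfhds), "-> PL", overall_pl_by_pfhd_sum(pfhds))
    print("Table 11 with Sub-PLs e, e, d ->", overall_pl_by_table_11(["e", "e", "d"]))
```

The PL letters in the table at the top of this section follow directly from pl_from_pfhd: 9.75 × 10^-6 is the first column value that drops from a to b, and 2.80 × 10^-6 the first that drops from b to c. Note that the sum approach and the Table 11 approach can disagree by one PL step; the brochure's advice to mix the block and subsystem methods where Table 11 does not fit applies here.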

19

Excursus: Use of Dual-Use products in SRP/CSs(1)

The term dual-use products means devices that have not been placed on the market by the manufacturer explicitly as safety components; they have been designed for operational applications but can also be used in safety functions, e.g. commercially available proximity switches, position switches, contactors, valves, PLCs etc. In accordance with EN ISO 13 849-1:2006, the use of such devices as part of safety functions is basically permitted (which is why they are referred to as dual-use products), provided that the corresponding qualified requirements are satisfied. Manufacturers of products of this nature generally, and correctly, only specify an MTTF or MTTFd value(2) or a B10 or B10d value(2), in other words a hardware reliability value.

Within the framework of single-channel architectures, when using dual-use products it is necessary to check whether the product concerned is a so-called proven component (see EN ISO 13 849-2:2003, Annexes A to D) or not. If it is not, a PL b is possible (for example for commercial PLCs). If, on the other hand, the product is a proven component, a maximum of PL c is possible (examples: fluidic valves, contactors, relays, traditional position switches etc.). Within the framework of 2-channel structures, a maximum of PL d can be achieved when using dual-use products, given careful selection and design.

In this connection, however, it is vital to note that the designer of such SRP/CSs bears a high level of responsibility when assessing the safety-related suitability, especially where electronic technology is concerned, a responsibility of which manufacturers of safety components have already relieved him to a great degree. This refers, for example, to measures to protect against manipulation, any necessary special software and/or increased EMC requirements etc. Schmersal/Elan manufacturer information about dual-use products is available on request!

(1) The term dual-use product is borrowed from the English term actually used in export controls, which designates the use of a commodity (e.g. a machine, or software and technology) for civil or military purposes in principle. The term has a different meaning here (use for both safety-related and operational applications).
(2) See page 18 above for the relationship MTTF : MTTFd value (or B10 : B10d value).

20

Simple Single Devices in the Schmersal/Elan programme

21


Calculations of the B10d value

Details on safety-related reliability in the form of a so-called B10d value will generally be specified for devices of this kind in future. Embedding it in the architecture (control category), fault detection (DC) and CCF management (see glossary section, keyword CCF) is a project planning matter for the customer (and their consultants). The B10d value is a kind of gross value for calculating an MTTFd value for devices which, due to their technology, are subject to wear and tear owing to the number of switching cycles and possibly the switching load. The B10d value calculation is necessary because the so-called bathtub curve, with a constant rate of random failures and faults during the so-called mission time, is not deemed to apply exactly to devices affected by wear and tear (see glossary section, keywords B10d value, Bathtub Curve, Mission Time). This means that, for components affected by wear and tear, the failure rate after the early failures is not constant over time but generally increases (likewise after the mission time). In other words: the failure rate here is time-dependent.

[Figure: bathtub curve, failure rate over time of operation, with the phases early failures, phase of constant failures and failures caused by wear.]

The formulas for converting a B10d value into an MTTFd value are as follows:

MTTFd = B10d / (0.1 × nop)

nop = (dop × hop × 3,600 s/h) / tcycle

nop = mean number of operations per year
dop = mean number of operation days per year
hop = mean number of operation hours per day
tcycle = mean time between the beginning of two successive cycles of the component in s (e.g. 4 per hour = 1 per 15 min = 900 s)

In addition, a so-called T10d value must be determined in the case of technologies affected by wear and tear (10 % of the MTTFd derived from the B10d value). The T10d value is an indicator for the preventive replacement of such a component (where T10d < 20 y). The background to the 10 % share is that a constant failure pattern is assumed for it (the same as the failure pattern of the bathtub curve). With the B10d value, by contrast, in a similar way to the MTTFd value, around 63 % of the components in a random sample have failed dangerously. See also glossary section, keyword Exponential Distribution.

[Figure: cumulative failure probability F(t) over t [T] (switching cycles 0 to 3) for Weibull shape parameters b = 0.8, 1, 2, 3, 4, 5, 6 and 7, with the line for the B10 value and the mission time TM marked.]

22

Example of an MTTFd value calculation: a guard door monitoring switch may have a B10d value of 2,000,000. The mechanical plant with protective enclosure in which it is used may operate for 200 days (dop) per year with 2 shifts (hop), and the guard door is opened twice per hour. This produces an operating cycle number per year of 200 (dop) × 16 (hop, 2 shifts) × 2 (demands/hour) (or tcycle = 1,800 s) = 6,400 = nop. This accordingly results in an MTTFd value of 3,125 y(1) (2,000,000 : (0.1 × 6,400) = 3,125). The T10d value (313 y) is irrelevant in this example because it far exceeds the service life (mission time) of 20 y assumed for a machine control in EN ISO 13 849-1:2006.
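The B10d consideration of the preceding pages carried through in code, as an added example that is not code from the brochure or from Schmersal/Elan. It computes nop, MTTFd and T10d with the formulas given above, flags a T10d below the 20 y mission time, and additionally applies the per-channel 100 y cap mentioned in footnote (1) and the low/medium/high MTTFd classes (3 to < 10 y, 10 to < 30 y, 30 to 100 y) of EN ISO 13 849-1:2006 as known to the editor. The first input set is the guard door example above; the second (a position switch operated via its NO contact under inductive load, B10d 100,000 as on page 26, actuated every 30 min on 250 days of 16 h) is constructed to show a T10d that does fall inside the mission time.

```python
"""B10d -> MTTFd -> T10d for components subject to wear (added example)."""

SECONDS_PER_HOUR = 3600
MISSION_TIME_YEARS = 20      # assumed service life of a machine control (standard)
MTTFD_CAP_YEARS = 100        # per-channel cap applied at the end of a PL consideration


def n_op(d_op, h_op, t_cycle_s):
    """Mean number of operations per year: nop = dop * hop * 3600 / tcycle."""
    if t_cycle_s <= 0:
        raise ValueError("tcycle must be positive")
    return d_op * h_op * SECONDS_PER_HOUR / t_cycle_s


def mttfd_years(b10d, n_op_per_year):
    """MTTFd = B10d / (0.1 * nop), in years (single value, not yet capped)."""
    return b10d / (0.1 * n_op_per_year)


def t10d_years(mttfd):
    """T10d = 10 % of the MTTFd derived from the B10d value."""
    return 0.1 * mttfd


def b10d_from_b10(b10):
    """50:50 assumption of the standard: only every other failure is dangerous."""
    return 2 * b10


def cap_channel_mttfd(mttfd):
    """Cap a channel MTTFd at 100 y (done only at the end of a PL consideration)."""
    return min(mttfd, MTTFD_CAP_YEARS)


def mttfd_class(mttfd):
    """low / medium / high MTTFd classes of the standard; below 3 y is not usable."""
    if mttfd < 3:
        return None
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def evaluate_wear_component(b10d, d_op, h_op, t_cycle_s,
                            mission_time=MISSION_TIME_YEARS):
    """Full B10d consideration for one component; returns all intermediate values."""
    nop = n_op(d_op, h_op, t_cycle_s)
    mttfd = mttfd_years(b10d, nop)
    t10d = t10d_years(mttfd)
    capped = cap_channel_mttfd(mttfd)
    return {
        "nop": nop,
        "mttfd_years": mttfd,
        "t10d_years": t10d,
        "preventive_replacement": t10d < mission_time,
        "channel_mttfd_capped": capped,
        "mttfd_class": mttfd_class(capped),
    }


if __name__ == "__main__":
    # Guard door switch from the brochure: B10d 2,000,000, 200 d/y, 16 h/d, opened twice per hour
    print(evaluate_wear_component(2_000_000, 200, 16, 1800))
    # Constructed: NO contact under inductive load, B10d 100,000, every 30 min, 250 d/y, 16 h/d
    print(evaluate_wear_component(100_000, 250, 16, 1800))
```

For the brochure's example the function returns nop = 6,400, MTTFd = 3,125 y and T10d = 312.5 y with no preventive replacement needed; for the constructed second case MTTFd drops to 125 y and T10d to 12.5 y, so the component would have to be replaced within the 20 y mission time even though its MTTFd class is still high.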

Origin of our data Where nothing else is specified: EN ISO 13 849-1:2006 and BGIA Report 2/2008 (see glossary, keyword: BGIA Report 2/08).

Questions on the architecture or control category The question or in some cases the problem of which control category a simple single device corresponds to remains unchanged in future, because the control categories are retained as a significant characteristic for a PL. This therefore addresses the old discussion of whether a device with redundant safety contacts (positive break or comparable) is sufficient for a 1-failsafe architecture, as demanded for control categories 3 and 4, or whether two devices should be provided (a physical 2-channel capability). Only deploying a device with redundant safety contacts means an assumption of fault exclusion for the mechanical actuation (the actuating mechanism), i.e. being able to exclude the possibility of dangerous failures occurring e.g. through wear, damage, dirt etc. Refer also to Page 29 et seq.

(1) The limitation of MTTFd values to a maximum of 100 years does not apply here because initially this concerns a single value. Capping/rounding to 100 years per channel takes place, in conjunction with the other MTTFd values, only at the end of a PL consideration. CAUTION: in the SISTEMA software (see glossary section, keyword SISTEMA), by contrast, each subsystem consideration already leads to rounding/capping. It is therefore recommended to combine SRP/CS parts with the same architecture into one SISTEMA-specific subsystem (= several subsystems as defined here, but with the same architecture) in order to avoid excessive rounding/capping.

23

Fault exclusion approaches are also admissible according to EN ISO 13 849-1:2006 with reference to clause 7.3 and, in connection with this, EN ISO 13 849-2:2003. On the other hand there is the requirement in a note to clause 3.3 of the standard which states that the assessment of failure possibilities in an SRP/CS begins where the safety-relevant signal is generated, e.g. on the roller of a position switch, and ends at the contacts of the actuating elements. Careful consideration is required in every case! When it comes to our devices, advice can be found in the following list of devices under the keyword 1 or 2 channel capability and in the Questions on architecture and control category in the excursus on page 29 et seq. Ultimately, however, the question of fault exclusion depends on the assessment by the customer and on the application conditions. You can also find the Schmersal/Elan information Foregoing an additional monitoring switch for interlocking devices (physical redundancy vs. electronic redundancy) on this subject in the (supplemented) data sheet in this brochure (see page 138).

Diagnostic coverage: dependent on the following signal processing, up to 99 % (also see pages 32 f. and 68 f.).

CCF measures (measures against common cause failures): a stand-alone evaluation is somewhat difficult. An evaluation in the context of the integration of the simple single devices into the SRP/CS is better, particularly because here too the question arises as to whether and how any 2-channel function has been implemented (e.g. using physical or electrical redundancy). The simple single devices from the Schmersal/Elan range, however, already have the required minimum score of 65 inbuilt, of which a proportion is for the subsystem in which they are used (see glossary, keyword CCF, table from 3. onwards). The reason for this is compliance with the product standards of the EN IEC 60 947-5 series, their safety and environment-related requirements, the EM compatibility of the devices etc. Added to this are the (possibly pro rata) points of the consideration units 1. physical separation between the signal paths(1) and, where applicable, 2. diversity(2). Please note: CCF measures only have to be analysed and evaluated from Control Category 2 upwards, because SRP/CS from CC 2 are multi-channel (whether in the form of a classic 2-channel capability or in the form of a 1-channel capability + test channel). For further information see glossary section, keyword CCF.

(1) The individual contacts of devices are galvanically separated. Otherwise protected or separate cable routing should be observed.
(2) For example, and depending on approach, with NC contact/NO contact combinations.

24

Specific device details

(See also the Schmersal online catalogue www.schmersal.net [data sheets for the respective product] or our SISTEMA manufacturer library [www.schmersal.net, other products/software, download software].)

Note (1): where reference is made in the following to NC contacts, these (always with the exception of safety magnetic switches) mean positive break contacts. In the case of positive break contacts the information is also understood as load-independent, precisely because of this special safety-related feature. See glossary section, keyword Fault Exclusion.
Note (2): one can also rightly ask why B10d values sometimes turn out to be so different although the products concerned (with the exception of safety magnetic switches) have positive break contacts. The reason is that other faults causing danger must be incorporated into this consideration, e.g. the wear of the mechanics of the step function of an emergency-stop control device or the ability of a push button to reset (and not get stuck). In the case of so-called class 2 switches, poor service life experience with competitor brands in the past plays a part in the standard value.

Emergency-stop control devices
B10d value (load-independent): 100,000 (NC contact)
1 or 2 channel capability: depending on designated architecture (control category). ALTERNATIVE: fault exclusion as part of the B10d value (see pages 29 and 75).
Note (1): where an emergency-stop control device is operated at maximum load, according to the standard a B10d value of only 6,050 may be assumed, otherwise 100,000. We do not adhere to the approach in the standard for our devices for the following reason: the B10d value of 6,050 is a minimum test value from EN IEC 60 947-5-5 (paragraph 7.3) for the orderly functionality of the latching mechanism of an emergency-stop control device. Only this minimum value is of interest there; conversely, the standard is not interested in how many switching cycles would take place before the latching mechanism failed. We know from our test labs, however, that our devices achieve a minimum of 100,000 correct engagement cycles.
Note (2): we recommend achieving a 2-channel capability for emergency-stop control devices by using two contact elements (keyword: physical redundancy).

Pull wire emergency switch: see emergency-stop devices

Additional and updated information where appropriate: see online catalogue www.schmersal.net (data sheets for the respective product) or our SISTEMA manufacturer library (www.schmersal.net, other products/software, download software)!

25

3-stage enabling switch/push button
B10d value (load-independent): 100,000 (NC contact)
1 or 2 channel capability: depending on designated architecture (control category). ALTERNATIVE: fault exclusion as part of the B10d value.

Safety foot switch (3-stage versions): see 3-stage enabling switch/push button

Two-hand control devices (NC contact/NO contact combinations)
B10d value: 20,000,000 (NC contact)(1); 1,000,000 (NO contact)(2); 100,000 (NO contact)(3)
(1) Load-independent
(2) With ohmic or quasi-ohmic load and over-dimensioning, i.e. 10 % of nominal load
(3) With inductive load and over-dimensioning (10 % of nominal load)

Note: in conjunction with two-hand SRB modules and similar, the constraints (1) to (3) do not apply or are covered by the SRB module!

Position switch with integrated actuator (so-called type 1 switch)
B10d value: 20,000,000 (NC contact)(1); 1,000,000 (NO contact)(2); 100,000 (NO contact)(3)
(1) Load-independent
(2) With ohmic or quasi-ohmic load and over-dimensioning, i.e. 10 % of nominal load
(3) With inductive load and over-dimensioning (10 % of nominal load)

1 or 2 channel capability: for single 2-pole devices, depending on the C standard, or fault exclusion according to EN ISO 13 849-2:2003 (see footnote on page 16 and pages 29 f.) required.

Position switch with separate actuator (so-called type 2 switch)
B10d value: 2,000,000 (NC contact)(1); 1,000,000 (NO contact)(2); 100,000 (NO contact)(3)
(1) Load-independent
(2) With ohmic or quasi-ohmic load and over-dimensioning, i.e. 10 % of nominal load
(3) With inductive load and over-dimensioning (10 % of nominal load)

1 or 2 channel capability: for single 2-pole devices, depending on the C standard, or fault exclusion according to EN ISO 13 849-2:2003 (see footnote on page 16 and pages 29 f.) required.

26

Position switch with separate actuator and guard locking
B10d value: see above (position switch with separate actuator)
1 or 2 channel capability: taking fault exclusion into consideration (see footnote page 16 and pages 29 f.), a single device can satisfy the requirements of 2-channel capability (= CC 3, max. PL d), but only in the version with fail-safe locking mechanism(1) (= CC 3). The BGIA Report 2/08 also refers to this possibility and stipulates a second switch merely as additional manipulation protection (which may, however, also be achieved by other measures).
(1) In conjunction with an interlock, fail-safe locking mechanism means that the locking mechanism cannot assume the locking position when the guard door is open, i.e. "air interlocks" can be excluded. For this reason a second sensor can also be dispensed with where there are greater safety requirements.

With CC 3 please note, either:
guard door position monitoring = channel 1
latching (guard locking) position monitoring = channel 2
or:
guard door position monitoring = mechanical via fail-safe locking mechanism
latching (guard locking) position monitoring (safety contact 1) = channel 1 (electrical)
latching (guard locking) position monitoring (safety contact 2) = channel 2 (electrical)
In other respects: see above and BGIA wiring example page 78.

Magnetic safety switch(1)
B10d value (load-dependent): 20,000,000 (with 20 % load); 400,000 (with 100 % load); 7,500,000 (with 40 % load)(2); 2,500,000 (with 60 % load)(2); 1,000,000 (with 80 % load)(2)

(2) Own values after consulting BGIA

1/2-channel capability: 2-channel capability is also possible with a single device (with the exception of BNS 30, 300 and 333 = 1-channel). BNS/AES device combinations or BNS-capable SRB modules: this concerns a device combination (see page 41) that represents a subsystem (with Sub-PL or Sub-SIL and PFHd value). A B10d value consideration and a de-rating as above are then not relevant, i.e. we can assume 20,000,000 because the reed contacts in the sensors are switched with max. 20 % load. In other words: the additional consideration only applies with alternative signal processing. Please do not conclude from this that this cannot work using competitor modules, but rather that this must be checked (current and voltage limitation, switching load etc.). In conjunction with AES modules (or other suitable signal processing), a PFHd value of 2.5 × 10⁻¹¹ (at 0.1 h⁻¹) can, if required, be calculated for a single BNS (with the exception of BNS 30, 300 and 333 = 1.21 × 10⁻⁶ at 0.1 h⁻¹, 1-channel, max. PL c).

(1) In EN ISO 13 849-1:2006 magnetic safety switches are classified (as subject to wear) under proximity switches.


Hinge safety switch (TESF range)
B10d value (load-independent): 2,000,000(1)

(1) With a max. safety-oriented switching angle of 8°. A higher value may be taken into consideration if a larger switching angle is tolerable from a safety-related point of view.

1 or 2 channel capability: 2-channel capability is also possible with a single device when fault exclusion is applied to the spindle that implements the rotating movement (protected installation, stress-free actuation). Note: in the case of TVS 521 hinge safety switches the B10d value consideration takes place with reference to the values for type 1 switches.

Devices with ASi-SaW interface See pages 42 et seq.

Key transfer systems
MTTFd value: 150 y(1)

(1) EN ISO 13 849-1:2006 permits a simplified approach with a blanket MTTFd value of 150 y for mechanical systems. For the key switch of an SHGV system we recommend assuming fault exclusion for the positive break contact and assuming a B10d value of 1,000,000 (at ohmic or quasi-ohmic load and over-dimensioning, i.e. at ≤ 10 % of the nominal load) or 100,000 (in the case of inductive load and over-dimensioning, i.e. at ≤ 10 % of the nominal load) for the NO contact.

1/2-channel capability: see position switch with separate actuator and interlock

Reset/re-engage button
So as not to make the design of other PL considerations (e.g. protection from hazardous movements) too complex, these devices can additionally be considered within the framework of a separate safety function "protection from unexpected start/re-start". This may include other angles of the consideration, in particular if stop signals take place as a category 2 STOP (controlled shutting down without disconnecting the power supply to the drives, see EN IEC 60 204-1). The B10d values for NO contacts apply (see e.g. page 26). Furthermore there is now an unambiguous requirement in Section 5.2.2 of EN ISO 13 849-1:2006 that the manual reset function may only take place by releasing the drive element from its actuated (on) position! In other words, trailing edge detection must be realized for reset/re-engage buttons. This safety-related measure serves to detect faults on or manipulation of the button. A PL d (CC 2 with function test at the moment of requesting the safety function) is produced when connecting to suitable safety relay modules or safety PLCs with an MTTFd of 36 y for the reset/restart button. If the trailing edge detection takes place with self-monitoring circuitry, fault exclusion is permissible.
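The trailing edge requirement above can be expressed as a small edge-detecting state machine. The following is an added example, not Schmersal/Elan firmware: it samples a reset input and grants a reset command only on the falling edge after a rising edge has been seen, so that a button that is bridged, stuck or already actuated at start-up never produces a reset. The sampled sequences are constructed; a plain level-triggered evaluation is included only to show the contrast.

```python
"""Trailing-edge (falling-edge) evaluation of a manual reset button as required
by Section 5.2.2 of EN ISO 13 849-1:2006.  Added example (not Schmersal/Elan
code); the input sample sequences below are constructed."""


class ResetMonitor:
    """Tracks a sampled reset input (1 = button actuated, 0 = released).

    A reset command is issued exactly once per complete press-and-release.
    A button that is already actuated when monitoring starts (bridged or
    stuck) or that is never released cannot produce a reset command."""

    def __init__(self):
        self.previous = None   # level seen in the previous sample
        self.armed = False     # a rising edge was seen while monitoring

    def sample(self, level):
        """Feed one input sample; return True when a reset is granted now."""
        granted = False
        if self.previous is not None:
            if level and not self.previous:
                self.armed = True            # rising edge: button pressed
            elif not level and self.previous and self.armed:
                granted = True               # falling edge: button released
                self.armed = False
        self.previous = level
        return granted


def resets_granted(samples):
    """Run a whole sample sequence; return the indices at which a reset was granted."""
    monitor = ResetMonitor()
    return [i for i, level in enumerate(samples) if monitor.sample(level)]


def level_triggered(samples):
    """Naive evaluation for comparison: index of the first actuated sample, or
    None.  It cannot tell a real press from a bridged or stuck button."""
    for i, level in enumerate(samples):
        if level:
            return i
    return None


if __name__ == "__main__":
    # constructed sample sequences
    proper_press = [0, 0, 1, 1, 1, 0, 0]      # press, then release -> reset at index 5
    held_down = [0, 0, 1, 1, 1, 1, 1]         # never released -> no reset
    stuck_from_start = [1, 1, 1, 1, 0, 0]     # actuated at power-up -> no reset
    print(resets_granted(proper_press), resets_granted(held_down), resets_granted(stuck_from_start))
    print(level_triggered(held_down), level_triggered(stuck_from_start))
```

The constructed sequences show why the trailing edge matters: the level-triggered variant "accepts" both the held and the stuck button, while the edge monitor grants a reset only for the genuine press-and-release.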


Excursus: questions on the architecture or control category

The question is familiar from the application of EN 954-1:1996: does the realization of a 1-failure safe (1-failure tolerant) structure of an SRP/CS, as required for Control Categories 3 or 4, have to take place using physical redundancy, e.g. in interlocking devices of moving protective devices with two switches, or does a single interlocking device with two (internal) safety-oriented contacts (electrical 2-channel capability) similarly satisfy the requirements? Manually actuated safety switching devices such as emergency-stop control devices, enabling switches etc. should be viewed as an exception from the start in this context: in any case only an electrical 2-channel capability comes into question here. If one follows the BGIA Report (see glossary section, keyword BGIA Report), one can go so far as to credit all of these devices with fault detection, because they are regularly designed with positive break contacts, provided the foreseeable actuation frequency lies within the framework of the B10d value. However the cable laying etc. must be right. The operator is responsible for any fault detection here: he must convince himself that the device concerned is undamaged before he works with it. For electromechanical switches the critical point is the actuation mechanism for the electrical contacts, whose failure would lead to the loss of the safety function of the device. The rule here is to weigh up the high degree of improbability of such a dangerous fault occurring.

[Two figures, each marked "End stop", illustrating the question: examples of 2-switch versus 1-switch solutions (above: in a revolving door; below: in a sliding door).]

This question (in the sense of a recipe) also remains unanswered in EN ISO 13 849-1:2006. On the one hand there is Note 1 on Section 3.3 of the standard. According to this an SRP/CS combination starts at the point at which the signal is generated (e.g. on the roller of a position switch) and ends at the contacts of the power control elements (e.g. at the power control element of a contactor). On the other hand, under certain conditions it is possible according to Section 7.3 of the standard to make fault exclusions.


The ideal is for the question to be dealt with in the respective competent C standard (product standard), as is the case for certain safety functions of printing presses, for example (the electrical 2-channel capability of a switch suffices), or in the case of metal presses (here a 2-switch solution is explicitly required). In borderline cases we recommend the following to customers: for Performance Level d (in case of doubt) and for Performance Level e (always) provide a physical 2-channel capability (a 2-switch solution) and query your C standard. Exceptions: see the section below, page 138 and loc. cit. In deviation from this, safety magnetic switches from the BNS range with 2-channel outputs, hinge switches from the TESF model series and all contact-free interlocking devices with and without latching from Schmersal's CSS family can be used without a second switch, on the condition that AMD 1 of EN 1088:1996 (see glossary section, keyword AMD 1) has been observed. In the case of the AZM 200 device, additional manipulation safety is built in by virtue of double position monitoring. With simple switches, and in particular for type 1 position switches (with integrated actuator elements), a physical redundancy should as a rule be provided for 2-channel architectures, because an adverse external influence can directly affect the function of the 1-channel tappet mechanism. No compromise may be made with Performance Level e, also in anticipation of a planned revision to EN ISO 13 849-2:2003 (source: new Table D.8 of the draft of the revision). This means that with PL e only a 2-switch solution basically comes into question for all electromechanical devices. By contrast fault exclusion may be possible with Performance Level d for safety switches with separate actuator with reference to EN ISO 13 849-2:2003 Annex A Section A.5, if the conditions defined in the following table can be guaranteed.
We furthermore recommend that the aspects in the following section (interlocking devices with latching) similarly be taken into consideration where applicable.

Fault assumption: Wear/corrosion
Fault exclusion: Yes, if material, (over)dimensioning, manufacturing process, treatment process and suitable lubrication have been carefully selected according to the specified service life (see also Table A.2).

Fault assumption: Not tightening/loosening
Fault exclusion: Yes, if material, manufacturing process, securing elements and treatment process have been carefully selected according to the specified service life (see also Table A.2).

Fault assumption: Breakage
Fault exclusion: Yes, if material, (over)dimensioning, manufacturing process, treatment process and suitable lubrication have been carefully selected according to the specified service life (see also Table A.2).

Fault assumption: Deformation through overstrain
Fault exclusion: Yes, if material, (over)dimensioning, manufacturing process and treatment process have been carefully selected according to the specified service life (see also Table A.2).

Fault assumption: Stiffness/getting stuck
Fault exclusion: Yes, if material, (over)dimensioning, manufacturing process, treatment process and suitable lubrication have been carefully selected according to the specified service life (see also Table A.2).

Remarks (all rows): see ISO 13 849-1:2006, 7.2.


Table A.2 from page 30 concerns the so-called tried and tested safety principles, which must additionally be applied. There may be deviation from a physical 2-channel capability under certain circumstances in the case of interlocking devices with latching, i.e. the individual safety latching suffices if the following marginal conditions are guaranteed (ditto for the above-mentioned table):
a) It must involve a device with a fail-safe locking mechanism (see page 27) and there must be 2-channel signal evaluation (1 door position, 1 locking mechanism monitoring).
b) Applications only up to max. Performance Level d (or control category 3); it must also involve a visible source of danger.
c) The interaction between actuator and device must be stress-free (without play), for example in connection with a safety door handle system.
d) The actuator must have a form-fit execution and be constructed from one piece of punched metal (without springs etc.).
e) The installation site of the devices must be selected so that no particles of dirt or similar can enter the articulating mechanism.
f) The max. locking forces and the principles of good engineering practice (see glossary) must be observed.
g) Additional measures are to be provided to reduce the possibility of by-passing the system according to AMD 1 of EN 1088:1996. The second switch may also be among the measures to be realized if there are no alternatives.
h) An automatic start-up test is recommended in order to discover any faults. This is geared to maintaining the signal change expectations of the devices (however, the occurrence of signal changes that reflect a correct function of the devices would also, depending on the application, be tested by the operational control system during ongoing operation = minimum signal change related to a logical unit of time).
Irrespective of this, the general rule is that an interlocking device must not be used as an end stop, that EN 953:1997(1) has been observed and that a corresponding 2-channel signal processing device is used. You can also find a summary of this subject in the (supplemented) data sheet in this brochure in the form of the Schmersal/Elan information "Foregoing an additional monitoring switch for interlocking devices (physical redundancy vs. electronic redundancy)" (see page 138).

(1) DIN EN 953:1997-11: Safety of machinery - Guards - General requirements for the design and construction of fixed and movable guards


Excursus: Failure detection in case of simple single devices with safety function

As previously mentioned, a failure detection (diagnosis) of simple single devices with safety function has to be provided by other parts of the SRP/CS which are upstream or downstream of the simple single devices (normally at the signal processing level L). The diagnostic coverage achieved depends on the functionality for failure detection (see EN ISO 13 849-1:2006 Annex E). In the case of safety relay modules (relay safety combinations), safety PLCs et al. (fulfilling the requirements of Sub-PL e), a DC of 99 % is achieved with 2-channel 1:1 wiring (parallel wiring), but by contrast only 60 % DC with series connection (daisy chain connections), because under certain circumstances a fault accumulation cannot be excluded. The DC of other failure detection arrangements must be evaluated individually. Worst case fault analysis with the series connection of electromechanical devices:

[Circuit figures: guard door 1 (contacts S1.1 and S2.1) and guard door 2 (contacts of switches S1 and S2) wired in series, channel by channel, to a safety module with contactors K1 and K2; left: first fault, right: fault elimination]

First fault: short circuit via contact S1.1 (guard door 1). Guard door 1 is opened; the module switches off 1-channel. Obstruction to operation (correct safety-related reaction, no re-engaging possible).

Fault elimination: guard door 1 remains open; the module switches off 2-channel. Re-start possible.

[Circuit figures as above; left: fault accumulation, right: dangerous state]

Fault accumulation: second fault in guard door 1, short circuit via S2.1.

Dangerous state: guard door 1 is opened; the module does not switch off.


The diagnostic coverage of 60 % with series connection of simple electromechanical devices is based on a probabilistic estimate for more than 2 guard doors. Where by contrast there are only two protective devices, parallel wiring on the L level (1:1 wiring) is recommended. Under no circumstances should series connection be used for electromechanical devices without additional measures where a PL e or CC 4 is required. It is possible to estimate a higher diagnostic coverage than 60 % (and therefore possibly a PL e or CC 4) for series connection of electromechanical devices if, for example, feedback signals are additionally incorporated in the operational PLC (SPS), whose plausibility in the form of an appropriate signal is in turn incorporated into the enabling path of the L level. See also page 76 in the Excursus section in this respect (BGIA wiring example 8.2.28). Fault exclusion may possibly be deployed for series connections of emergency stop control devices (see BGIA wiring example 8.2.29 on page 75 in this respect). The above-mentioned restriction of 60 % DC in the case of series connections (daisy chain connections) applies, as already set out, only to circuitries executed in traditional electrical technology. In the case of series connections executed in a different technology, e.g. with ASi-SaW devices or with microprocessor-based devices of Schmersal's CSS family, a diagnostic coverage of 99 % is achieved thanks to their additional intelligence. Further information (including fault detection for simple single devices at the O level): see page 55 and Excursus section page 68 f. A further detailed consideration of this subject can be found in the (supplemented) data sheet in this brochure in the form of the Schmersal/Elan information "One should not throw the baby out with the bathwater: on the subject of diagnostic coverage with simple series connections of electromechanical safety sensors and safety switches" (see page 139).
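The fault sequence of the figures above (first fault on S1.1, fault elimination, second fault on S2.1) can be replayed against a minimal model of a two-channel input with discrepancy monitoring, once with both guard doors daisy-chained and once with 1:1 (parallel) wiring. The following is an added example, not Schmersal/Elan code: the monitoring module is a deliberately simplified model (a discrepancy latches a fault; the latch is cleared only when both channels have been seen switched off together), and the "fault elimination" step, opening guard door 2 while door 1 stays open, is this example's reading of the second figure.

```python
"""Worst-case fault accumulation with electromechanical safety switches wired
in series (daisy chain) versus 1:1 (parallel) to two-channel inputs.
Added example, not Schmersal/Elan code: the monitoring module is a minimal
model (discrepancy detection, latch cleared by a consistent 2-channel OFF)."""

from dataclasses import dataclass, field


@dataclass
class Door:
    """Guard door with one positive-break contact per channel (channel 1 via
    switch S1.x, channel 2 via switch S2.x).  A short-circuit fault bridges a
    contact so that the channel reads 'closed' regardless of the door."""
    name: str
    closed: bool = True
    shorted: set = field(default_factory=set)   # channels with a bridged contact

    def contact(self, channel):
        return self.closed or channel in self.shorted


class TwoChannelInput:
    """One 2-channel input pair with discrepancy monitoring."""

    def __init__(self):
        self.fault_latched = False

    def update(self, ch1, ch2):
        """Return True when this pair enables the output."""
        if ch1 != ch2:
            self.fault_latched = True            # channels disagree: fault
        elif not ch1 and not ch2:
            self.fault_latched = False           # consistent 2-channel OFF seen
        return ch1 and ch2 and not self.fault_latched


def series_channels(doors):
    """Daisy chain: a channel conducts only if every door's contact on it does."""
    return (all(d.contact(1) for d in doors), all(d.contact(2) for d in doors))


def run_scenario(wiring):
    """Replay: first fault (S1.1 bridged), door 1 opened, door 2 opened,
    both closed again, second fault (S2.1 bridged), door 1 opened.
    Returns (restart_possible_after_first_fault, dangerous_state_at_the_end)."""
    door1, door2 = Door("guard door 1"), Door("guard door 2")
    doors = [door1, door2]
    if wiring == "series":
        pair = TwoChannelInput()

        def evaluate():
            return pair.update(*series_channels(doors))
    elif wiring == "parallel":
        pairs = [TwoChannelInput() for _ in doors]

        def evaluate():
            results = [p.update(d.contact(1), d.contact(2)) for p, d in zip(pairs, doors)]
            return all(results)               # every pair must enable
    else:
        raise ValueError(wiring)

    evaluate()                                 # healthy start: both doors closed
    door1.shorted.add(1)                       # first fault: short circuit via S1.1
    door1.closed = False                       # guard door 1 is opened
    if evaluate():
        raise RuntimeError("module must switch off on the first fault")
    door2.closed = False                       # guard door 2 opened as well
    evaluate()                                 # series: both channels now open
    door1.closed = door2.closed = True         # both doors closed again
    restart_possible = evaluate()

    door1.shorted.add(2)                       # fault accumulation: short via S2.1
    door1.closed = False                       # guard door 1 opened once more
    dangerous = evaluate()                     # True = output stays enabled
    return restart_possible, dangerous


if __name__ == "__main__":
    print("series  :", run_scenario("series"))     # (True, True): fault masked, then dangerous
    print("parallel:", run_scenario("parallel"))   # (False, False): fault stays detected
```

With the daisy chain, opening the second door makes both channels open together, so the module can no longer distinguish the bridged contact from a normal switch-off and permits a restart; the second fault then goes undetected. With one input pair per door, the discrepancy on door 1 persists until the contact is repaired, which is the behaviour behind the 99 % versus 60 % DC figures in the text.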



Devices with more complex safety-related functionality



Foreword
Devices of this kind are typically provided with a Sub-SIL and a corresponding PFHd value. The background to this is that the devices have been developed and certified on the basis of EN IEC 61 508-1/-7:2001, partially because microprocessor technology is used in them, for which EN 954-1:1996 is not applicable, and partially for other reasons. As is known, owing to the compatibility of the two new SRP/CS standards, an SIL can also be converted to a PL and vice versa (see conversion table). The basis of both SIL and PL is the PFHd value, from which, if desired, a block MTTFd value may also be derived.
Conversion table (reconstructed from the figure): PL according to EN ISO 13 849-1:2006 versus average probability of a dangerous failure per hour and SIL according to IEC 62 061:2005 / IEC 61 508:2001

PL | Average probability of a dangerous failure per hour (1/h) | SIL
a  | ≥ 10⁻⁵ to < 10⁻⁴                                          | no special safety requirements
b  | ≥ 3 × 10⁻⁶ to < 10⁻⁵                                      | 1
c  | ≥ 10⁻⁶ to < 3 × 10⁻⁶                                      | 1
d  | ≥ 10⁻⁷ to < 10⁻⁶                                          | 2
e  | ≥ 10⁻⁸ to < 10⁻⁷                                          | 3

(Upwards in the table: measures against lower risk; downwards: measures against higher risks.)

CAUTION: the PFHd classifications above apply to an overall PL (or overall SIL). Subsystems may only consume a share of this budget (recommendation: a max. of 20 % each for I and L, so that > 60 % remains for O). Annex K of EN ISO 13 849-1:2006 is available for converting a PFHd value into an MTTFd value (PFHd values corresponding to max. 100 y MTTFd are stored). According to the BGIA Report 2/08, a block MTTFd value can, however, be calculated in a greatly simplified manner (which is only permissible in this direction) from a PFHd value by inverting the PFHd value, i.e. block MTTFd = (1/PFHd) / 8,760 h per year (with higher PLs or SILs usually several 100 y). See also page 50. N.B.: a block MTTFd value, apart from some exceptions, is always greater than a single MTTFd value, because the latter exclusively reflects a statistical hardware reliability, while the PFHd value (and its inverse, the block MTTFd) also takes into account and evaluates all remaining measures, in particular those for fault detection or diagnostic coverage. Therefore an MTTFd value of 30 y in conjunction with all other measures required for a PL e corresponds to a block MTTFd value of approx. 1,200 y.


Depending on the methods used for estimating a PL, it may be necessary to convert a PFHd value to a block MTTFd value if MTTFd and PFHd values are mixed within a chain I + L + O (Input, Logic, Output). However the usual case is the other way round, i.e. estimating the PFHd value with the help of Annex K of EN ISO 13 849-1:2006 from the control category CC, the hardware reliability MTTFd and the diagnostic coverage DC or DCavg (see also page 141 et seq.). Example: a safety function may have an architecture corresponding to CC 4, a DC of 99 % and a homogeneous (or symmetrised) channel MTTFd of 75 y; pursuant to Annex K this corresponds to a PFHd value of 3.41 × 10⁻⁸.
Table K.1 Numerical description of Fig. 5 (of EN ISO 13 849-1:2006 [D] Annex K [informative]): average probability of a dangerous failure per hour (1/h) and corresponding performance level (PL). PFHd given in e-notation (3.80e-5 = 3.80 × 10⁻⁵); "-" = category not applicable at this MTTFd.

MTTFd | Cat. B    | Cat. 1    | Cat. 2    | Cat. 2    | Cat. 3    | Cat. 3    | Cat. 4
each  | DCavg     | DCavg     | DCavg     | DCavg     | DCavg     | DCavg     | DCavg
chan. | none      | none      | low       | medium    | low       | medium    | high
(y)   | PFHd   PL | PFHd   PL | PFHd   PL | PFHd   PL | PFHd   PL | PFHd   PL | PFHd   PL
    3 | 3.80e-5 a |     -     | 2.58e-5 a | 1.99e-5 a | 1.26e-5 a | 6.09e-6 b |     -
  3.3 | 3.46e-5 a |     -     | 2.33e-5 a | 1.79e-5 a | 1.13e-5 a | 5.41e-6 b |     -
  3.6 | 3.17e-5 a |     -     | 2.13e-5 a | 1.62e-5 a | 1.03e-5 a | 4.86e-6 b |     -
  3.9 | 2.93e-5 a |     -     | 1.95e-5 a | 1.48e-5 a | 9.37e-6 b | 4.40e-6 b |     -
  4.3 | 2.65e-5 a |     -     | 1.76e-5 a | 1.33e-5 a | 8.39e-6 b | 3.89e-6 b |     -
  4.7 | 2.43e-5 a |     -     | 1.60e-5 a | 1.20e-5 a | 7.58e-6 b | 3.48e-6 b |     -
  5.1 | 2.24e-5 a |     -     | 1.47e-5 a | 1.10e-5 a | 6.91e-6 b | 3.15e-6 b |     -
  5.6 | 2.04e-5 a |     -     | 1.33e-5 a | 9.87e-6 b | 6.21e-6 b | 2.80e-6 c |     -
  6.2 | 1.84e-5 a |     -     | 1.19e-5 a | 8.80e-6 b | 5.53e-6 b | 2.47e-6 c |     -
  6.8 | 1.68e-5 a |     -     | 1.08e-5 a | 7.93e-6 b | 4.98e-6 b | 2.20e-6 c |     -
  7.5 | 1.52e-5 a |     -     | 9.75e-6 b | 7.10e-6 b | 4.45e-6 b | 1.95e-6 c |     -
  8.2 | 1.39e-5 a |     -     | 8.87e-6 b | 6.43e-6 b | 4.02e-6 b | 1.74e-6 c |     -
  9.1 | 1.25e-5 a |     -     | 7.94e-6 b | 5.71e-6 b | 3.57e-6 b | 1.53e-6 c |     -
   10 | 1.14e-5 a |     -     | 7.18e-6 b | 5.14e-6 b | 3.21e-6 b | 1.36e-6 c |     -
   11 | 1.04e-5 a |     -     | 6.44e-6 b | 4.53e-6 b | 2.81e-6 c | 1.18e-6 c |     -
   12 | 9.51e-6 b |     -     | 5.84e-6 b | 4.04e-6 b | 2.49e-6 c | 1.04e-6 c |     -
   13 | 8.78e-6 b |     -     | 5.33e-6 b | 3.64e-6 b | 2.23e-6 c | 9.21e-7 d |     -
   15 | 7.61e-6 b |     -     | 4.53e-6 b | 3.01e-6 b | 1.82e-6 c | 7.44e-7 d |     -
   16 | 7.13e-6 b |     -     | 4.21e-6 b | 2.77e-6 c | 1.67e-6 c | 6.78e-7 d |     -
   18 | 6.34e-6 b |     -     | 3.68e-6 b | 2.37e-6 c | 1.41e-6 c | 5.67e-7 d |     -
   20 | 5.71e-6 b |     -     | 3.26e-6 b | 2.06e-6 c | 1.22e-6 c | 4.85e-7 d |     -
   22 | 5.19e-6 b |     -     | 2.93e-6 c | 1.82e-6 c | 1.07e-6 c | 4.21e-7 d |     -
   24 | 4.76e-6 b |     -     | 2.65e-6 c | 1.62e-6 c | 9.47e-7 d | 3.70e-7 d |     -
   27 | 4.23e-6 b |     -     | 2.32e-6 c | 1.39e-6 c | 8.04e-7 d | 3.10e-7 d |     -
   30 |     -     | 3.80e-6 b | 2.06e-6 c | 1.21e-6 c | 6.94e-7 d | 2.65e-7 d | 9.54e-8 e
   33 |     -     | 3.46e-6 b | 1.85e-6 c | 1.08e-6 c | 5.94e-7 d | 2.30e-7 d | 8.57e-8 e
   36 |     -     | 3.17e-6 b | 1.67e-6 c | 9.39e-7 d | 5.16e-7 d | 2.01e-7 d | 7.77e-8 e
   39 |     -     | 2.93e-6 c | 1.53e-6 c | 8.40e-7 d | 4.53e-7 d | 1.78e-7 d | 7.11e-8 e
   43 |     -     | 2.65e-6 c | 1.37e-6 c | 7.34e-7 d | 3.87e-7 d | 1.54e-7 d | 6.37e-8 e
   47 |     -     | 2.43e-6 c | 1.24e-6 c | 6.49e-7 d | 3.35e-7 d | 1.34e-7 d | 5.76e-8 e
   51 |     -     | 2.24e-6 c | 1.13e-6 c | 5.80e-7 d | 2.93e-7 d | 1.19e-7 d | 5.26e-8 e
   56 |     -     | 2.04e-6 c | 1.02e-6 c | 5.10e-7 d | 2.52e-7 d | 1.02e-7 d | 4.73e-8 e
   62 |     -     | 1.84e-6 c | 9.06e-7 d | 4.43e-7 d | 2.13e-7 d | 8.84e-8 e | 4.22e-8 e
   68 |     -     | 1.68e-6 c | 8.17e-7 d | 3.90e-7 d | 1.84e-7 d | 7.68e-8 e | 3.80e-8 e
   75 |     -     | 1.52e-6 c | 7.31e-7 d | 3.40e-7 d | 1.57e-7 d | 6.62e-8 e | 3.41e-8 e
   82 |     -     | 1.39e-6 c | 6.61e-7 d | 3.01e-7 d | 1.35e-7 d | 5.79e-8 e | 3.08e-8 e
   91 |     -     | 1.25e-6 c | 5.88e-7 d | 2.61e-7 d | 1.14e-7 d | 4.94e-8 e | 2.74e-8 e
  100 |     -     | 1.14e-6 c | 5.28e-7 d | 2.29e-7 d | 1.02e-7 d | 4.29e-8 e | 2.47e-8 e
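The three operations described on the preceding pages (classifying a PFHd into a PL band, the simplified inversion of a PFHd into a block MTTFd, and the Annex K look-up from category, DCavg and channel MTTFd) are straightforward to script. The following is an added example, not Schmersal/Elan or SISTEMA code: the two Table K.1 columns it embeds (Category 3 / DCavg medium and Category 4 / DCavg high) are copied from the table above, the 100 y cap is the one the text mentions for Annex K, and rounding an intermediate MTTFd down to the next listed step is this example's conservative choice. The subsystem values used in the chain example (CSS 34 input, PROTECT PSC logic, a relay-module output at > 100 y MTTFd) are taken from the device pages that follow.

```python
"""PL band classification, PFHd -> block MTTFd inversion and the Annex K
look-up of EN ISO 13 849-1:2006.  Added example (not Schmersal/Elan code);
the two Table K.1 columns are copied from the table printed on this page."""

import bisect

HOURS_PER_YEAR = 8760

# PL bands by PFHd (1/h): lower bound inclusive, upper bound exclusive.
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]

# MTTFd steps (years) of Table K.1 and two of its columns, copied from the page.
MTTFD_STEPS = [3, 3.3, 3.6, 3.9, 4.3, 4.7, 5.1, 5.6, 6.2, 6.8, 7.5, 8.2, 9.1, 10,
               11, 12, 13, 15, 16, 18, 20, 22, 24, 27, 30, 33, 36, 39, 43, 47,
               51, 56, 62, 68, 75, 82, 91, 100]
TABLE_K1 = {
    (3, "medium"): [6.09e-6, 5.41e-6, 4.86e-6, 4.40e-6, 3.89e-6, 3.48e-6, 3.15e-6,
                    2.80e-6, 2.47e-6, 2.20e-6, 1.95e-6, 1.74e-6, 1.53e-6, 1.36e-6,
                    1.18e-6, 1.04e-6, 9.21e-7, 7.44e-7, 6.78e-7, 5.67e-7, 4.85e-7,
                    4.21e-7, 3.70e-7, 3.10e-7, 2.65e-7, 2.30e-7, 2.01e-7, 1.78e-7,
                    1.54e-7, 1.34e-7, 1.19e-7, 1.02e-7, 8.84e-8, 7.68e-8, 6.62e-8,
                    5.79e-8, 4.94e-8, 4.29e-8],
    # Category 4 requires MTTFd "high" (>= 30 y): no entries below 30 y.
    (4, "high"): [None] * 24 + [9.54e-8, 8.57e-8, 7.77e-8, 7.11e-8, 6.37e-8, 5.76e-8,
                                5.26e-8, 4.73e-8, 4.22e-8, 3.80e-8, 3.41e-8, 3.08e-8,
                                2.74e-8, 2.47e-8],
}


def pl_from_pfhd(pfhd):
    """PL letter for a PFHd (1/h).  Values below 1e-8 are reported on this
    page as Sub-PL e, so they are classified as 'e' here as well."""
    if pfhd < 1e-8:
        return "e"
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    return None  # >= 1e-4: no special safety requirements


def block_mttfd_years(pfhd):
    """Simplified BGIA inversion: block MTTFd = (1 / PFHd) / 8,760 h per year."""
    return 1.0 / pfhd / HOURS_PER_YEAR


def table_k1_pfhd(category, dcavg, mttfd_years):
    """PFHd for a category/DCavg column at a given channel MTTFd.

    MTTFd is capped at 100 y (the largest value stored in Annex K) and rounded
    down to the next listed step so that the estimate stays conservative."""
    mttfd = min(mttfd_years, 100)
    if mttfd < 3:
        raise ValueError("MTTFd below 3 y is outside the PL range")
    idx = bisect.bisect_right(MTTFD_STEPS, mttfd) - 1
    pfhd = TABLE_K1[(category, dcavg)][idx]
    if pfhd is None:
        raise ValueError(f"category {category} not permitted at MTTFd {mttfd} y")
    return pfhd


def chain_pl(pfhd_in, pfhd_logic, pfhd_out):
    """Overall PFHd of an I + L + O chain is the sum of the subsystem values;
    returns (sum, PL) so a budget such as 20 % / 20 % / 60 % can be checked."""
    total = pfhd_in + pfhd_logic + pfhd_out
    return total, pl_from_pfhd(total)


if __name__ == "__main__":
    # the page's example: CC 4, DC 99 %, 75 y per channel -> 3.41e-8 -> PL e
    pfhd = table_k1_pfhd(4, "high", 75)
    print(pfhd, pl_from_pfhd(pfhd))
    # 9.54e-8 (30 y per channel, CC 4) inverts to roughly 1,200 y block MTTFd
    print(round(block_mttfd_years(9.54e-8)))
    # chain: CSS 34 (3.6e-9) + PROTECT PSC (1.27e-8) + relay module at > 100 y (2.47e-8)
    print(chain_pl(3.6e-9, 1.27e-8, 2.47e-8))
```

The Category 3 column reproduces the CC 3 relay-module figure quoted later on this page (8.84 × 10⁻⁸ at 62 y), and the Category 4 column reproduces both the 3.41 × 10⁻⁸ example and the 9.54 × 10⁻⁸ / 2.47 × 10⁻⁸ limits of the incremental analysis.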

With certain protective devices (see device data sheets) the subsystem L may also not apply in some cases, namely if the sensor at the I level acts directly on the O level using OSSD outputs(1), i.e. (in simply structured SRP/CS) the sensor also has an interface for a feedback loop (so-called EDM function(2)) and usually for the reset/re-engage button. An SRB module, a safety PLC or similar can be omitted in these cases.

(1) OSSD = Output Signal Switching Device = safety-related part of a protective device, e.g. a safety light curtain or a sensor from the Schmersal CSS family, connected to the machine control system and which moves to the OFF state if the sensor part is activated during specified normal operation.
(2) EDM = External Device Monitoring = the means whereby a protective device, e.g. a safety light curtain or a sensor from the Schmersal CSS family, monitors the status of other SRP/CS parts.


Devices with more complex safety-related functionality in the Schmersal/Elan programme(1)

(See also the Schmersal online catalogue www.schmersal.net [data sheets for the respective product] or our SISTEMA manufacturer library [www.schmersal.net > other products/software > download software].)

(1) In the case of specified PFHd values, these predominantly concern values which have been calculated in the course of device certifications (Employers' Liability Insurance Association [BG], Technical Inspection Authority [TÜV] etc.) according to EN IEC 61 508:2001.

Safety sensors CSS 180(2): Sub-SIL 3, Sub-PL e, PFHd 6.1 × 10⁻⁹
Safety sensors CSS 34(2): Sub-SIL 3, Sub-PL e, PFHd 3.6 × 10⁻⁹
Safety switch AZ 200(2): Sub-SIL 3, Sub-PL e, PFHd 4.0 × 10⁻⁹
Electronic solenoid interlock AZM 200: Sub-SIL 3, Sub-PL e, PFHd 4.0 × 10⁻⁹
Electronic solenoid interlock MZM 100(2): Sub-SIL 3, Sub-PL e, PFHd 4.3 × 10⁻⁹

(2) With respect to safety sensors and contact-free guard locking from the Schmersal CSS family: please also heed the requirements for additional measures to reduce the risk of manipulation (AMD 1 of EN 1088:1996) when using these devices (with the exception of the AZM 200 interlocks, due to their doubled position monitoring). Examples include a permanent fastening of the matching part (with tamper-proof screws, masked installation or similar). See also keyword AMD 1 in the Glossary.

The diagnostic coverage of 99 % for the above devices (devices of Schmersal's CSS family) remains unaffected in the case of series connections (daisy chain connections) too, because self-monitoring routines run in each device.


Safety relay modules (architecture: CC 4)(1)
Sub-SIL 3, Sub-PL e, PFHd value depending on switching load and operating cycles as follows: min. (see incremental analysis) 9.54 × 10⁻⁸ or 30 y MTTFd(2)

(1) Information on fault detection (for the diagnostic coverage) for the upstream and downstream SRP/CS parts (simple single devices at the I or O level): see pages 32 f. and 50.
(2) Additional inspection is necessary because relays belong to the components subject to wear and tear. Basis for calculation, B10d (with load in %): 20,000,000 (20 %), 7,500,000 (40 %), 2,500,000 (60 %), 1,000,000 (80 %), 400,000 (100 %). The B10d value approach is only relevant for the connected output level O! Consideration of the input level I does not apply (< 20 % load). Incremental analysis: PFHd < 9.54 × 10⁻⁸ (< 2.47 × 10⁻⁸) or MTTFd > 30 y (> 100 y) is obtained with 6.5 (1.9) million switching cycles per year (nop/y) at 20 % load; 2.5 (0.75) million nop/y at 40 % load; 0.6 (0.18) million nop/y at 60 % load; 0.3 (0.09) million nop/y at 80 % load; 0.1 (0.03) million nop/y at 100 % load. Correspondingly better PFHd or MTTFd values can be calculated with a smaller number of switching cycles.

It is reasonable to calculate a PFHd value of 5 × 10⁻⁹ with a mean number of operating cycles of 100 per day (= 36,500 nop/y) and a switching load of up to 60 % (and a PFHd value of 1.3 × 10⁻⁸ at a switching load of up to 80 %). For example, a PFHd value of 2.31 × 10⁻⁹ is assumed for safety relay modules in the BGIA Report 2/08 (in another case 2.69 × 10⁻⁹). There are other examples (e.g. from SIEMENS) that give a PFHd value of 1 × 10⁻⁹. Clearly more favourable operating cycle numbers and/or switching loads have been assumed there compared to our assessment above.

Safety relay modules (architecture: CC 3)
Sub-SIL 3, Sub-PL e, PFHd < 8.84 × 10⁻⁸(1) or > 62 y MTTFd (including PL d or SIL 2). Further remarks: see (accordingly) above (SRB modules with architecture CC 4)!

Safety time delay relay AZS 2305
Sub-SIL 2, Sub-PL d, PFHd 2.5 × 10⁻⁸

Safety standstill monitors FWS 1205, 1206 and 2xxx (depending on circuitry)
max. Sub-PL d, Sub-SIL 2, PFHd 8.8 × 10⁻⁹


ESALAN-Compact safety controllers(1)
Sub-SIL 3, Sub-PL e, PFHd 0.14 × 10⁻⁷ or MTTFd 193 y (for semiconductor outputs) or 0.15 × 10⁻⁷ or MTTFd 192 y (for relay outputs)

(1) Information on fault detection (for the diagnostic coverage) for the upstream and downstream SRP/CS parts (simple single devices at the I or O level): see pages 32 f. and 50.

PROTECT PSC safety PLCs(1)
2-channel I/Os: Sub-SIL 3, Sub-PL e, PFHd 1.27 × 10⁻⁸ (2-channel input, 2-channel output); 1.64 × 10⁻⁸ (two 2-channel inputs, 2-channel output, e.g. in the muting operating mode)
1-channel I/Os: on request

(1) Information on fault detection (for the diagnostic coverage) for the upstream and downstream SRP/CS parts (simple single devices at the I or O level): see pages 32 f. and 50.

ESALAN-Wireless systems
Sub-SIL 3, Sub-PL e, PFHd 5.5 × 10⁻⁹

Safety light barriers, light grids and curtains (Type 4)
Sub-SIL 3, Sub-PL e, PFHd (for example SLG(C) 420) 7.42 × 10⁻⁹
PS: applies only to delivery versions with OSSD outputs(1) and EDM function(2) (therefore without additional evaluation device or SRB module)

(1) OSSD = Output Signal Switching Device = safety-related part of a protective device, e.g. a safety light curtain or a sensor from the Schmersal CSS family, connected to the machine control system and which moves to the OFF state if the sensor part is activated during specified normal operation.
(2) EDM = External Device Monitoring = the means whereby a protective device, e.g. a safety light curtain or a sensor from the Schmersal CSS family, monitors the status of other SRP/CS parts.

Safety light barriers, light grids and curtains (Type 2)
Sub-SIL 2, Sub-PL d, PFHd (for example SLG(C) 220) 3.59 × 10⁻⁸

Safety laser scanner
Sub-SIL 2, Sub-PL d, PFHd 7.3 × 10⁻⁸; mission time: 11 y


Device combinations

BNS safety magnetic switches/AES monitoring modules
Combination of BNS/AES versions, AES models 1xxx (with the exception of 1102 and 1112 and, see below, 1337): Sub-PL d, Sub-SIL 2, PFHd value depending on the operating cycles as follows: 1 × 10⁻⁸ at 6 h⁻¹, 9 × 10⁻⁹ at 1 h⁻¹ and 8.4 × 10⁻⁹ at 0.1 h⁻¹
Combination of BNS/AES with AES model 1337: Sub-PL e, Sub-SIL 3, PFHd values on request
Combination of BNS/AES with AES models 2xxx: Sub-PL d, Sub-SIL 2, PFHd value depending on operating cycles: 1.8 × 10⁻⁹ at 0.1 h⁻¹
Combination of BNS/AES versions with models 1102, 1112, 6112 and 7112: Sub-PL c, Sub-SIL 1, PFHd value depending on operating cycles: 1.21 × 10⁻⁶ or 75 y MTTFd at 5,280 nop/y

Safety edges On request

Safety mats On request

Safety bumpers On request


Safety bus system ASi-SaW: devices with ASi-SaW interface

Preliminary remark: when considering the PL estimation, the respective safety function (see page 70 et seq.) and the chain consisting of the safety switching device with integrated ASi-SaW interface (e.g. magnetic switch BNS 260 AS) or the safety switching device plus external ASi-SaW interface connection (e.g. emergency-stop control device + ASi tube), plus the ASM ASi-SaW monitor, are relevant. For the purpose of the subsystem method this corresponds to the levels I and L. Added to this is the evaluation of the output level O. In the case of simple single devices at the O level, the feedback loop interface in the ASM ASi-SaW monitor also serves the fault detection, as with a safety relay module or safety PLC. Therefore, depending on the safety-related quality of the feedback signal, up to 99 % diagnostic coverage can be achieved (see page 55 in this respect). Note on the I level: the diagnostic coverage of 99 % in the ASi-SaW safety bus system is not affected by series connection of simple single devices, i.e. it also remains 99 % in this case, because the ASi-SaW monitoring routines see each participant separately. Note 2: the performance level of a safety function is determined according to the principle of the weakest link in the chain, i.e. a single safety switching device that can only be assessed as one channel, and therefore achieves a maximum Sub-PL c, determines the level of the overall PL. The higher-quality ASi-SaW electronics does not improve the PL.


Note 3: in the case of simple single devices with external ASi-SaW interface connection we recommend considering both system components as a sub-system. Depending on the operating cycles(1), this generally results in a Sub-PL c for 1-channel simple single devices and as a rule always in a Sub-PL e for 2-channel devices/device arrangements. If necessary the sub-system should be quantified using a PFHd value (see page 50).

(1) The influence of the switching load does not need to be considered.

Safety magnetic switches
B10d value: 20,000,000(1)

(1) Operation at low load (< 20 %)

1 or 2-channel capability; 2-channel capability also possible with a single device
BNS 260 AS version: Sub-PL e, PFHd value 6.21 × 10⁻⁹ (at 525,600 nop/y) or 3.35 × 10⁻⁹ (at 24,000 nop/y)
BNS 36 AS version: Sub-PL e, PFHd value 1.24 × 10⁻⁸ (at 525,600 nop/y) or 4.03 × 10⁻⁹ (at 24,000 nop/y)
BNS 16 AS version: similar to BNS 36 AS

Position switches with separate actuator (so-called class 2 switch)
B10d value: 2,000,000(1)
(1) Operation at low load (< 20 %)

1 or 2-channel capability with safety switches: with a single device this depends on the C standard or on the fault exclusion required according to EN ISO 13 849-2:2003
AZ 16 AS version: Sub-PL c(2), Sub-SIL 1(2) (with fault exclusion provided by the customer max. PL d(2), Sub-SIL 2(2)), PFHd value: PFHd/safety switches (to be based on a user-dependent appraisal) + PFHd/ASi-SaW electronics (< 1 × 10⁻⁸), e.g. at 100 y MTTFd = 3.47 × 10⁻⁸, at 200 y = 2.19 × 10⁻⁸, at 500 y approx. 0.55 × 10⁻⁸ etc.
(2) at MTTFd high

Additional and updated information where appropriate: see online catalogue www.schmersal.net (data sheets for the respective product) or our SISTEMA manufacturer library (www.schmersal.net, other products/software, download software)!

Position switches with separate actuator and interlocking (so-called class 2 switch)
B10d value: 2,000,000(1)
(1) Operation at low load (< 20 %)

1 or 2-channel capability: see pages 26 f. and 29 et seq. (devices with separate actuator and latching without ASi-SaW interface)
AZM 162 AS version: max. Sub-PL d(2), SIL 2(2), PFHd value: PFHd/safety switches (to be based on a user-dependent appraisal) + PFHd/ASi-SaW electronics (< 1 × 10⁻⁸), e.g. at 100 y MTTFd = 3.47 × 10⁻⁸, at 200 y = 2.19 × 10⁻⁸, at 500 y approx. 0.55 × 10⁻⁸ etc.
AZM 170 AS version: max. Sub-PL d(2), SIL 2(2), PFHd value: PFHd/safety switches (to be based on a user-dependent appraisal) + PFHd/ASi-SaW electronics (< 1 × 10⁻⁸), e.g. at 100 y MTTFd = 3.47 × 10⁻⁸, at 200 y = 2.19 × 10⁻⁸, at 500 y approx. 0.55 × 10⁻⁸ etc.
(2) at MTTFd high
AZ 200 AS version: Sub-PL e, Sub-SIL 3, PFHd value: 4 × 10⁻⁹
MZM 100 AS version: Sub-PL e, Sub-SIL 3, PFHd value: < 5 × 10⁻⁹

ASi-SaW monitors
ASM version: Sub-PL e, Sub-SIL 3, PFHd value: 9.1 × 10⁻⁹
ASM G2 version: Sub-PL e, Sub-SIL 3, PFHd value: 5.4 × 10⁻⁹

External ASi-SaW interface connections
ASi/Opto-Tube version: contribution to the Sub-PL e, contribution to the Sub-SIL 3, PFHd value: < 1 × 10⁻⁸


Combination of Sub-PLs to an overall PL

Reference: see pages 12 et seq. as well as pages 53 et seq.
The combination of Sub-PLs (generally Sub-PLs for I, L and O) to an overall PL for an SRP/CS is, compared to the block method, a very simple process. For this EN ISO 13 849-1:2006 provides the so-called combination table (Table 11 of the standard). This reflects firstly the theory of the weakest link in the chain, but where applicable also takes into consideration the addition of residual failure probabilities, i.e. that from a specific chain length onwards the PFHd or MTTFd reliability values could fall below a critical limit value and affect the overall PL. The lowest Sub-PL (PLlow) and the number of times it occurs (Nlow) are read off from the left side of the table, while the resultant overall PL is read off from the right side. It is characteristic of the combination table that there is a downgrading from a certain number of lowest Sub-PLs onwards. The background to this is the addition of residual failure probabilities (the longer the chain, the higher the residual failure!). CAUTION: downgrading by one PL is not obligatory if the residual failure probabilities in a specific case are better than the assumptions of the standard's authors in the configuration of Table 11. The mean value is assumed there.

PLlow   Nlow    PL
a       > 3     none, not permitted
a       ≤ 3     a
b       > 2     a
b       ≤ 2     b
c       > 2     b
c       ≤ 2     c
d       > 3     c
d       ≤ 3     d
e       > 3     d
e       ≤ 3     e

In other words: in individual cases the following should be determined: a) the lowest Sub-PL (PLlow) in the SRP/CS, b) the number of lowest Sub-PLs (Nlow) present and c) the resultant overall PL. A maximum of three lowest Sub-PLs is tolerated for an overall PL a, a maximum of two for an overall PL b or c, and a maximum of three for overall PLs d and e, without downgrading taking place; or, put the other way round: if there are more lowest Sub-PLs in the SRP/CS concerned, the overall PL is one step lower (e.g. 3 Sub-PL c produce an overall PL b).
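The combination rule can be checked mechanically. The following Python function is an added example (not code from the booklet or from Schmersal) that encodes Table 11 exactly as reproduced above: the lowest Sub-PL and the number of its occurrences decide, higher Sub-PLs are ignored, and one Sub-PL too many at the lowest level costs one step (or, for PL a, is not permitted).

```python
# Added example, not code from the booklet or from Schmersal:
# EN ISO 13 849-1:2006, Table 11 (combination of Sub-PLs to an overall PL).

PL_ORDER = "abcde"

# PLlow -> largest Nlow that still keeps the overall PL at PLlow (Table 11).
# One more Sub-PL of that level downgrades by one step; for PL a it is not permitted.
NLOW_LIMIT = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def combine_sub_pls(sub_pls):
    """Overall PL of an SRP/CS from its Sub-PLs per Table 11.

    Only the lowest Sub-PL (PLlow) and the number of times it occurs (Nlow)
    matter; higher Sub-PLs are not counted (theory of the weakest link).
    Returns 'a'..'e', or None where the table says "none, not permitted".
    """
    pls = [p.lower() for p in sub_pls]
    if not pls or any(p not in PL_ORDER for p in pls):
        raise ValueError("expected one or more Sub-PLs from a..e")
    pl_low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(pl_low)
    if n_low <= NLOW_LIMIT[pl_low]:
        return pl_low
    idx = PL_ORDER.index(pl_low)
    return None if idx == 0 else PL_ORDER[idx - 1]


if __name__ == "__main__":
    # Example 1 of the booklet: two Sub-PL c and one Sub-PL d -> overall PL c
    print(combine_sub_pls(["c", "d", "c"]))
    # Example 2: three Sub-PL c -> downgraded to overall PL b
    print(combine_sub_pls(["c", "c", "c"]))
```

The function deliberately does not add PFHd values; the override of a downgrade by summing residual failure probabilities (the CAUTION above) is a separate check on the actual numbers, not part of Table 11.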


Please note: higher Sub-PLs in an SRP/CS are not counted when the combination table is used (theory of the weakest link). The same applies to subsystems and parts of an SRP/CS for which fault exclusion has been used. Tip: in order to be able to make use of the combination table also for complex circuitries (without too many downgrading problems), it is recommended that the circuits concerned be analysed more closely. The objective is to take only as many subsystems into consideration as the safety-related point of view actually requires. The analysis should therefore exclude parts of the subsystem that are not safety-related (e.g. not every drive in a system has to be a dangerous drive); on the other hand, complicated circuitry can also comprise several safety functions (see also the Excursus page 70 et seq. in this respect).

Example 1 (2 Sub-PL c = overall PL c; 1 Sub-PL d is not taken into consideration)
[Figure: hazardous movement of a fluidic actuator. Chain: light barrier SRP/CSc (Category 2; PL = c), electronic control logic SRP/CSd (Category 2; PL = d), fluidics SRP/CSc (Category 1; PL = c). Level I: PL c, level L: PL d, level O: PL c; PLIst = PL c* (* acc. combination table; ** see next figure). Inset: the combination table from above (PLlow a..e, Nlow, PL).]

This case concerns the standard example for the use of the combination table. The assumption is an SRP/CS consisting of 2 subsystems with PL c and one subsystem with Sub-PL d. The lowest Sub-PL here is c, which is present twice, i.e. the overall SRP/CS remains at PL c. The part of the SRP/CS with Sub-PL d is not taken into account (because it is higher).

Example 2 (this example with 3 Sub-PL c demonstrates the procedure in the event of downgrading, if one cannot or does not want to accept the downgrading because a higher PLr is needed)
[Figure: as in Example 1, but with electronic control logic (Category 2; PL = c). Level I: PL c, level L: PL c, level O: PL c; PLIst = PL b* (* acc. combination table). Inset: the combination table from above.]

An SRP/CS may consist of three subsystems, each with Sub-PL c. According to the combination table, this produces a downgrading to an overall PL of b. Now the individual PFHd values of the individual subsystems should be taken into consideration, i.e. they should be added together and the sum compared with the PFHd value required for the overall PL c (in the above example 1 × 10⁻⁶ ... 3 × 10⁻⁶). If the added PFHd value lies within the respective interval, downgrading is not relevant, because the individual values are better than the values assumed by the standard setter as the model. If this approach is to be used in simplified fashion with MTTFd values, the target MTTFd value for the overall PL should at all events be > 30 y (MTTFd high).


The upper part of the following figure (variation 1) illustrates that the values may not be sufficient to achieve a PL c, while in the lower part (variation 2) they are able to substantiate a PL c.

MTTFd/PFHd value addition and comparison (target for PL c: MTTFd > 30 y (worst case), PFHd ≥ 10⁻⁶ ... < 3 × 10⁻⁶)

           Alternative 1                         Alternative 2
           MTTFd      PFHd                       MTTFd     PFHd
I          200 y      0.7 × 10⁻⁶                 50 y      2.24 × 10⁻⁶
L          + 100 y    + 1.14 × 10⁻⁶              + 50 y    + 2.24 × 10⁻⁶
O          + 100 y    + 1.14 × 10⁻⁶              + 50 y    + 2.24 × 10⁻⁶
PLIst      40 y       3 × 10⁻⁶                   17 y      6.72 × 10⁻⁶
Remark     Just enough!                          Not enough!

Example 3: this example is understood as detached from the combination table of EN ISO 13 849-1:2006, i.e. the weakest link in the chain and the PFHd values of the SRP/CS are considered from the start. This consideration corresponds, for example, to EN IEC 62 061:2005.

Example 3 (figure):
Level    Subsystem                            Sub-PL    PFHd
I        AZM 200                              PL e      4.3 × 10⁻⁹
L        ESALAN-Compact                       PL e      + 0.5 × 10⁻⁹
O        Drive system with safety function    PL d      + 10 × 10⁻⁹
SRP/CS   PLIst                                PL d*     = 14.8 × 10⁻⁹ PFHd**

* Determined by the weakest link in the chain
** Comparison is with the required PFHd limit value, e.g. ≥ 10⁻⁷ ... < 10⁻⁶ for PL d

Otherwise (where there are substantially more subsystems than provided for in Table 11 of EN ISO 13 849-1:2006) all subsystems should be taken into consideration. In particular their residual failure probabilities (in other words the individual PFHd values) should be added together and compared with the maximum permissible PFHd value for the respective PL, whereby in this case the rule is that the weakest link (the lowest Sub-PL) determines the overall PL. Alternatively MTTFd values can also be added, although the target should always be a value of > 30 y in this case.


Example: an SRP/CS may consist of 6 subsystems. The lowest Sub-PL determines the overall PL. The sum of the PFHd values of the subsystems must fall within the PLr category!

Performance Level (PL)   Average probability of a dangerous failure per hour (PFHd)   max. 1 (tolerated) dangerous failure per
a                        ≥ 10⁻⁵ to < 10⁻⁴                                               10,000 hours
b                        ≥ 3 × 10⁻⁶ to < 10⁻⁵                                           100,000 hours
c                        ≥ 10⁻⁶ to < 3 × 10⁻⁶                                           333,000 hours
d                        ≥ 10⁻⁷ to < 10⁻⁶                                               1,000,000 hours
e                        ≥ 10⁻⁸ to < 10⁻⁷                                               10,000,000 hours

Subsystems of levels I, L and O:
  PFHd of subsystem 1 with PL e     e.g.   5 × 10⁻⁹
+ PFHd of subsystem 2 with PL d     e.g.   10 × 10⁻⁹
+ PFHd of subsystem 3 with PL e     e.g.   1 × 10⁻⁹
+ PFHd of subsystem 4 with PL d     e.g.   10 × 10⁻⁹
+ PFHd of subsystem 5 with PL d     e.g.   10 × 10⁻⁹
+ PFHd of subsystem 6 with PL d     e.g.   10 × 10⁻⁹
= overall PL = PLlow = d            e.g.   4.6 × 10⁻⁸
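The PFHd addition used in Examples 2 and 3 and in the six-subsystem example above, written out as an added Python example (not code from the booklet). It carries the PL bands of the table above and two helpers: one sums the subsystem PFHd values and tests the sum against the band of the lowest Sub-PL (the weakest link still fixes the PL, the sum only confirms or refutes it), the other combines MTTFd values of subsystems in series (1/MTTFd = Σ 1/MTTFd_i), which is the calculation behind the 40 y and 17 y results of the MTTFd/PFHd figure.

```python
# Added example, not code from the booklet: summing PFHd values of subsystems
# and checking the sum against the band of the lowest Sub-PL (EN ISO 13 849-1:2006).

PL_ORDER = "abcde"

# PL -> (lower bound inclusive, upper bound exclusive) of PFHd in 1/h (Table 3)
PFHD_BAND = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def pl_from_pfhd(pfhd):
    """PL that a PFHd value (1/h) alone would justify; None if worse than PL a."""
    if pfhd < PFHD_BAND["e"][0]:
        return "e"  # better than the PL e band still counts as PL e
    for pl, (lo, hi) in PFHD_BAND.items():
        if lo <= pfhd < hi:
            return pl
    return None


def check_srp_cs(subsystems):
    """subsystems: list of (sub_pl, pfhd). Returns (pl_low, pfhd_sum, pfhd_ok).

    pl_low is the overall PL (weakest link). pfhd_ok tells whether the summed
    residual failure probability still lies within (or below) the band of that
    PL; if not, a downgrade of the combination table cannot be overridden.
    """
    pl_low = min((pl for pl, _ in subsystems), key=PL_ORDER.index)
    total = sum(p for _, p in subsystems)
    upper = PFHD_BAND[pl_low][1]
    return pl_low, total, total < upper


def mttfd_of_chain(mttfd_years):
    """MTTFd of subsystems in series: 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in mttfd_years)


if __name__ == "__main__":
    # Example 3 of the booklet: e + e + d -> PL d, 14.8e-9 lies in the PL d band
    print(check_srp_cs([("e", 4.3e-9), ("e", 0.5e-9), ("d", 10e-9)]))
    # Example 2, alternative with 200/100/100 y: 2.98e-6 < 3e-6, PL c holds
    print(check_srp_cs([("c", 0.7e-6), ("c", 1.14e-6), ("c", 1.14e-6)]))
    print(mttfd_of_chain([200, 100, 100]), mttfd_of_chain([50, 50, 50]))
```

Note that for the six-subsystem example the sum 4.6 × 10⁻⁸ would by itself fall into the PL e band; `check_srp_cs` still reports PL d, which is the point the example makes.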

Where should PFHd values be taken from (and not stolen)? If devices with more complex safety-related functionality that are already qualified by a Sub-PL (or Sub-SIL) are used for subsystems, generally the PFHd values are also available as manufacturer information. In order to be able to arrive at a PFHd value using one's own Sub-PL estimations, Annex K of EN ISO 13 849-1:2006 may be referred to, although this ends at 100 y MTTFd. Greater MTTFd values can only be carefully (or cautiously) converted to an estimated PFHd value (please remember that this concerns a logarithmic function). An extension to Annex K of EN ISO 13 849-1:2006 (> 100 y MTTFd) is currently being prepared (presently as yet unofficial figures: see keyword Annex K in the Glossary). According to information provided by the BGIA, if one has information on the PL of a subsystem but not the corresponding PFHd information, it is also possible to use half of the PFHd value of the respective PL class if this is helpful (caution: logarithmic function). As further calculation help it seems reasonable to add together MTTFd and block MTTFd values (PFHd ≈ 1/(MTTFd × 8,760 h)) according to the parts count method. Here a minimum MTTFd > 30 y per channel should result if downgrading is to be avoided. See above! Any handicap caused by the restriction in Annex K of EN ISO 13 849-1:2006 to an MTTFd value of 100 y can be overcome, however, by combining several discretely evaluated subsystems, i.e. with control category, MTTFd per channel and DC, and using the combination as the basis for reading off a PFHd value in Annex K. You can find examples on page 141 et seq.


Concluding remarks on the subsystem method
As mentioned several times, the subsystem method concerns the option in the standard that provides a simple way of calculating an overall PL. The simplifications in the background here, however, may also lead to arriving at a lower overall PL estimation using the subsystem method in individual cases than if using the block method. In particular this results from the consistent use of the philosophy concerning the weakest link in the subsystem chain. By contrast, with the block method the individual consideration parameters are considered in sum (with the MTTFd value) or as an average (with the diagnostic coverage DC), i.e. to a certain degree individual low values can be compensated by other higher values. Example: a safety function consists of a subsystem with Sub-PL c and several other subsystems with Sub-PL e (= overall PL c using the subsystem method and according to the philosophy of the weakest link in the chain of the subsystems). If, on the other hand, an overall consideration uses the block method, depending on the configuration of the individual values, it may be possible to arrive at an overall PL of d. This result would lie within the intended room for manoeuvre in the standard. The mathematics behind the standard can also produce absurd results (paradoxes). For example, increases in the MTTFd values can arithmetically produce a lower DCavg owing to the provision of better hardware even where there is the same diagnostic coverage of individual SRP/CS parts. Cases in the reverse direction are similarly conceivable. For this reason a healthy degree of common sense and professional knowledge should always act as a correcting measure.

Confusion, but on a higher level!


How can I calculate a PL for a subsystem (a sub PL)?


Introduction/preamble

CAUTION: the following wiring examples essentially concern only the input level, i.e. which Sub-PL or Sub-SIL can be achieved in the SRP/CS for simple single devices in conjunction with the downstream signal processing. For SRB modules a diagnostic coverage DC of 99 % usually applies (owing to the plausibility test of the two positively guided channel relays), and for safety PLCs similarly a DC of 99 % (due to the highly dynamic crosswise data comparison of both microcomputer systems in the device). 2-channel control is a prerequisite. Both DC values originate from Annex E of EN ISO 13 849-1:2006.

An alternative consideration of the diagnostic coverage applies in the case of series-connected electromechanical devices which are upstream of the input level of an SRB module or a safety PLC. Here, until further notice, we operate with a restricted DC of 60 % = low (see page 32 f. and page 139). Other types of downstream signal processing of simple single devices require special evaluation (likewise see Annex E of EN ISO 13 849-1:2006). Please do not forget here that several fault exclusion measures can be realized in an SRP/CS (e.g. by SRB modules, safety PLCs etc. as well as test equipment measures [TEs], e.g. operational PLCs). See example page 76.

There are two possibilities when forming a Sub-PL: Possibility 1 is to form a Sub-PL for the function simple single device + diagnosis (through the subsequent signal processing). In this case only the part of the switching circuitry of an SRB module or a safety PLC that serves failure detection at the input level is considered, so that the consideration applies only to level I. Everything which then follows (levels L + O) is the subject of a separate Sub-PL consideration. This is what the standard means in the following figure (see figure, upper labelling).

[Figure: allocated function and integrity requirements, subsystem structure in the sense of IEC 62 061. SS 1: interlock switches SSE 1.1 and SSE 1.2; SS 2: speed sensors SSE 2.1 and SSE 2.2; SS 3: PLC in accordance with IEC 61508; SS 4: contactors SSE 4.1 and SSE 4.2; diagnostic functions D attached to SS 1, SS 2 and SS 4. Upper labelling "I": Sub-PL for the input level only (Possibility 1); lower labelling "I/L": input level and signal processing combined (Possibility 2).]


Possibility 2 is to form a Sub-PL for the device combination simple single device + SRB module or safety PLC, so that here the levels I + L would be combined (see figure, lower labelling). In the case of SRB modules, however, this would also require knowledge of the output level O in order to be able to perform an approximate B10d value consideration, because the relay is affected by wear and tear. The following remarks apply irrespective of whether a decision is taken in favour of possibility 1 or possibility 2: a more differentiated evaluation is required for the diagnostic coverage of the feedback loop of the downstream actuating elements (usually a matter for the customer). While the already mentioned measures (DC: 99 %, see above) also have an effect here, it depends on the safety-related quality of the feedback signal which DC is achieved with simple single devices for the output level O subsystem. 99 % can be assumed for contactors with positively guided contacts, but this will be lower if the signal does not originate from positively guided contacts. It will depend among other things on whether and how frequently the output level is incorporated in the normal process and is therefore tested under normal operating conditions (i.e. not safety-critical conditions). These considerations must be made by the customer himself with the aid of Annex E of the EN ISO 13 849-1:2006 standard (DC = 60 % ... < 99 %). Please remember that the diagnostic coverage can be increased when the feedback signals from the operating part of the control system (keyword: test equipment, see loc. cit.) can be incorporated into the consideration. Information on the efficacy of these additional measures is contained in Annex E of EN ISO 13 849-1:2006. If fault exclusion is used for an entire subsystem (see pages 32 f.), e.g. in the case of manually actuated safety devices (emergency-stop, enabling switches etc.), the subsystem does not need to be considered at all (see Chapter BGIA wiring examples page 76). Careful consideration is required here, however.


Example 1(1)
A guard door in a safety fence surrounding a robotic system is to be safeguarded by a TESF switch. The following signal processing takes place with a safety relay module from the PROTECT SRB range for CC 4.
[Figure: subsystem structure as in the figure on page 54, labelled "I": only the TESF switch input level with its diagnosis is under consideration.]

Exercise: what Sub-PL is available for the TESF switch input level? TESF switches are simple single devices without their own diagnostic function. Diagnosis takes place in the downstream SRB module. Therefore the examination covers the TESF switch itself and the diagnosis function of the SRB module that applies to failure detection at the input level (the TESF switch). Consequently this function (level I only) is the foundation of our Sub-PL consideration (device combinations I + L are found in Example 3).

Consideration 1: which architecture, under consideration of which fault exclusions, is available? From a physical point of view a TESF switch is one switch, but with two independent positive-break NC contacts (channels). The conversion of the rotational movement of the guard door into the plunger actuation of both channels takes place using a 1-channel mechanism (actuating axis), but inside the device, i.e. protected and stress-free. We make use of fault exclusion for this small 1-channel part. In other words: the architecture of the TESF switch is 2-channel! The wiring between the TESF switch and the SRB module is protected or run in a separate sheathed cable (fault exclusion for the cabling; otherwise cross-wire monitoring is necessary in the SRB module). Wiring of the TESF switch to the SRB module takes place as 2-channel 1:1 according to a wiring example for CC 4 (no series connection). THUS: the architecture of the subsystem I corresponds to CC 4.

(1) The previously required PLr determination and the subsequent validation whether PLIst > PLr is not considered here.


Consideration 2: which MTTFd hardware reliability is available? TESF switches are simple single devices which are subject to wear and tear and are therefore specified by a B10d value of 2,000,000. With reference to the calculation example on page 23, this results in an MTTFd value of 3,125 y per channel. THUS a high MTTFd hardware reliability is available!

Consideration 3: which diagnostic coverage DC is available? The failure detection function for the TESF switch is performed by the downstream PROTECT SRB with 99 % DC (see page 32 f.). THUS a high diagnostic coverage is available!

Consideration 4: which CCF measures have been taken? We can always assume > 65 points for safety components with correct incorporation and installation. For more information see glossary section, keyword CCF. THUS: sufficient CCF measures have been taken (CCF: o.k.).

Summary according to the bar chart: Architecture (CC): 4; MTTFd: high; DC: high; CCF: o.k.
[Figure: PL bar chart of EN ISO 13 849-1:2006 (Figure 5). Vertical axis PFH (1/h): 10⁻⁴ | PL a | 10⁻⁵ | PL b | 3 × 10⁻⁶ | PL c | 10⁻⁶ | PL d | 10⁻⁷ | PL e | 10⁻⁸. Columns: Category B (DCavg none), Category 1 (DCavg none), Category 2 (DCavg low), Category 2 (DCavg medium), Category 3 (DCavg low), Category 3 (DCavg medium), Category 4 (DCavg high); Categories 2 to 4 with CCF measures; bar segments for MTTFd = low / medium / high.]
THUS: Performance Level e


Example 2(1)
As above, however with several TESF switches in series.

Exercise: which Sub-PL is available for the TESF switch input level? It is assumed that always only the safety function of one TESF switch is requested at a specific point in time X (so that only one guard door is always opened at a time). This therefore concerns a respective number of safety functions corresponding to the number of TESF switches on the safety fence, for example three devices will perform three different safety functions. In other words: no addition of the residual failure probability of the TESF switches need be performed. As a result the combination 1 TESF switch/SRB diagnosis forms the basis of our Sub-PL consideration. In other respects: see above (Example 1)!

Consideration 1: which architecture under consideration of which fault exclusions is available? Firstly: see above (Example 1), although not all failures can be detected due to the series connection, i.e. a failure accumulation cannot be excluded. Consequently we are dealing with an architecture without complete self-monitoring potential (2-channel but with limited failure detection). THUS: the architecture of the subsystem only corresponds to CC 3.

(1) The previously required PLr determination and the subsequent validation whether PLIst > PLr is not considered here.


Consideration 2: which MTTFd hardware reliability is available? Every TESF switch forms a safety function. To calculate the MTTFd value we now assume that every guard door is opened twice per hour, i.e. an MTTFd value of 3,125 y remains. If we were to assume that the demand of twice per hour refers to all guard doors in the enclosure together, the MTTFd values would increase significantly again (however, due to the limitation to 100 y per channel, without having any effect on the PL). In other respects: see above! THUS a high MTTFd hardware reliability is available! Excursus: if several TESF switches had to be considered for one safety function because more than one guard is open during operation, the MTTFd values of the devices must be added (according to the parts count method). In this case the sum is decisive for the MTTFd classification. However, owing to the high individual MTTFd values, it is evident that a large number of devices would be required to arrive at a downgrading, e.g. to a medium MTTFd value. The diagnostic coverage of 60 % remains unchanged in this case.
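The B10d to MTTFd conversion of Consideration 2 and the parts count addition of the Excursus, as an added Python example (not code from the booklet). The operating profile (200 days/year, 16 h/day, one demand every 30 minutes, i.e. nop = 6,400/year) is an assumption chosen here because it reproduces the 3,125 y per channel stated above for B10d = 2,000,000; the formulas are those of Annex C of EN ISO 13 849-1:2006, and the 100 y cap per channel is the one mentioned in the text.

```python
# Added example, not code from the booklet: MTTFd per channel from a B10d value
# and parts count addition for several wearing components (EN ISO 13 849-1:2006, Annex C).

MTTFD_CAP_YEARS = 100.0  # the standard credits at most 100 y per channel


def nop_per_year(dop_days, hop_hours, tcycle_seconds):
    """Mean number of annual operations: nop = dop * hop * 3600 / tcycle."""
    return dop_days * hop_hours * 3600.0 / tcycle_seconds


def mttfd_from_b10d(b10d, nop):
    """MTTFd in years of one wearing component: B10d / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def mttfd_parts_count(mttfd_values):
    """Parts count method for one channel: 1/MTTFd = sum(1/MTTFd_i), capped at 100 y."""
    return min(MTTFD_CAP_YEARS, 1.0 / sum(1.0 / m for m in mttfd_values))


def mttfd_class(mttfd_years):
    """Table 5 of the standard: low 3..<10 y, medium 10..<30 y, high 30..100 y."""
    if mttfd_years < 3:
        return None  # below 3 y is not acceptable
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def devices_for_class(mttfd_single, target_class):
    """Smallest number of identical devices in one channel whose parts-count
    MTTFd drops into target_class (the Excursus' "how many would it take")."""
    n = 1
    while mttfd_class(mttfd_single / n) != target_class:
        n += 1
    return n


if __name__ == "__main__":
    # Assumed profile (not from the booklet): 200 d/y, 16 h/d, one demand per 30 min
    nop = nop_per_year(200, 16, 1800)          # 6400 operations per year
    single = mttfd_from_b10d(2_000_000, nop)   # 3125 y, as stated in the text
    print(nop, single, mttfd_class(single))
    # three switches in one safety function: still capped at 100 y -> high
    print(mttfd_parts_count([single] * 3))
    # how many such switches before the channel drops to "medium"?
    print(devices_for_class(single, "medium"))
```

With B10d = 2,000,000 and the assumed 6,400 operations per year, 105 switches in one channel would be needed before the parts-count MTTFd falls below 30 y, which is the quantitative version of the Excursus' remark.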

Consideration 3: which diagnostic coverage DC is available? Since it is not possible to exclude fault accumulation with series connections of simple single devices, after consulting the BGIA we assume a low DC (see page 32 f.) if no other measures are effective, e.g. an additional fault detection takes place via external test equipment (keyword: Integration of the PLC under normal operating conditions) or fault exclusions are performed. In other respects: see above! THUS a low diagnostic coverage (DC) is available!

Consideration 4: which CCF measures have been taken? See above! THUS sufficient CCF measures have been taken (CCF: o.k.).


Summary according to the bar chart: Architecture (CC): 3; MTTFd: high; DC: low; CCF: o.k. ERGO: Performance Level d
[Figure: PL bar chart of EN ISO 13 849-1:2006 (Figure 5), as shown in Example 1.]


Example 3(1)
Exercise: we combine the input level and the level for signal processing, i.e. we consider the SRP/CS part up to the enabling contact level of the SRB module, so that we create a device combination.
[Figure: subsystem structure as in the figure on page 54, labelled "I/L": input level and signal processing combined.]

Consideration 1: which architecture under consideration of which fault exclusions is available? In addition to the TESF switch with SRB diagnosis of input level I , there is consideration of the signal processing level in the SRB module L itself. In the case of an SRB module this concerns a device with more complex safety-related functionality which is already evaluated with an inbuilt Sub-PL (or Sub-SIL) (in our example with Sub-PL e or Sub-SIL 3). THUS an individual consideration of the architecture, MTTFd(2), DC and CCF measures can be dispensed with for the SRB module (because they are already reflected in the Sub-PL or Sub-SIL). Here it is assumed that the switching frequency and switching load of the relay do not affect a high MTTFd.

(2) An approximate examination should be carried out to check whether the number of operating cycles and the switching load influence the MTTFd classification, since the relay is technology subject to wear. The switching load at the enabling level of the SRB modules must also be incorporated into the consideration. Nevertheless it would only become critical at high numbers of operating cycles and at high switching load (see B10d values for relays).

(1) The previously required PLr determination and the subsequent validation whether PLIst > PLr is not considered here.


Summary
Under consideration of the combination table (see pages 45 et seq.), a Sub-PL of e results for the complete device combination* in the case of the 1:1 wiring (2 e remains e) and in the event of series connection a Sub-PL of d (determined by the weakest link in the chain). It would, however, also be reasonable to combine I and L to a higher ranking subsystem [taking into account an additional B10d value consideration for the relay in the SRB module, see (2)].



How can I calculate a Sub-PL with devices from the Schmersal/Elan programme?

The following steps with some extra consideration are logically preceded by a wiring analysis (see pages 70 et seq.) and the transfer of the wiring to a block diagram.

[Figure: wiring example and its block diagram. Protective device 1 (open/closed) with position switches B1 (actuator, A) and B2 (plunger, P); protective device 2 (open/closed) with position switches B3 (A) and B4 (P). Signal processing: safety relay module K1, auxiliary contactor K2, K3, PLC (inputs I1.0 to I1.4, output O1.1). Output level: contactors Q1 and Q2 switching the motor M 3~; block diagram B1/B2 and B3/B4 -> K1 (with K2, K3) -> Q1/Q2.]

Sub-PL for the input level I
- Cabling: fault exclusion relating to EN ISO 13 849-2:2003 or cross-wire monitoring (see also glossary section, keyword Fault Exclusion wiring/cabling)
- Determination of the architecture, i.e. which control category is achieved at the input level (see figure above)
- Determination of the MTTFd value per channel (usually per B10d value consideration, see pages 22 et seq.)
- Determination of DC for SRB modules and safety PLCs: 99 % with 1:1 wiring, 60 % with series connection (independent of the definition of the safety function); where applicable incorporate the diagnostic coverage of a TE (see page 32 f.)
- CCF management: > 65 points (see glossary section, keyword CCF)
= Sub-PL according to the diagram result (see figure) or Annex K of EN ISO 13 849-1:2006
[Figure: PL bar chart of EN ISO 13 849-1:2006 (Figure 5), as shown in Example 1.]
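The input-level procedure listed above, reduced to its final step: reading the Sub-PL off the bar chart (Table 7 of EN ISO 13 849-1:2006) from control category, DCavg class and MTTFd class, with the CCF threshold as a gate. This is an added Python example, not code from the booklet; the table contents are those of the standard, and the calls at the end reproduce Examples 1 and 2 (CC 4 / DC 99 % / MTTFd high gives e; CC 3 / DC 60 % / MTTFd high gives d).

```python
# Added example, not code from the booklet: the simplified procedure of
# EN ISO 13 849-1:2006 (Table 7, the "bar chart") for determining a Sub-PL.

# (category, DCavg class) -> PL for MTTFd per channel = low / medium / high.
# None means the combination is not covered by the designated architectures.
TABLE_7 = {
    ("B", "none"):   ("a", "b", "b"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}
MTTFD_COLUMN = {"low": 0, "medium": 1, "high": 2}
CCF_MIN_SCORE = 65  # Annex F; the booklet phrases it as "> 65 points"


def dc_class(dc_percent):
    """DCavg classes of Table 6: none < 60 %, low 60..<90 %, medium 90..<99 %, high >= 99 %."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


def sub_pl(category, mttfd_class, dc_percent, ccf_score):
    """Sub-PL for one subsystem, or None if the inputs do not yield a PL.

    category: 'B', '1', '2', '3' or '4'; mttfd_class: 'low'/'medium'/'high';
    dc_percent: DCavg in %; ccf_score: points from the CCF checklist.
    Categories 2 to 4 only count if the CCF measures reach the threshold.
    """
    if category in ("2", "3", "4") and ccf_score < CCF_MIN_SCORE:
        return None
    row = TABLE_7.get((category, dc_class(dc_percent)))
    if row is None:
        return None
    return row[MTTFD_COLUMN[mttfd_class]]


if __name__ == "__main__":
    # Example 1: TESF switch, 1:1 wiring to a CC 4 SRB module, DC 99 %, MTTFd high
    print(sub_pl("4", "high", 99, 70))   # e
    # Example 2: several TESF switches in series, DC 60 %, architecture only CC 3
    print(sub_pl("3", "high", 60, 70))   # d
    # Note 2 of the ASi-SaW section: a single 1-channel switch is at best Category 1
    print(sub_pl("1", "high", 0, 0))     # c
```

A `None` result is the signal to go back to the architecture (for instance a Category 4 claim with less than 99 % DC, or Category 2/3/4 without the CCF score) rather than to read off a PL anyway.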


Schematic conclusion: modular (discrete) Sub-PL estimation

Required if diagnosis (and consequently the diagnostic coverage DC, i.e. failure detection) takes place in a subsequent part of the SRP/CS.

[Figure: allocated function and integrity requirements; subsystem structure as on page 54 (SS 1 interlock switches SSE 1.1/1.2, e.g. OPEN/CLOSED; SS 2 speed sensors SSE 2.1/2.2; SS 3 PLC in accordance with IEC 61 508, marked as Logic; SS 4 contactors SSE 4.1/4.2; diagnostic functions D), with the following explanations:]
Subsystems (SS) implement function blocks and are elements in the top-level architectural design of an SRECS where a failure of any one subsystem will result in the failure of the safety-related control function.
Subsystem Elements (SSE) are components which implement the function block elements allocated to the subsystem.
Diagnostic Functions (D) are considered as separate functions which may have a separate structure to the safety-related control function. They may be performed: within the subsystem; by another subsystem in the SRP/CS; by a subsystem external to the SRP/CS.

Sub-PL
- Designated architecture (control category): 1-channel? 2-channel? CC 4 performance?(1)
- Hardware reliability MTTFd: calculate via a B10d value consideration where appropriate
- Diagnostic coverage DC: 99 % if 1:1 wiring(2), 60 % in case of series connection (daisy chain); DC (as mentioned before) is realized by SRBs or safety controllers enabled for CC 4
- Common cause failure measures (CCF): > 65 scores
= Sub-PL according to the bar chart
[Figure: PL bar chart of EN ISO 13 849-1:2006 (Figure 5), as shown in Example 1.]

(1) Refer to switching examples for SRB or PLC systems.
(2) ATTENTION: 99 % DC for the feedback loop only if the signals are generated by contactors with positively guided contacts, otherwise less (see Annex E of EN ISO 13 849-1:2006).


Sub-PL for the logic level (signal processing level) L Sub-PL or Sub-SIL: see respective device! As already described, this relates to devices with more complex safety-related functionality which already have an inbuilt Sub-PL or Sub-SIL.

Sub-PL for the output level O: similar procedure to the input level (however with possibly different DC values, see EN ISO 13 849-1:2006 Annex E). Therefore the customer must deal with this.



Excursus


Excursus: failure detection

Failure detection is of particular significance in an SRP/CS from two points of view: while in multiple-channel architectures a first fault may not be critical from a safety-related perspective (due to redundancy or hardware fault tolerance), failures must nevertheless be detected and lead to an operational obstruction in order to avoid fault accumulation. If further failures were to occur in addition to an undiscovered failure, this might very well lead to a hazardous state which, in view of the greater risks covered by these architectures, is unacceptable. However, thankfully, also in the case of simple architectures not every hazardous state resulting from a failure leads directly to an accident, and in this respect failure detection has the effect of preventing long-lasting hazardous states. Common failure detection measures and the degree of the desired effect, in the form of the diagnostic coverage, are listed in EN ISO 13 849-1:2006 in Annex E (classified according to measures for the input unit, the logic and the output unit). In order not to have to perform the calculation oneself, EN ISO 13 849-1:2006 contains lookup tables with typical measures and % evaluations (an estimation must be made where necessary).
Measure Input device Cyclic test stimulus by dynamic change of the input signals Plausibility check, e.g. use of normally open and normally closed mechanically linked contacts Cross monitoring of inputs without dynamic test Cross monitoring of inputs signals with dynamic test if short circuits are not detected Diagnostic coverage (DC) 90 % Measure Logic Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements Simple temporal time monitoring of the logic (e.g. timer as watchDiagnostic coverage (DC) 90 % to 99 %, depending on the application Measure Output devices Monitoring of outputs by one channel without dynamic test Cross monitoring of outputs without dynamic test Cross monitoring of output signals with dynamic test without detection of short circuits (for multiple I/O) Cross monitoring of outputs signals and intermediate results Diagnostic coverage (DC) 0 % to 99 % depending on how often a signal change is done by the application 0 % to 99 % depending on how often a signal change is done by the application 90 %

99 %

99 %

0 % to 99 %, depending on how often a signal change is done by the application 99 %

60 %

99 %

In addition to the measure or the combination of measures themselves, the possibility of failure detection (and therefore the desired effect of the diagnostic coverage) depends to a considerable extent on the architecture of an SRP/CS. The possibility of failure detection is not available with simple 1-channel architectures (= DC 0), because there is no downstream or higher-ranking intelligence which serves this purpose.


The best thing for the input level I is a 2-channel capability with subsequent signal processing using SRB modules or safety PLCs in conjunction with 1:1 wiring (or comparable), because here a so-called fail-safe comparison takes effect, with which the consistency of the channels is checked (e.g. during the startup of a machine both channels must be closed in the case of an NC contact arrangement). This corresponds to a DC of 99 % (see Annex E of EN ISO 13 849-1:2006). With simple 1-channel architectures this comparison benchmark is logically not available. At the same time the 2-channel capability of course also satisfies the so-called single-fault tolerance requirement for control categories 3 and 4 (see glossary section, keyword Control Categories). Test opportunities are also offered by electrical 2-channel capability, by the inclusion of feedback signals in the PLC (with subsequent plausibility check) or, typically for downstream contactors, by reading back feedback signals in the restart path of the SRP/CS. A feedback loop of positively guided contacts then similarly produces 99 % DC. Further information on diagnostic coverage: see page 32 f., page 68 f. and page 139 f.


Excursus: Influence of the definition of the safety function on the PL calculation examples

The definition of what a safety function is and which hardware and possibly software belongs to it determines the scope of a PL consideration. What is crucial is which control system parts are involved at the time of the request of a safety function and are thereby responsible for the personal protection function. This is explained in more detail using the following examples (source: BGIA-Report 2/2008, see Glossary).

Example 1: Safety function shutting down when the guard door is opened. When the guard door is opened a machine operator has access to a hazardous area in which five drives control the movements of machine parts. The opening of the guard door effects a shutting down of all five drives as quickly as possible.

Block diagram: Position monitoring of the guard door → Logic → Drive 1, Drive 2, Drive 3, Drive 4, Drive 5

The PLs of the following blocks (fault possibilities of the electrical installation are assigned to the respective blocks) are therefore linked during the subsequent calculation of the PL of the safety function:
Position monitoring of the guard door including mechanical components
Logic
Drive x (x = 1, 2, ... 5)
The result can be a PL that is no longer sufficient for the application, although maybe only drives 1 and 3 trigger hazardous movements for the operator and the remaining drives are shut down purely for functional reasons. In this case it is recommended only taking movements into consideration for the safety function that are actually a hazard.

Example 2: Safety function shutting down when a guard door is opened. A hazardous movement is safeguarded by a fence that has five guard doors. The opening of one of the doors leads to a shutdown. With reference to the subsequent determination of the PL, each door is the component of its own safety function SF1 to SF5, which consists of the following blocks (fault possibilities of the electrical installation are assigned to the respective blocks):
Position monitoring guard door x (x = 1, 2, ... 5) including mechanical components
Logic
Drive

The figure shows the functional circuit diagram and the blocks of safety function SF3:

Block diagram: Position monitoring guard door 1, Position monitoring guard door 2, Position monitoring guard door 3, Position monitoring guard door 4, Position monitoring guard door 5 → Logic → Drive (SF3 comprises position monitoring guard door 3, Logic and Drive)

Example 3: Safety function emergency-stop of an overall machine. 20 emergency-stop devices are installed on a large machine, whose actuation shuts down all 50 drives as quickly as possible. Which components must be taken into consideration in this case when realizing the safety function? It cannot be foreseen which emergency-stop device is actuated to trigger the safety function. Since the operator only ever actuates one emergency-stop device, the safety functions SF1 to SF20 are defined. The respective location of an endangered person when triggering the emergency-stop is unknown, but wherever this person is, not all 50 drives represent a hazard. For this reason the least favourable case should be considered to represent all conceivable situations. This is determined by the worst PL, and therefore depends among other things on the number of drives in the safety chain which generate hazardous movements at the least favourable location, as well as on the respective individual PLs.

Block diagram: E-stop device 01, E-stop device 02, E-stop device 03, E-stop device 04 → Logic → Drive 21, Drive 35, Drive 47

During the subsequent determination of the PL for the safety function the PL values of the following blocks must be taken into consideration:
Emergency-stop device 03
Logic
Drive 21
Drive 35
Drive 47

The examples demonstrate that when defining a safety function a local perspective is recommended that takes the following into consideration:
At which location are people to be found at the time under consideration?
Which movements represent hazards at the person's or people's location?
Which protective devices must the safety function trigger? Where applicable the use of several alternative protective devices should be considered.
If several actuators (axle drives, contactors, valves etc.) contribute to the same hazard, for example, they must be taken into consideration together in the safety function (O1 + O2 + ... + On). By contrast, so-called overlapping hazards (hazards impacting on one operator at a specific place arising from several machines) (no longer) need to be considered according to the most recent interpretation. See the technical committee information sheet 047 "Safety functions in accordance with EN ISO 13 849-1 for overlapping hazards" on this subject.

Remarks from the Schmersal/Elan perspective, particularly with reference to Example 2: we will have to deal with a new approach(1) in which an electrical series connection can consist of several safety functions and where the PL or SIL evaluation refers to the single safety function. I.e. (see the following example) switching of 5 guard doors in series may consist of 5 safety functions to be considered individually and, resulting from this, 5 individual evaluations.

(1) This was actually also listed in EN 954-1 but not clearly formulated.

In this example it is assumed that at a specific time the safety function is only ever demanded from one protective device by an operator, i.e. only one of the 5 protective devices is ever opened, or only one emergency-stop control device is actuated in a series of several emergency-stop control devices. This approach considerably simplifies use of the new standards since the chain of the SRP/CS to be analysed is shorter. However, this consideration is only permissible where there is real independence of the individual safety functions, i.e. for example not in the case of a double door. The risk of a failure being erased in SRP/CS series connections of electromechanical devices (see glossary section, keyword Series Connections, and loc. cit.) must be considered within the framework of the respective safety function. Until further notice we presume that only a low DC value (= 60 %) can be assumed in this case. Our previous argument that up to 31 devices in the CSS family can be connected in series without classification loss (keyword: addition of residual failure probabilities) loses some of its stringency; considering the above, substantially more CSS switches can now be connected in series. However, the argument about comprehensive failure detection in series connection definitely remains. There are also different possible ways of dealing with the subject of cascading or series connection (see examples 8.2.29 and 8.2.28).


Wiring examples from the BGIA Report(1)

(1) For a more comprehensive report see BGIA Report 2/08. The following examples have been selected to best reflect our product range; all in all the BGIA Report contains 37 wiring examples. CAUTION: the following annotation has been substantially shortened and simplified! Furthermore it must be remembered that a particular consideration is applied in the BGIA Report in the case of fault exclusions for positive break contacts: while the normally closed contact is not considered as part of the quantification (fault exclusion!), a B10d value consideration is nevertheless performed.
Recommendation 1: we do not believe the above-mentioned BGIA distinction to be helpful for our type of devices, because it gives our customers next to nothing. Either an argument can be made for fault exclusion or not (see above); the aspect of positive break contacts is simply one aspect.
Recommendation 2: fault exclusion should be dismissed from the start if an estimation indicates that use of the device lies in the upper area of its B10d value (in the case of position switches, for example, in the event of several 100,000 operating cycles per year; below this number one will regularly lie within the range > 100 y MTTFd in any case).
Recommendation 3: we continue to feel uneasy about recommending fault exclusions in their entirety for simple position switches (think for example of wear to the drive roller, of bubbles in the tappet etc.), unless the C-standard concerned were to explicitly tolerate a fault exclusion. However, see pages 29 et seq. in this respect.
Recommendation 4: see also Glossary, keyword fault exclusion. A special case here (fault exclusion as part of the B10d value in its entirety) are emergency-stop control devices (see loc. cit.).


1) BGIA wiring example 8.2.34: guard door monitoring with subsequent signal processing using SRB module or safety PLC (the classic case!)
Remarks:
2-channel input wiring.
Failure detection (external diagnosis) at the SRB through plausibility test using positively guided relays = 99 % DC, or at the safety PLC by crosswise data comparison = 99 % DC (source: Annex E of EN ISO 13 849-1:2006).
SRB module or safety PLC satisfy Sub-PL e.
2-channel output wiring with feedback loop of positively driven contacts.
All other rules relating to application, connection and wiring are taken into consideration.
Result: assuming a high MTTFd value, the combination corresponds to PL e (CC 4, MTTFd high, DC 99 %, lack of sensitivity to CCF)! The MTTFd value results from a B10d value consideration (see loc. cit.).

Wiring example (figure, representation in operated position): guard door position switches B1 (A) and B2 (P), shown for the door positions Open and Closed, wired in 2 channels to the SRB module K1 with START (Reset) button S1; contactors Q1 and Q2 switch the motor M 3~, with a feedback loop of the Q1/Q2 contacts to the SRB module.


2) BGIA wiring example 8.2.29: cascading or series connections

The BGIA arrives at PL e in the case of the cascading of emergency-stop control devices because fault exclusion is performed for devices in their entirety.

Wiring example (figure): emergency-stop control devices S1, S2 and S3 connected in series to the 2-channel input of the SRB module K1 with START button S4; contactors K2 and K3 switch the motor M 3~.

Remarks:
Fault exclusion for S1, S2 and S3 including cabling.
2-channel input wiring.
SRB module (or similar) with PL e.
Result: assuming a high MTTFd value for the SRB module, the example corresponds to PL e despite series connection. The BGIA does not recommend the above-mentioned switching consideration for machine-operated devices.


3) BGIA wiring example 8.2.28: cascading or series connections

Despite series connection of electromechanical devices, the following example corresponds to PL e; in it an operational PLC is incorporated into the SRP/CS for the purpose of additional failure detection. The operational PLC used for failure detection is also termed test equipment in EN ISO 13 849-1:2006 terminology. Noticeable in the BGIA wiring example is the fact that this possibility, in combination with the safety module, sanctions a desired effect of 99 % DC.

Wiring example (figure, representation in operated position): protective device 1 with position switches B1 (A) and B2 (P) and protective device 2 with position switches B3 (A) and B4 (P), each shown for Open and Closed, connected in series to the safety relay module K1; standard PLC with inputs I1.0 to I1.4 and output O1.1; auxiliary contactor K2, contactor K3, contactors Q1 and Q2 switching the motor M 3~.


4) BGIA wiring example 8.2.18: guard door locking with subsequent signal processing using SRB module or safety PLC (channel 1) and standard PLC (channel 2)
The fact that it may be possible to manage without SRB or safety PLC is demonstrated by this example (basic circuit typical in large printing presses or similar)!

Remarks:
2-channel input wiring, cable routing protected/separate.
An MTTFd of high is calculated via a B10d value consideration for both position switches B1 and B2.
Signal processing channel 1 directly via a contactor (Q2); channel 2 via a standard PLC with subsequent contactor Q1. The architecture corresponds to CC 3.
Diagnostic coverage: the position of B1 is additionally read in to the PLC and compared for plausibility with B2 (DC = 99 %). The position of the contactors (with positively driven contacts) is similarly read in to the PLC via the feedback loop (DC = 99 %). The PLC itself is tested by the process (DC = 60 %). Consequently there is a DCavg of 62 %.
All other rules relating to application, connection and wiring are taken into consideration.
Result: the switching corresponds to PL d (see block diagram: CC 3, MTTFd high, DC low, CCF o.k.).

Wiring example (figure, representation in operated position): position switches B1 (A) and B2, shown for Open and Closed; relay K1; standard PLC with inputs I1.0 to I1.3 and output O1.0; contactors Q1 and Q2 with feedback contacts switching the motor M 3~.


5) BGIA wiring example 8.2.19: guard door latching

Wiring example (figure, representation in operated position): guard locking B1 (A) with position switch B2 (P) and magnet F1 (guard locking actuated by spring force with fail-safe locking mechanism), shown for Open and Closed; Unlock button S1, STOP S2, START S3; relays K1 and K2 (guard door switch-on delay); contactors Q1 and Q2; motor M1 (M 3~) with standstill monitoring G1 (n > 0).

Remarks:
By way of explanation: the circuit is realised without a pilot control level (SRB module, safety PLC or similar), with direct actuator control, and, without further elaboration here, corresponds to PL d. The example was not included for its wiring elegance, but rather because it supports our argument on the circumstances under which guard locking can be assigned to CC 3. In conjunction with a corresponding SRB module a device combination in CC 4 with PL e would even be achievable.
Caution: 1-channel standstill monitoring.
BGIA comment: the position of the lock bolt is monitored via an integrated position switch B1, while position switch B2 monitors the position of the guard door in addition to increasing manipulation safety. The interlock offers a fail-safe locking mechanism.


I.e. channel 1: guard door position monitoring (fail-safe locking mechanism + safety contact(s) for position monitoring of the guard door); channel 2: lock bolt position monitoring; together 2 electrical channels. If manipulation protection is achieved in a different way, this wiring example supports our opinion that, under certain circumstances, interlocking with a fail-safe mechanism may be used alone (i.e. without an additional 2nd switch) to achieve CC 3 (see page 29 et seq.).


Overview of the features and use of EN ISO 13 849-1:2006


Objective of SRP/CS standardisation

The purpose of SRP/CS standardisation is to use additional measures to maintain the personal protective function of an SRP/CS also in the case of a failure (or rather: to reduce hazardous states resulting from a failure event to an acceptable residual risk). Reasons for a failure event are failures, faults and disturbances in the hardware and software of the SRP/CS used, in so far as these are of relevance to safety. Caution! Semantic subtlety: failures (e.g. in components; the function was previously correct) lead to faults (= permanent state of the device), however faults can also be present in an SRP/CS from the beginning (design failure = systematic failure). Hazardous states resulting from (temporary) disturbances can be equated with failures.

Figure: origins of EN ISO 13 849-1:2006
EN 954-1:1996 (deterministic), proven methods: safety functions, risk chart, categories.
IEC 61508:1998-2000 (probabilistic), new concepts: quantification (component reliability and test quality), common cause failure.

There are two types of additional measures: those which serve to reduce risk of systematic faults or failures, and those which are directed at random faults or failures. Systematic faults and failures are already present at the time of delivery. They have a deterministic reference to a specific cause, and can only be eliminated by changing the design or manufacturing process, operating procedure, documentation or corresponding factors. This means they concern fundamental design problems, specification gaps, faults in reasoning, software faults etc. Redundancy or similar measures are ineffective here.


Causes of systematic failures
Before commissioning, e.g.: manufacturing error; error during development (wrong selection, wrong dimensioning, faulty software); error in integration (wrong selection, faulty wiring).
After commissioning, e.g.: energy failure/fluctuation; environmental influences; wear and tear, overloading; software; faulty maintenance.

Measures to avoid failures: appropriate materials and suitable manufacture; correct dimensioning and design; correct selection, arrangement, assembly, installation; components with suitable operating features; stability against stated ambient conditions; components in acc. with a suitable standard with defined failure type; functional test. In addition for integration: project management, documentation; black box test.

Measures to control failures: principle of energy lockout; design for controlling influences; design for controlling environmental influences; monitoring of program sequence (in the case of software); safe data communication processes (bus systems); automatic tests. In addition: redundant hardware/diverse hardware; positive actuation mode; contacts positively driven/positive opening; oriented failure mode (failure in a safe direction); overdimensioning.

Measures against systematic faults and failures can be found in Annex G of EN ISO 13 849-1:2006 and in EN ISO 13 849-2:2003. By contrast only a statistical probability can be assigned to random failures and faults (caused, for example, by product aging or the random breakdown of components). In other words: the lower the failure probability, the higher the functional safety. The probability of random failures and faults is exclusively a statistical consideration, and while it permits conclusions to be drawn on the overall safety of a product in the field, it allows no such conclusions on the safety of an individual product. See also figure: Bathtub Curve!

Figure: Bathtub curve (failure rate per hour over time of operation, with TM or T10d marked on the time axis).
Infant mortality failures: usually attributable to inadequacies in manufacture, maintenance or design.
Random failures: usually attributable to external occurrences.
Wear-out failures: usually attributable to a progressive deterioration of a component.


Random faults do not exist at the point of delivery. They result from faults in hardware and occur randomly during operation. Examples of random failures and faults are short circuits, interruptions, component drifts, material fatigue or similar. While failures and faults of this kind occur randomly (as discussed), a statistical probability can be assigned to them. Measures against random failures and faults are redundancy and fault detection etc., i.e. everything which one associates in simple terms (and incompletely) with the Control Category CC, Performance Level PL and Safety Integrity Level SIL. Incompletely because measures against systematic failures and faults are a compulsory basic prerequisite for CC, PL or SIL. The so-called Common Cause Failures constitute a particular type of consideration, i.e. the failure of various units (channels) which do the same thing from a common cause. Only hardware is subject to random failures and faults, while in the case of software exclusively systematic failures and faults are assumed. This theory is disputed, particularly in the case of higher criticality levels, e.g. in airplane construction. The proportion of machine accidents attributed to random hardware failures is estimated to be low today. Talk is of a maximum of 10 to 15 % of all accidents; other estimates produce a lower ratio still. By contrast, the bulk of accidents can be attributed to systematic shortcomings and, not to be forgotten, to the manipulation of protective devices.


Performance Level (1)

Standard definition (EN ISO 13 849-1:2006): discrete level which specifies the capacity of safety-related parts of a control system to achieve a safety function. In simple terms: safety-oriented overall quality of an SRP/CS under consideration of the SRP/CS architecture (= deterministic perspective) and of the SRP/CS reliability (probabilistic perspective). Here essentially the aspects of safety-related reliability, resistance to failures and faults, fault tolerance, behaviour in the event of a fault, fault detection, the avoidance of fault accumulation and the avoidance of systematic faults are considered. The requisite PL (PLr a ... e) results from the risk graph consideration or the respective safety function or the respective C standard. From a probability mathematics perspective, the average probability of a dangerous failure per hour PFHd results in a Performance Level PL as follows:

Performance Level (PL): Average probability of a dangerous failure per hour (1/h)
a: 10^-5 ≤ PFHd < 10^-4
b: 3 × 10^-6 ≤ PFHd < 10^-5
c: 10^-6 ≤ PFHd < 3 × 10^-6
d: 10^-7 ≤ PFHd < 10^-6
e: 10^-8 ≤ PFHd < 10^-7

Note: Beside the Average Probability of a dangerous Failure per Hour (PFHd) some additional estimations are necessary!

The remark in the table clarifies the fact (see above) that this does not exclusively concern requirements of probability mathematics. In order to give you an idea, PFHd values can also be interpreted as follows:

Performance Level (PL): Max. tolerated failure rate
a: 1 dangerous failure per 10,000 hours
b: 1 dangerous failure per 100,000 hours
c: 1 dangerous failure per 333,000 hours
d: 1 dangerous failure per 1,000,000 hours
e: 1 dangerous failure per 10,000,000 hours

Logically if the average probability of a dangerous failure per hour PFHd is behind a PL, subsystems with PFHd values can also be specified for a specific Sub-PL. Typical examples of this are all devices with more complex safety-related functionality, for which this failure limit is usually specified in addition to the PL or SIL classification.


Here at the latest it can clearly be seen that the common bracket between PL (EN ISO 13 849-1:2006) and SIL (EN IEC 62 061:2005 and EN IEC 61 508-1/-7:2001) is simply the PFHd values. In the case of Sub-PFHd details it is recommended that the respective values only claim a specific part of the overall value designated as the maximum for the respective PL or SIL classification: 20 % each for the input level I and the logic level L of the SRP/CS, so that 60 % remains for the output level O, which experience shows to be the weakest link in the chain. If one wishes, the following parameters, which are defined and explained in greater detail in Section (2) and which serve to determine a PL or Sub-PL, are nothing but simplifying aids for circumventing the complex mathematics which is actually behind a PFHd value. If the subsystem method is used for estimating the PL (see pages 45 et seq.), some of the calculations set out below do not apply or are simplified. The so-called block method (see pages 131 et seq.) is assumed here.
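As an added illustration (not Schmersal/Elan material), the PL bands of the table above and the 20 %/20 %/60 % Sub-PFHd split can be turned into a small checker for a chain of subsystems; treating values below 10^-8 1/h as PL e and the subsystem values used at the bottom are assumptions of this example.

```python
"""PL <-> PFHd helpers following the PL table of EN ISO 13 849-1:2006 as
reproduced on this page, plus the 20 %/20 %/60 % Sub-PFHd budget split
recommended in the text. Added example, not Schmersal/Elan material."""

# PL bands from the page: (PL, lower bound inclusive, upper bound exclusive), in 1/h.
PL_BANDS = [
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
]

# Share of the PL's maximum PFHd allotted to each level of the SRP/CS chain
# (page recommendation: 20 % input, 20 % logic, 60 % output).
BUDGET_SHARES = {"I": 0.20, "L": 0.20, "O": 0.60}


def pl_from_pfhd(pfhd):
    """Return the PL letter whose band contains pfhd, or None when pfhd is
    1e-4 1/h or worse (no PL). Assumption of this example: values below the
    1e-8 floor of the table are at least as good as PL e and are reported as 'e'."""
    if pfhd <= 0:
        raise ValueError("PFHd must be positive")
    if pfhd < 1e-8:
        return "e"
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    return None


def pfhd_limit(pl):
    """Upper (exclusive) PFHd limit of a PL, i.e. the value the page calls
    the maximum for the respective PL classification."""
    for letter, _low, high in PL_BANDS:
        if letter == pl:
            return high
    raise ValueError(f"unknown PL {pl!r}")


def hours_per_dangerous_failure(pfhd):
    """Interpretation used on the page: 1 dangerous failure per N hours."""
    return 1.0 / pfhd


def budget_for_pl(pl):
    """Sub-PFHd budget per level I, L, O for a required PL (20/20/60 split)."""
    limit = pfhd_limit(pl)
    return {level: share * limit for level, share in BUDGET_SHARES.items()}


def combine_subsystems(sub_pfhds):
    """Subsystem method: the PFHd of the chain is the sum of the Sub-PFHd values."""
    return sum(sub_pfhds)


def check_chain(required_pl, sub_pfhds):
    """Check a chain {"I": pfhd, "L": pfhd, "O": pfhd} against a required PL:
    every level within its budget and the total inside the PL band.
    Returns (achieved PL, overall ok, per-level within-budget flags).
    PL letters compare lexically, and a later letter is a better PL."""
    budget = budget_for_pl(required_pl)
    within = {lvl: sub_pfhds[lvl] <= budget[lvl] for lvl in budget}
    achieved = pl_from_pfhd(combine_subsystems(sub_pfhds.values()))
    ok = achieved is not None and achieved >= required_pl and all(within.values())
    return achieved, ok, within


if __name__ == "__main__":
    # Constructed Sub-PFHd values for a PL d requirement.
    chain = {"I": 1.5e-7, "L": 1.8e-7, "O": 5.0e-7}
    print(budget_for_pl("d"))
    print(check_chain("d", chain))
    # Using the full budget at every level sums to the PL d limit itself,
    # which already falls into PL c: the split needs margin.
    print(check_chain("d", {"I": 2.5e-7, "L": 2.5e-7, "O": 6.0e-7}))
```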


Performance Level (2)

A PL is composed of:

Architecture (= control category)
Brief explanation: the architecture of an SRP/CS (1-channel, 1-channel with testing, 2-channel with mutual testing, 2-channel with self-monitoring) for the chain I (Inputs) + L (Logic = signal processing) + O (Outputs), whereby EN ISO 13 849-1:2006 favours specific architectures, namely those of the familiar control categories. It also goes on to provide the possibility of performing fault exclusions in compliance with EN ISO 13 849-2:2003. Other architectures are also permitted in EN ISO 13 849-1:2006, however the simplified calculation approach cannot just be used for these as it is, so that resort must be made to more precise mathematics with the associated time expenditure.

To be designated (1): Control category B ... 4 (designated architectures): classification of the safety-related parts of a control system in terms of its resistance to faults and its subsequent behaviour in the event of a fault. Fault exclusions in acc. with EN ISO 13 849-2:2003 continue to be important or necessary.

Designated architectures (block diagrams):
Categories B and 1: Input Signal → I → L → O → Output Signal (single channel).
Category 2: Input Signal → I → L → O → Output Signal, with monitoring by test equipment TE; the output OTE of the test equipment forms a 2nd switch-off path or an indication path. Caution: changes to CC 2! See lexicon section, keyword Control category 2!
Categories 3 and 4: two channels, Input Signal → I1 → L1 → O1 → Output Signal and Input Signal → I2 → L2 → O2 → Output Signal, with monitoring within each channel and cross monitoring between L1 and L2.

In addition to consideration of the architectures of an SRP/CS as above, adherence to the so-called (a) fundamental and (b) well tried and tested safety principles forms part of the requirements of a control category. The fundamental safety principles correspond to the state of the art and are basically to be taken into consideration (as from Control Category B); consideration of the well tried and tested safety principles also applies as from Control Category 1. Please do not confuse this with the requirement to use well tried and tested components (applies also to CC 1). A description of what the one and the other are can be found in Annexes A to D of EN ISO 13 849-2:2003 (Validation of an SRP/CS). See also glossary section, keyword Control Categories.


Hardware reliability (= MTTFd/Mean Time to dangerous Failure)
Brief explanation: the mean time, expressed in years (y), until a dangerous (random) failure of an SRP/CS channel; the individual MTTFd values per channel of the hardware used must be determined, combined (using the parts count method) and compared with the standard specifications for low, medium and high. MTTFd values are based on manufacturer information or information from pertinent works of reference, e.g. SN 29 500.

To be designated (2): MTTFd per channel as the combination of the individual MTTFds of I + L + O, divided into 3 groups: low, medium and high
Denotation: Range of MTTFd
low: 3 years ≤ MTTFd < 10 years
medium: 10 years ≤ MTTFd < 30 years
high: 30 years ≤ MTTFd ≤ 100 years

Expressed in simple terms: safety-oriented (derived from reliability) statistical hardware quality. The so-called parts count method is used in EN ISO 13 849-1:2006 to calculate the MTTFd values.

1/MTTFd = Σ (i = 1 ... N) 1/MTTFd,i

CAUTION: MTTFd details merely provide a statistical statement on the survival probability of a large number of units of a product (the statement is: only 37 % still survive at this point in time). The reciprocal value 1/MTTFd is the failure probability per hour, also called the failure rate λ or FIT value (for 10^-9 failures per hour). The background probability theory is the exponential distribution (see glossary section).

Figure: dangerous failures as % (0 to 100) over years of use (0 to 30) for MTTFd of electronics of 3, 10, 30 and 100 years, with horizontal lines at 63 %, 50 %, 10 % and 1 %.

Legend: the curves show, from top to bottom, dangerous failures in % as a function of years of use for components with an MTTFd of 3 y, 10 y, 30 y and 100 y. Also indicated (horizontally) is the 63 % line, where the number of years of use equals the MTTFd. Further lines show 50 %, 10 % and 1 %.


Figure: dangerous failures as % (0 to 30) over the first 5 years of use for MTTFd of electronics of 3, 10, 30 and 100 years, with horizontal lines at 10 % and 1 %.

Legend: the curves show, from top to bottom, dangerous failures in % as a function of years of use for components with an MTTFd of 3 y, 10 y, 30 y and 100 y; shown is a spread extract of the first 5 years of use. Also indicated (horizontally) are the 10 % and 1 % lines.
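As an added example (not Schmersal/Elan material), the parts count formula, the MTTFd classes and the exponential distribution behind the two figures written out in code; the B10d conversion is taken from Annex C of the standard and is not on this page, and the component values are constructed.

```python
"""MTTFd helpers for the parts count method and the low/medium/high classes
given on this page, plus the exponential-distribution curves behind the two
figures. Added example, not Schmersal/Elan material. The B10d conversion
follows Annex C of EN ISO 13 849-1:2006 and is not on this page."""
import math

HOURS_PER_YEAR = 8760.0  # continuous operation, used for the 1/h reciprocal


def channel_mttfd(part_mttfds):
    """Parts count method: 1/MTTFd = sum(1/MTTFd_i) over the parts of one channel (years)."""
    if not part_mttfds or any(m <= 0 for m in part_mttfds):
        raise ValueError("every part needs a positive MTTFd")
    return 1.0 / sum(1.0 / m for m in part_mttfds)


def classify_mttfd(mttfd_years):
    """Map a channel MTTFd to the page's classes. Values over 100 y are capped
    at 100 y (MTTFd is limited to 100 y in the result table of the standard);
    values under 3 y are not acceptable and return (None, value)."""
    capped = min(mttfd_years, 100.0)
    if capped < 3.0:
        return None, capped
    if capped < 10.0:
        return "low", capped
    if capped < 30.0:
        return "medium", capped
    return "high", capped


def failure_rate_per_hour(mttfd_years):
    """lambda = 1/MTTFd expressed per hour (the page's reciprocal value); for
    3 y this gives the first Cat. B entry of Table K.1, 3.80 x 10^-5 1/h."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def dangerous_failure_fraction(mttfd_years, years_of_use):
    """Share of a large population that has failed dangerously after t years,
    assuming an exponential distribution: F(t) = 1 - exp(-t/MTTFd).
    At t = MTTFd this is 63 % (37 % survive), the horizontal line in the figure."""
    return 1.0 - math.exp(-years_of_use / mttfd_years)


def mttfd_from_b10d(b10d_cycles, cycles_per_year):
    """Annex C (not on this page): MTTFd = B10d / (0.1 * nop), nop = cycles per year."""
    return b10d_cycles / (0.1 * cycles_per_year)


def curve_points(mttfd_years, years=range(0, 31, 2)):
    """Points (year, % failed) for one of the curves in the figure legend."""
    return [(t, round(100.0 * dangerous_failure_fraction(mttfd_years, t), 1)) for t in years]


if __name__ == "__main__":
    # Constructed channel: position switch 100 y, SRB module 50 y, contactor 30 y.
    m = channel_mttfd([100.0, 50.0, 30.0])
    print(f"channel MTTFd = {m:.1f} y -> {classify_mttfd(m)}")
    # Constructed B10d of 2,000,000 cycles at 100,000 and 500,000 cycles per year
    # (the page's remark: several 100,000 cycles per year leave the > 100 y range).
    for nop in (100_000, 500_000):
        b = mttfd_from_b10d(2_000_000, nop)
        print(f"B10d 2e6, nop {nop}: MTTFd = {b:.0f} y -> {classify_mttfd(b)}")
    for mt in (3, 10, 30, 100):
        print(mt, "y:", curve_points(mt))
```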

Diagnostic coverage (= DC in %)
Brief explanation: probability-based degree of diagnostic effectiveness (= fault detection), which expresses the relationship between detected hazardous faults and the overall number of hazardous faults. This relationship is, however, additionally weighted with the MTTFd value of the respective component. This means that the quality of monitoring for components with a large MTTFd need not be as high as for those with a lower MTTFd. 90 % means, for example, a 90 % probability of detecting hazardous faults (in good time) and 10 % of not discovering them (in good time), where in good time means discovery before the probable occurrence of the so-called second fault. Evaluation suggestions for different measures for I, L and O can be found in Annex E of EN ISO 13 849-1:2006; an average DCavg for an overall SRP/CS can be calculated using a specific formula (avg stands for average).

To be designated (3): DCavg of the overall SRP/CS (divided into 4 groups: none, low, medium and high) = result of the efficacy of the individual DCs of I, L and O
Denomination: Range of values
none: DC < 60 %
low: 60 % ≤ DC < 90 %
medium: 90 % ≤ DC < 99 %
high: 99 % ≤ DC


To be designated (3) (continued): Expressed in simple terms: efficacy/reliability of fault-detecting measures expressed as a percentage (determination of DCavg using the formula)

DCavg = (DC1/MTTFd1 + DC2/MTTFd2 + ... + DCN/MTTFdN) / (1/MTTFd1 + 1/MTTFd2 + ... + 1/MTTFdN)

Support in EN ISO 13 849-1:2006: see Annex E of EN ISO 13 849-1:2006.
DC = Σ λdd / Σ λd (probability of detected dangerous failures / probability of total dangerous failures)

Common Cause Failure management (or CCF) Brief explanation: measures against failures of both channels of an SRP/CS at the same time following a common cause, e.g. bridging of both channels by a foreign influence, overheating, surge, a lightning surge pulse hitting redundant semiconductor outputs, contaminated oil in the case of hydraulics or too much water in the air in the case of pneumatics. I.e. a single cause removes the multiple-channel capability (typically the redundancy). Annex F of EN ISO 13 849-1:2006 contains a table of measures against Common Cause Failures. Each measure has a score. Enough measures must be realised to reach a score of at least 65 of the 100 possible points. To be designated (4): CCF measures (YES/NO assignment, only from control category 2): failure resulting from a common cause: failures of various units owing to a single event, whereby these failures are not consequences of one another. Assignment of the measures in I, L and O in accordance with the look-up table (a score of at least 65 points must be achieved from a possible 100 points).

Figure: a common cause leads to a fault in channel 1 and a fault in channel 2 at the same time.

No.  Measure against CCF                                                              Score
1    Separation/segregation: physical separation between signal paths                 15
2    Diversity: different technologies/configurations or physical principles are used  20
3    Configuration/application/experience
3.1  Protection against surge, excess pressure, overcurrent etc.                       15
3.2  Use of tried and tested components                                                 5
(the table continues with measures 4 to 6.2; see glossary section, keyword CCF)

Furthermore there are measures against systematic failures and faults in the SRP/CS. See glossary section, keyword Failures (systematic failures).

Result Use may be made either of a results graph (Fig. 1), from which the PL achieved can be read off, or, if a more precise result is required, of Annex K of EN ISO 13 849-1:2006 (Fig. 2), which gives a precise numerical assignment between the PFHd value and the PL. Results graph: MTTFd is limited to 100 y; the result depends on CC, DC, CCF and MTTFd. Annex K gives the more precise assignment; the overlaps between the bars can be used in the case of precise calculations.

Fig. 1: Bar chart (Fig. 5 of EN ISO 13 849-1:2006). Vertical axis: PFH (1/h) from 10^-4 down to 10^-8, divided into the PL bands a (10^-5 to 10^-4), b (3 × 10^-6 to 10^-5), c (10^-6 to 3 × 10^-6), d (10^-7 to 10^-6) and e (10^-8 to 10^-7). Horizontal axis: Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium), Category 4 (DCavg = high), with CCF measures required from Category 2 onward. Each bar is subdivided by MTTFd of each channel = low / medium / high.

Numerical representation See EN ISO 13 849-1:2006 Annex K

Table K.1 Numerical description of Fig. 5 (of EN ISO 13 849-1:2006 [D] Annex K [informative]): average probability of a dangerous failure per hour (1/h) and corresponding performance level (PL). PFHd values are written as 3.80e-5 for 3.80 × 10^-5; MTTFd is the value for each channel in years; a dash means that the combination is not covered by the table.

MTTFd  Cat. B       Cat. 1       Cat. 2       Cat. 2       Cat. 3       Cat. 3       Cat. 4
(y)    DCavg none   DCavg none   DCavg low    DCavg medium DCavg low    DCavg medium DCavg high
3      3.80e-5 a    -            2.58e-5 a    1.99e-5 a    1.26e-5 a    6.09e-6 b    -
3.3    3.46e-5 a    -            2.33e-5 a    1.79e-5 a    1.13e-5 a    5.41e-6 b    -
3.6    3.17e-5 a    -            2.13e-5 a    1.62e-5 a    1.03e-5 a    4.86e-6 b    -
3.9    2.93e-5 a    -            1.95e-5 a    1.48e-5 a    9.37e-6 b    4.40e-6 b    -
4.3    2.65e-5 a    -            1.76e-5 a    1.33e-5 a    8.39e-6 b    3.89e-6 b    -
4.7    2.43e-5 a    -            1.60e-5 a    1.20e-5 a    7.58e-6 b    3.48e-6 b    -
5.1    2.24e-5 a    -            1.47e-5 a    1.10e-5 a    6.91e-6 b    3.15e-6 b    -
5.6    2.04e-5 a    -            1.33e-5 a    9.87e-6 b    6.21e-6 b    2.80e-6 c    -
6.2    1.84e-5 a    -            1.19e-5 a    8.80e-6 b    5.53e-6 b    2.47e-6 c    -
6.8    1.68e-5 a    -            1.08e-5 a    7.93e-6 b    4.98e-6 b    2.20e-6 c    -
7.5    1.52e-5 a    -            9.75e-6 b    7.10e-6 b    4.45e-6 b    1.95e-6 c    -
8.2    1.39e-5 a    -            8.87e-6 b    6.43e-6 b    4.02e-6 b    1.74e-6 c    -
9.1    1.25e-5 a    -            7.94e-6 b    5.71e-6 b    3.57e-6 b    1.53e-6 c    -
10     1.14e-5 a    -            7.18e-6 b    5.14e-6 b    3.21e-6 b    1.36e-6 c    -
11     1.04e-5 a    -            6.44e-6 b    4.53e-6 b    2.81e-6 c    1.18e-6 c    -
12     9.51e-6 b    -            5.84e-6 b    4.04e-6 b    2.49e-6 c    1.04e-6 c    -
13     8.78e-6 b    -            5.33e-6 b    3.64e-6 b    2.23e-6 c    9.21e-7 d    -
15     7.61e-6 b    -            4.53e-6 b    3.01e-6 b    1.82e-6 c    7.44e-7 d    -
16     7.13e-6 b    -            4.21e-6 b    2.77e-6 c    1.67e-6 c    6.78e-7 d    -
18     6.34e-6 b    -            3.68e-6 b    2.37e-6 c    1.41e-6 c    5.67e-7 d    -
20     5.71e-6 b    -            3.26e-6 b    2.06e-6 c    1.22e-6 c    4.85e-7 d    -
22     5.19e-6 b    -            2.93e-6 c    1.82e-6 c    1.07e-6 c    4.21e-7 d    -
24     4.76e-6 b    -            2.65e-6 c    1.62e-6 c    9.47e-7 d    3.70e-7 d    -
27     4.23e-6 b    -            2.32e-6 c    1.39e-6 c    8.04e-7 d    3.10e-7 d    -
30     3.80e-6 b    3.80e-6 b    2.06e-6 c    1.21e-6 c    6.94e-7 d    2.65e-7 d    9.54e-8 e
33     -            3.46e-6 b    1.85e-6 c    1.08e-6 c    5.94e-7 d    2.30e-7 d    8.57e-8 e
36     -            3.17e-6 b    1.67e-6 c    9.39e-7 d    5.16e-7 d    2.01e-7 d    7.77e-8 e
39     -            2.93e-6 c    1.53e-6 c    8.40e-7 d    4.53e-7 d    1.78e-7 d    7.11e-8 e
43     -            2.65e-6 c    1.37e-6 c    7.34e-7 d    3.87e-7 d    1.54e-7 d    6.37e-8 e
47     -            2.43e-6 c    1.24e-6 c    6.49e-7 d    3.35e-7 d    1.34e-7 d    5.76e-8 e
51     -            2.24e-6 c    1.13e-6 c    5.80e-7 d    2.93e-7 d    1.19e-7 d    5.26e-8 e
56     -            2.04e-6 c    1.02e-6 c    5.10e-7 d    2.52e-7 d    1.02e-7 d    4.73e-8 e
62     -            1.84e-6 c    9.06e-7 d    4.43e-7 d    2.13e-7 d    8.84e-8 e    4.22e-8 e
68     -            1.68e-6 c    8.17e-7 d    3.90e-7 d    1.84e-7 d    7.68e-8 e    3.80e-8 e
75     -            1.52e-6 c    7.31e-7 d    3.40e-7 d    1.57e-7 d    6.62e-8 e    3.41e-8 e
82     -            1.39e-6 c    6.61e-7 d    3.01e-7 d    1.35e-7 d    5.79e-8 e    3.08e-8 e
91     -            1.25e-6 c    5.88e-7 d    2.61e-7 d    1.14e-7 d    4.94e-8 e    2.74e-8 e
100    -            1.14e-6 c    5.28e-7 d    2.29e-7 d    1.02e-7 d    4.29e-8 e    2.47e-8 e

Figure 2: Annex K from EN ISO 13 849-1:2006


Performance Level (3)

According to the standard, evaluation preferably takes place using manufacturer information. A PL can be determined in two ways. (1) A safety function (the chain I + L + O) is split into blocks (logically and functionally individual component parts). The blocks are assessed with respect to the aspects which define the PL and are evaluated together (in part analytically, in part mathematically). This solution method is termed the block method in EN ISO 13 849-1:2006 and is described in detail in Annex B of the standard. (2) An overall SRP/CS is divided into subsystems derived from function blocks. A Sub-PL is determined for every subsystem and the Sub-PLs are combined into an overall PL (see pages 45 et seq.). Sub-PLs have the advantage that a machine manufacturer is able to use a simplified procedure to determine the overall PL: the overall PL is then determined by the lowest Sub-PL and by how many subsystems have it. Moreover, either the MTTFd value must correspond to the classification high, or use is made of the combination table (see page 45 and glossary section, keyword Calculations (PL calculations)). In their results and in their desired effect, a PL and a Safety Integrity Level SIL are equivalent. There is accordingly a compatibility table (e.g. PL e = SIL 3 etc.), although the types of calculation differ in individual cases.

Relationship between PL (EN ISO 13 849-1:2006) and SIL (IEC 62 061:2005 / IEC 61 508:2001):

Average probability of a dangerous failure per hour (1/h)   PL   SIL
≥ 10^-5 to < 10^-4                                          a    no special safety requirements
≥ 3 × 10^-6 to < 10^-5                                      b    1
≥ 10^-6 to < 3 × 10^-6                                      c    1
≥ 10^-7 to < 10^-6                                          d    2
≥ 10^-8 to < 10^-7                                          e    3

Towards the top of the table: measures against lower risks; towards the bottom: measures against higher risks.

CAUTION: the above PFHd classifications apply to an overall PL (or overall SIL). A subsystem may only consume a share of this budget (recommendation: a maximum of 20 % each for I and L, so that at least 60 % remains for O).


Glossary section further information on some keywords and terms


Additional monitoring switch See page 29.

Addition of failure probabilities If MTTFd values are available, the addition per channel takes place using the parts count method, i.e. the reciprocal values 1/MTTFd are added. The sum is then converted back to an overall MTTFd value and compared with the standard's classes low (3 y ≤ MTTFd < 10 y), medium (10 y ≤ MTTFd < 30 y) and high (30 y ≤ MTTFd ≤ 100 y). There is a limit of 100 y MTTFd per channel (by contrast, higher values can be carried within a channel).

1/MTTFd = Σ (i = 1 .. N) 1/MTTFd_i

A so-called symmetrising formula exists for two channels with different MTTFd values:

MTTFd = (2/3) × [ MTTFd_C1 + MTTFd_C2 - 1 / (1/MTTFd_C1 + 1/MTTFd_C2) ]

PFHd values may simply be added together, i.e. 1 × 10^-9 + 1 × 10^-9 = 2 × 10^-9; however, the lowest sub-classification determines the overall PL or SIL. Better PFHd values in no way compensate for limitations of the Safety Integrity Level (q.v.) which occur as a result of so-called architectural constraints.
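The parts count formula, the symmetrising formula, the 100 y cap, the MTTFd classes and the addition of PFHd values from the entry above, worked through in code. This is an added example, not from the brochure or the standard; the component MTTFd values of the two channels are constructed, and the block-MTTFd conversion at the end is the BGIA Report 2/08 simplification quoted later in the glossary (keyword Annex K).

```python
# Added example (not from the brochure): parts count per channel, symmetrisation of two
# channels, the 100 y cap, MTTFd classes and PFHd bookkeeping. Component values are constructed.
from typing import Iterable

MTTFD_CAP_YEARS = 100.0   # EN ISO 13 849-1:2006 cap per channel for the PL estimate
HOURS_PER_YEAR = 8760.0


def mttfd_channel(component_mttfd_years: Iterable[float]) -> float:
    """Parts count: 1/MTTFd_channel = sum over components of 1/MTTFd_i (uncapped)."""
    values = list(component_mttfd_years)
    if not values or any(v <= 0 for v in values):
        raise ValueError("need one or more positive MTTFd values")
    return 1.0 / sum(1.0 / v for v in values)


def mttfd_symmetrised(c1: float, c2: float) -> float:
    """MTTFd = 2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2)) for two redundant channels.
    For C1 == C2 the result is the common value."""
    if c1 <= 0 or c2 <= 0:
        raise ValueError("channel MTTFd must be positive")
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def cap_mttfd(mttfd: float) -> float:
    """Apply the 100 y cap used for the overall PL estimate."""
    return min(mttfd, MTTFD_CAP_YEARS)


def classify_mttfd(mttfd: float) -> str:
    """low: 3 y <= MTTFd < 10 y, medium: 10 y <= MTTFd < 30 y, high: 30 y <= MTTFd <= 100 y."""
    if mttfd < 3.0:
        return "not permitted"
    if mttfd < 10.0:
        return "low"
    if mttfd < 30.0:
        return "medium"
    return "high"


def pfhd_total(pfhd_values: Iterable[float]) -> float:
    """PFHd values of subsystems in series are simply added."""
    return sum(pfhd_values)


def block_mttfd_from_pfhd(pfhd: float) -> float:
    """BGIA Report 2/08 simplification, permissible only in this direction:
    block MTTFd (years) = 1 / (PFHd * 8760 h/y)."""
    if pfhd <= 0:
        raise ValueError("PFHd must be positive")
    return 1.0 / (pfhd * HOURS_PER_YEAR)


# Constructed two-channel example: a relay/contactor channel and an electronic one.
CHANNEL_1 = [50.0, 100.0, 20.0]      # e.g. switch, logic, contactor (years)
CHANNEL_2 = [200.0, 100.0, 400.0]    # e.g. sensor, logic, semiconductor output (years)


def sample_channel_result() -> dict:
    c1 = mttfd_channel(CHANNEL_1)          # 12.5 y
    c2 = mttfd_channel(CHANNEL_2)          # about 57.1 y
    sym = mttfd_symmetrised(c1, c2)        # about 39.6 y
    return {"c1": c1, "c2": c2, "symmetrised": sym,
            "capped": cap_mttfd(sym), "class": classify_mttfd(sym)}


if __name__ == "__main__":
    print(sample_channel_result())
    print(f"{block_mttfd_from_pfhd(2.47e-8):.0f} y block-MTTFd for PFHd = 2.47e-8 1/h")
```

Note that the weaker channel (12.5 y, medium) and the stronger one (about 57 y, high) symmetrise to about 39.6 y, i.e. high: the symmetrising formula is not a plain average, and it returns the common value unchanged when both channels are equal.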

(1) EN 1088: Interlocking devices in conjunction with guards: guidelines for design and selection (www.beuth.de).

AMD 1 to EN 1088:1996 The amendment AMD 1 to EN 1088:1996(1) concerns requirements on the design to minimise the possibilities of defeating interlocking devices. In the meantime AMD 1 has been incorporated into the edition EN 1088-10:2008. Here a distinction must be made between measures which prevent defeat in a simple manner (as up to now) and additional measures designed to make defeat more difficult. Various measures are suggested, depending on the type of interlocking device; of these, and this is what is actually new, at least one must be realised. For devices with separate actuators the following optionally belong to these additional measures: concealed installation of the device; making the actuator difficult to release, e.g. by mounting with tamper-proof screws, rivets, welding etc.; individually coded actuators; or control-related monitoring measures such as plausibility tests, start-up tests or similar. In view of a possible accident, appropriate attention should be paid to the new (extended) requirements. It is estimated that a quarter of all accidents at work involving machines in Germany can be explained by manipulated protective devices. This and other valuable information and findings have been revealed by an empirical study commissioned by a number of statutory accident insurers (including the accident insurers for the metal industry) and conducted by the Institute for Occupational Health and Safety (BGIA) in St. Augustin (download: www.dguv.de/bgia, Publikationen, BGIA-Reports 2005/2006).


Nevertheless, making the manipulation of protective devices more difficult is not everything. Frequently, as the above study has shown, operators have reasons, both objective and subjective, to manipulate them if they wish to do their work. Therefore in future there will be a greater requirement for the engineers designing machines to allow for this as part of the safety concept of a machine, e.g. by additionally providing operating modes outside automatic mode that are equally effective and safe. But it is also a question of the safety culture in the company operating the machine when it comes to the subject of manipulation of protective devices.

Annex E Estimation of diagnostic coverage (DC) for functions and modules See keyword Fault detection and pages 32 f. and pages 68 f.

Annex G (according to EN ISO 13 849-1:2006) Measures against systematic failures are among the most important measures for SRP/CS safety; other measures are hardly able to compensate for shortcomings in this area. For this reason, measures to prevent and control systematic failures are additionally considered once again in the informative Annex G of EN ISO 13 849-1:2006. Additionally considered means that EN 954-1:1996 (ISO 13 849-1:1999) and in particular EN ISO 13 849-2:2003 (originally conceived as EN 954-2) already contain deliberate requirements which are continued and improved on in Annex G. The same considerations on this subject are similarly present in EN IEC 62 061:2005. Annex G is divided into 4 groups: G.1 is simply a cross-reference to the detailed considerations in EN ISO 13 849-2:2003 (see above); G.2 concerns measures to control systematic failures, G.3 measures to prevent systematic failures and G.4 measures to prevent systematic failures during the integration of an SRP/CS.

ISO/FDIS 13849-1:2006(E)

Annex G (informative) Systematic failure


G.1 General ISO 13849-2 gives a comprehensive list of measures against systematic failure which should be applied, such as basic and well-tried safety principles.

G.2 Measures for the control of systematic failures The following measures should be applied:
- Use of de-energization (see ISO 13849-2): the safety-related parts of the control system (SRP/CS) should be designed so that with loss of its power supply a safe state of the machine can be achieved or maintained.
- Measures for controlling the effects of voltage breakdown, voltage variations, overvoltage, undervoltage: SRP/CS behaviour in response to voltage breakdown, voltage variations, overvoltage and undervoltage conditions should be predetermined so that the SRP/CS can achieve or maintain a safe state of the machine (see also IEC 60204-1 and IEC 61508-7:2000, A.8).
- Measures for controlling or avoiding the effects of the physical environment (for example temperature, humidity, water, vibration, dust, corrosive substances, electromagnetic interference and its effects): SRP/CS behaviour in response to the effects of the physical environment should be predetermined so that the SRP/CS can achieve or maintain a safe state of the machine (see also, for example, IEC 60 529, IEC 60 204-1).


Annex K (according to EN ISO 13 849-1:2006) Annex K serves two purposes. Firstly, it allows the overlapping areas of the bar chart to be read more precisely, for example from which MTTFd value PL e is also achieved with an architecture according to CC 3 and a medium diagnostic coverage (from 62 y) etc. For clarification see the following table extract. Secondly, Annex K gives the average probability of a dangerous failure per hour (the PFHd value) corresponding to a specific configuration. For example, PL d with an architecture according to CC 3, a channel MTTFd value of 56 y and a medium diagnostic coverage corresponds to a PFHd value of 1.02 × 10^-7/h. The PFHd value is in practice the language of EN IEC 61 508:2001 and EN IEC 62 061:2005, because these standards express the residual failure probability of an SRP/CS in this unit. We could also say that the influence of EN IEC 61 508:2001 during the preparation of EN ISO 13 849-1:2006 is most clearly reflected in Annex K. The PFHd value is, however, not an exclusively probabilistic approach.

(1) Since CCF measures are obligatory from CC 2, they are not listed by name in Annex K but are regarded as a given.

Table K.1 (extract, MTTFd 3 y to 33 y) Numerical description of Fig. 5 (of EN ISO 13 849-1:2006 [D] Annex K [informative]): average probability of a dangerous failure per hour (1/h) and corresponding performance level (PL). PFHd values are written as 3.80e-5 for 3.80 × 10^-5; a dash means that the combination is not covered by the table.

MTTFd  Cat. B       Cat. 1       Cat. 2       Cat. 2       Cat. 3       Cat. 3       Cat. 4
(y)    DCavg none   DCavg none   DCavg low    DCavg medium DCavg low    DCavg medium DCavg high
3      3.80e-5 a    -            2.58e-5 a    1.99e-5 a    1.26e-5 a    6.09e-6 b    -
3.3    3.46e-5 a    -            2.33e-5 a    1.79e-5 a    1.13e-5 a    5.41e-6 b    -
3.6    3.17e-5 a    -            2.13e-5 a    1.62e-5 a    1.03e-5 a    4.86e-6 b    -
3.9    2.93e-5 a    -            1.95e-5 a    1.48e-5 a    9.37e-6 b    4.40e-6 b    -
4.3    2.65e-5 a    -            1.76e-5 a    1.33e-5 a    8.39e-6 b    3.89e-6 b    -
4.7    2.43e-5 a    -            1.60e-5 a    1.20e-5 a    7.58e-6 b    3.48e-6 b    -
5.1    2.24e-5 a    -            1.47e-5 a    1.10e-5 a    6.91e-6 b    3.15e-6 b    -
5.6    2.04e-5 a    -            1.33e-5 a    9.87e-6 b    6.21e-6 b    2.80e-6 c    -
6.2    1.84e-5 a    -            1.19e-5 a    8.80e-6 b    5.53e-6 b    2.47e-6 c    -
6.8    1.68e-5 a    -            1.08e-5 a    7.93e-6 b    4.98e-6 b    2.20e-6 c    -
7.5    1.52e-5 a    -            9.75e-6 b    7.10e-6 b    4.45e-6 b    1.95e-6 c    -
8.2    1.39e-5 a    -            8.87e-6 b    6.43e-6 b    4.02e-6 b    1.74e-6 c    -
9.1    1.25e-5 a    -            7.94e-6 b    5.71e-6 b    3.57e-6 b    1.53e-6 c    -
10     1.14e-5 a    -            7.18e-6 b    5.14e-6 b    3.21e-6 b    1.36e-6 c    -
11     1.04e-5 a    -            6.44e-6 b    4.53e-6 b    2.81e-6 c    1.18e-6 c    -
12     9.51e-6 b    -            5.84e-6 b    4.04e-6 b    2.49e-6 c    1.04e-6 c    -
13     8.78e-6 b    -            5.33e-6 b    3.64e-6 b    2.23e-6 c    9.21e-7 d    -
15     7.61e-6 b    -            4.53e-6 b    3.01e-6 b    1.82e-6 c    7.44e-7 d    -
16     7.13e-6 b    -            4.21e-6 b    2.77e-6 c    1.67e-6 c    6.78e-7 d    -
18     6.34e-6 b    -            3.68e-6 b    2.37e-6 c    1.41e-6 c    5.67e-7 d    -
20     5.71e-6 b    -            3.26e-6 b    2.06e-6 c    1.22e-6 c    4.85e-7 d    -
22     5.19e-6 b    -            2.93e-6 c    1.82e-6 c    1.07e-6 c    4.21e-7 d    -
24     4.76e-6 b    -            2.65e-6 c    1.62e-6 c    9.47e-7 d    3.70e-7 d    -
27     4.23e-6 b    -            2.32e-6 c    1.39e-6 c    8.04e-7 d    3.10e-7 d    -
30     3.80e-6 b    3.80e-6 b    2.06e-6 c    1.21e-6 c    6.94e-7 d    2.65e-7 d    9.54e-8 e
33     -            3.46e-6 b    1.85e-6 c    1.08e-6 c    5.94e-7 d    2.30e-7 d    8.57e-8 e

The table in Annex K is based on copious calculations using Markov models which were performed by the Institute for Occupational Health and Safety (BGIA) of the German Statutory Accident Insurance in St. Augustin in the course of preparing the standard. Unfortunately the figures in Annex K end with an MTTFd value of 100 y per channel, even though the conversion of higher values would sometimes be desirable for considerations within a channel. However, it is possible to extrapolate such values in simplified form using a logarithmic calculation. According to BGIA Report 2/08, a block MTTFd value can also be calculated in a greatly simplified manner from a PFHd value by forming the reciprocal (this is permissible only in this direction): block MTTFd (in years) = 1 / (PFHd × 8,760 h/y); in the case of higher PLs or SILs this is usually several hundred years. In the meantime the Annex K figures (so-called basic values) have been unofficially updated, but this applies only to architectures according to Control Category 4. The application of these figures is only compatible with EN ISO 13 849-1:2006 for subsystems (in order to be able to connect more of these in series). The limit of 1 × 10^-8 for an overall SRP/CS is unaffected by this.


For other architectures the advice, when necessary, continues to be cautious extrapolation taking into consideration the double logarithmic scale, or using the auxiliary variables MTTFd and block-MTTFd. The updated figures are shown below (at CC 4, DC high and CCF ≥ 65 points):

MTTFd (y)   PFHd (1/h)
100         2.47 × 10^-8
110         2.23 × 10^-8
120         2.03 × 10^-8
130         1.87 × 10^-8
150         1.61 × 10^-8
160         1.50 × 10^-8
180         1.33 × 10^-8
200         1.19 × 10^-8
220         1.08 × 10^-8
240         9.81 × 10^-9
270         8.67 × 10^-9
300         7.76 × 10^-9
330         7.04 × 10^-9
360         6.44 × 10^-9
390         5.94 × 10^-9
430         5.38 × 10^-9
470         4.91 × 10^-9
510         4.52 × 10^-9
560         4.11 × 10^-9
620         3.70 × 10^-9
680         3.37 × 10^-9
750         3.05 × 10^-9
820         2.79 × 10^-9
910         2.51 × 10^-9
1,000       2.27 × 10^-9
1,100       2.07 × 10^-9
1,200       1.90 × 10^-9
1,300       1.75 × 10^-9
1,500       1.51 × 10^-9
1,600       1.42 × 10^-9
1,800       1.26 × 10^-9
2,000       1.13 × 10^-9
2,200       1.03 × 10^-9
2,300       9.85 × 10^-10
2,400       9.44 × 10^-10
2,500       9.06 × 10^-10

Architectures Standard definition (EN 62 061:2005): specific configuration of hardware and software elements in an SRP/CS: SRP/CS architectures are composed of the input level I (consisting of safety-oriented sensors and control devices), the logic level L (for signal processing) and the output level O (with the control signals for the hazardous movement triggered by outputs such as contactors). The number of channels (in other words the control category) and the internal or external test equipment also form part of the architecture. Consideration of the entire chain, i.e. the series connection I + L + O is necessary to determine an (overall) PL or SIL.

Figure: Sensor (detect) → Logic (process) → Actor (switch), i.e. SRP/CSa → interconnection i_ab → SRP/CSb → interconnection i_bc → SRP/CSc; the whole chain is evaluated against the required PL (PLr) or SIL.

(1) AOPD = Active Optoelectronic Protective Device

A level here can once again be the result of a series connection, in so far as this results from the safety function. The architectures in EN ISO 13 849-1:2006 take on a special significance under the term designated architectures. They refer to the control categories familiar from EN 954-1:1996 and updated in EN ISO 13 849-1:2006. In this connection designated architectures means that significant deviation from them (i.e. substantial deviation from the control categories) is not permitted (with the exception of fault exclusions) if one wishes to use EN ISO 13 849-1:2006. Otherwise they would need to be evaluated according to EN IEC 61 508:2001, EN IEC 62 061:2005 or other specific standards (e.g. EN IEC 61 496 for AOPDs(1)). In this context architectures should not be considered as circuit diagrams, however, but as functional schematic diagrams. In this respect, as long as one keeps to the main features and main structure of the designated architectures, it makes no difference whether one has three or more or fewer blocks in a channel. This restriction is explained by the probability calculations which were in the background during the preparation of EN ISO 13 849-1:2006 and which rest on the familiar control categories. See also keyword control categories

B10d values Standard definition: number of cycles until 10 % of components have failed dangerously (B10d values apply primarily to mechanical, fluidic and electromechanical components). CAUTION: a further important feature is the T10d value! Number of cycles means the number of switching cycles over the service life, i.e. the B10d value expresses a maximum number of switching cycles and forms the foundation for the requisite MTTFd calculations of devices in an SRP/CS that are affected by wear and tear. These include mechanical components and devices, e.g. springs, fluidic devices, e.g. valves, and electromechanical switchgear, e.g. contactors, relays, position switches, emergency-stop control devices etc. Components of this kind have a failure pattern which is determined by the number of switching cycles performed and partly also by the switching load, and for which consequently a (monotonically increasing) Weibull distribution is assumed, because the failure probability varies over time. The formulae to convert a B10d value into an MTTFd value are as follows:

MTTFd = B10d / (0.1 × nop)

nop = (dop × hop × 3,600 s/h) / tcycle

where
nop = average number of switching cycles per year
dop = average number of operating days per year
hop = average number of operating hours per day
tcycle = average time between two demands of the safety function in s (for example 4 per hour = 1 per 15 min = 900 s)

In Annex C (Table C.1) of EN ISO 13 849-1:2006, B10d values are specified for typical kinds of components affected by wear and tear, for which the above formula then applies to the calculation of MTTFd values per channel (deviating manufacturer details may be used as a basis as an alternative to the standard values). There is an exception for mechanical and hydraulic components, for which the calculation formula need not be applied. Because of the well-known and empirically confirmed high reliability of these components, the standard setter recommends the assumption of a blanket 150 y MTTFd per channel (provided that the basic and well-tried safety principles described in the standard are observed). The B10d values for (reed contact-based) proximity switches, contactors and relays form a second feature in Annex C. Two B10d values are specified for components of this kind: the first B10d value applies when the component is operated at low load (20 %) (B10d = 20,000,000), and the other when the component is operated at maximum load (B10d = 400,000). The formation of interim values is permissible, e.g. 7,500,000 (at 40 % load), 2,500,000 (at 60 % load) or 1,000,000 (at 80 % load). Care must furthermore be taken that positive-break contacts are required for emergency-stop devices and position switches according to EN IEC 60 947-5-x. A prerequisite for application of the B10d standard values are the so-called processes of good engineering practice, i.e. the component manufacturer confirms the use of the basic and well-tried safety principles according to EN ISO 13 849-2:2003 or the corresponding product standards for the design of the component and describes the suitable application and operating conditions for the user (keyword: operating instructions).
In addition, the person responsible for the SRP/CS must comply with the basic and well-tried safety principles according to EN ISO 13 849-2:2003 for the implementation and operation of the component. There is one further feature to be taken into account in connection with components affected by wear and tear, namely the so-called T10d value, which governs the preventive maintenance of components affected by wear and tear through timely replacement.

Extract of Table C.1 of EN ISO 13849-1:2006: selected B10d values of components typically used in SRP/CS

Component                                                        Basic and well-tried safety principles   Other relevant standards              Typical values: MTTFd (years), B10d (cycles)
                                                                 in accordance with ISO 13 849-2:2003
Mechanical components                                            Tables A.1 and A.2                       -                                     MTTFd = 150
Hydraulic components                                             Tables C.1 and C.2                       EN 982                                MTTFd = 150
Pneumatic components                                             Tables B.1 and B.2                       EN 983                                B10d = 20,000,000
Relays and auxiliary contactors with low load (mechanical load)  Tables D.1 and D.2                       EN 50 205, IEC 61 810, IEC 60 947     B10d = 20,000,000
Relays and auxiliary contactors with maximum load                Tables D.1 and D.2                       EN 50 205, IEC 61 810, IEC 60 947     B10d = 400,000
Proximity switches with low load (mechanical load)               Tables D.1 and D.2                       IEC 60 947, EN 1088                   B10d = 20,000,000
Proximity switches with maximum load                             Tables D.1 and D.2                       IEC 60 947, EN 1088                   B10d = 400,000
Contactors with low load (mechanical load)                       Tables D.1 and D.2                       IEC 60 947                            B10d = 20,000,000
Contactors with nominal load                                     Tables D.1 and D.2                       IEC 60 947                            B10d = 2,000,000
Position switches, irrespective of load                          Tables D.1 and D.2                       IEC 60 947, EN 1088                   B10d = 20,000,000
Position switches (with separate actuator, latching), irrespective of load   Tables D.1 and D.2           IEC 60 947, EN 1088                   B10d = 2,000,000
Emergency-stop devices, irrespective of load                     Tables D.1 and D.2                       IEC 60 947, ISO 13 850                B10d = 100,000
Emergency-stop devices with maximum number of actuations         Tables D.1 and D.2                       IEC 60 947, ISO 13 850                B10d = 100,000
Buttons (e.g. enabling buttons), irrespective of load            Tables D.1 and D.2                       IEC 60 947                            B10d = 100,000

(1) If fault exclusion for positive opening is possible

Neither the B10d value nor the T10d value consideration is entirely without problems, since not every mechanical engineer knows in advance which operating conditions the customer will subject his machines to. Where applicable, assessments should be made according to worst-case scenarios and/or such components should be incorporated into the SRP/CS in such a way that the T10d value consideration always yields a legitimate value of more than 20 y (see mission time). Consideration of the demand rate of the safety function forms part of this, e.g. so that an emergency-stop control device does not become a dual-use product which simultaneously functions as the operational STOP button (an additional device should be provided for this), and so that the electrical load with which the specific components are operated lies at most in the medium range. The B10d and T10d values built into the standard are dimensioned very generously.
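The B10d conversion given above and the T10d replacement check discussed in this paragraph, worked through in code. This is an added example, not from the brochure; the duty cycles (operating days, hours and demand interval) are constructed, the B10d values are the Table C.1 figures quoted above, and the formula T10d = B10d / nop is the one from Annex C of EN ISO 13 849-1:2006 (the brochure mentions T10d but does not print the formula).

```python
# Added example (not from the brochure): B10d -> nop -> MTTFd and the T10d replacement
# interval for wear-affected components. Duty values are constructed; B10d values are
# the Table C.1 figures quoted in the text; T10d = B10d/nop is from Annex C of the standard.
from dataclasses import dataclass

MISSION_TIME_YEARS = 20.0   # mission time assumed by EN ISO 13 849-1


@dataclass(frozen=True)
class Duty:
    d_op: float       # average operating days per year
    h_op: float       # average operating hours per day
    t_cycle_s: float  # average time between two demands of the safety function, in s


def n_op(duty: Duty) -> float:
    """nop = dop * hop * 3600 s/h / tcycle: mean number of demands per year."""
    if duty.d_op <= 0 or duty.h_op <= 0 or duty.t_cycle_s <= 0:
        raise ValueError("duty values must be positive")
    return duty.d_op * duty.h_op * 3600.0 / duty.t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd = B10d / (0.1 * nop), in years."""
    if b10d <= 0 or nop <= 0:
        raise ValueError("B10d and nop must be positive")
    return b10d / (0.1 * nop)


def t10d_years(b10d: float, nop: float) -> float:
    """T10d = B10d / nop (Annex C of the standard): time after which the component must be
    replaced preventively. It is one tenth of the MTTFd computed from the same B10d."""
    if b10d <= 0 or nop <= 0:
        raise ValueError("B10d and nop must be positive")
    return b10d / nop


def replacement_needed_within_mission(t10d: float) -> bool:
    """True if T10d is shorter than the 20 y mission time, i.e. the component does not
    last the mission without a scheduled replacement."""
    return t10d < MISSION_TIME_YEARS


def assess(b10d: float, duty: Duty) -> dict:
    """Bundle nop, MTTFd, T10d and the replacement decision for one component and duty."""
    nop = n_op(duty)
    t10d = t10d_years(b10d, nop)
    return {"nop": nop, "mttfd": mttfd_from_b10d(b10d, nop), "t10d": t10d,
            "replace_within_mission": replacement_needed_within_mission(t10d)}


# Constructed duty: 220 days/year, 16 h/day, one demand every 15 min (900 s).
FREQUENT = Duty(d_op=220, h_op=16, t_cycle_s=900)
# Constructed duty: the same machine, but the device is demanded about once per shift day.
RARE = Duty(d_op=220, h_op=16, t_cycle_s=16 * 3600)

CONTACTOR_NOMINAL_LOAD_B10D = 2_000_000   # Table C.1
EMERGENCY_STOP_B10D = 100_000             # Table C.1

if __name__ == "__main__":
    print("contactor, frequent demand      :", assess(CONTACTOR_NOMINAL_LOAD_B10D, FREQUENT))
    print("e-stop misused as operational stop:", assess(EMERGENCY_STOP_B10D, FREQUENT))
    print("e-stop, rare demand             :", assess(EMERGENCY_STOP_B10D, RARE))
```

With one demand every 15 minutes the contactor reaches nop = 14,080 cycles/year, an MTTFd of about 1,420 y and a T10d of about 142 y, so no replacement within the mission time is needed. An emergency-stop device (B10d = 100,000) pressed at the same rate, i.e. used as the operational stop, gets a T10d of only about 7.1 y and would have to be replaced within the 20 y mission time; demanded once per shift day, its T10d is about 455 y. This is the dual-use point made in the paragraph above.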

Bar chart See loc. cit. and Part 6, page 81 et seq.: Features and use of EN ISO 13 849-1:2006.

Bathtub curve Diagram representation of the failure rate of (typically) electronic components, devices and systems over their service life, with a constant failure rate in Phase II. Taking into account Phase I (early failures) and Phase III (end of service life, wear-out failures), the diagram produces a curve which resembles a bathtub. See also keywords Exponential Distribution and Failure Rates. Typical products: electronic safety sensors, optoelectronic protective devices (AOPDs), safety PLCs, bus systems etc.


Figure: bathtub curve. Vertical axis: failure rate; horizontal axis: time of operation. Phase I: early failures; Phase II: phase of constant failures; Phase III: failures caused by wear.

Failure rates with bathtub-curve behaviour cannot be used throughout for an SRP/CS, because components, devices and systems are frequently built with technologies for which the constant failure rate of Phase II does not apply, e.g. fluid technology, electromechanical switchgear and mechanics. In these cases a B10d value (q.v.) analysis should precede the calculation of MTTFd values.

BGIA The BGIA, the Institute for Occupational Health and Safety of the German Statutory Accident Insurance, is a research and test institute of the statutory accident insurance companies in Germany. It has its registered office in St. Augustin near Bonn. The BGIA supports the statutory accident insurance companies in Germany and their institutions with an emphasis on scientific and technical questions in occupational health and safety through:
- research, development and investigation
- inspection of products and samples of materials
- operational measurements and consultation
- involvement in standardisation and the formulation of rules
- provision of professional information and expert knowledge
In addition the BGIA is active on behalf of manufacturers and companies within the framework of:
- product inspection and certification
- certification of quality management

BGIA disc An aid issued by the BGIA that displays the relationships between PL and PFHd on the one hand and MTTFd, DC and CCF on the other. In essence this reproduces the bar chart (Fig. 5) from EN ISO 13 849-1:2006.

Figure: BGIA disc. Outer scale: PFH (1/h) from 10^-4 to 10^-8 with the PL bands a to e (band limits 10^-5, 3 × 10^-6, 10^-6, 10^-7, 10^-8). Bars: Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium), Category 4 (DCavg = high) + CCF. Example reading shown on the disc: Cat. 4, DC high, MTTFd 30 y → 9.54 × 10^-8 1/h, PL e.


BGIA Report 2/08 This report with the title Funktionale Sicherheit von Maschinensteuerungen: Anwendung der DIN EN ISO 13 849 (Functional Safety of Machine Controls: Application of DIN EN ISO 13 849) serves to provide a deeper understanding of EN ISO 13 849-1:2006. The report is published by the BGIA, Institute for Occupational Health and Safety of the German Statutory Accident Insurance (DGUV), St. Augustin; it can be downloaded from www.dguv.de or requested as a hard copy from the BGIA (or from us). The report comprises around 260 pages and is divided into the following chapters: Foreword; Introduction; Report and Standard in overview; Safety functions and their contribution to risk reduction; Design of safe controls; Verification and validation; Wiring examples for SRP/CS; Bibliography; plus 10 annexes. The 37 wiring examples are worthy of particular mention, even if these are not recipes. See also pages 73 et seq.

Cabling See fault exclusion: Wiring/cabling

Calculations (PL calculations) There are two fundamentally different approaches when calculating (estimating) a Performance Level PL according to EN ISO 13 849-1:2006: Approach 1 is the discrete consideration, i.e. the safety-related parts in the machine control are determined (identified) and structured in a block diagram according to the block method (see example).

Figure: example of the block method (labels translated from German: Eingänge = inputs, Ausgänge = outputs, SPS = PLC, FU = frequency inverter, Betriebshalt = operational stop, Reglerfreigabe = controller enable). Position switch SW1B with contacts B1 and B2 → PLC (SPS) inputs and outputs → contactor K1 (two contacts) and frequency inverter FU (operational stop, controller enable) → motor G1 (speed n).


The MTTFd, DC and CCF contribution is established for every individual block and, based on specific formulae and look-up tables, collated into the respective overall values. An assessment then follows based on the relationship between the categories, DCavg, MTTFd of each channel and PL in the EN ISO 13 849-1:2006 standard (see bar chart loc. cit.). In EN ISO 13 849-1:2006 this approach is also described as the block method and explained in detail in Annex B. A standard example can be found in the brochure on pages 131 et seq. Approach 2 is the consideration of subsystems which have already been assigned or estimated with a Performance Level PL (= Sub-PL) and application of the so-called combination table. The lowest Sub-PL (a < b < c < d < e) and how often it occurs are fundamentally decisive for the overall PL (see table), i.e. the overall PL remains unaffected up to a specific number of PLlow, while above a specific number of PLlow there is a downgrading by one level due to the adding together of residual risks/residual fault probabilities (see the standard example). However, downgrading is not necessary if (as part of a simple additional calculation) the summation of the individual MTTFds in the SRP/CS produces an overall value of high (≥ 30 y) or a corresponding PFHd value.

Calculation of the PL for the series connection of SRP/CS

PLlow   Nlow   PL
a       > 3    none, not permitted
a       ≤ 3    a
b       > 2    a
b       ≤ 2    b
c       > 2    b
c       ≤ 2    c
d       > 3    c
d       ≤ 3    d
e       > 3    d
e       ≤ 3    e

A similar approach (which operates with SILsubsystems) is also provided for in EN IEC 62 061:2005 See also pages 45 et seq. of the brochure
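The two routes for combining subsystems described above (the combination table, and the precise route of adding PFHd values and reading the PL band), worked through in code. This is an added example, not from the brochure; the Sub-PL/PFHd pairs used as the sample chain are constructed (the PFHd figures are Annex K values quoted elsewhere on this page).

```python
# Added example (not from the brochure): combining Sub-PLs of subsystems in series, once via
# the combination table and once via the precise PFHd route. The sample subsystems are constructed.
from typing import List, Optional, Sequence, Tuple

PL_ORDER = "abcde"   # a is the lowest PL, e the highest

# PLlow -> (maximum Nlow without downgrade, PL after downgrade; None = not permitted)
COMBINATION_TABLE = {
    "a": (3, None),
    "b": (2, "a"),
    "c": (2, "b"),
    "d": (3, "c"),
    "e": (3, "d"),
}

# PL bands by average probability of a dangerous failure per hour (lower bound inclusive)
PL_BANDS: Sequence[Tuple[str, float, float]] = (
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
)


def combine_by_table(sub_pls: List[str]) -> Optional[str]:
    """Overall PL from the combination table: lowest Sub-PL and how often it occurs."""
    if not sub_pls or any(p not in PL_ORDER for p in sub_pls):
        raise ValueError("sub-PLs must be letters a..e")
    pl_low = min(sub_pls, key=PL_ORDER.index)
    n_low = sub_pls.count(pl_low)
    n_max, downgraded = COMBINATION_TABLE[pl_low]
    return pl_low if n_low <= n_max else downgraded


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """PL band for a PFHd value; None if outside 1e-8 .. 1e-4 (no PL can be claimed)."""
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    return None


def combine_by_pfhd(subsystems: List[Tuple[str, float]]) -> Optional[str]:
    """Precise route: add the PFHd values, read the band, and never exceed the lowest Sub-PL."""
    if not subsystems:
        raise ValueError("need at least one subsystem")
    total = sum(pfhd for _, pfhd in subsystems)
    from_sum = pl_from_pfhd(total)
    if from_sum is None:
        return None
    lowest = min((pl for pl, _ in subsystems), key=PL_ORDER.index)
    return min(from_sum, lowest, key=PL_ORDER.index)


# Constructed chain: two PL e subsystems (Cat 4, 30 y, Annex K: 9.54e-8) and one PL d
# subsystem (Cat 3, DC medium, 56 y, Annex K: 1.02e-7).
SAMPLE = [("e", 9.54e-8), ("e", 9.54e-8), ("d", 1.02e-7)]

if __name__ == "__main__":
    print("table route:", combine_by_table([pl for pl, _ in SAMPLE]))
    print("PFHd route :", combine_by_pfhd(SAMPLE))
    three_e = [("e", 9.54e-8)] * 3
    print("three PL e :", combine_by_table(["e", "e", "e"]), "vs", combine_by_pfhd(three_e))
```

For the sample chain both routes give PL d. The two routes can disagree, though: three PL e subsystems stay PL e in the combination table, but if each sits at 9.54 × 10^-8/h their sum (2.86 × 10^-7/h) lands in the PL d band. Where the routes differ, the precise PFHd route is the one the page recommends when a more exact result is required, and the lower result is the defensible claim.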

Capping/capping limit This means that no more than 100 y MTTFd may be used per channel when calculating an overall PL (in order to prevent calculations being made to look better than they are solely on the basis of an MTTFd value, i.e. reaching PLs higher than c with a single-channel architecture). Calculations with values higher than 100 y MTTFd are possible within a channel and are sometimes (in the case of longer series connections) also urgently required. In this respect see also the remark on the SISTEMA software tool on page 23.

CCF (Common Cause Failure), CCF measures, CCF management: Standard definition (EN ISO 13 849-1:2006): failures of various units due to a single event, whereby these failures are not consequences of one another (not to be confused with similar failures). The basis of CCF management is a very specific fault analysis aimed at ensuring that adequate measures are taken to counter failures which impact on more than one SRP/CS channel at the same time and which can therefore render the protective function of a system ineffective despite its multiple-channel design.

CCF is also referred to via the β factor in the terminology of the EN IEC 62 061:2005 and EN IEC 61 508:2001 standards. These specific failures are also described in other places as Common Mode Failures.

[Figure: a common cause leading to the failure of channel 1 and the failure of channel 2]

A typical example of CCFs is the effect of electromagnetic radiation, e.g. a surge pulse which impacts on redundantly implemented semiconductor outputs with the simultaneous damaging result that the transistors of both channels can no longer switch off. A lack of filter measures in fluid technology or faults resulting from climatic impact such as humidity are further examples. In Table F.1, EN ISO 13 849-1:2006 lists customary CCF measures (see the table below) and evaluates every measure with points. If the sum of points for the measures taken produces a score of over 65 points (out of a max. of 100), EN ISO 13 849-1:2006 considers that sufficient measures have been taken against CCF risks, i.e. a tick can be placed against the point for CCF management. Adequate CCF measures must always be guaranteed from Control Category 2 upwards.

Procedure for awarding points and quantification of measures against CCF

No.   Measure against CCF                                                                 Score
1     Disconnection/separation: physical separation between the signal paths             15
2     Diversity: different technologies/configurations or physical principles are used   20
3     Configuration/application/experience
3.1   Protection against surge, excess pressure, overcurrent etc.                         15
3.2   Use of tried and tested components                                                  5
4     Evaluation/analysis: have the results of a failure mode and effects analysis been
      taken into consideration to prevent common cause failures in the development
      process?                                                                            5
5     Competency/training: have design engineers been trained to understand the reasons
      for and effects resulting from common cause failures?                               5
6     Environment
6.1   Protection from pollution and electromagnetic influence (EMC) against CCF in
      compliance with the appropriate standards                                           25
6.2   Other influences: have all requirements in terms of sensitivity to all relevant
      ambient conditions such as temperature, shock, vibration, humidity (e.g. as
      specified in the pertinent standards) been taken into consideration?                10
      Total                                                                               100

It can be seen from the table that the CCF points can only be determined in advance to a limited extent in the case of simple single devices, because analysis items 1 and 2 in particular concern areas where configuration is a matter for our customer. Analysis items 3 onwards, by contrast, are predominantly design-related and device-specific, and already deliver the minimum of 65 points required for simple single devices.

CCF management/measures See above!

Compatibility SIL to PL / PL to SIL Since EN IEC 61 508:2001 is behind both new SRP/CS standards, SIL and PL details between the two are compatible, i.e. a PL can schematically be expressed as an SIL, and an SIL schematically as a PL. A shared measurement criterion here is the probability of dangerous failure per hour (PFHd) as follows:

Average probability of a dangerous failure per hour [1/h]   PL (EN ISO 13 849-1:2006)   SIL (IEC 62 061:2005 / IEC 61 508:2001)
≥ 10^-5 to < 10^-4                                           a                           no special safety requirements
≥ 3 × 10^-6 to < 10^-5                                       b                           1
≥ 10^-6 to < 3 × 10^-6                                       c                           1
≥ 10^-7 to < 10^-6                                           d                           2
≥ 10^-8 to < 10^-7                                           e                           3

(From top to bottom: measures against lower risk to measures against higher risks.)

The above mentioned procedure applies overall, but can also be used for subsystems or part systems. This then has the particular advantage, for example, that SIL qualified devices may be integrated into PL considerations according to EN ISO 13 849-1:2006 and, vice versa, PL qualified devices into SIL considerations according to EN IEC 62 061:2005. If calculating without use of the combination table (Table 11 of EN ISO 13 849-1:2006), the recommendation for subsystems is that a maximum of 20 % of the overall PFHd each should be used for I and L, so that > 60 % remains available for the O level (which experience shows to be the weakest link in the chain). Remark: for the conversion of MTTFd values into PFHd values and vice versa see keyword Annex K of EN ISO 13 849-1:2006.
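The PFHd scale above and the 20 % / 20 % / > 60 % budget recommendation, as an added example that is not code from the brochure; the interpretation of "overall PFHd" as the upper PFHd limit of the PLr band is an assumption noted in the code:

```python
"""Added example (not from the brochure): mapping a PFHd value to PL and
SIL via the common scale of EN ISO 13 849-1:2006 / IEC 62 061:2005, and
checking the PFHd budget recommended for the I, L and O subsystems."""

PL_ORDER = "abcde"

# PFHd ranges per PL [1/h]: (PL, lower bound inclusive, upper bound exclusive)
PL_BANDS = [
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
]

# PL to SIL correspondence; PL a has no SIL (no special safety requirements)
SIL_FOR_PL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def pl_from_pfhd(pfhd):
    """PL for an average probability of dangerous failure per hour."""
    for pl, lower, upper in PL_BANDS:
        if lower <= pfhd < upper:
            return pl
    raise ValueError(f"PFHd {pfhd:.2e} lies outside the PL a..e scale")


def sil_for_pl(pl):
    return SIL_FOR_PL[pl]


def pfhd_limit_for_pl(pl):
    """Upper PFHd bound (exclusive) of the band belonging to the given PL."""
    for band_pl, _, upper in PL_BANDS:
        if band_pl == pl:
            return upper
    raise ValueError(f"unknown PL {pl!r}")


def check_pfhd_budget(pfhd_i, pfhd_l, pfhd_o, pl_r):
    """Sum the subsystem PFHd values, determine the achieved PL and compare
    the I and L shares against the recommendation in the text (max. 20 %
    each, so that more than 60 % remains for O). Assumption made here: the
    'overall PFHd' the shares refer to is the upper PFHd limit of PLr."""
    total = pfhd_i + pfhd_l + pfhd_o
    pl = pl_from_pfhd(total)
    limit = pfhd_limit_for_pl(pl_r)
    share_i, share_l = pfhd_i / limit, pfhd_l / limit
    return {
        "pfhd_total": total,
        "pl": pl,
        "sil": sil_for_pl(pl),
        "meets_plr": PL_ORDER.index(pl) >= PL_ORDER.index(pl_r),
        "share_i": share_i,
        "share_l": share_l,
        "share_o_available": 1.0 - share_i - share_l,
        "within_recommendation": share_i <= 0.20 and share_l <= 0.20,
    }


if __name__ == "__main__":
    # Constructed sample for PLr = d (limit 1e-6 /h): I 15 %, L 10 %, O 50 %
    print(check_pfhd_budget(1.5e-7, 1e-7, 5e-7, "d"))
```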

Coming into force EN ISO 13 849-1:2006 came into force in the autumn of 2006. EN IEC 62 061:2005 is already in force; however EN 954-1:1996 (and ISO 13 849-1:1999) may still be applied until December (with presumption of conformity to the EC Machinery Directive). See also keyword Transition period for further information.

Control categories Terminology from EN 954-1:1996, in future termed designated architectures (in EN ISO 13 849-1:2006). They concern the safety-related requirements on SRP/CS irrespective of the technology and are divided into 5 levels (categories B, 1, 2, 3 and 4). The levels range from simple to complicated requirements, such as single-fault safety/redundancy and self-monitoring. In addition to the requirements relating to architecture, observation of the so-called basic safety principles (from CC B) and beyond this (from CC 1) consideration of the so-called tried and tested safety principles also form part of the requirements of the control categories. Please do not confuse this with the requirement to use well tried and tested components (which only applies to CC 1). What is meant by each of these can be found in the informative annexes A to D of EN ISO 13 849-2:2003 (validation of SRP/CS).

Control categories reflect the resistance of an SRP/CS to failures and its behaviour in the event of a fault. An outline of the requirements of the 5 individual control categories can be seen in the table below.

Cat.(1) B
  Outline of requirements: The safety-related parts of control systems and/or their protective devices as well as their components must be configured, constructed, selected, assembled and combined in compliance with the pertinent standards so that they can withstand the anticipated influences.
  System behaviour(2): The development of a fault may lead to the loss of the safety function.
  Principles to achieve safety: Chiefly characterised by the selection of components.

Cat. 1
  Outline of requirements: The requirements of B must be satisfied. Tried and tested components and safety principles must be used.
  System behaviour: The development of a fault may lead to the loss of the safety function, but the probability of this occurrence is lower than in Category B.
  Principles to achieve safety: Chiefly characterised by the selection of components.

Cat. 2
  Outline of requirements: The requirements of B and the use of tried and tested safety principles must be satisfied. The safety function must be checked by the machine control system at suitable intervals.
  System behaviour: The development of a fault may lead to the loss of the safety function between the inspection intervals. The loss of the safety function is detected by the inspection.
  Principles to achieve safety: Chiefly characterised by the structure.

Cat. 3
  Outline of requirements: The requirements of B and the use of tried and tested safety principles must be satisfied. Safety-related parts must be configured such that a single fault in each of these parts does not lead to the loss of the safety function, and the single fault is detected whenever tests are performed in an appropriate manner.
  System behaviour: When a single fault develops, the safety function is always maintained. Some, but not all, faults are detected. An accumulation of faults may lead to the loss of the safety function.
  Principles to achieve safety: Chiefly characterised by the structure.

Cat. 4
  Outline of requirements: The requirements of B and the use of tried and tested safety principles must be satisfied. Safety-related parts must be configured such that a single fault in each of these parts does not lead to the loss of the safety function, and the single fault is detected during or before the next demand on the safety function or, if this is not possible, an accumulation of faults does not lead to the loss of the safety function.
  System behaviour: When faults develop, the safety function is always maintained. The faults are detected in good time in order to prevent a loss of the safety function.
  Principles to achieve safety: Chiefly characterised by the structure.

(1) The categories are not intended to be used in any specified order or hierarchical arrangement with respect to the safety-related requirements.
(2) Whether the overall or partial loss of the safety function(s) due to faults is acceptable arises from the risk assessment.

Control categories/control category 2 The requirements and content of the control categories will not be dealt with in detail here because they have been familiar for many years from EN 954-1:1996. An overview can be found under the keyword Control Categories. An exception to this is a reference to the fact that the requirements of control category 2 have been increased in EN ISO 13 849-1:2006. In practical terms this will in future be a kind of light control category 3. Background: since the failing of a safety function in CC 2 may go unnoticed between tests, the test frequency is a critical factor. Furthermore the test equipment itself might fail before the function channel. For this reason, the quantification requires: that the MTTFd value of the test equipment TE is not smaller than half of the MTTFd of the logic L; and that the test rate is at least 100 times greater than the mean demand rate on the safety equipment or than the hazardous failure rate. Added to this is the requirement for a second shut-down path or indication path (via the test equipment).

[Figure: designated architecture of control category 2: input signal I, logic L and output signal O, with monitoring of I and L by the test equipment TE, whose output OTE forms the 2nd switch-off path]

Especially the required ratio 1:100 of the demand rate to test rate means CC 2 structures with electromechanical technology (without own test intelligence) are faced with barely achievable tasks. The reason for the increased requirements of control category 2 is that in future, in connection with a high MTTFd value and a medium DC, a Performance Level d can be achieved. We have to advise our customers to consider alternative configuration options for this level of criticality. If we find out about new configuration possibilities as time goes on, we will let you know. Up to a PL c, on the other hand, a high MTTFd value and an architecture of control category 1 (1-channel, but executed with safety-related tried and tested components) would be sufficient. This means that electromechanical technology may continue to be used for the typical medium risk range (i.e. PL c). Despite the increased requirements of CC 2 therefore, there is no significant difference compared to the current status of safety technology.

C (Type C) standards These standards, which deal with the concrete safety-related requirements for individual types of machines (machine tools, machining centres, packaging machines etc.), must be adapted to the new standard situation. This means that where control categories are defined for the execution of certain safety functions, the respective standard setter must convert these to the requisite Performance Level (= PLr). Considering the several hundred C standards in existence today, it is not to be anticipated that this can take place in the short term (within the coming months). The person responsible for the SRP/CS must therefore initially perform the CC to PLr conversion himself. It is possible, however, that the coming into force of the new EC Machinery Directive 2006/42/EC will ensure an accelerated process here. In part the CC to PLr conversion can be performed schematically, but sometimes the risk parameters S, F and P (see keyword Risk Graph according to EN ISO 13 849-1:2006) must be consulted once again; this is the case where the current risk graph analysis produces two alternatively applicable control categories. In future there will no longer be any such ambiguities. It is also conceivable, however, that some C standard setters might continue to demand a control category in addition to determining a PLr, because they do not agree that it will be possible in future to replace previous 2-channel structures with 1-channel structures that have correspondingly high MTTFd and/or DC values. (Type) C standards form a level of their own in the machine safety standard matrix; this is above the levels of the so-called A and B standards. (Type) A standards stipulate the fundamental requirements of machine safety (design guidelines, risk assessment etc.). Subgroup B1 of the (Type) B standards concerns the different safety aspects (safety distances, body dimensions etc.), while Subgroup B2 deals with the requirements placed on protective devices (interlock devices, AOPDs etc.).

Designated Architectures See heading for Architectures and Control categories

Diagnostic Coverage DC See Section 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006 as well as pages 32 f. and 68 f.


Estimation of PL and SIL Both EN ISO 13 849-1:2006 and EN IEC 62 061:2005 consciously use the term estimation in connection with determining the PL and SIL, in order to make it clear that, in the case of the quantitative (probabilistic) requirements, it does not come down to an absolutely precise, calculable value. In the case of a simple SRP/CS within the framework of PL a to c, EN ISO 13 849-1:2006 even stipulates that a qualitative estimation will suffice (see Paragraph 4.5.1). The background to estimation being sufficient is the concept of simplification pursued by both standards and the deterministic control category, which continues to play an important role. Added to this is the fact that random failures in particular, against which the quantitative (probabilistic) measures are especially directed, are in practice only involved in 10 to 15 % of accidents in machine construction. Other estimates suggest that this proportion is even lower.

Exponential distribution The exponential distribution is a continuous probability distribution over the set of positive real numbers and a typical service life distribution; it is, for example, expressed in MTTF or MTBF and used to estimate the service life of components, devices etc. where the effects of ageing (wear and tear) do not need to be taken into account. An upstream B10d value analysis is used for components and devices affected by wear and tear. An MTTFd value assumes/means that, once the MTTFd time has elapsed, 63 % of all units have failed dangerously and 37 % of all units are still working properly. EN ISO 13 849-1:2006 divides MTTFd values into three groups (low, medium, high) per channel:

[Figure: dangerous failures [%] plotted against time [years] (0 to 30) for MTTFd = 3 y, 10 y, 30 y and 100 y; the MTTFd ranges are marked not acceptable, low, medium, high and not acceptable]

MTTFd = 3 y: 30 % failures after 1 year
MTTFd = 10 y: 10 % failures after 1 year
MTTFd = 30 y: 3 % failures after 1 year
MTTFd = 100 y: 1 % failures after 1 year

Failures Standard definition (EN ISO 13 849-1:2006): ending of the ability of a device (subsystem) to fulfil a required function. A substantial objective of standardisation in this area is to reduce the risk of failures in an SRP/CS causing dangerous states. Disturbances are considered to be equal to failures.


A distinction is made within the SRP/CS standardisation between random and systematic failures as well as between dangerous failures (values for which are frequently identified with the index d) and failures which are not dangerous (which impair the availability of processes). The latter do not lie within the application range of the SRP/CS standardisation. The result of failures is faults in the SRP/CS. The standard also defines that failures are events and faults are states. However faults can also come about without the previous occurrence of failures. Measures must also be taken against these, as dealt with especially in EN ISO 13 849-2:2003. Since in part this consideration of what constitutes a failure and what is meant by a fault involves the finer points of semantics, the two terms are also used synonymously in certain parts of this brochure.

Failures (systematic failures) Standard definition (EN ISO 13 849-1:2006): failures with a deterministic reference to a specific cause which can only be eliminated by changing the design or manufacturing process, operating procedure, documentation or corresponding factors. Systematic failures can affect both hardware and software. Measures to prevent and control systematic failures are additionally considered once again in the new Annex G of EN ISO 13 849-1:2006. Additionally considered means that the EN 954-1:1996 (ISO 13 849-1:1999) and in particular the EN ISO 13 849-2:2003 standards (originally conceived as EN 954-2) already contain deliberate requirements which are continued and improved on in Annex G. Detailed considerations on this subject are similarly found in EN IEC 62 061:2005. Today the cause of most machine accidents can be explained by systematic failures. These include inadequate FMEAs and testing, gaps in design and specification, as well as errors in reasoning. Added to these are accidents resulting from manipulation of protective devices (estimated in Germany to be around 25 %). Even if this does not belong precisely to the standard system, comprehensive risk assessment (hazard analysis) should be part of the context of systematic fault potential. See also EN ISO 12 100-1/-2:2003 and EN ISO 14 121:2007 (formerly EN 1050). A British study (see figure) suggests that over 60 % of all accidents studied as part of a representative survey were attributable to causes already present in the SRP/CS before commissioning.

[Figure (1): causes of failures in safety-related systems according to the British study: 44 % specification, 15 % design and implementation, 6 % installation and commissioning, 15 % operation and maintenance, 20 % changes after commissioning. More than 60 % of failures are built into the safety-related systems before they are taken into service!]


Failures (random failures) In particular the requirement to determine the safety-related overall quality of an SRP/CS in the form of a PL or SIL is aimed at reducing the residual risk of hazardous states through random dangerous failures. The assumption is fundamentally made in the case of hardware that it can fail both randomly and systematically. By contrast software is only subject to systematic failures. A statistical probability can be assigned to random hardware failure (due to product weakening from diverse causes, e.g. material fatigue). In other words: the lower this probability, the higher the functional safety. Where applicable other things can be dispensed with without affecting the safety-related overall quality. The proportion of accidents resulting from random hardware failures is commonly estimated today to be low; a maximum of 10 to 15 % of all machine accidents is quoted. Other estimates produce a lower ratio still. The probability of random hardware failures is an exclusively statistical consideration and permits no conclusions to be drawn on the quality of an individual product.

(1) Failure Modes, Effects and Diagnostic Analysis

Failure rates Typical values for failure rates referred to in the EN ISO 13 849-1:2006 standard are MTTFd values (= Mean Time to dangerous Failure). In general MTTF values are a statistical characteristic for the reliability of an object (whatever this object may be); they make a statement about the probabilities of random failures. Failures due to other influences, e.g. through incorrect selection, insufficient dimensioning etc., are numbered among the group of systematic failures and are not reflected by MTTF values. MTTF values are based on the mean (average) service life or service performance of objects (up to failure). The knowledge of service lives or service performances is taken from field data, extrapolations from stress tests, so-called FMED analyses(1) etc. Only dangerous failures are of interest within the meaning of standards EN ISO 13 849-1:2006 and EN IEC 62 061:2005. For example a contact is not able to close (= usually a disturbance in the case of shut-down systems, but not dangerous) or to open (= usually dangerous in the case of shut-down systems). The ratio of dangerous to non-dangerous failures is commonly estimated at 50:50. In this respect an MTTFd value is then always twice as high as the MTTF value which reflects all failure possibilities. For a number of objects an MTTFd value is used as a probability-mathematical expression, with reference to the exponential distribution, indicating that after expiry of the MTTFd service life 63.2 % of the affected objects have failed dangerously. Therefore this constitutes a statement on the probability of survival (see example page 110). By contrast λ or FIT values, the failure rates with which EN IEC 62 061:2005 works, specify on average how many objects fail randomly in a unit of time (= 1/time, vs. the survival probability of MTTF or MTTFd values). FIT values represent a failure rate expressed in 10^-9 per hour. This therefore concerns an alternative temporal consideration of the same phenomenon. For this reason the reciprocal values of λ or FIT values are again MTTF or MTTFd values. PFHd values similarly express the probability of a dangerous failure per hour, but they are able to incorporate more into the calculation than simply a consideration of random hardware failures. A conversion is therefore only conditionally permissible. It is possible for 1-channel structures (1/MTTFd = PFHd and vice versa, with the MTTFd expressed in hours). Moreover PFHd values may be converted in a greatly simplified manner into so-called block MTTFd values by forming the reciprocal value (1/PFHd divided by 8,760, giving years); this is not permissible the other way round. In the case of PFHd values the distinction via the index d is not particularly common, i.e. the dangerous failure direction is in general meant both by a PFH and by a PFHd value.
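The reliability arithmetic behind the keywords Exponential distribution, Failure rates and Capping, as an added example that is not code from the brochure; the 50:50 dangerous share and the capping limit are taken from the text, and the band boundaries from Table 5 of the standard:

```python
"""Added example (not from the brochure): failure fraction after t years
under the exponential distribution, per-channel MTTFd bands with the
100 y capping limit, and the conversions between FIT, lambda, MTTF,
MTTFd and PFHd described in the text."""
import math

HOURS_PER_YEAR = 8760
MTTFD_CAP_YEARS = 100   # capping limit used when the overall PL is determined
DANGEROUS_SHARE = 0.5   # common 50:50 assumption (dangerous : non-dangerous)


def fraction_failed(t_years, mttfd_years):
    """Exponential distribution: share of units failed dangerously by time t,
    F(t) = 1 - exp(-t / MTTFd). At t = MTTFd this is 1 - 1/e = 63.2 %."""
    return 1.0 - math.exp(-t_years / mttfd_years)


def fraction_surviving(t_years, mttfd_years):
    return 1.0 - fraction_failed(t_years, mttfd_years)


def cap_mttfd(mttfd_years):
    """Values above 100 y are allowed inside a channel but are limited to
    100 y when the overall PL is determined."""
    return min(mttfd_years, MTTFD_CAP_YEARS)


def mttfd_band(mttfd_years):
    """Per-channel classification of EN ISO 13 849-1:2006 (Table 5):
    low 3..10 y, medium 10..30 y, high 30..100 y; below 3 y not acceptable."""
    m = cap_mttfd(mttfd_years)
    if m < 3:
        return "not acceptable"
    if m < 10:
        return "low"
    if m < 30:
        return "medium"
    return "high"


def fit_to_mttf_years(fit):
    """FIT = failures in 10^-9 per hour; MTTF is the reciprocal of lambda."""
    lam_per_hour = fit * 1e-9
    return 1.0 / lam_per_hour / HOURS_PER_YEAR


def mttf_to_mttfd(mttf_years, dangerous_share=DANGEROUS_SHARE):
    """Only the dangerous share of failures counts: with 50:50 the MTTFd is
    twice the MTTF that covers all failures."""
    return mttf_years / dangerous_share


def pfhd_single_channel(mttfd_years):
    """1-channel structure: PFHd = 1/MTTFd, with MTTFd expressed in hours."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def block_mttfd_from_pfhd(pfhd):
    """Greatly simplified 'block MTTFd' in years: 1/PFHd divided by 8,760
    (permissible in this direction only, see text)."""
    return 1.0 / pfhd / HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed check against the figures on the page: MTTFd = 3, 10, 30,
    # 100 y after one year of operation, and the page's three populations
    for m in (3, 10, 30, 100):
        print(f"MTTFd {m:>3} y: {100 * fraction_failed(1, m):4.1f} % failed after 1 year")
    for m in (6, 18, 60):
        print(f"MTTF {m:>2} y: {100 * fraction_surviving(6, m):4.1f} % intact after 6 years")
    print("FIT 100 ->", round(fit_to_mttf_years(100), 1), "y MTTF")
```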


Example:

[Figure: reliability distribution of the units of three populations (MTTF = 6 years, 18 years and 60 years) over time in years, showing which units are intact and which have failed; after 6 years the intact/failed shares are 37 %/63 %, 72 %/28 % and 90 %/10 % respectively]

Illustration of the mean service life: three groups with different levels of reliability are represented. Their units (illustrated by dots) fail at random times. Their failure times correspond to the vertical coordinate. The failure times are spread over long periods of time, e.g. in the case of the first group individual units survive for 18 years whereas some fail after just one year. 63 % have already failed after 6 years (Source: Einführung in die Methoden der Zuverlässigkeitsbewertung [Introduction to the methods of reliability assessment], Siemens AG, I&S IS ICS IT2). MTBF or MTBFd values are a sub-category of MTTF or MTTFd values. MTBF stands for Mean Time Between Failures and is the mean time between two failures for repairable objects. The difference between MTTF (MTTFd) and MTBF (MTBFd) is only marginal and can be disregarded in relation to the considerations for SRP/CS. In many other areas, e.g. in chemicals and process engineering, military engineering, avionics etc., the incorporation of failure rates is part of the state of the art (keyword: reliability engineering). There are numerous sources and works of reference for failure rates, e.g. SN 29 500, MIL handbooks etc. If the general sources are referred to for information on failure rates, it is a good idea to question whether a value reflects dangerous failures within the meaning of EN ISO 13 849-1:2006 (frequently identified by the index d) or all possible failures (the latter must then be converted, see above). Furthermore, there is a recommendation in EN ISO 13 849-1:2006 that values not verified for their purposes and which are from a different source should only be incorporated into calculations at 10 %. In the case of non-specific information on failure rates, e.g. for electrical components, these are frequently nominal values which take no account of temperature impact (e.g. that the failure rate doubles for each 20 °C rise in temperature), temperature cycles (warm/cold) and other environmental influences. These influences must be entered into further calculations (typical for EN IEC 61 508:2001) or a blanket figure taken into account by only including 10 % of nominal failure rates in further calculations (recommended in EN ISO 13 849-1:2006).


Fault detection DC See Part 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006 and also pages 32 f. and 68 f.

Fault detection (external) If simple single devices are deployed within an SRP/CS, the responsibility for fault detection falls to other parts of the SRP/CS which are upstream or downstream of the simple single devices (usually signal processing in the logic unit or special test equipment). In these cases it is necessary to know which fault detection measures are effective here and, of course, the application of the simple single devices must be correct, i.e. integrated in the logic (for example downstream contactors, preferably with positively driven contacts, per feedback loop). Where applicable enquiries must be made as to which fault detecting measures are effective in relation to the upstream and downstream parts of the SRP/CS. Moreover, all requirements of the control categories must also be complied with, e.g. the requirements on cable routing etc. In effect one creates a subsystem or part system of one's own. See also page 32 f. A diagnostic coverage of 99 % can be assumed for the input level when using safety relay modules, insofar as these are enabled for CC 4, PL e or SIL 3 (Table E measure: positively driven monitoring of electromechanical units). However at the output level the diagnostic coverage is essentially contingent on the type of output.

[Figure: Sensor A and Sensor B on separate channels, with a cross-short between the channels]

If, for example, monitoring of a contactor is performed with positively guided contacts per feedback loop, 99 % DC can similarly be achieved. A 99 % diagnostic coverage can be assumed at the input level for safety PLCs, safety bus systems etc. (owing to the so-called crosswise data comparison here), as long as these are likewise enabled for CC 4, PL e or SIL 3. The aforementioned applies to the output level (see: safety relay modules). CAUTION: the above statements do not apply to all configurations, e.g. not to series connections of electromechanical safety switchgear, because certain faults which can occur within a chain are not always detected by the logic function. Here, for a diagnostic coverage of 99 %, devices must be incorporated 1:1 or additional measures will be required (e.g. external test equipment). Information on fault detection with series connections, in particular in the case of series connections of electromechanical devices: see page 32 f.

Fault exclusion Fault exclusion is a compromise between the technical safety requirements (the requisite fault consideration) and the theoretical possibility of a fault occurring. As the name says, certain cases of failure or fault are excluded during the safety-related assessment (during FMEA) of a SRP/CS (their occurrence is not accepted/is not allowed to be accepted).


Fault exclusions therefore permit (in part substantial) simplifications in the design of the architecture of an SRP/CS, e.g. in questions of the necessity of a redundant design or questions concerning the design of connecting cables in an SRP/CS, but no arbitrary and subjective use may be made of the fault exclusion possibility. Rather the considerations made must be accompanied by qualified evidence and written documentation. A distinction must be made as to whether fault exclusions are backed by the accepted state of the art or whether they are made individually (without the backing of this state of the art). Annexes A to D of EN ISO 13 849-2:2003 are considered to be the definitive state of the art in the area of machine safety. They determine which fault exclusions, depending on the technology, i.e. whether mechanical, hydraulic, pneumatic or electrical, are automatically admissible, which are only admissible under certain circumstances, and which are not admissible. The possibility of fault exclusion is described in EN ISO 13 849-1:2006 as follows: Fault exclusion can be based on: the technical improbability of the occurrence of some faults; the generally recognised experience, irrespective of the application considered; and the technical requirements in terms of the application and the specific hazard. If faults are excluded, a precise reason must be provided in the technical documentation. The following demarcation applies to fault exclusions: the combination of safety-related parts of a control system starts at the point at which safety-related signals are generated (including, for example, actuator and roller of a position switch) and ends at the outputs of the power control elements (including, for example, the main contacts of a contactor). See also pages 29 et seq.

Fault exclusion: wiring/cabling EN ISO 13 849-1:2006 favours an assumption that fault exclusion can be made for the cabling in an SRP/CS. The requirements of a fault exclusion are as follows:

Fault acceptance: Short circuit between any two conductors
Fault exclusion: Short circuits between conductors which are permanently installed (fixed installation) and protected against external damage (e.g. by cable conduit, armoured conduit), or which are protected in different sheathed cables, or within an electrical installation space(1), or which are individually protected by a ground connection.

Fault acceptance: Short circuit between any one conductor and an unprotected conductive part or the ground or a protective conductor connection
Fault exclusion: Short circuits between a conductor and any unprotected part within an installation space(1).

Fault acceptance: Interruption of a conductor
Fault exclusion: No

(1) Prerequisite is that both the cables and the installation space correspond to the respective requirements (see EN 60 204-1 [IEC 60 204-1]).

Alternatively we recommend our customers use signal processing with additional cross wire monitoring!


Fault exclusion in the case of manually actuated devices Emergency-stop control devices, enabling switches etc. see pages 29 et seq.

Fault exclusion in the case of interlocking devices Physical v. electrical 2-channel function of monitoring switches with interlock for movable protective devices: see pages 29 et seq.

Feedback loop Measure to detect faults at the O level when these are performed by simple single devices e.g. contactors. The test result of other measures can likewise flow in here in order to guarantee that restarting of the machine controller is only possible once the SRP/CS parts concerned are working correctly. The diagnostic coverage DC can be up to 99 % depending on quality of the feedback signals. See also page 55.

Good Engineering Practices (GEP) Original term from the planning and operation of pharmaceutical systems. The particular meaning for the design of SRP/CS within EN ISO 13 849-1:2006 is to take the following into consideration: the requirements of the respective product standards (see Table D.2 in EN ISO 13 849-1:2006); the requirements of A standards (EN ISO 12 100-1/-2, EN ISO 14 121-1/-2) and the basic and proven safety principles, as well as the use of proven safety-related components (in CC 1) (Annexes A to D of EN ISO 13 849-2:2003). Furthermore the selection of suitable devices in relation to the application and ambient conditions, taking into consideration manufacturer information (keyword: operating instructions), forms part of the GEPs. The background is to avoid systematic faults and failures which are not (or hardly) influenced by the design features that contribute to the level of a PL (or SIL). See also keyword Failures here.

H to L

Hardware reliability MTTFd See Part 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006

Level of cable See cabling fault exclusion

Literature There is a great deal of literature now available on EN ISO 13 849-1:2006 and EN IEC 62 061:2005, published both by publishers and by the manufacturers of safety components, sometimes free of charge. Our information brochure A New Approach to Machine Safety: EN ISO 13 849-1:2006 SRP/CS which can be downloaded from www.schmersal.com (link: safety and standards) was one of the first (and still one of the most comprehensive) sources of information.


[Figure: cover of the Schmersal brochure A New Approach to Machine Safety: EN ISO 13 849-1:2006 Safety-related Parts of Control Systems (with the risk graph for the required performance level PLr), and cover of the ZVEI Automation brochure Sicherheit von Maschinen: Erläuterungen zur Anwendung der Normen EN 62061 und EN ISO 13849-1 (Safety of machinery: explanations on the application of the standards EN 62061 and EN ISO 13849-1)]

There are also explanations on the application of the EN 62 061 and EN ISO 13 849-1 standards in a brochure published by the automation division of the German Electrical and Electronic Manufacturers Association (ZVEI) (can be downloaded from www.zvei.org). Last, but not least, we make reference to the BGIA Report 2/08 on the subject (q.v.).

Low Demand Mode See PFD

Machinery Directive (MD) The EC Machinery Directive forms the statutory foundation for the requirements of functional machine safety in the European Union and in the other EFTA countries Iceland, Liechtenstein, Norway and Switzerland, and also in Turkey in anticipation of its intended EU accession. As with all EU directives, the content of the MD must be transposed into the respective national law. In Germany this takes place under the umbrella of the Equipment and Product Safety Act (GPSG) in the form of the so-called Machinery Ordinance (9. GPSG-VO). The necessity of safety-related parts of control systems (SRP/CS) is derived from the General Principles (keyword: hazard analysis, or in future risk assessment) as well as from the requirements of Paragraph 1.2.1 (keyword: safety and reliability of control systems) in Annex I(1) of the MD. The necessity of SRP/CS is further explained in Paragraph 9.4 "Control functions in the event of failure" of EN IEC 60 204-1:2005(2), which finally refers (for the concrete definition of the requirements) to the competence of EN ISO 13 849-1:2006 and EN IEC 62 061:2005. The graduated concept is thus anchored in the General Principles of the MD.

(1) See MD 2006/42/EC, valid from 29.12.2009, or the currently valid MD 98/37/EC.
(2) Elektrische Ausrüstung von Maschinen (Electrical equipment of machinery); source: Beuth-Verlag, Berlin


Mission Time (service life) The probabilistic models behind EN ISO 13 849-1:2006 assume a so-called mission time of 20 years. An exception is the B10d or T10d value consideration with regard to any necessary preventive device replacement. So-called proof tests, proof test intervals and the like, by contrast, play a lesser role with reference to PL and SIL in machinery engineering.

MTTFd hardware reliability See loc. cit. (keywords Failure Risks, Bathtub Curve etc.) as well as Section 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006

O P

Objective of the SRP/CS standardisation See Section 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006

Parts count method See Addition of failure probabilities

Performance Level See loc. cit. (keyword Calculations etc.) and also Section 6, page 81 et seq.: Features and use of EN ISO 13 849-1:2006

PFD (Probability of Failure on Demand) Consideration from EN IEC 61 508-1/-7:2001: probability measure of the safety integrity of an SRP/CS, as typical for process technology and process engineering. The PFD value is the counterpart to the PFHd value used in factory automation. The reason for the distinction is the significantly different demand rate of the safety function. In the so-called Low Demand Mode (typical for process technology and process engineering) the safety function is demanded very rarely (not more frequently than once a year). A typical example is an emergency shut-down system which only becomes active when a process has got out of control; this normally occurs less frequently than once a year. This is contrasted with the so-called High Demand Mode (with PFHd values), i.e. the safety function is demanded (more) frequently or continuously (= more than once per year). The SIL classification in Low Demand Mode is as follows(1):

SIL | PFD (average probability of failure on demand) | Max. accepted failure of the SIS (safety instrumented system)
1 | 10^-2 ≤ PFD < 10^-1 | 1 dangerous failure in 10 years
2 | 10^-3 ≤ PFD < 10^-2 | 1 dangerous failure in 100 years
3 | 10^-4 ≤ PFD < 10^-3 | 1 dangerous failure in 1,000 years
4 | 10^-5 ≤ PFD < 10^-4 | 1 dangerous failure in 10,000 years

(1) SIL 4 concerns safety functions with the risk of several deaths and catastrophic effects and is not used in machinery engineering (factory automation).

PL Performance Level See loc. cit. (keyword Estimations etc.) and also Part 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006


PLr (required Performance Level) Standard definition (EN ISO 13 849-1:2006): Performance Level (PL) applied in order to achieve the required risk reduction for each safety function. This amounts, so to speak, to determining the TARGET state on the basis of the risk assessment for a safety function. Consequently a PL ≥ PLr must be realised. The PLr results from the respective C standard or from a risk graph consideration of the safety function, i.e. the Performance Level (a, b, c, d or e) for a safety function is produced depending on the assumed severity of injury in the event of failure of the safety function, the frequency and/or duration of exposure in the danger zone and the possibility of avoiding the hazard by personal reaction. See keyword Risk graph consideration according to EN ISO 13 849-1:2006.

PL result graph See also Part 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006

Proof test/proof test interval Repeated test/recurring inspection of an SRP/CS conducted to detect faults so that, if necessary, the system can be restored to an as-new state or brought as close to it as practically possible; the so-called mission time then starts again. Proof tests and proof test intervals are typically used in the chemical and process industries; another example is aircraft maintenance. The subject is hardly of any relevance to our devices (with the exception of the T10d value consideration for devices affected by wear and tear). This does not affect the employer's obligation to inspect work equipment regularly under the EC Use of Work Equipment Directive or, in Germany, under the occupational safety regulations (BetrSichV).

Proven performance A little-used term in mechanical engineering, which is seen in particular as a substitute measure for the consideration of systematic faults and failures. See EN IEC 61 508:2001.

Proven in use See keyword: Proven performance

Reliability technology (reliability engineering) Reliability is a property of a product that can be assessed empirically through a statistically measurable value based on observed failure frequencies, or with the aid of probability calculus. PL and SIL considerations belong in the wider sense to the science of reliability engineering. As is frequently the case in other areas, the first applications of reliability engineering were found in military technology, followed by further applications. Reliability research is concerned with the reliability of components and systems as well as with methods for reliability analysis and assurance; reliability databases are set up in conjunction with this. Methods of test planning and the statistical evaluation of failure data and service life trials are investigated. Other subjects are the realistic modelling of complex technical systems and the simulation of reliability and availability in early development phases. System service life calculations are performed, as is the determination of load spectra. One area of work is the conducting of FMEAs and the preparation of documentation to accompany development.

[Figure: time axis 1940 to 1980 showing the spread of reliability technology by field: aviation and space technology (Air Force, V1) from 1940; activities chiefly in the USA from 1945; traffic engineering (aviation), electronic device engineering, measurement and control technology, telecommunications engineering (postal and general) and traffic engineering (railway) around 1955 to 1960; nuclear technology; traffic engineering (navy, army) and computer technology around 1965; safety technology (general), energy management (electrical supply) and automotive and transport technology (land traffic) around 1970 to 1975; municipal engineering (supply/disposal), computer technology, heavy industry (process engineering), civil engineering (general), process engineering and transport and traffic technology (general) by 1980; manufacturing engineering last]

The methods and terms of reliability technology are comprehensively described today in national and international sets of standards, including risk standards, and in principle apply to all technical products and systems. Safety Integrity Levels go back to the standards initiative IEC 61 508 (today EN IEC 61 508-1/-7:2001) that followed the Seveso toxic gas accident. The initial applications of the standard were therefore in the chemical and process industries and subsequently in other areas, with machinery engineering bringing up the rear, so to speak, with the standards EN IEC 62 061:2005 and EN ISO 13 849-1:2006.

Reset See keyword Restart loop circuit and page 28.

Restart loop circuit Typically the manual (and in exceptional cases automatic) restart/reset signals of the logic (L) level belong here. The operator must first satisfy himself that the machine control system can be restarted safely. EN ISO 13 849-1:2006 now unambiguously stipulates that the reset is triggered by a signal edge (it is only accepted when the reset actuator is released from its actuated position), not by a static signal. Refer also to page 28. At the output (O) level, restart loop circuit and feedback loop are also frequently merged.

Result graph PL (bar chart) See loc. cit. and Section 6, pages 81 et seq.: Features and use of EN ISO 13 849-1:2006


Risk graph consideration according to EN ISO 13 849-1:2006 Determines the PLr (= PL to be applied in order to achieve the requisite risk reduction for each safety function). The familiar parameters for risk estimation from EN 954-1:1996 (ISO 13 849-1:1999) remain unchanged in EN ISO 13 849-1:2006, but instead of leading to a control category to be realised, the result is now a Performance Level PLr to be realised, as follows:

S Severity of injury
 S1 Slight (normally reversible) injury
 S2 Serious (normally irreversible) injury, including death
F Frequency and/or exposure time to the hazard
 F1 Seldom to quite often and/or the exposure time is short
 F2 Frequent to continuous and/or the exposure time is long
P Possibility of avoiding the hazard
 P1 Possible under specific conditions
 P2 Scarcely possible

[Risk graph: starting point for the risk reduction estimation, branching S, then F, then P, from low risk (PLr a) to high risk (PLr e)]

S1 F1 P1: PLr a
S1 F1 P2: PLr b
S1 F2 P1: PLr b
S1 F2 P2: PLr c
S2 F1 P1: PLr c
S2 F1 P2: PLr d
S2 F2 P1: PLr d
S2 F2 P2: PLr e

An advantage of the new risk graph is that there is now a standard definition for the delineation between the parameters F1 and F2: F1 applies to a frequency of presence in the hazard zone of once per hour or less, F2 to a frequency of more than once per hour. The second advantage is that the parameter consideration now always produces an unambiguous PLr, whereas in the preceding standard several permutations led to two alternatively applicable control categories without any further decision aid being provided.

Risk graph consideration according to EN IEC 62 061:2005 Determines the requirements for the safety integrity of the SRP/CS in the form of a safety integrity level (SIL). It is a derivative of the risk graph of EN IEC 61 508:2001 adapted to machine construction, as follows:

Severity of harm S (Se)
 4 Death, losing an eye or arm
 3 Permanent, losing fingers
 2 Reversible, medical attention
 1 Reversible, first aid

Frequency and/or duration of exposure F* (Fr)
 ≤ 1 hour: 5
 > 1 hour to ≤ 1 day: 5
 > 1 day to ≤ 2 weeks: 4
 > 2 weeks to ≤ 1 year: 3
 > 1 year: 2

Probability of the hazardous event occurring W (Pr)
 frequent: 5; probable: 4; possible: 3; seldom: 2; negligible: 1

Possibility of avoidance P (Av)
 impossible: 5; possible: 3; probable: 1

Class C = F + W + P; resulting SIL by severity S:
S | C 3-4 | C 5-7 | C 8-10 | C 11-13 | C 14-15
4 | SIL 2 | SIL 2 | SIL 2 | SIL 3 | SIL 3
3 | (OM) | (OM) | SIL 1 | SIL 2 | SIL 3
2 | - | (OM) | (OM) | SIL 1 | SIL 2
1 | - | - | (OM) | (OM) | SIL 1
(OM) = other measures recommended; - = no safety-related control function required

* Where the duration is shorter than 10 min, the value may be decreased to the next lower level. This does not apply to a frequency of exposure ≤ 1 h, which must not be decreased.

In this connection EN IEC 62 061:2005 also recognises the so-called SIL claim limit (SILCL). This is (standard definition) the maximum SIL which can be claimed for an SRP/CS subsystem with respect to structural constraints and systematic safety integrity. The SIL claim limit is important for the overall evaluation (validation) because the lowest SILCL, as the weakest link in the chain, determines which SIL can be achieved by the SRP/CS as a whole.

Risk graph, risk evaluation Both new SRP/CS standards recognise a risk graph which is used as an aid for determining the requisite degree of risk reduction for the SRP/CS or which PL or SIL results for it. If we ignore the differentiated consideration in EN IEC 62 061:2005, then approach and result are largely comparable. In a few borderline cases EN ISO 13 849-1:2006 may be somewhat stricter (lying at one requirement class higher).

Risk, risk analysis, risk assessment Standard definition of risk: combination of probability of damage occurrence and extent of damage.

[Figure: example of a risk assessment procedure (source: SUVA/CH = Swiss Labour Accident Insurance Association). Risk assessment = risk analysis (determination of the limits of the machine; identification of the hazardous situations; risk estimation) followed by risk evaluation, answering "Is the machine safe?". YES: no further protective measure is necessary. NO: select a protective measure (risk reduction) and repeat. Technical documentation: description of the intended use in the operating instructions; description of the protective measures selected to counter the hazards emanating from the machine, and information on residual risks; it is advisable also to describe risks for which no protective measures are required.]

Standard definition of risk analysis: combination of the specification of the limits of the machine, hazard identification and risk estimation. Standard definition of risk evaluation: judgement, based on the risk analysis, of whether the objectives of risk reduction have been achieved; risk analysis and risk evaluation together form the risk assessment. This set of subjects is likewise based on the statutory requirements of the EC Machinery Directive (see keyword Machinery Directive). Risk and risk analysis (elsewhere also termed risk evaluation, hazard analysis or similar) are not the primary subject matter of the two new SRP/CS standards; rather they are presumed to have been completed before either of the two SRP/CS standards is applied. Here the standards EN ISO 12 100-1/-2:2004(1) and EN 1050:1995 (in future EN ISO 14 121-1:2007(2)) in particular offer aids to interpretation and execution.

(1) Safety of machinery, Basic concepts, general principles for design; Part 1: Basic terminology, methodology; Part 2: Technical principles
(2) Safety of machinery, Risk assessment; Part 1: Principles

Safety function The safety function is the unit to which a required PL according to EN ISO 13 849-1:2006 or a SIL according to EN IEC 62 061:2005 is assigned. By definition (see EN ISO 13 849-1:2006) it is a function of the machine whose failure can result in an immediate increase of the risk(s). The definition of the safety function therefore has considerable effects on determining the PL and SIL. Further information: see pages 70 et seq.

Series connections The length of a series connection (and thus the relative extent of the residual failure probability, i.e. the longer the chain, the more likely) is determined by the definition of the safety function (see also page 32 f.). From this perspective more than 31 CSS devices can, for example, be connected in series without this being linked to a downgrading of the SIL or PL, provided several mutually independent safety functions account for the number of devices. The argument of complete fault detection (DC = 99 %) in the CSS family remains fully valid in any case.

Series connections of electromechanical devices In the past we have argued that series connections of electromechanical devices only constitute control category 3. Qualification as CC 4 is not possible because not all faults in the series connection can be detected, and under certain circumstances an accumulation of faults cannot be excluded (see figure on page 32 f.). Nothing has changed in this assessment, i.e. an SRB module or a safety PLC (SiSPS) cannot be credited with a high diagnostic coverage (99 %) in the case of a series connection; in future, however, PL d will also be possible with a CC 3 architecture. After consulting the BGIA we recommend calculating on the basis of 60 % DC (see loc. cit., in particular page 32 f.). Series connections with PL e are nevertheless possible if the contacts of the series connection are read back into the PLC under normal operating conditions and checked for plausibility there (see BGIA wiring example 8.2.28 on page 76), or if fault exclusions can be made at the input level (see BGIA wiring example 8.2.29 on page 75).


SIL (Safety Integrity Level) Class of the safety-related overall quality of an SRP/CS, as used by EN IEC 62 061:2005 and EN IEC 61 508-1/-7:2001 (similar to the PL philosophy). Standard definition: discrete level for specifying the safety integrity requirements of the safety-related control functions. Safety integrity is defined here as the probability that the required control functions will be performed satisfactorily under all specified conditions, and in this respect covers hardware, software and systematic safety integrity. In spite of the term probability, a SIL is not purely probabilistic: it is determined from the so-called architectural constraints and from the probability of a dangerous failure per hour (PFHd). The architectural constraints depend on the so-called Safe Failure Fraction (SFF), which combines diagnosis with the proportion of failures that lead to a safe state. In simplified terms: if the SFF (i.e. the proportion of detected and/or safe failures) is high, a single-channel construction may be sufficient depending on the SIL; if the SFF is low, the construction must be redundant (hardware fault tolerance, HFT) depending on the SIL.

SFF = (λs + λdd) / (λs + λdd + λdu)
λs = failure rate of safe failures, λdd = failure rate of dangerous detected failures, λdu = failure rate of dangerous undetected failures

For example, SIL 2 requires a PFHd value of at least 10^-7 and below 10^-6 per hour together with HFT 2 (3-channel) for an SFF < 60 %, HFT 1 (2-channel) for an SFF of 60 to 90 %, or HFT 0 (1-channel) for an SFF of 90 to 99 %. Depending on the criticality, EN IEC 62 061:2005 distinguishes three Safety Integrity Levels for machine construction; a risk graph is decisive for the classification here too (similar to that used in EN ISO 13 849-1:2006). In terms of residual failure probability it cannot be said that a SIL is stricter than a PL or vice versa; rather, SILs offer more configuration possibilities. With reference to subsystems (part systems) of an SRP/CS, this document also speaks of Sub-PLs or Sub-SILs: the safety-related capability, expressed as SIL (or PL) and PFHd, of a subsystem. The overall SIL of an SRP/CS corresponds to the lowest Sub-SIL (weakest link) and is additionally limited by the PFHd value achieved; the latter is the sum of the individual PFHd values of the subsystems. All in all, EN IEC 61 508:2001 knows four SIL levels; SIL 4 covers risks with several deaths or catastrophic effects and is not relevant to machinery. In addition to the PFHd value, EN IEC 61 508:2001 also operates with the so-called PFD value (Probability of Failure on Demand) for safety functions that are rarely demanded (not more than once per year), as is typical for the chemical and process industries.

SIL Claim Limit (SILCL) Standard definition (EN IEC 62 061:2005): the maximum SIL that can be claimed for a subsystem with respect to its architectural constraints and systematic safety integrity. The SILCL is thus a property of the subsystem (comparable to the PL achieved by a subsystem), whereas the target specification for a safety function resulting from a risk graph consideration or from a C standard is the required SIL, which is comparable to the required Performance Level PLr. The lowest SILCL of the subsystems involved limits the SIL that can be claimed for the safety function as a whole. See also keyword SIL.
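The combination described under SIL and SIL Claim Limit, as a worked example added here (it is not code from the brochure or from Schmersal): each subsystem is characterised by its failure rates λs, λdd and λdu, its hardware fault tolerance and its PFHd; the SFF formula above yields the subsystem's SIL claim limit via the architectural-constraints table of EN IEC 62 061:2005 (the SIL 2 row of which is quoted above), the lowest SILCL is the weakest link, and the summed PFHd must also fall within the band of the claimed SIL. The failure rates and PFHd values of the three subsystems are constructed for the example, not manufacturer data; a real subsystem PFHd comes from its manufacturer or from the subsystem formulas of the standard, which this example does not implement.

```python
"""SIL of an SRECS from its subsystems (EN IEC 62 061:2005 / EN IEC 61 508).

Each subsystem carries its summed failure rates per hour (safe, dangerous
detected, dangerous undetected), its hardware fault tolerance HFT
(0 = single channel, 1 = two channels, 2 = three channels) and its PFHd.
SFF and HFT give the SIL claim limit via the architectural constraints;
the SRECS SIL is the lowest SILCL, further limited by the SIL band of the
summed PFHd. All numbers in the example chains are constructed.
"""
from dataclasses import dataclass

# Architectural constraints: SILCL by SFF band and HFT (columns 0, 1, 2).
# 0 = not allowed (single channel with SFF below 60 %); capped at SIL 3.
ARCH_CONSTRAINTS = (
    (0.99, (3, 3, 3)),  # SFF >= 99 %
    (0.90, (2, 3, 3)),  # 90 % <= SFF < 99 %
    (0.60, (1, 2, 3)),  # 60 % <= SFF < 90 %
    (0.00, (0, 1, 2)),  # SFF < 60 %
)
# High-demand SIL bands for PFHd in 1/h (lower bound inclusive, upper exclusive).
PFH_BANDS = ((3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_s: float   # safe failures per hour
    lambda_dd: float  # dangerous detected failures per hour
    lambda_du: float  # dangerous undetected failures per hour
    hft: int          # hardware fault tolerance 0, 1 or 2
    pfhd: float       # probability of dangerous failure per hour


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lambda_s + lambda_dd) / total


def sil_claim_limit(sff, hft):
    """Maximum SIL a subsystem may claim from its SFF band and HFT (0 = not allowed)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for lower_bound, silcl_by_hft in ARCH_CONSTRAINTS:
        if sff >= lower_bound:
            return silcl_by_hft[hft]
    raise ValueError("SFF must lie between 0 and 1")


def sil_from_pfhd(pfhd):
    """SIL band of a PFHd value; 0 means worse than SIL 1."""
    if pfhd < 1e-8:
        return 3  # better than the SIL 3 band; SIL 4 is not used in machinery
    for sil, lower, upper in PFH_BANDS:
        if lower <= pfhd < upper:
            return sil
    return 0


def srecs_sil(subsystems):
    """Weakest-link SILCL and summed PFHd of a chain of subsystems."""
    silcl = {s.name: sil_claim_limit(
        safe_failure_fraction(s.lambda_s, s.lambda_dd, s.lambda_du), s.hft)
        for s in subsystems}
    pfhd_total = sum(s.pfhd for s in subsystems)
    by_pfhd = sil_from_pfhd(pfhd_total)
    return {"silcl": silcl, "pfhd": pfhd_total, "sil_by_pfhd": by_pfhd,
            "sil": min(min(silcl.values()), by_pfhd)}


# Constructed chain: two-channel input and logic, a single contactor at the output.
COMMON = [
    Subsystem("S1/S2 safety switches", 2.0e-7, 1.0e-7, 1.0e-8, hft=1, pfhd=2.0e-8),
    Subsystem("safety relay module", 5.0e-7, 4.0e-7, 1.0e-8, hft=1, pfhd=1.0e-8),
]
UNMONITORED_OUTPUT = Subsystem("K1 contactor", 1.0e-7, 0.0, 5.0e-8, hft=0, pfhd=3.0e-7)
# Same contactor read back through a feedback loop: most dangerous failures become
# detected, so SFF rises and the claimed PFHd falls (constructed values).
MONITORED_OUTPUT = Subsystem("K1 contactor + feedback", 1.0e-7, 4.5e-8, 5.0e-9,
                             hft=0, pfhd=5.0e-8)


def example_chains():
    return {"unmonitored": srecs_sil(COMMON + [UNMONITORED_OUTPUT]),
            "monitored": srecs_sil(COMMON + [MONITORED_OUTPUT])}


if __name__ == "__main__":
    for label, result in example_chains().items():
        print(f"{label}: SILCL {result['silcl']}, PFHd {result['pfhd']:.2e} "
              f"(SIL {result['sil_by_pfhd']} by PFHd) -> SIL {result['sil']}")
```

The unmonitored chain ends at SIL 1 although its PFHd sum would permit SIL 2: the single contactor without feedback has an SFF of about 67 % at HFT 0, so its SILCL 1 caps the whole function. Reading the contactor back through a feedback loop turns most of its dangerous failures into detected ones (SFF about 97 %), which lifts the SILCL to 2 and the achievable SIL to 2.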


SISTEMA Windows-based software for the PL calculation according to EN ISO 13 849-1:2006, developed by the BGIA Institute for Occupational Safety and Health of the German Social Accident Insurance (DGUV), Sankt Augustin, and made available free of charge to anybody interested. SISTEMA stands for SIcherheit von STEuerungen an MAschinen (safety of control systems on machines).

The SISTEMA tool replicates the structure of the safety-related control parts (SRP/CS) on the basis of the so-called designated architectures and calculates the reliability values at a detailed level, including the Performance Level (PL) achieved. The parameters for determining the PL, i.e. the category, CCF measures, component quality MTTFd and test quality DCavg, can be entered step by step. The consequences of each parameter change on the overall system are displayed immediately and can be printed out as a report. The tool provides assistance with the calculation, but is no substitute for a basic understanding of the standard! SISTEMA can be downloaded from www.dguv.de/bgia/13849. The user is asked to register, for acceptance of the licence terms and for notification of updates.

Software Software forming part of PES systems is given particular emphasis both in EN ISO 13 8491:2006 and in EN IEC 62 061:2005. A distinction is made between the operating system software of a PES (= SRESW for Safety-Related Embedded Software) and the application software of a PES (= SRASW for Safety-Related Application Software). The latter (SRASW) is also divided according to the programming language used for it (FVL for programming languages with full language variability and LVL for programming languages with limited language variability). We will not go into greater detail on the subject of SRESW within the framework of this brochure. It is important to know that EN 13 849-1:2006 also facilitates the development of PES systems (see loc. cit.) and that SRESW requirements are echoed in the standard up to PL d. 122

The respective part of EN IEC 61 508:2001 should be used as a basis for PL e; alternatively the SRESW software could be developed diversely. In future additional requirements will similarly apply to SRASW software which affect the user, e.g. the programmer of a safety PLC. There are basic requirements which apply to all PLs, and additional requirements as from PL c which are divided into FVL and LVL. Definition of user software: Software, which has been implemented in the machine specially by the manufacturer for the application and which generally contains logical sequences, limit values and routines to control respective inputs, outputs, calculations and decisions in order to satisfy the requirements of the SRP/CS. Definition of FVL: Type of language with the ability to implement a wide range of functions and applications. Example: C, C++, assembler Remark 1: according to IEC 61 511-1:2003, item 3.2.80.1.3 Remark 2: a typical example of systems for the use of FVL: embedded systems Remark 3: in the machinery area, FVL is used in embedded software and occasionally in application software. Definition of LVL: Type of language with the ability to combine predefined, application-specific library functions in order to implement the specification of the safety functions. Remark 1: according to IEC 61 511-1:2003, item 3.2.80.1.2 Remark 2: typical examples of LVL (contact plan, function block diagram) are specified in IEC 61 131-3. Remark 3: a typical example of a system that uses the LVL: PLC

STANDARDS (Type-) A, B and C standards See C standards

EN 954-1:1996 This standard on the subject of SRP/CS was contentious from the start and will be withdrawn in December 2009. Superseded by standard EN ISO 13849-1:2006

EN 954-2 See EN ISO 13 849-2:2003

EN ISO 13 849-1:2006 New B1 standard on the subject: Safety-related parts of control systems, Part 1: General principles for design. German version: DIN EN ISO 13 849-1:2007-07; source: Beuth-Verlag GmbH, Berlin, www.beuth.de. Standard listed (harmonised) with presumption of conformity under the umbrella of the EC Machinery Directive since May 2007. Supersedes EN 954-1:1996 (ISO 13 849-1:1999), which will be withdrawn in December 2009.


Substantial changes:
- Performance Level (supersedes the exclusive consideration of control categories)
- Incorporates the development and application of so-called programmable electronic systems with safety functions (PES) into the SRP/CS technologies
- Expands (in its own Annex G) the consideration of the control and avoidance of systematic failures and faults
Alternative standard to EN ISO 13 849-1:2006 (for partial areas): EN IEC 62 061:2005

EN ISO 13 849-2:2003 Standard originally introduced as Part 2 of EN 954 with the emphasis on validation of SRP/CS (Safety-related parts of control systems, Part 2: Validation). German version: DIN EN ISO 13 849-2:2003-12; source: Beuth-Verlag GmbH, Berlin, www.beuth.de. Remains in force (although currently being revised) and now supplements EN ISO 13 849-1:2006. The standard retains its significance for the configuration and design of SRP/CS after the coming into force of the new Part 1 as EN ISO 13 849-1:2006. It is particularly significant for the admissible fault exclusions and for the lists of basic and well-tried safety principles and of well-tried safety-related components (see the technology-related Annexes A to D).

EN IEC 62 061:2005 New B1 standard on the subject: Functional safety of safety-related electrical, electronic and programmable electronic control systems (E/E/PES). Sector-specific standard for machinery derived from EN (IEC) 61 508:2001. German version: DIN EN 62 061 (VDE 0113-50):2005-10; source: Beuth-Verlag GmbH, Berlin, www.beuth.de. Standard listed (harmonised) with presumption of conformity under the umbrella of the EC Machinery Directive since December 2006. To be understood as an alternative to EN 954-1:1996 and, in particular for more complex E/E/PES systems, also as an alternative to EN ISO 13 849-1:2006. Principal content: considers safety-related electrical control systems (SRECS) and Safety Integrity Levels (SIL); reflects the requirements of EN (IEC) 61 508:2001 for machinery, albeit in simplified form. Refer also to keyword EN ISO 13 849-1:2006 / EN IEC 62 061:2005 (comparison).

EN IEC 61 508:2001 So-called Basic Safety Publication on the subject: Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1 to 7 (some 370 pages). German version: DIN EN 61 508-x:2001 (x = Parts 1 to 7); source: Beuth-Verlag GmbH, Berlin, www.beuth.de. Originally IEC standard 1508 (published 1998, completed 2000); adopted into the European standards in 2001, but without harmonisation under the umbrella of the EC Machinery Directive. The scope of the standard spans all life phases of a product/system and considers the so-called safety life cycle (from design through to decommissioning). All forms of safety-related systems (fault-tolerant systems, shut-down systems etc.) and risk-reducing measures in the event of failures or malfunctions, through to catastrophic risks, form the subject matter. Background information: the creation of this standard was motivated by the toxic gas accident in Seveso.


The desired effect of measures is expressed in a Safety Integrity Level (SIL), whose calculation relies on complex mathematical modelling with high scientific demands. The so-called sector-specific standards also arose against this background, which break down the requirements of standard 61 508:2001 into a simplified form suited to the requirements of the respective target group.

[Figure: EN IEC 61 508 as the basic safety publication, with sector-specific standards derived from it for the machinery branch, the medical branch, a further branch, the chemical and process branch and the power station branch]

Expressed very simply, EN IEC 61 508 is the archetype of safety-related reliability engineering and also inspired EN ISO 13 849-1:2006.

EN ISO 13 849-1:2006 / EN IEC 62 061:2005 (comparison) Both standards are listed (harmonised) standards with presumption of conformity under the umbrella of the EC Machinery Directive. Unfortunately there are intersections between the two standards (in other words duplicate arrangements), because both standards are concerned with the configuration of an SRP/CS when electrical, electronic and programmable technologies are used (EN ISO 13 849-1:2006 in the form of a Performance Level, EN IEC 62 061:2005 in the form of a Safety Integrity Level). The background to the intersections is that one standard was created at ISO level and the other at IEC level (in Europe: CEN and CENELEC respectively). The standard setters on the ISO side point out that EN 954-1:1996 was already an ISO standard and therefore claim for themselves the competence to revise it (i.e. to produce the successor standard), whereas the standard setters on the IEC side, referring to the Basic Safety Publication EN IEC 61 508:2001, believe they have the competence for so-called E/E/PES technologies. A clear delineation exists for mechanics, hydraulics, pneumatics and wear-affected electrical technologies (for which only EN ISO 13 849-1:2006 contains firm rules) on the one hand, and for architectures which differ significantly from the designated architectures (i.e. control categories) of EN ISO 13 849-1:2006 on the other (here EN IEC 62 061:2005 is competent, although with very frequent cross-references to EN IEC 61 508:2001). Furthermore there is a reference to the competence of EN IEC 62 061:2005 / EN IEC 61 508:2001 for PES development with Performance Level e, as long as no diversely designed software is used. Otherwise we clearly recommend EN ISO 13 849-1:2006 to our customers. The reason for the recommendation is that EN ISO 13 849-1:2006 consistently aims to simplify the complication resulting from the conversion to the Performance Level as far as possible for the user in machinery engineering (the price being that one may only move within the framework of the designated architectures), while EN IEC 62 061:2005 offers more options (but with frequent reference to EN IEC 61 508:2001). The simplification concept of EN IEC 62 061:2005 compared with EN IEC 61 508:2001 is to realise the SRP/CS from subsystems. In spite of everything, both standards are compatible with each other; they may be used alternatively or in combination.

EN ISO 13 849-1:2006 / EN IEC 62 061:2005 (comparison with EN 954-1:1996) Leaving aside the added complication, the clear advantage of the two new SRP/CS standards is that in future the user will have greater configuration scope. For example, in EN ISO 13 849-1:2006 there are 5 or possibly 6 different configuration possibilities for PL c, where in the past there would only have been CC 2. The following table lists the combinations (rounded down in the safe direction, corresponding to Table 7 of the standard):

PL | Designated architecture (CC) | Component quality (MTTFd per channel) | Diagnostic coverage (DCavg) | CCF management
a | CC B | low | none | not required
b | CC B | medium | none | not required
b | CC 2 | medium | low | yes!
b | CC 2 | low | medium | yes!
b | CC 3 | low | low | yes!
c | CC 1 | high | none | not required
c | CC 2 | high | low | yes!
c | CC 2 | medium | medium | yes!
c | CC 3 | medium | low | yes!
c | CC 3 | low | medium | yes!
d | CC 2 | high | medium | yes!
d | CC 3 | high | low | yes!
d | CC 3 | medium or high(1) | medium | yes!
e | CC 4 | high | high | yes!

(1) With a very high MTTFd (towards 100 years) PL e is reached; rounded down to PL d in the table.

PFH ranges of the Performance Levels (probability of a dangerous failure per hour, 1/h):
PL a: 10^-5 ≤ PFH < 10^-4
PL b: 3·10^-6 ≤ PFH < 10^-5
PL c: 10^-6 ≤ PFH < 3·10^-6
PL d: 10^-7 ≤ PFH < 10^-6
PL e: 10^-8 ≤ PFH < 10^-7

[Bar chart (Figure 5 of the standard): PL reached for MTTFd = low, medium and high in the columns Category B (DCavg none), Category 1 (DCavg none), Category 2 (DCavg low), Category 2 (DCavg medium), Category 3 (DCavg low), Category 3 (DCavg medium) and Category 4 (DCavg high); Categories 2 to 4 additionally require CCF measures]

A further difference to EN 954-1:1996 is the incorporation of the development and application of PES systems (SiSPSs, safety bus systems etc.) as well as the deliberate analysis of systematic faults (including CCF).

Symmetrising formula: see keyword "Addition of failure probabilities".

T10d value consideration: A T10d value consideration is likewise a new consideration in EN ISO 13 849-1:2006. The T10d value corresponds to 10 % of the B10d value and, when converted into years (y), is to be understood as information for the preventive replacement of devices affected by wear and tear. With the T10d value it is assumed that there will be a constant failure pattern for the device concerned over the respective period of time (similar to the middle phase of the bathtub curve). The information on a preventive device replacement of course only makes sense for MTTFd values where the 10 % point lies within the assumed mission time of an SRP/CS of 20 years. The T10d value consideration is no substitute for the regular inspections of work equipment according to the EC Use of Work Equipment Directive or, in Germany, the occupational safety regulations (BetrSichV). See also keyword "B10d values".
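As an added example (not from the brochure), the conversion of a manufacturer's B10d value into MTTFd and T10d and the check against the 20 y mission time; the relations n_op = d_op · h_op · 3600 / t_cycle, MTTFd = B10d / (0.1 · n_op) and T10d = B10d / n_op are those of Annex C of the standard, and all numeric inputs are constructed sample values.

```python
"""Added example, not from the brochure: B10d -> MTTFd and T10d for a
wear-affected component per EN ISO 13 849-1:2006 Annex C, plus the check
whether the T10d replacement point falls inside the 20 y mission time.
All numeric inputs used below are constructed sample values."""

MISSION_TIME_YEARS = 20.0   # assumed mission time of an SRP/CS


def operations_per_year(d_op, h_op, t_cycle_s):
    """Mean operations per year from days/year, hours/day and cycle time (s)."""
    if d_op <= 0 or h_op <= 0 or t_cycle_s <= 0:
        raise ValueError("d_op, h_op and t_cycle must be positive")
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d, n_op):
    """MTTFd in years: B10d is the 10 % dangerous-failure point, so
    MTTFd = B10d / (0.1 * n_op)."""
    return b10d / (0.1 * n_op)


def t10d_years(b10d, n_op):
    """T10d in years: time after which 10 % of the devices have failed
    dangerously, i.e. 10 % of MTTFd (B10d / n_op)."""
    return b10d / n_op


def wear_assessment(b10d, d_op, h_op, t_cycle_s):
    """Derived figures plus whether a preventive replacement falls inside the
    mission time (only then is the T10d information of practical use)."""
    n_op = operations_per_year(d_op, h_op, t_cycle_s)
    mttfd = mttfd_from_b10d(b10d, n_op)
    t10d = t10d_years(b10d, n_op)
    return {
        "n_op": n_op,
        "mttfd_years": mttfd,
        "t10d_years": t10d,
        "replace_within_mission_time": t10d < MISSION_TIME_YEARS,
    }


if __name__ == "__main__":
    # Constructed: B10d = 2 000 000 cycles, 365 d/y, 16 h/d, one cycle per minute.
    for key, value in wear_assessment(2_000_000, 365, 16, 60.0).items():
        print(f"{key}: {value}")
```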

Test equipment Test equipment serves fault detection (the diagnostic coverage) in SRP/CSs. It can be implemented in the channels of an SRP/CS, e.g. in the safety SPS or in the SRB module. They can also operate as external test equipment, independent of integration in the channels of an SRP/CS, for example within the functions of the operational SPS. In this case there are certain additional requirements placed on the test equipment, which however do not generally represent any insurmountable obstacles. See also BGIA wiring example 8.2.28 in this respect (page 76).

Transition period EN 954-1:1996 (and ISO 13 849-1:1999) will be withdrawn in December 2009. At the same time the standard loses the status of so-called presumption of conformity (i.e. to correctly interpret and substantiate the protective objectives of the EC Machinery Directive as intended by the legislator). Machines and machine control systems used for the first time as from 2010 should take the new standard into consideration, and in case of doubt continue to conform to the EC Machinery Directive. CAUTION: this also applies to existing constructions which are likewise marketed after this date. Realistically a prompt conversion will not be possible in some cases when one considers the lead times of large machines and machinery systems, for example. If the worst comes to the worst, courts may have to decide how to view such cases. It would certainly also be taken into account that EN 954-1:1996 has not been a bad standard or that EN ISO 13 849-1:2006 is not the safer standard (but rather takes a different approach). Irrespective of this, the rule of protecting vested rights applies for machines and machine control systems already in use.


Excerpt from an earlier brochure A new approach to machine safety: EN ISO 13 849-1:2006 Safety-related parts of control systems


Standard example according to Annex I of EN ISO 13 849-1:2006

The devices affected by wear and tear in the wiring example still have to be subjected to a B10d value consideration. We assume that the manufacturer information defined for this has already been converted accordingly.


[Figure 32: Iterative design and development process in accordance with prEN 13 849-1. Risk graph (S1/S2, F1/F2, P1/P2, starting point to gauge the risk reduction, from low risk to high risk) giving the required performance level PLr (a to e). Steps: (1) selection of the SF from the risk analysis (EN ISO 12 100-1); determination of the requirements of the SF; determination of PLr; design and identification of the SRP/CS; determination of the PL from category, MTTFd, DC and CCF; PL ≥ PLr? If yes: validation and, if not all SFs have been dealt with, back to the risk analysis; if no: iterate.]

Example
Firstly, the iterative design and development process in EN ISO 13 849-1:2006 is also present in a suitable version, as is the case with EN ISO 12 100-1, i.e. here too it is theoretically divided into 8 steps, beginning with the selection of a safety function (1), then via steps (2) to (7) to the decision whether the requisite PLr has been attained (8).

The above example (refer to Figure 33) relates to the interlocking of moving guards, i.e. a hazardous movement is stopped when the protective device is opened, with no re-engaging possible while open etc. (refer also to EN 1088: Safety of machinery, interlocking devices associated with guards, principles for design and selection).

[Figure 33: Selection and determination of safety function requirements. Example: interlocking of a guard; safety function: the hazardous movement is stopped when the guard door is opened.]


[Figure 34: Determining the PLr: risk graph (S1/S2, F1/F2, P1/P2, starting point for estimating the risk reduction, from low risk to high risk) giving the required performance level PLr = c.]

To determine the requisite performance level, the risk graph consideration in the new version of prEN 13 849-1 should result in a PLr of c (refer to Figure 34). Refer to Figure 35 for the discussion of an SRP/CS structure (designated architecture).

[Figure 35: Design and identification of an SRP/CS. Guard door (open/close) with two position switches: channel A consists of switch SW1B acting on relay K1B; channel B consists of switch SW2 read by the PLC (SPS), which controls the current converter CC of the motor M, with the rotation sensor RS fed back to the PLC as a control signal. Legend: CC: current converter; PLC: programmable logic controller; M: motor; RS: rotation sensor; P: switch (shown in actuated position).]


Based on the designated architecture in accordance with Figure 35 this means:

Figure 36: Determination of the PL: category
- Fulfils the requirements of category B.
- Single failures do not lead to loss of the SF? Partial fault detection.
- An accumulation of undetected faults does not lead to loss of the SF? (1st: the PLC (SPS) fails without being detected; 2nd: channel A fails) → Category 3 can be achieved.

Figure 37: Determination of the PL: MTTFd for channel A
- SW1B, positive opening contact: fault exclusion for non-opening of the contacts and for non-actuation of the switch due to mechanical failure (e.g. plunger break, wear and tear of the actuating lever, misalignment).
- K1B: MTTFd = 30 y (manufacturer's specification).

$$\frac{1}{MTTF_{d,C1}} = \frac{1}{MTTF_{d,K1B}} = \frac{1}{30\ \text{y}}$$

Channel 1: MTTFd = 30 y

Figure 38: Determination of the PL: MTTFd for channel B and total MTTFd
- SW2, PLC (SPS), CC: MTTFd = 20 y each (manufacturer's specification).

$$\frac{1}{MTTF_{d,C2}} = \frac{1}{MTTF_{d,SW2}} + \frac{1}{MTTF_{d,PLC}} + \frac{1}{MTTF_{d,CC}} = \frac{3}{20\ \text{y}}$$

Channel 2: MTTFd = 6.7 y

Because both channels in the example are constructed differently (refer to the SRP/CS structure), differing MTTFd values for the two channels A and B must first be determined and then symmetrised with each other:

$$MTTF_d = \frac{2}{3}\left[MTTF_{d,C1} + MTTF_{d,C2} - \frac{1}{\frac{1}{MTTF_{d,C1}} + \frac{1}{MTTF_{d,C2}}}\right]$$

MTTFd = 20 y (medium)

Below is an analysis of the diagnostic coverage (DC), Figure 39: Determination of the PL: DCavg
- DC_K1B = 99 %, high, due to the positively driven electric contacts (from the table in Annex E.1)
- DC_SW2 = 60 %, low, due to the monitoring of the input signals without dynamic tests (from the table in Annex E.1)
- DC_PLC = 30 %, none, due to the low effectiveness of the self-tests
- DC_CC = 90 %, medium, due to the reduced switch-off distance with actuator monitoring by the controller (refer to the table in Annex E.1)

$$DC_{avg} = \frac{\frac{DC_1}{MTTF_{d1}} + \frac{DC_2}{MTTF_{d2}} + \dots + \frac{DC_N}{MTTF_{dN}}}{\frac{1}{MTTF_{d1}} + \frac{1}{MTTF_{d2}} + \dots + \frac{1}{MTTF_{dN}}}$$

DCavg = 67 % (low)


Below is the determination of the CCF management (Figure 40: Determination of the PL: CCF). CCF: failures of various parts through common causes.
- Separation of the signal paths: 15 points
- Diversity: 20 points
- Protection against e.g. surge/overpressure: 0 points
- Tried and tested components: 5 points
- FMEA: 5 points
- Competence/training of the developer: 0 points
- EMC or filtering of the pressure medium and protection against contamination: 25 points
- Temperature, dampness, shock, vibration etc.: 10 points
= 80 points > 65 points

And finally the arrangement in the block diagram, i.e. the verification whether PL ≥ PLr (refer to Figure 41).

[Figure 41: Verification of whether PL ≥ PLr has been achieved: performance level chart (Category B, 1, 2, 2, 3, 3, 4 with DCavg = none, none, low, medium, low, medium, high; MTTFd = low, medium, high) giving PL = PLr = c.]

Remarks: naturally the meticulous breakdown into the individual stages of the above example has been somewhat exaggerated. Furthermore the example illustrates two differently constructed channels on both the sensor side and the logic side, and it thus looks rather more complex than those frequently used in practice. Nevertheless: this demonstrates the thoughts behind the new requirements of EN ISO 13 849-1:2006, although in the example no B10d value consideration was employed for the interlocking device (as an electromechanical device), which would actually be (more) accurate.
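The worked example of Figures 36 to 41 carried through in code, as an added example that is not part of the brochure: per-channel MTTFd by parts count, symmetrisation of the two channels, DCavg, the CCF score and the simplified category/DCavg/MTTFd-to-PL lookup of the standard (Tables 5 to 7). Component values and CCF points are those quoted in the brochure; the function names are our own.

```python
"""Added example, not the brochure's own code: the PL determination of the
worked example (Figures 36 to 41) carried through in Python. Component values
and CCF points are those quoted in the brochure; the class boundaries and the
(category, DCavg, MTTFd) -> PL table are the simplified procedure of
EN ISO 13 849-1:2006 (Tables 5 to 7)."""

PL_ORDER = "abcde"


def parts_count_mttfd(block_mttfds):
    """MTTFd of one channel: 1/MTTFd = sum over its blocks of 1/MTTFd_i."""
    return 1.0 / sum(1.0 / m for m in block_mttfds)


def symmetrise(mttfd_c1, mttfd_c2):
    """Symmetrised MTTFd of two differently built channels:
    MTTFd = 2/3 * [C1 + C2 - 1/(1/C1 + 1/C2)]."""
    return (2.0 / 3.0) * (mttfd_c1 + mttfd_c2
                          - 1.0 / (1.0 / mttfd_c1 + 1.0 / mttfd_c2))


def dc_avg(blocks):
    """Average DC over (DC, MTTFd) pairs of all blocks in both channels;
    blocks covered by a fault exclusion (here SW1B) are left out."""
    numerator = sum(dc / mttfd for dc, mttfd in blocks)
    denominator = sum(1.0 / mttfd for _, mttfd in blocks)
    return numerator / denominator


def mttfd_class(mttfd_years):
    """Table 5: low 3..<10 y, medium 10..<30 y, high 30..100 y.
    Values above 100 y are capped at 100 y (Annex K restriction)."""
    m = min(mttfd_years, 100.0)
    if m < 3:
        raise ValueError("MTTFd below 3 y is not acceptable")
    if m < 10:
        return "low"
    if m < 30:
        return "medium"
    return "high"


def dc_class(dc):
    """Table 6: none <60 %, low 60..<90 %, medium 90..<99 %, high >=99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Table 7 (simplified procedure): (category, DCavg class) -> MTTFd class -> PL.
# Combinations absent from the table are not covered by the standard.
TABLE_7 = {
    ("B", "none"): {"low": "a", "medium": "b"},
    ("1", "none"): {"high": "c"},
    ("2", "low"): {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"): {"high": "e"},
}


def performance_level(category, dcavg, mttfd_years, ccf_points):
    """PL reached by a designated architecture, or None if not covered.
    Categories 2, 3 and 4 additionally need at least 65 CCF points."""
    if category in ("2", "3", "4") and ccf_points < 65:
        return None
    row = TABLE_7.get((category, dc_class(dcavg)), {})
    return row.get(mttfd_class(mttfd_years))


def pl_reached(pl, pl_r):
    """True if the achieved PL is at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(pl_r)


# CCF points of Figure 40 (brochure values; 65 points are needed).
CCF_POINTS = {"separation of signal paths": 15, "diversity": 20,
              "protection against surge/overpressure": 0,
              "tried and tested components": 5, "FMEA": 5,
              "competence/training of the developer": 0,
              "EMC / filtering of the pressure medium": 25,
              "temperature, dampness, shock, vibration": 10}


def worked_example(pl_r="c"):
    """Figure 35 structure: channel A = K1B (SW1B is fault-excluded),
    channel B = SW2 + PLC + CC at 20 y each; category 3 per Figure 36."""
    ch_a = parts_count_mttfd([30.0])              # K1B, 30 y
    ch_b = parts_count_mttfd([20.0, 20.0, 20.0])  # SW2, PLC, CC -> 6.7 y
    mttfd = symmetrise(ch_a, ch_b)                # about 20.8 y (medium)
    dcavg = dc_avg([(0.99, 30.0),   # K1B: positively driven contacts
                    (0.60, 20.0),   # SW2: input monitoring, no dynamic tests
                    (0.30, 20.0),   # PLC: low self-test effectiveness
                    (0.90, 20.0)])  # CC: actuator monitoring by the controller
    ccf = sum(CCF_POINTS.values())                # 80 points
    pl = performance_level("3", dcavg, mttfd, ccf)
    return {"mttfd_channel_b": ch_b, "mttfd": mttfd, "dcavg": dcavg,
            "ccf_points": ccf, "pl": pl, "reached": pl_reached(pl, pl_r)}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```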


Schmersal/Elan data sheets:
- Foregoing an additional monitoring switch for interlocking devices (physical redundancy vs. electronic redundancy)
- One should not throw the baby out with the bathwater!
- EN ISO 13 849-1:2006: on the subject of diagnostic coverage with simple series connections of electromechanical safety sensors and safety switches


Waiving of an additional monitoring switch for interlocking devices (physical redundancy vs. electrical redundancy for CC 3 or PL d)

2nd switch: yes/no?

Device groups (range, operating principle):
- Safety switches with separate actuators: AZ range and similar; operating principle: electromechanical
- Safety guard locks with separate actuators: AZM range and similar; operating principle: electromechanical
- Hinge switches: TESF range and similar; operating principle: electromechanical
- BNS magnetic switches: BNS range; operating principle: contactless
- CSS-based electronic devices: CSS, AZ/AZM 200, MZM range; operating principle: pulse-echo principle

Max. CC/PL:
- AZ and AZM ranges: without 2nd switch: max. CC 3, PL d
- TESF range: stand alone: max. CC 4, PL e; no 2nd switch required
- BNS range and CSS-based devices: stand alone: max. CC 4, PL e; no 2nd switch required (see also product standard IEC EN 60 947-5-3: classification as PDF-M)

Relating only to SRP/CS(1) standardisation EN 13 849-1/2 (BUT: the C-standard has priority!), fault exclusion required (see reverse)?
- AZ and AZM ranges: Yes! Particularly careful consideration recommended; specific fault exclusion documentation required: Yes!
- TESF, BNS and CSS-based devices: No!

In terms of their design features and their technical data, our devices correspond to the relevant requirements. In addition (also see reverse) please adhere to GEP(2)!

Additional Schmersal/Elan recommendations if use is made of fault exclusion:
- Hazard must be visible (no radiation etc.)
- Stress-free interaction between actuator and device
- Installation site free from risk and permeation of dirt/foreign particles etc.
- Form-fit working effect of the actuator (one piece of punched metal respectively; in the case of flexible actuators additionally a form-fit assembly of the parts)
- Actuator fixing into a stable material
- Start-up test (recommendation)
To be additionally heeded for devices with guard locking:
- Devices with fail-locking mechanism
- Observance of the max. permissible extraction forces

Requirements of other standards to be observed: AMD 1(3) to EN 1088:1996 (additional measures vs. manipulation), EN ISO 13 849-1:2006, EN 1088:2007

Remarks (additional precautions against manipulation):
- AZ range: Yes (see suggestions overleaf), with the exception of -i versions = individually coded versions (AZ-i etc.); 2-channelled signal processing; no mechanical end-stop
- AZM range: Yes (see suggestions overleaf), with the exception of -i versions = individually coded versions (AZ-i etc.); 2-channelled signal processing; no mechanical end-stop
- TESF and BNS ranges: non-detachable fixing; Yes (see suggestions overleaf); 2-channelled signal processing; no mechanical end-stop
- CSS-based devices: Yes (see suggestions overleaf), except AZM 200 with B30 actuator; 2-channelled signal processing; no mechanical end-stop, with the exception of MZM 100

(1) SRP/CS: Safety-Related Parts of Control Systems; (2) GEP: Good Engineering Practices; (3) integrated in EN 1088:2007

GEP (Good Engineering Practices):
- Observance of the basic and well-tried safety principles in accordance with Annexes A and D of EN ISO 13 849-2:2003
- Observance of the technical data and installation information in accordance with the operating instructions of the devices
- Validation of the SRP/CS in accordance with EN ISO 13 849-2:2003

Additional precautions against manipulation (optional, but at least 1 of these):
- Non-detachable actuator / possibly fixing for the device (rivet, weld, tamper-proof screws)
- Concealed device installation
- Pivot point installation
- Individually coded actuators
- Additional monitoring switch
- Control-related measures (start-up testing, plausibility tests etc.)
Basics/further information: AMD 1 of EN 1088:1996 (integrated in EN 1088:2007)

Fault exclusion consideration. Basis: EN ISO 13 849-1:2006 Section 7.3 in connection with EN ISO 13 849-2:2003 Section 3.2.

Does not open with positive opening contacts: permissible fault exclusion in accordance with Table D.8 of EN ISO 13 849-2:2003.

Mechanical fault: permissible fault exclusion in accordance with Table A.4 of EN ISO 13 849-2:2003. Assumed fault / fault exclusion:
- Wear/corrosion: Yes, if material, (over)dimensioning, manufacturing process, treatment process and suitable lubrication have been carefully selected in accordance with the established service life (see also Table A.2).
- Do not tighten/loosen: Yes, if material, manufacturing process, locking devices and treatment process have been carefully selected in accordance with the established service life (see also Table A.2).
- Breakage: Yes, if material, (over)dimensioning, manufacturing process, treatment process and suitable lubrication have been carefully selected in accordance with the established service life (see also Table A.2).
- Deformation through excess strain: Yes, if material, (over)dimensioning, manufacturing process and treatment process have been carefully selected in accordance with the established service life (see also Table A.2).
- Stiff/gets stuck: Yes, if material, (over)dimensioning, manufacturing process, treatment process and suitable lubrication have been carefully selected in accordance with the established service life (see also Table A.2).

Revision of EN ISO 13 849-2 (in preparation): fault exclusion "mechanical fault" no longer permitted for PL e!

Elan Schaltelemente GmbH & Co. KG, Im Ostpark 2, D-35435 Wettenberg. Telephone: +49 (0)641 9848-0; Facsimile: +49 (0)641 9848-420; Email: info-elan@schmersal.com; Internet: www.elan.de

K.A. Schmersal GmbH, Industrielle Sicherheitsschaltsysteme, Möddinghofe 30, D-42279 Wuppertal. Telephone: +49 (0)202 6474-0; Facsimile: +49 (0)202 6474-100; Email: info@schmersal.com; Internet: www.schmersal.com

Liability: The information and recommendations in this information sheet are provided according to the best of our knowledge and in good faith. However they do not absolve the user from his responsibility to conduct his own test and weigh up the different aspects involved. With the exception of contrary and mandatory statutory provisions, we shall assume no liability for any errors and misunderstandings in this information sheet.

Edited by Friedrich Adams, K.A. Schmersal Holding GmbH & Co. KG, Head of Schmersal tec.nicum. Telephone (mobile): +49 (0)178 6474-051; Telephone (Wuppertal): +49 (0)202 6474-700; Telephone (home office): +49 (0)6406 8362-37; Facsimile (Wuppertal): +49 (0)202 6474-700719; Facsimile (home office): +49 (0)6406 8362-38; Email: fadams@schmersal.com


We shouldn't throw the baby out with the bathwater!*

* Saying (already used by Luther and Thomas Murner)! A figurative phrase to express the fact that if we are over-eager we are in danger of rejecting the good along with the bad!

EN ISO 13 849-1:2006: On the question of the degree of diagnostic coverage in the case of simple series connections (daisy-chain connections) of electromechanical safety sensors and safety switches

Concerns: electromechanical safety switches and interlocks (with/without guard locking), safety magnetic switches, e-stop control devices etc. arranged 2-channelled in a simple series connection (daisy-chain connection), i.e. simple single devices with a safety function that are monitored for failures, faults and inconsistencies by safety relay modules, safety PLCs etc. Please also note in the case of safety magnetic switches that their connection to an evaluator from a different brand takes place on the user's own responsibility and that, as is always required for devices of this nature, a safe current and voltage limitation must be guaranteed that corresponds to the technical data of the devices.

When applying EN ISO 13 849-1:2006 we recommend that our customers take a diagnostic coverage (DC) of 60 % as a basis for switching systems of this nature, insofar as the remaining requirements for Control Category 3 are satisfied.

The (rather conservative) approach of DC 60 % makes it possible for simple series connections (a 2-channelled architecture that corresponds to Control Category 3 and where a high hardware reliability MTTFd is a prerequisite) to achieve a Performance Level (PL) d. This recommendation simultaneously results in downwards compatibility to EN 954-1:1996, which made it possible to classify tried and tested circuits like these in Control Category 3. On the other hand a DC of 60 % blocks an assessment of PL e due to a residual risk in which a hazardous failure accumulation cannot be completely excluded. Whereas single-failure safety with appropriate failure detection (some but not all failures are detected) is required for CC 3, CC 4 requires that a failure may not lead to the loss of the safety function (single-failure safety as for CC 3) and that (to a qualified extent) all failures must be detected in good time. Our recommendation of a restriction to PL d does not refer to the subsystem (inputs) only; it refers to the entire PL as well (even if a PL e can be calculated). It is undisputed that additional failure detection measures are necessary for simple series connections to be classified as PL e, for example: the incorporation of a PLC used in normal operating conditions (see the BGIA switching example on the back); optionally the deployment of our PROTECT-IE input extension modules with the corresponding signal-processing extender (see documentation); individual evaluation and dispensing with the series connection. As an alternative, devices that operate electronically come into question (e.g. devices from Schmersal's CSS range). The information on the back demonstrates the considerations behind our decision in favour of the DC level of 60 % that we propose and shows that even a failure accumulation in simple series connections, with one exception, does not lead to hazardous states if this is based on a balanced overall consideration that takes into account all potential failure possibilities and application conditions.

The question does not affect series connections of electronic safety sensors with and without latching (CSS range) that have their own (implemented) capabilities for failure detection (always PL e, DC 99 %), nor simple single devices (as mentioned above) if these are integrated into a safety bus system; e.g. with ASi-SaW (AS-i Safety at Work) these can generally likewise be calculated with 99 % DC.

DC = probability-based value of the efficacy of the diagnostic functions (failure detecting measures); DC expresses the relationship between the detected dangerous failures and the total number of dangerous failures with respect to the total failure rate of a component (λ or 1/MTTFd).
[Figure: Performance level as a function of category, DCavg and MTTFd (PFH bands (1/h): PL a 10^-5 to 10^-4, PL b 3·10^-6 to 10^-5, PL c 10^-6 to 3·10^-6, PL d 10^-7 to 10^-6, PL e 10^-8 to 10^-7; Category B, 1, 2, 2, 3, 3, 4 with DCavg = none, none, low, medium, low, medium, high; MTTFd = low, medium, high; + CCF), with the recommended DC = 60 % marked.]

Dear Reader! Please note that the opinion which we have analysed carefully and put to paper here is not universally shared in the sector. We respect these doubts without sharing them; our view is rather to refer the objections to the area of risk assessment. If, after opening the protective safeguard, an operator regularly (F2*) has to handle stationary dangerous tools or machine parts, e.g. blades or squeegees, and a sudden machine restart (P2*) can lead to serious injuries (S2*), we recommend classifying the safety function "unexpected restart inhibit" as required Performance Level PLr = e.
* See risk graph in accordance with EN ISO 13 849-1

[Figure: Starting point for the consideration: protective devices 1 and 2, each with two safety contacts (B1/B2 and B3/B4; A = representation in actuated position; P = positively driven contact, shown for the closed and the open door position) in a two-channel series connection to the protective module (K1, K3), which switches the contactors Q1/Q2 of the motor M 3~.]

Consideration 1: Requirements for failure detection in accordance with EN ISO 13 849-1:2006

How is diagnostic coverage defined? The degree of diagnostic coverage describes the capability for fault detection and is given as a percentage (0 %: no failure detection; 99 %: failures are detected in good time, accumulations of failures are taken into account).

Which failures are possible in the above case? (Columns: failure possibility | safe state / failure detection on the 1st failure | DC in % | remark)
- Earth fault: detected by the downstream logic | Yes! | 99 |
- Cross-fault: detected by the downstream logic (or can be excluded with protected line installation or cross-fault recognition) | Yes! | 99 |
- Short circuit via a safety contact (worst case) | Yes! | 49.5 for 2 devices in series, 66 as from 3 devices in series | Diagnostic overwriting (masking) possible!
- Other short circuits | Yes! | 99 | Also in the worst case!
- ERGO: minimum DC as the average of all failure possibilities | | > 60 | Qualified!
- Failure accumulation (2nd failure ff.): safe state depends on the failure sequence | Yes! | 99 | Max. 3-failure consideration

BGIA switching example for PL e through additional integration of a PLC used in normal operating conditions for failure diagnosis in series connections

[Figure: the same two protective devices (contacts B1 to B4), whose signals are additionally read by inputs I1.0 to I1.4 of the operational PLC; the PLC output O1.1 drives the auxiliary contactor K2 in addition to the protective module (K1, K3) and the contactors Q1/Q2 of the motor M 3~. In this arrangement all the failure possibilities listed above are detected on the 1st failure and on the 2nd failure ff.: DC 99 %.]

Consideration 2: Switching examples related to short circuits on safety contacts

[Figure: Starting point for the consideration: guard door 1 (contacts S1.1, S1.2) and guard door 2 (contacts S2.1, S2.2) in a two-channel series connection to the evaluation module (K1, K2); failure accumulation versions 1, 2 and 3 show the contact short circuits discussed below.]
First failure: short circuit via contact S1.1 (safeguard 1). Safeguard 1 is opened: the module switches off, single-channelled; operational hurdle; DC 99 %.

Failure elimination (resetting of the failure recognition): safeguard 2 is opened; the module switches off, 2-channelled; renewed start possible.

Failure accumulation version 1. Second failure in safeguard 2: short circuit via S2.1. Analysis: any safeguard is opened; the module switches off, single-channelled; operational hurdle (correct safety-related reaction, no restart possible).
PS: A further safeguard would have to be opened to overwrite the failure. A hazardous state requires a 3rd (and, in the case of more safeguards, possibly further) failure!

Failure accumulation version 2. Second failure on safeguard 2: short circuit via S2.2. Analysis: any safeguard is opened; the module switches off, single-channelled; operational hurdle (correct safety-related reaction, no restart possible).
PS: A hazardous state only follows the occurrence of a 3rd failure (in the case of more safeguards possibly further failures are required)!

Failure accumulation version 3. Second failure on safeguard 1: short circuit via S1.2. Analysis: safeguard 1 is opened; the module does not switch off: hazardous state! Safeguard 2 is opened; the module switches off, 2-channelled; renewed start possible.

PS: For applications where any first fault is always overwritten for operational reasons, e.g. for double doors or similar, we recommend additional fault detection measures where safety magnetic switches are deployed (see loc. cit.). This information can be ignored for electromechanical devices with positive break contacts.

Excursus: Managing the restriction of PFHd to 100 y MTTFd in Annex K of EN ISO 13 849-1:2006


For complex safety functions, the restriction of the PFHd to 100 y MTTFd in Annex K of EN ISO 13 849-1:2006 can become an obstacle. The same is possible if various subsystems in a safety function have themselves been calculated in part (using the CC, MTTFd and DC) and are partly based on the information of safety component manufacturers with the sub-PL specification and PFHd value. Assuming you have 5 subsystems with control category 4 (CC 4), an MTTFd value (with homogeneous channels) of 200 y each and a diagnostic coverage of 99 % (high) and, for lack of other information, you refer to the MTTFd value rounded off (down) to 100 y as set out in Annex K of EN ISO 13 849-1:2006, this would produce a value per subsystem of 2.47·10^-8, i.e. a total of 1.2·10^-7 for 5 subsystems. However with this PFHd value you would only achieve PL d (1·10^-6 ... 1·10^-7), purely because of rounding down five times, although your safety function is actually better (namely corresponding to a PFHd value of 6·10^-8). Even with 4 subsystems you arrive at the borderline area between PL e and PL d. More than 2 subsystems are also critical for a PL c (even if the 100 y rounding off is not a relevant factor here).

SuSy 1: 2.47·10^-8; SuSy 2: 2.47·10^-8; SuSy 3: 2.47·10^-8; SuSy 4: 2.47·10^-8; SuSy 5: 2.47·10^-8; Σ = 12.35·10^-8 (1.235·10^-7)

In these cases the subsystems can be combined using the formulae in EN ISO 13 849-1:2006 (see et seq.) as follows:

$$\frac{1}{MTTF_d} = \sum_{i=1}^{N} \frac{1}{MTTF_{d,i}}$$

possibly, for two differently built channels, after symmetrising:

$$MTTF_d = \frac{2}{3}\left[MTTF_{d,C1} + MTTF_{d,C2} - \frac{1}{\frac{1}{MTTF_{d,C1}} + \frac{1}{MTTF_{d,C2}}}\right]$$

[Figure: five subsystems, each Cat. 4, DC 99 %, MTTFd 200 y, combined into one subsystem: Cat. 4, DC 99 % (high), MTTFd-S: 40 y, PFHd in accordance with Annex K: 7.11·10^-8]

The control category of the entire system corresponds to CC 4 because all subsystems correspond to CC4 (otherwise the CC would correspond to the weakest link in the chain); the MTTFd values of the individual subsystems were added using the parts-count method (where necessarily symmetrised beforehand), i.e. the total corresponds to 40 y MTTFd per channel and would result in 99 % as DCavg (see formula loc. cit.). This means that in accordance with Annex K of EN ISO 13 849-1:2006 an overall consideration of the subsystems would produce a PFHd value of 7.11 10 8. PFHd values of other systems with manufacturer specifications can then be added to this value.


Example 2 This approach is also possible with different structures of subsystems. A mixtum compositum of subsystems with CC3 and CC4 and different diagnostic coverages is set out below (although for reasons of simplicity we have left the same MTTFd values of 200 y per channel).

Weakest link, DCavg according to:

$$DC_{avg} = \frac{\frac{DC_1}{MTTF_{d1}} + \frac{DC_2}{MTTF_{d2}} + \dots + \frac{DC_N}{MTTF_{dN}}}{\frac{1}{MTTF_{d1}} + \frac{1}{MTTF_{d2}} + \dots + \frac{1}{MTTF_{dN}}}$$

See page 142.

[Figure: subsystems Cat. 3 (DC 90 %) + Cat. 4 (DC 99 %) + Cat. 3 (DC 60 %) + Cat. 4 (DC 99 %) + Cat. 3 (DC 90 %), MTTFd 200 y each, combined into one subsystem: Cat. 3, DC 88 % (low), MTTFd-S: 40 y, PFHd in accordance with Annex K: 4.53·10^-7 (PL d)]

Taking the theory of the weakest link into consideration, a DCavg according to the formula and an MTTFd of 40 y added using the parts count method produces a PFHd value of 4.53·10^-7 (PL d).

Using the SISTEMA tool produces the same results if you combine several blocks (BLs) and elements (ELs) together under one subsystem.
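The two examples of the excursus carried through in code, as an added example that is not the brochure's own: approach 1 caps every subsystem at 100 y, looks each one up and adds the PFHd values; approach 2 first merges the subsystems (weakest-link category, DCavg, parts-count MTTFd) and looks up once. ANNEX_K_EXCERPT contains only the three Annex K values the brochure quotes, so the lookup raises for any other combination.

```python
"""Added example, not the brochure's own code: the Annex K excursus in code.
Approach 1 looks up every subsystem separately with its MTTFd capped at
100 y and adds the PFHd values; approach 2 first merges the subsystems
(weakest-link category, DCavg, parts-count MTTFd) and looks up once.
ANNEX_K_EXCERPT holds only the three Annex K values quoted in the brochure;
the standard's full table is not reproduced here."""

# PL bands of the PFHd scale (1/h): lower bound inclusive, upper exclusive.
PL_BANDS = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]

# (category, DCavg class, MTTFd per channel in whole years) -> PFHd in 1/h.
# Values as quoted in the brochure for Annex K of EN ISO 13 849-1:2006.
ANNEX_K_EXCERPT = {("4", "high", 100): 2.47e-8,
                   ("4", "high", 40): 7.11e-8,
                   ("3", "low", 40): 4.53e-7}

CATEGORY_RANK = {"B": 0, "1": 1, "2": 2, "3": 3, "4": 4}


def pl_from_pfhd(pfhd):
    """Performance level whose band contains the PFHd value, else None."""
    for pl, lower, upper in PL_BANDS:
        if lower <= pfhd < upper:
            return pl
    return None


def dc_class(dc):
    """DC classes: none <60 %, low 60..<90 %, medium 90..<99 %, high >=99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def annex_k_pfhd(category, dcavg, mttfd_years):
    """Annex K lookup with the 100 y restriction on MTTFd per channel."""
    key = (category, dc_class(dcavg), int(round(min(mttfd_years, 100.0))))
    if key not in ANNEX_K_EXCERPT:
        raise KeyError(f"Annex K value for {key} is not quoted in the brochure")
    return ANNEX_K_EXCERPT[key]


def sum_of_subsystems(subsystems):
    """Approach 1: subsystems = [(category, DC, MTTFd per channel in y), ...];
    each one is capped and looked up on its own, then the PFHd values are added."""
    return sum(annex_k_pfhd(cat, dc, mttfd) for cat, dc, mttfd in subsystems)


def combined_subsystem(subsystems):
    """Approach 2: weakest-link category, DCavg over all subsystems and the
    parts-count MTTFd of the whole chain, then a single Annex K lookup.
    Returns (PFHd, (category, DCavg, MTTFd))."""
    category = min((cat for cat, _, _ in subsystems), key=CATEGORY_RANK.get)
    inverse_sum = sum(1.0 / mttfd_i for _, _, mttfd_i in subsystems)
    mttfd = 1.0 / inverse_sum
    # rounded to avoid a floating-point value just below a class boundary
    dcavg = round(sum(dc / mttfd_i for _, dc, mttfd_i in subsystems)
                  / inverse_sum, 6)
    return annex_k_pfhd(category, dcavg, mttfd), (category, dcavg, mttfd)


# Example 1 of the excursus: five identical Cat. 4 subsystems.
FIVE_CAT4 = [("4", 0.99, 200.0)] * 5
# Example 2: mixed Cat. 3 / Cat. 4 subsystems with differing DC.
MIXED = [("3", 0.90, 200.0), ("4", 0.99, 200.0), ("3", 0.60, 200.0),
         ("4", 0.99, 200.0), ("3", 0.90, 200.0)]


if __name__ == "__main__":
    total = sum_of_subsystems(FIVE_CAT4)
    print(f"approach 1, example 1: {total:.3e} 1/h -> PL {pl_from_pfhd(total)}")
    for name, chain in (("example 1", FIVE_CAT4), ("example 2", MIXED)):
        pfhd, (cat, dcavg, mttfd) = combined_subsystem(chain)
        print(f"approach 2, {name}: Cat. {cat}, DCavg {dcavg:.1%}, "
              f"MTTFd {mttfd:.0f} y -> {pfhd:.3e} 1/h -> PL {pl_from_pfhd(pfhd)}")
```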


Publisher: K.A. Schmersal GmbH, Industrielle Sicherheitsschaltsysteme, Möddinghofe 30, D-42279 Wuppertal; P.O. Box 240263, D-42232 Wuppertal. Telephone: +49 (0)202 6474-0; Facsimile: +49 (0)202 6474-100; Email: info@schmersal.com; Internet: www.schmersal.com
Elan Schaltelemente GmbH & Co. KG, Im Ostpark 2, D-35435 Wettenberg; P.O. Box 1109, D-35429 Wettenberg.  Telephone: +49 (0)641 9848-0; Facsimile: +49 (0)641 9848-420; Email: info-elan@schmersal.com; Internet: www.elan.de

Editor: Friedrich Adams, K.A. Schmersal Holding GmbH & Co. KG, Manager Schmersal tec.nicum. Telephone (mobile): +49 (0)178 6474-051; Telephone (Wuppertal): +49 (0)202 6474-700; Telephone (home office): +49 (0)6406 8362-37; Facsimile (Wuppertal): +49 (0)202 6474-700719; Facsimile (home office): +49 (0)6406 8362-38; Email: fadams@schmersal.com

Production flick-werk Werbe-Grafik Heinz Flick, D-35075 Gladenbach


Safety Technology
System safety protection for man and machine

Intervention in the working process of a machine by people is often unavoidable, for example when filling, removing, cleaning and servicing. In such cases the safety of the operator must be guaranteed. This responsibility falls to the machine operating company, something also required by machine safety standards and guidelines throughout the world. With its products, the Schmersal Group has been working for safety in the workplace for many years, and today offers industry the world's widest range of safety switching devices and systems to protect man and machine. The companies in the Schmersal Group develop and manufacture safety switching devices according to the principle of "system safety protection for man and machine"; these address the principles of the system and can be optimally integrated into work processes. Because we are convinced that safety does not run counter to greater productivity.

The extremely comprehensive product range can primarily be explained by orienting development and product management to the customer: several products are developed or adapted to specific application conditions according to customer wishes. In addition our product portfolio has been substantially enlarged by the development from an individual enterprise to an efficient group. Today the Schmersal Group presents itself as a globally operating network of companies, where each is a centre of competence that concentrates on specific areas of safety switching devices and systems. In this way the Schmersal Group can offer its customers system safety and protection for man and machine.


More Details

Detailed information on our products can be found on the internet at www.schmersal.com, while detailed technical information is available at www.schmersal.net

Online documentation in six languages We are continually expanding our online services for customers. The entire catalogue is available on the net in six languages. However, it is not just up-to-date technical data on the entire product range that can be accessed round the clock. It is also possible to view or download declarations of conformity, test certificates and assembly instructions.

Service for the design engineer Technical drawings of products are also available from the online catalogue. This is a special service for the design engineer who can download drawings and transfer them straight into his CAD system. What is more, he can also find up-to-date information on a wide range of subjects on the Schmersal homepage, for example technical reports on machine safety and information on training courses and events. Our tip: it is worth taking a look! The direct line Of course you can also just give us a ring if you need further information or wish to speak to us:

Tel.: +49 (0)202 6474-0


We will be happy to advise you!



1.000 / W / 04.2011 / 1208294 / Edition 02
