PLe Type4

Safety Light Curtain

GL-R Series

Safety Support
Guide Book
Vol. 2 Performance Level

PLe Type4 PLe Type4 PLd Type3

Safety Light Curtain Safety Light Curtain Safety Laser Scanner
Slim type GL-SS Flat type GL-SF SZ Series
 Safety Support
Guide Book

2
INDEX
Vol. 1 Safety Standards and Machine Design
01 History of Safety Standards
Background of Increased Focus on Safety
Reason for Using ISO/IEC Standards

02 Organizational Diagram of Safety Standards

International Standards of Machine Safety
Principal Safety Standards

03 Risk and Safety

Occurrence of Risk
Tolerable Risk
What Is Risk Assessment?

04 Machine Design Process

Applying the A/B/C Standards
Risk Assessment
3-step Method and Protective Measures
Example of Implementing the 3-step Method and Protective Measures

Vol. 2 Performance Level

01 ISO 13849-1 Revisions  P. 4
Overview of Revision

02 PL (Performance Level)  P. 6
PLr and PL (From ISO 13849-1:2006)

03 PL Parameters  P. 7
MTTFd
DC (Diagnostic Coverage)
CCF
Determination of PL

Vol. 3 Installation of Safety Equipment

01 Light Curtain Installation and Safety Distance (Minimum Distance)
02 Light Curtain Installation and Safety Distance
03 Laser Scanner Installation and Safety Distance
04 Wiring Examples Using Safety Controllers for Different Categories

3
 01 ISO 13849-1 Revisions

Background of Revision

ISO 13849-1 (Safety of machinery - Safety-related parts of control systems - General principles for design), an international
standard, was revised in 2006. As the background of the revision, semiconductor parts such as transistors and MOS-FETs have been
put to use in the safety machinery that composes the safety-related parts of control systems, which represents a change in control
methods from control by way of hard wiring to control by way of software. In the conventional way of thinking about categories,
safety was determined according to system architectures (structures) that used mechanical safety devices and relays with forcibly
guided contacts, so it could not be said that sufficient thought was given to safety attributable to the reliability of parts. Under these
circumstances, attempts were made to regulate mechanical safety according to functions and reliability from around the year 2000.
This way of thinking is called functional safety. ISO 13849-1:2006 is a standard that revises ISO 13849-1:1999, which was based
on the conventional standard EN 954-1, by adding details from IEC 61508 (IEC 62061), which defined functional safety.

EN 954-1 Functional safety of electrical/

ISO 13849-1:2006
(ISO 13849-1:1999) electronic/programmable
Category
PL; Average probability of electronic safety-related systems
dangerous failure per hour IEC 61508/IEC 62061
SIL; Average frequency of a dangerous
failure of the safety function

Overview of Revision

Safety Category was defined in ISO 13849-1: 1999. It is classification of the safety-related parts of a control system in respect of
their resistance to faults and their subsequent behavior in the fault condition, and which is achieved by the structural arrangement of
the parts and/or by their reliability.
Performance level (PL) was introduced in ISO 13849-1: 2006, which is quantitatively expressed as the reliability of safety-related
parts of a control system, including diagnostic coverage or failure rate.

ISO 13849-1:1999 ISO 13849-1:2006

PL
e

Low High d

c
B 1 2 3 4
b
Category
a

B 1 2 3 4
Category

4
 Safety Support
Guide Book

Reference: Requirements before Revisions

ISO 13849-1: 1999 specified the determination method of category and its requirements.

Short explanation on the Category selection

Symbol Symbol details Parameter Hazard
parameter
Level
B 1 2 3 4
Severity of injury Slight (normally reversible) S1
S1 I
injury
S P1
Serious (normally irreversible) F1 II
S2 Start
injury including death P2
III
Frequency and/or F1 Seldom to quite often exposure P1
exposure time to the time is short S2 IV
F hazard P2
F2 Frequent to continuous F2 V
exposure time is long
: Measures which can be over dimensioned for the relevant risk
Possibility of avoiding P1 Possible
P the hazard : Preferred categories for reference points
P2 Scarcely possible
: Possible categories which can require additional measures
: Unacceptable categories

Explanation of symbols
The following is a criteria for each parameter according to AISI/RIA R15.06.

S: In a case where it requires more F: In a case where typical exposure P: In a case where robot speed is
than first-aid, including absence to the hazard more than one per greater than 250 mm 9.84"/s, P2
from work, S2 would be assigned. hour, F2 would be assigned. would be assigned.

Category requirements defined by ISO 13849-1

Category Summary of requirements System behavior

Safety-related parts of control systems and their protective equipment shall be The occurrence of a fault can lead to the loss of the safety function.
B designed, constructed, selected, assembled, and combined in accordance with
relevant standards so that they can withstand the expected influence.

Requirements of B shall apply. The occurrence of a fault can lead to the loss of the safety function,
1
Well-tried components and well-tried safety principles shall be used.* but the probability of occurrence is lower than for category B.

Requirements of B and the use of well-tried safety principles shall apply. The occurrence of a fault can lead to the loss of the safety function
2 The safety function shall be checked at suitable intervals by the machine control between the checks.
system. The loss of the safety function is detected by the check.

Requirements of B and the use of well-tried safety principles shall apply. When a single fault occurs, the safety function is always performed.
Safety-related parts shall be designed so that Some, but not all, faults will be detected.
3 - a single fault in any of these parts does not lead to the loss of the safety function Accumulation of undetected faults can lead to the loss of the safety
and function.
- whenever reasonably practicable, the single fault is detected.

Requirements of B and the use of well-tried safety principles shall apply. When the faults occur, the safety function is always performed.
Safety-related parts shall be designed so that The faults will be detected in time to prevent the loss of the safety
- a single fault in any of these parts does not lead to the loss of the safety function function.
4 and
- single faults are detected at or before the next demand upon the safety function,
but that if this detection is not possible, an accumulation of undetected faults shall
not lead to the loss of the safety function.

* Well-tried safety principles are, for example, 1) avoidance of certain faults (ex. avoidance short-circuit by separation), 2) reducing the probability of faults (ex. over-dimensioning or underrating of components), 3) by orientating the mode of fault
(ex. by ensuring an open circuit in the event of fault), 4) detect faults very early, and 5) restrict the consequences of a fault (ex. earthing of the equipment).

5
 02 PL (Performance Level)

PLr and PL (From ISO 13849-1:2006)

The performance level (PL) is a value used to define the ability Performance Level Probability of Dangerous
of safety-related parts of control systems to perform a safety (PL) Failure per Hour (PFHd) 1/h

function under foreseeable conditions.

10-5 and <10-4
a
On the other hand, the required performance level (PLr) is (0.001% to 0.01%)
used in order to achieve the required risk reduction for each
3 10-6 and <10-5
safety function. b
(0.0003% to 0.001%)
Therefore, the performance level (PL) of safety-related parts of
10-6 and <3 10-6
a control system must be equal to or higher than the required c
(0.0001% to 0.0003%)
performance level (PLr).
10-7 and <10-6
d
(0.00001% to 0.0001%)

10-8 and <10-7

e
(0.000001% to 0.00001%)

Determination of Required Performance Level (PLr)

For each safety function to be carried out by a safety-related parts of a control system, the required performance level (PLr)
must be determined, which is based on the following three parameters:

Severity of injury Frequency and/or exposure Possibility of avoiding

S F P
to hazard hazard or limiting harm
S1: Slight
F1: Seldom-to-less-often and/or exposure time is short P1: Possible under specific conditions
S2: Serious
F2: Frequent-to-continuous and/or exposure time is long P2: Scarcely possible
(such as irreversible injuries and death)

Severity of
injury

Frequency and
exposure time S1 S2

Possibility Evaluation example

F1 F2 F1 F2
of avoiding
hazard The PLr is determined to be c for the following case.
P1 P2 P1 P2 P1 P2 P1 P2
Severity of injury: Serious (S2)

Degree Frequency: Seldom (F1)

of risk
Possibility of avoiding: Possible (P1)

PLr a b c d e

6
 03
Safety Support
Guide Book
PL Parameters

PL Parameters

For each safety-related part of the control system and/or the combination thereof that performs a safety function, the performance
level (PL) must be determined (evaluated) by the estimation of the following principal aspects: 1) Category (Structure), 2) DC, 3)
MTTFd, and 4) CCF.

Parameter Details Level

Category is the basic parameter used to achieve a specific PL. This states the required B
behavior of the safety-related parts of the control system in case of a fault. 1
Category (See category description below for additional detail.) 2
3
4
This is the diagnostic coverage of the safety-related control system. The value of the DC is High (99%)
PL DC
given in four levels. (see page 8 for additional detail.) Medium (90% to 99%)
Low (60% to 90%)
None (<60%)
This is the mean time to dangerous failure of the whole or part of the safety-related system. High (30 to 100 years)
MTTFd The value of the MTTFd of each channel is given in three levels. Medium (10 to 30 years)
(see page 8 for additional detail.) Low (3 to 10 years)
This expresses the reliability of the whole safety-related control system in terms of 65 points
CCF foreseeable common cause failures. <65 points
It is classified into two types: 65 points and <65 points. (see page 8 for additional detail.)

Category

I L
Designated architecture (structure) of categories B and 1
I: Input device (example: emergency stop switch)
L: Logic processing
O: Output device (example: relays with forcibly guided
O contacts)
* When a fault occurs on Category B and 1, it can lead to the loss of the safety
function.
The safety-related parts of the control system must be designed in
accordance with the relevant standards and using basic principles for the
B
specific application to withstand the expected operating stresses, the
influence of the processed material, and other relevant external influences.
In addition to the requirements of category B, safety-related
1 parts of a control system have to be designed using well-tried
components and well-tried safety principles.

In addition to the requirements of category B, the

Designated architecture (structure) of category 2
safety-related parts of a control system have to be designed
m: Monitoring 2
I L O so that their function(s) are checked at suitable intervals by
TE: Test equipment the machine control system.
OTE: Output of test equipment
m
* When a fault occurs on Category 2 between checks, it can lead to the loss
of the safety function.
TE OTE

In addition to the requirements of category B, the safety-related parts of a

m Designated architecture (structure) of categories 3 and 4
control system have to be designed so that a single fault does not lead to
I1 L1 O1 m: Monitoring 3 the loss of the safety function. Whenever reasonably practicable, it has to
C: Cross monitoring be detected at or before the next demand upon the safety function.
* When a single fault occurs on Category 3 device, the safety function is
C always performed (some but not all faults will be detected), but
In addition to the requirements of category B, the safety-related
m accumulation of undetected faults can lead to the loss of the safety
parts of a control system have to be designed such that a single
I2 L2 O2 function.
fault does not lead to the loss of the safety function and it is
* In the case of Category 4, the lines for monitoring represent diagnostic 4 detected at or before the next demand upon the safety function.
coverage that is higher than in the designated architecture for category 3.
If not possible, an accumulation of undetected faults does not
have to lead to the loss of the safety function.

7
 03 PL Parameters

DC (Diagnostic Coverage)

DC is a measure of the effectiveness of the diagnostics, Denotation Range

which may be determined as the ratio between the failure rate
None DC < 60%
of detected dangerous failures and the failure rate of total
dangerous failures. Low 60% DC < 90%
DC can exist for the whole or parts of a safety-related system. Medium 90% DC < 99%
The four denotations shown in the table to the right are
High 99% DC
provided in ISO 13849-1.

MTTFd

MTTFd (Mean time to dangerous failure) is an expectation of Denotation MTTFd

the mean time to dangerous failure on the whole or part of a
Low 3 years MTTFd < 10 years
safety-related system.
The MTTFd is given for each channel, such as I (Input de- Medium 10 years MTTFd < 30 years
vice), L (Logic), and O (output device). High 30 years MTTFd < 100 years
The three denotations shown in the table to the right are pro-
vided in ISO 13849-1.

CCF

The CCF (Common Cause Failure) relates to the failure of different items, resulting from a single event, where the failures are not con-
sequences of each other.
ISO 13849-1 provides a scoring process and quantification of measures against CCF. The total score must be 65 or better.

8
 Safety Support
Guide Book

Determination of PL

(1) Category (five types: B, 1, 2, 3, and 4) (3) DCavg (four types: high, medium, low, and none)
(2) MTTFd (three types: high, medium, and low) (4) CCF (two types: 65 points and <65 points)

The following table can be used for determination of PL based on the above parameters.

Example: Category = 3, MTTFd = medium, DCavg = low, and CCF = 65 points

(1) Category B 1 2 2 3 3 4

(2) DCavg None None Low Medium Low Medium High

(3) MTTFd of Low a a b b c

each channel
Medium b b c c d

High c c d d d e

(4) CCF None 65 points

The PL is to be c according to the above example.

Column

Relationship between PL and SIL

IEC 61508-1 specifies the safety integrity level (SIL), which is similar to performance level (PL). The following table shows the
relationship between these 2 concepts.

Relationship between PL and SIL (excerpt from ISO 13849-1:2006)

Probability of Dangerous Failure SIL Probability of Dangerous Failure

PL
per Hour
( IEC 61508-1, high demand or
continuous mode of operation ) per Hour
(High demand or
continuous mode of operation)
10 -5 and <10 -4 a No correspondence

3 10 -6 and <10 -5 b 1 10 -6 and <10 -5

10 -6 and <3 10 -6 c 1 10 -6 and <10 -5

10 -7 and <10 -6 d 2 10 -7 and <10 -6

10 -8 and <10 -7 e 3 10 -8 and <10 -7

9
 Safety Support
Guide Book

www.keyence.com

E-mail: keyencecanada@keyence.com E-mail: keyencemexico@keyence.com

Copyright (c) 2015 KEYENCE CORPORATION. All rights reserved. SafetySupport2-KA-TG-US 1035-2 E 611A11