circuit design for iso 13849

Design with ISO 13849page 1110401

Sensors

Safety

Vision

Motion

Automation

Controls A Single Source…A Total Solution

WELCOMEThe topic for today is:

Circuit Design for ISO13849-1-2006

Your presenter is:Heinz [email protected](937) 434-8830 Office(937) 545-6494 Cell


Sensors

Safety

Vision

Motion

Automation

Controls

Who we are and what we do

A Single Source…A Total Solution

Thirty+ years serving the automation industry

30 account representatives who live near their customers

12 Technical Support Specialists, both in the field & in the office

8 Customer Service Reps, quotes, delivery information, expediting

Large inventory; same day shipping on stock items

95% or better on time delivery

Order online, via EDI, Credit Card, Fax, or Phone

24 Hour emergency assistance

Lunch & Learns, Seminars, and in-depth training classes

Generic Technology or Product application specific

www.cesales.com 800-228-2790


Circuits for ISO 13849-1-2006• Objective

– Functional over view of ISO 13849-1– Establish basis for further self study

• Contents– Background and safety with EN-954-1-1996– Basic Safety Circuit Structure from EN-954-1– Introduction to ISO13849-1– Component failure and MTTFd– Evaluation of sub-systems and systems– Explanation of DCavg and CCF– Example of simplified PL evaluation– Commercial PL Calculation programs– Simplified example


The General Duty Clause 5(a) (1) of the

OSH Act-1970 Public Law 91-596

requires that:

A less well known part 5(b) further states that:

MACHINE SAFETYIS NOT AN OPTION!

Each employer shall furnish to each of his employees, employment and a place of employment, which is free from recognized hazards that are

causing or are likely to cause death or serious physical harm

Each employee shall comply with occupation safety and health standards and all rules, regulations and orders issued pursuant to this Act which are

applicable to his own actions and conduct


Performance of the Safety Related Parts of the Control System

• U.S. – OSHA Control Reliable– No single fault shall cause the loss of the safety function– B11.0-2010 and RIA-15.06-1999 provided some guidance of

the construction and performance of the SRP/CS as a function of the level of risk reduction required

• International - Machinery Directive– ISO and EN consensus standards are “harmonized” so that if

a machine is designed to these standards, there is a “Presumption of Conformity” with the Machinery Directive.

– Standards describe a method of determining the performance and design requirements of a level of risk reduction as established by a Risk Assessment

• EN-954-1-1996• ISO-13849-1-2006• Hundreds of Machine specific “C” level standards


Some Background

“Safety of Machinery”EN-954-1-1996

Was the Starting point


EN-954-1-1996• Defined five Level of Risk categories each of which described a safety

control system with appropriate performance for its risk reduction• It is considered “Deterministic” or “Qualitative” so that conformance to

the requirement cannot not be positively established nor “substantiated”• Resulted in a “spectrum” of acceptable system performance within a

category• Specifically defined the categories as “Non Hierarchical”

– A system which meets the risk reduction requirements for one risk level, does not necessarily provide a greater risk reduction than one which meets the requirement for a lower risk level.

– In practice, the hierarchical approach has been quite successful when• Components of similar reliability are used• Exclusions used in a lower category are valid• Same preventive maintenance is applied• Environmental conditions have the same effect on the devices

• This system was adopted as a functional guide line in the US, asinitially, there was no similar U.S. system– “Control Reliable” term was used but not well defined.– RIA-15.06-1999 offered an alternative with both a risk assessment and risk

reduction strategy, with some specific guidelines, modeled after EN-954-1.– B11.0-2010 has a very qualitative description of the process.


Example of the “spectrum” within a given category

Using standard Photo Electric sensors, this circuit has been certified by TUV as meeting Cat 2 if monitored by a DEDICATED, but non Safety Rated, PLCThe TYPE 2 Safety Light Curtain has been certified as meeting Cat 2The “probability” of the TYPE 2 safety light screen failing UNSAFELY is incredibly small due to internal testing (per IEC 61496 Type 2) while the chances of a P.E. sensor failing to ON is much higher. The external testing of the P.E. by the standard PLC is less positiveBoth been certified as meeting the same Category risk reduction requirements.

P.E. Switched Output

PLC

Safety Light Curtain Type 2

PLC Q1

SIM Cat 4

5


EN-954-1 The Process• Perform a Task based Risk Assessment

– Identify all Hazards and the Tasks performed while exposed to them• For each Task/Hazard pair, qualify the three variables which together

determine the level of risk– Seriousness of the potential injury

• Serious• Slight

– Frequency of Exposure to the Hazard• Continuous• Seldom

– Ability to Avoid the Harm• Difficult, hardly possible• Easy, almost assured

• The Level of Risk identifies a reasonable minimum safety system’s functional performance appropriate to reduce that risk to a tolerable level– There are Five Risk Level Categories B, 1, 2, 3, and 4– Each has a functional description of the behavior of the safety system

under fault conditions, and a suggested circuit architecture to attain such performance.


EN-954-1-1996B

2

4

S1

S2

P1

P2

3

F1

F2

P2

P1

PLr

a

b

c

d

e

F1

F2

P2

P1

B

P2

P11

<10-4

<10-5

<3x10-6

<10-6

<10-7

1/h=λ

h is Mean Time to Dangerous Failure MTTFd in hours

SIL

N/A

1

1

2

3

EN954-1 ISO13849-1-2006 IEC 62061

One year of 24/7=8736 hr or just under 104 hours

Risk Category


What does the “category’s” structure look like?

Cat B

Cat B = Single Channel also often called “Simple”

Safety Block Diagram

LIInput Signal Output Signal

O

CR1

CR1CR1



Cat 1 Cat 1 = Single Channel

Cat 1 uses “Better Stuff” than “B”

Components with longer mean time to DANGEROUS failure (MTTFd) and at least some are “Safety Rated”

Postpone but not prevent the failure to danger


LIInput Signal Output Signal

O

CR1

CR1

CR1


Cat 2

Cat 2 = Single Channel with monitoring

Monitor at “suitable interval

May not always be able to shut down the hazard, but only warn and inhibit next hazardous cycle/situation


LI OInput Signal Control Signal

TE

Trig

ger S

igna

l

2nd Switchoff Path

Mon

itorin

g

MonitoringTest Stimulus

OTE


Dashed monitoring lines represent reasonably practicable fault detection



Cat 3 = Dual Channel

No Single Fault causes loss of the Safety Function

w/ Conditional Monitoring (May not detect all failures)

Cat 3Safety Block Diagram

L2I2Input Signal

Output Signal

Monitoring

Cro

ss M

onito

ring

O2

L1I1Input Signal

Output Signal

Monitoring

O1

Dashed monitoring lines represent reasonably practicable fault detection


Cat 4Cat 4 = Dual Channel No Single Fault causes loss of the Safety Function

w/ Complete Monitoring

Must detect first fault or continue to protect with this fault until the next fault, when it or the combination of faults, must be detected


L2I2Input Signal

Output Signal

Monitoring

Cro

ss M

onito

ring

O2

L1I1Input Signal

Output Signal

Monitoring

O1


Solid monitoring lines represent technically feasible fault detection

10


Then came the new Machinery Directive 2006/42/EC which drove the need for a new

Machinery Safety standard

ISO 13849-1-1999 2006Safety of Machines

Safety Related Parts Of Control SystemsGeneral Design Principles

Performance Defined in Performance Levels PL

IEC 62061 Safety of Machines

Functional Safety of Electrical, Electronic, and Programmable Electronic Control Systems

Performance Defined in Safety Integrity Levels SIL CL


Current Standing• To meet the safety performance required for sale and use in the

European and some other International Markets, a machine must meet the current Machinery Directive

• When a standard is “harmonized” with the Machinery Directive, building the machine to that standard is presumed as proof of conformity to the Machinery Directive

• What is status– ISO 13849-1 has been listed as a Harmonized Standard with the M.D. – When a standard is superseded it is retired and can no longer be used

as proof of conformity– EN 954-1 has been extended through Dec 2011

• which means either may be used as presumption of conformity to M.D.– Machine Level “C” standards are still presumed to be in conformance,

but require adherence to EN-954-1 • At issue is can a machine be built to the “C” standard if its safety related

parts of the control system are designed to ISO13849-1• Or• Does a machine built to the “C” standard meet the Machinery Directive if

built to EN-954-1– The data and Third Party certification to the new standard of many

safety rated components are not available, which precludes their use in a system to the new standards


Why worry about ISO13849 in the US, isn’t it a European problem?

• There are many aspects of the new standard which can help our industry understand the design of safer and perhaps more cost effective machines

• Provides a quantitative method to evaluate the impact of component, circuit or fault detection changes on the system performance

• This standard can manage “mixed” category construction• U.S. is theoretically bound by this international standard (ISO)

– EN-954-1 was a European Standard• Many organizations build machines for both markets, or purchase

them there• Although never part of our regulatory system, the Risk Categories of

EN-954-1 have become engrained in our safety vocabulary and in the machinery safety design for the U.S. market

• EN-954-1 has influenced both ANSI B11.0 and RIA 15.06• RIA is looking at adoption of the Robotic standards

ISO 10218-1 and -2 with National Deviations.


Objectives of the new Machinery Safety standard

• Replace “Qualitative” with “Quantitative” SRP/CS performance– Based on Probabilistic Calculations of MTTFd of the

SRP/CS• Mean Time To Dangerous Failure

• For a required level of risk reduction, as determined by the Risk Assessment, DEFINE the MINIMUM:– Performance criterion of individual components, sub-systems and

channels in terms of MTTFd– Structure of the SRP/CS– Considerations for reduction of Common Cause Failures (CCF)– Requirements of Diagnostic Coverage (DCavg) component failure

discovery, capable of being detected, in terms of % of failures to danger.

15


Objectives of the new Machinery Safety standard

• Continue the use of the general structure used in EN-954-1 Categories as the basis for circuit design– These standard structures have made it possible for many of the

simplifications of the statistical calculations of MTTFd in ISO 13849 to be made

– Alternative is to do complete FMEA calculations per IEC 61508• Based on safety circuit’s MTTFd performance

requirement, permit simpler structure for some level of risk reduction which otherwise would not meet the qualitative definition under EN-954-1– Using components with varying individual MTTFd values,

complete safety control systems may be capable of meeting system performance level with sub-systems of less complicated structures than is possible under EN-954-1

• May permit use of sub-system with mixed structure, not possible in the qualitative evaluation


Organization of ISO 13849-1

• Safety of Machines– Risk assessment according to ISO 14121-1

now incorporated into just released ISO 12100– For a given risk as defined above:

• Determine the Performance Level of the Safety Related Parts of the Control System required to reduce the risk to a tolerable level

– Functional Safety• Divided into SIX steps• Performed Sequentially


The Process, • 1 Definition of the safety-technological requirements

– Safety function characteristics and interface to the basic machine control• 2 Selection of required performance level

– From Risk Assessment results• PLa through PLe for Machine and electromechanical and mechanical devices• SIL 1 through 3 for electronic and programmable devices

• 3 Safety Design– Execution of the design requirements above with appropriate components

• 4 Definition of the achieved performance– Determine Safety System Mean Time To Dangerous Failure MTTFd

• Using vendor data for safety rated components• B10 life for components which have a wear out cycle

• 5 Verification – All Safety Functions meet risk reduction requirements PLr determined by

the risk assessment• 6 Validation

– All safety relevant parts meet the Qualitative reduction requirements


Editorial Comment

In order for the value of ISO13849-1 to be realized, one must accept the validity of Statistical Mathematics

FACT

MTTFd is a statistical value and in NO WAY MEANS

“Guaranteed Lifetime, or “Failure-Free-Time”, “Time to First Failure” or any other such concept

It is a numerical value, usually stated in years, which permits the calculation of probability of failures in terms of % for a given period of use

MTTFd in years can be converted to Failure Rate in terms of failures per hour λd typically based on a 24/7 day 365 days per year

λd(hr) = 1/(MTTFd(yr) *8760)hr/yr orMTTFd of one year of 24/7 is approximately a λd of 10-4 failures per hour


Distribution of Failures to Danger

λ=1.9x10-5 PLb λ=6.3x10-6 PLc λ=1.9x10-6 PLd

37%63%

37%63%

Logarithmic

Scale

= tuse = 1/λd

20


Individual Channel Performance

•Channel MTTFd of 3 years and less is not acceptable for safety controls•Channel MTTFd cap of 100 years is used to prevent overshadowing a lesser capable second channel

From “A New Approach to Machine SafetySchmersal IPEC Industrial Controls Ltd

3

t=1/λ63.2%

%f(t) = 1-e-λt

%f(t)

3y

10y

30y

100y


ISO 13849-2006B

2

4

S1

S2

P1

P2

3

F1

F2

P2

P1

PLr

a

b

c

d

e

F1

F2

P2

P1

B

P2

P11

<10-4

<10-5

<3x10-6

<10-6

<10-7

1/h=λ

h is Mean Time to Dangerous Failure MTTFd

in hours

SIL

N/A

1

1

2

3

EN954-1 ISO13849-1-2006 IEC 62061

Note: Correlation of risk levels between EN-954-1 and ISO 13849 or IEC 62061 are not identities, but are given for relative comparisons only See also B11-TR4

One year of 24/7=8760 hr or just

under 104 hours


PL of Safety Related Function of the Control System as a function of Risk Category

Syst

em

< 10-4

< 10-5

< 3x10-6

< 10-6

< 10-7

λ 1/h

SIL 1

SIL 2

SIL 3

ISO 62061

N/A

ISO 13849-1-2006PL

CCF=>65

Channel

d

A Cat 3 structure, with Medium MTTFD a Low DCavgand a CCF score ≥ 65, can achieve a PLc


Safety Rated Components• Tested to product specific standards• Performance under failure modes

– Categorized by the different standards• SIL, PL, Cat, MTTFd , or B10d

– Older or legacy product may have only the category• Each product must be re-certified to the current standard by

a 3d party testing laboratory (NRTL) to obtain the PL or SIL• Products with only EN-954-1 Cat are not necessarily less

capable, just not re-tested to the latest standard• Were totally acceptable for the same risk category in the old

standard– The PL level describes the potential performance of

the device when correctly used following the manufacturer’s recommendation

– “Well Tried” are listed with industry or manufacturer developed B10d or B10


Device Failure• Electronic (non wear) are assumed to have a linear failure

distribution– Life dependent on hours of use– Ignore the two ends of the “Bath Tub”

• Infant mortality due to manufacturers’ burn in• Component degradation is too far out

• Mechanical Devices– “Well Tried” proven performance in similar applications– Wear out typically driven by cycles under load– B10 Life, level of use where 10% of the population has failed

• Use 10xB10d or 2x10xB10 (assumes 50% of failures are to danger) to obtain Mean Cycles to Failure MCTF

– MTTFd is calculated using the Use Profile (nop) of the device – MTTFd = 10B10d / nop = 10 x B10d x tcycle(sec)

x xDaysYear

HoursDay

3600 secHour

• Replace after usage reaches B10d life at T10d = B10d / nopor 20 Years

25


B10d examples of “Well Tried” components

When used per Manufacture’s or Designers use specification Some adjustment for duty cycle and loading is allowed/required. “Full Load” applies not only to electrical load but extreme conditions or marginal operating conditions

Loading variation provides a factor of 50x

From Appendix D BGIA Report 2/2008e

Table D.2partial table


Safety Controller

Safety Light Curtain

Limit Switch

Note: These specifications certify the acceptable performance of specific logic safety functions


Fault Exclusion• If a fault may be excluded, its occurrence does

not need to detected, thereby decreasing the system’s requirement to detect faults, DCavg– Technical improbability of certain faults– Generally excepted technical experience– Technical demands regarding the application and

special hazards– Design and construction may be used to exclude some

faults• Excluded faults must have a documented

explanation why the exclusion is valid


Determination of PL

• Determine the structure and components of the three functions for each sub-system– Input, Logic, Output– Identify when failure occurs, which components will

cause failure of the entire sub-system• Determine the PL of each Channel, System,

and Subsystem using– Published manufacturer’s data – Estimates from Standard’s Appendix of Safety and

Well Tried devices– Summation of 1/MTTFd of series components or

Sub-systems– Commercial programs for complex sub-systems

30


SRP/CS SRP/CS SRP/CSiab iix PL

SensorDetect

ActuatorActuation

LogicProcess

Safety Functions are implemented by the Safety Related Parts of the Control System

(SRP/CS)

The design presented here is based on the simplifications to thestatistical analysis allowed by the use of the structures required for given PL. Deviation from these structures will require full analysis using FMEA and full statistical methods.Any failure modes in the interconnection iix between sub systems must be included on one of the sub-systems

Safety Related Parts of the Control System

Any Sub-System or Channel


Sub-SystemsSimplification by Re-arrangement

Note One of the advantages of ISO13849-1, allows the evaluation of mixed risk category solutions

MTTFdS MTTFdQMTTFdL

From BGIA Report 2-2008e

I1

I2L1

O1

O2

I1

I2

O1

O2L1=


Here comes the math

• The MTTFd of a single channel with N series failure components is:

• The MTTFd of two channels, each with a MTTFd with no monitoring is:

1MTTFd Chnl

1MTTFdi Comp= Σ

N

i=1

MTTFd= ⅔ MTTFdC1+MTTFdC2 1MTTFdC1

+1

MTTFdC2

1

Ex: if MTTFdC1=50 years and MTTFdC2 =100 years MTTFd= 77.8 years


• Determine the PL of each sub system connected in Series using MTTFd data

• Determine lowest PL=PLlow• Count number of PLlow in the series string• Use table 6.6 to determine PL of the string• This table is a simplified method of the mathematical

summation of the probabilities of failure using sub system mid-point 1/MTTFd values

Table 6.6 BGIA2/2008e

1MTTFd Chnl = Σ

N

i=1

1

MTTFd (Subsystem)i

Or


Average Diagnostic Coverage• Is typically very difficult to calculate, it depends on

– The ratio of undiscovered to discovered faults to danger– The mean time of occurrence of each of these faults

• The standards provide some guidance tables of the average achievable, given certain design considerations and features.– These allow for the DCavg groupings of 60% to 90%,

90% to 99%, and greater than 99%

• Estimate DCavg of n components of a sub-system

Σ 1MTTFd(i)

DC(i)MTTFd(i)

i=1

n

DCavg =


From Table E.1 Diagnostic Coverage ISO 13849-1-2006Partial listing


Common Cause Failure CCF• Especially important where the same cause results in

dangerous failures in both channels of a dual channel system

• Common Cause could result in the failure of one system and its failure to be incapable of being detected by the other channel, negating the value of dual channel monitoring– “One lies, and the other swears to it !”– Two door closed limit switches mounted in a positive mode, but

on the same mounting plate. If the plate becomes detached, neither limit switch will detect that the door is open

– To assure that common cause failures do not negate the value of dual channel systems and their monitoring function, they must be designed with the following characteristics to amass a point total of at least 65 points

OpenHazard

Access


Reducing Common Cause Failures

5Components used are “WELL TRIED”3.2

15Protection against over-voltage, over-pressure, over-current etc

3.1

10Temperature, Humidity, Dust, Shock, Vibration6.2

25Pertaining to the power source for electrical and fluid power

EMI, RFI, Filtration, Drainage, Dirt Entry (All according to Manufacturer’s Specifications)

6.1Environmental6

5Competence/training55Assessment/analysis4

Design/application/experience320Diversity215Separation/Segregation1

ScoreScoreMeasure Against CCFMeasure Against CCFClauseClause

Must reach a score of at least 65 for Cat 2, 3, or 4 structureAll devices/components in channel must meet requirement to get score >0 No partials

CCF are Failures of different devices, resulting from the same single eventFailures are not consequences of each other ISO 13849-1-2006

From ISO 13849-1:2006 Table F.1


System PL performance using:• The performance level of dual channel monitored systems can

only be calculated using FMEA and complicated statistics

• Simplifications can be permitted in calculation of system MTTFdusing:– Category Structure– PL, or MTTFd of the components and sub systems– DCavg %– Common Cause Failure scoring system

• This statistical treatment of failure and detection results in complete systems whose performance exceeds that of the individual components or channels

• Means available to the average, non-mathematician, user– Use of PL estimation wheel– Commercial and Free SIL and PL Computer Programs

• Vendors’ contain library of components of their product’s SIL, PL, or MTTFd• Most will permit import of user library data

OR


PL of Safety Related Function of the Control System as a function of Risk Category

1MTTFdi Comp

Syst

em

< 10-4

< 10-5

< 3x10-6

< 10-6

< 10-7

λ 1/hMTTFd Sys

1

1λ

MTTFd=d

% failure @ time t f =1-e- λ td

SIL 1

SIL 2

SIL 3

ISO 62061

N/A

ISO 13849-1-2006PL

CCF=>65

Each Channel with MTTFd of:

3<=MTTFd<10 4*10-5 > λ > 10-5

10<=MTTFd<30 10-5 > λ > 4*10-6

30<=MTTFd<100 4*10-6 > λ > 10-6

Years 1/Hour

D= Faults to danger D*=Faults detected

1MTTFd Chnl= Σ

N

i=1

DC avg probability of fault discovery as % of occurrence

Low 60% <= DC < 90%Med 90% <= DC < 99%High 99% <= DC

[(Ddi Ddi) λdi]*

(t)

(t)

If t=1/λ then f = 63%d (t)

d

Σ λdii-1

N= i-1

N

Σ

35


Circular CalculatorCalculation Estimate by PL Wheel

Channel MTTFd of 30 yearsDC High (Cat4)CCF ≥ 65

Align 30 years in disk’s bottom window

Locate Characteristic in slot Cat 4 DC High 9.54

Identify color and locateExponent 10-8

Control System is :9.54x10-8 equal to PLe


from BGIA


Safety Evaluation Tool

Required Achieved


PAScal Demo Version 1.5.2


Example of the “spectrum” within a given category•The dedicated PLC monitors the function of the three photoelectric sensors and the follower relay K1•Since the PLC is not a Serial device in the system, i.e. its failure does not result in the loss of the safety function, its MTTFd is not included in the safety channel calculation•MTTFd of the PLC is 50 years and is >2x the MTTFd of the system being monitored, it meets the minimum requirement for a test component for this system

•The Type 2 Safety Light Curtain is certified by a Third Party Test Laboratory to meet the required standards and is certified as a PLd safety component.•The Safety Interface module is a certified PLe safety component

•The solenoid valve is a Well Tried component with a MTTFd of 100 years at this operation rate

•See following page for estimated PLr

P.E. Switched Output

PLC

Safety Light Curtain Type 2

PLC Q1

SIM Cat 4

40


System Performance LevelComparison of Three P.E. and PLC

vs.Type 2 SLC and SIM

At the end of 20 years of use, the P.E. and PLC has a 44% chance of failure to danger, while the Type 2 SLC with SIM has a 6.6% failure rate Note: Some of the data is estimated and is intended only as an example of the impact of multiple series components and DC coverage in a Cat 2 configuration.

Cat 2 DCavg Low

Cat 2 DCavg Med

3 P.E. with PLC monitor.

Type 2 SLC with SIM.


Appendix A• References

– BGIA Report 2/2008e– ISO 13849-1-2006– BGIA Report 6/2004 “Untersuchung des Alterungsprozesses

von hydraulischen Vegeventilen” (Study of the ageing process of hydraulic valves)

• Links to Calculation Programs– BGIA FIA Performance Level Calculator (Disc Calculator

• http://www.dguv.de/ifa/en/pra/drehscheibe/index.jsp– BGIA FIA SISTEMA “Safety Integrity Software Tool for the

Evaluation of Machine Applications”• http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp

– Siemens “Safety Evaluation Tool”• https://eb.automation.siemens.com/registration/login.aspx?ret=https

%3a%2f%2feb.automation.siemens.com%2fspice%2fsid%2fmain%2fsid.jsf

– Pilz Demo copy of PAScal• http://www.pilz.com/login.jsp?restricted=true

circuit design for iso 13849

Documents

risk reduction

meeting cat

system

level

performance

meets

requirement

spectrum