TRANSCRIPT
page 1
ISO 13849-1 PL Calculations Simplified
Heinz Knackstedt, Safety Engineer
C&E Sales, Inc.
page 2
Cats, SILs and PLs… Oh My !!!
What is
ISO 13849-1:2015
Or
page 3
The “Spectrum” Within an EN954-1 Category
Safety Light Curtain Type 2 with three PE and a standard dedicated PLC
vs.
Type 2 Safety Light Curtain and IM
BOTH are Structure Category 2, but is their Safety Performance Level the same?
These two circuits are both identified as being the “same” category. But do they provide the same level of risk reduction performance?
There may be “logical” arguments for preference of one design over the other, but there is no rigor to the evaluation using EN954-1:1996.
[Figure: the two circuits; labels Switched Output, PLC, K1, V1, FGR. Red is the monitoring connections to the PLC.]
page 4
Which is the better safety circuit?
It has been a judgement call, based on experience.
That was the problem, so what to do?
page 5
We will get back to this example after we examine the
concepts embodied by ISO 13849-1:2015
page 6
Objectives of the New Machinery Functional Safety Standards
• Replace “Qualitative” with “Quantitative” performance metrics of the Safety Related Parts of the Control Systems (SRP/CS)
• For a required level of risk reduction, as determined by the Risk Assessment, DEFINE the MINIMUM Safety System level of performance which may be utilized to achieve a risk reduction to an acceptable level
• What is Functional Safety? A control-based Risk Reduction Measure which, if it fails to danger, immediately increases risk back to the original level
• Safety Light Curtains, Safety Modules and PLC, Interlocked Guards, Two-Hand Anti-Tie-Down, Robotic Safe Speed
• Fixed Guards and PPE are not part of functional safety
page 7
What Are:
• MTTFD, Mean Time to Dangerous Failure
– Average value of operating time without a failure to danger for a component or channel
– Typically given in years
• PFHD, Probability of Failure to Danger per Hour
– Statistical probability of Failure to Danger of a system or sub-system based on its:
• Channel(s) MTTFD
• Ability to detect failures to danger and to eliminate the hazard having sustained that fault
• Robustness against Common Cause Failure
– Given in failures/hour
– For Cat B and Cat 1 and single components it is
• λD = 1/MTTFD if MTTFD is expressed in hours
page 8
Performance Level PL:
– Discrete value used to specify the ability of the Safety Related Parts of the Control System (SRP/CS) to perform a safety function under foreseeable conditions.
page 9
Performance Level PL
Performance Level is a discrete value of the PROBABILISTIC occurrence of a failure to danger, expressed as Probability of Dangerous Failures per Hour, PFHD
– Failure of a Channel is the Mean Time to Dangerous Failure, MTTFD, of its components, typically expressed in years
• For non-monitoring structures, the system failure rate depends solely on the MTTFD of its components
– Failure of a monitored single or dual channel system is the Probability of Dangerous Failure per Hour, PFHD
• Its failure rate is lower than the MTTFD of its components due to monitoring which, upon detecting a failure to danger, removes the hazard before the control system has an opportunity to fail to danger
page 10
[Figure: PFHD, from BGIA Report 2/2008e]
page 11
One year of 24/7 = 8760 hr, or just under 10^4 hours; λD = 1/(8760 x MTTFD)
Graph for determining required PLr for a Safety Function
[Figure: risk graph adapted from Appendix A Fig A.1 ISO 13849-1:2015. Starting at the left, the risk parameters S1/S2, F1/F2 and P1/P2 branch to the required PLr a to e; the EN954-1 categories B, 1, 2, 3, 4 are shown alongside for comparison.]
PLr   PFHD (1/h)    IEC 62061 SIL
a     < 3.8 x10^-4  N/A
b     < 10^-5       1
c     < 3x10^-6     1
d     < 10^-6       2
e     < 10^-7       3
Note: Correlation of risk levels between EN-954-1 and ISO 13849 or IEC 62061 are not identities, but are given for relative comparisons only
page 12
The FOUR Legged Stool of ISO 13849-1,2:2015
[Figure: FUNCTIONAL SAFETY RISK REDUCTION MEASURE CAPABILITY rests on four legs:]
– Structure: circuit configurations
– MTTFD: Mean Time To Dangerous Failure
– DC: Diagnostic Coverage
– CCF: Common Cause Failure
The Basis of Design of the Safety Function: the Risk Assessment
The Underpinning: Verification and Validation (does it meet the design requirements?)
page 13
Each Performance Level PL is defined by FOUR specific, quantitative requirements
1 Category (Cat.), also known as STRUCTURE: how the components in the SRP/CS are interconnected
2 Mean time to dangerous failure of the Channel(s) (MTTFD)
– MTTFD from the manufacturer for electronic components
– B10D cycles from the manufacturer for wear components; MTTFD is then calculated from the application cycle rate
ISO 13849-1:2015
page 14
ISO 13849-1:2015
3 Diagnostic Coverage (DC and DCavg) in %
– DC: ratio of Detected Failures to Danger to all Failures to Danger which result in the loss of the Safety Function, for a component or sub-system
– DCavg: rate of failures to danger detected divided by the rate of all failures to danger for ALL COMPONENTS in the SRP/CS
4 Common Cause Failure (CCF)
– How well does the design and construction prevent CCF?
Verification is part of the process
– Do the components of choice, in the proposed structure, meet the requirement of the risk reduction per the PLr as determined by the Risk Assessment?
page 15
The Process to Meet PLr
• Evaluate the four parts of the Performance Levels:
– Category (Cat.)
– Mean Time To Dangerous Failure (MTTFD)
– Diagnostic Coverage (DCavg)
– Common Cause Failure (CCF)
• The structure of the Safety Related Parts of the Control System and how the failure of each component affects the safety performance of the safety control system
page 16
Functional Safety-Related Block Diagram
• Each circuit has these three elements, composed of either:
• Individual components
• Sub-systems, with internal monitoring, which perform that function
• A failure in any block in the series safety-related block diagram can lead to the loss of the safety function
• To evaluate safety performance, each proposed SRP/CS must be broken into a block diagram of Series Safety Failure Events
• Note: this includes the interconnection of the blocks
[Figure: Sensors (Status) → Logic (What, When) → Outputs (How), each with Monitoring; “Smart” Sensors and “Smart” Actuators with an Internal Monitor and Safety Capable Communication]
page 17
Functional Safety-Related Block Diagram
• Sensor, Logic, Output
• Each circuit has at least these three functions, composed of either:
• Individual elements (components)
• Interlock limit switch, contactor
• Sub-systems of components in a specific structure which are grouped to perform that function
• Encapsulated sub-systems sold as stand-alone functions are independent SRP/CS
• Will have their own published PFHD
• Safety Light Curtain, Safety Interlock Module, VFD Safe Stop Controller
• The final power device such as the motor or cylinder is not included in the safety-related block diagram
page 18
Safety Function Block Rules
• All items which can lead to the loss of safety are shown in “Series”
• Items which provide an alternate means of performing the safe shut down function when one component fails are shown in “Parallel”
• Do not confuse the electrical or fluid power flow with the orientation of the safety function block
– EX: A Safety Interface Module used for Manual Suspension of a Door Interlock has its contacts in parallel with those of the Door Interlock SIM, BUT:
– The safety function block shows them in a series flow, since the failure of the Manual-Suspension SIM to drop out leads to a failure to danger of the Door Interlock Safety Function, as it can no longer perform its safety function
page 19
Safety-related Block Diagram
• Devices whose failure to danger causes the loss of the system safety function are shown as series blocks
• Devices whose failure to danger does not cause the immediate loss of system safety, because another element can continue the lost function, are shown in parallel with that device(s). Either Q1 or Q2 can shut down the hazard
• The order of the components is not significant
– This can simplify calculations and entry into calculation packages.
[Figure: the blocks I1, I2, L1, O1, O2 drawn in three orderings (I1/I2 → L1 → O1/O2; I1/I2 → O1/O2 → L1; I1 → L1 → O1 with O2 alongside), marked “=”]
page 20
Safety Function Block Rules
• Some PLC and remote devices may have separate components such as I/O modules in addition to the logic unit.
• Example: PLC Remote I/O, Smart drive with field bus
• Safety-related Block Diagram includes the hardware for interconnection of the blocks
• Example: Hard Wire integrity, Safety Networks, Safety Wireless Remote I/O
page 21
[Figure: block diagram with labels PFHD S, MTTFD Q, PFHD L]
Devices may be simple or complex sub-systems, each with its own individual S, L, and O functions
Adapted From Fig 6.13 BGIA Report 2-2008e
page 22
[Figure: hydraulic circuit with Hazardous Movement; Pressure Switch, 3-Way Dump, Pilot Check, Directional Valve, Scanner, Safety PLC. Fig 8.28 BGIA Report 2/2008e]
Note that the Pressure Switch 1S3 is not part of the Safety-related Block Diagram, as its failure does not directly lead to the loss of the safety function. It is shown as a component of the safety-related diagram.
The undetected failure of 1S3 will result in the reduction of the PL of the SRP/CS, as its function in the Diagnostic Coverage, to detect the safety critical function of 1V4 and 1V3, is now lost.
If possible, the pressure switch should be checked for cycling within the safety circuit. If this is not possible, it should be monitored in the control circuit. Since pressure switches are typically not available with Force Guided contacts, monitor the cycling of its one contact, or add an intervening FG relay and monitor both its N.O. and N.C. contacts.
page 23
Identify the Category (Structure)
Cat B & Cat 1 = Single Channel
Cat 2 = Single Channel with Monitoring
Cat 3 & Cat 4 = Dual Channel w/ Monitoring
page 24
Graphical representation of the four ISO 13849-1:2015 quantitative measures of the SRP/CS
page 25
ISO 13849-1:2015 retains “Categories” as ONE of the components of determining a Performance Level. Also called Structure.
If a circuit cannot be reduced to one of these categories, ISO 13849-1:2015 simplified calculations may not be used
[Figure: PL versus Category with bands for MTTFd Low, Med and High; adapted from Fig 5 ISO 13849-1:2015]
page 26
The Process to Meet PLr
• Evaluate the four parts of Performance
Levels:
– Category (Cat.)
– Mean Time To dangerous Failure
(MTTFD)
– Diagnostic Coverage (DCavg)
– Common Cause Failure (CCF)
page 27
The Process to Meet PLr
• The operational time of use at which the component reaches its Mean Time to Dangerous Failure is based on the device and its application
– Electronics: measured by on-line time
– Mechanically based component which has a wear-out mechanism:
• Time of use to reach 10 x B10D number of cycles at the cycle rate of the application
– B10D is the number of cycles at which 10% of the test group failed to danger
• Typically expressed in terms of years
page 28
MEAN TIME TO DANGEROUS FAILURE
In order for the value of ISO 13849-1:2015 to be realized, one must accept the validity of Statistical Mathematics.
FACT:
MTTFD is a statistical value which in NO WAY MEANS “Guaranteed Lifetime”, “Failure-Free-Time”, “Time to First Failure” or any other such concept
It is a numerical value, usually stated in years, which permits the calculation, in percent, of a probability of failure to danger during a given period of use
MTTFD in years can be converted to a Failure to Danger Rate in terms of failures per hour, λD, typically based on 24/7 operation, 365 days per year
λD (1/hr) = 1/(MTTFD (yr) x 8760 hr/yr)
An MTTFD of one year of 24/7 is a λD of 1.14 x 10^-4 failures per hour (1.14E-4)
page 29
Mean Time To DANGEROUS Failure MTTFD
One of the quantifiable aspects of the contribution of reliability that is measured in time, in hours or years of use
– Used to predict the percent of DANGEROUS failures in a population over a defined time period of use
– Not to be confused with Mean Time To (ALL) Failure (MTTF) data
– Assumes a constant failure rate over time by ignoring the two curved ends of the “Bath Tub” failure rate curve
• Infant mortality excluded by good product design and manufacturing and/or burn-in
• Wear out excluded by replacement AT or BEFORE B10D is reached
[Figure: bath tub curve; “Infant mortality excluded by manufacturing controls and burn in” at the left, “B10D has been reached” at the right. Adapted from Fig. D.1 BGIA 2/2008e]
page 30
Distribution of Failures to Danger
[Figure, logarithmic scale: curves for λ = 1.9x10^-5 (PLb), λ = 6.3x10^-6 (PLc) and λ = 1.9x10^-6 (PLd); INTACT and FAILED shares are marked, 37% intact / 63% failed at tuse = 1/λd, and 74%/26%, 95%/5%, 96%/4% at the other marked times]
%f(t) = 1 - e^(-λt)
page 31
Individual Channel Performance
Adapted from “A New Approach to Machine Safety”, Schmersal IPEC Industrial Controls Ltd
[Figure: %f(t) = 1 - e^(-λt) plotted for channel MTTFD of 3y, 10y, 30y and 100y; at t = 1/λ, 63.2% have failed]
• Channel MTTFD of 3 years and less is not acceptable for safety controls, since 1/3 would fail to danger within the first year
• Single channel capped at 100 years (exc. Cat 4)
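The two formulas on these slides, λD = 1/(MTTFD x 8760) and %f(t) = 1 - e^(-λt), are easy to get wrong by mixing hours and years. The following is an added example (not code from the presentation) that keeps both quantities in hours and reproduces the figures above: 63.2% failed at t = 1/λ, and the share of a 3-year channel that has failed within its first year. The 8760 h/yr basis and the 1/3/10/20-year horizons are assumptions taken from the slides.

```python
import math

HOURS_PER_YEAR = 8760  # 24 h x 365 d, the operating basis the slides use


def lambda_d_per_hour(mttfd_years: float) -> float:
    """Dangerous failure rate (1/h) from an MTTFD in years:
    lambda_D = 1 / (MTTFD x 8760)."""
    if mttfd_years <= 0:
        raise ValueError("MTTFD must be positive")
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def fraction_failed(mttfd_years: float, years_in_use: float) -> float:
    """Share of a population expected to have failed to danger after
    years_in_use, assuming a constant failure rate: f(t) = 1 - exp(-lambda * t).
    lambda (1/h) and t (h) are kept in the same unit so the exponent is
    dimensionless; the 8760 cancels, but doing it explicitly avoids unit slips."""
    lam = lambda_d_per_hour(mttfd_years)
    return 1.0 - math.exp(-lam * years_in_use * HOURS_PER_YEAR)


def failed_profile(mttfd_years: float, horizons=(1, 3, 10, 20)):
    """Failed share at several service times (years), rounded to 0.1 %,
    mirroring the slide's 3 y / 10 y / 30 y / 100 y channel curves."""
    return {t: round(fraction_failed(mttfd_years, t), 3) for t in horizons}


if __name__ == "__main__":
    for mttfd in (3, 10, 30, 100):
        print(f"MTTFD {mttfd:>3} y  lambda_D {lambda_d_per_hour(mttfd):.2e}/h  "
              f"failed by year: {failed_profile(mttfd)}")
    # At t = 1/lambda (t = MTTFD) 63.2 % of the population has failed.
    print(f"failed at t = MTTFD: {fraction_failed(30, 30):.3f}")
```

Running it shows why the slide rejects channels of 3 years and below: roughly 28% of such a population has failed to danger by the end of year one, against about 1% for a 100-year channel. The λ values on the previous slide (1.9x10^-5, 6.3x10^-6, 1.9x10^-6) correspond to MTTFD of about 6, 18 and 60 years under the same 8760 h/yr assumption.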
page 32
Component Failure
• Electronics (non-wear) are assumed to have a linear failure distribution
– Life dependent on hours of use, powered, “on-line”
• Mechanical Components
– “Well Tried”: proven performance in similar applications
– Wear out typically driven by number of cycles under load
– B10 Life: cycles of use where 10% of a test population has failed
• Use 10 x B10D, or 2 x 10 x B10 (assumes 50% of all failures are to danger), to obtain Mean Cycles to Failure, MCTF
– MTTFD is calculated using the Use Profile (nop) of the component
– MTTFD = 10 x B10D / nop = 10 x B10D x tcycle(sec) / (3600 sec/Hour x Hours/Day x Days/Year)
• Replace after usage reaches B10D life at T10D = B10D / nop, or 20 Years
page 33
Vendor Data
• Safety Products previously certified by a Notified Body (3rd Party) as meeting a Category per EN954-1:1996 may not be automatically extended/converted to a SIL or PL
• Each must be re-certified to the new standard(s)
– This is an expensive endeavor (10 to 15K $ each)
• Requires economic justification, by product
– This does NOT mean that a product is no longer safe, just that it has not been validated to the newest standard
– May be freely used in the US as ISO 13849-1 is not an American Standard
• Exception if conformance to RIA15.06:2012 is required, since it includes ISO 13849-1:2006 performance level (PL) requirements
page 34
Vendor Data
• There are four types of functional safety products
– Electronic components
• Primarily photo-electric and inductive sensors
– Electronic sub-systems
• Safety Light Curtains with Solid State output, RFID safety sensors
• Contain self-test to provide PFHD, PL, and/or SIL
page 35
Vendor Data
– Mechanical components for use as part of a SRP/CS
• Limit switches, relays, contactors, switches, fluid power valves
– Used with Input, Logic, and Output components
– Period of use until replacement, T10D, must be calculated from B10D and the application use rate
• May have dual B10D data, for mechanical and for electrical cycle life (including variations due to load/power level).
– Electro-mechanical sub-systems
• Safety Interface Module with Relay output
• Internal failure is detected by the product and included in the vendor’s published PFHD, PL, or SIL
– Check for MTTFD of relays based on load and cycle rate to calculate T10D
page 36
Electronic with Relay output
page 37
[Figure: vendor data sheets for a Safety Controller, a Safety Light Curtain and a Limit Switch]
Note: Additional application data must be followed for given values of B10 or B10D to be valid
• Construction details, ex: direct operating
• Often given with restrictions, most often loading, approach speed, and cycle rate
Note: These last two specifications certify the acceptable performance of specific logic safety function blocks
page 38
Electromechanical Components
• High Current Rating
If higher loads must be switched through one or more of the contacts, the minimum and maximum values of the contact(s) change to:
• UL Listed: Min voltage: 15V ac/dc; Min current: 30 mA ac/dc; Min power: 0.45 W (0.45 VA); Max: 250V ac / 24V dc, 6 A resistive - B300, R300 per UL508
• CE: Min voltage: 15V ac/dc; Min current: 30 mA ac/dc; Min power: 0.45 W (0.45 VA); Max: 250V ac / 24V dc, 6 A resistive - IEC 60947-5-1: AC15: 230V ac, 3 A; DC-13: 24V dc, 2 A
• Mechanical life: ≥ 50,000,000 operations
• Electrical life (switching cycles of the output contacts, resistive load):
• 150,000 cycles @ 900 VA
• 1,000,000 cycles @ 250 VA
• 2,000,000 cycles @ 150 VA
• 5,000,000 cycles @ 100 VA
• NOTE: Transient suppression is recommended when switching inductive loads. Install suppressors across load. Never install suppressors across output contacts (see Warning in Overvoltage Cat II and III).
• Output Response Time: 35 ms max.
[Figure: safety-related block diagram of the Output of this component, blocks Mm, Mc, Mm, Mc]
Note specific B10 for each VA loading
page 39
Electro Mechanical Component
page 40
Safety PLC and Controllers
• Failure mode data may be given in different forms
– Controllers which are self-contained have data which includes the failure mode of their input and output hardware
• If relay output, may have B10D of the contacts
– PLC which have selectable input and output modules have the main frame values independent of their I/O
• The B10D or PFHD of the I/O may be device specific
• Are added as individual items to the safety-related block diagram
– Communication between modules such as wired network, wireless, and fiber optic have a separate PFHD for those devices
page 41
Remote I/O and Safety PLC
[Figure: adapted from Fig. 8.42 BGIA 2/2008e; labels B1, S1]
Note each PLC K3, K4 has an independent remote I/O module K1, K2
S1 and the horn P1 are a Cat 2 warning sub-system
T1a is a SS1
T1B is a SLS
A separate safety function is developed for the Gate interlock by replacing S1 data with B1 and using the same remaining configuration
page 42
B10D examples of “Well Tried” components
When used per the Manufacturer’s or Designer’s use specification, some adjustment for duty cycle and loading is allowed/required. “Full Load” applies not only to electrical load but to extreme conditions or marginal operating conditions
[Table: partial Table C.1 ISO 13849-1:2015. Loading variation provides a variation factor of 50x; cycle/year variation provides a variation factor of 10x]
page 43
B10D for Electronic Devices
Tables C.2 C.3 ISO 13849-1-2015
page 44
The limitation of the MTTFD of each channel to a maximum of 100 years refers to the single channel of the SRP/CS which carries out the safety function. Higher MTTFD values can be used for single components
How to determine the MTTFD value of a component or sub-system
1. Manufacturer’s data in powered time or B10D cycles
2. Table Annex C of ISO 13849-1:2015
3. Parts Count in Annex D of ISO 13849-1:2015
4. Choose ten years (i.e. “Medium”).
MTTFD Classification (λD = 1/(8760 x MTTFD))
Low      3 yr <= MTTFD < 10 yr     3.81x10^-5 /hr to 1.14x10^-5 /hr
Medium   10 yr <= MTTFD < 30 yr    1.14x10^-5 /hr to 3.81x10^-6 /hr
High     30 yr <= MTTFD < 100 yr   3.81x10^-6 /hr to 1.14x10^-6 /hr
Adapted from Table 4 ISO 13849-2-2015
page 45
Capability of the SRP/CS in Order to Achieve a Given PL
[Figure 5 ISO 13849-1:2015 (adapted): PL versus Category, with bands for MTTFD Low, Med and High of each channel (symmetrized)]
page 46
The Process to Meet PLr
Evaluate the four Quantitative parts of the Performance Levels:
– Category (Cat.)
– Mean Time To dangerous Failure (MTTFD)
– Diagnostic Coverage of a Component (DC) or Channel(s) Diagnostic Average Rate (DCavg)
– Common Cause Failure (CCF)
page 47
The Process to Meet PLr
• DC: the percentage of a component’s failures to DANGER which are DETECTED, divided by ALL of its failures to DANGER
• DCavg: for channels,
• the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures of all components in the SRP/CS
page 48
Diagnostic Coverage
• DC: Ratio of Detected Failures to danger to All Failures to danger
• DCavg: The Diagnostic Coverage for the SRP/CS is the ratio of the failure rate of detected failures to danger to the failure rate of all failures to danger of the individual components (not complete sub-systems with their own PFHD).
D, n
D, n
page 49
Diagnostic Coverage for Components and Channel(s)
Note: For SRP/CS consisting of several parts, an average value, DCavg, is used for DC in Fig 5 and Table K
• Determine the DC for each component or sub-system
– Percentage of dangerous failures detected
• For an estimation, in most cases, failure mode and effects analysis (FMEA) or similar methods can be used
• A “simplified” approach to estimating DC, using design and construction characteristics (see Annex E ISO 13849-1:2015)
• Obtain DCavg, or use the worst case DC of a high failure rate component
Table 6 ISO 13849-1:2015
page 50
Electro Mechanical Component
page 51
Diagnostic Coverage (DC)
A table is given in ISO 13849-1:2015 Annex E for examples (for additional estimations, see IEC 61508-2)
Adapted from Table E.1 ISO 13849-1:2015
page 52
DC and DCavg
Adapted from Table E.1 ISO 13849-1:2015
page 53
Capability of the SRP/CS in Order to Achieve a Given PL
[Figure 5 ISO 13849-1:2015 (adapted): PL versus Category, with bands for MTTFD Low, Med and High of each channel (symmetrized)]
page 54
The Process to Meet PLr
Evaluate the four parts of the Performance Level:
• Category (Cat.)
• Mean Time To dangerous Failure (MTTFD)
• Diagnostic Coverage (DCavg)
• Common Cause Failure (CCF)
page 55
Common Cause Failure
Common Cause Failure CCF: failures of different items, resulting from a single event, where these failures are not consequences of each other.
– Causing simultaneous failures in two separate devices, rendering DC ineffective
• EX: two positively mounted limit switches on a common base
• (see Annex F ISO 13849-1:2015)
– Applicable to Categories 2, 3, and 4
• Those which have component monitoring
page 56
Common Cause Failure
Table F.1 (worksheet) lists CCF reduction measures and contains associated values, based on engineering judgment, which represent the contribution each measure makes to the reduction of common cause failures
• For each listed measure, only the full score or nothing can be claimed. If a measure is only partly fulfilled, the score according to this measure is zero.
• Sufficient measures against CCF to claim DC > 60% require the attainment of a minimum score of 65 out of 100 from Table F.1.
– An initial score of less than 65 requires implementation of additional CCF reduction measures to reach an acceptable score, else no diagnostic coverage may be claimed.
page 57
Table F.1 Common Cause Failure (CCF) worksheet
Clause  Measure Against CCF                                                 Score
1       Separation/Segregation                                              15
2       Diversity                                                           20
3       Design/application/experience
3.1     Protection against over-voltage, over-pressure, over-current etc.   15
3.2     Components used are “WELL TRIED”                                    5
4       Assessment/analysis                                                 5
5       Competence/training                                                 5
6       Environmental (all according to Manufacturer’s Specifications)
6.1     Pertaining to the power source for electrical and fluid power:
        EMI, RFI, filtration, drainage, dirt entry                          25
6.2     Temperature, humidity, dust, shock, vibration                       10
Data from Table F.1 ISO 13849-1:2015
Must reach a score of at least 65 for a Cat 2, 3, or 4 structure to claim a DC. All components in the channel must meet the requirement to get a score > 0. No partial scores.
page 58
Electro Mechanical component
page 59
Capability of the SRP/CS in Order to Achieve a Given PL
CCF score of 65% or higher
[Figure 5 ISO 13849-1:2015 (adapted): PL versus Category, with bands for MTTFD Low, Med and High of each channel (symmetrized)]
page 60
Four Quantitative Measures to Achieve a Required PL
Category                  B      1      2      2       3      3       4
DCavg                     none   none   low    medium  low    medium  high
MTTFD of each channel:
  low                     a      n/c    a      b       b      c       n/c
  medium                  b      n/c    b      c       c      d       n/c
  high                    n/c    c      c      d       d      d       e
(n/c = Not covered)
Also see the graphic representation
Table 6 ISO 13849-1:2015
page 61
Safety System Defined
• We have now identified sufficient data to provide an estimate of the PL of a safety circuit proposal
• Impact of structure and fault detection
– The MTTFD of a Cat B or 1 is a function ONLY of the failure rates of its parts
– The PFHD of a Cat 2, 3 or 4 system is greater than that of the λD of its component parts due to the impact of fault detection and/or multiple channels, since a component’s failure to danger which is detected leads to the safe shutdown of the hazard before a system failure to danger can occur
page 62
So, now what is the Performance Level of a SRP/CS for this Safety Function?
• Having the four pieces of data from above, the PL Graph may be utilized to estimate the PL of the SRP/CS
– This provides a range of possible PL, depending on the Structure and the MTTFD, DCavg, and CCF of the components chosen
• For a more detailed resolution, the data above may be used with ISO 13849-1:2015 Table K.1 to obtain an estimate of the SRP/CS performance
– PFHD in failures per hour, and thus the PL of the design
– This also permits separation of product characteristics which split the PL lines, since their evaluation is based on channel MTTFD ranges
• Use component information and use commercial computer programs
page 63
PL of the Safety Related Function of the Control System as a function of Risk Category
[Figure 5 ISO 13849-1:2015 (adapted), annotated with the Table K.1 ranges]
System PFHD (1/h) per PL, with the IEC 62061 SIL alongside:
a     < 3.8x10^-5   N/A
b     < 10^-5       SIL 1
c     < 3x10^-6     SIL 1
d     < 10^-6       SIL 2
e     < 10^-7       SIL 3
      < 10^-8       not covered
Each channel with MTTFD of (years, and the corresponding λ in 1/hour, λD = 1.14E-4 / MTTFD):
3 <= MTTFD < 10      3.8*10^-5 > λ > 10^-5
10 <= MTTFD < 30     10^-5 > λ > 3.8*10^-6
30 <= MTTFD < 100    3.8*10^-6 > λ > 10^-6
DCavg, probability of fault discovery as % of occurrence (adapted from Table E.1 ISO 13849-1:2015):
Low    60% <= DC < 90%
Med    90% <= DC < 99%
High   99% <= DC
CCF >= 65
page 64
SO: If the Risk Assessment indicates that the Functional Safety risk reduction measure must meet a performance level PLr = PLd , there are several design choices of both structure and component performance which may meet the design requirement
page 65
Practical Application of ISO 13849-1:2015: Various Methods of Determining PL
• Each method makes certain assumptions and/or simplifications
• The simpler the method, the greater the assumptions
– This drives the solution to the more conservative result
– The highest performance level predictions are obtained using the more detailed calculation methods, typically full computer programs designed for ISO 13849-1:2015
page 66
Conversions
• Mean Time To Dangerous Failure of Mechanical components
• MTTFD is in Years while λD is in per Hour
• MTTFD of one year = 8760 hours/year, λD = 1.141E-04 (1.141 x 10^-4)
• B10: Number of cycles until 10% of a test population has failed
• If B10D is not specifically stated, the Fraction of Failure Rate may be given, B10D = B10/FFR, or estimated at 50% of the total failures
• MTTFD = Nominal cycles to failure to danger / Cycles per Year = 10 x B10D / nop
– Ex: To convert the B10 life of a component to MTTFD in years on a machine which runs 240 days per year, for 16 hours per day, with a 15 sec machine cycle:
MTTFD (years) ≈ (2 x 10 x B10) cycles x 15 sec/cycle / (240 days/yr x 16 hr/day x 60 min/hr x 60 sec/min)
page 67
Mission Time T10D
• Note: Mechanical components which wear out, such as Contactors, Valves etc., should be replaced at their B10D cycle life, since their rate of failure can no longer be considered to be constant and the MTTFD is no longer valid
– This includes electro-mechanical relays in Safety Interface Modules which may have a PFHD of 1E-9 but whose relay in that application may have a MTTFD of 25 yr. and a T10D of 2.5 yr.
• Operating time ( also known as Mission Time or )
• TM = T10D = B10D / nop = MTTFD / 10
page 68
Single Channel MTTFD of Components or Systems
• MTTFD of a channel is the reciprocal of the sum of the reciprocals of the MTTFD of the individual components or sub-systems in the channel.
• Failure to danger of ANY component in the series string faults the system to danger
– Therefore, in a single channel system:
1/MTTFD,Chn = 1/MTTFD,comp1 + 1/MTTFD,comp2 + … + 1/MTTFD,comp n
OR
λD,Chn = λD,comp1 + λD,comp2 + … + λD,comp n
[Figure: series blocks Comp 1, Comp 2, …, Comp n]
page 69
MTTFD of Channels
• MTTFD of Individual CHANNELS are each capped:
– Cat 1, 2, and 3 = 100 years
– Cat 4 at 2,500 years
• Components and Sub-systems within a channel are not capped
page 70
MTTFD of Dual Channels
• In a Dual channel system, to gain a system MTTFD, if:
– The two channels have the same MTTFD, their symmetrized value is the same as that of a channel
– The channel MTTFD are not the same, a symmetrized value calculated as below is used for the combined channels.
– Else the lowest MTTFD of the two is used
• EX: By calculation, two channels, one 100yr and one 33yr, yield a symmetrized value of 72yr
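Pages 68 to 70 give the series rule for one channel, the per-channel caps and the symmetrization of two unequal channels, but the symmetrization formula itself did not survive in this transcript. The block below is an added example, not the presenter's code; the formula it uses, MTTFD = 2/3 x (C1 + C2 - 1/(1/C1 + 1/C2)), is the one in ISO 13849-1 Annex D, and it reproduces the slide's 100 yr / 33 yr → 72 yr case. The caps (100 years for single channels and Cat 1 to 3, 2,500 years for Cat 4) and the low/medium/high bands are taken from the slides; the 200 yr, 150 yr and 1,000 yr component values in the sample channels are constructed.

```python
# Channel MTTFD caps from the slides: single channels and Cat 1-3 at 100 years,
# Cat 4 at 2,500 years. Components inside a channel are not capped.
CHANNEL_CAP_YEARS = {"B": 100, "1": 100, "2": 100, "3": 100, "4": 2500}


def series_mttfd(component_mttfd_years):
    """MTTFD of one channel whose blocks are in series:
    1/MTTFD_ch = sum(1/MTTFD_i), i.e. the channel lambda_D is the sum of the
    component lambda_D values. Any dangerous failure faults the channel."""
    if not component_mttfd_years:
        raise ValueError("a channel needs at least one block")
    return 1.0 / sum(1.0 / m for m in component_mttfd_years)


def cap_channel_mttfd(mttfd_years, category):
    """Apply the per-channel cap for the given category ('B', 1, 2, 3 or 4)."""
    return min(mttfd_years, CHANNEL_CAP_YEARS[str(category)])


def symmetrized_mttfd(c1_years, c2_years):
    """Combined value for two channels with unequal MTTFD (ISO 13849-1 Annex D):
    MTTFD = 2/3 * (C1 + C2 - 1/(1/C1 + 1/C2)). Equal channels keep their value."""
    if c1_years == c2_years:
        return c1_years
    harmonic = 1.0 / (1.0 / c1_years + 1.0 / c2_years)
    return (2.0 / 3.0) * (c1_years + c2_years - harmonic)


def mttfd_class(mttfd_years):
    """Bands from the slides: low 3-10 y, medium 10-30 y, high 30-100 y;
    below 3 years the slides call the channel not acceptable."""
    if mttfd_years < 3:
        return "not acceptable"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dual_channel_mttfd(channel1_blocks, channel2_blocks, category):
    """Series-combine each channel, cap it, then symmetrize the pair."""
    c1 = cap_channel_mttfd(series_mttfd(channel1_blocks), category)
    c2 = cap_channel_mttfd(series_mttfd(channel2_blocks), category)
    combined = symmetrized_mttfd(c1, c2)
    return {"channel1": c1, "channel2": c2,
            "combined": combined, "class": mttfd_class(combined)}


if __name__ == "__main__":
    # The slide's example: 100 yr and 33 yr channels -> about 72 yr.
    print(f"symmetrized(100, 33) = {symmetrized_mttfd(100, 33):.1f} yr")
    # Constructed Cat 3 system: channel 1 = two 200 yr blocks,
    # channel 2 = a 150 yr block and a 1,000 yr block; both cap at 100 yr.
    print(dual_channel_mttfd([200, 200], [150, 1000], 3))
```

Note that the cap is applied per channel before symmetrizing, which is why the constructed Cat 3 example ends at exactly 100 years even though the raw series values are 100 and about 130 years.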
page 71
Calculating DCavg
• The system DCavg is calculated using the Diagnostic Coverage percentage and the MTTFD or λD of all functional components in the system
• Or use the DC value of the high failure rate component with the lowest DC for the total system
Note: If a component has a DC of < 60%, enter DC = zero
However, its 1/MTTFD must still be added to the denominator
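The note about entering DC = 0 for a component below 60% while still counting its 1/MTTFD in the denominator is the detail most often missed when DCavg is worked by hand. The following is an added example, not the presentation's own code; it implements the DCavg formula from ISO 13849-1 Annex E, sum(DC_i/MTTFD_i) / sum(1/MTTFD_i), with that rule, plus the worst-case shortcut from page 49 and the DC bands from the slides. The component values (100 yr at 99%, 30 yr at 90%, 20 yr at 50%) are constructed.

```python
def dc_avg(blocks):
    """blocks: iterable of (mttfd_years, dc) for every component in the SRP/CS
    (sub-systems with their own published PFHD are left out).
    DCavg = sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i).  A block with DC < 60 % is
    entered with DC = 0 but its 1/MTTFD still counts in the denominator, so an
    unmonitored block with a high failure rate pulls the average down hard."""
    numerator = 0.0
    denominator = 0.0
    for mttfd_years, dc in blocks:
        if not 0.0 <= dc <= 1.0:
            raise ValueError("DC must be a fraction between 0 and 1")
        effective_dc = dc if dc >= 0.60 else 0.0
        numerator += effective_dc / mttfd_years
        denominator += 1.0 / mttfd_years
    if denominator == 0.0:
        raise ValueError("no blocks given")
    return numerator / denominator


def dc_class(dc):
    """Bands from the slides: none < 60 %, low 60-90 %, medium 90-99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def worst_case_dc(blocks):
    """Shortcut from page 49: take the DC of the block with the highest failure
    rate (lowest MTTFD) for the whole system; conservative against the average."""
    _, dc = min(blocks, key=lambda b: b[0])
    return dc if dc >= 0.60 else 0.0


if __name__ == "__main__":
    monitored = [(100, 0.99), (30, 0.90)]          # constructed values
    with_unmonitored = monitored + [(20, 0.50)]     # a 20 yr block with DC below 60 %
    for label, blocks in (("monitored", monitored), ("with 50 % block", with_unmonitored)):
        avg = dc_avg(blocks)
        print(f"{label:16s} DCavg = {avg:.3f} -> {dc_class(avg)}; "
              f"worst-case DC = {worst_case_dc(blocks):.2f}")
```

Adding the single 20-year block with 50% DC drops DCavg from about 92% (medium) to about 43% (none): the block contributes nothing to the numerator but the largest share of the denominator, which is exactly the effect the note describes.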
page 72
Table K.1 ISO 13849-1:2015
• Determine the SYSTEM MTTFD values of the channel or component: Structure, MTTFD, DCavg, and CCF value
– Single channels are listed as Structure B or 1 depending on their MTTFD
– MTTFD ≥ 30 years is High = Cat 1
• Locate the closest lower MTTFD in the left column of Table K.1
• Locate the Category and DCavg column from the heading, left to right
• From the MTTFD trace to the right until the appropriate Cat/DCavg column is intersected
• Read the sub-system or channel PL or PFHD
page 73
ISO 13849-1:2015 Table “K”
page 74
Mixed System
Output is two contactors driven by two outputs of the PLC and monitored by the Safety PLC
B10 of contactor is 5,000,000 cycles; assume B10D = 2 x B10, MTTFD = 10 x B10D
Rate of use is 10/hour, 24 hours per day, 5 days per week, 50 weeks per year
10 x 24 x 5 x 50 = 60,000 cycles per year (nop)
MTTFD = B10 x 2 x 10 / nop = 5x10^6 x 2 x 10 / 6x10^4 = 10x10^7 / 6x10^4 = 1.7x10^3
MTTFD is 1,700 years, which is capped at 100 years
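The contactor calculation above, the conversion slide on page 66 (240 days x 16 hours at a 15 s cycle) and the mission time rule on page 67 are all the same three steps: find nop, derive B10D from B10, then MTTFD = 10 x B10D / nop and T10D = B10D / nop. The block below is an added example, not the presentation's code, that carries those steps through for both use profiles; the 50% dangerous-failure fraction, the 100 / 2,500 year channel caps and the 20-year replacement limit are assumptions taken from the slides.

```python
SECONDS_PER_HOUR = 3600


def cycles_per_year_from_cycle_time(days_per_year, hours_per_day, cycle_time_s):
    """n_op from a machine cycle time, e.g. 240 d x 16 h x 3600 s / 15 s (page 66)."""
    return days_per_year * hours_per_day * SECONDS_PER_HOUR / cycle_time_s


def cycles_per_year_from_rate(cycles_per_hour, hours_per_day, days_per_week, weeks_per_year):
    """n_op from an hourly actuation rate, e.g. 10/h x 24 h x 5 d x 50 wk (page 74)."""
    return cycles_per_hour * hours_per_day * days_per_week * weeks_per_year


def b10d_from_b10(b10, dangerous_fraction=0.5):
    """B10D from B10 when the vendor gives no B10D: B10D = B10 / FFR.
    FFR = 0.5 (half of all failures dangerous) is the slides' default, i.e. 2 x B10."""
    if not 0.0 < dangerous_fraction <= 1.0:
        raise ValueError("dangerous_fraction must be in (0, 1]")
    return b10 / dangerous_fraction


def wear_component_mttfd(b10d, n_op, category="3"):
    """MTTFD = 10 x B10D / n_op in years, with the channel cap (100 y, or 2,500 y
    for Cat 4), and T10D = B10D / n_op, the replacement point, limited to the
    20-year mission time the slides quote."""
    if n_op <= 0:
        raise ValueError("n_op must be positive")
    raw = 10.0 * b10d / n_op
    cap = 2500.0 if str(category) == "4" else 100.0
    t10d = b10d / n_op
    return {
        "mttfd_raw": raw,                 # the uncapped component value
        "mttfd_capped": min(raw, cap),    # what the channel may claim
        "t10d": t10d,                     # years until B10D cycles are reached
        "replace_after": min(t10d, 20.0), # years; never later than mission time
    }


if __name__ == "__main__":
    # Page 74: 5,000,000 cycle contactor, 10/h, 24 h, 5 d, 50 wk.
    n_op = cycles_per_year_from_rate(10, 24, 5, 50)
    print(f"n_op = {n_op:,.0f} cycles/yr")
    print(wear_component_mttfd(b10d_from_b10(5_000_000), n_op))
    # Page 66 profile: 240 d x 16 h at a 15 s cycle.
    print(f"n_op = {cycles_per_year_from_cycle_time(240, 16, 15):,.0f} cycles/yr")
```

For the page 74 contactor the raw MTTFD is about 1,667 years, so the channel claims the 100-year cap; T10D is about 167 years, so the 20-year mission time governs replacement. Under the page 66 profile nop is 921,600 cycles per year, more than 15 times higher, which is why the same contactor can land in a different MTTFD band on a faster machine.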
DC = 99% from Table E.1, therefore use HIGH
From Table K.1 this is a PLe for the dual channel of two monitored contactors
[Figure: Safety Light Curtain (PLe) → Safety PLC (PLe) → two Force Guided Contactors]
From Table K.1 ISO 13849-1:2015
page 75
• The PFHD of the two contactors monitored with the safety PLC was found to be 2.47E-8
• Vendor data supplies values for the SLC and the PLC
• These are added to the contactor PFHD for a total system performance
• PFHDsys = Σ PFHDn
• 4.5E-8 + 1.1E-8 + 2.5E-8 = 8.1E-8 for a system PLe
Mixed System
[Figure: Safety Light Curtain (PLe) → Safety PLC (PLe) → two Force Guided Contactors]
page 76
Use of the circular Performance Level Calculator instead of Table K.1 from ISO 13849-1:2015; this is the same data as Table K
page 77
Rotate the calculator to expose the channel MTTFD in the lower window.
Read the MTTFD of a system with the selected attributes from the upper window.
Based on the color code, find the PL exponent.
EX: For a Channel or Channel combination with a MTTFD of 33 years, used in a given structure and with a given DC, the MTTFD of the component when used in this CONTROL SYSTEM is from 3.46x10^-6 /hr in a Cat 1 to 8.57x10^-8 /hr in a Cat 4 with a High DC
These numbers translate into a PL of “b” to an “e” (Ref pg. 7)
Can be ordered on-line from IFA.org
Values for “B” only between 3 and < 30 years
page 78
Determine the SYSTEM PL
an EXAMPLE
page 79
Convert the Functional Safety SRP/CS to a Safety-Related Block Diagram
• Determine the structure of the circuit and identify its in-series components or sub-systems for each channel
– Determine the structure and components of the three functions for each sub-system
• Input, Logic, Output
• Identify which components or sub-systems will cause failure to danger of the entire channel when their failure to danger occurs
page 80
ALWAYS create the Safety-related block diagram from the circuit drawing
[Figure: circuit drawing with SIM (A1, S11, S21, S22, S12, contacts 13-14 and 23-24), door switches S31, S32 (OPEN), force guided contactors FGC1, FGC2, and the Machine Sequence PLC]
page 81
[Figure: Door 1 with LS1, LS2 and Door 2 with LS3, LS4 in series to the SIM and FGC 1 / FGC 2; the safety-related block diagram is drawn per door: LS1, LS2 → SIM → FGC 1 / FGC 2 and LS3, LS4 → SIM → FGC 1 / FGC 2. The PLC is machine sequence logic only.]
Each door, with its two interlock switches, is evaluated independently
The impact of the series connection of the two door interlocks is reflected by reduction of DC to MED
The MTTFD of the FGC is based on the SUM of the cycles of both doors
PLC is for machine sequence logic only and does NOT enter the safety-related diagram
NOTE: The cycles/yr. of the SIM and FGC are the sum of Door 1 and Door 2 cycles
page 82
Methodology
PL Graph (Estimate)
page 83
Diagram of Circuit to be Verified to Meet or Exceed PLr
Verification Process
Identify:
• Category (Cat.) = known circuit structure
• MTTFD = calculated from data provided by the manufacturer to determine “low”, “medium”, or “high” for the channel(s)
• Diagnostic Coverage (DCavg) = identify methods and the “percentage” from a table to determine “none”, “low”, “medium”, or “high”
• Common Cause Failure (CCF) = Do the worksheet and determine if the design meets a score of 65 or better for Cat ≥ 2.
Then apply the above information to the chart…
[Circuit diagram; the PLC is labelled “Machine Logic only”]
page 84
PL Verification
[PL graph (Figure 5 ISO 13849-1:2015): bars per Category and DCavg, columns MTTFD Low / Med / High, CCF > 65]
Worked point: Cat 3, MTTFD = High, DC avg = Medium, CCF = 70, PLr = PLd
The resulting PL = “d” or “e” (meets or exceeds the required PLr level of “d” from the Risk Assessment)
Adapted from Fig 5 ISO 13849-1:2015
page 85
Matrix of generalized requirements of the four Quantitative Measures when used with a specific structure to achieve a required PLr.
Here to achieve a PLd, any of the shaded methods can meet the requirement

Category                       B      1      2      2       3      3       4
DCavg                          none   none   low    medium  low    medium  high
MTTFD of each channel: low     a      n/c    a      b       b      c       n/c
MTTFD of each channel: medium  b      n/c    b      c       c      d       n/c
MTTFD of each channel: high    n/c    c      c      d       d      d       e
(n/c = Not covered)
Adapted from Table 6 ISO 13849-1:2015
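The verification process of the previous slides (Category, MTTFD class, DCavg class, CCF gate) and the Table 6 matrix, as an added example that is not code from the presentation; it also covers the Annex F CCF worksheet reproduced in Appendix F of this deck. Assumptions stated in the code: the MTTFD class limits (low 3 to <10 years, medium 10 to <30, high 30 to 100, values above 100 capped to 100 as the hydraulic example does) and the DCavg class limits (none <60 %, low 60 to <90 %, medium 90 to <99 %, high ≥99 %) are the standard's, and the CCF point values are those listed in Appendix F.

```python
"""Table 6 PL lookup with MTTFD/DCavg classification and the CCF gate.

Added example, not from the presentation. Class limits and CCF
points are taken from ISO 13849-1 as reproduced in this deck.
"""

# Table 6: (Category, DCavg class) -> {MTTFD class: PL or None for "Not covered"}
TABLE_6 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# Annex F Table F.1 measures and points (keys are this example's own names)
CCF_POINTS = {
    "separation": 15, "diversity": 20, "protection": 15, "well_tried": 5,
    "assessment": 5, "competence": 5, "environment_power": 25, "environment_other": 10,
}
CCF_MIN_SCORE = 65   # required for Cat 2, 3 and 4
MTTFD_CAP_YEARS = 100.0


def mttfd_class(years: float) -> str:
    """Classify channel MTTFD; values above the cap still count as high."""
    if years < 3:
        raise ValueError("MTTFD of a channel below 3 years is not allowed")
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"   # 30 .. 100 years (anything larger is capped to 100)


def dcavg_class(percent: float) -> str:
    if percent < 60:
        return "none"
    if percent < 90:
        return "low"
    if percent < 99:
        return "medium"
    return "high"


def ccf_score(measures_fully_met) -> int:
    """Annex F scoring: a measure scores only when every component in the
    channel meets it; there is no partial credit."""
    unknown = set(measures_fully_met) - set(CCF_POINTS)
    if unknown:
        raise ValueError(f"unknown CCF measure(s): {sorted(unknown)}")
    return sum(CCF_POINTS[m] for m in set(measures_fully_met))


def verify_pl(category, mttfd_years: float, dcavg_percent: float, ccf_points: int):
    """Return the Table 6 PL, or None when the combination is 'Not covered'
    or the CCF gate fails for a Cat 2..4 structure."""
    category = str(category).upper()
    if category in ("2", "3", "4") and ccf_points < CCF_MIN_SCORE:
        return None
    row = TABLE_6.get((category, dcavg_class(dcavg_percent)))
    if row is None:
        return None   # e.g. Cat 3 with DCavg "none" is not a valid Cat 3
    return row[mttfd_class(min(mttfd_years, MTTFD_CAP_YEARS))]


if __name__ == "__main__":
    # The slide's worked point: Cat 3, MTTFD high, DCavg medium, CCF 70 -> PLd
    print(verify_pl(3, 51, 92, ccf_points=70))
```

Returning None for both "Not covered" and a failed CCF gate keeps the caller from mistaking an invalid structure for a low PL; a real checklist would also record which CCF measures were claimed, since the worksheet has to be kept as evidence.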
page 86
Methodology
• Summation of PL sub-systems
page 87
Summation of PL Systems
• Determine the structure of the circuit and identify its in-series components or sub-systems for each channel
• Draw the Safety-related block diagram to identify which components or sub-systems will cause failure to danger of the entire channel when their failure occurs
• Determine the PL of each component or sub-system using:
– Published manufacturer’s data
– Estimates from Appendix of safety components
– Calculate from MTTFD and Table K.1 or Circular Calculator
• Use PL count chart to reduce to system PL performance
page 88
Sub-Systems’ PL Count
• Determine the PL of each sub-system connected in Series in the Safety-related Block Diagram
• Determine lowest PL = PLlow
• Count number of PLlow in the series string
• Use clause 6.3 Table 11 to determine PL of the string
• This is a simplified method of the mathematical summation of the probabilities of failure using sub-system 1/MTTFD values
Table: 11 ISO 13849-1:2015
page 89
PLn Count Method
[Block diagram: Safety Light Curtain (PLe) – Safety PLC (PLd) – Safety Rated ROBOT Stop (PLd)]
Lowest PL = d
Number of lowest PL = 2
For PLd ≤ 3 = PLd
If we had used a remote I/O structure using a network, two additional elements would have been added to the safety-related block diagram as shown on the next page
page 90
PLn Count Method
[Block diagram, five sub-systems in series: Safety Light Curtain (PLe), Safety PLC (PLd), Safety Rated ROBOT Stop (PLd), Remote Network Input (PLd), Remote Network Output (PLd)]
Lowest PL = d
Number of lowest PL = 4
For PLd > 3 = PLc
Note: There is a good reason to use the finer granularity method of summing actual 1/MTTFD for each component or sub-system. If actual values are used, they may be capable of achieving a higher system PL (here, PLd). This is due to the use of the Mid value of MTTFD for each sub-system PL rather than the exact value, which might be higher than its PL mid-value.
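The count method of clause 6.3 Table 11, as an added example that is not code from the presentation: the table below encodes, for each lowest PL, how many sub-systems at that PL the string may contain before it drops one level (and that more than three PLa sub-systems are not allowed); the two sub-system lists in the usage call are constructed to reproduce the robot examples on these two slides.

```python
"""PL count method (ISO 13849-1:2015 clause 6.3, Table 11).

Added example, not from the presentation. The sub-system lists used
at the bottom are constructed to match the two slides above.
"""

PL_ORDER = "abcde"

# PLlow -> (largest N_low that still yields PLlow, PL when N_low exceeds it)
# None means the combination is not allowed.
TABLE_11 = {
    "a": (3, None),
    "b": (2, "a"),
    "c": (2, "b"),
    "d": (3, "c"),
    "e": (3, "d"),
}


def pl_count_method(subsystem_pls) -> dict:
    """Reduce a series string of sub-system PLs to one system PL.

    Returns the lowest PL, how many sub-systems share it, and the
    resulting system PL (None when Table 11 says 'not allowed')."""
    pls = [str(p).strip().lower() for p in subsystem_pls]
    if not pls:
        raise ValueError("empty series string")
    bad = [p for p in pls if p not in PL_ORDER]
    if bad:
        raise ValueError(f"not a PL letter: {bad}")
    lowest = min(pls, key=PL_ORDER.index)
    n_low = pls.count(lowest)
    limit, downgraded = TABLE_11[lowest]
    system_pl = lowest if n_low <= limit else downgraded
    return {"lowest": lowest, "n_low": n_low, "system_pl": system_pl}


if __name__ == "__main__":
    # Constructed strings matching the slides: SLC, Safety PLC, robot stop ...
    print(pl_count_method(["e", "d", "d"]))              # -> PLd
    # ... and the same with remote network input and output added
    print(pl_count_method(["e", "d", "d", "d", "d"]))    # -> PLc
```

Note what the method does not do: sub-systems better than PLlow never raise the result, so a string of one PLc and four PLe sub-systems is still PLc.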
page 91
PLn Count Method with Components
• Channel mixed with individual components
– ISO 13849-1:2015 Table K.1 or its circular calculator may be used to establish the component’s PL for use with the PL count method
– Using the Safety-related block diagram, determine the structure category (Cat 3 or 4)
– Determine the MTTFD of the component(s) (51 years)
– Calculate DCavg of their portion of the system (high) and confirm Cat 4
– Determine the equivalent PL from the table K.1 or circular calculator: PFHD = 5.3E-8, which is Cat 4 PLe
– Use this PL as one of the sub-systems in the series channel string
– Lowest PLe, number of lowest is ≤3, therefore system is PLe
[Block diagram: Safety Light Curtain (PLe) – Safety PLC (PLe) – Force Guided Contactor / Force Guided Contactor; PFHD = 5.3E-8 converts to PLe]
page 92
Calculation of System PFHD to Define System PL
• Determine the MTTFD of each component in series
– Each component can cause the loss of the safety function
– Determine the MTTFD of the series system
– Calculate the DCavg
– Verify CCF score ≥65
– Use Table K.1 or circular calculator to determine system PL
page 93
Is This a Cat 4 PLe Circuit?
[Circuit: Limit Switch A and Limit Switch B → Safety Interface Module → Force Guided Contactor A and Force Guided Contactor B (two channels)]
page 94
[Same two-channel block diagram (Limit Switch A/B, Safety Interface Module, Force Guided Contactor A/B) annotated with values from ISO 13849-1:2015 Table K.1]
Using B10 and cycle rate we calculated the following:
MTTFD of Limit switch A = B = 65 years
MTTFD of Contactor A = B = 80 years
MTTFD of either channel = 1/(1/MTTFD2 + 1/MTTFD3) = 1/(1/65 + 1/80); 1/65 + 1/80 = .0153 + .0125 = .0278, MTTFD = 37 Years
Since both channels are the same, that is also the symmetrized System channel MTTFD
Assume DCavg = >90 but <99, therefore it is MEDIUM. From ISO 13849-1:2015 table K.1, next lowest MTTFD value of 36: PFHD = 2.01E-7. Safety Interface Module vendor data: PLe, PFHD = 6.26E-8
TOTAL: the system PFHD is 2.01E-7 + 6.26E-8 = 2.64E-7; Cat 3 PLd
page 95
Numerical Example of a Mixed System
page 96
Example
[Fig 8.28 BGIA Report 2/2008e: Pressure Switch, Scanner (PFHD 3.0E-7), Safety PLC (PFHD 1.5E-7), 3-Way Dump / Pilot Check / Directional Valve block; valve MTTFD values 150 yr, 150 yr, 150 yr, dual-valve channel 75 yr]
• Symmetrized MTTFD of valve dual channel of 75 and capped single valve 150 to 100 = 88 yr.
• DC of both 1V3 and 1V4 is 99% via 1S3
• DC of 1V5 by process monitoring is 60%
• DCavg is calculated to be 86%, <90% therefore low
• Valve channel is Cat 3 DCavg Low
• CCF score from table F.1 >65
• From table K.1 closest lower values of 82 yr. and low DCavg (60%) hydraulic system PFHD is 1.14E-7
– This is conservative due to round down; actual calculations using SISTEMA would yield a value of 6.2E-8
• Resultant system performance is sum of the three PFHD
Conservative 5.6E-7 PLd or calculated 5.1E-7 PLd
Fig 8.28 BGIA Report 2/2008e
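The channel arithmetic used on this slide and on the Cat 4 limit-switch/contactor slide before it, as an added example that is not code from the presentation or from the BGIA report: series components combine by reciprocal sum, a single-channel value is capped at 100 years before the two channels are symmetrized with the standard's 2/3 formula, and DCavg is the 1/MTTFD-weighted mean of the component DCs. Component values in the usage call are those quoted on the slides; the name `channel_summary` is this example's own.

```python
"""MTTFD and DCavg channel arithmetic per ISO 13849-1 Annex D / Annex E.

Added example, not from the presentation. Component values in the
usage section are the ones quoted on the slides.
"""

MTTFD_CAP_YEARS = 100.0


def series_mttfd(mttfds) -> float:
    """Components in one channel: 1/MTTFD_ch = sum of 1/MTTFD_i."""
    if not mttfds:
        raise ValueError("channel has no components")
    return 1.0 / sum(1.0 / m for m in mttfds)


def cap_mttfd(years: float, cap: float = MTTFD_CAP_YEARS) -> float:
    """Per-channel MTTFD is limited to the cap before symmetrization."""
    return min(years, cap)


def symmetrized_mttfd(ch1: float, ch2: float) -> float:
    """Two-channel (Cat 3/4) symmetrization, Annex D:
    MTTFD = 2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2))."""
    return (2.0 / 3.0) * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))


def dcavg(components) -> float:
    """Annex E: DCavg = sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i).
    `components` is an iterable of (dc_fraction, mttfd_years)."""
    comps = list(components)
    if not comps:
        raise ValueError("no components")
    return sum(dc / m for dc, m in comps) / sum(1.0 / m for dc, m in comps)


def channel_summary(ch1_components, ch2_components) -> dict:
    """Series-reduce each channel, cap, symmetrize, and compute DCavg
    over every component of both channels (example's own helper)."""
    c1 = cap_mttfd(series_mttfd([m for _, m in ch1_components]))
    c2 = cap_mttfd(series_mttfd([m for _, m in ch2_components]))
    return {
        "channel1": c1,
        "channel2": c2,
        "symmetrized": symmetrized_mttfd(c1, c2),
        "dcavg": dcavg(list(ch1_components) + list(ch2_components)),
    }


if __name__ == "__main__":
    # Hydraulic slide: 1V3 and 1V4 (DC 99 %) in one channel, 1V5 (DC 60 %) alone
    print(channel_summary([(0.99, 150), (0.99, 150)], [(0.60, 150)]))
    # Cat 4 slide: limit switch 65 yr in series with contactor 80 yr, per channel
    print(series_mttfd([65, 80]))
```

Running the second call gives 35.9 years; the slide states 37 and then, correctly, reads the next lower Table K.1 row of 36 years, which is the row the exact value also selects.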
page 97
We can now take a closer look at the two “Equivalent” light barriers introduced at the start of the discussion
page 98
Example of the “Spectrum” Within a Given Category
• The dedicated standard PLC monitors the function of the three photoelectric sensors and the follower relay K1
• The PLC is not a Serial component in the Safety-related Block Diagram, i.e. its failure does not directly result in the loss of the safety function, therefore its MTTFD is not included in the safety channel calculation
• MTTFD of the PLC is 50 years and is >1/2x the MTTFD of the system being monitored, thus meets the minimum requirement for a test component for this system
• The Type 2 Safety Light Curtain is certified by a Third Party Test Laboratory to meet the required standards of Cat 2 and has a PLd
• The Interface Module is a pre-wired set of two Force Guided Relays, monitored by the SLC
• The solenoid valve is a Well Tried hydraulic component with a MTTFD of 150 years at this operation rate
• Both systems’ performance is limited by V1 because it is not monitored
• For a Mission Life of 20 years, the PE circuit has a 42% chance of Failure To Danger while the Type 2 Safety Light curtain PLc has an 18% chance of failure.
[Circuit diagrams: (left) three PE sensors with Switched Output to the PLC, follower relay K1, K1 → V1, red lines are the Monitoring connections to the PLC; (right) Safety Light Curtain Type 2 → FGR interface module → V1]
page 99
[Safety-related block diagrams with values]
PE circuit: P1, P2, P3 and K1 in series with V1; the PLC is the test (monitoring) component
Cat 2, DC = low, MTTFd 33, λ = 1.86E-6; V1 capped MTTFd = 100
1.86E-6 + 1.14E-6 = 3.0E-6
MTTFd = Yr. PLb 41% fail @ 20 Yr.
Type 2 Safety Light Curtain circuit: SLC – IM – V1
[Values residue from the diagram: 100 100 100 1302 150 / 6.9E-8 2.5E-8 150 / 1214 100 / 9.4E-8 1.14E-6 / 32.5]
6.9E-8 + 2.5E-8 + 1.14E-6 = 1.23E-6
MTTFd = 93 Yr. PLc 19% fail @ 20 Yr.
Note: SRP/CS performance limited by un-monitored valve
[Circuit diagrams repeated: PE sensors / Switched Output / PLC / K1 / V1 with red Monitoring connections to PLC and FGR; Safety Light Curtain Type 2 / SLC / IM / V1]
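The mission-time figures on these two slides (41 % and 19 % chance of failure to danger over 20 years) follow from the summed PFHD by the constant-failure-rate relation P(t) = 1 − exp(−λ·t); the conversions between PFHD and MTTFD in years also appear here. The code is an added example, not the presentation's own, and uses 8760 hours per year; the PFHD values in the usage section are those quoted on the slides.

```python
"""Mission-time probability of dangerous failure from a system PFHD.

Added example, not from the presentation. Assumes a constant dangerous
failure rate (lambda = PFHD) and 8760 operating hours per year.
"""
import math

HOURS_PER_YEAR = 8760.0


def pfhd_from_mttfd_years(mttfd_years: float) -> float:
    """PFHD (1/h) of a single unmonitored channel = 1 / MTTFD in hours."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def mttfd_years_from_pfhd(pfhd: float) -> float:
    """Inverse: express a summed PFHD as an equivalent MTTFD in years."""
    return 1.0 / (pfhd * HOURS_PER_YEAR)


def probability_of_dangerous_failure(pfhd: float, mission_years: float = 20.0) -> float:
    """P(at least one dangerous failure within the mission) = 1 - e^(-lambda t).
    Using lambda*t directly would overstate the risk for large lambda*t."""
    if pfhd < 0 or mission_years < 0:
        raise ValueError("rate and mission time must be non-negative")
    return 1.0 - math.exp(-pfhd * mission_years * HOURS_PER_YEAR)


def compare_designs(designs: dict, mission_years: float = 20.0) -> dict:
    """For each design name -> summed PFHD, report equivalent MTTFD and
    mission failure probability in percent (rounded to whole percent)."""
    return {
        name: {
            "mttfd_years": round(mttfd_years_from_pfhd(pfhd)),
            "fail_pct_at_mission": round(100.0 * probability_of_dangerous_failure(pfhd, mission_years)),
        }
        for name, pfhd in designs.items()
    }


if __name__ == "__main__":
    # Summed PFHD values quoted on the slides for the two "equivalent" circuits
    print(compare_designs({"PE + standard PLC": 3.0e-6, "Type 2 SLC + IM": 1.23e-6}))
```

The same relation explains the calculator slide's Cat 1 figure: a 33-year MTTFD is 1/(33 × 8760 h) = 3.46E-6 per hour, so a single channel without diagnostics has a PFHD equal to its dangerous failure rate, and only structure and diagnostic coverage bring it lower.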
page 100
Computer Based Calculation of System PL
• Computer programs, both free and for purchase, are available to calculate system PL
• These have the advantage of using the full range of values of MTTFD and DCavg rather than round-down use of the granular values of ISO 13849-1:2015 table K.1; programs typically will result in a higher System MTTFD
• These programs should not be used without a thorough understanding of ISO 13849-1:2015.
• Failure to understand the safety evaluation process will result in a “Plug In and Grind” effort which, while providing a numerical value, may contain serious errors.
• A generic no-cost program is briefly represented in Appendix A. At-cost as well as no-cost programs are available from numerous Safety Product vendors
page 101
Appendix A
SISTEMA Evaluation tool
page 102
• A free software to assist in determining PLs from the IFA (research arm of the BG, German Insurance Agency)
– http://www.dguv.de/ifa/en/pub/rep/rep07/bgia0208/index.jsp
– Program accepts component values and topography as well as DC and CCF data and calculates the final value of PL and 1/MTTFD, also known as λD
– Shows shortfalls in performance
– Useful in component and structure “what if” scenarios for specific PL
– Standardized Component files may be imported from vendors or user specific data
• SISTEMA Calculator Program for PL per ISO 13849-1:2015
– IFA Software
– Identify
• Category
• Safety Logic Blocks
• MTTFD of components
– Standard components file
– User components customized file
• DCavg
• CCF
SISTEMA
page 103
page 104
Annex B: From ISO 13849-1:2015
page 105
Safety-Related Block Diagram
Annex B Table: B.1 ISO 13849-1:2015
page 106
Annex C: From ISO 13849-1:2015
page 107
MTTFD and B10D for components
Annex C Table: C.1 ISO 13849-1:2015
page 108
Annex E: From ISO 13849-1:2015
page 109
Table E.1 Diagnostic Coverage ISO 13849-1:2015
Annex E Table: E.1 ISO 13849-1:2015
page 110
Table E.1 ISO 13849-1:2015, Continued (columns: Measure, DC; section: Logic component)
Annex E Table: E.1 ISO 13849-1:2015
page 111
Table E.1 ISO 13849-1:2015, Continued
Annex E Table: E.1 ISO 13849-1:2015
page 112
Appendix F: From ISO 13849-1:2015
page 113
Quantification of Measures CCF
Annex F Table: F.1 ISO 13849-1:2015

Clause  Measure Against CCF                                                              Score
1       Separation/Segregation                                                           15
2       Diversity                                                                        20
3       Design/application/experience
3.1     Protection against over-voltage, over-pressure, over-current etc.                15
3.2     Components used are “WELL TRIED”                                                 5
4       Assessment/analysis                                                              5
5       Competence/training                                                              5
6       Environmental
6.1     Pertaining to the power source for electrical and fluid power: EMI, RFI,
        Filtration, Drainage, Dirt Entry (All according to Manufacturer’s Specifications) 25
6.2     Temperature, Humidity, Dust, Shock, Vibration                                    10

Must reach a score of at least 65 for Cat 2, 3, or 4
All components in the channel must meet a requirement to get its score; >0 means fully met. No partials
page 114
Appendix K: From ISO 13849-1:2015
page 115
Table K.1 ISO 13849-1:2015
Annex K Table K.1 ISO 13849-1:2015 (continued on pages 116 to 118)
page 116
page 117
page 118
page 119
Contact Information
Heinz Knackstedt
Safety Engineer
TÜV Functional Safety Engineer
C&E sales, inc., Dayton, Ohio USA
Office: +1 (937) 434-8830
Cell: +1 (937) 545-6494