overview of iso 13849-1 -...

Machine safety ydesignOverview of ISO 13849-1Overview of ISO 13849 1

Copyright © 2007 Rockwell Automation, Inc. All rights reserved.


Agenda

1. Evolution of the EN ISO 13489-1

2. EN ISO 13849-1 Performance Levels

3. Performance Level Estimation


Evolution of EN ISO 13849-1: 2206

EN 954 1 [G l P i i l ]• EN 954-1 [General Principles]

– also published as ISO 13849-1 : 1999– based on a risk assessment

– Will remain valid until: Got 2 years more so now for use until 2011

P t 2 f EN 954 1 [V lid ti ]• Part 2 of EN 954-1 [Validation]

– is published as EN ISO 13849-2 : 2003

• EN 954-1 has been revised to include aspects of functional safety. It has changed number to EN ISO 13849-1 (2006)

• Got 2 years more so now for use until 2011………………….


EN ISO 13489-1 Performance levels


EN ISO 13849-1:2006 Performance levels

Estimation of the Performance Level (PL) requiredCategory

B 1 2 3 4

PerformanceLevel, PLr

aP1

P2F1

S1b

P2

P1

P2F2

F1

cP2

P1

S2

F2

dP2

P1


eP2

S = SeverityF = Frequency or Duration of ExposureP = Avoidance Probability






Performance Level (PL) is related to the Probability of Dangerous failure per Hour (PFHD)

The standard give a simplified procedure for estimating the Performance Level


Performance Level Estimation


Performance level estimation

PLd is required What does that mean?

Choose the most suitable combination of

Structure (Category), Reliability (MTTFd) and Diagnostics (DC)







Structure

• Typical safety function diagram:

INPUT LOGIC SOLVING

OUTPUT

Sensing element Final elementControl element

or actuator

• The machine designer shall select an architecture that will meet the needs • The machine designer shall select an architecture that will meet the needs of the safety function.– Cat B 1 2 3 or 4


Cat B, 1, 2, 3 or 4

Structure

The structure and behaviour of the safety function under fault conditions

Designated Architecture Category B Typical implementationDesignated Architecture Category B Typical implementation

Contactor Motor

Requirements• Basic Safety principles

• Withstand expected influences Machine ControlSensor

• Withstand expected influences

Behaviour under fault conditionsA fault can cause a loss of the safety function.

Designed to product standards e.g. IEC 60947-5-2 (not specific safety standards)

Designed for environment and electrical safety aspects


Designed for environment and electrical safety aspects e.g IEC 60204-1

Structure


Designated Architecture Category 1 Typical implementationDesignated Architecture Category 1 Typical implementation

Contactor Motor

Requirements• Category B

• Well tried components Machine Control

Guard interlock switch

• Well tried components

•Well tried safety principles

Behaviour under fault conditionsA fault can cause a loss of the safety function.


Structure



Contactor Motor

Guard interlock switch

Safety monitoring relay with start up check

Requirements

Machine Control

•Category B

•Well tried safety principles

•Functional check at start up and periodically (on/off check)

Behaviour under fault conditionsA fault occurring between the checks can cause a loss of the safety function.


Structure


Designated Architecture Category 3 Typical implementationDesignated Architecture Category 3 Typical implementationContactors with mechanically linked

contacts

Motor

RequirementsSafety monitoring relay

Contactor monitoring

Guard interlock switches

• Category B

• Well tried safety principles

• Single fault does not cause a loss of safety function

Wh ti bl th t f lt h ld b d t t d• Where practicable that fault should be detected

Behaviour under fault conditionsAccumulation of undetected faults can cause a loss of the safety

Machine Control


yfunction.

Structure



Contactors with mechanically linked contacts

Motor

RequirementsS f t

Contactor monitoring

Guard interlock switches

• Category B

• Well tried safety principles

• An accumulation of faults does not cause a loss of safety function

Safety monitoring relays

function

Behaviour under fault conditionsFaults will be detected in time to prevent a loss of safety function

Machine Control


Structure: Fault exclusion


Designated Architecture Categories B 1 2 3 & 4Designated Architecture Categories B, 1, 2, 3 & 4

Fault exclusion

•Clause 7.3 deals with Fault Exclusion. It states:

"It is not always possible to evaluate safety related parts of control systems without assuming that certain faults can be excluded…..

F lt l i i i b t th t h i l f t i t d th th ti l ibilit f Fault exclusion is a compromise between the technical safety requirements and the theoretical possibility of occurrence of a fault.

Fault exclusion can be based on:

th t h i l i b bilit f th f f lt•the technical improbability of the occurrence of some faults.

•generally accepted technical experience, independent of the considered application, and

•technical requirements related to the application and the specific hazard

Example list of excludable in annex of EN 13849-2

• Example


– short between conductors belonging to different sheathed wires or cable conduit can be excluded.






Reliability

Reliability (MTTFd –– Mean Time To Failure Dangerous of each channel )

Denotation of MTTF of each Denotation of MTTFd of each channel

Range of MTTFd of each channel

Low 3 years <= MTTFd < 10 yearsLow 3 years MTTFd 10 years

Medium 10 years <= MTTFd < 30 years

High 30 years <= MTTF < 100 yearsHigh 30 years <= MTTFd < 100 years


Reliability

Reliability (MTTFd –– Mean Time To Failure Dangerous of each channel )

Channel 1

Data sources preference:

1. provided by manufacturers Channel 2B10d =400,000MTTFd = 277yMission time = 27y

2. from generic handbook sources

3. use 10 yearsFault Exclusion? or:

B10d =2,000,000MTTFd = 1388y

Mission time = 27y

4

Simplified into 3 ranges

Low = 3 years to <10 years

MTTFd 1388yMission time = 138y

B10d =20,000,000MTTFd = 13,888yMission time = 1,388y1 2

3

o 3 yea s o 0 yea s

Medium = 10 years to <30 years

High = 30 years to <100 years

Mission time 1,388y

Both guard doors access the same hazard zone

1/MTTFdtotal= 1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4

1/MTTFdtotal= 1/1388 + 1/1388 + 1/13888 + 1/277


1/MTTFdtotal 1/1388 1/1388 1/13888 1/277

MTTFdtotal= 195 years = High

Reliability

What data is available?Generic data fromEN/ISO 13849-1: 2006

•• B10d: Number of cycles until a component fails d l dangerously

• MTTFd: Mean time to dangerous failure


Reliability

• B10d = Number of cycles until a component fails dangerously

• dop = Number of days per year when the machine is operational

• h = Number of hours per day the hop = Number of hours per day the machine is operational

• tcycle = Mean time in seconds between the b i i f t ti l f beginning of two consecutive cycles of the component

• To be determined: hshd /3600××– Number of switching cycles per year:

Operation time of the component ntil it

cycle

opopop t

hshdn

/3600××=

B– Operation time of the component until it fails dangerously: op

dd n

BT 10

10 =

T


– Mean time to dangerous failure (MTTFd):1.0

10 dd

TMTTF =






Diagnostic

(average) Diagnostic coverage (DC)

Denotation of DC Range of DC

None DC < 60%

Low 60% <= DC < 90%

Medium 90% <= DC < 99%90% C 99%

High 99% <= DC

This is a measure of the effectiveness of the diagnostics

Detected Dangerous FailuresDC = ----------------------------------------

All Dangerous Failures


All Dangerous Failures

Diagnostic Coverage

Channel 1

99%

(average) Diagnostic coverage (DC)

Data sources:

1 A E f h d d

Channel 2

Fault Exclusion? or:

99% reduced to

99%

4

1. Annex E of the standard

2. provided by manufacturers

3. FMEA

60% (due to shadowing)

99%

3

3. FMEA

Simplified into 4 ranges

99%1 2

1. None = <60%

2. Low = 60% to <90%

Both guard doors access the same hazard zone

1/MTTFd1 + 1/MTTFd2 + 1/MTTFd3 + 1/MTTFd4

DCavg=DC1/MTTFd1 + DC2/MTTFd2 + DC3/MTTFd3 + DC4/MTTFd4

3. Medium = 90% to <99%

4. High = 99%1/1388 + 1/1388 + 1/13888 + 1/277

DCavg=0.6/1388 + 0.6/1388 + 0.99/13888 + 0.99/277


DCavg = 88% = Low

Diagnostic

Simplified DC estimationAnnex E of EN/ISO 13849-1: 2006

1 and 21 and 2

3


4


• Structure: Cat. 3

• Reliability (MTTFD): HighReliability (MTTFD): High

• Diagnostics (DC): Low


Common Cause Failures (CCF)

• These are failures of different items, resulting from a single event.

• The failures are not consequences of each other.(see Annex F)

No. Measure Against CCF ScoreNo. Measure Against CCF Score

1 Separation/Segregation 15

2 Diversity 20

3 Design/application/experience 20

4 Assessment/analysis 5

5 Competence/training 5 M t hi 5 Competence/training 5

6 Environmental 35

Must achieve a score of at least 65

for Cat 2, 3 or 4!


PL estimation, the easy way

Combining subsystems with known PLs

PLeSubsystem PL

NlAchieved system

PLPLlowNlow PL

a>3 Not allowed

≤3 aPLe

1 2b>2 a

≤2 b

>2 bPLd PLdc

>2 b

≤2 c

d>3 c

d≤3 d

e>3 d

≤3 e

PLd is achieved

Based on the number of the lowest PL


≤3 e Based on the number of the lowest PL subsystems

overview of iso 13849-1 -...

Documents