PL estimation acc. to EN ISO 13849-1 Example calculation for an application
MAC Safety / Armin Wenigenrath, January 2007
MAC – A.Wenigenrath – JAN 2007 - EN 2
Select the suitable standard for your application
Reminder: the standards and the technologies

Table 1: Recommended application of EN ISO 13849-1 and EN IEC 62061

Technology implementing the safety-related control function(s) | EN ISO 13849-1 | EN IEC 62061
A: Non-electrical, e.g. hydraulics | X | Not covered
B: Electromechanical, e.g. relays, or non-complex electronics | Restricted to designated architectures (see Note 1) and up to PL = e | All architectures and up to SIL 3
C: Complex electronics, e.g. programmable | Restricted to designated architectures (see Note 1) and up to PL = d | All architectures and up to SIL 3
D: A combined with B | Restricted to designated architectures (see Note 1) and up to PL = e | X, see Note 3
E: C combined with B | Restricted to designated architectures (see Note 1) and up to PL = d | All architectures and up to SIL 3
F: C combined with A, or C combined with A and B | X, see Note 2 | X, see Note 3

"X" indicates that this item is dealt with by this standard.
NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1 to give a simplified approach for the quantification of the performance level.
NOTE 2 For complex electronics: use designated architectures according to EN ISO 13849-1 up to PL = d, or any architecture according to EN IEC 62061.
NOTE 3 For non-electrical technology, use parts according to EN ISO 13849-1 as subsystems.
The 6 Steps to Safety with EN ISO 13849-1

STEP 1: Risk assessment and basic structure of the Safety-Related Parts of a Control System (SRP/CS) implementing a safety function.
STEP 2: Determine the required Performance Level PLr for the safety function.
STEP 3: Identify the combination of safety-related parts which carry out the safety function.
STEP 4: Evaluate the Performance Level PL for all safety-related parts.
STEP 5: Verify that the PL of the SRP/CS for the safety function is greater than or equal to the PLr.
STEP 6: Validate that all requirements are met.
STEP 1: Risk assessment and basic structure of the safety chain

We take as example the safety function which disconnects a motor when the safety guard is open. From the risk assessment (see Annex 1) we get the safety requirements for this structure: it needs to achieve PL e in order to provide the necessary risk reduction. The diagram shows the combination of safety-related parts of control systems processing a typical safety function.

A safety function may be implemented by one or more Safety-Related Parts of a Control System (SRP/CS), and several safety functions may share one or more SRP/CS, e.g.:
Input (SRP/CSa), Logic / processing (SRP/CSb), Output / power control elements (SRP/CSc), Interconnecting means (iab, ibc)

Figure: basic structure of the safety chain
Initiation event -> INPUT (SRP/CSa) --iab--> LOGIC (SRP/CSb) --ibc--> OUTPUT (SRP/CSc) -> Machine actuator, e.g. motor brakes
SRP/CS => PLr = e
STEP 2: Determine the required Performance Level

In this example the safety function is the disconnection of a motor when the safety guard is open. Without the guard the possible harm is to lose an arm:

S = Severity of injury: S1 = slight (normally reversible) injury; S2 = serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard: F1 = seldom to less often and/or the exposure time is short; F2 = frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm: P1 = possible under specific conditions; P2 = scarcely possible

With the answers S2, F2 and P2 the risk graph leads to a required performance level of PLr = e.

Figure: risk graph for determining the PLr (see Annex 1). Starting point for the evaluation of the contribution to the risk reduction of a safety function; the branches S1/S2, F1/F2 and P1/P2 lead to the required performance level PLr, from a (low contribution to risk reduction) to e (high contribution to risk reduction). The path for this example is S2 -> F2 -> P2 -> PLr = e.
STEP 3: Identify the safety-related parts

All parts which carry out the safety function must be identified. In our example we use a redundant structure with 2 inputs, 2 logic channels and 2 outputs switching the power. Each block in the diagram represents one hardware device implementing the safety function.

In this example the two channels provide redundancy; the safety module provides the logic and the diagnostics for both channels. Both channels of the SRP/CS are equal.

Figure: safety-related block diagram of the example
INPUT (SRP/CSa): Interlocking switch 1 (SW1) -> I1; Interlocking switch 2 (SW2) -> I2
LOGIC (SRP/CSb): Safety module XPS, inputs I1, I2, outputs O1, O2
OUTPUT (SRP/CSc): O1 -> Contactor 1 (CON1); O2 -> Contactor 2 (CON2)
Channel L1: SW1, XPS (I1/O1), CON1; Channel L2: SW2, XPS (I2/O2), CON2
STEP 4: Evaluate the Performance Level PL

For each selected SRP/CS, and/or for the combination of SRP/CS that performs the safety function, the PL shall be estimated.
The PL of the SRP/CS is determined by the estimation of the following parameters (see Annex 2):
the CATEGORY (structure) (see Clause 6 of EN ISO 13849-1);
the MTTFd of the single components (see Annexes C and D of EN ISO 13849-1);
the DC (see Annex E of EN ISO 13849-1);
the CCF (see the score table in Annex F of EN ISO 13849-1).
If the PLs of all SRP/CS in the combination are known, the overall PL can be estimated according to Annex 4.
STEP 4: Evaluate the Performance Level PL (4.1 Category, MTTFd, DC and CCF)

From the safety-related block diagram we know the category 4 structure, the channels and the safety-related parts in each channel (SW1, XPS, CON1 in channel 1; SW2, XPS, CON2 in channel 2).
From the catalogue of the supplier we get the values of MTTFd or B10 for the selected devices.
The DC values are taken from Table E.1 in Annex E of EN ISO 13849-1.
The measures against CCF must be checked using Table F.1 in Annex F of EN ISO 13849-1. The example achieves a score of 80 points, above the 65 points the standard requires, which is OK.

Table 2a

Example SRP/CS | B10 (operations) | MTTFd (years) | DC
Interlocking switches SW1, SW2 | 10,000,000 | (to be calculated) | 99%
Safety module XPS (here XPSAK) | - | 72.2 | 99%
Contactors CON1, CON2 | 1,000,000 | (to be calculated) | 99%
STEP 4: Evaluate the Performance Level PL (4.2 The MTTFd of single components)

With the formulae from Annex 3 we calculate the MTTFd for the interlocking switches and the contactors. The operation of the example machine is specified by the following data:
the mean time between two cycles is 90 s,
the machine is used on 220 days per year, 8 hours per day,
so that nop = 220 * 8 * 3600 s / 90 s = 70,400 operations per year (see Annex 3).
MTTFd = B10d / (0.1 * nop), with B10d = 2 * B10
The MTTFd values of the switches and contactors depend on the number of annual operations in the application; that is why the supplier can only provide the B10 or B10d values for the lifetime of the device.

Table 2b

Example SRP/CS | B10 (operations) | MTTFd (years) | DC
Interlocking switches SW1, SW2 | 10,000,000 | 2840 | 99%
Safety module XPS (XPSAK) | - | 72.2 | 99%
Contactors CON1, CON2 | 1,000,000 | 284 | 99%
STEP 4: Evaluate the Performance Level PL (4.3 The MTTFd of each channel)

With the formula of the parts count method (Annex D of EN ISO 13849-1) we calculate the MTTFd for the channels:

$$\frac{1}{\mathrm{MTTF_d}} = \sum_{i=1}^{N} \frac{1}{\mathrm{MTTF_{d,i}}}$$

Channel 1 consists of SW1 (MTTFd = 2840 y), XPS (MTTFd = 72.2 y) and CON1 (MTTFd = 284 y); channel 2 consists of SW2 (2840 y), XPS (72.2 y) and CON2 (284 y), so both channels give the same result:

$$\frac{1}{\mathrm{MTTF_{d,C1}}} = \frac{1}{\mathrm{MTTF_{d,C2}}} = \frac{1}{\mathrm{MTTF_{d,SW1,2}}} + \frac{1}{\mathrm{MTTF_{d,XPS}}} + \frac{1}{\mathrm{MTTF_{d,CON1,2}}} = \frac{1}{2840\ \mathrm{years}} + \frac{1}{72.2\ \mathrm{years}} + \frac{1}{284\ \mathrm{years}} = \frac{1}{56.4\ \mathrm{years}}$$

The MTTFd for each channel in the example is 56.4 years, which is "high" according to Table 1 in Annex 2.
STEP 4: Evaluate the Performance Level PL (4.4 The average DC, DCavg)

The diagnostic coverage is defined as the ratio between the detected dangerous failure rate and the total dangerous failure rate. Following this definition, an average diagnostic coverage DCavg over the components of a channel is estimated with the following formula (the terms are weighted by the failure rates 1/MTTFd of the components):

$$\mathrm{DC_{avg}} = \frac{\dfrac{DC_1}{\mathrm{MTTF_{d1}}} + \dfrac{DC_2}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{DC_N}{\mathrm{MTTF_{dN}}}}{\dfrac{1}{\mathrm{MTTF_{d1}}} + \dfrac{1}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{1}{\mathrm{MTTF_{dN}}}}$$

For our example (SW1/SW2: MTTFd = 2840 y, DC = 99%; XPS: MTTFd = 72.2 y, DC = 99%; CON1/CON2: MTTFd = 284 y, DC = 99%) we get, for each channel:

$$\mathrm{DC_{avg}} = \frac{\dfrac{0.99}{2840} + \dfrac{0.99}{72.2} + \dfrac{0.99}{284}}{\dfrac{1}{2840} + \dfrac{1}{72.2} + \dfrac{1}{284}} = 99\%$$

The DCavg in the example is 99%, which is "high" according to Table 2 in Annex 2.
STEP 5: Verify the achieved PL

We put the data for the example SRP/CS, MTTFd of each channel = high, DCavg = 99% (high) and category 4, into the graph below in order to find the achieved performance level for our safety function.
The graph shows that the achieved PL = e, which is greater than or equal to the PLr = e from Step 2.

Figure: Performance Level as a function of category, DCavg and MTTFd of each channel (simplified procedure of EN ISO 13849-1).
Columns: Cat. B, DCavg = none; Cat. 1, DCavg = none; Cat. 2, DCavg = low; Cat. 2, DCavg = medium; Cat. 3, DCavg = low; Cat. 3, DCavg = medium; Cat. 4, DCavg = high.
Bars within each column: MTTFd of each channel = low, medium, high.
Left axis: Performance Level a to e. Right axis: Safety Integrity Level (PL b and c correspond to SIL 1, PL d to SIL 2, PL e to SIL 3).
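The arithmetic of steps 4.2 to 4.4 and the look-up of step 5, carried through in Python as an added example; this is not code from the original slides. It uses the component data of Tables 2a/2b and the machine data of step 4.2. The PL look-up table is the simplified procedure of EN ISO 13849-1 (the bar chart above in tabular form); the function and variable names, and the treatment of combinations the chart does not cover (returned as None), are my own.

```python
"""PL estimation per EN ISO 13849-1 (simplified procedure), worked for the slide example.

Added example: reproduces nop, MTTFd per component and per channel, DCavg and the
PL look-up so the numbers can be re-run with other machine or component data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Component:
    name: str
    dc: float                            # diagnostic coverage, 0..1
    mttfd_years: Optional[float] = None  # given by the supplier (e.g. safety module) ...
    b10: Optional[float] = None          # ... or derived from B10 (electromechanical parts)
    b10d: Optional[float] = None         # B10d, if the supplier states the dangerous fraction


def annual_operations(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """nop = d_op * h_op * 3600 s/h / t_cycle (Annex 3 of the slides)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10(nop: float, b10: Optional[float] = None, b10d: Optional[float] = None) -> float:
    """MTTFd = B10d / (0.1 * nop); B10d = 2 * B10 when the dangerous fraction is unknown."""
    if b10d is None:
        if b10 is None:
            raise ValueError("either B10 or B10d is required")
        b10d = 2.0 * b10
    return b10d / (0.1 * nop)


def component_mttfd(c: Component, nop: float) -> float:
    return c.mttfd_years if c.mttfd_years is not None else mttfd_from_b10(nop, c.b10, c.b10d)


def channel_mttfd(mttfds) -> float:
    """Parts count method: 1/MTTFd,C = sum(1/MTTFd,i). The standard caps the result at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m in mttfds))


def dc_avg(pairs) -> float:
    """DCavg = sum(DCi/MTTFdi) / sum(1/MTTFdi); rounded so 0.99 does not fall below the 99% boundary
    through floating-point noise."""
    num = sum(dc / m for dc, m in pairs)
    den = sum(1.0 / m for _, m in pairs)
    return round(num / den, 6)


def mttfd_class(m: float) -> str:
    if m < 3.0:
        return "below 3 years"  # outside the ranges of the standard
    return "low" if m < 10.0 else "medium" if m < 30.0 else "high"


def dc_class(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


# Simplified procedure of EN ISO 13849-1 (tabular form of the bar chart of step 5).
# (category, DCavg class) -> PL for MTTFd of each channel = low / medium / high; None = not covered.
PL_TABLE = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}


def performance_level(category: str, dcavg: float, mttfd_channel: float) -> Optional[str]:
    """Return the achieved PL, or None where the combination is not covered (e.g. Cat. 4 with DCavg
    below 'high' is not a valid category 4 structure)."""
    mc = mttfd_class(mttfd_channel)
    if mc == "below 3 years":
        return None
    row = PL_TABLE.get((category, dc_class(dcavg)))
    return None if row is None else row[("low", "medium", "high").index(mc)]


def estimate_example(d_op: float = 220, h_op: float = 8, t_cycle_s: float = 90) -> dict:
    """Channel 1 of the slide example (channel 2 is identical): SW1, XPS, CON1 in category 4."""
    nop = annual_operations(d_op, h_op, t_cycle_s)
    channel = [Component("SW1", 0.99, b10=10_000_000),
               Component("XPS", 0.99, mttfd_years=72.2),
               Component("CON1", 0.99, b10=1_000_000)]
    mttfds = [component_mttfd(c, nop) for c in channel]
    m_ch = channel_mttfd(mttfds)
    dca = dc_avg([(c.dc, m) for c, m in zip(channel, mttfds)])
    return {"nop": nop,
            "mttfd_components": {c.name: m for c, m in zip(channel, mttfds)},
            "mttfd_channel": m_ch, "mttfd_class": mttfd_class(m_ch),
            "dcavg": dca, "dc_class": dc_class(dca),
            "pl": performance_level("4", dca, m_ch)}


if __name__ == "__main__":
    for key, value in estimate_example().items():
        print(f"{key}: {value}")
```

Two details worth noting when reusing this: the channel MTTFd is limited to 100 years as the standard requires, so a very reliable channel cannot lift a weak structure above what its category and DCavg allow, and the look-up deliberately returns None rather than a guess for combinations the simplified chart does not cover, which is the point at which a designer must either change the structure or fall back to the full Annex K calculation of EN ISO 13849-1.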
STEP 6: Validation

The design of the SRP/CS shall be validated.
The validation shall demonstrate that the combination of SRP/CS providing each safety function meets all the relevant requirements of EN ISO 13849-1.
The details of the validation can be found in EN ISO 13849-2.
Annex 1: Risk graph

EN ISO 13849-1 refers to ISO 14121 (EN 1050) regarding the risk assessment. The safety requirements for a control system contributing to the reduction of risk can be determined with the risk graph from Annex A of EN ISO 13849-1:

S = Severity of injury: S1 = slight (normally reversible) injury; S2 = serious (normally irreversible) injury, including death
F = Frequency and/or exposure time to the hazard: F1 = seldom to less often and/or the exposure time is short; F2 = frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm: P1 = possible under specific conditions; P2 = scarcely possible

Figure: risk graph. Starting point for the evaluation of the contribution to the risk reduction of a safety function; the branches S, F and P lead to the required performance level PLr, from a (low contribution to risk reduction) to e (high contribution to risk reduction):

S1, F1, P1 -> PLr = a
S1, F1, P2 -> PLr = b
S1, F2, P1 -> PLr = b
S1, F2, P2 -> PLr = c
S2, F1, P1 -> PLr = c
S2, F1, P2 -> PLr = d
S2, F2, P1 -> PLr = d
S2, F2, P2 -> PLr = e
Annex 2: Category, structure and behaviour

Category B: When a fault occurs it can lead to the loss of the safety function.
Category 1: When a fault occurs it can lead to the loss of the safety function, but the MTTFd of each channel in category 1 is higher than in category B. Consequently the loss of the safety function is less likely.
Category 2: The system behaviour of category 2 allows that the occurrence of a fault can lead to the loss of the safety function between the checks; the loss of the safety function is detected by the check.
Category 3: SRP/CS of category 3 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function. Whenever reasonably possible the single fault shall be detected at or before the next demand upon the safety function.
Category 4: SRP/CS of category 4 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function, and the single fault is detected at or before the next demand upon the safety function, e.g. immediately, at switch-on, or at the end of a machine operation cycle. If this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.

Figure: designated architectures (im = interconnecting means, m = monitoring).
Category B and 1: Input -> Logic -> Output (single channel).
Category 2: Input -> Logic -> Output, with Test equipment monitoring the channel and a Test output.
Category 3 and 4: Input 1 -> Logic 1 -> Output 1 and Input 2 -> Logic 2 -> Output 2 (two channels) with monitoring of the outputs and cross monitoring between the logic blocks.
Annex 2: Mean Time To dangerous Failure (MTTFd)

The value of MTTFd of each channel is given in three levels and shall be taken into account for each channel (e.g. a single channel, or each channel of a redundant system) individually.
For the estimation of the MTTFd of a component the hierarchical procedure to find data shall be:
1. use the manufacturer's data;
2. use the methods of Annexes C and D of EN ISO 13849-1;
3. choose 10 years.

Table 1

Denotation of mean time to dangerous failure | Range of MTTFd
low | 3 years <= MTTFd < 10 years
medium | 10 years <= MTTFd < 30 years
high | 30 years <= MTTFd <= 100 years (values above 100 years are limited to 100 years)
Annex 2: Diagnostic Coverage (DC)

The value of the diagnostic coverage (DC) is given in four levels.
For the estimation of the DC, in most cases Failure Mode and Effects Analysis (FMEA) or similar methods can be used.
Examples of DC for functions and modules can be found in Annex E of EN ISO 13849-1.

Table 2

Denotation of diagnostic coverage | Range of DC
none | DC < 60%
low | 60% <= DC < 90%
medium | 90% <= DC < 99%
high | 99% <= DC
Annex 2: Common Cause Failure (CCF)

Common cause failures (CCF) shall also be taken into account (see Annex F of EN ISO 13849-1): the measures applied are scored with Table F.1, and a total score of at least 65 points is required.
In categories B and 1 common cause failures are not relevant, because there is only one channel.
Examples of measures against CCF:
separation;
diversity;
prevention of contamination, and electromagnetic compatibility (EMC).
Annex 3: MTTFd calculation for components from the B10

For electromechanical, mechanical, pneumatic or hydraulic devices the supplier should normally provide the MTTFd or the B10d value (mean number of cycles until ten percent of the components fail dangerously).
Where this data is not available, the MTTFd may have to be calculated from the B10:
If the dangerous fraction of B10 is not given, 50% of the failures may be assumed to be dangerous, so B10d = 2 * B10 is recommended.
With B10d and the mean number of annual operations (nop) the MTTFd for components can be calculated as: MTTFd = B10d / (0.1 * nop).
nop can be calculated as: nop = (dop * hop * 3600 s/h) / tcycle,
where
dop = mean operation days per year,
hop = mean operation hours per day,
tcycle = mean time between the beginning of two successive cycles (in seconds).
Annex 4: The overall PL for a combination of SRP/CS

If the PL of each SRP/CS in a combination is known, the full calculation of the overall performance level achieved can be avoided.
For a serial alignment of SRP/CS the following estimation is given:
1. Identify the lowest PL, PLlow.
2. Identify the number Nlow <= N of SRP/CS with PLlow.
3. Look up the PL in the following table.

Example: SRP/CS1 with PL1 = d, SRP/CS2 with PL2 = e, SRP/CS3 with PL3 = d:
-> PLlow = d
-> Nlow = 2
-> PL = d

PLlow | Nlow | => PL
a | > 3 | none, not allowed
a | <= 3 | a
b | > 2 | a
b | <= 2 | b
c | > 2 | b
c | <= 2 | c
d | > 3 | c
d | <= 3 | d
e | > 3 | d
e | <= 3 | e
Glossary

Safety-Related Parts of Control Systems (SRP/CS): A part of a control system that responds to safety-related input signals and generates safety-related output signals.
Category: The classification of the safety-related parts of a control system with respect to their resistance to faults and their behaviour in the fault condition, which is achieved by the structural arrangement of the parts, fault detection and/or their reliability.
Performance Level (PL): The ability of safety-related parts to perform a safety function under foreseeable conditions in order to achieve the expected risk reduction. The performance level is indicated in five discrete levels from a to e, each corresponding to a range of the average probability of a dangerous failure per hour.
Safety Integrity Level (SIL): One of three possible discrete levels for specifying the safety integrity requirements to be allocated to the safety-related electrical control system (SRECS), where SIL 3 has the highest level of safety integrity for machinery and SIL 1 the lowest.
Mean Time To dangerous Failure (MTTFd): Expectation of the mean time to dangerous failure.
Diagnostic Coverage (DC): A measure of the effectiveness of diagnostics, determined as the ratio between the rate of detected dangerous failures ($\lambda_{DD}$) and the rate of all dangerous failures ($\lambda_D$): $DC = \sum \lambda_{DD} / \sum \lambda_D$.
Common Cause Failure (CCF): The CCF factor $\beta$ is a measure for a failure which is the result of one or more events causing coincident failures of two or more separate channels in a multiple-channel (redundant) subsystem, leading to the failure of a safety function.
Risk: Combination of the probability of occurrence of a harm and the severity of that harm.
Risk assessment: Overall process comprising risk analysis and risk evaluation.
Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation.
Risk evaluation: Judgement, on the basis of the risk analysis, of whether the risk reduction objectives have been achieved.
Low complexity component: A component in which the failure modes are well defined and the behaviour under fault conditions can be completely defined.
Complex component: A component in which the failure modes are not well defined, or the behaviour under fault conditions cannot be completely defined.