
PL estimation acc. to EN ISO 13849-1 Example calculation for an application

MAC Safety / Armin Wenigenrath, January 2007


MAC – A.Wenigenrath – JAN 2007 - EN 2

Select the suitable standard for your application

Reminder: the standards and the technologies

Table 1: Which standard covers which technology implementing the safety-related control function(s)

  Technology implementing the safety-related control function(s) | EN ISO 13849-1 | EN IEC 62061
  A  Non-electrical, e.g. hydraulics | X | Not covered
  B  Electromechanical, e.g. relays, or non-complex electronics | Restricted to designated architectures (see Note 1) and up to PL = e | All architectures and up to SIL 3
  C  Complex electronics, e.g. programmable | Restricted to designated architectures (see Note 1) and up to PL = d | All architectures and up to SIL 3
  D  A combined with B | Restricted to designated architectures (see Note 1) and up to PL = e | X, see Note 3
  E  C combined with B | Restricted to designated architectures (see Note 1) and up to PL = d | All architectures and up to SIL 3
  F  C combined with A, or C combined with A and B | X, see Note 2 | X, see Note 3

"X" indicates that this item is dealt with by this standard.

NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1 to give a simplified approach for the quantification of the performance level.

NOTE 2 For complex electronics: use designated architectures according to EN ISO 13849-1 up to PL = d, or any architecture according to EN IEC 62061.

NOTE 3 For non-electrical technology use parts according to EN ISO 13849-1 as subsystems.


The 6 Steps to Safety with EN ISO 13849-1

STEP 1: Risk assessment and basic structure of the Safety-Related Parts of a Control System (SRP/CS) implementing a safety function.

STEP 2: Determine the required Performance Level PLr for the safety function.

STEP 3: Identify the combination of safety-related parts which carry out the safety function.

STEP 4: Evaluate the Performance Level PL for all safety-related parts.

STEP 5: Verify that the PL of the SRP/CS for the safety function is greater than or equal to the PLr.

STEP 6: Validate that all requirements are met.


STEP 1: Risk Assessment and basic structure of the safety chain

We take as example the safety function which disconnects a motor when the safety guard is open. From the risk assessment (see Annex 1) we get the safety requirements for this structure: it needs to achieve PL e in order to provide the necessary risk reduction (see Annex 2). The diagram shows the combination of safety-related parts of control systems processing a typical safety function.

A safety function may be implemented by one or more Safety-Related Parts of a Control System (SRP/CS), and several safety functions may share one or more SRP/CS, e.g.:

  Input (SRP/CSa)
  Logic / processing (SRP/CSb)
  Output / power control elements (SRP/CSc)
  Interconnecting means (iab, ibc)

Block diagram of the safety chain (figure rendered as text):

  Initiation event → SRP/CSa (INPUT) –iab→ SRP/CSb (LOGIC) –ibc→ SRP/CSc (OUTPUT) → Machine actuator, e.g. motor brakes

  SRP/CS ⇨ PLr = e


STEP 2: Determine the required Performance Level

In this example the safety function is the disconnection of a motor when the safety guard is open. Without the guard the possible harm is to lose an arm:

  S = Severity of injury → S2 (serious, normally irreversible injury, including death)
  F = Frequency and/or exposure time to the hazard → F2 (frequent to continuous and/or the exposure time is long)
  P = Possibility of avoiding the hazard or limiting the harm → P2 (scarcely possible)

With the answers S2, F2 and P2 the risk graph (see Annex 1) leads along the path S2 → F2 → P2 to the required performance level PLr = e, i.e. the highest contribution to risk reduction.

Parameters of the risk graph:

  S = Severity of injury
    S1 = Slight (normally reversible) injury
    S2 = Serious (normally irreversible) injury, including death
  F = Frequency and/or exposure time to the hazard
    F1 = Seldom to less often and/or the exposure time is short
    F2 = Frequent to continuous and/or the exposure time is long
  P = Possibility of avoiding the hazard or limiting the harm
    P1 = Possible under specific conditions
    P2 = Scarcely possible

The starting point of the graph is the evaluation of the contribution to the risk reduction of the safety function; the result is the required Performance Level (PLr) from a (low contribution to risk reduction) to e (high contribution to risk reduction).


STEP 3: Identify the safety-related parts

All parts which carry out the safety function must be identified. In our example we use a redundant structure with 2 inputs, 2 logic channels and 2 outputs switching the power. Each block in the diagram represents one hardware device implementing the safety function:

  INPUT (SRP/CSa)                 LOGIC (SRP/CSb)            OUTPUT (SRP/CSc)
  Interlocking Switch 1 (SW1) → I1 → Safety Module XPS, L1 → O1 → Contactor 1 (CON1)
  Interlocking Switch 2 (SW2) → I2 → Safety Module XPS, L2 → O2 → Contactor 2 (CON2)

In this example the two channels provide redundancy; the Safety Module provides the logic solving and the diagnostics for both channels. Both channels of the SRP/CS are equal.


STEP 4: Evaluate the Performance Level PL

For each selected SRP/CS and/or for the combination of SRP/CS that performs the safety function, the PL shall be estimated.

The PL of the SRP/CS is determined by estimating the following parameters (see Annex 2):

  the CATEGORY (structure) (see Clause 6 of EN ISO 13849-1),
  the MTTFd of the single components (see Annexes C and D of EN ISO 13849-1),
  the DC (see Annex E of EN ISO 13849-1),
  the CCF (see the score table in Annex F of EN ISO 13849-1).

(If the PLs of all SRP/CS in the combination are known, you can estimate the overall PL according to Annex 4.)


STEP 4: Evaluate the Performance Level PL, 4.1 Category, MTTFd, DC and CCF

From the safety-related block diagram we know the category 4 structure, the channels and the safety-related parts in each channel (CON1, CON2, SW1, SW2, XPS).

From the catalogue of the supplier we get the values of MTTFd or B10 for the selected devices.

The DC values we take from Table E.1 in Annex E of EN ISO 13849-1.

The measures against CCF must be checked using Table F.1 in Annex F of EN ISO 13849-1. The score for the example achieves 80 points, which is OK (Annex F requires a total of at least 65 points).

Table 2a: Supplier data for the example SRP/CS (the MTTFd of the switches and contactors is still to be calculated from B10)

  Example SRP/CS | B10 (operations) | MTTFd (years) | DC
  Interlocking Switches SW1, SW2 | 10.000.000 | – | 99 %
  Safety Module XPS (here XPSAK) | – | 72,2 | 99 %
  Contactors CON1, CON2 | 1.000.000 | – | 99 %


STEP 4: Evaluate the Performance Level PL, 4.2 The MTTFd of single components

With the formulae from Annex 3 we calculate the MTTFd for the interlocking switches and the contactors. The operation of the example machine is specified with the following data:

  the mean time between two cycles is 90 s,
  the machine is used on 220 days per year, 8 hours per day,

so that nop = 220 · 8 · 3600 s/h / 90 s = 70400 operations per year (see Annex 3).

MTTFd = B10d / (0,1 · nop), with B10d = 2 · B10

For the switches: B10d = 20.000.000, MTTFd = 20.000.000 / (0,1 · 70400) ≈ 2840 years; for the contactors: B10d = 2.000.000, MTTFd ≈ 284 years.

The MTTFd values calculated here depend on the number of annual operations in the application; that is why the supplier can only provide the B10 or B10d values for the lifetime, not a MTTFd.

Table 2b: Example SRP/CS with the calculated MTTFd values

  Example SRP/CS | B10 (operations) | MTTFd (years) | DC
  Interlocking Switches SW1, SW2 | 10.000.000 | 2840 | 99 %
  Safety Module XPS (XPSAK) | – | 72,2 | 99 %
  Contactors CON1, CON2 | 1.000.000 | 284 | 99 %


STEP 4: Evaluate the Performance Level PL, 4.3 The MTTFd of each channel

With the formula of the parts count method we calculate the MTTFd for the channels. Channel 1 consists of SW1 (MTTFd = 2840 y), XPS (MTTFd = 72,2 y) and CON1 (MTTFd = 284 y); channel 2 of SW2 (2840 y), XPS (72,2 y) and CON2 (284 y):

$$\frac{1}{\mathrm{MTTF_d}} = \sum_{i=1}^{N} \frac{1}{\mathrm{MTTF_{d,i}}}$$

$$\frac{1}{\mathrm{MTTF_{d,C1}}} = \frac{1}{\mathrm{MTTF_{d,C2}}} = \frac{1}{\mathrm{MTTF_{d,SW1,2}}} + \frac{1}{\mathrm{MTTF_{d,XPS}}} + \frac{1}{\mathrm{MTTF_{d,CON1,2}}} = \frac{1}{2840\ \mathrm{years}} + \frac{1}{72{,}2\ \mathrm{years}} + \frac{1}{284\ \mathrm{years}} \approx \frac{1}{56{,}4\ \mathrm{years}}$$

The MTTFd for each channel in the example is 56,4 years, which is "high" according to Table 1 in Annex 2. Note that the total is dominated by the smallest term (the safety module with 72,2 years); the switches and contactors hardly contribute.


STEP 4: Evaluate the Performance Level PL, 4.4 The average DC (DCavg)

The diagnostic coverage is defined as the ratio between the detected dangerous failure rate and the failure rate of the total dangerous failures. According to this definition an average diagnostic coverage DCavg is estimated with the following formula:

$$\mathrm{DC_{avg}} = \frac{\dfrac{DC_1}{\mathrm{MTTF_{d1}}} + \dfrac{DC_2}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{DC_N}{\mathrm{MTTF_{dN}}}}{\dfrac{1}{\mathrm{MTTF_{d1}}} + \dfrac{1}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{1}{\mathrm{MTTF_{dN}}}}$$

For our example (per channel: SW with MTTFd = 2840 y and DC = 99 %, XPS with MTTFd = 72,2 y and DC = 99 %, CON with MTTFd = 284 y and DC = 99 %) we get:

$$\mathrm{DC_{avg}} = \frac{\dfrac{0{,}99}{2840} + \dfrac{0{,}99}{72{,}2} + \dfrac{0{,}99}{284}}{\dfrac{1}{2840} + \dfrac{1}{72{,}2} + \dfrac{1}{284}} = 99\,\%$$

The DCavg in the example is 99 %, which is "high" according to Table 2 in Annex 2. (Because every part has the same DC, the weighting by 1/MTTFd changes nothing here; with mixed DC values the part with the lowest MTTFd dominates the average.)


STEP 5: Verify the achieved PL

We put the data for the example SRP/CS with MTTFd = high, DCavg = 99 % and category 4 in the graph below in order to find the achieved performance level for our safety function:

The graph shows that the achieved PL = e.

The bar chart of EN ISO 13849-1 (category and DCavg on the horizontal axis, MTTFd of each channel as low/medium/high, Performance Level and Safety Integrity Level on the vertical axis) corresponds to the following table; "–" marks a combination the standard does not cover:

  Category / DCavg | MTTFd of each channel = low | medium | high
  Cat. B, DCavg = none | a | b | b
  Cat. 1, DCavg = none | – | – | c
  Cat. 2, DCavg = low | a | b | c
  Cat. 2, DCavg = medium | b | c | d
  Cat. 3, DCavg = low | b | c | d
  Cat. 3, DCavg = medium | c | d | d
  Cat. 4, DCavg = high | – | – | e

Relation between Performance Level and Safety Integrity Level on the vertical axis: PL a has no SIL equivalent, PL b and c correspond to SIL 1, PL d to SIL 2, PL e to SIL 3.
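The whole procedure of Steps 2, 4 and 5 carried through in code, as an added example that is not part of the original presentation: the risk graph, the B10-to-MTTFd conversion of Annex 3, the parts-count MTTFd per channel, DCavg, the classification of Annex 2 and the simplified PL table. The function names are my own; the cell values of the PL table, the 100-year cap on MTTFd per channel and the 65-point CCF threshold are taken from EN ISO 13849-1:2006, which the slides only cite. The numbers of Tables 2a/2b are reproduced as a check.

```python
"""PL estimation for the guard-interlock example, EN ISO 13849-1:2006 simplified
procedure. Added example, not from the original slides: risk graph -> PLr,
B10 -> MTTFd, parts count per channel, DCavg, PL table look-up, PL >= PLr check."""

# Risk graph (Annex 1): (S, F, P) path -> required performance level PLr.
RISK_GRAPH = {(1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
              (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e"}

# Simplified PL table (Step 5 graph): (category, DCavg class) ->
# PL for MTTFd of each channel = (low, medium, high); None = not allowed.
PL_TABLE = {("B", "none"): ("a", "b", "b"),   ("1", "none"): (None, None, "c"),
            ("2", "low"): ("a", "b", "c"),    ("2", "medium"): ("b", "c", "d"),
            ("3", "low"): ("b", "c", "d"),    ("3", "medium"): ("c", "d", "d"),
            ("4", "high"): (None, None, "e")}

PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}  # PL a has no SIL
CCF_MIN_SCORE = 65        # Annex F: the CCF score must reach 65 points
MTTFD_CAP_YEARS = 100.0   # Annex 2, Table 1: MTTFd of each channel is capped here


def pl_required(s, f, p):
    """Walk the risk graph with S, F, P each 1 or 2."""
    return RISK_GRAPH[(s, f, p)]


def n_op(d_op, h_op, t_cycle_s):
    """Annex 3: mean number of operations per year."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10(b10, nop, dangerous_fraction=0.5):
    """Annex 3: B10d = B10 / dangerous fraction (50 % -> 2*B10);
    MTTFd = B10d / (0.1 * nop), in years."""
    return (b10 / dangerous_fraction) / (0.1 * nop)


def channel_mttfd(mttfd_parts):
    """Parts-count method: 1/MTTFd,C = sum of 1/MTTFd,i over the channel."""
    return 1.0 / sum(1.0 / m for m in mttfd_parts)


def dc_avg(parts):
    """(MTTFd, DC) pairs -> sum(DC_i/MTTFd_i) / sum(1/MTTFd_i); rounded so
    float noise cannot push an exact 99 % below the 'high' boundary."""
    return round(sum(dc / m for m, dc in parts) / sum(1.0 / m for m, _ in parts), 6)


def mttfd_class(mttfd_channel):
    """Annex 2, Table 1; a channel below 3 years is not acceptable (None)."""
    m = min(mttfd_channel, MTTFD_CAP_YEARS)
    return None if m < 3 else "low" if m < 10 else "medium" if m < 30 else "high"


def dc_class(dc):
    """Annex 2, Table 2."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def pl_achieved(category, mttfd_channel, dcavg, ccf_score=None):
    """PL table look-up; None where the combination is not allowed, including
    a failed CCF score (relevant for categories 2, 3 and 4 only)."""
    if category in ("2", "3", "4") and ccf_score is not None and ccf_score < CCF_MIN_SCORE:
        return None
    m_cls = mttfd_class(mttfd_channel)
    row = PL_TABLE.get((category, dc_class(dcavg)))
    if m_cls is None or row is None:
        return None
    return row[("low", "medium", "high").index(m_cls)]


def worked_example():
    """Re-derive the numbers of Steps 2, 4 and 5 for the example machine."""
    plr = pl_required(2, 2, 2)                     # S2, F2, P2 -> PLr = e
    nop = n_op(220, 8, 90)                         # 70400 operations per year
    m_sw = mttfd_from_b10(10_000_000, nop)         # about 2840 years
    m_con = mttfd_from_b10(1_000_000, nop)         # about 284 years
    m_xps = 72.2                                   # manufacturer's data
    m_ch = channel_mttfd([m_sw, m_xps, m_con])     # about 56,4 years -> "high"
    dc = dc_avg([(m_sw, 0.99), (m_xps, 0.99), (m_con, 0.99)])  # 99 % -> "high"
    pl = pl_achieved("4", m_ch, dc, ccf_score=80)  # category 4, CCF score 80
    return {"PLr": plr, "nop": nop, "MTTFd_SW": m_sw, "MTTFd_CON": m_con,
            "MTTFd_channel": m_ch, "DCavg": dc, "PL": pl, "SIL": PL_TO_SIL.get(pl),
            "PL_ok": pl is not None and pl >= plr}   # PL letters order a < e


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:14} {value}")
```

Two details worth noticing when reusing this: the classification uses the capped channel MTTFd, so a channel of 2840 years still only counts as "high", and `pl_achieved` returns None rather than a PL for combinations the table does not cover (category 1 with a low MTTFd, category 4 with a medium MTTFd, a CCF score under 65), which is the case a spreadsheet silently gets wrong.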


STEP 6: Validation

The design of the SRP/CS shall be validated.

The validation shall demonstrate that the combination of SRP/CS providing each safety function meets all the relevant requirements of EN ISO 13849-1.

The details of validation can be found in EN ISO 13849-2.


Annex 1: Risk Graph

EN ISO 13849-1 refers to ISO 14121 (EN 1050) regarding the risk assessment. The safety requirements for a control system contributing to the reduction of risk can be determined with the risk graph from Annex A of EN ISO 13849-1:

  S = Severity of injury
    S1 = Slight (normally reversible) injury
    S2 = Serious (normally irreversible) injury, including death
  F = Frequency and/or exposure time to the hazard
    F1 = Seldom to less often and/or the exposure time is short
    F2 = Frequent to continuous and/or the exposure time is long
  P = Possibility of avoiding the hazard or limiting the harm
    P1 = Possible under specific conditions
    P2 = Scarcely possible

The starting point is the evaluation of the contribution to the risk reduction of a safety function; the branches S → F → P lead to the required Performance Level (PLr), from a (low contribution to risk reduction) to e (high contribution to risk reduction). Rendered as a table, the graph reads:

  S1, F1, P1 → PLr = a
  S1, F1, P2 → PLr = b
  S1, F2, P1 → PLr = b
  S1, F2, P2 → PLr = c
  S2, F1, P1 → PLr = c
  S2, F1, P2 → PLr = d
  S2, F2, P1 → PLr = d
  S2, F2, P2 → PLr = e


Annex 2: Category, structure and behaviour

Category B: When a fault occurs it can lead to the loss of the safety function.

Category 1: When a fault occurs it can lead to the loss of the safety function, but the MTTFd of each channel in category 1 is higher than in category B. Consequently the loss of the safety function is less likely.

Category 2: The category 2 system behaviour allows that the occurrence of a fault can lead to the loss of the safety function between the checks; the loss of the safety function is detected by the check.

Category 3: SRP/CS of category 3 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function. Whenever reasonably practicable the single fault shall be detected at or before the next demand upon the safety function.

Category 4: SRP/CS of category 4 shall be designed so that a single fault in any of these safety-related parts does not lead to the loss of the safety function, and the single fault is detected at or before the next demand upon the safety function, e.g. immediately, at switch-on, or at the end of a machine operation cycle. If this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.

Designated architectures (figures rendered as text; im = interconnecting means, m = monitoring):

  Category B and 1: Input –im→ Logic –im→ Output (one channel, no test)
  Category 2: Input –im→ Logic –im→ Output, plus Test equipment checking the Logic and driving a Test output
  Category 3 and 4: Input 1 –im→ Logic 1 –im→ Output 1 and Input 2 –im→ Logic 2 –im→ Output 2, with monitoring (m) of the outputs and cross monitoring between Logic 1 and Logic 2


Annex 2: Mean Time to dangerous Failure (MTTFd)

The value of MTTFd of each channel is given in three levels and shall be taken into account for each channel (e.g. single channel, each channel of a redundant system) individually.

For the estimation of MTTFd of a component the hierarchical procedure to find data shall be:

  1. use the manufacturer's data;
  2. use the methods of Annexes C and D of EN ISO 13849-1;
  3. choose 10 years.

Table 1: Denotation of mean time to dangerous failure

  Denotation of MTTFd of each channel | Range of MTTFd
  low | 3 years ≤ MTTFd < 10 years
  medium | 10 years ≤ MTTFd < 30 years
  high | 30 years ≤ MTTFd < 100 years

Values below 3 years are not acceptable; values above 100 years are limited to 100 years for the estimation of the PL.


Annex 2: Diagnostic Coverage (DC)

The value of the diagnostic coverage (DC) is given in four levels.

For the estimation of DC, in most cases Failure Mode and Effects Analysis (FMEA) or similar methods can be used.

Examples of DC for functions and modules can be found in Annex E of EN ISO 13849-1.

Table 2: Denotation of diagnostic coverage

  Denotation of DC | Range of DC
  none | DC < 60 %
  low | 60 % ≤ DC < 90 %
  medium | 90 % ≤ DC < 99 %
  high | 99 % ≤ DC


Annex 2: Common Cause Failure (CCF)

The common cause failures (CCF) shall also be taken into account (see Annex F of EN ISO 13849-1); the score table of Annex F must reach at least 65 points.

In categories B and 1 the common cause failures (CCF) are not relevant.

Examples of measures against CCF:

  separation,
  diversity,
  prevention of contamination and electromagnetic compatibility (EMC).


Annex 3: MTTFd calculation for components from the B10

For electromechanical, mechanical, pneumatic or hydraulic devices the supplier should normally provide the MTTFd or the B10d values (mean number of cycles until ten percent of the components fail dangerously).

Where this data is not available the calculation of the MTTFd from the B10 may be necessary.

If the dangerous fraction of B10 is not given, 50 % of B10 may be used, so B10d = 2 · B10 is recommended.

With B10d and the mean number of annual operations (nop) the MTTFd for components can be calculated as: MTTFd = B10d / (0,1 · nop).

nop can be calculated as: nop = (dop · hop · 3600 s/h) / tcycle,

where

  dop = mean operating days per year,
  hop = mean operating hours per day,
  tcycle = mean time between the beginning of two successive cycles (in seconds).


Annex 4: The overall PL for a combination of SRP/CS

If the PLs of the individual SRP/CS in a combination are known, the more complex calculation of the overall performance level achieved can be avoided.

For a serial alignment of SRP/CS the following estimation is presented:

  1. Identify the lowest PL; this is PLlow.
  2. Identify the number Nlow ≤ N of SRP/CS with PLlow.
  3. Look up the PL in the following table.

Example: SRP/CS1 with PL1 = d, SRP/CS2 with PL2 = e, SRP/CS3 with PL3 = d in series:

  1. → PLlow = d
  2. → Nlow = 2
  3. → PL = d

  PLlow | Nlow | ⇒ PL
  a | > 3 | not allowed
  a | ≤ 3 | a
  b | > 2 | a
  b | ≤ 2 | b
  c | > 2 | b
  c | ≤ 2 | c
  d | > 3 | c
  d | ≤ 3 | d
  e | > 3 | d
  e | ≤ 3 | e
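The three-step estimation above, as an added example that is not part of the original presentation; the function name and the encoding of the table are mine, the table rows are the ones shown on the slide. It returns None for the one combination the slide marks as not allowed (more than three SRP/CS of PL a) instead of inventing a level.

```python
"""Annex 4: overall PL of SRP/CS arranged in series. Added example, not part of
the original slides; it encodes the slide's look-up table."""

# PLlow -> (N_max, PL when N_low <= N_max, PL when N_low > N_max);
# None means the combination is not allowed.
SERIES_TABLE = {
    "a": (3, "a", None),
    "b": (2, "b", "a"),
    "c": (2, "c", "b"),
    "d": (3, "d", "c"),
    "e": (3, "e", "d"),
}


def overall_pl(pls):
    """Return (PLlow, Nlow, PL) for SRP/CS with the given PLs in series."""
    if not pls:
        raise ValueError("at least one SRP/CS is required")
    unknown = [pl for pl in pls if pl not in SERIES_TABLE]
    if unknown:
        raise ValueError(f"unknown PL value(s): {unknown}")
    pl_low = min(pls)                 # step 1: lowest PL (letters a < b < ... < e)
    n_low = pls.count(pl_low)         # step 2: how many parts sit at that PL
    n_max, pl_same, pl_lower = SERIES_TABLE[pl_low]
    pl = pl_same if n_low <= n_max else pl_lower   # step 3: look-up
    return pl_low, n_low, pl


if __name__ == "__main__":
    # The slide's example: SRP/CS1 = d, SRP/CS2 = e, SRP/CS3 = d
    print(overall_pl(["d", "e", "d"]))   # ('d', 2, 'd')
```

Only the parts at PLlow are counted in Nlow; a long chain of PL e parts with one PL c part still ends at PL c, which is why a single weak input device sets the ceiling for the whole safety function.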


Glossary

Safety-Related Parts of Control Systems (SRP/CS): A part of a control system that responds to input signals and generates safety-related output signals.

Category: The classification of safety-related parts of a control system with respect to their resistance against faults and their behaviour in the fault condition, which is achieved by the structural arrangement of the parts, fault detection and/or their reliability.

Performance Level (PL): The ability of safety-related parts to perform a safety function under foreseeable conditions (which should be taken into account) to fulfil the expected risk reduction. The performance level is indicated in five possible discrete levels from a to e according to Table 1.

Safety Integrity Level (SIL): One of three possible discrete levels for specifying the safety integrity requirements to be allocated to the safety-related electrical control system (SRECS), where SIL 3 has the highest level of safety integrity for machinery and SIL 1 the lowest.

Mean Time To dangerous Failure (MTTFd): Expectation of the mean time to dangerous failure.

Diagnostic Coverage (DC): The DC is a measure for the effectiveness of diagnostics; it may be determined as the ratio between the rate of the detected dangerous failures (λDD) and the rate of total dangerous failures (λD): DC = Σ λDD / Σ λD.

Common Cause Failure (CCF): The CCF factor β is a measure for a failure which is the result of one or more events causing coincident failures of two or more separate channels in a multiple-channel (redundant architecture) subsystem, leading to failure of a safety function.


Risk: Combination of the probability of the occurrence of a harm and the severity of that harm.

Risk assessment: Overall process comprising risk analysis and risk evaluation.

Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation.

Risk evaluation: Judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved.

Low complexity component: A component in which the failure modes are well defined, and the behaviour under fault conditions can be completely defined.

Complex component: A component in which the failure modes are not well defined, or the behaviour under fault conditions cannot be completely defined.