ISO 13849-1,2 Safety of Machinery

Safety Related Parts of Control Systems – General principles for design

EN ISO 13849-1,2 are used as part of the systematic risk reduction described in ISO 12100 for the part concerning the design of the machine safety-related control system.

ISO 13849-1 is a Standard for designing the parts of the control system that implement the safety functions. It can be used for all types of machinery regardless of the type of technology used (electrical, hydraulic, pneumatic, etc.). These parts can be made up of hardware and / or software and can be separated from the machine control system or be an integral part of it.

ISO 13849-1 is applicable only if the safety function is demanded with a frequency higher than once a year (operation in High demand mode) or if it is demanded continuously (Continuous mode of operation) because the tables and formulas provided in the standard relate to these two modes of operation.

Examples of products that are commonly integrated into a safety-related control system are: relays, solenoid valves, position switches, configurable PLCs, safety modules, motor drives, two-hand control devices, pressure sensitive equipment, photoelectric barriers, laser scanner.

The parts of the machine control system that perform safety-related tasks are designated with the acronym SRP / CS (Safety Related Parts of Control System).

In addition to implementing safety functions, an SRP / CS can also provide operational functions, but only the parts that are safety-related fall within the scope of the standard

For the evaluation of the safety performance of an SRP / CS, the term PL (Performance Level) is used which specifies the ability of an SRP / CS to ensure adequate risk reduction within predefined operating conditions.

The performance level is measured on a 5-level scale, from PL a to PL e; each level is associated with a range of values of mean probability of dangerous failure (PFHD).
 
PL
Average probability of dangerous failure per hour (PFHD) 1/h
a ≥ 10-5 a < 10-4
b ≥ 3 x 10-6 a < 10-5
c ≥ 10-6 a < 3 x10-6
d ≥ 10-7 a < 10-6
e ≥ 10-8 a < 10-7
 
Fig. 5 – Table of ISO 13849 standard: Performance leves (PL)

Risk assessment and required Performance Level – PL r assignment

For each safety function identified, the designer must decide what is the contribution to risk reduction the safety function should provide.

This contribution does not cover the overall machine risk but only the part of risk related to the application of that particular safety function.

The parameter. that is used to estabilsh what is the amount of risk reduction that the safety function is required to provide is the PL r (Performance Level Required).

Parameter PL, instead, represents the Performance Level reached by the hardware implementing the safety function. PL of the hardware must be equal to or higher than specified PL r.

After deciding the necessary PL r, it is necessary to design a suitable SRP / CS, calculate the resulting PL of that piece of hardware and check if it is greater than or equal to the PL r.

To get the contribution to risk reduction that must be provided by the safety- related function a graph of decisions is used, leading to univocal identification of the PL r. If more than one safety-related function are identified, PL r shall be identified for each of them.

S:severity of injury
  • S1: Slight injury generally reversible
  • S2: Serious injury generally irreversible or died
F:frequency or time exposure to hazard
  • F1: From rare to short and or short exposure time
  • F2: From frequent to continuous and or long exposure time
P: avoidable risk or limitation of damage
(it depends on the speed of the event, the possibility of perception of danger and the possibility of escape) 
  • P1:avoidable within given conditions
  • P2: almost unavoidable

Fig. 6 – Graph of decisions for evaluation of the Pl r

 
 
Consideatrion on the S, F and P parameters

Considerations on the S parameter

It is necessary to make an assessment on the type of injuries that could result from a failure of the safety function. EN 13849-1 proposes only two possibilities:
  • S1 = slight injury
  • S2 = severe injury

Slight injuries are considered to be scratches, peeling, bruising, lacerations without complications. Amputations, loss of function of a limb, loss of an eye, death are considered serious injuries.

Considerations on parameter F

The distinction between F1 and F2 can be formulated as follows:
F2 is chosen if the frequency of exposure to the hazard is greater than once every 15 minutes.
F1 is chosen if the frequency of exposure to the hazard is not greater than once every 15 minutes and the accumulated exposure time does not exceed 1/20 of the overall operating time

Considerations on the probability of occurrence of the dangerous event

The probability of the occurrence of a dangerous event depends on both human behaviour and technical failures, it should be based on factors such as:
  • Reliability data of the control system
  • History of accidents on similar machines (with the same risk, same process, same operator action and same technology causing the hazard).

The probability of occurrence is always evaluated to be equal to 1 because in most cases, the correct probability is not known or is difficult to estimate.

If the probability of occurrence of a dangerous event can be judged low, the PL r can be reduced by one level.

Tree type graph of decisions for Plr value determination if (P) probability of a dangerous event occurring can be judged low

Fig. 7 – Graph of decisions for evaluation of the Pl r if (P) probability of occurrence of a dangerous event can be judged low

Overlapping of hazards

It is possible that the same person may be subjected to the simultaneous interaction of multiple hazards due, for example, to the presence of multiple dangerous movements of the machine that could potentially create harm.

If the evaluation of the probability of failure were made by taking into account all the hardware components of the overall safety related control system, very high PFHD values would soon be reached (even if components with very high MTTFD values were used) with consequent impossibility to stay within the required PL r.

Things get even more complicated if the individual risks require different PL r.

To overcome the problem it is allowed to separate the risks, if this is possible, and to assign to each of them a separate safety function.

The designer must analyse this possibility during the risk assessment process. First, the dangerous zone is identified, then all dangerous movements of the machine parts that are located in the same dangerous zone are identified, then all the operations carried out by the machine in the same zone are considered and which are the parts of the body that are subjected to risk.

If the analysis shows the possibility of separating the various dangerous movements, then a separate safety function is assigned to each dangerous movement and the relevant PL is calculated.

Example 1

In a working cell that involves several robots on different operations, the stopping function following the actuation of the light curtain can be evaluated individually for each robot.

For the example of the machining cell shown in the picture, the following safety functions can be identified:

  • SF1: The interruption of the safety curtain involves the stopping of all robot 1 drives
  • SF2: The interruption of the safety curtain involves the stopping of all the robot 2 drives
  • SF3: The interruption of the safety curtain involves the stopping of all robot 3 drives

Fig. 8 – Working cell involving multiple robots on different operations

The same consideration applies for example to a rotary table equipped with several clamping devices; the risk assessment can be done separately for each clamp.

Example 2

In a welding robot the operator is exposed simultaneously to the risk of crushing due to the movement of the robot head and to the risk of burning due to the tool mounted on the head. In this case the robot head and tool must be taken into account at the same time in the evaluation of the safety function.

Example 3

For a robot in learning mode it is possible to keep power to the robot when the entrance door of the cell is open, only if a local enabling device (hold-to-run control) is used and that the robot is operated at a reduced safety speed.

The probability of failure of all three devices (door interlock, hold-to-run and speed monitor) must therefore be included in the calculation of the PFHD because the dangerous failure of one of them immediately leads to a dangerous condition.

Identification of the safety function and design specification

To decide which safety functions are required, the intended use of the machine must be considered (including reasonably foreseeable misuse). For each safety function, a document must be drawn up in which at least the following specifications are detailed:

  • Result of the risk assessment for each hazard (PL r value)
  • Behaviour that is intended to be achieved or prevented with the safety function (e.g. when the guard is opened the machine performs a stop Cat.0)
  • Intended use of the machine and reasonably foreseeable misuse
  • Operation in emergency conditions
  • Safety function response time
  • Restart after a protective action (automatic or manual restart)
  • Actuation mode (related to a section or part of the machine)
  • Need to suspend the safety function (muting, banking)
  • By-pass mode of the safety function for repair, tuning, cleaning, troubleshooting, etc.
  • Description of connections between different safety function, if eny
  • Safety function actuation frequency
  • Priority of functions which, if active at the same time, can cause operating conflicts

To help the designer, the standard lists the main safety functions that are generally implemented in an SRP / CS and for some of them it provides the main safety requirements:

  • Safety related stop function started by a safety measure
  • Manual restart function
  • Start / Restart function
  • Local command function
  • Muting function
  • Hold-to-run control function
  • Enable device
  • Prevention of unexpected start-up
  • Escape and rescue of trapped people
  • Isolation function and energy dissipation
  • Command mode and enable mode
  • Emergency stop function

Safety-realted stop function

The stop function activated by the actuation of a protective device must bring the machine to a safe state in the shortest time possible.

The safety-related stop unction has priority over a stop for operational reasons.

When a group of machines work together, it is necessary to report to the supervisory control and / or to the other machines the existence of the safety stop.

After the actuation of a stop command by a protective device, the stop condition must be maintained until a safe condition exist for restarting

After a stop command by a protection device activation, the stop condition of the machine must be maintained until safe conditions exist for restarting.

Manual restart function

Reset command restarts the protective device and cancels the safety stop command. If established by the risk assessment, this cancellation must be confirmed through a manual, separate and deliberate action (manual reset).
The manual reset function:

  • It must be authorized through a separate device, included in the SRP / CS and operated manually
  • It must be enabled only if all protective devices are operational
  • The manual restart must not initiate a movement or a dangerous situation
  • It must take place through deliberate action
  • It must enable the control system to accept the start command
  • It must be enabled only when the machine actuator is in the OFF state

Muting function

Muting function must not expose people to dangerous situations. During Muting, the safety conditions must be guaranteed by other protection devices. At the end of Muting, all the safety functions of the SRP / CS must be reset automatically. The PL of the parts of the SRP / CS that perform the Muting function must not decrease the safety level of the protective device to which are connected.

Safety related parameters

When the deviation of parameters such as position, speed, temperature or pressure, beyond the set limits can cause safety problems, the control system must implement appropriate measures (for example, stopping, warning signal, alarm).

Fluctuations, loss and restoration of power sources

When fluctuations in power levels exceed the designed operating range, including loss of power, the SRP / CS must continue to provide or send output signals that allow other parts of the machine system to maintain a safe state.

E – Stop

The E-Stop is defined as a “complementary protection measure” (it is not a safety function).

It is used to reduce the risk of unreasonably foreseeable failure or accidents in parts of the machine, including failure of protective devices. Since it must be available in case of failure of the other protective devices, it is also advisable to consider it in EN ISO 13849-1.

It must be available and operational at all times and must bypass all other functions and operating modes of the machine (without compromising any structures designed for the escape of trapped peoples). Any start command
(voluntary, unintentional, or unexpected) must not have effect on those parts of the machine stopped by the E-stop command until the device is manually reset.

The PL r of the E-Stop function should be the same of the safety function with the highest PL r involved in the realisation of the SRP / CS.

Local control function

When a machine is locally controlled, e.g. by means of a portable control device it is necessary that:

  • The local control device selector must be located outside the danger zone
  • Local control must be active only in the part of the dangerous area identified by the risk analysis
  • The change from local control to main control must not create a dangerous situation

Response time

When, following the risk assessment, it is found that the response time of the SRP / CS can be decisive for safety purposes, its response time must be added to the response time of the other devices of the safety loop in order to get the overall response time of the machine.

The overall response time required for stopping the machine can affect the design of the SRP/CS, e.g, for some applications it can be necessary to add a braking system.

Realization of a safety function with an SRP/CS

A safety function can be done using one or more SRP/CS.

All available technologies can be used, also in combination; electrical, hydraulic, pneumatic, mechanical etc.

It is also possible for an SRP/CS to implement safety functions and normal command functions (for example a photoelectric light curtain or two-hand control can be used for both protection and start cycle).

Fig. 9 – Typical architecture of the SRE / CS

Fig. 10 – Several safety functions can share one or more SRP/CS

The designer has to decide the required contribution to risk reduction for each safety function.

The evaluation of PL r must be carried out separately for each individual safety function.

SRP/CS design phase – Organisational aspects

Before creating an SRP/CS, in order to reduce as much as possible the introduction of systematic failures during the design phase or as a result of subsequent modifications, it is necessary to have a management organization that follows structured procedures covering the entire life cycle of the SRP/CS. Each design activity should be properly specified, documented and verified.

PL of the SRP/CS

PL is a function of several factors such as:

  • Hardware and software architecture
  • Ability to promptly detect internal failures potentially affecting the safety function
  • Component reliability, the ability to limit common cause failures
  • Quality of the design
  • Environmental conditions and operational stresses
  • The operating cycle of the machine.

Intended use and reasonably foreseeable misuse must be considered.

The table below summarizes the quantitative requirements, assigning them an overall value of probability of dangerous failure, and the qualitative aspects that must be met in order to obtain a PL.

Fig. 11 – Mandatory qualitative and quantitative requirements to be met for safe control system design according to ISO 13849-1

Reminder

Average Probability of Dangerous Failure/Hour is only one of the parameters contributing to assignment of PL. To claim a PL rating, it is also mandatory to prove having considered and complied with all requirements, including:
– Monitoring of systematic failures
– Using robust and reliable components (according to Product Standards if available)
– Use of good engineering practice
– Considering environmental conditions in which the safety-related system will operate
– In the case of new software, adopting all organisational aspects of V-type development model shown in Figure 6 of ISO 13849-1 and meeting development requirements for application SW and enbedded SW.

PFHD Calculation

The method used for the evaluation of the part of the PL linked to the quantitative aspects is the computation of the probability that a dangerous failure may occur to the SRP/CS in a certain period of time, considering the reliability of its components.

NOTE: The greater the contribution to risk reduction provided by the safety function the lower must be the PFHd (average probability of dangerous failure) of the SRP/CS. A fault is considered dangerous ifit inhibits the protection function of the safety related control-system.

The Average probability of dangerous failure for a safety-related control system, or for a sub-system, may be estimated in various ways. These methods require the use of complex mathematical formulas which typically belong to the field of system reliability theory. The use of such methods implies that for each components the following are known:

  • Failure rate (λ)
  • Percent distribution of failure rate for each component failure modes, (example: for a positive action switch the failure modes are: the contact will not open when required = 20% of the times and the contact will not close when required = 80% of the times
  • The effect of each failure on safety-related system performance, (e.g dangerous failure or not dangerous failure)
  • Percent of dangerous failures detected (by automatic self-diagnostic techniques implemented) out of total dangerous failures
  • Percent of dangerous failures not detected (by automatic self-diagnostic techniques implemented) out of total dangerous failures

ISO 13849-1 simplifies this process by replacing the mathematical formulas with precalculated tables for different combinations of Categories, average MTTFD and DC values which are also determined through tables

Design of an SRP/CS as per ISO 13849-1 may be summarized in the following eight steps:

  1. Selection of system structure (architectures)
  2. Calculation of MTTFD
  3. Selection of the self-diagnostic techniques and DC calculation
  4. Verification of CCF for redundant architecture
  5. Calculation of PL using Table 5 or Table K.1
  6. Verification of PL (if calculated PL is below PL r return to Step 1)
  7. Validation.

Categories and their relationship with the MTTFD, with the DC and with the CCFs

EN / ISO 13849 uses a methodology based on 5 particular structures called “Categories” which constitute the backbone on which all the quantifiable aspects that contribute to the formation of the PL are based.

The categories describe the performance of an SRP/CS in relation to:

  • Structural arrangement of its parts
  • Its fault tolerance
  • Its behaviour under fault conditions
  • Reliability of its components

This means that the safety performance is achieved not only through particular hardware architectures (which the standard defines as designated architecture), but also through a careful use of reliable components and, if necessary, of adequate monitoring techniques. The choice of a category mainly depends on:

  • Ammount of risk reduction needed
  • Required performance level (PL r)
  • Technology used
  • Type of risk due to the failure of the SRP/CS
  • Possibility to avoid systematic failures in the SRP/CS
  • Probability of failures in the SRP/C
  • Mean Time to Dangerous Failure (MTTFD)
  • Diagnostic coverage (DC)
  • Common Cause Failures (CCF) in the case of categories 2, 3 and 4

It should be noted that the designated architectures give a logical representation of the system structure, while the technical implementation and the functional circuit diagram may appear completely different.

Designated architectures can also be used to describe a part or a sub-part of a control system responding to certain input signals and generating safety output signals. Therefore the “input” block can represent, for example, a photoelectric light curtain (AOPD) or switch contacts. The “output” block can represent, for example, a safety-related output (OSSD) or a combination of relay contacts.

For categories 3 and 4 the dual channel representation does not mean that all parts need to be physically redundant but that redundant means exist to ensure that a single fault cannot lead to the loss of the safety function.

There are certainly several ways to create architectures that can satisfy the requirements established by the categories. If the structure of the control system is made by one (or more) of the 5 categories, then for the computation of the safety performance level (PL) it is possible to use the simplified procedures described in the standard.

If an architecture deviates from those of the Categories, then its PL cannot be evaluated with the simplified method of the standard, but must be justified by other analytical means, for example by Markov modeling, in order to show that through this non designated architecture it is possible to achieve the required performance level (PL r). Markov offers a remarkable ability to manage many of the technical characteristics that are implemented in modern safety devices, for example it is possible to model periodic events such as automatic fault diagnostics tests.

PL r(e) provides the greatest contribution to risk reduction, whereas PL r(a) makes the lowest contribution.