PLr(e) provides the greatest contribution to risk reduction, whereas PLr(a) makes the lowest contribution.
Safety Related Parts of Control Systems, Part 1: General principles for design
ISO 13849-1 is a revised version of EN 954-1.
The complex mathematical formulas of the system reliability theory were replaced with pre-calculated tables.
Some concepts of EN 954-1 were retained, such as Categories, redundancy and monitoring.
Others were modified, such as the risk graph and the selection of Categories.
The role of Categories is no longer as crucial as it was in EN 954-1.
To assess the resistance to dangerous failure, the Category concept is replaced by the Performance Level (PL), defined as the ability of the safety-related parts of the machine control system (hereinafter called SRP/CS) to assure protection under specified operating conditions.
The parameter used to evaluate the PL of a safety function is the average probability of dangerous failure per hour (PFHd). A failure is considered dangerous if, left undetected, it would inhibit the protective function of the system.
Table of ISO 13849-1
The greater the contribution to reducing risk the lower must be the average probability of dangerous failure of the
PL is a function of control system architecture, component reliability, ability to promptly detect internal failure potentially affecting the safety function and quality of the design.
The table below summarizes mandatory qualitative and quantitative requirements to be met for safe control system design to ISO 13849-1.
Mandatory qualitative and quantitative requirements to be met for safe control system design to ISO 13849-1
To claim a given PL, in addition to evaluating the Average probability of dangerous failure/hour for the control system in question, it will also be necessary to prove compliance with quality requirements specified by the standard.
The claimed PL must be validated using ISO 13849-2 (Safety Related Parts of Control Systems, Part 2: Validation), which defines the procedures, tests and analyses for the assessment of:
- Safety function provided
- Category attained
- Performance level reached
Average probability of dangerous failure per hour is only one of the parameters contributing to the assignment of PL.
To obtain a PL rating, it is also mandatory to prove and substantiate having considered and complied with all requirements, including:
• Monitoring of systematic failures
• Using robust and reliable components (in line with product standards, where available)
• Working according to good engineering practice
• Considering the environmental conditions in which the safety-related system will operate
• In the case of new software, adopting all organizational aspects of the V-type development model shown in Figure 6 of ISO 13849-1 and meeting the development requirements for application software and embedded software.
Design of an SRP/CS as per ISO 13849-1 may be summarized in the following eight steps:
1 – Identification of safety-related function through risk analysis
2 – Assignment of Performance Level requested (PLr) through risk graph
3 – Selection of system structure (architectures) and self-diagnostic techniques
4 – Technical development of control system
5 – Calculation of MTTFd, DCavg and verification of CCF
6 – Calculation of PL using Table 5
7 – Verification of PL (if calculated PL is below PLr return to Step 3)
8 – Validation.
Identification of the safety-related function and assignment of the Performance Level required (PLr)
For each safety-related function identified (e.g. through the use of ISO/TR 14121-2, Risk Assessment), the designer of the SRP/CS decides the contribution to risk reduction to be provided, i.e. PLr.
This contribution does not cover overall machine risk but only the part of risk related to the application of the safety function in question.
Parameter PLr represents the Performance Level required for the safety-related function in question.
Parameter PL represents the Performance Level reached by the implementing hardware. The PL of the hardware must be equal to or higher than the specified PLr.
A tree-type decision graph is used to find the contribution to risk reduction that must be provided by the safety-related function, leading to unambiguous identification of PLr. If more than one safety-related function is identified, PLr shall be determined for each of them.
Tree type graph of decision
Design of the safety related control system and evaluation of the PL
After deciding on the PLr needed, a suitable SRP/CS is designed, calculating the resulting PL and ensuring that it is higher than or equal to PLr.
To obtain the PL, the Average probability of dangerous failure/hour of the SRP/CS designed must be calculated.
The Average probability of dangerous failure/hour for a safety-related control system may be estimated in various ways.
Using such methods implies that for each component the following are known:
- Failure rate (λ)
- Percentage distribution of the failure rate over all failure modes of the component (e.g. for a positive-action switch the failure modes might be: the contact will not open when required = 20% of cases, and the contact will not close when required = 80% of cases, giving: will not open = λ × 0.2, will not close = λ × 0.8)
- The effect of each failure on the performance of the safety-related system (e.g. dangerous failure = λd, non-dangerous failure = λs)
- Percentage of dangerous failures detected (by the automatic self-diagnostic techniques implemented) out of the total dangerous failures: λdd = λd × DC
- Percentage of dangerous failures not detected (by the automatic self-diagnostic techniques implemented) out of the total dangerous failures: λdu = λd × (1 − DC)
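The decomposition above, worked through in code. This is an added example, not code from the article or from the standard; the switch failure rate (2 × 10⁻⁶ /h) and the 90% diagnostic coverage are constructed values, and the 20%/80% split is the page's own illustration.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760  # 24 h x 365 days, used to express MTTFd in years


@dataclass
class FailureMode:
    name: str
    fraction: float   # share of the component's total failure rate (all fractions sum to 1)
    dangerous: bool   # True if this mode inhibits the safety function when it occurs


def split_failure_rate(lam, modes, dc):
    """Split a component failure rate lambda (failures per hour) into the
    terms ISO 13849-1 works with:
      lambda_d  = dangerous part, lambda_s = safe part,
      lambda_dd = dangerous and detected (lambda_d * DC),
      lambda_du = dangerous and undetected (lambda_d * (1 - DC)),
      MTTFd     = 1 / lambda_d, returned in years.
    dc is the diagnostic coverage for this component as a fraction 0..1."""
    total = sum(m.fraction for m in modes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError("failure mode fractions must sum to 1")
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must be between 0 and 1")
    lambda_d = sum(lam * m.fraction for m in modes if m.dangerous)
    lambda_s = lam - lambda_d
    lambda_dd = lambda_d * dc
    lambda_du = lambda_d * (1.0 - dc)
    mttfd_years = float("inf") if lambda_d == 0 else 1.0 / lambda_d / HOURS_PER_YEAR
    return {
        "lambda_d": lambda_d,
        "lambda_s": lambda_s,
        "lambda_dd": lambda_dd,
        "lambda_du": lambda_du,
        "mttfd_years": mttfd_years,
    }


# Constructed data: the page's positive-action switch. "Will not open" is the
# dangerous mode (the guard is bypassed), "will not close" only stops the machine.
SWITCH_MODES = [
    FailureMode("contact will not open when required", 0.20, dangerous=True),
    FailureMode("contact will not close when required", 0.80, dangerous=False),
]
SWITCH_LAMBDA = 2e-6  # constructed total failure rate, failures per hour


if __name__ == "__main__":
    result = split_failure_rate(SWITCH_LAMBDA, SWITCH_MODES, dc=0.90)
    for key, value in result.items():
        print(f"{key:12s} = {value:.3e}")
```

Only λdu contributes to the undetected dangerous failure probability, which is why raising DC on a component with a high dangerous fraction has a larger effect on the resulting PFHd than improving a component whose failures are mostly safe.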
ISO 13849-1 simplifies calculation by providing a table based on Markov modeling in which average probability of dangerous failure per hour is precalculated for various Category combinations and range values of MTTFd and DCavg which are in turn obtained using tables.
|Denomination MTTFd|Range of MTTFd|Denomination DCavg|Range of DC / DCavg|
|---|---|---|---|
|Low|3 years ≤ MTTFd < 10 years|None|DC < 60%|
|Medium|10 years ≤ MTTFd < 30 years|Low|60% ≤ DC < 90%|
|High|30 years ≤ MTTFd < 100 years|Medium|90% ≤ DC < 99%|
| | |High|99% ≤ DC|
|Cat.|Summary of requirements|System behaviour|Principle used to achieve safety|
|---|---|---|---|
|B|SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influences. Basic safety principles shall be used.|The occurrence of a fault can lead to the loss of the safety function.|Mainly characterized by selection of components|
|1|Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.|The occurrence of a fault can lead to the loss of the safety function, but the probability of occurrence is lower than for Category B.|Mainly characterized by selection of components|
|2|Requirements of B and the use of well-tried safety principles shall apply. The safety function shall be checked at suitable intervals by the machine control system.|The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check.|Mainly characterized by structure|
|3|Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that: a single fault in any of these parts does not lead to the loss of the safety function; and, whenever reasonably practicable, the single fault is detected.|When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.|Mainly characterized by structure|
|4|Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that: a single fault in any of these parts does not lead to the loss of the safety function; and the single fault is detected at or before the next demand upon the safety function, but if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.|When a single fault occurs, the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.|Mainly characterized by structure|
For Cat. B and Cat. 1 the ability to resist failure comes from the robustness of the components (failures are avoided as far as possible).
For Cat. 2, 3 and 4 the ability to resist failure comes from the system structure (failures are controlled). Failure is controlled through cyclic monitoring for Cat. 2, redundancy for Cat. 3, and redundancy plus monitoring for Cat. 4.
Operational requirements are specified for each Category. The failure modes of the electric components are defined and listed. The relationship among Categories and the safety performance of the control system in case of failure is well defined (deterministic approach).
The problem is thus reduced to: selecting the architecture, calculating DCavg from the self-diagnostic techniques implemented, calculating the simplified MTTFd of the circuit designed and, for redundant architectures (Cat. 2, 3 and 4), verifying compliance with the requirements for independence of the channels (common cause failures, CCF).
The combination of Category plus DCavg adopted corresponds to one of the seven columns of Figure 5 of ISO 13849-1.
The calculated MTTFd determines which part of that column is to be considered. The corresponding PL is read on the left of the figure.
Figure of ISO 13849-1
The part of the column selected may include two or three possible values of PL, e.g. for Cat. 3, DCavg = Medium and MTTFd = Low, three values are possible: PL b, PL c and PL d. In these cases the correct PL is obtained from Table K.1 of Annex K of the Standard (not shown), which provides detailed values of the average probability of dangerous failure per hour and of the PL as a function of the actual value of MTTFd and of the Category-plus-DCavg combination implemented.
As can be seen from the previous figure, several design choices are available for each Performance Level. An example is given in Table 5 where, for a system requiring PL c, the following five alternatives are possible:
1. Category 3 with MTTFd = Low and DCavg medium
2. Category 3 with MTTFd = Medium and DCavg low
3. Category 2 with MTTFd = Medium and DCavg medium
4. Category 2 with MTTFd = High and DCavg low
5. Category 1 with MTTFd = High
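Steps 3 to 7 of the design procedure (architecture, MTTFd, DCavg, CCF, PL from Table 5, comparison with PLr) worked through for a two-channel Category 3 system. This is an added example, not code from the article or from the standard. The component MTTFd and DC values are constructed; the band limits are those of the page's own table; the PL lookup reproduces the simplified Table 5 of ISO 13849-1 as I recall it and should be checked against your copy of the standard; the channel symmetrisation formula, the 100-year cap and the 65-point CCF threshold are taken from the standard's annexes.

```python
MTTFD_MAX_YEARS = 100.0   # simplified procedure caps each channel's MTTFd at 100 years
CCF_MIN_POINTS = 65       # Annex F: CCF measures must score at least 65 points


def channel_mttfd(component_mttfd_years):
    """Parts-count method for one channel: 1/MTTFd = sum(1/MTTFd_i), then capped."""
    inv = sum(1.0 / m for m in component_mttfd_years)
    return min(1.0 / inv, MTTFD_MAX_YEARS)


def symmetrise_mttfd(c1, c2):
    """Single MTTFd for two channels of different MTTFd (Annex D formula).
    Reduces to c1 when both channels are identical."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def dc_avg(components):
    """components: (MTTFd_i in years, DC_i as fraction).
    DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i), i.e. weighted by failure rate."""
    num = sum(dc / m for m, dc in components)
    den = sum(1.0 / m for m, _ in components)
    return num / den


def mttfd_band(years):
    if years < 3:
        return None          # below the minimum the standard accepts
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"            # the cap keeps this below 100 years


def dc_band(dc):
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Simplified Table 5: (Category, DCavg band) -> MTTFd band -> PL.
# None marks a combination the simplified procedure does not cover.
TABLE5 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": "c"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def performance_level(category, mttfd_years, dcavg):
    column = TABLE5.get((category, dc_band(dcavg)))
    band = mttfd_band(mttfd_years)
    if column is None or band is None:
        return None
    return column[band]


def evaluate_two_channel(ch1, ch2, category, plr, ccf_points):
    """ch1, ch2: lists of (MTTFd_i years, DC_i) per channel. Returns the figures a
    designer records in steps 5-7; meets_plr is the step 7 decision."""
    mttfd = symmetrise_mttfd(channel_mttfd([m for m, _ in ch1]),
                             channel_mttfd([m for m, _ in ch2]))
    dcavg = dc_avg(ch1 + ch2)
    pl = performance_level(category, mttfd, dcavg)
    ccf_ok = category in ("B", "1") or ccf_points >= CCF_MIN_POINTS
    return {"mttfd_years": mttfd, "mttfd_band": mttfd_band(mttfd),
            "dcavg": dcavg, "dcavg_band": dc_band(dcavg),
            "pl": pl, "ccf_ok": ccf_ok,
            "meets_plr": ccf_ok and pl is not None and pl >= plr}  # letters a..e order


# Constructed channels: (MTTFd in years, DC) for e.g. a sensor, a logic part and an output part.
CH1 = [(150, 0.99), (60, 0.90), (200, 0.60)]
CH2 = [(100, 0.99), (45, 0.90), (300, 0.60)]

if __name__ == "__main__":
    print(evaluate_two_channel(CH1, CH2, "3", "d", ccf_points=70))
```

With these constructed values the symmetrised MTTFd is about 31.8 years (High) and DCavg about 88% (Low), which in the Cat. 3 / DCavg Low column gives PL d; if PLr were e, step 7 would send the designer back to step 3 (Cat. 4 with DCavg High is the only column reaching PL e).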
Exception (only for the output part of the SRP/CS)
If, for mechanical, hydraulic or pneumatic components (or components comprising a mixture of technologies), no application-specific reliability data are available, the machine manufacturer may evaluate the quantifiable aspects of the PL without any MTTFd calculation.
In such cases the safety-related performance level (PL) is achieved by the architecture, the diagnostics and the measures against CCF. The next table shows the relationship between the achievable PL and the Categories.
|PFHd (1/h)|Cat. B|Cat. 1|Cat. 2|Cat. 3|Cat. 4|
|---|---|---|---|---|---|
Legend:
- * Applied category is recommended
- 0 Applied category is optional
- – Category is not allowed
- *1 Proven-in-use or well-tried components (confirmed by the component manufacturer to be suitable for the particular application) and well-tried safety principles must be used
- *2 Well-tried components and well-tried safety principles must be used. For safety-related components that are not monitored in the process, the T10d value can be determined by the machine manufacturer on the basis of proven-in-use data
Combination of several SRP/CSs to achieve the overall PL
A safety-related function may include one or more SRP/CSs, and several safety-related functions may use the same SRP/CS. Individual SRP/CSs may also be built on different architectures. Where the safety-related function is obtained by a series connection of several SRP/CSs (e.g. safety light curtain, control logic, power output) and the PFHd values of all SRP/CSs are known, the PFHd of the combined SRP/CS is the sum of the PFHd values of the N individual SRP/CSs.
The PL of the combined SRP/CS is limited by:
- the lowest PL of any individual SRP/CS involved in performing the safety function (because the PL is also determined by non-quantifiable aspects), and
- the PL corresponding to the PFHd of the combined SRP/CS according to Table 3 of ISO 13849-1.
If the PFHd values of all individual SRP/CSs are not known:
- Locate the part with the lowest PL (PL low)
- Find the number of parts having PL = PL low (N low)
- Enter these data in the following table to obtain the total PL
The PL obtained using this table refers to reliability values at mid-position for each of the intervals in Table 3 of ISO 13849-1.
We have: PL low = d, N low = 1 (< 3)
Therefore: PL total = d
and the average probability of dangerous failure per hour for the entire system will be a number somewhere between 1 × 10⁻⁶ and 1 × 10⁻⁷ (see Table 3 of ISO 13849-1).
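Both combination rules in code: the quantitative one (sum the PFHd values, read the PL from Table 3, then cap it at the lowest individual PL) and the qualitative fallback (PL low and N low) used when PFHd values are unknown. This is an added example, not code from the article or from the standard; the three-part series connection (light curtain, logic, output) follows the page's example, while its PFHd values are constructed. The Table 3 ranges and the N low limits are reproduced from ISO 13849-1 as I recall them and should be checked against your copy.

```python
PL_ORDER = "abcde"   # ascending; string comparison of single letters preserves this order

# Table 3 of ISO 13849-1: PL -> [lower, upper) range of PFHd in 1/h
TABLE3 = [
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
]

# Table 11 of ISO 13849-1: for a given PL low, the largest N low that still keeps
# the total PL equal to PL low; above it the total PL drops one level.
TABLE11_MAX_N_LOW = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def pl_from_pfhd(pfhd):
    """Map a PFHd value to its PL per Table 3; None if outside the covered range."""
    for pl, low, high in TABLE3:
        if low <= pfhd < high:
            return pl
    return None


def combine_with_pfhd(parts):
    """parts: list of (PL, PFHd) for SRP/CSs connected in series.
    Returns (PFHd_total, PL_total). PL_total is limited both by the summed
    PFHd (Table 3) and by the lowest individual PL (non-quantifiable aspects)."""
    pfhd_total = sum(pfhd for _, pfhd in parts)
    lowest_pl = min(pl for pl, _ in parts)
    quantitative_pl = pl_from_pfhd(pfhd_total)
    if quantitative_pl is None:
        return pfhd_total, None
    return pfhd_total, min(lowest_pl, quantitative_pl)


def combine_without_pfhd(part_pls):
    """Qualitative rule (Table 11) when PFHd values are not known:
    total PL = PL low, or one level lower when too many parts sit at PL low."""
    pl_low = min(part_pls)
    n_low = part_pls.count(pl_low)
    if n_low <= TABLE11_MAX_N_LOW[pl_low]:
        return pl_low
    if pl_low == "a":
        return None                   # cannot drop below PL a: not allowed
    return PL_ORDER[PL_ORDER.index(pl_low) - 1]


# Constructed series connection following the page's example: the light curtain
# and the logic are PL e, the output part is the single PL d element (N low = 1).
SERIES = [("e", 2e-8), ("e", 3e-8), ("d", 5e-7)]

if __name__ == "__main__":
    total, pl = combine_with_pfhd(SERIES)
    print(f"PFHd total = {total:.2e} 1/h -> PL {pl}")
    print("without PFHd data -> PL", combine_without_pfhd([pl for pl, _ in SERIES]))
```

Note how the quantitative rule can be stricter than the qualitative one: two PL d parts each at 6 × 10⁻⁷ /h sum to 1.2 × 10⁻⁶ /h, which Table 3 places at PL c, even though Table 11 would still return d for N low = 2.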