
Functional safety with EN IEC 62061 and EN ISO 13849-1

When does which standard apply?

Technology                                     | EN IEC 62061    | EN ISO 13849-1
Electrical/electronic/programmable electronic  | applicable 1)   | applicable 1)
Hydraulic/pneumatic/mechanical                 | not applicable  | applicable

1) Compliance with just one standard is generally sufficient to assume compliance.

Risk assessment

EN IEC 62061: risk assessment and definition of the required safety integrity level (SIL)

Severity of injury Se                    | Points
Death, losing an eye or arm              | 4
Permanent, losing fingers                | 3
Reversible, medical attention            | 2
Reversible, first aid                    | 1

Frequency and duration of exposure Fr    | Points
≤ 1 hour                                 | 5
> 1 h – ≤ 1 day                          | 5
> 1 day – ≤ 2 weeks                      | 4
> 2 weeks – ≤ 1 year                     | 3
> 1 year                                 | 2

Probability of hazardous event Pr        | Points
Very high                                | 5
Likely                                   | 4
Possible                                 | 3
Rarely                                   | 2
Negligible                               | 1

Probability of avoidance Av              | Points
Impossible                               | 5
Possible                                 | 3
Likely                                   | 1

Class Cl = Fr + Pr + Av. The SIL is read from the row for Se and the column for Cl:

Se | Cl 3–4 | Cl 5–7 | Cl 8–10 | Cl 11–13 | Cl 14–15
4  | SIL 2  | SIL 2  | SIL 2   | SIL 3    | SIL 3
3  |        | OM     | SIL 1   | SIL 2    | SIL 3
2  |        |        | OM      | SIL 1    | SIL 2
1  |        |        |         | OM       | SIL 1

OM = other measures required (a blank cell: no safety requirement from this standard)

EN ISO 13849-1: determination of the required performance level (PL r)

Risk parameters:
S – Severity of injury
    S1 = Slight (normally reversible injury)
    S2 = Serious (normally irreversible injury including death)
F – Frequency and/or exposure to a hazard
    F1 = Seldom to less often and/or the exposure time is short
    F2 = Frequent to continuous and/or the exposure time is long
P – Possibility of avoiding the hazard or limiting the harm
    P1 = Possible under specific conditions
    P2 = Scarcely possible

Risk graph (starting point for the evaluation of the safety function's contribution to risk reduction; PL a = low contribution, PL e = high contribution):

S1 F1 P1 → PL r = a
S1 F1 P2 → PL r = b
S1 F2 P1 → PL r = b
S1 F2 P2 → PL r = c
S2 F1 P1 → PL r = c
S2 F1 P2 → PL r = d
S2 F2 P1 → PL r = d
S2 F2 P2 → PL r = e
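The two risk estimations above, carried through in code. This is an added example, not code from the poster or from Pilz: it encodes the EN IEC 62061 matrix (Se, Fr, Pr, Av → Cl → SIL) and the EN ISO 13849-1 risk graph (S, F, P → PL r) exactly as tabulated; the function names, the short keys for the exposure bands and the scenario in the demo are my own.

```python
"""Required safety integrity from the risk parameters tabulated above.

Added example (not code from the page or from Pilz). Point values and
matrix cells are the ones on the poster; names and keys are my own.
"""
from __future__ import annotations

# EN IEC 62061 parameter points (exposure bands written as short keys).
FR_POINTS = {"<=1h": 5, ">1h-<=1d": 5, ">1d-<=2w": 4, ">2w-<=1y": 3, ">1y": 2}
PR_POINTS = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV_POINTS = {"impossible": 5, "possible": 3, "likely": 1}

# Class bands (columns) and the matrix rows by severity Se.
# None = blank cell (no requirement from this standard), "OM" = other measures required.
CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))
SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: (None, "OM", "SIL 1", "SIL 2", "SIL 3"),
    2: (None, None, "OM", "SIL 1", "SIL 2"),
    1: (None, None, None, "OM", "SIL 1"),
}


def sil_class(fr: str, pr: str, av: str) -> int:
    """Cl = Fr + Pr + Av (4..15 with the point values above)."""
    try:
        return FR_POINTS[fr] + PR_POINTS[pr] + AV_POINTS[av]
    except KeyError as exc:
        raise ValueError(f"unknown risk parameter value: {exc}") from None


def required_sil(se: int, fr: str, pr: str, av: str) -> str | None:
    """Look up the matrix cell for severity Se and class Cl.

    Returns "SIL 1".."SIL 3", "OM", or None for a blank cell.
    """
    if se not in SIL_MATRIX:
        raise ValueError("Se must be 1, 2, 3 or 4")
    cl = sil_class(fr, pr, av)
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise RuntimeError("unreachable: Cl always lies within 3..15")


def required_pl(s: int, f: int, p: int) -> str:
    """EN ISO 13849-1 risk graph: S1/S2, F1/F2, P1/P2 -> PL r a..e.

    The eight leaves of the graph, read top to bottom
    (S1 F1 P1 ... S2 F2 P2), are a, b, b, c, c, d, d, e.
    """
    for name, value in (("S", s), ("F", f), ("P", p)):
        if value not in (1, 2):
            raise ValueError(f"{name} must be 1 or 2")
    leaf = (s - 1) * 4 + (f - 1) * 2 + (p - 1)
    return "abbccdde"[leaf]


if __name__ == "__main__":
    # Constructed scenario: permanent injury possible, exposure a few times a
    # week, hazardous event likely, avoidance possible -> Cl = 4 + 4 + 3 = 11.
    print(required_sil(3, ">1d-<=2w", "likely", "possible"))  # SIL 2
    print(required_pl(2, 2, 2))  # e
```

Note that the two standards do not map onto each other parameter by parameter: Cl is a sum, so a low probability of the hazardous event can offset a long exposure, whereas the risk graph is a strict binary path. Both functions refuse out-of-range inputs instead of silently returning the lowest level.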
Estimation of CCF factor (common cause failures)

Determination of common cause failures: points per measure

Measure                                                   | EN IEC 62061 (SIL points) | EN ISO 13849-1 (PL points)
Physical separation of safety circuits and other circuits | 25                        | 15
Diversity (use of diverse technologies)                   | 38                        | 20
Design/application/experience                             | 2                         | 20
Assessment/analysis                                       | 18                        | 5
Competence/training                                       | 4                         | 5
Environmental influences (EMC, temperature, …)            | 18                        | 35

Assessment of CCF influence

EN IEC 62061: overall score → common cause failure factor β
< 35     → 10 % (0,1)
35 – 65  → 5 % (0,05)
66 – 85  → 2 % (0,02)
86 – 100 → 1 % (0,01)

EN ISO 13849-1: requirement on the overall score
≥ 65 points → compliance
< 65 points → noncompliance
Architectural constraints on subsystems (EN IEC 62061)

Safe failure fraction (SFF):

SFF = (∑λ_S + ∑λ_DD) / (∑λ_S + ∑λ_D) = (∑λ_SD + ∑λ_SU + ∑λ_DD) / (∑λ_SD + ∑λ_SU + ∑λ_DD + ∑λ_DU)

SFF           | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2
< 60 %        | not permitted              | SIL 1                      | SIL 2
60 % – < 90 % | SIL 1                      | SIL 2                      | SIL 3
90 % – < 99 % | SIL 2                      | SIL 3                      | SIL 3
≥ 99 %        | SIL 3                      | SIL 3                      | SIL 3

(The table gives the SIL claim limit of a subsystem; EN IEC 62061 does not go beyond SIL 3.)

Determination of the MTTF_d per channel (EN ISO 13849-1)

1/MTTF_d = ∑_{i=1}^{N} 1/MTTF_d,i = ∑_{j=1}^{n} n_j / MTTF_d,j

The following applies to diverse (two-channel) systems:

MTTF_d = 2/3 · [ MTTF_d,C1 + MTTF_d,C2 − 1 / (1/MTTF_d,C1 + 1/MTTF_d,C2) ]

Evaluation of MTTF_d per channel:
Low     3 years ≤ MTTF_d < 10 years
Medium  10 years ≤ MTTF_d < 30 years
High    30 years ≤ MTTF_d < 100 years

Determination of the degree of diagnostic coverage (DC)

Diagnostic coverage: DC = ∑λ_DD / ∑λ_Dtotal

Range of DC:
None    DC < 60 %
Low     60 % ≤ DC < 90 %
Medium  90 % ≤ DC < 99 %
High    99 % ≤ DC

Average DC:

DC_avg = (DC_1/MTTF_d1 + DC_2/MTTF_d2 + … + DC_N/MTTF_dN) / (1/MTTF_d1 + 1/MTTF_d2 + … + 1/MTTF_dN)

Relationship between the categories, DC_avg, MTTF_d and PL

[Bar chart: PFH [1/h] from 10^-4 (PL a) down to 10^-8 (PL e) against the columns Cat. B / DC_avg = none, Cat. 1 / none, Cat. 2 / low, Cat. 2 / medium, Cat. 3 / low, Cat. 3 / medium, Cat. 4 / high; bar shading = MTTF_d per channel low, medium, high.] Read in its simplified form:

Category | DC_avg | MTTF_d low | MTTF_d medium | MTTF_d high
B        | none   | a          | b             | b
1        | none   | –          | –             | c
2        | low    | a          | b             | c
2        | medium | b          | c             | d
3        | low    | b          | c             | d
3        | medium | c          | d             | d
4        | high   | –          | –             | e
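The quantification steps above (MTTF_d per channel, the symmetrisation formula for diverse channels, DC_avg, SFF with the architectural-constraint table, the CCF score requirement and the simplified Category/DC_avg/MTTF_d → PL reading of the chart) worked through in one place. This is an added example; it is neither PAScal nor code from the poster. Function names are my own, and the component values in the demo are constructed, not taken from any data sheet.

```python
"""Quantifying an SRP/CS with the formulas on this page.

Added example (not PAScal, not code from the page). DC is passed as a
fraction 0..1, MTTF_d in years, failure rates in any common unit.
"""
from __future__ import annotations

PL_ORDER = "abcde"


def mttfd_channel(mttfd_parts: list[float]) -> float:
    """Parts count: 1/MTTF_d = sum_i 1/MTTF_d,i."""
    if not mttfd_parts or any(m <= 0 for m in mttfd_parts):
        raise ValueError("MTTF_d values must be positive")
    return 1.0 / sum(1.0 / m for m in mttfd_parts)


def mttfd_symmetrised(c1: float, c2: float) -> float:
    """Two diverse channels: MTTF_d = 2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2))."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def rate_mttfd(mttfd: float) -> str | None:
    """Low / medium / high band; None below 3 years (not usable)."""
    if mttfd < 3:
        return None
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"  # the standard caps MTTF_d per channel at 100 years


def dc_avg(dcs: list[float], mttfds: list[float]) -> float:
    """DC_avg = sum(DC_i / MTTF_d,i) / sum(1 / MTTF_d,i)."""
    if not dcs or len(dcs) != len(mttfds):
        raise ValueError("need exactly one DC per MTTF_d value")
    return sum(dc / m for dc, m in zip(dcs, mttfds)) / sum(1.0 / m for m in mttfds)


def rate_dc(dc: float) -> str:
    """none / low / medium / high band of diagnostic coverage."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def sff(l_sd: float, l_su: float, l_dd: float, l_du: float) -> float:
    """SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_D)."""
    total = l_sd + l_su + l_dd + l_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (l_sd + l_su + l_dd) / total


def sil_claim_limit(sff_value: float, hft: int) -> int | None:
    """EN IEC 62061 architectural constraints; None = not permitted."""
    if hft not in (0, 1, 2):
        raise ValueError("hardware fault tolerance must be 0, 1 or 2")
    if sff_value < 0.60:
        row = (None, 1, 2)
    elif sff_value < 0.90:
        row = (1, 2, 3)
    elif sff_value < 0.99:
        row = (2, 3, 3)
    else:
        row = (3, 3, 3)
    return row[hft]


# Simplified procedure (the bar chart): (category, DC_avg band) -> MTTF_d band -> PL
PL_TABLE = {
    ("B", "none"): {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"): {"high": "c"},
    ("2", "low"): {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"): {"high": "e"},
}


def achieved_pl(category: str, dc_band: str, mttfd_band: str | None, ccf_points: int) -> str | None:
    """PL from the simplified procedure; None if the combination is not covered.

    Categories 2, 3 and 4 additionally need the CCF score of >= 65 points.
    """
    if category in ("2", "3", "4") and ccf_points < 65:
        return None
    if mttfd_band is None:
        return None
    return PL_TABLE.get((category, dc_band), {}).get(mttfd_band)


def pl_meets(achieved: str | None, required: str) -> bool:
    """Verification step: achieved PL >= PL r."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


if __name__ == "__main__":
    # Constructed Cat. 3 channel: three parts with MTTF_d 100, 150, 120 years -> 40 years (high).
    channel = mttfd_channel([100.0, 150.0, 120.0])
    band = rate_dc(dc_avg([0.99, 0.60], [100.0, 50.0]))  # 0.73 -> "low"
    print(channel, band, achieved_pl("3", band, rate_mttfd(channel), 70))  # ... 'd'
```

The CCF check is deliberately a hard gate rather than a warning: without the 65 points the chart's Cat. 2, 3 and 4 columns may not be claimed at all, and a tool that still emitted a PL would hide exactly the systematic weakness the score is meant to catch.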
Subsystem architectures – specification of categories

[Figure: example circuits for the designated architectures, built from Pilz safety relays (PNOZ X3, PNOZ s2, PNOZ m1p) and PSEN safety switches (PSEN 1.1p-20 / PSEN 1.1-20, PSENme 1S/1AS):
Subsystem A – Category B, 1
Subsystem B – Category 2
Subsystem C – Category 3
Subsystem D – Category 4]
Probability per hour of a dangerous failure occurring – comparison SIL/PL

Safety integrity level (SIL) acc. to EN IEC 62061 | Probability of a dangerous failure per hour [1/h] | Performance level (PL) acc. to EN ISO 13849-1
no special safety requirements                    | 10^-5 ≤ PFH < 10^-4                               | a
1 (< 1 failure in 100,000 h)                      | 3 × 10^-6 ≤ PFH < 10^-5                           | b
1 (< 1 failure in 100,000 h)                      | 10^-6 ≤ PFH < 3 × 10^-6                           | c
2 (< 1 failure in 1,000,000 h)                    | 10^-7 ≤ PFH < 10^-6                               | d
3 (< 1 failure in 10,000,000 h)                   | 10^-8 ≤ PFH < 10^-7                               | e
Verification

[Flow chart, EN IEC 62061: Determining the required SIL → Realisation of the safety function – determination of the achieved SIL → Verification: achieved SIL ≥ required SIL.
Flow chart, EN ISO 13849-1: Determination of the PL r → Realisation of the safety function – determination of the achieved PL → Verification: achieved PL ≥ PL r.
The realisation step is illustrated by a configurable safety controller; its terminal labels are omitted here.]

Safety Calculator PAScal – Calculation software for verifying functional safety

The safety calculator PAScal calculates the PFH_D value of safety functions in machines and installations. The result is verified against the prescribed performance level in accordance with EN ISO 13849 or the safety integrity level in accordance with EN IEC 62061. The graphical representation shows how individual components influence overall safety.

Benefits to you:
- Simple handling saves time
- Comprehensive component database
- Simple import and update function
- Report generator as documented verification

For more information on laws and standards: Webcode 0240

Online information at www.pilz.com

Lexicon

Architecture: Specific configuration of hardware and software elements in a system.

B10d: Number of operating cycles until 10 % of the components of a sample have failed dangerously.

β: Beta factor or common cause factor; CCF measure; proportion of failures which have a common cause.

Category (Cat.): Classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, which is achieved by the structural arrangement of the parts, fault detection and/or their reliability.

CCF: Common cause failure; failure of different items resulting from a single cause.

Demand rate r_d: Frequency of demands per time unit for a safety-related action of an SRP/CS.

Diagnostic coverage (DC): Measure for the effectiveness of diagnostics; determined as the ratio between the failure rate of detected dangerous failures and the failure rate of all dangerous failures.

DC_avg: Average diagnostic coverage.

Diagnostic test interval: Time period between online tests carried out in order to detect faults in a safety-related system with the specified degree of diagnostic coverage.

Diversity: Use of diverse means to execute a required function.

Electrical/electronic/programmable electronic (E/E/PE): Based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology.

Failure: Termination of the ability of an item to perform a required function.

Fault: State of an item characterised by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources.

Functional safety: Part of the overall safety (relating to the EUC and the EUC management or control system) which depends on the correct functioning of the safety-related E/E/PE system, other-technology safety-related systems and external risk reduction facilities.

Intended use of a machine: Use of a machine in accordance with the information provided in the user information.

λ: Failure rate (average probability of failure per hour).
λ_avg: Average failure rate per hour.
λ_DD: Rate of dangerous detected failures.
λ_DU: Rate of dangerous undetected failures.
λ_SD: Rate of safe detected failures.
λ_SU: Rate of safe undetected failures.

Mission time (T_M): Period of time covering the intended use of an SRP/CS.

MTTF_d: Mean time to dangerous failure; mean value of the operating time during which a single channel of a system is expected to remain free of dangerous failures.

MTTR: Mean time to restoration; average length of time taken for the safety system to be restored, measured from the time of failure occurrence to the completion of repairs.

PAScal: Calculation software for verifying functional safety.

Performance level (PL): Discrete level which specifies the capability of safety-related parts of a control system to perform a safety function under foreseeable conditions.

Required performance level (PL_r): Performance level (PL) applied in order to achieve the required risk reduction for each safety function.

PFD: Probability of failure on demand.
PFD_avg: Average probability of failure on demand.
PFH: Probability of dangerous failure per hour.
PFH_D: Average probability of a dangerous failure per hour.

Redundancy: The duplication of means required by a functional entity to perform a required function or in order for data to represent information.

Repeat test: Recurring test designed to detect failures in a safety-related system, with the aim of allowing the system to be restored, if necessary, to "as new" status or to a status which is as close as possible to this status under the given practical constraints.

Residual risk: Risk remaining after protective measures have been taken.

Risk: Combination of the probability of occurrence of harm and the severity of that harm.

Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation.

Risk assessment: The overall process comprising risk analysis and risk evaluation.

Risk evaluation: Judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved.

Safety function: Function of the machine whose failure can result in an immediate increase of the risk(s).

Safety integrity: Probability of an SRECS or its subsystem satisfactorily performing the required safety-related control functions under all stated conditions.

Safety integrity level (SIL): Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 the lowest.

SFF: Safe failure fraction, i.e. fraction of the overall failure rate that does not result in a dangerous failure (safe failures plus detected dangerous failures, see the SFF formula).

SIL claim limit (SILCL): Maximum SIL that can be claimed for an SRECS subsystem in relation to architectural constraints and systematic safety integrity.

SRCF – safety-related control function: Control function implemented by an SRECS with a specified integrity level that is intended to maintain the safe condition of the machine or to prevent an immediate increase in risk.

SRECS – safety-related electrical control system: Electrical control system on a machine, the failure of which can result in an immediate increase of the risk(s).

SRP/CS – safety-related part of a control system: Part of a control system which reacts to safety-related input signals and generates safety-related output signals.

Subsystem: Entity of the top-level architectural design of the SRECS, where a failure of any subsystem will result in a failure of a safety-related control function.

Test rate r_t: Frequency of automatic tests performed to detect faults in an SRP/CS; reciprocal value of the diagnostic test interval.

T_i: Time interval between periodic tests on a safety system.

Validation: Confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety requirements of the specific application.

Verification: Confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or subsystem elements meet the requirements set by the relevant specification.

The measures outlined here are simplified descriptions and are intended to provide an overview of the standards EN ISO 13849-1 and EN IEC 62061. Detailed understanding and correct application of all relevant standards and directives are needed for validation of safety circuits. As a result, we cannot accept any liability for omissions or incomplete information.