0% found this document useful (0 votes)

27 views108 pages

04 Iso13849-1 Bg-Etem

The document outlines the requirements and guidelines for functional safety in control systems as per ISO 13849-1, including the steps to determine performance levels (PL) and the necessary safety functions. It highlights the changes in the revised standard, the importance of risk assessment, and the need for reliable control systems to prevent hazardous situations. Additionally, it discusses the relationship between performance levels and safety objectives, emphasizing the need for thorough specification and verification of safety functions.

Uploaded by

Jude Okoye

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

27 views108 pages

04 Iso13849-1 Bg-Etem

Uploaded by

Jude Okoye

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 108

Promoting and Developing

Social Security Worldwide.

Safety-related parts of control systems

ISO 13849-1
Bangalore, India
Pune, India

Klaus-Dieter Becker
BGETEM

www.issa.int

Functional safety, Dipl.-Ing. Klaus-Dieter Becker

Promoting and Developing
Social Security Worldwide.

Overview EN ISO 13849 part 1:

 Scope
 Motivation for the revision of
ENISO 13849-1
 overview over the new concept
 Performance Level
 introduction of the designated
architectures“
 requirements for the safety
related software
 Use of the standard
 Combination SRP/C
 New requirements (revision)

www.issa.int
Promoting and Developing
Social Security Worldwide.

Changing ISO 13849-1:23

content: • Annax A (Riskgraph)
• Annax B (Block method)
• 1 Introduction • Annax C (calculation MTTFD- (values)
• 2 Normative references • Annex D (Simplified method for estimation of
• 3 Terms, definitions and abbreviations MTTFD)
• 4 Overview • Annex E (Estimation of DC)
• 5 Spezification of safety functions • Annex F (Measures against CCF)

• 6 design considerations • Annex G (Systematic failure)

• Annex H (Combinationen SRP/CS)
• 7 Software requirements • Annex I (Examples)
• 8 Verification PL • Annex J (Example of SRESW)
• 9 Ergonomic aspects of design • Annex K (Table PFHD)
• 10 Validation (from part 2) • Annex L EMC immunity
• 11 Maintainability • Annex M Additional information for Spez. of SF
• 12 Technical documentation • Annex N Software-requirements
• 13 Information for use • Anhang O device -Typs 1 to 4

www.issa.int
Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

2. Determination of the required PL (PLr)
3. Category selection for each Subsystem
4. Modeling the safety-related block diagram
5. Determination of reliability at component & structure level
6. Determination of the diagnostic coverage DC
7. Consideration of the CCF
8. Determination of PL (table in Appendix K
9. Verification whether the achieved PL ≥ PLr
10. Implementation of software requirements according to EN ISO 13849-1
paragraph 7
11. Measures to avoid systematic faults
12. Validation

www.issa.int
Promoting and Developing
Social Security Worldwide.

Requirements of control systems

(new regulation machinery, Annex III)
1.2.1 Safety and reliability of control system
Control systems shall be designed and constructed in such a way that:
• they can withstand, where appropriate to the circumstances and
the risks, the intended operating stresses and intended and
unintended external influences, including reasonably foreseeable
malicious attempts from third parties leading to a hazardous
situation;
• a fault in the hardware or the logic of the control system shall not
lead to hazardous situations;
• errors in the control system logic shall not lead to hazardous
situations;

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Requirements of EN 60204-1 clause 9.4.1

Where failures or disturbances in the electrical equipment can

cause a hazardous condition or damage to the machine or to
the work in progress, appropriate measures shall be taken to
minimize the probability of the occurrence of such failures or
disturbances

The required measures and the extent to which they are

implemented, either individually or in combination, depend
on the level of risk associated with the respective application
(see 4.1).

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

criticism to the previously valid EN 954-1

 EN 954-1 has no requirements for complex electronics

and programmable electronic systems
 no causal relationship between categories and risk
reduction
 no requirements for the reliability for the components

Risk reduction =
Category ???

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Situation of the standards

construction and risk assessment

Machinery directive EN ISO 14121
EN ISO 12100

Functional safety for machinery control systems

Design and realisation of safety control systems of machinery

EN 62061/IEC 62061 EN ISO 13849-1/2

Elektric
Hydraulic
Pneumatic
IEC 61508 EN 60204/IEC 204 Mechanic

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Balance between deterministic and probabilistic

EN ISO 13849-1:2023

DIN EN 954-1:1997 DIN EN IEC 61508:2010

deterministic Probabilistic

Well proven
New approach
methods
 Safety functions  Quantification: reliability
and diagnostic
 Risk graph
 Commen cause failture
 Categories
 Software requirements

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Scope :

 Safety related parts of control systems of all kind of machines

independent of the technology and the energy
 elektric,
 hydraulic,
 pneumatic,
 mechanic.

supply safety requirements and an guideline for the design of

 Safety related parts of control systems

and
 Software

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Risk reduction from the safety function carry out by

SRP/CS:
 The strategy for the risk reduction at the machine is given in ISO
12100, clause 6
 For each selected safety function to be carry out by a SRP/CS,
a required performance level (PLr) shall be determined and
documented.
 The contribution does not cover the overall risk of machinery
under control
 By the ENISO 13849-1 can the amount of risk reduction by design
and safeguarding techniques which are realized by control
systems, be assessed

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

goal:

In order that the safety function can be performed by the control

system, the following has to be considered
 Determination of required characteristics of the safety related
part of control systems (SRP/CS) and
 Perform an „Assessment plan “ (Performance Level = PL) for the
control systems
 As the result of the assessment plane (Performance Level = PL) it
is possible to compare the quality of the control systems,
including the software

 PL illustrates the performance of the control systems.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

 Category: Graduation of the safety of control systems in terms

of resistance against faults
 CCF: Common Cause Failure
 PES: Programable electronic systems
 PLr: performance level (PL) in order to achieve the required
risk reduction for each safety function
 PL: Discrete level used to specify the ability of safety related
parts of control systems to perform a safety function under
foreseeable conditions
 MTTFD: mean time to dangerous failure
 DC: measure of the effectiveness of diagnostic
 B10D: number of cycles until 10% of the componets fail
dangeroursly (for pneumatic and electromechanical
components)
 SRP/CS: safety part of control systems

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

The key to success: Performance Level PL

PL: discrete level to specify the ability of safety–related parts of

control systems to perform a safety function under foreseeable
conditions
PL is determined:
 Category (Architecture)
 MTTFD - Mean Time to Dangerous Failure
 DC – Diagnostic coverage (Tests)
 CCF – common cause failure
 Measures against systematic failure
 Software
failures of different items, resulting from a single event,
where these failures are not consequences of each other

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Definition of PL and Relation to SIL

Probability of a Dangerous Failure per Hour

10-4 10-5 10-6 10-7 10-8

EN ISO
310-6
13849-1
PL a b c d e
SIL no special
safety 1 2 3
IEC requirements
61508 Low Risk High Risk
Requirements Requirements

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Performance Level (PL) Max. toleranced failure degree:

a 1 dangerours failure per 10.000 h

b 1 dangerours failure per 30.000 h

c 1 dangerours failure per 100.000 h

d 1 dangerours failure per 1.000.000 h

e 1 dangerours failure per 10.000.000 h

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Priority levels of safety objectives

Avoiding risks
Direct safety technology

Safeguarding risks
Indirect safety technology

Warning of danger points

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Risk assessment  Risk reduction

Rh = Risk before protective measures are applied

Rr = risk reduction required from protective measures

Ra = Actual risk reduction achieved with protective measures

Residual
risk

adequately/
Reduced risk R1SRP/CS R1M risk reduction from protective measures other SRP/CS
solution 1
R2SRP/C carry out by safety related parts of control systems R2M
solution 2

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Requirements according to EN 12100,

EN 1050, EN ISO13849

Identifikation of all hazards

i.e.
assignment to safety function

For each safety function :

Determination of the required
Performance level

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

www.issa.int
Promoting and Developing
Social Security Worldwide.

Functional Safety needs Safety Functions

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

1. Safety requirements specification

term name of the safety function
Triggering event the initiation event that triggers the safety function
Safety reaction What is the safety related reaction
Operation mode the mode(s) of operation during which the safety function is
to be active
PLr the required performance level PLr for each safety function
frequency How often is the safety related function requested
Stopping time the response time for the machine to achieve a safe state
after the demand is made upon the safety function e.g., the
overall system stopping performance (reaction time plus
stopping time) according to ISO 13855
Behaviour by loss of the behaviour of the machine on the loss of power
the power

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

1. Safety requirements specification

term Name of the safety function
priority Is the safety function prior or subordinate to other safety
functions?
Addional safety Does the use of the safety function require further active
function safety functions?
Addional parameters What kind of parameters have to be taken to account?

fault-detecting Which diagnostic measures must be taken into account?

measures
reaction reaction What measures are required for fault detection?
activities

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

1. Specification of each safety function

Determination of the safety function
 emergency stop circuits
 electric interlocking circuits
 prevention of unexpected start up
 muting
 limitation of speed and travel under hold-to-run
control
 throttle valve control on continuous flow driers
 safe stops

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Review of the safety requirement

specification

The safety requirements specification shall be verified

before starting the design, since every other activity is
based on these requirements. The check shall assure
that all safety functions are specified to achieve the
intended risk reduction at the machine.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

2. Determination of the („r“ = required)

Performance Level PLr for each
safety function:
 taking to account exsisting european standards
(e.g. EN ISO 12643)
or
 using risk graf

It will be incooperated:
 severity of injury S
 Frequency and the duration of exposure
 Possibility of avoiding the hazard P

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

2. Determination of the PLr

The Easy Method: Risk Analysis by Risk Graph

Note: In case of no other justification F2 should be chosen,

if the frequency is higher than once per 15 minutes.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

probability of failure： mathematically methods

Reliability block diagrams Fault Tree ?

Reliability Block ?
Markov models

Petri networks
problem：
Markov-Models ?
 partially complicated，for machine designer not reasonable
methods

 difficult determination of the input data

 MTTFD, DC and ß

 so：simplified precedure

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

precalculated architecture: designated architectures

„designated architectures“, typ. Designed

Architectures

 Already precalculated typical structures with

inputs, logic and outputs (I/L/O)

 Conditions by the quantification:

 Mission time 20 years
 Constant failure rates within the mission time

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

„Typical diagramme for failure rate over

time - called a "bathtub curve“  assembly fault
 manufacturing
defect
Normal life  materials fault
Wear out  design fault
maturity
Infant  fatique fracture
mortality  ageing
 wear
 dimples

 operation fault
Thus a component's lifetime can be divided into three periods:  soil particle
 Infant mortality, precocious failures.  service faults
 Useful life, failure rates significantly constant.
 Wear out, wear failures.
Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int
Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

3./4. Design of the safety related block diagram

and determination of the Categories
Principle applied to
Categorie Short description System behaviour achieve safety
By selection of com-
B Control system according to state A fault can lead to the loss ponents and safety
of the art safety principles
Use of well-tried safety principles As described for category
1 B, but with higher reliablity
Checking of safety function by the Possible loss of safety
2 machine control system function between checks
Redundancy with partial fault detec- By structure and de-
tion, as far as practicable according A fault does not lead to the sign of the control
3 to the state of the art loss of safety system
Self-monitoring, faults are detected multiple faults do not lead
4 in time to the loss of safety

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Die EN ISO 13849-1 provides 5 designated

archituctures:

maximum maximum maximum maximum maximum

reachable: reachable: reachable: reachable: reachable:
PL = b PL = c PL = d PL = e PL = e

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Category B

Input Output
I Signal
L Signal
O

 their components, shall be designed, constructed, selected,

assembled and combined in accordance with relevant standards so
that they can withstand the expected influence
 Zero fault tolerance
 Mainly characterised by selection of components
 MTTFD = low to medium

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Example for category B

 Selection of degree of protection

 Correct selection of the cross section
 Selection of cable insulation
 Selection of the colours of indication instrument
 Selection of measures against environments influence
 Selection of protection measures
 Correct dimensioning of motors

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

category 1

Input Output
I Signal
L Signal
O

 Requirements of B shall apply

 Well-tried components and well-tried safety principles shall be used
 Zero fault tolerance but better than category B

 Mainly characterised by selection of components

 MTTFD = high
 Dccav = non

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Example for category 1

Emergency stop

open
Interlocked
safetyguard
enable

close Dangerous
movement initiated
by motor M

Auxiliary relais Power relais

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

 Fault current without

bridge XB
 Stopcontact will be
bypassed

 Fault current with bridge

XB
 The circuit is interrupted
automatically in the event
of an earth fault

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Safety switch according category 1

Safety switch
positive
mechanically
linked contacts

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Example for category 3

Interlocked safetyguard

CC: Current Converter

PLC: Programmable Logic Controller
M: Motor
RS: Rotation Sensor
Switch shown in actuated position

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Example for category 4

Interlocked safetyguard

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Identification of SRP/CS

SRP/CS: Parts of control system what generate

Input signals to safety related output signals

Typical safety function

SRPa iab SRPb ibc SRPc

Input Logic Output

Actuation by hand
Actors
Other signal
Breaks

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Determination of the
logical
Block diagram of
SRP/CS

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Illustration of logical block diagram of different

systems
I1 O1

I2 O2

I1 O1

I2 O2

data from the producer Calculation considering:

e.g.: PFH values ß10D, DCD, structur

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

www.issa.int
Promoting and Developing
Social Security Worldwide.

5. Calculation of MTTFD

Some Definitions: MTTFD

MTTFd: mean value of operation time where a single channel of the
system is expected to have no dangerous failure

denotation range of MTTFD

3 years ≤ MTTFD < 10
low
years
10 years ≤ MTTFd < 30
medium
years
30 years ≤ MTTFd ≤ 100
high
years

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Determination of MTTFD for each channel

For each
channel identification of all safety
separately
relevant components in each channel

Determine for each component the MTTFD-

Values

calculate
the MTTFD value for each channel

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

MTTFD pneumatic & (elekctronic-) mechanical

Components

determination of the components

MTTFD-values

 use manufacturer’s data;

 use methods in Annexes C and D;
 choose ten years.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

MTTFD pneumatic & (elektro-)mechanical Components

Good engineering practices method: Worst Case Werte

For pneumatic, mechanical , electromechanical components,
position switches etc.
• The components are manufactured according to basic and well-tried
safety principles in accordance with ISO 13849-2:2012, or the relevant
standard (see Table C.1) for the design of the component (confirmation
in the data sheet of the component).
• The manufacturer of the component specifies the appropriate
application and operating conditions for the user.
• The design of the SRP/CS fulfils the basic and well-tried safety
principles according to ISO 13849-2:2015, for the implementation and
operation of the component.
assumptions: B10D = 2*B10 (50% dangerous faults)

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

MTTFD pneumatic & (electro-)mechanical components

e.g. pneumatic valves, relays, contactors, position switches,

cam of position switches)
 Determination of the mean cycle of machine
 the manufacturers of these kinds of components only give the
mean number of cycles until ten percent of the components fail
dangerously (B10d).
 method to calculate a MTTFd for components by using B10d:
s
B10D dop ⋅ hop ⋅ 3600
MTTFD = nop = h
0,1⋅ nop tcycle
nop:mean number of annual operations
dop mean operation days per year
hop mean operation hour per day correspond to 10%
Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int
Promoting and Developing
Social Security Worldwide.

Determination of B10D and MTTFD of relais

dop: 240
240 ⋅16 ⋅ 3600 cycles
nop = = 691.200 hop: 16
20 year tcycle: 20

B10D=20000000 for relais

20.000.000
MTTFD = = 289 years
0,1 ⋅ 691.200

According to the standard maximum application time:

T10D = B10D/nop = 28,9 years

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Diagnostic Coverage DC

 ddλ probability of detected dangerous failures

DC =
 λdd + λdu probability of total dangerous failures
Denotation Values of DC
Example:
Dynamic testing of inputs using none DC < 60 %
cyclic testing procedure
low 60 % ≤ DC < 90 %

medium medium 90 % ≤ DC < 99 %

high 99 % ≤ DC

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Other sources for DC-Values

DIN EN ISO 13489-1 list in chart E.1 the efficiency of diagnostic measures
,
Measure Maximum of Comment
Diagnostic coverage

Sensors (process discover low to middle (depends on the depends on the DC for failures
failures) rate of demands)

switch with positive high

mechanically linked
contacts
(plausibility-check)
Actors (redundand switch- middle
off circuit with supervising)

Logic high All parts of the logic asume the

Dynamic Principles change on-off-on in the case of
demand of safety (function)

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Monotoring of relais

Ö S S

Relais without positive mechanically linked

contacts

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Monotoring of relais
Use of well- tried principle and components

Ö S S

EN 50205 04/97 Abs. 4.6.2

Relais with positive mechanically linked contacts Symbol for mechanically

linked contacts

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Monotoring of relais
Opener and closer have always a different mode

Ö S S

EN 50205 04/97 Abs. 4.6.2

Relais without positive mechanically linked
contacts Symbol for mechanically
linked contacts

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Measures for Input devices DC

Cyclic test stimulus by dynamic change of the input signals 90%
Plausibility check, e.g. use of normally open and normally closed mechanicall linked contacts 99%
90% to 99% depending on how often a signal
Cross monitoring of inputs without dynamic test
change is done by the application
Cross monitoring of input signals with dynamic test if short circuits are not detectable (for multiple I/O) 90%

Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical
99%
software monitor of the program flow and detection of static faults and short circuits (for multiple I/O)

Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) 90% to 99% depending on the application
Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical
99%
devices by mechanically linked contact elements)
0 % to 99% depending on the application.This
Fault detection by the process measure alone is no sufficient if the required
performance level is "e"
Monitoring some characteristics of the sensor (response time, range of
60%
analogue signals) e.g. electrical resistance, capacitance

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

The ratio of the test rate (rt) to the request rate of the safety
function (rd) limits the effectively achievable DC:
The maximum DC achievable by the process is limited
rt/rd = 1
to 60%.
The maximum DC achievable by the process is limited
rt/rd = 10
to 90%.
The maximum DC achievable by the process is limited to
rt/rd = 100
99%.
For Category 3 and 4
rt<1/year DC is 0%
rt >=1/year DC is limited to 90%
rt >=1/month DC is limited to 99%

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

How to determine DC using Chart

Identify all Selftests and all

Possibilites for Diagnostic

Withdraw the particular DC-

values
from the charts

Apply the averaging-formula

to determine the general DC

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Determination of the diagnostic value DC

DCSW2=90%

DCK1B=99%

DCPLC=60%

DCCC=90%

CC: Current Converter DCSW1=99%

PLC: Programmable Logic Controller
M: Motor
RS: Rotation Sensor RS
Switch shown in actuated positon

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

DCavg
In PL is only the average value of DCavg taken in account,
weightes and evaluated over all the tests.
Factor for weighting is MTTFd of the tested part:

DC1 DC2 DC N
+ +L+
MTTFD1 MTTFD 2 MTTFDN
DCavg= 1 1 1
+ +L+
MTTFD1 MTTFD 2 MTTFDN

For non-tested parts is DC = 0.

To summerise, all parts without failures-exclusion must be taken in to
account. (failures-exclusion => MTTFD = ∞).

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Determination of DCavg

 DCSW2=90%
 DCK1B=99%
 DCPLC=60%
 DCCC=90%
 DCSW1=99%
0,90 0,99 0,30 0,90 0,99
—— +—— + —— +—— + ——
MTTFDSW2 MTTFDK1B MTTFDPLC MTTFDCC MTTFDK1B
DCDavg = —————————————————————
1 1 1 1 1
—— + —— + —— + —— + ——
MTTFDSW2 MTTFDK1B MTTFDPLC MTTFDCC MTTFDK1B

DCavg of 87,6% in the case all componets have the

same MTTFD value

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

www.issa.int
Promoting and Developing
Social Security Worldwide.

7. Considering of CCF
Measures against Common Cause Failure

Minimum requirement
for CCF

Choose a measure in the chart

Technology Failure of
common
Architecture cause channel2
Application Failure of
Environment channel 1

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Measures against common cause failure

UB
T1 Driver block 1
Canal 1

T2 Driver block 2
Canal 2

output

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Measures against common cause failure

UB
Driver block 1
Canal 1
K1
K1

Driver block
T2
2
Canal 2

Output

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Measures against Common Cause Failure (CCF)

CCF: failures of different part through a common cause

For redundant channel (Cat. 2, 3 and 4) are measures against CCF

required in according to IEC 61508-6,
65 scores or better meets the requirements:

 Separation of signal path 15 Pt

 Diversity 20 Pt
 Design (e.g. protection against over-voltage, over-pressure etc) 15 Pt
 Components used are well-tried 5 Pt
 FMEA 5 Pt
 Competence/Training of the designer 5 Pt
 environmental - EMC 25 Pt
 Others (e.g. shock, temperature 5 Pt

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Separation & segregation

 Proper design of cable trays, piping ways, wiring ducts
 Apply ISO 3313 for hydraulik equipment
 Apply IEC 60204-1 for electrical equipment
 Seperate power cables from signaling cables
 Apply mechanical shielding to piping
 Avoid kinking of hoses
 Use accessories offered by installation material providers

17.10.2023
wwww

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Diversity

 Use of different sensor technollogies

 Use of different modes of actuation
 Use componests of different maufactures but
check of different!!
 Use different techniques for insulating energy

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

design with specified limits

Planung EMC areas within the cabinet

Area 3
Control
Controlsignals

Area 2
Coupling- power-
technic elektronic

Sensor signals
Actor signals
Area 1

Sensorik Power Aktorik

EMC Levels and limits supply

17.10.2023
wwww

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Risk assessment of safely related in accordance of

EN ISO 13849-1:2023:

The following properties are determined:

 Design of an logical diagram (Designated Architecture)
 Mean time to dangerous failure MTTFD,
 Diagnostic Coverage (DC),

failures of different items, resulting from a single event, where

these failures are not consequences of each other
(CCF)： As a last Step the Performance Level PL („actual-
Value“) for each Safety function has to be determinded.

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

www.issa.int
Promoting and Developing
Social Security Worldwide.

8. Determination of PL

Comparision category with PL

PL DC DC
a medium high

SIL
MTTFD b
3y 1
low

c
10y
medium

d 2
30y
high

DC DC DC DC DC
e zero zero low medium Low 3
100y
EN ISO 13849-1 Cat B Cat 1 Cat 2 Cat 3 Cat 4

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Average frequency of dangerous failure per hour )PFH) (1/h) and corresponding performence Level (PL)

MTTFD MTTFD [a] Cat.B DCavg Cat.1 Cat.2 Cat.2 Cat.3 Cat.3
= no DCavg = no DCavg = low DCavg = low DCavg = low DCavg = low

12 9,51 10-6 b 5,84 10-6 b 4,04 10-6 b 2,49 10-7 c 1,04 10-6 c

13 8,78 10-6 b 5,33 10-6 b 3,64 10-6 b 2,23 10-7 c 9,21 10-7 d

15 7,61 10-6 b 4,53 10-7 b 3,01 10-6 b 1,82 10-7 c 7,44 10-7 d

16 7,13 10-6 b 4,21 10-7 b 2,77 10-6 b 1,67 10-7 c 6,76 10-7 d

18 6,34 10-6 b 3,68 10-6 b 2,37 10-6 c 1,41 10-7 c 5,67 10-7 d
medium
20 5,71 10-6 b 3,26 10-6 c 2,06 10-6 c 1,22 10-7 c 4,85 10-7 d

22 5,19 10-6 b 2,93 10-6 c 1,82 10-6 c 1, 07 10-7 c 4,21 10-7 d

24 4,76 10-6 b 2,65 10-6 c 1,62 10-6 c 9,47 10-7 d 3,70 10-7 d

27 4,23 10-6 b 2,32 10-6 c 1,39 10-6 c 8,04 10-7 d 3,10 10-7 d

30 3,80 10-6 b 2,06 10-6 c 1,21 10-6 c 6,94 10-7 d 2,65 10-7 d

33 3,46 10-6 b 1,85 10-6 c 1,06 10-6 c 5,94 10-7 d 2,30 10-7 d

36 3,17 10-6 b 1,67 10-6 c 9,39 10-7 d 5,16 10-7 d 2,01 10-7 d

39 2,93 10-6 c 1,53 10-6 c 8,40 10-7 d 4,53 10-7 d 1,78 10-7 d

43 2,65 10-6 c 1,37 10-6 c 7,34 10-7 d 3,87 10-7 d 1,54 10-7 d

47 2,43 10-6 c 1,24 10-6 c 6,49 10-7 d 3,35 10-7 d 1,34 10-7 d
high 51 2,24 10-6 c 1,13 10-6 c 5,80 10-7 d 2,93 10-7 d 1,19 10-7 d

56 2,04 10-6 c 1,02 10-6 c 5,10 10-7 d 2,52 10-7 d 1,03 10-7 d

62 1,84 10-6 c 9,06 10-7 d 4 ,43 10-7 d 2,13 10-7 d 8,84 10-8 e

68 1,68 10-6 c 8,7 10-7 d 3,90 10-7 d 1,84 10-7 d 7,68 10-8 e

75 1,52 10-6 c 7,31 10-7 d 3,40 10-7 d 1,57 10-7 d 6,62 10-8 e

82 1,39 10-6 c 6,61 10-7 d 3,01 10-7 d 1,35 10-7 d 5,79 10-8 e

91 1,25 10-6 c 6,88 10-7 d 2,61 10-7 d 1,14 10-7 d 4,94 10-8 e

100 1,14 10-6 c 5,28 10 d-7 2,29 10-6 d 1,01 10-7 d 4,29 10-6 e
www.issa.int
Promoting and Developing
Social Security Worldwide.

Steps to performance level

1. Specification of the safety functions

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.
9. Verification of PL

Functional Safety needs Safety Functions

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Observation of Failure, Exclussion of Failure

 as an exception only
 justification in detail is necessary
 listed failures in EN ISO 13849-2
 for new Components the application of FMEA is
necessary as an evidence for exclusion of certains
failure
 consecutive failure consider as single failure
 common cause failure consider as single failure
17.10.2023

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Identification of SRP/CS

SRP/CS: Parts of control system what generate

Input signals to safety related output signals

Typical safety function

SRPa iab SRPb ibc SRPc

Actuation Actors
by hand Breaks
Other signal Input Logic Output

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Combination von SRP/CS

17.10.2023

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Serial combination of SRP/CS

wwww
Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int
Promoting and Developing
Social Security Worldwide.

Serial Combination of SRP/CS

i=n

Σ PFH Di = PFH D1+ …..… + PFH Dn

i=1

N = number of all involved safety functions of the sub systems

PFHi = average probability of an dangerous fault per hour of the each

Subsystem

Functional safety ISO 13849-1, Dipl.-Ing. Klaus-Dieter Becker www.issa.int

Promoting and Developing
Social Security Worldwide.

Combination von SRP/CS

+ +
1,21×10-6 2,65×10-7 1,14×10-6 = 2,62×10-6