A unified, sub-systematic approach to safe machine control
18 December 2012
At some point in the future the functional safety standards EN ISO 13849 (with its Performance Levels, PL) and EN 62061 (with its Safety Integrity Levels, SIL) will merge; a joint technical committee ISO/TC 199 - IEC/TC 44 is currently working on this merger.
At the same time, the German Engineering Federation, Verband Deutscher Maschinen und Anlagenbau (VDMA) has produced a draft document, Functional Safety - Universal Database for safety-related values of components or parts of control system, albeit only in German at the time of writing.
This document could help the merger of the two standards, and provides much needed clarity on the plethora of safety-related data available to designers of safety functions on machines. VDMA’s proposal is to create a common file structure which is readable by all of the functional safety performance calculation tools (such as IFA Sistema or Pilz PAScal).
A sub-systematic approach
It is important to understand that safety functions are essentially engineered systems, which comprise subsystems, and that quantifying either the Performance Level of Safety Integrity Level of the system requires a sub-systematic analysis. The rationale is that any safety function is akin to a ‘safety chain’ made up of links, or subsystems; a chain is only as strong as the weakest link, so if a subsystem fails, the safety function is lost.
When assessing the probability of hardware failure and its potential impact on a safety function, it therefore makes sense to focus attention at the subsystem level. Another term used for subsystem is ‘safety related part of the control system’ or SRP/CS.
Even before the merger of the two standards, it’s clear most engineers tend to favour EN ISO 13849-1. According to this standard, for a safety function to be evaluated each subsystem must be defined in terms of its Category (or structure, either single or dual channel), Diagnostic Coverage ‘DC’ (expressed as percentage of dangerous detected failures over all dangerous failures), average failure rate of all components with the subsystem (Mean Time to Dangerous Failure, MTTFd), and steps taken against common cause failure, ‘CCF’.
Once defined these parameters are then used to determine subsystem performance level (PL) and average probability of dangerous failure per hour (PFHD) from the most useful table in the standard, Table K1 right at the back of EN ISO 13849-1.
For example, a subsystem meeting Category 4, 99 percent diagnostic coverage, with MTTFd of 100 years and a CCF of 65 has a PL e and a PFHD of 2.47 x 10-8. This is the highest PL and lowest PFHD which users of EN ISO 13849-1 can evaluate in Table K1; lower PFHD values with magnitudes in the order of 10-9 only come from pre-certified components, such as safety relays, which the vendor has evaluated.
When it comes to a whole safety function, the highest achievable PL is limited by the lowest PL of all constituent subsystems (the ‘weakest link’ principle), and the PFHD of the safety function is determined by the addition of the PFHD of all subsystems.
The VDMA file structure
In terms of data available to fulfil the above steps, it’s proposed by VDMA that there will be three key device types. The following explains the VDMA file structure when applied to the current standard EN ISO 13849-1:
Type 1 devices are fully certified safety devices which can be viewed as complete subsystems in their own right. Failure rates are independent of operational frequency, and the vendor states internal PL, SILCL, PFHD, Category, and test interval T1.
The vendor has developed the device in accordance with safety standards (e.g. IEC 61508, EN 61496, EN 61800-5-2) and had them certified by an independent Notified Body, to ensure the device can be incorporated into a safety function with the least effort on the user’s part.
Such devices include safety light curtains, RFID coded switches, safety relays, safety PLCs, and safe drives with drive functions such as safe torque off (STO).
Type 2 devices are not necessarily certified like Type 1, however, this does not exclude their use in safety functions provided that vendor’s MTTFd data is available. Since MTTFd is only a part of the story, such devices require the user to do more integration work than with type 1 devices; defining category, diagnostic coverage, and common cause factors.
Once the user has defined these parameters, the PL and a PFHD for the subsystem can be determined using Table K.1. in Annex K of EN ISO 13849-1. The procedure for evaluating the whole system follows. Such devices include non-safety-related electronics (for example, phase detection relays and power monitors), pressure sensors, hydraulic valves, and standard variable speed drives.
Type 3 devices are electromechanical devices, the failure rate of which depend upon operational frequency, where provision of a PL and PFHD, or MTTFd by the vendor is not possible because the device is subject to wear (which is application-related and not known by the vendor). Instead, the vendor supplies B10d data; and if they do not, generic data is available in Table C1 of EN ISO 13849-1.
As in Type 2, Type 3 devices are not necessarily developed according to safety standards but can be used once the MTTFd has been calculated from the known B10d value, and the user-defined average number of annual cycles (nop). The user must also define the selected category, diagnostic coverage, and CCF.
After this, the PL and a PFHD for the subsystem can be determined using Table K1 in Annex K of EN ISO 13849-1. The final evaluation of the whole system then follows. Such devices include contactors, switches, single piloted valves, solenoid device mechanisms, and command devices.
The Types 1-3 devices are described also by VDMA for EN 62061, with some common and some slightly different parameters, but exactly the same increasing level of user integration work required when moving from Type 1 to Type 2 and Type 3.
There is a Type 4, constituting devices for which there is a limiting PL but no PFH, implying that the device acts as a subsystem (like Type 1) and can limit the PL of the safety function (perhaps for internal Category or Diagnostic Coverage reasons to PL d), but for which there is no dangerous failure rate.
No matter which type of devices you use, which standard you use, or which safety calculation software you use, the structure of safety-related data proposed by VDMA makes it abundantly clear where the responsibility for defining specific parameters lies in the design of machine safety functions; it lies on a sliding scale between the component vendors and those using the components.
Opting to use Type 1 devices simplifies matters for the user dramatically, with increasing levels of work involved in Type 2 and Type 3. The author believes this provides the clearest perspective possible, and is one paving stone in the long path to a unified machine-specific functional safety standard for the future.
This technical article was supplied by Pilz Automation Technology
Contact Details and Archive...