Beruflich Dokumente
Kultur Dokumente
– July 2019 –
ISBN: 978-3-86423-232-9
ISSN: 2190-7994
Abstract Kurzfassung
The EN ISO 13849-1 standard, “Safety of machinery – Die Norm DIN EN ISO 13849-1 „Sicherheit von Maschinen
Safety-related parts of control systems”, contains provi- – Sicherheitsbezogene Teile von Steuerungen“ macht Vor-
sions governing the design of such parts. This report is gaben für die Gestaltung von sicherheitsbezogenen Teilen
an update of BGIA Report 2/2008e of the same name. It von Steuerungen. Dieser Report ist eine Aktualisierung
describes the essential subject-matter of the standard in des gleichnamigen BGIA-Reports 2/2008. Er stellt die
its third, revised 2015 edition, and explains its application wesentlichen Inhalte der Norm in ihrer dritten Ausgabe
with reference to numerous examples from the fields of von 2016 vor und erläutert deren Anwendung an zahl
electromechanics, fluidics, electronics and programmable reichen Beispielen aus den Bereichen Elektromechanik,
electronics, including control systems employing mixed Fluidtechnik, Elektronik und programmierbarer Elektro-
technologies. The standard is placed in its context of the nik, darunter auch Steuerungen gemischter Technologie.
essential safety requirements of the Machinery Directive, Der Zusammenhang der Norm mit den grundlegenden
and possible methods for risk assessment are presen- Sicherheitsanforderungen der Maschinenrichtlinie wird
ted. Based upon this information, the report can be used aufgezeigt und mögliche Verfahren zur Risikoabschätzung
to select the required Performance Level PLr for safety werden vorgestellt. Auf der Basis dieser Informationen
functions in control systems. The Performance Level erlaubt der Report die Auswahl des erforderlichen Perfor-
PL which is actually attained is explained in detail. The mance Level PLr für steuerungstechnische Sicherheits-
requirements for attainment of the relevant Performance funktionen. Die Bestimmung des tatsächlich erreichten
Level and its associated Categories, component reliability, Performance Level PL wird detailliert erläutert. Auf die
levels of diagnostic coverage, software safety and measu- Anforderungen zum Erreichen des jeweiligen Performance
res for the prevention of systematic and common-cause Level und seine zugehörigen Kategorien, auf die Bauteil-
failures are all discussed comprehensively. Background zuverlässigkeit, Diagnosedeckungsgrade, Softwaresicher-
information is also provided on implementation of the heit und Maßnahmen gegen systematische Ausfälle sowie
requirements in real-case control systems. Numerous Fehler gemeinsamer Ursache wird im Detail eingegangen.
example circuits show, down to component level, how Hintergrundinformationen zur Umsetzung der Anforde-
Performance Levels a to e can be engineered in the selec- rungen in die steuerungstechnische Praxis ergänzen das
ted technologies with Categories B to 4. The examples Angebot. Zahlreiche Schaltungsbeispiele zeigen bis auf
provide information on the safety principles employed die Ebene der Bauteile hinunter, wie die Performance
and on components with well-tried safety functionality. Level a bis e mit den Kategorien B bis 4 in den jeweiligen
Numerous literature references permit closer study of the Technologien technisch umgesetzt werden können. Sie
examples provided. The report shows how the require- geben dabei Hinweise auf die verwendeten Sicherheits-
ments of EN ISO 13849-1 can be implemented in enginee- prinzipien und sicherheitstechnisch bewährte Bauteile.
ring practice, and thus makes a contribution to consistent Zahlreiche Literaturhinweise dienen einem tieferen Ver-
application and interpretation of the standard at national ständnis der jeweiligen Beispiele. Der Report zeigt, wie
and international level. die Anforderungen der DIN EN ISO 13849-1 in die techni-
sche Praxis umgesetzt werden können, und leistet damit
einen Beitrag zur einheitlichen Anwendung und Interpre-
tation der Norm auf nationaler und internationaler Ebene.
Résumé Resumen
La norme DIN EN ISO 13849-1 « Sécurité des machines – La norma DIN EN ISO 13849-1 «Seguridad de las máqui-
Parties des systèmes de commande relatives à la sécurité nas: partes de los sistemas de mando relativas a la
» définit comment doivent être conçues les parties des seguridad» establece reglas para el diseño de partes de
systèmes de commande relatives à la sécurité. Le présent sistemas de mando relativas a la seguridad. El presente
rapport est une version actualisée du rapport 2/2008 du informe es una actualización del informe del mismo nom-
même nom du BGIA. Il présente les principaux contenus bre del BGIA 2/2008. En él se presentan los contenidos
de la norme dans sa troisième édition de 2015, et en esenciales de la norma en su tercera edición de 2015 y
explique l’application à partir de nombreux exemples pris se explica su aplicación con numerosos ejemplos de los
dans les domaines de l’électromécanique, de la tech- ámbitos de la electromecánica, la tecnología de fluidos,
nique des fluides, de l’électronique et de l’électronique la electrónica y la electrónica programable, incluidos los
programmable, et notamment aussi des systèmes de sistemas de mando de tecnologías mixtas. Se muestra
commande de technologie mixte. Ce texte met en évi- la relación de la norma con los requisitos básicos de
dence le lien entre la norme et les exigences essentielles seguridad de la directiva de maquinaria y se presentan
de sécurité de la directive Machines, et présente des los posibles procedimientos de estimación del riesgo.
procédures possibles permettant d’évaluer les risques. Sobre la base de estas informaciones, el informe permite
Sur la base de ces informations, le rapport permet de seleccionar el nivel de prestaciones requerido (required
sélectionner le niveau de performance PLr nécessaire performance level PLr) para las funciones de seguridad
pour les fonctions relatives à la sécurité des systèmes de los sistemas de mando. Se explica detalladamente
de commande. Il explique aussi en détail la manière de cómo de determinar el nivel de prestaciones PL que se ha
déterminer le niveau de performance PL effectivement alcanzado realmente. Se tratan en detalle los requisitos
atteint. Le rapport traite également en détail des exigen- para lograr el nivel de prestaciones en cuestión y sus
ces à satisfaire pour atteindre le niveau de performance categorías correspondientes, la fiabilidad de los compo-
donné et ses catégories correspondantes, de la fiabilité nentes, los grados de cobertura del diagnóstico, la seguri-
des composants, des taux de couverture de diagnostic, dad del software y las medidas contra fallos sistemáticos
de la sécurité des logiciels et des mesures à prendre con- así como los errores de causa común. La oferta se com-
tre les défaillances systématiques, ainsi que contre les pleta con informaciones de trasfondo para implementar
erreurs de cause commune. Cette offre est complétée par los requisitos en la práctica de la ingeniería de control.
des informations générales concernant la mise en œuvre Numerosos ejemplos de circuitos que abarcan hasta el
des exigences dans la pratique de la technique de com- nivel de sus componentes muestran cómo implementar
mande. De nombreux exemples de circuits allant jusqu’au técnicamente los niveles de prestaciones «a» hasta «e»
niveau des composants montrent comment les niveaux con las categorías B a 4 en las tecnologías correspon-
de performance ‘a’ à ‘e’ avec les catégories B à 4 peuvent dientes. Además, se dan indicaciones sobre los princi-
être réalisés techniquement dans les technologies res- pios de seguridad aplicados y los componentes que han
pectives. Ils fournissent des indications sur les principes demostrado su valía en materia de seguridad. Las nume-
de sécurité utilisés et sur les composants techniques qui rosas referencias bibliográficas tienen por objeto permitir
ont fait leurs preuves en matière de sécurité. De nombreu- entender en mayor profundidad los distintos ejemplos
ses références bibliographiques permettent d’approfondir citados. El informe muestra cómo se pueden implemen-
la compréhension des différents exemples. Montrant tar los requisitos de la norma DIN EN ISO 13849-1 en la
comment les exigences de la norme DIN EN ISO 13849-1 práctica técnica, contribuyendo así a la homogeneidad de
peuvent être mises en œuvre dans la pratique technique, aplicación y de interpretación de la norma a nivel nacio-
le rapport contribue ainsi à ce que la norme soit utilisée et nal e internacional.
interprétée de manière identique, tant au niveau national
qu’international.
Contents
1 Foreword............................................................................................................................................... 9
2 Introduction......................................................................................................................................... 11
9 References........................................................................................................................................ 243
7
Annex A: Examples of risk assessment............................................................................................................... 247
Annex G: What is the significance of the bar chart in Figure 5 of EN ISO 13849-1?............................................... 295
8
1 Foreword
The thoroughly revised version of the EN ISO 13849-1 con- Over the past years, EN ISO 13849-1 has become estab-
trol standard was published nine years ago. BGIA-Report lished worldwide as the definitive standard for machine
2/2008e, “Functional safety of machine controls – Appli- controls, and further practical experience with it has been
cation of DIN EN ISO 13849”, appeared shortly afterwards gathered. The IFA‘s experts have commented in publica-
and like the preceding report published in June 1997 tions of their own upon the essential issues concerning
proved once again to be a best-seller. Since then, over application of this standard, and have discussed their
20,000 orders have been met for copies of the printed opinions on standards committees. The result was the
German version. The number of downloads from the web- publication in 2015 of the third edition of EN ISO 13849-1.
site of the Institute for Occupational Safety and Health of
the German Social Accident Insurance (IFA) is even higher. Now is therefore an appropriate time for a revised IFA
Report on safety-related machine control systems.
With this report and further tools for application of the The team of authors has revised the entire report and
standard – the widely used SISTEMA software application, all examples. The changes to the standard have also
the SISTEMA cookbooks and the disc calculator – the received particular intention and have been interpreted.
IFA has made an important contribution to successful The present document is the English version of the report.
introduction of the new strategies for assessing and
designing the reliability of electronic and programmable This report, and the examples of controls that can be
control systems. This strategy, which gives consideration imported into SISTEMA, provide all stakeholders with
to the probabilities of failure of components, is enshrined straightforward access to the normative methods that
in the IEC 61508 series of basic safety standards and is have now become good practice. The report is intended as
now established in almost all sectors of industry, inclu- a tutorial and a reference work. It is not, of course, a sub
ding machine construction. Not least thanks to the close stitute for the standard itself. However, it contains valu-
involvement of experienced experts at the IFA, the authors able advice, and in particular, experience and guidance
of EN ISO 13849-1 have succeeded in presenting its con- that has already been developed in the field.
tent and developing it further such that it remains practi-
cal in its application, despite the complexity of the sub-
ject-matter. The preceding EN 954 standard with its purely
deterministic requirements has finally been replaced. The Professor Dr Dietmar Reinert
Performance Level is now firmly established in machine Director of the IFA
construction.
9
10
2 Introduction
Since 1 January 1995, all machines placed on the market port the underlying philosophy set out in Annex I of the
within the European Economic Area have been required Machinery Directive for the attainment of occupational
to satisfy the essential requirements of the Machinery safety and health on machines. EN ISO 12100 [3], a Type
Directive [1]. In accordance with Article 2 of this directive, A standard now comprising a single part only, governs
a machine is the assembly of linked parts or components, basic concepts and general principles for design for the
at least one of which moves, with the appropriate actua- safety of machinery. Content of the former EN ISO 14121-1
tors, control and power circuits, etc., joined together for a standard – the full procedure for identifying hazards and
specific application, in particular for the processing, treat- for risk estimation and risk evaluation of each indivi-
ment, moving or packaging of a material. In the amended dual hazard – has also been incorporated into the new
2006/42/EC [2] version of the Machinery Directive, safety EN ISO 12100 [3] standard. In addition to the standards,
components which are independently placed on the mar- the ISO/TR 14121-2:2013 [4] technical report serves as a
ket by manufacturers in order to fulfil a safety function, practical guide to risk assessment, and contains methodi-
the failure and/or malfunction of which endangers the cal examples.
safety of persons, and which are not necessary in order
for the machinery to function or for which normal compo- Based upon the (generic) EN ISO 12100 [3] standard,
nents may be substituted in order for the machinery to the updated EN ISO 13849-1:2015 [5] and EN ISO 13849-
function, are also included under the term “machinery” in 2:2012 [6] series of standards describes the risk reduction
the sense of the directive. The formal definition of “machi- required during the design, structuring and integration
nery” is also satisfied by interchangeable equipment, of safety-related parts of control systems and protective
certain lifting accessories, chains, ropes and webbing. devices, regardless of whether they are electrical, elec-
Detailed explanations of the individual points can be tronic, hydraulic, pneumatic or mechanical in nature.
found in the Guide to application of the Machinery Direc- These standards present a generically applicable system
tive 2006/42/EC [2]. The directive now also applies to of methods for machine controls and/or their protective
incomplete machines. devices. The Performance Levels described in the stan-
dards extend the concept of Categories familiar from
The essential requirements of the Machinery Directive for EN 954-1. The safety architectures can now be employed
the design and construction of machines and safety com- with significantly more flexibility. An essential advan-
ponents can be found in Annex I of the directive. In addi- tage of EN ISO 13849-1 is its treatment of safety-related
tion to general principles for the integration of safety, this parts of control systems independently of the techno-
annex contains dedicated subclauses governing controls logy employed, as has already been mentioned. The
for machines and the requirements placed upon protec- Performance Level enables different control structures
tive devices. The essential safety requirements applicable employing different technologies to be combined easily.
to the design of machines and safety components oblige The standard offers everything needed from a single
manufacturers to conduct a risk assessment in order to source comprising approximately 100 pages. The methods
identify any hazards associated with the machine. Three are formulated neutrally with regard to the specific appli-
principles are stated, in the following order, by which cation or the technology employed, and are therefore
the accident risks associated with each hazard are to be referenced by virtually all product standards for machine
reduced to an acceptable level: safety (generally Type C standards).
• The elimination or reduction of risks by inherently safe With entry into force of the revised 2006/42/EC Machinery
design Directive [2] in December 2009, the harmonized stan-
dard acquired greater importance. This can be attributed
• The taking of necessary measures for protection in rela- principally to the new provision that safety-related logic
tion to risks that cannot be eliminated – also described as the safety-related parts of control
systems – has been included in Annex IV of the directive.
• T he informing of users of the residual risks, particular Annex IV products of this kind are subject to special treat-
training, instruction and personal protective equipment ment under the directive, unless they are manufactured in
accordance with harmonized standards the reference of
Under Article 7, the observance of harmonized Euro- which is listed in the Official Journal.
pean standards the reference of which is listed in the
Official Journal of the European Union (EU) gives rise to a
presumption of conformity with the essential health and
safety requirements of the Machinery Directive. Several
hundred harmonized European standards detail/sup-
11
2 Introduction
On the one hand, Annex IV products are not in principle on relevant national and international standards commit-
subject to compulsory EC type examination1; they can, tees.
for example, be placed on the market on the basis of an
extended manufacturer‘s quality management system Chapter 3 deals with the generic standards governing
assessed by a notified body. However, the new directive functional safety on machines and machinery installati-
resulted in control systems becoming more strongly the ons. Chapter 4 presents an overview of the structure of
focus of the safety analysis [7; 8]. this report with regard to application of EN ISO 13849.
In its third, 2015 edition, EN ISO 13849-1 is the successor The authors hope that this report will be of genuine assis-
standard to EN 954-1:1996 [9], and is already listed in the tance during design and operation activities and will pro-
Official Journal of the EU. The presumption of conformity vide OSH experts with firm support in implementing the
to which the 2008 version gave rise expired on 30 June requirements upon the safety-related parts of control sys-
2016. The three-year transitional period in which EN 954-1 tems. The present interpretation of the standard has been
remained valid in parallel has long expired; users may tested in practice in diverse applications, and the princip-
therefore use this standard, if at all, only by making les underpinning the examples have been implemented
dated reference to individual subclauses of it. Part 2 of in technical form in numerous actual cases.
EN ISO 13849-2 [6] was published in 2012 following revi-
sion. The IFA web page at www.dguv.de/ifa/13849e serves as a
portal for the IFA‘s information on the functional safety of
The purpose of the present revised IFA Report is to machine controls (Figure 2.1). The free SISTEMA software
describe the application of EN ISO 13849 and in particular application (the German acronym “SISTEMA” stands for
its practical implementation with reference to numerous safety of controls on machinery) is available for download
model solutions. Particular attention has been attached from this portal, as are the SISTEMA project files for the
to the presentation and interpretation of the new or circuit examples shown in Chapter 8. Future extensions
revised requirements set out in the third edition of EN are planned to provide up-to-date assistance.
ISO 13849-1. Neither the explanations nor the examples
should be regarded as an official national or European i
comment upon (DIN) EN ISO 13849-1. Rather, the report is For readers already familiar with BGIA Report 2/2008e,
a compilation of thirty-five years‘ experience gained at the a brief summary is provided at the beginning of each
Institute for Occupational Safety and Health of the Ger- chapter of this report of the essential changes with
man Social Accident Insurance (IFA) in the assessment of respect to the BGIA Report 2/2008e.
safety and control equipment employing various forms of
technology, and the institute‘s many years of participation
1 As an alternative to EC type examination, the current Machinery Directive enables the manufacturer to perform his own conformity
assessment procedure in conjunction with internal production monitoring, in areas in which harmonized standards exist.
12
2 Introduction
Figure 2.1:
This website provides links to all practical tools concerning the safety of machine controls
13
14
3 Generic standards concerning the functional safety of machinery
control systems
In addition to EN ISO 13849, which is discussed in this demand or continuous mode of operation, the average
report, alternative generic standards of relevance exist probability of a dangerous failure per hour PFHD4 is eva-
in the area of functional safety2. As shown in Figure 3.1, luated by IEC 62061 (for further information, refer also to
these standards are those of the IEC 61508 series [10], [12]). With certain exceptions, only the second definition
and their sector standard IEC 62061 [11] for the machinery is relevant in the machinery sector and thus in IEC 62061.
industry. Both of these are limited in their scope to electri- The new edition of EN ISO 13849-1 has also adopted this
cal, electronic and programmable electronic systems. definition of the operating mode, and limits the scope of
the standard accordingly. SIL 4 systems with higher risks
A classification system involving “Safety Integrity Levels” are unknown in the area of machinery, and are not there-
(SILs) is set out in IEC 61508 and IEC 62061. The SILs serve fore considered in IEC 62061 (Figure 3.2, see Page 16).
as indicators of the level of safety-related reliability. The
associated values are target failure measures, each com- The essential approach of the standards governing func-
prising a decade3. IEC 61508 distinguishes two different tional safety (IEC 61508 and IEC 62061) developed by the
applications of safety functions: International Electrotechnical Commission (IEC), namely
that of defining probabilities of failure as the characteris-
• Safety functions in low demand mode (max. frequency tic parameter without the specific inclusion of architec-
of demands once per year) tures, initially appears more universal. The approach
of EN ISO 13849-1, however, offers users the facility for
• Safety functions in high demand mode or continuous developing and evaluating safety functions, ranging from
mode a sensor to an actuator (e.g. a valve), under the umbrella
of one standard, even though the functions may involve
In low demand mode, the dimension for the safety is the different technologies. Part 1 of EN ISO 13849 is accompa-
average probability of a dangerous failure of a safety func- nied by a Part 2 with the title of “Validation”. The present
tion at the point in time of the demand: PFDavg. In the high edition, published in 2012, also considers the current
Machinery Process
sector sector Figure 3.1:
Scope of generic
SRP/CS employing standards gover-
• Electrical/electronic/ ning functional
SRECS SIS
programmable safety; SRP/CS:
electronik systems safety-related part
• Hydraulic systems
IEC 62061 IEC 61511 of a control system;
• Pneumatic systems
SRECS: safety-rela-
• Mechanical systems
… ted electrical control
E/E/PE system in the system; SIS: safety
form of instrumented sys-
EN ISO 13849 IEC 61508 • Programmable electrical/ tem; E/E/PE system:
electronic/programmable electrical/electro-
electronic systems nic/programmable
electronic system
2
In this context, functional safety means that potential hazards that arise as a consequence of failures of a control system,
i.e. a malfunction, are dealt with.
3
In addition, deterministic requirements are imposed that must be satisfied in the level concerned.
4
In the second edition of IEC 61508:2010 – but not in its sector standard, IEC 62061 – the PFH was reformulated as the “average
frequency of a dangerous failure of the safety function”. The original abbreviation (PFH) was however retained (without the “D”
suffix in IEC 61508).
15
3 Generic standards concerning the functional safety of machinery control systems
Probability of a dangerous
failure per hour (PFHD)
topics of Part 1. Annexes A to D of Part 2 contain compre- EN ISO 13849-1, as the successor standard to EN 954-1,
hensive material on the subjects of “basic safety prin- attempts the balancing-act of uniting both the determini-
ciples“, “well-tried safety principles”, “well-tried compo- stic approach of the Categories and the aspect of safety
nents” and “fault lists”. Details can be found in Annex C reliability with the definition of the Performance Level (PL)
of the present report. (see also [13]). Numerically, corresponding classes (see
Figure 3.2) exist which permit rapid preliminary estima-
The apparent overlap in regulatory scope of the two tions for practical day-to-day use.
spheres of standardization initially appears unfavoura-
ble to manufacturers of control systems and other users In the sense of the standard, the designated architectures
of standards. Both EN ISO 13849-1 and IEC 62061 are are more an optional facility (simplified approach) than a
harmonized standards under the Machinery Directive. requirement. They should however be regarded as a key
Parts 1 to 4 of IEC 61508 have the status of basic safety element in simplification of the probabilistic approach
standards from the IEC perspective (with the exception of implemented in EN ISO 13849, and their application is
simple systems); this series of standards cannot however one of the tenets of this report. The scope of IEC 62061
be harmonized under the Machinery Directive, even as a indicates that it also covers complex, e.g. programmable
European standard. This situation prompts for example electronics. Although this is correct, the development of
the following questions: “SRECSs” (see Figure 3.1) employing this technology must
nonetheless satisfy the requirements of the standard in
• What standard(s) should be applied for compliance accordance with IEC 61508. The scope for the use of
with the Machinery Directive? SRP/CS developed against the standards originating at
IEC is emphasized by the new edition of EN ISO 13849-1.
• Where they overlap in their scope, do the standards This means that such SRP/CS can be considered equally
yield equivalent results? valid when used for the implementation of safety func-
tions under EN ISO 13849-1.
• Are the classification systems of the standards, such as
Categories, Performance Level (PL) and Safety Integrity Decisive arguments from the point of view of users in the
Level (SIL), compatible? field for selecting EN ISO 13849 as a basis for the imple-
mentation of functional safety in the area of machinery
• Can devices which have been developed in observance may be considered to be the cross-discipline approach
of one of the two standards be employed during imple- with regard to technology, and the simplified approach to
mentation of a safety function in accordance with a quantification with the use of the designated architectu-
different standard? res. This includes the detailed consideration of non-elec-
trical and electromechanical components. Large-volume
For attainment of the greatest possible compatibility producers of a safety component, such as a programma-
with IEC, and if possible to permit merging of the two ble logic controller (PLC) for safety applications, will of
spheres of standardization in the long term and also to course in particular wish to serve other world markets
enable the benefits of the probability approach to be in addition to that of machinery, and will therefore base
exploited without abandonment of the proven Categories,
16
3 Generic standards concerning the functional safety of machinery control systems
their development activity upon IEC 61508 in addition to in 2012. The result of an international survey conducted
EN ISO 13849. during work on ISO/IEC 17305 showed clearly that the
13849 standards predominated in application among
The table previously found in identical form in the intro- machine manufacturers and end users. As shown in
ductions of EN ISO 13849-1 and IEC 62061 for selection Figure 3.3, EN ISO 13849-1 was used by 90%, i.e. the great
of the appropriate standard for the relevant application majority of the 715 persons surveyed. Development of the
has now been deleted from both standards. A guidance planned ISO/IEC 17305 standard was the subject of hea-
document on application of EN ISO 13849-1 and IEC 62061 ted discussion among experts. The protracted discussions
during the design of safety-related machine controls had resulted in the project being at least two years behind
exists, although it has received little attention. As a sector its original schedule. The working group was already
standard of IEC 61508, IEC 62061 naturally describes the aware of the essential need to consider backward compa-
aspect of “management of functional safety” very expli- tibility to EN ISO 13849-1 and IEC 62061. Straightforward
citly. Development and verification of embedded software application of the new standard and retention of existing
to EN ISO 13849-1 is based upon the essential require- methods were explicit objectives. The question whether
ments for safety-related software that are currently stan- a new standard would have met these objectives and
dard practice and are also described in IEC 61508. Broad whether it would have been able to replace the existing
agreement exists however that requirements from the standards cannot be answered. In October 2015,
two standards should not be mixed. The ISO/TR 23849 ISO/TC 199 took the decision to abandon the work on a
guidance document [14] was developed by members of joint standard and to suspend the working group‘s activi-
both standards committees and was published in 2010 by ties. No sooner had the work officially stopped however,
ISO and IEC. Its core messages are: than it became clear that the topic would not rest. Recom-
mendations are therefore to be formulated for whether
• The methods described by the two standards differ, but and if so how a future joint project concerning functional
can attain a comparable level of risk reduction. safety could be conducted jointly by the two standards
organizations. Both standards will be revised in the near
• Activities merging the two standards require adequate future in the course of “routine maintenance”. The results
experience with their application in practice. of the work conducted to date on ISO/IEC 17305 will be
taken up in both standards.
The IEC proposed merging of the two standards to form
an ISO/IEC standard as long ago as 2011, and began work
100
Size of company ≤ 250 employees
90
Size of company > 250 employees
80
Proportion of companies, in %
70
60
50
40
30
Figure 3.3:
20 Standards used by
machine manu-
10 facturers and end
users as revealed by
0 a survey conducted
ne
in 2012/2013 by
1
8
51
5-
9-
06
9-
50
No
94
61
84
84
62
61
13
C
C
IE
IE
IE
O
the merging of
IS
IS
EN
EN
17
4 Report and standard: an overview
• New subclause 4.4 concerning changes arising from 4.1 Identification of safety functions and
the third edition of the standard, 2015 their properties
• Subclause 4.5 (formerly 4.4) concerning future deve- The design and assessment process begins with a well-
lopment of the standard updated tried concept, that of the definition of one or more safety
functions (SFs). The procedure is shown in Figure 4.1 by
blocks 1 to 3, and is described in greater detail in Chap-
This chapter cross-references the further chapters and ter 5. The question to be answered is: in what way do
annexes of this report to the standard. At the same time, the safety-related parts of the control system contribute
it provides an overview of the iterative process for design towards reducing the risk of a hazard on a machine?
yes
Validation: no
7 requirements met?
19
4 Report and standard: an overview
In the first instance, a machine should be constructed is conducted to ascertain whether the required risk
such that it is no longer able to present a hazard in use reduction, the target PLr value (block 6 in Figure 4.1), can
(inherent safety). The second step is then that of reducing be attained by means of the planned implementation
the risk of any hazard that may still arise. This can be (blocks 4 and 5 in Figure 4.1) with the actual PL value.
attained by protective measures, which often comprise The steps of blocks 4 and 5 are described in detail in
a combination of protective equipment and safe control. Chapter 6. Following the tradition of the previous control
In order for these protective measures to attain a defined system reports, Chapter 8 of this report also contains
quality in consideration of the risk, an essential step is a large number of formulated circuit examples for all
that of risk assessment, as required by the Machinery control technologies and each Category. In addition, the
Directive and described in EN ISO 12100 [3]. Protective general descriptions contained in Chapters 5, 6 and 7 are
devices are regarded in the sense of EN ISO 13849-1 accompanied by a comprehensive description of a circuit
(safeguards) together with the safe control as the safety- example (paper cutting guillotine). This provides the
related part of a control system. Together, they execute a developer with an illustrative explanation of the methods
safety function; they may for example prevent unexpected and parameters described below.
start-up when an operator enters a hazard zone. Since
a machine can easily have several safety functions (for Safety-related parts of control systems are able to exert
example for automatic and setup modes), it is important their risk-reducing effect only if the safety function was
for careful consideration to be given to each individual correctly defined from the outset. During the ensuing
hazard and the associated safety function. implementation, quality criteria are applied in the form
of the quality of the components employed (lifetime),
The safety function can be assumed by parts of the their interaction (dimensioning), the effectiveness of
machine control system or by components required in diagnostics (e.g. self-tests) and the fault tolerance of the
addition to it. In both cases, these parts are safety-related structure. These parameters determine the average pro-
parts of control systems. Although the same hardware bability of a dangerous failure per hour (PFHD) and thus
may well be involved in the performance of different the attained PL. EN ISO 13849-1 places the methods by
safety functions, the required quality of the risk reduc- which the PL is calculated at the user‘s discretion. Even
tion for each SF may differ. In the standard, the quality the highly complex Markov modelling method may there-
of the risk reduction is defined by the term “Performance fore be used, subject to the parameters stated above.
Level” (PL). The result of the risk assessment determines The standard, however, describes a much simplified
the level of the PL value required for the safety function. procedure, namely the use of designated architectures
This specification for the design of the control system is with application of a bar chart (see Page 61, Figure 6.10),
described as the “required Performance Level”, PLr. How in which the modelling of the PL is already taken up.
is the PLr obtained? Experts interested in the bar chart‘s derivation will find it
in Annex G.
The risk of a hazard on a machine can be reduced not only
by the control system, but also for example by a guard, The Categories continue to be the basis upon which the
such as a guard door, or by personal protective equip- PL is determined. Their definition remains essentially
ment, such as safety goggles. Once it has been establis- unchanged since the first edition of the standard; since
hed what part is to be played by the protective measures the second edition however, additional requirements
provided by the control system, the required Performance have been imposed upon the component quality and the
Level PLr is determined quickly and directly with the aid of effectiveness of diagnostics. Adequate measures against
a simple decision tree, the “risk graph”. Is the associated common cause failure are required in addition for the
injury irreversible (e.g. death, loss of limbs), or reversible Categories 2, 3 and 4 (see Table 4.1).
(e.g. crushing injuries, which can heal)? Is the operator
present in the danger zone frequently and for long periods Table 6.2 (Page 50) provides a summary of the Catego-
(e.g. more frequently than once every fifteen minutes), or ries. An essential aspect when the proposed simplified
infrequently and briefly? Is the operator still able to avoid calculation method is used is the presentation of the
an accident (e.g. owing to slow machine movements)? Categories as logical block diagrams, termed “designated
These three questions determine the PLr. Details can be architectures”.
found in subclause 5.4, examples in Annex A.
Since the Categories require analysis of the faults (avoi-
4.2 Design and technical implementation of dance and control of failures), additional aspects concern
the safety functions the reliability of the individual components, their failure
modes, and fault detection by automatic diagnostic
Once the requirements upon the safety-related parts measures. Fault lists and safety principles serve here as
of control systems have been defined, they are first a basis (see Annex C). In addition to the traditional FMEA
designed, and then implemented. Finally, a verification (failure mode and effects analysis), EN ISO 13849-1 offers
20
4 Report and standard: an overview
Table 4.1:
Deterministic and probabilistic characteristics of the Categories; probabilistic additions since the second edition of the standard
are highlighted in grey
Feature Category
B 1 2 3 4
Design according to relevant X X X X X
standards; withstand the expected
influence
Basic safety principles X X X X X
Well-tried safety principles X X X X
Well-tried components X
Mean Time to Dangerous Failure – Low to Medium High Low to High Low to High High
MTTFD
Fault detection (tests) X X X
Single-fault tolerance X X
Consideration of fault accumulation X
Average diagnostic coverage – DCavg None None Low to Medium Low to Medium High
Measures against CCF X X X
Characterized primarily by Selection of components Structure
simplified methods of calculation such as the parts count tamination, overtemperature or short circuit, can under
method. Further explanations of this subject can be found certain circumstances give rise to several faults which
in Annex B. may for example simultaneously disable both control
channels. For control of this source of hazard, it must
One of the questions most frequently asked regarding be demonstrated for Category 2, 3 and 4 systems that
the probability of failure concerns the sourcing of reliable adequate measures have been taken against CCF. This is
failure data for the safety-related components, the MTTFD achieved by means of a points system for eight typical,
(mean time to dangerous failure) values. The manufac- for the most part technical counter-measures, with which
turer of the parts or components, i.e. his technical data at least 65 of a possible 100 points must be attained (for
sheet, should be given preference here over all other details, see Annex F).
sources. Many component manufacturers already provide
such data. Even where manufacturers‘ data are not avail The random hardware failures, which can be controlled
able however, typical example values can be obtained by a good structure and by low probability of failure, are
from established databases (such as SN 29500 or accompanied by the broad field of systematic faults –
IEC/TR 62380). The standard and Annex D of this report i.e. faults inherent to the system since its design, such
also list a number of realistic values obtained from the as dimensioning faults, software faults, or logical faults
field, and provide information on modelling in the safety- – against which protection is to be provided by meas
related block diagram. ures for fault avoidance and control. The software faults
account for a large proportion of such faults. Since its
The effectiveness of diagnostics, in the form of the DCavg second edition, the standard has included the requi-
value (average diagnostic coverage), can be determined rements upon the safety-related software; individual
according to the following simple principle: the test meas aspects of them have however long been familiar from
ures that monitor the block are compiled for each block. relevant standards. The actual measures are graded
For each of these test measures, one of four typical DC according to the required PL. Further information can be
values is determined from a table in the standard. An ave- found in subclause 6.1.2 for systematic failures and in
raging formula, which appears complex but is essentially subclause 6.3 for software.
simple, can be used to calculate the DCavg parameter from
it. Further information can be found in subclause 6.2.14 4.3 Verification and validation of the control
and Annex E. system for each safety function
The final parameter, that of the CCF (common cause fai- If the design has already reached an advanced stage by
lure, subclause 6.2.15), is similarly easy to calculate: for the time that the achieved PL is determined, the question
this parameter, it is assumed that a cause, such as con- arises as to whether this PL is sufficient for each safety
21
4 Report and standard: an overview
function executed by the control system. For this purpose, cess with freely available guides to application. These
the PL is compared with the required PLr (see Block 6, guides take the form both of explanatory reference with
Figure 4.1). If the PL attained for a safety function is infe- examples, and of the “SISTEMA” free software program
rior to the required PLr, design improvements on a greater (the acronym stands for “Safety Integrity Software Tool
or lesser scale are required (such as the use of alternative for the Evaluation of Machine Applications”), which sup-
components with a superior MTTFD), until an adequate PL ports calculation and documentation of PLr and PL (see
is ultimately attained. Once this hurdle has been over- Annex H). The series of SISTEMA cookbooks, which has
come, a series of validation steps are necessary. Part 2 of been continually extended, is devoted to particular topics
EN ISO 13849 comes into play at this point. This validation that are relevant during application of the standard. These
process systematically assures that all functional and concern not only SISTEMA itself (the SISTEMA libraries,
performance requirements placed upon the safety-related use of network libraries, “Running several instances
parts of the control system have been attained (see Block of SISTEMA in parallel”), but also the entire process of
7, Figure 4.1). Further details can be found in Chapter 7. design against the standard (“Definition of safety func-
tions”, “From the schematic circuit diagram to the Perfor-
4.4 Changes arising from the third edition of mance Level”, “When the designated architectures don‘t
the standard published in 2015 match”). Finally, the resources include the “Performance
Level Calculator”[16] developed by the IFA. This presents
With Amendment 1, the third edition of the standard the bar chart in the form of a rotating disc by means of
was produced from the second. The amended passages which the PFHD and PL can be determined easily and
primarily serve to improve comprehension and applica- precisely at any time. All further resources and reference –
tion. A detailed overview focusing upon the changes was such as information on the test standards and principles
published by the IFA in 2015 [15]. The essential changes [17] of DGUV Test, the test and certification system of the
include consideration, during specification of the required German Social Accident Insurance – can be found on the
Performance Level (PLr), of the probability of occurrence of IFA‘s website at: www.dguv.de/ifa/13849.
a hazardous event; a new, simplified method for determi-
ning the PL for the output part of the safety-related part of During work on the third edition of EN ISO 13849-1, seve-
the control system (SRP/CS); and a proposal for the hand- ral major work packages were identified that lay outside
ling of requirements for SRESW (safety-related embedded the scope of an amendment. These included, for example,
software) when standard components are used. Table 4.2 thorough revision of the software requirements, in order
shows which main changes have been made in which to improve its suitability for application in practice, and
subclauses of the standard and of the present report. also consistent precision of when “SRP/CS” refers to the
entire control system executing a safety function, and
The example circuits in Chapter 8 of the report have been when to a subsystem that executes only a part of the
thoroughly updated from the 2008 versions based upon safety function. In order for these proposals to be imple-
the above changes to the standard. mented in the longer term, the committee responsible for
the standard decided as early as 2016 , following publica-
4.5 Future development of EN ISO 13849-1 tion of the third edition, to begin work on a revision of the
standard. The IFA will support this activity as it has done
The third edition of EN ISO 13849-1 replaces the previ- effectively in the past, in order for the anticipated results
ous edition without a specific transition period. Since (possibly in the form of a fourth edition of the standard)
the changes – as described in the preceding subclause once again to be prepared for practical application as
– essentially concern additions, updating and improve- described above.
ments, however, the transition from the second to the
third edition of the standard is not generally critical. As
it has done for some time, the IFA is supporting this pro-
22
4 Report and standard: an overview
Table 4.2:
Essential changes in the third edition of the standard and the affected subclauses of the standard and of the present report
23
24
5 Safety functions and their contribution to risk reduction
This Report deals with safety functions and their contribu- 5.2 Risk reduction strategy
tion to reducing risks in hazard zones on machinery. The
design of such safety functions is part of a process for the The risk reduction strategy presented in EN ISO 12100 [3]
design of safe machines. This chapter therefore begins by was adopted in Figure 1 of EN ISO 13849-1 and supple-
addressing the requirements of the Machinery Directive, mented with the aspects detailed in the latter standard
before describing the definition of safety functions and (see Figure 5.1). A risk assessment is first performed. An
their properties. Subclause 5.7 then demonstrates imple- important point is the assumption during the following
mentation with reference to the practical example of a steps that no protective measures have as yet been taken
paper cutting guillotine control. on the machine. Ultimately, the entire risk reduction pro-
cess serves to determine the type and also the “quality”
5.1 Requirements of the EC Machinery of the protective measure/safeguard that is to be imple-
Directive mented.
The EC Machinery Directive [2] has been transposed into The risk reduction process begins with definition of the
German law by the German Product Safety Act (ProdSG), limits of the machine. Besides the space limits and time
and sets out essential health and safety requirements for limits of the machine, attention must be paid in particular
machines. The general provisions of the Machinery Direc- to its use limits. Such limits include the intended use of
tive are supported by standards. Particularly significant the machine (e.g. materials which may permissibly be
in this respect is EN ISO 12100 [3], Safety of machinery machined on it), including all operating modes and the
–General principles for design. The machine designer is various intervention procedures. Reasonably foreseeable
presented with a design method that is suitable for achie- misuse of the machine must also be considered; this
ving machine safety. This method – a strategy for risk includes consideration for the defeating of safeguards.
reduction – includes the design of safety-related parts of
control systems1.
Safety-related parts of control systems are one means by which a safety function is implemented. The starting-point for these
1
systems is the reception of safety-related input signals, for example detection of the position of a guard door by means of a Type 2
position switch, the separate actuator of which is fitted to the door and itself constitutes a safety-related part. Once received, the
signals are processed, leading to generation of an output signal.
25
5 Safety functions and their contribution to risk reduction
Figure 5.1:
Iterative risk reduction process
START
yes
Hazard identification
(see section 5.4a and Annex Ba)
This iterative risk reduction
process shall be carried out
Risk estimation separately for each hazard
(see section 5.5a) under each condition
of use (task).
Risk evaluation
(see section 5.6a)
Are
no
other hazards
generated?
no
no
a
Refers to ISO 12100:2010
b
Refers to ISO 13849-1
26
5 Safety functions and their contribution to risk reduction
The hazards are then identified; all phases of the The objective of the further procedure is to reduce the risk
machine‘s lifetime must be considered in this process. In to an acceptable level. For this purpose, Figure 5.3 shows
addition to automatic mode, particular attention is paid to the proportions of risk reduction with and without safety-
operating modes requiring manual intervention, e.g. for: related parts of a control system. Further information on
the subject of risk can be found in the IFA Manual [19].
• Setting
• Testing 5.2.2 Risk evaluation
• Teaching/programming
• Commissioning Following the risk estimation, a risk evaluation is per-
• Material charging formed in order to determine whether a risk reduction is
• Retrieval of the product necessary. The criteria for adequate risk reduction are
• Troubleshooting and fault clearance specified in EN 12100 [3]:
• Cleaning
• Maintenance • Have all operating conditions and all intervention pro-
cedures been considered?
Further details of this process step can be found in
EN ISO 12100 [3]. A range of methods exist for systematic • Have hazards been eliminated by suitable protective
identification of the hazards; examples can be found measures or the risks reduced to the lowest practicable
in ISO/DTR 14121-2 [4]. Possible hazards are also listed level?
extensively in EN ISO 12100 [3]. Figure 5.2 shows an
excerpt. • Has it been ensured that the measures taken do not
give rise to new hazards?
5.2.1 Risk estimation
• Have the users been sufficiently informed and warned
Once all potential hazards which may be presented by the concerning the residual risks?
machine have been identified, the risk must be estima-
ted for each hazard. The risk associated with a particular • Has it been ensured that the protective measures taken
hazardous situation can be determined from the following do not adversely affect the operators‘ working condi-
risk elements: tions or the usability of the machine?
a) Severity of harm • Are the protective measures taken compatible with one
another?
b) Probability of this harm occurring as a function of:
–– Exposure of a person/of persons to the hazard • Has sufficient consideration been given to the conse-
–– A hazardous event occurring quences that can arise from the use in a non-profes
–– The technical and human possibilities for avoidance sional/non-industrial context of a machine designed for
or limitation of the harm professional/industrial use?
Counter-rotating rollers
27
5 Safety functions and their contribution to risk reduction
low high
Overall risk
presented by the machine
Necessary
minimum risk reduction
Covered by measured
Covered by
Remaining not involving safety-
safety-related parts
residual risk related parts
of control systems
Figure 5.3: of control systems
Risk estimation and
risk reduction
5.3 Identification of the required safety tions are defined that are executed by the SRP/CS (safety-
functions and their properties related parts of control systems) (see Figure 5.4).
28
5 Safety functions and their contribution to risk reduction
The necessary safety functions are defined in considera- g) Stopping of the closing movement controlled by two-
tion of both the application and the hazard. For example, hand operation in the event of intervention in the dan-
if flying debris must be anticipated, a light curtain will ger zone by a second person (initiated by means of a
be an unsuitable solution, and an arrester (guard) will light curtain)
be required. A safety function is therefore a function by
which measures (including measures in the control tech- Compound safety functions are frequently employed, as
nology) reduce the risk presented by a particular hazard to in the example in subclause 5.7. The movement is initi-
an acceptable level. In the absence of relevant provisions ally braked to a halt by the electronic drive, after which
in a Type C standard, the safety functions are defined by a mechanical holding brake is applied. The two tables
the designer of the machine, e.g.: below provide information on possible safety functions.
Table 5.1 summarizes the safety functions according to
a) Controlled stopping of the movement and application subclause 5.1 of EN ISO 13849-1 and adds examples of
of the holding brake in the rest position possible applications. The “emergency stop function” is
also included: though not part of a safeguard, it is used
b) Prevention of a crushing point being caused by for implementation of a complementary protective meas
descending machine parts ure (see subclause 5.5). Table 5.2 shows further safety
functions for safe power drive systems to IEC 61800-5-2
c) Reduction of the power of a cutting laser where the eye (PDS/SR, power drive systems/safety related) [20]. The
is directly exposed scope of this standard includes the safety functions fre-
quently employed for prevention of unexpected start-up
d) Prevention of dropping of the shaft in setup mode (safe torque off, STO), for safe stop SS1 and SS2 and for
safely-limited speed (SLS).
e) Evasion of the robot when a person enters its danger
zone Safety functions for pneumatic drive technology are
described in VDMA Technical Rule 24584 [21].
Table 5.1:
Safety functions described in EN ISO 13849-1
29
5 Safety functions and their contribution to risk reduction
Table 5.2:
Safety functions described in IEC 61800-5-2 (2016 edition) [20]
The manner in which a safety function is executed may • Specification of safety-related parameters, such as the
take very different forms. For this reason, certain characte- maximum permissible speed
ristics must be observed at selection, and specified on a
case-by-case basis. These include: • Required Performance Level PLr
• Use in different operating modes (e.g. automatic mode, Detailed information on the definition of safety functions
setup mode, troubleshooting) can be found in SISTEMA Cookbook 6, “Definition of
safety functions: what is important?” [23].
• Use of different safety functions according to whether
the power supply is available or has failed (see also 5.3.2 Examples in which the definition of the
subclause 4.3 of [22]) safety function has an influence upon
subsequent calculation of the PFHD
• Response(s) to tripping of the safety function
• Response(s) to detection of a fault in the safety function Later chapters will show how the average probability of
a dangerous failure per hour (PFHD) can be calculated for
• Response time a safety function. The foundation for this is however laid
at this stage, with definition of the safety function. By its
• Frequency of actuation nature, the technical implementation of a safety func-
tion determines the type and scale of the components
• Priority, in cases where several safety functions may be required for it. The definition of the safety function thus
active simultaneously has a considerable influence upon determination of the
30
5 Safety functions and their contribution to risk reduction
Example 1:
Safety function “Stopping when the guard door is Drive 1
opened”
Drive 2
When the guard door is opened, a machine operator has
access to a danger zone in which five drives control the
Position monitoring
movements of machine parts. Opening the guard door Logic Drive 3
of guard door
causes all five drives to be brought to a halt as quickly as
possible.
Drive 4
If more than one drive is involved in the hazardous Figure 5.7 shows the functional diagram and blocks of the
movements in the danger zone under consideration, the safety function SF3.
hazards are considered overlapping. If the number of
drives to be considered is too high, the sum of the PFHD Figure 5.7:
values of the individual drives may once again be a total Stopping of the drive when guard door 3 is opened
PFHD that is too high for the required PL of the safety
function. The revised standard makes provision for consi-
Positioning monitoring
deration of overlapping hazards. Accordingly, the hazards of guard door 1
considered in the safety function in question can under
certain circumstances be reduced to discrete hazards, i.e. Positioning monitoring
the hazardous machine movements can be reduced to the of guard door 2
movements of discrete parts of the machine. Whether this
is possible in a given case must be determined during the Positioning monitoring
Logic Drive
of guard door 3
risk assessment. Assistance in this context is provided by
Annex J of the present report and by [24].
Positioning monitoring
of guard door 4
Positioning monitoring
of guard door 5
Possible faults in the electrical system are assigned to the
2
relevant blocks.
31
5 Safety functions and their contribution to risk reduction
Twenty emergency-stop devices are installed on a larger • At what location are persons present at the point in time
machine; when actuated, they bring all 50 drives to a halt under analysis?
as rapidly as possible. What components must be con-
sidered in this case during implementation of the safety • What movements present hazards at the location of the
function? It cannot be predicted which of the emergency- person(s)?
stop devices will be actuated in order to initiate the safety
function. Since the user only ever actuates one emergency • What safeguards initiate the safety function at the point
stop device at any one time, safety functions SF1 to SF20 in time under analysis?
are defined. The location of a person exposed to a hazard
at the time the emergency stop is initiated is not known. 5.4 Determining of the required
Regardless of where this person is located however, not Performance Level PLr
all 50 drives present a hazard. The worst case should
therefore be considered representative for all conceivable A required Performance Level PLr – in technical terms, the
situations. The worst case is determined by the worst desired value – must be specified for each implemented
PFHD, and is therefore partly dependent upon the num- safety function3. The requirements are derived from the
ber of drives in the safety chain that generate hazardous necessary risk reduction. During definition of the risk
movements at the least favourable location, and upon the reduction, consideration must also be given to the likeli-
respective individual PFHD values. The associated block hood and severity of accident, which may not be known.
diagram is shown in Figure 5.8. ISO/TR 14121-2 [4] describes methods for determining
the required scale of the risk reduction. EN ISO 13849-1
The PFHD values of the following blocks must therefore be employs one of these methods, that of the risk graph.
taken into account during subsequent calculation of the
PFHD of the safety function: 5.4.1 Risk graph
• Emergency stop device 03 The diagram in Annex A of the standard leads directly to
• Logic the required Performance Level PLr and is explained below
• Drive 21 (see Figure 5.9). Further examples of determining of the
• Drive 35 PLr can be found in Annex A.
• Drive 47
Figure 5.9:
Figure 5.8: Risk graph for determining the PLr for each safety function
Emergency stop of the entire machine, worst case
Required
· Low Performance
· risk Level PLr
· P1 a
Emergency-stop device 01 Drive 21 F1
· S1 P2 b
Emergency-stop device 02 · Starting P1
· point for F2
P2
P1 c
Emergency-stop device 03 Logic Drive 35
estimation F1
· of the risk P2 d
Emergency-stop device 04 · reduction
S2 P1
· · F2
· Drive 47
P2 e
·
· High
· risk
·
The r (required) suffix indicates that the Performance Level in this case is that required for the safety function (desired value).
3
Validation at a later stage examines whether the PL attained by the actual control system (actual value) is greater than or equal to
the PL. In this context, “greater than” means: PL = e > PL = d > PL = c > PL = b > PL = a
32
5 Safety functions and their contribution to risk reduction
From the starting-point, the following risk parameters are considered for the duration of the hazard exposure in rela-
evaluated4: tion to the overall time for which a machine is in use.
Generally, the severity of injury (parameter S) in a hazard Aspects relevant to definition of this parameter include
zone will be found to vary widely. For the requirements the physical characteristics of a machine, the qualifica-
upon the control system however, only the following dis- tions of the operator, and their possible reaction. If, for
tinction is relevant: example, the machine must be set up whilst running at
limited speed, the parameter P1 will be the correct choice
• S1 – slight (normally reversible injury) at the low acceleration values for setup: with the slow
emergence of the hazards and given sufficient freedom
• S2 – serious (normally irreversible injury or death) of movement, the operator will be able to move out of
the hazard zone. Conversely, P2 must be selected when
The usual consequences of accidents and the normal higher speeds may rapidly be reached and the operator
healing processes must be taken into account for deter has no realistic chance of evading an accident. During this
mining between S1 and S2. evaluation, consideration should be given only to hazard
limitation by physically possible means, and not to limi-
Frequency of and/or exposure to the hazard F1 and F2 tation by control components, since the latter could fail
(parameter F) in the event of a fault. For example, rollers moving in the
direction of the operator‘s hand cannot entrap it under
The frequency of and/or exposure to the hazard are eva fault-free conditions. In the event of a control-system
luated as: fault, however, the direction of rotation could be rever-
sed, and under worst-case conditions, the hand would be
• F1 – seldom to less often, and/or exposure time is short drawn in.
• F2 – frequent to continuous, and/or exposure time is A further factor influencing determining of the PLr is the
long probability of the occurrence of a hazardous event ([3],
5.5.2.3.2). Human behaviour and technical failure may be
Consideration is therefore given both to the number of factors in this context. Both are difficult to estimate nume-
interventions in the danger zone within a period and to rically. The standard states the following example criteria
the duration of presence within it. The standard assists however:
decision-making by stating that where operator interven-
tions occur more frequently than once every 15 minutes, • Reliability data
F2 should be selected. In all other cases, F1 is the cor- • History of accidents on comparable machines
rect choice, provided the duration of hazard exposure
does not exceed 1/20 of the total operation time of the
machine. During evaluation, an average value should be
The probability of a hazardous event occurring is analysed in conjunction with the risk parameter P.
4
33
5 Safety functions and their contribution to risk reduction
Where factors exist that enable the probability of a hazar- • Measures for stopping in an emergency
dous event occurring to be deemed “low”, the PLr may • Reversal of movements
be reduced by one level; it must however not drop below • Isolation and energy dissipation
PL a.
According to the definition, these do not constitute tech-
What reasoning may now be given for a “low” ranking? nical protective measures the implementation of which
Consideration of reliability data refers (among other would require a certain Performance Level. These com-
aspects) to the process-related (i.e. not safety-related) plementary protective measures should however take
control system. The machine manufacturer must there- effect when technical protective measures (guards and/
fore assess for this purpose whether high reliability of or protective devices) have failed or have been defeated.
the components (high MTTF, in this case without “D”) In these cases in particular, an emergency stop function
can also be assumed for his machine. How great is there- for example is expected actually to be serviceable. The
fore the probability for example that a standard PLC for requirements placed by IEC 60204-1 [25] upon control
functional control of a machine will incorrectly initiate circuits and the control functions of machines should
unexpected start-up of a drive? How should new compo- therefore be observed. subclause 9.4, “Control functions
nents be evaluated that have good MTTF values but with in the event of failure”, requires an appropriate level of
which practical experience has not yet been gained? Are safety performance, which must be defined by the risk
the conditions of use of PLCs and associated components evaluation of the machine. Ultimately, the requirements
(sensors, frequency inverters, power supplies, etc.) com- of EN ISO 13849 therefore also apply to these comple-
parable with the usual applications? What are the charac- mentary protective measures. Under no circumstances
teristics of the supply network? Could there be elevated may complementary protective measures influence the
electromagnetic interference at the machine‘s planned function and standard of safeguards.
location of use? What are the prevailing temperatures?
Etc. Factors such as these may increase the probability 5.6 Treatment of legacy machinery
of failure, even if the specified limits of the components
used are not violated. The possibility further exists of Legacy machinery in this context refers to machines that
errors in the software, which of course may also give rise were placed on the market before the Machinery Directive
to hazardous events. came into force. The requirements of the directive were
not applied to these machines. However, its application
Where the incidence and severity of accidents on compa- may become necessary should legacy machines be exten-
rable machines with identical risks, the same operating ded, modified, modernized, etc. In such cases, it must
and safety concept and identical safeguards is known and be assessed whether an essential change has occurred.
is considered low, the probability of a hazardous event Should this be the case, the requirements of the EC
occurring can also be ranked as low. Machinery Directive apply to “old”, i.e. legacy machines
in the same way as to new machinery. These requirements
The PLr reduced as a result of these considerations must include the application of EN ISO 13849. An interpretation
not under any circumstances be lower than that of the paper produced by the German Federal Ministry of Labour
machines considered by way of comparison, since it does and Social Affairs (BMAS) assists in determining whether
not follow from a low incidence and severity of accidents an essential change has occurred [21].
that the level of safety provided by the implemented
safety functions is greater than that required. It cannot be 5.7 Risk reduction with reference to the
predicted whether a reduction of the existing level would example of a paper-cutting guillotine
lead to an unacceptable increase in the incidence and with diverse redundancy in the logic
severity of accidents. control (Category 4 – PL e)
Chapter 6 describes the subsequent design of the safety The example in this subclause illustrates the application
functions. of EN ISO 13849-1 on a paper-cutting guillotine. Only
certain aspects will be considered in detail, and not the
5.5 Complementary protective measures entire process.
The requirements for complementary protective measures Paper-cutting guillotines (see Figure 5.10) are used to cut
are contained in EN ISO 12100 [3], subclause 6.3.5. With stacks of paper sheets or similar materials by means of a
regard to the control technology issues addressed in this knife. The product to be cut is generally placed under the
report, these complementary protective measures parti- knife by hand. Immediately before the cutting action is
cularly include: performed, a clamping bar is lowered at high force onto
34
5 Safety functions and their contribution to risk reduction
ESPE
THC
Figure 5.10:
Paper cutting guillotine with two-hand
control (THC) and electro-sensitive
protective equipment (ESPE)
the stack in order to hold it in place during cutting. The The following operating modes are implemented:
knife and the clamping bar are driven hydraulically.
1. Pressing
5.7.1 Definition of the limits of the machine 2. Manual cutting (single cut)
3. Automatic sequence of cuts (automatic process
Space limits following the first, manual cut)
4. Knife change
Since paper-cutting guillotines are charged manually,
sufficient space is required for the handling of product In the first three operating modes, movement of the clam-
for cutting, onward transport and storage of the cut paper ping bar alone is possible, in order for the line of cut to
stack, and disposal of paper waste, as well as sufficient be indicated. For this purpose, the operator operates a
space for the operator to move. pedal, and is able at the same time to alter the position
of the paper stack with his or her hands within the danger
Time limits zone.
Depending upon the application, the machine may be 5.7.2 Identification of the hazards
used for a period of approximately 20 years. Component
wear may lengthen the time required for a movement to The following mechanical hazards are significant for a
stop. The resulting violation of the overrun must therefore paper-cutting guillotine:
be detected and must result in the machine being stop-
ped. • G1 – crushing by the clamping bar
• G2 – cutting by the knife during the cutting process
Use limits • G3 – cutting by the knife in the rest position
The intended use of the machine is that of cutting s tacked Risk estimation
sheets of paper or similar materials. The machine is
charged manually by a single person. Depending upon The dynamic press force of the clamping bar (hazard G1)
the site of installation and the width of the machine, how- is sufficiently great to cause not only reversible crushing
ever, the presence of other persons in the vicinity cannot injuries, but also broken bones. For hazard G2, amputa-
be excluded. tion of limbs must be assumed. During manual positio-
ning of the paper stack, hazard G3 may lead to injury to
the hands or forearms on the stationary knife. These inju-
ries are however generally reversible.
35
5 Safety functions and their contribution to risk reduction
The operators‘ exposure to hazard is very high, since they 7. The mechanical components for guiding the knife and
regularly (cyclically) intervene manually in the danger the clamping bar are linked such that in its top rest
zone in the course of routine work. position, the knife is shrouded by the clamping bar.
The drop speeds of the clamping bar and knife (hazards 5.7.3 Required safety functions
G1 and G2) are very high, with the result that the operator
has virtually no means of avoiding the hazard. When the In consideration of all operating modes and all manual
knife is stationary (hazard G3), the operator is able to interventions, the following safety functions are required:
avoid or limit harm.
• SF1 – STO (safe torque off), for avoidance of unexpected
The probability of a hazardous event occurring as a result start-up
of technical failure is not known. The incidence and seve-
rity on comparable machines is however low; the safe • SF2 – Controlled location of the operator‘s hands out-
guards implemented here are therefore evidently ade- side the danger zone during a hazardous movement
quate. Should the risk analysis for a safety function yield a
higher PLr than that actually implemented on the compa- • SF3 – Detection of intervention by further persons in the
rable machines, the PLr can in principle be reduced by one danger zone by means of ESPE (electro-sensitive pro-
level. However, since the safety functions on comparable tective equipment), e.g. a light curtain, and immediate
paper-cutting guillotines are achieved with the highest PL, interruption of the cutting operation
a reduction of the PLr will not be possible in this case (see
subclause 5.7.4). • SF4 – Automatic stopping of all movements following
each individual cut or following completion of the auto-
Risk evaluation matic cutting sequence
In consideration of all operating conditions and all possi- • SF5 – Reduction of the dynamic press force for the clam-
bilities for operator intervention, a risk reduction is found ping bar during the “indicate cut” function
to be required.
• SF6 – Automatic return of the clamping bar and knife to
Inherently safe design their initial positions following interruption of a cutting
operation
It is not possible for the dynamic press force of the clam-
ping bar and the energy of the knife to be reduced, as this Note: The principle of overlapping hazards could be
would impair the functionality of the machine. An arrange applied to the machine parts of knife and clamping bar
ment and design of the machine that would prevent the (see subclause 5.3.2). In this case, SF1, SF3, SF4 and SF6
operator from reaching into the danger zone is also not would be divided up such that dedicated safety functions
possible, since this is precisely where the operator must would be defined separately for the knife and the clam-
line up the stack of paper. ping bar. In the present case however, this division is not
made, since owing to the low number of components in
The following measures can however be taken: SF1 to SF6, the required PFHD can still be attained when
these safety functions are grouped.
1. Shrouding of all points of access to the danger zone
except on the operator side. Characteristics of the safety functions
2. Avoidance of sharp edges and corners. The cut must be interrupted immediately should the light
curtain be penetrated. The safety function SF3 therefore
3. Assurance of a suitable working position and accessi- takes priority over SF2. For SF5, the maximum permissible
bility of the controls. force for the clamping bar during the “indicate cut” func-
tion must be specified (see [27]).
4. Ergonomic design of the machine.
5.7.4 Determining of the required
5. Avoidance of electrical hazards. Performance Level PLr
6. Avoidance of hazards presented by the hydraulic The PLr must be determined for each safety function. If
equipment. the situations in which the individual safety functions are
used are analysed, evaluation of the risk parameters S,
F and P is seen to be similar for the safety functions SF1 to
SF6:
36
5 Safety functions and their contribution to risk reduction
• S2 – serious, generally irreversible injury of these machines have already been implemented with
PL e, as specified in [28]. The result of the risk analysis is
• F2 – continuous presence in the danger zone; the fre- therefore confirmed by the situation in practice; a possi-
quency is therefore greater than once every 15 minutes ble reduction in the PLr is not indicated. Figure 5.11 shows
the documentation and risk graph in the SISTEMA soft-
• P2 – evasion of a hazardous situation is virtually impos- ware application for the SF1 safety function.
sible
An adequate risk reduction has been achieved for the
In accordance with the risk graph in Figure 5.9, this hazard G3, “Cutting by the knife in the rest state”, by
evaluation yields a required Performance Level PLr of e. mechanical coupling of the knife and the clamping bar.
The incidence and severity of accidents on comparable A safety function is not required.
machines is low. The safety functions considered here
Figure 5.11:
Documentation and risk graph for SF1
37
5 Safety functions and their contribution to risk reduction
38
6 Design of safe control systems
Changes with respect to the second edition • Raising of the MTTFD capping in Category 4 to
i
(BGIA Report 2/2008e): 2,500 years added in subclause 6.2.13 (FMEA vs. parts
count method).
• Further information added in subclause 6.1.2 (Syste-
matic failures) on application-specific integrated cir- • Explanations of the test rate revised and information
cuits (ASICs), field programmable gate arrays (FPGAs), on components with DC < 60% down to DC = 0% added
programmable logic modules and complex standard in subclause 6.2.14 (diagnostic coverage).
modules. subclause 6.1.3 (Ergonomics) brought into
line with the new 2006/42/EC Machinery Directive. • New subclause 6.2.17 added on alternative determi-
ning of the PFHD for the output part of the SRP/CS in
• Recommendations added to subclause 6.2.5 (Cate- accordance with subclause 4.5.5 of the standard.
gory 2) for interpretation of the requirements for a
Category 2. • The previous subclause 6.2.17 (Bus systems as “inter-
connecting means”) becomes subclause 6.2.18 as a
• Clarification added in subclauses 6.2.5 (Category result.
2) and 6.2.14 (DC) that up to a PLr of c, providing a
warning is a permissible alternative under certain • Subclause 6.3.10 concerning requirements for SRESW
circumstances to initiation of a safe state. In addition, for standard components brought into line with the
testing immediately upon demand of the safety func- new subclause 4.6.2 of the standard. Reference to IFA
tion added as an alternative to testing being at least Report 2/2016 concerning safety-related application
100 times as frequent as the demand of the safety software for machinery also added.
function. If the safety function is tested only 25 times
as frequently as a demand is made upon it, this can • Summation of PFHD values stated as the new standard
be estimated on the safe side by multiplication of the procedure in subclause 6.4 (Combination of SRP/CSs
PFHD with the factor of 1.1. In addition, the requirement as subsystems); tabular method for downgrading of the
for the quality of the test equipment in Category 2 now PL according to the number of subsystems degraded to
refers to the MTTFD of the test channel (instead of only the status of an alternative solution for the event that
of the “TE” block) in relation to the MTTFD of the func- PFHD values are not available for subsystems.
tional channel (instead of only of the “L” block).
• Example of the paper-cutting guillotine in subclause
• “Encapsulated subsystem” introduced in subclauses 6.5 updated.
6.2.9 and 6.4.
• References to SISTEMA Cookbooks 1, 4 and 6 as sour-
ces of further information added.
39
6 Design of safe control systems
For
each Evaluation of PL for SRP/CSs concerning
SF 5 category, MTTFD, DCavg, CCF
40
6 Design of safe control systems
Non-safety-related parts
6.1.1 Design and development process in the machine's life cycle must therefore be considered
during identification of the safety functions and defini-
The objective of each activity during the design and inte tion of their characteristics. In order for this process to be
gration of the safety-related parts of control systems organized as comprehensibly and verifiably as possible,
(scope of the standard) is the development and use as safety functions are first specified. SISTEMA Cookbook
intended of products that are as free of faults as possible 6 [23] addresses this topic in detail: “Definition of the
and that satisfy the requirements. The objective is after safety functions: what is important?”. An SRP/CS that is
all the health of human beings and the avoidance of acci- not developed for a specific machine control system –
dents. The motto for the design and development process examples include light curtains or safety PLCs – therefore
must therefore be: “Structured and well documented”. requires a particularly precise description of their charac-
teristic data and their interfaces in order for proper use to
The process of risk reduction in accordance with be assured.
EN ISO 12100 [3] must be geared to the entire life
cycle of a machine, as shown in Figure 6.3. Although The life cycle of the SRP/CS begins with specification of
EN ISO 13849-1 contains no explicit provision to this the safety functions. Besides particular aspects of various
effect, the concept of the life cycle must also be taken up safety functions, EN ISO 13849-1 also lists general aspects
during design and integration of one or more SRP/CSs, that are a minimum requirement in such a specification.
in order for the activities to be structured appropriately.
The description of the standard in Chapter 4 also shows A specification of this kind sets out, at the beginning of
clearly that the iterative process described in the standard the design process, the framework for all parties involved.
for the design of the safety-related parts of control sys- It constitutes a set of requirements specifications; in no
tems is a process subdivided into individual phases. As way is it a product specification produced post-develop-
can be seen in Figure 6.3, the validation phase is charac- ment. A safety function is implemented by the SRP/CS
terized by structured procedures of its own. These will be that is part of the machine control system and that pos-
discussed in greater detail in Chapter 7. Structuring into sesses interfaces to further SRP/CSs and to the functional
life-cycle phases is characterized very comprehensively control system. A specification must therefore be drawn
by the V model employed during development of safety- up. Box 6.1 (Page 43) shows a general arrangement tem-
related software; this is explained in subclause 6.3. For plate for a specification of the safety requirements. The
example, although the maintenance phase is not expli- arrangement also includes the specification of the safety
citly addressed by the design process for the SRP/CS, it functions. This arrangement template refers to the SRP/CS
is taken into account by the required content of the infor that executes the entire safety function. Where the
mation for use. SRP/CS takes the form of subsystems, the specification
must be suitably adapted.
Since an SRP/CS constitutes parts of a machine, requi-
rements in virtually any phase of the machine's life cycle
may also have an influence upon an SRP/CS. All phases
41
6 Design of safe control systems
Figure 6.3:
Life cycles of machines and SRP/CS
Construction
Use:
- Set-up, teaching-in/programming
Transport, assembly and installation and/or process changeover
- Operation
- Cleaning
Commissioning - Maintenance
- Troubleshooting
risk reduction to
EN ISO 12100 System Integration
design tests
Start
Is analysis no
yes sufficient?
yes
Testing
Validate: no
(Section 7.1.6)
Requirements met? Safety functions
(Section 7.3)
42
6 Design of safe control systems
4 Safety functions (information applies to each safety function; see also Table 4 in [23])
– Description of the function (“input – logic – output“) including all functional characteristics (refer also to
Tables 5.1 and 5.2)
– Activation/deactivation conditions or events (e.g. operating modes of the machine)
– Behaviour of the machine when the safety function is triggered
– Conditions to be observed for re-starting
– Performance criteria/performance data
– Process (timing behaviour) of the safety function, including response time
– Frequency of actuation (i.e. demand rate), recovery time following demand
– Other data
– Adjustable parameters (where implemented)
– Classification and assignment of priorities in the event of simultaneous demand upon and processing of
multiple safety functions
– Behaviour in the event of a power failure
– Functional concept for separation or independence/freedom of reciprocal action from non-safety functions
and further safety functions
43
6 Design of safe control systems
5.6 Behaviour of the SRP/CS in the event of component failures and faults (achieving and maintenance of the
safe state), including timing behaviour
5.7 Failure modes of components, modules or blocks that are to be considered; where applicable, reasoning for
fault exclusions
5.8 Concept for implementation of the detection and control of random and systematic failures (self-tests, test
circuits, monitoring arrangements, comparisons, plausibility tests, fault detection by the process, etc.)
5.9 Quantitative aspects
5.9.1 Target values for MTTFD and DCavg
5.9.2 Switching frequency of components subject to wear
5.9.3 Frequency of measures for fault detection
5.9.4 Mission time, where different from the assumption upon which the designated architecture is based
(20 years)
5.10 Operating and limit data (operating and storage temperature range, humidity class, IP degree of protection,
values for resistance to shock/vibration, EMC values, supply data with tolerances, etc.) (IP = ingress protec-
tion; EMC = electromagnetic compatibility)
5.11 Generic standards to be applied for design (for the equipment, for protection against electric shock/
hazardous shock currents, for resistance to environmental conditions, etc.)
5.12 Technical and organizational measures for protected access to safety-related parameters and to SRP/CS
characteristics (protection against tampering, access protection, program/data protection) and for protection
against unauthorized operation (key switch, code, etc.), for example in non-standard operating modes
5.13 General technical requirements and organizational framework for commissioning, testing and acceptance,
and for maintenance and repair
In order to be valid, such a specification must be veri- for machines required in accordance with the European
fied prior to the next design step. Verification primarily Machinery Directive 2006/42/EC [2].
concerns completeness, correctness, intelligibility and
freedom from contradictions. It is clearly advantageous 6.1.2 Systematic failures
for verification to be performed, for example by way of an
inspection, by a party not involved in the project. If safety- In contrast to random component failures, systematic
related software is employed, this safety requirements failures have causes that can be eliminated only by modi-
specification must form the basis for a dedicated software fication for example of the design, the manufacturing
specification (see subclause 6.3.2). process, the operating methods or the documentation.
They arise at some point in the life cycle of a product, for
The specification is the first document to be created in example as a result of errors in the specification or the
the procedure for the design of the SRP/CS. The docu- design, or during modification of the SRP/CS. The imple-
mentation is of great importance in the interests of veri- mentation of multi-channel structures and analysis of the
fiable development. It must be considered that the task probability of component failures are important elements
of updating a product may lie with a party other than the in the design of safety technology. Should fundamental
original designer. Details concerning the necessary docu- aspects not be considered, even the most favourable
mentation in the context of the iterative design process of figures for the probability of failure are of no benefit. If, for
the SRP/CS can be found in subclause 6.3.8 concerning example, a product is not used correctly or is used in the
software, and in subclauses 7.1.4 ff. The reader is remin- wrong environment, a risk of systematic failure may exist.
ded at this point that the documents must be unambi- This fact is addressed by EN ISO 13849-1 in conjunction
guously identifiable; version management is therefore with Part 2, when it requires that possible systematic
essential. The contents of the information for use are ulti- failures also be considered for attainment of a PL. Essen-
mately of major importance for the proper implementa- tially, it can be said that many of the basic and well-tried
tion of safety functions. EN ISO 13849-1, Clause 11 lists the safety principles are already effective in preventing syste-
minimum items of information that must be included in matic failures (see Annex C). These principles, which sup-
the information for use. The content of the manufacturer's plement Annex G of the standard, should be considered
internal technical documentation for the SRP/CS is listed in accordance with EN ISO 13849-2.
in clause 10 of the standard. Requirements concerning
the documentation are also set out in legislation. Box The informative Annex G of the standard contains a list of
6.2 shows the content of the technical documentation measures, and therefore indirectly also of influences that
are to be considered. The measures are divided into those
44
6 Design of safe control systems
Box 6.2: Technical documentation for machines: excerpt from the Machinery Directive (2006/42/EC), Annex VII, A
for the avoidance of failures (G.3 and G.4) and those for lopment techniques and measures for the avoidance of
their control (G.2). Figure 6.4 provides an overview. The systematic failures.
measures for the avoidance of failures must be effective
throughout all phases of a product's lifetime, and are Particular care must be taken where complex standard
addressed accordingly to some degree in Chapter 7 of components are used. Should software be involved, the
this report, under the aspect of validation. Although not standard provides relevant information; refer in this con-
stated explicitly, appropriate care must be taken not text to subclause 6.3.10 of the present report. Manufactu-
least during modifications, troubleshooting and main- rers of standard components take only limited measures
tenance. It is during these phases in particular that the for fault avoidance in a safety context. The user must
details of development are not (or are no longer) evident. therefore concentrate on the measures for the control
Conversely, measures for the control of failures must be of systematic failures. Should for example two standard
implemented within a product, and take full effect during PLCs be used in two-channel structures, an overvoltage
operation. Besides basic requirements, the standard also in the power supply could give rise to a systematic failure
lists measures for selection, one or more of which are to despite redundancy (including diverse redundancy).
be applied in consideration of the complexity of the Systematic failure can be prevented in such cases only
SRP/CS and of the PL (marked “in addition” in Figure 6.4). by additional measures.The astute reader of this report
may wonder in what way these measures differ from those
Most of the measures are explained briefly in the stan- against common cause failure (CCF, see subclause 6.2.15).
dard. Attention is drawn to the fact that in the day-to-day Common cause failures are of course also to be regar-
activities of the IFA, diversity is assumed to be of major ded as systematic failures. The analysis of CCF however
benefit in general, and not only as shown for hardware in addresses only structures that are multi-channel in form
Figure 6.4 (see Page 46). Refer in this context also to the or that at least possess test equipment (Categories 2, 3
information in subclause 6.3.10 concerning the require- and 4). A further difference is the “attempt” to consider
ments upon software. CCF aspects numerically (quantitatively); by contrast, the
analysis described in Annex G of the standard is purely
Should application-specific integrated circuits (ASICs), qualitative. Given adequate measures against systematic
field programmable gate arrays (FPGAs), programmable failures in accordance with Annex G of the standard and
logic modules or similar be used, attention is drawn to observance of basic and well-tried safety principles, it
Annex F of IEC 61508-2:2010, which lists design and deve-
45
6 Design of safe control systems
Figure 6.4:
Measures against systematic failures in accordance with Annex G of the standard
Causes
Measures for the avoidance of failures
of systematic failures Suitable materials and suitable manufacturing methods
Correct dimensioning and geometry
·
–
Following commissioning, e.g.:
Power failure/fluctuation
Measures for the control of failures
De-energization principle
– Environmental influences Design for the control of voltage influences
– Wear, overload Design for the control of environmental influences
would not appear particularly difficult to satisfy the systematic failures – and in some cases even as operating
requirements for measures against common cause failure states – that must be controlled by the SRP/CS such that
(CCF). the safe state is achieved and/or maintained. Since its
third edition, the standard proposes that different safety
Three examples will show that actual requirements may functions be provided for these scenarios:
indeed vary according to application and technology, and
that the general requirements may therefore also require a) Where power is available
interpretation on occasion. b) Where power is not available
46
6 Design of safe control systems
such as stresses, durability, abrasion, wear, corrosion This requirement is illustrated well by the example of
and temperature, and the consideration of highly effective the development of application software. The most far-
filtration of the compressed air and the removal of solids reaching form of separation between standard applica-
and water. The requirements upon hydraulic components tion software and safety-related application software
are specified in a similar manner in Tables C.1 and C.2. (SRASW, see subclause 6.3) is of course for them to be
Here too, attention must be paid to “sufficient avoidance written with separate programming systems (engineering
of contamination of the fluid” and “correct dimensioning suites) and run on separate PLCs. For economic reasons in
and shaping”. particular, however, it is desirable for the entire applica-
tion software to be written by means of a single program-
Greater resistance to operating movement may neverthe ming system, possibly in the same engineering process.
less arise in fluid power components that are operated Numerous aspects must however be considered when
infrequently, owing to their design features (gap between this approach is followed. These include the requirement
the valving element and the enclosure): that safety-related variables, results or outputs must not
be overwritten by non-safety-related parts of software
• On pneumatic valves with soft seals that remain in the (program, function block, function/instruction, etc.).
same switching position for a longer period, the seals Links between the two environments are permissible,
may swell owing to chemical influences caused by the but only with the observance of specified conventions.
lubricant (oil with additives in the compressed air, int- One such convention is that safety-related signals and
roduced by the compressor, lubricator, or lubrication for functions must always retain priority: linking by means of
life), or the lubricating film may collapse under the pres- an OR operation, for example, is not permitted under any
sure of the seal edge, resulting in increased resistance circumstances. Modern software development tools sup-
to operation. port such approaches, and specified functions and rules
with automatic checking have been implemented in their
• On hydraulic valves, silting may occur when the valve editors and compilers. Errors in logic operations, which
remains in the same switching position for a longer may have an effect only in unpredictable operational situ-
period. In this case, fine dirt particles are deposited in ations and which may not be detectable with reasonable
the sealing gap between switching cycles, causing the effort during acceptance/commissioning, can thus be
valving element to stick. prevented in a user-friendly manner.
For these reasons, a high force surplus (e.g. spring force) This does not mean that the designer is spared a com-
must generally be engineered for return of the valving ele- plete analysis of the influence exerted by functional
ment to the “safety-oriented switching position”. On non- standard components of a control system upon its safety-
mechanical springs, retention of the reset function must related parts (including the influence of the safety-related
be assured by suitable measures. In addition, the effects functions upon each other); the analysis of where (tech-
described above must be prevented by cyclical switching, nically) and how (functionally) such influences may arise
to which the standard now refers. Failures caused by the is however considerably simplified and accelerated by the
absence of switching are to be prevented by suitable swit- use of the development tools referred to above. The even
ching cycles/test cycles at intervals for example of less more pertinent question, namely how to eliminate (avoid
than eight hours. or control) influences that are detected, may not even
arise.
Example 3:
Separation of safety-related and non-safety-related 6.1.3 Ergonomics
functions
Annex I, subclause 1.1.6 of the European 2006/42/EC
Standards governing functional safety generally address Machinery Directive requires requires manufacturers of
the separation of safety-related functions from other machines to reduce, at the design stage of the machine,
(non-safety-related) functions. EN ISO 13849-2 is one the discomfort, fatigue and psychological stress faced by
such example, regarding this separation for example as a the operator to the greatest possible extent, taking into
well-tried safety principle for electrical systems under the account ergonomic principles. This therefore also applies
heading “Minimise possibility of faults”. This requirement to the interfaces between operators of a machine/ins-
applies to both hardware and software. At the same time, tallation and the SRP/CS. These interfaces include both
there may be reasons why complete separation is disad- the safeguards themselves, such as a guard door with
vantageous. In such cases, clearly defined functional and position switch, and the operation of a safety function, for
technical interfaces must at least be implemented that example by means of pushbuttons or even by a software
enable influences upon the safety-related part to be avoi- display interface suitable for this purpose. A machine-
ded and/or controlled. determined work rate and monitoring that requires
lengthy concentration are also to be avoided.
47
6 Design of safe control systems
The importance of ergonomic principles for the SRP/CS, more precise methods; the method is, however, suitable
and the fact that the design of a machine does not always for practical application even by non-mathematicians,
take account of all cases of intended use or foreseeable and the procedure is largely transparent and therefore
misuse of the SRP/CS, is demonstrated by the HVBG verifiable. This simplified method is presented below
report on the defeating of protective devices on machi- in detail, both in general terms and with reference to a
nery [29]. Resources and further information on the sub- calculated practical example (see subclause 6.5). Further
ject of defeating can be found on the www.stop-defeating. details on selected specific subjects can be found in the
org website. annexes.
EN ISO 13849-1 therefore requires that ergonomic prin- 6.2.1 Designated architectures...
ciples be applied, and lists a number of useful standards
for this purpose in subclause 4.8. In order for designers The structure or architecture of a safety-related control
of machines to be able to check the design of the human- system determines its tolerance of faults, and constitutes
machine interface of the SRP/CS, the IFA has drawn up the framework upon which all other quantifiable aspects
a checklist for ergonomic machine design. In February are based, by which the PL of the safety-related parts
2018, this checklist was updated together with further of control systems is ultimately formed. The experience
documents in the form of DGUV Informative publication gained by the IFA in conjunction with industry since 1985
209-068/069 (formerly BGI/GUV-I 5048-1/2) [30]. Among confirms that the greater part of all implemented controls
the subjects addressed more specifically are: manually can be assigned to a very small number of basic types
operated actuators; keyboards, (keypad) keys and input of safety-related control systems (or to combinations of
devices; displays; visual danger signals; and the soft- these basic types, see below). These types are: at one end
ware ergonomics of user interfaces. VDI/VDE guideline of the spectrum, the single-channel untested system with
3850 [31] for example serves as an aid to the user-friendly components of differing reliability; in the middle of the
design of user interfaces for machines. spectrum, the same type, but enhanced by testing; and
at the other end, the two-channel systems featuring high-
6.2 Quantification of the probability of quality testing. Systems with more than two channels and
failure other “exotic” structures are extremely rare in machine
construction, and the simplified method is of only limi-
The numerical quantification of the probability of f ailure ted use for their assessment. Even where more than two
required by the standard for determining of the PL, often channels are present, however, it is generally sufficient
referred to (including in other standards) simply as for the two most reliable channels to be considered in
“quantification”, can strictly speaking never be attained order for the PL to be estimated with sufficient precision
exactly, but only by approximation with the aid of statis- by means of the simplified method involving designated
tical methods or other estimations. The main influencing architectures. Systems employing more than two chan-
variables that must be considered during this process nels are not therefore considered in EN ISO 13849-1.
of determination are stated; the method by which the SISTEMA Cookbook 4 [32] provides support in some of
probability of failure is actually determined from them these cases: “When the designated architectures don't
is however at the user's discretion. Any validated and match”. In addition to the “horizontal” division into dif-
recognized method can be used for this purpose. Such ferent functional or test channels, a “vertical” division
methods include reliability block diagrams, fault tree into a sensor level (input devices, “I”), a processing level
analysis, Markov modelling or Petri nets. Depending upon (logic, “L”) and an actuator level (output devices, “O”) is
who determines the probability of failure, i.e. the manu- generally also advantageous.
facturer of the control system, the user of the machine, or
a test body, preferences for and experience with different Continuity is assured, fully intentionally, to the Categories
methods may differ. For this reason, any suitable method set out in EN 954-1, which are established in the machine
is explicitly permitted in this context. construction industry and in the associated standards.
In accordance with this system, EN 954-1 defines five
At the same time, parties lacking prior experience in structures as Categories. EN ISO 13849-1 supplements
quantification of the probability of failure require some the former Category definition slightly with quantitative
degree of support in the use of EN ISO 13849-1. This requirements for the component reliability (MTTFD), the
need was addressed by the development of a simplified diagnostic coverage of tests (DCavg) and the resistance
approach which, whilst being based upon sound scien- to common cause failures (CCF). In addition, it maps the
tific principles (Markov modelling), describes a simple Categories to five basic structural types, termed “desig-
method for quantification in successive steps. At certain nated architectures”. The same Categories may still take
points, the description makes estimates erring on the different structural forms; the generalization which their
safe side which could result in a higher figure for the pro- mapping to the associated designated architecture repre-
bability of failure being estimated than that yielded by sents is still permissible as an approximation within the
48
6 Design of safe control systems
simplified approach, however. The number of “vertical” 3 and 4, the occurrence of a single fault does not result
blocks (input, logic, output) in a channel is for example in loss of the safety function. In Category 4, and where
generally of little relevance to determination of the PL reasonably practicable also in Category 3, such faults are
from a mathematical and safety technology perspective. detected automatically. In addition, the resistance to an
accumulation of undetected faults is also assured in Cate-
Where more complex safety functions are involved, it may gory 4.
no longer be possible to map the entire safety chain to
any single one of the five basic types. In this case, the Consideration of the faults must include an assessment of
solution is generally for the safety chain to be broken what component faults may be assumed, and what faults
down into several subclauses (“subsystems”), each of may (with reasoning) be excluded. Information on the
which can be mapped to a particular designated architec- faults to be considered is provided in Annex C.
ture. The method by which these subsystems are then
recomposed and an overall value determined from the In Categories 3 and 4, common cause failures capable of
individual Performance Levels is explained in greater causing simultaneous failure of more than one channel
detail in subclause 6.4. The following information relates must also be adequately controlled. The same applies to
to control systems (SRP/CS) that can be assigned to a Category 2, since the test equipment and its dedicated
Category without being broken down into subsystems. It shut-off path also constitute a second channel. Essen
can however be applied by analogy to subsystems that tially, it can be said that many of the basic and well-tried
perform only a part of a safety function. safety principles are effective not only against random
hardware failures, but also against systematic faults that
6.2.2 ... and Categories may creep into the product at some point in the product
life cycle, e.g. faults arising during product design or
The Categories classify safety-related parts of a control modification.
system (SRP/CS) with respect to their resistance to faults
and their subsequent behaviour in the fault condition, 6.2.3 Category B
based upon the reliability of the parts and/or their struc-
tural arrangement (see Table 6.2, see Page 50). A higher The SRP/CS must be designed, constructed, selected,
resistance to faults translates into a greater possible risk assembled and combined for the intended application in
reduction. For definition of the probability of failure and accordance with the relevant standards with application
of the PL, the Categories therefore form the backbone, of the basic safety principles in such a way that they can
complemented by the component reliability (MTTFD), the resist:
tests (DCavg), and the resistance to common cause failures
(CCF). • The expected operating stresses (e.g. reliability with
respect to breaking capacity and frequency)
Category B is the basic Category, the requirements of
which must also be met in all other Categories. In Catego- • The influence of the processed material (e.g. aggressive
ries B and 1, the resistance to faults is attained primarily chemical substances, dusts, chips)
by the selection and use of suitable components. The
safety function may be rendered ineffective by the occur- • Other relevant external influences (e.g. mechanical
rence of a fault. Category 1 has a greater resistance to vibration, electromagnetic interference, interruptions or
faults than Category B owing to the use of special compo- disturbances in the power supply)
nents and principles that are well-tried for safety applica-
tions. With regard to electromagnetic compatibility (EMC),
the standard refers to particular requirements stated in
In Categories 2, 3 and 4, superior performance in terms of the relevant product standards, such as IEC 61800-3 for
the specified safety function is attained primarily by struc- power drive systems. It emphasizes the importance of the
tural measures. In Category 2, performance of the safety requirements for immunity to interference in particular
function is generally checked automatically at regular for the functional safety of the SRP/CS. Where no pro-
intervals by self-tests performed by technical test equip- duct standard exists, the requirements of IEC 61000-6-2
ment (TE). The safety function may fail however should a concerning immunity to interference should at least be
fault arise between the test phases. By appropriate selec- observed. Annex K contains a detailed description of EMC
tion of the test intervals, a suitable risk reduction can and functional safety of machinery.
be attained with application of Category 2. In Categories
49
6 Design of safe control systems
Table 6.2:
Summary of the requirements for Categories; the three right-hand columns show the essential changes from the Category
definition in the first edition of the standard (EN 954-1)
Cate Summary of the requirements System behaviour Principle for MTTFD DCavg CCF
gory attainment of of each
safety channel
B SRP/CS and/or their protective The occurrence of a Mainly Low to None Not
equipment, as well as their compo- fault can lead to the characterized Medium relevant
nents, shall be designed, construc- loss of the safety by selection of
ted, selected, assembled and com- function. components
bined in accordance with relevant
standards so that they can with-
stand the expected influence. Basic
safety principles shall be used.
1 Requirements of B shall apply. Well- The occurrence of a Mainly High None Not
tried components and well-tried fault can lead to the characterized relevant
safety principles shall be used. loss of the safety func- by selection of
tion but the probability components
of occurrence is lower
than for Category B.
2 Requirements of B and the use of The occurrence of a Mainly Low to At least Measures
well-tried safety principles shall fault can lead to the characterized High Low required,
apply. Safety function shall be loss of the safety by structure see Annex F
checked at suitable intervals by the function between the
machine control system (see Section checks. The loss of the
6.2.14). safety function is detec-
ted by the check.
3 Requirements of B and the use of When a single fault oc- Mainly Low to At least Measures
well-tried safety principles shall curs, the safety function characterized High Low required,
apply. Safety-related parts shall be is always performed. by structure see Annex F
designed so that: Some, but not all,
• a single fault in any of these parts faults will be detected.
does not lead to the loss of the Accumulation of unde-
safety function, and tected faults can lead
to the loss of the safety
• whenever reasonably practicable,
function.
the single fault is detected.
4 Requirements of B and the use of When a single fault oc- Mainly High High Measures
well-tried safety principles shall curs, the safety function characterized including required,
apply. Safety-related parts shall be is always performed. by structure accumulation see Annex F
designed so that: Detection of accumula- of faults
• a single fault in any of these parts ted faults reduces the
does not lead to the loss of the probability of the loss
safety function, and of the safety function
• a single fault is detected at or (high DCavg). The faults
before the next demand upon will be detected in time
to prevent the loss of
the safety function, but that if
the safety function.
this detection is not possible, an
accumulation of undetected faults
shall not lead to the loss of the
safety function.
These general principles can be presented, both in gene- addition for the technology concerned. Since Category B
ral terms and with regard to specific technologies, in the is the basic Category underlying all other Categories (see
basic safety principles listed in Annex C. The general basic Table 6.2), the basic safety principles must be applied
safety principles apply in full here to all technologies, generically during the design of safety-related parts of
whereas the technology-specific principles are required in control systems and/or safeguards.
50
6 Design of safe control systems
For components that satisfy Category B, no further special The well-tried property of a component is dependent upon
safety measures are required. The MTTFD of each chan- its application, and indicates only that a dangerous failure
nel may therefore be low or medium (see below for the is improbable. It follows that the anticipated dangerous
definition of “low” and “medium”). Should a component failure rate is greater than zero, and is considered in the
failure occur, it may lead to loss of the safety function. form of the MTTFD during calculation of the PL. Conversely,
No monitoring measures, including DCavg, are required. the assumption of a fault exclusion (see subclause 6.2.10)
Common cause failures are also not relevant on single- gives rise to assumption of an “infinitely high” MTTFD that
channel control systems; no requirements therefore exist is not considered in the calculation.
with regard to CCF.
Owing to the expected higher component reliability, the
Owing to this very rudimentary resistance to failure, the MTTFD of the single channel in Category 1 must be high; as
maximum attainable PL of Category B systems is limited in Category B, however, no requirements are placed upon
to PL b. the DCavg and CCF. The occurrence of a fault can lead to the
loss of the safety function. The MTTFD of the channel in
The designated architecture for Category B in Figure 6.5 Category 1 is however greater than that in Category B. In
corresponds to a single-channel system with input (I), consequence, loss of the safety function is less probable,
logic (L) and output (O) levels. and the maximum PL that can be attained with Category 1
is PL c.
Figure 6.5:
Designated architecture for Category B and Category 1 The designated architecture for Category 1 is the same as
for Category B (see Figure 6.5), since the differences lie in
the component reliability and not in the structure.
II LL O
O
Input Logic Output
Eingang Logik Ausgang 6.2.5 Category 2
Interconnection
In addition to the requirements for Category B (e.g. the
application of basic safety principles), Category 2 SRP/CS
6.2.4 Category 1 must employ well-tried safety principles and be designed
such that their safety functions are tested at reasonable
In addition to satisfying the requirements for Category B, intervals, for example by the machine control system. The
for example the application of basic safety principles, safety function(s) must be tested:
Category 1 SRP/CS must be designed and constructed
using well-tried components and well-tried safety prin • at start-up of the machine, and
ciples.
• prior to initiation of any hazardous situation, e.g. the
A well-tried component for a safety-related application is start of a new cycle, start of other movements, as soon
a component that has been either as the safety function is required, and/or periodically
during operation, where the risk assessment and the
• widely used in the past with successful results in similar form of operation indicate that this is necessary.
applications, or
These tests can be initiated automatically. Each test of the
• made and verified using principles that demonstrate its safety function(s) must either:
suitability and reliability for safety-related applications.
• permit operation, if no faults have been detected, or
Annex C provides an overview of known components
employing a range of technologies that are well-tried for • should a fault have been detected, generate an output
safety applications. for the initiation of appropriate control action (OTE).
Newly developed components and safety principles may As a general rule, and always where PLr = d, the output
be considered as equivalent to “well-tried” when they (OTE) must initiate a safe state that is maintained until
fulfil the second condition stated above. The decision to the fault has been eliminated. Up to PLr = c, when initia-
accept a particular component as well-tried depends on tion of a safe state is not practicable (for example owing
the application. Complex electronic components, such as to welding of the contacts of the final switching device),
programmable logic controllers (PLCs), microprocessors a sufficient alternative may be for the output of the test
or application-specific integrated circuits (ASICs) cannot equipment (OTE) to provide only a warning.
generally be considered as equivalent to “well-tried”.
51
6 Design of safe control systems
For the designated architecture of Category 2 (Figure 6.6), attain in practice with external test equipment, undetec-
calculation of the MTTFD and DCavg considers only the ted first faults may result in loss of the safety function. For
blocks of the functional channel (i.e. I, L and O). When the these reasons, the maximum PL that can be attained with
simplified method in the standard is used, the MTTFD of Category 2 is limited to PL d.
the blocks of the test channel (i.e. TE and OTE) is consi
dered indirectly, since this method requires the MTTFD of Interpretation of the requirements for a Category 2 pre-
the test channel to be at least half the MTTFD of the func- sents certain difficulties that can sometimes only be deci-
tional channel. Values from “low” to “high” are permitted ded on a case-by-case basis. The following recommenda-
for the MTTFD of the functional channel. The DCavg must be tions can be made in this respect:
at least “low”. Adequate measures against CCF must also
be applied (see subclause 6.2.15 and Annex F). • The standard requires testing of the safety function.
Should this not be possible for all components, Cate-
Figure 6.6: gory 2 cannot be applied (Note 1 in EN ISO 13849-1:2015,
Designated architecture for Category 2; dashed lines indicate subclause 6.2.5). It thus follows that all components of
reasonably practicable fault detection the functional channel must be tested. The functional
channel encompasses all components that can cause
failure of the safety function by at least one failure
II LL O
O mode. The standard specifies at least a low DCavg for the
Input
Eingang Logic
Logik Ausgang
Output functional channel.
52
6 Design of safe control systems
• a single fault does not result in loss of the safety func- Monitoring
tion, and Cross monitoring
53
6 Design of safe control systems
“blocks” has a defined meaning of its own in this con- Figure 6.9:
text. It refers to function blocks only in the sense that the General example of a safety-related block diagram; I1 and O1
safety function is executed in smaller units arranged in constitute the first channel (series arrangement), whilst I2, L
series and in parallel. The following rules can be stated and O2 constitute the second (series arrangement); the safety
for mapping of the hardware structure to a safety-related function is performed redundantly with both channels (parallel
block diagram: arrangement); T is used only for testing
• The blocks should map, in abstract form, all control I1 O1 Series arrangement
Parallel
components that relate to performance of the safety SB1
arrangement
function. I2
I2 LL O2
O2 Series arrangement
54
6 Design of safe control systems
include the implementation of external diagnostics. It is limited here to low PLs; refer for example to Table D.8 of
presented in the safety-related block diagram at subsys- EN ISO 13849-2 and Annex D of the present report. If fault
tem level in single-channel form as a circle within a block exclusion applies, failure rates (MTTFD) and monitoring
(see subsystem “SB1” in Figure 6.9). It contributes to measures (DC) need not be considered for such compo-
quantification of the PL only through its parameters PFHD nents.
and PL; statement of the Category is merely informative.
6.2.11 Mean time to dangerous
6.2.10 Fault considerations and fault exclusion failure – MTTFD
In a real-case control system, there is no limit whatsoever The reliability of the individual components from which
to the number of theoretically possible faults. Evaluation the control system is constructed makes a decisive con-
must therefore be limited to the faults that are relevant. tribution to its overall reliability. The MTTFD (mean time
Certain faults can be excluded if the following points are to dangerous failure) is thus also considered in the PL as
considered: a reliability value. It is clear that “failure” in this context
refers to component defects that result in the implemen-
• The technical improbability of their occurrence (a proba- ted function not or no longer being performed. The other
bility that is several orders of magnitude lower than that parts of the term require explanation, however:
of other possible faults and the risk reduction that is to
be attained) • “Mean” indicates that the value is a statistical mean: it
does not refer to a specific component, but is defined
• Generally accepted technical experience, irrespective of as an anticipated value for the mean lifetime of the typi-
the application under consideration cal component. In this context, the anticipated value for
an individual component can be considered equal to
• The technical requirements relating to the application the mean value of a large number of components of the
and to the specific hazard same type. The value is not therefore a guaranteed mini-
mum lifetime in the sense of failure-free period. This
The component faults that may occur and those that can approach employing a mean value is also reflected in
be excluded are described in EN ISO 13849-2. The fol- the fact that the lifetime values are not normally adap-
lowing points must be observed: ted to the conditions of use (e.g. load, temperature,
climate), provided the components are employed within
• The fault lists constitute a selection only. Where neces- the conditions of use specified for them. It is generally
sary, new fault models must therefore be created (for assumed here that the higher load in one application
example for new components), or further fault types of a device is averaged out by a lower load in another
considered, depending upon the application. This can application. Should higher loads be anticipated in all
be determined for example by means of an FMEA. applications (e.g. owing to extreme temperatures), how-
ever, these conditions must be considered when the
• Secondary faults are evaluated as a single fault together MTTFD is determined.
with the initial fault giving rise to them, as are multiple
faults with a common cause (CCF, common cause fail • “Time” indicates that the reliability is expressed in
ures). terms of a time in the sense of a lifetime. The MTTFD is
generally indicated in years (abbreviated “a”). Other
• The simultaneous incidence of two or more faults diffe- forms of notation that may be converted to an MTTFD
ring in their cause is considered extremely unlikely, and include failure rates or (switching) cycles. Failure rates
need not therefore be taken into account. are generally indicated by the small Greek letter λ
(lambda) and expressed in the unit “FIT” (= 10-9/h, i.e.
Further information on fault exclusion can be found in failures per billion component hours). The relation-
Annex C and in Part 2 of EN ISO 13849. Should faults be ship between λD and MTTFD is expressed, at a constant
excluded without the reason for exclusion being imme- failure rate λD over the lifetime, as MTTFD = 1/λD. The
diately apparent (such as the peeling-off of tracks on a conversion from hours to years must of course be con-
properly dimensioned circuit-board layout), precise rea sidered. For components that wear primarily as a result
soning must be stated in the technical documentation. of their mechanical operation, the reliability is usually
expressed in switching cycles, for example as a B10D
Provided the relevant conditions are met, fault exclusions value, i.e. the mean number of cycles until 10% of the
are also possible for components, for example for the components fail dangerously. The MTTFD can be calcula-
electrical break contacts and the mechanical actuation ted in this case by consideration of the mean number of
of electromechanical position switches or emergency operations per year nop that are anticipated in the appli-
stop devices. The validity of fault exclusions may be cation concerned. For more details, refer to Annex D.
55
6 Design of safe control systems
• “Dangerous” indicates that only failures that impair for mechanical, hydraulic and electronic components,
performance of the safety function are ultimately consi the standard also contains B10D values for pneumatic and
dered for the PL (unsafe failure). By contrast, safe failu- electromechanical components. Details are described in
res may well cause the safe state to be assumed (opera- Annex D.
ting inhibition) or reduce the availability or productivity
of a machine, but the safety function is nevertheless A convenient source of reliability data for components
executed properly, or the safe state initiated/maintai- intended for use in safety-oriented control systems are
ned. In redundant structures, however, the “dangerous” the large number of available SISTEMA libraries (see
attribute refers to each individual channel. Should a Annex H). These contain MTTFD or B10D values for elements
failure in one channel result in the safety function being and components, and PL and PFHD values for entire sub-
rendered inoperative, the failure concerned is conside- systems.
red dangerous, even where a further channel is still able
to perform the safety function successfully. 6.2.13 FMEA versus the parts count method
An MTTFD may be stated both for an individual compo- Once the MTTFD values of all safety-related components
nent, such as a transistor, valve or contactor, and for a have been obtained, certain simple rules can be used to
block, a channel, or the control system as a whole. This calculate the MTTFD value of the control system from them.
overall MTTFD represents the value for a channel, possibly A number of methods can be used for this purpose: com-
symmetrized over several channels, and is based upon plex, with the use of a precise failure mode and effects
the MTTFD of all components involved in the SRP/CS. In analysis (FMEA), or fast and simple by means of the parts
accordance with the bottom-up principle, the unit under count method, involving minor estimations erring on the
consideration is successively enlarged. In the interests safe side. This begins with the small difference between
of minimizing effort, it is often advantageous only for MTTF and MTTFD: what proportion of failures of a certain
safety-related components to be considered in the ana- component are dangerous? All conceivable failure modes
lysis, i.e. components the failure of which could have an can be listed in a complex FMEA, evaluated as either
indirect or direct negative influence upon performance “safe” or “dangerous”, and the fraction of their occur-
of the safety function. For simplification purposes, fault rence estimated. Since the effects of a component failure
exclusions are possible in addition; these take account upon the block determine whether the failure mode is
of the fact that certain failures are extremely improbable safe or dangerous, detailed analyses of the effect caused
and their contribution to the overall reliability negligibly by a failure may be necessary. A greater number of failure
small. The assumption of fault exclusions is however modes may then prove to be “safe” than is the case with a
subject to certain conditions; these are set out in detail simplified assessment, as proposed by EN ISO 13849-1: if
in EN ISO 13849-2 and described more comprehensively the parts count method is used, its conservative approach
in subclause 6.2.10. Conductor short circuits or certain assumes that overall, the safe and dangerous failures are
mechanical failures can for example be excluded on the similar in number. In the absence of more detailed infor-
basis of the design, provided certain conditions are met. mation, the MTTFD is therefore always assumed with this
method to be double the MTTF.
6.2.12 Data sources for individual components
Once again, the principle is that of the statistical mean,
One of the questions most frequently posed in this con- i.e. an excessively favourable evaluation of one compo-
text concerns the sourcing of reliable failure data for the nent is cancelled out by an overly pessimistic evaluation
safety-related components. The manufacturer, and for of another. It is quite possible for the parts count method
example his technical data sheet, should be given prefe- and an FMEA to be combined. Where the values produced
rence here over all other sources. Many manufacturers, by a parts count alone yield a sufficiently low PFH, an
for example of electromechanical or pneumatic com- FMEA need not be performed. Should this not be the case,
ponents, now make such information available. Where however, a study of the failure modes is advantageous,
data are not available from the manufacturer, typical for example by means of a partial FMEA, particularly on
example values can still be obtained from established the components exhibiting poorer MTTFD values. Further
databases (see Annex D). Such sources do not generally explanations of this subject can be found in Annex B.
distinguish between dangerous and safe failures; it can
however be assumed as a general approximation that on As with other methods of quantification, evaluation to
average, only half of all failures are dangerous. With con- EN ISO 13849-1 assumes a constant failure rate through
sideration for the problem of obtaining reliability values, out the mission time of the component for all MTTFD
EN ISO 13849-1 lists a number of typical values. These values. Even if this does not directly reflect the failure
are however very conservative estimates, and their use is behaviour, as for example in the case of components
therefore recommended only if the data sources indica- subject to heavy wear, an approximate MTTFD value that
ted above are not available. In addition to MTTFD values remains valid throughout the component's mission time
56
6 Design of safe control systems
is nevertheless determined in this way by an estima- would of course be to take the lower value; results that
tion erring on the safe side. Early failures are generally are better whilst still being safe are however produced by
disregarded, since components exhibiting pronounced the following averaging formula (C1 and C2 refer here to
early failure patterns do not satisfy the availability the two channels, which are symmetrized):
requirements for a machine control system and are there-
fore not generally significant on the market. The advan-
⎠
⎟ ⎞
⎟
tage of this procedure is that the MTTFD is always equal to 2 1
MTTFD = MTTFDC1 + MTTFDC2 − (2)
the reciprocal of the associated dangerous failure rate λD. 3 1
+
1
Since the dangerous failure rates λD of the components in MTTFDC1 MTTFDC2
⎞
⎠
a block can simply be added together, the MTTFD values
of the components involved (N components with running
index i) give rise to the MTTFD of the block as follows: Where the channels concerned are balanced, the MTTFD
value calculated in this way corresponds to the MTTFD
N 1 N 1 value of one channel. Where they are imbalanced, the
λD = Σ λDi bzw. = Σ (1)
i=1
MTTFD i=1
MTTFDi result is an average MTTFD than can be no less than two-
thirds of the better value. In this scenario, the effect may
arise in addition that the better value was previously
The same relationship applies to calculation of the MTTFD capped to an MTTFD of 100 years (2,500 years in the case
of each channel from the MTTFD values of the associated of Category 4), and as a result the symmetrized value
blocks. Once the MTTFD for each channel is known, a is less than 100 years (2,500 years for Category 4). It is
further simplification is made in the form of a classifica- therefore generally more effective to implement channels
tion. The calculated values are assigned to three typical of balanced reliability wherever possible. Irrespective of
classes (Table 6.3). the number and form of the channels, this method always
produces an MTTFD value for a single control channel
Table 6.3: which, averaged over the control system, indicates the
Classification of the MTTFD of each channel level of component reliability.
57
6 Design of safe control systems
Σλ DD
Σλ
DD
be considered with which a demand is made upon the
DC = = (3) safety function, in order to ensure an adequate test
Σλ DD
+ Σ λDU ΣλD rate, as described in the next point.
The method favoured by EN ISO 13849-1 is based upon a • A further aspect is the question of the necessary test
reasoned conservative estimate of the DC directly on the rate. A test that is not executed sufficiently frequently
component or block level, followed by calculation of the may under certain circumstances be overtaken by the
DCavg from the individual DC values by means of an avera- incidence of a hazardous event, and may therefore
ging formula. Many tests can be classified as typical stan- create a false sense of safety. As a rule of thumb, the
dard measures for which estimated DC values are listed test rate is always in competition with other frequen-
in Annex E of the standard. These measures are assigned cies; for this reason, a generic adequate frequency can-
a coarse system comprising four key values (0%, 60%, not be stated. Furthermore, tests have the function of
90% and 99%). A comprehensive list of the typical test revealing not only random but also systematic failures.
measures stated in the standard can be found in Annex E.
Application is explained with reference to the example of On Category 2 single-channel tested systems, the test
the control system of a paper-cutting guillotine (see sub- must be passed before a demand is next made upon
clause 6.5). the safety function, i.e. before a potential hazard arises.
In this scenario, the test rate is therefore in competition
A number of boundary conditions must be observed for with the frequency of the demand of the safety function.
calculation of the DC of a component or block: In this case, a factor of 100 is considered sufficient, i.e.
a test rate that is at least 100 times the mean demand
• Detection of a dangerous failure is only the beginning. rate upon the safety function. By contrast, down to a
In order for the test to be passed, a safe state that pre- factor of 25, the maximum increase in the probability of
sents no further hazard must be initiated in time. This failure is approximately 10% (refer also to subclause 4
includes an effective shut-off path, which for example in in [32]). Below this level, the synchronization of demand
the case of single-channel tested systems (Category 2) and testing essentially determines whether testing even
entails a requirement for a second shut-off element. takes effect. Should, in single-channel tested systems,
This is required in order to initiate and maintain the the test be executed simultaneously with the demand
safe state when the test has detected failure of the nor- of the safety function and so quickly that the safe state
mal shut-off element (block “O” on the safety-related is attained before a hazard arises, no conditions are
block diagram). Only where the risk is low (up to PLr = c) imposed upon the frequency of testing. (This applies
and when initiation of a safe state is not possible (for – with reference to the recommendations stated below
example owing to welding of the contacts of the final for the test rate in two-channel systems – provided at
switching device) may it be sufficient in Category 2 for least one demand per year can be assumed.) A special
the output of the test equipment (OTE) only to provide example of this is continuous testing (e.g. analogue
a warning. overvoltage/undervoltage monitoring), for which the
requirements for the test rate are always met when the
• The initiation of a test, its performance, and the neces- safe state is attained sufficiently swiftly.
sary shut-off process should ideally be performed
automatically by SRP/CS. Only in exceptional cases is In two-channel Category 3 and 4 systems, the test rate
it acceptable to rely here upon manual intervention, for is in competition with the frequency of incidence of
example by the machine operator, since experience in a second dangerous failure, since only if the second
practice shows that the necessary measures are often channel fails before a test has detected the failure of
not adequately implemented, whether out of idleness, the first channel does a danger exist of the safety func-
or owing to pressure of work or poor information or tion not being executed. As per the definition, Category
organization. Effective implementation of manual tests 4 systems even tolerate the accumulation of undetected
involves greater involvement in the work process, or faults. In practice, a range of recommendations exist for
greater organizational effort and discipline. Calculation the minimum necessary test rate in Categories 3 and 4.
of the DC nonetheless takes account of fault detection
when a demand is made upon the safety function, i.e. IEC 61800-5-2 [20] governing the safety of electrical
consideration is not limited to tests initiated automati- power drive systems considers the following minimum
cally by programmable electronics; electromechanical diagnostic test frequencies acceptable for the case in
components such as relays or contactors constitute which testing cannot be performed without interruption
classic cases in which the fault of a “failure to drop of the machine's working cycle and in which no reaso-
out” can typically be detected only when a demand is nable technical solution can be implemented: one test
made upon the safety function. Where faults are to be per year for PL d with Category 3, one test every three
detected in the event of a demand, the frequency must
58
6 Design of safe control systems
months for PL e with Category 3, and one test per day for of the PL by means of the bar chart – that was set out
PL e in Category 4. during calculation of the “Category 2 bars”: in this case,
the dangerous failure rate of the test channel should
In EN ISO 14119 [35] and a “Recommendation for Use” be no more than twice the dangerous failure rate of the
by the notified test bodies in the machinery sector [36], functional channel that it monitors.
an automatic or manual test is required at the following
intervals for electromechanical outputs (relays or con- • The effectiveness of a given test measure, for example
tactors): at least once per month for PL e with Category fault detection by the process, may depend heavily
3 or 4 and at least once every twelve months for PL d upon the application, and can vary anywhere between
with Category 3. The test should preferably be perfor- 0 and 99%. Particular care must be taken here during
med automatically; alternatively, the test interval may selection of one of the DC key values. Further explana-
be monitored automatically. Only in exceptional cases tions can be found in Annex E.
should it be assured by organizational measures.
• Position switches connected in series, where present,
At the test rates stated here, these are minimum must be considered during determining of the DCavg
requirements that apply when more frequent tests are value for electromechanical contacts. Masking of faults
not possible, for example because the test can be per- may occur in such cases, requiring reduction of the
formed only when a demand is made upon the safety DCavg value and the attainable PL. Details can be found
function (for which a signal change is required, as for in Annex E.
example with electromechanical or fluid power techno-
logy), or because an interruption in the machine's work • A situation is possible in which components or blocks
cycle is required, as for example when the machine is are monitored by several tests, or in which different
started at the beginning of the shift. Automatic tests tests act upon different components, with the result
that are not subject to these constraints, such as pro- that an overall DC must be determined for the compo-
cessor or memory tests in electronic systems, can often nent or the block. Annex E provides assistance in these
be implemented at substantially higher frequency with issues.
out major overhead. In these cases, testing at least
once per shift for Category 3 has proved suitable in • The DCavg formula (4) provides a means of calculation
practice; in Category 4, a minimum test rate of once per in which blocks with different DC values are grouped
hour was already selected when EN 954-1, the predeces- in such a way that the minimum DCavg requirements for
sor standard, was in force. the attained Category are met even though individual
blocks have a DC below 60%, or even no diagnostics at
• A further point is the reliability of the test equipment all (DC = 0%). In such cases, it must be determined on
itself. For this, the standard sets out only the basic a case-by-case basis whether this form of implementa-
requirements of Category B, applicable to all Catego- tion is consistent with the requirements of the Category.
ries, i.e. compliance with the relevant standards in Category 3 requires for example that wherever reasona-
order for the anticipated influences to be withstood, bly possible, a single fault must be detected at or prior
and the application of basic safety principles. Well-tried to the next demand of the safety function. For Category
safety principles should also be applied to the extent 2, a “check of the safety function” is a generic require-
possible. Where dangerous failures of the test equip- ment. Category 4 also requires detection of the discrete
ment are detected by its cyclical incorporation into the fault, and only “if this detection is not possible” that
process, deviation from these basic requirements is the safety function also be performed in the event of an
permissible. An additional general requirement is that accumulation of undetected faults.
the test equipment should not fail prior to the compo-
nents that it monitors. At the same time, it is inefficient • With regard to programmable electronic systems in par-
for much greater investment to be made in the reliability ticular, a large number of complex faults is conceivable;
of the test equipment than in the safety equipment corresponding requirements must therefore also be
performing the safety function proper. EN ISO 13849-1 placed upon the complexity of the tests. In this case,
therefore imposes only limited requirements upon the should a DC of over 60% be required for the (program-
reliability of the test equipment. For Categories 3 and 4, mable or complex) logic, EN ISO 13849-1 calls for at
reliance is upon single-fault tolerance, since including least one measure for variable memory, invariableme-
failure of the test equipment, a total of three dangerous mory and the processing unit – where present – with a
failures must occur before the safety function ceases to DC of at least 60% in each case.
be performed. The occurrence of such a case unobser-
ved is considered extremely unlikely and not therefore
critical. For Category 2, a secondary condition exists –
at least with the simplified procedure for determining
59
6 Design of safe control systems
Once the DC values of all blocks are known, the DCavg or overloads that were not adequately addressed during
value for the system is calculated by means of the design of the control system. Should the channels not
approximation formula (4). This formula weights the indi- be adequately separated, dangerous secondary faults
vidual DC values with the associated MTTFD values, since may occur that render the intended single-fault tolerance
very reliable parts (with a high MTTFD) are less reliant ineffective. The quantitative relevance of these effects
upon effective tests than less reliable parts (the sums in in a specific system is difficult to estimate (refer also to
numerators and denominators are formed across N blocks Annex F). In Annex D of IEC 61508-6 [37], the “beta-factor”
of the entire system): model is used for this purpose. In this model, the rate of
common cause failure is placed, as β · λD, in relation to
DC1 DC2 DCN the dangerous failure rate of a channel λD. Without a pre-
+ + ... +
MTTFD1 MTTFD2 MTTFDN
(4)
cise FMEA, β can at best only be estimated for real-case
DCavg =
1 1 1 SRP/CS, however. For this purpose, EN ISO 13849-1 con-
+ + ... +
MTTFD1 MTTFD2 MTTFDN tains a checklist of eight important counter-measures, for
which between 5 and 25 points are awarded:
Once obtained, the DCavg constitutes a value describing
the quality of the test and monitoring measures averaged • Physical separation between the signal paths of diffe-
over the entire SRP/CS. Before this value can be substitu- rent channels (15 points)
ted in the simplified quantification of the PL together with
the Category (five classes) and the MTTFD of each channel • Diversity in the technology, the design or the physical
(three classes), it must be assigned to one of the four principles of the channels (20 points)
classes in Table 6.4.
• Protection against possible overloading (15 points)
Table 6.4:
The four classes of diagnostic coverage in accordance with the • Use of well-tried components (5 points)
simplified approach of EN ISO 13849-1
• Failure mode and effects analysis during development,
Diagnostic coverage (DC) for the identification of potential common cause fail
Description Range ures (5 points)
None DC < 60%
Low 60% ≤ DC < 90% • Training of designers/maintainers in CCF and its avoi-
Medium 90% ≤ DC < 99% dance (5 points)
High 99% ≤ DC
• Protection against common cause failures triggered by
contamination (mechanical and fluid power systems)
and electromagnetic interference (electrical systems)
When the DCavg is subsequently used in the simplified (25 points)
quantification involving the bar chart (see subclause
6.2.16), only the respective lower key value of a DCavg class • Protection against common cause failures triggered by
(0, 60, 90 or 99) is used. A further simplification thus unfavourable environmental conditions (10 points)
takes effect here, based upon an estimation erring on the
safe side. The points stated for a given counter-measure are to be
awarded either in full, or not at all; no points are awarded
In specific cases, this coarsely simplified system may for a “partial” implementation of the counter-measures.
however give rise to paradoxes, if for example an Different packages of measures may however be effective
unreliable component with an above-average DC for the against CCF at subsystem level. Should all eight counter-
SRP/CS is replaced by a more reliable component (for a measures be satisfied, a maximum total of 100 points is
more detailed explanation, refer to the end of Annex G). awarded. However, EN ISO 13849-1 requires only a mini-
mum total of 65 points and even then, only for SRP/CS in
6.2.15 Measures against common cause Categories 2, 3 and 4. In Category 2 systems, the objective
failure (CCF) is the avoidance of dangerous common cause failures
in test and functional channels that could give rise to an
The final parameter relevant to the simplified quantifi undetected occurrence of a dangerous fault. During crea-
cation of the probability of failure concerns common tion of the bar chart for simplified quantification, the 65
cause failures (CCF). Such failures are related dangerous points were equated to a beta factor of 2%. The coarse
failures, for example in both channels of a redundant approximation with respect to the five Categories and the
SRP/CS, that are attributable to a common cause. three MTTFD and four DCavg classes was carried further and
Examples include unfavourable environmental conditions reduced to a simple yes/no decision. Whereas the bene-
60
6 Design of safe control systems
fits of a redundant structure are wiped out almost com further details can be found in Annex G. When the bar
pletely even at a beta factor of 10% or higher, a beta factor chart is used, the relevant bar is first determined on the
of no more than 2% reduces the relevance of common horizontal axis from the attained Category in combination
cause failures to a justifiable level. with the attained DCavg class. Adequate measures against
CCF must be provided for Categories 2, 3 and 4 in this
6.2.16 Simplified determining of the PL by case. The level of the MTTFD attained by the SRP/CS on
means of the bar chart the selected bar determines the PL, which can be read
off on the vertical axis. This method permits rapid quali-
Even when the four essential quantitative parameters tative estimation of the attained PL even in the absence
for calculation of the probability of failure have been of precise quantitative data. Should more precise values
resolved, determining the PL attained for the SRP/CS from be required, for example not only the PL, but also a value
them is still a difficult task. Although in principle, any for the average probability of a dangerous failure per hour
suitable method is permitted, EN ISO 13849-1 proposes a PFHD, the tables in Annex K of the standard provide assis-
simple graphical method that is based upon more com- tance. Similar assistance is also provided by the IFA's
plex calculations and estimations erring on the safe side: SISTEMA software (see Annex H), which analyses the bar
the bar-chart method (see Figure 6.10). chart quantitatively, and by the IFA's user-friendly PLC disc
[16].
This diagram was generated by Markov modelling based
upon the designated architectures for the Categories;
PFHD
PL
(1/h)
10-4
a
10-5
b
3 · 10-6
c
10-6
d
10-7
e
10-8
Cat. B Cat. 1 Cat. 2 Cat. 2 Cat. 3 Cat. 3 Cat. 4
DC avg = DCavg = DCavg = DCavg = DCavg = DCavg = DCavg =
none none low medium low medium high
Legende
61
6 Design of safe control systems
During creation of the bar chart, consideration was not 6.2.17 Determining the PL for the output part
only given to designated architectures; certain conditions of the SRP/CS (power control elements)
were also laid down that must be observed when the in accordance with subclause 4.5.5 of
chart is applied: the standard
• A mission time of 20 years is assumed for the In response to calls voiced by industry, an alternative,
SRP/CS, within which the component reliabilities can simplified method for determining the PFHD and quanti-
be described or approximated by constant failure rates. fiable aspects of the PL was added in the third edition of
The actual mission time may fall below the assumed the standard. This method, described in subclause 4.5.5
20 years owing to the use of components subject to of the standard, can be applied only in certain cases,
severe wear (refer to the T10D value in Annex D) or for namely:
other reasons. Application of the bar chart is justified
in such cases by preventive replacement of the affected • for the output part of the SRP/CS (power control ele-
components or SRP/CS. This information must be made ments) and
available to the user in a suitable form, for example
in the information for use and by marking on the • when no application-specific reliability data (MTTFD, fai-
SRP/CS. Exceeding of the mission time of 20 years lure rate λD, B10D or similar) are available for mechanical,
from the outset or its extension retrospectively beyond hydraulic or pneumatic components (or components
20 years result in deviations from the bar chart. Annex G employing mixed technology, such as a pneumatically
shows how this can be addressed. driven mechanical brake).
• In the bars for Category 2, it has been assumed that This simplified determining of the PFHD is based primarily
the test rate is adequately high (refer also to sub- upon the implemented Category including DCavg and CCF.
clause 6.2.14 and Annex E) and also that the test chan- Calculation of the (channel ) MTTFD is not required; in
nel is at least half as reliable as the functional channel. return, well-tried components (in Categories 1, 2, 3 and 4)
or proven-in-use components (in Categories 2, 3 and 4)
Owing to capping of the MTTFD that can be allowed for must be used throughout. “Proven-in-use” is a new com-
each channel to 100 years (2,500 years in the case of ponent property used within the standard and should not
Category 4), a high PL can be attained only with certain be confused with the property of well-tried. The property
Categories. Although this is related to the simplified of proven-in-use is demonstrated based upon an analysis
approach of the designated architectures and the bar of experience gained in the field with a specific configura-
chart, the associated limitations also apply when the tion of a component in a specific application. The analysis
average probability of a dangerous failure per hour is cal- must show that the probability of dangerous systematic
culated by means of other, unrelated methods. As already faults is sufficiently low for each safety function using the
mentioned, the architecture imposes the following limita- component to reach its required Performance Level PLr
tions upon certain Categories. These limitations are inten- (new definition in 3.1.39 of the standard). Such a demon
ded to prevent the component reliability from being over- stration has not been common in machine construction
stated in comparison with the other influencing variables: before now. It is also unclear why the requirement refers
only to systematic faults, and fails to consider the random
• In Category B, a maximum PL of b can be attained. component faults.
• In Category 1, a maximum PL of c can be attained.
• In Category 2, a maximum PL of d can be attained. Table 6.5 shows the estimated PFHD value and the PL
• In Categories 3 or 4, even a PL of e can be attained. attainable with it, based upon Table 7 in the new sub-
clause 4.5.5 of the standard, as a function of the imple-
Besides the quantitative aspect of the probability of mented Category and subject to the additional conditions
failure, qualitative aspects must also be considered for placed upon the method.
attainment of a given PL. Such aspects include systematic
failures (see subclause 6.1.2), and software faults, which The method is subject to the following additional condi-
are discussed in greater detail in subclause 6.3. tions:
62
6 Design of safe control systems
Table 6.5:
PL and PFHD as an estimation erring on the safe side based upon the Category, DCavg and the use of well-tried or proven-in-use
components
PL d 2.9 · 10-7 ⇦ – – – ● ○
PL e 4.7 · 10-8 ⇦ – – – – ●
● Applied Category is recommended
Category 2, the tests must be performed adequately upon data for their proven-in-use property, unless fail
frequently. No provision is made here for a test rate that ure of these components becomes apparent through
is only 25 times the demand rate. the technical process.
• In Category 1: use of well-tried components and well- • Categories 2, 3 and 4: since recourse cannot be made to
tried safety principles (as in the past and as established formula E.1 of the standard (formula (4) of the present
in the Category 1 definition). report) for calculation of the DCavg owing to the unavai-
lability of MTTFD values, the DCavg is formed in this case
• In Category 2: the MTTFD of the test channel is at least simply as the arithmetic mean of the individual DCs of
ten years. all components in the functional channels of the output
part.
• In Categories 2, 3 and 4: use of well-tried or proven-in-
use components and use of well-tried safety principles. 6.2.18 Bus systems as “interconnecting means”
In Category 2, there is no advantage in extending this
requirement to the test channel, since the same result The discrete blocks of a designated architecture – input
(PFHD and PL) can be attained with a Category 1 single- unit, logic and output unit – must be connected together
channel system. not only logically, but also physically. For this purpose,
the standard defines “interconnecting means”, which
• In Categories 2 and 3: adequate measures against CCF, are regarded as part of the SRP/CS. The term “intercon-
and DC of each component at least “low”. necting means” may initially appear strange in the field
of electrical or fluid power technology. However, it serves
• In Category 4: adequate measures against CCF, and DC as a generic term for electrical and fluid power lines,
“high” for each component. and even for such components as mechanical plungers.
All requirements of the standard therefore also apply to
The DC requirement in the last two of these points applies these forms of “interconnecting means”. In the context of
to each component in the subsystem, and therefore fault consideration, a conductor short circuit for example
exceeds their respective generic requirements for the is an assumed fault. What is the situation however when
Category, which relate to DCavg. Since however this con- bus systems are used to transmit safety-related informa-
cerns the output part of the SRP/CS with mechanical, tion? Detailed consideration of such a complex subject is
hydraulic or pneumatic components, only one component of course outside the scope of the standard, particularly
per channel will be involved in most cases. Consequently, since the subject is already covered by DGUV test prin-
the requirement for the DC of each component does not ciples (GS-ET-26, [38]) and a standard (IEC 61784-3 [39]).
in practice constitute tightening of the requirements com Bus systems that satisfy the requirements set out in these
pared to the DCavg of the subsystem. publications can also be readily employed in the context
of EN ISO 13849-1. Numerous bus systems suitable for
The following additional information is provided: safety-related applications are already available on the
market.
• Category 1: the machine manufacturer must determine
the T10D values of safety-related components based
63
6 Design of safe control systems
The publications referred to above employ a special fault 6.3 Development of safety-related software
model in which consideration is given to the use of a
black-box channel for the transmission of safety-related Comments such as the following are frequently heard:
data: in other words, no particular requirements for fault “Of course, a software programmer with years of experi-
detection, for example, are placed upon this transmis- ence no longer makes mistakes.” This hubris is in fact the
sion channel itself. The model assumes the repetition, greatest mistake of all. Software is generally complicated,
loss, insertion, incorrect sequence, corruption and delay which is why the number of failures caused by software
of safety-related messages and the coupling of safety- faults is on the rise, in contrast to the situation for hard-
related and non-safety-related messages as possible ware. How often are PC users surprised when a computer
faults. Further possible aspects include faults that syste- peripheral ceases to work, and how often does the prob-
matically corrupt messages, for example by completely lem turn out to have been caused by a part of the software
inverting them. Measures in “safety layers” that are then that was not compatible with another piece of software,
implemented in safety-related parts of control systems such as a driver? By contrast, hardware tend to be rare.
enable transmission faults to be excluded with sufficient According to [41], normal software, i.e. simple software
probability. Suitable measures include, for example, for simple functions, contains approximately 25 errors per
the sequence number, timestamp, time expectations, 1,000 lines of code. Also according to [41], well written
connection authentication, feedback message and data software contains around two to three errors per 1,000
integrity assurance. Data integrity assurance in particular lines of code, and the software employed in the Space
frequently entails complex calculations. The purpose of Shuttle has (according to NASA) fewer than one error per
these calculations is to determine the residual error pro- 10,000 lines. What does this mean in practice? A mobile
bability R, and from it the residual error rate Λ (derived telephone has up to 200,000 lines of code and therefore
from the lower-case λ for the failure rate for components). up to 600 software errors. A PC operating system has
Exactly this value can then be calculated as the average 27 million lines of code and therefore up to 50,000 errors;
probability of a dangerous failure per hour required for a the Space Shuttle up to 300 errors; and the software for
PL as a proportion for the transmission of safety-relevant the Space Defense Initiative (SDI) up to 10,000 errors.
messages. Both of the above publications limit the resi- These programming errors lie dormant in the products
dual error rate to 1% of the maximum permissible value until, under certain conditions and in certain situations,
for the probability of a dangerous failure per hour. Values they impact upon the products' function. Like no other
stated by manufacturers are in fact frequently related to technology, software and therefore also its programmers
an SIL (see Chapter 3); in practice, however, these values assume a greater responsibility than ever before.
are compatible for use under a required PL (see also
Figure 3.2). The 1% rule results in the contribution to the One of the essential changes in EN ISO 13849-1 compared
probability of a dangerous failure per hour being virtually to its predecessor, EN 954-1, was the formulation for the
negligible, i.e. it enables it to be added to the values first time of requirements concerning software and its
determined for the SRP/CS. Comprehensive information development. For the sake of emphasis at this point: the
on bus systems for the transmission of safety-related requirements in subclause 4.6 of the standard enable
information can be found for example in [40]. safety-related software to be developed for all SRP/CS
in the machinery sector and for all required Performance
Where a bus system (i.e. its components), which is gene- Levels from a to e. This subclause is intended in the first
rally tested by an independent body, is employed for the instance for application programmers tasked with deve-
implementation of safety functions, planning of its use loping the safety functions for a machine, for example
and proper implementation with regard to fault avoidance in an application-oriented language on a programmable
are of great importance. A large number of parameters logic controller (PLC). By contrast, these requirements in
must be set correctly; this process is supported to a grea- EN ISO 13849-1 are not particularly new to developers of
ter or lesser degree by relevant tools. SRESW (safety-related embedded software), i.e. firmware
or software tools for electronic safety components. Such
Should none of the known, already assessed profiles “embedded software” developments for the components,
for functional safety be used, the assumed transmission which are generally certified, are often subject to the very
errors stated above must be considered, suitable (coun- complex requirements of the IEC 61508-3 basic safety
ter) measures implemented, and the residual error rate standard [42] (and its further seven parts), which is bin-
Λ in consideration of the typical bit error rate of 0.01 con- ding for IEC standards governing functional safety.
sidered during calculation of the total failure probability
PFHD. Test principles GS-ET-26 [38] provide information on IFA Report 2/2016 on safety-related application software
calculation of the residual error rate Λ. for machinery [43] has been published, addressing the
programming of SRASW (safety-related application soft-
ware). This report describes the IFA's matrix method for
the specification, verification, validation and documen-
64
6 Design of safe control systems
tation of SRASW. The matrix method can also be used 6.3.1 Error-free software …
with the IFA's SOFTEMA tool [44]. In addition, the report
provides detailed further information on the programming … unfortunately does not exist in the real world. In con
of SRASW. The descriptions below are therefore limited trast to hardware faults, which occur as a result of random
to a brief presentation of the normative requirements of component failure, the causes of software faults are
EN ISO 13849-1 concerning safety-related software. systematic. It is therefore all the more important that all
reasonable steps be taken to avoid errors during the deve-
The basic principles of this subclause can be applied to lopment of safety-related software, the purpose of which
both software types. Individual requirements tend to be is after all that of minimizing risks. What is considered
formulated in detail more for application programming of reasonable is determined on the one hand by the required
SRASW. Conversely, the example described in subclause Performance Level PLr. At the same time, safety-critical
6.5 of a control system for a paper-cutting guillotine faults tend to creep into particular phases of software
shows the development of SRESW. development, where, devastatingly, they remain undetec-
ted until they cause a failure in operation. These phases
The requirements governing software development are are known to be those of specification, design and modi-
geared to the software type (SRASW or SRESW) and the fication. The requirements of EN ISO 13849-1 – and the
language type. As in other current standards containing explanations provided in this subclause – are therefore
requirements for software, a distinction is drawn between aimed in particular at fault avoidance in these phases.
the language types FVL (full variability language) and Sadly, less attention is often paid in practice to these pha-
LVL (limited variability language). SRASW is generally ses of application programming.
programmed in LVL, for example in a graphical language
as defined in IEC 61131-3. The requirements contained in In order for the safety-related software produced to be of
subclause 4.6.3 of EN ISO 13849-1 apply in this case. high quality, it is clear that suitable up-to-date and well-
tried “software engineering” development models should
As soon as SRASW is programmed in FVL (for example, be followed. For safety-related systems, reference is gene-
a PLC in the high-level language “C”), however, the re rally made in this context to the “V model” [45]. Since the
quirements for SRESW contained in subclause 4.6.2 of the V model familiar from the reference is generally used for
standard must be met. If the SRASW is required to satisfy very complex software, EN ISO 13849-1, subclause 4.6.1
a Performance Level of e in this case, EN ISO 13849-1 requires only a more simplified form of it (Figure 6.11).
refers at the end of subclause 4.6.2, once only, but with
exceptions, to the requirements of IEC 61508-3:1998.
Specification
of the safety Validated
functions Safety-related software
software Validation Validation
specification
System Integration
design tests
Design Testing
activities Module activities
Module
design tests
Figure 6.11:
Result Simplified V model
Coding for the development
Verification
of safety-related
software
65
6 Design of safe control systems
This form is considered to be appropriate for the practical mented by the software. In addition, the following are
conditions and the objectives for safety-related SRP/CS in presented:
the machinery sector and specifically for the development
of SRASW. The actual objective here is the creation of rea- • Functions that detect and control hardware faults
dable, understandable, testable and maintainable soft-
ware. Programmers who do not normally develop safety- • Performance characteristics, such as the maximum
related software are likely to consider these requirements response time
tedious. However, they provide them with the certainty of
having developed the software to an adequate standard. • Fault-mode responses
In addition to the phases, Figure 6.11 also shows impor- • Interfaces provided to other systems, etc.
tant terminology that must first be defined (in a software
context). Besides these functional requirements, the PL to be
attained by the safety functions, the PLr, must be stated,
Result in order to permit selection of the necessary measures for
fault avoidance (see further below).
Refers to the product of a phase, for example the specifi-
cation, the software design, the code, and in the case of This specification (or “safety-related software require-
the final result, the tested, validated software. It may how- ments specification”) must be verified, for example by a
ever also refer for example to the result of a specification review performed by a person not involved in its creation.
phase in the form of a test plan that is not required until a The reviewer must confirm firstly that the requirements
much later phase, at which it can be used for systematic specification complies with the higher-level specification,
validation of the software. The result(s) of the preceding and secondly that it satisfies the formal requirements
phases serve as inputs for the subsequent phases. This is governing how a software specification is to be written.
indicated by the arrow. The specification should be structured and generated in
detail in such a way that it can also serve as a checklist for
Verification later validation.
Describes the quality assurance activity by which the The overall safety of a machine or machinery installation
result of a phase is checked against the specification of is assured by all safety-related parts of the control system
the preceding phase. During or at the end of the coding and their functions (components of all technologies, elec-
phase, for example, verification is performed of whe- tronics, software). A description is therefore required at
ther the code actually implements the specified module this point, in the form of a specification, of the safety for
design, and whether the programming guidelines have the machine/machinery installation. The document need
been observed in the process. not run into the hundreds of pages; it is acceptable for it
to be limited to the essential points in a comprehensible
Validation form. The specifications for the machine or machinery
installation as a whole will be followed by a subset of
In this context, software validation is a concluding, spe- tasks for programmers. The software specification thus
cial form of verification of the entire software. A check is forms a part of the overall concept, and can therefore be
performed of whether the requirements of the software regarded as a “contract” with a “subcontract” for the pro-
specification concerning the functionality of the software gramming function.
have been implemented.
The software specification begins with provisions con-
Selected phases of the simplified V model, and thus at cerning design and coding of the software. The other
the same time the “roadmap” for software development, elements involved in assuring safety must be able to rely
are described below. The downward-pointing part of the upon implementation of the functions in the software. The
“V” describes the design activities of development, the specification is thus also the point of reference for accep-
upward-pointing part the review activities. tance of the software: validation of the software functions
must demonstrate whether the “contractual obligations”
6.3.2 Overall safety interface: software have been met. In the area of SRASW, this must be taken
specification literally, since the engineering and programming of a con-
trol system are often assigned by the parties responsible
This document describes, based upon the higher-level for safety as a whole to other companies or corporate
specification of the safety functions of the SRP/CS, the divisions. In this case, the specification also serves as a
sub-functions of the specification that are to be imple- contractually binding interface to external or internal ser-
vice providers.
66
6 Design of safe control systems
6.3.3 System and module design for the 6.3.5 Module test, integration test and
“safety-related technical specification” validation
The software architecture is generally already defined by In the module test, the new software functions developed
the operating system or the development tool. The design specifically for the project are tested and simulated in
further defines the structure and modules to be employed order to check whether they are coded as specified in the
for implementation of the specified safety sub-functions. module design. At the integration test at the latest, for
What existing library functions are to be employed must example during the typical commissioning of a machine's
be determined, as must whether new functions may have PLC, the complete software is tested for proper operation
to be developed specifically for the project. In this sub- on the hardware (integration) and compliance with the
clause, the term software function/module also refers in system design (verification). Both are still verification
all cases to a function block. measures, i.e. they involve looking “into” the software.
Whether the safety-related sub-functions of the software
The software design document should describe the struc- perform as specified is determined by software validation,
ture and process of the software, supported by diagrams, which has already been described. For the higher PLs d
in a way that makes these aspects comprehensible to and e, an extended functional test is also required.
external parties. The more the program is based upon re-
used software functions that have already been validated Individual software functions that have been certified or
and are already documented elsewhere, the more concise validated by quality assurance measures do not need to
the software design document can be. The module design be tested again. As soon as a number of these functions
also specifies the new software functions that are to be are combined for a specific project, however, the resulting
produced specifically for the project, their interfaces, and new form of safety sub-function must be validated. Even
test cases for their module test. For less complex SRP/CS, on certified modules, dangerous systematic failures may
the system and module design can be summarized in a be caused by errors in parameterization and logic.
“safety-related software technical specification”.
6.3.6 Structure of the normative requirements
6.3.4 Finally: programming
Once the design process has been outlined, normative
Coding work proper then begins. In the interests of fault requirements are described for the software itself, for the
avoidance, the following three aspects must be observed: development tools used, and for the development acti-
vities. These requirements also contribute towards fault
• Code must be readable and clear, in order to facilitate avoidance. The effort involved should be commensurate
testing and error-free modification at a later stage. Bin- with the required risk reduction, in the same way as for
ding programming guidelines facilitate, among other the hardware of the programmable SRP/CS. The require
things, better commenting of the program and the ments and their effectiveness are therefore increased
assignment of self-explanatory names to variables and intelligently in line with rising PLr.
modules.
Figure 6.12 shows that a suitable package of basic meas
• Defensive programming, i.e. the assumption that inter- ures is first set out for all PLs for both SRASW and SRESW.
nal or external errors may always be present, and detec- These basic measures can be regarded as software-speci-
tion of them. If the characteristic of input signals over fic basic safety principles. They are sufficient for the deve-
time is known, for example, this anticipatory approach lopment of software for PL a or b. For software employed
can be used to detect errors in the peripheral circuitry. in SRP/CS for PL c to e, the basic measures are supple-
If a finite-state machine is being programmed, the state mented by additional measures for fault avoidance. The
variable is monitored for a valid value range, etc. latter are required for PL c with lower effectiveness, for
PL d with medium effectiveness and for PL e with higher
• The code must be analysed statically, i.e. without exe- effectiveness. Irrespective of whether the software now
cution: for low PLs, a code review is sufficient; for PLs acts in only one or in both channels of a desired Category,
d and e, the data and control flow should also be exa- the PLr of the implemented safety function(s) is always the
mined, ideally with the use of tools. Typical questions yardstick for the requirements.
are: is the code consistent with the preceding software
design? Do any points exist at which signals with a The aspect of “higher effectiveness” refers to the rising
lower PL (for example from a standard PLC) override a level of fault avoidance. This may be illustrated by the
signal with a higher PL? Where and by what modules are important task of production of the specification. For PL c,
variables initialized, written to, and then assigned to for example, it may be sufficient for programmers to write
the safety output? What software functions are executed the specification themselves and for it to be reviewed by
conditionally? others (internal review). Should the same software
67