Pilz looks into the merger of the functional safety standards EN ISO 13849 and EN 62061, and VDMA’s proposal for a common file structure
A joint technical committee ISO/TC 199 - IEC/TC 44 is working on the merger of the functional safety standards EN ISO 13849 (with its Performance Levels, PL) and EN 62061 (with its Safety Integrity Levels, SIL). In addition, the German Engineering Federation VDMA (Verband Deutscher Maschinen und Anlagenbau) has produced a draft document, ‘Functional Safety- Universal Database for safety-related values of components or parts of control system’, which could help the merger. This provides clarity on the safety-related data available to designers of safety functions on machines.
VDMA’s proposal is to create a common file structure which is readable by all of the functional safety performance calculation tools – such as IFA Sistema or Pilz PAScal.
A sub-system approach
Safety functions are essentially engineered systems, which comprise subsystems, and quantifying either the Performance Level or Safety Integrity Level of the system requires a sub-
systematic analysis. The rationale is that any safety function is akin to a ‘safety chain’ made up of links, or subsystems, and if a subsystem fails, the safety function is lost. When assessing the probability of hardware failure and its potential impact it therefore makes sense to focus on the subsystem level. Another term for subsystem is safety related part of the control system or SRP/CS.
Engineers tend to favour EN ISO 13849-1 – according to which, for a safety function to be evaluated each subsystem must be defined in terms of its Category (or structure, either single or dual channel), Diagnostic Coverage ‘DC’ (expressed as percentage of dangerous detected failures over all dangerous failures), average failure rate of all components with the subsystem (Mean Time to Dangerous Failure, MTTFd), and steps taken against common cause failure, ‘CCF’. Once defined these parameters are then used to determine subsystem performance level (PL) and average probability of dangerous failure per hour (PFHD) from the most useful table in the standard, Table K1 right at the back of EN ISO 13849-1.
Safety functions are essentially engineered systems, which comprise subsystems, and quantifying either the Performance Level or Safety Integrity Level of the system requires a sub-systematic analysis
For example, a subsystem meeting Category 4, 99% diagnostic coverage, with MTTFd of 100 years and a CCF of 65 has a PL e and a PFHD of 2.47 x 10-8. This is the highest PL and lowest PFHD which users of EN ISO 13849-1 can evaluate in Table K1; lower PFHD values with magnitudes in the order of 10-9 only come from pre-certified components, such as safety relays, which the vendor has evaluated.
When it comes to a whole safety function, the highest achievable PL is limited by the lowest PL of all constituent subsystems (the ‘weakest link’ principle), and the PFHD of the safety function is determined by the addition of the PFHD of all subsystems.
VDMA file structure
In terms of data available to fulfil the above steps, it’s proposed by VDMA that there will be three key device types.
Type 1 devices are fully certified safety devices which can be viewed as complete subsystems in their own right. Failure rates are independent of operational frequency, and the vendor states internal PL, SILCL, PFHD, Category, and test interval T1. The vendor has developed the device in accordance with safety standards (e.g. IEC 61508, EN 61496, EN 61800-5-2) and had them certified by an independent Notified Body, to ensure the device can be incorporated into a safety function with the least effort on the user’s part – see Figure 1. Devices include safety light curtains, RFID coded switches, safety relays, safety PLCs, and safe drives with functions such as safe torque off (STO).
Type 2 devices are not necessarily certified like Type 1, however this does not exclude their use in safety functions provided that vendor’s MTTFd data is available. Since MTTFd is only a part of the story, such devices require the user to do more integration work than with Type 1 devices; defining category, diagnostic coverage, and common cause factors. Once the user has defined these parameters, the PL and a PFHD for the subsystem can be determined using Table K.1. in Annex K of EN ISO 13849-1 – see Figure 2. The procedure for evaluating the whole system as per Figure 1 follows. Such devices include non-safety-related electronics (e.g. phase detection relays, power monitors), pressure sensors, hydraulic valves, and standard VSDs.
Type 3 devices are electromechanical, the failure rate of which depend upon operational frequency, where provision of a PL and PDHD, or MTTFd by the vendor is not possible because the device is subject to wear (which is application-related and not known by the vendor). Instead, the vendor supplies B10d data and, if they do not, generic data is available in Table C1 of EN ISO 13849-1. As in Type 2, these are not necessarily developed according to safety standards but can be used once the MTTFd has been calculated from the known B10d value, and
the user-defined average number of annual cycles (nop). The user must also define the selected category, diagnostic coverage, and CCF. After this, the PL and a PFHD for the subsystem can be determined using Table K.1. in Annex K of EN ISO 13849-1. The final evaluation of the whole system in Figure 1 then follows. Such devices include contactors, switches, single piloted valves, solenoid device mechanisms, and command devices.
Types 1-3 are described also by VDMA for EN 62061, with some common and some slightly different parameters, but exactly the same increasing level of user integration work required when moving from Type 1 to Type 2 and Type 3.
There is a Type 4, constituting devices for which there is a limiting PL but no PFHD, implying that the device acts as a subsystem (like Type 1) and can limit the PL of the safety function, but for which there is no dangerous failure rate.
No matter which type of devices you use, which standard you use, or which safety calculation software you use, the structure of safety-related data proposed by VDMA makes it clear where the responsibility for defining specific parameters lies in the design of machine safety functions.
Pilz Automation Technology
T: 01536 460766