System Design According to ISO/EN 13849-1:2006
EN ISO 13849-1:2006 Safety of machinery. Safety-related parts of control systems. General principles for design
We are currently in the transition period where EN ISO 13849-1 replaces EN 954-1:1997. On the 30th December 2009 all safety systems should be designed in accordance with EN ISO 13849 part 1 and 2 or other ‘Functional Safety’ safety standards like IEC 62061 and IEC 61508. If all of these standards are unfamiliar to you then the easiest place to start is EN ISO 13849-1.
EN ISO 13849-1:2006 uses the category system (from EN954-1) many of us are familiar with but expands on it using other pieces of data that are relevant to the performance of a safety system.
SISTEMA
You can download SISTEMA from the BGIA website for free. This software tool is designed by the authors of the standard. It is aimed at helping you organise and document your workings for EN ISO 13849-1:2006. The following link will take you to the download load:
No guidance has been written for this software yet. Please contact us if you need help working with this tool. We may be able to arrange some tuition on this subject.
The standard provides a simplified categories-based procedure for estimating the PL. The intention behind this approach
is to provide a recognizable transition path from the original Category based standard to the Performance Level based 2006 version. The standard
gives five designated architectures as shown below. They correspond to the existing five Categories B, 1, 2, 3 and 4. These diagrams must be studied
carefully in clause 6 of the standard where the requirements, differences, and assumptions are explained. The architecture diagrams for Categories B
and 1 and also 3 and 4 may look the same, but the standard explains the detail differences in terms of their requirements including diagnostic coverage,
etc. Figure 1 to figure 3 show block diagrams of the 5 category architectures.
It will also be helpful to study Structures of Safety Related
Systems in this publication which discusses the Categories in detail with practical examples of their implementation.
A full and detailed study of ISO/EN 13849-1:2006 is required before it can be correctly applied. The following is a brief overview:
This standard provides requirements for the design and integration of safety-related parts of control systems, including some software aspects. The
standard applies to a safety-related system but can also be applied to the component parts of the system.
This standard also has wide applicability,
as it applies to all technologies, including electrical, hydraulic, pneumatic, and mechanical. Although ISO13849-1 is applicable to complex systems, it refers
the reader to IEC 62061 and IEC 61508 for complex software embedded systems.
With this standard the safety integrity of a system is classified into 5 PLs (Performance Levels). PLa is the lowest integrity and PLe is the highest integrity. They are evaluated taking the following factors into account:
STRUCTURE – given as designated architectures. These are directly related to the categories.
MTTFd – mean-time-to-dangerous failure
DC – diagnostic coverage
CCF – common cause failures
Behaviour under fault conditions
Software
Systematic failures
Environmental conditions
The standard provides a simplified categories-based procedure for estimating the PL. The intention behind this approach
is to provide a recognizable transition path from the original Category based standard to the Performance Level based 2006 version. The standard
gives five designated architectures as shown below. They correspond to the existing five Categories B, 1, 2, 3 and 4. These diagrams must be studied
carefully in clause 6 of the standard where the requirements, differences, and assumptions are explained. The architecture diagrams for Categories B
and 1 and also 3 and 4 may look the same, but the standard explains the detail differences in terms of their requirements including diagnostic coverage,
etc. Figure 1 to figure 3 show block diagrams of the 5 category architectures.
It will also be helpful to study Structures of Safety Related
Systems in this publication which discusses the Categories in detail with practical examples of their implementation.
|
| Figure 1: Designated architecture for Category B and 1 |
|
| Figure 2: Designated architecture for Category 2 |
|
| Figure 3: Designated architecture for Category 3 and 4 |
Mission time represents the maximum period of time for which a subsystem (or system) can be used. After this time, it must be replaced. Mission time must be declared by the manufacturer of the components. Mission time will usually be the same as the proof-test interval as used in IEC/EN62061. The safety system designer must then consider the mission time of the components to determine the mission time of each safety function.
MTTFd (Mean-Time-to-Dangerous Failure) Is used directly in ISO 13849-1:2006 as part of estimating the PL. The standard offers three methods to determine the MTTFd: 1) use Manufacturer’s Data, 2) use Annexes C and D which provide component failure rates, or 3) use a default value of 10 years. Selecting the default value restricts the range to Medium as shown in Table 18.
| Denotation of MTTFd of each Channel | Range of MTTFd of each Channel |
| Low | 3 years <= MTTFd < 10 years |
| Medium | 10 years <= MTTFd < 30 years |
| High | 30 years <= MTTFd < 100 years |
| Table 18: Levels of MTTFd | |
When the safety system involves interfacing with IEC62061, the MTTFd number must be converted to PFHD.
This is done by using the following relationship:
PFHD = 1 / MTTFd
And, for electromechanical
devices:
MTTFd = B10d/(0.1 x mean number of operations per year).
The MTTFd and PFHD will usually be derived from the same source of test or analysis data. For low-complexity electromechanical devices, the failure mechanism is usually linked to the number and frequency of operations rather than just time. Therefore, for these components, the data will be derived from some form of lifetime testing e.g., B10 testing. Application based information such as the anticipated number or operations per year is then required in order to convert the B10d or similar data to MTTFd.
Diagnostic coverage (DC) represents the effectiveness of fault monitoring of a system or subsystem. DC is the ratio between the failure
rate of detected dangerous failures and the failure rate of total dangerous failures.
ISO/EN 13849-1:2006 and IEC 61508 provide tables
that can be used in deriving the DC, and in some cases, the DC may be provided by manufacturers.
Common-cause failures (CCF) occur when multiple faults resulting from a single cause produce a dangerous failure. These are failures of different items, resulting from a single event. The failures are not consequences of each other. Annex F of ISO/EN 13849-1:2006 provides a simplified qualitative method for determining the CCF. Table 19 shows a summary of the scoring process.
| No. | Measure Against CCF | Score |
| 1 | Separation/Segregation | 15 |
| 2 | Diversity | 20 |
| 3 | Design/Application/ Experience |
20 |
| 4 | Assessment/Analysis | 5 |
| 5 | Competence/Training | 5 |
| 6 | Environmental | 35 |
| Table 19: Scoring for Common-Cause Failure | ||
A score of at least 65 must be achieved to claim conformance to Categories 2, 3, and 4.
The standards have requirements for the control and avoidance of systematic failure. Typical types of possible
systematic failure are software design errors, hardware design errors, and requirement specification errors.
Systematic
failures differ from random hardware failures which are failures occurring at a random time, typically resulting from degradation
of parts of hardware. Annex G of ISO/EN 13849-1:2006 describes measures for the control and avoidance of systematic failure.
When the design criteria are evaluated, the SRCS will be assigned a Performance Level. The performance level is a discrete
level that specifies the ability of the safety related parts of the control system to perform a safety function.
In order
to assess the PL achieved by an implementation of any of the five designated architectures, the following data is required for the
system (or subsystem):
- MTTFd (mean-time-to-dangerous failure of each channel)
- DC (diagnostic coverage)
- Architecture (the category)
Figure 4 shows a graphical method for determining the PL from the combination of these factors. Table 21 shows the tabular results of different Markov models that created the basis of this Figure 4. Refer to the table when more precise determination is needed.
|
Figure 4: Graphical method to determine PL
The reader will notice there is some overlap at the PL division lines. If MTTF is only provided in categorical terms (as low, medium or high), use Figure 5 to determine the PL.
|
Figure 5: Simplified graphical method
For example, an application uses the Category 3 architecture. If the DC is between 60% and 90%, and if the MTTFd of
each channel is between 10 and 30 years, then according to Figure 5, PLd is achieved.
Other factors must also be realized
to satisfy the required PL. These requirements include the provisions for common cause failures, systematic failure, environmental
conditions and mission time.
If the PFHD of the system or subsystem is known, Table 20 (Annex K of the standard)
can be used to derive the PL.
Subsystems that conform to a PL can be combined into a system using Table 20. The rationale behind this table is clear. First, the system can only be as good as its weakest subsystem. Second, the more subsystems there are, the greater the possibility for failure.
| PLlow | Nlow | PL |
| a | >3 | Not allowed |
| =<3 | a | |
| b | >2 | a |
| =<2 | b | |
| c | >2 | b |
| =<2 | c | |
| d | >3 | c |
| =<3 | d | |
| e | >3 | d |
| .3 | e | |
| Table 20: PL calculation for series combined subsystems | ||
In the system shown in Figure 6 the lowest Performance Levels are at Subsystems 1 and 2. Both are PLb. Therefore, using Table 20, we can read across b (in the PLlow column), through 2 (in the Nlow column) and find the achieved system PL as b (in the PL column). If all three subsystems were PLb the achieved PL would be PLa.
|
| Figure 6: Combination of series subsystems as a PLb system |
Validation plays an important role throughout the safety system development and commissioning process. ISO/EN 13849-2:2003 sets the requirements for validation for systems designed to the original ISO 13849-1 (EN 954-1). It is anticipated that this standard will be revised to bring it in line with EN ISO 13849-1:2006 of systems designed to ISO/EN 13849-1:2006. Validation in ISO 13849-2 calls for a validation plan and discusses validation by testing and analysis techniques such as Fault Tree Analysis and Failure Modes, Effects and Criticality Analysis. Most of these requirements will apply to the manufacturer of the subsystem rather than the subsystem user.
At the system or machine commissioning stage, validation of the safety functions must be carried out in all operating modes and should cover all normal and foreseeable abnormal conditions. Combinations of inputs and sequences of operation must also be taken into consideration. This procedure is important because it is always necessary to check that the system is suitable for actual operational and environmental characteristics. Some of those characteristics may be different from the ones anticipated at the design stage.
One of the primary analysis tools for safety systems is failure analysis. The designer and user must understand how the
safety system performs in the presence of faults. Many techniques are available to perform the analysis. Examples include
Fault Tree Analysis; Failure Modes, Effects and Criticality Analysis; Event Tree Analysis; and Load-Strength reviews.
During
the analysis, certain faults may be uncovered that cannot be detected with automatic diagnostic testing without undue economic costs.
Further, the probability that these faults might occur may be made extremely small, by using mitigating design, construction and test
methods. Under these conditions, the faults may be excluded from further consideration. Fault exclusion is the ruling out of the occurrence
of a failure because the probability of that specific failure of the SRCS is negligible.
ISO13849-1:2006 allows fault exclusion based
on the technical improbability of occurrence, generally accepted technical experience and the technical requirements related to the application.
ISO13849-2:2003 provides examples and justifications for excluding certain faults for electrical, pneumatic, hydraulic and mechanical systems.
Fault exclusions must be declared with detailed justifications provided in the technical documentation.
Fault exclusion can lead to a
very high PL. Appropriate measures to allow this fault exclusion must be applied during the complete mission time. It is not always possible
to evaluate SRCS without assuming that certain faults can be excluded. For detailed information on fault exclusions, see ISO 13849-2.
| MTTFd for each channel | Average probability of a dangerous failure per hour (1/h) and corresponding performance level (PL) | |||||||||||||
| Cat. B | PL | Cat. 1 | PL | Cat. 2 | PL | Cat. 2 | PL | Cat. 3 | PL | Cat. 3 | PL | Cat. 4 | PL | |
| Years | DCavg= none | DCavg= none | DCavg= low | DCavg= medium | DCavg= low | DCavg= medium | DCavg= high | |||||||
| 3 | 3,80 x 10-5 | a | 2,58 x 10-5 | a | 1,99 x 10-5 | A | 1,26 x 10-5 | a | 6,09 x 10-6 | b | ||||
| 3,3 | 3,46 x 10-5 | a | 2,33 x 10-5 | a | 1,79 x 10-5 | A | 1,13 x 10-5 | a | 5,41 x 10-6 | b | ||||
| 3,6 | 3,17 x 10-5 | a | 2,13 x 10-5 | a | 1,62 x 10-5 | a | 1,03 x 10-5 | a | 4,86 x 10-6 | b | ||||
| 3,9 | 2,93 x 10-5 | a | 1,95 x 10-5 | a | 1,48 x 10-5 | a | 9,37 x 10-6 | b | 4,40 x 10-6 | b | ||||
| 4,3 | 2,65 x 10-5 | a | 1,76 x 10-5 | a | 1,33 x 10-5 | a | 8,39 x 10-6 | b | 3,89 x 10-6 | b | ||||
| 4,7 | 2,43 x 10-5 | a | 1,60 x 10-5 | a | 1,20 x 10-5 | a | 7,58 x 10-6 | b | 3,48 x 10-6 | b | ||||
| 5,1 | 2,24 x 10-5 | a | 1,47 x 10-5 | a | 1,10 x 10-5 | a | 6,91 x 10-6 | b | 3,15 x 10-6 | b | ||||
| 5,6 | 2,04 x 10-5 | a | 1,33 x 10-5 | a | 9,87 x 10-6 | b | 6,21 x 10-6 | b | 2,80 x 10-6 | c | ||||
| 6,2 | 1,84 x 10-5 | a | 1,19 x 10-5 | a | 8,80 x 10-6 | b | 5,53 x 10-6 | b | 2,47 x 10-6 | c | ||||
| 6,8 | 1,68 x 10-5 | a | 1,08 x 10-5 | a | 7,93 x 10-6 | b | 4,98 x 10-6 | b | 2,20 x 10-6 | c | ||||
| 7,5 | 1,52 x 10-5 | a | 9,75 x 10-6 | b | 7,10 x 10-6 | b | 4,45 x 10-6 | b | 1,95 x 10-6 | c | ||||
| 8,2 | 1,39 x 10-5 | a | 8,87 x 10-6 | b | 6,43 x 10-6 | b | 4,02 x 10-6 | b | 1,74 x 10-6 | c | ||||
| 9,1 | 1,25 x 10-5 | a | 7,94 x 10-6 | b | 5,71 x 10-6 | b | 3,57 x 10-6 | b | 1,53 x 10-6 | c | ||||
| 10 | 1,14 x 10-5 | a | 7,18 x 10-6 | b | 5,14 x 10-6 | b | 3,21 x 10-6 | b | 1,36 x 10-6 | c | ||||
| 11 | 1,04 x 10-5 | a | 6,44 x 10-6 | b | 4,53 x 10-6 | b | 2,81 x 10-6 | c | 1,18 x 10-6 | c | ||||
| 12 | 9,51 x 10-6 | b | 5,84 x 10-6 | b | 4,04 x 10-6 | b | 2,49 x 10-6 | c | 1,04 x 10-6 | c | ||||
| 13 | 8,78 x 10-6 | b | 5,33 x 10-6 | b | 3,64 x 10-6 | b | 2,23 x 10-6 | c | 9,21 x 10-7 | d | ||||
| 15 | 7,61 x 10-6 | b | 4,53 x 10-6 | b | 3,01 x 10-6 | b | 1,82 x 10-6 | c | 7,44 x 10-7 | d | ||||
| 16 | 7,31 x 10-6 | b | 4,21 x 10-6 | b | 2,77 x 10-6 | c | 1,67 x 10-6 | c | 6,76 x 10-7 | d | ||||
| 18 | 6,34 x 10-6 | b | 3,68 x 10-6 | b | 2,37 x 10-6 | c | 1,41 x 10-6 | c | 5,67 x 10-7 | d | ||||
| 20 | 5,71 x 10-6 | b | 3,26 x 10-6 | b | 2,06 x 10-6 | c | 1,22 x 10-6 | c | 4,85 x 10-7 | d | ||||
| 22 | 5,19 x 10-6 | b | 2,93 x 10-6 | c | 1,82 x 10-6 | c | 1,07 x 10-6 | c | 4,21 x 10-7 | d | ||||
| 24 | 4,76 x 10-6 | b | 2,65 x 10-6 | c | 1,62 x 10-6 | c | 9,47 x 10-7 | d | 3,70 x 10-7 | d | ||||
| 27 | 4,23 x 10-6 | b | 2,32 x 10-6 | c | 1,39 x 10-6 | c | 8,04 x 10-7 | d | 3,10 x 10-7 | d | ||||
| 30 | 3,80 x 10-6 | b | 2,06 x 10-6 | c | 1,21 x 10-6 | c | 6,94 x 10-7 | d | 2,65 x 10-7 | d | 9,54 x 10-8 | e | ||
| 33 | 3,46 x 10-6 | b | 1,85 x 10-6 | c | 1,06 x 10-6 | c | 5,94 x 10-7 | d | 2,30 x 10-7 | d | 8,57 x 10-8 | e | ||
| 36 | 3,17 x 10-6 | b | 1,67 x 10-6 | c | 9,39 x 10-7 | d | 5,16 x 10-7 | d | 2,01 x 10-7 | d | 7,77 x 10-8 | e | ||
| 39 | 2,93 x 10-6 | c | 1,53 x 10-6 | c | 8,40 x 10-7 | d | 4,53 x 10-7 | d | 1,78 x 10-7 | d | 7,11 x 10-8 | e | ||
| 43 | 2,65 x 10-6 | c | 1,37 x 10-6 | c | 7,34 x 10-7 | d | 3,87 x 10-7 | d | 1,54 x 10-7 | d | 6,37 x 10-8 | e | ||
| 47 | 2,43 x 10-6 | c | 1,24 x 10-6 | c | 6,49 x 10-7 | d | 3,35 x 10-7 | d | 1,34 x 10-7 | d | 5,76 x 10-8 | e | ||
| 51 | 2,24 x 10-6 | c | 1,13 x 10-6 | c | 5,80 x 10-7 | d | 2,93 x 10-7 | d | 1,19 x 10-7 | d | 5,26 x 10-8 | e | ||
| 56 | 2,04 x 10-6 | c | 1,02 x 10-6 | c | 5,10 x 10-7 | d | 2,52 x 10-7 | d | 1,03 x 10-7 | d | 4,73 x 10-8 | e | ||
| 62 | 1,84 x 10-6 | c | 9,06 x 10-7 | d | 4,43 x 10-7 | d | 2,13 x 10-7 | d | 8,84 x 10-8 | e | 4,22 x 10-8 | e | ||
| 68 | 1,68 x 10-6 | c | 8,17 x 10-7 | d | 3,90 x 10-7 | d | 1,84 x 10-7 | d | 7,68 x 10-8 | e | 3,80 x 10-8 | e | ||
| 75 | 1,52 x 10-6 | c | 7,31 x 10-7 | d | 3,40 x 10-7 | d | 1,57 x 10-7 | d | 6,62 x 10-8 | e | 3,41 x 10-8 | e | ||
| 82 | 1,39 x 10-6 | c | 6,61 x 10-7 | d | 3,01 x 10-7 | d | 1,35 x 10-7 | d | 5,79 x 10-8 | e | 3,08 x 10-8 | e | ||
| 91 | 1,25 x 10-6 | c | 5,88 x 10-7 | d | 2,61 x 10-7 | d | 1,14 x 10-7 | d | 4,94 x 10-8 | e | 2,74 x 10-8 | e | ||
| 100 | 1,14 x 10-6 | c | 5,28 x 10-7 | d | 2,29 x 10-7 | d | 1,01 x 10-7 | d | 4,29 x 10-8 | e | 2,47 x 10-8 | e | ||
| Table 21: Precise MTTFd to Determine PL | ||||||||||||||
| |||
 |