ISO 13849-1 PL Calculations Simplified - Robotics Online 13849 PL... · ISO 13849-1 PL Calculations...

ISO 13849-1 PL

Calculations Simplified

Heinz KnackstedtSafety Engineer

C&E sales, inc.

Cats, SILs and PLs… Oh My !!!

What is

ISO 13849-1:2015

Or

Safety Light

Curtain Type 2

Three PE with Standard dedicated PLC

vs.

Type 2 Safety Light Curtain and IM

BOTH are Structure Category 2, but is their

Safety Performance Level the same?

These two circuits are both identified as being

the “same” category

But, do they provide the same level of risk

reduction performance?

There may be “logical” arguments for

preference of one design over the other, but

there is no rigor to the evaluation using EN954-

1:1996

Switched

Output

PLC

K1

K1 V1

Red is Monitoring connections to PLC

FGR

V1

The “Spectrum” Within a EN954-1 Category

Which is the better safety circuit?

It has been a judgement call, based on experience

That was the problem so, what to do

We will get back to this example after we examine the

concepts embodied by ISO 13849-1:2015

Objectives of the New MachineryFunctional Safety Standards

• Replace “Qualitative” with “Quantitative” performance metrics of the Safety Related Parts of the Control Systems (SRP/CS)

• For a required level of risk reduction, as determined by the Risk Assessment, DEFINE the MINIMUM Safety System level of performance which may be utilized to achieve a risk reduction to an acceptable level

• What is Functional Safety– Control based Risk Reduction Measure which, if it fails to danger,

immediately increases risk back to the original level

• Safety Light Curtains, Safety Modules and PLC, Interlocked Guards, Two-Hand-Anti-Tie-Down, Robotic Safe Speed

• Fixed Guards and PPE are not part of functional safety

What Are• MTTFD Mean Time to Dangerous Failure

– Average value of operating time without a failure to danger for a component or channel

– Typically given in years

• PFHD Probability of Failure to Danger per Hour– Statistical probability of Failure to Danger of a system or sub-

system based on its:

• Channel(s) MTTFD

• Ability to detect failures to danger and to eliminate the hazard having sustained that fault

• Robustness against Common Cause Failure

– Given in Failure/hour

– For Cat B and Cat 1 and single components it is

• λD = 1/(MTTFD) if MTTFD is expressed in hours

Performance Level PL

Performance Level PL:

– Discrete value used to specify the ability of the Safety Related Parts of Control System (SRP/CS ) to perform a safety function under foreseeable conditions.

Performance Level is a discrete value of the PROBABILISTICoccurrence of a failure to danger expressed as Probability of

Dangerous Failures per Hour, PFHD

– Failure of a Channel is the Mean Time to Dangerous Failure, MTTFD of its components, typically expressed in years

• For non-monitoring structures, system failure rate depends solely on MTTFD of its components

– Failure of a monitored single or dual channel system is the Probability of Dangerous Failure per Hour PFHD

• Its failure rate is lower than the MTTFD of its components due to monitoring which, upon detecting a failure to danger, removes the hazard before the control system has an opportunity to fail to danger

Performance Level PL

PFHD

BGIA Report 2/2008e

One year of 24/7=8760 hr..... or just under 104 hours

Graph for determining required PLr for Safety Function

a

b

c

d

e

SIL

N/A

1

2

3Note: Correlation of risk levels between EN-954-1 and ISO 13849 or IEC 62061 are not identities, but are given for relative comparisons only

B

2

4

S1

S2

P1

P2

3

F1

F2

P2

P1

F1

F2

P2

P1

B

P2

P1

1

< 3.8 x10-4

< 10-5

< 3x10-6

< 10-6

< 10-7

PLr PFHDEN954-1 ISO 13849-1:2015 IEC 62061

λD =1/ 8760 MTTFD

Adapted from Appendix A Fig A.1 ISO 13849-1-2015

Verification

and

Validation

The

UnderpinningDoes it meet the

design requirements?

Risk AssessmentThe Basis of Design of the

Safety Function

CCFCommon Cause

FailureMTTFD Mean Time

To

Dangerous

Failure

StructureCircuit

Configurations

DCDiagnostic

Coverage

FUNCTIONAL SAFETY

RISK REDUCTION MEASURE

CAPABILITY

The FOUR Legged Stool of ISO 13849-1,2:2015

Each Performance Level PL, is defined by FOUR specific, quantitative, requirements

1 Category (Cat.) also known as STRUCTUREHow the components in the SRP/CS are

. interconnected2 Mean time to dangerous failure of the Channel(s) . (MTTFD)

MTTFD from manufacturer of electronic componentsB10D cycles from manufacturer for wear componentsMTTFD is then calculated from the application cycle rate

ISO 13849-1:2015

ISO 13849-1:20153 Diagnostic Coverage (DC and DC avg) in %

DC Ratio of Detected Failures to Danger to all Failures to Danger which result in the loss of the Safety Function for a component or sub-system

DC avg Rate of failures to danger detected divided by the rate of all failures to danger for ALL COMPONENTS in the SRP/CS

4 Common Cause Failure (CCF)

How well does the design and construction prevent CCF

Verification is part of the process

Do the components of choice, in the proposed structure, meet the requirement of the risk reduction per the PLr as determined by the Risk Assessment

The process to meet PLr

• Evaluate the four parts of the Performance Levels:

– Category (Cat.)– Mean Time To dangerous Failure (MTTFD)– Diagnostic Coverage (DCavg)– Common Cause Failure (CCF)

• The structure of the Safety Related Parts of the Control System and how the failure of each component affects the safety performance of the safety control system

Functional Safety-Related Block Diagram

• Each circuit has these three elements of either :• Individual components• Sub-systems, with internal monitoring, which perform that function,

• A failure in any block in the series safety-related block diagram, can lead to the loss of the safety function• To evaluate safety performance, each proposed SRP/CS must be

broken into a block diagram of Series Safety Failure Events• Note: this includes the interconnection of the blocks

Sensors

( Status )

Logic

( What When )

Outputs

( How )

Monitoring Monitoring

“Smart” Sensors “Smart” ActuatorsSafety Capable

Communication Communication

Internal Monitor Internal Monitor Internal Monitor

Functional Safety-Related Block Diagram

• Sensor Logic Output• Each circuit has at least these three functions composed

of either :• Individual elements (components)

• Interlock limit switch, contactor• Sub-systems of components in a specific structure

which are grouped to perform that function• Encapsulated sub-system sold as stand alone

functions as independent SRP/CS• Will have their own published PFHD

• Safety Light Curtain, Safety Interlock Module, VFD Safe Stop Controller

• The final power device such as the motor or cylinder is not included in the safety-related block diagram

Safety Function Block Rules• All items which can lead to the loss of safety are

shown in “Series”

• Items which provide an alternate means of performing the safe shut down function when one component fails are shown in “Parallel”

• Do not confuse the electrical or fluid power flow with the orientation of the safety function block– EX: A Safety Interface Module used for Manual Suspension of a

Door Interlock has it contacts in parallel with those of the Door Interlock SIM BUT:

– The safety function block shows them in a series flow since the failure of the Manual-Suspension SIM to drop out, leads to a failure to danger of the Door Interlock Safety Function, as it can no longer perform its safety function

Safety -related Block Diagram

• Devices whose failure to danger causes the loss of the system safety function are

shown as series blocks

• Devices whose failure to danger do not cause the immediate loss of the system

safety, because another element can continue the lost function, are shown in parallel

with that device(s) Either Q1 or Q2 can shut down the hazard

• The order of the components is not significant

– This can simplify calculations and entry into calculation packages.

I1

I2

L1

O1

O2

I1

I2

O1

O2

L1

I1 L1 O1

I1 L1

O1

O2

=

Safety Function Block Rules

• Some PLC and remote devices may have separate components such as I/O modules in addition to the logic unit.

• Example: PLC Remote I/O, Smart drive with field bus

• Safety-related Block Diagram includes the hardware for interconnection of the blocks

• Example: Hard Wire integrity

Safety Networks

Safety Wireless Remote I/O

PFHDS MTTFDQPFHDL

Devices may be simple or complex sub-systems, each with its own individual S, L, and O functions

Adapted From Fig 6.13 BGIA Report 2-2008e

Hazardous

Movement

Pressure Switch

3Way Dump Pilot Check

Directional Valve

Scanner Safety PLC

Note that the Pressure Switch 1S3 is not

part of the Safety –related Block Diagram as

its failure does not directly lead to the loss of

the safety function. It is shown as a

component of the safety-related diagram

The undetected failure of 1S3 will result in

the reduction of the PL of the SRP/CS as its

function in Discovery Coverage to detect

safety critical function of 1V4 and 1V3 is now

lost

If possible, the pressure switch should be

checked for cycling within the safety circuit.

If this is not possible, it should be monitored

in the control circuit. Since PS are typically

not available with Force Guided contacts,

monitor the cycling of it one contact, or add

an intervening FG relay and monitor both its

N.O. and N.C. contacts.

Fig 8.28 BGIA Report 2/2008e

Identify the Category (Structure)

Cat B & Cat 1 = Single Channel

Cat 2 = Single Channel with Monitoring

Cat 3 & Cat 4 = Dual Channel w/ Monitoring

Graphical representation of the four ISO 13849-1:2015 quantitative

measures of the SRP/CS

ISO 13849-1:2015 retains “Categories” as ONE of the components of determining a Performance Level. Also called Structure.

If a circuit cannot be reduced to one of these categories, ISO 13849-1:2015 simplified calculations may not be used

MTTFd Low

MTTFdMedMTTFdHigh

Adapted from Fig 5 ISO 13849-1:2015

The Process to Meet PLr

• Evaluate the four parts of Performance

Levels:

– Category (Cat.)

– Mean Time To dangerous Failure

(MTTFD)

– Diagnostic Coverage (DCavg)

– Common Cause Failure (CCF)

The Process to Meet PLr• The operational time of use at which the component reaches its Mean Time to Dangerous Failure is based on the device and its application

– Electronics: Measured by on-line time

– Mechanically based component which has a wear out mechanism:

• Time of use to reach 10 x B10D number of cycles at the cycle rate of the application

–B10D is the number of cycles at which 10% of test group failed to danger

• Typically expressed in terms of years

In order for the value of ISO 13849-1:2015 to be realized, one must accept the validity of Statistical Mathematics

.

FACT.

MTTFD is a statistical value which in NO WAY MEANS

“Guaranteed Lifetime”, or “Failure-Free-Time”, “Time to First Failure” or any other such concept

It is a numerical value, usually stated in years, which permits the calculation, in percent, of a probability failure to danger during a given period of use

MTTFD in years can be converted to Failure to Danger Rate in terms of failures per hour, λD ,typically based on a 24/7 day 365 days per year

λD (hr.) = 1/(MTTFD (yr.) x 8760)hr./yr.

MTTFD of one year of 24/7 is a λD of 1.14 x 10-4 failures per hour (1.14E-4)

MEAN TIME TO DANGEROUS FAILURE

Mean Time To DANGEROUS Failure MTTFDOne of the quantifiable aspects to the contribution of reliability that is measured in time, of hours or years of use

– Used to predict the Percent of DANGEROUS failures in a population over a defined time period of use

– Not to be confused with Mean Time To (ALL) Failure (MTTF) data – Assumes constant failure rate over time by ignoring the two

curved ends of the “Bath Tub” failure rate curve• Infant mortality by good product design and manufacturing

and/or burn in• Wear out by replacement AT or BEFORE B10D is reached

B10D has been reachedInfant mortality excluded

by manufacturing controls

and burn in

Adapted from Fig. D.1 BGIA 2/200e

Distribution of Failures to Danger

λ=1.9x10-5 PLb λ=6.3x10-6 PLc λ=1.9x10-6 PLd

37%

63%

37%

63%

L

o

g

a

r

i

t

h

m

i

c

S

c

a

l

e

tuse = 1/λd

74%

26%05%

95%

INTACT

FAILED

04%

96%

%f(t) = 1-e-λt

Individual Channel Performance

Adapted from “A New Approach to Machine Safety”Schmersal IPEC Industrial Controls Ltd

3

t=1/λ63.2%

%f(t) = 1-e-λt

%f(t)

3y

10y

30y

100y

•Channel MTTFD of 3 years and less is not acceptable for safety controls since 1/3 would fail to danger within the first year•Single channel capped at 100 year (Exc. Cat 4)

• Electronics (non wear) are assumed to have a linear failure distribution

– Life dependent on hours of use, powered, “on-line”

• Mechanical Components

– “Well Tried” proven performance in similar applications

– Wear out typically driven by number of cycles under load

– B10 Life: cycles of use where 10% of a test population has failed

• Use 10xB10D or 2x10xB10 (assumes 50% of all failures are to danger) to obtain Mean Cycles to Failure, MCTF

– MTTFD is calculated using the Use Profile (nop) of the component

– 10 x B10D x tcycle(sec)

Component Failure

x xDays

YearHours

Day

3600 sec

Hour

• Replace after usage reaches B10D life at T10D = B10D / nop or 20 Years

MTTFD = 10B10D / nop =

Vendor Data• Safety Products previously Certified by a Notified Body

(3d Party) as meeting a Category per EN954-1:1996 may not be automatically extended/converted to a SIL or PL

• Each must be re-certified to the new standard(s)

– This is an expensive endeavor (10 -15K $ each )

• Requires economical justification, by product

– This does NOT mean that a product is no longer safe, just that it have not been validated to the newest standard

– May be freely used in the US as ISO 13849-1 is not an American Standard

• Exception if conformance to RIA15.06:2012 is required since it includes ISO 13849-1:2006 performance level (PL) requirements

Vendor Data• There are four types of functional safety

products

– Electronic components

• Primarily photo-electric and inductive sensors

– Electronic sub- systems

• Safety Light Curtains w/ Solid State output, RFID safety sensors

• Contain self-test to provide PFHD , PL, and/or SIL

Vendor Data– Mechanical components for use as part of a SRP/CS

• Limit switches, relays, contactors, switches, fluid power valves

– Used with Input, Logic, and Output components

– Period of use until replacement, T10D ,must be calculated from B10D and application use rate

• May have dual B10D data for mechanical and for electrical cycle life (including variations due to load/power level) .

– Electro-mechanical sub-systems

• Safety Interface Module with Relay output

• Internal failure is detected by the product and included in the vendor’s published PFHD , PL, or SIL

– Check for MTTFD of relays based on load and cycle rate to calculate T10D

Electronic with Relay output

Safety

Controller

Safety Light

Curtain

Limit Switch

Note: Additional application data

must be followed for given values

of B10 or B10D to be valid• Construction details ex: direct

operating

• Often given with restrictions, most

often loading, approach speed,

and cycle rate

Note: These last two specifications certify the acceptable

performance of specific logic safety function blocks

Electromechanical Components• High Current Rating

If higher loads must be switched through one or moreof the contacts, the minimum and maximum values ofthe contact(s) changes to:

• UL Listed: Min voltage: 15V ac/dc; Min current: 30 mA• ac/dc; Min power: 0.45 W (0.45 VA); Max: 250V ac /• 24V dc, 6 A resistive - B300, R300 per UL508• CE: Min voltage: 15V ac/dc; Min current: 30 mA ac/dc;• Min power: 0.45 W (0.45 VA); Max: 250V ac / 24V dc,• 6 A resistive - IEC 60947-5-1: AC15: 230V ac, 3 A;• DC-13: 24V dc, 2 A• Mechanical life• ≥ 50,000,000 operations• Electrical life (switching cycles of the output contacts,• resistive load)• 150,000 cycles @ 900 VA• 1,000,000 cycles @ 250 VA• 2,000,000 cycles @ 150 VA• 5,000,000 cycles @ 100 VA• NOTE: Transient suppression is recommended when switching inductive• loads. Install suppressors across load. Never install suppressors• across output contacts (see Warning in Overvoltage Cat• II and III).• Output Response Time• 35 ms max.

Safety-related block diagram of

the Output of this component

Mm McMm

Mc

Note specific B10 for each VA loading

Electro Mechanical Component

Safety PLC and Controllers• Failure mode data may be given in different

forms– Controllers which are self contained have data which

includes failure mode of their input and output hardware

• If relay output, may have B10D of the contacts

– PLC which have selectable input and output modules have the main frame values independent of their I/O

• The B10D or PFHD of the I/O may be device specific

• Are added as individual items to safety related block diagram

– Communication between modules such as wire network, wireless, and fiber optical have a separate PFHD for those devices

Remote I/O and Safety PLC

Note each PLC K3, K4 has

an independent remote I/O

module K1 K2

S1 and the horn P1 are a Cat

2 warning sub-system

T1a is a SS1

T1B is a SLS

A separate safety function is

developed for the Gate

interlock by replacing S1

data with B1 and using the

same remaining

configuration

B1

S1

Adapted from Fig. 8.42 BGIA 2/200e

When used per Manufacture’s or Designers use specification Some adjustment for duty cycle and loading is allowed/required. “Full Load” applies not only to electrical load but extreme conditions or marginal operating conditions

B10D examples of “Well Tried” components

Loading variation

provides a

variation factor

of 50x

Partial Table C.1 ISO 13849-1-2015

Cycle/year

variation

provides a

variation factor

of 10x

B10D for Electronic Devices

Tables C.2 C.3 ISO 13849-1-2015

The limitation of MTTFD of each channel values to a maximum of 100 years refers to the single channel of the SRP/CS which carries out the safety function. Higher MTTFD values can be used for single components

How to determine the MTTFD value of a component or sub-system

1. Manufacturer’s data in Powered time or B10D cycles

2. Table Annex C of ISO 13849-1:2015

3. Parts Count in Annex D of ISO 13849-1:2015

4. Choose ten years (i.e. “Medium”).

MTTFD Classification

3.81x10-5 /hr..... 1.14x10-5 /hr.....

1.14x10-5 /hr..... 3.81x10-6 /hr.....

1.14x10-6 /hr.....3.81x10-6 /hr.....

Adapted from Table 4 ISO 13849-2-2015

Capability of the SRP/CS in Order to Achieve a Given PL

MTTFD Low

MTTFD Med

MTTFD High

Channel

(symmetrized)


Figure: 5 ISO 13849-1:2015


Evaluate the four Quantitative parts of the Performance Levels:

– Category (Cat.)

– Mean Time To dangerous Failure (MTTFD)

– Diagnostic Coverage of a Component (DC) or Channel(s) Diagnostic Average Rate (DCavg)

– Common Cause Failure (CCF)


• DC The percentage of a component’s failures to DANGER which are DETECTED divided by ALL of its failures to DANGER

• DCavg For Channels,

• The ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures of all components in the SRP/CS

Diagnostic Coverage

• DC: Ratio of Detected Failures to danger to All Failures to danger

• DCavg: The Diagnostic Coverage for the SRP/CS is the ratio of the failure rate of detected failures to danger to the failure rate of all failures to danger of the individual components (not complete sub-systems wit their own PHFD.

D, n

D, n

Note: For SRP/CS consisting of several parts an average value, DCavg, is used for DC in Fig 5 and Table K

• Determine the DC for each component or sub-system– Percentage of dangerous failures detected

• For an estimation, in most cases, failure mode and effects analysis (FMEA) or similar methods can be used

• A “simplified” approach to estimating DC, using design and construction characteristics (see Annex E ISO 13849-1:2015).

• Obtain DCavg or use worst case DC of a high failure rate component

Diagnostic Coverage for Components and Channel(s)

Table 6 ISO 13849-1:2015

Electro Mechanical Component

Diagnostic Coverage (DC)A table is given in ISO 13849-1:2015 Annex E for examples

. (for additional estimations, see IEC 61508-2)

Adapted from Table E.1 ISO 13849-1:2015

DC and DCavg


MTTFD Low

MTTFD Med

MTTFD High



Channel

(symmetrized)Figure: 5 ISO 13849-1:2015


Evaluate the four parts of the Performance Level:

• Category (Cat.)

• Mean Time To dangerous Failure (MTTFD)

• Diagnostic Coverage (DCavg)

• Common Cause Failure (CCF)

Common Cause Failure

Common Cause Failure CCF: failures of different items, resulting from a single event, where these failures are not consequences of each other.

– Causing simultaneous failures in two separate devices rendering DC ineffective

• EX: two positively mounted limit switches on a common base

• (see Annex F ISO 13849-1:2015)

– Applicable to Categories 2, 3, and 4 • Those which have component monitoring

Common Cause Failure

(Table F.1 [worksheet] lists CCF reduction measures and contains associated values, based on engineering judgment, which represent the contribution each measure makes to the reduction of common cause failures

• For each listed measure, only the full score or nothing can be claimed. If a measure is only partly fulfilled, the score according to this measure is zero.

• Sufficient measures against CCF to claim DC >60% require the attainment of a minimum score of 65 out of 100 from table F.1.

– An initial score of less than 65 requires implementation of additional CCF reduction measures to reach an acceptable score else no diagnostic coverage may be claimed.

Clause Measure Against CCF Score

1 Separation/Segregation 15

2 Diversity 20

3 Design/application/experience

3.1 Protection against over-voltage, over-pressure, over-

current etc..

15

3.2 Components used are “WELL TRIED” 5

4 Assessment/analysis 5

5 Competence/training 5

6 Environmental

(All according to Manufacturer’s Specifications)

6.1 Pertaining to the power source for electrical and fluid power

EMI, RFI, Filtration, Drainage, Dirt Entry

25

6.2 Temperature, Humidity, Dust, Shock, Vibration 10

Data From Table F.1 ISO 13849-1:2015

Must reach a score of at least 65 for Cat 2, 3, or 4 structure to claim a DCAll components in channel must meet requirement to get score > 0 No partial sores

Table F.1 Common Cause Failure (CCF) worksheet

1 Separation/segregation 15

Electro Mechanical component

MTTFD Low

MTTFD Med

MTTFD High


CCF score of 65% or higher


Channel

(symmetrized)Figure: 5 ISO 13849-1:2015

Category B 1 2 2 3 3 4

DCavg None none low medium low medium High

MTTFD of

each channel

low

a Not

covered

a b b c Not

covered

MTTFD of

each channel

medium

b Not

covered

b c c d Not

covered

MTTFD of

each channel

high

Not

covered

c c d d d e

Also see graphic representation

Four Quantitative Measures to Achieve a Required PL

Table 6 ISO 13849-1:2015

• We have now identified sufficient data to provide an estimate of the PL of a safety circuit proposal

• Impact of structure and fault detection

– The MTTFD of a Cat B or 1 is a function ONLY of the failure rates of its parts

– The PFHD of a Cat 2, 3 or 4 system is greater than that of the λ D of its component parts due to the impact of fault detection and/or multiple channels since a component’s failure to danger which is detected, leads to the safe shutdown of the hazard before a system failure to danger can occur

Safety System Defined

So, now what is the Performance Level of a SRP/CS for this Safety Function?

• Having the four pieces of data from above, the PL Graph may be utilized to estimate PL of the SRP/CS– This provides a range of PL possible, depending on the Structure, and

the MTTFD, DCavg, and CCF of the components chosen

• For a more detailed resolution, the data above may be used with ISO 13849-1:2015 Table K.1 to obtain an estimate of the SRP/CS performance– PFHD in failures per hour and thus the PL of the design

– This also permits separation of product characteristics which split the PL lines since their evaluation is based on channel MTTFD ranges

• Use component information and use commercial computer programs

Sy

stem

< 3.8x10-5

< 10-5

< 3x10-6

< 10-6

< 10-7

d

SIL 1

SIL 2

SIL 3

ISO

62061

N/AFigure: 5 ISO 13849-1:2015

PL

CCF=>65

Each Channel with MTTFD of:

3<=MTTFD <10 3.8*10-5 > λ > 10-5

10<=MTTFD <30 10-5 > λ > 3.8*10-6

30<= MTTFD <100 3.8*10-6 > λ > 10-6

Years 1/Hour

PFHD 1/hPL of Safety Related Function of the Control System as a

function of Risk Category

< 10-8


DC avg probability of fault discovery as

% of occurrence

Low 60% <= DC < 90%

Med 90% <= DC < 99%

High 99% <= DC

1.14 E-4

λD

MTTFD =

SO: If the Risk Assessment indicates that the Functional Safety risk reduction measure must meet a performance level PLr = PLd , there are several design choices of both structure and component performance which may meet the design requirement

Practical Application of ISO 13849-1:2015Various Method of Determining PL

• Each method makes certain assumptions and/or simplifications

• The simpler the method, the greater the assumptions

– This drives the solution to the more conservative result

– The highest performance level predictions are obtained using the more detailed calculation methods, typically full computer programs designed for ISO 13849-1:2015

• Mean Time To Dangerous Failure of Mechanical components

• MTTFD is in Years while λD is in per Hour • MTTFD in years = 8760 hours/year λD 1.141E-04 (1.141 x 10-4 )• B10 Number of cycles until 10% of a test population has failed• If B10D is not specifically stated, the Fraction of Failure Rate may

be given B10D= B10/FFR or estimated at 50% of the total failures • MTTFD = Nominal cycles to failure to danger/ Cycles per Year • = 10xB10D / nop

– Ex: To convert B10 life of a component to MTTFD in years on a machine which, runs 240 days per year, for 16 hours per day with a 15 sec machine cycle

(2 x 10 x B10)cycles x 15 sec/cycle

240 days/yr x 16 hr/day x 60 min/hr x 60sec/min

Conversions

MTTFD (years) =

~~

Mission Time T10D

• Note: Mechanical components, which wear out, such as Contactors, Valves etc.. should be replaced at their B10D cycle life since their rate of failure can no longer be considered to be a constant and the MTTFD no longer valid

This includes electro-mechanical relays in Safety Interface Modules which may have a PFHD of 1E-9 but whose relay in that application may have a MTTFD of 25 yr. and a T10D of 2.5 yr.

• Operating time ( also known as Mission Time or )

• TM = T10D = B10D / nop = MTTFD / 10

Single Channel MTTFD of Components or Systems

• MTTFD of a channel is the reciprocal of the sums of the reciprocals of MTTFD of the individual components or sub-systems in the channel.

• Failure to danger of ANY component in the series string faults the system to danger– Therefore in a single channel system:

1/MTTFD Chn = 1/MTTFD comp1 +1/MTTFD comp2 +…..1/MTTFD comp n

OR.

λD Chn = λ D comp 1 + λ D comp 2 +………… λ D comp n

Comp1 Comp 2 Comp n

• MTTFD of Individual CHANNELS are each capped:– Cat 1, 2, and 3 = 100 years

– Cat 4 at 2,500 years

• Components and Sub-systems within a channel are not capped

MTTFD of Channels

MTTFD of Dual Channels• In a Dual channel system, to gain a system MTTFD if:

– The two channels have the same MTTFD , their symmetrized value is the same as that of a channel

– The channel MTTFD are not the same, a symmetrized value calculated as below is used for the combined channels.

– Else the lowest MTTFD of the two is used

• EX: By calculation two channels one 100yr and one 33yr yield a

symmetrized value of 72yr

Calculating DC avg

• The system DCavg is calculated using the Diagnostic Coverage percentage and the MTTFDor λD of all functional components in the system

• Or use the DC value of a high failure rate with lowest DC component for the total system

Note: If a component has a DC of <60% enter DC = Zero

However, its 1/MTTFD must still be added to the denominator

Table K.1 ISO 13849-1:2015• Determine the SYSTEM MTTFD values of Channel or

component Structure, MTTFD , DCavg , and CCF value– Single channels are listed as Structure B or 1 depending

on their MTTFD– MTTFD ≥ 30 years is High = Cat 1

• Locate the closest lower MTTFD in the left column of table K.1

• Locate the Category and DCavg column from the heading left to right.

• From the MTTFD trace to the right until the appropriate Cat/DCavg column is intersected

• Read the sub-system or channel PL or PFHD

ISO 13849-1:2015 Table “K”

Mixed SystemPLe PLe

Safety Light

CurtainSafety PLC

Output is two contactors driven by two outputs of the PLC and monitored by the

Safety PLC

B10 of contactor is 5,000,000 cycles, assume B10D = 2xB10, MTTFD = 10xB10D

Rate of use is 10/hour, 24hour per day, 5 days per week, 50 weeks per year

10x24x5x50 = 60,000 cycles per year (nop)

MTTFD = B10x2x10/ nop = 5x106 x 2x10 / 6x104 = 10x107/ 6x104 = 1.7x103

MTTFD is 1,700 years which is capped at 100 years

DC = 99% from table E1 therefor use HIGH

From Table K.1 this is a PLe for the dual channel of two monitored contactors

Force Guided

Contactor

Force Guided

Contactor

From Table K.1 ISO 13849-1:2015

• The PFHD of the two contactors monitored with the safety PLC was found to be 2.47E-8

• Vendor data supplies values for the SLC and the PLC

• These are added to the contactor PFHD for a total system performance

• PFHDsys = PFHDn

• 4.5E-8 + 1.1E-8 + 2.5E-8 = 8.1 E-8 for a system PLe

Mixed System

PLe PLe

Safety Light

CurtainSafety PLC

Force Guided

Contactor

Force Guided

Contactor

Use of the circular Performance Level

Calculator instead of Table K.1 from

ISO 13849-1:2015this is the same data as Table K

Rotate calculator to expose the

channel MTTFD in the lower

window

Read the MTTFD of a system

with the selected attributes from

the upper window.

Based on color code find PL

exponent

EX: For a Channel or Channel

combination with a MTTFD of

33 years, used in a given

structure and with a given DC,

the MTTFD of the component

when used in this CONTROL

SYSTEM is from 3.46x10-6

/hr..... in a Cat 1 to 8.57x10-8

/hr..... in a Cat 4 with a High DC

These numbers translate into a

PL of “b” to an “e” (Ref pg. 7)Can be ordered on-line from IFA.org

Values for “B” only between 3 and <30 years

Determine the SYSTEM PL

an EXAMPLE

Convert the Functional Safety SRP/CS to a Safety-Related Block Diagram

• Determine the structure of the circuit and identify its in-series components or sub-systems for each channel– Determine the structure and components of the

three functions for each sub-system

• Input, Logic, Output• Identify which components or sub-systems,

will cause failure to danger of the entire channel when their failure to danger occurs

ALWAYSCreate the Safety-related block diagram from the

circuit drawing

OPENOPEN

A1

S11

S21

S22

S12

SIM

13 14

23 24

Machine

Sequence

S31

S32

FGC1

FGC2

LS1 LS3

LS2 LS4

SIM

FGC 1

FGC 2

LS1

LS2

FGC 1

FGC 2

SIM

LS3

LS4

FGC 1

FGC 2

SIM

Each door, with its two interlock

switches, is evaluated independently

The impact of the series connection of

the two door interlocks is reflected by

reduction of DC to MED

The MTTFD of the FGC is based on the

SUM of the cycles of both doors

PLC is for machine sequence logic only

and does NOT enter the safety-

related diagram

NOTE: The cycles/yr.

of the SIM and FGC are the

Sum of Door 1 and Door 2

cycles

Door 1

Door 2

PLC

Methodology

PL Graph(Estimate)

Diagram of Circuit to be Verified to Meet or Exceed PLr

Verification Process

Identify:• Category (Cat.) = known circuit structure

• MTTFD = calculated from data provided by the manufacturer to determine “low”, medium”, or “high” for the channel(s)

• Diagnostic Coverage (DCavg) = identify methods and the “percentage” from a table to determine “none”, “low”, medium”, or “high”

• Common Cause Failure (CCF) = Do the worksheet and determine if the design meets a score of 65 or better for Cat ≥ 2.

Then apply the above information to the chart…

Machine

Logic only

MTTFD Low

MTTFD Med

MTTFD High

PL Verification

CCF>65

The resulting PL = “d” or “e”

(meets or exceeds the

required PLr level of “d” from

the Risk Assessment

Cat 3

MTTFD =High

DC avg = Medium

CCF = 70

PLr = PLd


Figure: 5 ISO 13849-1:2015

Matrix of generalized requirements of the four Quantitative Measures when used with a specific structure to achieve a required PLr

.

Here to achieve a PLd, any of the shaded methods can meet the requirement

Category B 1 2 2 3 3 4

DCavg None none low medium low medium High

MTTFD of

each channel

low

a Not

covered

a b b c Not

covered

MTTFD of

each channel

medium

b Not

covered

b c c d Not

covered

MTTFD of

each channel

high

Not

covered

c c d d d e

Adapted from Table 6 ISO 13849-1:2015

Methodology

• Summation of PL sub-systems

Summation of PL Systems

• Determine the structure of the circuit and identify its in-series components or sub-systems for each channel

• Draw the Safety-related block diagram to identify which components or sub-systems, will cause failure to danger of the entire channel when their failure occurs

• Determine the PL of each component or sub-system using:– Published manufacturer’s data – Estimates from Appendix of safety components– Calculate from MTTFD and Table K.1 or Circular Calculator

• Use PL count chart to reduce to system PL performance

• Determine the PL of each sub-system connected in Series in the Safety-related Block Diagram

• Determine lowest PL=PLlow

• Count number of PLlow in the series string

• Use clause 6.3 Table 11 to determine PL of the string

• This is simplified method of the mathematical summation of the probabilities of failure using sub-system 1/MTTFD values

Sub-Systems’ PL Count

Table: 11 ISO 13849-1:2015

PLn Count Method

Lowest PL=d

Number of lowest PL =2

For PLd ≤ 3 = PLd

If we had used a remote I/O structure using a network, two additional elements would have been added to the safety-related block diagram as shown on the next page

Safety Light

CurtainSafety PLC

Safety Rated

ROBOT Stop

PLe PLd PLd

PLe PLd PLd PLd PLd

Safety Light

CurtainSafety PLC

Safety Rated

ROBOT Stop

Remote

Network Input

Remote Network

Output

Lowest PL=dNumber of lowest PL = 4For PLd > 3 = PLc

Note: There is a good reason to use the finer granularity method of summing actual 1/MTTFD for each component or sub-system. If actual values are used, they may be capable of achieving a higher system PLd. This is due to the use of the Mid value of MTTFD for each sub-system PL rather than the exact value which might be higher than its PL mid-value

PLn Count Method

PLn Count Method with Components

• Channel mixed with individual components, – ISO 13849-1:2015 Table K.1 or its circular calculator may be used to

establish the component’s PL for use with PL count method– Using the Safety-related block diagram, determine the structure category

(Cat 3 or 4)– Determine the MTTFD of the component(s) (51 years)– Calculate DCavg of their portion of the system (high) and confirms Cat 4– Determine the equivalent PL from the table K.1 or circular calculator

PFHD= 5.3E-8 which is Cat 4 PLe– Use this PL as one of the sub-systems in the series channel string– Lowest PLe, number of lowest is ≤3 therefore system is PLe

PLe PLe

Safety Light

CurtainSafety PLC

Force Guided

Contactor

Force Guided

Contactor

PFHD=5.3E-8 converts to PLe

Calculation of System PFHD to Define System PL

Determine the MTTFD of each component in series

– Each component can cause the loss of the safety function

– Determine the MTTFD of the series system

– Calculate the DCavg

– Verify CCF score ≥65

– Use Table K.1 or circular calculator to determine system PL

Is This a Cat 4 PLe Circuit?

Safety Interface

Module

Force Guided

Contactor

A

Force Guided

Contactor

B

Limit Switch

A

Limit Switch

B

Safety Interface

Module

Force Guided

Contactor

A

Force Guided

Contactor

B

Limit Switch

A

Limit Switch

B

From ISO

13849-1:2015

Table K.1

Using B10 and cycle rate we calculated the following

MTTFD of Limit switch A=B= 65 yearsMTTFD of Contactor A=B = 80 years

MTTFD of either channel = 1/ (1 MTTFD2 +MTTFD3)= 1/ ( 1/65+1/80) = .0153+.0125= .0278 MTTFD = 37 Years

Since both channels are the same, that is also the symmetrized System channel MTTFD

Assume DCavg = >90, but <99 therefore is MEDIUM From ISO 13849-1:2015 table K.1 next lowest MTTFD value of 36 PFHD = 2.01E-7, Safety Interface Module vendor data PLe PFHD= 6.26E-8

TOTAL the system PFHD is 2.01E-7 + 6.26E-8 = 2.64E-7 ; Cat 3 PLd

Numerical Example of a Mixed System

Example

Pressure Switch

3Way Dump Pilot Check

Directional Valve

Scanner Safety PLC

3.0E-7 1.5E-7

150yr 150yr

150yr

75yr

• Symmetrized MTTFD of valve dual channel of 75 and capped single valve 150 to 100 = 88 yr.

• DC of both 1V3 and 1V4 is 99% via 1S3

• DC of 1V5 by process monitoring is 60%

• DCavg is calculated to be 86%, <90% therefore low

• Valve channel is Cat 3 DCavg Low

• CCF score from table F.1 >65

• From table K.1 closest lower values of 82 yr. and low DCavg (60%) hydraulic system PFHD is 1.14E-7

– This is conservative due round down, actual calculations using SISTEMA would yield a value of 6.2E-8

• Resultant system performance is sum of the three PFHD

Conservative 5.6E-7 PLd or calculated 5.1E-7 PLd

Fig 8.28 BGIA Report 2/2008e

We can now take a closer look at the two “Equivalent” light barriers introduced at the start of the

discussion

Example of the “Spectrum” Within a Given Category

• The dedicated standard PLC monitors the function of the

three photoelectric sensors and the follower relay K1

• The PLC is not a Serial component in the Safety-related

Block Diagram, i.e. its failure does not directly result in the

loss of the safety function, therefore its MTTFD is not

included in the safety channel calculation

• MTTFD of the PLC is 50 years and is >1/2x the MTTFD of

the system being monitored, thus meets the minimum

requirement for a test component for this system

•

•The Type 2 Safety Light Curtain is certified by a Third Party

Test Laboratory to meet the required standards of Cat 2 and

has a PLd

• The Interface Module is a pre-wired set of two Force

Guided Relays, monitored by the SLC

• The solenoid valve is a Well Tried hydraulic component

with a MTTFD of 150 years at this operation rate

• Both systems’ performance is limited by V1 because it is

not monitored

• For a Mission Live of 20 years, the PE circuit has a 42%

chance of Failure To Danger while the Type 2 Safety Light

curtain PLc has a 18% chance of failure.

Safety Light

Curtain Type 2

V1

Switched

Output

PLC

K1

K1 V1


FGR

P1 K1P2 P3 V1

PLC

1.86E-6 + 1.14E-6 = 3.0E-6

MTTFd = Yr. PLb 41% fail @20 Yr.

Cat 2, DC=low, MTTFd 33, λ=1.86E-6Capped

MTTFd=100

100 100 100 1302 150

6.9E-8 2.5E-8 150

1214 100

9.4E-8 1.14E-6

6.9E-8 + 2.5E-8 + 1.14E-6 = 1.23 E-6

MTTFd = 93 Yr. PLc 19% fail @20 Yr.

Note: SPR/CS performance limited by un-monitored valve

32.5

Switched

Output

PLC

K1

K1 V1


FGR

Safety Light

Curtain Type 2

V1

SLC

IM

V1

IM

Computer Based Calculation of System PL

• Computer programs both free and for purchase are available to calculate system PL• These have the advantage of using the full range of

values of MTTFD and DCavg rather than round down use of the granular values of ISO 13849-1:2015 table K.1, programs typically will result in a higher System MTTFD

• These programs should not be used without a thorough understanding of ISO 13849-1:2015.• Failure to understand the safety evaluation process

will result in a “Plug In and Grind” effort which, while providing a numerical value, may contain serious errors.

• A generic no-cost program is briefly represented in Appendix A. At-cost as well as no-cost programs are available from numerous Safety Product vendors

Appendix A

SISTEMA Evaluation tool

• A free software to assist in determining PLs from the IFA (research arm of the BG, German Insurance Agency)– http://www.dguv.de/ifa/en/pub/rep/rep07/bgia0208/index.jsp– Program accepts component values and topography as well as DC and CCF data

and calculates the final value of PL and 1/MTTFD also known as λD– Shows shortfalls in performance– Useful in component and structure “what if ” scenarios for specific PL– Standardized Component files may be imported from vendors or user specific

data

• SISTEMA Calculator Program for PL per ISO 13849-1-2015– FIA Software– Identify

• Category• Safety Logic Blocks• MTTFD of components

– Standard components file– User components customized file

• DCavg • CCF

SISTEMA

http://www.dguv.de/ifa/en/pub/rep/rep07/bgia0208/index.jsp

Annex BFrom ISO 13849-1:2015

Safety-Related Block Diagram

Annex B Table: B.1 ISO 13849-1:2015

Annex CFrom ISO 13849-1:2015

MTTFD and B10D

for components

Annex C Table: C.1 ISO 13849-1:2015

Annex EFrom ISO 13849-1:2015

Table E.1 Diagnostic Coverage ISO 13849-1:2015

Annex E Table: E.1 ISO 13849-1:2015

Measure DC

Logic component

Table E.1 ISO 13849-1:2015

Continued

Annex E Table: E.1 ISO 13849-1 :2015

Table E.1 ISO 13849-1:2015Continued

Annex E Table: E.1 ISO 13849-1:2015

Appendix FFrom ISO 13849-1:2015

Clause Measure Against CCF Score

1 Separation/Segregation 15

2 Diversity 20

3 Design/application/experience

3.1 Protection against over-voltage, over-pressure, over-current etc.

15

3.2 Components used are “WELL TRIED” 5

4 Assessment/analysis 5

5 Competence/training 5

6 Environmental

6.1 Pertaining to the power source for electrical and fluid power

EMI, RFI, Filtration, Drainage, Dirt Entry

(All according to Manufacturer’s Specifications)25

6.2 Temperature, Humidity, Dust, Shock, Vibration 10

Quantification of Measures CCF

Annex F Table: F.1 ISO 13849-1:2015

Must reach a score of at least 65 for Cat 2, 3, or 4

All components/components in channel must meet requirement to get score >0 No partials

Appendix KFrom ISO 13849-1:2015

Table K.1 ISO 13849-1:2015

Annex K Table K.1 ISO 13849-1:2015

Heinz Knackstedt

Safety Engineer

TÜV Functional Safety Engineer

C&E sales, inc.Dayton, Ohio USA

Office: +1 (937) 434-8830

Cell: +1 (937) 545-6494

[email protected]

Add Your

Logo Here

Contact Information

ISO 13849-1 PL Calculations Simplified - Robotics Online 13849 PL... · ISO 13849-1 PL Calculations...

Documents

Transcript of ISO 13849-1 PL Calculations Simplified - Robotics Online 13849 PL... · ISO 13849-1 PL Calculations...