WELCOME

The topic for today is:

Sensors Safety Vision Motion Automation Controls

Circuit Design for ISO13849-1-2006

Your presenter is: Heinz Knackstedt
hknackstedt@cesales.com (937) 434-8830 Office (937) 545-6494 Cell

A Single SourceA Total Solution

page 1 Design with ISO 13849 110401

Who we are and what we do

Thirty+ years serving the automation industry 30 account representatives who live near their customers 12 Technical Support Specialists, both in the field & in the office 8 Customer Service Reps, quotes, delivery information, expediting

Sensors Safety Vision Motion Automation Controls

Large inventory; same day shipping on stock items 95% or better on time delivery Order online, via EDI, Credit Card, Fax, or Phone 24 Hour emergency assistance Lunch & Learns, Seminars, and in-depth training classes
Generic Technology or Product application specific www.cesales.com 800-228-2790
page 2 Design with ISO 13849 110401

A Single SourceA Total Solution

Circuits for ISO 13849-1-2006

Objective
Functional over view of ISO 13849-1 Establish basis for further self study

Contents
Background and safety with EN-954-1-1996 Basic Safety Circuit Structure from EN-954-1 Introduction to ISO13849-1 Component failure and MTTFd Evaluation of sub-systems and systems Explanation of DCavg and CCF Example of simplified PL evaluation Commercial PL Calculation programs Simplified example

page 3 Design with ISO 13849 110401

MACHINE SAFETY IS NOT AN OPTION!

The General Duty Clause 5(a) (1) of the OSH Act-1970 Public Law 91-596 requires that:
Each employer shall furnish to each of his employees, employment and a place of employment, which is free from recognized hazards that are causing or are likely to cause death or serious physical harm

A less well known part 5(b) further states that:

Each employee shall comply with occupation safety and health standards and all rules, regulations and orders issued pursuant to this Act which are applicable to his own actions and conduct
page 4 Design with ISO 13849 110401

Performance of the Safety Related Parts of the Control System

U.S. OSHA Control Reliable
No single fault shall cause the loss of the safety function B11.0-2010 and RIA-15.06-1999 provided some guidance of the construction and performance of the SRP/CS as a function of the level of risk reduction required

International - Machinery Directive

ISO and EN consensus standards are harmonized so that if a machine is designed to these standards, there is a Presumption of Conformity with the Machinery Directive. Standards describe a method of determining the performance and design requirements of a level of risk reduction as established by a Risk Assessment
EN-954-1-1996 ISO-13849-1-2006 Hundreds of Machine specific C level standards
page 5 Design with ISO 13849 110401

Some Background
Safety of Machinery EN-954-1-1996 Was the Starting point

page 6 Design with ISO 13849 110401

EN-954-1-1996
Defined five Level of Risk categories each of which described a safety control system with appropriate performance for its risk reduction It is considered Deterministic or Qualitative so that conformance to the requirement cannot not be positively established nor substantiated Resulted in a spectrum of acceptable system performance within a category Specifically defined the categories as Non Hierarchical
A system which meets the risk reduction requirements for one risk level, does not necessarily provide a greater risk reduction than one which meets the requirement for a lower risk level. In practice, the hierarchical approach has been quite successful when
Components of similar reliability are used Exclusions used in a lower category are valid Same preventive maintenance is applied Environmental conditions have the same effect on the devices

This system was adopted as a functional guide line in the US, as initially, there was no similar U.S. system
Control Reliable term was used but not well defined. RIA-15.06-1999 offered an alternative with both a risk assessment and risk reduction strategy, with some specific guidelines, modeled after EN-954-1. B11.0-2010 has a very qualitative description of the process.
page 7 Design with ISO 13849 110401

Example of the spectrum within a given category

P.E. Switched Output PLC

PLC Q1

Safety Light Curtain Type 2

SIM Cat 4

Using standard Photo Electric sensors, this circuit has been certified by TUV as meeting Cat 2 if monitored by a DEDICATED, but non Safety Rated, PLC The TYPE 2 Safety Light Curtain has been certified as meeting Cat 2 The probability of the TYPE 2 safety light screen failing UNSAFELY is incredibly small due to internal testing (per IEC 61496 Type 2) while the chances of a P.E. sensor failing to ON is much higher. The external testing of the P.E. by the standard PLC is less positive Both been certified as meeting the same Category risk reduction requirements. page 8
Design with ISO 13849 110401

EN-954-1 The Process

Perform a Task based Risk Assessment
Identify all Hazards and the Tasks performed while exposed to them

For each Task/Hazard pair, qualify the three variables which together determine the level of risk
Seriousness of the potential injury
Serious Slight

Frequency of Exposure to the Hazard

Continuous Seldom

Ability to Avoid the Harm

Difficult, hardly possible Easy, almost assured

The Level of Risk identifies a reasonable minimum safety systems functional performance appropriate to reduce that risk to a tolerable level
There are Five Risk Level Categories B, 1, 2, 3, and 4 Each has a functional description of the behavior of the safety system under fault conditions, and a suggested circuit architecture to attain such performance.
page 9 Design with ISO 13849 110401

EN-954-1-1996

P1 F1 P2 P1 P2 P1 P2 P1 P2

EN954-1 ISO13849-1-2006 IEC 62061

PLr 1/h= a b <10-4 <10-5

SIL N/A 1

B B 1

S1

F2 F1

h is Mean Time to Dangerous Failure MTTFd in hours

<3x10-6

One year of 24/7=8736 hr or just under 104 hours

2 3 4
Risk Category
page 10 Design with ISO 13849 110401

S2

F2

d e

<10-6

2 3

<10-7

What does the categorys structure look like?

CR1 CR1

CR1

Cat B
Safety Block Diagram
I
Input Signal

Output Signal

Cat B = Single Channel also often called Simple

page 11 Design with ISO 13849 110401

What does the categorys structure look like?

CR1

CR1

CR1

Cat 1
Safety Block Diagram
I
Input Signal

Cat 1 = Single Channel Cat 1 uses Better Stuff than B Components with longer mean time to DANGEROUS failure (MTTFd) and at least some are Safety Rated Postpone but not prevent the failure to danger
page 12 Design with ISO 13849 110401

Output Signal

What does the categorys structure look like?

Safety Block Diagram

Test Stimulus Monitoring

Cat 2
I
Input Signal

L
Trigger Signal Monitoring

Control Signal

Cat 2 = Single Channel with monitoring Monitor at suitable interval May not always be able to shut down the hazard, but only warn and inhibit next hazardous cycle/situation
page 13 Design with ISO 13849 110401

Dashed monitoring lines represent reasonably practicable fault detection

2nd Switchoff Path

TE

OTE

What does the categorys structure look like?

Safety Block Diagram

I1
Input Signal Monitoring

Cat 3
O1

L1
Cross Monitoring

Output Signal

Dashed monitoring lines represent reasonably practicable fault detection

Monitoring

Cat 3 = Dual Channel No Single Fault causes loss of the Safety Function w/ Conditional Monitoring (May not detect all failures)
page 14 Design with ISO 13849 110401

I2

Input Signal

L2

Output Signal

O2

What does the categorys structure look like?

10

Safety Block Diagram

I1
Input Signal Monitoring

Cat 4
O1

L1
Cross Monitoring

Output Signal

Cat 4 = Dual Channel

No Single Fault causes loss of the Safety Function

Solid monitoring lines represent technically feasible fault detection

Monitoring

w/ Complete Monitoring Must detect first fault or continue to protect with this fault until the next fault, when it or the combination of faults, must be detected
page 15 Design with ISO 13849 110401

I2

Input Signal

L2

Output Signal

O2

page 16 Design with ISO 13849 110401

Then came the new Machinery Directive 2006/42/EC which drove the need for a new Machinery Safety standard ISO 13849-1-1999 2006
Safety of Machines Safety Related Parts Of Control Systems General Design Principles Performance Defined in Performance Levels PL IEC 62061 Safety of Machines Functional Safety of Electrical, Electronic, and Programmable Electronic Control Systems Performance Defined in Safety Integrity Levels SIL CL
page 17 Design with ISO 13849 110401

Current Standing
To meet the safety performance required for sale and use in the European and some other International Markets, a machine must meet the current Machinery Directive When a standard is harmonized with the Machinery Directive, building the machine to that standard is presumed as proof of conformity to the Machinery Directive What is status ISO 13849-1 has been listed as a Harmonized Standard with the M.D.
When a standard is superseded it is retired and can no longer be used as proof of conformity EN 954-1 has been extended through Dec 2011
which means either may be used as presumption of conformity to M.D.

Machine Level C standards are still presumed to be in conformance, but require adherence to EN-954-1
At issue is can a machine be built to the C standard if its safety related parts of the control system are designed to ISO13849-1 Or Does a machine built to the C standard meet the Machinery Directive if built to EN-954-1

The data and Third Party certification to the new standard of many safety rated components are not available, which precludes their use in a system to the new standards
page 18 Design with ISO 13849 110401

Why worry about ISO13849 in the US, isnt it a European problem?

There are many aspects of the new standard which can help our industry understand the design of safer and perhaps more cost effective machines Provides a quantitative method to evaluate the impact of component, circuit or fault detection changes on the system performance This standard can manage mixed category construction U.S. is theoretically bound by this international standard (ISO)
EN-954-1 was a European Standard

Many organizations build machines for both markets, or purchase them there Although never part of our regulatory system, the Risk Categories of EN-954-1 have become engrained in our safety vocabulary and in the machinery safety design for the U.S. market EN-954-1 has influenced both ANSI B11.0 and RIA 15.06 RIA is looking at adoption of the Robotic standards ISO 10218-1 and -2 with National Deviations.

page 19 Design with ISO 13849 110401

Objectives of the new Machinery Safety standard

Replace Qualitative with Quantitative SRP/CS performance Based on Probabilistic Calculations of MTTFd of the SRP/CS Mean Time To Dangerous Failure For a required level of risk reduction, as determined by the Risk Assessment, DEFINE the MINIMUM:
Performance criterion of individual components, sub-systems and channels in terms of MTTFd Structure of the SRP/CS Considerations for reduction of Common Cause Failures (CCF) Requirements of Diagnostic Coverage (DCavg) component failure discovery, capable of being detected, in terms of % of failures to danger.

15

page 20 Design with ISO 13849 110401

Objectives of the new Machinery Safety standard

Continue the use of the general structure used in EN-954-1 Categories as the basis for circuit design
These standard structures have made it possible for many of the simplifications of the statistical calculations of MTTFd in ISO 13849 to be made Alternative is to do complete FMEA calculations per IEC 61508

Based on safety circuits MTTFd performance requirement, permit simpler structure for some level of risk reduction which otherwise would not meet the qualitative definition under EN-954-1
Using components with varying individual MTTFd values, complete safety control systems may be capable of meeting system performance level with sub-systems of less complicated structures than is possible under EN-954-1
May permit use of sub-system with mixed structure, not possible in the qualitative evaluation
page 21 Design with ISO 13849 110401

Organization of ISO 13849-1

Safety of Machines
Risk assessment according to ISO 14121-1 now incorporated into just released ISO 12100 For a given risk as defined above:
Determine the Performance Level of the Safety Related Parts of the Control System required to reduce the risk to a tolerable level

Functional Safety
Divided into SIX steps Performed Sequentially
page 22 Design with ISO 13849 110401

The Process,
1 Definition of the safety-technological requirements
Safety function characteristics and interface to the basic machine control

2 Selection of required performance level

From Risk Assessment results
PLa through PLe for Machine and electromechanical and mechanical devices SIL 1 through 3 for electronic and programmable devices

3 Safety Design
Execution of the design requirements above with appropriate components

4 Definition of the achieved performance

Determine Safety System Mean Time To Dangerous Failure MTTFd
Using vendor data for safety rated components B10 life for components which have a wear out cycle

5 Verification 6 Validation

All Safety Functions meet risk reduction requirements PLr determined by the risk assessment All safety relevant parts meet the Qualitative reduction requirements

page 23 Design with ISO 13849 110401

Editorial Comment
In order for the value of ISO13849-1 to be realized, one must accept the validity of Statistical Mathematics

FACT
MTTFd is a statistical value and in NO WAY MEANS Guaranteed Lifetime, or Failure-Free-Time, Time to First Failure or any other such concept It is a numerical value, usually stated in years, which permits the calculation of probability of failures in terms of % for a given period of use MTTFd in years can be converted to Failure Rate in terms of failures per hour d typically based on a 24/7 day 365 days per year
d(hr) = 1/(MTTFd(yr) *8760)hr/yr or MTTFd of one year of 24/7 is approximately a d of 10-4 failures per hour
page 24 Design with ISO 13849 110401

Distribution of Failures to Danger

L o g a r i t h m i c S c a l e

20

= tuse = 1/d
37% 63%

37% 63%

=1.9x10-5 PLb

=6.3x10-6 PLc

=1.9x10-6 PLd

page 25 Design with ISO 13849 110401

Individual Channel Performance

3y 10y

%f(t) = 1-e-t
t=1/
30y

63.2%

100y

%f(t)
3

From A New Approach to Machine Safety Schmersal IPEC Industrial Controls Ltd

Channel MTTFd of 3 years and less is not acceptable for safety controls Channel MTTFd cap of 100 years is used to prevent overshadowing a lesser capable second channel

page 26 Design with ISO 13849 110401

ISO 13849-2006

P1 F1 P2 P1 P2 P1 P2 P1 P2

EN954-1 ISO13849-1-2006

PLr 1/h= a <10-4 b <10-5

SIL
IEC 62061

B B 1

N/A 1

S1

F2 F1

<3x10-6

2 3 4
d <10-6 e <10-7 2

S2

F2

Note: Correlation of risk levels between EN-954-1 and ISO 13849 or IEC 62061 are not identities, but are given for relative comparisons only See also B11-TR4

h is Mean Time to Dangerous Failure MTTFd in hours

One year of 24/7=8760 hr or just under 104 hours

page 27 Design with ISO 13849 110401

PL of Safety Related Function of the Control System as a function of Risk Category

ISO 62061 N/A PL

ISO 13849-1-2006 d 1/h

< 10-4 < 10-5

System

SIL 1

< 3x10-6

SIL 2

Channel

< 10-6

SIL 3

< 10-7

CCF=>65

A Cat 3 structure, with Medium MTTFD a Low DCavg and a CCF score 65, can achieve a PLc
page 28 Design with ISO 13849 110401

Safety Rated Components

Tested to product specific standards Performance under failure modes
Categorized by the different standards Older or legacy product may have only the category
Each product must be re-certified to the current standard by a 3d party testing laboratory (NRTL) to obtain the PL or SIL Products with only EN-954-1 Cat are not necessarily less capable, just not re-tested to the latest standard Were totally acceptable for the same risk category in the old standard SIL, PL, Cat, MTTFd , or B10d

The PL level describes the potential performance of the device when correctly used following the manufacturers recommendation Well Tried are listed with industry or manufacturer developed B10d or B10
page 29 Design with ISO 13849 110401

 Electronic (non wear) are assumed to have a linear failure distribution

Life dependent on hours of use Ignore the two ends of the Bath Tub
Infant mortality due to manufacturers burn in Component degradation is too far out

Device Failure

25

Mechanical Devices
Well Tried proven performance in similar applications Wear out typically driven by cycles under load B10 Life, level of use where 10% of the population has failed
Use 10xB10d or 2x10xB10 (assumes 50% of failures are to danger) to obtain Mean Cycles to Failure MCTF

MTTFd is calculated using the Use Profile (nop) of the device MTTFd = 10B10d / nop = 10 x B10d x tcycle(sec)
Days x Hours x 3600 sec Year Hour Day

Replace after usage reaches B10d life at T10d = B10d / nop or 20 Years page 30
Design with ISO 13849 110401

B10d examples of Well Tried components

Table D.2
partial table

Loading variation provides a factor of 50x

From Appendix D BGIA Report 2/2008e

When used per Manufactures or Designers use specification

Some adjustment for duty cycle and loading is allowed/required. Full Load applies not only to electrical load but extreme conditions or marginal operating conditions
page 31 Design with ISO 13849 110401

Limit Switch

Safety Light Curtain

Safety Controller

Note: These specifications certify the acceptable performance of specific logic safety functions
page 32 Design with ISO 13849 110401

Fault Exclusion
If a fault may be excluded, its occurrence does not need to detected, thereby decreasing the systems requirement to detect faults, DCavg

Technical improbability of certain faults Generally excepted technical experience Technical demands regarding the application and special hazards Design and construction may be used to exclude some faults

Excluded faults must have a documented explanation why the exclusion is valid
page 33 Design with ISO 13849 110401

Determination of PL
Determine the structure and components of the three functions for each sub-system
Input, Logic, Output Identify when failure occurs, which components will cause failure of the entire sub-system

30

Determine the PL of each Channel, System, and Subsystem using

Published manufacturers data Estimates from Standards Appendix of Safety and Well Tried devices Summation of 1/MTTFd of series components or Sub-systems Commercial programs for complex sub-systems
page 34 Design with ISO 13849 110401

Safety Related Parts of the Control System

Safety Functions are implemented by the Safety Related Parts of the Control System (SRP/CS)

Sensor Detect

Logic Process

Actuator Actuation

SRP/CS

iab

SRP/CS

iix

SRP/CS

PL

Any Sub-System or Channel

The design presented here is based on the simplifications to the statistical analysis allowed by the use of the structures required for given PL. Deviation from these structures will require full analysis using FMEA and full statistical methods. Any failure modes in the interconnection iix between sub systems must be included on one of the sub-systems
page 35 Design with ISO 13849 110401

Sub-Systems
I1 L1 I2 O2 O1

Simplification by Re-arrangement

I1 L1 I2

O1 O2

Note One of the advantages of ISO13849-1, allows the evaluation of mixed risk category solutions

From BGIA Report 2-2008e

MTTFdS

MTTFdL

MTTFdQ

page 36 Design with ISO 13849 110401

Here comes the math

The MTTFd of a single channel with N series failure components is:
1 MTTFd Chnl

i=1

1 MTTFdi Comp

The MTTFd of two channels, each with a MTTFd with no monitoring is: 1 MTTFdC1+MTTFdC2 1 MTTFdC1 + 1 MTTFdC2

MTTFd=

Ex: if MTTFdC1=50 years and MTTFdC2 =100 years MTTFd= 77.8 years

page 37 Design with ISO 13849 110401

 Determine the PL of each sub system connected in Series using MTTFd data Determine lowest PL=PLlow Count number of PLlow in the series string Use table 6.6 to determine PL of the string This table is a simplified method of the mathematical summation of the probabilities of failure using sub system mid-point 1/MTTFd values Or
1
N

MTTFd Chnl

i=1

1 MTTFd (Subsystem)i

Table 6.6 BGIA2/2008e

page 38 Design with ISO 13849 110401

Average Diagnostic Coverage

Is typically very difficult to calculate, it depends on
The ratio of undiscovered to discovered faults to danger The mean time of occurrence of each of these faults

The standards provide some guidance tables of the average achievable, given certain design considerations and features.
These allow for the DCavg groupings of 60% to 90%, 90% to 99%, and greater than 99%

Estimate DCavg of n components of a sub-system

DCavg =

i=1

DC(i) MTTFd(i) 1 MTTFd(i)

page 39 Design with ISO 13849 110401

From Table E.1 Diagnostic Coverage ISO 13849-1-2006

Partial listing

page 40 Design with ISO 13849 110401

Common Cause Failure CCF

Especially important where the same cause results in dangerous failures in both channels of a dual channel system Common Cause could result in the failure of one system and its failure to be incapable of being detected by the Open other channel, negating the value of dual channel Hazard monitoring
Access One lies, and the other swears to it ! Two door closed limit switches mounted in a positive mode, but on the same mounting plate. If the plate becomes detached, neither limit switch will detect that the door is open To assure that common cause failures do not negate the value of dual channel systems and their monitoring function, they must be designed with the following characteristics to amass a point total of at least 65 points

page 41 Design with ISO 13849 110401

CCF are Failures of different devices, resulting from the same single event Failures are not consequences of each other ISO 13849-1-2006
Clause 1 2 3 3.1 3.2 4 5 6 6.1 Measure Against CCF Separation/Segregation Diversity Design/application/experience Protection against over-voltage, over-pressure, overcurrent etc Components used are WELL TRIED Assessment/analysis Competence/training Environmental
Pertaining to the power source for electrical and fluid power EMI, RFI, Filtration, Drainage, Dirt Entry (All according to Manufacturers Specifications)

Reducing Common Cause Failures

Score 15 20 15 5 5 5

25 10
From ISO 13849-1:2006 Table F.1 page 42 Design with ISO 13849 110401

6.2 Temperature, Humidity, Dust, Shock, Vibration Must reach a score of at least 65 for Cat 2, 3, or 4 structure

All devices/components in channel must meet requirement to get score >0 No partials

System PL performance using:

The performance level of dual channel monitored systems can only be calculated using FMEA and complicated statistics Simplifications can be permitted in calculation of system MTTFd using:
Category Structure PL, or MTTFd of the components and sub systems DCavg % Common Cause Failure scoring system

OR

This statistical treatment of failure and detection results in complete systems whose performance exceeds that of the individual components or channels Means available to the average, non-mathematician, user
Use of PL estimation wheel Commercial and Free SIL and PL Computer Programs
Vendors contain library of components of their products SIL, PL, or MTTFd Most will permit import of user library data
page 43 Design with ISO 13849 110401

PL of Safety Related Function of the Control System as a function of Risk Category

ISO 62061 N/A PL MTTFd=

35

ISO 13849-1-2006
1 d

1 MTTFd Sys

% failure @ time t

f(t)=1-e- d t

d 1/h

< 10-4 < 10-5

If t=1/d then f(t) = 63%

System

SIL 1

< 3x10-6

SIL 2

Each Channel with MTTFd of:

< 10-6

SIL 3

Years 1/Hour -5 3<=MTTFd<10 4*10 > > 10-5 10<=MTTFd<30 10-5 > > 4*10-6

30<=MTTFd<100 4*10-6 > > 10-6

< 10-7 CCF=>65

DC avg probability of fault discovery as = % of occurrence Low 60% <= DC < 90% Med 90% <= DC < 99% High 99% <= DC

[(D* di
i-1

(t)
Ddi) di]
i-1

D= Faults to danger D*=Faults detected

di
1 MTTFd Chnl

i=1

1 MTTFdi Comp

page 44 Design with ISO 13849 110401

Calculation Estimate by PL Wheel

Circular Calculator

Channel MTTFd of 30 years DC High (Cat4) CCF 65

Align 30 years in disks bottom window Locate Characteristic in slot Cat 4 DC High 9.54 Identify color and locate Exponent 10-8 Control System is : 9.54x10-8 equal to PLe

page 45 Design with ISO 13849 110401

from BGIA

page 46 Design with ISO 13849 110401

Safety Evaluation Tool

Required Achieved
page 47 Design with ISO 13849 110401

PAScal Demo Version 1.5.2

page 48 Design with ISO 13849 110401

Example of the spectrum within a given category

40

P.E. Switched Output PLC

PLC Q1

The dedicated PLC monitors the function of the three photoelectric sensors and the follower relay K1 Since the PLC is not a Serial device in the system, i.e. its failure does not result in the loss of the safety function, its MTTFd is not included in the safety channel calculation MTTFd of the PLC is 50 years and is >2x the MTTFd of the system being monitored, it meets the minimum requirement for a test component for this system The Type 2 Safety Light Curtain is certified by a Third Party Test Laboratory to meet the required standards and is certified as a PLd safety component. The Safety Interface module is a certified PLe safety component The solenoid valve is a Well Tried component with a MTTFd of 100 years at this operation rate

Safety Light Curtain Type 2

SIM Cat 4

See following page for estimated PLr

page 49 Design with ISO 13849 110401

System Performance Level Comparison of Three P.E. and PLC vs. Type 2 SLC and SIM
3 P.E. with PLC monitor.

Cat 2 DCavg Low

Type 2 SLC with SIM.

Cat 2 DCavg Med

At the end of 20 years of use, the P.E. and PLC has a 44% chance of failure to danger, while the Type 2 SLC with SIM has a 6.6% failure rate Note: Some of the data is estimated and is intended only as an example of the impact of multiple series components and DC coverage in a Cat 2 configuration.
page 50 Design with ISO 13849 110401

Appendix A
References
BGIA Report 2/2008e ISO 13849-1-2006 BGIA Report 6/2004 Untersuchung des Alterungsprozesses von hydraulischen Vegeventilen (Study of the ageing process of hydraulic valves)

Links to Calculation Programs

BGIA FIA Performance Level Calculator (Disc Calculator
http://www.dguv.de/ifa/en/pra/drehscheibe/index.jsp

BGIA FIA SISTEMA Safety Integrity Software Tool for the Evaluation of Machine Applications
http://www.dguv.de/ifa/en/pra/softwa/sistema/index.jsp

Siemens Safety Evaluation Tool

https://eb.automation.siemens.com/registration/login.aspx?ret=https %3a%2f%2feb.automation.siemens.com%2fspice%2fsid%2fmain% 2fsid.jsf

Pilz Demo copy of PAScal

http://www.pilz.com/login.jsp?restricted=true
page 51 Design with ISO 13849 110401