
Safety@Festo

Evaluation and assessment of safety measures
in accordance with EN ISO 13849-1 / IEC 61508 / IEC 61511 / IEC 62061

Risk assessment -> 10 safety functions

Risk assessment: risk analysis, risk evaluation, risk reduction.
Risk reduction by design measures, technical measures and user information.

Chain of a safety function: trigger event -> Input -> Logic -> Output -> Drive.

Trigger event: what triggers the safety measure?
  For example: approaching a hazardous area, opening a safety door.
Input: device that recognises the trigger situation.
  For example: light curtain, safety door, pressure mat, emergency stop, two-hand control, laser scanner, camera.
Logic: device that safely processes the signal.
  For example: hard-wiring, safety relay, safety PLC, pneumatic, failure control system.
Output: device that controls the dangerous movement.
  For example: pneumatic, electrical, hydraulic (energy).
Drive: safety functions at the drive.
  Pressurising; maintaining pressure; reducing pressure and force; exhausting; tamper-proof prevention of unexpected starting-up; reducing speed; free of forces; reversing a movement; stopping, holding and blocking a movement.

www.festo.com

6 steps for evaluating whether safety measures are sufficient

EN ISO 13849-1: applicable to safety-related parts of control systems and for all types of machines, regardless of the technology and power used: electric, pneumatic, hydraulic, mechanic.
IEC 61508: functional safety of electrical/electronic/programmable electronic safety-related systems.
IEC 61511: functional safety of safety instrumented systems for the process industry sector.
IEC 62061: safety of machinery, functional safety of safety-related electrical, electronic and programmable electronic control systems.

1  Risk assessment (evaluation of the application)

Determining the required Performance Level (PLr), risk graph of DIN EN ISO 13849-1 (source given on the poster: Appendix 1.2.3):
  S  Severity of injury
     S1 Slight (normally reversible injury)
     S2 Serious (normally irreversible injury, or death)
  F  Frequency and/or exposure to hazard
     F1 Seldom to less often and/or exposure time is short
     F2 Frequent to continuous and/or exposure time is long
  P  Possibility of avoiding the hazard
     P1 Possible under specific conditions
     P2 Scarcely possible
  Branches of the graph, from low risk (PLr a) to high risk (PLr e):
     S1 F1 P1 -> a
     S1 F1 P2 -> b
     S1 F2 P1 -> b
     S1 F2 P2 -> c
     S2 F1 P1 -> c
     S2 F1 P2 -> d
     S2 F2 P1 -> d
     S2 F2 P2 -> e

Determining the required Safety Integrity Level (SILr), risk graph with the parameters S, F, P and W:
  S  Consequence
     S1 Minor injuries to a person
     S2 Severe injury to multiple persons up to death of a person
     S3 Multiple deaths
     S4 Catastrophic effects with many deaths
  F  Frequency
     F1 Seldom to reasonably frequent
     F2 Frequent to continuous
  P  Possibility of avoidance
     P1 Possible under certain conditions
     P2 Scarcely possible
  W  Probability of occurrence
     W1 Relatively high
     W2 Low
     W3 Very low
  Result rows of the graph (columns W1 / W2 / W3; cells left blank on the poster are shown as "-"):
     S1                        SIL1 / -    / -
     S2, F1, P1                SIL1 / SIL1 / -
     S2, F1 P2 or F2 P1        SIL2 / SIL1 / SIL1
     S2, F2, P2                SIL3 / SIL2 / SIL1
     S3, more favourable branch   SIL3 / SIL3 / SIL2
     S3, less favourable branch   SIL4 / SIL3 / SIL3
     S4                        SIL4 / SIL4 / SIL3

SIL (Safety Integrity Level): four discrete steps (SIL1 to SIL4). The higher the SIL of a safety-related system, the lower the probability of the system not being able to execute the necessary safety functions.

2  Designated architectures (evaluation of safety measures)

Specifications of categories (EN ISO 13849-1):
  Category B / Category 1: one channel; input signal -> Input -> Logic -> Output -> output signal.
  Category 2: one channel as above, plus a test unit (fed by a test signal) with its own output (test criterion or display); the logic is monitored.
  Category 3: two channels, each input signal -> Input -> Logic -> Output -> output signal, with monitoring between the two channels.
  Category 4: two channels as in Category 3, with monitoring of the trigger signal and of the outputs, plus a second shut-down path.

HFT: defining the Hardware Failure Tolerance (IEC 61508)
  HFT (Hardware Failure Tolerance): ability of a required function to still perform in case of failures and deviations.
  HFT 0, 1oo1 (one out of one): a single failure can lead to a loss of safety.
  HFT 1, example 1oo2 (one out of two): at least 2 failures must occur simultaneously to cause a loss of safety.
  HFT 2, example 1oo3 (one out of three): at least 3 failures must occur simultaneously to cause a loss of safety.

3  CCF (Common Cause Failure), DC (Diagnostic Coverage) and SFF (Safe Failure Fraction)

System structure: what failures could occur? Category, MTTFd, DC, CCF -> checking the achieved PL.

Measures against CCF and their points (EN ISO 13849-1):
  Separation/segregation   15
  Diversity                20
  Design/application       20
  Assessment/analysis       5
  Competence/training       5
  Environmental            35
  Required: at least 65 points

DC: determining the diagnostic coverage, per component from the FME(D)A:
  Start -> component FME(D)A -> what failures could occur? -> are the failures dangerous?
  -> can the dangerous failures be detected? (y: DC1, DC2, ..., DCn; n: no credit) -> End: entire system DC

  Types of failure of a component:
    safe:       detected (λSD)   undetected (λSU)
    dangerous:  detected (λDD)   undetected (λDU)

  DC_i = (detected dangerous failures) / (total dangerous failures) = λDD / λD

  DCavg = (DC1/MTTFd1 + DC2/MTTFd2 + ... + DCn/MTTFdn) / (1/MTTFd1 + 1/MTTFd2 + ... + 1/MTTFdn)

SFF: defining the safe failure fraction (IEC 61508), the same formula in high demand mode and low demand mode:
  SFF = (λDD + λS) / (λD + λS) = (λSD + λSU + λDD) / λtotal
  DC  = λDD / λD
  for λS = 0: SFF = DC
  for λD = 0: SFF = 1

Failure rates λ:
  λS:  safe failures         λSD: safe, detected        λSU: safe, undetected
  λD:  dangerous failures    λDD: dangerous, detected   λDU: dangerous, undetected

FME(D)A (Failure Modes, Effects and Diagnostics Analysis): method of analysis for the quantitative determination of types of failure and failure rates.
SFF (Safe Failure Fraction): proportion of all safe and detected failures based on the total amount of failures.

4  MTTFd and PFH/PFD

MTTFd: definition of the Mean Time To Failure (dangerous), EN ISO 13849-1 route:
  Input (input signal) -> Logic (control signal) -> Output (control signal) -> Drive
  Characteristic service life values B10d of the individual components (from the data sheets) + application data -> MTTFd of each component.

  Formula for determining the MTTFd value of a mechanical element in a channel:
    MTTFd = B10d / (0.1 · nop)
    nop = (dop · hop · 3600 s/h) / tcycle      (mean number of annual actuations of the mechanical element)

  Calculation of the total MTTFd of a channel:
    1/MTTFd = Σ (i = 1..N) 1/MTTFd,i

  For two different channels (symmetrisation):
    MTTFd = 2/3 · [ MTTFdC1 + MTTFdC2 − 1 / (1/MTTFdC1 + 1/MTTFdC2) ]

  Evaluation of MTTFd (source: DIN EN ISO 13849-1, Chapter 4.5.2):
    Low      3 years  ≤ MTTFd < 10 years
    Medium   10 years ≤ MTTFd < 30 years
    High     30 years ≤ MTTFd ≤ 100 years

PFH/PFD: determination of the probability of failure, IEC 61508 route:
  MTBF = MTTF + MTTR; for MTTF >> MTTR: MTBF ≈ MTTF
  Sources for the failure rates besides the B10d values and application data: good engineering practice, test attempt, operating experience.

  High demand mode:  PFH = 1/MTTFd = Σ (i = 1..N) 1/MTTFd,i
  Low demand mode:   PFD = 1/2 · λDU · Tp,  with λDU = λD · (1 − DC)

Definitions:
  MTTFd (Mean Time to Failure, dangerous): mean time until a dangerous failure
  MTTR (Mean Time to Restoration): mean repair time
  MTBF (Mean Time between Failure): mean time between two successive failures
  Tp (Proof test interval): regular complete examination of the function
  PFH (Probability of failure per hour): probability of failure of a safety function under continuous use
  PFD (Probability of Failure on Demand): probability that a safety function will not be executed on demand at a low requirement rate
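The channel arithmetic of steps 3 and 4 written out: MTTFd from B10d and nop, the parts count of one channel, the symmetrisation of two channels, DCavg and the low/medium/high banding. This is an added example, not Festo's code; the B10d value, operating profile and the MTTFd and DC values of the other components in `example_channel` are constructed.

```python
"""Step 3/4 arithmetic of the poster, written out (added example, not Festo code)."""
from typing import Sequence, Tuple


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean number of annual actuations: nop = dop * hop * 3600 s/h / tcycle."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd (years) of a mechanical element in a channel: B10d / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def channel_mttfd(parts: Sequence[float]) -> float:
    """Parts count for one channel: 1/MTTFd = sum(1/MTTFd,i)."""
    return 1.0 / sum(1.0 / m for m in parts)


def symmetrised_mttfd(c1: float, c2: float) -> float:
    """Two different channels: MTTFd = 2/3 * [C1 + C2 - 1/(1/C1 + 1/C2)]."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def dc_avg(dcs: Sequence[float], mttfds: Sequence[float]) -> float:
    """DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i): parts that fail more often weigh more."""
    return sum(dc / m for dc, m in zip(dcs, mttfds)) / sum(1.0 / m for m in mttfds)


def mttfd_band(years: float) -> str:
    """Banding from the poster's table (DIN EN ISO 13849-1, 4.5.2); below 3 years is outside it."""
    if years < 3:
        return "below table"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"  # the table ends at 100 years; the standard caps larger values at 100


def example_channel() -> Tuple[float, str, float]:
    """Constructed channel: a valve with B10d data plus two electronic parts with MTTFd data."""
    nop = n_op(d_op=220, h_op=16, t_cycle_s=60)         # 211,200 actuations per year
    valve = mttfd_from_b10d(b10d=2_000_000, nop=nop)    # about 94.7 years
    parts = [valve, 150.0, 40.0]                        # assumed MTTFd of the other two parts
    mttfd = channel_mttfd(parts)                        # about 23.7 years -> "medium"
    dc = dc_avg([0.99, 0.90, 0.60], parts)              # assumed per-component DC values
    return mttfd, mttfd_band(mttfd), dc
```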

5  Entire system. Target: PL ≥ PLr (EN ISO 13849-1) or SIL ≥ SILr (IEC 61508)

Example layout of safety-related parts of a control system: Input -> Logic -> Output -> Drive, each sub-system built from component 1 and component 2 (two channels).
  Defined by the manufacturer, per component: B10d, MTTFd.
  To be determined by the system operator: MTTFd per channel, Cat, DC, CCF, PL of each sub-system and PL of the entire system.

PL of the entire system from the lowest PL (PLlow) and the number of sub-systems with that PL (Nlow), as printed on the poster:
  PLlow   Nlow    PL
  a       > 3     not allowed
  a       ≤ 3     a
  b       > 2     a
  b       ≤ 2     b
  c       > 3     b
  c       ≤ 3     c
  d       > 3     c
  d       ≤ 3     d
  e       > 3     d
  e       ≤ 3     e

Typical distribution of the PFH (high demand mode) and of the PFD (low demand mode) between the sub-systems of a safety function in single safety loops:
  Sensor 35 %, Logic 15 %, Actuator 50 %
  Defined by the manufacturer, per sub-system: PFH or PFD, λSD, λSU, λDD, λDU, SFF, HFT, MTBF.
  To be determined by the system operator: SILrequired (SILr), PFHtotal or PFDtotal.

6  Evaluation. Target: PL ≥ PLr or SIL ≥ SILr

Definition of PL = Performance Level (EN ISO 13849-1), with MTTFd = Mean Time To Failure (dangerous).
The PL chart of the poster evaluates the category together with the DC, the MTTFd of each channel and the CCF:
  Cat B:  DC none (DC < 60 %)
  Cat 1:  DC none (DC < 60 %)
  Cat 2:  DC low (60 % ≤ DC < 90 %) or DC medium (90 % ≤ DC < 99 %)
  Cat 3:  DC low (60 % ≤ DC < 90 %) or DC medium (90 % ≤ DC < 99 %)
  Cat 4:  DC high (DC ≥ 99 %)
  MTTFd of each channel: low (3 years ≤ MTTFd < 10 years), medium (10 years ≤ MTTFd < 30 years), high (30 years ≤ MTTFd ≤ 100 years)
  CCF: not relevant for Cat B and Cat 1; at least 65 % of the points for Cat 2, Cat 3 and Cat 4

Max. acceptable failure of the safety system, high demand mode (PFH, per hour):
  PL a:  10^-5 ≤ PFH < 10^-4
  PL b:  3·10^-6 ≤ PFH < 10^-5     (SIL1)
  PL c:  10^-6 ≤ PFH < 3·10^-6     (SIL1)
  PL d:  10^-7 ≤ PFH < 10^-6       (SIL2)
  PL e:  10^-8 ≤ PFH < 10^-7       (SIL3)
  SIL4:  10^-9 ≤ PFH < 10^-8
  The poster annotates the PFH scale with "one risk of failure every ...": 10,000 hours at 10^-4, 1,250 days next to PL b, 115.74 years at 10^-6, 1,157.41 years at 10^-7 and 11,574.1 years at 10^-8.

Max. acceptable failure of the safety system, low demand mode (PFD):
  SIL1:  10^-2 ≤ PFD < 10^-1     one risk of failure once every 10 years
  SIL2:  10^-3 ≤ PFD < 10^-2     once every 100 years
  SIL3:  10^-4 ≤ PFD < 10^-3     once every 1,000 years
  SIL4:  10^-5 ≤ PFD < 10^-4     once every 10,000 years

SIL level as a function of the Safe Failure Fraction (SFF): minimum HFT required (cells left blank on the poster are shown as "-"):
                 Device type A                               Device type B
  SFF:     < 60 %   60...90 %  90...99 %  > 99 %      < 60 %  60...90 %  90...99 %  > 99 %
  SIL1     HFT 0    -          -          -           HFT 1   HFT 0      -          -
  SIL2     HFT 1    HFT 0      -          -           HFT 2   HFT 1      HFT 0      -
  SIL3     HFT 2    HFT 1      HFT 0      HFT 0       -       HFT 2      HFT 1      HFT 0
  SIL4     -        HFT 2      HFT 1      HFT 1       -       -          HFT 2      HFT 1

Device type A: device for which the failure behaviour of all components and the failure characteristics are sufficiently determined.
Device type B: device for which the failure behaviour of at least one component and the behaviour in case of a failure are not sufficiently determined.

54707 en 2010/05
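The failure-rate side of the poster carried through in code: SFF and DC from the FME(D)A classes of step 3 (including the λS = 0 and λD = 0 cases), λDU and the PFD formula of step 4, and the PFD and PFH bands of step 6. This is an added example, not Festo's code; the failure rates in `example_sensor` are constructed values.

```python
"""Failure-rate arithmetic of steps 3, 4 and 6 (added example, not Festo code)."""
from typing import NamedTuple, Optional, Tuple


class FailureRates(NamedTuple):
    """Failure rates in 1/h, the four classes of the FME(D)A table."""
    sd: float  # safe, detected (lambda_SD)
    su: float  # safe, undetected (lambda_SU)
    dd: float  # dangerous, detected (lambda_DD)
    du: float  # dangerous, undetected (lambda_DU)

    def lambda_s(self) -> float:  # lambda_S = lambda_SD + lambda_SU
        return self.sd + self.su

    def lambda_d(self) -> float:  # lambda_D = lambda_DD + lambda_DU
        return self.dd + self.du

def diagnostic_coverage(r: FailureRates) -> float:
    """DC = lambda_DD / lambda_D; taken as 1 when there are no dangerous failures at all."""
    return 1.0 if r.lambda_d() == 0 else r.dd / r.lambda_d()

def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_DD + lambda_S) / (lambda_D + lambda_S): equals DC for lambda_S = 0, 1 for lambda_D = 0."""
    return (r.dd + r.lambda_s()) / (r.lambda_d() + r.lambda_s())

def lambda_du(lambda_d: float, dc: float) -> float:
    """Undetected dangerous failure rate: lambda_DU = lambda_D * (1 - DC)."""
    return lambda_d * (1.0 - dc)

def pfd_avg(lam_du: float, tp_hours: float) -> float:
    """Low demand mode: PFD = 1/2 * lambda_DU * Tp, with the proof test interval Tp in hours."""
    return 0.5 * lam_du * tp_hours

def sil_low_demand(pfd: float) -> Optional[int]:
    """Step 6 table: 10^-2 <= PFD < 10^-1 is SIL1, down to 10^-5 <= PFD < 10^-4 for SIL4."""
    bands = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))
    return next((sil for sil, lo, hi in bands if lo <= pfd < hi), None)

def pl_high_demand(pfh: float) -> Optional[str]:
    """Step 6 table for PFH per hour, PL e..a; note the 3*10^-6 boundary between b and c."""
    bands = (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6), ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4))
    return next((pl for pl, lo, hi in bands if lo <= pfh < hi), None)

def example_sensor() -> Tuple[float, float, float, Optional[int]]:
    """Constructed FME(D)A result for one sensor that is proof-tested once a year (Tp = 8760 h)."""
    r = FailureRates(sd=2e-7, su=1e-7, dd=4e-7, du=5e-8)
    dc = diagnostic_coverage(r)                          # 4e-7 / 4.5e-7 = 0.889
    pfd = pfd_avg(lambda_du(r.lambda_d(), dc), 8760.0)   # lambda_DU comes back as 5e-8, PFD = 2.19e-4
    return safe_failure_fraction(r), dc, pfd, sil_low_demand(pfd)  # SFF 0.933, SIL3
```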
