6 Introduction to Safety
The approach taken by the new standards is probabilistic and, briefly, their formulation extends the deterministic concepts introduced by EN 954-1 with new statistical variables indicated by terms such as PL, MTTFd, SIL and others that, a little at a time, we have to get used to.
Nowadays (2007) the course set out by the new standards presents obstacles because they are based on assumptions that are not yet realised in the electromechanical sector. For example, these standards require manufacturers to have statistical data available, but without defining methodologies for the calculation of these values, and so they create an uncertain situation in which every manufacturer could manage the situation in his own way. As these statistical data indicate the quality of products with a quantitative value, it is plain that, without any clear and common definition, we could have more or less flexible interpretations from manufacturers, with the risk of a lot of confusion that is not desirable in the safety sector.
Furthermore, the new standards are not very easy to deal with, and a possible overlap between EN 13849 and EN 62061 complicates the situation further.
But the path has been outlined and we hope that in future all problems will be solved with the common aim of improving the safety of machines.
(1)
EN 954-1:1996. Machinery safety – Safety-related parts of control systems. Part 1: General design guidelines.
In the text, this standard will be indicated as EN 954-1, if not otherwise specified.
EN 61508-1:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 1: General requirements.
EN 61508-2:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.
EN 61508-3:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 3: Software requirements.
EN 61508-4:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 4: Definitions and abbreviations.
EN 61508-5:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 5: Examples of methods for the determination of safety integrity levels.
EN 61508-6:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3.
EN 61508-7:2001. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 7: Overview of techniques and measures.
In the text, these standards will be indicated as EN 61508, if not otherwise specified.
EN 62061:2005. Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems.
In the text, this standard will be indicated as EN 62061, if not otherwise specified.
EN 13849-1:2006. Safety of machinery – Safety-related parts of control systems. Part 1: General design guidelines. (Note: ISO 13849-1:1999 is identical to EN 954-1:1996.)
EN 13849-2:2003. Safety of machinery – Safety-related parts of control systems. Part 2: Validation.
In the text, these standards will be indicated as EN 13849, if not otherwise specified.
The standard EN 61508 was initially issued to define the safety of electronic devices, particularly complex programmable electronic devices, so covering the "gap" left by EN 954-1. But during its development at the IEC this standard gradually widened its field of application, becoming a very complex standard (an 800-page volume, divided into 7 parts) suitable for different fields (process industry, industrial machinery, nuclear plants), so that it has achieved the status of a type A standard.
Theoretically EN 62061, derived from EN 61508 for industrial machinery, should have covered only complex or programmable electronics, but owing to the widened approach of its ancestor it has finally included all electrical, electronic and programmable electronic circuits. The approach of these two standards is fundamentally probabilistic, and they introduce new statistical variables that require a deep (also mathematical) analysis of the machinery, an analysis that could require much time and is not simple to apply.
In the meantime the revision of EN 954-1 was at the development stage, carried out by CEN under the aegis of ISO, with the draft standard that has since become EN 13849. The cross-references between the two standards mean that the committees talked to each other, but in the end they preferred to create an overlap of application fields, so that the final version of EN 13849 also covers electronic and programmable electronic systems, even if only for some predefined structures and not for the maximum safety levels. The field of application is clearly stated in EN 13849-1 (see table 1) and, as can be seen, for a wide range of product types both standards could be applied.
The choice of which standard to use is up to the manufacturer and to the market, even if we believe that EN 13849, with its intermediate approach and its reuse of the EN 954-1 concepts (supplemented with some others introduced by EN 61508), is an easier standard to understand for small and medium machinery manufacturers.
5.1 - Procedure for the choice and the design of safety measures
The following 5 steps are quoted from standard EN 954-1 par. 4.3 for the correct choice and design of safety measures.
Step 1: Hazard analysis and risk assessment on the machine.
Step 2: Arrangement of measures for risk reduction by means of control devices.
Step 3: Specification of the safety requirements in terms of:
- selection of the safety category,
- realisation of the safety functions.
Step 4: Design and verification of the safety-related parts of the control system.
Step 5: Validation of the functions and of the categories achieved by comparing them with what was defined in step 3.
[Figure: risk graph in accordance with standard EN 954-1, annex B, for the selection of safety categories B, 1, 2, 3, 4. Starting point on the left; parameters S1/S2 (severity of injury), F1/F2 (frequency and/or exposure time), P1/P2 (possibility of avoiding the hazard); the resulting branches are numbered I to V.]
Legend:
It is possible to use categories different from the preferential ones (big circle), but the foreseen behaviour of the system in case of faults must be taken into consideration; also, the reasons for the deviation must be indicated by the machine manufacturer. When categories indicated by a small circle are chosen, additional measures can be required, for example:
- over-sizing or use of techniques for fault elimination;
- use of dynamic monitoring.
5.3 - Table of requirements for each category according to standard EN 954-1 par. 6.2
Category 1: the requirements of category B apply; well-tested components and safety principles must be used. An occurring fault may cause the loss of the safety function, but the probability of its occurrence is lower than in category B.
6.0 - Risk analysis and assessment through EN 13849 and ISO 14121
Also in the case of EN 13849 and ISO 14121 (mentioned in EN 13849 but still today not in force), the process of risk analysis, assessment and reduction is iterative and structurally similar to that of the pair of standards EN 954-1 and EN 1050.
The following figure shows the iterative evaluation process as stated in EN 13849-1.
[Figure: iterative process of risk assessment and reduction according to EN 13849-1]
START → Risk evaluation (see 5.3a) → Has the risk been adequately reduced?
- Yes → Are other hazards generated? If no: END; if yes: back to the risk evaluation.
- No → Risk reduction process for the hazard: 1) by intrinsic design, 2) by safeguards, 3) by information for use (see ISO 12100-1:2003, Figure 4).
Verification of safety-related control systems according to ISO 13849-1:
- Identify the safety functions to be performed by the SRP/CSs.
- For each safety function, specify the required characteristics (see Clause 5b).
- Verification of PL for the safety function: is PL ≥ PLr? (see 4.7b). If no, repeat the design.
- Validation (see Clause 8bc): are all requirements met? If no, repeat.
- Have all safety functions been analysed? If no, go to the next safety function; if yes, return to the question "Has the risk been adequately reduced?".
Note: this figure has been obtained by the combination of figures 1 and 3 of EN 13849-1:2006.
Risk graph for determining the required PLr for a safety function (taken from EN 13849-1, figure A.1)
PLs are classified in 5 levels, from PLa to PLe with increasing risk, and each of them identifies a numerical range of average probability of dangerous failure per hour. For example, PLd indicates that the average probability of a dangerous failure per hour lies between 1 × 10^-6 and 1 × 10^-7, that is about 1 dangerous failure every 100-1000 years.
PL | Average probability of a dangerous failure per hour (1/h)
a  | ≥ 10^-5 and < 10^-4
b  | ≥ 3 × 10^-6 and < 10^-5
There is no direct correlation between PL and the safety categories of EN 954-1.
EN 13849 reuses the concept of safety categories as an aggregation of system topology (single channel, redundant, etc., using the term "Designated Architectures") and of the system's resistance to failure, supplementing them with the calculation of further new numerical parameters such as:
DC (Diagnostic Coverage)
This parameter tries to indicate how far the system is able to "self-check" its own possible failures. According to the percentage of dangerous failures detectable by the system, thanks to its structure, the diagnostic coverage will differ. Also in this case the parameter DC is divided into classes: high, medium, low and none. No diagnostic coverage (none) is admitted only for systems of category B or 1.
Through these three parameters (Category, MTTFd and DC) the standard supplies a table (see the figure, or annex K of EN 13849-1) that allows one to see which PL level can be achieved.
[Figure: relationship between categories, DCavg, MTTFd of each channel and PL (taken from EN 13849-1, figure 5). Vertical axis: PL performance level. Legend: 1 = MTTFd of each channel low; 2 = MTTFd of each channel medium; 3 = MTTFd of each channel high.]
The manufacturer who wants to verify machine safety has to follow the iterative approach provided by the standards. In particular, after the first stage of risk assessment (according to EN 1050 or ISO 14121), if the protection is supplied by a control system, an iterative stage follows to verify that the system itself is able to supply the required level of protection.
This second phase starts by determining the required performance level PLr needed to supply the necessary degree of protection according to the risks found. During this phase the risk graph seen above is used.
Then a protection system is assumed, identifying its safety category (according to the architecture and failure resistance), calculating the MTTFd and verifying DC and CCF as well. With these values it is possible to calculate the PL of the system and, if this turns out to be higher than or equal to PLr, the system is considered suitable. At this point a validation stage of the system (according to EN 13849-2) follows and, if this verification is also positive, the risk at issue can be considered sufficiently limited.
There are also two important differences introduced by the new standards concerning risk analysis and assessment as regards what has been done so far:
1) The risk of a slight accident (no permanent injury) no longer necessarily leads to a low safety level (category B or 1) as in EN 954-1. Now a frequent and difficult-to-avoid risk of slight accident is considered equal to an infrequent and avoidable risk of permanent injury (level PLr = c).
[Figure: EN 954-1 risk graph (safety categories B, 1, 2, 3, 4; parameters S1/S2, F1/F2, P1/P2; branches I to V) with the starting points of the two risk paths described in point 1 marked "Start".]
2) Whereas in EN 954-1 a system of a given category had to have a specific structure, in the new standard many paths are possible to obtain an intermediate performance level. For instance, to obtain a system with PL equal to level "c" all the following solutions are correct:
1. A category 3 system with less reliable components (MTTFd = low) and medium DC.
2. A category 3 system with reliable components (MTTFd = medium) and low DC.
3. A category 2 system with reliable components (MTTFd = medium) and medium DC.
4. A category 2 system with highly reliable components (MTTFd = high) and low DC.
5. A category 1 system with highly reliable components (MTTFd = high).
Simplified procedure for evaluating the PL achieved by an SRP/CS (derived from EN 13849-1, figure 7)
Category: B | 1 | 2 | 2 | 3 | 3 | 4
DCavg: none | none | low | medium | low | medium | high
[Figure: for each column, the PL achieved with MTTFd of each channel low, medium or high.]
The machine manufacturer has to consider which combination is best for his machine in terms of the performance/price ratio.
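As an added worked example (not code from the catalogue or from the standard), the simplified lookup of EN 13849-1 behind figure 7 coded as a function, followed by the PL ≥ PLr check that closes the verification loop described above. The MTTFd (years) and DC (%) band limits used here are taken from the standard's own tables rather than from this page, and the five PL "c" solutions listed in point 2 are used to check the table.

```python
# Added example: simplified PL lookup of EN 13849-1 (its Table 7, drawn as
# figure 7 in the text) plus the "achieved PL >= required PLr" check.
# Band limits for MTTFd and DC are taken from the standard's tables, not
# from this page; sample values below are constructed.

PL_ORDER = "abcde"  # PLa (lowest) ... PLe (highest)

# Rows: MTTFd band of each channel. Columns: (category, DCavg).
# None marks combinations the simplified procedure does not cover.
_PL_TABLE = {
    "low":    {("B", "none"): "a", ("1", "none"): None, ("2", "low"): "a",
               ("2", "medium"): "b", ("3", "low"): "b", ("3", "medium"): "c",
               ("4", "high"): None},
    "medium": {("B", "none"): "b", ("1", "none"): None, ("2", "low"): "b",
               ("2", "medium"): "c", ("3", "low"): "c", ("3", "medium"): "d",
               ("4", "high"): None},
    "high":   {("B", "none"): None, ("1", "none"): "c", ("2", "low"): "c",
               ("2", "medium"): "d", ("3", "low"): "d", ("3", "medium"): "d",
               ("4", "high"): "e"},
}

def mttfd_band(years):
    """MTTFd of each channel: low 3-10 y, medium 10-30 y, high 30-100 y."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is outside the standard")
    years = min(years, 100.0)  # the standard caps MTTFd at 100 years
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(percent):
    """DCavg: none < 60 %, low 60-90 %, medium 90-99 %, high >= 99 %."""
    return ("none" if percent < 60 else "low" if percent < 90
            else "medium" if percent < 99 else "high")

def achieved_pl(category, mttfd_years, dc_percent):
    """PL reached by a designated architecture; ValueError if not covered."""
    key = (str(category), dc_band(dc_percent))
    pl = _PL_TABLE[mttfd_band(mttfd_years)].get(key)
    if pl is None:
        raise ValueError(f"category {key[0]} with DCavg {key[1]} and MTTFd "
                         f"{mttfd_band(mttfd_years)} is not covered")
    return pl

def meets_plr(category, mttfd_years, dc_percent, plr):
    """Verification step of the loop: the achieved PL must be >= PLr."""
    achieved = achieved_pl(category, mttfd_years, dc_percent)
    return PL_ORDER.index(achieved) >= PL_ORDER.index(plr)

if __name__ == "__main__":
    # The five paths to PL "c" from point 2, with constructed sample values.
    for cat, years, dc in [(3, 5, 95), (3, 20, 75), (2, 20, 95), (2, 50, 75), (1, 50, 0)]:
        print(cat, years, dc, achieved_pl(cat, years, dc), meets_plr(cat, years, dc, "c"))
```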
Safety category | Wiring diagram | Circuit structure
[Category B-1: emergency stop push buttons E-stop1, E-stop2, E-stop3 (FD 1878) with Stop and Start buttons, contactor KM1 and motor M; supply L/+ and N/-.]
[Category 2: emergency stop devices E-stop1, E-stop2, E-stop3 (FD 1878, CC 01AAB00AB) connected to safety module CS AR-40.... (terminals A1, A2, S33, S34, 13, 14), Stop and Start buttons, contactor KM1 and motor M; supply L/+ and N/-.]
If an external contactor (KM1) is used to increase the load capacity of the contacts, this contactor should have forced guided contacts.
Emergency stop push button and rope safety switches for emergency stop installation.
Safety category | Wiring diagram | Circuit structure
[Category 3: emergency stop devices E-stop1, E-stop2, E-stop3 (FD 978) connected to safety module CS AR-20.... (terminals A1, A2, S33, S34, 13, 14, 23, 24), Start button, contactors KM1 and KM2 and motor M; supply L/+ and N/-.]
If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.
[Category 4: emergency stop devices E-stop1 ... E-stopn (FD 978, CC 01AAB00AC) connected to safety module CS AR-01.... (terminals A1, A2, S11, S12, S21, S22, S31, S33, S34, S35, 13, 14, 23, 24), Start button, contactors KM1 and KM2 and motor M; supply L/+ and N/-.]
If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.
Attention: the examples mentioned above are purely descriptive and give only an indication about how to set up a safety circuit according to the categories foreseen by standard EN 954-1.
It is the manufacturer's responsibility to check that the correct circuits are applied on each specific machine.
Safety category | Wiring diagram | Circuit structure
[Category B-1: guard switches SS1, SS2, SS3 (FX 693) with Stop and Start buttons, contactor KM1 and motor M; supply L/+ and N/-.]
[Category 2: guard switches SS1, SS2, SS3 (FX 693) connected to safety module CS AR-40.... (terminals A1, A2, S33, S34, 13, 14), Stop and Start buttons, contactor KM1 and motor M; supply L/+ and N/-.]
If an external contactor (KM1) is used to increase the load capacity of the contacts, this contactor should have forced guided contacts.
Safety category | Wiring diagram | Circuit structure
[Category 3: guard switches SS1, SS2, SS3 (FX 993) connected to safety module CS AR-20.... (terminals A1, 13, 23), Stop button, contactors KM1 and KM2 and motor M; supply L/+ and N/-.]
If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.
Attention: the use of only one switch for each guard requires that the mechanical breakage of that switch can be excluded in the risk analysis.
[Category 4: guard switches SS1 ... SSn, paired per guard (FR 1896 and FR 693), connected to safety module CS AR-01.... (terminals A1, A2, S11, S12, S21, S22, S31, S33, S34, S35, 13, 14, 23, 24), Start button, contactors KM1 and KM2 and motor M; supply L/+ and N/-.]
If external contactors (KM1-KM2) are used to increase the load capacity of the contacts, these contactors should have forced guided contacts.
Attention: the examples mentioned above are purely descriptive and give only an indication about how to set up a safety circuit according to the categories foreseen by standard EN 954-1.
It is the manufacturer's responsibility to check that the correct circuits are applied on each specific machine.
[Figure: switch actuated in the positive manner compared with a switch actuated in the negative manner; in both panels the dangerous failures are those in which the machine keeps working.]
The positive manner avoids, with preventive maintenance, the dangerous failures indicated above. In the negative manner, on the contrary, failures occur inside the switch and are therefore difficult to detect.
With the positive manner, internal failures (welded contacts or broken springs) still allow the opening of the contacts and therefore the stopping of the machine.
If there are two or more switches, it is suggested that they operate in opposite manners, for example:
- one with a normally closed contact (opening contact) actuated by the guard in the positive manner;
- the other with a normally open contact (closing contact) actuated by the guard in the non-positive manner.
This is common practice; however, it does not exclude, if justified, the use of two switches both actuated in the positive manner (see Diversification).
Diversification
Safety in a redundant system is increased by diversification. It is obtained by applying two limit switches of different design and/or technology, in order to avoid failures arising from the same cause. Some examples of diversification are: the use of a switch working in the positive manner together with one working in the non-positive manner; a switch with mechanical actuation and one with non-mechanical actuation (e.g. an electronic sensor); two switches with mechanical actuators both working in the positive manner but with different actuation principles (e.g. one actuator-operated FR 693 switch and one hinge-operated FR 1896 switch).
Redundancy
Redundancy is the use of more than one device or system in order to guarantee that, in case of failure of the function in one of them, another one is available to perform the safety functions. If the first failure is not detected, a possible second failure may cause the loss of the safety functions.
Self-monitoring
Self-monitoring consists in the automatic checking of the correct functioning of every device involved in the machine working cycle. Consequently, the next working cycle can be either accepted or rejected.