A joint ISO/IEC technical committee is currently working towards a unified machinery safety standard to replace ISO 13849-1 and IEC 62061. Meanwhile, the VDMA in Germany has proposed a file structure for component safety data that could help in merging the two existing standards.
At some point in the future the functional safety standards EN ISO 13849 (with its Performance Levels, PL) and IEC 62061 (with its Safety Integrity Levels, SIL) will merge; a joint technical committee ISO/TC 199 - IEC/TC 44 is working towards this.
At the same time the German Engineering Federation, the VDMA (Verband Deutscher Maschinen und Anlagenbau), has produced a draft document, Functional Safety - Universal Database for safety-related values of components or parts of control system, though it is only in German at time of writing. This document could help the merger of the two standards and also provides clarity on the safety-related data available to designers of safety functions on machines. The VDMA's proposal is to create a common file structure that can be read by all of the functional safety performance calculation tools (such as IFA Sistema or Pilz PAScal - see below).
Safety functions are engineered systems made up of subsystems, and quantifying either the Performance Level or the Safety Integrity Level of the whole system requires analysis at the subsystem level. The rationale is that any safety function is akin to a 'safety chain' made up of links, or subsystems; like a chain that is only as strong as its weakest link, the entire safety function is lost if just one subsystem fails. When assessing the probability of a hardware failure and its potential impact on a safety function, it therefore makes sense to focus attention at the subsystem level. Another term used for subsystem is 'safety-related part of the control system' (SRP/CS).
Even before the merger of the two standards, it is clear that most engineers tend to favour EN ISO 13849-1 (BS EN ISO 13849-1 in the UK). According to this standard, for a safety function to be evaluated each subsystem must be defined in terms of its Category (or structure, either single- or dual-channel), Diagnostic Coverage (DC, expressed as the percentage of dangerous failures that are detected out of all dangerous failures), the mean time to dangerous failure of the components within the subsystem (MTTFd), and the steps taken against common cause failure (CCF). Once defined, these parameters are used to determine the subsystem's performance level (PL) and average probability of dangerous failure per hour (PFHD) from Table K1 at the back of EN ISO 13849-1.
For example, a subsystem meeting Category 4, with 99 per cent diagnostic coverage, an MTTFd of 100 years and a CCF score of 65 has a PL e and a PFHD of 2.47 x 10^-8. This is the highest PL and lowest PFHD that users of EN ISO 13849-1 can evaluate in Table K1; lower PFHD values in the order of 10^-9 only come from pre-certified components such as safety relays that have been evaluated by the vendor.
When it comes to a whole safety function, the highest achievable PL is limited by the lowest PL of all constituent subsystems (the 'weakest link' principle), and the PFHD of the safety function is determined by the addition of the PFHD of all subsystems.
The VDMA file structure
In terms of data available to fulfil the above steps, the VDMA proposes that there will be three key device types. There follows an explanation of the VDMA file structure when applied to the current standard EN ISO 13849-1.
Type 1 devices are fully certified safety devices that can be viewed as complete subsystems in their own right. Failure rates are independent of operational frequency, and the vendor states the internal PL, SILCL, PFHD, Category, and test interval T1. The vendor has developed the device in accordance with safety standards (eg IEC 61508, EN 61496, EN 61800-5-2) and had it certified by an independent Notified Body, so that the device can be incorporated into a safety function with the least effort on the user's part (as per Fig 1 below). Such devices include safety light curtains, RFID coded switches, safety relays, safety PLCs, and drives with safety functions such as safe torque off (STO).
Type 2 devices are not necessarily certified like Type 1 devices, but this does not preclude their use in safety functions provided that the vendor's MTTFd data is available. Since MTTFd is only a part of the story, such devices require the user to do more integration work than with Type 1 devices, defining the category, diagnostic coverage, and common cause factors. Once the user has defined these parameters, the PL and a PFHD for the subsystem can be determined using Table K1 in Annex K of EN ISO 13849-1 (as per Fig 2 below). The procedure for evaluating the whole system as per Fig 1 then follows. Such devices include non-safety-related electronics (eg phase detection relays and power monitors), pressure sensors, hydraulic valves, and standard variable-speed drives.
Type 3 devices are electromechanical devices whose failure rate depends upon operational frequency, so the vendor cannot supply a PL and PFHD, or an MTTFd, because the device is subject to wear (which is application-related and not known by the vendor). Instead, the vendor supplies B10d data or, if they do not provide this, generic data is available in Table C1 of EN ISO 13849-1. As with Type 2 devices, Type 3 devices are not necessarily developed according to safety standards but can be used once the MTTFd has been calculated from the known B10d value and the user-defined average number of annual operating cycles (nop). The user must also define the selected category, diagnostic coverage and CCF. After this, the PL and a PFHD for the subsystem can be determined using Table K1 in Annex K of EN ISO 13849-1 (as per Fig 3 below). The final evaluation of the whole system in Fig 1 then follows. Type 3 devices include contactors, switches, single piloted valves, solenoid device mechanisms, and command devices.
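The arithmetic behind the Type 3 procedure and the final whole-function evaluation (the 'weakest link' rule for PL and the summation of PFHD) is shown below as an added worked example; it is not part of the VDMA document, the article or any vendor tool. It uses the EN ISO 13849-1 formulas nop = d_op x h_op x 3600 / t_cycle and MTTFd = B10d / (0.1 x nop) from Annex C, the parts-count combination 1/MTTFd = sum(1/MTTFd_i) from Annex D, and the PFHD bands per PL from Table 3. The Table K1 lookup itself is not reproduced; the subsystem PL and PFHD values, B10d figure and operating profile are constructed sample figures, and the code treats the summed PFHD as a further limit on the PL (a function whose total PFHD falls in the PL d band is reported as PL d even when every subsystem is PL e).

```python
"""
Added worked example (not from the VDMA document or the article): the
EN ISO 13849-1 arithmetic behind the Type 3 procedure and the final
safety-function evaluation. All device values below are constructed
sample figures, not vendor data.
"""
from dataclasses import dataclass
from typing import Optional

# PFHD bands per Performance Level (1/h), EN ISO 13849-1 Table 3.
# Table 3 gives 1e-8 as the floor of PL e; any lower PFHD (e.g. the
# 1e-9 figures of pre-certified devices) still satisfies PL e, so the
# band is left open below.
PL_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (0.0, 1e-7),
}
PL_ORDER = "abcde"  # a is the lowest PL, e the highest


def annual_operations(days_per_year: float, hours_per_day: float,
                      cycle_time_s: float) -> float:
    """nop: mean number of operations per year of a wearing (Type 3) device."""
    return days_per_year * hours_per_day * 3600.0 / cycle_time_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd in years from the vendor's B10d and the user's nop."""
    return b10d / (0.1 * nop)


def channel_mttfd(component_mttfds) -> float:
    """Parts-count combination of several components in one channel."""
    return 1.0 / sum(1.0 / m for m in component_mttfds)


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """PL band that a PFHD value falls into; None if it exceeds the PL a limit."""
    for pl, (lo, hi) in PL_BANDS.items():
        if lo <= pfhd < hi:
            return pl
    return None


@dataclass
class Subsystem:
    name: str
    pl: str                 # PL of the subsystem itself
    pfhd: Optional[float]   # None for a Type 4 device (limiting PL, no failure rate)


def evaluate_safety_function(subsystems):
    """Weakest-link combination of subsystems into one safety function.

    Returns (pl, pfhd_total). The PL is the lowest subsystem PL, reduced
    further if the summed PFHD lies outside that PL's band. Type 4
    devices contribute to the PL limit but not to the PFHD sum.
    """
    pfhd_total = sum(s.pfhd for s in subsystems if s.pfhd is not None)
    lowest_pl = min((s.pl for s in subsystems), key=PL_ORDER.index)
    band_pl = pl_from_pfhd(pfhd_total)
    if band_pl is None:
        return None, pfhd_total
    return min(lowest_pl, band_pl, key=PL_ORDER.index), pfhd_total


# Constructed Type 3 sample: a contactor with B10d = 2,000,000 operations,
# run 365 days x 16 h with one cycle per minute.
SAMPLE_NOP = annual_operations(365, 16, 60)                      # 350400 cycles/year
SAMPLE_CONTACTOR_MTTFD = mttfd_from_b10d(2_000_000, SAMPLE_NOP)  # about 57 years

# Constructed sample safety function: two Type 1 devices, one Type 3
# subsystem the user has evaluated to PL d, and one Type 4 limiting device.
SAMPLE_FUNCTION = [
    Subsystem("light curtain (Type 1)", "e", 2.47e-8),
    Subsystem("safety PLC (Type 1)", "e", 2.47e-8),
    Subsystem("contactor pair (Type 3, user-evaluated)", "d", 5.0e-7),
    Subsystem("PL-limiting device (Type 4)", "d", None),
]

if __name__ == "__main__":
    print(f"nop = {SAMPLE_NOP:.0f}, contactor MTTFd = {SAMPLE_CONTACTOR_MTTFD:.1f} years")
    pl, pfhd = evaluate_safety_function(SAMPLE_FUNCTION)
    print(f"safety function: PL {pl}, PFHD = {pfhd:.3e} 1/h")
```

Running the module prints the sample nop and MTTFd and then the combined PL and PFHD of the sample function; the band check is what makes five PL e subsystems at 2.47 x 10^-8 each add up to a PL d function, since their total of 1.235 x 10^-7 exceeds the PL e limit of 10^-7.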
The devices of Types 1, 2 and 3 are described also by VDMA for EN 62061, with some common and some slightly different parameters, but exactly the same increasing level of user integration work required when moving from Type 1 to Type 2 and Type 3.
There is also a Type 4, covering devices for which there is a limiting PL but no PFHD. This implies that the device acts as a subsystem (like Type 1) and can limit the PL of the safety function (perhaps to PL d, for internal Category or Diagnostic Coverage reasons), but that no dangerous failure rate is stated for it.
No matter which type of device is selected, which standard is applied, or which safety calculation software is used, the structure of safety-related data proposed by VDMA makes it clear where the responsibility for defining specific parameters lies in the design of machine safety functions; it lies on a sliding scale between the component vendors and those using the components. Opting to use Type 1 devices simplifies matters considerably for the user, whereas increasing levels of work are involved when using Type 2 and Type 3 devices. The author believes this provides the clearest perspective possible, and is a significant step towards one unified machine-specific functional safety standard for the future.
For further information, please email , telephone +44 (0)1536 460766 or visit www.pilz.co.uk/services.