International Safety Standards: Designing the Future
Wayne Pearse, Safety Consultant, FSExpert (TÜV Rheinland, Machinery)
Rev 5058-CO900D. Copyright 2013 Rockwell Automation, Inc. All Rights Reserved.
Agenda
1. Machine Safety / Functional Safety
2. International & Australian Standards
3. ISO 13849
4. IEC AS 62061
5. Q&A
Part 1: Machine Safety / Functional Safety
Evolution of Safety Systems (1960 to 2010 and beyond)
Legacy: high productivity, low safety, no assessment.
Initial safety: lower productivity, medium to high safety, hazard assessment.
Modern safety: high productivity, high safety, risk assessment.
You invest in a safety system to protect people. You invest in advanced safety technology to enhance machine performance.
What Is Functional Safety?
Functional Safety (FS) of machinery covers those parts of the machine control system that ensure the safety of personnel and machinery.
A simple interlock circuit is an example. Its safety function could be described as follows: the safety gate is opened, the SensaGuard interlock switch outputs go low, the safety relay detects this and de-energises the contactors, which stops the associated motor.
What Is Functional Safety? It is NOT just about equations, standards and schematics (ISO 13849-1, IEC 62061). It is about performance, productivity, sustainability, time to market, information, development costs, operations and maintenance costs, and compliance.
Solving the Problem: the Safety Life Cycle
1. Hazard or Risk Assessment
2. Functional Requirements
3. Design & Verification
4. Installation & Validation
5. Maintain & Improve
42% of safety control accidents are traceable to the design and specification stage; 28% are traceable to changes. System design should be based on integrating safety and machine functionality.
Modern Safety Thinking
It is a culture, a process and a design philosophy: a combination of people, systems, technologies and work habits. It is a systematic approach, not a component approach. For machine and process safety it is a lifecycle: from system concept, through risk assessment, design & verification, installation, commissioning & validation, operation and decommissioning. Safety specifications drive the safety lifecycle.
Part 2: International & Australian Standards
ISO 12100:2010
ISO 12100:2010 Safety of machinery, General principles for design, Risk assessment and risk reduction.
Note: ISO 12100:2010 combines ISO 12100-1, ISO 12100-2 and ISO 14121-1 into one document. All three standards are compiled into one document with no editorial changes other than to cross-references.
Risk determination, assessment and reduction: each risk has to be reduced to an acceptable extent. (Risk assessment.)
Australian Standards: AS 4024-1
What's Up with EN 954-1 (AS 4024-1)?
The standard provided the safety requirements and guiding principles for the design and integration of safety-related parts of control systems. The problem with EN 954-1 was that it was viewed as an oversimplification of safety concepts that were subjective and purely qualitative; it did not force designers to assess the reliability of the safety components. The superseding functional safety standard, ISO 13849-1 (EN ISO 13849-1:2008), added quantitative calculations to the qualitative requirements of EN 954-1 as a way to factor in the likelihood of failure of every component that is part of the safety system. A risk assessment is still necessary to determine the requirements of the risk reduction strategy.
Functional Safety: transition from EN 954-1 to EN ISO 13849-1
EN 954-1 designated safety-related control systems by Category (B, 1, 2, 3, 4). It remained effective until 31 December 2011, when it was withdrawn and replaced by EN ISO 13849-1, a standard for machinery safety-related control systems that is available for use now. EN ISO 13849-1 designates safety-related control systems by Performance Level (PL a, b, c, d, e).
Timeline: 1996 to 2006, EN 954-1; 2006 to 2011, transition to ISO 13849-1; from 2011, all safety systems in Europe must meet EN ISO 13849-1 or EN IEC 62061.
Risk Assessment: risk graph according to AS 4024.1 / EN 954-1 (ISO 13849-1:1999)
S, severity of injury: S1 slight (usually reversible) injury; S2 serious (usually irreversible) injury, including death.
F, frequency and/or exposure time to the hazard: F1 seldom to less often and/or short exposure time; F2 frequent to continuous and/or long exposure time.
P, possibility of avoiding the hazard: P1 possible under certain conditions; P2 almost impossible.
Outcome: choice of Category B, 1, 2, 3 or 4 for the safety-related parts of the control system.
Risk Assessment: the Foundation
[Figure: risk graph for the required performance level PLr (ISO 13849-1 Annex A). Starting from the task/hazard, branch on S (severity), then F (frequency or duration of exposure), then P (avoidance probability); the leaves give PLr a to e, from low to high contribution to risk reduction: S1-F1-P1 gives a, S1-F1-P2 gives b, S1-F2-P1 gives b, S1-F2-P2 gives c, S2-F1-P1 gives c, S2-F1-P2 gives d, S2-F2-P1 gives d, S2-F2-P2 gives e.]
The risk assessment provides the safety performance level design target, creates the foundation of the safety system (functional requirements, system design and validation protocol) and shows due diligence and compliance with global standards.
Functional Safety Standards
Application | Standard | Rating
Generic electrical control systems | IEC / EN / AS 61508 (top-level standard) | SIL (Safety Integrity Level)
Process electrical control systems | IEC / AS 61511 | SIL
Machinery electrical control systems | IEC / EN / AS 62061:2006 | SIL
Machinery control systems (all technologies) | ISO 13849-1:2008 | PL (Performance Level)
ISO 13849-1:2008 or IEC / EN / AS 62061?
Both address the functional safety of machinery control systems. They are two methods to achieve the same goal of risk reduction, and you can choose the most suitable standard for your use.
Select ISO 13849-1:2008 if the answer to either of these is YES: Can the system be designed simply using the designated architectures? Will the system include technologies other than electrical (e.g. hydraulics, pneumatics)?
Select IEC 62061:2006 if the answer to either of these is YES: Are there complex safety functions, e.g. depending on complex logic decisions? Will the system require validation to SIL (e.g. safety PLC, safety PAC)?
EN ISO 13849-1:2008 is the usual choice.
Part 3: ISO 13849
What is a Performance Level (PL)?
The Performance Level (PL a, b, c, d, e) according to ISO 13849-1 is determined by the combination of:
- hardware fault tolerance, expressed as the Category (structure) B, 1, 2, 3 or 4;
- reliability of the hardware: mean time to dangerous failure (MTTFd);
- quality of the diagnostic measures: diagnostic coverage (DC), required for Category 2 and higher;
- sufficient measures against common cause failures (CCF);
- plus measures to avoid systematic failures (quality management, QM).
System Requirements, Old vs. New: EN 954-1 / AS 4024-1 compared with ISO 13849-1. Functional safety standards bring additional requirements on top of the Category structure.
The New, Additional Requirements
MTTFd, Mean Time to Dangerous Failure (per channel): Low: 3 years ≤ MTTFd < 10 years; Medium: 10 years ≤ MTTFd < 30 years; High: 30 years ≤ MTTFd ≤ 100 years (values above 100 years are capped at 100 years).
DC, Diagnostic Coverage = ratio of detected dangerous failures to all dangerous failures: None: DC < 60%; Low: 60% ≤ DC < 90%; Medium: 90% ≤ DC < 99%; High: DC ≥ 99%.
CCF, Common Cause Failure: two or more separate faults having a common cause shall be considered as a single fault.
Designated Architecture: Category B
Basic and Well-tried Safety Principles (ISO 13849-2:2012)
Basic safety principles (selection): correct dimensioning and construction; use of suitable materials and appropriate manufacturing processes; use of NC contacts at inputs (position switches, buttons, ...) and NO contacts at outputs; sufficient protective elements for immunity against transient interference.
Well-tried safety principles (selection): use of mechanically linked contacts; limitation of energy; over-dimensioning (factor 1.5 to 2); no undefined states; separation of safety-relevant and non-safety-relevant functions; whenever possible the device should fail into the safe state.
Deterministic Fault Consideration (Safety of Machinery)
To prove fail-safety (safe behaviour of a control or device in case of a fault), the following shall be considered: which faults (failures) have to be assumed; which faults can be excluded; under which conditions/constraints those faults can be excluded; what the effects of the faults are; when a fault is revealed (time until fault detection).
Fault lists and fault models can be found in ISO 13849-2 (various technologies); for detailed information see also EN 982, EN 983 and Annex B of IEC 61496-1 (electrical/electronic components). All faults that are physically possible shall be considered as faults.
Designated Architecture: Category 1
Designated Architecture: Category 2
Designated Architecture: Category 3
Designated Architecture: Category 4
Relationship between PL and SIL
PL | Average probability of a dangerous failure per hour, PFHd [1/h] | SIL
a | 10^-5 ≤ PFHd < 10^-4 | no special safety requirements
b | 3 × 10^-6 ≤ PFHd < 10^-5 | 1
c | 10^-6 ≤ PFHd < 3 × 10^-6 | 1
d | 10^-7 ≤ PFHd < 10^-6 | 2
e | 10^-8 ≤ PFHd < 10^-7 | 3
Performance Level: Evaluate Design to Requirement (simplified)
[Figure: the simplified PL determination table of ISO 13849-1. Rows are the permitted combinations of Category and DCavg: Cat B with DCavg none, Cat 1 with DCavg none, Cat 2 with DCavg low, Cat 2 with DCavg medium, Cat 3 with DCavg low, Cat 3 with DCavg medium, Cat 4 with DCavg high. Columns are the MTTFd band of each channel: low, medium, high. Each cell gives the PL (a to e) achieved by that combination.]
Calculations for Electro-Mechanical Components
$B_{10d}$ = number of cycles until 10% of the components have failed dangerously
$d_{op}$ = number of days per year on which the machine is operational
$h_{op}$ = number of hours per day the machine is operational
$t_{cycle}$ = mean time in seconds between the beginning of two consecutive cycles of the component
To be determined:
Number of switching cycles per year: $n_{op} = \dfrac{d_{op} \cdot h_{op} \cdot 3600\,\mathrm{s/h}}{t_{cycle}}$
Operating time of the component until it fails dangerously: $T_{10d} = \dfrac{B_{10d}}{n_{op}}$
Mean time to dangerous failure: $MTTF_d = \dfrac{T_{10d}}{0.1} = \dfrac{B_{10d}}{0.1 \cdot n_{op}}$
Two Types of Failure Data
Mechanical or electromechanical components: failure depends on load and operating frequency. Data: B10d, the number of operations at which 10% of the sample has failed to danger.
Electronic components: failure depends on temperature and time. Data: MTTFd (mean time to dangerous failure) or PFHd (probability of dangerous failure per hour). For a single channel with a constant failure rate, MTTFd ≈ 1 / PFHd (years must be converted to hours).
These must be converted to one data type to complete the analysis; we convert B10d to MTTFd.
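The chain described on the preceding slides, carried through in code, as an added example (not code from the presentation or from Rockwell Automation): B10d and the operating profile give n_op and MTTFd per component, the parts-count method combines the components of one channel, and the channel MTTFd band, DCavg band and Category are read against the simplified table of ISO 13849-1 (Table 7) to obtain the achieved PL, which is then compared with the PLr from the risk graph. The contactor data (B10d, days, hours, cycle time) are constructed sample values, not manufacturer figures, and the example assumes both channels of a Cat 3/4 structure are built from the same parts so that one channel MTTFd is representative.

```python
"""ISO 13849-1 simplified PL determination for one channel of an SRP/CS.

Added example, not code from the presentation. Pipeline:
B10d -> n_op -> MTTFd per component -> channel MTTFd (parts count)
-> MTTFd band, DCavg band and Category -> PL (ISO 13849-1 Table 7)
-> compared with the required PLr from the risk graph.
Sample component data are constructed, not manufacturer figures.
Assumption: both channels use the same parts, so one channel MTTFd is
representative (otherwise apply the symmetrisation formula of Annex D).
"""

# Simplified procedure, ISO 13849-1:2006 Table 7:
# (Category, DCavg band) -> {MTTFd band of each channel: PL achieved}
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "e"},
    ("4", "high"):   {"high": "e"},
}

# PL -> [lower, upper) bound of PFHd in 1/h (ISO 13849-1 Table 3)
PL_PFHD = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
           "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}

# Constructed sample: a contactor with B10d = 1.3e6 cycles on a machine
# running 220 days/year, 16 h/day, one operation every 60 s.
SAMPLE_CONTACTOR = {"b10d": 1_300_000, "d_op": 220, "h_op": 16, "t_cycle_s": 60}


def switching_cycles_per_year(d_op, h_op, t_cycle_s):
    """n_op = d_op * h_op * 3600 / t_cycle."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d, n_op):
    """MTTFd in years = T10d / 0.1 = B10d / (0.1 * n_op)."""
    return b10d / (0.1 * n_op)


def channel_mttfd(component_mttfds):
    """Parts-count method for components in series in one channel:
    1/MTTFd_channel = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in component_mttfds)


def mttfd_band(years):
    """ISO 13849-1 Table 5: low [3, 10), medium [10, 30), high [30, 100].
    Values above 100 years are capped; below 3 years is not acceptable."""
    years = min(years, 100.0)
    if years >= 30.0:
        return "high"
    if years >= 10.0:
        return "medium"
    if years >= 3.0:
        return "low"
    return None


def dc_band(dc_percent):
    """ISO 13849-1 Table 6: none < 60, low [60, 90), medium [90, 99), high >= 99."""
    if dc_percent >= 99.0:
        return "high"
    if dc_percent >= 90.0:
        return "medium"
    if dc_percent >= 60.0:
        return "low"
    return "none"


def achieved_pl(category, dc_percent, channel_mttfd_years):
    """PL from Table 7, or None if the MTTFd band is not permitted for this row."""
    key = (str(category), dc_band(dc_percent))
    if key not in PL_TABLE:
        raise ValueError(f"Category {category} with DCavg {dc_percent}% is not a permitted combination")
    return PL_TABLE[key].get(mttfd_band(channel_mttfd_years))


def meets_plr(pl, plr):
    """PL letters are ordered a < b < c < d < e, so string order is PL order."""
    return pl is not None and pl >= plr


def assess_channel(category, dc_percent, components, plr):
    """Run the whole chain for one channel built from the given components."""
    mttfds = [mttfd_from_b10d(c["b10d"], switching_cycles_per_year(c["d_op"], c["h_op"], c["t_cycle_s"]))
              for c in components]
    m = channel_mttfd(mttfds)
    pl = achieved_pl(category, dc_percent, m)
    return {"channel_mttfd_years": round(m, 2), "mttfd_band": mttfd_band(m),
            "pl": pl, "pfhd_range": PL_PFHD.get(pl), "meets_plr": meets_plr(pl, plr)}


if __name__ == "__main__":
    # Two contactors in series per channel, Cat 3, DCavg 90 %, PLr d.
    print(assess_channel(3, 90, [SAMPLE_CONTACTOR] * 2, "d"))
    # Three contactors per channel with only DCavg 85 %: the channel MTTFd drops
    # into the medium band and the result is PL c, which fails PLr d.
    print(assess_channel(3, 85, [SAMPLE_CONTACTOR] * 3, "d"))
```

The second call shows the practical trap behind the "parts count" step: every extra component in series lowers the channel MTTFd, so adding a contactor for a second motor can move the design down one PL unless diagnostic coverage is raised to compensate.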
Common Cause Failure (CCF, beta factor)
Common cause failures (CCF) result from a single cause and affect more than one channel. Part of the failures in both channels appear as CC failures: due to one cause, a failure in one channel is followed by the same failure in the other channel, either at the same time or some time later. Common causes are: external stress such as excessive temperature or high electromagnetic interference; systematic design failures due to the high complexity of the product or missing experience with a new technology; no spatial separation between channels, use of common cables, both channels on one PCB, etc.; human errors during maintenance and repair.
Assessment of the Measures against CCF
For multi-channel structures (Cat 2, 3 and 4) measures against common cause failures (CCF) are required. From the total list of measures to reduce common cause effects in ISO 13849-1 Annex F, only the measures relevant for machinery applications are considered here. The maximum total score is 100; the achieved total score must be ≥ 65, which corresponds to a beta factor of 2%. If the score is < 65 there is not a sufficient allowance for CCF and additional measures must be implemented.
Summary (ISO 13849)
ISO 13849 deals with SRP/CS for machines regardless of the technology used (except highly complex electronics). ISO 13849-1:2006 integrates categories and probabilistic aspects (MTTFd, DC, CCF) to establish a performance level (PL). The PL expresses the ability to perform the safety function, i.e. the required risk reduction. IEC 61508 is a flexible standard usable for any type of E/E/PES; ISO 13849-1 can be considered a subset of the requirements of IEC 61508 with design restrictions (simplified methods relative to IEC 61508). The simplified methods used to show that the required PLr is met are very conservative: they always end on the safe side.
Part 4: IEC AS 62061
Functional Safety Standards: IEC 62061
Example form for SIL assignment (IEC 62061 Annex A)
Se = 3, Fr = 5, Pr = 4, Av = 3. Class of probability of harm Cl = Fr + Pr + Av = 5 + 4 + 3 = 12. Reading Se = 3 against Cl = 12 in the SIL assignment matrix gives SIL 2.
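The SIL assignment form above, implemented as an added example (not code from the presentation): the function validates the four parameters against the Annex A scales, computes Cl = Fr + Pr + Av and reads Se against Cl in the SIL assignment matrix. The matrix is transcribed from IEC 62061:2005 Table A.6 and should be checked against your copy of the standard; the PFHd targets per SIL are the same ranges as on the PL/SIL slide.

```python
"""SIL assignment for a safety-related control function per IEC 62061 Annex A.

Added example, not code from the presentation. Cl = Fr + Pr + Av is read
against Se in the SIL assignment matrix. The matrix is transcribed from
IEC 62061:2005 Table A.6 (verify against your copy of the standard); the
worked case (Se 3, Fr 5, Pr 4, Av 3) is the one on the slide.
"""

# Parameter scales of Annex A (numeric values only; see the standard for the wording)
SE_VALUES = {1, 2, 3, 4}      # 1 reversible, first aid ... 4 irreversible, death
FR_VALUES = {2, 3, 4, 5}      # 5 frequent (<= 1 h up to <= 1 day) ... 2 > 1 year
PR_VALUES = {1, 2, 3, 4, 5}   # 1 negligible ... 5 very high
AV_VALUES = {1, 3, 5}         # 1 likely, 3 possible, 5 impossible to avoid

CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))
# Se -> required SIL per Cl band; "OM" = other measures recommended, None = no requirement
SIL_MATRIX = {
    4: (2, 2, 2, 3, 3),
    3: ("OM", "OM", 1, 2, 3),
    2: (None, None, "OM", 1, 2),
    1: (None, None, None, "OM", 1),
}
# Target failure measure per SIL, PFHd in 1/h (IEC 62061 Table 3)
SIL_PFHD = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7)}


def class_of_probability(fr, pr, av):
    """Cl = Fr + Pr + Av, rejecting values outside the Annex A scales."""
    if fr not in FR_VALUES or pr not in PR_VALUES or av not in AV_VALUES:
        raise ValueError("Fr, Pr or Av outside the Annex A scales")
    return fr + pr + av


def assign_sil(se, fr, pr, av):
    """Return (Cl, SIL) where SIL is 1..3, "OM" or None."""
    if se not in SE_VALUES:
        raise ValueError("Se must be 1..4")
    cl = class_of_probability(fr, pr, av)
    col = next(i for i, (lo, hi) in enumerate(CL_BANDS) if lo <= cl <= hi)
    return cl, SIL_MATRIX[se][col]


def pfhd_target(sil):
    """[lower, upper) PFHd range the SRCF must reach for a numeric SIL, else None."""
    return SIL_PFHD.get(sil)


if __name__ == "__main__":
    cl, sil = assign_sil(3, 5, 4, 3)
    print(f"Cl = {cl}, required SIL = {sil}, PFHd must be below {pfhd_target(sil)[1]:g} /h")
```

Note that only Se 4 forces a SIL at every class; for Se 1 and 2 with a low class the matrix returns None or "OM", which is a prompt to apply other risk reduction measures rather than a licence to omit them.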
Overview: AS 62061 table of contents
Introduction; 1 Scope and object; 2 Normative references; 3 Terms, definitions and abbreviations; 4 Management of functional safety; 5 Requirements for the specification of SRCFs; 6 Design and integration of the SRECS; 7 Information for use of the SRECS; 8 Validation of the safety-related electrical control system; 9 Modification; 10 Documentation; Annexes: SIL, FSM & life cycle.
Terms, definitions and abbreviations (IEC 62061 clause 3)
E/E/PE: electrical, electronic, programmable electronic (system)
SRECS: safety-related electrical control system
SRCF: safety-related control function
CCF: common cause failure(s)
DC: diagnostic coverage
EMC: electromagnetic compatibility
FB: function block
FVL: full variability language
LVL: limited variability language
PFH_D: probability of dangerous failure per hour
MTTF: mean time to failure
MTTF_D: mean time to dangerous failure
MTTR: mean time to restoration
MTBF: mean time between failures
PTE: probability of dangerous transmission error
SFF: safe failure fraction
SIL: safety integrity level
SILCL: SIL claim limit (for subsystems)
SRS: safety requirements specification
Common Cause Failure (CCF, beta factor)
As in ISO 13849, common cause failures (CCF) result from a single cause and affect more than one channel: due to one cause, a failure in one channel is followed by the same failure in the other channel, either at the same time or some time later. Typical causes are external stress (excessive temperature, high electromagnetic interference), systematic design failures, missing spatial separation between channels (common cables, both channels on one PCB) and human errors during maintenance and repair. The beta factor describes the fraction of the failures which affect both channels as common cause failures; the criteria are given in Annex F.
Annex F: Criteria for the Determination of CCF
Functional Safety Management (FSM)
Considers quality management, quality assurance and documentation. Describes the process to guarantee quality and functional safety and the required organisational measures (development process, production, installation, operation, maintenance, etc.).
Life cycle model: over the entire lifetime (all phases in the life of a product), appropriate quality assurance measures shall ensure that the creation of systematic failures is avoided as much as possible, that systematic failures are recognised by testing/verification activities, and that all phases in the life of the product are sufficiently documented, both the product design and the records of the test/verification activities. This requires installation and application of a Functional Safety Management System (FSM).
Functional Safety Management Copyright 2013 Rockwell Automation, Inc. All Rights Reserved. Qualitative requirements (QM) over the Machine Life Cycle Concept / Scope Hazard Analysis & Risk Assessment Safety Requirement Specifications ANALYSIS Conceptional Design Detailed Design Installation, Commissioning, Validation REALISATION Operation & Maintenance Decommissioning Modifications OPERATION
Hardware Fault Tolerance (HFT)
HFT = 0: single-channel E/E/PES (1oo1).
HFT = 1: channel 1 and channel 2 (1oo2).
HFT = 2: channels 1, 2 and 3 (1oo3).
Safe Failure Fraction (SFF)
Failures are split into safe ($\lambda_S$) and dangerous ($\lambda_D$); dangerous failures are split into dangerous detected ($\lambda_{DD}$) and dangerous undetected ($\lambda_{DU}$).
$SFF = \dfrac{\lambda_S + \lambda_{DD}}{\lambda_{tot}}$, with $\lambda_{tot} = \lambda_S + \lambda_{DD} + \lambda_{DU}$
Fault Tolerance: Structural and Quantitative Requirements
Architectural constraints (the safety structure, i.e. HFT, together with the required SFF) limit the Safety Integrity Level that can be claimed: SIL 1, SIL 2 or SIL 3.
Terminology for the Description of a Safety Function
A safety function is executed by a system (SRECS). A system consists of subsystems, for example input, logic solving and output. A subsystem consists of subsystem elements.
Basic Subsystem Architectures A & B
Subsystem A (HFT = 0, no diagnosis): subsystem elements 1 to n with dangerous failure rates $\lambda_{D1}, \ldots, \lambda_{Dn}$:
$\lambda_{DssA} = \lambda_{D1} + \ldots + \lambda_{Dn}$
Subsystem B (HFT = 1, no diagnosis): two subsystem elements with dangerous failure rates $\lambda_{D1}$ and $\lambda_{D2}$ and common cause effect $\beta$:
$\lambda_{DssB} = (1-\beta)^2 \cdot \lambda_{D1} \cdot \lambda_{D2} \cdot T_1 + \beta \cdot \dfrac{\lambda_{D1} + \lambda_{D2}}{2}$
In both cases $PFH_D = \lambda_{DssX} \cdot 1\,\mathrm{h}$. $\lambda_{D1}, \lambda_{D2}$ = failure rate of dangerous failures; $T_1$ = proof test interval; $\beta$ = common cause factor.
Basic Subsystem Architectures C & D
Subsystem C (HFT = 0, diagnosis): subsystem elements 1 to n, each with diagnostic coverage $DC_1, \ldots, DC_n$ provided by the diagnostic functions:
$\lambda_{DssC} = \lambda_{D1}(1-DC_1) + \ldots + \lambda_{Dn}(1-DC_n)$
Subsystem D (HFT = 1, diagnosis with $DC_1$ and $DC_2$): two subsystem elements with common cause effect $\beta$:
$\lambda_{DssD} = (1-\beta)^2 \left[ \lambda_{D1}\lambda_{D2}(DC_1 + DC_2)\dfrac{T_2}{2} + \lambda_{D1}\lambda_{D2}(2 - DC_1 - DC_2)\dfrac{T_1}{2} \right] + \beta \dfrac{\lambda_{D1}+\lambda_{D2}}{2}$
where $T_2$ is the diagnostic test interval and $T_1$ the proof test interval; $PFH_D = \lambda_{DssX} \cdot 1\,\mathrm{h}$.
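The four architecture formulas, evaluated in code as an added example (not code from the presentation or from Rockwell Automation). The functions use the symbols of the slides: dangerous failure rates per hour, DC as a fraction, beta, T1 (proof test interval or lifetime) and T2 (diagnostic test interval) in hours. The element failure rate of 2e-6 per hour, the 20-year proof test interval and the beta of 2% are constructed sample values; the last function sums subsystem PFHd for the whole SRCF and caps the result by the lowest SILCL, as IEC 62061 requires.

```python
"""PFHd of the four basic subsystem architectures of IEC 62061 (clause 6.7.8)
and the SIL a safety-related control function built from them can claim.

Added example, not code from the presentation. Symbols follow the slides:
lambda_D in dangerous failures per hour, DC as a fraction, beta the common
cause factor, T1 the proof test interval (or lifetime) and T2 the diagnostic
test interval, both in hours. Sample rates are constructed values.
"""

HOURS_PER_YEAR = 8760.0


def lambda_d_from_mttfd(mttfd_years):
    """Constant dangerous failure rate from an MTTFd given in years."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def pfhd_arch_a(lambda_ds):
    """HFT = 0, no diagnosis: lambda_DssA is the sum of the element rates."""
    return sum(lambda_ds)


def pfhd_arch_b(ld1, ld2, beta, t1):
    """HFT = 1, no diagnosis: (1-beta)^2 * lD1 * lD2 * T1 + beta * (lD1 + lD2) / 2."""
    return (1 - beta) ** 2 * ld1 * ld2 * t1 + beta * (ld1 + ld2) / 2


def pfhd_arch_c(lambda_ds, dcs):
    """HFT = 0 with diagnosis: sum of lDi * (1 - DCi)."""
    return sum(ld * (1 - dc) for ld, dc in zip(lambda_ds, dcs))


def pfhd_arch_d(ld1, ld2, dc1, dc2, beta, t1, t2):
    """HFT = 1 with diagnosis, elements of different design (IEC 62061 6.7.8.2.5)."""
    detected = ld1 * ld2 * (dc1 + dc2) * t2 / 2          # second fault found within T2
    undetected = ld1 * ld2 * (2 - dc1 - dc2) * t1 / 2    # only found at proof test
    return (1 - beta) ** 2 * (detected + undetected) + beta * (ld1 + ld2) / 2


def sil_from_pfhd(pfhd):
    """IEC 62061 Table 3: SIL 3 below 1e-7, SIL 2 below 1e-6, SIL 1 below 1e-5 (1/h).
    Values below 1e-8 are still reported as SIL 3, the highest SIL the standard covers."""
    if pfhd < 1e-7:
        return 3
    if pfhd < 1e-6:
        return 2
    if pfhd < 1e-5:
        return 1
    return None


def srcf_sil(subsystem_pfhds, subsystem_silcls):
    """Whole-function PFHd is the sum over its subsystems; the claimable SIL is
    further limited by the lowest SIL claim limit of any subsystem."""
    total = sum(subsystem_pfhds)
    by_pfh = sil_from_pfhd(total)
    if by_pfh is None:
        return total, None
    return total, min(by_pfh, min(subsystem_silcls))


if __name__ == "__main__":
    ld = 2e-6                  # constructed: 2 dangerous failures per 1e6 h per element
    beta = 0.02                # CCF score of at least 65 points, see Annex F
    t1 = 20 * HOURS_PER_YEAR   # proof test interval or 20-year lifetime
    a = pfhd_arch_a([ld])
    b = pfhd_arch_b(ld, ld, beta, t1)
    d90 = pfhd_arch_d(ld, ld, 0.9, 0.9, beta, t1, 1.0)
    d99 = pfhd_arch_d(ld, ld, 0.99, 0.99, beta, t1, 1.0)
    for name, v in (("A", a), ("B", b), ("D, DC 90 %", d90), ("D, DC 99 %", d99)):
        print(f"{name:12s} PFHd = {v:.3e} /h  -> SIL {sil_from_pfhd(v)}")
    # Going from DC 90 % to 99 % only helps until the beta term (4e-8 here) becomes the floor.
```

Running the block shows why the CCF score on the earlier slide matters as much as redundancy: for architecture D the beta term beta * (lD1 + lD2) / 2 does not shrink with better diagnostics, so at DC 99% it is already most of the remaining PFHd.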
Summary (IEC 62061)
The standard provides a methodology and defines requirements in order to: determine the required SIL for any safety-related control function executed by an SRECS; enable the design of the SRECS in accordance with the determined SIL (which requirements have to be fulfilled by any (sub)system for hardware, software, QM and documentation); integrate safety-related subsystems that have been designed in accordance with EN ISO 13849 (which devices can be combined in order to meet the requirements); and validate the SRECS.
It contains only requirements for functional safety at a machine; it is not applicable to non-electrical control elements; and it defines no requirements for the electrical equipment itself (electrical safety), for which IEC 60204-1 applies.
Merger of ISO 13849 and IEC 62061 (timeline)
2005/6: EN ISO 13849 (PL) and IEC/EN 62061 (SIL) published; EN 954 (Category: fault tolerance, diagnostics) withdrawn in 2011.
2016 (?): proposed merged standard IEC/ISO 17305, covering fault tolerance, diagnostics, reliability, systematic aspects, SRS and FSM.
Merger of ISO 13849 and IEC 62061: objective
Based on the feedback gathered over approximately five years, the proposal aims at merging ISO 13849-1 (Safety of machinery, Safety-related parts of control systems, Part 1: General principles for design) and IEC 62061 (Safety of machinery, Functional safety of safety-related electrical, electronic and programmable electronic control systems). It is based on the following principles: no alteration of the methodology or the basic approach introduced by both standards; deletion of overlaps; simplification of use; introduction of additions stemming from the feedback.
Questions
Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com