
Implementing functional safety with EN ISO 13849-1 and EN/IEC 62061

Risk assessment and risk reduction


EN ISO 13849-1: applicable for electrical/electronic/programmable electronic/hydraulic/pneumatic/mechanical systems
EN/IEC 62061: applicable for electrical/electronic/programmable electronic systems

START

Risk assessment
in accordance with EN ISO 14121

The following versions of the standards have been quoted:
EN ISO 12100-1:2003
EN ISO 12100-2:2003
EN ISO 13849-1:2008
EN ISO 14121-1:2007
EN/IEC 62061:2005

Risk analysis
in accordance with EN ISO 14121

Determination of the limits of the machinery: space, time, environmental conditions, use (EN ISO 14121-1 Clause 5; EN ISO 12100-1 Clause 5.2)

Hazard identification for all lifecycles and operating modes (EN ISO 14121-1 Clause 6 and Annex A; EN ISO 12100-1 Clause 4 and 5.3)

Risk estimation: severity, possibility of avoidance, frequency, duration (EN ISO 14121-1 Clause 7; EN/IEC 62061 Annex A; EN ISO 13849-1 Annex A, risk graph). Carried out separately for each risk; this is the starting point for evaluating the safety function's contribution to risk reduction.

Determination of the required performance level (PLr), EN ISO 13849-1 risk graph:
S  Severity of injury: S1 = slight (normally reversible injury); S2 = serious (normally irreversible injury or death)
F  Frequency and/or exposure to hazard: F1 = seldom to less often and/or exposure time is short; F2 = frequent to continuous and/or exposure time is long
P  Possibility of avoiding hazard or limiting harm: P1 = possible under specific conditions; P2 = scarcely possible
Result: required performance level (PLr), ranging from low risk to high risk.

Determination of the required safety integrity level (SIL), EN/IEC 62061:
Severity S (consequences): 4 = death, losing an eye or arm; 3 = permanent, losing fingers; 2 = reversible, medical attention; 1 = reversible, first aid
Frequency Fr and duration of exposure (points for a duration > 10 min / <= 10 min): <= 1 hour: 5 / 5; > 1 hour to 1 day: 5 / 4; > 1 day to 2 weeks: 4 / 3; > 2 weeks to 1 year: 3 / 2; > 1 year: 2 / 1
Probability of hazardous event Pr: very high = 5; likely = 4; possible = 3; rarely = 2; negligible = 1
Avoidance Av: impossible = 5; possible = 3; likely = 1

Class Cl = Fr + Pr + Av:
         Cl 3-4   Cl 5-7   Cl 8-10   Cl 11-13   Cl 14-15
  S 4    SIL 2    SIL 2    SIL 2     SIL 3      SIL 3
  S 3    -        OM       SIL 1     SIL 2      SIL 3
  S 2    -        -        OM        SIL 1      SIL 2
  S 1    -        -        -         OM         SIL 1
OM = other measures required

Risk evaluation in accordance with C standards or risk estimation (EN ISO 14121-1 Clause 8)
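The EN/IEC 62061 SIL assignment described above (Cl = Fr + Pr + Av looked up against severity S), written out as a small Python module. This is an added example, not part of the Pilz poster; the point values and matrix are the poster's, the function names and the sample case are mine.

```python
"""EN/IEC 62061 Annex A SIL assignment as shown in the poster's table.
Added example: point values and matrix from the poster, code and names are mine."""
from typing import Optional

# Fr rows: (upper bound of the interval between exposures in hours,
#           points if the exposure lasts > 10 min, points if it lasts <= 10 min)
_FR_ROWS = [(1.0, 5, 5), (24.0, 5, 4), (24.0 * 14, 4, 3), (24.0 * 365, 3, 2)]
_FR_OVER_ONE_YEAR = (2, 1)

PR_POINTS = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV_POINTS = {"impossible": 5, "possible": 3, "likely": 1}

# Severity S: 4 death / loss of eye or arm, 3 permanent / loss of fingers,
# 2 reversible / medical attention, 1 reversible / first aid.
# Columns are the class bands Cl 3-4, 5-7, 8-10, 11-13, 14-15;
# None = no safety requirement in the table, "OM" = other measures required.
_CL_UPPER = (4, 7, 10, 13, 15)
_SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: (None, "OM", "SIL 1", "SIL 2", "SIL 3"),
    2: (None, None, "OM", "SIL 1", "SIL 2"),
    1: (None, None, None, "OM", "SIL 1"),
}


def fr_points(hours_between_exposures: float, lasts_over_10_min: bool = True) -> int:
    """Frequency/duration points Fr from the mean interval between exposures."""
    for upper, long_dur, short_dur in _FR_ROWS:
        if hours_between_exposures <= upper:
            return long_dur if lasts_over_10_min else short_dur
    return _FR_OVER_ONE_YEAR[0] if lasts_over_10_min else _FR_OVER_ONE_YEAR[1]


def required_sil(severity: int, fr: int, pr: int, av: int) -> Optional[str]:
    """Required SIL ('SIL 1'..'SIL 3'), 'OM', or None when the table is blank."""
    if severity not in _SIL_MATRIX:
        raise ValueError("severity must be 1..4")
    cl = fr + pr + av  # 3 <= Cl <= 15 for valid point values
    column = next(i for i, upper in enumerate(_CL_UPPER) if cl <= upper)
    return _SIL_MATRIX[severity][column]


if __name__ == "__main__":
    # Constructed case: operator reaches into the hazard zone about every
    # 30 minutes for more than 10 minutes, event likely, avoidance possible.
    fr = fr_points(0.5)                       # 5
    sil = required_sil(4, fr, PR_POINTS["likely"], AV_POINTS["possible"])
    print(f"Cl = {fr + 4 + 3}, required: {sil}")  # Cl = 12, required: SIL 3
```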

Has the risk been sufficiently reduced?
Yes: END
No: risk reduction; the measures are assessed independently and consecutively.

Evaluation of the safety function

Necessary safety performance data, by unit type:

Units with internal diagnostics (programmable control system, safety relays)
  EN ISO 13849-1: PL, Category, T1
  EN/IEC 62061: SIL, PFH, T1

Units without internal diagnostics, no wearing components (input devices)
  EN ISO 13849-1: MTTFd; DC, CCF, Category
  EN/IEC 62061: MTTFd or λd, λs; DC, CCF, Subsystem type

Units without internal diagnostics, with wearing components (E-STOPs, relays, switches)
  EN ISO 13849-1: B10d; DC, CCF, Category, nop
  EN/IEC 62061: B10d or λd, λs; DC, CCF, Subsystem type, nop

Risk reduction
in accordance with EN ISO 12100-1 Clause 5.4 + 5.5

Can the hazard be eliminated?
  No:
Can the risk be reduced through an inherently safe design?
  Yes: Risk reduction through inherently safe design (EN ISO 12100-2 Clause 4). Has the intended risk minimisation been achieved?
  No:
Can the risk be reduced through guards and other safety devices?
  Yes: Risk reduction through safeguarding measures; incorporation of additional safeguarding (EN ISO 12100-2 Clause 5). Has the intended risk minimisation been achieved?
  No:
Can the limits be redefined?
  No: Risk reduction through user information (EN ISO 12100-2 Clause 6). Has the intended risk minimisation been achieved?
Have other hazards been generated?

Implementation of safety function SRCF/SRP/CS
EN ISO 13849-1 / EN/IEC 62061

Calculation in accordance with the standard. The calculation is made in accordance with the graphic from the inside outwards; data sources: data from the manufacturer, data from the application.

Components of the safety function and the data each contributes:
Component 1: non-wearing; without internal diagnostics: MTTFd, λs, λd
Component 2: subject to wear; without internal diagnostics: B10d, λs, λd; together with nop from the application gives MTTFd
Component 3: with internal diagnostics: PL, CAT, PFH (EN ISO 13849-1) or SIL, PFH (EN/IEC 62061)
Component 4: subject to wear; without internal diagnostics: B10d, nop, giving MTTFd
Component 5: non-wearing; without internal diagnostics: MTTFd

Calculation EN ISO 13849-1: MTTFd per channel; DC, CCF, CAT; result: PL, PFH
Calculation EN/IEC 62061: MTTFd per channel; DC, CCF, nop, Subsystem type; result: SIL, PFH

Specification of categories/subsystem types

Lexicon

B10d: Lifetime of products before 10 % of the product range fails dangerously
Beta factor or common cause factor (β): CCF measurement; proportion of failures which have a common cause
Category (CAT): Classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability
CCF: Failure due to a common cause
DCavg: Average diagnostic coverage
Diagnostic coverage (DC): Measure for the effectivity of diagnostics; may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures
Diagnostic test interval: Time period between online tests carried out in order to detect faults in a safety-related system with the specified degree of diagnostic coverage
Diversity: Use of diverse means to execute a required function
dop: Average operating time in days per year
Fault: State of an item characterised by inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
hop: Average operating time in hours per day
Intended use of a machine: Use of a machine in accordance with the information provided in the user information
λ: Probability of a dangerous failure per hour (see PFH)
λD: Dangerous failure rate
λS: Safe failure rate
Mission time (TM): Period of time covering the intended use of a SRP/CS
MTTFd: Mean time to dangerous failure
nop: Mean frequency of operation per year
PAScal: Calculation software for verifying functional safety
Performance Level (PL): Discrete level to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
Performance Level, required (PLr): Performance level (PL) in order to achieve the required risk reduction for each safety function
PFH = PFHd: Probability of dangerous failure per hour with continual use
Proof test (T1): Periodic test performed to detect failures in a safety-related system so that, if necessary, the system can be restored to an as-new condition or as close as practical to this condition. For most units, a proof test cannot be implemented for technical reasons
Redundancy: The duplication of means required by a functional entity to perform a required function or in order for data to represent information
Residual risk: Remaining risk left over once safety measures have been put in place
Risk: Combination of the probability of occurrence of harm and the severity of that harm
Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation
Risk assessment: The overall process comprising risk analysis and risk evaluation
Risk evaluation: Judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved
Safety function: Function of the machine whose failure can result in an immediate increase of the risk(s)
Safety integrity: Probability of a safety-related system satisfactorily performing the required safety functions under all stated conditions within a stated period of time
Safety Integrity Level (SIL): Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE system, where SIL 3 (SIL 4 in the process industry) has the highest level of safety integrity and SIL 1 has the lowest
SIL claim limit (SILCL): Maximum SIL that can be claimed for an SRECS subsystem in relation to architectural constraints and systematic safety integrity
SRCF, safety-related control function: Control function implemented by an SRECS with a specified integrity level that is intended to maintain the safe condition of the machine or to prevent an immediate increase of the risk(s)
SRECS: Electrical control system of a machine whose failure can result in an immediate increase of the risk
SRP/CS, safety-related part of a control system: Part of a control system that responds to safety-related input signals and generates safety-related output signals
Subsystem: Entity of the top-level architectural design of the SRECS where a failure of any subsystem will result in a failure of a safety-related control function
T1: see Proof test
tCycle: Mean time between the start of two consecutive cycles of a component (e.g. switching a valve), in seconds per cycle
TM: see Mission time
Validation: A confirmation process which takes the form of an investigation and the provision of a certificate and is carried out in order to demonstrate compliance with the special requirements of a specific intended use
Verification: A confirmation process which takes the form of an investigation and the provision of a certificate and is carried out in order to demonstrate compliance with requirements

Category (EN ISO 13849-1) and corresponding subsystem type (EN/IEC 62061):
Category B, 1: Subsystem A
Category 2: Subsystem C
Category 3: Subsystem B
Category 4: Subsystem D
Output labels used in the circuit examples: OSSD1, OSSD2; instantaneous, delayed

Verification of safety function

Probability of a dangerous failure per hour, comparison PL/SIL:

Performance Level (PL), EN ISO 13849-1 | Probability of a dangerous failure per hour PFH [1/h] | Safety Integrity Level (SIL), EN/IEC 62061
a | 10^-5 <= PFH < 10^-4 | no special safety requirements
b | 3 x 10^-6 <= PFH < 10^-5 | 1 (1 failure in 100,000 h)
c | 10^-6 <= PFH < 3 x 10^-6 | 1 (1 failure in 100,000 h)
d | 10^-7 <= PFH < 10^-6 | 2 (1 failure in 1,000,000 h)
e | 10^-8 <= PFH < 10^-7 | 3 (1 failure in 10,000,000 h)

Achieved PL >= PLr?
Achieved SIL >= required SIL?
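The verification step above as an added Python example (not part of the poster): an achieved PFH is placed in the poster's PL band, mapped to the corresponding SIL (PL b and c both correspond to SIL 1), and compared with the required PLr and SIL. Function names and the sample values are mine; a PFH below the PL e band is treated as meeting PL e / SIL 3, which is my handling of a value better than the table's lowest band.

```python
"""PFH -> PL / SIL classification and the achieved-vs-required check.
Added example: bands from the poster's comparison table, code and names are mine."""
from typing import Dict, Optional, Tuple

# (lower bound inclusive, upper bound exclusive, PL, SIL or None)
_PFH_BANDS = (
    (1e-5, 1e-4, "a", None),  # no special safety requirements
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
)
_PL_ORDER = "abcde"  # a = lowest, e = highest


def classify_pfh(pfh: float) -> Tuple[Optional[str], Optional[int]]:
    """Return (PL, SIL) for an achieved PFH in 1/h.
    A PFH below 1e-8 is better than the PL e band and is reported as PL e / SIL 3
    (my handling); a PFH of 1e-4 or worse is outside the table: (None, None)."""
    if 0 < pfh < 1e-8:
        return "e", 3
    for lower, upper, pl, sil in _PFH_BANDS:
        if lower <= pfh < upper:
            return pl, sil
    return None, None


def pl_meets(achieved_pl: Optional[str], required_pl: str) -> bool:
    """Achieved PL >= PLr, using the a..e ordering."""
    if achieved_pl is None:
        return False
    return _PL_ORDER.index(achieved_pl) >= _PL_ORDER.index(required_pl)


def sil_meets(achieved_sil: Optional[int], required_sil: int) -> bool:
    """Achieved SIL >= required SIL; PL a (no SIL) never meets a SIL requirement."""
    return achieved_sil is not None and achieved_sil >= required_sil


def verify(pfh: float, plr: str, required_sil: int) -> Dict[str, object]:
    """One verification record for a safety function."""
    pl, sil = classify_pfh(pfh)
    return {"PFH": pfh, "PL": pl, "SIL": sil,
            "PL ok": pl_meets(pl, plr), "SIL ok": sil_meets(sil, required_sil)}


if __name__ == "__main__":
    # Constructed result: a calculated PFH of 2.5e-7 1/h against PLr d / SIL 2.
    print(verify(2.5e-7, "d", 2))  # PL d, SIL 2, both checks True
    print(verify(2.5e-7, "e", 3))  # PL d, SIL 2, both checks False
```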


8-8-2-0-072, 2008-11 Printed in Germany Pilz GmbH & Co. KG, 2008

PAScal Safety Calculator: calculation software for verifying functional safety

The PAScal Safety Calculator calculates the PFHD value of safety functions on plant and machinery. The result is verified against the prescribed performance level (PL) in accordance with EN ISO 13849 or safety integrity level (SIL) in accordance with EN/IEC 62061. The graphical representation shows how individual components influence overall safety.

Benefits to you:
Simple handling saves time
Comprehensive component database
Simple import and update function
Report generator as documentary evidence

Download the current version: www.pilz.com, Webcode 0971

The measures outlined on this sheet are simplified descriptions and are intended to provide an overview of the standards EN ISO 13849-1 and EN/IEC 62061. Detailed understanding and correct application of all relevant standards and directives are needed for validation of safety circuits. As a result, we cannot accept any liability for omissions or incomplete information.

International hotline: +49 711 3409-444
