System Design According to ISO/EN 13849 and SISTEMA
This standard provides requirements for the design and integration of safety-related parts of control systems, including some software aspects. The standard applies to a safety-related system but can also be applied to the component parts of the system.
SISTEMA Software PL Calculation Tool
SISTEMA is a software tool for the implementation of EN ISO 13849-1. Its use will greatly simplify the implementation of the standard.
SISTEMA stands for "Safety Integrity Software Tool for the Evaluation of Machine Applications". It was developed by the BGIA in Germany and is free to use. It requires the input of various types of functional safety data as described later in this section.
The data can be entered manually or automatically by using a manufacturer's SISTEMA data library.
The Rockwell Automation SISTEMA Data Library is available for download, together with a link to the SISTEMA download site, at: http://discover.rockwellautomation.com/EN_Safety_Solutions.aspx.
Overview of EN ISO 13849-1
This standard has wide applicability, as it applies to all technologies, including electrical, hydraulic, pneumatic and mechanical. Although ISO 13849-1 is applicable to complex systems, it also refers the reader to IEC 62061 and IEC 61508 for complex software embedded systems.
Let's have a look at the basic differences between the old EN 954-1 and the new EN ISO 13849-1. The outputs of the old standard were Categories [B, 1, 2, 3 or 4]. The outputs of the new standard are Performance Levels [PL a, b, c, d or e]. The Category concept is retained, but there are additional requirements to be satisfied before a PL can be claimed for a system.
The requirements can be listed in basic form as follows:
- The architecture of the system. Essentially this captures what we have become used to as the Categories
- Reliability data is required for the constituent parts of the system
- The Diagnostic Coverage [DC] of the system is required. This effectively represents the amount of fault monitoring in the system
- Protection against common cause failure
- Protection against systematic faults
- Where relevant, specific requirements for software
Later we will take a closer look at these factors, but before we do it will be useful to consider the basic intent and principle of the whole standard. It is clear at this stage that there are new things to learn, but the detail will make more sense once we have understood what it is trying to achieve and why.
First of all why do we need the new standard? It is obvious that the technology used in machine safety systems has progressed and changed considerably over the last ten years. Until relatively recently safety systems have depended on "simple" equipment with very foreseeable and predictable failure modes. More recently we have seen an increasing use of more complex electronic and programmable devices in safety systems. This has given us advantages in terms of cost, flexibility and compatibility but it has also meant that the pre-existing standards are no longer adequate. In order to know whether a safety system is good enough we need to know more about it. This is why the new standard asks for more information. As safety systems start to use a more "black box" approach we start to rely more heavily on their conformity to standards. Therefore those standards need to be capable of properly interrogating the technology. In order to fulfill this they must speak to the basic factors of reliability, fault detection, architectural and systematic integrity. This is the intent of EN ISO 13849-1.
In order to plot a logical course through the standard, two fundamentally different user types must be considered: the designer of safety-related subsystems and the designers of safety-related systems. In general the subsystem designer [typically a safety component manufacturer] will be subjected to a higher level of complexity. They will need to provide the required data in order that the system designer can ensure that the subsystem is of adequate integrity for the system. This will usually require some testing, analysis and calculation. The results will be expressed in the form of the data required by the standard.
The system designer [typically a machine designer or integrator] will use the subsystem data to perform some relatively straightforward calculations to determine the overall Performance Level [PL] of the system.
PLr is used to denote what performance level is required by the safety function. In order to determine the PLr the standard provides a risk graph into which the application factors of severity of injury, frequency of exposure and possibility of avoidance are input.
Figure 119: Risk Graph from Annex A of EN ISO 13849-1
The output is the PLr. Users of the old EN 954-1 will be familiar with this approach but take note that the S1 line now subdivides whereas the old risk graph did not. Note that this means a possible reconsideration of the integrity of safety measures required at lower risk levels.
Figure 120: Risk Graph from Annex B of EN 954-1
There is one very important part yet to be covered however. We now know from the standard how good the system needs to be and also how to determine how good it is but we don't know what it needs to do. We need to decide what the safety function is. Clearly the safety function must be appropriate to the task so how do we ensure this? How does the standard help us?
It is important to realize that the functionality required can only be determined by considering the characteristics prevailing at the actual application. This can be regarded as the safety concept design stage. It cannot be completely covered by the standard because the standard does not know about all the characteristics of a specific application. This also often applies to the machine builder who produces the machine but does not necessarily know the exact conditions under which it will be used.
The standard does provide some help by listing many of the commonly used safety functions (e.g. safety-related stop function initiated by a safeguard, muting function, start/restart function) and giving some normally associated requirements. Other standards, such as EN ISO 12100 (Basic design principles) and EN ISO 14121 (Risk assessment), are highly recommended for use at this stage. There is also a large range of machine-specific standards that provide solutions for specific machines. Within the European EN standards they are termed C-type standards; some of them have exact equivalents in ISO standards.
So we can now see that the safety concept design stage is dependent on the type of machine and also on the characteristics of the application and environment in which it is used. The machine builder must anticipate these factors in order to be able to design the safety concept. The intended [i.e. anticipated] conditions of use should be given in the user manual. The user of the machine needs to check that they match the actual usage conditions.
So now we have a description of the safety functionality. From annex A of the standard we also have the required performance level [PLr] for the safety-related parts of the control system [SRP/CS] that will be used to implement this functionality. We now need to design the system and make sure that it complies with the PLr.
One of the significant factors in the decision on which standard to use [EN ISO 13849-1 or EN/IEC 62061] is the complexity of the safety function. In most cases, for machinery, the safety function will be relatively simple and EN ISO 13849-1 will be the most suitable route. Reliability data, diagnostic coverage [DC], the system architecture [Category], common cause failure and, where relevant, requirements for software are used to assess the PL.
This is a simplified description meant only to give an overview. It is important to understand that all the provisions given in the body of the standard must be applied. However, help is at hand. The SISTEMA software tool is available to help with the documentation and calculation aspects. It also produces a technical file.
At the time this publication went to print, SISTEMA was available in German and English. Other languages will be released in the near future. BGIA, the developer of SISTEMA, is a well-respected research and testing institution based in Germany. It is particularly involved in solving scientific and technical problems relating to safety in the context of statutory accident insurance and prevention in Germany. It works in cooperation with occupational health and safety agencies from over 20 countries. Experts from the BGIA, along with their BG colleagues, had significant participation in the drafting of both EN ISO 13849-1 and IEC/EN 62061.
The library of Rockwell Automation safety component data for SISTEMA is available at: http://discover.rockwellautomation.com/EN_Safety_Solutions.aspx.
Whichever way the calculation of the PL is done, it is important to start off from the right foundation. We need to view our system in the same way as the standard does, so let's start with that.
