Principles, Standards and Implementation

System Design According to ISO/EN 13849 and SISTEMA

System Structure

Any system can be split into basic components, or "subsystems." Each subsystem has its own discrete function. Most systems can be split into three basic functions: input, logic solving and actuation [some simple systems may have no logic solving]. The groups of components that implement these functions are the subsystems.

Figure 121: Input, Logic, Output diagram

A simple single-channel electrical system example is given in Figure 122. It comprises only input and output subsystems.

Figure 122: Interlock Switch and Contactor

In Figure 123 the system is a little more complex because some logic is also required. The safety controller itself will be internally fault tolerant (e.g. dual channel), but the overall system is still limited to single-channel status because of the single limit switch and single contactor: a single fault in either of those components defeats the safety function, however robust the controller is.

Figure 123: Interlock Switch, Safety Controller and Safety Contactor

If we take the basic architecture of Figure 123, there are some other things to consider. First, how many "channels" does the system have? A single-channel system will fail if one of its subsystems fails. A two-channel [also called redundant] system needs two failures, one in each channel, before the system fails. Because it has two channels it can tolerate a single fault and still perform its safety function. Figure 124 shows a two-channel system.

Figure 124: Dual Channel with Interlock Switch, Safety Controller and Safety Contactors

Clearly the system shown in Figure 124 is less likely to fail than the one shown in Figure 123, but we can make it even more reliable [in terms of its safety function] by including diagnostic measures for fault detection. Having detected a fault we also need to react to it and put the system into a safe state; an undetected fault would leave the system running on one channel, with no tolerance of the next fault. Figure 125 shows the inclusion of diagnostic measures achieved through monitoring techniques.

Figure 125: Dual Channel System with Interlock Switch, Safety Controller and Safety Contactors—Diagnostics Shown by Dashed Arrows

It is usually [but not always] the case that the system comprises two channels in all its subsystems, as shown in Figure 125. In this case each subsystem therefore has two "sub-channels"; the standard describes these as "blocks." A two-channel subsystem has two blocks and a single-channel subsystem has one block. Some systems will comprise a combination of dual-channel and single-channel subsystems.

If we want to investigate the system in more depth we need to look at the component parts of the blocks. The SISTEMA tool uses the term "elements" for these component parts. Figure 126 shows our system using the SISTEMA terminology.

Figure 126: Dual Channel System Shown Subdivided into Subsystems, Blocks and Elements

The limit switches subsystem is shown subdivided down to its element level. The output contactor subsystem is subdivided down to its block level and the logic subsystem is not subdivided at all. The monitoring function for both the limit switches and the contactors is performed at the logic controller. Therefore the boxes representing the limit switch and contactor subsystems have a small overlap with the logic subsystem box.

This principle of system subdivision can be recognized in the methodology given in EN ISO 13849-1 and in the basic system structure principle of the SISTEMA tool, although there are some subtle differences. The standard is not restrictive in its methodology, but for the simplified method of estimating the PL the usual first step is to break the system structure into channels and then into the blocks within each channel. With SISTEMA the system is first divided into subsystems. The standard does not explicitly describe a subsystem concept, but its use in SISTEMA gives a more understandable and intuitive approach. There is no effect on the final calculation: SISTEMA and the standard use the same principles and formulae. The subsystem approach is also used in EN/IEC 62061.

The system we have been using as an example is just one of the five basic types of system architectures that the standard designates. Anyone familiar with the Categories system will recognize our example as representative of either Category 3 or 4.

The standard uses the original EN 954-1 Categories as its five basic types of designated system architectures. It calls them Designated Architecture Categories. The requirements for the Categories are almost [but not quite] identical to those given in EN 954-1. The Designated Architecture Categories are represented by the following figures. It is important to note that they can be applied either to a complete system or a subsystem. The diagrams should not be taken purely as a physical structure. They are intended more as a graphical representation of conceptual requirements.

A more detailed look at the practical implementation of categories is dealt with in a later chapter.

Figure 127: Designated Architecture Category B

Designated Architecture Category B must use basic safety principles [see annex of EN ISO 13849-2]. The system or subsystem can fail in the event of a single fault. See EN ISO 13849-1 for full requirements.

Figure 128: Designated Architecture Category 1

Designated Architecture Category 1 has the same structure as Category B and can still fail in the event of a single fault, but because it must also use well-tried components and well-tried safety principles [see annex of EN ISO 13849-2] this is less likely than for Category B. See EN ISO 13849-1 for full requirements.

Figure 129: Designated Architecture Category 2

Designated Architecture Category 2 must use basic safety principles [see annex of EN ISO 13849-2]. There must also be diagnostic monitoring via a functional test of the system or subsystem. The test must occur at start-up and then periodically, with a frequency equating to at least one hundred tests for every demand on the safety function. This test rate is a requirement additional to those of the old EN 954-1. The system or subsystem can still fail if a single fault occurs between the functional tests, but this is usually less likely than for Category 1. See EN ISO 13849-1 for full requirements.

Figure 130: Designated Architecture Category 3

Designated Architecture Category 3 must use basic safety principles [see annex of EN ISO 13849-2]. There is also a requirement that the system/subsystem must not fail in the event of a single fault; that is, the system needs single-fault tolerance with regard to its safety function. The most common way of achieving this is a dual-channel architecture as shown in Figure 130. In addition a single fault shall be detected wherever practicable. This requirement is the same as the original requirement for Category 3 in EN 954-1, where the meaning of the phrase "wherever practicable" proved somewhat problematic: Category 3 could cover everything from a system with redundancy but no fault detection [often descriptively and appropriately termed "stupid redundancy"] to a redundant system in which all single faults are detected. EN ISO 13849-1 addresses this by requiring the quality of the Diagnostic Coverage [DC] to be estimated. By reference to Annex K or Table 10 we can see that the greater the reliability [MTTFd] of the system, the lower the DC we need. However, DC needs to be at least 60% for the Category 3 Architecture.

Figure 131: Designated Architecture Category 4

Designated Architecture Category 4 must use basic safety principles [see annex of EN ISO 13849-2]. It has a similar requirements diagram to Category 3 but demands greater monitoring, i.e. higher Diagnostic Coverage; this is shown by the heavier dotted lines representing the monitoring functions. In essence the difference between Categories 3 and 4 is that for Category 3 most single faults must be detected, whereas for Category 4 all single faults must be detected: the DC needs to be at least 99%. Even an accumulation of faults must not cause a dangerous failure [loss of the safety function].