System Design According to ISO/EN 13849 and SISTEMA
EN ISO 13849-1 uses quantitative reliability data as part of the calculation of the PL achieved by the safety-related parts of a control system. This is a significant departure from EN 954-1. The first question this raises is "where do we get this data from?" It is possible to use data from recognized reliability handbooks but the standard makes it clear that the preferred source is the manufacturer. To this end, Rockwell Automation is making the relevant information available in the form of a data library for SISTEMA. In due course it will also publish the data in other forms. Before we go any further we should consider what types of data are required and also gain an understanding of how it is produced.
The ultimate type of data required as part of the PL determination in the standard [and SISTEMA] is the PFH [the probability of dangerous failure per hour]. This is the same data as represented by the PFHd abbreviation used in IEC/EN 62061.
| PL | Average Probability of Dangerous Failure per Hour (1/h) | SIL |
| a | ≥ 10^-5 to < 10^-4 | No correspondence |
| b | ≥ 3 x 10^-6 to < 10^-5 | 1 |
| c | ≥ 10^-6 to < 3 x 10^-6 | 1 |
| d | ≥ 10^-7 to < 10^-6 | 2 |
| e | ≥ 10^-8 to < 10^-7 | 3 |
Table 9: Relationship between PL, PFH and SIL
Table 9 shows the relationship between PFH, PL and SIL. For some subsystems the PFH may be available from the manufacturer, which makes the calculation easier. The manufacturer will usually have to perform some relatively complex calculation and/or testing on their subsystem in order to provide it. Where it is not available, EN ISO 13849-1 gives an alternative simplified approach based on the average MTTFd [mean time to dangerous failure] of a single channel. The PL [and therefore the PFH] of a system or subsystem can then be calculated using the methodology and formulae in the standard. It can be done even more conveniently using SISTEMA.
NOTE: It is important to understand that, for a dual channel system (with or without diagnostics), it is not correct to use 1/PFHD to determine the MTTFd required by EN ISO 13849-1. The standard calls for the MTTFd of a single channel, which is a very different value from the MTTFd of the combination of both channels of a two channel subsystem. If the PFHD of a two channel subsystem is known, it can simply be entered directly into SISTEMA.
MTTFd of a Single Channel
This represents the mean time before the occurrence of a failure that could lead to the failure of the safety function. It is expressed in years. It is an average of the MTTFd values of the "blocks" of a single channel and can be applied to either a system or a subsystem. The standard gives a formula (Formula D1) for calculating this average over all the elements used in a single channel or subsystem.
At this stage the value of SISTEMA becomes apparent. Users are spared time consuming consultation of tables and calculation of formulae since these tasks are performed by the software. The final results can be printed out in the form of a multiple page report.
[Figure: Formula D1 from EN ISO 13849-1]
In most dual channel systems both channels are identical, so the result of the formula represents either channel.
If the channels of the system/subsystem are different, the standard provides a formula to cater for this.
[Figure: Formula 1 from EN ISO 13849-1]
This, in effect, averages the two averages. For simplicity it is also permissible to use the worst case channel value alone.
The standard groups the MTTFd into three ranges as follows:
| Denotation of MTTFd of each channel | Range of MTTFd of each channel |
| Low | 3 years ≤ MTTFd < 10 years |
| Medium | 10 years ≤ MTTFd < 30 years |
| High | 30 years ≤ MTTFd < 100 years |
Table 10: Levels of MTTFd
Note that EN ISO 13849-1 limits the usable MTTFd of a single channel of a subsystem to a maximum of 100 years even though the actual values derived may be much higher.
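The following worked example, added here and not taken from SISTEMA or Rockwell Automation, shows the single-channel MTTFd steps described above in code: the Formula D1 combination of the blocks of one channel (a harmonic combination, 1/MTTFd = sum of 1/MTTFd of each block, as given in Annex D of EN ISO 13849-1), the symmetrising formula for two differing channels (MTTFd = 2/3 [C1 + C2 − 1/(1/C1 + 1/C2)], also from Annex D), the worst-case-channel shortcut, the 100 year cap and the Table 10 bands. It assumes the cap is applied to each channel value before the two channels are averaged; the block values are constructed sample data.

```python
"""Single-channel MTTFd handling per EN ISO 13849-1 (added example, not SISTEMA code).

Assumptions: the 100 year cap of Table 10 is applied per channel before the
two-channel average; block MTTFd values below are constructed sample data.
"""

MTTFD_CAP_YEARS = 100.0  # usable single-channel MTTFd is limited to 100 years


def channel_mttfd(block_mttfd_years):
    """Formula D1: 1/MTTFd = sum(1/MTTFd_i) over the blocks of one channel.

    This is a harmonic combination, not an arithmetic mean, so a single
    block with a short MTTFd dominates the whole channel. Result in years.
    """
    if not block_mttfd_years:
        raise ValueError("a channel needs at least one block")
    if any(v <= 0 for v in block_mttfd_years):
        raise ValueError("MTTFd values must be positive")
    return 1.0 / sum(1.0 / v for v in block_mttfd_years)


def usable_mttfd(value_years):
    """Apply the Table 10 upper limit: anything above 100 years counts as 100."""
    return min(value_years, MTTFD_CAP_YEARS)


def symmetrised_mttfd(c1_years, c2_years):
    """Two differing channels: MTTFd = 2/3 * (C1 + C2 - 1/(1/C1 + 1/C2)).

    For two identical channels this reduces to the channel value itself.
    """
    harmonic = 1.0 / (1.0 / c1_years + 1.0 / c2_years)
    return (2.0 / 3.0) * (c1_years + c2_years - harmonic)


def mttfd_band(value_years):
    """Table 10 band. Returns None below 3 years, which Table 10 does not cover."""
    v = usable_mttfd(value_years)
    if v < 3:
        return None
    if v < 10:
        return "Low"
    if v < 30:
        return "Medium"
    return "High"


def subsystem_mttfd(channel1_blocks, channel2_blocks=None, worst_case=False):
    """Average MTTFd of a single channel for a one- or two-channel subsystem.

    worst_case=True uses the simplification of taking the weaker channel
    instead of the symmetrising formula.
    """
    c1 = usable_mttfd(channel_mttfd(channel1_blocks))
    if channel2_blocks is None:
        return c1
    c2 = usable_mttfd(channel_mttfd(channel2_blocks))
    if worst_case:
        return min(c1, c2)
    return symmetrised_mttfd(c1, c2)


if __name__ == "__main__":
    # Constructed sample: channel 1 has blocks of 50, 50 and 100 years.
    ch1 = [50.0, 50.0, 100.0]   # 1/(0.02 + 0.02 + 0.01) -> 20 years
    ch2 = [150.0]               # single block above the cap -> 100 years usable
    print("channel 1:", channel_mttfd(ch1), mttfd_band(channel_mttfd(ch1)))
    sym = subsystem_mttfd(ch1, ch2)
    worst = subsystem_mttfd(ch1, ch2, worst_case=True)
    print("symmetrised:", round(sym, 2), mttfd_band(sym))
    print("worst case :", worst, mttfd_band(worst))
```

Running it shows why the simplification is conservative: with the constructed channels the symmetrised value lands in the High band while the worst-case shortcut stays at 20 years, Medium.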
As we will see later, the achieved range of MTTFd average is then combined with the designated architecture Category and the diagnostic coverage [DC] to provide a preliminary PL rating. The term preliminary is used here because other requirements including systematic integrity and measures against common cause failure still have to be met where relevant.
