Principles, Standards and Implementation


System Design According to ISO/EN 13849 and SISTEMA

Methods of Data Determination

We now need to delve one stage deeper into how a manufacturer determines the data, either as PFHD or as MTTFd. An understanding of this is essential when dealing with manufacturers' data.

Data can be grouped into two basic types: 1) mechanistic (electro-mechanical, mechanical, pneumatic and hydraulic) and 2) electronic (solid state).

There is a fundamental difference between the common failure mechanisms of these three technology types. In basic form it can be summarized as follows:

Mechanistic Technology: Failure is proportional to both the inherent reliability and the usage rate. The greater the usage rate, the more likely it is that one of the component parts will be degraded and fail. Note that this is not the only failure cause, but unless we limit the operating time/cycles it will be the predominant one. It is self-evident that a contactor with a switching cycle of once per ten seconds will operate reliably for a far shorter time than an identical contactor that operates once per day. Physical technology devices generally comprise components that are individually designed for their specific use. The components are shaped, molded, cast, machined, etc. They are combined with linkages, springs, magnets, electrical windings, etc. to form a mechanism. Because the component parts do not, in general, have any history of use in other applications, we cannot find any pre-existing reliability data for them. The estimation of the PFHD or MTTFd for the mechanism is normally based on testing. Both EN/IEC 62061 and EN ISO 13849-1 advocate a test process known as B10d testing.

In the B10d test a number of device samples [usually at least ten] are tested under suitably representative conditions. The mean number of operating cycles achieved before 10% of the samples fail to the dangerous condition is known as the B10d value.

In practice it is often the case that all of the samples will fail to a safe state; in that case the standard states that the B10d [dangerous] value can be taken as twice the B10 [safe] value.
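The B10d result only becomes an MTTFd once the application's cycle rate is known. The following is an added example, not code from the catalog page, that applies the ISO 13849-1 Annex C relationships (n_op from d_op, h_op and t_cycle; MTTFd = B10d / (0.1 × n_op)) to the two contactors described above; the B10d figure and usage values are constructed.

```python
# Added example, not code from the catalog page: turns a B10d test result into an
# MTTFd estimate for the application's cycle rate, using the relationships of
# ISO 13849-1 Annex C. All B10/B10d and usage figures below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Usage:
    """How hard the application drives the device (ISO 13849-1 Annex C symbols)."""
    days_per_year: float      # d_op
    hours_per_day: float      # h_op
    seconds_per_cycle: float  # t_cycle (time between two consecutive actuations)

    def cycles_per_year(self) -> float:
        # n_op = d_op * h_op * 3600 / t_cycle
        return self.days_per_year * self.hours_per_day * 3600.0 / self.seconds_per_cycle


def b10d_when_all_fail_safe(b10: float) -> float:
    """If every sample failed to the safe state, B10d may be taken as twice B10."""
    return 2.0 * b10


def mttfd_years(b10d: float, usage: Usage) -> float:
    """MTTFd = B10d / (0.1 * n_op): mean years until dangerous failure at this usage."""
    return b10d / (0.1 * usage.cycles_per_year())


def mttfd_band(mttfd: float) -> str:
    """Band per ISO 13849-1 Table 5; below 3 years the component may not be used."""
    if mttfd < 3.0:
        return "below lower limit"
    if mttfd < 10.0:
        return "low"
    if mttfd < 30.0:
        return "medium"
    return "high"


if __name__ == "__main__":
    b10d = 2_000_000.0  # constructed: cycles until 10 % of samples failed dangerously
    # The two contactors from the text: one switching every 10 s, one once a day.
    fast = Usage(days_per_year=365, hours_per_day=24, seconds_per_cycle=10)
    slow = Usage(days_per_year=365, hours_per_day=24, seconds_per_cycle=86_400)
    for name, u in (("every 10 s", fast), ("once a day", slow)):
        m = mttfd_years(b10d, u)
        print(f"{name}: n_op={u.cycles_per_year():,.0f}/yr  MTTFd={m:,.1f} yr ({mttfd_band(m)})")
```

The same B10d value lands in the "low" band for the fast-cycling contactor and far above "high" for the daily one, which is why usage data must accompany any B10d figure.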


Electronic Technology: There are no physical wear-related moving parts. Given an operating environment commensurate with the specified electrical and temperature [etc.] characteristics, the predominant failure of an electronic circuit is proportional to the inherent reliability of its constituent components [or lack of it]. There are many reasons for individual component failure: imperfections introduced during manufacture, excessive power surges, mechanical connection problems, etc. In general, faults in electronic components are difficult to predict by analysis and they appear to be random in nature. Therefore testing of an electronic device under test laboratory conditions will not necessarily reveal typical long-term failure patterns.

In order to determine the reliability of electronic devices it is usual to use analysis and calculation. We can find good data for the individual components in reliability data handbooks. We can use analysis to determine which component failure modes are dangerous. It is acceptable and usual to average out the component failure modes as 50% safe and 50% dangerous. This normally results in relatively conservative data.

IEC 61508 provides formulae that can be used to calculate the overall probability of dangerous failure [PFH or PFD] of the device, i.e. the subsystem. The formulae are quite complex and take into account [where applicable] component reliability, potential for common cause failure [beta factor], diagnostic coverage [DC], functional test interval and proof test interval. The good news is that this complex calculation will normally be done by the device manufacturer. Both EN/IEC 62061 and EN ISO 13849-1 accept a subsystem calculated in this way to IEC 61508. The resulting PFHD can be used directly in either Annex K of EN ISO 13849-1 or the SISTEMA calculation tool.
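As an added example (not code from the catalog page, nor any manufacturer's tool), the parts-count step that precedes the IEC 61508 formulae: handbook failure rates are summed, the 50 % safe / 50 % dangerous averaging described above gives lambda_D, and the diagnostic coverage splits that into the detected and undetected rates the formulae consume. The bill of materials and its FIT rates are constructed, not handbook values.

```python
# Added example, not code from the catalog page: a parts-count estimate for a
# solid-state subsystem using the 50 % safe / 50 % dangerous averaging described
# above. The bill of materials and its FIT rates are constructed sample values, not
# handbook data; real figures come from the handbook chosen for the project.
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # one FIT = one failure per 1e9 device-hours

# (component, quantity, failure rate in FIT) -- constructed
SAMPLE_BOM = [
    ("microcontroller", 1, 50.0),
    ("optocoupler", 4, 20.0),
    ("resistor", 40, 0.5),
    ("ceramic capacitor", 12, 2.0),
]


def total_failure_rate(bom) -> float:
    """Lambda of the whole circuit in failures per hour (sum of quantity * rate)."""
    return sum(qty * rate for _, qty, rate in bom) * FIT


def dangerous_failure_rate(lam: float, dangerous_fraction: float = 0.5) -> float:
    """Lambda_D. The default 0.5 is the conservative even split; an FMEA may justify less."""
    if not 0.0 <= dangerous_fraction <= 1.0:
        raise ValueError("dangerous_fraction must be in [0, 1]")
    return lam * dangerous_fraction


def mttfd_years(lambda_d: float) -> float:
    """MTTFd = 1 / lambda_D, expressed in years for the ISO 13849-1 tables."""
    return 1.0 / (lambda_d * HOURS_PER_YEAR)


def split_by_dc(lambda_d: float, dc: float):
    """Detected and undetected dangerous rates for a diagnostic coverage DC (0..1);
    these are the lambda_DD / lambda_DU inputs the IEC 61508 formulae consume."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("dc must be in [0, 1]")
    return lambda_d * dc, lambda_d * (1.0 - dc)


if __name__ == "__main__":
    lam = total_failure_rate(SAMPLE_BOM)
    lam_d = dangerous_failure_rate(lam)
    dd, du = split_by_dc(lam_d, dc=0.90)
    print(f"lambda={lam:.3e}/h lambda_D={lam_d:.3e}/h MTTFd={mttfd_years(lam_d):,.0f} yr")
    print(f"with DC=90%: lambda_DD={dd:.3e}/h lambda_DU={du:.3e}/h")
```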


Software: Failures of software are inherently systematic in nature. Any failures are caused by the way it is conceived, written or compiled, so all failures stem from the system under which it is produced, not from its use. Therefore, in order to control the failures we must control that system. Both IEC 61508 and EN ISO 13849-1 provide requirements and methodologies for this. We do not need to go into detail here other than to say that they use the classic V model.

Figure 132: V Model for Software Development

Embedded software is an issue for the designer of the device. The usual approach is to develop embedded software in accordance with the formal methods explained in IEC 61508 part 3. When it comes to application code, the software that a user interfaces with, most programmable safety devices are provided with "certified" function blocks or routines. This simplifies the validation task for application code, but it must be remembered that the completed application program still needs to be validated. The way the blocks are linked and parameterized must be proved correct and valid for the intended task. EN ISO 13849-1 and IEC/EN 62061 both provide guidelines for this process.