Safety and functional safety
A general guide
This document is an informative aid only. The information and
examples given are for general use only. They do not describe
all the necessary details for implementing a safety system.
The manufacturer of the machinery always remains ultimately
responsible for the safety and compliance of the product.
ABB does not accept any liability for direct or indirect injury
or damage caused by the use of information contained in
this document. The manufacturer of the machinery is always
responsible for the safety of the product and its suitability under
applicable laws. ABB hereby disclaims all liabilities that may
result from this document.
2 Safety and functional safety | ABB brochure 1SFC001008B0201
Contents
Background.....................................................................................................................4
Introduction .....................................................................................................................5
Two new standards
ISO 13849-1 – for making machines safe ............................................................... 6-7
EN 62061 - for designing electrical safety systems ...................................................... 6-7
Meeting Machinery Directive requirements ........................................................ 8-9
Steps to meet the Machinery Directive requirements
Step 1: Assessment and risk reduction ................................................................ 10-11
Step 2: Establish safety requirements .................................................................. 12-13
Step 3: Implement functional safety ..........................................................................14
Step 4: Verify functional safety ............................................................................. 15-17
Step 5: Validate functional safety ...............................................................................18
Step 6: Document functional safety............................................................................18
Step 7: Prove compliance .............................................................................................18
Glossary ......................................................................................................................19
3 Safety and functional safety | ABB brochure 1SFC001008B0201
Background
Area of growing importance
This document helps specifiers, designers, manufacturers
and users of machinery, plus related personnel, gain a better
understanding of the requirements of the EU Machinery
Directive 2006/42/EC, and of the measures required to
conform with the directive and its harmonized standards.
National laws of the European Union require that machines meet
the Essential Health and Safety Requirements (EHSR) defined in
the Machinery Directive 2006/42/EC. Harmonized standards listed
under the Directive are one preferred way of showing compliance.
This means that all new machinery must fulfill the same legal
requirements when supplied throughout the EU. The same
standards are also recognized in many areas outside Europe, for
example, through equivalency charts, which facilitates machinery
trade and machine shipments between countries within and even
outside the EU.
Machine safety is one of the most rapidly growing areas of
importance in industrial automation. New and improved safety
strategies offer manufacturers a way of improving their productivity
and competitiveness in the market. Safety becomes an integrated
part of machine functionality, rather than after-thoughts added to
meet regulations.
4 Safety and functional safety | ABB brochure 1SFC001008B0201
Introdution
Safety and functional safety
Functional safety systems implemented through defined
processes and using certified sub-systems to achieve
specific safety performance are thus becoming a must in the
marketplace.
This general guide describes the standards that must be taken
into account when designing a machine in order to achieve functional safety. It explains, in general terms, the process for meeting
the requirements of the Machinery Directive 2006/42/EC and how
CE marking, which indicates that the machinery conforms to
these requirements, is attained.
In the context of this guide, the purpose of safety is to protect
people from harm. Functional safety achieves this via systems that
lower the probability of undesired events, thereby minimizing
mishaps.
Safety standards define safety as freedom from unacceptable
risk. The most effective way to eliminate risks is to design them
away. But as risk reduction by design is not always possible or
practical, safeguarding with static guards are often the next best
option, and for several reasons. Stopping a machine quickly and
safely, not only reduces risk but also increases machine uptime
and productivity compared with abrupt safety stops. At the same
time, the legal obligations are met and the safety of people and
the environment is ensured.
Functional safety in machinery usually means systems that safely
monitor and, when necessary, override the machine applications
to ensure safe operation. A safety-related system thus implements
the required safety functions by detecting hazardous conditions
and bringing operation to a safe state, by ensuring that a desired
action, e.g. safe stopping, takes place.
Safety system monitoring can include machine speed, direction
of rotation, stopping and standstill. When executing a safety
function, e.g. monitoring a crawl speed that deviates from the
expected value (i.e. is too fast), the safety system detects this
deviation and actively returns machine operation to a safe state
by, for example, stopping the machine safely and removing the
torque from the motor shaft.
Any failure in the safety system will immediately increase risks
related to machine operation.
Role of the Machinery Directive 2006/42/EC
The Machinery Directive, with the harmonized standards listed
under it, defines the Essential Health and Safety Requirements
(EHSR) for machinery at European Union level. The idea behind
the Machinery Directive is to ensure that a machine is designed
and constructed to be safe so that it can be used, configured and
maintained throughout all phases of its life, causing minimal risk to
people and the environment.
The EHSR state that machine manufacturers must apply the
following principles in the given order:
– Eliminate or minimize hazards as much as resonable
possible by considering safety aspects in machine design
and construction phases.
– Apply necessary protection measures against hazards
that cannot be eliminated.
– Inform users of the risks that remain despite all feasible
protection measures being taken, while specifying any
requirements for training or personal protective
equipment.
5 Safety and functional safety | ABB brochure 1SFC001008B0201
Two standards
Machine builders
ISO and IEC
EN ISO 13849-1
New Machinery
Directive
EN 62061
Transition period
EN 954-1
2005
Note: According to the
convention used in the
harmonized standards
list, EN ISO standards
are presented using the
‘ISO’ mark as well. EN IEC
standards are presented
without ‘IEC’, i.e. with EN
only. This document now
follows this convention.
Earlier Deadline
11/2006
Extended transition period
11/2009
12/2009
12/2011
Two new standards
Machine manufacturers implementing functional safety systems in compliance with the Machinery
Directive can follow one of two alternative European standards developed by the International
Organization for Standardization (ISO) the International Electrotechnical Commission (IEC). These are
designated EN ISO 13849-1 and EN 62061 respectively. EN 62061 is applicable only to electrical control
systems. Both replace the old standard EN 954-1, which will become obsolete on December 31, 2011,
after a 3+2-year allowable transition period. Furthermore, both fall under the basic safety of machinery
standards for risk-minimization (EN ISO 12100-1:2003) and risk-assessment in risk-reduction (EN ISO
14121-1:2007). Figure 1 illustrates this hierarchy.
The standards for electronic safety systems are formally designated as follows: EN ISO 138491:2008 (Safety of machinery – Safety-related parts of control system – General Principles for design),
EN 62061:2005 (Safety of machinery – Functional safety of safety-related electrical, electronic and
programmable electronic control systems). References to these standards in this document always
apply to the above-mentioned versions.
Note: A table explaining the
suitability of the two new
standards for designing
systems with particular
technologies can be found
in the standards.
Manufacturers can choose which – if any – of the two safety system standards to use (i.e. ISO 13849-1
or EN 62061). However, to ensure congruity, it is recommended to follow the same, chosen standard all
the way from beginning to end.
Following either standard leads to a very similar outcome and their resulting safety integrity levels (SIL)
and performance levels (PL) are comparable (see Table 7). This document includes safety performance/
integrity examples for both standards.
ISO 13849-1 – for making machines safe
ISO 13849-1 provides instructions to designers to make machines safe. These instructions include
recommendations for system design, integration and validation. The standard can be used for the
safety-related parts of control systems and various kinds of machinery, regardless of the technology
or energy source used. It also includes special requirements for safety-related parts that have
programmable electronic systems. This standard thus covers the entire safety function for all included
devices (i.e. a complete safety chain such as sensor-logic-actuator).
Fig. 1.
Basic concepts
and terminology:
EN ISO 12100
Risk assessment
ISO 14121-1
6 Safety and functional safety | ABB brochure 1SFC001008B0201
Standard for creating safety
system: EN 62061
Standard for creating safety
system: EN ISO 13849-1
Process
for creating
safety system
1. Safety system
2. Safe Machine
3. CE marking
Performance Level (PL)
ISO 13849-1 defines how to determine the required Performance Level (PL) and how to verify the
achieved PL within a system. PL describes how well a safety system is able to perform a safety
function under foreseeable conditions. Five possible PLs are available: a, b, c, d and e. PL ‘e’ has the
highest safety reliability, PL ‘a’ the lowest. See the example on page 13.
EN 62061 – for designing electrical safety systems
EN 62061, a machine-sector-specific standard within the IEC 61508 framework, is the standard
for designing electrical safety systems. It includes recommendations for the design, integration and
validation of safety-related electrical, electronic and programmable electronic control systems for
machinery.
EN 62061 also covers the entire safety chain, e.g. sensor-logic-actuator. As long as the entire safety
function fulfills the defined requirements, individual sub-systems need not be certified.
Note: Unlike ISO 13849-1,
EN 62061 does not cover
requirements for nonelectrical safety-related
control equipment for
machinery.
Safety Integrity Level (SIL)
EN 62061 defines how to determine the Safety Integrity Level (SIL). SIL represents the reliability
of safety functions. Four SIL levels are possible: 1, 2, 3, and 4. ‘SIL 4’ is the highest level of safety
integrity and ‘SIL 1’ the lowest. Only levels 1-3 are used in machinery. See the example on page 12.
7 Safety and functional safety | ABB brochure 1SFC001008B0201
Meeting Machinery Directive requirements
The Machinery Directive 2006/42/EC requires machinery to be safe. However, as zero risk can
never be achieved in practice, the key objective is to minimize risk. Compliance with this goal can be
achieved:
– By meeting the requirements set by the harmonized standards, or
– By having a machine acceptance investigation carried out by an authorized third party.
Achieving and managing functional safety
Achieving functional safety that fulfills the EHSR of the Machinery Directive, i.e. the first of the above
alternatives, involves several steps, all of which must consider the system as a whole as well as the
environment with which it interacts. These steps include risk assessment, identification of required
safety functions risk reduction through implementing the safety function, and ensuring that the safety
function performs as intended.
All functional safety activities must be managed during the lifecycle of the machine. A project
management and quality management system specified in the form of a safety plan will help meet
these goals.
Note: Unlike EN 62061,
ISO 13849-1 does not
specify the safety plan
activities listed above.
However, similar activities
are needed to fully meet
the requirements of the
Machinery Directive.
Safety plan
A safety plan for meeting the requirements of the Machinery Directive is specified in EN 62061.
It identifies all relevant activities, describes the policy and strategy for fulfilling functional safety
requirements, identifies responsibilities, identifies or establishes procedures and resources for
documentation, describes a strategy for configuration management, and includes plans for
verification and validation. This plan needs to be designed and documented for each safety system,
and updated when necessary.
When a safety plan according to EN 62061 has been created, the more practical aspects can begin.
These follow the step-by-step procedure summarized in Table 1, starting with risk assessment and
reduction.
Table 1. Steps to meet Machinery Directive requirements for functional safety. Each of these seven
steps is explained in more detail below.
Table 1.
Step
Task
Step 1: Assessment and risk reduction
Analyze risks and evaluate how to eliminate or minimize them (3 steps
strategy see EN ISO 12100-1)
Step 2: Establish safety function requirements
Define what functionality and safety performance is needed to eliminate the risk or reduce it to an acceptable level.
Step 3: Implement functional safety
Design and create the safety system functions
Step 4: Verify functional safety
Ensure that the safety system meets the defined requirements
Step 5: Validate functional safety
Return to risk assessment and ensure that the safety system actually
succeeds in reducing risks as specified
Step 6: Document functional safety
Document the design and produce user-documentation
Step 7: Prove compliance
Prove the machine‘s compliance with EHSR of the Machinery Directive
through compliance assessments and technical file
8 Safety and functional safety | ABB brochure 1SFC001008B0201
9 Safety and functional safety | ABB brochure 1SFC001008B0201
Step 1: Assessment and risk reduction
Risk assessment
Risk assessment is a process that analyzes and evaluates risks, which are regarded as a combination
of the consequence of harm and the probability of the harm occurring when exposed to a hazard.
According to the new Machinery Directive 2006/42/EC, it is mandatory to perform a risk assessment
for a machine, and the results must be taken into account when designing a machine.
Any risk considered ‘high’ must be reduced to an acceptable level via design changes or by applying
appropriate safety measures. The assessment process helps machinery designers design inherently
safe machinery. Assessing risks at the design phase is very important as it is generally more effective
than providing user instructions on how to operate the equipment safely. Risk assessment according
to ISO 12100-1 (the safety of machinery standards for risk-minimization, see Fig. 1) consists of two
parts: risk analysis and risk evaluation. Risk analysis means identifying and estimating the risks, risk
evaluation means deciding whether the risk is acceptable, or if risk reduction is necessary.
Risk evaluation thus depends on the results of the risk analysis. Similarly, decisions regarding the
necessity of risk reduction are made according to the risk evaluation procedure. Note that risk
evaluation must be carried out separately for each identified hazard.
Fig. 2 outlines the risk analysis and evaluation steps according to ISO 14121-1, the safety of
machinery standards for risk-assessment in risk-reduction (see Fig. 1).
Fig 2. Risk assessment and
evaluation according to ISO
14121-1. Always document
this process and its results
for each individual hazard.
The limits of the machine referred to in Fig. 2 include limits of use, spatial limits, ambient or
environmental limits, and lifetime limits. Estimating risk severity covers its potential consequences,
while risk probability covers frequency, probability and avoidance.
If the outcome of the risk analysis and evaluation outlined in Fig. 2 is YES, the risk reduction target is
considered met and the risk process ends. In the latter case, the machine has reached the adequate
level of safety required by the Machinery Directive.
If the outcome is NO, i.e. the risk remains unacceptable, apply risk reduction measures and then
return to step 2 in the risk analysis.
Fig. 2.
Risk assessment and evaluation
1. Determine limits/intended use of the
machine
2. Identity hazards
3. Estimate risks on at a time
- Severity and Probability
4. Evaluate the risk. Risk low enough?
No
Yes
End
10 Safety and functional safety | ABB brochure 1SFC001008B0201
Risk reduction
The most effective way to minimize risks is to eliminate them in the design phase, for example, by
changing the machine design or work process.
However, if this is not possible, reduce risks and ensure conformance in accordance with the
Machinery Directive requirements by applying the harmonized standards under it. ISO 12100-1
divides the method for risk reduction into three main steps:
– Inherently safe design measures (creating a safer design, changing the process).
– Safeguarding and complementary protective measures (safety functions, static guarding).
– Information for use (warning signs, signals and devices on the machine and in the operating
instructions, protective measures taken by the user for example training).
Machine users/organizations
are a valuable source
of safety feedback and
designers should seek
their input when defining
protective measures.
Fig. 2 illustrates this three-step risk-reduction workflow.
Fig. 2 Risk reduction according to ISO 12100-1. Always document residual (remaining) risks in the
operating instructions.
The latter aspect (information on use) is called residual risk management. Residual risk is the risk
that remains when all protective measures have been considered and implemented. Technology
measures alone are never able to achieve a state of zero risk, hence some residual risk always
remains. These risks must be documented in the operating instructions.
Machine-users and organizations have an important role to play in risk reduction and are generally
provided with relevant information by the machine designer (manufacturer). Reduction measures
commonly undertaken by an organization include:
– Introducing safe working procedures, work supervision and permit-to-work systems.
– Provision and use of additional safeguards.
– Use of personal protective equipment.
– User training.
– Ensuring that operating and safety instructions are read and acted on.
When the risk reduction has been executed, it must be examined to ensure that the measures taken
were adequate for reducing the risk to an appropriate level. Repeat the risk assessment process to
achieve this.
Risk reduction 3-step method
1. Risk reduction by design and safety?
Yes
No
2. Risk reduction by functional safety?
Yes
No
3. Risk reduction by process and information?
No
Yes
End
11 Safety and functional safety | ABB brochure 1SFC001008B0201
Step 2: Establish safety requirements
Safety functions
A safety function is a function of a machine whose failure can result in an immediate increase in
risk. Simply put, it is a measure taken to reduce the likelihood of an unwanted event occurring and
exposing a hazard. A safety function is not part of machine operation: if such a function fails, the
machine can still operate normally, but the risk of injury from its operation increases.
Defining a safety function is a key issue. This always includes two components:
– Action (what must be done to reduce the risk).
– Safety performance (SIL or PL – Safety Integrity Level and Performance Level respectively).
Additional safeguarding needs
to be specified once the risk
reduction that can be achieved
via design changes has been
obtained. This additional
risk reduction measure uses
functional safety solutions.
Note: A safety function must be
specified, verified (functionality
and safety performance) and
validated separately for each
identified hazard.
Table 2. SIL assignment table
showing the procedure to
follow when determining safety
integrity. The overall result of
the above example is SIL 2.
Example of a safety function:
Hazard: An exposed rotating shaft may cause injury if a person gets too close.
Action: To prevent personal injury, the motor must stop within one (1) second from opening the safety
gate. After the safety function that executes the action has been identified, its required safety level is
determined as described below. This completes defining the safety function.
Safety performance/integrity
Safety integrity measures the performance of a safety function. It helps quantify the likelihood of
the safety function being achieved when requested. The required safety integrity for a function is
determined during risk assessment and is represented by the achieved SIL or PL, depending on the
standard used. SIL and PL use different evaluation techniques for a safety function, but their results
are comparable and the terms and definitions are similar for both.
How to determine the required SIL (EN 62061)
This process is as follows:
1. Determine the severity of the consequence of a hazardous event.
2. Determine the point value for the frequency and duration the person is exposed to harm.
3. Determine the point value for the probability of the hazardous event occurring when exposed
to it.
4. Determine the point value for the possibility of preventing or limiting the scope of the harm.
Table 2.
Probability of occurence of harm
Fr
Pr
Frequency, duration
Probability of hazardous event
<= hour
5
Av
Very high
Avoidance
5
> 1h <= day
5
Likely
4
> day <= 2 wks
4
Possible
3
Impossible
5
> 2 wks <= 1 yr
3
Rarely
2
Possible
3
> 1 yr
2
Negligible
1
Likely
1
Total: 5 + 3 + 3 = 11
Severity of harm
SIL Class
Se
Class CI
Consequences (severity)
Death, losing an eye or arm
4
Permanent, losing fingers
3
Reversible, medical attention
2
Reversible, first aid
1
3-4
5-7
8-10
11-13
14-15
SIL2
SIL2
SIL2
SIL3
SIL3
SIL1
SIL2
SIL3
SIL1
SIL2
Other measures
SIL1
SIL2 safety function is required.
12 Safety and functional safety | ABB brochure 1SFC001008B0201
Example:
Table 2 shows a SIL assignment table containing parameters used in determining the point values in
the example of a hazard analysis carried out for an exposed rotating shaft.
–
–
–
–
–
A person is exposed to the hazard several times a day. Frequency (Fe) is thus high = 5.
It is possible that the hazard will take place. Therefore probability (Pr) = 3.
The hazard can be avoided, so avoidance (Av) = 3.
The sum of Fe, Pr and Av (5 + 3 + 3) = 11.
The determined consequence of the hazard is permanent injury, possibly loss of fingers.
Hence severity (Se) = 3.
How to determine the required PL (ISO 13849-1)
PL is an alternative parameter to SIL. To determine the required PL, select one of the alternatives
from the following categories and create a ‘path’ to the required PL in the risk graph (Fig. 3), which
lists the resulting performance level as a, b, c, d or e.
Determine the severity of injury/damage:
– S1 Slight, usually reversible injury
– S2 Severe, usually irreversible injury, including death
Determine the frequency and duration of exposure to the hazard:
– F1 Rare to often and/or short exposure
– F2 Frequently to continuous and/or long exposure
Determine the possibility of preventing the hazard or limiting the damage caused by the hazard:
– P1 Possible under certain conditions
– P2 Hardly possible
Example:
Hazard analysis for an exposed rotating shaft.
– The consequence is severe, irreversible injury. Severity = S2.
– A person is exposed several times a day. Frequency = F2.
– It is possible to avoid or limit the harm caused. Possibility =P1.
The overall result as read from
Table 2 is SIL 2.
The tables used for determining
these points are presented
in the standard. After the
required SIL has been defined,
implementation of the safety
system can begin (see Step 3:
Implement functional safety).
Fig. 3 PL risk graph showing
the procedure to follow when
determining safety performance
level. The overall result of the
above example is PL d.
The path leads to the Required PL (PLr) value d.
As with SIL, the tables used to determine the points are presented in the standard. Similarly, once the
PLr has been defined, implementation of the safety system can begin.
Fig 3.
13 Safety and functional safety | ABB brochure 1SFC001008B0201
Step 3: Implement functional safety
To construct a safety function, design it to meet the required SIL/PL specified in step 2: Establish
safety requirements. Using certified sub-systems when constructing functional safety systems could
save safety system designers a lot of work. For example, implementing safety functions is more
convenient when certain safety and reliability calculations are already made and the sub-systems are
certified.
Implementation and verification processes are iterative and run parallel with each other. Use
verification as a tool during implementation to ensure that the defined safety level is reached with the
implemented system. For more information on verification, see Step 4: Verify functional safety. Several
calculation software programs for verifying functional safety systems are available. These programs
make creating and verifying the system more convenient.
Note: If certified sub-systems
are not used, it may be
necessary to carry out safety
calculations for each subsystem. Standards EN 62061
and ISO 13849-1 include
information on the process and
calculation parameters needed.
Note: To fulfill the EHSR set
by the Machinery Directive, all
sub-systems of a functional
safety system must meet at
least the required SIL/PL value
of the system.
The general steps for implementing a functional safety system include:
1. Defining the safety requirements as SIL or PL according to standard EN 62061 or EN ISO
13849-1.
2.
Selecting the system architecture to be used for the safety system. ISO 13849-1 and EN 62061
standards offer basic architectures with calculation formulas.
Determine category B, 1, 2, 3 or 4 as presented in ISO 13849-1, or designated architecture A,
B, C or D as presented in EN 62061. Do this for the sub-systems and the whole system. For
more information on designated architectures, see the respective standards.
3.
Constructing the system from safety-related sub-systems – sensor/switch, input, logic, output
and actuator.
Use either certified sub-systems (strongly recommended) or perform safety calculations for each
sub-system. Add together the sub-system safety levels to establish the safety level of the complete system. Fig. 4 shows the structure of a safety function.
4.
Installing the safety system. The system needs to be installed properly to avoid common failure
possibilities due to improper wiring, environmental, or other such factors. A safety system that
does not perform correctly due to careless installation is of little use. It may even pose a risk in
itself.
Fig. 4
14 Safety and functional safety | ABB brochure 1SFC001008B0201
Step 4: Verify functional safety
Step 4: Verify functional safety
Verifying safety system SIL (EN 62061)
Verify safety integrity levels by showing that the safety performance of the created safety function,
i.e. its reliability, is equal to or greater than the required performance target set during risk evaluation.
Certified sub-systems are again recommended because their manufacturer has already defined
values for determining systematic safety integrity (SILCL) and random hardware safety integrity
(PFHd) for them.
To verify the safety system SIL where certified sub-systems are used:
1. Determine the systematic safety integrity for the system using SIL Claim Limit (SILCL) values
defined for the sub-systems.
SILCL represents the maximum SIL value for which the sub-system is structurally suitable. SILCL
is an indicator for determining the achieved SIL: the SILCL of the whole system can not be
higher than the SILCL for the lowest sub-system.
2.
Calculate the random hardware safety integrity for the system using Probability of a dangerous
Failure per Hour (PFHd) values defined for the sub-systems. PFHd is the random hardware failure
value that is used for determining the SIL. Manufacturers of certified sub-systems usually provide
PFHd values for their systems.
3.
Use the Common Cause Failure (CCF) checklist to make sure that all necessary aspects of creating the safety systems have been considered. CCF checklist tables can be found in EN 62061
standard, Annex F.
4.
Calculate the points according to the list and compare the overall score to the values listed in the
standard EN 62061 Annex F, Fig. 6 and Table 4 results in the CCF factor (β). This value is used
to estimate the probability value of PFHd.
5.
Determine the achieved SIL from Table 3.
15 Safety and functional safety | ABB brochure 1SFC001008B0201
Example:
Verifying SIL for the rotating shaft functional safety system
(Fig. 5).
Fig. 5
Systematic safety integrity:
SILCLsys ≤ (SIL CLsub-system)lowest -> SIL Claim Limit 2
Random hardware safety integrity:
PFHd = PFHd1+PFHd2+PFHd3 = 2.5 x 10-7 < 10-6
The system meets SIL 2 according to Table 3.
Table 3. Determine SIL according to the PFHd value obtained
from the whole safety system. In the above example, the system
meets SIL 2.
Table 3. High demand mode values shown here.
SIL
SIL 1
SIL 2
SIL 3
Probability of dangerous failures per hour (1/h)
≥ 10-6 up to < 10-5
≥ 10-7 up to < 10-6
≥ 10-8 up to < 10-7
Verifying safety system PL (ISO 13849-1)
To verify performance level, establish that the PL of the
corresponding safety function matches the required PLr.
If several sub-systems make up one safety function, their
performance levels must be equal to or greater than the
performance level required for the safety function. Certified subsystems are recommended as the safety performance values will
have already been defined for them.
b
To verify the PL of a safety system where certified subsystems are used:
Determine the system’s susceptibility to Common Cause Failure
Low
(CCF) using the CCF checklist. The required minimum score is
65 points. (CCF checklist tables can be found in ISO 13849Medium 1:2008 standard, Annex I).
c
High
Fig. 6
PL
a
d
e
Cat. B
Cat. 1
Cat. 2
Cat. 2
Cat. 3
Cat. 3
Cat. 4
DCavgnone DCavgnone DCavglow DCavgmedium DCavglow DCavgmedium DCavghigh
MTTFd: Low 3 years ≤ MTTFd < 10 years
Medium 10 years ≤ MTTFd < 30 years
Determine the achieved PL with the bar graph utilizing the
established:
– Category
– Mean Time To dangerous Failure (MTTFd)
– Diagnostic Coverage (DC)
MTTFd is the average time it takes for a dangerous failure to
occur. DC represents the number of dangerous failures that can
be detected by diagnostics. More information on calculation
details can be found in the ISO 13849-1 standard.
High 30 years ≤ MTTFd ≤ 100 years
Enter the resulting values into the PL graph diagram (Fig. 6),
from which the resulting PL can be determined.
Note: Channel MTTFd can only be
up to 100 years. Single component
(subsystem) MTTFd can be higher
16 Safety and functional safety | ABB brochure 1SFC001008B0201
Example of verifying PL:
Verifying the rotating shaft functional safety system (Fig. 6).
Fig. 6. Verifying PL for the rotating shaft example. In the above
example, the system meets PL d.
To achieve the PLr defined in the earlier example:
– The designated architecture is in Category 3.
– MTTFd value is high.
– DC average value is low.
Table 4. Determine PL according to PFHd value
PL
a
b
c
d
e
Probability of dangerous failures per hour (1/h)
≥ 10-5 up to < 10-4
≥ 3 x 10-6 up to < 10-5
≥ 10-6 up to < 3 x 10-6
≥ 10-7 up to < 10-6
≥ 10-8 up to < 10-7
Table 5. Comparing SIL and PL values
The system thus meets PL value d according to Fig. 6. Table 4
shows how to determine PL according to PFHd value obtained
for the whole safety system. The result (d) is the same.
Comparing SIL and PL values
Although the methods of evaluation between the two standards
differ, the results can be compared on the basis of random
hardware failure, as Table 5 shows.
Safety integrity level SIL
no correspondence
SIL 1
SIL 1
SIL 2
SIL 3
Performance level PL
a
b
c
d
e
17 Safety and functional safety | ABB brochure 1SFC001008B0201
Steps 5, 6 and 7
Step 5: Validate functional safety
Each safety function must be validated to ensure that it reduces risk as required/defined in Step 1:
Assess and reduce risks.
To determine the validity of the functional safety system, inspect it against the risk assessment
process carried out at the beginning of the procedure for meeting the EHSR of the Machinery
Directive. The system is valid if it truly reduces the risks analyzed and evaluated in this process.
Step 6: Document functional safety
Before the machine can fulfill the requirements of the Machinery Directive, its design must be
documented and relevant user documentation produced.
Documentation needs to be carefully produced. It has to be accurate and concise, but at the
same time informative and easy for the user to understand. User documentation must document
all residual risk and contain proper instructions on how to operate the machine safely. It must be
accessible and maintainable. User documentation is delivered with the machine.
For more information on the
documentation required and its
nature, see the EHSR in Annex
I of the Machinery Directive.
Step 7: Prove compliance
Before a machine can be placed on the market, the manufacturer must ensure that the EHSR are
fulfilled and presumption is given by conformance with harmonized standards. It must also be proved
that the combination of the safety-related parts meets the defined requirements for each safety
function.
To prove conformance with the Machinery Directive, it must be shown that:
– The machinery fulfills the relevant Essential Health and Safety Requirements (EHSR) defined
in the Machinery Directive.
– The machinery fulfills the requirements of other Directives related to it.
(Conformity with both above requirements can be ensured by following the relevant
harmonized standards.)
– The technical file is up-to-date and available.
– The technical file demonstrates that the machine is in accordance with the regulations
presented in the Machinery Directive.
– Conformity assessment procedures have been applied. (Special requirements for machines
listed in the Machinery Directive’s Annex IV are met where appropriate.)
– The EC declaration of conformity has been produced and is delivered with the machine.
The technical file should cover the design, manufacture and operation of the machinery in so far as
necessary to demonstrate compliance. For more information on the contents of the technical file, see
Annex VI of the Machinery Directive 98/37/EC, or Annex VII of the new Machinery Directive 2006/42/
EC after the new directive is applicable.
Once conformity has been established, a CE marking is affixed. Machinery that carries CE markings
and is accompanied by an EC declaration of conformity is presumed to comply with the requirements
of the Machinery Directive.
18 Safety and functional safety | ABB brochure 1SFC001008B0201
Glossary
CE marking
CE marking shall mean a marking by which the manufacturer
indicates that the product is in conformity with the applicable
requirements set out in Community harmonisation legislation
providing for its affixing; (NLF R1 16)
CCF, Common Cause Failure
A situation where several sub-systems fail due to a single
event. All failures are caused by the event itself and are not
consequences of each other.
DC, Diagnostic Coverage
The effectiveness of fault monitoring of a system or sub-system. It
is the ratio between the failure rate of detected dangerous failures
and the failure rate of total dangerous failures.
EHSR, Essential Health and Safety Requirements
Requirements that machinery must meet in order to comply
with the European Union Machinery Directive and thereby obtain
CE marking. These requirements are listed in the Machinery
Directive’s Annex I.
EN
Stands for European Standard (‘EuroNorm’).
Functional safety
Functional safety is part of the overall safety that depends on a
system or equipment operating correctly in response to its inputs.
Harm
Physical injury or damage to health.
Harmonized standard
‘harmonised standard’ shall mean a standard adopted by one of
the European standardisation bodies listed in Annex I to Directive
98/34/EC on the basis of a request made by the Commission in
accordance with Article 6 of that Directive; (NLF R1 9)
ISO, International Organization for Standardization
A worldwide federation of national standards member bodies.
www.iso.org
MTTFd, Mean Time To dangerous Failure
Expectation of the average time for a dangerous failure to occur.
PFHd, Probability of dangerous Failure per Hour
Average probability of dangerous failure taking place during one
(1) hour. PFHd is the value that is used for determining the SIL or
PL value of a safety function.
PL, Performance Level
Levels (a, b, c, d, e) for specifying the capability of a safety system
to perform a safety function under foreseeable conditions.
PLr
Required Performance Level (based on risk evaluation).
Risk
A combination of how possible it is for the harm to happen and
how severe the harm would be.
Safety
This is freedom from unacceptable risk of physical injury or of
damage to the health of people, either directly, or indirectly as a
result of damage to property or to the environment.
Safety function
A function designed for adding safety to a machine whose failure
can result in an immediate increase in risk(s).
SIL, Safety Integrity Level
Levels (1, 2, 3, 4) for specifying the capability of an electrical safety
system to perform a safety function under foreseeable conditions.
Only levels 1-3 are used in machinery.
SILCL, SIL Claim Limit
Maximum Safety Integrity Level (SIL) that can be claimed for an
electrical safety system, taking account of architectural constraints
and systematic safety integrity.
Hazard
Potential source of harm.
IEC, International Electrotechnical Commission
A worldwide organization for standardization that consists of
national electrotechnical committees.
www.iec.ch
Sub-system
A component of a safety function that has its own safety level
(SIL/PL) that affects the safety level of the whole safety function.
If any of the sub-systems fail, the whole safety function fails.
Other references:
Technical guide No.10
Safety Handbook
Approach to Functional Safety and reliability Electromechanical and electrical components
Functional Safety and reliability data
Doc.No: 3AVA000048753 rev.B
Doc.No: 1SAC103201H0201
Doc.No: 2CMT002568
Doc.No: 2CMT00254
19 Safety and functional safety | ABB brochure 1SFC001008B0201
Contact us
www.abb.com/drives
www.abb.com/lowvoltage
www.abb.com/motors&generators
www.abb.com/plc
www.abb.com
© Copyright 2010, All rights reserved. Specification subject to change without notice. 1SFC001008B0201, February 2010 Prod ABB AB, Cewe Control/XM