1013 OSHA (職安署) & Industrial Safety Association (工安協會) - ISO 13849-1: Design of safety-related control systems for industrial machinery
ISO 13849-1
Alex Cheng
Assistant Manager
Tel: +886 2 2172 1565
Mail: alex.cheng@tuv.com
CEN
• Functional safety (FS) and performance level (PL)
• Safety-related parts of control systems (SRP/CS)
• Category
• Mean time to dangerous failure (MTTFD)
• Diagnostic coverage (DC)
• Common cause failure (CCF)
• Performance level (PL)
• EN 954-1 (the predecessor standard, replaced by EN ISO 13849-1)
What is the safety standard EN ISO 13849-1?
Functional safety (FS) and performance level (PL)
• IEC 61508 is the basic functional safety standard for electrical, electronic and programmable electronic (E/E/PE) systems, applicable across all industry sectors.
(Figure: IEC 61508 as the basic functional safety standard, with ISO 13849-1 as the machinery-sector standard; not reproduced.)
Step 1: Risk assessment (from the intended use, the degree of the possible injury, the frequency of access, and the possibility of avoiding the hazard).
Step 2: Define the safety functions of the safety-related parts of the control system (start/stop, safeguarding, hold-to-run control, emergency stop, prevention of unexpected start-up, safety functions required by the C-type standard, etc.).
Step 4: Check the construction of the SRP/CSs and make sure of the input, logic and output (I, L and O) of each channel, including the monitoring.
Performance level (PL): five discrete levels, from PL a (lowest) to PL e (highest).
The required performance level (PLr) is derived from the risk assessment of EN ISO 12100 and determined according to EN ISO 13849-1.
Example: Machining Center (figure not reproduced)
How to define the required performance level (PLr)?
Risk-graph examples (figures not reproduced): two cases giving PLr = b and two cases giving PLr = d.
How to define the PLr? Example: safety functions of personal care robots

Clause            Type 1.1  Type 1.2  Type 2.1  Type 2.2  Type 2.3  Type 2.4  Type 3.1  Type 3.2
6.2.2.2           d         d         c         d         c         d         d         d
6.2.2.3           b         d         b         d         b         c         c         e
6.3, 6.5.3        b (*d)    d         b         d         a         d         N/A       e
6.4               b         d         b         b         b         d         c         e
6.7               b         d         b (*)     e (*d)    a         b (*d)    N/A       N/A
6.5.2.1, 6.5.2.2  b         d         N/A       N/A       b         d         N/A       e (*)
6.6, 6.7          b         d (*e)    N/A       c         b         d (*e)    b (*c)    d (*e)
Further examples (figures not reproduced): one case giving PLr = d and three cases giving PLr = c.
MTTFD: mean time to dangerous failure, i.e. the lifetime of the components and of the system.
  MTTFD is rated as low, medium or high.
DC: diagnostic coverage, i.e. the monitoring (failure detection) of the components and of the system.
  DCavg is rated as none, low, medium or high.
CCF: common cause failure, i.e. the safety design of the SRP/CS (reliability of the design).
  CCF score ≥ 65: Yes; CCF score < 65: No.
Category B
• The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and use basic safety principles for the specific application.
• The SRP/CS shall withstand the expected operating stresses, the influence of the processed material, vibration, EMC, power interruptions, etc.
• The MTTFD of each channel shall be “low to medium”; DCavg and CCF are not relevant.
• The maximum PL achievable with category B is PL = b.
Category 1
• SRP/CS of category 1 shall be designed and constructed using well-tried components and well-tried safety principles (see ISO 13849-2).
• NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well-tried”.
• When a fault occurs it can lead to the loss of the safety function. However, the MTTFD of each channel in category 1 is higher than in category B. Consequently, the loss of the safety function is less likely.
• The MTTFD of each channel shall be “high”; DCavg and CCF are not relevant.
• The maximum PL achievable with category 1 is PL = c.
What is a “well-tried” component? (see ISO 13849-2:2012)
What are “well-tried safety principles”? (see ISO 13849-2:2012)
Example circuit of Category 1 (figure not reproduced)
Category 2
• SRP/CS of category 2 shall be designed and constructed using well-tried safety principles (see ISO 13849-2).
• SRP/CS of category 2 shall be designed so that their safety function(s) are checked at suitable intervals, at “machine start-up” and at “new cycle start”.
• The initiation of this check may be automatic. The check function shall allow machine operation if no faults have been detected, or generate an output of the test equipment (OTE) that initiates a control action if a fault is detected.
• For PLr up to and including PLr = c, whenever practicable the output (OTE) shall initiate a safe state which is maintained until the fault is cleared. When this is not practicable (e.g. welding of a contact in the final switching device) it may be sufficient for the OTE to provide a warning.
• For PLr = d the output (OTE) shall initiate a safe state which is maintained until the fault is cleared.
• The check itself shall not lead to a hazardous situation (e.g. due to an increase in response time). The test equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.
• The MTTFD of each channel shall be “low to high”, the DCavg shall be “low” and CCF shall be “Yes”.
• The maximum PL achievable with category 2 is PL = d.
Can category 2 be implemented in a single integrated circuit?
• As it is not possible to exclude faults that can cause the malfunction of an integrated circuit (see Tables D.20 and D.21), a single fault can lead to loss of a safety function (including its check/test) implemented in a single integrated circuit. Consequently, it is highly unlikely that the multi-channel functionality necessary for the fault tolerance and/or detection requirements of category 2, 3 or 4 can be achieved using a single integrated circuit, unless it satisfies the special architecture requirements of IEC 61508-2:2010, Annex E.
Category 3
• SRP/CS of category 3 shall be designed and constructed using well-tried safety principles (see ISO 13849-2).
• SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
• Single fault detection does not mean that all faults will be detected (the DC will be low).
• When the single fault occurs the safety function is always performed.
• Accumulation of undetected faults can lead to the loss of the safety function.
• The MTTFD of each channel shall be “low to high”, the DCavg shall be “low” and CCF shall be “Yes”.
Example circuit of Category 3 (figures not reproduced)
Robot example:
• EN ISO 10218 requires a performance level (PL) according to EN ISO 13849-1 clause 4.5.1, or a safety integrity level (SIL) according to IEC 62061 clause 5.2.4.
• Structure: Input >> Logic >> Output
• EN ISO 13849-1 category 3, PLr = d, or IEC 62061 SIL 2
• IEC 60204-1 stop category 0 or 1
Robot example: ISO 10218-1 (industrial robots, part 1) and ISO 13855 (positioning of safeguards)
Robot example: Category 3 (ISO 13849-1 category 3, PLr = d, or IEC 62061 SIL 2)
a) a single fault in any of these parts does not lead to the loss of the safety function;
b) whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function;
c) when the single fault occurs, the safety function is always performed and a safe state shall be maintained until the detected fault is corrected; and
Robot example: Category 3, robot controller (figure not reproduced)
Safety functions of IEC 61800-5-2, [SOS] safe operating stop (figure from SIEMENS, not reproduced)
Category 4
• SRP/CS of category 4 shall be designed and constructed using well-tried safety principles (see ISO 13849-2).
• SRP/CS of category 4 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
• If this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.
• When the single fault occurs the safety function is always performed.
• All faults will be detected in time to prevent the loss of the safety function.
• Accumulation of undetected faults is taken into account.
• In practice, the consideration of a combination of two faults may be sufficient.
• The MTTFD of each channel shall be “high”, the DCavg shall be “high” and CCF shall be “Yes”.
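The category 2 test-equipment behaviour (OTE reaction depending on PLr) and the category 3/4 single-fault requirements above can be made concrete with a small behavioural model. This is an added example, not code from the presentation or from the standard: a channel is reduced to one contact whose only modelled fault is "stuck closed" (dangerous, since the contact can then no longer remove power); Cat2 is one channel checked by test equipment at start-up / new cycle start, Cat3 is two channels compared against each other at every demand. Class, method and scenario names are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class Contact:
    """One switching element of a channel. 'stuck_closed' is the dangerous
    fault: the contact can no longer open to remove power (constructed model)."""
    stuck_closed: bool = False

    def opens_on_demand(self) -> bool:
        return not self.stuck_closed


@dataclass
class Cat2:
    """Category 2: one functional channel plus test equipment. The function is
    only checked at 'machine start-up' / 'new cycle start'; between two checks
    an undetected dangerous fault defeats a demand."""
    plr: str                              # required PL of the safety function
    safe_state_practicable: bool = True   # False e.g. if the final switching device may weld
    contact: Contact = field(default_factory=Contact)
    ote: str = "none"                     # output of test equipment: none / safe_state / warning

    def test(self) -> str:
        """Check run at start-up or new cycle start; returns the OTE reaction."""
        if not self.contact.opens_on_demand():
            # PLr = d: safe state always; PLr <= c: safe state when practicable,
            # otherwise a warning is accepted
            if self.plr == "d" or self.safe_state_practicable:
                self.ote = "safe_state"   # maintained until the fault is cleared
            else:
                self.ote = "warning"
        return self.ote

    def demand(self) -> str:
        """A demand on the safety function (e.g. a guard is opened)."""
        if self.ote == "safe_state":
            return "safe"                 # machine already held in the safe state
        return "safe" if self.contact.opens_on_demand() else "LOST"

    def clear_fault(self) -> None:
        self.contact.stuck_closed = False
        self.ote = "none"


@dataclass
class Cat3:
    """Category 3: two channels, each able to remove power on its own. Cross
    monitoring compares the channels at every demand, so a single fault does
    not lose the safety function and is detected at or before the next demand.
    A second fault accumulating before repair does lose it."""
    ch1: Contact = field(default_factory=Contact)
    ch2: Contact = field(default_factory=Contact)
    fault_detected: bool = False

    def demand(self) -> str:
        opened = (self.ch1.opens_on_demand(), self.ch2.opens_on_demand())
        if opened[0] != opened[1]:
            self.fault_detected = True    # discrepancy: lock out until repaired
        return "safe" if any(opened) else "LOST"

    def restart_allowed(self) -> bool:
        return not self.fault_detected


def scenario_cat2(plr: str, practicable: bool) -> list:
    """A fault appears after the last check, then a demand, then the next check,
    then another demand. Returns the observed outcomes in order."""
    sf = Cat2(plr=plr, safe_state_practicable=practicable)
    sf.test()                              # start-up check, contact still healthy
    sf.contact.stuck_closed = True         # dangerous fault during operation
    first = sf.demand()                    # demand before the next check
    reaction = sf.test()                   # new cycle start: test equipment reacts
    second = sf.demand()
    return [first, reaction, second]


def scenario_cat3() -> list:
    sf = Cat3()
    sf.ch1.stuck_closed = True             # single dangerous fault in channel 1
    first = sf.demand()                    # still safe, and the discrepancy is detected
    sf.ch2.stuck_closed = True             # second fault accumulates before repair
    second = sf.demand()
    return [first, sf.fault_detected, sf.restart_allowed(), second]


if __name__ == "__main__":
    print("Cat 2, PLr d:", scenario_cat2("d", True))                 # ['LOST', 'safe_state', 'safe']
    print("Cat 2, PLr c, warning only:", scenario_cat2("c", False))  # ['LOST', 'warning', 'LOST']
    print("Cat 3:", scenario_cat3())                                  # ['safe', True, False, 'LOST']
```

The two category 2 scenarios show why the check interval matters: a dangerous fault that appears between checks defeats the next demand, and a warning-only OTE reaction (accepted only up to PLr = c when the safe state is not practicable) leaves the fault in place. The category 3 scenario shows the single fault being tolerated and detected, the resulting lockout, and the loss of the safety function when a second fault accumulates before the first is repaired.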
Example circuit of Category 4 (figure not reproduced)
Example circuit of a non-contact safety switch according to EN ISO 14119 (figure not reproduced)
• Verification against the required performance level (PLr)
• Validation according to ISO 13849-2
• ISO 13849-2 refers to FMEA (IEC 60812) for the fault analysis
(see ISO 13849-2:2012)
FMEA
BMS Failure Mode and Effect Analysis (FMEA)
Worksheet columns: Item | Section | Function | Subfunction | Failure mode / symptom | Effect: dangerous detectable / dangerous undetectable / safe / no effect | Diagnostic technique and measure | Remark

Item   Section       Function / subfunction                 Failure mode / symptom
1      Power supply  48 V to 12 V                           open circuit; short circuit; voltage too high; voltage too low
2      Power supply  12 V to 3.3 V                          open circuit; short circuit; voltage too high; voltage too low
3      PCS           TCP/TP                                 open circuit
4      PCS           CAN                                    open circuit
5-9    CPU           CPU-RAM; CPU-ROM; soft-error           each: 50 % dangerous (safety function lost), 50 % safe (marked V)
10     CPU           Clock                                  clock frequency fault
11     CPU           I/O                                    I/O pin fault
12-13  Sensor        Overvoltage, voltage sensor            open circuit; short circuit
14-15  Sensor        Undervoltage, voltage sensor           open circuit; short circuit
16     Sensor        Overtemperature, temperature sensor    open circuit; short circuit
       Sensor        Undertemperature, temperature sensor   open circuit; short circuit
17     Sensor        Overcurrent, current sensor            open circuit; short circuit
18     Sensor                                               broken
What is “fault exclusion”? (see ISO 13849-2:2012)
How to find the value of MTTFD?
2) Value from calculation
• B10D: number of cycles until 10 % of the components fail dangerously
Example 1 (figure not reproduced)
How to calculate the MTTFD of semiconductors?
How to calculate the MTTFD of passive components?
Final value of MTTFD (per channel)
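As an added worked example (not code from the presentation or from ISO 13849-1; the component figures are constructed sample data and the function names are this example's own), the following Python turns B10D values and datasheet MTTFD values into a channel MTTFD and its band. It uses the ISO 13849-1 relations nop = dop × hop × 3600 / tcycle and MTTFD = B10D / (0.1 × nop), the parts-count rule 1/MTTFD = Σ 1/MTTFD,i with the 100-year cap per channel (the 2015 edition allows up to 2500 years for category 4 only), the two-channel symmetrisation formula of Annex D, and the bands low (3 to 10 years), medium (10 to 30 years) and high (30 to 100 years).

```python
"""MTTFD per channel from B10D values and datasheet MTTFD values, with the
banding of ISO 13849-1. Constructed example (not from the presentation): the
formulas are those of ISO 13849-1 (B10D conversion, parts-count method,
two-channel symmetrisation, MTTFD bands); the component data are made-up
sample values and the function names are this example's own."""

from typing import Iterable

MTTFD_CAP_YEARS = 100.0   # per-channel limit for categories B to 3


def nop(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean operations per year: days/year * hours/day * 3600 / cycle time in seconds."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    """MTTFD (years) of an electromechanical part: B10D / (0.1 * nop)."""
    return b10d / (0.1 * n_op)


def channel_mttfd(component_mttfds: Iterable[float], cap: float = MTTFD_CAP_YEARS) -> float:
    """Parts-count method: 1/MTTFD = sum(1/MTTFD_i); the result is capped."""
    inverse_sum = sum(1.0 / m for m in component_mttfds)
    return min(1.0 / inverse_sum, cap)


def symmetrised_mttfd(c1: float, c2: float) -> float:
    """Two channels with different MTTFD combined into one value:
    2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2))."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_band(years: float):
    """low 3..10, medium 10..30, high 30..100 years; below 3 years is not usable."""
    if years < 3.0:
        return None
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


# Constructed sample channel: e-stop device and contactor given as B10D with
# their operating profile, safety relay given as an MTTFD value from a datasheet.
SAMPLE_CHANNEL = {
    "e_stop_switch": {"b10d": 100_000, "d_op": 220, "h_op": 16, "t_cycle_s": 16 * 3600},  # ~1 op/shift
    "contactor":     {"b10d": 2_000_000, "d_op": 220, "h_op": 16, "t_cycle_s": 60},       # 1 op/min
    "safety_relay":  {"mttfd": 150.0},
}


def component_mttfd(spec: dict) -> float:
    if "mttfd" in spec:
        return float(spec["mttfd"])
    return mttfd_from_b10d(spec["b10d"], nop(spec["d_op"], spec["h_op"], spec["t_cycle_s"]))


def sample_channel_mttfd() -> float:
    return channel_mttfd(component_mttfd(s) for s in SAMPLE_CHANNEL.values())


if __name__ == "__main__":
    for name, spec in SAMPLE_CHANNEL.items():
        print(f"{name:14s} MTTFD = {component_mttfd(spec):9.1f} years")
    ch = sample_channel_mttfd()
    print(f"channel MTTFD = {ch:.1f} years -> {mttfd_band(ch)}")   # 57.3 years -> high
```

Note how the contactor, cycled once a minute, dominates the channel: the e-stop switch with a far smaller B10D contributes almost nothing because it is operated so rarely, which is why the operating profile (dop, hop, tcycle) must come from the real application and not from a default.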
Estimates for diagnostic coverage (DC)
• Validity check, e.g. use of mechanically linked NO and NC contacts
• Dynamic test, e.g. of interlocking devices according to EN ISO 14119
FS approved safety module (logic subsystem): correspondence between PL and SIL (IEC 61508-1, high/continuous mode of operation)
  PL a: no correspondence
  PL b: SIL 1
  PL c: SIL 1
  PL d: SIL 2
  PL e: SIL 3
Average probability of dangerous failure per hour (PFH), in 1/h:
  PL a: ≥ 10^-5 to < 10^-4
  PL b: ≥ 3×10^-6 to < 10^-5
  PL c: ≥ 10^-6 to < 3×10^-6
  PL d: ≥ 10^-7 to < 10^-6
  PL e: ≥ 10^-8 to < 10^-7
Estimates for diagnostic coverage (DC), continued:
• Forcibly-guided contacts (EN 50205)
• Mechanically-linked contacts (IEC 60947-5-1/A2 ed. 2, Annex L), control relay
• Power contacts and mirror contacts: NC mirror contact, mechanically linked to the power poles (IEC 60947-4-1, Annex F)
Final value of DCavg:
  None: DC < 60 %
  Low: 60 % ≤ DC < 90 %
  Medium: 90 % ≤ DC < 99 %
  High: 99 % ≤ DC
How to decide the value of CCF?
• The quantitative process for CCF should be carried out for the whole system; every part of the SRP/CS should be considered.
• The measures and their associated values are based on engineering judgement.
• For each measure listed, only the full score or nothing can be claimed. If a measure is only partly fulfilled, its score is zero.
• The estimate of common cause failures (CCF) is made using Table F.1.
Estimates for common cause failure (CCF) (Table F.1 not reproduced)
Relationship between Category, MTTFD, DC and PL
(Figure: the simplified procedure combining the Category, the MTTFD of each channel, DCavg and CCF into the achieved PL; not reproduced.)
Worked examples (figures not reproduced)
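The DCavg and CCF rules above combine with the category and the channel MTTFD into the achieved PL. As an added example (not code from the presentation or from the standard; the component values are constructed and the function names are this example's own), the following Python implements that simplified procedure: per-component DC from an FMEA-style failure-mode list, DCavg by the ISO 13849-1 Annex E formula Σ(DCi/MTTFDi) / Σ(1/MTTFDi), the 65-point CCF threshold, the simplified table Category × DCavg × MTTFD band → PL (Table 7 of the 2015 edition), and the PL to PFH mapping from the PFH slide above.

```python
"""Simplified PL determination of ISO 13849-1 (Table 7 of the 2015 edition)
from category, channel MTTFD, DCavg and the CCF score. Constructed example,
not code from the presentation or the standard. Thresholds used: MTTFD bands
(low 3-10, medium 10-30, high 30-100 years), DCavg bands as on the DCavg
slide (none < 60 %, low < 90 %, medium < 99 %, high >= 99 %), CCF score >= 65,
and the PL/PFH ranges as on the PFH slide. DC of a component is derived
FMEA-style from its failure modes. All function names are assumptions."""

from typing import Iterable, Optional, Tuple

# (category, DCavg column) -> {MTTFD band of each channel: achieved PL}
SIMPLIFIED_PL = {
    ("B", "none"):   {"low": "a", "medium": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}

# PL -> (lower bound, upper bound) of the average probability of dangerous failure per hour
PFH_RANGE = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
             "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}


def mttfd_band(years: float) -> Optional[str]:
    """MTTFD of one channel in years; below 3 years the channel is not usable."""
    if years < 3.0:
        return None
    return "low" if years < 10.0 else "medium" if years < 30.0 else "high"


def dcavg_band(dc: float) -> str:
    """DC given as a fraction (0.95 = 95 %)."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def dc_from_failure_modes(modes: Iterable[Tuple[float, bool, bool]]) -> float:
    """FMEA-style DC of one component. Each mode is (share of all failures,
    dangerous?, detected by a diagnostic measure?). DC = lambda_DD / lambda_D;
    safe failure modes do not enter the ratio."""
    modes = list(modes)
    dangerous = sum(share for share, is_dangerous, _ in modes if is_dangerous)
    detected = sum(share for share, is_dangerous, is_detected in modes
                   if is_dangerous and is_detected)
    return detected / dangerous if dangerous else 1.0


def dc_avg(components: Iterable[Tuple[float, float]]) -> float:
    """DCavg = sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i) over the components
    (DC fraction, MTTFD in years) that contribute to the safety function."""
    components = list(components)
    return sum(dc / m for dc, m in components) / sum(1.0 / m for _, m in components)


def ccf_ok(score: int) -> bool:
    """CCF measures of Annex F: the sum of the claimed scores must reach 65."""
    return score >= 65


def performance_level(category: str, channel_mttfd: float, dcavg: float,
                      ccf_score: int = 0) -> Optional[str]:
    """Achieved PL, or None when the combination is not admissible (MTTFD below
    3 years, CCF score below 65 for categories 2 to 4, or a DCavg/MTTFD
    combination that the simplified table does not cover)."""
    band = mttfd_band(channel_mttfd)
    if band is None:
        return None
    if category in ("2", "3", "4") and not ccf_ok(ccf_score):
        return None
    column = dcavg_band(dcavg)
    if category in ("B", "1"):
        column = "none"            # no diagnostic credit in categories B and 1
    elif category in ("2", "3"):
        if column == "none":
            return None            # categories 2 and 3 need at least DCavg low
        if column == "high":
            column = "medium"      # the table has no 'high' column for cat. 2 and 3
    return SIMPLIFIED_PL.get((category, column), {}).get(band)


def pfh_range(pl: str) -> Tuple[float, float]:
    return PFH_RANGE[pl]


# Constructed sample: components of a category 3 structure as (DC, MTTFD years).
# The contactor's dangerous failures are all revealed by its mirror contact;
# the second part has 20 % of its failures dangerous and undetected.
SAMPLE_COMPONENTS = [
    (dc_from_failure_modes([(0.5, True, True), (0.5, False, False)]), 94.7),
    (dc_from_failure_modes([(0.3, True, True), (0.2, True, False), (0.5, False, False)]), 150.0),
]


def sample_pl() -> Optional[str]:
    """Channel MTTFD of 57.3 years taken as given; CCF score 70 (constructed)."""
    return performance_level("3", 57.3, dc_avg(SAMPLE_COMPONENTS), ccf_score=70)


if __name__ == "__main__":
    dc = dc_avg(SAMPLE_COMPONENTS)
    pl = sample_pl()
    print(f"DCavg = {dc:.1%} ({dcavg_band(dc)}), PL = {pl}, PFH range = {pfh_range(pl)}")
```

With the sample data the weighted DCavg lands at about 84.5 % (band "low"), so category 3 with a "high" channel MTTFD yields PL d; the same structure with a CCF score below 65 yields no PL at all, which is the point of the "full score or nothing" rule above.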
Software: coding, testing, verification, modifications
Document expectations:
1 Information on the development environment: MCU type name; development language; development tools
2 Safety function specifications: specific explanation of the safety functions, including response time
6 Safety function validation records: the validation records of all the safety functions
7 Software diagnostic measures test records: the test records of all the software diagnostic measures
Definition of SF, SB, BL and channels (figure showing channel 1, channel 2, subsystem and block; not reproduced)
Category 1: SB, channel, block (figure not reproduced)
2021/10/21
Thank you for your attention.
Vickey Chen
02-2172-1561
0919 828 889
TÜV Rheinland Taiwan Ltd.
E-Mail: vickeycc.chen@tuv.com
LEGAL DISCLAIMER
This document remains the property of TÜV Rheinland. It is supplied in confidence solely for information purposes for the recipient. Neither this document nor any
information or data contained therein may be used for any other purposes, or duplicated or disclosed in whole or in part, to any third party, without the prior written
authorization by TÜV Rheinland. This document is not complete without a verbal explanation (presentation) of the content.
TÜV Rheinland AG