Machine Safety Handbooks e 6534

7/30/2019 Machine Safety Handbooks e 6534

http://slidepdf.com/reader/full/machine-safety-handbooks-e-6534 1/64

Sae Machinery

Handbook





For more inormation call us on 0870 608 8 608

or visit www.schneider-electric.co.uk

Introduction ........................................................4

Why saety? ........................................................6

Legal ramework..............................................10

Risk assessment ..............................................16

Sae design and saeguarding ....................

Functional Saety ........................................... 0

Control system standards

including worked examples ........................ 8

Sources o inormation ................................. 56

Annexes - architectures ............................... 58

Contents



4

Introduction



5

There are various guides to machinery saety

legislation which tend to present a distorted view o the

requirements o that legislation.

This handbook is an attempt to provide inormation that is up-to-date and unbiased

in order to help machine builders and users to provide workers with machines thatare sae, legal, and efcient. It is not intended as an exhaustive guide to compliance

with saety legislation, nor as a replacement or reerring to the relevant standards

themselves; it is to guide you through the logical steps and to point you to the relevant

sources o inormation.



6

Why saety



7

As well as the moral obligation to avoid harming anyone,

there are laws that require machines to be sae, and sound

economic reasons or avoiding accidents.

Saety must be taken into account right rom the design stage and must be kept in mind at

all stages in the lie o a machine: design, manuacture, installation, adjustment, operation,

maintenance and eventual scrapping.

New machines - the Machinery Directive

In the UK, at present the Machinery Directive 98/37/EC is implemented as the Supply o

Machinery (saety) regulations 1992 as amended.

From 29 December 2009 the relevant UK regulations will be the Supply o Machinery (saety)

regulations 2008, which implement the European Machinery Directive 2006/42/EC.

Machines have to comply with the Essential Health and Saety Requirements (EHSRs) listed in

Annex I o the Directive, thus setting a common minimum level o protection across the EEA

(European Economic Area).

Machine manuacturers, or their authorised representatives within the EU, must ensure that the

machine is compliant, the Technical File can be made available to the enorcing authorities on

request, the CE marking is axed, and a Declaration o Conormity has been signed, beorethe machine may be placed on the market within the EU.

Design/manuacture Installation Adjustment/operation Maintenance



8

Existing machines – the Work Equipment Directive

This is implemented in UK law as the Provision and use o Work Equipment Regulations 1998

(PUWER 1998).

It applies to the provision o all work equipment, including mobile and liting equipment, in all

workplaces and work situations where the Health and Saety at Work etc Act 1974 (HSW Act)

applies, and extends outside Great Britain to some oshore activities.

They require that all equipment is suitable or use, and is inspected and maintained as

necessary to ensure that it remains so.

The cost o accidents

Some o the costs are obvious, such as sick pay or injured

employees, whereas some costs are harder to identiy. The Health

and Saety Executive (HSE) give an example o an accident at a

drilling machine that resulted in costs to the business o £45 000

(HSE INDG355). However this does not include some o the less

obvious costs, and some estimates amount to double that gure.

An accident analysed by Schneider Electric Ltd, the outcome o

which was a reversible head injury, cost the employer some £90

000, o which only £37 000 was insurable. The ull nancial impact

can include increase in insurance premiums, lost production, lost

customers and even loss o reputation.

Some risk reduction measures can actually increase productivity;

or example the use o light curtains to protect access points o

machines can allow easier access or loading and unloading; zoning

o isolation devices can allow parts o a machine to be shut down or

maintenance while other parts remain productive.

The regulationsapply to all

employers, the

sel-employed,

and others who

have control o the

provision o work

equipment.





1010

Legal ramework



11

Presumption o conormity:

When a product conorms to a harmonised European standard, the reerence to which has

been published in the Ocial Journal o the European Union or a specic Directive, and which

covers one or more o the essential saety requirements, the product is presumed to comply

with those essential saety requirements o the Directive. A list o such standards can be

accessed at http://www.newapproach.org/Directives/DirectiveList.asp

EC Directive:

Legal instrument to harmonise the legislation o the European member states

Denes the essential health and saety requirements (EHSRs)

Transposed into national law (act, decree, order, regulations)

Standard:

A “standard” is a technical specication approved by a recognised standardisation body or

repeated or continuous application, with which compliance is not compulsory

Harmonised standard:

A standard becomes harmonised when published throughout the member states

It is o course

necessary to ensure

compliance with

all the other EHSRs

as well as those or

which a Presumption

o Conormity is

given by the use o a

specifc standard.



1

A B & C standards:

European standards or the Saety o machinery orm the ollowing structure:

A B1 B2 C

Type A standards

(Basic saety standards) giving basic concepts, principles or design, and general aspects

that can be applied to all machinery;

Type B standards

(Generic saety standards) dealing with one saety aspect or one type o saeguard that can

be used across a wide range o machinery:

- Type B1 standards on particular saety aspects (e.g. saety distances, surace

temperature, noise);

- Type B2 standards on saeguards (e.g. two-hand controls, interlocking devices, pressure

sensitive devices, guards);

Type C standards

(Machine saety standards) dealing with detailed saety requirements or a particular

machine or group o machines.



1

When a Type-C standard deviates rom one or more

provisions dealt with by a Type A standard or by a

Type B standard, the Type C standard takes precedence.

BS EN ISO 1100 -1, 1100-, and 1411-1 are

Type A standards.

Some examples o these types o standards are:

EN/ISO 12100-1 A Saety o machinery - Basic concepts, general principles or design

Part 1: Terminology, methodology

EN/ISO 12100-2 A Saety o machinery - Basic concepts, general principles or design

Part 2: Technical principles

EN/ISO 14121-1 A Saety o machinery - Principles or risk assessment

EN 574 B Two-hand control devices - Functional aspects - principles or design

EN/ISO 13850 B Emergency stop - Principles or design

EN/IEC 62061 B Functional saety o saety-related electrical, electronic and electronic

programmable control systems

EN/ISO 13849-1 B Saety o machinery - Saety-related parts o control systems -

Part 1 general principles or design

EN 349 B Minimum gaps to avoid crushing o parts o the human body

EN ISO 13857 B Saety o machinery - Saety distances to prevent hazard zones being

reached by upper and lower limbs

EN 60204-1 B Saety o machinery - Electrical equipment o machines - Part 1:

general requirements

EN 999 B Positioning o protective equipment in respect o approach speeds o

parts o the human body

EN 1088 B Interlocking devices associated with guards - Principles or design and

selectionEN/IEC 61496-1 B Electro-sensitive protective equipment Part 1: General requirements

and tests

EN/IEC 60947-5-5 B Low-voltage switchgear and control gear - Part 5-5: Control circuitdevices and switching elements - Electrical emergency stop device

with mechanical latching unction

EN 842 B Visual danger signals - General requirements, design and testing

EN 1037 B Prevention o unexpected start-up

EN 953 B General requirements or the design and construction o fxed and

movable guards

EN 201 C Machinery or plastics and rubber - Injection moulding machines -

Saety requirements

EN 692 C Machine Tools - Mechanical presses - Saety requirements

EN 693 C Machine Tools - Hydraulic presses - Saety requirements

EN 289 C Rubber and plastics machines - Saety - Blow moulding machines

intended or the production o hollow articles - Requirements or the

design and construction

EN 422 C Blow moulding machines or producing hollow parts - Design and

construction requirements

EN ISO 10218-1 C Robots or industrial environments - Saety requirements - Part 1:Robot

EN 415-4 C Saety o packaging machines - Part 4: palletisers and depalletisers

EN 619 C Continuous handling equipment and systems - Saety and EMC

requirements or equipment or mechanical handling o unit loads

EN 620 C Continuous handling equipment and systems - Saety and EMC

requirements or fxed belt conveyors or bulk material



14

Acts o parliament (primary legislation)

An Act o Parliament creates a new law or changes an existing law. An Act is a Bill

approved by both the House o Commons and the House o Lords and ormally agreed to

by the reigning monarch (known as Royal Assent). Once implemented, an Act is law and

applies to the UK as a whole or to specic areas o the country.

An Act may come into orce immediately, on a specic starting date, or in stages.

The practical implementation o an Act is the responsibility o the appropriate government

department, not Parliament. For example, laws relating to transport issues would come

under the administration o the Department or Transport.

Delegated or secondary legislation

Delegated or secondary legislation allows the Government to make changes to a law

without needing to push through a completely new Act o Parliament. The original Act (also

known as primary legislation) would have made provisions or uture delegated legislation

that could alter the law to diering degrees.

Statutory Instruments (SIs), oten called orders or regulations, are a type o delegated

legislation requiring Parliament’s approval - through the armative or negative procedure

- beore the change to the law can be made.

AcoPs (Approved Codes o Practice)

AcoPs are approved by or example the Health and Saety Commission, with the consent

o the Secretary o State. They give practical advice on how to comply with the law. I

you ollow the advice you will be doing enough to comply with the law in respect o thosespecic matters on which the Code gives advice.

CoPsCodes o practice other than AcoPs are considered to be good practice only, and should

be regarded as guidance.

Other documents

Non-harmonised standards and other documents rom standards bodies, such as,

Technical Specications, Publicly Available Specications, Published Documents, Dratsor Development, etc., can contain useul guidance but should not be relied on to ensure

compliance with the law.



15

Manuacturers’ responsibilities

Manuacturers placing machines on the market within the European Economic Area must

comply with the requirements o the Machinery Directive. Note that “placing on the market”

includes an organisation supplying a machine to itsel, i.e. building or modiying machines

or its own use, or importing machines into the EEA.

Users’ responsibilities

Users o machines need to ensure that newly-purchased machines are CE marked, and

accompanied by a Declaration o Conormity to the Machinery Directive. Machines must be

used in accordance with the manuacturer’s instructions.

Existing machines taken into service beore the Machinery Directive came into orce do

not need to comply, although they need to comply with PUWER and be sae and t or

purpose.

Modication o machines can be considered as manuacture o a new machine, even i or

use in-house, and the company modiying a machine needs to be aware that it might needto issue a Declaration o Conormity and CE marking.



16

Risk assesment



17

In order or a machine (or other equipment) to be made

sae, it is necessary to assess the risks that can result rom

its use. Risk assessment or machines is described in

BS EN ISO 1411-1.

There are various techniques or risk assessment, and none can be

said to be “the right way” to perorm a risk assessment. The British

Standard species some general principles but cannot speciy exactly

what has to be done in every case. It would seem to be nice i the

standard could give a value or ‘score’ or each risk, and then a target

value or the maximum value that must not be exceeded, but that is

not the case or several reasons. The score that would be allocated to

each risk, as well as on the level o risk that can be tolerated, depend

on a series o judgements, and will vary with the person doing the

judging as well as on the environment. For example the risks that

might be reasonable in a actory employing skilled workers might

be unacceptable in an environment where members o the public,

including children, might be present. Historical accident/incident

rates can be useul indicators, but cannot give a reliable indication o

accident rates that can be expected.



18

Identiy the limits o the machinery

That is, just what is being assessed? What are the speeds/loads/substances etc that

might be involved? For example how many bottles is the extruder blow moulding per hour,

and how much material is being processed at what temperature? Remember to include

oreseeable misuse, such as the possible use o a machine outside its specication. What

is the expected lie o the machinery and its application? How is it likely to be disposed o

at the end o its lie?

Identiy the hazards

What aspects o the machine might cause harm to a person? Consider the possibility o

entanglement, crushing, cutting rom tools, sharp edges on the machine or on the material

being processed. Other actors such as the stability o the machine, noise, vibration, and

emission o substances or radiation also need to be considered, as well as burns rom hot

suraces, chemicals, or riction due to high speeds. This stage should include all hazards

that can be present during the liecycle o the machinery, including the construction,

installation, and disposal.

Examples o typical hazards are illustrated below, though this is not an exhaustive list. A

more detailed list can be ound in BS EN ISO 14121-1.

Who might be harmed by the identifed hazards, and when?

Who interacts with the machine, when, and why? Again remember oreseeable misuse

including the possibility o use o a machine by untrained persons, and persons who might

be present in the workplace; not just machine operators, but cleaners, security sta,

visitors, and members o the public.

Puncturing, stabbing,

shearing, severing, cutting

Catching, entanglement,

drawing in, trapping

Impact Crushing

Electrocution Discharge o dangerous

substances

Burns

Examples o

typical hazards are

illustrated here,

though this is not

an exhaustive list. A

more detailed list canbe ound in

BS EN ISO 1411-1.



1

Prioritise the risks according to their seriousness

BS EN ISO 14121-1 describes this stage as Risk Estimation. This can be done by

multiplying the potential harm that can come rom the hazard by the exposure to the

hazard, remembering that there can be more than one person exposed.

It is dicult to estimate the potential harm, given the possibility that every accident can lead

to a atality. However usually when there is more than one possible consequence, one will

be more likely than the others. All plausible consequences should be considered, not just

the worst case.

The result o the Risk Assessment process should be a table o the various risks that exist

at the machine, together with an indication o the seriousness o each. There is not a single

“risk rating” or “risk category” or a machine – each risk must be considered separately.

Note that the seriousness can only be estimated – Risk Assessment is not a precise

science. Neither is it an end in itsel; the purpose o Risk Assessment is to guide Risk

Reduction.

Riskrelated

to the

potential

hazard

Severityo the

potential

harm

Probabilityo

occurence

Frequency and

duration o exposure

Possibility o

avoiding or limiting

the probability o the

ocurence o anevent that could

cause harm

x=



Risk Reduction

Risk reduction is dealt with in BS EN ISO 12100-2.

Risk reduction is dened in terms o eliminating risk: “the aim o measures taken must be to

eliminate any risk throughout the oreseeable lietime o the machinery including the phases

o transport, assembly, dismantling, disabling and scrapping.”

In general, i a risk can be reduced then it should be reduced. This has to be tempered

by commercial realities though, and the UK Regulations use words like “reasonable”

to indicate that it might not be possible to eliminate some risks without a grossly

disproportionate cost.

The process o risk assessment is iterative – risks need to be identied, prioritised,

quantied, design steps taken to reduce them (rst by sae design, then by saeguarding),

and then this process is to be repeated to assess whether the individual risks have been

reduced to a tolerable level and that no additional risks have be introduced. In the next

chapter we examine sae design and saeguarding.

0



End

R i s k e v a l u a t i o n R

i s k a n a l y s i s

1

Risk evaluation

Start

Determination o

machine limits

Identifcation o the

potential hazards

Risk estimation

Risk reduction

Is the

machine

sae?

NoYes



Sae design & sae-

guarding



Inherently sae design measures(as per BS EN 1100-, clause 4)

Some risks can be avoided by simple measures; can the task that results in the risk be

eliminated? Elimination can sometimes be achieved by automation o some tasks such as

machine loading. Can the hazard be removed? For example, the use o a non-fammable

solvent or cleaning tasks can remove the re hazard associated with fammable solvents.

This stage is known as inherently safe design, and is the only way o reducing a risk to

zero.

Removing the drive rom the end roller o a roller conveyor will reduce the possibility o

someone being caught up by the roller. Replacing spoked pulleys with smooth discs can

reduce shearing hazards. Avoidance o sharp edges, corners and protusions can help to

avoid cuts and bruises. Increasing minimum gaps can help to avoid body parts getting

crushed, reducing maximum gaps can eliminate the possibility o body parts entering.

Reduced orces, speeds and pressures can reduce the risk o injury.

Removal o shear traps by inherently sae design measures Source: BS PD 5304

Take care to avoid substituting one hazard or another. For example air-powered tools

avoid the hazards associated with electricity, but can introduce other hazards rom the use

o compressed air, such as injection o air into the body and compressor noise.

Standards and

legislation express

a distinct hierarchy

or controls. The

elimination o

hazards or reduction

o risks to a tolerable

level, by inherently

sae design

measures is the frst

priority.



4

Saeguarding & complementary protective measures(as per BS EN 1100-, clause 5)

Where inherently sae design is not practicable, the next step is safeguarding. This measure can include, or

example, xed guarding, interlocked guarding, presence sensing to prevent unexpected start-up, etc.

Saeguarding should prevent persons rom coming into contact with hazards, or reduce hazards to a sae state,

beore a person can come into contact with them.

Guards themselves can be xed to enclose or distance a hazard, or movable such that they are either sel-closing,

power-operated or interlocked.

Typical protective devices used as part o saeguarding systems include:

Interlock switches to detect the position o movable guards or control interlocking, usually

to permit tasks such as loading/unloading, cleaning, setting, adjustment etc.

Protection o operators is provided by stopping the machine when the actuator iswithdrawn rom the head o the switch, when the lever or plunger is actuated, when the

guard is opened or the guard hinge rotates through 5° – generally on machines with low

inertia (i.e. quick stopping times)



5

Light curtains to detect approach to dangerous areas

By nger, hand or body (upto 14mm, upto 30mm and above 30mm resolution)

Light curtains are typically used in material handling, packaging, conveyor,

warehousing and other applications. They are designed or the protection o persons

operating or working in the vicinity o machinery, by the stopping o dangerous

movement o parts as soon as one o the light beams is broken. They make it

possible to protect personnel whilst allowing ree access to machines. The absence

o a door or guard reduces the time taken required or loading, inspection or

adjustment operations as well as making access easier.

Saety mats to detect persons

Approaching, standing in or climbing into the danger area

Saety oot mats are typically used in ront o or around potentially

dangerous machines or robots. They provide a protection zone

between the machine operators and any dangerous movements.

They are mainly designed to ensure the saety o personnel, and

supplement saety products such as light curtains to enable ree

access or the loading or unloading o machines. They work

by detecting persons stepping onto the mat and instigating a

stopping o the dangerous movement.



6

Two hand control stations and ootswitches

Used to ensure the operator is standing away rom the danger

area when causing dangerous movements (e.g. down stroke in

press applications)

They provide protection primarily to the machine operator.

Supplementary protection to other personnel can be provided

through other measures, such as the positioning o light curtains.

Enabling switches to permit access underspecifc conditions o reduced risk

To areas or ault-nding, commissioning etc (e.g. jogging and

inching), with a central position and 2 “o” positions (ully released

or clenched).

Solenoid interlocks (powered guards)to prevent opening o guards

During dangerous phases o operation. Unlike non-solenoid interlocks, they

are used on loads with high inertia i.e. where the stopping time is long and it is

preerable to permit access only when the dangerous movement has stopped.

These are oten used with either a time delay circuit (where machine stopping

time is dened and known) or actual detection o zero speed (where stopping

times can vary) to permit access only when sae conditions are met.

Interlocking devices should be selected and installed with regard to minimising

the possibility o deeat and ailure, and the overall saeguard should not

unnecessarily impede production tasks. Steps to achieve this include:

- devices astened securely in a (xed) place and requiring a tool to

remove or adjust;

- coded devices or systems, e.g. mechanically, electrically,

magnetically or optically;

- physical obstruction or shielding to prevent access to the interlocking device

when the guard is open;

- the support or devices shall be suciently rigid to maintain correct operation



7

Monitoring o saety signals – control systems

The signals rom saeguarding components are typically monitored using saety relays,

saety controllers or saety PLCs (collectively reerred to as “saety logic solvers”), which in

turn are used to drive (and sometimes monitor) output devices such as contactors.

The choice o logic solver will depend upon many actors including the number o saety

inputs to process, cost, complexity o the saety unctions themselves, the need to reduce

cabling through decentralisation using a eldbus such as AS-Interace Saety at Work or

SaeEthernet, or even the need to send saety signals/data over long distances across

large machines or between machines on large sites. The now common use o complex

electronics and sotware in saety controllers and saety PLCs has, in part, driven the

evolution o the standards relating to saety related electrical control systems.

Saeguarding will usually involve the use o some kind o control system, and the Machinery

Directive gives various requirements or the perormance o the control system. In particular

it states “Control systems must be designed and constructed in such a way as to prevent

hazardous situations rom arising”. The Machinery Directive does not speciy the use o any

particular standard, but the use o a control system meeting the requirements o

harmonised standard(s) is one means o demonstrating compliance with this requirement

o the Machinery Directive. Two such standards available at the time o writing are BS EN

ISO 13849-1 (replacing EN 954-1 in November 2009) and BS EN 62061.

Two such standards

available at time o

writing include

BS EN ISO 184-1

(directly replacing

BS EN 54-1 in

November 00)

and BS EN 6061.

Saety relay Saety controller Compact saety PLC Modular saety PLC



8

Complementary protective measures - Emergency stop

Although emergency stops are required or all machines (the Machinery Directive allows

two very specic exemptions) they are not considered to be a primary means o risk

reduction. Instead they are reerred to as a “complementary protective measure”. They

are provided as a backup for use in an emergency only . They need to be robust,

dependable, and available at all positions where it might be necessary to operate them.

BS EN 60204-1 denes the ollowing three categories o stop unctions as ollows:

– Stop category 0: stopping by immediate removal o power to the machine actuators

(uncontrolled stop);

– Stop category 1: a controlled stop with power available to the machine actuators to

achieve the stop and then removal o power when the stop is achieved;

– Stop category 2: a controlled stop with power let available to the machine actuators.

However stop category 2 is not usually considered suitable or emergency stops.

Emergency stops on machinery must be “trigger action”. This means that their design

ensures that however slowly the button is pressed, or cable pulled, i the normally-closed

contact opens the mechanism must latch. This prevents “teasing”, which can cause

dangerous situations. The converse must also be true, i.e. latching must not take place

unless the NC contact opens. Emergency stop devices should comply with

BS EN 60947-5-5.

Residual risks

Ater risks have been reduced as ar as possible by design, and then by saeguarding,

the risk assessment process should be repeated to check that no new risks have been

introduced (e.g. powered guards can introduce trapping hazards) and to estimate whether

each risk has been reduced to a tolerable level. Even ater some iterations o the risk

assessment/risk reduction procedure, it is likely that there will be some residual risks.

Except or machines built to a specic harmonised standard (C Standard) it is or the

designer to judge whether the residual risk is tolerable or whether urther measures need

to be taken, and to provide inormation about those residual risks, in the orm o warning

labels, instructions or use, etc. The instructions might also speciy measures such as the

need or personal protective equipment (PPE) or special working procedures, but these are

not as dependable as measures implemented by the designer.







1

Functional Saety

The IEC have published a series o FAQs related to Functional Saety at

http://www.iec.ch/zone/saety/

A number o standards have been published in recent years that use the concept o

unctional saety. Examples include IEC 61508, IEC 62061, IEC 61511, ISO 13849-1, and

IEC 61800-5-2 which have all been adopted in Europe and published as BS ENs.

Functional saety is a relatively recent concept that replaces the old ‘Categories’ o

behaviour under ault conditions that were dened in BS EN 954-1, and were oten

mistakenly described as ‘Saety Categories’.

A reminder o the principles o EN 54-1

Users o BS EN 954-1 will be amiliar with the old “risk graph” which many used to design

their saety related parts o electrical control circuits to the categories B, 1, 2, 3 or 4. The

user was prompted to subjectively assess severity o injury, requency o exposure and

possibility o avoidance in terms o slight to serious, rare to requent, and possible tovirtually impossible, to arrive at a required category or each saety related part.

The thinking is that the more the risk reduction depends upon the saety-related control

system (SRECS), the more the SRECS needs to be resistant to aults (such as short

circuits, welded contacts etc).

The behaviour o the categories under ault conditions was dened as ollows:

- Category B control circuits are basic and can lead to a loss o the saety unction due to a

ault.

- Category 1 can also lead to a loss o the saety unction, but with less probability than

category B.

- Category 2 circuits detect aults by periodic testing at suitable intervals (the saety

unction can be lost between the periodic tests)

S1

P1

P2

P1

P2

F1

F2

S2

B 1 2 3 4

KM1

KM1

KM1



- Category 3 circuits ensure the saety unction, in the presence o a single ault, or

example by employing two (redundant) channels, but a loss o the saety unction can

occur in the case o an accumulation o aults

KM1

KM2

KM2

KM1

1 2

- Category 4 circuits ensure that the saety unction is always available even in the case o

one or more aults, usually by employing both input and output redundancy, together with

a eedback loop or continuous monitoring o the outputs

KM1

KM2

KM2

KM1

KM1 KM2

21



Functional saety is “part o the overall saety relating to the EUC* and the EUC control

system which depends on the correct unctioning o the E/E/PE** saety-related systems,

other technology saety-related systems and external risk reduction acilities”. Note

that it is an attribute o the equipment under control and o the control system, not o any

particular component or specic kind o device. It applies to all components that contribute

to the perormance o a saety unction, including or example, input switches, logic solvers

such as PLCs and IPCs (including their sotware and rmware) and output devices such as

contactors and variable speed drives.

* EUC means Equipment Under Control

**Note E/E/PE means Electrical/Electronic/Programmable Electronic.

It should also be remembered that the words “correct unctioning” mean that the

unction is correct, not just what was expected, which means the functions have to be

selected correctly . In the past there has been a tendency or components specied to

a high category o BS EN 954-1 to be chosen instead o components that have a lower

category, but might actually have more suitable unctions. This might be as a result o the

misconception that the categories are hierarchical such that or example, category 3 isalways “better” than category 2 and so on. Functional saety standards are intended to

encourage designers to ocus more on the unctions that are necessary to reduce each

individual risk, and what perormance is required or each unction, rather than simply

relying on particular components.





5

BS EN ISO 184-1

BS EN ISO 13849-1 uses a combination o the Mean Time To Dangerous Failure (MTTF d ),

Diagnostic Coverage (DC) and architecture (category) to determine Perormance Level PL

(a, b, c, d, e), and a simplied method o estimating PL is given in Table 7 o the standard.

The categories are the same as those in BS EN 954-1, which are explained in Annex 2.

DCavg

None None Low Medium Low High High

aNot

covereda b b c

Not

coveredLow

bNot

coveredb c c d

Not

coveredMedium

Not

coveredc c d d d eHigh

MTTFd

o each channel

Table 2: Simplied procedure or evaluating PL achieved by SRP/CS

From the table above it can be seen that only a category 4 architecture can be used

to achieve the highest PLe, but that is possible to achieve lower PLs using categories

depending upon the mix o MTTFd and DC o the components used.

Category B 1 2 2 3 3 4

Cat. B Cat. 1 Cat. Cat. Cat. Cat. Cat. 4

DCavg = DCavg = DCavg = DCavg = DCavg = DCavg = DCavg =

0 0 low medium low medium high

a

b

c

d

e

1

1

Saety category level “EN 54-1”

P e r f o r m a n c e l e v e l “ E N I S O 1 8 4 - 1 ”

S a f e t y I n t e g r i t y L e v e l “ E N I E C 6 0 6 1 ”

MTTFd o each channel = low

MTTFd o each channel = medium

MTTFd o each channel = high



6

Low >3 years to <10 years

Medium >10 years to <30 years

High >30 years to <100 years

Table 3: MTTFd levels

For the estimation o MTTFd o a component the ollowing data can be used, in order o

preerence:

1. Manuacturer’s data (MTTFd, B10 or B10d )

2. Methods in Annexes C and D o BS EN ISO 13849-1

3. Choose 10 years

Nil <60%

Low >60% to <90%

Medium >90% to <99%

High >99% Table 4: Diagnostic Coverage levels

Common Cause Failures (CCF) is when an external eect (such as physical damage)

renders a number o components unusable irrespective o MTTFd. Steps taken to reduce

CCF include:

- Diversity in the components used and modes in which they are driven

- Protection against pollution

- Separation

- Improved electromagnetic compatibility

Index MTTFd range

Index Diagnostic coverage

Diagnostic coverage is a measure o how many dangerous ailures the diagnostic system

will detect. The level o saety can be increased where sub-systems are tested internallyusing sel-diagnostics.



7

Which standard to use?

Unless a C-standard species a target SIL or PL, the designer is ree to choose whether to

use BS EN 62061 or BS EN ISO 13849-1, or indeed any other standard. Both

BS EN 62061 and BS EN ISO 13849-1 are harmonised standards that give a Presumption

o Conormity to the Essential Requirements o the Machinery Directive, in so ar as they

apply. However it should be remembered that whichever standard is chosen must be used

in its entirety, and they cannot be mixed in a single system.

Work is ongoing in a liaison group between IEC and ISO, to produce a common Annex or

the two standards with the aim o eventually producing a single standard.

BS EN 62061 is perhaps more comprehensive on the subjects o specication and

management responsibilities, whereas BS EN ISO 13849-1 is designed to allow an easier

transition rom BS EN 954-1.

Certifcation

Some component products are available with certication to a specic SIL or PL. It shouldbe remembered that these certicates are only an indication o the best SIL or PL that can

be achieved by a system using that component in a specic conguration, and are not a

guarantee that a completed system will meet any specic SIL or PL.



8

Control system

standards workedexamples



Perhaps the best way to understand the application o BS

EN 6061 and BS EN ISO 184-1 is by way o the worked

examples on the ollowing pages.

For both standards we will use the example where the opening o a

guard must cause the moving parts o a machine to stop, where i

it did not stop the resulting possible injury could be a broken arm or

amputated nger.



40

Saety-related electrical control systems in machines (SRECS) are playing an increasing role

in ensuring the overall saety o machines and are more and more requently using complex

electronic technology. This standard is specic to the machine sector within the ramework

o BS EN 61508.

It gives rules or the integration o sub-systems designed in accordance with

BS EN ISO 13849-1. It does not speciy the operating requirements o non-electrical

control components in machines (or example: hydraulic, pneumatic).

Functional approach to saety The process starts with analysis o the risks (BS EN ISO 14121-1) in order to be able to

determine the saety requirements. A particular eature o BS EN 62061 is that it prompts

the user to make an analysis o the architecture to perorm the saety unctions, then

consider sub-unctions and analyse their interactions beore deciding on a hardware

solution or the control system (the SRECS).

A functional safety plan must be drawn up and documented for each design

project. It must include:

A specication o the saety requirements or the saety unctions (SRCF) that is in two

parts:

- A description o the unctions and interaces, operating modes, unction priorities,

requency o operation, etc.

- Specication o the saety integrity requirements or each unction, expressed in terms

o SIL (Saety Integrity Level).

- Table 1 below gives the target maximum ailure values or each SIL.

Worked example using standard

BS EN 6061

3 >10-8 to <10-7

2 >10-7 to <10-6

1 >10-6 to <10-5

Saety integrity level Probability o a dangerousSIL Failure per Hour, PFHD

- The structured and documented design process or electrical control systems (SRECS),

- The procedures and resources or recording and maintaining appropriate inormation,

- The process or management and modication o the conguration, taking into accountorganisation and authorised personnel,

- The verication and validation plan.

Saety o Machinery - Functional Saety o saety-related electrical,electronic and electronic programmable control systems



41

The advantage o this approach is that it can oer a calculation method that incorporates

all the parameters that can aect the reliability o control systems. The method consists o

assigning a SIL to each unction, taking into account the ollowing parameters:

- The probability o a dangerous ailure o the components (PFHD ),

- The type o architecture (A, B, C or D), i.e.;

With or without redundancy,

With or without diagnostic eatures making it possible to control some o thedangerous ailures,

- Common cause ailures (CCF), including;

Short-circuits between channels,

Overvoltage,

Loss o power supply, etc.,

- The probability o dangerous transmission errors where digital communication is used,

- Electromagnetic intererence (EMI).

Designing a system is split into 5 steps ater having drawn up the unctional saety plan:

1. Based on the risk assessment, assign a saety integrity level (SIL) and identiy the basic

structure o the electrical control system (SRECS), describe each related unction (SRCF),

2. Break down each unction into a unction block structure (FB),

3. List the saety requirements or each unction block and assign the unction blocks to

the sub-systems within the architecture,

4. Select the components or each sub-system,

5. Design the diagnostic unction and check that the specied saety integrity level (SIL) is

achieved.

In our example, consider a unction which removes the power to a motor when a guard

is opened. I the unction ails, it would be possible or the machine operator’s arm to be

broken or a nger amputated.



4

Step 1 - Assign a saety integrity level (SIL) and identiy thestructure o the SRECS

Based on the risk assessment perormed in accordance with BS EN ISO 14121-1,

estimation o the required SIL is perormed or each saety-related control unction (SRCF)

and is broken down into parameters, as shown in the illustration below.

Frequency and

duration o

exposure

&

Severity o

the possible

harm

=Risk

related

to the

identifed

hazard

Probability o

occurrence o a

hazardous event

Probability o

avoiding or

limiting harm Av

Pr

FrProbability o

occurrence

o that harm

Se



4

Severity Se

The severity o injuries or damage to health can be estimated by taking into account

reversible injuries, irreversible injuries or death.

The recommended classication is shown in the table below.

Irreversible: death, losing an eye or arm 4

Irreversible: broken limb(s), losing a fnger(s) 3

Reversible: requiring attention rom a

medical practitioner 2

Reversible: requiring frst aid 1

Probability o the harm occurring

Each o the three parameters Fr, Pr, Av is estimated separately using the least avourable

case. It is recommended that a task analysis is used in order to ensure that estimation o

the probability o the harm occurring is correctly taken into account.

Frequency and duration o exposure Fr

The level o exposure is linked to the need to access the hazardous zone (normal

operation, maintenance, ...) and the type o access (manual eeding, adjustment, ...).

It is then possible to estimate the average requency and duration o exposure.

The recommended classication is shown in the table below:

< 1 h 5

> 1 h to < 1 day 5

> 1 day to < 2 weeks 4

> 2 weeks to < 1 year 3

> 1 year 2

Consequences Severity (Se)

Frequency o exposure Duration

> 10 min



44

Probability o occurrence o a hazardous event Pr

Two basic concepts must be taken into account:

the predictability o the dangerous components in the various parts o the machine in

its various operating modes (normal, maintenance, troubleshooting), paying particular

attention to unexpected restarting;

behaviour o the persons interacting with the machine, such as stress, atigue,inexperience, etc.

Very high 5

Likely 4

Possible 3

Rarely 2

Negligible 1

Probability o avoiding or limiting the harm Av

This parameter is linked to the design o the machine. It takes into account the suddenness

o the occurrence o the hazardous event, the nature o the hazard (cutting, temperature,

electrical), the possibility o physically avoiding the hazard, and the possibility or a person

to identiy a hazardous phenomenon.

Impossible 5

Rarely 3

Probable 1

Probabilities o avoiding or limiting harm (AV)

Probability o occurrence Probability (Pr)



45

SIL assignment:

Estimation is made with the help o the table below.

In our example, the degree o severity (Se) is 3 because there is a risk o a nger being

amputated; this value is shown in the rst column o the table. All the other parameters

must be added together in order to select one o the classes (vertical columns in the table

below), which gives:

Fr = 5 accessed several times a day

Pr = 4 hazardous event probable

Av = 3 probability o avoiding almost impossible

Thereore a class CI = 5 + 4 + 3 = 12

The saety-related electrical control system (SRECS) o the machine must perorm this

unction with an integrity level o SIL 2.

4

3

2

1

Severity (Se) Class (Cl)

3-4 5-7 8-10 11-13 14-15SIL 2 SIL 2 SIL 2 SIL 3 SIL 3

(OM) SIL 1 SIL 2 SIL 3

(OM) SIL 1 SIL 2

(OM) SIL 1

Basic structure o the SRECS

Beore going into detail about the hardware components to be used, the system is broken

down into sub-systems. In this example, 3 sub-systems are necessary to perorm theinput, processing and output unctions. The gure opposite illustrates this stage, using the

terminology given in the standard.

S u b s y s t e m

e l e m e n t s

Logic

solving

output

SubsystemsSRECS



46

Step - Break down each unction into a unction block structure (FB)

A unction block (FB) is the result o a detailed break down o a saety-related unction.

The unction block structure gives an initial concept o the SRECS architecture. The saety

requirements o each block are derived rom the saety requirements specication o the

corresponding saety-related control unction.

SRECSSIL target = SIL

Subsystem 1

Guard Sensing

Function blockFB1

Input

Subsystem

Logic Solving

Function blockFB2

Logic

Subsystem

Motor Power

Switching

Function blockFB3

Output

Step - List the saety requirements or each unction blockand assign the unction blocks to the sub-systems within thearchitecture.

Each unction block is assigned to a sub-system in the SRECS architecture. (The standard

denes ‘subsystem’ in such a way that ailure o any sub-system will lead to the ailure

o a saety-related control unction.) More than one unction block may be assigned to

each sub-system. Each sub-system may include sub-system elements and, i necessary,

diagnostic unctions in order to ensure that ailures can be detected and the appropriate

action taken.

These diagnostic unctions are considered as separate unctions; they may be perormed

within the sub-system, or by another sub-system. The sub-systems must achieve at least

the same SIL capability as assigned to the entire saety-related control unction, each with

its own SIL Claim Limit (SILCL). In this case the SILCL o each subsystem must be 2.

SRECSSubsystem 1

SILCL

Subsystem

Safety

Controller

SILCL

Subsystem

SILCL

Guard Sensing Logic Solving Motor PowerSwitching

Interlock Switch 1

Subsystem

element 1.1

Interlock Switch 2

Subsystem

element 1.2

Contactor 1

Subsystem

element 3.1

Contactor 2

Subsystem

element 3.2



47

Step 4 - Select the components or each sub-system

The products shown below are selected.

Guard SensingSubsystem 1 (SS1)

Logic SolvingSubsystem 2 (SS2)

Power SwitchingSubsystem 3 (SS3)

Interlock Switch 1

Interlock Switch 2

(Subsystem elements)

SS1 SILCL

Saety Relay

SS SILCL

Contactor 1

Contactor 2

(Subsystem elements)

SS SILCL

XCS saety limit switches 10 000 000 20% 10 years

XPS AK saety logic module PFHD = 5.96 x 10-9

LC1 TeSys contactor 1 000 000 73% 20 years

Component Number o % dangerous Lietime

operations (B10) ailures

The reliability data is obtained rom the manuacturer.

The cycle length in this example is 450 seconds, so the duty cycle C is 8 operations per hour,

i.e. the guard will be opened 8 times per hour.



48

Step 5 - Design the diagnostic unction

The SIL achieved by the sub-systems depends not only on the components, but also

on the architecture selected. For this example, we will choose architectures B or the

contactor outputs and D or the limit switch (See Annex 1 o this Guide or explanation o

architectures A, B, C and D).

In this architecture, the saety logic module perorms sel-diagnostics, and also checks the

saety limit switches. There are three sub-systems or which the SILCLs (SIL Claim Limits)

must be determined:

SS1: two saety limit switches in a sub-system with a type D (redundant) architecture;

SS2: a SILCL 3 saety logic module (determined rom the data, including PFHD, provided

by the manuacturer);

SS3: two contactors used in accordance with a type B (redundant with no eedback)

architecture

The calculation takes into account the ollowing parameters:

B10: number o operations at which 10% o the population will have ailed.

C: Duty cycle (number o operations per hour).

lD: rate o dangerous ailures (l = x proportion o dangerous ailures).

b: common cause ailure actor: see Annex F o the standard.

T1: Proo Test Interval or lie time, whichever is smaller, as specied by the manuacturer.

The standard states that designers should use a lietime o 20 years, to avoid the use o an

unrealistically short proo test interval being use to improve the SIL calculation. However

it recognises that electromechanical components can need replacement when their

specied number o operations is reached. Thereore the gure used or T1 can be themanuacturer’s quoted lietime, or in the case o electromechanical components the B10

value divided by the rate o operations C.

T2: diagnostic test interval.

DC: Diagnostic coverage rate = lDD

/ lDtotal

, the ratio between the rate o detected

dangerous ailures and the rate o total dangerous ailures.



4

Guard SensingSubsystem 1 (SS1)

Logic SolvingSubsystem 2 (SS2)

Power SwitchingSubsystem 3 (SS3)

Subsystem element 1.1

le

= 0,1 • C/B10

lDe

= l

e• 20%

Subsystem SS1

PFHD

= ? (Architecture D)

Subsystem SS

PFHD

= 5•6x10-

Subsystem SS

PFHD

= ? (Architecture B)Feed back loop

not used


le

= 0,1 • C/B10

lDe

= l

e• 20% D

D

Saety Relay


le

= 0,1 • C/B10

lDe

= l

e• 75%


le

= 0,1 • C/B10

lDe

= l

e• 75%

The ailure rate, l, o an electromechanical subsystem element is dened as

le = 0,1 x C / B10 , where C is the number o operations per hour in the application and

B10 is the expected number o operations at which 10% o the population will have ailed.

In this example we will consider C = 8 operations per hour.

SS1

2 monitored

limit switches

SS32 contactorswithoutdiagnostics

Failure rate or

each

element le

le

= 0.1 C/B10

Dangerous ailure

rate or each ele-

ment lDe

lDe

= le

x

proportion o

dangerous ailures

DC Not Applicable

Common cause

ailure actor bAssumed worst case o 10%

T1 T1 = B10

/C10 000 000/8 =

1250000

1000000/8 =

125000

Diagnostic test

interval T2

Each demand, i.e.

8 times per hour,

= 1/8 = 0.125 h

Not applicable

Dangerous ailurerate or each

subsystem

Formula orarchitecture B: Formula orarchitecture D lDssB =(1 – 0.9)

2

xlDe1

x lDe2

x T1

+ b

x (lDe1

+ lDe2

)/2l

DssB=(1 – b)2 x

lDe1

x lDe2

x T 1 + b

x (lDe1

+ lDe2

)/2

lDssD

= (1 – b)2 {[

lDe2

x 2 x DC ] x

T2 /2 + [ l

De2x (1

– DC) ] x T1} + b

x lDe



50

Looking at the output contactors in subsystem SS3 we need to calculate the PFHd. For the

type B architecture (single ault tolerant, without diagnostics) the probability o dangerous

ailure o the subsystem is:

lDssB

=(1 – b )2 x lDe1

x lDe2

x T 1

+ b x (lDe1

+ lDe2

)/2

[Equation B o the standard]

PFHDssB = lDssB x 1h

In this example, b = 0.1

lDe1

= lDe2

= 0.73 (0.1 X C / 1 000 000) = 0.73(0.8/1 000 000) = 5.84 x 10-7

T1 = 125 000 hours [B10/C]

lDssB

= (1 – 0.1)2 x 5.84 x 10-7 x 5.84 x 10-7 x 125 000 + 0.1 x ((5.84 x 10-7 ) + (5.84 x 10-7 ))/2

= 0.81 x 5.84 x 10-7 x 5.84 x 10-7 x 125 000 + 0.1 x 5.84 x 10-7

= 0.81x 3.41056 x 10-13 x 125000 + 0.1 x 5.84 x 10-7

= (3.453 x 10-8 ) + (5.84 x 10-8 ) = 9.29 x 10-8

Since PFHDssB = lDssB x 1h, PFHD or the contactors in Subsystem SS3 = 9.29 x 10-8

For the input limit switches in Subsystem SS1 we need to calculate the PFHD. For the Type D

architecture, single ault tolerance with diagnostic unction is dened.

This architecture is such that a single ailure o any subsystem element does not cause a loss

o the SRCF, where

T2

is the diagnostic test interval;

T1

is the proo test interval or lietime whichever is the smaller.

b is the susceptibility to common cause ailures;lD

= lDD

+ lDU

; where lDD

is the rate o

detectable dangerous ailures and lDU

is the rate o undetectable dangerous ailure.

lDD

= lD

x DC

lDU

= lD

x (1 – DC)

For subsystem elements o the same design:

lDe

is the dangerous ailure rate o a subsystem element;

DC is the diagnostic coverage o a subsystem element.

lDssD

= (1 – b )2 {[ lDe

2 x 2 x DC ] x T 2 /2 + [l

De2 x (1 – DC) ] x T

1} + b x l

De



51

D.2 o the standard

PFHDssD

= lDssD

x 1h

le= 0,1 •C / B10 = 0.1 x 8/10 000 000 = 8 x 10-8

lDe

= le

x 0.2 = 1.6 x 10-8

DC = 99%

b = 10% (worst case)

T 1

= B10/C – 10 000 000/8 = 1 250 000

T 2 = 1/C = 1/8 = 0.125 hour

From D.2:

lDssD

= (1 – 0.1)2 {[ 1.6 x 10-8 x 1.6 x 10-8 x 2 x 0.99 ] x 0.125 /2 + [1.6 x 10-8 x 1.6 x 10 -8 x

(1 – 0.99) ] x 1 250 000} + 0.1 x 1.6 x 10-8

= 0.81 x {[5.0688 x 10-16] x 0.0625 + [2.56 x 10-16 x(0.01)] x 1.250 000} + 1.6 x 10 -9

= 0.81 x {3.168 x 10-17 + [2.56 x 10-18] x 1250 000} + 1.6 x 10-9

= 0.81 x {3.96 x 10-11} + 1.6 x 10-9

= 1.63 x 10-9

Since PFHDssD

= lDssD

x 1h, PFHD or the limit switches in Subsystem SS1 = 1.63 x 10-9

We already know that or Subsystem SS2, PFHD

or the logic solver Function Block

(implemented by the saety relay XPSAK) is 5.96 x 10-9 (manuacturer’s data)

The overall PFHD

or the saety related electrical control system (SRECS) is the sum o the

PFHDs or all the Function Blocks, and is thereore:

PFHDSRECS

= PFHDSS1

+ PFHDSS2

+ PFHDSS3

=

(9.29 x 10-8 ) + (5.96 x 10-9 )+ (1.63 x 10-9 )

= 1.0049 x 10-7, which by referring to the table below from the standard, is within

the limits of SIL 2.

3 >10-8 to <10-7

2 >10-7 to <10-6

1 >10-6 to <10-5

Saety integrity level Probability o a dangerous

Failure per Hour, PFHD

Note that if the mirror contacts on the contactors are used the architecture of the

power control function would become type D (redundant with feedback) and the

resulting SIL claim limit would increase from SIL2 to SIL 3.

This provides further risk reduction of the probability of failure of the safety

function, being in tune with the concept of reducing risk to be as low as

reasonably practical (ALARP)

LC1D TeSys contactors

eature mirror contacts



5

As with BS EN 62061, the process can be considered to comprise a series o 6 logical

steps.

STEP 1: Risk Assessment and identication o the necessary saety unctions.

STEP 2: Determine the required Perormance Level (PLr) or each saety unction.

STEP 3: Identiy the combination o saety-related parts which carry out the saety unction.

STEP 4: Evaluate the Perormance Level PL or the all saety-related parts.

STEP 5: Veriy that the PL o the SRP/CS or the saety unction is at least equal to the PLr.

STEP 6: Validate that all requirements are met (see BS EN ISO 13849-2).

For more detail please reer to Annex o this Guide.

STEP 1: As in the previous example, we need a saety unction to remove the power

supply to the motor when the guard is open.

STEP 2: Using the “risk graph” rom Figure A.1 o BS EN ISO 13849-1, and the same

parameters as in the previous example, the required Perormance Level is d

(note: PLd is oten compared to SIL 2 as “equivalent”).

H = High contribution to reduction o the risk by the control system

L = Low contribution to reduction o the risk by the control system

S = Severity o injury

S1 = Slight (normally reversible injury)

S2 = Serious (normally irreversible injury including death)

F = Frequency and/or exposure time to the hazard

F1 = seldom or less oten and/or the exposure time is short

F2 = frequent to continuous and/or the exposure time is long

P = Possibility o avoiding the hazard or limiting the harm

P1 = possible under specic conditions

P2 = scarcely possible

Worked example using standard

BS EN ISO 184-1

Saety o machinery - Saety-related parts o control systems - Part 1:General principles or design



5

STEP 3: The same basic architecture as in the previous example or BSEN 62061 will be

considered, in other words category 3 architecture without eedback

Input Logic Output

Interlock Switch 1SW1

Interlock Switch 2

SW2

Contactor 1CON1

Contactor 2

CON2

Safety relay

XPS

SRP/CSa

SRP/CSb

SRP/CSc

STEP 4: The PL o the SRP/CS is determined by estimation o the ollowing parameters:

(see Annex 2):

- The CATEGORY (structure) (see Clause 6 o BS EN ISO 13849-1). Note that in this

example the use o a category 3 architecture means that the mirror contacts on the

contactors are not used.

- The MTTFd

or the single components (see Annexes C & D o BS EN ISO 13849-1)

- The Diagnostic Coverage (see Annex E o EN BS EN ISO 13849-1)

- The Common Cause Failures (see score table in Annex F o BS EN ISO 13849-1)

The manuacturer gives the ollowing data or the components:

Example SRP/CS B10 (operations) MTTFd

(years) DC

Saety limit

switches10 000 000 99%

Saety logic

module XPSAK 72.2 99%

Contactors 1 000 000 99%

Note that because the manuacturer does not know the application details, and specically

the cycle rate o the electromechanical devices, he can only give B10 or B10d

data or the

electromechanical components. This explains why no manuacturer should provide an

MTTFd

gure or an electromechanical device.



54

The MTTFd

or components can be determined rom the ormula:

MTTFd

= B10d / 0.1 x nop

Where nop

is the mean annual number o operations.

B10 is number o operations at which 10% o the population will have ailed.

B10d is the expected time at which 10% o the population will have ailed in a “dangerous”

mode. Without specic knowledge o which mode in which a component is being used,

and hence what constitutes a dangerous ailure, it can generally be assumed that 50% o

ailures are dangerous, thereore B10d

= 2 x B10

Assuming the machine is used or 8 hours a day, or 220 days per year, with a cycle time o

90 seconds as beore, nop

will be 70400 operations per year.

Assuming that B10d = 2 x B10, the table becomes:

Example

SRP/CS

B10

(operations)B10d MTTFd (years) DC

Saety limit

switches 10 000 000 20 000 000 2840 99%

Saety logic

module XPSAK 72.2 99%

Contactors 1 000 000 2 000 000 284 99%

The MTTFd

gures in bold red have been derived rom the application data using the cycle

rates and B10 data.

The MTTFd

can be calculated or each channel by using the parts count method in

Annex D o the standard.

SW1MTTF

d= 840y

SWMTTF

d= 840y

XPS

MTTFd

=7,y

CON1MTTF

d= 84y

CONMTTF

d= 84y

Channel 1

Channel

In this example the calculation is identical or channels 1 and 2:

The MTTFd

or each channel is thereore 56.4 years; this is “high” according to Table 4

From the equations in Annex E o the standard we can determine that DCavg

= 99%

1 1 1 1 1

MTTFd 2840 years 72.2 years 284 years 56.4 years= =++



55

STEP 5: Veriy that the PL o the system matches the required PL (PLr)

Knowing that we have a category 3 architecture, a high MTTFd

and a high average

Diagnostic Coverage (DCavg

), it can be seen rom the table below (g. 5 o the standard) that

we have met either PLe or PLd, which meets the required PLd. To clariy accurately whether

PLd or PLe has been achieved reer to Annex K o the standard which reveals that, or dual

channel systems which have an MTTFd

o 56 years, the resulting average probability o

dangerous ailure per hour and corresponding PL are 1.03 x 10-7 and PLd, just on the edge

o becoming PLe.

Just as in the BS EN 62061 worked example, it only takes the wiring o both contactors’

normally closed auxiliary mirror contacts back to the external device monitoring input o the

saety relay to change the architecture to category 4. Doing this converts the PL rom d to e.

Knowing that we have a category 4 architecture, a high MTTFd

and a high average

Diagnostic Coverage (DCavg

), reerring to Table 7 o the standard shows that the resulting

Perormance Level is PLe, which matches the PLr.

STEP 6: Validation – check working and where necessary test

(BS EN ISO 13849-2 under revision).

Cat. B Cat. 1 Cat. Cat. Cat. Cat. Cat. 4

DCavg = DCavg = DCavg = DCavg = DCavg = DCavg = DCavg =

0 0 low medium low medium high

a

b

c

d

e

1

1

Saety category level “EN 54-1”

P e r f o r m a n c e l e v e l “ E N I S O 1 8 4 - 1 ”

S a f e t y I n t e g r i t y L e v e l “ E N I E C 6 0 6 1 ”

MTTFd o each channel = low

MTTFd o each channel = medium

MTTFd o each channel = high



56

Sources o

inormation



57

Legislation

UK Supply o Machinery (Saety) Regulations 2008, Statutory Instrument (SI) 2008/1597

European Machinery Directive 2006/42/EC

BS EN ISO 14121 Saety o machinery – principles o risk assessment

BS EN ISO 12100 Saety o machinery – basic concepts, general principles or design

- part 1: basic terminology, methodology

BS PD 5304:2005 Guidance on sae use o machinery

BS EN 60204 Saety o machinery. Electrical equipment o machines. General requirements

BS EN 13850 Saety o machinery. Emergency stop. Principles or design

BS EN 62061 Saety o machinery, Functional saety o saety-related electrical, electronic

and programmable electronic control systems

BS EN 61508 Functional saety o electrical/electronic/programmable electronic saety

- related systems

BS EN ISO 13849-1 Saety o machinery - Saety-related parts o control systems -

Part 1: General principles or design

Schneider Electric documents

Schneider Electric “Saety Functions and solutions using Preventa” Catalogue 2008/9,

Re. MKTED208051EN

Websites

New Approach Standardisation in the Internal Market - www.newapproach.org

Department or Business Enterprise & Regulatory Reorm - www.berr.gov.uk

British Standards Institution - www.bsi-global.com

International Electrotechnical Committee - www.iec.ch

European Committee or Standardisation (CEN) - www.cenorm.be

European Committee or Electrotechnical Standardisation (CENELEC) - www.cenelec.eu



58

Annexes -

architectures



5

Annex 1

Architectures o BS EN 6061

Architecture A: Zero ault tolerance, no diagnostic unction

Where: lDe

is the rate o dangerous ailure o the element

lDSSA

= lDE1

+ ... + lDen

PFHDSSA

= lDSSA

• 1h

Architecture A

Subsystem element 1

lDe1

Subsystem element 1

lDen

Architecture B: Single ault tolerance, no diagnostic unction

Where: T 1

is the proo test interval or lie time whichever is smaller

(Either rom the supplier or calculate or electromechanical product by: T 1

= B10 /C)

b is the susceptibility to common cause ailures

(b is determined using the Score Table F.1 rom EN IEC 62061)

lDSSB = (1 - b )2 • lDe1 • lDe2 • T 1 + b • (lDe1 + lDe2 )/2

PFHDSSB

= lDSSB

• 1h

Architecture B

Subsystem element 1

lDe1

Common cause failure

Subsystem element 2

lDe2

Logical representation o the subsystem




Diagnostic function(s)

60

Architecture C: Zero ault tolerance, with a diagnostic unction

Where: DC is the diagnostic coverage = S lDD / l

D

lDD

is the rate o detected dangerous ailure and lD

is the rate o total dangerous ailure

The DC depends on the eectivity o the diagnostic unction used in this subsystem

lDSSC

= lDe1

• (1 - DC1 ) + ... + l

Den• (1 - DC

n )

PFHDSSC

= lDSSC

• 1h

Architecture C

Subsystem element 1

lDe1

Subsystem element n

lDen


Diagnostic function(s)

Architecture D: Single ault tolerance, with a diagnostic unction

Where: T 1

is the proo test interval or lie time whichever is smaller

T 2

is the diagnostic test interval

(At least equal to the time between the demands o the saety unction)

b is the susceptibility to common cause ailures

(To be determined with the score table in Annex F o EN IEC 62061)

DC is the diagnostic coverage = S lDD / lD

(lDD

is the rate o the detected dangerous ailure and lD

is the rate o the total dangerous

ailure)

Architecture D

Subsystem element 1

lDe1

Common cause failure


Subsystem element 2

lDe2



61

Architecture D: Single ault tolerance, with a diagnostic unction

For Subsystem elements of different design

lDe1

= dangerous ailure rate o subsystem element 1; DC1

= diagnostic coverage o subsystem element 1

lDe2

= dangerous ailure rate o subsystem element 2; DC2

= diagnostic coverage o subsystem element 2

lDSSD

= (1-b )2 {[lDe1

• l

De2(DC

1+ DC

2 )]•T

2 /2 + [l

De1•

l

De2•(2-DC

1-DC

2 )]•T

1 /2}+b• (l

De1+

l

De2 )/2

PFHDSSD

= lDSSD

• 1h

For Subsystem elements of the same design

lDe

= dangerous ailure rate o subsystem element 1 or 2; DC = diagnostic coverage o the subsystem element 1 or 2

lDSSD

= (1-b )2 {[lDe

2 • 2 • DC] T

2 /2 + [l

De2 • (1-DC)] • T

1} + b • l

De

PFHDSSD

= lDSSD

• 1h

Annex Categories o BS EN ISO 184-1

Category Description Example

Category BWhen a ault occurs it can lead to the loss o the saety

unction

Category 1

When a ault occurs it can lead to the loss o the saety

unction, but the MTTFd

o each channel in Category 1 is

higher than in Category B. Consequently the loss o the saety

unction is less likely.

Category

Category 2 system behaviour allows that: the occurrence

o a ault can lead to the loss o the saety unction between

the checks; the loss o the saety unction is detected by the

check.

Category

SRP/CS to Category 3 shall be designed so that a single

ault in any o these saety-related parts does not lead to the

loss o the saety unction. Whenever reasonably possible the

single ault shall be detected at or beore the next demand

upon the saety unction

Category 4

SRP/CS to Category 4 shall be designed so that a single

ault in any o these saety-related parts does not lead to the

loss o the saety unction, and the single ault is detected on

or beore the next demand upon the saety unctions, e.g.

immediately, at switch on, at end o a machine operation

cycle. I this detection is not possible an accumulation o

undetected aults shall not lead to the loss o the saety

unction.

OutputInput Logicim

im

OutputInput Logicim

im

OutputInput Logicim

im

TestOutput

TestEquipment

im

Output 1Input 1 Logic 1im

im


im

m

m

Cross Monitoring


im


im

m

m

Cross Monitoring



6



6



Nationwide support on one number -

call the Customer Information Centre on

0870 608 8 608Schneider Electric’s local support

Schneider Electric is committed to supporting its customers at every stage o a project. Our 180 sales engineers, the largest

dedicated sales orce in the UK electrical industry, operate rom 4 customer support centres.

Our sales engineers are skilled at assessing individual requirements and combined with the expert support o our product

specialists, will develop the most eective and economical answer taking relevant regulations and standards ully into account.

To access the expertise o the Schneider Electric group, please call 0870 608 8 608. Each customer support centre includes

acilities or demonstrations and training, and presentation rooms ully equipped with audio visual and video, providing

excellent meeting acilities.

Merlin Gerin is a world leader in the manuacture and

supply o high, medium and low voltage products or the

distribution, protection, control and management o

electrical systems and is ocused on the needs o both the

commercial and industrial sectors. The newly launched VDI

Network Solutions oer provides exible, confgurable

ethernet systems or all communication needs.

Square D is a total quality organisation and its business

is to put electricity to work productively and eectively,

protecting people, buildings and equipment. Its low voltage

electrical distribution equipment, systems and services are

used extensively in residential and commercial applications.

Telemecanique is a UK market leader and world expert in

automation and control. It provides complete solutions, with

it’s range o components, Modicon range o high technology

programmable controllers (PLCs), multiple feldbus and

ethernet communication networks, HMI, motion control

systems, variable speed drives and communications sotware.

In addition, it oers power distribution through preabricated

busbar trunking.

Product showrooms

Local customer support centres

Scotland

Schneider Electric Ltd

Unit 18

Claremont Centre

112a Cornwall Street South

Kinning Park

Glasgow G41 1AA

South West


PO Box 41

Langley Road

Chippenham

Wiltshire SN51 1JJ

North West


First Floor

Market House

Church Street

Wilmslow

Cheshire SK9 1AY

Industrial systems and solutions showroom

Schneider Electric Ltd, University o Warwick Science Park, Sir William Lyons Road, Coventry CV4 7EZ

Building systems and solutions showroom

Schneider Electric Ltd, Staord Park 5, Telord, Shropshire TF3 3BL

Energy and Infrastructure systems and solutions showroom