Functional Safety of Machinery: How to Apply ISO 13849-1 and IEC 62061

This document was uploaded by one of our users. The uploader already confirmed that they had the permission to publish it. If you are author/publisher or own the copyright of this documents, please report to us by using this DMCA report form.

Simply click on the Download Book button.

Yes, Book downloads on Ebookily are 100% Free.

Sometimes the book is free on Amazon As well, so go ahead and hit "Search on Amazon"

FUNCTIONAL SAFETY OF MACHINERY

Enables readers to understand ISO 13849-1 and IEC 62061 standards and provides a practical approach to functional safety in machinery design

Functional Safety of Machinery: How to Apply ISO 13849-1 and IEC 62061 introduces functional safety of machinery as a single unified approach, despite the existence of two standards. Aligning with the latest updates of ISO 13849-1 and IEC 62061, the book explains the intent behind the standards and the mathematical basis on which they are written, details the differences between the two standards, and prescribes ways to put them into practice.

To aid in seamless reader comprehension, detailed examples are included throughout the book which walk readers through concepts like Random and Systematic Failures, High and Low demand mode of operation, Diagnostic Coverage, and Safe Failure Fraction. Other sample topics covered within the book include:

  • Basics of reliability engineering and functional safety
  • Roles of the standards in the design and evaluation of safety functions
  • Description of the Main Parameters used in the two standards
  • How to deal with Low Demand Safety Systems
  • The Categories of ISO 13849-1 and the Basic Subsystem Architectures of IEC 62061
  • How Categories and Architectures can be validated

Machinery design engineers, machinery manufacturers, and professionals in system and industrial safety fields can use this book as a one-stop resource to understand the specifics and applications of ISO 13849-1 and IEC 62061.

Author(s): Marco Tacchini
Publisher: Wiley
Year: 2023

Language: English
Pages: 353
City: Hoboken

Cover
Title Page
Copyright Page
Contents
Preface
Acknowledgments
About the Author
Before You Start Reading this Book
Chapter 1 The Basics of Reliability Engineering
1.1 The Birth of Reliability Engineering
1.1.1 Safety Critical Systems
1.2 Basic Definitions and Concepts of Reliability
1.3 Faults and Failures
1.3.1 Definitions
1.3.2 Random and Systematic Failures
1.3.2.1 How Random is a Random Failure?
1.4 Probability Elements Beyond Reliability Concepts
1.4.1 The Discrete Probability Distribution
1.4.1.1 Example: 10 Colored Balls
1.4.1.2 Example: 2 Dice
1.4.2 The Probability Density Function f (x)
1.4.2.1 Example
1.4.3 The Cumulative Distribution Function F(x)
1.4.4 The Reliability Function R(t)
1.5 Failure Rate λ
1.5.1 The Maclaurin Series
1.5.2 The Failure in Time or FIT
1.5.2.1 Example
1.6 Mean Time to Failure
1.6.1 Example of a Non-Constant Failure Rate
1.6.2 The Importance of the MTTF
1.6.3 The Median Life
1.6.4 The Mode
1.6.4.1 Example
1.6.4.2 Example
1.7 Mean Time Between Failures
1.8 Frequency Approach Example
1.8.1 Initial Data
1.8.2 Empirical Definition of Reliability and Unreliability
1.9 Reliability Evaluation of Series and Parallel Structures
1.9.1 The Reliability Block Diagrams
1.9.2 The Series Configuration
1.9.3 The Parallel Configuration
1.9.3.1 Two Equal and Independent Elements
1.9.4 M Out of N Functional Configurations
1.10 Reliability Functions in Low and High Demand Mode
1.10.1 The PFD
1.10.1.1 The Protection Layers
1.10.1.2 Testing of the Safety Instrumented System
1.10.2 The PFDavg
1.10.2.1 Dangerous Failures
1.10.2.2 How to Calculate the PFDavg
1.10.3 The PFH
1.10.3.1 Unconditional Failure Intensity w(t) vs Failure Density f (t)
1.10.3.2 Reliability Models Used to Estimate the PFH
1.11 Weibull Distribution
1.11.1 The Probability Density Function
1.11.2 The Cumulative Density Function
1.11.3 The Instantaneous Failure Rate
1.11.4 The Mean Time to Failure
1.11.4.1 Example
1.12 B10D and the Importance of T10D
1.12.1 The BX% Life Parameter and the B10D
1.12.1.1 Example
1.12.2 How λD and MTTFD are Derived from B10D
1.12.3 The Importance of the Parameter T10D
1.12.4 The Surrogate Failure Rate
1.12.5 Markov
1.13 Logical and Physical Representation of a Safety Function
1.13.1 De-energization of Solenoid Valves
1.13.2 Energization of Solenoid Valves
Chapter 2 What is Functional Safety
2.1 A Brief History of Functional Safety Standards
2.1.1 IEC 61508 (All Parts)
2.1.1.1 HSE Study
2.1.1.2 Safety Integrity Levels
2.1.1.3 FMEDA
2.1.1.4 High and Low Demand Mode of Operation
2.1.1.5 Safety Functions and Safety-Related Systems
2.1.1.6 An Example of Risk Reduction Through Functional Safety
2.1.1.7 Why IEC 61508 was Written
2.1.2 ISO 13849-1
2.1.3 IEC 62061
2.1.4 IEC 61511
2.1.4.1 Introduction
2.1.4.2 The Second Edition
2.1.4.3 Designing a SIS
2.1.4.4 Three Methods
2.1.4.5 The Concept of Protection Layers
2.1.4.6 The Different Types of Risk
2.1.4.7 The Tolerable Risk
2.1.4.8 The ALARP Principle
2.1.4.9 Hazard and Operability Studies (HAZOP)
2.1.4.10 Layer of Protection Analysis (LOPA)
2.1.5 PFDavg for Different Architectures
2.1.5.1 1oo1 Architecture in Low Demand Mode
2.1.5.2 Series of 1oo1 Architecture in Low Demand Mode
2.1.5.3 1oo2 Architecture in Low Demand Mode
2.1.5.4 1oo3 Architecture in Low Demand Mode
2.1.5.5 2oo3 Architecture in Low Demand Mode
2.1.5.6 Summary Table
2.1.5.7 Example of PFDAvg Calculation
2.1.6 Reliability of a Safety Function in Low Demand Mode
2.1.7 A Timeline
2.2 Safety Systems in High and Low Demand Mode
2.2.1 Structure of the Control System in High and Low Demand Mode
2.2.1.1 Structure in Low Demand Mode, Process Industry
2.2.1.2 Structure in High Demand Mode, Machinery
2.2.1.3 Continuous Mode of Operation
2.2.2 The Border Line Between High and Low Demand Mode
2.2.2.1 Considerations in High Demand Mode
2.2.2.2 Considerations in Low Demand Mode
2.2.2.3 The Intermediate Region
2.3 What is a Safety Control System
2.3.1 Control System and Safety System
2.3.2 What is Part of a Safety Control System
2.3.3 Implication of Implementing an Emergency Start Function
2.4 CE Marking, OSHA Compliance, and Functional Safety
2.4.1 CE Marking
2.4.2 The European Standardization Organizations (ESOs)
2.4.3 Harmonized Standards
2.4.4 Functional Safety in North America
2.4.4.1 The Concept of Control Reliable
2.4.4.2 Functional Safety in the United States
Chapter 3 Main Parameters
3.1 Failure Rate ( λ)
3.1.1 Definition
3.1.2 Detected and Undetected Failures
3.1.3 Failure Rate for Electromechanical Components
3.1.3.1 Input Subsystem: Interlocking Device
3.1.3.2 Input Subsystem: Pressure Switch
3.1.3.3 Output Subsystem: Solenoid Valve
3.1.3.4 Output Subsystem: Power Contactor
3.2 Safe Failure Fraction
3.2.1 SFF in Low Demand Mode: Pneumatic Solenoid Valve
3.2.1.1 Example
3.2.2 SFF in High Demand Mode: Pneumatic Solenoid Valve
3.2.2.1 Example for a 1oo1 Architecture
3.2.2.2 Example for a 1oo2D Architecture
3.2.3 SFF and Electromechanical Components
3.2.3.1 The Advantage of Electronic Sensors
3.2.3.2 SFF and DC for Electromechanical Components
3.2.4 SFF in Low Demand Mode: Analog Input
3.2.5 SFF and DC in High Demand Mode: The Dynamic Test and Namur Circuits
3.2.5.1 Namur Type Circuits
3.2.5.2 Three Wire Digital Input
3.2.6 Limits of the SFF Parameter
3.2.6.1 Example
3.3 Diagnostic Coverage (DC)
3.3.1 Levels of Diagnostic
3.3.2 How to Estimate the DC Value
3.3.3 Frequency of the Test
3.3.4 Direct and Indirect Testing
3.3.4.1 DC for the Component and for the Channel
3.3.5 Testing by the Process
3.3.6 Examples of DC Values
3.3.7 Estimation of the Average DC
3.4 Safety Integrity and Architectural Constraints
3.4.1 The Starting Point
3.4.2 The Systematic Capability
3.4.2.1 Systematic Safety Integrity
3.4.3 Confusion Generated by the Concept of Systematic Capability
3.4.3.1 Random Capability
3.4.3.2 Systematic Capability
3.4.3.3 ISO 13849-1
3.4.4 The Safety Lifecycle
3.4.5 The Software Safety Lifecycle
3.4.6 Hardware Fault Tolerance
3.4.7 The Hardware Safety Integrity
3.4.7.1 Type A and Type B Components
3.4.8 Route 1H
3.4.8.1 Route 1H and Type A Component: Example
3.4.8.2 Route 1H and Type B Component: Example
3.4.9 High Demand Mode Safety-Related Control Systems
3.4.9.1 Example
3.4.10 Route 2H
3.5 Mean Time to Failure (MTTF)
3.5.1 Examples of MTTF Values
3.5.2 Calculation of MTTFD and λD for Components from B10D
3.5.3 Estimation of MTTFD for a Combination of Systems
3.5.3.1 Example for Channels in Series
3.5.3.2 Example for Redundant Channels
3.6 Common Cause Failure (CCF)
3.6.1 Introduction to CCF and the Beta-Factor
3.6.2 How IEC 62061 Handles the CCF
3.6.3 How ISO 13849-1 Handles the CCF
3.7 Proof Test
3.7.1 Proof Test Procedures
3.7.1.1 Example of a Proof Test Procedure for a Pressure Transmitter
3.7.1.2 Example of a Proof Test Procedure for a Solenoid Valve
3.7.2 How the Proof Test Interval Affects the System Reliability
3.7.2.1 Example
3.7.3 Proof Test in Low Demand Mode
3.7.3.1 Imperfect Proof Testing and the Proof Test Coverage (PTC)
3.7.3.2 Partial Proof Test (PPT)
3.7.3.3 Example for a Partial Valve Stroke Test
3.7.4 Proof Test in High Demand Mode
3.8 Mission Time and Useful Lifetime
3.8.1 Mission Time Longer than 20 Years
Chapter 4 Introduction to ISO 13849-1 and IEC 62061
4.1 Risk Assessment and Risk Reduction
4.1.1 Cybersecurity
4.1.2 Protective and Preventive Measures
4.1.3 Functional Safety as Part of the Risk Reduction Measures
4.1.4 The Naked Machinery
4.2 SRP/CS, SCS, and the Safety Functions
4.2.1 SRP/CS and SCS
4.2.2 The Safety Function and Its Subsystems
4.2.3 The Physical and the Functional Level
4.3 Examples of Safety Functions
4.3.1 Safety-Related Stop
4.3.2 Safety Sub-Functions Related to Power Drive Systems
4.3.2.1 Stopping Functions
4.3.2.2 Monitoring Functions
4.3.2.3 Information to be Provided by the PDS Manufacturer
4.3.3 Manual Reset
4.3.3.1 Multiple Sequential Reset
4.3.3.2 How to Implement the Reset Electrical Architecture
4.3.4 Restart Function
4.3.5 Local Control Function
4.3.6 Muting Function
4.3.7 Operating Mode Selection
4.4 The Emergency Stop Function
4.5 The Reliability of a Safety Function in High Demand Mode
4.5.1 PFHD and PFH
4.5.2 The Performance Level
4.5.3 The Safety Integrity Level
4.5.4 Relationship Between SIL and PL
4.5.5 Definition of Harm
4.6 Determination of the Required PL (PLr) According to ISO 13849-1
4.6.1 Risk Parameters
4.6.1.1 S: Severity of Injury
4.6.1.2 F: Frequency and/or Exposure Time to Hazard
4.6.1.3 P: Possibility of Avoiding Hazard or Limiting Harm
4.6.1.4 An Example on How to Use the Graph
4.7 Rapex Directive
4.8 Determination of the Required SIL (SILr) According to IEC 62061
4.8.1 Risk Elements and SIL Assignment
4.8.2 Severity (Se)
4.8.3 Probability of Occurrence of Harm
4.8.3.1 Frequency and Duration of Exposure (Fr)
4.8.3.2 Probability of Occurrence of a Hazardous Event (Pr)
4.8.3.3 Probability of Avoiding or Limiting the Harm (Av)
4.8.3.4 Example of the Table Use
4.9 The Requirements Specification
4.9.1 Information Needed to Prepare the SRS or the FRS
4.9.2 The Specifications of All Safety Functions
4.10 Iterative Process to Reach the Required Reliability Level
4.11 Fault Considerations and Fault Exclusion
4.11.1 How Many Faults Should be Considered?
4.11.2 Fault Exclusion and Interlocking Devices
4.11.2.1 Fault Exclusion Applied to Interlocking Devices
4.11.2.2 Fault Exclusion on Pre-defined Subsystems
4.11.2.3 Fault Exclusion Made by the Machinery Manufacturer
4.11.2.4 Types of Guard Locking Mechanism
4.11.2.5 What Are the Safety Signals in an Interlocking Device with Guard Lock?
4.11.2.6 What Safety Functions are Associated to a Guard Interlock
4.11.3 Other Examples of Fault Exclusions
4.11.3.1 Short Circuit Between any Two Conductors
4.11.3.2 Welding of Contact Elements in Contactors
4.12 International Standards for Control Circuit Devices
4.12.1 Direct Opening Action
4.12.1.1 Direct and Non-Direct Opening Action
4.12.2 Contactors Used in Safety Applications
4.12.2.1 Power Contactors
4.12.2.2 Auxiliary Contactors
4.12.2.3 Electromechanical Elementary Relays
4.12.3 How to Avoid Systematic Failures in Motor Branch Circuits
4.12.3.1 How to Protect Contactors from Overload and Short Circuit
4.12.3.2 Contactor Reliability Data
4.12.4 Implications Coming from IEC 60204-1 and NFPA 79
4.12.4.1 Wrong Connection of the Emergency Stop Button
4.12.4.2 Situation in Case of Two Faults: Again a Wrong Connection!
4.12.4.3 Correct Wiring and Bonding in a Control Circuit
4.12.5 Enabling and Hold to Run Devices
4.12.5.1 Enabling Devices
4.12.5.2 Hold to Run Device
4.12.6 Current Sinking and Sourcing Digital I/O
4.13 Measures for the Avoidance of Systematic Failures
4.13.1 The Functional Safety Plan
4.13.2 Basic Safety Principles
4.13.2.1 Application of Good Engineering Practices
4.13.2.2 Use of De-energization Principles
4.13.2.3 Correct Protective Bonding (Electrical Basic Safety Principle)
4.13.3 Well-Tried Safety Principles
4.13.3.1 Positively Mechanically Linked Contacts
4.13.3.2 Fault Avoidance in Cables
4.14 Fault Masking
4.14.1 Introduction to the Methodology
4.14.1.1 Redundant Arrangement with Star Cabling
4.14.1.2 Redundant Arrangement with Branch Cabling
4.14.1.3 Redundant Arrangement with Loop Cabling
4.14.1.4 Single Arrangement with Star Cabling
4.14.1.5 Single Arrangement with Branch Cabling
4.14.1.6 Single Arrangement with Loop Cabling
4.14.2 Fault Masking Example: Unintended Reset
4.14.3 Methodology for DC Evaluation
4.14.3.1 The Simplified Method
4.14.3.2 Regular Method
4.14.3.3 Example
Chapter 5 Design and Evaluation of Safety Functions
5.1 Subsystems, Subsystem Elements, and Channels
5.1.1 Subsystems
5.1.2 Subsystem Element and Channel
5.1.3 Decomposition of a Safety Function
5.1.4 Definition of Device Types
5.1.4.1 Device Type 1
5.1.4.2 Device Type 2
5.1.4.3 Device Type 3
5.1.4.4 Device Type 4
5.1.4.5 Implication for General Purpose PLCs
5.2 Well-Tried Components
5.2.1 List of Well-Tried Components
5.2.1.1 Mechanical Systems
5.2.1.2 Pneumatic Systems
5.2.1.3 Hydraulic Systems
5.2.1.4 Electrical Systems
5.3 Proven in Use and Prior Use Devices
5.3.1 Proven in Use
5.3.2 Prior Use Devices
5.3.3 Prior Use vs Proven in Use
5.4 Use of Process Control Systems as Protection Layers
5.5 Information for Use
5.5.1 Span of Control
5.5.2 Information for the Machinery Manufacturer
5.5.3 Information for the User
5.6 Safety Software Development
5.6.1 Limited and Full Variability Language
5.6.2 The V-Model
5.6.3 Software Classifications According to IEC 62061
5.6.3.1 Software Level 1
5.6.3.2 Software Safety Requirements for Level 1
5.6.3.3 Software Design Specifications for Level 1
5.6.3.4 Software Testing for Level 1
5.6.3.5 Validation of Safety-Related Software
5.6.4 Software Safety Requirements According to ISO 13849-1
5.6.4.1 Requirements When SRASW is Developed with LVL
5.6.4.2 Software-Based Manual Parameterization
5.7 Low Demand Mode Applications in Machinery
5.7.1 How to Understand if a Safety System is in High or in Low Demand Mode
5.7.1.1 Milling Machine
5.7.1.2 Industrial Furnaces
5.7.2 Subsystems in Both High and Low Demand Mode
5.7.3 How to Address Low Demand Mode in Machinery
5.7.4 Subsystems Used in Both High and Low Demand Mode
5.7.5 How to Assess “Mixed” Safety Systems: Method 1
5.7.5.1 How to Estimate the Failure Rate of the Shared Subsystem
5.7.5.2 Relationship Between PFDavg and PFHD
5.7.5.3 Safety Functions 1 with a Shared Subsystem: Method 1
5.7.5.4 Safety Functions 2 with a Shared Subsystem: Method 1
5.7.6 How to Assess “Mixed” Safety Systems: Method 2
5.7.6.1 How the Method Works
5.7.6.2 Safety Function 2 with a Shared Subsystem: Method 2
Chapter 6 The Categories of ISO 13849-1
6.1 Introduction
6.1.1 Introduction to the Simplified Approach
6.1.2 Physical and Logical Representation of the Architectures
6.1.3 The Steps to be Followed
6.2 The Five Categories
6.2.1 Introduction
6.2.2 Category B
6.2.3 Category 1
6.2.3.1 Example of a Category 1 Input Subsystem: Interlocking Device
6.2.4 Category 2
6.2.5 Markov Modelling of Category 2
6.2.5.1 The OK State
6.2.5.2 From the OK State to the Failure State
6.2.5.3 From the Failure State to the Hazardous Event
6.2.5.4 Other States in the Transition Model
6.2.5.5 The Simplified Graph of the Markov Modelling
6.2.5.6 The Importance of the Time-Optimal Testing
6.2.5.7 1oo1D in Case of Time-Optimal Testing
6.2.6 Conditions for the Correct Implementation of a Category 2 Subsystem
6.2.7 Examples of Category 2 Circuits
6.2.7.1 Example of Category 2 – PL c
6.2.7.2 Example of Category 2 – PL d
6.2.7.3 Example of a Category 2 with Undervoltage Coil
6.2.8 Category 3
6.2.8.1 Diagnostic Coverage in Category 3
6.2.8.2 Example of Category 3 for Input Subsystem: Interlocking Device
6.2.8.3 Example of Category 3 for Output Subsystem: Pneumatic Actuator
6.2.9 Category 4
6.2.9.1 Category 4 When the Demand Rate is Relatively Low
6.2.9.2 Example of a Category 4 Input Subsystem: Emergency Stop
6.2.9.3 Example of Category 4 for Output Subsystems: Electric Motor
6.3 Simplified Approach for Estimating the Performance Level
6.3.1 Conditions for the Simplified Approach
6.3.2 How to Calculate MTTFD of a Subsystem
6.3.3 Estimation of the Performance Level
6.3.3.1 The Simplified Graph
6.3.3.2 Table K.1 in Annex K
6.3.3.3 The Extended Graph
6.4 Determination of the Reliability of a Safety Function
Chapter 7 The Architectures of IEC 62061
7.1 Introduction
7.1.1 The Architectural Constraints
7.1.2 The Simplified Approach
7.1.2.1 Differences with ISO 13849-1
7.1.2.2 How to Calculate the PFHD of a Basic Subsystem Architecture
7.1.3 The Avoidance of Systematic Failures
7.1.4 Relationship Between λD and MTTFD
7.2 The Four Subsystem Architectures
7.2.1 Repairable vs Non-Repairable Systems
7.2.2 Basic Subsystem Architecture A: 1oo1
7.2.2.1 Implications of the Architectural Constraints in Basic Subsystem Architecture A
7.2.2.2 Example of a Basic Subsystem Architecture A
7.2.3 Basic Subsystem Architecture B: 1oo2
7.2.3.1 Implications of Architectural Constraints in Basic Subsystem Architecture B
7.2.3.2 Example of a Basic Output Subsystem Architecture B: Electric Motor
7.2.4 Basic Subsystem Architecture C: 1oo1D
7.2.4.1 Conditions for a Correct Implementation of Basic Subsystem Architecture C
7.2.4.2 Basic Subsystem Architecture C with Fault Handling Done by the SCS
7.2.5 Basic Subsystem Architecture C with Mixed Fault Handling
7.2.5.1 PFHD in Case of Four Conditions Satisfied
7.2.5.2 PFHD in Case One of the Four Conditions is Not Satisfied
7.2.5.3 Implications of the Architectural Constraints in Basic Subsystem Architecture C
7.2.6 Example of a Basic Subsystem Architecture C
7.2.7 Alternative Formula for the Basic Subsystem Architecture C
7.2.8 Basic Subsystem Architecture D: 1oo2D
7.2.8.1 Implications of the Architectural Constraints in Basic Subsystem Architecture D
7.2.8.2 Example of Input Basic Subsystem Architecture D: Emergency Stop
7.2.8.3 Example of Input Basic Subsystem Architecture D: Interlocking Device
7.2.8.4 Example of a Basic Subsystem Architecture D Output
7.3 Determination of the Reliability of a Safety Function
Chapter 8 Validation
8.1 Introduction
8.1.1 Level of Independence of People Doing the Validation
8.1.2 Flow Chart of the Validation Process
8.2 The Validation Plan
8.2.1 Fault List
8.2.2 Validation Measures Against Systematic Failures
8.2.3 Information Needed for the Validation
8.2.4 Analysis and Testing
8.2.4.1 Analysis
8.2.4.2 Testing
8.2.4.3 Validation of the Safety Integrity of Subsystems
8.2.4.4 Validation of the Safety-related Software
8.2.4.5 Software-based Manual Parameterization
Chapter 9 Some Final Considerations
9.1 ISO 13849-1 vs IEC 62061
9.2 High vs Low-Demand Mode Applications
9.3 The Importance of Risk Assessment
9.3.1 Principles of Safety Integration
9.3.1.1 The Glass Dome
9.3.2 How to Run a Risk Assessment
Bibliography
Index
EULA