Supersedes
This standard takes effect on 2008-12-01.
DIN EN 954-1:1997-03 and DIN EN 954-1 Supplement 1:2000-01 may be used in parallel until 2009-11-30 and DIN EN ISO 13849-1:2007-07 until 2009-12-28.
This standard includes safety requirements within the meaning of the
This standard has been prepared by Technical Committee ISO/TC 199 “Safety of machinery” in collaboration with Technical Committee CEN/TC 114 “Safety of machinery” (Secretariat: DIN, Germany).
The responsible German body involved in its preparation was the
This standard concretizes the basic requirements set out in EU Machinery Directive
Once this standard is designated a harmonized standard in the Official Journal of the European Union, a manufacturer applying this standard may assume compliance with the requirements of the Machinery Directive (the so-called “presumption of conformity”).
The DIN Standards corresponding to the International Standards referred to in this document are as follows:
This standard differs from
Supersedes
The text of
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by 2008-12, and conflicting national standards shall be withdrawn at the latest by 2009-12.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This document supersedes
This document has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association, and supports essential requirements of EC Directive(s).
For relationship with EC Directive(s), see informative
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.
The text of
The structure of safety standards in the field of machinery is as follows. Type-A standards (basis standards) give basic concepts, principles for design and general aspects that can be applied to machinery. Type-B standards (generic safety standards) deal with one or more safety aspect(s), or one or more type(s) of safeguards that can be used across a wide range of machinery: type-B1 standards on particular safety aspects (e. g. safety distances, surface temperature, noise); type-B2 standards on safeguards (e. g. two-hands controls, interlocking devices, pressure sensitive devices, guards). Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.
This part of ISO 13849 is a type-B1 standard as stated in
When provisions of a type-C standard are different from those which are stated in type-A or type-B standards, the provisions of the type-C standard take precedence over the provisions of the other standards for machines that have been designed and built according to the provisions of the type-C standard.
This part of ISO 13849 is intended to give guidance to those involved in the design and assessment of control systems, and to Technical Committees preparing Type-B2 or Type-C standards which are presumed to comply with the Essential Safety Requirements of the Council Directive
As part of the overall risk reduction strategy at a machine, a designer will often choose to achieve some measure of risk reduction through the application of safeguards employing one or more safety functions.
Parts of machinery control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS) and these can consist of hardware and software and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e. g. two-handed controls as a means of process initiation).
The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called performance levels (PL). These performance levels are defined in terms of probability of dangerous failure per hour (see
The probability of dangerous failure of the safety function depends on several factors, including hardware and software structure, the extent of fault detection mechanisms [diagnostic coverage (DC)], reliability of components [mean time to dangerous failure (
In order to assist the designer and help facilitate the assessment of achieved PL, this document employs a methodology based on the categorization of structures according to specific design criteria and specified behaviours under fault conditions. These categories are allocated one of five levels, termed Categories B, 1, 2, 3 and 4.
The performance levels and categories can be applied to safety-related parts of control systems, such as protective devices (e. g. two-hand control devices, interlocking devices), electro-sensitive protective devices (e. g. photoelectric barriers), pressure sensitive devices, control units (e. g. a logic unit for control functions, data processing, monitoring, etc.), and power control elements (e. g. relays, valves, etc),
as well as to control systems carrying out safety functions at all kinds of machinery — from simple (e. g. small kitchen machines, or automatic doors and gates) to manufacturing installations (e. g. packaging machines, printing machines, presses).
This part of ISO 13849 is intended to provide a clear basis upon which the design and performance of any application of the SRP/CS (and the machine) can be assessed, for example, by a third party, in-house or by an independent test house.
This part of ISO 13849 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions. It applies to SRP/CS, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery.
It does not specify the safety functions or performance levels that are to be used in a particular case.
This part of ISO 13849 provides specific requirements for SRP/CS using programmable electronic system(s).
It does not give specific requirements for the design of products which are parts of SRP/CS. Nevertheless, the principles given, such as categories or performance levels, can be used.
Examples of products which are parts of SRP/CS: relays, solenoid valves, position switches, PLCs, motor control units, two-hand control devices, pressure sensitive equipment. For the design of such products, it is important to refer to the specifically applicable International Standards, e. g.
For the definition of
The requirements provided in this part of ISO 13849 for programmable electronic systems are compatible with the methodology for the design and development of safety-related electrical, electronic and programmable electronic control systems for machinery given in
For safety-related embedded software for components with
See also
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
| Technology implementing the safety-related control function(s) | ISO 13849-1 | |
---|---|---|---|
A | Non-electrical, e. g. hydraulics | × | Not covered |
B | Electromechanical, e. g. relays, and/or non complex electronics | Restricted to designated architectures | All architectures and up to SIL 3 |
C | Complex electronics, e. g. programmable | Restricted to designated architectures | All architectures and up to SIL 3 |
D | A combined with B | Restricted to designated architectures | × |
E | C combined with B | Restricted to designated architectures | All architectures and up to SIL 3 |
F | C combined with A, or C combined with A and B | × | × |
×: Indicates that this item is dealt with by the International Standard shown in the column heading.
Designated architectures are defined in
For non-electrical technology, use parts in accordance with this part of ISO 13849 as subsystems.
For complex electronics: use designated architectures according to this part of ISO 13849 up to
For the purposes of this document, the terms and definitions given in
part of a control system that responds to safety-related input signals and generates safety-related output signals
The combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).
If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources [
A fault is often the result of a failure of the item itself, but may exist without prior failure.
In this part of ISO 13849, “fault” means
termination of the ability of an item to perform a required function [
After a failure, the item has a fault.
“Failure” is an event, as distinguished from “fault”, which is a state.
The concept as defined does not apply to items consisting of software only.
Failures which only affect the availability of the process under control are outside of the scope of this part of ISO 13849.
failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state
Whether or not the potential is realized can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.
Adapted from
failures of different items, resulting from a single event, where these failures are not consequences of each other [
Common cause failures should not be confused with common mode failures (see
failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors [
Corrective maintenance without modification will usually not eliminate the failure cause.
A systematic failure can be induced by simulating the failure cause.
Examples of causes of systematic failures include human error in the safety requirements specification, the design, manufacture, installation, operation of the hardware, and the design, implementation, etc., of the software.
temporary automatic suspension of a safety function(s) by the SRP/CS
function within the SRP/CS used to restore manually one or more safety functions before re-starting a machine
physical injury or damage to health [
potential source of harm [
A hazard can be qualified in order to define its origin (e. g. mechanical hazard, electrical hazard) or the nature of the potential harm (e. g. electric shock hazard, cutting hazard, toxic hazard, fire hazard).
The hazard envisaged in this definition: either is permanently present during the intended use of the machine (e. g. motion of hazardous moving elements, electric arc during a welding phase, unhealthy posture, noise emission, high temperature); or may appear unexpectedly (e. g. explosion, crushing hazard as a consequence of an unintended/unexpected startup, ejection as a consequence of a breakage, fall as a consequence of acceleration/deceleration).
circumstance in which a person is exposed to at least one hazard, the exposure having immediately or over a long period of time the potential to result in harm [
combination of the probability of occurrence of harm and the severity of that harm [
risk remaining after protective measures have been taken
See
Adapted from
overall process comprising risk analysis and risk evaluation [
combination of the specification of the limits of the machine, hazard identification and risk estimation [
judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved [
use of the machine in accordance with the information provided in the instructions for use [
use of a machine in a way not intended by the designer, but which may result from readily predictable human behaviour [
function of the machine whose failure can result in an immediate increase of the risk(s) [
safety function which ensures that a protective measure is initiated if the ability of a component or an element to perform its function is diminished or if the process conditions are changed in such a way that a decrease of the amount of risk reduction is generated
system for control, protection or monitoring dependent for its operation on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, contactors and other output devices
Adapted from
discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
See
performance level (PL) applied in order to achieve the required risk reduction for each safety function
See
expectation of the mean time to dangerous failure
Adapted from
measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures
Diagnostic coverage can exist for the whole or parts of a safety-related system. For example, diagnostic coverage could exist for sensors and/or logic system and/or final elements.
Adapted from
measure intended to achieve risk reduction
Implemented by the designer: inherent design, safeguarding and complementary protective measures, information for use.
Implemented by the user: organization (safe working procedures, supervision, permit-to-work systems), provision and use of additional safeguards, personal protective equipment, training.
Adapted from
period of time covering the intended use of an SRP/CS
frequency of automatic tests to detect faults in a SRP/CS, reciprocal value of diagnostic test interval
frequency of demands for a safety-related action of the SRP/CS
reciprocal value of the period of time between detection of a dangerous failure by either an online test or obvious malfunction of the system and the restart of operation after repair or system/component replacement
The repair time does not include the span of time needed for failure-detection.
system which responds to input signals from parts of machine elements, operators, external control equipment or any combination of these and generates output signals causing the machine to behave in the intended manner
The machine control system can use any technology or any combination of different technologies (e. g. electrical/electronic, hydraulic, pneumatic, mechanical).
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest [
type of language that provides the capability of combining predefined, application-specific library functions to implement the safety requirements specifications
Adapted from
Typical examples of LVL (ladder logic, function block diagram) are given in
A typical example of a system using LVL: PLC.
type of language that provides the capability of implementing a wide variety of functions and applications
C,
Adapted from
A typical example of systems using FVL: embedded systems.
In the field of machinery, FVL is found in embedded software and rarely in application software.
software specific to the application, implemented by the machine manufacturer, and generally containing logic sequences, limits and expressions that control the appropriate inputs, outputs, calculations and decisions necessary to meet the SRP/CS requirements
software that is part of the system supplied by the control manufacturer and which is not accessible for modification by the user of the machinery
Embedded software is usually written in FVL.
See
Symbol or abbreviation | Description | Definition or occurrence |
---|---|---|
a, b, c, d, e | Denotation of performance levels | |
AOPD | Active optoelectronic protective device (e. g. light barrier) | |
B, 1, 2, 3, 4 | Denotation of categories | |
| Number of cycles until | |
Cat. | Category | |
CC | Current converter | |
CCF | Common cause failure | |
DC | Diagnostic coverage | |
| Average diagnostic coverage | |
F, F1, F2 | Frequency and/or time of exposure to the hazard | |
FB | Function block | |
FVL | Full variability language | |
FMEA | Failure modes and effects analysis | |
I, I1, I2 | Input device, e. g. sensor | |
| Index for counting | |
I/O | Inputs/outputs | |
| Interconnecting means | |
K1A, K1B | Contactors | |
L, L1, L2 | Logic | |
LVL | Limited variability language | |
M | Motor | |
MTTF | Mean time to failure | |
| Mean time to dangerous failure | |
| Number of items | |
| Number of SRP/CS with | |
O, O1, O2, OTE | Output device, e. g. actuator | |
P, P1, P2 | Possibility of avoiding the hazard | |
PES | Programmable electronic system | |
PL | Performance level | |
PLC | Programmable logic controller | |
| Lowest performance level of a SRP/CS in a combination of SRP/CS | |
| Required performance level | |
| Demand rate | |
RS | Rotation sensor | |
S, S1, S2 | Severity of injury | |
SW1A, SW1B, SW2 | Position switches | |
SIL | Safety integrity level | |
SRASW | Safety-related application software | |
SRESW | Safety-related embedded software | |
SRP | Safety-related part | General |
SRP/CS | Safety-related part of a control system | |
TE | Test equipment | |
| Mission time | |
|
The SRP/CS shall be designed and constructed so that the principles of
Refers to
Refers to this part of ISO 13849.
The strategy for risk reduction at the machine is given in
The hazard analysis and risk reduction process for a machine requires that hazards are eliminated or reduced through a hierarchy of measures:
hazard elimination or risk reduction by design (see
risk reduction by safeguarding and possibly complementary protective measures (see
risk reduction by the provision of information for use about the residual risk (see
The purpose in following the overall design procedure for the machine is to achieve the safety objectives (see
For each safety function, the characteristics (see
In this part of ISO 13849 the performance levels are defined in terms of probability of dangerous failure per hour. Five performance levels (a to e) are set out, with defined ranges of probability of a dangerous failure per hour (see
PL | Average probability of dangerous failure per hour |
---|---|
a | |
b | |
c | |
d | |
e | |
Besides the average probability of dangerous failure per hour other measures are also necessary to achieve the PL.
From the risk assessment (see
Risk reduction can be achieved by applying various protective measures (both SRP/CS and non SRP/CS) with the end result of achieving a safe condition (see
for a specific hazardous situation, the risk before protective measures are applied
risk reduction required from protective measures
actual risk reduction achieved with protective measures
solution 1 — important part of risk reduction due to protective measures other than SRP/CS (e. g. mechanical measures), small part of risk reduction due to SRP/CS
solution 2 — important part of risk reduction due to the SRP/CS (e. g. light curtain), small part of risk reduction due to protective measures other than SRP/CS (e. g. mechanical measures)
adequately reduced risk
inadequately reduced risk
risk
residual risk obtained by solutions 1 and 2
adequately reduced risk
risk reduction from the safety function carried out by the SRP/CS
risk reduction from protective measures other than SRP/CS (e. g. mechanical measures)
See
For each selected safety function to be carried out by a SRP/CS, a required performance level (
The greater the amount of risk reduction required to be provided by the SRP/CS, the higher the
Part of the risk reduction process is to determine the safety functions of the machine. This will include the safety functions of the control system, e. g. prevention of unexpected start-up.
A safety function may be implemented by one or more SRP/CS, and several safety functions may share one or more SRP/CS [e. g. a logic unit, power control element(s)]. It is also possible that one SRP/CS implements safety functions and standard control functions. The designer may use any of the technologies available, singly or in combination. SRP/CS may also provide an operational function (e. g. an AOPD as a means of cycle initiation).
A typical safety function diagrammatic presentation is given in input ( logic/processing ( output/power control elements ( interconnecting means (
Within the same machinery it is important to distinguish between different safety functions and their related SRP/CS carrying out a certain safety function.
Having identified the safety functions of the control system, the designer shall identify the SRP/CS (see
Designated architectures are given in
All interconnecting means are included in the safety-related parts.
input
logic
output
initiation event (e. g. manual actuation of a push button, opening of guard, interruption of beam of AOPD)
machine actuator (e. g. motor brakes)
For the purposes of this part of ISO 13849, the ability of safety-related parts to perform a safety function is expressed through the determination of the performance level.
For each selected SRP/CS and/or for the combination of SRP/CS that performs a safety function the estimation of PL shall be done.
The PL of the SRP/CS shall be determined by the estimation of the following aspects:
the mean time to dangerous failure of each channel (see
the DC (see
the CCF (see
the structure (see
the behaviour of the safety function under fault condition(s) (see
safety-related software (see
systematic failure (see
the ability to perform a safety function under expected environmental conditions.
Other parameters, e. g. operational aspects, demand rate, test rate, can have certain influence.
These aspects can be grouped under two approaches in relation to the evaluation process: quantifiable aspects ( non-quantifiable, qualitative aspects which affect the behaviour of the SRP/CS (behaviour of the safety function under fault conditions, safety-related software, systematic failure and environmental conditions).
Among the quantifiable aspects, the contribution of reliability (e. g.
There are several methods for estimating the quantifiable aspects of the PL for any type of system (e. g. a complex structure), for example, Markov modelling, generalized stochastic Petri nets (GSPN), reliability block diagrams (see, e. g.
To make the assessment of the quantifiable aspects of the PL easier, this part of ISO 13849 provides a simplified method based on the definition of five designated architectures that fulfil specific design criteria and behaviour under a fault condition (see
For a SRP/CS or combination of SRP/CS designed according to the requirements given in
For a SRP/CS which deviates from the designated architectures, a detailed calculation shall be provided to demonstrate the achievement of the required performance level (
In applications where the SRP/CS can be considered simple, and the required performance level is a to c, a qualitative estimation of the PL may be justified in the design rationale.
For the design of complex control systems, such as PES designed to perform safety functions, the application of other standards can be appropriate (e. g.
The achievement of qualitative aspects of the PL can be demonstrated by the application of the recommended measures given in
In standards in accordance with
PL | SIL (high/continuous mode of operation) |
---|---|
a | No correspondence |
b | 1 |
c | 1 |
d | 2 |
e | 3 |
PL a has no correspondence on the SIL scale and is mainly used to reduce the risk of slight, normally reversible, injury. Since SIL 4 is dedicated to catastrophic events possible in the process industry, this range is not relevant for risks at machines. Thus PL e corresponding to SIL 3 is defined as the highest level.
Therefore, protective measures to reduce the risk shall be applied, principally the following.
Reduce the probability of faults at the component level. The aim is to reduce the probability of faults or failures which affect the safety function. This can be done by increasing the reliability of components, e. g. by selection of well-tried components and/or applying well-tried safety principles, in order to minimize or exclude critical faults or failures (see
Improve the structure of the SRP/CS. The aim is to avoid the dangerous effect of a fault. Some faults may be detected and a redundant and/or monitored structure could be needed.
Both measures can be applied separately or in combination. With some technologies, risk reduction can be achieved by selecting reliable components and by fault exclusions; but with other technologies, risk reduction could require a redundant and/or monitored system. In addition, common cause failures (CCF) shall be taken into account (see
For architectural constraints, see
The value of the
According to
Denotation of each channel | Range of each channel |
---|---|
Low | |
Medium | |
High | |
The choice of the The indicated borders of this table are assumed within an accuracy of
For the estimation of use manufacturer's data; use methods in choose ten years.
The value of the DC is given in four levels (see
For the estimation of DC, in most cases, failure mode and effects analysis (FMEA, see
DC
Denotation | Range |
---|---|
None | |
Low | |
Medium | |
High | |
For SRP/CS consisting of several parts an average value The choice of the DC ranges is based on the key values
The PL may be estimated by taking into account all relevant parameters and the appropriate methods for calculation (see
This clause describes a simplified procedure for estimating the PL of a SRP/CS based on designated architectures. Some other architectures with similar structure may be transformed to these designated architectures in order to obtain an estimation of the PL.
The designated architectures are represented as block diagrams, and are listed in the context of each category in
The designated architectures show a logical representation of the system structure for each category. The technical realization or, for example, the functional circuit diagram, may look completely different.
The designated architectures are drawn for the combined SRP/CS, starting at the points where the safety-related signals are initiated and ending at the output of the power control elements (see also
For the designated architectures, the following typical assumptions are made: mission time, 20 years (see constant failure rates within the mission time; for category 2, demand rate for category 2,
When blocks of each channel cannot be separated, the following can be applied:
The methodology considers the categories as architectures with defined
Common cause failures (CCF) should also be taken into account (for guidance, see
For SRP/CS with software, the requirements of
If quantitative data is not available or not used (e. g. low complexity systems), the worst case of all relevant parameters should be chosen.
A combination of SRP/CS or a single SRP/CS may have a PL. The combination of several SRP/CS with different PL is considered in
In the case of applications with
For the estimation of the PL,
Before using this simplified approach with
For categories 2, 3 and 4, sufficient measures against common cause failure shall be carried out (for guidance, see
The vertical position of this area determines the achieved PL which can be read off the vertical axis. If the area covers two or three possible PLs, the PL achieved is given in
performance level
Category | B | 1 | 2 | 2 | 3 | 3 | 4 |
---|---|---|---|---|---|---|---|
Average diagnostic coverage | none | none | low | medium | low | medium | high |
Mean time to dangerous failure of each channel | | | | | | | |
Low | a | Not covered | a | b | b | c | Not covered |
Medium | b | Not covered | b | c | c | d | Not covered |
High | Not covered | c | c | d | d | d | e |
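The simplified procedure described above, as an added worked example in Python (not code from ISO 13849-1 or from any tool vendor): the designated-architecture table is encoded with the standard's own denotations (category, average diagnostic coverage, mean time to dangerous failure of each channel), the achieved PL is compared with the required PL, mapped to the PL/SIL correspondence given earlier on this page, and the rule that software shared by several safety functions takes the requirements of the highest PL is applied. Because the numeric borders of the MTTFd and DC ranges are not reproduced on this page, the functions accept denotations ("low", "medium", "high", "none") rather than values; all function and variable names are the example's own.

```python
"""Simplified PL estimation for the designated architectures.

Added example, not text or software from ISO 13849-1. Inputs use the
standard's denotations only; no mapping from numeric MTTFd or DC values to
their ranges is attempted, because those borders are not given on this page.
"""

PL_ORDER = "abcde"  # PL a is the lowest level, PL e the highest

# Designated architecture (category, average DC) -> MTTFd of each channel -> PL.
# None means the combination is "Not covered" by the simplified procedure.
SIMPLIFIED_PL = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# PL to SIL correspondence (high/continuous mode); PL a has no SIL equivalent.
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def estimate_pl(category, dc_avg, mttfd):
    """Read the achieved PL off the designated-architecture table.

    Raises ValueError when (category, DC_avg) is not one of the designated
    architectures, i.e. when a detailed calculation is needed instead.
    """
    key = (str(category), dc_avg.lower())
    if key not in SIMPLIFIED_PL:
        raise ValueError(
            f"category {category} with average DC '{dc_avg}' is not a designated architecture"
        )
    column = SIMPLIFIED_PL[key]
    if mttfd.lower() not in column:
        raise ValueError(f"unknown MTTFd denotation '{mttfd}'")
    return column[mttfd.lower()]


def pl_meets(achieved, required):
    """True when the achieved PL is at least the required PL."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


def pl_for_shared_software(required_pls):
    """Software affecting several safety functions takes the highest PL among them."""
    return max(required_pls, key=PL_ORDER.index)


def assess(category, dc_avg, mttfd, plr):
    """Quantifiable part of the assessment of one SRP/CS against its required PL.

    The qualitative aspects (software, systematic failure, environment) and the
    CCF measures still have to be shown separately; only a flag is returned here.
    """
    achieved = estimate_pl(category, dc_avg, mttfd)
    return {
        "achieved_pl": achieved,
        "required_pl": plr,
        "adequate": pl_meets(achieved, plr),
        "sil": PL_TO_SIL.get(achieved),
        # Categories 2, 3 and 4 additionally require sufficient CCF measures.
        "ccf_measures_required": str(category) in ("2", "3", "4"),
    }


if __name__ == "__main__":
    print(assess("3", "medium", "high", "d"))  # two-channel, medium DC, high MTTFd
    print(assess("1", "none", "low", "b"))     # single channel, low MTTFd: not covered
```

A "Not covered" cell is returned as None and treated as not meeting any required PL, which is the conservative reading: the simplified procedure then gives no result and a detailed calculation is required.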
All lifecycle activities of safety-related embedded or application software shall primarily consider the avoidance of faults introduced during the software lifecycle (see
For SRESW for components with software safety lifecycle with verification and validation activities, see documentation of specification and design; modular and structured design and coding; control of systematic failures (see where using software-based measures for control of random hardware failures, verification of correct implementation; functional testing, e. g. black box testing; appropriate software safety lifecycle activities after modifications.
For SRESW for components with project management and quality management system comparable to, e. g. documentation of all relevant activities during software safety lifecycle; configuration management to identify all configuration items and documents related to a SRESW release; structured specification with safety requirements and design; use of suitable programming languages and computer-based tools with confidence from use; modular and structured programming, separation in non-safety-related software, limited module sizes with fully defined interfaces, use of design and coding standards; coding verification by walk-through/review with control flow analysis; extended functional testing, e. g. grey box testing, performance testing or simulation; impact analysis and appropriate software safety lifecycle activities after modifications.
SRESW for components with
For a detailed description of such measures, see e. g.
For SRESW with diversity in design and coding, for components used in SRP/CS with category 3 or 4, the effort involved in taking measures to avoid systematic failures can be reduced by, for example, reviewing parts of the software only by considering structural aspects instead of checking each line of code.
The software safety lifecycle (see
SRASW written in LVL and complying with the following requirements can achieve a PL a to e. If SRASW is written in FVL, the requirements for SRESW shall apply and PL a to e is achievable. If a part of the SRASW within one component has any impact (e. g. due to its modification) on several safety functions with different PL, then the requirements related to the highest PL shall apply.
For SRASW for components with development lifecycle with verification and validation activities, see documentation of specification and design; modular and structured programming; functional testing; appropriate development activities after modifications.
For SRASW for components with
safety functions with required PL and associated operating modes, performance criteria, e. g. reaction times, hardware architecture with external signal interfaces, and detection and control of external failure.
Suitable tools with confidence from use: for
Whenever reasonable and practicable, validated function block (FB) libraries should be used — either safety-related FB libraries provided by the tool manufacturer (highly recommended for
A justified LVL-subset suitable for a modular approach should be used, e. g. accepted subset of
semi-formal methods to describe data and control flow, e. g. state diagram or program flow chart, modular and structured programming predominantly realized by function blocks deriving from safety-related validated function block libraries, function blocks of limited size of coding, code execution inside function block which should have one entry and one exit point, architecture model of three stages, Inputs ⇒ Processing ⇒ Outputs (see
assignment of a safety output at only one program location, and use of techniques for detection of external failure and for defensive programming within input, processing and output blocks which lead to safe state.
SRASW and non-SRASW shall be coded in different function blocks with well-defined data links; there shall be no logical combination of non-safety-related and safety-related data which could lead to downgrading of the integrity of safety-related signals, for example, combining safety-related and non-safety-related signals by a logical “OR” where the result controls safety-related signals.
Code shall be readable, understandable and testable and, because of this, symbolic variables (instead of explicit hardware addresses) should be used; justified or accepted coding guidelines shall be used (see also
Data integrity and plausibility checks (e. g. range checks) available on application layer (defensive programming) should be used; code should be tested by simulation; verification should be by control and data flow analysis for
The appropriate validation method is black-box testing of functional behaviour and performance criteria (e. g. timing performance); for
Test planning is recommended and should include test cases with completion criteria and required tools; I/O testing shall ensure that safety-related signals are correctly used within SRASW.
All lifecycle and modification activities shall be documented; documentation shall be complete, available, readable and understandable; code documentation within source text shall contain module headers with legal entity, functional and I/O description, version and version of used library function blocks, and sufficient comments of networks/statement and declaration lines.
Review, inspection, walkthrough or other appropriate activities.
It is highly recommended that procedures and data backup be established to identify and archive documents, software modules, verification/validation results and tool configuration related to a specific SRASW version. After modifications of SRASW, impact analysis shall be performed to ensure specification. Appropriate lifecycle activities shall be performed after modifications. Access rights to modifications shall be controlled and modification history shall be documented.
Modification does not affect systems already in use.
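The three-stage structure and the separation rule described above, as an added illustration that is not part of ISO 13849-1 or of any product: a minimal Inputs ⇒ Processing ⇒ Outputs cycle in Python with defensive checks in the input stage and a single assignment point for the safety output, placed beside the OR-combination with a non-safety signal that the standard forbids. The signal names, the speed limits and the convention that a False output is the de-energized safe state are assumptions made for the example.

```python
"""Three-stage SRASW structure (Inputs -> Processing -> Outputs) with
defensive programming, beside the OR-combination the standard forbids.
Added illustration; signals, limits and the stop-on-False convention
are assumptions, not taken from ISO 13849-1."""
from dataclasses import dataclass

SPEED_LIMIT_MM_S = 250       # assumed safely limited speed for the zone
SPEED_PLAUSIBLE_MAX = 5000   # assumed physical maximum the sensor can report


@dataclass(frozen=True)
class RawInputs:
    guard_closed_ch1: bool   # two-channel guard interlock, channel 1
    guard_closed_ch2: bool   # channel 2
    speed_mm_s: int          # speed value from a safety-related sensor
    speed_valid: bool        # the sensor's own diagnostic flag


def input_block(raw):
    """Input stage: turn raw signals into validated safety conditions.
    Any detected external failure (channel discrepancy, implausible value,
    sensor fault) evaluates to 'not safe'."""
    guard_ok = raw.guard_closed_ch1 and raw.guard_closed_ch2
    if raw.guard_closed_ch1 != raw.guard_closed_ch2:   # discrepancy = fault
        guard_ok = False
    speed_plausible = raw.speed_valid and 0 <= raw.speed_mm_s <= SPEED_PLAUSIBLE_MAX
    speed_ok = speed_plausible and raw.speed_mm_s <= SPEED_LIMIT_MM_S
    return guard_ok, speed_ok


def processing_block(guard_ok, speed_ok, run_request):
    """Processing stage: safety logic only. run_request is non-safety data
    passed over a defined data link; it can only remove the enable."""
    return guard_ok and speed_ok and run_request


def output_block(enable):
    """Output stage: the safety output is assigned at exactly one location.
    False = de-energized = safe state (assumption of this example)."""
    return bool(enable)


def safety_cycle(raw, run_request):
    """One control cycle through the three stages."""
    guard_ok, speed_ok = input_block(raw)
    return output_block(processing_block(guard_ok, speed_ok, run_request))


def downgraded_cycle(raw, run_request, operator_override):
    """Anti-pattern named by the standard: a non-safety signal OR-ed into the
    safety path. An override from the HMI can energize the output with the
    guard open, so the integrity of the safety-related signal is downgraded."""
    guard_ok, speed_ok = input_block(raw)
    return output_block((guard_ok and speed_ok and run_request) or operator_override)
```

With the guard open, `safety_cycle` stays de-energized whatever the operator requests, while `downgraded_cycle` lets a single non-safety Boolean energize the output; that difference is the whole point of keeping the OR out of the safety path.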
Software-based parameterization of safety-related parameters shall be considered as a safety-related aspect of SRP/CS design to be described in the software safety requirements specification. Parameterization shall be carried out using a dedicated software tool provided by the supplier of the SRP/CS. This tool shall have its own identification (name, version, etc.) and shall prevent unauthorized modification, for example, by use of a password.
The integrity of all data used for parameterization shall be maintained. This shall be achieved by applying measures to control the range of valid inputs, control data corruption before transmission, control the effects of errors from the parameter transmission process, control the effects of incomplete parameter transmission, and control the effects of faults and failures of hardware and software of the tool used for parameterization.
The parameterization tool shall fulfil all requirements for SRP/CS according to this part of ISO 13849. Alternatively, a special procedure shall be used for setting the safety-related parameters. This procedure shall include confirmation of the input parameters to the SRP/CS, either by retransmission of the modified parameters to the parameterization tool or by other suitable means of confirming the integrity of the parameters, as well as subsequent confirmation, e.g. by a suitably skilled person and by means of an automatic check by the parameterization tool.
This is of particular importance where parameterization is carried out using a device not specifically intended for the purpose (e.g. personal computer or equivalent).
The software modules used for encoding/decoding within the transmission/retransmission process and software modules used for visualization of the safety-related parameters to the user shall, as a minimum, use diversity in function(s) to avoid systematic failures.
Documentation of software-based parameterization shall indicate data used (e. g. pre-defined parameter sets) and information necessary to identify the parameters associated with the SRP/CS, the person(s) carrying out the parameterization together with other relevant information such as date of parameterization.
The following verification activities shall be applied for software based parameterization: verification of the correct setting for each safety-related parameter (minimum, maximum and representative values); verification that the safety-related parameters are checked for plausibility, for example by use of invalid values, etc.; verification that unauthorized modification of safety-related parameters is prevented; verification that the data/signals for parameterization are generated and processed in such a way that faults can not lead to a loss of the safety function.
This is of particular importance where the parameterization is carried out using a device not specifically intended for this purpose (e. g. personal computer or equivalent).
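The integrity measures and the confirmation procedure described above (control of the range of valid inputs, detection of corruption and of incomplete transmission, retransmission of the parameters for confirmation, diverse decoding of the readback, prevention of unauthorized modification), as an added example in Python. It is not code from ISO 13849-1 or from any product. The parameter names and ranges, the frame layout (length field, 16-bit values, CRC-32), the password check and the `SRPCS` class standing in for the device are assumptions of this example.

```python
"""Software-based parameterization with integrity and confirmation checks.
Added example, not from ISO 13849-1; parameter names, ranges, the frame
layout and the password scheme are assumptions."""
import hmac
import struct
import zlib

# Assumed safety-related parameters and their valid ranges (range control).
PARAM_RANGES = {
    "max_speed_mm_s": (0, 2000),
    "stop_distance_mm": (1, 500),
    "response_time_ms": (1, 1000),
}
PARAM_ORDER = tuple(PARAM_RANGES)
VALUES_FMT = ">" + "H" * len(PARAM_ORDER)   # big-endian unsigned 16-bit each
VALUES_LEN = 2 * len(PARAM_ORDER)


def range_check(params):
    """Control of the range of valid inputs; returns (ok, reason)."""
    for name, (lo, hi) in PARAM_RANGES.items():
        if name not in params:
            return False, f"missing {name}"
        value = params[name]
        if type(value) is not int or not lo <= value <= hi:
            return False, f"{name} out of range"
    return True, "ok"


def encode(params):
    """Frame = length(2) + values + CRC-32(4). The length field exposes an
    incomplete transfer, the CRC exposes corruption on the way."""
    body = struct.pack(">H", VALUES_LEN) + struct.pack(VALUES_FMT, *(params[n] for n in PARAM_ORDER))
    return body + struct.pack(">I", zlib.crc32(body))


def decode_struct(frame):
    """Decoder A (device side): struct + zlib."""
    if len(frame) < 6:
        raise ValueError("truncated frame")
    (length,) = struct.unpack(">H", frame[:2])
    body, trailer = frame[:2 + length], frame[2 + length:]
    if length != VALUES_LEN or len(body) != 2 + length or len(trailer) != 4:
        raise ValueError("incomplete frame")
    if struct.unpack(">I", trailer)[0] != zlib.crc32(body):
        raise ValueError("CRC mismatch")
    return dict(zip(PARAM_ORDER, struct.unpack(VALUES_FMT, body[2:])))


def crc32_bitwise(data):
    """Independent CRC-32 (same polynomial as zlib) for functional diversity."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def decode_manual(frame):
    """Decoder B (tool side, readback): plain byte arithmetic written
    separately from decoder A, so one systematic fault cannot hide in both."""
    if len(frame) < 6:
        raise ValueError("truncated frame")
    length = (frame[0] << 8) | frame[1]
    if length != VALUES_LEN or len(frame) != 2 + length + 4:
        raise ValueError("incomplete frame")
    if int.from_bytes(frame[-4:], "big") != crc32_bitwise(frame[:-4]):
        raise ValueError("CRC mismatch")
    values = [(frame[2 + 2 * i] << 8) | frame[3 + 2 * i] for i in range(length // 2)]
    return dict(zip(PARAM_ORDER, values))


class SRPCS:
    """Constructed stand-in for the safety-related part of the control system."""

    def __init__(self, password):
        self._password = password.encode()
        self.stored = None

    def download(self, frame, password):
        """Reject unauthorized, corrupted, incomplete or out-of-range parameter sets."""
        if not hmac.compare_digest(password.encode(), self._password):
            return False
        try:
            params = decode_struct(frame)
        except ValueError:
            return False
        if not range_check(params)[0]:
            return False
        self.stored = params
        return True

    def readback(self):
        """Retransmission of the stored parameters to the tool for confirmation."""
        return encode(self.stored)


def parameterize(device, params, password):
    """Tool side: range check, send, read back through the diverse decoder, compare."""
    ok, reason = range_check(params)
    if not ok:
        return False, reason
    if not device.download(encode(params), password):
        return False, "rejected by SRP/CS"
    try:
        confirmed = decode_manual(device.readback())
    except ValueError as exc:
        return False, f"readback failed: {exc}"
    if confirmed != params:
        return False, "readback mismatch"
    return True, "confirmed"
```

The readback is decoded by a routine that shares neither the struct parsing nor the zlib CRC with the device-side decoder, which is the "diversity in function" the clause asks for; a truncated frame fails on the length field, a flipped byte fails on the CRC, and an out-of-range value is refused on both sides before it can reach the stored set.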
For each individual safety function the PL of the related SRP/CS shall match the required performance level (
The PL of the different SRP/CS which are part of a safety function shall be greater than or equal to the required performance level (
The interface between operators and the SRP/CS shall be designed and realized such that no person is endangered during all intended use and reasonable foreseeable misuse of the machine [see also
Ergonomic principles shall be used so that the machine and the control system, including the safety-related parts, are easy to use, and so that the operator is not tempted to act in a hazardous manner.
The safety requirements for observing ergonomic principles given in
This clause provides a list and details of safety functions which can be provided by the SRP/CS. The designer (or type-C standard maker) shall include those necessary to achieve the measures of safety required of the control system for the specific application.
Safety-related stop function, prevention of unexpected start-up, manual reset function, muting function, hold-to-run function.
Machinery control systems provide operational and/or safety functions. Operational functions (e. g. starting, normal stopping) can also be safety functions, but this can be ascertained only after a complete risk assessment on the machinery has been carried out.
Additional requirements are set out in this clause for certain safety function characteristics.
Where necessary, the requirements for characteristics and safety functions shall be adapted for use with different energy sources.
As most of the references in
Safety function/characteristic |
---|
Safety-related stop function initiated by safeguard (a) |
Manual reset function |
Start/restart function |
Local control function |
Muting function |
Hold-to-run function |
Enabling device function |
Prevention of unexpected start-up |
Escape and rescue of trapped persons (b) |
Isolation and energy dissipation function (b) |
Control modes and mode selection |
Interaction between different safety-related parts of control systems |
Monitoring of parameterization of safety-related input values |
Emergency stop function (b) |
(a) Including interlocked guards and limiting devices (e.g. overspeed, overtemperature, overpressure).
(b) Complementary protective measure.
Safety function/safety-related parameter |
---|
Response time |
Safety-related parameter such as speed, temperature or pressure |
Fluctuations, loss and restoration of power sources |
Indications and alarms |
When identifying and specifying the safety function(s), the following shall at least be considered: results of the risk assessment for each specific hazard or hazardous situation; machine operating characteristics, including intended use of the machine (including reasonable foreseeable misuse), modes of operation (e. g. local mode, automatic mode, modes related to a zone or part of the machine), cycle time, and response time; emergency operation; description of the interaction of different working processes and manual activities (repairing, setting, cleaning, trouble shooting, etc.); the behaviour of the machine that a safety function is intended to achieve or to prevent; condition(s) (e. g. operating mode) of the machine in which it is to be active or disabled; the frequency of operation; priority of those functions that can be simultaneously active and that can cause conflicting action.
The following applies in addition to the requirements of
A safety-related stop function (e. g. initiated by a safeguard) shall, as soon as necessary after actuation, put the machine in a safe state. Such a stop shall have priority over a stop for operational reasons.
When a group of machines are working together in a coordinated manner, provision shall be made for signalling the supervisory control and/or the other machines that such a stop condition exists.
A safety-related stop function can cause operational problems and a difficult restart, e. g. in an arc welding application. To reduce the temptation to defeat this stop function, it can be preceded with a stop for operational reasons to finalize the actual operation and prepare for an easy and quick restart from the stop position (e. g. without any damage of the production). One solution is the use of interlocking device with guard locking where the guard locking is released when the cycle has reached a defined position where the easy restart is possible.
The following applies in addition to the requirements of
After a stop command has been initiated by a safeguard, the stop condition shall be maintained until safe conditions for restarting exist.
The re-establishment of the safety function by resetting of the safeguard cancels the stop command. If indicated by the risk assessment, this cancellation of the stop command shall be confirmed by a manual, separate and deliberate action (manual reset).
The manual reset function shall: be provided through a separate and manually operated device within the SRP/CS; only be achieved if all safety functions and safeguards are operative; not initiate motion or a hazardous situation by itself; be by deliberate action; enable the control system for accepting a separate start command; and only be accepted by disengaging the actuator from its energized (on) position.
The performance level of safety-related parts providing the manual reset function shall be selected so that the inclusion of the manual reset function does not diminish the safety required of the relevant safety function.
The reset actuator shall be situated outside the danger zone and in a safe position from which there is good visibility for checking that no person is within the danger zone.
Where the visibility of the danger zone is not complete, a special reset procedure is required.
One solution is the use of a second reset actuator. The reset function is initiated within the danger zone by the first actuator in combination with a second reset actuator located outside the danger zone (near the safeguard). This reset procedure needs to be realized within a limited time before the control system accepts a separate start command.
The following applies in addition to the requirements of
A restart shall take place automatically only if a hazardous situation cannot exist. In particular, for interlocking guards with a start function,
These requirements for start and restart shall also apply to machines which can be controlled remotely.
A sensor feedback signal to the control system can initiate an automatic restart.
In automatic machine operations, sensor feedback signals to the control system are often used to control the process flow. If a work piece has come out of position, the process flow is stopped. If the monitoring of the interlocked safeguard does not take priority over the automatic process control, there is a danger of restarting the machine while the operator readjusts the work piece. Therefore the remotely controlled restart ought not to be allowed until the safeguard is closed again and the maintainer has left the hazardous area. The contribution of the control system to the prevention of unexpected start-up depends on the result of the risk assessment.
The following applies in addition to the requirements of
When a machine is controlled locally, e. g. by a portable control device or pendant, the following requirements shall apply: the means for selecting local control shall be situated outside the danger zone; it shall only be possible to initiate hazardous conditions by a local control in a zone defined by the risk assessment; switching between local and main control shall not create a hazardous situation.
The following applies in addition to the requirements of
Muting shall not result in any person being exposed to hazardous situations. During muting, safe conditions shall be provided by other means.
At the end of muting, all safety functions of the SRP/CS shall be reinstated.
The performance level of safety-related parts providing the muting function shall be selected so that the inclusion of the muting function does not diminish the safety required of the relevant safety function.
In some applications, an indication signal of muting is necessary.
The following applies in addition to the requirements of
The response time of the SRP/CS shall be determined when the risk assessment of the SRP/CS indicates that this is necessary (see also
The response time of the control system is part of the overall response time of the machine. The required overall response time of the machine can influence the design of the safety-related part, e. g. the need to provide a braking system.
The following applies in addition to the requirements of
When safety-related parameters, e.g. position, speed, temperature or pressure, deviate from preset limits, the control system shall initiate appropriate measures (e.g. actuation of stopping, warning signal, alarm).
If errors in manual inputting of safety-related data in programmable electronic systems can lead to a hazardous situation, then a data checking system within the safety-related control system shall be provided, e. g. check of limits, format and/or logic input values.
The following applies in addition to the requirements of
When fluctuations in energy levels outside the design operating range occur, including loss of energy supply, the SRP/CS shall continue to provide or initiate output signal(s) which will enable other parts of the machine system to maintain a safe state.
The SRP/CS shall be in accordance with the requirements of one or more of the five categories specified in
Categories are the basic parameters used to achieve a specific PL. They state the required behaviour of the SRP/CS in respect of its resistance to faults based on the design considerations described in
Category B is the basic category. The occurrence of a fault can lead to the loss of the safety function. In category 1 improved resistance to faults is achieved predominantly by selection and application of components. In categories 2, 3 and 4, improved performance in respect of a specified safety function is achieved predominantly by improving the structure of the SRP/CS. In category 2 this is provided by periodically checking that the specified safety function is being performed. In categories 3 and 4 this is provided by ensuring that the single fault will not lead to the loss of the safety function. In category 4, and whenever reasonably practicable in category 3, such faults will be detected. In category 4 the resistance to the accumulation of faults will be specified.
Category | Summary of requirements | System behaviour | Principle used to achieve safety | MTTFd of each channel | DCavg | CCF |
---|---|---|---|---|---|---|
B | SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by selection of components | Low to medium | None | Not relevant |
1 | Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B. | Mainly characterized by selection of components | High | None | Not relevant |
2 | Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system. | The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check. | Mainly characterized by structure | Low to high | Low to medium | See CCF requirements |
3 | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function, and whenever reasonably practicable, the single fault is detected. | When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Mainly characterized by structure | Low to high | Low to medium | See CCF requirements |
4 | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to a loss of the safety function, and the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function. | When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function. | Mainly characterized by structure | High | High including accumulation of faults | See CCF requirements |
For full requirements, see the detailed requirements for each category below.
When considering the causes of failures in some components it is possible to exclude certain faults (see
The selection of a category for a particular SRP/CS depends mainly upon the reduction in risk to be achieved by the safety function to which the part contributes, the required performance level ( the technologies used, the risk arising in the case of a fault(s) in that part, the possibilities of avoiding a fault(s) in that part (systematic faults), the probability of occurrence of a fault(s) in that part and relevant parameters, the mean time to dangerous failure ( the diagnostic coverage (DC), and the common cause failure (CCF) in the case of categories 2, 3 and 4.
Each SRP/CS shall comply with the requirements of the relevant category, see
The following architectures typically meet the requirements of the respective category.
The following figures show not examples but general architectures. A deviation from these architectures is always possible, but any deviation shall be justified, by means of appropriate analytical tools (e. g. Markov modelling, fault tree analysis), such that the system meets the required performance level (
The designated architectures cannot be considered only as circuit diagrams but also as logical diagrams. For categories 3 and 4, this means that not all parts are necessarily physically redundant but that there are redundant means of assuring that a fault cannot lead to the loss of the safety function.
The lines and arrows in
The structure of a SRP/CS is a key characteristic having great influence on the PL. Even if the variety of possible structures is high, the basic concepts are often similar. Thus, most structures which are present in the machinery field can be mapped to one of the categories. For each category, a typical representation as a safety-related block diagram can be made. These typical realizations are called designated architectures and are listed in the context of each of the following categories.
It is important that the PL shown in
In some cases arising from a specific technical solution or determined by a type-C standard, the safety-related performance of the SRP/CS can be required only by a category without additional
The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and using basic safety principles for the specific application to withstand the expected operating stresses, e. g. the reliability with respect to breaking capacity and frequency, the influence of the processed material, e. g. detergents in a washing machine, and other relevant external influences, e. g. mechanical vibration, electromagnetic interference, power supply interruptions or disturbances.
There is no diagnostic coverage (
The maximum PL achievable with category B is
When a fault occurs it can lead to the loss of the safety function.
Specific requirements for electromagnetic compatibility are found in the relevant product standards, e. g.
Key to the designated architecture for category B: input device, e.g. sensor; logic; output device, e.g. main contactor; interconnecting means.
For category 1, the same requirements as those according to
SRP/CS of category 1 shall be designed and constructed using well-tried components and well-tried safety principles (see
A “well-tried component” for a safety-related application is a component which has been either widely used in the past with successful results in similar applications, or made and verified using principles which demonstrate its suitability and reliability for safety-related applications.
Newly developed components and safety principles may be considered as equivalent to "well-tried" if they fulfil the second of these conditions (made and verified using principles which demonstrate suitability and reliability for safety-related applications).
The decision to accept a particular component as being “well-tried” depends on the application.
Complex electronic components (e. g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well tried”.
The
The maximum PL achievable with category 1 is
There is no diagnostic coverage (
When a fault occurs it can lead to the loss of the safety function. However, the
It is important that a clear distinction is made between "well-tried component" and "fault exclusion". For a position switch, the measures to be considered include: means to secure the fixing of the switch after its adjustment; means to secure the fixing of the cam; means to ensure the transverse stability of the cam; means to avoid overtravel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices; and means to protect it against damage from outside.
Key to the designated architecture for category 1: input device, e.g. sensor; logic; output device, e.g. main contactor; interconnecting means.
For category 2, the same requirements as those according to
SRP/CS of category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed at the machine start-up, and prior to the initiation of any hazardous situation, e. g. start of a new cycle, start of other movements, and/or periodically during operation if the risk assessment and the kind of operation shows that it is necessary.
The initiation of this check may be automatic. Any check of the safety function(s) shall either allow operation if no faults have been detected, or generate an output which initiates appropriate control action, if a fault is detected.
Whenever possible this output shall initiate a safe state. This safe state shall be maintained until the fault is cleared. When it is not possible to initiate a safe state (e. g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.
For the designated architecture of category 2, as shown in
The diagnostic coverage (
The check itself shall not lead to a hazardous situation (e. g. due to an increase in response time). The checking equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.
The maximum PL achievable with category 2 is
In some cases category 2 is not applicable because the checking of the safety function cannot be applied to all components.
Category 2 system behaviour allows that the occurrence of a fault can lead to the loss of the safety function between checks, the loss of safety function is detected by the check.
The principle that supports the validity of a category 2 function is that the adopted technical provisions, and, for example, the choice of checking frequency can decrease the probability of occurrence of a dangerous situation.
Key to the designated architecture for category 2: input device, e.g. sensor; logic; output device, e.g. main contactor; test equipment; output of TE; monitoring; interconnecting means.
For category 3, the same requirements as those according to
SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
The diagnostic coverage (
The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.
If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.
Category 3 system behaviour allows that when the single fault occurs the safety function is always performed, some but not all faults will be detected, accumulation of undetected faults can lead to the loss of the safety function.
The technology used will influence the possibilities for the implementation of fault detection.
Key to the designated architecture for category 3: input device, e.g. sensor; logic; output device, e.g. main contactor; monitoring; cross monitoring; interconnecting means.
For category 4, the same requirements as those according to
SRP/CS of category 4 shall be designed such that a single fault in any of these safety-related parts does not lead to a loss of the safety function, and the single fault is detected at or before the next demand upon the safety function (e.g. immediately, at switch-on, or at the end of a machine operating cycle), but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.
The diagnostic coverage (
Category 4 system behaviour allows that when a single fault occurs the safety function is always performed, the faults will be detected in time to prevent the loss of the safety function, accumulation of undetected faults is taken into account.
The difference between category 3 and category 4 is a higher
Key to the designated architecture for category 4: input device, e.g. sensor; logic; output device, e.g. main contactor; monitoring; cross monitoring; interconnecting means.
A safety function can be realized by a combination of several SRP/CS: input system, signal processing unit, output system. These SRP/CS may be assigned to one and/or different categories. For each SRP/CS used, a category according to
According to
Assumed are
The following method allows the calculation of the PL of the whole combined SRP/CS performing the safety function: identify the lowest PL among the SRP/CS in the combination; identify the number of SRP/CS that have this lowest PL; look up the PL of the combination in the table below.
PL_low | N_low | PL |
---|---|---|
a | > 3 | None, not allowed |
a | ≤ 3 | a |
b | > 2 | a |
b | ≤ 2 | b |
c | > 2 | b |
c | ≤ 2 | c |
d | > 3 | c |
d | ≤ 3 | d |
e | > 3 | d |
e | ≤ 3 | e |
The values calculated for this look-up table are based on reliability values at the midpoint for each PL.
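The combination method above, as an added example in Python that is not part of the standard: the look-up with the N_low limits of ISO 13849-1:2006, Table 11, placed beside a check that sums the parts' PFHd values and maps the total to the PFHd bands of Table 3 of the same standard (PL a: 1e-5 to below 1e-4, b: 3e-6 to below 1e-5, c: 1e-6 to below 3e-6, d: 1e-7 to below 1e-6, e: 1e-8 to below 1e-7 dangerous failures per hour). The PFHd values of the sample chain are constructed for the example.

```python
"""Combination of several SRP/CS in series into one safety function:
the Table 11 look-up of ISO 13849-1:2006 beside a PFHd summation check.
Added example; the sample chain values are constructed."""

PL_ORDER = "abcde"   # PL a is the lowest, PL e the highest

# ISO 13849-1:2006, Table 11: (limit, PL if N_low > limit, PL if N_low <= limit)
TABLE_11 = {
    "a": (3, None, "a"),
    "b": (2, "a", "b"),
    "c": (2, "b", "c"),
    "d": (3, "c", "d"),
    "e": (3, "d", "e"),
}

# ISO 13849-1:2006, Table 3: PFHd bands (lower bound inclusive, upper exclusive)
PFH_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]


def combine_pl(pls):
    """Table 11 method: PL of the series combination, or None (not allowed)."""
    pls = list(pls)
    if not pls:
        raise ValueError("empty chain")
    for pl in pls:
        if pl not in PL_ORDER:
            raise ValueError(f"unknown PL {pl!r}")
    pl_low = min(pls, key=PL_ORDER.index)   # lowest PL in the chain
    n_low = pls.count(pl_low)                # how many parts have it
    limit, above, within = TABLE_11[pl_low]
    return above if n_low > limit else within


def pl_from_pfh(pfh):
    """Map a PFHd value (dangerous failures per hour) to a PL; None if too high."""
    if pfh < 0:
        raise ValueError("PFHd cannot be negative")
    if pfh < 1e-8:          # better than the PL e band still qualifies for PL e
        return "e"
    for pl, lo, hi in PFH_BANDS:
        if lo <= pfh < hi:
            return pl
    return None


def combine_pfh(pfhs):
    """PFHd of a series combination is the sum of the parts' PFHd."""
    return sum(pfhs)


def check_chain(parts):
    """parts: list of (PL, PFHd) per SRP/CS in series.
    Returns (PL by the Table 11 look-up, PL by PFHd summation)."""
    pls = [pl for pl, _ in parts]
    pfhs = [pfh for _, pfh in parts]
    return combine_pl(pls), pl_from_pfh(combine_pfh(pfhs))


if __name__ == "__main__":
    # constructed chain: input PL c, logic PL e, output PL d
    chain = [("c", 2.0e-6), ("e", 3.0e-8), ("d", 5.0e-7)]
    print(check_chain(chain))
```

Both routes give PL c for the sample chain. The look-up is the shortcut when only the parts' PL is known; the PFHd sum is the route when the parts' reliability values are available, and for four PL d parts it shows why the table drops the result to PL c: the summed PFHd leaves the PL d band.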
In accordance with the category selected, safety-related parts shall be designed to achieve the required performance level (
In general, the following fault criteria shall be taken into account: if, as a consequence of a fault, further components fail, the first fault together with all following faults shall be considered as a single fault; two or more separate faults having a common cause shall be considered as a single fault (known as a CCF); the simultaneous occurrence of two or more faults having separate causes is considered highly unlikely and therefore need not be considered.
It is not always possible to evaluate SRP/CS without assuming that certain faults can be excluded. For detailed information on fault exclusions, see
Fault exclusion is a compromise between technical safety requirements and the theoretical possibility of occurrence of a fault.
Fault exclusion can be based on the technical improbability of occurrence of some faults, generally accepted technical experience, independent of the considered application, and technical requirements related to the application and the specific hazard.
If faults are excluded, a detailed justification shall be given in the technical documentation.
The design of the SRP/CS shall be validated (see
For details of validation, see
Preventive or corrective maintenance can be necessary to maintain the specified performance of the safety-related parts. Deviations with time from the specified performance can lead to a deterioration in safety or even to a hazardous situation. The information for use of the SRP/CS shall include instructions for the maintenance (including periodic inspection) of the SRP/CS.
The provisions for the maintainability of the safety-related part(s) of a control system shall follow the principles given in
When designing a SRP/CS, its designer shall document at least the following information relevant to the safety-related part: safety function(s) provided by the SRP/CS; the characteristics of each safety function; the exact points at which the safety-related part(s) start and end; environmental conditions; the performance level (PL); the category or categories selected; the parameters relevant to the reliability ( measures against systematic failure; the technology or technologies used; all safety-relevant faults considered; justification for fault exclusions (see the design rationale (e. g. faults considered, faults excluded); software documentation; measures against reasonably foreseeable misuse.
In general, this documentation is foreseen as being for the manufacturer's internal purposes and will not be distributed to the machine user.
The information for use shall include: the limits of the safety-related parts with respect to the category(ies) selected and any fault exclusions; the limits of the SRP/CS and any fault exclusions; the effects of deviations from the specified performance on the safety function(s); clear descriptions of the interfaces to the SRP/CS and protective devices; response time; operating limits (including environmental conditions); indications and alarms; muting and suspension of safety functions; control modes; maintenance; maintenance check lists; ease of accessibility and replacing of internal parts; means for easy and safe trouble shooting; information explaining the applications for use relevant to the category to which reference is made; checking test intervals where relevant.
Specific information shall be provided on the category or categories and performance level of the SRP/CS, as follows: dated reference to this part of ISO 13849 ( i. e. “ISO 13849-1:2006”); the Category, B, 1, 2, 3, or 4; the performance level, a, b, c, d, or e.
An SRP/CS in accordance with this edition of ISO 13849-1, of Category B and performance level a, would be referred to as follows: ISO 13849-1:2006 Category B PL a.
This annex is concerned with the contribution to the reduction in risk made by the safety-related parts of the control system being considered. The method given here provides only an estimation of risk reduction and is intended as guidance to the designer and standard maker in determining the
The risk assessment assumes a situation prior to provision of the intended safety function. Risk reduction by other technical measures independent of the control system (e. g. mechanical guards), or additional safety functions, can be taken into account in determining the frequency and time of exposure to the hazard (F), and possibility of avoiding the hazard or limiting the harm (P).
Experience has shown that these parameters can be combined, as in
Risk graph key: starting point for evaluation of the safety function's contribution to risk reduction; low contribution to risk reduction; high contribution to risk reduction; required performance level.
S severity of injury: S1 slight (normally reversible injury); S2 serious (normally irreversible injury or death).
F frequency and/or exposure to hazard: F1 seldom-to-less-often and/or exposure time is short; F2 frequent-to-continuous and/or exposure time is long.
P possibility of avoiding hazard or limiting harm: P1 possible under specific conditions; P2 scarcely possible.
In estimating the risk arising from a failure of a safety function only slight injuries (normally reversible) and serious injuries (normally irreversible) and death are considered.
To make a decision the usual consequences of accidents and normal healing processes should be taken into account in determining S1 and S2. For example, bruising and/or lacerations without complications would be classified as S1, whereas amputation or death would be S2.
A generally valid time period to be selected for parameter F1 or F2 cannot be specified. However, the following explanation could facilitate making the right decision where doubt exists.
F2 should be selected if a person is frequently or continuously exposed to the hazard. It is irrelevant whether the same or different persons are exposed to the hazard on successive exposures, e. g. for the use of lifts. The frequency parameter should be chosen according to the frequency and duration of access to the hazard.
Where the demand on the safety function is known by the designer, the frequency and duration of this demand can be chosen instead of the frequency and duration of access to the hazard. In this part of ISO 13849, the frequency of demand on the safety function is assumed to be more than once per year.
The period of exposure to the hazard should be evaluated on the basis of an average value which can be seen in relation to the total period of time over which the equipment is used. For example, if it is necessary to reach regularly between the tools of the machine during cyclic operation in order to feed and move work pieces, then F2 should be selected. If access is only required from time to time, then F1 should be selected.
In case of no other justification F2 should be chosen, if the frequency is higher than once per hour.
It is important to know whether a hazardous situation can be recognized and avoided before leading to an accident. For example, an important consideration is whether the hazard can be directly identified by its physical characteristics, or recognized only by technical means, e. g. indicators. Other important aspects which influence the selection of parameter P include, for example: operation with or without supervision; operation by experts or non-professionals; speed with which the hazard arises (e. g. quickly or slowly); possibilities for hazard avoidance (e. g. by escaping); practical safety experiences relating to the process.
When a hazardous situation occurs, P1 should only be selected if there is a realistic chance of avoiding an accident or of significantly reducing its effect; P2 should be selected if there is almost no chance of avoiding the hazard.
The simplified approach requires a block-oriented logical representation of the SRP/CS. The SRP/CS should be separated into a small number of blocks according to the following: blocks should represent logical units of the SRP/CS related to the execution of the safety function; different channels performing the safety function should be separated into different blocks — if one block is no longer able to perform its function, the execution of the safety function through the blocks of the other channel should not be affected; each channel may consist of one or several blocks — three blocks per channel in the designated architectures, input, logic and output, is not an obligatory number, but simply an example for a logical separation inside each channel; each hardware unit of the SRP/CS should belong to exactly one block, thus allowing for the calculation of the hardware units only used for diagnostics (e. g. test equipment) and which do not affect the execution of the safety function in the different channels when they fail dangerously, may be separated from hardware units necessary for the execution of the safety function in the different channels.
For the purposes of this part of ISO 13849, “blocks” do not correspond to functional blocks or reliability blocks.
The blocks defined by the block method may be used to graphically represent the logical structure of the SRP/CS in a safety-related block diagram. For such a graphical representation, the following may be of guidance: the failure of one block in a series alignment of blocks leads to the failure of the whole channel (e. g. if one hardware unit in one channel of the SRP/CS fails dangerously, the whole channel might not be able to execute the safety function any longer); only the dangerous failure of all channels in a parallel alignment leads to the loss of the safety function (e. g. a safety function performed by several channels is executed as long as at least one channel has no failure); blocks used only for testing purposes and which do not affect the execution of the safety function in the different channels when they fail dangerously may be separated from blocks in the different channels.
See
Figure key: input device, e. g. sensor; logic; output device, e. g. main contactor; testing device.
This annex gives several methods for calculating or evaluating
If the following criteria are met, the The components are manufactured according to basic and well-tried safety principles in accordance with ISO 13849-2:2003, or the relevant standard (see This information can be found in the data sheet of the component manufacturer. The manufacturer of the component specifies the appropriate application and operating conditions for the user. The design of the SRP/CS fulfils the basic and well-tried safety principles according to
| Component | Basic and well-tried safety principles according to | Other relevant standards | Typical values |
|---|---|---|---|
| Mechanical components | | — | |
| Hydraulic components | | | |
| Pneumatic components | | | |
| Relays and contactor relays with small load (mechanical load) | | | |
| Relays and contactor relays with maximum load | | | |
| Proximity switches with small load (mechanical load) | | | |
| Proximity switches with maximum load | | | |
| Contactors with small load (mechanical load) | | | |
| Contactors with nominal load | | | |
| Position switches independent of load | | | |
| Position switches (with separate actuator, guard-locking) independent of load | | | |
| Emergency stop devices independent of the load | | | |
| Emergency stop devices with maximum operational demands | | | |
| Push buttons (e. g. enabling switches) independent of the load | | | |

For the definition and use of “Small load” means, for example,
If fault exclusion for direct opening action is possible.
If the following criteria are met, the The hydraulic components are manufactured according to basic and well-tried safety principles in accordance with This information can be found in the data sheet of the component manufacturer. The manufacturer of the hydraulic component specifies the appropriate application and operating conditions for the user. The SRP/CS manufacturer shall provide information pertaining to his responsibility to apply the basic and well-tried safety principles according to
But if either a) or b) is not achieved, the
For pneumatic, mechanical and electromechanical components (pneumatic valves, relays, contactors, position switches, cams of position switches, etc.) it may be difficult to calculate the mean time to dangerous failure (
If the following criteria are met, the The components are manufactured according to basic safety principles in accordance with This information can be found in the data sheet of the component manufacturer. The components to be used in category 1, 2, 3 or 4 are manufactured according to well-tried safety principles in accordance with This information can be found in the data sheet of the component manufacturer. The manufacturer of the component specifies the appropriate application and operating conditions for the user. The SRP/CS manufacturer shall provide information pertaining to his responsibility to fulfil the basic safety principles according to
The mean number of cycles until
With
The operation time of the component is limited to
Explanation of the formulas in
The reliability methods in this part of ISO 13849 assume that the failure of components is distributed exponentially over time:
With
For a pneumatic valve, a manufacturer determines a mean value of 60 million cycles as
With these input data the following quantities can be calculated:
This will give a
The values given in
In the MTTF column of the tables, the values from SN 29500 are for generic components for all possible failure modes which are not necessarily dangerous failures. In the
See
| Transistor | Example | MTTF for components (years) | MTTFd (years), typical | MTTFd (years), worst case | Remark |
|---|---|---|---|---|---|
| Bipolar | TO18, TO92, SOT23 | 34247 | 68493 | 6849 | |
| Bipolar, low power | TO5, TO39 | 5708 | 11416 | 1142 | |
| Bipolar, power | TO3, TO220, D-Pack | 1941 | 3881 | 388 | |
| FET | Junction MOS | 22831 | 45662 | 4566 | |
| MOS, power | TO3, TO220, D-Pack | 1142 | 2283 | 228 | |

| Diode | Example | MTTF for components (years) | MTTFd (years), typical | MTTFd (years), worst case | Remark |
|---|---|---|---|---|---|
| General purpose | — | 114155 | 228311 | 22831 | |
| Suppressor | — | 15981 | 31963 | 3196 | |
| Zener diode | — | 114155 | 228311 | 22831 | |
| Rectifier diodes | — | 57078 | 114155 | 11416 | |
| Rectifier bridges | — | 11415 | 22831 | 2283 | |
| Thyristors | — | 2283 | 4566 | 457 | |
| Triacs, Diacs | — | 1484 | 2968 | 297 | |
| Integrated circuits (programmable and non-programmable) | Use manufacturer's data | | | | |
|
See
| Capacitor | Example | MTTF for components (years) | MTTFd (years), typical | MTTFd (years), worst case | Remark |
|---|---|---|---|---|---|
| Standard, no power | KS, KP, KC, KT, MKT, MKC, MKP, MKU, MP, MKV | 57078 | 114155 | 11416 | |
| Ceramic | — | 22831 | 45662 | 4566 | |
| Aluminium electrolytic | Non-solid electrolyte | 22831 | 45662 | 4566 | |
| Aluminium electrolytic | Solid electrolyte | 37671 | 75342 | 7534 | |
| Tantalum electrolytic | Non-solid electrolyte | 11415 | 22831 | 2283 | |
| Tantalum electrolytic | Solid electrolyte | 114155 | 228311 | 22831 | |

| Resistor | Example | MTTF for components (years) | MTTFd (years), typical | MTTFd (years), worst case | Remark |
|---|---|---|---|---|---|
| Carbon film | — | 114155 | 228311 | 22831 | |
| Metal film | — | 570776 | 1141552 | 114155 | |
| Metal oxide and wire-wound | — | 22831 | 45662 | 4566 | |
| Variable | — | 3767 | 7534 | 753 | |

| Inductor | Example | MTTF for components (years) | MTTFd (years), typical | MTTFd (years), worst case | Remark |
|---|---|---|---|---|---|
| For MC application | — | 37671 | 75342 | 7534 | |
| Low frequency inductors and transformers | — | 22831 | 45662 | 4566 | |
| Main transformers and transformers for switched modes and power supplies | — | 11415 | 22831 | 2283 | |

| Optocouplers | Example | MTTF for components (years) | MTTFd (years), typical | MTTFd (years), worst case | Remark |
|---|---|---|---|---|---|
| Bipolar output | SFH 610 | 7648 | 15296 | 1530 | |
| FET output | LH 1056 | 2854 | 5708 | 571 | |
|
Use of the “parts count method” serves to estimate the
The general formula is is for the complete channel; is the
The first sum is over each component separately; the second sum is an equivalent, simplified form where all
The example given in
| No. | Component | Units (worst case) | MTTFd (years), worst case | 1/MTTFd (1/year), worst case | Units/MTTFd (1/year), worst case |
|---|---|---|---|---|---|
| 1 | Transistors, bipolar, low power (see | 2 | 1142 | 0,000876 | 0,001752 |
| 2 | Resistor, carbon film (see | 5 | 22831 | 0,000044 | 0,000219 |
| 3 | Capacitor, standard, no power (see | 4 | 11416 | 0,000088 | 0,000350 |
| 4 | Relay (with small load, see | 4 | 315,66 | 0,003168 | 0,012672 |
| | ( | | | | |
| 5 | Contactor (with nominal load, see | 1 | 31,57 | 0,031676 | 0,031676 |
| | ( | | | | |
| | Sum | | | | 0,046669 |
| | MTTFd for the channel (years) | | | | 21,43 |
This method is based on the presumption that a dangerous failure of any component within a channel leads to dangerous failure of the channel. The
In this example, the main influence comes from the contactor. The chosen values for
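As an added worked example (not text or tooling of the standard), the following Python carries through the two calculations described above: the conversion of a B10d value into MTTFd and T10d for the pneumatic valve, and the parts count sum that yields the 21,43 years of the table. The valve's operating days, hours and cycle time are constructed assumptions; only the 60 million cycles comes from the text, and the channel data are the worst-case values of the table above.

```python
# Added example, not from ISO 13849-1: B10d -> MTTFd / T10d for a
# wear-out component, and the parts count method for one channel.

def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean number of operations per year.

    d_op: operating days per year, h_op: operating hours per day,
    t_cycle_s: mean time between two successive cycles in seconds.
    """
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd in years of a component whose B10d is given in cycles.

    B10d is the mean number of cycles until 10 % of the components
    have failed dangerously; dividing by 0,1 * nop gives MTTFd.
    """
    return b10d / (0.1 * nop)


def t10d(b10d: float, nop: float) -> float:
    """Years after which the component should be replaced (T10d)."""
    return b10d / nop


def parts_count_mttfd(parts) -> float:
    """MTTFd of a channel: 1/MTTFd = sum(n_i / MTTFd_i).

    parts: iterable of (name, n_i, mttfd_i_years). A dangerous failure
    of any one of the n_i parts is assumed to fail the whole channel.
    """
    total_rate = 0.0
    for name, n, mttfd in parts:
        if n < 1 or mttfd <= 0:
            raise ValueError(f"invalid entry for {name!r}")
        total_rate += n / mttfd
    return 1.0 / total_rate


def dominant_part(parts) -> str:
    """Name of the part contributing the largest share of n_i / MTTFd_i."""
    return max(parts, key=lambda p: p[1] / p[2])[0]


# Worst-case values of the parts count example table on this page.
CHANNEL_EXAMPLE = [
    ("transistors, bipolar, low power", 2, 1142.0),
    ("resistors, carbon film", 5, 22831.0),
    ("capacitors, standard, no power", 4, 11416.0),
    ("relays, small load", 4, 315.66),
    ("contactor, nominal load", 1, 31.57),
]


def valve_example():
    """Pneumatic valve with B10d = 60 million cycles (from the text).

    Operating data are constructed: 220 days/year, 16 h/day, one cycle
    every 5 s. Returns (MTTFd in years, T10d in years).
    """
    nop = n_op(220, 16, 5)
    return mttfd_from_b10d(60e6, nop), t10d(60e6, nop)


if __name__ == "__main__":
    m, t = valve_example()
    print(f"valve: MTTFd = {m:.1f} years, T10d = {t:.1f} years")
    print(f"channel MTTFd = {parts_count_mttfd(CHANNEL_EXAMPLE):.2f} years, "
          f"dominated by {dominant_part(CHANNEL_EXAMPLE)}")
```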
The designated architectures of
If the as a worst case assumption, the lower value should be taken into account;
where
One channel has an
A redundant system with two channels and different
This method assumes independent parallel channels.
See
| Measure | DC |
|---|---|
| Cyclic test stimulus by dynamic change of the input signals | |
| Plausibility check, e. g. use of normally open and normally closed mechanically linked contacts | |
| Cross monitoring of inputs without dynamic test | |
| Cross monitoring of input signals with dynamic test if short circuits are not detectable (for multiple I/O) | |
| Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O) | |
| Indirect monitoring (e. g. monitoring by pressure switch, electrical position monitoring of actuators) | |
| Direct monitoring (e. g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | |
| Fault detection by the process | |
| Monitoring some characteristics of the sensor (response time, range of analogue signals, e. g. electrical resistance, capacitance) | |

| Measure | DC |
|---|---|
| Indirect monitoring (e. g. monitoring by pressure switch, electrical position monitoring of actuators) | |
| Direct monitoring (e. g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | |
| Simple temporal time monitoring of the logic (e. g. timer as watchdog, where trigger points are within the program of the logic) | |
| Temporal and logical monitoring of the logic by the watchdog, where the test equipment does plausibility checks of the behaviour of the logic | |
| Start-up self-tests to detect latent faults in parts of the logic (e. g. program and data memories, input/output ports, interfaces) | |
| Checking the monitoring device reaction capability (e. g. watchdog) by the main channel at start-up or whenever the safety function is demanded or whenever an external signal demands it, through an input facility | |
| Dynamic principle (all components of the logic are required to change the state ON-OFF-ON when the safety function is demanded), e. g. interlocking circuit implemented by relays | |
| Invariable memory: signature of one word ( | |
| Invariable memory: signature of double word ( | |
| Variable memory: RAM test by use of redundant data, e. g. flags, markers, constants, timers, and cross comparison of these data | |
| Variable memory: check for readability and write ability of used data memory cells | |
| Variable memory: RAM monitoring with modified Hamming code or RAM self-test (e. g. “galpat” or “Abraham”) | |
| Processing unit: self-test by software | |
| Processing unit: coded processing | |
| Fault detection by the process | |

| Measure | DC |
|---|---|
| Monitoring of outputs by one channel without dynamic test | |
| Cross monitoring of outputs without dynamic test | |
| Cross monitoring of output signals with dynamic test without detection of short circuits (for multiple I/O) | |
| Cross monitoring of output signals and intermediate results within the logic (L) and temporal and logical software monitor of the program flow and detection of static faults and short circuits (for multiple I/O) | |
| Redundant shut-off path with no monitoring of the actuator | |
| Redundant shut-off path with monitoring of one of the actuators either by logic or by test equipment | |
| Redundant shut-off path with monitoring of the actuators by logic and test equipment | |
| Indirect monitoring (e. g. monitoring by pressure switch, electrical position monitoring of actuators) | |
| Fault detection by the process | |
| Direct monitoring (e. g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | |
For additional estimations for DC, see, e. g., If medium or high DC is claimed for the logic, at least one measure for variable memory, invariable memory and processing unit with each DC at least |
In many systems, several measures for fault detection might be used. These measures could check different parts of the SRP/CS and have different DC. For an estimation of the PL according to
DC may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures. According to this definition an average diagnostic coverage
Here all components of the SRP/CS without fault exclusion have to be considered and summed up. For each block, the
A comprehensive procedure for measures against CCF for sensors/actuators and separately for control logic is given, for example, in
In this part of ISO 13849, it is assumed that for redundant systems a
This quantitative process should be passed for the whole system. Every part of the safety-related parts of the control system should be considered.
For each listed measure, only the full score or nothing can be claimed. If a measure is only partly fulfilled, the score according to this measure is zero.
| No. | Measure against CCF | Score |
|---|---|---|
| 1 | Physical separation between signal paths: separation in wiring/piping, sufficient clearances and creepage distances on printed-circuit boards. | |
| 2 | Different technologies/design or physical principles are used, for example: first channel programmable electronic and second channel hardwired; kind of initiation; pressure and temperature; measuring of distance and pressure; digital and analogue; components of different manufacturers. | |
| 3.1 | Protection against over-voltage, over-pressure, over-current, etc. | |
| 3.2 | Components used are well-tried. | |
| 4 | Are the results of a failure mode and effect analysis taken into account to avoid common-cause failures in design? | |
| 5 | Have designers/maintainers been trained to understand the causes and consequences of common cause failures? | |
| 6.1 | Prevention of contamination and electromagnetic compatibility (EMC) against CCF in accordance with appropriate standards. Fluidic systems: filtration of the pressure medium, prevention of dirt intake, drainage of compressed air, e. g. in compliance with the component manufacturers' requirements concerning purity of the pressure medium. Electric systems: has the system been checked for electromagnetic immunity, e. g. as specified in relevant standards against CCF? For combined fluidic and electric systems, both aspects should be considered. | |
| 6.2 | Other influences: have the requirements for immunity to all relevant environmental influences such as temperature, shock, vibration, humidity (e. g. as specified in relevant standards) been considered? | |

| Total score | Measures against CCF |
|---|---|
| 65 or better | Meets the requirements |
| Less than 65 | Process failed |
Where technological measures are not relevant, points attached to this column can be considered in the comprehensive calculation.
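The following Python is an added example, not part of the standard, that ties together the quantities introduced above: the two-channel combination of different MTTFd values and the worst-case alternative of taking the lower channel value, the average diagnostic coverage DCavg weighted by 1/MTTFd, the all-or-nothing CCF score with its 65-point threshold, and the look-up of the achieved PL from category, DCavg class and MTTFd class of the standard's simplified procedure. The component values in example_b_constructed() are constructed; the 100-year cap and the class boundaries are taken from ISO 13849-1:2006, not from this page.

```python
# Added example, not from ISO 13849-1: two-channel MTTFd combination,
# DCavg, CCF scoring and the simplified PL look-up.

MTTFD_CAP_YEARS = 100.0   # the standard caps the MTTFd of each channel


def channel_mttfd(mttfd_values):
    """MTTFd of one channel from its blocks: 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / m for m in mttfd_values)


def symmetrise_mttfd(c1, c2):
    """Equivalent MTTFd of two channels with different MTTFd C1 and C2."""
    c1, c2 = min(c1, MTTFD_CAP_YEARS), min(c2, MTTFD_CAP_YEARS)
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def worst_case_mttfd(c1, c2):
    """The alternative the text allows: take the lower channel value."""
    return min(c1, c2, MTTFD_CAP_YEARS)


def mttfd_class(mttfd):
    """MTTFd classes of the standard: 3 <= low < 10 <= medium < 30 <= high."""
    if mttfd < 3:
        return "not covered"
    return "low" if mttfd < 10 else "medium" if mttfd < 30 else "high"


def dc_avg(blocks):
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i).

    blocks: (mttfd_i_years, dc_i) for every block without fault exclusion.
    Blocks with a high failure rate (small MTTFd) weigh the most.
    """
    num = sum(dc / m for m, dc in blocks)
    den = sum(1.0 / m for m, _ in blocks)
    return num / den


def dc_class(dc):
    """DC classes of the standard: none < 60 % <= low < 90 % <= medium < 99 % <= high."""
    if dc < 0.60:
        return "none"
    return "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


# Maximum score per CCF measure, as listed in the example table of this annex.
CCF_MEASURES = {
    "1 separation": 15, "2 diversity": 20, "3.1 overvoltage etc.": 15,
    "3.2 well-tried": 5, "4 FMEA": 5, "5 training": 5,
    "6.1 contamination/EMC": 25, "6.2 other environment": 10,
}


def ccf_score(fulfilled):
    """Only a fully fulfilled measure scores; a partly fulfilled one scores zero.

    fulfilled: {measure: bool}. Returns (total score, total >= 65).
    """
    total = sum(CCF_MEASURES[k] for k, ok in fulfilled.items() if ok)
    return total, total >= 65


# Simplified procedure: (category, DCavg class) -> MTTFd class -> PL.
PL_TABLE = {
    ("B", "none"): {"low": "a", "medium": "b"},
    ("1", "none"): {"high": "c"},
    ("2", "low"): {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"): {"high": "e"},
}


def performance_level(category, dc_cls, mttfd_cls):
    """Achieved PL, or 'not covered' for a combination the table does not allow."""
    return PL_TABLE.get((category, dc_cls), {}).get(mttfd_cls, "not covered")


def example_b_constructed(pl_r="c"):
    """Two channels as in example B: K1B alone (SW1B is fault-excluded) and
    SW2 + PLC + current converter. All (years, DC) values are constructed."""
    ch1 = [(20.0, 0.99)]                               # K1B, linked contacts
    ch2 = [(20.0, 0.90), (15.0, 0.60), (15.0, 0.60)]   # SW2, PLC, converter
    mttfd = symmetrise_mttfd(channel_mttfd([m for m, _ in ch1]),
                             channel_mttfd([m for m, _ in ch2]))
    dc = dc_avg(ch1 + ch2)
    # constructed: measures 3.1 and 5 not fulfilled, as in the example table
    score, ccf_ok = ccf_score({k: k not in ("3.1 overvoltage etc.", "5 training")
                               for k in CCF_MEASURES})
    pl = performance_level("3", dc_class(dc), mttfd_class(mttfd))
    return {"mttfd": mttfd, "dcavg": dc, "ccf_score": score, "ccf_ok": ccf_ok,
            "pl": pl, "meets_plr": pl != "not covered" and ccf_ok and pl >= pl_r}
```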
The following measures should be applied.
Use of de-energization (see
Measures for controlling the effects of voltage breakdown, voltage variations, overvoltage, undervoltage — SRP/CS behaviour in response to voltage breakdown, voltage variations, overvoltage, and undervoltage conditions should be predetermined so that the SRP/CS can achieve or maintain a safe state of the machine (see also
Measures for controlling or avoiding the effects of the physical environment (for example, temperature, humidity, water, vibration, dust, corrosive substances, electromagnetic interference and its effects) — SRP/CS behaviour in response to the effects of the physical environment should be predetermined so that the SRP/CS can achieve or maintain a safe state of the machine (see also, for example,
Program sequence monitoring shall be used with SRP/CS containing software in order to detect defective program sequences — A defective program sequence exists if the individual elements of a program (e. g. software modules, subprograms or commands) are processed in the wrong sequence or period of time or if the clock of the processor is faulty (see
Measures for controlling the effects of errors and other effects arising from any data communication process (see
In addition, one or more of the following measures should be applied, taking into account the complexity of the SRP/CS and its PL: failure detection by automatic tests; tests by redundant hardware; diverse hardware; operation in the positive mode; mechanically linked contacts; direct opening action; oriented mode of failure; over-dimensioning by a suitable factor, where the manufacturer can demonstrate that derating will improve reliability — where over-dimensioning is appropriate, an over-dimensioning factor of at least 1,5 should be used.
See also
The following measures should be applied.
Use of suitable materials and adequate manufacturing — Selection of material, manufacturing methods and treatment in relation to, e. g. stress, durability, elasticity, friction, wear, corrosion, temperature, conductivity, dielectric rigidity.
Correct dimensioning and shaping — Consideration of, e. g. stress, strain, fatigue, temperature, surface roughness, tolerances, manufacturing.
Proper selection, combination, arrangements, assembly and installation of components, including cabling, wiring and any interconnections — Apply appropriate standards and manufacturer's application notes, e. g. catalogue sheets, installation instructions, specifications, and use of good engineering practice.
Compatibility — Use components with compatible operating characteristics.
Withstanding specified environmental conditions — Design the SRP/CS so that it is capable of working in all expected environments and in any foreseeable adverse conditions, e. g. temperature, humidity, vibration and electromagnetic interference (EMI) (see
Use of components designed to an appropriate standard and having well-defined failure modes — To reduce the risk of undetected faults by the use of components with specific characteristics (see
In addition, one or more of the following measures should be applied, taking into account the complexity of the SRP/CS and its PL.
Hardware design review (e. g. by inspection or walk-through) — To reveal by reviews and analysis discrepancies between the specification and implementation (see
Computer-aided design tools capable of simulation or analysis — Perform the design procedure systematically and include appropriate automatic construction elements that are already available and tested (see
Simulation — Perform a systematic and complete inspection of an SRP/CS design in terms of both the functional performance and the correct dimensioning of their components (see
The following measures should be applied during integration of the SRP/CS: functional testing; project management; documentation.
In addition, black-box testing should be applied, taking into account the complexity of the SRP/CS and its PL.
The control is provided through electronic control logic and a hydraulic directional valve. The risk is reduced by an AOPD, which detects access to the hazardous situation and prevents start-up of the fluidic actuator when the light beam is interrupted.
The safety-related parts which provide the safety function are: AOPD, electronic control logic, hydraulic directional valve and the interconnecting means.
These combined safety-related parts provide a stop function as a safety function. As the AOPD is interrupted, the outputs transfer a signal to the electronic control logic, which provides a signal to the hydraulic directional valve to stop the hydraulic flow as the output of the SRP/CS. At the machine, this stops the hazardous movement of the actuator.
This combination of safety-related parts creates a safety function demonstrating the combination of different categories and technologies based on the requirements given in Category 2, Category 3, Category 1,
The position, size and layout of the interconnecting means have also to be taken into account.
This combination leads with
In case of one fault in the category 1 or the category 2 parts of
Figure key (circuit): active optoelectronic protective device (e. g. light barrier); electronic control logic; fluidics; fluidic actuator; hazardous movement.
Figure key (safety-related block diagram): active optoelectronic protective device (e. g. light barrier); electronic control logic; fluidics.
Figure key (designated architecture): input devices, e. g. sensor; logic; output devices, e. g. main contactor; test equipment.
This annex illustrates the use of the methods given in preceding annexes for identifying safety functions and determining PL. The quantification of two widely used control circuits is given. For the stepwise procedure, see
Two different examples of control circuits, A and B are examined, see
For both examples, the safety function of the interlocking of a guard may be chosen as follows.
The dangerous movement will be stopped when the guard door is opened (by de-energizing the power of the electrical motor).
The risk parameters according to the risk graph method (see severity of injury, frequency and/or exposure time to hazard, possibility of avoiding the hazard,
These decisions lead to a required performance level
Determination of the preferred category: A performance level of c can be achieved typically by very reliable single-channel systems (category 1) or redundant architectures (category 2 or 3) (see
All components contributing to the safety function are represented in
Figure key (circuit diagram, example A): open; close; motor; contactor; switch (NC).
In this example, a door switch has normally closed contacts (but no fault exclusion is justified) and is connected to a contactor able to switch off the power connection to the motor: one channel of electromechanical components; switch SW1A has medium contactor K1A has low
The chosen contactor in this example is a well-tried component when implemented according to
Thus the safety-related parts and their division into channels can be illustrated in a safety-related block diagram as shown in Figure I.2.
Figure key (safety-related block diagram, example A): contactor; switch.
The values for If no information for K1A were available, a worst case assumption according to
Input data for
This may be interpreted as performance level b.
This result does not match the required performance level c according to
All components contributing to the safety function are represented in
Figure key (circuit diagram, example B): programmable logic controller; current converter; motor; rotation sensor; open; close; stop function (standard); safe impulse blocking; contactor; switch (NC); switch (NO).
In this second example two channels providing redundancy are used. The first channel, similarly to that in example A, uses a door switch having direct opening action and which is used in the positive mode of actuation. This door switch is connected to a contactor able to switch off the power connection to the motor. In the second channel additional (programmable) electronic components are used. A second door switch is connected to a programmable logic controller which can control the current converter to switch off the power connection to the motor: redundant channels, one electromechanical and the other programmable electronic; switch SW1B has positive mechanical action of the contacts, SW2 has medium contactor K1B has medium electronic components have medium
So the safety-related parts and their division into channels can be illustrated in a safety-related block diagram as shown in
With respect to redundant diversity, requirements for software according to
Figure key (safety-related block diagram, example B): interlocking device; contactor; switch; programmable logic controller; current converter; rotation sensor.
The values for
The switch SW1B has a direct opening action and is used in the positive mode of actuation. Therefore, a fault exclusion is made concerning non-opening of a contact and non-actuation of the switch due to mechanical failure (e. g. break of plunger, wear of the actuating cam, maladjustment).
These assumptions are valid for auxiliary circuit switches according to
For an estimation of the PL, an average DC value (
| No. | Item | Score for control circuit B | Maximum possible score |
|---|---|---|---|
| 1 | Physical separation between signal paths | 15 | 15 |
| 2 | Different technologies/design or physical principles are used | 20 | 20 |
| 3.1 | Protection against overvoltage, overpressure, overcurrent, etc. | None | 15 |
| 3.2 | Components used are well-tried | 5 | 5 |
| 4 | Are the results of a failure mode and effect analysis taken into account to avoid common cause failures in design? | 5 | 5 |
| 5 | Have designers been trained to understand the causes and consequences of common cause failures? | None | 5 |
| 6.1 | Prevention of contamination and electromagnetic compatibility (EMC) against CCF in accordance with appropriate standards | 25 | 25 |
| 6.2 | Have the requirements for immunity to all relevant environmental influences, such as temperature, shock, vibration, humidity (e. g. as specified in relevant standards) been considered? | 10 | 10 |
| | Total | 80 | Max. 100 |
Sufficient measures against CCF require a minimum score of 65. In example B, a score of 80 is sufficient to fulfil the requirements against CCF.
A single fault in any of the parts does not lead to the loss of the safety function. Whenever reasonably practicable the single fault is detected at or before the next demand upon the safety function. The diagnostic coverage (
Input data for
This may be interpreted as performance level c.
This result matches the required performance level c of
In this annex, exemplary activities are given for realizing the SRESW of a SRP/CS for the acquisition of information sent by the various sensors, the processing required to operate the control elements taking into account the safety requirements, and the control of the actuators.
The design of the SRESW of this application on function block level is as shown in
| Development activity | Verification activity | Associated documentation |
|---|---|---|
| Machine aspect: Identification of the functions involving the SRP/CS | Identification of safety-related functions | “Safety-related specification for machine control” |
| Architecture aspect: Definition of the control architecture with sensors and actuators | Comments upon safety characteristics of chosen components | “Definition of the control architecture” |
| Software specification aspect: Transcription of machine functions into software functions | Re-reading of the descriptions (see | “Software descriptions” |
| Software architecture aspect: To detail the functions into functional blocks | Definition of critical blocks which are subject of greater review and validation effort | “Function block modelling” |
| Encoding aspect: Encoding according to the programming rules (see | Re-reading of the code. Verification of functions and compliance with rules. | “Encoding comments in the code”; “Encoding re-reading sheets” |
| Validation aspect: Making of test scenarios: operation aspect of functions; behaviour-on-failure aspect | Verification of the test covering; verification of the test results | “Correspondence matrix” which cross-references specification paragraphs and tests; “Test sheets” comprising test scenario and comments upon results achieved |
As part of the software safety lifecycle, the verification activity at level of the software specification consists in reading the descriptions so as to verify that all the sensitive points are properly described. The following should be considered when verifying each function: limiting the cases of erroneous interpretation of the system specification; avoiding gaps in specification resulting in an a precisely defining conditions for activation and de-activation of functions; precisely guaranteeing that all the possible cases are handled; consistency tests; the different parameterizing cases; the reaction following a failure.
For the CCF, in general it should be possible to authenticate the program by author, date of loading, version and last type of access.

Concerning the programming rules, the following rules can be differentiated. The programming should be structured so as to display a consistent and understandable general skeleton allowing the different processings to be easily localized. This implies:

- use of templates for typical program or function blocks;
- partitioning of the program into segments in order to identify the main parts corresponding to “inputs”, “processings” and “outputs”;
- comments on each program section in the source of the program, so that the comment is updated together with the code in case of modification;
- a description of the role of a function block at the point where this block is called;
- that a memory location is used by only one single kind of data type and is marked by a unique label;
- that the working sequence does not depend on variables such as a jump address calculated at runtime of the program (conditional jumps are authorized).

The following rules also apply:

- The activation or de-activation of any output should take place in only one place (centralized conditions).
- The program should be structured such that the equations for updating a variable are centralized.
- Each global variable, input or output, should have a mnemonic name explicit enough to convey its role and be described by a comment within the source.
- Preferably use function blocks that have been validated by the supplier of the SRP/CS, checking that the assumed operating conditions for these validated blocks correspond to the conditions of the program.
- The size of a coded block should be limited to the following guideline values: i) parameters: a maximum of eight digital and two integer inputs, and one output; ii) function code: a maximum of ten local variables and a maximum of 20 Boolean equations.
- The function blocks should not modify the global variables.
- A digital value should be checked against pre-set benchmarks to ensure that it lies within its domain of validity.
- A function block should try to detect inconsistencies in the variables to be processed.
- The fault code of a block should be accessible, so that one fault can be discriminated from the others.
- The fault codes and the state of the block after fault detection should be described by comments.
- The resetting of the block or the restoration of a normal state should be described by comments.
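To illustrate how these function block rules look in code (a bounded number of inputs and local variables, no access to global variables, a digital value checked against pre-set benchmarks, detection of inconsistent inputs, an accessible fault code, a documented state after fault detection, a documented reset, and the output written in a single centralized place), here is an added example in C. It is not code from the standard or from any supplier's library; the block name, the rpm benchmarks, the tolerance and the fault code values are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fault codes of the block. They are exposed to the caller so that one fault can
 * be discriminated from another; the values are constructed for this example. */
typedef enum {
    FB_OK = 0,
    FB_FAULT_RANGE_CH1 = 1,     /* channel 1 speed outside the pre-set benchmarks */
    FB_FAULT_RANGE_CH2 = 2,     /* channel 2 speed outside the pre-set benchmarks */
    FB_FAULT_DISCREPANCY = 3,   /* the two redundant channels disagree beyond tolerance */
    FB_FAULT_INPUT_CONFLICT = 4 /* guard contacts report an impossible combination */
} fb_fault_t;

/* Block inputs: three digital and two integer inputs, within the guideline of at
 * most eight digital and two integer inputs. */
typedef struct {
    bool    guard_closed;     /* normally-open contact of the guard switch */
    bool    guard_open;       /* inverted (normally-closed) contact of the same switch */
    bool    enable_request;   /* operator requests the enable output */
    int32_t speed_ch1;        /* shaft speed in rpm, channel 1 */
    int32_t speed_ch2;        /* shaft speed in rpm, channel 2 */
} fb_inputs_t;

/* Block instance state: the latched fault code and the single output. */
typedef struct {
    fb_fault_t fault;
    bool       enable_out;    /* the only output of the block */
} fb_state_t;

/* Pre-set benchmarks (assumed values for this example, not taken from the standard). */
#define SPEED_MIN_RPM        0
#define SPEED_MAX_RPM     3000
#define SPEED_SAFE_RPM     250   /* enable is only granted below this speed */
#define SPEED_TOLERANCE     20   /* admissible difference between the two channels */

/* Resetting the block: clears the latched fault and forces the output to its
 * safe (de-energised) state. Normal operation resumes on the next cycle. */
void fb_reset(fb_state_t *st)
{
    st->fault = FB_OK;
    st->enable_out = false;
}

/* One processing cycle. Inputs are checked first (range of each channel,
 * consistency between channels, plausible combination of the guard contacts).
 * A detected fault is latched: the output stays false until fb_reset() is
 * called. The output is written in exactly one place and no global variable is
 * read or modified. Returns the fault code of the block. */
fb_fault_t fb_cycle(fb_state_t *st, const fb_inputs_t *in)
{
    bool    enable = false;   /* local working variable for the output condition */
    int32_t diff;

    if (st->fault == FB_OK) {
        if (in->speed_ch1 < SPEED_MIN_RPM || in->speed_ch1 > SPEED_MAX_RPM) {
            st->fault = FB_FAULT_RANGE_CH1;
        } else if (in->speed_ch2 < SPEED_MIN_RPM || in->speed_ch2 > SPEED_MAX_RPM) {
            st->fault = FB_FAULT_RANGE_CH2;
        } else {
            diff = in->speed_ch1 - in->speed_ch2;   /* both in range: no overflow */
            if (diff < 0) {
                diff = -diff;
            }
            if (diff > SPEED_TOLERANCE) {
                st->fault = FB_FAULT_DISCREPANCY;
            } else if (in->guard_closed == in->guard_open) {
                st->fault = FB_FAULT_INPUT_CONFLICT;  /* contacts must always differ */
            }
        }
    }

    if (st->fault == FB_OK) {
        enable = in->guard_closed && in->enable_request
              && in->speed_ch1 < SPEED_SAFE_RPM
              && in->speed_ch2 < SPEED_SAFE_RPM;
    }

    st->enable_out = enable;  /* centralised: the single point updating the output */
    return st->fault;
}

int main(void)
{
    /* Constructed input scenarios: normal, too fast, channel discrepancy. */
    const fb_inputs_t scenarios[] = {
        { true, false, true, 100, 105 },
        { true, false, true, 500, 505 },
        { true, false, true, 100, 200 },
    };
    fb_state_t st;
    fb_reset(&st);
    for (size_t i = 0; i < sizeof scenarios / sizeof scenarios[0]; i++) {
        fb_fault_t f = fb_cycle(&st, &scenarios[i]);
        printf("scenario %zu: fault=%d enable_out=%d\n", i, (int)f, (int)st.enable_out);
    }
    return 0;
}
```

The latching of the fault is deliberate: once the block has detected a fault it stays in the documented safe state (output false, fault code readable) even if later inputs look valid again, and only the explicit reset restores normal operation, which is the behaviour the comments on reset and post-fault state are meant to describe.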
See
Verification is only necessary for application-specific code, and not for validated library functions.
If the dangerous fraction of
The
This European Standard has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association to provide a means of conforming to Essential Requirements of the New Approach Directive
Once this standard is cited in the Official Journal of the European Communities under that Directive and has been implemented as a national standard in at least one Member State, compliance with the normative clauses of this standard confers, within the limits of the scope of this standard, a presumption of conformity with Essential Requirements of Directive Other requirements and other EU Directives may be applicable to the products falling within the scope of this standard.
This European Standard has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association to provide a means of conforming to Essential Requirements of the New Approach Directive Machinery
Once this standard is cited in the Official Journal of the European Communities under that Directive and has been implemented as a national standard in at least one Member State, compliance with the normative clauses of this standard confers, within the limits of the scope of this standard, a presumption of conformity with Essential Requirements of Directive Other requirements and other EU Directives may be applicable to the product(s) falling within the scope of this standard.