Danfoss Functional Safety User guide

Technical Information
Functional Safety
An overview
powersolutions.danfoss.com
Technical Information Functional Safety - An overview
Contents
General ..... 3
  Introduction ..... 3
  European Union standards structure ..... 3
Designing a safe machine ..... 4
  The process ..... 4
  Hazard and Risk Analysis ..... 4
  Determining the safety requirement ..... 9
    Applying ISO 13849 ..... 10
      Severity of injury ..... 10
      Frequency of exposure ..... 10
      Possibility of avoidance ..... 10
      PLr ..... 10
    Applying EN 62061 ..... 11
  SRP/CS architecture ..... 13
    Category B ..... 13
    Category 1 ..... 13
    Category 2 ..... 14
    Category 3 ..... 14
    Category 4 ..... 14
  System mapping ..... 15
  Selecting the components ..... 17
  Validation of the system ..... 18
    Applying ISO 13849 ..... 18
    Applying EN 62061 ..... 20
    Speaking functional safety ..... 22
L1326395 • Rev AA • Oct 2013

General

Introduction

The purpose of this document is to provide a brief overview of the applicable standards regarding functional safety and to highlight the cooperation needed between OEM customers and Danfoss as sub-supplier.
A safety system has three key elements: the user(s), the instructions/manuals and the machine itself. This document only covers aspects related to machine Functional Safety (FS), defined as all the measures aiming to protect the machine operator or bystanders from risk during work with and/or around the machine. Not in scope are risks due to other hazards such as electromagnetic compatibility (EMC), explosive atmospheres (ATEX) etc. These should, however, be evaluated by the machine manufacturer.
WARNING
The manufacturer has the sole responsibility for the machine design, including all three parts of the safety system.

European Union standards structure

In order to be freely marketed in the countries of the European Community, every device or piece of machinery must comply with the Community Directives. The Community Directives establish a series of general principles preventing manufacturers from placing products on the market that are hazardous for the operator or bystanders. Any hazard to an operator or bystander due to machine functioning is governed by the Machinery Directive 2006/42/EC. A series of harmonized standards is issued which translates the content of the directives into technical requirements, in order to protect the operator and bystanders from risks and to be used for the risk assessment of a machine. Any manufacturer who applies these standards to his machine is also presumed to conform to the directives.
[Figure P301 568: structure of the standards under the Machinery Directive 2006/42/EC. Type A - Basic safety standards: ISO 12100, ISO 14121. Type B - Generic safety standards: ISO 13849, ISO 62061, ISO 4413, IEC 61508. Type C - Machine safety standards: ISO 25119, ISO 15998, ISO 12999.]
It is not mandatory to follow the harmonized standards* when releasing a machine on the market. However, the machine must always comply with the requirements given by the Machinery Directive, and the simplest way to meet the EU directives is to comply with the harmonized standards.
If applying the standards, the manufacturer of devices or machines must first verify whether the product is covered by a type C standard. If so, this standard provides the safety requirements. If not, the type B standards for any device or specific aspect of the product shall apply. Failing further requirements, the manufacturer must follow the general guidelines as stated in the type A standards.
* http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/machinery/index_en.htm

Designing a safe machine

The process

A user expects a safe machine: when working with and/or around a machine, they expect to complete their tasks unharmed. The machine design has a significant impact on safety. Therefore, it is vital to consider functional safety during machine development. Applying functional safety to the machine is a process like many others in the development project. Dividing the complete process into steps allows for a systematic approach, starting with defining the boundaries and requirements and ending with an evaluation of the safety level achieved.

Hazard and Risk Analysis

There is no such thing as a risk-free machine or application. It is impossible to make a machine that will never fail or never expose the operator or bystander to some degree of hazard. Everybody faces risks every single day: risks that could potentially harm us, but we live with them because they are tolerable. Therefore, the challenge is to design a machine with a tolerable risk level.
A standard way of identifying and analyzing the hazards and the risk is found in the standard ISO 12100. This standard describes an iterative, cyclic model that runs until a satisfactory result is achieved.
[Figure P301 569: the functional safety process as a sequence of steps: Hazard and risk analysis, Determining safety requirement, SRP/CS architecture, System mapping, Component selection, System validation.]

Determine machinery limits

In order to identify, and later evaluate, the exact risk associated with an application/machine, it is very important to create a clear overview of the operational limits of the particular machine in question. Defining a very clear and basic set of boundaries will greatly aid the risk identification and make sure the end result fits the application without compromising any use cases.
The first step is to define the machine type. The overall type should already be clear when applying a type B standard, as it must be ensured that the machine type is not subject to any type C standards. Below each machine category, a sub-category may exist, e.g. distinguished by weight or power. If so, the particular machine sub-category should be clearly specified.
It is also relevant to identify the specific tasks that the machine is designed to handle. A clear understanding of these will be needed in the next step, when identifying hazards.
Another subject to consider when defining the operational limits is the operational environment. Where the machine is used has an impact on the risk estimation. Naturally, different risks will be present if a machine is operated in a close-quarter, urban environment compared to operating in a forest. One major difference is the people interacting with the machine in operation, such as unrelated bystanders.
[Figure P301 570: the hazard and risk analysis process according to ISO 12100.
Determine machinery limits: What is the machine type? What tasks does the machine handle? What is the operating environment? Who is potentially at risk?
Hazard analysis, identify hazards: unexpected movement, sharp edges, falling objects, pinch points.
Harm sequence: machine designation, hazard description, harm sequence.
Estimate the risk (according to ISO 12100): severity of harm, probability of hazard, probability that someone is exposed to the hazard, probability that contact with the hazard is inevitable.
Risk evaluation, evaluate the risk: Can I reduce the risk? Does the risk feel comfortable? Is it safe enough for my family? Can I justify the decision to anyone?
Is the machine safe? YES: the end. NO: take measures for risk reduction according to ISO 12100.]
Hazard identication
When the boundaries of the machine are clearly dened, the next step is to identify the hazards. Without clear boundaries, a lot of resources will be wasted trying to solve hazards that are not relevant to the actual operating situation.
The identication of a hazard can also be described as the identication of unexpected occurrances during an operating situation. It is crucial to both discover all hazards and to understand them. If either of these fail, a person may get injured and/or it will require a great deal of resources to correct the design.
To aid the identication of the hazards, it would be valueable to assemble a multi-functional team with dierent backgrounds within all aspects of work with the machine. To facilitate the identication process, an incident history or database might also be of value.
Harm sequence
Once the machine limits and possible hazards are known, these can be put together into a harm sequence. The harm sequence will be the basis for risk estimation later on in the process. Another way of describing the harm sequence is as a “chain of events”.
The harm sequence always starts with a task within the machine’s operational limits and ends with injury to a person. The goal of the harm sequence is to remove one single element which will prevent the nal harm or injury.
An example of a harm sequence can be seen below.
Machine designation:
Warehouse truck model X2012.
Hazard description:
An unexpected change of direction due to steering system failure.
Harm sequence:
• Machine is travelling inside a factory facility
• Failure of steering system occurs
  – Hose breaks, loss of hydraulic pressure
  – Or valve spring failure
• Unexpected change of direction occurs
• Bystander in close proximity
  – On-coming warehouse truck
  – Worker passing by on foot
• Machine operator unable to avoid collision
  – Shut off machine
• Bystander unable to avoid collision
  – Stopping or steering
• Machine collides with another truck
• Impact energy is sufficient to cause injury
• Machine operator is injured
• Possible injuries are lacerations or broken bones.

Risk estimation

Estimating the risks is very important, as it is the prerequisite for the risk evaluation. Estimating the risk gives a clear indication of the safety level of the machine and, in turn, of the need to implement safety functions.
[Figure P301 572: Risk is determined by the severity of harm and the probability of occurrence.]
A good approach to organizing the risk estimation is to make a scorecard with both severity and occurrence. For each hazard identified, a score for severity and for occurrence probability should be given. It is important not only to look at the worst case. There is no ranking of severity or occurrence governed by the standards. Multiplying the two scores gives a numerical expression of the seriousness of the risk associated with a specific hazard.

Risk evaluation

The risk evaluation is the point in the process where the safety level of the machine and the possible need for safety features to reduce risk are decided. By completing the risk evaluation, a guide to risk reduction is made.
For each risk identified and scored in the risk estimation, an evaluation must be performed. The purpose of the evaluation is to decide whether the current safety level is sufficient for the machine builder. In other words, the risk evaluation determines whether the risk present is tolerable. It is important to keep in mind that there is no such thing as a risk-free machine or application. The goal is to design and build a machine which only has tolerable risks.
If the risk is tolerable by the way the machine is designed, the hazard and risk analysis is complete and the machine/application is compliant with all regulations and conforms with the Machinery Directive.
If the risk is not tolerable, measures for risk reduction must be taken.

Risk reduction

The aim of the risk reduction is to reduce the risks to what is reasonably practical, or to mitigate them to a tolerable level of residual risk. As the word reduction indicates, the purpose is to reduce the risks that are found, as there will always be risks that cannot be eliminated. A rule of thumb is that if a risk can be reduced, then it must be reduced.
[Figure P301 573: risk reduction according to ISO 12100.
Avoid risk by design: design the machinery in such a way that the risk does not appear.
Avoid risk by safeguard: incorporate guards to minimize the risk.
Avoid risk by information: warning labels, user manual, training.
Is the safety measure dependent on a control system? Yes: define safety functions (SRP/CS) based on the applicable type B standard. Example 1: machinery cannot move unless an operator is present. Example 2: deliver no flow when the neutral set point is given. No: consider residual risks.
Residual risks? Return to hazard and risk analysis according to ISO 14121.]
The optimum way of reducing a risk is to design the machine in such a way that the risk cannot arise. However, this is not always possible, as it may limit or conflict with the machine's operational limits. The commercial realities of putting a machine on the market also have a significant impact on the machine design and its cost. Examples of risk reduction by design are openings made too small for human limbs to enter, or rotating spoke discs replaced by plate discs.
Another way of reducing risks is to incorporate safeguards on the machine. Safeguards are not seen as a way to design out the risk, but as a separate way of reducing it. Examples of safeguards are light curtains, two-hand control and system interlocks.
The last way of reducing the risk is to inform the user about it. This covers training, manuals, etc. It is important to keep in mind that training the user will only affect the probability of harm to the user. Bystanders and similar will not be affected by this, and the probability of harm to them will therefore not decrease much. Examples of information are warning labels, display information or use cases in manuals.
This document does not cover information for use. Please refer to DIN 4844-2 for warning symbols.
When the risk reduction measures are identified, their method of implementation must be evaluated. If a risk reduction measure is realized by a control system, a safety function must be defined for each such risk. The activation of the safety function results in a defined safe state. A failure to perform the safety function is equal to an increased risk. A safety function is not part of the machine/application's standard operation, meaning that if the safety function fails, the machine/application can still operate, but with an increased risk.
The process of reducing the risks is iterative. Whenever a measure for risk reduction has been decided and implemented, it must be evaluated whether this addition or design change to the machine/application has caused new risks not present before. If so, one must return to hazard identification and repeat the process from there.

Determining the safety requirement

When entering this point in the process, all risks have been identified and evaluated. This means that the residual risks are acceptable to the machine builder and that only the risks that need to be countered are left. One or more of these risks may rely on parts of the control system performing a safety function in order to be avoided.
There are two possible type B standards that can be applied to determine the requirement of the SRP/CS:
– ISO 13849, which uses the term Performance Level (PL)
– IEC 62061, which uses the term Safety Integrity Level (SIL)
Selecting which standard to apply is a choice of the designer. However, it is also to some extent given by the way the safety function is realized.
Technology | ISO 13849 | EN 62061
Non-electrical/hydraulics | Covered | Not covered
Electromechanical and non-complex electronics | Covered | Covered
Complex or programmable electronics | Covered up to PLd | Covered
Combination of hydraulics and electromechanics | Covered | Covering only electromechanics
Combination of complex or programmable electronics and electromechanics | Covered up to PLd | Covered
Combination of complex or programmable electronics and hydraulics | Covered, for the electronics up to PLd | Covering only complex or programmable electronics
Combination of hydraulics with electromechanics and complex or programmable electronics | Covered, for the electronics up to PLd | Covering only complex or programmable electronics
(Table P301 574)
WARNING
The manufacturer has sole responsibility for choosing the correct standard and ensuring conformity with 2006/42/EC.
Both standards are harmonized standards giving Presumption of Conformity to the Machinery Directive. This means that unless a type C standard (product-specific standard) specifies a required Performance Level or Safety Integrity Level, the designer is free to apply either of the two standards.

Applying ISO 13849

To nd the required performance level of the safety-related part of the control system ensuring a specic safety function, it is assumed that an accident occurs. This means that a person has been exposed to a hazard. The severity of the injury, the frequency of exposure and the possibility of avoidance must then be evaluated.
P1 PLa
F1
P2 PLb
S1
P1 PLb
F2
P2 PLc
Accident
P1 PLc
F1
P2 PLd
S2
P1 PLd
F2
P2 PLe
• F1 = less often/
Severity of
injury
• S1 = slight reversible injury
• S2 = serious ireversible injury or death
Frequency
exposure
of
short exposure time
• F2 = frequent to continous/ exposure time long
Possibility
of
avoidance
• P1 = possible under specic conditions
• P2 = scarcely possible
Severity of injury
Two types of injury are considered. The first is a reversible injury (S1). This means that the injury will heal and the injured person(s) will recover without permanent damage. The second is a serious, irreversible injury or death (S2). The last step of the harm sequence ended with a person getting injured; therefore it is worth looking at the harm sequence again when evaluating the severity.
Frequency of exposure
The rate of exposure to the hazard is also evaluated. This is a measure of how often any person(s) are exposed to the specific harm. It can range from the entire time of operation to only at service intervals. If it is not possible to evaluate the exposure based on how often it happens, it is evaluated by the exposure time. To make a qualified assumption about the exposure, it is very important to have the boundaries in place with respect to the operational limits. A sound understanding of the way operators work with the machine/application is also very important.
Possibility of avoidance
The possibility of avoidance looks at the probability that any person(s) exposed to the hazard can avoid it and hence not get injured. Things to consider here are the speed at which the failure happens, the reaction time of the persons involved and the hazards they are exposed to.
PLr
Following the figure from left to right, choosing the path based on the answers to the three questions evaluated, leads to a required performance level (PLr) for the safety-related part of the control system. This is a measurable requirement that the final performance level of the chosen solution must be compared against.

Applying EN 62061

To nd the required safety integrity level, the required probability that the safety function will be performed must be set up. This is done by looking at the hazard. All needed information is already set up by the harm sequence.
PLr
Conformity
ISO 13849
P301 576
Fr Frequency durationPrProbability of hazard eventAvAvoidance
≤ 1 hour 5 Very high 5
> 1h ≤ 1 day 5 Likely 4
> 1day ≤ 2 weeks 4 Possible 3 Impossible 5
> 2 wk ≤ 1 year 3 Rarely 2 Possible 3
> 1 year 2 Negligible 1 Likely 1
P301 577
Fr Pr Av
In scoring the different consequences of a specific hazard, a clearly defined operational limit is vital, along with a sound understanding of the operator/machine interaction.
The severity of the hazard has already been defined at the end of the harm sequence.
Se | Consequences (severity) | Class of probability of harm (Fr + Pr + Av): 3-4 | 5-7 | 8-10 | 11-13 | 14-15
4 | Death, losing eye or arm | SIL2 | SIL2 | SIL2 | SIL3 | SIL3
3 | Permanent, losing fingers | - | - | SIL1 | SIL2 | SIL3
2 | Reversible, medical attention | - | - | - | SIL1 | SIL2
1 | Reversible, first aid | - | - | - | - | SIL1
(Table P301 578/579; cells marked "-" have no SIL entry in the matrix.)
Once the SIL class is known, it must be translated into a SIL level, which is the measurable requirement that the chosen solution must be compared against.
[Figure P301 580: the SIL level achieved is compared against the SIL level required; meeting it gives conformity to IEC 61508.]
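The EN 62061 assignment described in this section, worked through in code. This is an added example and not part of the Danfoss document: the Fr, Pr and Av scores, the Se rows and the class columns are those of the two tables above; cells the matrix leaves empty are returned as None. The `assess` helper and the sample hazard rating at the bottom are constructed for illustration.

```python
"""Required SIL from the EN 62061 risk matrix.

Added example, not part of the Danfoss document. Scores and matrix cells
follow the tables in the text; the sample rating is constructed.
"""
from typing import Optional

# Fr: frequency and duration of exposure, scored by the interval between
# exposures. (upper bound of the interval in hours, score); None = no bound.
FR_BY_INTERVAL = [(1, 5), (24, 5), (14 * 24, 4), (365 * 24, 3), (None, 2)]

# Pr: probability of the hazardous event occurring.
PR_SCORES = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}

# Av: possibility of avoiding or limiting the harm.
AV_SCORES = {"impossible": 5, "possible": 3, "likely": 1}

# Se: severity, taken from the last step of the harm sequence.
SE_SCORES = {
    "death, losing eye or arm": 4,
    "permanent, losing fingers": 3,
    "reversible, medical attention": 2,
    "reversible, first aid": 1,
}

# Class of probability of harm, Cl = Fr + Pr + Av, grouped into matrix columns.
CLASS_COLUMNS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]

# Matrix rows Se 4..1 by column; None where the matrix has no SIL entry.
SIL_MATRIX = {
    4: ["SIL2", "SIL2", "SIL2", "SIL3", "SIL3"],
    3: [None, None, "SIL1", "SIL2", "SIL3"],
    2: [None, None, None, "SIL1", "SIL2"],
    1: [None, None, None, None, "SIL1"],
}


def fr_score(interval_hours: float) -> int:
    """Score the exposure frequency from the time between two exposures."""
    for bound, score in FR_BY_INTERVAL:
        if bound is None or interval_hours <= bound:
            return score
    raise AssertionError("unreachable: last entry has no upper bound")


def probability_class(fr: int, pr: int, av: int) -> int:
    """Cl is the plain sum of the three scores."""
    return fr + pr + av


def column_index(cl: int) -> int:
    """Map a class value onto one of the five matrix columns."""
    for i, (lo, hi) in enumerate(CLASS_COLUMNS):
        if lo <= cl <= hi:
            return i
    raise ValueError(f"class {cl} is outside the matrix range 3..15")


def required_sil(se: int, cl: int) -> Optional[str]:
    """Look up the required SIL; None means the matrix has no entry for that cell."""
    if se not in SIL_MATRIX:
        raise ValueError(f"severity must be 1..4, got {se}")
    return SIL_MATRIX[se][column_index(cl)]


def assess(consequence: str, interval_hours: float, pr: str, av: str) -> dict:
    """Full walk from the harm sequence ratings to the required SIL (assumed helper)."""
    se = SE_SCORES[consequence]
    fr, pr_s, av_s = fr_score(interval_hours), PR_SCORES[pr], AV_SCORES[av]
    cl = probability_class(fr, pr_s, av_s)
    return {"Se": se, "Fr": fr, "Pr": pr_s, "Av": av_s, "Cl": cl, "SIL": required_sil(se, cl)}


# Constructed sample: exposure once per 8-hour shift (interval <= 1 day),
# hazardous event "possible", avoidance "possible", permanent injury as the
# worst consequence of the harm sequence.
SAMPLE = assess("permanent, losing fingers", interval_hours=8, pr="possible", av="possible")

if __name__ == "__main__":
    print(SAMPLE)
```

For the constructed sample the class is 5 + 3 + 3 = 11, which falls in the 11-13 column, and the Se 3 row gives SIL2. A None result is worth surfacing explicitly rather than treating it as "no requirement": it only says that the matrix assigns no SIL to that combination, and the risk evaluation still has to be recorded.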

SRP/CS architecture

With a tangible requirement for the safety function in hand, the next step is to derive from it the requirements that the implementation must fulfill. These are the architecture at block diagram level, together with the level of self-diagnostics and the permissible failure rate.
The category headings in this section are taken from the standard ISO 13849. The EN 62061 standard has comparable headings: its designated architectures A to D correspond to categories 1 to 4 respectively. Category B is not permitted according to EN 62061.
[Figure P301 581: relationship between category, MTTFd, DC and the achievable performance level (PLa to PLe). Category B/1 is a single channel I - L - O; Category 2 is a single channel I - L - O with test equipment (TE) and a test equipment output (OTE); Categories 3 and 4 are two channels I1 - L1 - O1 and I2 - L2 - O2. For each category the figure shows which combinations of MTTFd (Low, Medium, High) and DC (None, Low, Medium, High) reach which PL; only Category 4 with MTTFd = High and DC = High reaches PLe. The PFHd bands per PL are:
PLa: PFHd > 10^-5 to < 10^-4
PLb: PFHd > 3x10^-6 to < 10^-5
PLc: PFHd > 10^-6 to < 3x10^-6
PLd: PFHd > 10^-7 to < 10^-6
PLe: PFHd > 10^-8 to < 10^-7]
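The lookup the figure above depicts, worked through in code, so that a candidate architecture can be checked against the PLr found earlier. This is an added example and not part of the Danfoss document. The PFHd bands per PL are the ones listed for the figure. The category/DC/MTTFd to PL table and the MTTFd and DC level boundaries are taken from the simplified procedure of ISO 13849-1 (its Tables 5, 6 and 7); the figure shows these combinations graphically but not as a table, so that mapping is supplied here from the standard, not read off the figure. The constructed sample at the bottom is illustrative.

```python
"""PL achieved from the simplified ISO 13849-1 procedure, and PL from PFHd.

Added example, not part of the Danfoss document. PFHD_BANDS follows the
figure; SIMPLIFIED_PL, mttfd_level and dc_level follow ISO 13849-1.
"""
from typing import Optional

PL_ORDER = "abcde"  # PL e is the highest

# (PL, lower bound, upper bound) of the average probability of a dangerous
# failure per hour. ISO 13849-1 treats the lower bound as inclusive.
PFHD_BANDS = [
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
]

# Simplified procedure of ISO 13849-1: (category, DC level) -> {MTTFd level: PL}.
# Combinations missing here are not covered by the procedure.
SIMPLIFIED_PL = {
    ("B", "none"): {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"): {"high": "c"},
    ("2", "low"): {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"): {"high": "e"},
}


def mttfd_level(years: float) -> Optional[str]:
    """MTTFd per channel: low 3..<10 years, medium 10..<30, high 30 and above."""
    if years < 3:
        return None  # below 3 years is not usable
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"  # the standard caps the value used in the calculation


def dc_level(dc: float) -> str:
    """Diagnostic coverage as a fraction: none <0.60, low <0.90, medium <0.99, high >=0.99."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """PL for a calculated PFHd, or None when it lies outside every band."""
    for pl, lo, hi in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def pl_from_architecture(category: str, dc: float, mttfd_years: float) -> Optional[str]:
    """PL reached by a category with the given DC and MTTFd, or None if not covered."""
    level = mttfd_level(mttfd_years)
    if level is None:
        return None
    return SIMPLIFIED_PL.get((category, dc_level(dc)), {}).get(level)


def meets_requirement(pl_achieved: Optional[str], plr: str) -> bool:
    """Conformity check: the PL achieved must be equal to or higher than PLr."""
    if pl_achieved is None:
        return False
    return PL_ORDER.index(pl_achieved) >= PL_ORDER.index(plr)


# Constructed sample: a Category 2 architecture with DC 0.90 (medium) and an
# MTTFd of 50 years (high) against a required PLd.
SAMPLE_PL = pl_from_architecture("2", dc=0.90, mttfd_years=50)
SAMPLE_OK = meets_requirement(SAMPLE_PL, "d")

if __name__ == "__main__":
    print(f"Category 2, DC medium, MTTFd high -> PL{SAMPLE_PL}, meets PLd: {SAMPLE_OK}")
    print(f"PFHd 5e-7/h -> PL{pl_from_pfhd(5e-7)}")
```

Two checks are worth keeping separate in practice: the structural one (category, DC and MTTFd reach the PL) and the numerical one (the calculated PFHd falls in the band), because a sub-system certificate typically states the PFHd while the machine builder still has to establish the category and DC of the combined system.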

Category B

The category B architecture is recognized by the use of basic safety principles, e.g. the de-energization principle. With this category, a single fault may lead to the loss of the safety function.
[Figure P301 582: Category B block diagram: Input - Logic - Output, connected by interconnecting means (im).]

Category 1

The category 1 architecture is recognized by the use of basic safety principles as in category B, together with the use of well-tried components. These are components that have been applied in similar applications in the same manner. With this category, a single fault may lead to the loss of the safety function, but this is less likely than with category B.
[Figure P301 583: Category 1 block diagram: Input - Logic - Output, connected by interconnecting means (im).]

Category 2

The category 2 architecture is recognized by the test equipment (TE). This part of the machine control verifies the safety function at suitable intervals. With this category, the occurrence of a fault between the verifications may lead to a loss of the safety function. Loss of the safety function will be detected by the verification performed by the test equipment.
[Figure P301 584: Category 2 block diagram: Input - Logic - Output, with the Test equipment monitoring the channel and driving its own Output TE.]

Category 3

The category 3 architecture is recognized by the fact that a single fault in any of the three elements (Input, Logic and Output) cannot lead to the loss of the safety function. It is also recognized by the ability of the control system to detect faults in the individual elements whenever practical. An accumulation of faults can lead to the loss of the safety function.
[Figure P301 585: Category 3 block diagram: two channels, Input 1 - Logic 1 - Output 1 and Input 2 - Logic 2 - Output 2, with monitoring (m) between the channels.]

Category 4

The category 4 architecture is recognized by the fact that a single fault in any of the elements cannot lead to the loss of the safety function. Furthermore, if a fault is not detected, the accumulation of faults can still never lead to the loss of the safety function, as faults are detected in due time.
[Figure P301 586: Category 4 block diagram: two channels, Input 1 - Logic 1 - Output 1 and Input 2 - Logic 2 - Output 2, with monitoring (m) between the channels.]

System mapping

With the requirements for the implementation of the defined safety functions in hand, the physical representation of the safety function and its components must be constructed. Looking at a complete machine, it is often difficult to recognize the architecture of the category found earlier. Breaking the system down into chunks enables a system mapping that relates the architecture to the physical components. This must be done for every specific safety function.
To describe the system mapping, an example of a man lift will be used. The example does not feature any specific data or PL/SIL; the intention is only to illustrate the process. The safety function defined for this example is: "unable to move basket in vertical direction unless an operator is present in the basket."
Looking at the complete application, two types of wiring are relevant for the system mapping: the electrical wiring, represented by blue lines, and the hydraulic piping, represented by red lines. Both are relevant with respect to the safety function. The sensing of operator presence is done by electronics, and the movement of the cylinder, and in turn the arm, is done by the hydraulics.
Identifying the components that are actively performing operations that the safety function must act on simplifies the system dramatically, as it removes components not in scope for this specific investigation, such as the propel system for the wheels. Keeping the interaction between the components gives a natural structure to the block diagram.
[Figure P301 594: the man lift with its electrical wiring (blue) and hydraulic piping (red); the components in scope are three HICs and the valve.]
The dierent architectures are all sorted in the way of input, logic and output. As the aim is to have a direct relation between the architecture and the components, they too, should be ordered in input elements, logic elements and output elements. Again, it is helpful to keep not only the interaction between the elements but also the direction meaning input or output.
HIC HIC HIC valve
P301 595
The relationship between architecture and system is then directly comparable. The result of this example, for the specific safety function defined, is: the input element consists of three joysticks; the logic element consists of two controllers, one as logic and one as test equipment; the output consists of one valve (section), with a cut-off valve as the test equipment output.
[Figures P301 595 and P301 584 side by side: the man lift components mapped onto the Category 2 block diagram: Input (three joysticks) - Logic (controller) - Output (valve section), with the Test equipment (second controller) driving the Output TE (cut-off valve).]

Selecting the components

The process so far has identied the requirements that the safety function has to fulll to claim conformity to the Machinery Directive. This is expressed in the PLr or required SIL level. The process has also dened the architecture of the system in order to fulll the safety function. Based on these requirements, components must be selected to fulll the requirements. Before selecting the components, the machine builder faces a choice. Is the safety function going to be fullled by using individual components or by using sub-systems? This choice has a great impact on the next step in the process as it determines the level of needed calculations for the machine builder and also what the supplier can be expected to oer.
PL/PHFd
Category
Category
DC
System PL
PL/PHFd
Category
Safety Functions
DC
System PL
P301 587
SRP/CS
Components
Sub-systems
Supplier
Electronis
Machine builder System PL
Supplier MTTFd/PFHd
Hydraulics
Machine builder
Supplier
Electro-hydraulic
solutions
Machine builder
WARNING
The manufacturer has sole responsibility for the machine design and implementation of the safety function
Both components and sub-systems can have a SIL certificate. If choosing such a component, it is the responsibility of the manufacturer of the device to document that the component has a PFHd equivalent to the certified SIL level. Just one part being SIL certified does not make the complete system certified.
Selecting the right components is not a matter of selecting the ones with the highest MTTFd value or SIL certification. Other considerations may be imposed by machine-specific type C standards; one example is cranes. Of course the economic perspective must also be evaluated. Achieving a high performance level or safety integrity level places high demands on the design and construction of the components.

Validation of the system

The nal step in the process is to verify the system and prove conformity to the Machinery Directive. This is the step where the requirements to the safety functions found is evaluated against the components or sub-systems used to implement them in the physical machine.
Validating the system is dependent on the standard applied as the ISO 13849 and the EN 62061 although comparable is using two dierent ways and expressions.

Applying ISO 13849

The rst step is to verify the system setup. This is done by looking at the common cause failure and the susceptibility of the system.
This in only valid for CAT2 andCAT3 systems
A common cause failure or CCF is when one failure leads to more than one part of the safety function to fail.
[Figure P301 588: a single failure affecting both channel 1 and channel 2 of a two-channel safety function (common cause failure).]
A scoring card is used to evaluate the CCF. The total score must be higher than 65 in order to proceed with claiming conformity to the Machinery Directive.
Scoring card for measures against CCF (figure P301 589):
No. | Measure against CCF | Score
1 | Separation/segregation: physical separation between signal paths; separation in wiring/piping; sufficient clearance and creepage distance on PCB | 15
2 | Diversity: different technologies/designs are used, e.g. first channel programmable electronic and second channel hardwired; different kinds of initiation (pressure and temperature); measuring of distance and pressure; digital and analogue | 20
3 | Design/application/experience |
3.1 | Over-voltage, over-pressure, over-current etc. protection | 15
3.2 | Components used are well-tried | 5
4 | Assessment/analysis: are the results of the FMEA taken into account to avoid CCF in the design? | 5
5 | Competence/training: have designers/maintainers been trained in the understanding of CCF? | 5
6 | Environmental |
6.1 | Prevention of contamination and EMC according to appropriate standards. Fluid systems: filtration of the pressure source according to manufacturer requirements. Electric systems: check for electromagnetic immunity according to relevant standards | 25
6.2 | Other influences: has immunity to all relevant environmental influences, e.g. temperature, shock, etc., been considered? | 10
Once a CCF score over 65 has been achieved, the achieved performance level must be found. The PL is found by evaluating the category defined earlier, the MTTFd of the system and the average diagnostic coverage of the system.
The MTTFd of the system is found from the MTTFd of the different elements in the architecture.
$$\frac{1}{MTTF_{d,\,system}} = \frac{1}{MTTF_{d,\,input}} + \frac{1}{MTTF_{d,\,logic}} + \frac{1}{MTTF_{d,\,output}}$$
(figure P301 590)
As several measures of fault detection can be used in different parts of an SRP/CS, there can be many different DC values. Therefore an average DC for the system is used in the verification process.
$$DC_{avg} = \frac{\dfrac{DC_1}{MTTF_{d1}} + \dfrac{DC_2}{MTTF_{d2}} + \dfrac{DC_3}{MTTF_{d3}}}{\dfrac{1}{MTTF_{d1}} + \dfrac{1}{MTTF_{d2}} + \dfrac{1}{MTTF_{d3}}}$$
(figure P301 591)
Having the category, MTTFd and DCavg, the performance level can be found by using the table.
Performance level as a function of category, MTTFd and DCavg (figure P301 581; architectures shown in the figure: Category B/1: I, L, O; Category 2: I, L, O with test equipment TE and OTE; Category 3 and Category 4: two channels I1, L1, O1 and I2, L2, O2):
PL a: Category B, MTTFd = Low, DC = None; Category 2, MTTFd = Low, DC = Low
PL b: Category B, MTTFd = Medium, DC = None; Category 2, MTTFd = Low, DC = Medium; Category 2, MTTFd = Medium, DC = Low; Category 3, MTTFd = Low, DC = Low
PL c: Category B/1, MTTFd = High, DC = None; Category 2, MTTFd = Medium, DC = Medium; Category 2, MTTFd = High, DC = Low; Category 3, MTTFd = Low, DC = Medium; Category 3, MTTFd = Medium, DC = Low
PL d: Category 2, MTTFd = High, DC = Medium; Category 3, MTTFd = Medium, DC = Medium; Category 3, MTTFd = High, DC = Low; Category 3, MTTFd = High, DC = Medium
PL e: Category 4, MTTFd = High, DC = High
PFHd ranges: PL a: > 10^-5 to < 10^-4; PL b: > 3x10^-6 to < 10^-5; PL c: > 10^-6 to < 3x10^-6; PL d: > 10^-7 to < 10^-6; PL e: > 10^-8 to < 10^-7
Looking back at the step determining the safety requirement, a required performance level was defined. Based on the achieved performance level and the required performance level, conformity to the Machinery Directive can now be proven. This must be done for each safety function.
[Figure P301 576: the achieved PL is compared with the PLr to show conformity to ISO 13849.]
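The ISO 13849 steps above (CCF scoring, system MTTFd, DCavg, PL lookup and the comparison with PLr) carried through in Python for one constructed Category 3 safety function, as an added example that is not Danfoss code. The MTTFd and DC band limits are assumed from ISO 13849-1 and are not shown on this page; the CCF card and the PL table follow the page.

```python
# Added example, not from the Danfoss document: ISO 13849 verification of one
# safety function with constructed figures. MTTFd and DC band limits are taken
# from ISO 13849-1 (not shown on this page); CCF card and PL table follow the page.
CCF_CARD = [  # (measure, points, fully achieved?) - a constructed assessment
    ("1 Separation/segregation", 15, True),
    ("2 Diversity", 20, False),  # both channels electronic: no diversity credit
    ("3.1 Over-voltage/pressure/current protection", 15, True),
    ("3.2 Well-tried components", 5, True),
    ("4 FMEA results used to avoid CCF", 5, True),
    ("5 Designers/maintainers trained in CCF", 5, True),
    ("6.1 Contamination/EMC per standards", 25, True),
    ("6.2 Other environmental influences considered", 10, True),
]
# PL as a function of (category, MTTFd band, DCavg band), from the page's table
PL_TABLE = {
    ("B", "Low", "None"): "a", ("B", "Medium", "None"): "b", ("B", "High", "None"): "c",
    ("1", "High", "None"): "c",
    ("2", "Low", "Low"): "a", ("2", "Medium", "Low"): "b", ("2", "High", "Low"): "c",
    ("2", "Low", "Medium"): "b", ("2", "Medium", "Medium"): "c", ("2", "High", "Medium"): "d",
    ("3", "Low", "Low"): "b", ("3", "Medium", "Low"): "c", ("3", "High", "Low"): "d",
    ("3", "Low", "Medium"): "c", ("3", "Medium", "Medium"): "d", ("3", "High", "Medium"): "d",
    ("4", "High", "High"): "e",
}

def ccf_score(card):
    """Points are granted only for measures that are fully implemented."""
    return sum(points for _, points, met in card if met)

def system_mttfd(elements):
    """1/MTTFd_system = 1/MTTFd_input + 1/MTTFd_logic + 1/MTTFd_output."""
    return 1.0 / sum(1.0 / m for _, m in elements)
def dc_avg(elements):
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(dc / m for dc, m in elements) / sum(1.0 / m for _, m in elements)
def mttfd_band(years):  # ISO 13849-1: 3 <= Low < 10 <= Medium < 30 <= High
    return None if years < 3 else "Low" if years < 10 else "Medium" if years < 30 else "High"
def dc_band(dc):  # ISO 13849-1: None < 60% <= Low < 90% <= Medium < 99% <= High
    return "None" if dc < 0.6 else "Low" if dc < 0.9 else "Medium" if dc < 0.99 else "High"

def verify_pl(category, elements, card, plr):
    """The page's ISO 13849 steps; elements = [(DC, MTTFd in years), ...] in I/L/O order."""
    score = ccf_score(card)
    if category in ("2", "3", "4") and score < 65:  # CCF check (ISO 13849-1: at least 65 points)
        return {"ccf": score, "pl": None, "conforms": False}
    pl = PL_TABLE.get((category, mttfd_band(system_mttfd(elements)), dc_band(dc_avg(elements))))
    return {"ccf": score, "mttfd": system_mttfd(elements), "dcavg": dc_avg(elements), "pl": pl,
            "conforms": pl is not None and "abcde".index(pl) >= "abcde".index(plr)}
# Constructed Category 3 system: joysticks (DC 90%, 50 y), controller (99%, 100 y), valve (60%, 20 y)
EXAMPLE = [(0.90, 50.0), (0.99, 100.0), (0.60, 20.0)]
```

With these constructed figures the system reaches PL c, so a PLr of d is not met: the low diagnostic coverage on the valve pulls DCavg down to about 72% even though the controller has 99%.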
This document only covers the functional safety part of the Machinery Directive. Conformity to the functional safety part does not mean conformity to the complete Machinery Directive. Other standards may apply.
When proving the conformity, it is very important to remember that this is not a verbal process performed at meetings. All steps in the process, thoughts, prerequisites, considerations and choices must be carefully documented.

Applying EN 62061

The rst step is to nd the Safety Integrity Level Claim Limit or SILCL. The SILCL is equivalent to the lowest safety integrity level of the three sub-systems or elements in the category. If the system is made up of an input element with SIL 2 and logic – and output elements with SIL 3 the overall system cannot be claimed to have a higher SIL than SIL 2.
The next step is to calculate the probability of a dangerous failure of the system per hour. This is achieved by adding together the PFHd values of each element or sub-system.
[Figure P301 593: the PFHd of the input elements, the PFHd of the logic elements and the PFHd of the output elements are added to give the system PFHd.]
The achieved PFHd will give the achieved SIL level of the system according to the table.
SIL and PFHd (figure P301 592):
SIL 1: ≥ 3 x 10^-6 up to < 10^-5
SIL 2: ≥ 10^-7 up to < 10^-6
SIL 3: ≥ 10^-8 up to < 10^-7
Looking back at the step determining the safety requirement, a required SIL level was defined. Based on the achieved SIL level and the required SIL level, conformity to the Machinery Directive can now be proven. This must be done for each safety function.
[Figure P301 580: the achieved SIL level is compared with the required SIL level to show conformity to IEC 61508.]
When proving the conformity, it is very important to remember that this is not a verbal process performed at meetings. All steps in the process, thoughts, prerequisites, considerations and choices must be carefully documented.
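The EN 62061 steps above (SILCL as the lowest sub-system SIL, PFHd summed over the sub-systems, SIL read from the PFHd band, comparison with the required SIL) carried through in Python with constructed sub-system data, as an added example that is not Danfoss code. The SIL bands are assumed from IEC 62061 Table 3, whose SIL 1 lower limit is 10^-6 per hour where the table on this page gives 3 x 10^-6.

```python
# Added example, not from the Danfoss document: EN 62061 verification of one safety
# function with constructed sub-system data. SIL bands follow IEC 62061 Table 3.
SIL_BANDS = [(3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]  # (SIL, >= low, < high)

def silcl(subsystems):
    """Claim limit: the lowest SIL among the input, logic and output sub-systems."""
    return min(sil for _, sil, _ in subsystems)

def system_pfhd(subsystems):
    """System PFHd = PFHd(input) + PFHd(logic) + PFHd(output), per hour."""
    return sum(pfhd for _, _, pfhd in subsystems)

def sil_from_pfhd(pfhd):
    """SIL band containing the achieved PFHd; None if it is above the SIL 1 limit."""
    if pfhd < 1e-8:
        return 3  # better than the SIL 3 band, still capped at SIL 3 under this standard
    return next((sil for sil, low, high in SIL_BANDS if low <= pfhd < high), None)

def verify_sil(subsystems, sil_required):
    """Achieved SIL is limited both by the SILCL and by the summed PFHd."""
    pfhd = system_pfhd(subsystems)
    by_pfhd = sil_from_pfhd(pfhd)
    achieved = None if by_pfhd is None else min(silcl(subsystems), by_pfhd)
    return {"silcl": silcl(subsystems), "pfhd": pfhd, "sil": achieved,
            "conforms": achieved is not None and achieved >= sil_required}

# Constructed sub-systems: (name, SIL claimed by the supplier, PFHd per hour)
CASE_A = [("joysticks", 2, 2.0e-7), ("controller", 3, 1.0e-8), ("valve", 3, 5.0e-8)]
CASE_B = [("joysticks", 3, 5.0e-8), ("controller", 3, 5.0e-8), ("valve", 3, 5.0e-8)]

if __name__ == "__main__":
    print(verify_sil(CASE_A, 2))  # SILCL 2 caps the system at SIL 2
    print(verify_sil(CASE_B, 3))  # all SIL 3, but the summed PFHd 1.5e-7 only reaches SIL 2
```

CASE_B shows the point the page makes about summing: three SIL 3 sub-systems do not give a SIL 3 system when their PFHd values add up beyond the SIL 3 band.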
This document only covers the functional safety part of the Machinery Directive. Conformity to the functional safety part does not mean conformity to the complete Machinery Directive. Other standards may apply.

Speaking functional safety

There are a lot of abbreviations, terms etc. when speaking about functional safety that are not usually encountered in everyday jargon. Getting to speak the same language involves a common understanding and definition of the terms and words in use. This glossary gives an overview of some of the expressions used.
2006/42/EC Machinery Directive: European legislation superseding the old Machinery Directive 98/37/EC. The Machinery Directive applies to the EEA plus Iceland, Norway and Liechtenstein. The Machinery Directive addresses “an assembly, fitted with or intended to be fitted with a drive system other than directly applied human or animal effort, consisting of linked parts or components, at least one of which moves, and which are joined together for a specific purpose.”
Category: Block diagram architecture of the safety related part of the control system.
CCF: Common Cause Failure. Failure of different items derived from a single event.
Dangerous Failure: A failure that potentially will put the SRP/CS in a hazardous state or in a failure mode in which it does not function.
DC: Diagnostic Coverage. Measure of the effectiveness of self-diagnostics.
EN 62061: Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems.
Functional safety: Part of the overall safety that depends on a system or application operating correctly.
Harm: Physical injury or damage to the health of person(s).
Hazard: Potential source of harm.
ISO 13849: Safety of machinery – SRP/CS.
MTTFd: Mean Time To dangerous Failure. The mean time between failures classified as dangerous of a subject, measured in years.
PFHd: Probability of dangerous Failure per Hour. The calculated number of failures classified as dangerous that will occur within one hour.
PL: Performance Level. Discrete level used to specify the ability of the safety-related part of the control system to perform a specific safety function under foreseeable conditions.
PLr: Required performance level. The performance level to be applied in order to achieve the required risk reduction for each safety function.
Risk: The probability of harm occurring and the resulting severity of that harm.
Safety function: Functionality increasing machine safety and not part of normal machinery operation. A failure in the safety function will result in an immediate increase in risk(s).
SIL: Safety Integrity Level. Relative measure of the performance of a safety function in order to reduce risk.
SILCL: Safety Integrity Level Claim Limit. The highest safety integrity level that can be claimed for a safety function. The SILCL depends on the sub-systems used to realize the safety function.
SRP/CS: Safety Related Part of Control System. Part of a control system that responds to safety related inputs with a safety related output.
Products we offer:
- Bent Axis Motors
- Closed Circuit Axial Piston Pumps and Motors
- Displays
- Electrohydraulic Power Steering
- Electrohydraulics
- Hydraulic Power Steering
- Integrated Systems
- Joysticks and Control Handles
- Microcontrollers and Software
- Open Circuit Axial Piston Pumps
- Orbital Motors
- PLUS+1® GUIDE
- Proportional Valves
- Sensors
- Steering
- Transit Mixer Drives
Danfoss Power Solutions is a global manufacturer and supplier of high-quality hydraulic and electronic components. We specialize in providing state-of-the-art technology and solutions that excel in the harsh operating conditions of the mobile off-highway market. Building on our extensive applications expertise, we work closely with our customers to ensure exceptional performance for a broad range of off-highway vehicles.
We help OEMs around the world speed up system development, reduce costs and bring vehicles to market faster. Danfoss – Your Strongest Partner in Mobile Hydraulics.
Go to www.powersolutions.danfoss.com for further product information.
Wherever off-highway vehicles are at work, so is Danfoss.
We offer expert worldwide support for our customers, ensuring the best possible solutions for outstanding performance. And with an extensive network of Global Service Partners, we also provide comprehensive global service for all of our components.
Please contact the Danfoss Power Solutions representative nearest you.
Comatrol: www.comatrol.com
Schwarzmüller-Inverter: www.schwarzmueller-inverter.com
Turolla: www.turollaocg.com
Valmova: www.valmova.com
Hydro-Gear: www.hydro-gear.com
Daikin-Sauer-Danfoss: www.daikin-sauer-danfoss.com
Local address:
Danfoss Power Solutions US Company
2800 East 13th Street Ames, IA 50010, USA Phone: +1 515 239 6000
Danfoss can accept no responsibility for possible errors in catalogues, brochures and other printed material. Danfoss reserves the right to alter its products without notice. This also applies to products already on order provided that such alterations can be made without subsequential changes being necessary in specifications already agreed. All trademarks in this material are property of the respective companies. Danfoss and the Danfoss logotype are trademarks of Danfoss A/S. All rights reserved.
L1326395 • Rev AA • Oct 2013 www.danfoss.com © Danfoss A/S, 2013-10
Danfoss Power Solutions GmbH & Co. OHG
Krokamp 35 D-24539 Neumünster, Germany Phone: +49 4321 871 0
Danfoss Power Solutions ApS
Nordborgvej 81 DK-6430 Nordborg, Denmark Phone: +45 7488 2222
Danfoss Power Solutions
22F, Block C, Yishan Rd Shanghai 200233, China Phone: +86 21 3418 5200