Danfoss Functional Safety User guide

MAKING MODERN LIVING POSSIBLE

Technical Information

Functional Safety

An overview

powersolutions.danfoss.com

Technical Information Functional Safety - An overview

Contents

General ........................................................................................................................................................................................ 3

Introduction ................................................................................................................................................................................ 3

European Union standards structure ................................................................................................................................ 3

Designing a safe machine .................................................................................................................................................. 4

The process ................................................................................................................................................................................. 4

Hazard and Risk Analysis ........................................................................................................................................................ 4

Determine machinery limits ........................................................................................................................................... 4

Hazard identication ......................................................................................................................................................... 5

Harm sequence .................................................................................................................................................................... 5

Risk estimation ..................................................................................................................................................................... 6

Risk evaluation ..................................................................................................................................................................... 7

Risk reduction ....................................................................................................................................................................... 7

Determining the safety requirement ................................................................................................................................ 9

Applying ISO 13849 .......................................................................................................................................................... 10

Severity of injury ......................................................................................................................................................... 10

Frequency of exposure ............................................................................................................................................. 10

Possibility of avoidance ............................................................................................................................................ 10

PLr ..................................................................................................................................................................................... 10

Applying EN 62061 ........................................................................................................................................................... 11

SRP/CS architecture ................................................................................................................................................................ 13

Category B ........................................................................................................................................................................... 13

Category 1 ........................................................................................................................................................................... 13

Category 2 ........................................................................................................................................................................... 14

Category 3 ........................................................................................................................................................................... 14

Category 4 ........................................................................................................................................................................... 14

System mapping .....................................................................................................................................................................15

Selecting the components .................................................................................................................................................. 17

Validation of the system ....................................................................................................................................................... 18

Applying ISO 13849 .......................................................................................................................................................... 18

Applying EN 62061 ........................................................................................................................................................... 20

Speaking functional safety ............................................................................................................................................. 22

L1326395 • Rev AA • Oct 20132

Technical Information Functional Safety - An overview

General

Introduction

The purpose of this document is to provide a brief overview of applicable standards in regards to
functional safety and to highlight the cooperation needed between OEM customers and Danfoss as
sub-supplier.

A safety system has three important key elements; the user(s), the instructions/manuals and the
machine itself. This document only shows aspects related to the machine Functional Safety (FS),
dened as all the measures aiming to protect the machine operator or bystander from risk during
work with and/or around the machine. Not in scope are risks due to other hazards such as electro­magnetic capability (EMC), explosive atmospheres (ATEX) etc. These should, however, be evaluated
by the machine manufacturer.

WARNING

The manufacturer has the sole responsibility for the machine
Design, including all three parts of the safety system.

European Union standards structure

In order to be freely marketed in the countries of the European Community, every device or piece of
machinery must comply with Community Directives. The Community Directives establish a series of
general principles preventing manufacturers from placing products on the market that are hazardous
for the operator or bystanders. Any hazard to an operator or bystander due to machine functioning is
governed by the Machinery Directive 2006/42/EC.
A series of harmonized standards are issued, which translate the content of directives into technical
requirements in order to protect the operator and bystanders from risks as well as being used for the
risk assessment of a machine. Any manufacturer who applies these standards to his machine is also
presumed to conform to the directives.

Machinery Directive

Type A - Bacis safety standards

Type B - Generic safety standards

ISO

12100

2006/42/EC

ISO

14121

It is not mandatory to follow the harmonized standards* when releasing a machine on the market.
However, the machine must always comply to the requirements given by the Machinery Directive and
the simplest way to meet EU directives is to comply to the harmonized standards.

If applying the standards, the manufacturer of devices or machines must rst verify whether the
product is covered by a type C standard. If so, this standard provides the safety requirements. If not,
type B standards for any device or specic aspect of the product shall apply. Failing further
requirements, the manufacturer must follow general guidelines as stated in the type A standards.

ISO 13849

ISO 62061

ISO 4413

IEC 61508

Type C - Machine safety
standards

ISO 25119 ISO 15998 ISO 12999

P301 568

* http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/machinery/index_en.htm

L1326395 • Rev AA • Oct 2013 3

Technical Information Functional Safety - An overview

Designing a safe machine

The process

A user expects a safe machine. The machine
design also has a signicant impact on safety.
When working with and/or around a machine,
they expect to complete the tasks unharmed.
Therefore, it is vital to think of functional safety
in machine development. Applying functional
safety to the machine is a process like many
others in the development project. Dividing the
complete process into steps will allow for a
systematic approach starting with dening the
boundaries and requirements and ending up
with an evaluation of the safety level achieved.

Hazard and Risk Analysis

There is no such thing as a risk-free machine or
application. It is impossible to make a machine
that will never fail nor expose the operator or
bystander to some extent of hazard. Everybody
faces risks every single day. Risks that could
potentially harm us but we live with these risks
because they are tolerable. Therefore, the
challenge is to design a machine with a tolerable
risk level.

A standard way of identifying and analyzing the
hazards and the risk are found in the standard
ISO 12100. This standard describes an iterative
cyclic model that will run until a satisfactory
result is achieved.

Hazard and risk

analysis

Determining

safety

requirement

SRP/CS

architecture

System

mapping

Component

selection

System

validation

P301 569P301 569

Determine machinery limits

In order to identify, and later evaluate the exact risk that is associated with an application/machine, it
is tremendously important to create a clear overview of the operational limits of the particular
machine in question. Dening very clear and basicl set of boundaries will vastly aid in the risk
identication and make sure the end result will t the application without compromising any use
cases.

The rst step is to dene the machine type. The overall type should already be clear when applying a
type B standard, as it must be ensured that the machine type is not subject to any type C standards.
Below each machine category, a sub-category may exist e.g. distinguished by weight or power. If so,
the particular machine sub-category should be clearly specied.

It is also relevant to identify the specic tasks that the machine is designed to handle. A clear
understanding of these will be needed in the next step when identifying hazards.

Another subject to consider when dening the operational limits is the operational environment. It
will have an impact on the risk estimation where the machine is used. Naturally, other risks will be
present if a machine is operated in a close-quarter, urban environment compared to operating in a
forest. One major dierence is the people interacting with the machine in operation such as
unrelated bystanders.

L1326395 • Rev AA • Oct 20134

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

• What is the machine type

• What tasks does the machine handle

Determine

machinery limits

• What is the operating environment

• Who are potentialy at Risk

(according to ISO 12100)

Hazard Analysis

Identify Hazards

Harm sequence

Estimate the Risk

(according to ISO 12100)

Risk Evaluation

Evaluate the Risk

• Unexpected movement

• Sharp edges

• Falling objects

• Pinch points

• Machine designation

• Hazard descroption

• Harm sequence

• Severity of Harm

• Probability of Hazard

• Probability that soemone is expossed to Hazard

• Probability that contact with Hazard is inevitable

• Can I reduce the Risk

• Does the Risk feel comfortable

• Is it safe enough for my family

• Can I justify the decision to anyone

S

Is the

machine

safe?

• YES → The End

• NO → Take measures for Risk reduction according to ISO 12100

P301 570

Hazard identication

When the boundaries of the machine are clearly dened, the next step is to identify the hazards.
Without clear boundaries, a lot of resources will be wasted trying to solve hazards that are not
relevant to the actual operating situation.

The identication of a hazard can also be described as the identication of unexpected occurrances
during an operating situation. It is crucial to both discover all hazards and to understand them. If
either of these fail, a person may get injured and/or it will require a great deal of resources to correct
the design.

To aid the identication of the hazards, it would be valueable to assemble a multi-functional team
with dierent backgrounds within all aspects of work with the machine. To facilitate the identication
process, an incident history or database might also be of value.

Harm sequence

Once the machine limits and possible hazards are known, these can be put together into a harm
sequence. The harm sequence will be the basis for risk estimation later on in the process. Another
way of describing the harm sequence is as a “chain of events”.

The harm sequence always starts with a task within the machine’s operational limits and ends with
injury to a person. The goal of the harm sequence is to remove one single element which will prevent
the nal harm or injury.

L1326395 • Rev AA • Oct 2013 5

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

An example of a harm sequence can be seen below.

Machine designation:

Warehouse truck model X2012.

Hazard description:

An unexpected change of direction due to
steering system failure.

Harm sequence:

y Machine is travelling inside a factory facility
y Failure of steering system occurs

– Hose breaks, loss of hydraulic pressure
– Or valve spring failure

y Unexpected change of direction occurs
y Bystander in close proximity

– On-coming warehouse truck
– Worker passing by on foot

y Machine operator unable to avoid collision

– Shut o machine

y Bystander unable to avoid collision

– Stopping or steering

y Machine collides with another truck
y Impact energy is sucient to cause injury
y Machine operator is injured
y Possible injuries are lacerations or broken

bones.

S

Risk estimation

Estimating the risks is very important as it is the prerequisite for risk evaluation. Estimating the risk
will give a clear indication of the safety level of the machine and in turn the need of implementing
safety functions.

Severity of

harm

Risk

Probability

of

occurence

P301 572

A good approach to organize the risk estimation is to make a scorecard with both severity and
occurrence. For each hazard identied, a score for all severities and occurrence probability should be
given. It is important not only to look at worst case. There is no ranking governed by the standards on
severity or occurrence. Multiplying the two scores will give a numerical expression of the seriousness
of a risks associated with a specic hazard.

L1326395 • Rev AA • Oct 20136

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

Risk evaluation

The risk evaluation is the point in the process where the safety level of the machine and the possible
need for safety features to reduce risk are decided. By completing the risk evaluation, a guide to risk
reduction is made.

For each risk identied and scored in the risk estimation, an evaluation must be performed. The
purpose of the evaluation is to decide if the current safety level are sucient to the machine builder.
In other words, the risk evaluation determines if the risk present is tolerable. It is important to keep in
mind that there is no such thing as a risk-free machine or application. The goal is to design and build a
machine which only has tolerable risks.

If the risk is tolerable by the way the machine is designed, the hazard and risk analysis is complete and
the machine/application is compliant with all regulations and conforms with the machinery directive.

If the risk is not tolerable, measures for risk reduction must be taken.

Risk reduction

The aim of the risk reduction is to reduce the risks to what reasonable practical or mitigate to a
tolerable level of residual risk. But as the word reduction indicates, the purpose is to reduce the risks
that are found as there will always be risk that cannot be eliminated. A rule of thumb is that if a risk
can be reduced, then it must be reduced.

Avoid Risk by

design

• Design the machinery in such a way that the Risk does not appear

Avoid Risk by

safeguard

• Incorporate guards to minimize the Risk

(according to ISO 12100)

Risk reduction

Avioid Risk by

information

SRP/CS

Dene safety

function

Resedual

Risks?

• Warning labels

• User manual

• Training

• Is the safety measure dependant on a control system?

• Yes: Dene safety functions based on applicable level B standard

• No: Consider resedual Risks

• Example 1: Machinery cannot move unless an operator is present

• Example 2: Deliver no ow when neutral set point is given

• Return to Hazard and Risk Analysis according to 14121

P301 573

L1326395 • Rev AA • Oct 2013 7

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

The optimum way of reducing a risk, is to design the machine in such a way that the risk cannot be
visible. However, this is not always possible if this will limit or conict with machine operational limits.
The commercial realities of putting a machine on the market also have a signicant impact on the
machine design and cost of same. Examples of risk reduction by design are openings made too small
for human limbs to enter or rotating spoke-discs replaced by plate-discs.

Another way of reducing risks is to incorporate safe guards on the machine. Safe guards are not seen
as a way to design out the risk, but as a separate way of reducing them. Examples of safe guards are
light curtains, two hand control and system interlocks.

The last way of reducing the risk is to inform the user about them. This covers training, manuals, etc. It
is important to have in mind that training the user will only aect the probability of harm to the user.
Bystanders and similar will not be eected by this and the probability of harm will therefore not
decrease much. Examples of information could bewarning labels, display information or use cases in
manuals.

This document does not cover Information on use.
Please refer to DIN 4844-2 for warning symbols

When the risk reduction measures are identied, their method of implementation must be evaluated.
If the risk reduction measure is realized by a control system, a safety function of each risk must be
dened. The activation of the safety function will result in a dened safe state. A failure to perform
the safety function is equal to an increased risk. A safety function is not part of a machine/application
standard operation, meaning that in case the safety function fails, the machine/application can still
operate but with an increased risk.

The process of reducing the risks is repetitive. Whenever a measure for risk reduction has been
decided and implemented it must be evaluated if this addition or design change to the machine/
application has caused new risks not present before. If so, one must return to hazard identication
and repeat the process from there.

L1326395 • Rev AA • Oct 20138

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

Determining the safety requirement

When entering this point in the process, all risks will be identied and evaluated. This means that the
residual risks are acceptable to the machine builder. This also means that only the risks that need to
be countered are left. One or more of these risks might be relying on parts of the control system to
perform a safety function which should be avoided.

There are two possible type B standards that can be applied to determine the requirement of the SRP
CS.

– ISO 13849 which uses the term Performance Level (PL)
– IEC 62061 which uses the term Safety Integrity Level (SIL)

Selecting which standard to apply is a choice of the designer. However, it is also to some extent given
by the way the safety function is realized.

Technology ISO 13849 EN 62061

Non-electrical/hydraulics Covered Not covered

Electromechanical and non­complex electronics

Complex or programmable
electronics

Combination of hydraulics and
electromechanics

Combination of complex or
programmable elctronics and
electromechanics

Covered Covered

Covered up to PLd Covered

Covered Covering only

electromechanics

Covered up to PLd Covered

Combination of complex or
programmable elctronics and
hydraulics

Combination of hydraulics with
electromechanics and complex or
programmable electronics

Covered, for the
electronics up to PLd

Covered, for the
electronics up to PLd

Covering only complex or
programmable electronics

Covering only complex or
programmable electronics

P301 574

WARNING

The manufacturer has sole responsibility for choosing the correct standard and ensuring conformity
with 2006/42/ EC

Both standards are harmonized standards giving Presumption of Conformity to the Machinery
Directive. This means that unless a type C standard (product specic standard) species a required
Performance Level or Safety Integrity Level, the designer is free to choose to apply any of the two
standards.

L1326395 • Rev AA • Oct 2013 9

Technical Information Functional Safety - An overview

P301 575

Designing a safe machine

(continued)

Applying ISO 13849

To nd the required performance level of the safety-related part of the control system ensuring a
specic safety function, it is assumed that an accident occurs. This means that a person has been
exposed to a hazard. The severity of the injury, the frequency of exposure and the possibility of
avoidance must then be evaluated.

P1 PLa

F1

P2 PLb

S1

P1 PLb

F2

P2 PLc

Accident

P1 PLc

F1

P2 PLd

S2

P1 PLd

F2

P2 PLe

• F1 = less often/

Severity of

injury

• S1 = slight
reversible injury

• S2 = serious
ireversible
injury or death

Frequency

exposure

of

short exposure
time

• F2 = frequent to
continous/
exposure time
long

Possibility

of

avoidance

• P1 = possible
under specic
conditions

• P2 = scarcely
possible

Severity of injury

Two types of injury are considered. The rst one is a reversible injury. This means that the injury will
heal itself and the injured person(s) will recover without permanent injury.
The last step of the harm sequence ended with a person getting injured. Therefore it is worth looking
at the harm sequence again when evaluating the severity.

Frequency of exposure

The exposure rate to the hazard is also evaluated. This is a measure of how often any person(s) are
exposed to the specic harm. This can range from the entire time of operation to only at service
intervals. If it is not possible to evaluate the exposure based on how often it will happen, it is
evaluated by the exposure time.
To make a qualied assumption about the exposure, it is very important to have the boundaries in
place in respect to operational limits. A sound understanding of the way operators work with the
machine/application is also very important.

Possibility of avoidance

The possibility of avoidance looks at the probability that any person(s) exposed to the hazard can
avoid it, hence not getting injured.
Things to consider here is the speed at which the failure happens, the reaction time of involved
persons and the hazards they are exposed to.

PLr

Following the gure from left to right, choosing the path based on the answers to the three questions
evaluated will lead to a required performance level for the safety related part of the control system.
This is a measurable requirement that the nal performance level of the chosen solution must be
compared against.

L1326395 • Rev AA • Oct 201310

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

PL

achieved

Applying EN 62061

To nd the required safety integrity level, the required probability that the safety function will be
performed must be set up. This is done by looking at the hazard. All needed information is already set
up by the harm sequence.

PLr

Conformity

ISO 13849

P301 576

Fr
Frequency durationPrProbability of hazard eventAvAvoidance

≤ 1 hour 5 Very high 5

> 1h ≤ 1 day 5 Likely 4

> 1day ≤ 2 weeks 4 Possible 3 Impossible 5

> 2 wk ≤ 1 year 3 Rarely 2 Possible 3

> 1 year 2 Negligible 1 Likely 1

P301 577

Fr Pr Av

In scoring the dierent consequences of a specic hazard, a clearly dened operational limit is vital
along with a sound understanding of the operator/machine interaction.

The severity of the hazard has already been dened at the end of the harm sequence.

Se
Consequences (severity)

Class of probability of harm

3 - 4 5 - 7 8 - 10 11 - 13 14 - 15

Probability

of harm

P301 578

Death, losing eye or arm 4 SIL2 SIL2 SIL2 SIL3 SIL3

Permanent, losing ngers 3 SIL1 SIL2 SIL3

Reversible, medical attention 2 SIL1 SIL2

Reversible, rst aid 1 SIL1

P301 579

L1326395 • Rev AA • Oct 2013 11

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

When having the SIL class, this must be translated into a SIL level which is the measurable
requirement that the chosen solution must be compared against.

SIL level

achieved

SIL level

required

Conformity

to IEC
61508

P301 580

L1326395 • Rev AA • Oct 201312

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

SRP/CS architecture

Having a tangible requirement of the safety function, the next step is to build on these creating
requirements that it must fulll. These are the architecture on a block diagram level together with the
level of self-diagnostics and the permissible failure rate.

The category heading in this section is used from the standard ISO 13849. The EN 62061 standard has
similar headings comparable to the one used here. The range of categories according to EN 62061 is A
to D corresponding to category 1 to 4 respectively. Category B is not allowed according to EN 62061.

PLa PLb PLc PLd PLe

Category B/1

I O L

Category 2

L

I

TE

Category 3

I1 O1 L1

I2 O2 L2

Category 4

O

OTE

MTTFd = Low

DC = None

MTTFd = Low

DC = Low

MTTFd = Low
DC = Medium

MTTFd = Medium

DC = None

MTTFd = Medium

DC = Low

MTTFd = Medium

MTTFd = Low

DC = Low

MTTFd = Low
DC = Medium

DC = Medium

MTTFd = Medium

DC = Low

MTTFd = High

DC = None

MTTFd = High

DC = Low

MTTFd = Medium

DC = Medium

MTTFd = High
DC = Medium

MTTFd = High

DC = Low

MTTFd = High

DC = Medium

I1 O1L1

I2 O2 L2

PFHd
> 10

-5

to < 10-4

PFHd
> 3x10-6 to < 10-5

PFHd
> 10-6 to < 3x10-6

PFHd
> 10-7 to < 10-6

MTTFd = High

DC = High

PFHd
> 10-8 to < 10-7

P301 581

Category B

The category B architecture is recognized by the use of basic safety principles like e.g. the
de-energization principle. With this category, a single fault may lead to the loss of the safety function.

Category B

Input Output

Logic

im

i

m

P301 582

Category 1

The category 1 architecture is recognized by the use of basic safety principles like in the category B as
well as the use of well-tried components. These components are usually applied in similar
applications in the same manor. With this category, a single fault may lead to the loss of the safety
function but it is less likely than with category B.

Category 1

Input Output

Logic

im

i

m

P301 583

L1326395 • Rev AA • Oct 2013 13

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

Category 2

The category 2 architecture is recognized by the test equipment (TE). This part of the machine control
will verify the safety function in suitable intervals. With this category, the occurrence of a fault
between the verications may lead to a loss of the safety function. Losing the safety function will be
detected by the verication by the test equipment.

Category 2

Input Logic Output

im

i

m

m

im

Test equipment

Output TE

P301 584

Category 3

The category 3 architecture is recognized by a single fault in any of the three elements (Input, Logic
and Output) and cannot lead to the loss of the safety function. It is also recognized by the possibility
of the control system to detect faults in the individual elements whenever practical. Accumulated
faults can lead to the loss of the safety function.

Category 3

im

i

m

Input 1 Logic 1 Output 1

m

m

im

im

Input 2

Logic 2

m

Output 2

P301 585

Category 4

The category 4 architecture is recognized by a single fault in any of the elements which cannot lead
to the loss of the safety function. Furthermore, if fault is not detected, the accumulation of faults can
never lead to the loss of the safety function as they are detected in due time.

Category 4

im

i

m

Input 1 Logic 1 Output 1

m

m

im

m

Output 2

P301 586

Input 2

im

Logic 2

L1326395 • Rev AA • Oct 201314

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

System mapping

With the requirements for the implementation of the dened safety functions in hand, the physical
representation of the safety function and its components must be constructed. Looking at a
complete machine, it will often be dicult to imagine the architecture of the category found earlier
on. A breakdown of the system into chucks will enable a system mapping giving a relationship
between architecture and physical components. This must be done for all specic safety functions.

In order to describe the system mapping, an example of a man lift will be used. The example will not
feature any specic data or PL/SIL. The intention is to only represent the process. The safety function
dened for this example is: “unable to move basket in vertical direction unless an operator is present
in the basket.”

Looking at the complete application, two types of wiring are relevant for the system mapping. There
is the electrical wiring represented by blue lines and the hydraulic piping represented by the red
lines. Both wirings are relevant with respect to the safety function. The sensing of operator presence
is done by electronics and the movement of the cylinder, and in turn the arm, is done by the
hydraulics.

Identifying the components that are activly performing operations that the safety function must act
on will simplify the system dramatically as it removes components not in scope for this specic
investigation, such as a propel system for the wheels. Keeping the interaction between the
components will give a natural structure to the block diagram.

HIC HIC HIC valve

P301 594

L1326395 • Rev AA • Oct 2013 15

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

The dierent architectures are all sorted in the way of input, logic and output. As the aim is to have a
direct relation between the architecture and the components, they too, should be ordered in input
elements, logic elements and output elements. Again, it is helpful to keep not only the interaction
between the elements but also the direction meaning input or output.

HIC HIC HIC valve

P301 595

The relationship between architecture and system will then be comparable. The result of this
example for the specic safety function dened is: Input element consists of three joysticks. The logic
element consists of two controllers, one as logic and one as test equipment. The output consists of
one valve (section) and a cut-o valve as test equipment output.

Category 2

Input Logic Output

im

m

Test equipment

i

im

m

Output TE

HIC HIC HIC valve

P301 595

P301 584

L1326395 • Rev AA • Oct 201316

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

Selecting the components

The process so far has identied the requirements that the safety function has to fulll to claim
conformity to the Machinery Directive. This is expressed in the PLr or required SIL level. The process
has also dened the architecture of the system in order to fulll the safety function.
Based on these requirements, components must be selected to fulll the requirements. Before
selecting the components, the machine builder faces a choice. Is the safety function going to be
fullled by using individual components or by using sub-systems? This choice has a great impact on
the next step in the process as it determines the level of needed calculations for the machine builder
and also what the supplier can be expected to oer.

PL/PHFd

Category

Category

DC

System PL

PL/PHFd

Category

Safety Functions

DC

System PL

P301 587

SRP/CS

Components

Sub-systems

Supplier

Electronis

Machine builder System PL

Supplier MTTFd/PFHd

Hydraulics

Machine builder

Supplier

Electro-hydraulic

solutions

Machine builder

WARNING

The manufacturer has sole responsibility for the machine design and implementation of the safety
function

Both components and sub-systems can have a SIL certicate. If choosing such a component, it is the
responsibility of the manufacturer of the device to document that the component has a PFHd
equivalent to the certied SIL level. Just one part being SIL certied does not make the complete
system certied.

Selecting the right components are not a matter of selecting the ones with the highest MTTFd
number or SIL certication. Other considerations might be caused by machine specic type C
standards. One example is on cranes. Of course the economic perspective must also be evaluated.
Achieving a high performance level or safety integrity level sets high demands to the design and
construction of the components.

L1326395 • Rev AA • Oct 2013 17

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

Validation of the system

The nal step in the process is to verify the system and prove conformity to the Machinery Directive.
This is the step where the requirements to the safety functions found is evaluated against the
components or sub-systems used to implement them in the physical machine.

Validating the system is dependent on the standard applied as the ISO 13849 and the EN 62061
although comparable is using two dierent ways and expressions.

Applying ISO 13849

The rst step is to verify the system setup. This is done by looking at the common cause failure and
the susceptibility of the system.

This in only valid for CAT2 andCAT3 systems

A common cause failure or CCF is when one failure leads to more than one part of the safety function
to fail.

Channel

1

Channel

2

P301 588

A scoring card is used to evaluate the CCF. The total score must be higher than 65 in order to proceed
with claiming conformity to the Machinery Directive.

No Measure against CCF Score

1 Separation/Segregation

Physical separation between signal paths:
separation in wiring/piping
Sucient clerance and creep age distance on PCB

2 Diversity

Diernet technologies/design are used:
rst channel progrmammable electronic and second channel hardwired
kind of initiation
pressure and temperature
Measuring of distance and pressure:
digital and analogue

3 Design/application/experience

3.1 Over-voltage, over-pressure, over-current etc. protection 15

3.2 Components used are well-tried 5

4 Assesment/analysis

Are results of FMEA taken into account t

5 Compentance/training

Has designers/maintainers been trained in the understanding of CCF 5

6 Environmental

6.1 Prevencion of contamination and EMC according tp appropriate standards
Fluid systems: ltration of pressure source according to manufacturer requirements
Electric systems: Check for electromagnetic immunity by relevant standards

6.2 Other inuences
Have immunity to all relevant environmental inuences e.g. temperature, shock, etc. been considered

o avoid CCF in design 5

15

20

25

10

P301 589

L1326395 • Rev AA • Oct 201318

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

When having achieved a CCF over 65, the achieved performance level must be found. The PL is found
by evaluating the category which has been dened earlier, the MTTFd of the system and the average
diagnostic coverage of the system.

The MTTFd is found by looking at the dierent elements in the architecture.

1/MTTFd

input

1/MTTFd

logic

1/MTTFd

output

1/MTTFd

system

P301 590

As several measures of fault detection can be used in dierent parts of a SRP/CS, there could be many
dierent DC. Therefore an average DC for the system is used for the verication process.

DC1
MTTFd1

1
MTTFd1

DC2
MTTFd2

1
MTTFd2

DC3
MTTFd3

DCavg

1
MTTFd3

P301 591

Having the category, MTTFd and DCavg, the performance level can be found by using the table.

PLa PLb PLc PLd PLe

Category B/1

I O L

Category 2

L

I

TE

Category 3

I1 O1 L1

I2 O2 L2

Category 4

I1 O1L1

I2 O2 L2

O

OTE

MTTFd = Low

DC = None

MTTFd = Low

DC = Low

MTTFd = Low
DC = Medium

MTTFd = Medium

DC = None

MTTFd = Medium

DC = Low

MTTFd = Medium

MTTFd = Low

DC = Low

MTTFd = Low
DC = Medium

DC = Medium

MTTFd = Medium

DC = Low

MTTFd = High

DC = None

MTTFd = High

DC = Low

MTTFd = Medium

DC = Medium

MTTFd = High
DC = Medium

MTTFd = High

DC = Low

MTTFd = High

DC = Medium

MTTFd = High

DC = High

PFHd
> 10

-5

to < 10-4

PFHd
> 3x10-6 to < 10-5

PFHd
> 10-6 to < 3x10-6

PFHd
> 10-7 to < 10-6

PFHd
> 10-8 to < 10-7

P301 581

L1326395 • Rev AA • Oct 2013 19

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

Looking back at the step determining the safety requirement, a required performance level was
dened. Based on achieved performance level and the required performance level, conformity to the
Machinery Directive can now be proven. This must be done for each safety function.

PL

achieved

PLr

Conformity

ISO 13849

P301 576

This document only covers the functional safety part of the Machinery Directive. Conformity to the
functional safety part does not mean conformity to the complete Machinery Directive. Other
standards may apply.

When proving the conformity, it is very important to remember that this is not a verbal process
performed at meetings. All steps in the process, thoughts, prerequisites, considerations and choices
must be carefully documented.

Applying EN 62061

The rst step is to nd the Safety Integrity Level Claim Limit or SILCL. The SILCL is equivalent to the
lowest safety integrity level of the three sub-systems or elements in the category. If the system is
made up of an input element with SIL 2 and logic – and output elements with SIL 3 the overall system
cannot be claimed to have a higher SIL than SIL 2.

SIL PFHd

-6

-8

PFHd of

output

elements

-5

P301 592

System

PFHd

P301 593

SIL 1 ≥ 3 x10-6up to < 10

SIL 2 ≥ 10-7up to < 10

SIL 3 ≥ 10-7up to < 10

The next step is to calculate the probability of a dangerous failure in the system per hour. This is
achieved by adding the PFHd values for each element or sub-system together.

PFHd of

input

elements

The achieved PFHd will give the achieved SIL level of the system according to the table.

PFHd of

logic

elements

L1326395 • Rev AA • Oct 201320

Technical Information Functional Safety - An overview

Designing a safe machine

(continued)

SIL PFHd

SIL 1 ≥ 3 x10-6up to < 10

SIL 2 ≥ 10-7up to < 10

SIL 3 ≥ 10-7up to < 10

Looking back at the step determining the safety requirement, a required SIL level was dened. Based
on achieved SIL level and the required SIL level, conformity to the Machinery Directive can now be
proven. This must be done for each safety function.

SIL level

achieved

When proving the conformity, it is very important to remember that this is not a verbal process
performed at meetings. All steps in the process, thoughts, prerequisites, considerations and choices
must be carefully documented.

SIL level

required

-5

-6

-8

P301 592

Conformity

to IEC
61508

P301 580

This document only covers the functional safety part of the Machinery Directive. Conformity to the
functional safety part does not mean conformity to the complete Machinery Directive. Other
standards may apply.

L1326395 • Rev AA • Oct 2013 21

Technical Information Functional Safety - An overview

Speaking functional safety

There are a lot of abbreviations, terms etc. when speaking about functional safety that are not usually
encountered in everyday jargon. Getting to speak the same language involvs a common
understanding and denition of the terms and words in use. This glossary gives an overview of some
of the expressions used.

2006/42/EC Machinery Directive: European legislation superseding the old Machinery Directive98/37/EC.

The Machinery Directive applies to EEA plus Iceland, Norway and
Lichtenstein. The Machinery Directive addresses “an assembly, tted with
or intended to be tted with a drive system other than direct applied
human or animal eort consisting of linked parts or components, at least
one of which moves, and which are joined together for a specic purpose.”

Category Block diagram architecture of the safety related part of the control system.

CCF Common Cause Failure. Failure of dierent items derived from a single

event.

Dangerous Failure A failure that potentially will put the SRP/CS in a hazardous state or failure

mode in which it does not function.

DC Diagnostic Coverage. Measure of the eectiveness of self-diagnostics.

EN 62061 Safety of machinery – Functional safety of safety-related electrical,

electronic and programmable electronic control systems.

Functional safety Part of the overall safety depending on a system or application to operate

correctly.

Harm Physical injury or damage to health of person(s)

Hazard Potential source of harm

ISO 1384 9 Safety on Machinery – SRP/CS

MTTFd Mean Time To dangerous Failure. The mean time between failures

classied as dangerous of a subjects measured in years.

PFHd Probability of dangerous Failure per Hour: The calculated number of

failures classied as dangerous that will occur within one hour.

PL Performance level. Discrete level used to specify the ability of the

safety-related part of the the control system to perform specic safety
function under foreseeable conditions.

PLr Required performance level. Required performance level to be applied in

order to achieve the required risk reduction for each safety function.

Risk The probability of harm occurrence and resulting severity of that harm.

Safety function Functionality increasing machine safety and not part of normal machinery

operation. A failure in the safety function will result in an immediate
increase in risk(s)

SIL Safety Integrity Level: Relative measure of the performance of a safety

function in order to reduce risk.

SILCL Safety Integrity Level Claim Limit. The highest safety integrity level that

can be claimed for a safety function. The SILCL is dependent on the
sub-systems used to realize the safety function.

SRP/CS Safety Related Part of Control System. Part of a control system that

responds to safety related inputs with a safety related output.

L1326395 • Rev AA • Oct 201322

Technical Information Functional Safety - An overview

Notes

L1326395 • Rev AA • Oct 2013 23

Products we o er:

 Bent Axis Motors

 Closed Circuit Axial Piston

Pumps and Motors

 Displays

 Electrohydraulic Power

Steering

 Electrohydraulics

 Hydraulic Power Steering

 Integrated Systems

 Joysticks and Control

Handles

 Microcontrollers and

Software

 Open Circuit Axial Piston

Pumps

 Orbital Motors

 PLU S +1® GUIDE

 Proportional Valves

 Sensors

 Steering

 Transit Mixer Drives

Danfoss Power Solutions is a global manufacturer and supplier of high-quality hydraulic and
electronic components. We specialize in providing state-of-the-art technology and solutions that
excel in the harsh operating conditions of the mobile o -highway market. Building on our extensive
applications expertise, we work closely with our customers to ensure exceptional performance for a
broad range of o -highway vehicles.

We help OEMs around the world speed up system development, reduce costs and bring vehicles to
market faster.
Danfoss – Your Strongest Partner in Mobile Hydraulics.

Go to www.powersolutions.danfoss.com for further product information.

Wherever o -highway vehicles are at work, so is Danfoss.

We o er expert worldwide support for our customers, ensuring the best possible solutions for
outstanding performance. And with an extensive network of Global Service Partners, we also provide
comprehensive global service for all of our components.

Please contact the Danfoss Power Solution representative nearest you.

Comatrol

www.comatrol.com

Schwarzmüller-Inverter

www.schwarzmueller-

Local address:

inverter.com

Turolla

www.turollaocg.com

Valmova

www.valmova.com

Hydro-Gear

www.hydro-gear.com

Daikin-Sauer-Danfoss

www.daikin-sauer-danfoss.com

Danfoss
Power Solutions US Company

2800 East 13th Street
Ames, IA 50010, USA
Phone: +1 515 239 6000

Danfoss can accept no responsibility for possible errors in catalogues, brochures and other printed material. Danfoss reserves the right to alter its products without notice. This also applies to products
already on order provided that such alterations can be made without subsequential changes being necessary in specifications already agreed.
All trademarks in this material are property of the respective companies. Danfoss and the Danfoss logotype are trademarks of Danfoss A/S. All rights reserved.

L1326395 • Rev AA • Oct 2013 www.danfoss.com © Danfoss A/S, 2013-10

Danfoss
Power Solutions GmbH & Co. OHG

Krokamp 35
D-24539 Neumünster, Germany
Phone: +49 4321 871 0

Danfoss
Power Solutions ApS

Nordborgvej 81
DK-6430 Nordborg, Denmark
Phone: +45 7488 2222

Danfoss
Power Solutions

22F, Block C, Yishan Rd
Shanghai 200233, China
Phone: +86 21 3418 5200