A unified, sub-systematic approach to safe machine controls


07 September 2012

A chain is only as strong as its weakest link, so the saying goes. It is true in safety related machine controls, where the weakest link is the "subsystem", below which sit various types of device. A structure for such device types may help the planned merger of the current machine safety control standards, EN ISO 13849-1 and EN 62061.

At some point in the future the functional safety standards EN ISO 13849 (with its Performance Levels, PL) and EN 62061 (with its Safety Integrity Levels, SIL) will merge; a joint technical committee, ISO/TC 199 - IEC/TC 44, is working on this merger.

At the same time the German Engineering Federation VDMA (Verband Deutscher Maschinen und Anlagenbau) has produced a draft document, “Functional Safety - Universal Database for safety-related values of components or parts of control system”, albeit only in German at the time of writing. This document could help the merger of the two standards, and provides much needed clarity on the plethora of safety-related data available to designers of safety functions on machines. VDMA’s proposal is to create a common file structure which is readable by all of the functional safety performance calculation tools (such as IFA SISTEMA or Pilz PAScal).

A sub-systematic approach

It is important to understand that safety functions are essentially engineered systems, which comprise subsystems, and that quantifying either the Performance Level or Safety Integrity Level of the system requires a sub-systematic analysis. The rationale is that any safety function is akin to a “safety chain” made up of links, or subsystems; a chain is only as strong as the weakest link, so if a subsystem fails, the safety function is lost. When assessing the probability of hardware failure and its potential impact on a safety function, it therefore makes sense to focus attention at the subsystem level. Another term used for subsystem is “safety related part of the control system” or SRP/CS.

Even before the merger of the two standards, it’s clear most engineers tend to favour EN ISO 13849-1. According to this standard, for a safety function to be evaluated, each subsystem must be defined in terms of its Category (or structure, either single or dual channel), Diagnostic Coverage “DC” (expressed as the percentage of dangerous detected failures over all dangerous failures), the average failure rate of all components within the subsystem (Mean Time to Dangerous Failure, MTTFd), and the steps taken against common cause failure, “CCF”. Once defined, these parameters are used to determine the subsystem Performance Level (PL) and average probability of dangerous failure per hour (PFHD) from the most useful table in the standard, Table K.1, right at the back of EN ISO 13849-1.

For example, a subsystem meeting Category 4, with 99% diagnostic coverage, an MTTFd of 100 years and a CCF score of 65 has PL e and a PFHD of 2.47 x 10^-8. This is the highest PL and lowest PFHD which users of EN ISO 13849-1 can evaluate in Table K.1; lower PFHD values with magnitudes in the order of 10^-9 only come from pre-certified components, such as safety relays, which the vendor has evaluated.

When it comes to a whole safety function, the highest achievable PL is limited by the lowest PL of all constituent subsystems (the “weakest link” principle), and the PFHD of the safety function is determined by the addition of the PFHD of all subsystems.
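The two combination rules just stated, as an added worked example in Python (not code from the article, from VDMA, or from any of the calculation tools it names). It applies the weakest-link rule to the subsystem PLs, sums the subsystem PFHD values, and then checks that the sum still lies inside the PFHD band of the claimed PL (the PL bands are those of Table 3 of EN ISO 13849-1). The subsystem names and PFHD values in the sample are constructed for illustration, except the contactor figure of 2.47 x 10^-8, which is the article's Table K.1 example.

```python
# Added example, not from the article: combining subsystems of a safety function
# under EN ISO 13849-1. The overall PL is limited by the lowest subsystem PL (weakest
# link) and the overall PFHD is the sum of the subsystem PFHDs; the sum must also still
# lie in the PFHD band of the claimed PL (Table 3 of the standard).

from dataclasses import dataclass

# PFHD bands per PL from EN ISO 13849-1 Table 3, in dangerous failures per hour:
# (PL, inclusive lower bound, exclusive upper bound)
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]
PL_ORDER = "abcde"  # PL a is the lowest, PL e the highest


@dataclass(frozen=True)
class Subsystem:
    name: str
    pl: str       # PL the subsystem achieves (vendor-stated for Type 1, Table K.1 for Types 2 and 3)
    pfhd: float   # average probability of dangerous failure per hour


def pl_from_pfhd(pfhd):
    """Return the PL whose Table 3 band contains pfhd, or None if it is outside PL a..e."""
    for pl, low, high in PL_BANDS:
        if low <= pfhd < high:
            return pl
    return None


def combine(subsystems):
    """Return (overall PL or None, total PFHD) for a safety function made of subsystems."""
    total = sum(s.pfhd for s in subsystems)
    weakest = min((s.pl for s in subsystems), key=PL_ORDER.index)
    band = pl_from_pfhd(total)
    if band is None:
        return None, total  # summed failure rate too high for any PL claim
    # Both limits apply: the weakest subsystem PL and the PL band of the summed PFHD.
    return min(weakest, band, key=PL_ORDER.index), total


# Constructed sample safety function: input, logic and output subsystems. The PFHD
# values are illustrative, not vendor data, except the contactor subsystem, which uses
# the article's Table K.1 figure of 2.47e-8 (Cat 4, DC 99%, MTTFd 100 years).
SAMPLE = [
    Subsystem("light curtain, Type 1", "e", 7.7e-9),
    Subsystem("safety relay, Type 1", "e", 2.31e-9),
    Subsystem("two contactors, Type 3 via Table K.1", "e", 2.47e-8),
]

if __name__ == "__main__":
    pl, total = combine(SAMPLE)
    print(f"overall PL {pl}, total PFHD {total:.3e} /h")
```

The second check matters in practice: a chain of several subsystems that each individually reach PL e can still add up to a PFHD above 10^-7, in which case only PL d can be claimed for the whole function even though no single link is the "weakest".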

The VDMA file structure for safety-related data for devices used in safety functions

In terms of the data available to fulfil the above steps, VDMA proposes that there will be three key device types. There follows an explanation of the VDMA file structure when applied to the current standard EN ISO 13849-1.

Type 1 devices are fully certified safety devices which can be viewed as complete subsystems in their own right. Failure rates are independent of operational frequency, and the vendor states internal PL, SILCL, PFHD, Category, and test interval T1. The vendor has developed the device in accordance with safety standards (e.g. IEC 61508, EN 61496, EN 61800-5-2) and had it certified by an independent Notified Body, to ensure the device can be incorporated into a safety function with the least effort on the user’s part (as per Fig 1). Such devices include safety light curtains, RFID coded switches, safety relays, safety PLCs, and safe drives with drive functions such as safe torque off (STO).

Fig 1.

Type 2 devices are not necessarily certified like Type 1; however, this does not exclude their use in safety functions provided that the vendor’s MTTFd data is available. Since MTTFd is only a part of the story, such devices require the user to do more integration work than with Type 1 devices: defining the Category, Diagnostic Coverage, and common cause failure measures. Once the user has defined these parameters, the PL and PFHD for the subsystem can be determined using Table K.1 in Annex K of EN ISO 13849-1, as per Fig 2. The procedure for evaluating the whole system as per Fig 1 then follows. Such devices include non-safety-related electronics (e.g. phase detection relays, power monitors), pressure sensors, hydraulic valves, and standard variable speed drives.

Fig 2.

Type 3 devices are electromechanical devices, the failure rate of which depends upon operational frequency, where provision of a PL and PFHD, or of MTTFd, by the vendor is not possible because the device is subject to wear (which is application-related and not known by the vendor). Instead, the vendor supplies B10d data, and if they do not, generic data is available in Table C.1 of EN ISO 13849-1. As with Type 2, Type 3 devices are not necessarily developed according to safety standards but can be used once the MTTFd has been calculated from the known B10d value and the user-defined average number of annual cycles (nop). The user must also define the selected Category, Diagnostic Coverage, and CCF. After this, the PL and PFHD for the subsystem can be determined using Table K.1 in Annex K of EN ISO 13849-1, as per Fig 3. The final evaluation of the whole system in Fig 1 then follows. Such devices include contactors, switches, single piloted valves, solenoid device mechanisms, and command devices.
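The user-side part of the Type 3 calculation, as an added example in Python (not code from the article or from VDMA). It carries B10d and the user's duty figures through to nop and MTTFd using the formulas of EN ISO 13849-1 Annex C (nop = dop x hop x 3600 / tcycle; MTTFd = B10d / (0.1 x nop)), assigns the resulting MTTFd to the low/medium/high band that selects the Table K.1 column, and also reports T10d = B10d / nop, the interval after which the standard expects the worn component to be replaced. The 100-year cap is assumed from the article's own Table K.1 example; the contactor B10d, working days, hours and cycle time in the sample are constructed values, not vendor data.

```python
# Added example, not from the article: the user-side calculation for a Type 3
# (wear-dependent) device under EN ISO 13849-1 Annex C. The vendor supplies B10d,
# the user supplies the duty (nop), and MTTFd follows from those. The 100-year cap
# is assumed from the article's Table K.1 example (the highest MTTFd it evaluates).

MTTFD_CAP_YEARS = 100.0  # assumed cap: highest MTTFd usable in Table K.1 per the article


def annual_cycles(dop_days_per_year, hop_hours_per_day, tcycle_seconds):
    """nop = dop * hop * 3600 / tcycle: mean number of operations per year (C.4.2)."""
    if tcycle_seconds <= 0:
        raise ValueError("cycle time must be positive")
    return dop_days_per_year * hop_hours_per_day * 3600.0 / tcycle_seconds


def mttfd_from_b10d(b10d_cycles, nop):
    """MTTFd = B10d / (0.1 * nop), in years, capped at the Table K.1 maximum."""
    if nop <= 0:
        raise ValueError("nop must be positive")
    return min(b10d_cycles / (0.1 * nop), MTTFD_CAP_YEARS)


def t10d_years(b10d_cycles, nop):
    """T10d = B10d / nop: the time after which the component should be replaced."""
    return b10d_cycles / nop


def mttfd_band(mttfd_years):
    """Map MTTFd to the low/medium/high bands of Table 5 that select the Table K.1 column."""
    if mttfd_years < 3:
        return None  # below the minimum the standard accepts for a channel
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def evaluate_type3(b10d_cycles, dop, hop, tcycle):
    """Return the figures the user must carry into the Table K.1 lookup."""
    nop = annual_cycles(dop, hop, tcycle)
    mttfd = mttfd_from_b10d(b10d_cycles, nop)
    return {
        "nop": nop,
        "mttfd_years": mttfd,
        "band": mttfd_band(mttfd),
        "t10d_years": t10d_years(b10d_cycles, nop),
    }


# Constructed sample (assumed values, not vendor data): a contactor with B10d of
# 1 300 000 cycles, 220 working days a year, 16 hours a day, one cycle every 60 s.
CONTACTOR = evaluate_type3(1_300_000, 220, 16, 60)

if __name__ == "__main__":
    for key, value in CONTACTOR.items():
        print(f"{key}: {value}")
```

Note that nop is the user's responsibility: the same contactor switched once a second instead of once a minute would see its MTTFd fall by a factor of sixty and its T10d shrink accordingly, which is exactly why the vendor cannot state MTTFd for a Type 3 device.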

Fig 3.

Device Types 1-3 are also described by VDMA for EN 62061, with some common and some slightly different parameters, but with exactly the same increasing level of user integration work required when moving from Type 1 to Type 2 and Type 3.

There is also a Type 4, constituting devices for which there is a limiting PL but no PFHD, implying that the device acts as a subsystem (like Type 1) and can limit the PL of the safety function (perhaps for internal Category or Diagnostic Coverage reasons, to PL d), but for which there is no dangerous failure rate.

No matter which type of devices you use, which standard you use, or which safety calculation software you use, the structure of safety-related data proposed by VDMA makes it abundantly clear where the responsibility for defining specific parameters lies in the design of machine safety functions; it lies on a sliding scale between the component vendors and those using the components. Opting to use Type 1 devices simplifies matters for the user dramatically, with increasing levels of work involved in Type 2 and Type 3. The author believes this provides the clearest perspective possible, and is one paving stone in the long path to a unified machine-specific functional safety standard for the future.

David Collier
Pilz Automation Technology
Machinery Safety Alliance

Tags: PFHD, PL, MTTFd, B10d, Category, Diagnostic Coverage, DC, CCF, nop