The document provides an introduction to functional safety standards ISO 13849 and EN 62061. It discusses the EU Machinery Directive and how compliance with European harmonized standards ensures compliance with the directive. It describes the terminology and standards used in functional safety, including performance levels, safety integrity levels, and design categories. It also discusses how to select the appropriate standard, assess risk, design safety functions, and validate safety control system designs.

1. Introduction to Functional Safety ISO 13849 and EN 62061
Module T3
A specialist technical Training module from the Machine Safety training series
27.9.13 Replaces None Created by S.Steele

2. Why are we doing this?
The EU Machinery Directive (98/42/EC),
As a European law, defines the targeted levels of Machine Safety.
Compliance with machinery directive is necessary
to get the CE mark, and to Allow the free circulation of machinery
within the European Union.
A new version will be effective at the end of 2009
The European harmonised standards
Established technical specifications which comply with the
requirements of the related directives.
Compliance with European Harmonised standard give compliance
with the related directive
Comply with the European harmonized Standards is the simplest
way to comply with the Machinery Directive
European legislation and the standards

3. Why are we doing this?
European legislation and the standards
If you are creating a complex assembly by interlinking a
series of existing machines you are in effect creating
something new.
• Therefore who ever is carrying out the work must ensure
that the whole assembly complies with the Directive.
• Regardless of the age of the machines.
• If you are altering the function or performance of a
machine or complex assembly you are again creating
something new and must ensure that the Directive is
complied with.

4. Before we begin The Terminology
Standard types: A-B1-B2-C
Design architecture categories: B-1-2-3-4
(PL) Performance level: A-B-C-D-E
(SIL ) safety integrity level : 1-2-3-4
(CCF) Common cause failure
failures of different items, resulting from a single event, where these failures are not
consequences of each
other
(SRP/CS) Safety-related part of a control system
part of a control system that responds to safety-related input signals and generates safety-
related output
Signals
(MTTFd ) Mean time to dangerous failure
expectation of the mean time to dangerous failure
(DC) Diagnostic coverage
measure of the effectiveness of diagnostics

5. Standards overview Safety circuit design
On the basis of the risk assessment, the designer has to define the safety
related control system. To achieve that, the designer will chose one of the
two standards appropriate to the application:
either standard EN/ISO 13849-1, which defines performance levels
(PL)
or standard EN/IEC 62061, which defines safety integrity levels (SIL)
The table below gives relations between these two definitions
To select the applicable standard, a common table in both standards gives
indications:
-
d

6. Standard EN/ISO 13849-1
• The Standard gives safety requirements for the design and integration of safety-
related parts of control systems, including software design.
• The Risk Graph helps to determine the required PL (Performance Level) of each
safety function
– S - Severity of injury
> S1 Slight injury
> S2 Serious or permanent injury or death
– F - Frequency and / or exposure to a hazard
> F1 Seldom to less often and / or short time
> F2 Frequent to continuous and / or long time
– P - Possibility of avoiding the hazard or limiting the harm
> P1 Possible under specific conditions
> P2 Scarcely possible

7. Standard EN/IEC 62061
• Specific to the machine sector within the framework of EN/IEC 61508:
– gives rules for the integration of safety-related electrical, electronic and electronic programmable control
systems (SRECS)
– does not specify the operating requirements of non-electrical control components in machine (ex.: hydraulic,
pneumatic)
• The probability of failure associated to the required SIL (Safety
Integrity Level) depends on the frequency of usage of the safety
function to be performed
Safety of Machinery
application
EN/IEC 62061

8. Introduction to Functional Safety
The standard EN ISO 13849
A basic std
EN ISO 12100
Fundamental notions,
Design main principles
EN 693
hydraulic Presses
EN 692
Mechanical presses
C specific class of machines
EN 1088
Locking devices
EN 953
Fixed and mobile protectors
EN/ISO 13850:2006
Emergency
Stop equipment
EN 574
Bi-manual
command devices
B2 safety devices
EN 1050 = EN/ISO 14121
Risk assessment
EN 954-1 = ISO 13849-1:1999
 EN ISO 13849
Safety of machinery
Safety-related part of ctrl sys
EN 60 204-1
Machines electrical
equipment
EN 294 and 999
Safety distances
B1 specific safety aspect

9. The 13849 standard
Parts of machinery control systems that are assigned to provide safety functions are called safety-related
parts of control systems (SRP/CS) and these can consist of hardware and software and can either be
separate from the machine control system or an integral part of it. In addition to providing safety functions,
SRP/CS can also provide operational functions (e.g. two-handed controls as a means of process initiation).
The ability of safety-related parts of control systems to perform a safety function under foreseeable
conditions
They are allocated one of five levels, called performance levels (PL). These performance levels are defined
in terms of probability of dangerous failure per hour .
The probability of dangerous failure of the safety function depends on several factors, including hardware
and software structure, the extent of fault detection mechanisms [diagnostic coverage (DC)], reliability of
components [mean time to dangerous failure (MTTFd), common cause failure (CCF)], design process,
operating stress, environmental conditions and operation procedures.

10. Safety Control function

11. Working example

12. Who is the designer who is the
manufacturer?
We are as we are upgrading the control
system
Is this a significant change to line 2 filler as defined in the directive?
No as we are not changing the functionality technically but we are
improving the existing controls .
So re-CE Marking is not required

13. Working example Electrical control system
upgrade
Note: Under PUWER assessment the electrical control system does not comply
with BS EN 60204 Ref: General electrical requirements
(Enacted in 17th
edition).

14. Integrity assessment First step

15. Integrity assessment First step
Alternative PL Tools
SISTEMA Software PL Calculation Tool
SISTEMA is a software tool for the implementation of EN ISO 13849-1. Its
use will greatly simplify the implementation of the standard.
SISTEMA stands for "Safety Integrity Software Tool for the Evaluation of
Machine Applications" It was developed by the BGIA in Germany and is free
for use.

16. Second step
SAFETY FUNCTION DESIGN
Performance Level Data:
When configured correctly, the safety system can achieve a safety rating of PLd, Cat. 3
according to EN ISO 13849.1 2008.
When modeled in SISTEMA, each safety E-stop string is treated as an individual safety
function and can be modeled as follows. This diagram shows a single E-stop safety
function.
Calculations are based on 1 operation of the E-stop per month, with 12 operations per
year; therefore 36 operations of contactors per year. The Diagnostic Coverage (Dcavg)
is reduced to 60% for the E-stops because they are connected in series.
SISTEMA File:

17. Second step
SAFETY FUNCTION DIAGRAM
Process stop
other equipment

18. Third step
PL FUNCTION VALIDATION OF DESIGN FOR THE
SAFETY CONTROL SYSTEM

19. Function design Validation
(Refer to training module T2 for EOL Tool kit to undertake assessments and validation of circuit designs)
First part Identifies the control systems required and their PL requirement

20. Each section is taken individual and circuit function generated to achieve PL
requirement

21. Working example
electrical drawings Emergency stop
PONZ S4
PONZ S7

22. Working example
electrical drawings main drive inverter
Safety
Relay
activation

23. Working example
Drive inverter Technical details

24. Working example
Drive inverter Technical details

26. Working example

27. Working example

28. Old machinery in this context are machines which were placed on the market before the
Machinery Directive came into force. The requirements of the directive were not applied to these
machines. However, its application may become necessary should machines be extended,
modified, modernized, etc. In such cases, assess- ment must be made for whether an essential
change has occurred. Should this be the case, the requirements of the EC Machinery Directive
apply to “old” machines in the same way as to new machinery. These requirements include the
application of EN ISO 13849.
Treatment of old machinery

29. Design categories
Architecture Overview

30. Design architecture and PL Overview
PL

31. Relationship Between Different
Criteria
• Relationship between Categories,
DCavg, MTTFd and PL
*In several application the realisation
of performance level c by category 1
may not be sufficient. In this case a
higher category e.g. 2 or 3 should
be chosen.

32. Working example
Example 1: Emergency stop Safe Stop - Category B, PL b

33. Design categories example Cat 2 Architecture
EMERGENCY STOP, Category 2
single-channel,with feedback circuit

34. Working example
Example 2: Emergency stop with Safe Stop using safety relay -
Category 3, PL d

35. Design category example CAT 3 architecture
EMERGENCY STOP, 2-channel,
Category 3

36. Working example
Example 3:Emergency Stop of frequency converter with Safe Stop, Safety
Relay and output contactor - Category 4, PL e

37. Safety Chain Principle for Design
Use devices that
comply with safety
standards
Monitor & analyze
the information
Safety-oriented signal
processing
Catch the
information
Safeguarding to protect
people from hazard
Initializing & control
of hazardous machine
Emergency stop
operations
Stop the dangerous
machine
Signalling
Disconnection
and locking
power supply
Safe drive
technology
Safe signal transmission
Safe connection & communication of functional units or segments

38. Functional Safety Life Cycle
Safety LifeSafety Life
CycleCycle
STEP 5STEP 5
MAINTAIN & IMPROVE
SAFETY SYSTEM
STEP 1STEP 1
RISK OR HAZARD
ASSESSMENT
STEP 4STEP 4
SAFETY SYSTEM
INSTALLATION &
VALIDATION
STEP 2STEP 2
SAFETY SYSTEM
FUNCTIONAL
REQUIREMENTS
(Conf
STEP 3STEP 3
SAFETY SYSTEM
DESIGN & VERIFICATION

39. Other Modules in the S.Steele specialist technical Training module series
T1 Introduction to EU Directive & Harmonization standards
T2 EHSR Compliance & EOL Tool kit
T3 Functional safety of control system design
T4 Guarding fixed and movable
T5 Electrical systems
T6 EMC
T7 Robots
T8 Hydraulic
T9 Pneumatic
T10 HP Air systems
T11 EC Marking Equipment
END