Basics

Functional Safety

Automation and safety engineering are closely related. Engineering, installation and operation of complex automation solutions are simplified by safety-related functions and equipment.

Usually, the safety engineering requirements depend on the application. The level of the requirements results from, among other things, the risk and the hazard potential arising from the specific application and from the applicable standards and regulations.

The goal of designing machines safely is to protect people. The risk associated with machines with electrically controlled drives comes chiefly from moving machine parts and electricity itself.

Only you, the user, machine builder, or system integrator can be aware of all the conditions and factors realized in the design of your application for the machine. Therefore, only you can determine the automation equipment and the related safeties and interlocks which can be properly used, and validate such usage.

 WARNING
NON-CONFORMANCE TO SAFETY FUNCTION REQUIREMENTS
  • Specify the requirements and/or measures to be implemented in the risk analysis you perform.
  • Verify that your safety-related application complies to applicable safety regulations and standards.
  • Make certain that appropriate procedures and measures (according to applicable sector standards) have been established to help avoid hazardous situations when operating the machine.
  • Use appropriate safety interlocks where personnel and/or equipment hazards exist.
  • Validate the overall safety-related function and thoroughly test the application.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Hazard and Risk Analysis

The standard IEC 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems" defines the safety-related aspects of systems. Instead of a single functional unit of a safety-related system, the standard treats all elements of a function chain as a unit. These elements must meet the requirements of the specific safety integrity level as a whole.

The standard IEC 61800-5-2 "Adjustable speed electrical power drive systems – Safety requirements – Functional" is a product standard that defines the safety-related requirements regarding drives. Among other things, this standard defines the safety-related functions for drives.

Based on the system configuration and utilization, a hazard and risk analysis must be carried out for the system (for example, according to EN ISO 12100 or EN ISO 13849-1). The results of this analysis must be considered when designing the machine, and subsequently applying safety-related equipment and safety-related functions. The results of your analysis may deviate from any application examples contained in the present or related documentation. For example, additional safety components may be required. In principle, the results from the hazard and risk analysis have priority.

 WARNING
UNINTENDED EQUIPMENT OPERATION
  • Perform a hazard and risk analysis to determine the appropriate safety integrity level, and any other safety requirements, for your specific application based on all the applicable standards.
  • Ensure that the hazard and risk analysis is conducted and respected according to EN/ISO 12100 during the design of your machine.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

The standard EN ISO 13849-1 "Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design" describes an iterative process for the selection and design of safety-related parts of controllers to reduce the risk posed by the machine to a reasonable degree.

To perform risk assessment and risk minimization according to EN ISO 12100, proceed as follows:

  1. Defining the boundary of the machine.

  2. Identifying risks associated with the machine.

  3. Assessing risks.

  4. Evaluating risks.

  5. Minimizing risks by:

    • The design

    • Protective devices

    • User information (see EN ISO 12100)

  6. Designing safety-related controller parts (SRP/CS, Safety-Related Parts of the Control System) in an iterative process.

To design the safety-related controller parts in an iterative process, proceed as follows:

Step  Action
1     Identify necessary safety functions that are executed via SRP/CS (Safety-Related Parts of the Control System).
2     Determine required properties for each safety function.
3     Determine the required performance level PLr.
4     Identify safety-related parts executing the safety function.
5     Determine the performance level PL of the afore-mentioned safety-related parts.
6     Verify the performance level PL for the safety function (PL ≥ PLr).
7     Verify that all requirements have been met (validation).

Additional information is available on https://www.se.com.

Safety Integrity Level (SIL)

The standard IEC 61508 defines 4 safety integrity levels (Safety Integrity Level (SIL)). Safety integrity level SIL1 is the lowest level, safety integrity level SIL4 is the highest level. The safety integrity level required for a given application is determined on the basis of the hazard potential resulting from the hazard and risk analysis. This is used to decide whether the relevant function chain is to be considered as a safety-related function chain and which hazard potential it must cover.

Average Frequency of a Dangerous Failure per Hour (PFH)

To maintain the function of the safety-related system, the IEC 61508 standard requires various levels of measures for avoiding and controlling faults, depending on the required safety integrity level (Safety Integrity Level (SIL)). All components must be subjected to a probability assessment to evaluate the effectiveness of the measures implemented for controlling faults. This assessment determines the probability of a dangerous failure per hour PFH (Average Frequency of a Dangerous Failure per Hour (PFH)) for a safety-related system. This is the frequency per hour with which a safety-related system fails in a hazardous manner so that it can no longer perform its function correctly. Depending on the SIL, the average frequency of a dangerous failure per hour must not exceed certain values for the entire safety-related system. The individual PFH values of a function chain are added. The result must not exceed the maximum value specified in the standard.

SIL   PFH at high demand or continuous demand
4     ≥ 10^-9 ... < 10^-8
3     ≥ 10^-8 ... < 10^-7
2     ≥ 10^-7 ... < 10^-6
1     ≥ 10^-6 ... < 10^-5

Hardware Fault Tolerance (HFT) and Safe Failure Fraction (SFF)

Depending on the safety integrity level (Safety Integrity Level (SIL)) for the safety-related system, the IEC 61508 standard requires a specific hardware fault tolerance (Hardware Fault Tolerance (HFT)) in connection with a specific safe failure fraction (Safe Failure Fraction (SFF)). The hardware fault tolerance is the ability of a safety-related system to execute the required function even if one or more hardware faults are present. The safe failure fraction of a safety-related system is defined as the ratio of the rate of safe failures to the total failure rate of the safety-related system. As per IEC 61508, the maximum achievable safety integrity level of a safety-related system is partly determined by the hardware fault tolerance and the safe failure fraction of the safety-related system.

IEC 61800-5-2 distinguishes two types of subsystems (type A subsystem, type B subsystem). These types are specified on the basis of criteria which the standard defines for the safety-related components.

SFF             HFT type A subsystem       HFT type B subsystem
                0       1       2          0       1       2
< 60 %          SIL1    SIL2    SIL3       ---     SIL1    SIL2
60 ... < 90 %   SIL2    SIL3    SIL4       SIL1    SIL2    SIL3
90 ... < 99 %   SIL3    SIL4    SIL4       SIL2    SIL3    SIL4
≥ 99 %          SIL3    SIL4    SIL4       SIL3    SIL4    SIL4

(--- : not permitted for this combination of SFF and HFT.)
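The two rules described above, adding the individual PFH values of a function chain and checking the sum against the SIL bands, and deriving the highest permitted SIL from the safe failure fraction and hardware fault tolerance, can be worked through in a few lines. The following Python example is added here for illustration and is not part of the manual or of any Schneider Electric software. The PFH bands and the HFT/SFF table are taken from this section and the drive STO value of 1·10^-9 1/h from the data table further down; the failure rates assumed for the sensor and logic subsystems, and the λ_S/λ_DD/λ_DU figures used for the SFF calculation, are constructed for the example.

```python
"""Worked functional-safety calculations (added example, not from the manual):
 - sum the PFH values along a safety function chain and check the sum against
   the IEC 61508 high/continuous-demand bands listed in this section,
 - compute the safe failure fraction (SFF) from lambda_S, lambda_DD and lambda_DU,
 - look up the highest SIL the HFT/SFF architectural constraint table permits.
All subsystem failure rates below except the drive STO value are constructed."""

FIT = 1e-9  # 1 FIT = one failure per 10^9 hours, i.e. 1e-9 1/h

# PFH bands for high demand / continuous mode as listed on the page:
# SIL -> (lower bound inclusive, upper bound exclusive)
PFH_BANDS = {
    4: (1e-9, 1e-8),
    3: (1e-8, 1e-7),
    2: (1e-7, 1e-6),
    1: (1e-6, 1e-5),
}

# Architectural constraints from the page: subsystem type -> SFF lower bound ->
# highest permitted SIL for HFT 0, 1, 2 (None stands for the "---" cell).
ARCH_CONSTRAINTS = {
    "A": {0.00: (1, 2, 3), 0.60: (2, 3, 4), 0.90: (3, 4, 4), 0.99: (3, 4, 4)},
    "B": {0.00: (None, 1, 2), 0.60: (1, 2, 3), 0.90: (2, 3, 4), 0.99: (3, 4, 4)},
}


def sil_from_pfh(pfh):
    """Return the SIL whose band contains pfh, or None if pfh lies outside all bands."""
    for sil, (lower, upper) in PFH_BANDS.items():
        if lower <= pfh < upper:
            return sil
    return None


def chain_pfh(elements):
    """Sum the PFH contributions of every element in a function chain.

    elements: list of (name, pfh_per_hour). The standard requires the sum over
    the whole chain, not the worst single element, to stay within the limit."""
    return sum(pfh for _, pfh in elements)


def chain_meets_sil(elements, required_sil):
    """True if the summed PFH of the chain stays below the required SIL's upper bound."""
    _, upper = PFH_BANDS[required_sil]
    return chain_pfh(elements) < upper


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).

    lambda_S: safe failures, lambda_DD: dangerous detected, lambda_DU: dangerous
    undetected. Any consistent unit (e.g. FIT) works because SFF is a ratio."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_s + lambda_dd) / total


def max_sil_by_architecture(subsystem_type, sff, hft):
    """Highest SIL the HFT/SFF table permits for a subsystem; None if not permitted."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    rows = ARCH_CONSTRAINTS[subsystem_type]
    band = max(lower for lower in rows if sff >= lower)  # pick the matching SFF row
    return rows[band][hft]


# Constructed function chain: emergency-stop sensor subsystem, safety logic and
# the drive's STO (the 1 FIT figure is the PFH value listed in this section).
CHAIN = [
    ("e-stop sensor subsystem", 120 * FIT),  # constructed assumption: 1.2e-7 1/h
    ("safety logic", 3 * FIT),               # constructed assumption: 3e-9 1/h
    ("drive STO", 1 * FIT),                  # from the page: 1e-9 1/h
]

if __name__ == "__main__":
    total = chain_pfh(CHAIN)
    print(f"chain PFH = {total:.3e} 1/h -> band SIL{sil_from_pfh(total)}")
    for sil in (2, 3):
        print(f"  chain meets SIL{sil}: {chain_meets_sil(CHAIN, sil)}")
    # constructed failure rates in FIT
    sff = safe_failure_fraction(lambda_s=400, lambda_dd=500, lambda_du=100)
    print(f"SFF = {sff:.0%}; type A, HFT 1 -> max SIL{max_sil_by_architecture('A', sff, 1)}")
    print(f"type B, HFT 0 at SFF {sff:.0%} -> max SIL{max_sil_by_architecture('B', sff, 0)}")
```

The point of the chain check is that the sensor subsystem alone pushes the total into the SIL2 band even though the logic and the drive STO each sit in the SIL4 band; a required SIL3 would therefore not be met by this chain and a different sensor subsystem (or redundancy) would have to be selected in the risk analysis. The architectural lookup returns the ceiling the hardware structure allows, which is a necessary condition, not proof that the subsystem actually achieves that SIL.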

Fault Avoidance Measures

Systematic errors in the specifications, in the hardware and the software, incorrect usage and maintenance of the safety-related system must be avoided to the maximum degree possible. To meet these requirements, IEC 61508 specifies a number of measures for fault avoidance that must be implemented depending on the required safety integrity level (Safety Integrity Level (SIL)). These measures for fault avoidance must cover the entire life cycle of the safety-related system, i.e. from design to decommissioning of the system.

Data for Maintenance Plan and the Calculations for Functional Safety

The safety function must be tested at regular intervals. The interval depends on the hazard and risk analysis of the total system. The minimum interval is 1 year (high demand mode as per IEC 61508).

Use the following data of the safety function STO for your maintenance plan and for the calculations for functional safety:

Characteristic                                                        Unit        Value
Lifetime of the safety function STO (IEC 61508)                       Years       20 (see also Lifetime Safety Function STO)
SFF (IEC 61508), Safe Failure Fraction                                %           90
HFT (IEC 61508), Hardware Fault Tolerance, type A subsystem           -           1
Safety integrity level IEC 61508                                      -           SIL3
Safety integrity level IEC 62061                                      -           SILCL3
PFH (IEC 61508), Probability of Dangerous Hardware Failure per Hour   1/h (FIT)   1 × 10^-9 (1)
PL (ISO 13849-1), Performance Level                                   -           e (category 3)
MTTFd (ISO 13849-1), Mean Time to Dangerous Failure                   -           High (1400 years)
DC (ISO 13849-1), Diagnostic Coverage                                 %           90

Contact your local Schneider Electric representative for additional data, if required.

The data for the safety module eSM can be found in the product manual for the safety module.