Reliability is Required: New Safety Standard for Machine Control Systems
The safety of machine control systems is now evaluated according to reliability, so the new European Machinery Directive 2006/42/EC refers to a new standard – EN ISO 13849. This replaces the traditional standard for machine safety EN 954, bringing a new perspective to control system design. Inside Machines, October 2010.
Dr. Alexandre Orth, Dr. Jürgen Barg, Bosch Rexroth AG
The European Machinery Directive 2006/42/EC came into effect on December 29, 2009. As a result of its introduction, all manufacturers worldwide that market their machines in the European Economic Area are obliged to fulfill additional safety requirements. This directive is also accompanied and supported by an array of harmonized standards (Fig 1). In addition to following the directive itself, manufacturers marketing their machines in Europe have to align themselves according to machine-specific product standards (Type-C standards), which in turn refer to the requirements of basis (Type-A) and generic safety (Type-B) standards.
The result of these new rules is that the safety of machine control systems is now evaluated according to reliability, and now refers to a new standard: EN ISO 13849. This brings a whole new perspective to control system design.
In accordance with the European Machinery Directive (EMD), a risk assessment must be carried out on every machine based on EN ISO 14121. If relevant risks are detected, measures must be taken to minimize these risks. For risk reduction, the following sequence must be applied:
1. Avoidance by intrinsic design;
2. Avoidance by safeguards;
3. Avoidance by information for use.
If a measure depends on a control system, then it performs a safety function. To ensure compliance with safety requirements by design of control systems, the EMD refers, in this case, to the EN ISO 13849. This standard deals with the design and integration of safety-related parts of control systems (SRP/CS) independently from the technology used — as opposed to IEC 62061 (which is applicable for electro-electronic control systems). If a machine manufacturer does not use this harmonized standard, and damage occurs, the manufacturer must be able to prove that its machine control systems at least comply with the requirements of the EMD.
The EN ISO 13849 is already valid and replaces the EN 954. Although the EMD still allows the application of the EN 954 in some special cases until December 31, 2011 (e.g. for turn-key systems without machine specific standards), from the point of view of product liability, it is recommended to apply the EN ISO 13849. Furthermore, in cases where a Type-C standard already refers to EN ISO 13849, the new standard has to be applied.
New procedure for control system design
The new standard introduces a new procedure for designing safety-relevant control systems. It provides statistical approaches that promote a new mentality among design engineers: The interoperability of different components from a control system now has to be considered from various safety engineering points of view.
On one hand, for machines with established safety technologies, quantitative evidence will be generated with this new approach, demonstrating the safety levels reached. On the other hand, for machines with safety weak points, it provides clear recommendations showing how to improve these weaknesses. Therefore, this standard provides guidelines for systematically improving the machine safety. These guidelines also help to optimize the machine availability, by reducing lifecycle costs.
The safety requirements for every identified safety function are described in EN ISO 13849 in the form of the required performance levels (PLr). If these are not already specified in a machine-specific standard, the designer uses the risk graph of the EN ISO 13849. Based on questions about the impact, frequency, duration and also the possibility to prevent risks, the PLr can be assessed on a scale of “a” to “e”, with “a” representing low risk and “e” representing high risk.
The performance level (PL) is the characteristic used for safety-related design, and the evaluation of control systems in accordance with the EN ISO 13849. It describes the contribution of the control system to risk reduction and it is defined in terms of the average probability of a dangerous failure per hour (PFHd). This means that the safety of a control system is now evaluated according to its probability of failure (or reliability).
For the design of control systems, EN ISO 13849 incorporated the system architecture from EN 954, which is now directly related to the PL (Fig. 2). The control categories differ according to whether they are single-channel or dual-channel, whether they have been designed with or without monitoring, whether they are resistant to systematic errors, and also in terms of their reliability values.
Basically, EN ISO 13849 offers design engineers greater freedom to find out the most cost-effective solution for achieving the PLr. In accordance with the selected category, a circuit is designed and modeled within a safety block diagram. This safety model determines the way in which the individual components are considered in the PL calculation. This modeling means a whole new point of view with respectively work packages, particularly for designers of complex systems with fluid power technology.
In addition to the control category, component reliability plays an important role in the PL calculation. In order to apply a component in a safety function, EN ISO 13849 requests a pre-condition that specific safety design principles are observed.
For example, in accordance to the de-energization principle, the components must assume a safe state by a shutting off the power supply and maintaining this position by all the approved operating conditions (vibration, temperature, etc.; see product data sheet). If a product does not fulfill these safety principles, it is not suitable for safety functions based on EN ISO 13849.
Depending on the technology, different reliability characteristics must be provided by the supplier, such as mean time to dangerous failure (MTTFd) for hydraulic components, the B10 value for pneumatic components or PL (PFHd) for electronic subsystems. These are statistically expected values, which depend heavily on the determination method and the operating conditions.
Generally, there are three main methods for determining the required reliability characteristics: lifetime calculations, lifetime tests and lifetime-from-field data.
Lifetime calculations may be made according to the parts-count or parts-stress methods. These approaches are used to calculate the reliability of components, particularly electronic components, based on the lifetime characteristics (MTTF) of each part (such as resistors, capacitors etc.).
Environmental conditions such as temperature play an important role with lifetime calculations. EN ISO 13849 recommends an MTTFd of 150 years for hydraulic components when the safety principles and the requirements of EN 982 have been fulfilled. However, in the case of products that integrate more than one hydraulic component, the MTTFd has to be calculated using the parts-count method according to EN ISO 13849. For example, for a combination of a pilot and a main valve, one would get a MTTFd of 75 years instead of 150 years.
Lifetime tests can be used to determine B10 reliability characteristics, such as those for of pneumatic components. B10 is an expected value for the number of cycles that occur until 10% of the components have exceeded specified limits (response time, leakage, switching pressure, etc.) under defined conditions. This statistical evidence relies heavily on the test conditions and the number of samples.
If a sufficiently large database about the application of products in the field exists, the MTTF can be obtained from this field data. This lifetime characteristic represents an average of overall applications in the field. To ensure significant statistical evidence, it is very important to collect and evaluate the data carefully.
EN ISO 13849 takes only dangerous failure into account (meaning, failures that are dangerous for the machine safety). As the percentage of dangerous failure often cannot be identified directly, this standard assumes that 50% of all failures are dangerous: MTTFd = 2 x MTTF, or B10d = 2 x B10. The MTTFd for the safety function of a machine is calculated using the parts-count procedure (Fig. 3). The German Association of Machinery and Plant Construction (VDMA), recommends applying the software Sistema from the Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA, which participated in the elaboration of this standard).
Diagnostics coverage, common cause failures
The diagnostics coverage (DC) is another factor affecting the PL. This specifies the proportion of dangerous failures that can be detected.
In order to identify this diagnostic characteristic for a component, the user needs to know all types of dangerous failures, as well as the probability of their occurrence and their detection. This calculation is performed for special products. For standard components, EN ISO 13849 provides a list of measures with typical DC values, such as DC = 99% for valves with direct position monitoring.
However, it is very important that the position signal is processed appropriately in a higher-level control system. Finally, it is extremely difficult to specify a DC for components, as their measures rely on the complete processing of the diagnostic signals.
Common cause failures (CCFs) are also taken into account in EN ISO 13849. These denote failures on redundant units as a result of common events, such as high temperature. For this reason, specific requirements surrounding the resistance against CCFs must be observed for dual-channel control systems. The measures against CCFs (such as protection against overpressure/overvoltage) are evaluated using a table with different points for each applied measure, in which at least 65 out of 100 points must be achieved.
Finally, EN ISO 13849 requires that measures for the control and avoidance of systematic failures are taken into consideration. That means any software that has been created specifically must also satisfy the corresponding requirements. It must also be ensured that the basic and well-tried safety principles are also fulfilled in the design of the whole control system.
Once the machine design is finished, the EN ISO 13849-2 prescribes a validation procedure to check that the planned safety functions have correctly been implemented and documented. This process includes examining the error lists: Can the assumptions regarding fault exclusions be confirmed? The assumed categories must also be confirmed: Does the existing circuit actually represent the category for which the calculations were performed?
- Dr. Alexandre Orth coordinates the topic of “Reliability & Maintainability” in the Quality Methods department at Bosch Rexroth AG, Wurzburg, Germany. He is a member of several working groups on functional safety and reliability at the VDMA (The German Association of Machinery and Plant Construction) and ZVEI (The German Electrical and Electronics Industry).
- Dr. Jürgen Barg is head of the electro-hydraulic drives sector in the Application Center at Bosch Rexroth AG, Lohr, Germany. He plays an active role on various standards committees and VDMA working groups about the European Machinery Directive.