Changes to the technical requirements of EN ISO 13849-1, 2015 edition

Changes from EN ISO 13849-1:2008 (ISO 13849-1:2006) to ISO 13849-1:2015

This third edition cancels and replaces the second edition (ISO 13849‑1:2006), which has been technically revised. It also incorporates Technical Corrigendum ISO 13849‑1:2006/Cor 1:2009. Changes from the previous edition include:

*      deletion of the former Table 1 from the Introduction,

*      updating and addition of normative references,

*      modification of the definitions of terms hazardous situation and high demand or continuous mode,

*      addition of a new term and definition, proven in use,

*      editorial, but not technical, modification of Figure 1,

*      a new subclause, 4.5.5, as well as modifications to existing sections including the annexes, substantial modification of Annex C and an entirely new Annex I.

 

Introduction, 2008 edition (deleted and replaced)

Information on the recommended application of IEC 62061 and this part of ISO 13849

IEC 62061 and this part of ISO 13849 specify requirements for the design and implementation of safety-related control systems of machinery. The use of either of these International Standards, in accordance with their scopes, can be presumed to fulfil the relevant essential safety requirements. The following table summarizes the scopes of IEC 62061 and this part of ISO 13849.

Introduction, 2015 edition

Information on the recommended application of IEC 62061 and this part of ISO 13849

IEC 62061 and this part of ISO 13849 specify requirements for the design and implementation of safety-related control systems of machinery. The use of either of these International Standards, in accordance with their scopes, can be presumed to fulfil the relevant essential safety requirements. ISO/TR 23849 gives guidance on the application of this part of ISO 13849 and IEC 62061 in the design of safety-related control systems for machinery.

As with ISO/TR 23849, ISO/TR 22100‑2 has been added to the list of normative references given in Clause 2, the latter owing to its importance for an understanding of the relationship between this part of ISO 13849 and ISO 12100.

 

2 Normative references

Addition of

IEC 62061:2012, Safety of machinery — Functional safety of safety–related electrical, electronic and programmable electronic control systems

ISO/TR 22100‑2:2013, Safety of machinery — Relationship with ISO 12100 — Part 2: How ISO 12100 relates to ISO 13849‑1

ISO/TR 23849, Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery

Deleted from 4.5.4

NOTE When blocks of each channel cannot be separated, the following can be applied: MTTFd of the summarized test channel (TE, OTE) larger than half the MTTFd of the summarized functional channel (I, L, O).

 

Addition in Figure 3: systematic failures (Annex G)

Addition in 4.5.2

For each SRP/CS (subsystem) according to Table 5, the maximum value of MTTFD for each channel is 100 years. For Category 4 SRP/CS (subsystems) the maximum value of MTTFD for each channel is increased to 2 500 years.

NOTE This higher value is justified because in Category 4 the other quantifiable aspects, structure and DC, are at their maximum, and this allows the series combination of more than three Category 4 subsystems (SRP/CS) to achieve PL e in accordance with 6.3.

Addition in 4.5.4

— for category 2, demand rate ≤ 1/100 test rate (see also Note in Annex K); or testing occurs immediately upon demand of the safety function and the overall time to detect the fault and to bring the machine to a non-hazardous condition (usually to stop the machine) is shorter than the time to reach the hazard (see also ISO 13855);

— for category 2, MTTFD of the testing channel is greater than one half of MTTFD of the functional channel.

Addition of 4.5.5 Description of the output part of the SRP/CS by category

If for mechanical, hydraulic or pneumatic components (or components comprising a mixture of technologies) no application–specific reliability data are available, the machine manufacturer may evaluate the quantifiable aspects of the PL without any MTTFD-calculation.

For such cases, the safety-related performance level (PL) is implemented by the architecture, the diagnostic and the measures against CCF.

Table 7 shows the relationship between achievable PL (corresponding to Figure 5) and categories. PL a and PL b can be implemented with Cat. B. PL c can be implemented with Cat. 1 or Cat. 2, if well-tried components and well-tried safety principles are used.

When implementing a PL c safety function with Cat. 1, the T10D values of the safety-relevant components that are not monitored in the process are determined. These T10D values can be determined by the machine manufacturer from proven-in-use data.

The MTTFD of the test channel in Cat. 2 shall at least be 10 years.

PL d can be implemented with Cat. 3, if well-tried components and well-tried safety principles are used.

 


PL e can be implemented with Cat. 4, if well-tried components and well-tried safety principles are used.

In summary: when implementing the safety function with Cat. 2, Cat. 3 or Cat. 4, common-cause failures (CCF) and a sufficient diagnostic coverage (DC) have to be considered (low or medium for Cat. 2 and Cat. 3, high for Cat. 4).

In this case the calculation of DCavg is reduced to the arithmetic mean of the individual DCs of all components in the functional channel.

Table 7 — PL and PFHD as worst case estimation based on category, DCavg, and use of well-tried components

4.6.2 Safety-related embedded software (SRESW)

Error: references not updated. The text still cites the 1998 and 2000 editions of IEC 61508, which were superseded by the 2010 edition:

SRESW for components with PLr = e shall comply with IEC 61508‑3:1998, Clause 7, appropriate for SIL 3. When using diversity in specification, design and coding, for the two channels used in SRP/CS with category 3 or 4, PLr = e can be achieved with the above-mentioned measures for PLr of c or d.

NOTE 1 For a detailed description of such measures, see, e.g. IEC 61508–7:2000.

Addition of

For components for which SRESW requirements are not fulfilled, e.g. PLCs without safety rating by the manufacturer, these components may be used under the following alternative conditions:

— the SRP/CS is limited to PL a or b and uses category B, 2 or 3;

— the SRP/CS is limited to PL c or d and may use multiple components for two channels in category 2 or 3. The components of these two channels use diverse technologies.

 

 

Addition

in 5.1 Specification of safety functions

f) the behaviour of the machine on the loss of power (see also 5.2.8);

NOTE In some cases it can be necessary to consider the behaviour of the machine on loss of power for example when it is necessary to hold a vertical axis to prevent a fall under gravity. This can require two separate safety functions: with power available and without power available.

Deleted:

6.2.2 Designated architectures

NOTE In some cases arising from a specific technical solution or determined by a type-C standard, the safety-related performance of the SRP/CS can be required only by a category without additional PLr. For such specific cases, safety is provided particularly by the architecture, and the requirements for MTTF, DC and CCF do not apply.

6.2.5 Category 2

When it is not possible to initiate a safe state (e.g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.

Change

in 6.2.5 Category 2

NOTE 4 For applying the simplified approach based on designated architectures, refer to the assumptions in 4.5.4.

Replaced in 6.2.6 Category 3 (2008 edition):

NOTE 3 Category 3 system behaviour allows that

when the single fault occurs the safety function is always performed,

some but not all faults will be detected,

accumulation of undetected faults can lead to the loss of the safety function.

 

Change in 6.2.6 Category 3 (2015 edition):

NOTE 3 Category 3 system behaviour is characterized by

— continued performance of the safety function in the presence of a single fault,

— detection of some, but not all, faults,

— possible loss of the safety function due to accumulation of undetected faults.

Modification in 6.3 Combination of SRP/CS to achieve overall PL (2008 edition):

According to 6.2, the combined safety-related parts of a control system start at the points where the safety-related signals are initiated and end at the output of the power control elements. But the combined SRP/CS could consist of several parts connected in a linear (series alignment) or redundant (parallel alignment) way. To avoid a new complex estimation of the performance level (PL) achieved by the combined SRP/CS where the separate PLs of all parts are already calculated, the following estimations are presented for a series alignment of SRP/CS.

 

6.3 Combination of SRP/CS to achieve overall PL (2015 edition):

According to 6.2, the combined safety-related parts of a control system start at the points where the safety-related signals are initiated and end at the output of the power control elements. But the combined SRP/CS could consist of several parts connected in a linear (series alignment) or redundant (parallel alignment) way. To avoid a new complex estimation of the performance level (PL) achieved by the combined SRP/CS where the separate PLs of all parts are already calculated, the following estimations are presented for a series combination of SRP/CS.

Addition

If the PFHD values of all SRP/CSi are known, then the PFHD of the combined SRP/CS is the sum of all PFHD values of the N individual SRP/CSi. The PL of the combined SRP/CS is limited by:

— the lowest PL of any individual SRP/CSi involved in performing the safety function (because the PL is determined also by non-quantifiable aspects) and

— the PL corresponding to the PFHD of the combined SRP/CS according to Table 2.

NOTE See Annex H and ISO/TR 23849, 8.2.6 for an example of this method.
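The PFHD method of 6.3 as an added worked example in Python; this is not text from the standard or from this page. The PL/PFHD bands are those of ISO 13849-1 Table 2, which the page only references, so they are reproduced here from the standard; the Subsystem class, the field names, the claimed-PL sanity check and the sample values are constructed for illustration. The Table 11 worst-case fallback for unknown PFHD values is not implemented.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# ISO 13849-1 Table 2 (both editions): PL <-> PFHD band in 1/h, lower bound
# inclusive, upper bound exclusive. Not reproduced on the page above.
PL_BANDS: List[Tuple[str, float, float]] = [
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
]
PL_ORDER = "abcde"  # index gives the ranking: a lowest, e highest


@dataclass(frozen=True)
class Subsystem:
    """One SRP/CS_i of the series combination (constructed data holder)."""
    name: str
    pl: str      # PL claimed for this part (also covers non-quantifiable aspects)
    pfhd: float  # average probability of dangerous failure per hour [1/h]


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Table 2 lookup: the PL for a PFHD, or None if PFHD >= 1e-4 (no PL)."""
    if pfhd < 0:
        raise ValueError("PFHD must be non-negative")
    if pfhd < 1e-8:
        # Table 2 ends at 1e-8; nothing better than PL e can be claimed.
        return "e"
    for pl, lo, hi in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def lowest_pl(pls: Iterable[str]) -> str:
    """Lowest PL of a set under the a < b < c < d < e ranking."""
    return min(pls, key=PL_ORDER.index)


def combine_series(subsystems: List[Subsystem]) -> Tuple[float, Optional[str]]:
    """
    6.3, PFHD method: PFHD of the combination is the sum of the N individual
    PFHD values; the PL of the combination is limited by (a) the lowest
    individual PL and (b) the PL Table 2 assigns to the summed PFHD.
    Returns (pfhd_total, pl_combined); pl_combined is None if no PL is reached.
    """
    if not subsystems:
        raise ValueError("at least one SRP/CS is required")
    for s in subsystems:
        if s.pl not in PL_ORDER:
            raise ValueError(f"{s.name}: unknown PL {s.pl!r}")
        own = pl_from_pfhd(s.pfhd)
        # Added sanity check (not from 6.3): a part may not claim a higher PL
        # than its own PFHD supports.
        if own is None or PL_ORDER.index(s.pl) > PL_ORDER.index(own):
            raise ValueError(f"{s.name}: PL {s.pl} not supported by PFHD {s.pfhd:.2e}")
    pfhd_total = sum(s.pfhd for s in subsystems)
    pl_quantified = pl_from_pfhd(pfhd_total)
    if pl_quantified is None:
        return pfhd_total, None
    pl_structural = lowest_pl(s.pl for s in subsystems)
    return pfhd_total, lowest_pl([pl_quantified, pl_structural])


if __name__ == "__main__":
    # Constructed example: three PL d parts in series, each with PFHD 4e-7 1/h.
    # Each part is PL d on its own, but the summed PFHD (1.2e-6) falls in the
    # PL c band, so the combination is only PL c.
    chain = [
        Subsystem("sensor (light curtain)", "d", 4e-7),
        Subsystem("logic (safety PLC)", "d", 4e-7),
        Subsystem("actuator (contactors)", "d", 4e-7),
    ]
    total, pl = combine_series(chain)
    print(f"PFHD total = {total:.2e} 1/h -> combined PL {pl}")
```

The example makes the practical point of 6.3 visible: three parts that each reach PL d do not give a PL d safety function once their PFHD values are added, and the summed value, not the individual PLs, decides the quantified limit.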

Addition

If the PFHD values of all individual SRP/CSi are not known, then as a worst case alternative to the above method, the PL of the whole combined SRP/CS performing the safety function may be calculated using Table 11 as follows:

In 7.3 Fault exclusion

Fault exclusion is a compromise between technical safety requirements and the theoretical possibility of occurrence of a fault.

 

The other changes are in the annexes, which are informative and not normative, so they do not change the mandatory requirements.

 
