Two standards governing functional safety were drawn up simultaneously in the past at European and international level. Whereas European standard EN 954, "Safety-related parts of control systems. Part 1: General principles for design" contains qualitative requirements for safety-related parts of control systems, international standard IEC 61508, "Functional safety of electrical/electronic/programmable electronic safety-related systems" defines quantitative targets for the required reduction in risk for safety functions. Correlation between the "categories" of EN 954 and the safety integrity levels of IEC 61508 is urgently required, as complex electronic systems in particular can only be assessed by the supplementary application of IEC 61508. The objective of the project was to quantify typical complex electronic safety equipment, such as that employed for machine safeguarding, and thereby to correlate it to the safety integrity levels. The influence of various parameters, such as reliability of the components, diagnostic coverages, test times, and common-mode failures, was to be investigated systematically in terms of the probability of a dangerous failure per hour.
The project studies one-, two- and three-channel structures with various fault detection mechanisms. A Markov model was generated for each structure and simplified systematically by the use of fault trees. The Markov models were employed for systematic simulation of a number of input parameters. The results yield general conclusions for the assessment of complex electronic systems within the area of machine safeguarding. The conclusions were to be verified by way of actual circuit examples.
Markov models were generated in order to determine the safety integrity level in accordance with IEC 61508 in consideration of hardware structures specific to particular categories, the efficacy of software-based automatic checking and the test cycle times in complex electronic systems (including microprocessors) for machinery. All models were generated for a 10-year life cycle. The demand rate for the safety function was integrated into all models. It was shown that self-tests in single-channel systems must run some 100 times faster than the safety function demand in order for the cycle time of these tests to have no influence upon determining of the safety integrity level. The cycle time in multi-channel systems must be correspondingly short in comparison to the "mean time to failure" (MTTF) of a channel.
consultancy, planningType of hazard:
machine safetyDescription, key words:
Safety equipment, machine safeguarding, fault-tree analysis, Markov model, quantification, categories, safety integrity level, IEC 61508, EN 954