
Risk graph and evaluation

Risk graph according to ISO 13849 (starting point of the evaluation)
  S: Severity of injury
    S1: reversible injury
    S2: irreversible injury
  F: Frequency
    F1: rather rarely
    F2: often or permanent
  P: Possibility of avoiding
    P1: possible
    P2: rather impossible
  Result: Performance Level (PL) according to ISO 13849, ranging from low contribution to risk reduction to high contribution to risk reduction
  Cat: Categories according to ISO 13849

Safety requirements

Safety classification: comparison of the parameters to the standards

Safety structures, Hardware Fault Tolerance (HFT)
  XooY: X = number of channels required for switch-off, Y = number of existing channels
  1oo1: one-channel structure, HFT = 0 (Cat: B to 2)
  1oo2: two-channel structure, HFT = 1 (Cat: 3 and 4)
  1oo3, 2oo3: multi-channel structure, HFT > 1
  HFT: Hardware Fault Tolerance
  Voter: logic that follows the majority
  Safety comparisons: low, medium, high

Safety-related drive functions

Safe drives, motion functions
  STO: Safe Torque Off. The drive coasts to a stop without further commutation.
  SS1: Safe Stop 1, safe stopping. The drive is down-regulated and separated from the torque.
  SS2: Safe Stop 2, safe operating stop. Like SS1, yet with standstill monitoring.
  SLS: Safely Limited Speed. On exceeding the maximum speed the drive is switched off.
  SDI: Safe Direction. On deviating from the preset direction of rotation the drive is switched off.

Safe controls and networks

Safe programmable logic controller
  1. Complete system (PLC)
  2. Safe CPU (1oo2) with switching device (external device): switches into the safe state
  3. Safe bus systems (faults / measures), monitoring area marked orange on the card
     Faults: Repetition, Loss, Insertion, Wrong sequence, Corruption, Delay, Coupling (s/ns)
     Monitoring principle (measures): Sequence number, Timestamp, Time expectation, Confirmation, Identification, Data integrity, Data redundancy, Redundancy
     [Fault/measure matrix: the card marks which measure covers which fault; the markings are not recoverable from the extracted text]

Safety Integrity, Standard Comparison

Safety Integrity (Type B) according to IEC 61508 compared with SIL / PL (ISO 13849); requirements expressed as PFH, PFD

  SFF          HFT 0    HFT 1    HFT 2    SIL    PL
  < 60%        -        SIL 1    SIL 2    1      b, c
  60% - < 90%  SIL 1    SIL 2    SIL 3    2      d
  90% - < 99%  SIL 2    SIL 3    SIL 4    3      e
  99% or more  SIL 3    SIL 4    SIL 4    4      -

Categories and diagnostic coverage (ISO 13849):
  Cat    B    1    2      2        3      3        4
  DC     -    -    low    medium   low    medium   high

  PFH: average probability of a hazardous failure per hour
  MTTFd: Mean Time to Failure (dangerous)
  DC: diagnostic coverage
  Requirement according to IEC 61508, Type B (partly unknown failure performance)
  Comparison SIL / PL (IEC 61508 / ISO 13849)

  MTTFd for each channel (in a)    DC (in %)              SIL    PFH(d) in 1/h    PFD(d) on demand
  low         3 to < 10            none      < 60          1      < 10^-5          < 10^-1
  medium      10 to < 30           low       60 to < 90    2      < 10^-6          < 10^-2
  high        30 to < 100          medium    90 to < 99    3      < 10^-7          < 10^-3
  impossible  100 or more          high      99 or more    4      < 10^-8          < 10^-4

Critical values (IEC 61508):
  SIL: Safety Integrity Level
  SFF: Safe Failure Fraction
  PF: Failure Probability
  PFH: PF per hour
  PFD: PF on demand
Terms & Abbreviations

  SIL   Safety Integrity Level         Classification of the safety integrity according to IEC 61508 and IEC 62061
  PL    Performance Level              Classification of safety-related functions to fulfil a safety requirement according to ISO 13849
  Cat   Category                       Classification of resistance to faults according to ISO 13849
  PFH   Probability Failure per Hour   Dangerous failure rate per hour (= λDU, in 1/h)
  PFD   Probability Failure per Demand (Low Demand)   Failure probability in relation to the number of demands
  λ     Failure Rate                   Indicated in fit
  MTTF  Mean Time to Failure           Mean time until the occurrence of a fault (= 1/λ)
  fit   Failure in Time                Failures in 10^9 hours
  DC    Diagnostic Coverage            Diagnostic coverage (percentage of detected faults during a test)
  SFF   Safe Failure Fraction          Fraction of the safe failure rate to the entire failure rate
  HFT   Hardware Failure Tolerance     Criteria for immunity from failures
  CCF   Common Cause Failure           Failures that occur due to a common cause
  SRS   Safety Requirement Specification
  Validation: proof that the requirements are correct.
  Verification: proof that the requirements are correctly implemented.

Formulas

1. Failure distribution
  All failures split into:
    Dangerous failures (sum)
      dangerous detected (dd): harmless, since the diagnosis reveals them
      dangerous undetected (du)
    Safe detected failures (sd), without danger
    Safe undetected failures (su), without danger
  Indices: s: safe, d: dangerous, dd: dangerous detected, sd: safe detected, du: dangerous undetected, su: safe undetected

2. Parameters
  Safe Failure Fraction (SFF), Diagnostic Coverage (DC), without diagnosis and with diagnosis
  MTTF, λ for 1-channel and 2-channel systems with diagnosis (according to EN 62061); single-channel structure
  Symbols: ß: Common Cause Failures (CCF); T1: proof testing interval; T2: diagnosis testing interval; S1, S2: subsystems

V-Model, Development Life Cycle
  Specification branch: Specification, SRS, Requirements, Software architecture, Architecture design, Module design, Coding
  Test branch: Module testing, System integration test (module), Software integration test (system), Software testing, Validation (validated safety software)
  Verification relates each design stage to its test stage; Validation relates the specification to the validated safety software.

Methods & Organisation

  FMEA          Failure mode and effects analysis
                - System-FMEA: analysis of failures within the system (e.g. using hardware or software)
                - Process-FMEA: analysis of failures that occur within the process (e.g. production, maintenance or change)
  Calculation of RPZ (Risk Priority Number)   Product of 3 rating numbers (e.g. risk, probability, severity)
  Fault Tree (FTA, Fault Tree Analysis)       Presentation of failure structures and failure scenarios
  Simulation                                  Examination using a model (also mathematical) to allow a conclusion about the actual situation
  Calculation (of the parameters)             Mathematical calculation of the parameters for safety classification (e.g. HFT, λ, CCF, DC, PFH and PFD)
  Safety lifecycle                            Consideration of all phases of a product (e.g. concept, development, production, testing, during service, maintenance, change, after service)
  Safety Assessment                           Examination of the quality assuring measures within an organisation

SafetyFirst: the essentials of safety engineering ... reaching your safety goals
  ■ Risk assessment ■ Safety classifications ■ References between standards ■ Safety parameters ■ Machines ■ Plants ■ Controls ■ Sensors and actuators ■ Drive systems ■ Bus systems ■ Definitions ■ Formulas

Contact
  innotec GmbH, Heinrich-Wildung-Weg 3, D-21224 Rosengarten
  Tel.: +49 (0)4105-1559182, Fax: +49 (0)4105-1559183, info@innotecsafety.de, www.innotecsafety.de
  innotec GmbH, Salurner Straße 16, A-6020 Innsbruck
  Tel.: +43 (0)512-583320, Mobil: +43 (0)664-73031 881, info@innotecsafety.com, www.innotecsafety.at
  CONTROL SYSTEMS · DRIVES · NETWORKS · RAILTECHNOLOGY · MACHINES · PLANTS · ELEVATORS · TRANSPORTSYSTEMS · Software · Organisation · Documentation
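Worked example, added here and not part of the innotec card: it takes a constructed split of one channel's failure rate into the card's classes (sd, su, dd, du), computes SFF and DC as defined in the Terms and Formulas sections, and looks the single-channel (1oo1, HFT = 0) result up in the SFF/HFT table and PFH bands of the Safety Integrity comparison. The fit values and the function names are assumptions of this example.

```python
# Added worked example (not from the innotec card): run a constructed
# failure-rate split through the card's parameter definitions (SFF, DC, PFH)
# and look the result up in its SFF/HFT -> SIL table and PFH bands.

FIT_PER_HOUR = 1e-9  # 1 fit = 1 failure in 10^9 hours

# SFF/HFT table, IEC 61508 Type B: (SFF lower bound, SIL for HFT 0, 1, 2);
# None means the structure is not allowed at that SFF.
SFF_HFT_TABLE = [
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (None, 1, 2)),
]

# DC bands from the MTTFd/DC table: (lower bound in %, band name)
DC_BANDS = [(99, "high"), (90, "medium"), (60, "low"), (0, "none")]

def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe Failure Fraction: all failures except dangerous undetected."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total

def dc(lam_dd, lam_du):
    """Diagnostic coverage: share of dangerous failures the test detects."""
    return lam_dd / (lam_dd + lam_du)

def dc_band(dc_value):
    return next(b for lower, b in DC_BANDS if dc_value * 100 >= lower)

def sil_from_architecture(sff_value, hft):
    """Architectural SIL limit for HFT 0, 1 or 2 from the SFF/HFT table."""
    return next(s[hft] for lower, s in SFF_HFT_TABLE if sff_value >= lower)

def sil_from_pfh(pfh):
    """PFH band: SIL n needs PFH < 10^-(4+n) per hour; None above SIL 1."""
    return next((n for n in (4, 3, 2, 1) if pfh < 10.0 ** -(4 + n)), None)

def sil_claim_1oo1(lam_sd, lam_su, lam_dd, lam_du):
    """HFT = 0 claim: the lower of the architectural and PFH limits, using the
    card's single-channel rule PFH = lambda_DU (rates given in fit)."""
    arch = sil_from_architecture(sff(lam_sd, lam_su, lam_dd, lam_du), 0)
    band = sil_from_pfh(lam_du * FIT_PER_HOUR)
    return None if arch is None or band is None else min(arch, band)

if __name__ == "__main__":
    # Constructed rates in fit: sd=200, su=100, dd=150, du=50 -> SFF 0.9, DC 0.75
    print(sil_claim_1oo1(200, 100, 150, 50))  # 2: SFF 90 % caps HFT 0 at SIL 2
```

The PFH of 50 fit alone would sit in the SIL 3 band, so the example shows the architectural constraint (SFF with HFT = 0) deciding the claim.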
