
Always on the Safe Side with Rexroth:

10 Steps to Performance Level

The Drive & Control Company


This brochure is a helpful accessory for the design of a control system based on the standards ISO 13849-1 and ISO 13849-2. It makes no claim of completeness. The statements in this document have been made carefully, but without guarantee. Only the original text of the relevant standards and directives is binding.

Your Guideline for More Safety

Clear Rules 4
Focus on Safety-Related Parts of a Control System (SRP/CS) 6
Functional Safety (ISO 13849) 7
Everything from a Single Source 8
At a Glance: The Systematics for Safety 10
Risk Assessment based on ISO 14121 12
Identification of the Safety Functions 13
Specification of the required Performance Level (PLr) 14
Choice of the System Architecture (Category) 15
Analysis of the Circuit to Create the Block Diagram 16
Modeling the Circuit as a Block Diagram 17
Selection of Appropriate Components (MTTFd, B10, PL, PFHd) 18
Evaluation of the System Monitoring (DC) 19
Evaluation of the System Robustness (CCF) 20
Check the Safety Principles and Software Requirements 21
Verification and Validation of the reached Performance Level (PL ≥ PLr) 22
The same Language – Glossary 23

Clear Rules

The European Machinery Directive 2006/42/EC and the machinery safety standards ISO 13849 and IEC 62061 provide the framework: in an extensive evaluation with statistical parameters, machine manufacturers must prove the protection of personnel, taking into consideration all components and systems installed in the machine or production system.

[Figure: machinery safety standards under the Machinery Directive]
A standards (basis standards, design basic laws): ISO 12100
B standards (generic safety standards): ISO 13849 and IEC 62061 (machinery control systems), IEC 61508* (electronic control), IEC 60204 (electric equipment), IEC 61800-5-2 (electric drives), ISO 14121 (risk assessment), EN 982 (ISO 4413) (hydraulics), EN 983 (ISO 4414) (pneumatics)
C standards (product safety standards): EN 474, EN 693, EN 1010, ISO 23125, EN ...

Rexroth supports machine and production system manufacturers with know-how and individual consulting. The guideline "10 Steps to Performance Level" supports you in evaluating risks systematically and according to the standards, and in designing and implementing the corresponding safety measures.

We gladly support you personally – please contact us.

* IEC 61508 is not a harmonized standard according to the Machinery Directive, but it serves as basis for other European harmonized standards.

Focus on Safety-Related Parts of a Control System (SRP/CS)

Control system: interoperation of several subsystems

[Figure: example control system with a hydraulic/pneumatic drive (danger!)]
Optoelectronics: optoelectronic barrier (subsystem SRP/CSa)
Electronics: safety control (PLC, PES) (subsystem SRP/CSb)
Hydraulics/pneumatics: valve control (subsystem SRP/CSc)

Focus of the standard: the chain from input (I) via logic (L) to output (O)
SRP/CSa (I) – iab – SRP/CSb (L) – ibc – SRP/CSc (O)
1 Initiation event (request/trigger)
2 Machine actuator

Functional Safety (ISO 13849)

ISO 13849 shows the way to fulfill the safety requirements of the European Machinery Directive for control systems. This standard considers the design and integration of safety-related parts of a control system (SRP/CS), regardless of the applied technology, such as electrical, hydraulic, mechanical or pneumatic. Furthermore, IEC 62061 regulates the specifications specifically for electronic control systems.

The focus is on the parts of the control system which are relevant to the safety of the machine. As soon as the safety of a machine depends on a correct function of the control system, it is therefore called "Functional Safety", with special requirements on the availability of the safety function.

Additional information can be found under: www.boschrexroth.com/safety

Everything from a Single Source

During all working steps of this guideline, specialists from Rexroth are available as know-how partners for all drive and control technologies: from the design up to the implementation of the safety functions.

The new design criteria and probabilistic calculations cover all safety engineering classifications of components and systems for nearly all stationary and mobile machines. For this purpose, suppliers must provide information about the reliability of all involved electrical, hydraulic, mechanical and pneumatic components. Rexroth provides these data with all necessary additional information.

Because of our product know-how and worldwide application experience, we know the interactions and interdependencies between the different technologies applied in mechatronic systems. Take advantage of our knowledge.

At a Glance: The Systematics for Safety

Dividing the complex regulations into clearly defined working packages: this guideline shows the way from the risk assessment up to the final implementation and evaluation of the reached safety level.

This systematics supports you in implementing the current state of the art of safety engineering for personnel protection in an economical and well documented way.

Bosch Rexroth AG is one of the leading specialists worldwide in drive and control technology. Using the brand name Rexroth, tailor-made solutions for driving, controlling and moving machines and systems are created for more than 500,000 customers. The global player is represented in more than 80 countries.

The 10 steps:
1 Risk assessment based on ISO 14121
2 Identification of the safety functions
3 Specification of the required Performance Level (PLr)
4 Choice of the system architecture (Category)
5 Modeling the system (circuit) with block diagram
6 Selection of appropriate components (MTTFd, B10, PL, PFHd)
7 Evaluation of the system monitoring (DC)
8 Evaluation of the system robustness (CCF)
9 Check the safety principles and software requirements
10 Verification and validation of the reached Performance Level (PL ≥ PLr)

1 Risk Assessment based on ISO 14121

Is there a C standard for this machine? If yes, use it as a template.

[Flowchart: risk assessment (ISO 14121)]
Start
Determination of the limits of the machinery
Risk analysis: hazard identification, risk estimation
Risk evaluation
Is the machinery safe? Yes: End. No: measures for risk reduction, then the risk assessment is repeated.

2 Identification of the Safety Functions

[Flowchart: measures for risk reduction according to ISO 12100]
Avoidance by intrinsic design
Avoidance by safeguards
Avoidance by information for use
Everything done?
Does the measure depend on a control system? No!
Yes: safety function (SRP/CS) based on ISO 13849
Rest risks (new hazards)? Assessment based on ISO 14121

Example: Safe Torque Off (STO), stop category 0 in accordance with IEC 60204-1: safe drive torque cut-off. An unexpected startup must be avoided when the protective door is opened!

3 Specification of the required Performance Level (PLr)

Performance Level PL: a measure for the safety level

Risk graph (from low risk, PL a, to high risk, PL e):
S1 F1 P1: a
S1 F1 P2: b
S1 F2 P1: b
S1 F2 P2: c
S2 F1 P1: c
S2 F1 P2: d
S2 F2 P1: d
S2 F2 P2: e

Severity of injury [S]
S1 slight (normally reversible injury)
S2 serious (normally irreversible injury or death)

Frequency and/or exposure to hazard [F]
F1 seldom-to-less-often and/or exposure time is short
F2 frequent-to-continuous and/or exposure time is long

Possibility of avoiding hazard or limiting harm [P]
P1 possible under specific conditions
P2 scarcely possible

Example: A failure of the function can lead to a deadly accident (S2). The operator requires access to the machine less than once per shift (F1). In case of a fault, the operator is not able to avoid the danger (P2). The risk graph gives PLr = d.
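The risk graph of step 3 as an added example (not part of the brochure): the branch table is the one drawn above, and the brochure's own S2/F1/P2 case is used as the worked case.

```python
"""Risk graph of ISO 13849-1 (step 3): S, F, P -> required Performance Level PLr."""

# Branches of the risk graph as drawn in step 3: (S, F, P) -> PLr.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """PLr ('a' = low risk .. 'e' = high risk) for one path through the graph."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"not a path of the risk graph: {key}")
    return RISK_GRAPH[key]


def classify_hazard(irreversible: bool, frequent: bool, avoidable: bool) -> str:
    """Map the three yes/no questions of the risk graph onto S, F and P.

    irreversible: S2 (serious, normally irreversible injury or death), else S1
    frequent:     F2 (frequent-to-continuous and/or long exposure), else F1
    avoidable:    P1 (avoidance possible under specific conditions), else P2
    """
    return required_pl("S2" if irreversible else "S1",
                       "F2" if frequent else "F1",
                       "P1" if avoidable else "P2")


def brochure_example() -> str:
    """Step 3 example: a failure can be deadly (S2), the operator needs access
    less than once per shift (F1) and cannot avoid the danger (P2)."""
    return classify_hazard(irreversible=True, frequent=False, avoidable=False)


if __name__ == "__main__":
    print("brochure example -> PLr", brochure_example())  # d
    for path, pl in RISK_GRAPH.items():
        print(" ".join(path), "->", pl)
```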

4 Choice of the System Architecture (Category)

Designated architectures:
Category B: I – L – O (single channel)
Category 1: I – L – O (single channel)
Category 2: I – L – O, monitored by test equipment (TE) with its own output (OTE)
Category 3: two channels I1 – L1 – O1 and I2 – L2 – O2
Category 4: two channels I1 – L1 – O1 and I2 – L2 – O2

Diagnostic coverage (DC) per category: Category B none, Category 1 none, Category 2 low or medium, Category 3 low or medium, Category 4 high (information about DC values under step 7).

MTTFd of each channel:
low: ≥ 3 to < 10 years
medium: ≥ 10 to < 30 years
high: ≥ 30 to < 100 years

PFHd: probability of a dangerous failure per (operating) hour [h-1]
Performance Level a: ≥ 10^-5 to < 10^-4
Performance Level b: ≥ 3 * 10^-6 to < 10^-5
Performance Level c: ≥ 10^-6 to < 3 * 10^-6
Performance Level d: ≥ 10^-7 to < 10^-6
Performance Level e: ≥ 10^-8 to < 10^-7

The reachable PL results from the combination of Category, DC and MTTFd.
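The Category/DC/MTTFd combination of step 4 as an added example (not code from the brochure). The brochure shows the combination as a bar chart; the table in the code is the simplified procedure of ISO 13849-1 (Table 7), reproduced from the standard, and the 100-year cap on MTTFd per channel is likewise taken from the standard.

```python
"""Step 4: PL reachable from Category, diagnostic coverage (DC) and MTTFd of each channel."""
from typing import List, Optional, Tuple


def mttfd_class(mttfd_years: float) -> str:
    """MTTFd classes of step 4. Below 3 years a channel is not acceptable; ISO 13849-1 caps
    the MTTFd counted per channel at 100 years (taken from the standard, not the brochure)."""
    if mttfd_years < 3:
        raise ValueError("MTTFd < 3 years is not permitted for an SRP/CS channel")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"  # 30 years and above; values above 100 years count as 100 years


# (Category, DC class) -> {MTTFd class: PL}. The brochure shows this as a bar chart; the
# values below are the simplified procedure of ISO 13849-1 (Table 7), reproduced from the
# standard. None: the combination is not permitted (e.g. Category 1 with low MTTFd).
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "c"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def reachable_pl(category: str, dc_class: str, mttfd_years: float) -> Optional[str]:
    """PL ('a'..'e') for one designated architecture, or None if not permitted."""
    row = PL_TABLE.get((str(category), dc_class))
    if row is None:  # e.g. Category 3 with DC 'none' or Category 4 with DC 'medium'
        raise ValueError(f"DC class '{dc_class}' is not available for Category {category}")
    return row[mttfd_class(mttfd_years)]


def architecture_meets(category: str, dc_class: str, mttfd_years: float, plr: str) -> bool:
    """Step 10 check PL >= PLr; the letters compare as a < b < c < d < e."""
    pl = reachable_pl(category, dc_class, mttfd_years)
    return pl is not None and pl >= plr


def candidates_for(plr: str) -> List[Tuple[str, str, str]]:
    """All (Category, DC class, MTTFd class) combinations that reach at least PLr."""
    return sorted((cat, dc, m) for (cat, dc), row in PL_TABLE.items()
                  for m, pl in row.items() if pl is not None and pl >= plr)
```

For the brochure's step 3 example (PLr = d), `candidates_for("d")` lists the architectures that are still open: Category 3 with high MTTFd, Category 3 with medium DC and medium MTTFd, or Category 4.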

5a Analysis of the Circuit to Create the Block Diagram

Which elements are relevant to the safety function?
Which hazards (dangerous movements) do exist? Cylinder!
Which elements prevent it (stop the movement)? Valves!
What controls these elements? Safety PLC!
What triggers this function? Sensor!
What tests this function, how and how often? Position monitoring!
What supports this function (safety principles)? Environmental conditions: temperature, level, pressure, filter!

[Figure: example hydraulic circuit. Source: with courtesy from BGIA Report 2/2008]
Components shown: laser scanner F1 and start S1 as inputs of the safety PLC K1; outputs of K1 drive the valves 1V1 to 1V5 (pilot stages 1V5a, 1V5b); position switches 1S1, 1S2, 1S3; 1Z1, 1Z2; pump 1P driven by motor 1M (3~); cylinder 1a performs the dangerous movement.

5b Modeling the Circuit as a Block Diagram

Connecting the blocks with each other (reverse analysis):
What does this element depend on? Serial connection (dependency).
If this element fails, what takes over its function? Parallel connection (redundancy).

Channel 1: safe holding with valve combination 1V3 and 1V4
Channel 2: safe holding with 1V5
Both channels are controlled by PLC K1, which receives the request of the safety function from sensor F1.
With tests: monitoring by 1S3

[Block diagram]
F1 – K1 – 1V3 – 1V4 (Channel 1)
F1 – K1 – 1V5 (Channel 2)
1S3: tests
SRP/CSa (PL, PFHd), e.g. optoelectronic barrier: F1
SRP/CSb (PL, PFHd), safety control: K1
SRP/CSc: valves 1V3, 1V4 and 1V5, tested by 1S3

6 Selection of Appropriate Components (MTTFd, B10, PL, PFHd)

The right parameters for different technologies

Hydraulic components
  Supplier: MTTFd, Category
  Machine builder: Category, DC, CCF, PL of the system
Pneumatic components
  Supplier: B10 (MTTFd)¹, Category
  Machine builder: Category, DC, CCF, PL of the system
Hydraulic subsystems
  Supplier: PL (PFHd)
  Machine builder: DC, CCF, PL of the system
Electronic subsystems (certified product)
  Supplier: PL (PFHd)
  Machine builder: PL of the system²

¹ To calculate the MTTFd from the B10 value, see ISO 13849-1.
² Calculation of PL by adding the PFHd values.
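Footnotes 1 and 2 of step 6 worked through as an added example (not the brochure's code): the B10d conversion uses the formula of ISO 13849-1 Annex C, which the brochure only refers to, the PL/PFHd ranges are those of step 4, and the limit to the lowest subsystem PL is taken from ISO 13849-1 rather than the brochure. All data sheet values and PFHd figures are constructed, arranged along the F1 – K1 – valves chain of step 5b.

```python
"""Step 6: from component data (B10d, PFHd) to the PL of the combined SRP/CS."""
from typing import Dict, Optional, Tuple

# PL <-> PFHd ranges [1/h] listed in step 4: (PL, lower bound inclusive, upper bound exclusive)
PFHD_RANGES = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
               ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]


def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean number of operations per year: nop = dop * hop * 3600 / tcycle
    (formula of ISO 13849-1 Annex C; the brochure refers to the standard without quoting it)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, n_op_per_year: float) -> float:
    """Footnote 1 of step 6: MTTFd [years] = B10d / (0.1 * nop) (ISO 13849-1 Annex C)."""
    return b10d / (0.1 * n_op_per_year)


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """PL for a PFHd value, None when the value lies outside the PL scale."""
    for pl, lower, upper in PFHD_RANGES:
        if lower <= pfhd < upper:
            return pl
    return None


def system_pl(subsystems: Dict[str, Tuple[str, float]]) -> Tuple[float, Optional[str]]:
    """Footnote 2 of step 6: PL of the combined SRP/CS from the sum of the subsystem PFHd values.
    subsystems maps a name to (PL of the subsystem, PFHd of the subsystem [1/h]).
    ISO 13849-1 also limits the result to the lowest subsystem PL (standard, not brochure)."""
    total = sum(pfhd for _, pfhd in subsystems.values())
    pl = pl_from_pfhd(total)
    lowest = min(pl_sub for pl_sub, _ in subsystems.values())  # letters compare a < b < .. < e
    if pl is not None and pl > lowest:
        pl = lowest
    return total, pl


def pneumatic_valve_mttfd() -> float:
    """Constructed data sheet values: B10d = 2,000,000 cycles, 230 days/a, 16 h/day, 30 s cycle."""
    return mttfd_from_b10d(2_000_000, n_op(230, 16, 30))  # about 45.3 years -> class 'high'


def step_5b_chain() -> Tuple[float, Optional[str]]:
    """Constructed PFHd values for the chain of step 5b: F1 (SRP/CSa), K1 (SRP/CSb), valves (SRP/CSc)."""
    return system_pl({"F1 laser scanner": ("e", 2.5e-8),
                      "K1 safety PLC": ("e", 1.0e-8),
                      "1V3/1V4/1V5 valves": ("d", 4.0e-8)})  # sum 7.5e-8 alone would be PL e
```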

7 Evaluation of the System Monitoring (DC)

Diagnostic coverage (DC): proportion of the faults that can be detected

DC: measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures (λd,d) and the failure rate of total dangerous failures (λd):
λd = λd,u + λd,d

Denotation and DC range:
none: DC < 60 %
low: 60 % ≤ DC < 90 %
medium: 90 % ≤ DC < 99 %
high: 99 % ≤ DC

Examples of design possibilities (measure / technology / DC):
Process (cyclic test) / Fluid technology / 0 % ≤ DC < 99 %
Cross monitoring between 2 channels / Electronics / DC = 99 %
Indirect monitoring (e.g. pressure) / Fluid technology / 90 % ≤ DC < 99 %
Direct position monitoring / Fluid technology / DC = 99 %
Integrated self-monitoring / Safety on board / 90 % ≤ DC ≤ 99 %
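The DC ratio of step 7 as an added example (not the brochure's code), evaluated over a constructed failure-mode list of one position-monitored valve; the failure modes, their rates and the detection flags are assumptions for illustration, and the FIT unit is the one defined in the glossary.

```python
"""Step 7: diagnostic coverage (DC) from the dangerous failure rates of a component."""
from typing import List, Tuple

FIT = 1e-9  # 1 FIT = one failure per 10^9 hours (glossary)

# Constructed FMEA of one valve with direct position monitoring (cf. switch 1S3 in step 5a):
# (dangerous failure mode, failure rate in FIT, detected by the position monitoring?)
VALVE_FMEA = [
    ("spool does not return to the safe position", 40.0, True),
    ("spool returns too slowly", 8.0, True),
    ("position switch signals the safe position although the spool is not there", 0.5, False),
]


def dangerous_rates(fmea: List[Tuple[str, float, bool]]) -> Tuple[float, float]:
    """Split the dangerous failure rate into detected (λd,d) and undetected (λd,u) parts."""
    lambda_dd = sum(rate for _, rate, detected in fmea if detected)
    lambda_du = sum(rate for _, rate, detected in fmea if not detected)
    return lambda_dd, lambda_du


def diagnostic_coverage(lambda_dd: float, lambda_du: float) -> float:
    """DC = λd,d / λd with λd = λd,u + λd,d (any common rate unit, e.g. FIT or 1/h)."""
    lambda_d = lambda_dd + lambda_du
    if lambda_d <= 0:
        raise ValueError("no dangerous failure rate given")
    return lambda_dd / lambda_d


def dc_class(dc: float) -> str:
    """Denotation of step 7: none (< 60 %), low (< 90 %), medium (< 99 %), high (>= 99 %)."""
    percent = dc * 100.0
    if percent < 60:
        return "none"
    if percent < 90:
        return "low"
    if percent < 99:
        return "medium"
    return "high"


def mttfd_years(lambda_d_fit: float) -> float:
    """MTTFd = 1 / λd, converting FIT to 1/h and hours to years (8760 h per year)."""
    return 1.0 / (lambda_d_fit * FIT) / 8760.0


def valve_example() -> Tuple[float, str]:
    """DC of the constructed valve: 48 / 48.5, i.e. just below the 99 % line -> 'medium'."""
    dc = diagnostic_coverage(*dangerous_rates(VALVE_FMEA))
    return dc, dc_class(dc)
```

The point of the constructed case: a single undetected dangerous mode of the monitoring element itself keeps the DC below the 99 % that the table credits to direct position monitoring, so the detectability of every dangerous mode has to be argued, not only the presence of a monitoring switch.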

8 Evaluation of the System Robustness (CCF)

CCF: Common Cause Failure

CCF: failures of different items, resulting from a single event, where these failures are not consequences of each other (i.e. failures of redundant units due to a common event, e.g. high temperature).

Measures against CCF (measure / fluid technology / electronics / points; each to be checked: fulfilled?):
Separation between signal paths / Separation in piping / Clearances and creepage distances on printed-circuit boards / 15
Diversity / e.g. different valves / e.g. different processors / 20
Protection against over-voltage, over-pressure ... / Assembly acc. to EN 982 or EN 983 (pressure-relief valve) / Protection against over-voltage (e.g. contactors, power supply unit) / 15
Components used are well-tried / System designer / System designer / 5
FMEA in development / FMEA in the design of the system / FMEA in the design of the system / 5
Competency/training / Qualification measure / Qualification measure / 5
Protection against contaminants and EMC / Fluid quality / EMC test / 25
Other influences (incl. temperature, shock) / Fulfillment of EN 982 or EN 983 and product specification / Fulfillment of the environmental conditions acc. to product specification / 10
CCF total / Total number of points (65 ≤ CCF ≤ 100)
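The CCF scoring of step 8 as an added example (not the brochure's code): the measure names and points are those of the table above; that only a fully fulfilled measure scores is the rule of ISO 13849-1 Annex F and not stated by the brochure; the fulfilled-measure lists are constructed.

```python
"""Step 8: CCF scoring as tabulated in the brochure; 65 of 100 points are required."""
from typing import Iterable, List

# Measure -> points, as in the step 8 table (total 100). A measure only scores when it is
# fully fulfilled; a partly fulfilled measure scores nothing (ISO 13849-1 Annex F, assumed).
CCF_MEASURES = {
    "separation between signal paths": 15,
    "diversity": 20,
    "protection against over-voltage / over-pressure": 15,
    "well-tried components": 5,
    "FMEA in development": 5,
    "competency / training": 5,
    "protection against contaminants and EMC": 25,
    "other influences (temperature, shock, ...)": 10,
}
CCF_REQUIRED = 65


def ccf_score(fulfilled: Iterable[str]) -> int:
    """Points of the fulfilled measures; unknown measure names are rejected."""
    names = set(fulfilled)
    unknown = names - CCF_MEASURES.keys()
    if unknown:
        raise ValueError(f"unknown CCF measure(s): {sorted(unknown)}")
    return sum(points for name, points in CCF_MEASURES.items() if name in names)


def ccf_ok(fulfilled: Iterable[str]) -> bool:
    """CCF requirement of step 8: 65 <= total points <= 100."""
    return ccf_score(fulfilled) >= CCF_REQUIRED


def measures_to_add(fulfilled: Iterable[str]) -> List[str]:
    """Open measures, highest points first, until the 65-point line is reached (planning helper)."""
    names = set(fulfilled)
    score, plan = ccf_score(names), []
    for name, points in sorted(CCF_MEASURES.items(), key=lambda item: -item[1]):
        if score >= CCF_REQUIRED:
            break
        if name not in names:
            plan.append(name)
            score += points
    return plan


def hydraulic_example() -> int:
    """Constructed hydraulic design: separate piping, different valves, pressure-relief valve, fluid quality."""
    return ccf_score(["separation between signal paths", "diversity",
                      "protection against over-voltage / over-pressure",
                      "protection against contaminants and EMC"])  # 15 + 20 + 15 + 25 = 75
```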

9 Check the Safety Principles and Software Requirements

9.a Measures for control and avoidance of systematic failures: see the list of measures in the ISO standard 13849-1, Appendix G

9.b Was specific software created for this application? Check the requirements on the application software.

9.c Safety principles: check list for machine builders (ISO 13849-2, example)

Basic safety principles:
■ De-energisation principle
■ Pressure limitation
■ Speed limitation
■ Avoidance of contamination
■ Proper range of switching time
■ Protection against unexpected startup
■ Proper temperature range
■ Separation of the fluid
...

Well-tried safety principles:
■ Overdimensioning/safety factor
■ Safe position
■ Speed limitation
■ Force limitation
■ Appropriate range of working conditions
■ Monitoring of the condition
...
10 Verification and Validation of the reached Performance Level (PL ≥ PLr)

10.a Verification of the reached performance level (PL ≥ PLr)

[Flowchart: evaluation of the design]
Requirement: PLr (steps 1 to 3)
Design of the control system (steps 4 to 9) gives the reached PL
PL ≥ PLr? No: back to the design of the control system. Yes: next safety function.

Safety on board with IndraDrive: worldwide first safe braking and holding system

10.b Validation of the reached performance level (machine manufacturer)

Have these requirements been met?
• Validation procedure acc. to ISO 13849-2
• Check of implemented safety function
• Creation of technical documentation

The same Language

The functional safety standards clearly define a set of terms and parameters. The most important ones:

PL (Performance Level): Discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
PLr: Required Performance Level
SIL (Safety Integrity Level): Safety Integrity Level (appropriate only for electronic control systems, see PL and IEC 62061)
MTTF (Mean Time To Failure): Statistic expected value of the mean time to failure
MTTFd (Mean Time To dangerous Failure): Statistic expected value of the mean time to dangerous failure
FIT (Failure In Time): Unit used to measure the failure rate of electronic components (1 FIT = 1 x 10^-9/h)
PFHd (Probability of Dangerous Failure per Hour): Probability of dangerous failure per hour (reference value for PL and SIL)
B10: Statistic expected value of the number of cycles until 10 % of the components have exceeded specified limits (response time, leakage, switching pressure, …) under defined conditions
B10d: Expected number of cycles until 10 % of the components fail dangerously
T10d: Expected value of the mean time until 10 % of the components fail dangerously (maximal service time of a component)
TM (Mission Time): Service life
DC: Diagnostic Coverage
CCF: Common Cause Failure
SRP/CS: Safety-Related Parts of a Control System
Dangerous failure: Failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state
Bosch Rexroth AG
97816 Lohr am Main
Germany
www.boschrexroth.com/safety

Printed in Germany
RE 08511/08.09
substitutes RE 08511/04.09
