Standards for functional safety
Machinery safety in accordance with EN ISO 13849
Status of standardisation

As the successor to EN 954-1, EN ISO 13849-1 is the main standard for the design of safety-related control systems in the "machinery safety" sector. The European version of EN ISO 13849-1 was adopted in 2006 (the current edition is the 2008 version). EN ISO 13849-1 has also been published in the Official Journal of the EU as a harmonised standard under the Machinery Directive, so applying it gives a presumption of conformity with the directive.

Who may still apply EN 954-1?

The core question of who should or may still apply EN 954-1 is shaped by two boundary conditions. On the one hand, EN ISO 13849-1:2009 is the direct successor standard to EN 954-1. EN ISO 13849-1 therefore established a new state of the art, and EN 954-1 consequently no longer satisfies a basic requirement of the Machinery Directive. This view is, however, qualified by a second circumstance. For many product standards (C standards) there is to this day no updated version that refers to EN ISO 13849-1. Since the existing references to EN 954-1 often cannot be resolved completely and unambiguously by EN ISO 13849-1, users of these standards remain dependent on EN 954-1, and in these cases EN 954-1 must still be regarded as the state of the art. In all other cases, for the sake of legal certainty, application of EN ISO 13849-1 is advisable. It should be stressed, however, that the legal situation has not been clarified beyond doubt and that application of EN 954-1 remains conceivable.

What were the main reasons for revising EN 954-1?

EN 954-1 has described the design of safety-related control circuits in the machinery safety sector since 1996. It is still widely used, but it contains no adequate requirements for programmable electronic systems in particular. A further criticism was that the relationship between risk level and category was not always plausible. There was also a general view that probabilistic considerations ought to be included alongside the deterministic safety aspects.

A significant revision in EN ISO 13849-1 is the probabilistic approach to the assessment of safety-related control systems. The aim of the revision was to give EN 954-1 the probabilistic techniques urgently needed in order to assess modern circuits. The key step was to retain the proven categories while additionally assessing quantitative, safety-related reliability parameters.

Performance levels (PL) have come into use; these are based on the categories and are described by the following parameters:
- Category (structural requirement)
- Mean time to dangerous failure (MTTFd)
- Diagnostic coverage (DC)
- Common cause failure (CCF)

Reaching the goal in six steps

The introduction of EN ISO 13849-1 has also resulted in new procedural requirements for machine design. The design of the safety-related parts of a control system is an iterative process which is completed over several steps.

Step 1 - Define the safety function requirements

First of all it is necessary to establish the features required of each safety function. This step is the most important and sometimes the most difficult too. For safety gate guarding on a machine, for example, hazardous movements must be shut down when the safety gate is opened; it must not be possible for the machine to restart while the safety gate is open.

Step 2 - Determine the required performance level PL

The greater the risk, the higher the requirements placed on the control system. The contribution of reliability and structure can vary depending on the technology used. The required contribution to risk reduction for each hazardous situation is classified in five levels from "a" to "e". With PL "a" the control function's contribution to risk reduction is low, with PL "e" it is high. The risk graph, built from the three parameters below, is used to determine the required performance level (PLr) for the safety function described above.

Severity of injury (S)
- S1 = Slight (normally reversible) injury
- S2 = Serious (normally irreversible) injury, including death

Frequency and/or exposure to a hazard (F)
- F1 = Seldom to less often and/or the exposure time is short
- F2 = Frequent to continuous and/or the exposure time is long

Possibility of avoiding the hazard (P)
- P1 = Possible under specific conditions
- P2 = Scarcely possible

Step 3 - Design and technical realisation of the safety functions

The "safety gate interlock" safety function described in Step 1 is realised through control measures. The safety gate interlock can be implemented using a coded proximity switch such as the PSENcode. This provides the option to connect several safety gates in series without reducing the effectiveness of the monitoring functions. Coding also provides extensive protection against manipulation. The sensors are evaluated using a multifunctional safety system such as the PNOZmulti. The drive is shut down via two contactors with positive-guided contacts.

Step 4 - Determine and evaluate the performance level

To determine the performance level that has been achieved, the safety function is broken down into three parts: input, logic and output. Each of these subsystems contributes to the safety function. All the necessary performance data is available for Pilz components. Pilz provides a simple calculation tool (PAScal) for this purpose.

Step 5 - Verification

This step determines whether the achieved performance level matches the required performance level. The achieved PL must be greater than or equal to the PLr determined in the risk assessment. If it is, the machine design gets a "green light".

Step 6 - Validation

Alongside the purely quantitative requirements for the design of safety systems, it is also important to avoid systematic failures, and validation confirms that the implemented safety function actually behaves as specified in Step 1.
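The following is an added worked example, not code from the page or from Pilz, that carries Steps 2, 4 and 5 of the procedure above through for the safety-gate function in Python. The risk graph (Annex A), the simplified PL table (Table 7), the series combination of subsystems (Table 11) and the MTTFd, B10d and DCavg formulas are those of EN ISO 13849-1; the band limits follow the 2008 edition. Every component figure (the B10d of the contactors, the sensor MTTFd and DC, the CCF score, and treating the PNOZmulti logic as PL "e") is a constructed assumption for illustration and not manufacturer data; a real calculation takes those values from the component data sheets or PAScal.

```python
"""EN ISO 13849-1 simplified procedure for the safety-gate example (added example).

All numeric component data in safety_gate_example() is constructed for
illustration; it is not data for any real product.
"""

PL_ORDER = "abcde"  # ascending performance level

# Step 2: risk graph (EN ISO 13849-1, Annex A): (S, F, P) -> required PL
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def required_pl(s: int, f: int, p: int) -> str:
    """Severity S1/S2, frequency F1/F2, avoidability P1/P2 -> PLr."""
    return RISK_GRAPH[(s, f, p)]


def mttfd_from_b10d(b10d: float, dop: float, hop: float, tcycle_s: float) -> float:
    """Electromechanical parts: nop = dop*hop*3600/tcycle, MTTFd = B10d/(0.1*nop)."""
    nop = dop * hop * 3600.0 / tcycle_s          # operations per year
    return b10d / (0.1 * nop)


def channel_mttfd(part_mttfds) -> float:
    """Parts-count method: 1/MTTFd = sum(1/MTTFd_i), capped at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / m for m in part_mttfds))


def symmetrised_mttfd(c1: float, c2: float) -> float:
    """Two redundant channels with different MTTFd (Annex D formula)."""
    return min(100.0, 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2)))


def dc_avg(parts) -> float:
    """parts: iterable of (MTTFd, DC). DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    return sum(dc / m for m, dc in parts) / sum(1.0 / m for m, _ in parts)


def mttfd_band(mttfd: float):
    if mttfd < 3.0:
        return None                               # below the lowest permitted value
    return "low" if mttfd < 10.0 else "medium" if mttfd < 30.0 else "high"


def dc_band(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


# Step 4: simplified procedure, Table 7: (category, DC band) -> MTTFd band -> PL
SIMPLIFIED = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}


def subsystem_pl(category: str, mttfd: float, dc: float, ccf_score: int = 0):
    """PL of one subsystem; None means the combination is not permitted."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None                               # CCF measures insufficient (need >= 65 points)
    mb, db = mttfd_band(min(mttfd, 100.0)), dc_band(dc)
    if mb is None:
        return None
    if category == "3" and db == "high":
        db = "medium"                             # Table 7 has no separate Cat 3 / DC high column
    return SIMPLIFIED.get((category, db), {}).get(mb)


def combine_pls(pls) -> str:
    """Step 4, series combination of subsystems (Table 11)."""
    low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(low)
    limit, demoted = {"a": (3, None), "b": (2, "a"), "c": (2, "b"),
                      "d": (3, "c"), "e": (3, "d")}[low]
    return demoted if n_low > limit else low


def verify(achieved, required: str) -> bool:
    """Step 5: achieved PL must be >= PLr."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


def safety_gate_example():
    plr = required_pl(2, 2, 1)                    # constructed rating: S2, F2, P1 -> 'd'
    # Input: coded sensor pair, assumed Cat 3, MTTFd 100 a/channel, DC 95 %, CCF 80 points
    pl_in = subsystem_pl("3", 100.0, 0.95, ccf_score=80)
    # Logic: safety controller, assumed to be certified PL e
    pl_logic = "e"
    # Output: two contactors (assumed B10d 1.3e6, 220 d/a, 16 h/d, 60 s cycle), feedback-monitored
    k = mttfd_from_b10d(1_300_000, 220, 16, 60)   # about 61.6 years per channel
    pl_out = subsystem_pl("3", symmetrised_mttfd(k, k), 0.90, ccf_score=80)
    achieved = combine_pls([pl_in, pl_logic, pl_out])
    return plr, achieved, verify(achieved, plr)


if __name__ == "__main__":
    print("PLr, PL achieved, verified:", safety_gate_example())
```

Note the two places where a calculation is rejected rather than rounded: a CCF score under 65 or an MTTFd under 3 years returns None, because EN ISO 13849-1 does not assign any PL to those cases, and a verification step must treat "no PL" as a failure, not as PL "a".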