Standards: Functional Safety and Risk Assessment – EN ISO 12100, EN ISO 13849 and IEC 62061
EN ISO 13849: Safety of machinery – Safety-related parts of control systems. Applicable for electrical, electronic, programmable electronic, hydraulic, pneumatic and mechanical systems.
IEC 62061: Safety of machinery – Functional safety of safety-related control systems.

Risk assessment in accordance with EN ISO 12100 (carried out separately for each risk)

Risk estimation (Clause 5.5): severity, possibility of avoidance, frequency, duration.
Risk evaluation (Clause 5.6): in accordance with C standards or risk estimation.
Has the risk been adequately reduced?
  Yes: Documentation (Clause 7), END.
  No: Risk reduction (Clause 6, 6.2-6.4); assess the measures independently and consecutively:
    Can the hazard be removed? Yes: risk reduction by inherently safe design measures (Clause 6.2).
    No: Can the risk be reduced by inherently safe design measures? Yes: Clause 6.2.
    No: Can the risk be reduced by guards and other safeguards? Yes: risk reduction by technical protective measures and complementary protective measures (Clause 6.3).
      Does the protective measure depend on a control system? Yes: implementation in accordance with EN 13849 / EN 62061 (steps 1 to 3 below).
    Is the intended risk reduction achieved? No: return to risk reduction.
    Are other hazards generated? Yes: return to the risk assessment for the new hazard. No: return to "Has the risk been adequately reduced?"

1 Determination of the required performance level (PLr) in accordance with EN ISO 13849-1 and of the required Safety Integrity Level (SIL) in accordance with IEC 62061

EN ISO 13849-1 (PLr):
• S – Severity of injury
  S1 = Slight (normally reversible injury)
  S2 = Serious (normally irreversible injury including death)
• F – Frequency and/or duration of exposure to a hazard
  F1 = Seldom to quite often and/or the exposure time is short
  F2 = Frequent to continuous and/or the exposure time is long
• P – Possibility of avoiding the hazard
  P1 = Possible under specific conditions
  P2 = Scarcely possible
• Probability of occurrence of the hazardous event
  A low probability can reduce the PLr by one level.
The starting point is the required performance level (PLr), from PLr a (low contribution to risk reduction) to PLr e (high contribution to risk reduction).

IEC 62061 (SIL):
• Se – Severity (consequences)
  4 = Death, losing an eye or arm
  3 = Permanent injury, losing fingers
  2 = Reversible injury, medical attention
  1 = Reversible injury, first aid
• Fr – Frequency and duration of exposure to the hazardous event
  Frequency                          Duration > 10 min   Duration ≤ 10 min
  ≥ 1 per h                          5                   5
  < 1 per h to ≥ 1 per day           5                   4
  < 1 per day to ≥ 1 per 2 weeks     4                   3
  < 1 per 2 weeks to ≥ 1 per year    3                   2
  < 1 per year                       2                   1
• Pr – Probability of the hazardous event
  Very high = 5, Likely = 4, Possible = 3, Rarely = 2, Negligible = 1
• Av – Probability of avoidance
  Impossible = 5, Possible = 3, Likely = 1
• Class Cl = Fr + Pr + Av

2 PL and SIL determination for each safety function

  Consequences                           Se   Cl 3-4   Cl 5-7   Cl 8-10   Cl 11-13   Cl 14-15
  Death, losing an eye or arm            4    SIL 1    SIL 2    SIL 2     SIL 3      SIL 3
  Permanent injury, losing fingers       3    -        OM       SIL 1     SIL 2      SIL 3
  Reversible injury, medical attention   2    -        -        OM        SIL 1      SIL 2
  Reversible injury, first aid           1    -        -        -         OM         SIL 1
  OM: Other Measures. "-": no SIL (or PL) required.
  The sheet also prints PLr values along each row of this matrix (left to right): Se 4: PLr b, c, d, d, e, e; Se 3: PLr a, b, c, d, e; Se 2: PLr a, b, c, d; Se 1: PLr a, b, c.

Example for calculating the class Cl:
For a specific hazard with an 'Se' assigned as 3, an 'Fr' as 4, a 'Pr' as 3 and an 'Av' as 5 then: Cl = Fr + Pr + Av = 4 + 3 + 5 = 12
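As an added example (not from this sheet, Pilz or PAScal), the IEC 62061 route above in Python: Fr from frequency and duration, Cl = Fr + Pr + Av, the required SIL from the matrix as printed on the sheet, and the final "achieved SIL ≥ required SIL?" check against the SIL PFH bands shown in the PL/SIL comparison further down. The exposure frequency and the PFH value in the usage example are constructed.

```python
# Added example: IEC 62061 parameters, class Cl and SIL matrix as printed on this sheet.
FR_TABLE = {  # frequency of exposure -> (Fr for duration > 10 min, Fr for duration <= 10 min)
    ">= 1 per h": (5, 5),
    "< 1 per h to >= 1 per day": (5, 4),
    "< 1 per day to >= 1 per 2 weeks": (4, 3),
    "< 1 per 2 weeks to >= 1 per year": (3, 2),
    "< 1 per year": (2, 1),
}
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV = {"impossible": 5, "possible": 3, "likely": 1}

# Rows Se 4..1, columns Cl 3-4, 5-7, 8-10, 11-13, 14-15.
# "OM" = other measures; None = no SIL (or PL) required.
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {
    4: ["SIL 1", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None, "OM", "SIL 1", "SIL 2", "SIL 3"],
    2: [None, None, "OM", "SIL 1", "SIL 2"],
    1: [None, None, None, "OM", "SIL 1"],
}
# SIL bands on PFH (1/h) from the PL/SIL comparison chart; lower bound inclusive.
SIL_PFH = [("SIL 3", 1e-8, 1e-7), ("SIL 2", 1e-7, 1e-6), ("SIL 1", 1e-6, 1e-5)]
RANK = {None: 0, "OM": 1, "SIL 1": 2, "SIL 2": 3, "SIL 3": 4}


def required_sil(se, frequency, duration_min, pr, av):
    """Return (Cl, required SIL) for one hazard; a duration <= 10 min uses the lower Fr column."""
    fr = FR_TABLE[frequency][0 if duration_min > 10 else 1]
    cl = fr + PR[pr] + AV[av]  # always between 3 and 15
    col = next(i for i, (lo, hi) in enumerate(CL_BANDS) if lo <= cl <= hi)
    return cl, SIL_MATRIX[se][col]


def achieved_sil(pfh):
    """SIL band reached by a calculated PFH; None if PFH lies outside the tabulated bands."""
    return next((sil for sil, lo, hi in SIL_PFH if lo <= pfh < hi), None)


def meets_requirement(pfh, required):
    """Achieved SIL >= required SIL? An OM or no-SIL requirement is met by any PFH."""
    return required in (None, "OM") or RANK[achieved_sil(pfh)] >= RANK[required]


if __name__ == "__main__":
    # The sheet's worked example (Se 3, Fr 4, Pr 3, Av 5 -> Cl 12) with a constructed exposure
    # (less than once a day, at least once per 2 weeks, > 10 min) and a constructed PFH of 2.5e-7.
    cl, sil = required_sil(3, "< 1 per day to >= 1 per 2 weeks", 30, "possible", "impossible")
    print(cl, sil, meets_requirement(2.5e-7, sil))  # 12 SIL 2 True
```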
3 Calculation of the safety function (e.g. with PAScal®)

Input data for the subsystems of the safety function:
• Sensors: MTTFD (EN ISO 13849) or λd, λs (IEC 62061), DC, CCF, subsystem type
• Units without internal wearing components: MTTFD, DC, CCF, Category (EN ISO 13849) or λd, λs, DC, CCF, subsystem type (IEC 62061)
• Units with wearing components (EMERGENCY STOPs, relays, switches, valves): B10d, nop, DC, CCF, diagnostics, Category (EN ISO 13849) or B10d, nop, λd, λs, DC, CCF, subsystem type (IEC 62061)
• Integration of the subsystems into the safety function; then: is the intended risk reduction achieved?

PAScal® calculation tool: from the machine … to the safety function … to their assessment in PAScal.
Definition of the safety functions, then modelling of the safety functions in PAScal.
[Figure: example circuit (sensor B2 = PSEN 2.1p, K1, S1, contactors Q1 and Q2, motor M) and its modelling as a safety function in PAScal.]
Glossary of terms

• Architecture: Specific configuration of hardware and software elements in a safety-related control system (SCS)
• B10d: Number of cycles of products before 10% of the product range fails "dangerously"
• Category (CAT): Classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability
• CCF: Common cause failure
• Diagnostic coverage (DC): Measure for the effectiveness of diagnostics, may be determined as the ratio of the failure rate of detected dangerous failures and the failure rate of total dangerous failures
• DCavg: Average diagnostic coverage
• Fault: State of an item characterized by inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
• λ: Average probability of failure
• λD: Dangerous failure rate
• λS: Safe failure rate
• Mission time: Period of time covering the intended use of the SRP/CS
• MTTFD: Mean time to dangerous failure
• nop: Mean frequency of operation per annum
• Performance level (PL): Discrete level to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
• Performance level, required (PLr): Performance level (PL) in order to achieve the required risk reduction for each safety function
• PFH / PFHD: Probability of dangerous failure per hour
• Risk: Combination of the probability of occurrence of harm and the severity of that harm
• Safety function: Function of the machine whose failure can result in an immediate increase of the risk(s)
• Safety Integrity Level (SIL): Discrete level (one out of a possible three) for describing the capability to perform a safety function, where SIL 3 has the highest level of safety integrity and SIL 1 has the lowest
• Safety validation: Confirmation by examination and by provision of a certificate stating that special requirements for a specific intended use are met
• Safety-related control system (SCS): Part of the control system of a machine which implements a safety function by one or more "subsystems"
• SRP/CS – Safety-Related Part of a Control System: Part of a control system that responds to safety-related input signals and generates safety-related output signals
• Subsystem: Entity of the top-level architectural design of a safety-related system where a dangerous failure of the subsystem results in dangerous failure of a safety function
• Verification: Confirmation by examination and by provision of a certificate stating that the requirements of the specification are met

Risk assessment in accordance with EN ISO 12100, then implementation of safety functions, then validation of safety functions in PAScal.

Specification of categories – examples of solutions
[Figure: example circuits for Category B, 1, Category 2, Category 3 and Category 4, with instantaneous and delayed outputs (OSSD1, OSSD2 delayed).]
The solutions illustrated here are provided purely by way of example.

Probability of a dangerous failure per hour – comparison PL / SIL

Performance Level (PL) in accordance with EN ISO 13849-1:
  PL   PFHD (1/h)
  a    10^-5 ≤ PFHD < 10^-4
  b    3×10^-6 ≤ PFHD < 10^-5
  c    10^-6 ≤ PFHD < 3×10^-6
  d    10^-7 ≤ PFHD < 10^-6
  e    10^-8 ≤ PFHD < 10^-7

Safety Integrity Level (SIL) in accordance with IEC 62061:
  SIL  PFH (1/h)
  1    10^-6 ≤ PFH < 10^-5
  2    10^-7 ≤ PFH < 10^-6
  3    10^-8 ≤ PFH < 10^-7

Relationship between the categories, DC, MTTFD and PL
[Figure: achievable PL for Cat. B (DCavg = none), Cat. 1 (DCavg = none), Cat. 2 (DCavg = low), Cat. 2 (DCavg = med.), Cat. 3 (DCavg = low), Cat. 3 (DCavg = med.) and Cat. 4* (DCavg = high), each for MTTFD = low, MTTFD = medium and MTTFD = high; MTTFD axis: 3 years, 10 years, 30 years, 100 years.]
* In Cat. 4, MTTFD up to 2,500 years is possible.

Final check: Achieved PL ≥ PLr? Achieved SIL ≥ required SIL?

The measures outlined on this sheet are simplified descriptions and are intended to provide an overview of the standards EN ISO 12100, EN ISO 13849-1 and IEC 62061. Detailed understanding and correct application of all relevant standards and directives are needed for validation of safety circuits. As a result, we cannot accept any liability for omissions or incomplete information.

PAScal Safety Calculator – Calculation software for verifying functional safety
Determine the safety levels of safety functions with ease: with the Safety Calculator PAScal you have a handy calculation tool to verify functional safety in accordance with EN ISO 13849-1 and EN / IEC 62061.

Range of plant and machinery lifecycle services
We support you in the optimum global application of safety strategies. Benefit from consulting and engineering: from risk assessment through to the declaration of conformity. Our international qualification programme guarantees enhanced success through professional development. Webcode: web150431

8-8-en-3-125, 2021-04, Printed in Germany © Pilz GmbH & Co. KG, 2021