What are the Performance Levels of safety-related control systems of machinery?
The Machinery Directive 2006/42/EC requires that the safety-related control systems of a machine are designed and constructed so that dangerous situations are avoided even in the event of a failure in the hardware or software of the machine control system.
One way to meet this requirement is to apply the UNI EN ISO 13849-1:2016 standard.
SRP/CS refers to the safety-related part of a control system, i.e. the part that responds to safety-related input signals and generates safety-related output signals.
The process for the design and implementation of the SRP/CS envisaged by the UNI EN ISO 13849-1:2016 standard includes the following activities:
- identification of the safety functions to be performed by the SRP/CS (for example emergency stop, interlocking of movable guards, manual reset, two-hand control, etc.) and definition of the characteristics of each safety function;
- determination of the PLr (required Performance Level);
- design and implementation of the SRP/CS;
- estimate of the PL (Performance Level) for each safety function implemented through the SRP/CS;
- for each SRP/CS, comparison between PLr and PL: the PL must be greater than or equal to the PLr; if the PL achieved is less than the PLr, the SRP/CS must be modified in order to increase its reliability, i.e. its PL.
What is the PLr (required Performance Level)?
The required performance level PLr is the performance level to be reached in order to achieve the required risk reduction for each safety function. The PLr therefore indicates how reliable the SRP/CS should be.
The determination of the PLr is the result of the risk assessment and refers to the extent of the risk reduction that is assigned to the safety-related parts of the control system.
The greater the amount of risk reduction required of the SRP/CS, the higher the PLr must be.
PL Performance Level: the levels
The PL (Performance Level) is the discrete level used to specify the ability of an SRP/CS to perform a safety function under foreseeable conditions. The PL is expressed through five levels ("a", "b", "c", "d", "e") of increasing reliability.
Performance level a
It is the lowest level; it has no equivalent in the SIL estimated in accordance with the CEI EN 62061:2005 standard.
Performance level b
Control circuits capable of achieving performance level b can be implemented using single channel architectures without monitoring.
Performance level c
Single-channel architectures without monitoring and well-tested components and safety principles can be used to create control circuits capable of achieving performance level c.
Performance level d
To obtain control circuits that are able to reach a performance level d, single channel architectures without monitoring are no longer sufficient, but the principles of monitoring and possibly of redundancy must be adopted.
Performance level e
The performance level e is the highest achievable and can only be achieved by using redundant and monitored circuits.
| Performance level (PL) | Average probability of a dangerous failure per hour (PFH_D) [1/h] |
| --- | --- |
| a | 10^-5 ≤ PFH_D < 10^-4 |
| b | 3 × 10^-6 ≤ PFH_D < 10^-5 |
| c | 10^-6 ≤ PFH_D < 3 × 10^-6 |
| d | 10^-7 ≤ PFH_D < 10^-6 |
| e | 10^-8 ≤ PFH_D < 10^-7 |
How many PLs does a machine have?
As mentioned in the introduction, one of the most difficult requirements of the Machinery Directive to satisfy is that relating to the reliability of safety-related control systems; in essence, this requirement demands that the machine does not behave dangerously even in the presence of faults.
In practice this translates into assessing that the safety-related control systems are sufficiently reliable, i.e. that the probability of their failing in a way that creates dangerous situations is quite low.
What can be a dangerous situation generated by a failure?
For example, it could happen that by pressing an emergency stop button, a motor does not stop because the remote control switch that controls it does not open the power contacts.
The reliability of the control circuits of a machine can be estimated according to the method described in the UNI EN ISO 13849-1 standard, which allows the Performance Level (PL) to be determined. The PL of a circuit is expressed by a letter from "a" to "e", where "a" is the least performing level and "e" is the most reliable.
However, it is necessary to start with the assessment of the risks of the machine: on the basis of the results of the risk assessment, the manufacturer of the machine will define which protection measures he intends to adopt to reduce the risks present to an acceptable level.
These protective measures may or may not include control circuits:
- for example, if a dangerous area is protected with a fixed guard, it will not involve control circuits;
- if, on the other hand, an interlocked movable guard is used, it will be necessary to implement a control circuit that stops the protected dangerous elements when the guard is opened and prevents them from being restarted before the guard is closed: this is a safety function.
Does the number of PLs to be estimated for a machine then correspond to the number of protective devices?
For example, for a simple machine that has an emergency stop button and an interlocked movable guard, will it be necessary to estimate two PLs?
This is not always the case.
In the previous example, it will be necessary to evaluate which and how many dangerous elements must be stopped when the movable guard is opened; in fact, there could be a spindle driven by an electric motor, a pusher driven by a pneumatic cylinder, etc. Each of these elements must be stopped by its own control circuit, therefore it will be necessary to estimate a PL for each of these circuits.
The same interlock sensor of a movable guard could therefore belong to several different control circuits, each of which stops a dangerous part of the machine.
The machinery PL
One thing must be clear: there is no "PL of a machine", but the PL must be estimated for each different safety-related control system.
Only once the risk assessment process has been completed it will be possible to determine what these circuits are and therefore how many PLs should be estimated.
Performance Level d in robotic cells
In the case of the safety-related parts of control systems of robotic cells, the reference level is Performance Level d.
Let's see why.
The UNI EN ISO 10218-2:2011 standard applies to industrial robotic cells, which it defines as "one or more robotic systems including machinery, equipment, protected space and associated protection measures".
By applying this harmonised type C standard, the manufacturer obtains the presumption of conformity of the robotic cell with the Machinery Directive; under it, the safety-related parts of the control system must be designed to comply (UNI EN ISO 10218-2:2011, §5.2.2):
- at Performance Level d with category 3 structure as described in the UNI EN ISO 13849-1: 2016 standard;
- to SIL 2 with hardware fault tolerance of 1 with a periodic verification interval of not less than 20 years as described in the standard CEI EN 62061: 2005.
Any failure of the safety-related parts of the control system must cause a category 0 or 1 stop in accordance with the standard CEI EN 60204-1: 2018 (UNI EN ISO 10218-2: 2011, §5.2.1).
Interfaces with control circuits having safety functions of other parts of the integrated manufacturing system (IMS) must comply with what is indicated above (UNI EN ISO 10218-2:2011, §5.9.3).
The results of an overall risk assessment carried out on the robotic system may determine that different performance of the safety related parts of the control system is justified for the application (UNI EN ISO 10218-2: 2011, §5.2.3).
In these cases the criteria used to define the required performance levels must be specifically identified and adequate limitations and cautions must be indicated in the instructions for use.
Therefore, this type C standard not only requires a Performance Level (Performance Level d) for the safety-related parts of the control system, but also requires that the corresponding circuits be implemented in accordance with the requirements of category 3.
The UNI EN ISO 10218-2: 2011 standard indicates the levels of reliability that must be achieved by various safety functions of robotic cells (except in the case where the risk assessment justifies different criteria), including:
- the interlocking sensors of movable guards must meet Performance Level d with category 3 structure of the UNI EN ISO 13849-1:2016 standard (or SIL 2 with hardware fault tolerance 1 of the CEI EN 62061:2005 standard);
- the limited speed monitoring system must meet Performance Level d with category 3 structure of the UNI EN ISO 13849-1:2016 standard (or SIL 2 with hardware fault tolerance 1 of the CEI EN 62061:2005 standard);
- the methods used to limit the movement of robots must meet Performance Level d with category 3 structure of the UNI EN ISO 13849-1:2016 standard (or SIL 2 with hardware fault tolerance 1 of the CEI EN 62061:2005 standard);
- the emergency stop function must meet Performance Level d with category 3 structure of the UNI EN ISO 13849-1:2016 standard (or SIL 2 with hardware fault tolerance 1 of the CEI EN 62061:2005 standard).
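The PL-versus-PLr comparison described in the design process, the PFH_D table above and the "PL d with category 3" requirement for robotic cells can be combined into a small verification routine. The following is an added example, not code from the standard or from the original article; the circuit names, PFH_D values and categories are constructed for the simple machine discussed earlier (one emergency stop button, one interlocked guard stopping a spindle and a pusher) plus one robot-cell circuit.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# PFH_D bands of the PL table (UNI EN ISO 13849-1): (lower bound inclusive, upper bound exclusive, PL)
PL_BANDS = [
    (1e-5, 1e-4, "a"),
    (3e-6, 1e-5, "b"),
    (1e-6, 3e-6, "c"),
    (1e-7, 1e-6, "d"),
    (1e-8, 1e-7, "e"),
]
PL_ORDER = "abcde"  # increasing reliability, so "e" > "d" > ... > "a"


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Map an estimated PFH_D [1/h] to its PL band. Returns None at or above 10^-4 (no PL reached).
    Values below 10^-8 lie outside the table; reporting them as PL e is an assumption of this example."""
    if pfhd >= 1e-4:
        return None
    if pfhd < 1e-8:
        return "e"
    return next(pl for lo, hi, pl in PL_BANDS if lo <= pfhd < hi)


def pl_meets(pl: Optional[str], plr: str) -> bool:
    """The achieved PL must be greater than or equal to the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


@dataclass
class SafetyCircuit:
    name: str
    pfhd: float                          # estimated PFH_D of this SRP/CS [1/h]
    category: int                        # designated architecture category (B, 1..4; B encoded as 0)
    plr: str                             # PLr from the risk assessment
    min_category: Optional[int] = None   # 3 for robot-cell circuits (ISO 10218-2 §5.2.2), else None


def verify(circuit: SafetyCircuit) -> Tuple[Optional[str], bool]:
    """Return (achieved PL, True if the circuit satisfies both its PLr and any category requirement)."""
    pl = pl_from_pfhd(circuit.pfhd)
    ok = pl_meets(pl, circuit.plr)
    if circuit.min_category is not None and circuit.category < circuit.min_category:
        ok = False   # PL alone is not enough: the required structure (category) must also be met
    return pl, ok


# Constructed sample: one PL is estimated per circuit, not per protective device or per machine.
MACHINE = [
    SafetyCircuit("emergency stop -> main contactor", 2.5e-7, 3, "d"),
    SafetyCircuit("guard interlock -> spindle motor", 4.0e-6, 1, "c"),    # PL b < PLr c: redesign
    SafetyCircuit("guard interlock -> pneumatic pusher", 8.0e-7, 3, "c"),
    SafetyCircuit("robot cell e-stop -> drives", 5.0e-7, 2, "d", min_category=3),  # PL d but Cat 2
]


def review(circuits):
    return {c.name: verify(c) for c in circuits}
```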
What to do to increase the PL (Performance Level)?
To increase the PL of the SRP/CS, the following measures are possible, which can be applied individually or in combination:
- reducing the likelihood of dangerous component failures;
- improving the structure of the SRP/CS or modifying its category.
If you are a machinery designer and you think you need qualified technical support for the determination of the PLr, for the estimation of the achieved PL, or for advice on increasing the PL, you are in the right place.
We can provide you with specialized training on the topic, also through direct coaching, or technical advice for solving problems.
All training, or coaching, can be fully financed with Fondimpresa or other funding organizations.
Do you have a doubt, a problem or a question?
We can provide you with the advice you need, also REMOTELY.