EN ISO 13849-1:2015 Safety of machinery - Safety-related parts of control systems

Annex B Block method and safety-related block diagram

B.1 Block method

The simplified approach requires a block-oriented logical representation of the SRP/CS. The SRP/CS should be separated into a small number of blocks according to the following:

- different channels performing the safety function should be separated into different blocks - if one block is no longer able to perform its function, the execution of the safety function through the blocks of the other channel should not be affected;
- each channel may consist of one or several blocks - three blocks per channel in the designated architectures, input, logic and output, is not an obligatory number, but simply an example for a logical separation inside each channel;
- each hardware unit of the SRP/CS should belong to exactly one block, thus allowing for the calculation of the MTTFD of the block based on the MTTFD of the hardware units belonging to the block (e.g. by failure mode and effects analysis or the parts count method, see D.1);
- hardware units only used for diagnostics (e.g. test equipment) and which do not affect the execution of the safety function in the different channels when they fail dangerously, may be separated from hardware units necessary for the execution of the safety function in the different channels.

NOTE For the purposes of this part of ISO 13849, "blocks" do not correspond to functional blocks or reliability blocks.

B.2 Safety-related block diagram

The blocks defined by the block method may be used to graphically represent the logical structure of the SRP/CS in a safety-related block diagram. For such a graphical representation, the following may be of guidance:

- the failure of one block in a series alignment of blocks leads to the failure of the whole channel (e.g. if one hardware unit in one channel of the SRP/CS fails dangerously the whole channel might not be able to execute the safety function any longer);
- only the dangerous failure of all channels in a parallel alignment leads to the loss of the safety function (e.g. a safety function performed by several channels is executed as long as at least one channel has no failure);
- blocks used only for testing purposes and which do not affect the execution of the safety function in the different channels when they fail dangerously may be separated from blocks in the different channels.

See Figure B.1 for an example.
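The block method of B.1 and the series/parallel reading of B.2, worked through in code as an added example that is not part of the standard. It assumes the parts count summation of D.1 (1/MTTFD of a block is the sum of 1/MTTFD of its units, applied again over the blocks of a channel, which this page does not quote); the two-channel SRP/CS, its unit names and MTTFD values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class Block:
    # A block of the block method: hardware units (name -> MTTFD in years),
    # each unit belonging to exactly one block.
    name: str
    units: Dict[str, float]

    def mttfd(self) -> float:
        # Parts count method (D.1): dangerous failure rates of the units add
        # up, so 1/MTTFD_block = sum of 1/MTTFD_unit.
        return 1.0 / sum(1.0 / m for m in self.units.values())

    def failed(self, failed_units: Set[str]) -> bool:
        # The block stops performing its function once any unit fails dangerously.
        return any(u in failed_units for u in self.units)

@dataclass
class Channel:
    # Blocks in series alignment (e.g. input, logic, output).
    name: str
    blocks: List[Block]

    def mttfd(self) -> float:
        # Same summation over the blocks in series (assumption: D.1 applies
        # the parts count to the whole channel; not quoted on this page).
        return 1.0 / sum(1.0 / b.mttfd() for b in self.blocks)

    def failed(self, failed_units: Set[str]) -> bool:
        # Series alignment: one dangerously failed block fails the channel.
        return any(b.failed(failed_units) for b in self.blocks)

def safety_function_lost(channels: List[Channel], failed_units: Set[str]) -> bool:
    # Parallel alignment: the function is lost only when every channel has
    # failed. Test-only blocks are kept outside the channels, so their
    # dangerous failure never reaches this check.
    return all(c.failed(failed_units) for c in channels)

# Constructed two-channel SRP/CS; unit names and MTTFD values are made up.
CHANNELS = [
    Channel("ch1", [Block("I1", {"S1": 50.0}), Block("L1", {"K1": 100.0, "K2": 100.0}),
                    Block("O1", {"Q1": 25.0})]),
    Channel("ch2", [Block("I2", {"S2": 50.0}), Block("L2", {"K3": 100.0}),
                    Block("O2", {"Q2": 25.0})]),
]
TEST_EQUIPMENT = Block("T", {"TE": 10.0})  # diagnostics only, outside both channels
```

With these values, a dangerous failure of S1 alone leaves channel 2 executing the function, S1 together with Q2 loses it, and a failure of the test equipment TE changes nothing because it sits in neither channel.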