Machine Safety Standards


  • 7/29/2019 Machine Safety Standards

    1/27

    Copyright 2009 Rockwell Automation, Inc. All rights reserved.

    Machine Safety Standards

    Dr Raymond Wright

    EN954 | ISO13849 | IEC62061

  • Slide 2/27: Philosophy

    Machine Safety is about the reduction of risk.

    In the real world there is no such thing as zero risk in technology, so the aim is to reduce risk to a tolerable level.

    If safety depends on control systems, these must be designed for a low probability of functional failure. If this is not possible, then errors that occur shall not lead to the loss of the safety function.

    To help meet this requirement, harmonised standards have been created, and complying with these standards is the simplest way to demonstrate risk reduction so far as reasonably practicable.

    IEC 62061 | ISO 13849-1

  • Slide 3/27: Scope of Machine Safety Standards

    EN 954-1 has been the dominant standard in Machine Safety.

    EN 954-1 employs a deterministic approach which uses an estimate of risk in terms of Categories, which determine a Class of control to achieve an appropriate system behaviour and performance.

    With the advent of more complex controls, especially programmable controls, safety can no longer be adequately measured in the simple Category system found in EN 954-1.

    The probability of failure (failure modes and failure rates) of the more complex safety controls is not addressed in EN 954-1, and requires a probabilistic approach to evaluating performance.

    Update Jan 2010: EN 954-1 validity to be extended to 31 Dec 2011.

    EN 954-1 will be succeeded by ISO 13849-1 on 29 Dec 2009.

  • Slide 4/27: Scope of Machine Safety Standards

    ISO 13849-1 will take the place of EN 954-1.

    The standard is applied to Safety-Related Parts of Control Systems (SRP/CS) and all types of machinery regardless of the technology and energy employed (electrical, hydraulic, mechanical, pneumatic).

    There are also special requirements within ISO 13849-1 for SRP/CS using programmable electronic systems.

    IEC 62061 is a competing standard derived from IEC 61508.

    The standard defines the requirements and gives recommendations for the design, integration and validation of Safety-Related Electrical, Electronic, and Programmable Electronic control systems (SRECS) for machinery.

    It does not define requirements for the performance of non-electrical (e.g. hydraulic, mechanical, pneumatic) safety-related control elements for machinery.

  • Slide 5/27: Relationship

    Relationship of Current Standards (diagram): IEC 61508, Functional safety of Electrical/Electronic/Programmable Electronic safety-related systems, covers Safety of Systems and Equipment for both Process and Machines. Beneath it sit IEC 61511 for Process (Electrical, Electronic and Programmable Technology), IEC 61508-3 for Software, and IEC 62061 for Machinery (Electrical, Electronic and Programmable Technology). EN 954-1, Safety related parts of control systems, leads to ISO 13849-1:2006 for Machinery (All Technologies).

  • Slide 6/27: Overview of ISO 13849-1

    Builds on the familiar Categories from EN 954-1.

    Goes beyond the qualitative approach of EN 954-1 to include a quantitative assessment of the safety function. It examines complete safety functions, including all the components involved in their design.

    A (qualitative) risk assessment process produces a performance requirement, called the Performance Level requirement (PLr), for each safety function. This builds on the requirements of Categories, and is based on the designated architecture and designated mission time.

    Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.

    The Performance Level of each safety function must be verified, and examples of calculation are provided in the standard.

  • Slide 7/27: Overview of IEC 62061

    Represents a sector-specific standard under IEC 61508.

    It is based on a Lifecycle concept, and covers only electric, electronic and programmable electronic control systems on machinery.

    A (qualitative) risk assessment process produces a performance level requirement, called the Safety Integrity Level (SIL), for each safety function.

    Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.

    The Performance Level of each safety function must be verified, and examples of calculation are provided in the standard.

  • Slide 8/27: Choice of Standard

    Which Standard should I follow?

    In general terms, if you are familiar with the use of the Categories from EN 954-1 and use relatively straightforward conventional safety functions, then ISO 13849-1 is probably the best choice.

    If you are specifically required to use SIL, or if your application uses complex multi-conditional safety functionality, then IEC 62061 may be the most suitable.

    Keep in mind that ISO 13849-1 covers all technologies whereas IEC 62061 only covers electrical and electronic systems.

    Holistic Approach

    Whichever standard is chosen, a holistic Safety Strategy (risk management process) must be followed to ensure that the performance of the safety functions can be directly linked to the risk reduction requirements determined during Hazard Identification and Risk Assessment activities.

  • Slide 9/27: User Safety Strategy

    User Safety Strategy:

    Risk Assessment:
    Identify all Machines
    Determine Machine Limits (each machine)
    Identify Tasks (each machine)
    Identify Hazards (each task)
    Estimate Risk (each hazard): severity of potential injury; probability of its occurrence; frequency of exposure; probability of injury

    Risk Control:
    Reduce Risk (each hazard): eliminate or reduce; install protective equipment; procedures / training / PPE
    Determine the required performance: Cat/PLr/SIL (each safety function)
    Design Safety Functions (vendor or integrator)
    Evaluation (each safety function)

    EN 1050 | ISO 14121

  • Slide 10/27: Risk Assessment ISO 13849-1

    ISO 13849-1 Risk Assessment: PLr + Verification of Performance Level (PL) required for each safety function.

    Severity of Injury
    S1 Slight (normally reversible injury)
    S2 Serious (normally irreversible) injury including death

    Frequency and/or Exposure Time to the Hazard
    F1 Seldom to less often and/or the exposure time is short
    F2 Frequent to continuous and/or the exposure time is long

    Possibility of Avoiding the Hazard or Limiting the Harm
    P1 Possible under specific conditions
    P2 Scarcely possible

    Risk Graph from Annex A of EN ISO 13849-1 (figure): from START the path branches on S1/S2, then F1/F2, then P1/P2, running from Low Risk to High Risk and ending at PLr a, b, c, d or e.

  • Slide 11/27: Performance Level Verification

    ISO 13849-1: factors to consider when verifying performance (PL) of each safety function:

    Severity of Injury (S1/S2), Frequency and/or Exposure Time to the Hazard (F1/F2) and Possibility of Avoiding the Hazard or Limiting the Harm (P1/P2), as defined on 10/27.

    Elements for PLr Consideration
    Cat Category (Designated Architecture)
    MTTFd Mean Time To Dangerous Failure
    DC Diagnostic Coverage
    CCF Susceptibility to Common Cause Failure
    Tm Mission Time
    B10d For elements that suffer from wear: mean number of cycles until 10% of components fail dangerously (used to calculate the MTTFd of components)

    Risk Graph from Annex A of EN ISO 13849-1 (figure, as on 10/27).

  • Slide 12/27: Performance Level Verification

    PL Verification

    Determination of PL from Figure 6 of ISO 13849-1 (bar chart): the horizontal axis lists the designated architectures Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium) and Category 4 (DCavg = high); the vertical axis is Performance Level (PL) a to e; within each column the reachable PL rises with MTTFd = low, medium or high.

  • Slide 13/27: Performance Level Verification (simplified)

    PL Verification (simplified)

    Simplified Determination of PL from Table 7 of ISO 13849-1 (table): the rows are the designated architectures Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium) and Category 4 (DCavg = high); the columns are MTTFd = low, medium and high; each cell gives the Performance Level (PL) a to e.
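The PLr risk graph of 10/27 and the Table 7 lookup of this slide as working code, added here as an example and not part of the presentation. The leaf values of the Annex A risk graph and the Table 7 cells are taken from ISO 13849-1:2006 as assumed here, since the slides reproduce only the axes of both figures; DCavg labels follow the slides (0, low, medium, high).

```python
# Added example (not from the slides): ISO 13849-1 PLr from the Annex A risk
# graph, achievable PL from Table 7 (simplified), and the PL >= PLr check.
# Assumption: leaf values and Table 7 cells are those of ISO 13849-1:2006;
# the slides reproduce only the axes of both figures.

PL_ORDER = "abcde"  # PL a = lowest, PL e = highest performance

# Annex A risk graph: (S, F, P) -> required Performance Level (PLr)
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Table 7: (Category, DCavg) -> PL for MTTFd = (low, medium, high).
# DCavg labels follow the slide (0, low, medium, high); None = not covered.
TABLE_7 = {
    ("B", "0"):      ("a", "b", None),
    ("1", "0"):      (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}
MTTFD_INDEX = {"low": 0, "medium": 1, "high": 2}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Walk the risk graph: S1/S2 -> F1/F2 -> P1/P2 -> PLr."""
    return RISK_GRAPH[(severity, frequency, avoidance)]


def achieved_pl(category: str, dc_avg: str, mttfd: str):
    """PL a designated architecture can reach; None if Table 7 has no entry."""
    row = TABLE_7.get((category, dc_avg))
    if row is None:
        raise ValueError(f"Category {category} with DCavg {dc_avg} is not a designated architecture")
    return row[MTTFD_INDEX[mttfd]]


def verify(plr: str, pl) -> bool:
    """True when the achieved PL is at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


if __name__ == "__main__":
    # Constructed case: serious injury, frequent exposure, scarcely avoidable.
    plr = required_pl("S2", "F2", "P2")       # "e"
    pl = achieved_pl("3", "medium", "high")   # "d": Category 3 tops out at PL d
    print(f"PLr={plr} PL={pl} meets={verify(plr, pl)}")
```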

  • Slide 14/27: Risk Assessment IEC 62061

    IEC 62061 Risk Assessment: verification of performance required (SIL) for each safety function.

    SIL assignment (Tables from Annex A of IEC 62061):

    Consequence / Severity Se              Class Cl
                                           3-4    5-7    8-10   11-13  14-15
    Death, losing an eye or arm       4    SIL 2  SIL 2  SIL 2  SIL 3  SIL 3
    Permanent, losing fingers         3           OM     SIL 1  SIL 2  SIL 3
    Reversible, medical attention     2                  OM     SIL 1  SIL 2
    Reversible, first aid             1                         OM     SIL 1

    Frequency & Duration Fr        Prob. of Hazard Event Pr    Avoidance Av
    ≤ 1 hr                    5    Very High            5
    > 1 hr to ≤ 1 day         5    Likely               4
    > 1 day to ≤ 2 wk         4    Possible             3      Impossible   5
    > 2 wk to ≤ 1 yr          3    Rarely               2      Possible     3
    > 1 yr                    2    Negligible           1      Likely       1

    Cl = Fr + Pr + Av

  • Slide 15/27: Risk Estimation IEC 62061

    Risk Assessment Form (form image; its text is not reproduced here).

  • Slide 16/27: Risk Estimation IEC 62061

    Estimate the Frequency of Exposure

    Table A.2 Frequency and duration of exposure (Fr) Classification

    Frequency of exposure (duration > 10 min)    Fr
    ≤ 1 h                                        5
    > 1 h to ≤ 1 day                             5
    > 1 day to ≤ 2 weeks                         4
    > 2 weeks to ≤ 1 year                        3
    > 1 year                                     2

  • Slide 17/27: Risk Estimation IEC 62061

    Estimate the Probability of Occurrence

    Table A.3 Probability (Pr) Classification

    Probability of Occurrence    Pr
    Very high                    5
    Likely                       4
    Possible                     3
    Rarely                       2
    Negligible                   1

  • Slide 18/27: Risk Estimation IEC 62061

    Estimate the Probability of Avoiding or Limiting Harm

    Table A.4 Probability of avoiding or limiting harm (Av) Classification

    Probability of Avoidance    Av
    Impossible                  5
    Rarely                      3
    Probable                    1

  • Slide 19/27: Risk Estimation IEC 62061

    Estimate the Severity of the Consequence

    Table A.1 Severity (Se) Classification

    Consequences                                                  Se
    Irreversible: death, losing an eye or arm                     4
    Irreversible: broken limb(s), losing finger(s)                3
    Reversible: requiring attention from a medical practitioner   2
    Reversible: requiring first aid                               1

  • Slide 20/27: Risk Estimation IEC 62061

    Determining the SIL Requirement

    Worked row from the Risk Assessment Form: 1 | 1 | CRUSHING | Se 3 | Fr 5 | Pr 5 | Av 3 | Cl 13, i.e. Cl = Fr + Pr + Av = 5 + 5 + 3 = 13.

  • Slide 21/27: SIL Verification IEC 62061

    IEC 62061: factors to consider when verifying performance (SIL) of each safety function:

    Elements for SIL Consideration
    PFHd Probability of Dangerous Failure per Hour
    DC Diagnostic Coverage
    Susceptibility to Common Cause Failure
    T1 Lifetime
    T2 Diagnostic Test Interval
    HFT Hardware Fault Tolerance
    SFF Safe Failure Fraction
    Failure rate; or B10d for elements suffering from wear

    SIL assignment and Fr/Pr/Av tables from Annex A of IEC 62061, as on 14/27.

  • Slide 22/27: SIL Verification

    SIL Verification (simplified)

    PFHd scale (figure): thresholds 10^-5, 10^-6, 10^-7 and 10^-8 per hour, with the bands na (above 10^-5), SIL 1 (10^-6 to 10^-5), SIL 2 (10^-7 to 10^-6) and SIL 3 (10^-8 to 10^-7).

    Safety Instrumented Function (SIF): Sensor Subsystem [PFHd(s)] → Logic Solver Subsystem [PFHd(ls)] → Final Element Subsystem [PFHd(fe)]

    PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe)

  • Slide 23/27: PL : SIL Relationship

    Relationship between PL and SIL

    Performance Level (ISO 13849-1)    Probability of a dangerous failure per hour (PFHd)    Safety Integrity Level (IEC 62061)
    a                                  10^-5 ≤ PFHd < 10^-4                                  na
    b                                  3x10^-6 ≤ PFHd < 10^-5                                1
    c                                  10^-6 ≤ PFHd < 3x10^-6                                1
    d                                  10^-7 ≤ PFHd < 10^-6                                  2
    e                                  10^-8 ≤ PFHd < 10^-7                                  3

    PFHd scale (figure): 10^-4, 10^-5, 10^-6, 10^-7 and 10^-8, with SIL na / SIL 1 / SIL 2 / SIL 3 and PL a / b / c / d / e marked along it.
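PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe) from 22/27 combined with the PL/SIL bands of the table above, as an added example that is not part of the presentation. The subsystem PFHd values are constructed, and the required SIL handed to meets() is assumed to come from an earlier risk estimation.

```python
# Added example (not from the slides): PFHd of a safety function as the sum of
# its subsystem PFHd values, mapped to the PL and SIL bands of the relationship
# table. Subsystem values below are constructed for illustration.

# (lower bound inclusive, upper bound exclusive, PL, SIL) from the table
PFHD_BANDS = [
    (1e-8, 1e-7, "e", "SIL 3"),
    (1e-7, 1e-6, "d", "SIL 2"),
    (1e-6, 3e-6, "c", "SIL 1"),
    (3e-6, 1e-5, "b", "SIL 1"),
    (1e-5, 1e-4, "a", "na"),
]


def pfhd_sif(subsystems: dict) -> float:
    """PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe): one term per subsystem."""
    if not subsystems:
        raise ValueError("a safety function needs at least one subsystem")
    for name, value in subsystems.items():
        if value <= 0:
            raise ValueError(f"PFHd({name}) must be positive, got {value}")
    return sum(subsystems.values())


def classify(pfhd: float):
    """Return (PL, SIL) for a PFHd value, or (None, None) outside 1e-8..1e-4."""
    for lo, hi, pl, sil in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl, sil
    return None, None


def meets(pfhd: float, required_sil: int) -> bool:
    """True when the band reached is at least the required SIL (1..3)."""
    _, sil = classify(pfhd)
    achieved = int(sil.split()[1]) if sil and sil.startswith("SIL") else 0
    return achieved >= required_sil


if __name__ == "__main__":
    # Constructed subsystem values for one safety instrumented function
    sif = {"sensor": 2.5e-8, "logic_solver": 1.0e-8, "final_element": 6.0e-8}
    total = pfhd_sif(sif)              # 9.5e-8
    print(total, classify(total))      # ('e', 'SIL 3')
    # A poorer final element drags the whole function down a band
    sif["final_element"] = 4.0e-7
    print(classify(pfhd_sif(sif)), meets(pfhd_sif(sif), 3))  # ('d', 'SIL 2') False
```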

  • Slide 24/27: Summary

    IEC 62061: relatively complex methodology; more flexibility; fewer constraints; simplified modularity via subsystems; only applies to electrical technology.

    Are there complex safety functions, e.g. depending on logic decisions? Or will the system require complex or programmable electronics to a high level of integrity? If the answer to either question is YES, it is probably most appropriate to use IEC 62061.

    ISO 13849-1:2006: simpler methodology; builds on Categories; more constraints; system based; applies to all technologies.

    Can the system be designed simply using the designated architectures? Or will the system include technologies other than electrical? If the answer to either question is YES, it is probably most appropriate to use ISO 13849-1:2006.

  • Slide 25/27: Benefits of Compliance

    Compliance with Standards has Benefits:

    As a Supplier: compliance with relevant machine safety legislation; easier entry into overseas markets.

    As a Buyer: knowledge that the machine is built with an adequate level of safety; the required safety performance is achieved, not too much (unnecessary cost) and not too little (doubt about safety); reduced repair time and fewer unnecessary stoppages.

    As a User/Operator: knowledge that the machine is safe to work with, and provides a better operational work environment; more comfortable with the machine, higher productivity; less waste material, and more consistent quality.

  • Slide 26/27: Moving Ahead

    What should I do now?

    The ideal first step is to read both standards in order to understand their requirements and implications.

    Perhaps the most daunting aspect of both standards is the fact that they require calculations based on reliability data that the safety component manufacturers should supply.

    Help is available in the form of information booklets and software tools for calculations.

    The BGIA in Germany provides a comprehensive calculation tool for EN ISO 13849-1 called SISTEMA. It is available free from the BGIA website.

    If you design and build machines and have used EN 954-1 as a guidance standard to demonstrate compliance, you will be required to recertify your machines' safety related control systems to new Functional Safety standards such as ISO 13849-1 or IEC 62061, or directly to the Machinery Directive.

  • Slide 27/27: Questions

    Defining Best Practice in Process & Machine Safety

    THANK YOU. QUESTIONS?

    [email protected]

    Safety Management: Safety Management Systems; Safety Management Planning; Safety Lifecycle Templates; Safety Compliance Audits; Safety Case Development

    Risk Management: PHA / HAZOP; Risk Assessment; PL/SIL Determination / LOPA; Safety Requirement Specification; PL/SIL Verification

    Safety Training / Workshops: ISA Certification Courses; Functional Safety Courses; Safety Lifecycle Courses; PL/SIL Determination / LOPA; PL/SIL Verification

    The FSE Global Advantage