Functional Safety

The safety of machines, plants and systems employed in industry depends more than ever before on the correct functioning of electronic control systems. Malfunctioning of a control system can lead to unacceptable risk, jeopardising both capital investments and people. To eliminate such risks as far as possible, the relevant control systems must meet exacting requirements in terms of functional safety.

We speak of "functional safety" when safety depends on the correct functioning of an electrical (E), electronic (E) or programmable electronic (PE) system (in short: an E/E/PE system). The following standards apply in this area.

EN 954-1 Safety of machinery - Safety-related parts of control systems

EN 954-1 gives a practical guide to determining the control features that need to be incorporated into machinery to eliminate or reduce risks according to EN 1050. The standard advocates a five-step process:

  • Hazard analysis and risk assessment
  • Determining the requirements to reduce the risk to the required level of safety
  • Specifying the safety requirements to be provided by the control system
  • Design
  • Validation

Typical characteristics of safety functions, control modes and interfaces are defined and explained. To simplify the requirements for the control of machines, a risk assessment method is given which allows the safety requirements of the control system to be assigned to one of five categories of safety performance. The safety-related parts of the machine control can then be designed in accordance with one or more of the category requirements.

The risk graph and corresponding risk parameters can be used to estimate the potential risk for danger zones on machinery. The category is established for the risk as it exists before any risk-reducing measures are applied.


S Severity of injury
1 Slight (normally reversible) injury
2 Serious (normally irreversible) injury, including death

F Frequency and/or exposure to the hazard
1 Seldom to quite often and/or exposure time is short
2 Frequent to continuous and/or exposure time is long

P Possibility of avoiding the hazard
1 Possible under specific conditions
2 Scarcely possible

The control system requirements derived from the risk graph are specified as follows:

Category B (basic category)
The safety-related parts of machine control systems and/or their safety devices and components shall be designed, constructed, selected, assembled and combined in accordance with the relevant standards so that they can withstand the expected influences.

Category 1
Safety-related parts shall be designed and constructed using well-tried components and well-tried safety principles. Well-tried means that the components have been widely used in the past with successful results in similar applications, or they have been manufactured using principles that demonstrate their suitability and reliability for safety-related applications.

Well-tried safety principles are circuit arrangements constructed in such a way that certain faults are avoided by the appropriate arrangement or layout of components.

Note: The occurrence of a fault can lead to the loss of the safety function.

Category 2
Safety-related parts of control systems must be designed so that their safety function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed: (a) at machine start-up and prior to the initiation of any hazardous situation, and (b) periodically during operation, if the risk assessment and the kind of operation show that it is necessary. The initiation of this check may be automatic or manual. An automatic check may, for example, be initiated by a signal generated by the control system at suitable intervals; automatic testing is preferred.

The decision about the type of test depends on the risk assessment and the judgement of the end user or machine builder. The result of the test shall allow operation if no fault has been detected, or shall generate an output to initiate an appropriate control action if a fault has been detected. This requires a second, independent shutdown route.

Notes: In some cases Category 2 is not applicable because the checking of the safety function cannot be applied to all components and devices. Moreover, the cost involved in implementing Category 2 correctly may be considerable, so that it may make better economic sense to implement a different category. In general, Category 2 can be realised with electronic techniques. The system behaviour is such that the occurrence of a fault can lead to the loss of the safety function between checks, and the loss of the safety function is detected by the check.

Category 3
Safety-related parts of control systems must be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function. This does not mean that all faults will be detected. The accumulation of undetected faults can lead to an unintended output signal and a hazardous situation at the machine.

Category 4
Safety-related parts of control systems must be designed so that a single fault in any of these parts does not lead to a loss of the safety function; the single fault must be detected at or before the next demand upon the safety function (e.g. immediately at switch-on or at the end of a machine operating cycle). If this detection is not possible, then an accumulation of faults shall not lead to a loss of the safety function.

EN/IEC 62061 Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

The recent move towards functional safety has been recognised in EN 61508 (a basic safety publication of the IEC), which takes a 'systems'-based approach in which greater emphasis is placed upon the correct specification and implementation of safety functions, using a reliability-based methodology.

The integrity of safety functions is classified into one of four safety integrity levels (SILs). These SILs can be considered to define a performance target for electrical, electronic and/or programmable electronic systems that perform safety functions.

EN 62061 is a harmonised standard for the machinery sector and implements the principles of EN 61508. Significantly for control system designers and systems integrators, EN 62061 provides the basis for the successful integration of systems/parts that comply with EN 954-1 and IEC/EN 61508 into safety-related electrical control systems (SRECS) in a logical manner that satisfies the key requirements for functional safety.

What does risk assessment look like in accordance with EN 62061? Risk estimation is an iterative process, so it may be necessary to go through it more than once. The risk must be estimated, and the SIL defined, for each hazard whose risk is to be reduced through control measures.

The risk is estimated by considering four parameters:

Se  The severity of the injury
Fr  The frequency and duration of exposure to the hazard
Pr  The probability of occurrence of a hazardous event
Av  The probability of avoiding or limiting harm

1 Severity (Se) classification:

Consequence                                                   Severity (Se)
Irreversible: death, losing an eye or arm                     4
Irreversible: broken limb(s), losing a finger(s)              3
Reversible: requiring attention from a medical practitioner   2
Reversible: requiring first aid                               1

2 Frequency and duration of exposure classification:

Frequency of exposure (exposure duration > 10 min)   Frequency (Fr)
<= 1 h                                               5
> 1 h to <= 1 day                                    5
> 1 day to <= 2 weeks                                4
> 2 weeks to <= 1 year                               3
> 1 year                                             2

3 Probability classification:

Probability of occurrence   Probability (Pr)
Very high                   5
Likely                      4
Possible                    3
Rarely                      2
Negligible                  1

4 Probability of avoiding or limiting harm classification:

Probability of avoiding or limiting harm   Avoidance (Av)
Impossible                                 5
Rarely                                     3
Probable                                   1

SIL assignment matrix

The class used to select the column is the sum of the three scores, Fr + Pr + Av. "(OM)" means that other measures are recommended; a dash marks a cell with no entry.

Severity (Se)   Class 3-4   Class 5-7   Class 8-10   Class 11-13   Class 14-15
4               SIL 2       SIL 2       SIL 2        SIL 3         SIL 3
3               -           (OM)        SIL 1        SIL 2         SIL 3
2               -           -           (OM)         SIL 1         SIL 2
1               -           -           -            (OM)          SIL 1

The selection or design of the relevant safety function must always meet the following minimum requirements:

1. Architectural constraints for hardware safety integrity

Safe failure fraction (SFF)   HFT 0           HFT 1   HFT 2
< 60 %                        Not permitted   SIL 1   SIL 2
60 % to < 90 %                SIL 1           SIL 2   SIL 3
90 % to < 99 %                SIL 2           SIL 3   SIL 3
>= 99 %                       SIL 3           SIL 3   SIL 3

2. Requirements for the probability of dangerous random hardware failures

SIL level   PFHD (probability of dangerous failure per hour)
SIL 3       >= 10^-8 to < 10^-7
SIL 2       >= 10^-7 to < 10^-6
SIL 1       >= 10^-6 to < 10^-5
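The following is an added worked example, not code from the original page or from any product it describes: it encodes the EN 62061 tables reproduced above and checks whether a safety-related electrical control system (SRECS) reaches the SIL the matrix demands. The function names are this example's own, and it assumes, from the standard, that the matrix column (Class) is the sum Fr + Pr + Av.

```python
# Added example, not code from the original page: SIL determination with the
# EN 62061 tables reproduced above. Function names are this example's own; that
# the matrix column (Class) is the sum Fr + Pr + Av is taken from the standard.
CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {  # row = Se, column = class band; "OM" = other measures, None = empty cell
    4: [2, 2, 2, 3, 3],
    3: [None, "OM", 1, 2, 3],
    2: [None, None, "OM", 1, 2],
    1: [None, None, None, "OM", 1],
}
# Architectural constraints: (SFF lower bound in %, max SIL for HFT 0, 1, 2); 0 = not permitted
ARCH_ROWS = [(99, (3, 3, 3)), (90, (2, 3, 3)), (60, (1, 2, 3)), (0, (0, 1, 2))]

def fr_score(exposure_interval_hours: float) -> int:
    """Fr from the frequency-of-exposure table (exposure duration > 10 min)."""
    h = exposure_interval_hours
    return 5 if h <= 24 else 4 if h <= 24 * 14 else 3 if h <= 24 * 365 else 2

def risk_class(fr: int, pr: int, av: int) -> int:
    """Class used to pick the matrix column: the three scores added together."""
    if not (1 <= fr <= 5 and 1 <= pr <= 5 and av in (1, 3, 5)):
        raise ValueError("score outside the tables")
    return fr + pr + av

def required_sil(se: int, fr: int, pr: int, av: int):
    """Read the SIL assignment matrix: 1..3, "OM", or None for an empty cell."""
    cls = risk_class(fr, pr, av)
    col = next(i for i, (lo, hi) in enumerate(CLASS_BANDS) if lo <= cls <= hi)
    return SIL_MATRIX[se][col]

def max_sil_by_architecture(sff_percent: float, hft: int) -> int:
    """Highest SIL the hardware architecture allows (0 = 'Not permitted')."""
    if hft not in (0, 1, 2): raise ValueError("HFT must be 0, 1 or 2")
    return next(lim[hft] for lower, lim in ARCH_ROWS if sff_percent >= lower)

def sil_from_pfhd(pfhd: float) -> int:
    """SIL band of the dangerous random hardware failure rate (0 = worse than SIL 1)."""
    if pfhd >= 1e-5: return 0
    if pfhd >= 1e-6: return 1
    if pfhd >= 1e-7: return 2
    return 3  # below 10^-8 is off the page's table; treated as SIL 3 here (assumption)

def achieved_sil(sff_percent: float, hft: int, pfhd: float) -> int:
    """Both minimum requirements must hold, so the weaker one limits the SIL."""
    return min(max_sil_by_architecture(sff_percent, hft), sil_from_pfhd(pfhd))

def meets_requirement(required, sff_percent: float, hft: int, pfhd: float) -> bool:
    """True when the SRECS reaches the SIL the matrix demands ("OM"/None: no SIL)."""
    return not isinstance(required, int) or achieved_sil(sff_percent, hft, pfhd) >= required
```

A constructed scenario: an irreversible injury (Se 3), exposure once per 8-hour shift (Fr 5), a "possible" hazardous event (Pr 3) and "rarely" avoidable harm (Av 3) gives class 11 and therefore SIL 2; a subsystem with SFF 75 %, HFT 1 and PFHD 3 x 10^-7 achieves SIL 2 and is compliant, while the same hardware would not satisfy a SIL 3 requirement.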

EN ISO 13849-1 Safety of machinery - Safety-related parts of control systems

The classification of safety-related parts of control systems into categories will soon be a thing of the past. In the future, the well-known control categories from EN 954-1 will be replaced with the Performance Levels from EN ISO 13849-1.

These Performance Levels (from "a" to "e") reflect the different residual risks (image 2) and are expressed as the probability of dangerous failure per hour, or PFHd (..). This is where the probabilistic approach makes its entry.

For every Performance Level the following items must be individually defined. In this way, the probabilistic factors are integrated into the calculation of the Performance Level.

  • MTTFd, the mean time to dangerous failure
  • DC, the diagnostic coverage
  • CCF, the management of common cause failures

These values are indicated in the product specifications of the safety switching appliances, so the mechanical engineer can choose the appropriate components. As the safety chain consists of several components (sensors, control, actuators), the values of all of them must be combined to obtain the total PL, which is then compared with the required PLr. If the calculated PL is equal to or higher than the PLr, the safety circuit is standard-compliant.

The risk graph and corresponding risk parameters of EN ISO 13849-1 can be used to estimate the potential risk for danger zones on machinery. The category is established for the risk as it exists before any risk-reducing measures are applied.


S Severity of injury
S1 Slight (normally reversible) injury
S2 Serious (normally irreversible) injury, including death

F Frequency and/or exposure to a hazard
F1 Seldom to less often and/or the exposure time is short
F2 Frequent to continuous and/or the exposure time is long

P Possibility of avoiding the hazard
P1 Possible under specific conditions
P2 Scarcely possible
