Machine Safety Standards
Dr Raymond Wright EN954 | ISO13849 | IEC62061
Copyright 2009 Rockwell Automation, Inc. All rights reserved.
Philosophy
Machine Safety is about the reduction of risk.
In the real world there is no such thing as zero risk in technology. So the aim is to reduce risk to a tolerable level. If safety depends on control systems, these must be designed for a low probability of functional failure. If this is not possible then errors that occur shall not lead to the loss of the safety function. To help meet this requirement harmonised standards have been created, and complying with these standards is the simplest way to demonstrate risk reduction so far as reasonably practicable.
Risk
Risk reduction (figure, text recovered from the slide): the inherent risk of the machine is brought down by safeguards to a residual risk, which must lie at or below the tolerable risk; the gap between inherent and tolerable risk is the risk reduction required. ISO 13849-1 and IEC 62061 are the two standards used to specify and verify that reduction.
Scope of Machine Safety Standards
EN954-1 has been the dominant standard in Machine Safety
EN 954-1 employs a deterministic approach which uses an estimate of risk in terms of Categories, which determine a Class of control to achieve an appropriate system behaviour and performance. With the advent of more complex controls, especially programmable controls, safety can no longer be adequately measured in the simple Category system found in EN 954-1. The probability of failure (failure modes and failure rates) of the more complex safety controls is not addressed in EN 954-1, and requires a probabilistic approach to evaluating performance.
EN 954-1 will be succeeded by ISO 13849-1 on 29 Dec 2009. Update Jan 2010: EN 954-1 validity to be extended to 31 Dec 2011
Scope of Machine Safety Standards
ISO 13849-1 will take the place of EN 954-1
The standard is applied to Safety-Related Parts of Control Systems (SRP/CS) and all types of machinery regardless of the technology and energy employed (electrical, hydraulic, mechanical, pneumatic). There are also special requirements within ISO 13849-1 for SRP/CS using programmable electronic systems.
IEC 62061 is a competing standard derived from IEC 61508
The standard defines the requirements and gives recommendations for the design, integration and validation of Safety-Related Electrical, Electronic, and Programmable Electronic control systems (SRECS) for machinery. It does not define requirements for the performance of non-electrical (e.g. hydraulic, mechanical, pneumatic) safety-related control elements for machinery.
Relationship
Relationship of Current Standards (figure):
IEC 61508, Functional safety of Electrical/Electronic/Programmable Electronic safety-related systems: the basic standard, covering process, machinery and software (electrical, electronic and programmable technology).
IEC 61511: process sector implementation of IEC 61508.
IEC 61508-3: software.
IEC 62061: machinery (electrical, electronic and programmable technology), derived from IEC 61508.
EN 954-1, Safety related parts of control systems: machinery (all technologies), succeeded by ISO 13849-1:2006.
Overview of ISO 13849-1
Builds on the familiar Categories from EN 954-1, but goes beyond the qualitative approach of EN 954-1 to include a quantitative assessment of each safety function. It examines complete safety functions, including all the components involved in their design. A (qualitative) risk assessment process produces a performance requirement, the required Performance Level (PLr), for each safety function. Achieving a PL builds on the requirements of the Categories and is based on a designated architecture and a designated mission time. Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance. The Performance Level achieved by each safety function must be verified against its PLr; examples of the calculation are provided in the standard.
Overview of IEC 62061
Represents a sector-specific standard under IEC 61508. It is based on a lifecycle concept, and covers only electrical, electronic and programmable electronic control systems on machinery. A (qualitative) risk assessment process produces a performance requirement, the Safety Integrity Level (SIL), for each safety function. Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance. The SIL achieved by each safety function must be verified against the SIL required; examples of the calculation are provided in the standard.
Choice of Standard
Which Standard should I follow?
In general terms, if you are familiar with the use of the Categories from EN 954-1 and use relatively straightforward conventional safety functions then ISO 13849-1 is probably the best choice. If you are specifically required to use SIL, or if your application uses complex multi-conditional safety functionality then IEC 62061 may be the most suitable. Keep in mind that ISO 13849-1 covers all technologies whereas IEC 62061 only covers electrical and electronic systems.
Holistic Approach
Whichever standard is chosen, a holistic Safety Strategy (risk management process) must be followed to ensure that the performance of the safety functions can be directly linked to the risk reduction requirements determined during Hazard Identification and Risk Assessment activities.
User Safety Strategy
User Safety Strategy (the risk assessment steps follow EN 1050 | ISO 14121):
Risk Assessment:
  Identify all machines
  Determine machine limits (each machine)
  Identify tasks (each machine)
  Identify hazards (each task)
  Estimate risk (each hazard): severity of potential injury, probability of its occurrence, frequency of exposure, probability of injury
Risk Control:
  Reduce risk (each hazard): eliminate or reduce the hazard; install protective equipment; procedures / training / PPE
  Determine the required performance, Cat/PLr/SIL (each safety function)
  Design safety functions (vendor or integrator)
  Evaluation (each safety function)
Risk Assessment ISO 13849-1
ISO 13849-1 Risk Assessment: risk graph from Annex A of EN ISO 13849-1, used to determine the Performance Level required (PLr) for each safety function.
Parameters:
  S, Severity of injury: S1 slight (normally reversible injury); S2 serious (normally irreversible injury, including death).
  F, Frequency and/or exposure time to the hazard: F1 seldom to less often and/or the exposure time is short; F2 frequent to continuous and/or the exposure time is long.
  P, Possibility of avoiding the hazard or limiting the harm: P1 possible under specific conditions; P2 scarcely possible.
Starting at START, the path S -> F -> P ends at the PLr, from a (low risk) to e (high risk):
  S1 F1 P1: a    S1 F1 P2: b    S1 F2 P1: b    S1 F2 P2: c
  S2 F1 P1: c    S2 F1 P2: d    S2 F2 P1: d    S2 F2 P2: e
Performance Level Verification
ISO 13849-1: factors to consider when verifying the performance (PL) of each safety function against the PLr obtained from the risk graph:
  Cat: Category (designated architecture)
  MTTFd: Mean Time To Dangerous Failure
  DC: Diagnostic Coverage
  CCF (β): susceptibility to Common Cause Failure
  Tm: mission time
  B10d: for elements that suffer from wear, the mean number of cycles until 10% of the components fail dangerously (used to calculate the MTTFd of such components)
Performance Level Verification
PL Verification: determination of PL from Figure 6 of ISO 13849-1 (bar chart, not reproduced). The figure plots the achievable PL, a to e, for each designated architecture (Category B DCavg = 0, Category 1 DCavg = 0, Category 2 DCavg = low, Category 2 DCavg = medium, Category 3 DCavg = low, Category 3 DCavg = medium, Category 4 DCavg = high) against the MTTFd of each channel (low, medium, high).
Performance Level Verification (simplified)
PL Verification (simplified): determination of PL from Table 7 of ISO 13849-1. Rows are the designated architectures, columns the MTTFd of each channel (low: 3 to 10 years; medium: 10 to 30 years; high: 30 to 100 years); DCavg bands are none (< 60%), low (60% to 90%), medium (90% to 99%) and high (>= 99%). "-" means the combination is not covered by the simplified procedure.
Category  DCavg    MTTFd low  MTTFd medium  MTTFd high
B         none     a          b             -
1         none     -          -             c
2         low      a          b             c
2         medium   b          c             d
3         low      b          c             d
3         medium   c          d             d
4         high     -          -             e
Risk Assessment IEC 62061
IEC 62061 Risk Assessment (tables from Annex A of IEC 62061): a class Cl is scored from three parameters and combined with the severity Se to give the SIL required for each safety function.
Cl = Fr + Pr + Av
Fr, frequency and duration of exposure: <= 1 h: 5; > 1 h to 1 day: 5; > 1 day to 2 weeks: 4; > 2 weeks to 1 year: 3; > 1 year: 2
Pr, probability of the hazardous event: very high 5; likely 4; possible 3; rarely 2; negligible 1
Av, probability of avoiding or limiting harm: impossible 5; rarely 3; probable 1
Se, severity of consequence: death, losing an eye or arm 4; permanent injury, losing fingers 3; reversible, medical attention 2; reversible, first aid 1
SIL assignment (rows Se, columns Cl):
Se   Cl 3-4   Cl 5-7   Cl 8-10  Cl 11-13  Cl 14-15
4    SIL 2    SIL 2    SIL 2    SIL 3     SIL 3
3    (OM)     (OM)     SIL 1    SIL 2     SIL 3
2    -        -        (OM)     SIL 1     SIL 2
1    -        -        -        (OM)      SIL 1
OM = other measures recommended.
The SIL required for each safety function is then verified against the SIL achieved by the design.
Risk Estimation IEC62061
Risk Assessment Form (blank form image, not reproduced)
Risk Estimation IEC62061
Estimate the Frequency of Exposure: Table A.2 Frequency and duration of exposure (Fr) classification
Frequency of exposure        Fr (duration > 10 min)
<= 1 h                       5
> 1 h to 1 day               5
> 1 day to 2 weeks           4
> 2 weeks to 1 year          3
> 1 year                     2

Risk Estimation IEC62061
Estimate the Probability of Occurrence: Table A.3 Probability (Pr) classification
Probability of occurrence    Pr
Very high                    5
Likely                       4
Possible                     3
Rarely                       2
Negligible                   1

Risk Estimation IEC62061
Estimate the Probability of Avoiding or Limiting Harm: Table A.4 Probability of avoiding or limiting harm (Av) classification
Probability of avoidance     Av
Impossible                   5
Rarely                       3
Probable                     1

Risk Estimation IEC62061
Estimate the Severity of the Consequence: Table A.1 Severity (Se) classification
Consequences                                                  Se
Irreversible: death, losing an eye or arm                     4
Irreversible: broken limb(s), losing finger(s)                3
Reversible: requiring attention from a medical practitioner   2
Reversible: requiring first aid                               1
Risk Estimation IEC62061
Determining the SIL Requirement: worked example from the slide, hazard CRUSHING. Fr = 5, Pr = 5 and Av = 3 give Cl = 5 + 5 + 3 = 13, which falls in the Cl 11-13 column of the SIL assignment table; the SIL required then follows from the severity row (Se 4: SIL 3; Se 3: SIL 2; Se 2: SIL 1; Se 1: OM).
SIL Verification IEC 62061
IEC 62061: factors to consider when verifying the performance (SIL) of each safety function against the SIL required from the Annex A tables:
  PFHd: Probability of Dangerous Failure per Hour
  DC: Diagnostic Coverage
  CCF (β): susceptibility to Common Cause Failure
  T1: lifetime (proof test interval or lifetime of the subsystem)
  T2: diagnostic test interval
  HFT: Hardware Fault Tolerance
  SFF: Safe Failure Fraction
  λ: failure rate; or B10d for elements suffering from wear
(Tables from Annex A of IEC 62061.)
SIL Verification
SIL Verification (simplified): the Safety Instrumented Function (SIF) is split into subsystems, and the PFHd of the whole function is the sum of the subsystem values:
Sensor subsystem PFHd(s) -> Logic solver subsystem PFHd(ls) -> Final element subsystem PFHd(fe)
PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe)
The SIL achieved then follows from the PFHd band: PFHd >= 10^-5: no SIL; 10^-6 <= PFHd < 10^-5: SIL 1; 10^-7 <= PFHd < 10^-6: SIL 2; 10^-8 <= PFHd < 10^-7: SIL 3.
PL : SIL Relationship
Relationship between PL and SIL, via the probability of a dangerous failure per hour (PFHd):
Performance Level (ISO 13849-1)   PFHd (per hour)              Safety Integrity Level (IEC 62061)
a                                 10^-5 <= PFHd < 10^-4        none
b                                 3x10^-6 <= PFHd < 10^-5      SIL 1
c                                 10^-6 <= PFHd < 3x10^-6      SIL 1
d                                 10^-7 <= PFHd < 10^-6        SIL 2
e                                 10^-8 <= PFHd < 10^-7        SIL 3
Summary
ISO 13849-1: 2006: simpler methodology; builds on the Categories; more constraints; system based; applies to all technologies.
IEC 62061: relatively complex methodology; more flexibility; fewer constraints; simplified modularity via subsystems; applies only to electrical technology.
Can the system be designed simply using the designated architectures? Or will the system include technologies other than electrical? If the answer to either question is YES, it is probably most appropriate to use ISO 13849-1: 2006.
Are there complex safety functions, e.g. depending on logic decisions? Or will the system require complex or programmable electronics to a high level of integrity? If the answer to either question is YES, it is probably most appropriate to use IEC 62061.
Benefits of Compliance
Compliance with Standards has Benefits:
As a Supplier: compliance with relevant machine safety legislation; easier entry into overseas markets.
As a Buyer: knowledge that the machine is built with an adequate level of safety; the required safety performance is achieved, not too much (unnecessary cost) and not too little (doubt about safety); reduced repair time and fewer unnecessary stoppages.
As a User/Operator: knowledge that the machine is safe to work with and provides a better operational work environment; more comfortable with the machine, higher productivity; less waste material and more consistent quality.
Moving Ahead
What should I do now? The ideal first step is to read both standards in order to understand their requirements and implications. Perhaps the most daunting aspect of both standards is the fact that they require calculations based on reliability data that the safety component manufacturers should supply. Help is available in the form of information booklets and software tools for calculations. The BGIA in Germany provides a comprehensive calculation tool for EN ISO 13849-1 called SISTEMA. It is available free from the BGIA website.
If you design and build machines and have used EN 954-1 as the guidance standard to demonstrate compliance, you will be required to recertify your machines' safety-related control systems to the new functional safety standards, ISO 13849-1 or IEC 62061, or directly to the Machinery Directive.
Questions
THANK YOU. QUESTIONS?
The FSE Global Advantage: Defining Best Practice in Process & Machine Safety
Safety Management / Risk Management: PHA / HAZOP, Risk Assessment, PL/SIL Determination / LOPA, Safety Requirement Specification, PL/SIL Verification
Safety Training / Workshops: ISA Certification Courses, Functional Safety Courses, Safety Lifecycle Courses, PL/SIL Determination / LOPA, PL/SIL Verification
Safety Management Systems: Safety Management Planning, Safety Lifecycle Templates, Safety Compliance Audits, Safety Case Development