Functional Safety
DM6011 Automated System Design
Dr Eoin Hinchy
(Some!) Standards for safety
• IEC 61508 – Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
• ISO 13849 – Safety of machinery — Safety-related parts of control systems
• IEC 62061 – Safety of machinery – Functional safety of safety-related control systems
• ISO 12100:2010 – Safety of machinery – Risk assessment and risk reduction
• ISO 13850:2015 – Safety of machinery — Emergency stop function — Principles for design
• ISO 13855:2010 – Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body
• ISO 13857:2019 – Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs
Introduction: Machinery Directive 2006/42/EC
• According to the Machinery Directive a machine is:
“An assembly, fitted with or intended to be fitted with a drive system other than directly applied human or animal effort, consisting of linked parts or components, at least one of which moves, and which are joined together for a specific application”
• IEC 61508-4:2010 discusses functional safety
CE Marking
A CE Mark is a symbol that must be affixed to many products before they can be sold on the European market. The mark indicates that a product:
• Fulfils the requirements of relevant European product directives
• Meets all the requirements of the relevant recognized European harmonized performance and safety standards
• Is fit for its purpose and will not endanger lives or property
• A sensor, something to decide that it is a finger rather than wood, and an output actuator => a safety function
IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
IEC 61508
• IEC 61508-0 introduces the idea of Functional Safety
• What is safety?
This is freedom from unacceptable risk of physical injury or of damage to
the health of people, either directly, or indirectly as a result of damage to
property or to the environment.
IEC 61508
• IEC 61508-0 introduces the idea of Functional Safety
• What is Functional Safety?
Functional safety is part of the overall safety that depends on a system or
equipment operating correctly in response to its inputs.
e.g. an overtemperature protection device in a motor which de-energises
the motor before it overheats (functional safety)
IEC 61508
• “Safety related” describes systems that must perform a function to ensure
risks are kept at an acceptable level
• Such functions are called safety functions
• For functional safety, there are two types of requirements:
1. Safety function requirement (Hazard analysis)
• i.e. What the function does
2. Safety integrity requirements (risk assessment)
• i.e. The likelihood of the function being performed satisfactorily
IEC 61508: Safety Integrity
• Safety Integrity is defined as “The probability of a Safety Instrumented Function (SIF) satisfactorily performing the required safety functions under all stated conditions within a stated period of time”.
• A Safety Instrumented Function (SIF) is typically defined as a function to be implemented “which is intended to achieve or maintain a safe state for the Equipment under Control (EUC), in respect of a specific hazardous event”.
• A Safety Instrumented System (SIS) is designed to prevent or mitigate hazardous events by taking a process to a safe state when predetermined conditions are violated.
IEC 61508: Scenario
• Machine with a spinning blade, covered by a protective cover
• The blade needs to be cleaned by lifting the protective cover
• The cover is interlocked so that when it is lifted the blade motor is de-energised and the brake is applied
Interlocked?
Interlocks
• An interlock is a device that is connected to another device to prevent
unintended actions.
IEC 61508: Scenario
• Hazard Analysis: Cleaning the blade
  • How much can the cover be lifted before the blade stops?
  • What is the stopping time when the cover is lifted?
• Risk Assessment: Cleaning the blade
  • Aim to ensure that the safety integrity of the safety function is sufficient to ensure that no person is exposed to unacceptable risk
IEC 61508: E/E/PE Safety
• E/E/PE = Electrical and/or Electronic and/or Programmable Electronic safety
• E/E/PE safety-related examples include:
  • emergency shut-down system in a hazardous chemical process plant;
  • crane safe load indicator;
  • railway signalling system;
  • guard interlocking and emergency stopping systems for machinery;
  • fly-by-wire operation of aircraft flight control surfaces;
Safety Integrity Levels (SIL)
IEC 61508: Safety Integrity Levels (SIL)
• There are different levels of safety performance for a safety function called
Safety Integrity Levels (SIL)
• Safety Systems use a classification level based on risk and probability
• There are 4 levels of SIL
SIL1 SIL2 SIL3 SIL4
Safety Integrity Level 1 (SIL 1)
• Integrity required to avoid minor incidents
Safety Integrity Level 2 (SIL 2)
• Integrity required to avoid more serious but limited incidents
• Some may result in serious injury (or death)
Safety Integrity Level 3 (SIL 3)
• Integrity required to avoid very serious incidents
• Some may result in a number of fatalities and/or serious injuries
Safety Integrity Level 4 (SIL 4)
• SIL 4 is dedicated to catastrophic events possible in the process industry
SIL     Probability of Failure on Demand (PFD)   Risk Reduction Factor
SIL 4   10^-5 ≤ PFD < 10^-4                      100,000 to 10,000
SIL 3   10^-4 ≤ PFD < 10^-3                      10,000 to 1,000
SIL 2   10^-3 ≤ PFD < 10^-2                      1,000 to 100
SIL 1   10^-2 ≤ PFD < 10^-1                      100 to 10
The higher the SIL, the lower the probability of the safety system failing.
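The following Python is an added worked example, not material from the lecture: it encodes the SIL bands of the table above as a lookup, reports the risk reduction factor (RRF = 1/PFD, which is where the table's right-hand column comes from), and checks a quoted PFD against the SIL a risk assessment demands. The function names and the three sample PFD values are my own.

```python
# Added example (not from the lecture slides): classify a safety function's
# average probability of failure on demand (PFD) into the IEC 61508 SIL bands
# tabulated above and report the risk reduction factor (RRF), which is 1/PFD.

# (SIL, lower bound inclusive, upper bound exclusive) -- values from the slide's table.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def sil_for_pfd(pfd: float):
    """Return the SIL (1..4) whose band contains pfd.

    Returns None when pfd is 0.1 or worse (no SIL can be claimed) and also when
    pfd is below 1e-5: IEC 61508 defines no band better than SIL 4, so the
    function does not invent one."""
    if pfd <= 0.0:
        raise ValueError("PFD must be a positive probability")
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD: by how much the safety function reduces the unprotected risk."""
    return 1.0 / pfd


def meets_required_sil(pfd: float, required_sil: int) -> bool:
    """True when the achieved SIL is at least the SIL demanded by the risk assessment."""
    achieved = sil_for_pfd(pfd)
    return achieved is not None and achieved >= required_sil


if __name__ == "__main__":
    # Constructed sample: PFD figures a vendor might state for three candidate devices.
    for name, pfd in [("interlock A", 4.0e-3), ("interlock B", 6.0e-4), ("interlock C", 0.25)]:
        print(f"{name}: PFD={pfd:g}  SIL={sil_for_pfd(pfd)}  "
              f"RRF={risk_reduction_factor(pfd):.0f}  meets SIL2? {meets_required_sil(pfd, 2)}")
```

The band check is half-open (lower bound inclusive, upper bound exclusive), so a PFD of exactly 10^-4 counts as SIL 3, not SIL 4.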
Let's look at some Safety Devices: RS Online
• Sick S3000 Series Laser Scanner
• Banner SLL Series Light Curtain, 23 mm
• Sick S300 Series Laser Scanner
• Pilz Dual-Channel Safety Switch
Why not just specify everything at SIL4?
Specifying everything SIL4?
• SICK SIL1 Light Curtain, 30 mm: €235
• Banner SIL3 Light Curtain, 23 mm: €5,560
COST!
Determining Safety Integrity Level
• When designing a safety system, the required level of safety needs to be appropriate
• A Safety Matrix is used to determine the appropriate safety integrity level.
• This matrix will look at each of the risks, and attach a probability and consequence to
each to determine SIL.
IEC 61508: Scenario
• When the hinged cover is lifted by 5 mm or more, the motor shall be de-energised and the brake activated so that the blade is stopped within 1 s. The safety integrity level of this safety function shall be SIL2.
• In this example, the E/E/PE safety-related system includes the guard interlock switch, the electrical circuit, contactors, the motor and the brake
E/E/PE = electrical and/or electronic and/or programmable electronic
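As an added example (my own code, not from the lecture), here is a discrete-time model of the blade-guard safety function just specified. The 5 mm lift threshold and the 1 s stopping limit are the slide's numbers; the 10 ms controller scan, the 3000 rpm blade speed, the constant-deceleration brake model and the lift profile are assumptions introduced so the model can run. The point it shows is that the specification is verified against the whole stopping chain: a weaker brake makes the same interlock logic fail the 1 s requirement.

```python
# Added example, not part of the lecture: a discrete-time model of the
# interlocked blade-guard safety function specified above. The 5 mm lift
# threshold and the 1 s stopping requirement are the slide's numbers; the
# 10 ms controller scan, 3000 rpm blade speed and constant brake deceleration
# are assumptions made to let the model run.

LIFT_THRESHOLD_MM = 5.0     # from the specification on the slide
MAX_STOP_TIME_S = 1.0       # from the specification on the slide
SCAN_S = 0.01               # assumed safety-controller scan period


def interlock_outputs(cover_lift_mm: float) -> dict:
    """Safety logic for one scan: lift at or beyond the threshold de-energises
    the motor and applies the brake; below it the motor may stay energised."""
    lifted = cover_lift_mm >= LIFT_THRESHOLD_MM
    return {"motor_energised": not lifted, "brake_applied": lifted}


def simulate_stop(lift_profile, initial_rpm=3000.0, brake_decel_rpm_per_s=4000.0):
    """Run the controller over lift_profile (cover lift in mm, one value per scan).

    Returns (stop_time_s, within_spec). stop_time_s is measured from the first
    scan at which the guard is at/over the threshold to the scan in which the
    blade reaches 0 rpm. (None, False) means the blade never stopped inside the
    supplied profile, which is itself a failed test."""
    rpm = initial_rpm
    trigger_t = None
    for i, lift in enumerate(lift_profile):
        t = i * SCAN_S
        out = interlock_outputs(lift)
        if out["brake_applied"]:
            if trigger_t is None:
                trigger_t = t
            # Assumed brake model: constant deceleration while the brake is applied.
            rpm = max(0.0, rpm - brake_decel_rpm_per_s * SCAN_S)
            if rpm <= 0.0:
                stop_time = (i + 1) * SCAN_S - trigger_t  # brake acted during this scan
                return stop_time, stop_time <= MAX_STOP_TIME_S
    return None, False


def make_lift_profile(closed_scans=20, mm_per_scan=1.0, max_lift_mm=30.0, total_scans=300):
    """Constructed input: cover closed, then lifted steadily and held open."""
    profile = [0.0] * closed_scans
    for i in range(1, total_scans - closed_scans + 1):
        profile.append(min(max_lift_mm, i * mm_per_scan))
    return profile


if __name__ == "__main__":
    profile = make_lift_profile()
    for decel in (4000.0, 2000.0):
        stop_time, ok = simulate_stop(profile, brake_decel_rpm_per_s=decel)
        print(f"brake {decel:.0f} rpm/s: stopped in {stop_time:.2f} s -> "
              f"{'OK' if ok else 'FAILS 1 s limit'}")
```

With the assumed 4000 rpm/s brake the blade stops 0.75 s after the cover passes 5 mm; halving the braking rate gives 1.5 s, so the safety function no longer meets its specification even though the interlock switch and logic are unchanged.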
Determining Safety Integrity Level (IEC 61508-5)
Risk Classification: Table C2 (rows: frequency of the hazardous event; columns: consequence)
Frequency     Catastrophic   Critical   Marginal   Negligible
Frequent      I              I          I          II
Probable      I              I          II         III
Occasional    I              II         III        III
Remote        II             III        III        IV
Improbable    III            III        IV         IV
Incredible    IV             IV         IV         IV
Risk Interpretation
Class I    Intolerable risk
Class II   Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
Class III  Tolerable risk if the cost of risk reduction would exceed the improvement gained
Class IV   Negligible risk
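The Table C2 lookup as an added Python example (my own code, not from the slides). The matrix entries and class interpretations are copied from the table above; the hazard register it is run over is constructed for illustration, and the function names are mine. The point is that the matrix is a deterministic lookup, so a risk register can be triaged automatically and any label outside the standard's vocabulary is rejected rather than silently mapped.

```python
# Added example (not from the slides): the IEC 61508-5 Table C2 risk
# classification above as a lookup, plus a small triage helper that ranks a
# hazard list by class. The matrix entries and class meanings are copied from
# the table; the sample hazard list below is constructed for illustration.

CONSEQUENCES = ("Catastrophic", "Critical", "Marginal", "Negligible")

# Row = frequency of the hazardous event, columns in CONSEQUENCES order.
RISK_MATRIX = {
    "Frequent":   ("I",   "I",   "I",   "II"),
    "Probable":   ("I",   "I",   "II",  "III"),
    "Occasional": ("I",   "II",  "III", "III"),
    "Remote":     ("II",  "III", "III", "IV"),
    "Improbable": ("III", "III", "IV",  "IV"),
    "Incredible": ("IV",  "IV",  "IV",  "IV"),
}

INTERPRETATION = {
    "I":   "Intolerable risk",
    "II":  "Undesirable risk, tolerable only if risk reduction is impracticable "
           "or its cost is grossly disproportionate to the improvement gained",
    "III": "Tolerable risk if the cost of risk reduction would exceed the improvement gained",
    "IV":  "Negligible risk",
}

CLASS_ORDER = {"I": 0, "II": 1, "III": 2, "IV": 3}


def risk_class(frequency: str, consequence: str) -> str:
    """Look up the risk class; unknown labels raise rather than silently defaulting."""
    if frequency not in RISK_MATRIX:
        raise ValueError(f"unknown frequency {frequency!r}")
    if consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence {consequence!r}")
    return RISK_MATRIX[frequency][CONSEQUENCES.index(consequence)]


def triage(hazards):
    """hazards: iterable of (name, frequency, consequence).
    Returns a list of (name, class, interpretation) ordered worst class first."""
    rows = [(name, risk_class(f, c)) for name, f, c in hazards]
    rows.sort(key=lambda r: CLASS_ORDER[r[1]])  # stable: ties keep register order
    return [(name, cls, INTERPRETATION[cls]) for name, cls in rows]


if __name__ == "__main__":
    # Constructed sample hazard register for the blade-cleaning scenario.
    sample = [
        ("contact with spinning blade during cleaning", "Occasional", "Critical"),
        ("motor overtemperature", "Remote", "Marginal"),
        ("ejected swarf in eyes", "Probable", "Marginal"),
    ]
    for name, cls, meaning in triage(sample):
        print(f"Class {cls:<3} {name}: {meaning}")
```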
ISO 13849: Safety of machinery — Safety-related parts of control systems
Scope:
ISO 13849 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions.
ISO 13849: Risk reduction
• Determine limits of the machine
• Identify hazards
• Risk estimation
• Risk evaluation
• Risk reduction as per ISO 12100: by design, by safeguarding, by information
ISO 13849: Performance Levels (PL)
PL   Average probability of dangerous failures per hour
a    ≥ 10^-5 to < 10^-4        (0.001% to 0.01%)          higher probability
b    ≥ 3 × 10^-6 to < 10^-5    (0.0003% to 0.001%)
c    ≥ 10^-6 to < 3 × 10^-6    (0.0001% to 0.0003%)
d    ≥ 10^-7 to < 10^-6        (0.00001% to 0.0001%)
e    ≥ 10^-8 to < 10^-7        (0.000001% to 0.00001%)    lower probability
ISO 13849: Performance Levels (PL)
• The performance level (PL) is a value used to define the ability of
safety-related parts of control systems to perform a safety
function under foreseeable conditions.
• On the other hand, the required performance level (PLr) is used
to achieve the required risk reduction for each safety function.
• Therefore, the performance level (PL) of safety-related parts of a
control system must be equal to or higher than the required
performance level (PLr).
ISO 13849: Required Performance Levels (PLr)
PLr  Average probability of dangerous failures per hour
a    0.001% to 0.01%
b    0.0003% to 0.001%
c    0.0001% to 0.0003%
d    0.00001% to 0.0001%
e    0.000001% to 0.00001%
Scenario 1: Safety limit switch fails, resulting in snapping of the cutting tool and damage to the part. No injury to persons.
Scenario 2: Safety valve fails, resulting in overheating of the reactor, plant meltdown, widescale serious injury and environmental damage.
ISO 13849: Determining Required Performance Levels (PLr)
1. Severity of injury (S1, S2)
   S1. Slight
   S2. Severe (irreversible injury and death)
2. Frequency (F1, F2)
   F1. Seldom to less often
   F2. Frequent to continuous
3. Possibility of avoiding the hazard (P1, P2)
   P1. Possible under specific conditions
   P2. Scarcely possible
ISO 13849: Performance Levels (PL) and SIL
PL (ISO 13849)   SIL (IEC 61508-1)
a                No correspondence
b                1
c                1
d                2
e                3
• SIL 4 is dedicated to catastrophic events possible in the process industry, not relevant to risk at machines
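An added Python example (my own, not the lecture's material) that ties together three of the slides above: the PL bands (probability of dangerous failure per hour, PFHd), the S/F/P parameters used to find the required PL, and the PL-to-SIL correspondence. The PFHd bands and the PL/SIL table are the slides' own values. The S/F/P-to-PLr mapping is the ISO 13849-1 Annex A risk graph as I know it; the slide lists the parameters but not the resulting PLr, so treat that dictionary as an assumption to be checked against the standard. Function names and the worked case are mine.

```python
# Added example (not the lecture's own material). PFHd bands and the PL/SIL
# mapping are the slides' values. The S/F/P -> PLr mapping is the ISO 13849-1
# Annex A risk graph as I know it (assumption: not on the slide), so verify it
# against the standard before relying on it.

# (PL, lower bound inclusive, upper bound exclusive) in dangerous failures per hour
PL_BANDS = [
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
]

PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}   # from the slide's table

# ISO 13849-1 risk graph (assumed from the standard, not on the slide):
# key = (severity S, frequency F, avoidance P) with 1 = lower, 2 = higher.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

PL_RANK = {pl: i for i, pl in enumerate("abcde")}


def pl_for_pfhd(pfhd: float):
    """Return the PL letter whose band contains pfhd, else None (outside a..e)."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def required_pl(s: int, f: int, p: int) -> str:
    """PLr from the S/F/P risk graph; parameters must each be 1 or 2."""
    key = (s, f, p)
    if key not in RISK_GRAPH:
        raise ValueError("S, F and P must each be 1 or 2")
    return RISK_GRAPH[key]


def pl_meets_plr(pl: str, plr: str) -> bool:
    """The achieved PL must be equal to or higher than the required PLr."""
    return PL_RANK[pl] >= PL_RANK[plr]


def sil_equivalent(pl: str):
    """SIL corresponding to a PL per the slide's table (None for PL a)."""
    return PL_TO_SIL[pl]


if __name__ == "__main__":
    # Constructed case: severe injury possible (S2), frequent exposure (F2),
    # hazard scarcely avoidable (P2); candidate SRP/CS has PFHd = 5e-7 per hour.
    plr = required_pl(2, 2, 2)
    pl = pl_for_pfhd(5e-7)
    print(f"PLr={plr}, achieved PL={pl} (SIL {sil_equivalent(pl)}), "
          f"adequate: {pl_meets_plr(pl, plr)}")
```

Note that the comparison is ordinal on the PL letters, which is exactly the "PL must be equal to or higher than PLr" rule stated two slides earlier; a PL d part (SIL 2 equivalent) is not adequate where the risk graph demands PL e.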
ISO 13849: MTTFD
• Mean time to dangerous failure of a channel (MTTFD)
• It is an expectation of the mean time to dangerous failure of the whole or part of a safety-related system.
• The MTTFD is given for each channel, such as “I” (input device), “L” (logic), and “O” (output device). The three denotations shown in the table to the right are provided in ISO 13849-1.
IEC 62061: Safety of machinery – Functional safety of safety-related control systems
Characteristics of IEC 62061
• More suitable for programmable systems than ISO 13849, but not as simple to apply as ISO 13849
• A similar development flow and terminology to IEC 61508
• Uses SIL terminology and the same HFT (hardware fault tolerance) metrics as IEC 61508
• What this achieves:
  • Allows developers of a power drive system to know that all the requirements of IEC 61508 that are necessary for a power drive system have been met
  • For a user, it facilitates the incorporation of a power drive system into a safety-related control system according to IEC 61508
Risk graph approach of IEC 62061
ISO 12100: Safety of machinery — General principles for design — Risk assessment and risk reduction
ISO 12100
Strategy for risk assessment:
1. Determine limits of machinery and potential misuse
2. Identify hazards and hazardous situations
3. Estimate the risk for each hazard
4. Evaluate the risk and take decisions about risk reduction
5. Eliminate the hazard using protective measures
Steps 1-4 relate to risk assessment; step 5 relates to risk reduction.
ISO 12100
[Figure: RISK related to the considered hazard is a function of (a) the severity of harm that can result from the hazard and (b) the probability of occurrence of that harm, which depends on the exposure of the person to the hazard, the occurrence of the hazardous event, and the possibility to avoid or limit the harm.]
ISO 12100
[Figure: severity of harm that can result from the hazard, graded as slight, serious, or death.]
Hazards and Risks
• Hazard is present, but there is no chance of harm
• Hazard is present, and there is a chance of harm
ISO 12100: Exposure to hazards
The exposure of a person to a hazard influences the possibility
of occurrence of harm. Factors to be included when estimating
exposure include:
• Need for access
• Nature of access (manual
feeding of materials)
• Time spent in hazard zone
• Number of persons requiring
access
• Frequency of access
ISO 12100: Occurrence of hazardous event
The occurrence of a hazardous event influences the probability of
occurrence of harm. Factors to be taken into account when
estimating the occurrence of a hazardous event are, among others:
• Reliability and statistical data
• Accident history
• History of damage to health
• Comparison of risks
ISO 12100: Possibility of avoiding or limiting harm
How can we avoid or limit harm?
• Person's exposure:
  • Skilled vs unskilled
• How quickly harm can happen:
  • Suddenly
  • Quickly
  • Slowly
• Awareness of risk:
  • Direct observation
  • Warning signs or devices
  • Operator experience
ISO 12100: Table B.2 Examples of hazards
ISO 12100: Examples of hazardous situations
• Some examples of hazardous situations are:
a) work near moving parts,
b) exposure to ejection of parts,
c) work underneath a load,
d) work near objects or materials at extreme temperatures, and
e) exposure of the worker to hazards generated by noise.
ISO 13850:2015
Safety of machinery — Emergency stop function —
Principles for design
• According to ISO 13850:2015, an emergency stop (e-stop) is a manually actuated control device used to initiate an emergency stop function.
• Its purpose is to avert actual or impending emergency situations arising from unexpected hazardous events
• When activated:
  • The e-stop shall be maintained until manually reset
  • It shall not be possible to restart the machine while the e-stop is active
  • The e-stop has to be reset by a human
ISO 13850:2015 Safety of machinery — Emergency stop function — Principles for design
• E-stops are a complementary protective measure
  • Not a substitute for other safeguarding
• E-stops shall not impair the effectiveness of other safety functions
  • What “other” safety functions? E.g. continuous operation of:
    • Magnetic chucks
    • Braking devices
ISO 13850:2015 Safety of machinery — Emergency stop function — Stop categories
• Stop category 0:
  • Immediate removal of power using safety relays
  • Blocking the fluid power supply to hydraulics/pneumatics
• Stop category 1:
  • Deceleration of motion, then removal of power once motion has ceased
ISO 13850:2015 Safety of machinery — Emergency stop function — Restarting
• Disengagement (unlatching) of the e-stop can only be done by a human
• Unlatching will not restart the machine, but allows the restart function to be initiated by a human
ISO 13850:2015 Safety of machinery — Emergency stop function — Hardware
• E-stop hardware can include:
  • Push buttons
  • Wires, ropes, bars
  • Handles
  • Foot pedals without a protective cover
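The e-stop behaviour set out on the slides above (latched until manually reset, no restart while active, unlatching is not a restart, stop category 0 versus category 1), written as a small state machine. This is an added example of the required logic in my own code, not the lecture's material and not a certified implementation; the state names, method names and the demo event sequence are assumptions of mine.

```python
# Added example, not from the lecture: a state machine for the ISO 13850
# behaviour listed on the slides above (latched until manually reset, no
# restart while active, unlatching does not itself restart, stop category 0
# vs 1). It models the required logic; state and method names are my own.

RUNNING, STOPPING, STOPPED, RESET_READY = "RUNNING", "STOPPING", "STOPPED", "RESET_READY"


class EStopController:
    def __init__(self, stop_category: int):
        if stop_category not in (0, 1):
            raise ValueError("stop category must be 0 or 1")
        self.category = stop_category
        self.state = RUNNING
        self.power_on = True      # power to the machine actuators
        self.latched = False      # e-stop device mechanically latched

    def press(self):
        """Operator actuates the e-stop. It latches whatever the current state."""
        self.latched = True
        if self.category == 0:
            self.power_on = False        # category 0: immediate removal of power
            self.state = STOPPED
        elif self.state == RUNNING:
            self.state = STOPPING        # category 1: decelerate first, power stays on for braking

    def motion_ceased(self):
        """Feedback that motion has stopped; completes a category 1 stop."""
        if self.state == STOPPING:
            self.power_on = False        # category 1: remove power once motion has ceased
            self.state = STOPPED

    def release(self):
        """Manual unlatch by a person. Allowed only once the machine is stopped,
        and it does not restart anything."""
        if self.state == STOPPED:
            self.latched = False
            self.state = RESET_READY
        # If still STOPPING (category 1 before motion ceased) the latch stays.

    def start(self) -> bool:
        """Separate, deliberate restart command. Honoured only after unlatching."""
        if self.state == RESET_READY and not self.latched:
            self.power_on = True
            self.state = RUNNING
            return True
        return False


def run_sequence(controller, events):
    """Apply event names in order; return a trace of (event, state, power_on)."""
    trace = []
    for ev in events:
        getattr(controller, ev)()
        trace.append((ev, controller.state, controller.power_on))
    return trace


if __name__ == "__main__":
    # Constructed demo: category 1 stop where the operator tries to start too early.
    for step in run_sequence(EStopController(1),
                             ["press", "start", "release", "motion_ceased", "start", "release", "start"]):
        print(step)
```

In the demo the two early `start` calls are ignored (still latched), `release` before `motion_ceased` does nothing, and only the final `start`, issued after a deliberate unlatch of a fully stopped machine, re-energises the actuators.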
ISO 13855:2010: Safety of machinery — Positioning of
safeguards with respect to the approach speeds of
parts of the human body
• ISO 13855 establishes the positioning of safeguards
with respect to the approach speeds of parts of the
human body.
• Parameters specified are based on values for
approach speeds of parts of the human body
• It provides a methodology to determine the minimum
distances to a hazard zone from the detection zone or
from actuating devices of safeguards.
ISO 13855:2010: Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body
• The values for approach speeds (walking speed and upper limb movement) in this International Standard are time tested and proven in practical experience.
• Other types of approach, for example running, jumping or falling, are not considered in this International Standard.
Overall system stopping performance: T = t1 + t2
• T = stopping performance
• t1 = time between safeguard trigger and off signal
• t2 = stopping time of the system
ISO 13855:2010: Safety of machinery — Positioning of
safeguards with respect to the approach speeds of
parts of the human body
Safeguards considered in this International Standard include:
a) Electro-sensitive protective equipment [see IEC 61496 (all parts)], including:
• light curtains and light grids (AOPDs);
• laser scanners (AOPDDRs) and two-dimensional vision systems;
b) pressure-sensitive protective equipment (see ISO 13856-1, ISO 13856-2 and ISO
13856-3), especially pressure-sensitive mats;
c) two-hand control devices (see ISO 13851);
d) interlocking guards without guard locking (see ISO 14119).
Note: AOPDs: active opto-electronic protective devices
AOPDDRs active opto-electronic protective devices responsive to diffuse reflection
ISO 13855:2010: Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body
Minimum distance to hazard zone:
S = (K × T) + C
S = minimum distance (mm)
K = parameter derived from data on approach speeds of the body or parts of the body (mm/s)
T = overall system stopping performance (s)
C = intrusion distance (mm)
Note: Intrusion distance: the distance that a part of the body (usually a hand) can move past the safeguard towards the hazard zone prior to actuation of the safeguard
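The formula S = (K × T) + C as an added Python example (my own code, not from the slides), with T built from the t1 + t2 stopping performance shown earlier. The generic function takes K and C directly from the slide's definitions. The light-curtain helper applies the rule for a vertically mounted light curtain with resolution d ≤ 40 mm as I know it from ISO 13855 (K = 2000 mm/s, C = 8 × (d − 14), S not less than 100 mm; if S exceeds 500 mm, recompute with K = 1600 mm/s and S not less than 500 mm); those values are not on the slide, so verify them against the standard before positioning a real guard. The 30 mm and 23 mm resolutions are the curtains named earlier in the lecture; the stopping times are assumed.

```python
# Added example (not part of the lecture): the ISO 13855 minimum-distance
# formula S = K*T + C from the slide, with T = t1 + t2. The light-curtain
# helper's K, C and the 100 mm / 500 mm rules are my recollection of ISO 13855
# (assumption, not on the slide): verify against the standard before use.

def stopping_performance(t1_s: float, t2_s: float) -> float:
    """T = t1 (safeguard trigger to off signal) + t2 (machine stopping time)."""
    if t1_s < 0 or t2_s < 0:
        raise ValueError("times must be non-negative")
    return t1_s + t2_s


def minimum_distance(k_mm_per_s: float, t_s: float, c_mm: float) -> float:
    """S = (K x T) + C, with K in mm/s, T in s, C and S in mm."""
    if k_mm_per_s <= 0 or t_s < 0 or c_mm < 0:
        raise ValueError("K must be positive, T and C non-negative")
    return k_mm_per_s * t_s + c_mm


def light_curtain_distance(resolution_mm: float, t_s: float) -> float:
    """Assumed ISO 13855 rule for a vertical light curtain with resolution <= 40 mm."""
    if resolution_mm > 40:
        raise ValueError("this helper only covers resolutions up to 40 mm")
    c = max(0.0, 8.0 * (resolution_mm - 14.0))   # intrusion allowance grows with coarser resolution
    s = max(100.0, minimum_distance(2000.0, t_s, c))
    if s > 500.0:
        # Beyond 500 mm the standard permits the slower walking-speed K, floor 500 mm.
        s = max(500.0, minimum_distance(1600.0, t_s, c))
    return s


if __name__ == "__main__":
    # Constructed stopping chain: 30 ms curtain response + 70 ms machine stop.
    t = stopping_performance(0.03, 0.07)
    for d in (30.0, 23.0):
        print(f"{d:.0f} mm curtain, T={t:.2f} s -> S = {light_curtain_distance(d, t):.0f} mm")
    # Same curtains on a slower machine (T = 0.5 s) trigger the K = 1600 mm/s branch.
    print(f"30 mm curtain, T=0.50 s -> S = {light_curtain_distance(30.0, 0.5):.0f} mm")
```

For the constructed T = 0.1 s the 30 mm curtain needs 328 mm and the 23 mm curtain 272 mm: finer resolution buys a shorter safety distance, which is one reason the dearer curtain earlier in the lecture is not simply a worse buy. At T = 0.5 s the first pass gives 1128 mm, so the K = 1600 mm/s branch applies and S becomes 928 mm.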
ISO 13857:2019: Safety of machinery — Safety
distances to prevent hazard zones being reached by
upper and lower limbs
• ISO 13857 establishes values for safety distances in
both industrial and non-industrial environments to
prevent machinery hazard zones being reached.
• The safety distances are appropriate for protective
structures.
• It covers people of 14 years and older (the 5th percentile
stature of 14-year-olds is approximately 1 400 mm).
ISO 13857:2019: Safety of machinery — Safety
distances to prevent hazard zones being reached by
upper and lower limbs
• In addition, for upper limbs only, it provides information
for children older than 3 years (5th percentile stature of
3-year-olds is approximately 900 mm) where reaching
through openings needs to be addressed.
• NOTE 1 It is not practical to specify safety distances for
all persons. Therefore, the values presented are
intended to cover the 95th percentile of the population.
• Data for preventing lower limb access for children is not
considered.
ISO 13857:2019:
• 1 area of upper limb reach
• 2 area outside of upper limb reach
(hazard zone)
• hh height of the point of the hazard zone
which is nearest to the area of upper
limb reach
• hps height of protective structure
• sh horizontal safety distance of the point
of the hazard zone which is nearest to
the area of upper limb reach
Summary:
SIL1 SIL2 SIL3 SIL4
• IEC 61508
• ISO 13849
• ISO 12100:2010
• ISO 13850:2015