
FUNCTIONAL SAFETY for MACHINERY

Safer by design OR a technical Banana Skin?

By Robin J Carver

New Family of Standards

Under the EN 61508 family:
Principles for risk assessment - EN 1050 (ISO 14121)
Principles for design - EN ISO 12100
Functional Safety of SRECS for Machinery - EN 62061
Functional Safety of E/E/PE Safety-related Systems - EN 61508 (other industry sectors)
Safety of electrical equipment of machinery - EN 60204-1
Design of safety related parts of machinery control systems - ISO 13849

New Standards for Industry Sectors

EN IEC 61508 Functional Safety, with sector standards:
IEC 61513 Nuclear Industry
prEN 51056 Furnaces
IEC 61511 Process Industry
EN 50126/7/8 Railways
IEC 62061 Machinery

Machinery Standards in with the new

EN ISO 12100
To provide designers with an overall framework and guidance to enable them to produce machines that are safe. Replaced EN 292.

prEN ISO 14121
General principles for Risk Assessment, to replace EN 1050.

EN 60204
Application of electrical & electronic systems to machines, to be updated in 2006.

EN IEC 62061
Requirements for the design, integration & validation of Safety Related Electrical, Electronic & Programmable Electronic Control Systems for Machines.

prEN ISO 13849
Specifies characteristics & categories required for Safety Related Parts of Control Systems (SRP/CS), all technologies.

Machinery Standards out with the old


EN 292
Basic concepts, general principles for design - replaced by EN ISO 12100

EN 1050
General principles for Risk Assessment to be replaced by prEN ISO 14121

EN 60204
Application of electrical & electronic systems to machines to be updated in 2006

EN 954-1
Safety Related Parts of Control Systems may be replaced by prEN ISO 13849

Functional Safety Objectives


Alignment with the strategy for risk reduction
Quantitative rather than Qualitative determination of the performance requirements
Integration of SRP/CS with the process control system
Better Validation of the SRP/CS
Better management of Functional Safety
An ISO 9001:2000 for the design of safety systems ???

Safety systems for Machines


Machines can be dangerous!
Most machines are controlled by logic, sequential etc.

Most machines have one safe stop condition: Category 0 or 1 (EN 60204-1).

Better machine systems?

Acceptance of electronic equipment in safety systems. Use of PLCs, Industrial Computers, etc. More complex safety requirements.

[Figure: two block diagrams, "New functional safety architecture" and "Current peripheral safety architecture". In the current architecture a Standard PLC runs the process (functional) part of the control system and a separate relay-based safety system forms the safety related part, both acting on the Machine. In the new architecture a Safety PLC (to ISO 65108) runs the process control loop with the Safety Related Part of the Control System (SRP/CS) integrated in it.]

Better machine systems?

Example with peripheral safety

[Figure: Set speed into a Speed controller driving a Motor and Load, with Start/Stop; a Safety contactor (C) in the motor circuit is opened by the Guard switch.]

A machine with high inertia normally controlled by a speed controller with dynamic braking. Braking control is lost when the guard is opened.

Better machine systems?

Example with functional safety

[Figure: Set speed into a Speed controller driving a Motor and Load, with Start/Stop; a "Motor not turning" signal releases the Guard lock solenoid.]

A machine with high inertia normally controlled by a speed controller with dynamic braking. The guard may not be opened until the motor has stopped.

The Problem!
I am a control systems engineer with 40 years in the industry working with safety related systems. I am a Chartered Safety Practitioner.

I have spent many hours, days, even weeks trying to understand the requirements. I have tried to apply the Standards.

Which Standard to apply?

The Banana Skin!

Two Standards:
EN 62061 Safety of Machinery: Functional safety of E/E/PE Control Systems. Scope: specifies requirements and makes recommendations for the design, integration & validation of SRECSs for machines.
prEN ISO 13849 Safety of Machinery: Safety related parts of Control Systems. Scope: provides safety requirements & guidance on the principles for the design & integration of SRP/CSs, including the design of application software.

The Banana Skin!

Two Standards:
EN 62061 Safety of Machinery: Functional safety of E/E/PE Control Systems. Safety requirements based on SIL - Safety Integrity Levels, SIL1 (lowest) to SIL3 (highest possible for machinery).
prEN ISO 13849 Safety of Machinery: Safety related parts of Control Systems. Safety requirements based on PL - Performance Levels, PL = a (lowest) to PL = e (highest).

The Banana Skin!

prEN ISO 13849 Safety of Machinery: Safety related parts of Control Systems
Lots of new words:
PL - Performance Level
MTTFd - Mean Time to Dangerous Failure
DC - Diagnostic Coverage
CCF - Common Cause Failure
Category - Defining system architecture (as used in EN 954-1)
SFF - Safe failure fraction

The Banana Skin!


Performance Level (PL)

[Figure: risk graph from Start through the S, F and P branches to the required PL a to e:
S1 Severity of injury - slight / S2 Severity of injury - serious
F1 Frequency of exposure - seldom / F2 Frequency of exposure - frequent
P1 Possibility of avoiding - possible / P2 Possibility of avoiding - scarcely possible]

The Banana Skin!


Mean Time to Dangerous Failure (MTTFd)
Reliability. But what about the operating cycle? To make any sense of MTTFd - Mean Time to Dangerous Failure - for a safety related part of a control system, it must be related to the demand placed upon it!

Some safety relay manufacturers are claiming MTTFd of 650 years (on 7000 uses/year) and 950 years (on 4000 uses/year).

The Banana Skin!


Diagnostic Coverage (DC)
DC is given in 4 levels:
None: DC < 60%
Low: DC = 60% to < 90%
Medium: DC = 90% to < 99%
High: DC > 99%

But how do you determine DC%?
What is the DC% of a relay with forced driven contacts?
What is the DC% of a relay with forced driven contacts with a monitoring contact?
What is the DC% of an Emergency Stop Button with redundant contacts?
What is the DC of its associated wiring? etc. etc.

The Banana Skin!


Put it all together
Determination of required performance and how to achieve it!

[Figure: bar chart of PL a to e (LOW RISK to HIGH RISK) against Category (B, 1, 2, ...); each column is split into MTTFd Low, Med and High bands. Below the columns: DCavg = None, None, Low, Med, Low, Med, High; CCF = Not relevant for Categories B and 1, 65% or better for the others.]

The Banana Skin!


Verification of the system design!
A few examples of the formulas to be applied to each channel of a SRP/CS

The MTTFd for each channel must be calculated. The MTTFd for each system must be calculated.

$$\mathrm{MTTF}_d = \frac{1}{\sum_{j=1}^{N} \dfrac{n_j}{\mathrm{MTTF}_{d,j}}} \quad [\mathrm{y}]$$

$$\mathrm{MTTF}_d = \frac{2}{3}\left[\mathrm{MTTF}_{d,ch1} + \mathrm{MTTF}_{d,ch2} - \frac{1}{\dfrac{1}{\mathrm{MTTF}_{d,ch1}} + \dfrac{1}{\mathrm{MTTF}_{d,ch2}}}\right]$$

The average diagnostic coverage for each system must be calculated.

$$\mathrm{DC}_{avg} = \frac{\dfrac{\mathrm{DC}_1}{\mathrm{MTTF}_{d1}} + \dfrac{\mathrm{DC}_2}{\mathrm{MTTF}_{d2}} + \cdots + \dfrac{\mathrm{DC}_n}{\mathrm{MTTF}_{dn}}}{\dfrac{1}{\mathrm{MTTF}_{d1}} + \dfrac{1}{\mathrm{MTTF}_{d2}} + \cdots + \dfrac{1}{\mathrm{MTTF}_{dn}}}$$

The Banana Skin!


but is there a flaw?
Using the formula to determine the average Diagnostic Coverage for a system:

$$\mathrm{DC}_{avg} = \frac{\dfrac{\mathrm{DC}_1}{\mathrm{MTTF}_{d1}} + \dfrac{\mathrm{DC}_2}{\mathrm{MTTF}_{d2}} + \cdots + \dfrac{\mathrm{DC}_n}{\mathrm{MTTF}_{dn}}}{\dfrac{1}{\mathrm{MTTF}_{d1}} + \dfrac{1}{\mathrm{MTTF}_{d2}} + \cdots + \dfrac{1}{\mathrm{MTTF}_{dn}}}$$

If we add more diagnostics the average is degraded!

A Category 4 system with more diagnostics can be downgraded to a Category 3 system
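As an added worked example (not part of the original slides), the channel MTTFd, two-channel MTTFd and DCavg formulas from the preceding slides coded in Python and applied to constructed component figures, to reproduce the averaging effect the slide describes: adding a monitoring element whose own dangerous failures are not detected pulls DCavg down a band. All MTTFd and DC values and the DC = 0 assumption for the added relay are constructed for illustration; the DC bands are the ones listed on the earlier slide.

```python
# Added example, not from the original slides: the channel MTTFd, two-channel
# MTTFd and DCavg formulas applied to constructed component data.

def mttfd_channel(parts):
    """Channel MTTFd from (n_j, MTTFd_j) pairs: 1/MTTFd = sum(n_j / MTTFd_j)."""
    return 1.0 / sum(n / m for n, m in parts)

def mttfd_two_channel(ch1, ch2):
    """Two channels combined: MTTFd = 2/3 * [ch1 + ch2 - 1 / (1/ch1 + 1/ch2)]."""
    return 2.0 / 3.0 * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))

def dc_avg(components):
    """DCavg from (DC_i, MTTFd_i) pairs: sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    numerator = sum(dc / m for dc, m in components)
    denominator = sum(1.0 / m for _, m in components)
    return numerator / denominator

def dc_level(dc):
    """DC bands as listed on the slide: none < 60%, low < 90%, medium < 99%, high above."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"

# Constructed figures (not from any data sheet): two monitored contactors,
# each with DC 99.5% and MTTFd 100 years.
BASE = [(0.995, 100.0), (0.995, 100.0)]

# Assumption: a monitoring relay is added to provide the diagnostics, but its
# own dangerous failures are detected by nothing, so it enters with DC = 0.
WITH_MONITOR = BASE + [(0.0, 1000.0)]

def compare():
    """Return (DCavg, band) before and after adding the monitoring relay."""
    before, after = dc_avg(BASE), dc_avg(WITH_MONITOR)
    return (before, dc_level(before)), (after, dc_level(after))

if __name__ == "__main__":
    (b, b_band), (a, a_band) = compare()
    print(f"without monitor: DCavg = {b:.3f} ({b_band})")  # 0.995 (high)
    print(f"with monitor:    DCavg = {a:.3f} ({a_band})")  # 0.948 (medium)
    print(f"channel MTTFd: {mttfd_channel([(2, 100.0), (1, 50.0)]):.1f} y")  # 25.0 y
```

The monitoring relay has ten times the MTTFd of the contactors and still drags the weighted average from the high band to medium, because the formula weights each element by its failure rate regardless of whether it contributes to or merely provides the diagnostics.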

And the reaction of most Machine System builders:-

And the result:-

UNSAFE MACHINERY!

The principle of Functional Safety is to be welcomed


The objective is:-

SAFE MACHINERY!
To achieve this the Standards must:
Be clear
Non-conflicting

but above all:
Workable

Thank you for your attention


Robin J Carver
MIEE MinstMC CMIOSH MIIRSM
