Essentials of Machine & Process SafetyStandards in Perspective

Derrin Drew

2

Agenda

● Why Safety● What is risk based design● Legal Framework ● State regulations, national guidelines and standards● Lifecycle Risk Management Process● Risk Assessment

3

Agenda

● Tolerable risk● Safe Design● Definition of Reasonably Practicable● Integrity of a safety system● Approach to the design of safety systems

4

Why Safety?

●Studies indicate 51% of workplace fatalities resulted from injuries from fixed plant and machinery.

●Failure to adequately guard the machine was a factor in 37% of these cases. 69% of cases studies occurred in the manufacturing industry.

●WorkSafe Australia processes 47,000 workplace claims per year for injury from machinery involving 5 or more days off work.

5

6

7

8

Safety st

Research commissioned by the National OH&S Commission (replaced by the Australian Safety and Compensation Council in 2005), examined the contribution that the design of machinery and equipment has on the incidence of fatalities and injuries in Australia. The study indicated that:

● Of the 210 identified workplace fatalities, 77 (37%) definitely or probably had design-related issues involved.

● In another 29 (14%) who identified workplace fatalities, the circumstances were suggestive that design issues were involved.

● Design contributes to at least 30% of work-related serious non-fatal injuries. ● Design-related issues were most prominent in the ‘machinery and fixed plant’

group, and mobile plant and transport’ group. Similar design problems are involved in many fatal incidents.

● Design-related issues were definitely or probably involved in at least 50% of the incidents in the agriculture, trade and mining industries with between 40-50% of the incidents in construction, manufacturing and transport/storage industries.

Solutions already exist for most of the identified design problems (such as seat belts, rollover protection and guarding)

9

● Investing in machine safety● Health & safety for all personnel

●Cut costs associated with:● Physical injuries● Insurance premiums● Lost production, penalties ● …

● Increased productivitydue to the prevention of accidents● Better failure detection● Worker confident at work● Improving maintenance efficiency● …

Protect People and Increase Productivity

10

Machine Safety as Global Concept

●Safety must be taken into account:● already in the design phase● and must be kept in place throughout

all stages of a machine’s life cycle:> Transportation> Installation> Adjustment> Operation, Production> Maintenance> Dismantling

●Safety is necessary to obtain CE mark

Maintenance

Design and production

Installation and implementation

Operation

11

Legal Framework

12

supported by

and

Legal Framework

• The General Duties• Resolution of Issues• Safety and Health Representatives• Safety and Health Committees• Enforcement of Act and Regulations

• Set minimum requirements for specific hazards and work practices

• Reference to National Standards developed by NOSH• Australian Standards developed by Standards Australia• National Standard of Plant

• Codes of Practice • Advisory Standards • National Codes of Practice and National Standards

developed by the NOHSC • Australian Standards developed by Standards Australia

Occupation Safety and Health Act

Occupation Safety and

Health Regulations

GuidanceMaterial

13

What are the national OHS laws?

• Safe Work Australia is developing national model OHS laws. By December 2011, each jurisdiction will be required to enact their own jurisdictional laws that mirror the national model laws.

• The national OHS laws consist of a model OHS Act and model regulations, which will be supported by model Codes of Practice. This package of documents is referred to as model legislation.

14

National Standard of Plant●Application

● The provisions of this national standard apply to designers, manufacturers, importers, suppliers, erectors, installers, employers, self employed persons, and employees with respect to all plant

●Duties & General Requirements● Hazard Identification, Risk Assessment and the Control of Risk, and

relates to all plant.

●Registration of Plant Design & Items of Plant● Evidence of Registration● Notification of Compliance

15

Standardization Institutes

OSHA

ANSI

IEC (electrical standards)

ISO (other standards: mechanical parts...)

CEN (mechanical standards)

CENELEC (electrical standards)

JIS

BSDIN

CEI

SAA

UNE

GOST

NFCSA

UL

SIS

ISO: International Organization for StandardizationIEC: International Electrotechnical Commission CEN: Comité Européen de NormalisationCENELEC: Comité Européen de Normalisation Electrotechnique

(PCB making machines)

16

Standardization Bodies

● All countries use IEC and ISO standards or adapt them locally. ● All the main institutes work jointly with other international organizations.

17

Australia Standards

AS/NZS ISO 31000:2009AS/NZS 4360:2004 has been superseded by AS/NZS ISO 31000:2009,

Type A Type B Type C

Process StandardsAS 3814 / AG501 Industrial andCommercial Gas Fired AppliancesIEC 60079 series of explosive atmosphere standards,FPA / NFPA Refer AS 3000 rather than NFPA 70

Machine Standards AS 1755 Conveyor safety, AS 1418 Cranes, AS 1219 Power presses,AS 2939 Robot CellsAS 3533 Amusement Rides

AS / IEC 61508Functional safety of Electrical,

Electronic and Programmable Electronic safety-related systems

AS / IEC 61511Functional safety

Safety instrumentedsystems for the

process industry sector

AS / IEC 62061Safety of machinery

AS4024Safety of Machinery

ISO 13849Safety of machinery

18

Introduction to IEC-61508● The following image summarizes the existing standards that define the

requirements for functional safety

19

3 Feb. 2010, common sense prevails: Graeme Kirk (Farmer) vs WorkCover* ● Mr Kirk succeeded in having the decision of the Court of Appeal overturned in

the High Court. The offences with which Mr Kirk and the company were charged did not identify the acts or omissions which constituted the alleged offences. Thus no measures which could reasonably practicably have been taken to obviate the risks could be identified and the defendants were denied the opportunity to properly defend the charges.

● In making his ruling, Justice John Heydon said ”…it is time for the WorkCover Authority of New South Wales to finish its sport with Mr Kirk. The applications in the Industrial Court should be dismissed."

● “This spells the end of what some people have called the reverse onus approach – guilty until proven innocent approach – to the legislation.

● “It also has potential to be applied to the interpretation of the new national OHS regime which is due to commence in 2012.

*refer case history in notes below

20

Reasonably Practicable

How WorkSafe applies the law in relation to Reasonably Practicable

WORKSAFE POSITION

A GUIDELINE MADE UNDER SECTION 12 OF THE OCCUPATIONAL HEALTH AND SAFETY ACT 2004 (November 2007)

In applying the concept of reasonably practicable, careful consideration must be given to each of the matters set out in section 20(2) of the Act. No one matter determines ‘what is (or was at a particular time) reasonably practicable in relation to ensuring health and safety’. The test involves a careful weighing up of each of the matters in the context of the circumstances and facts of the particular case with a clear presumption in favour of safety. Weighing up each of the matters in section 20(2) should be done in light of the following:

a) Likelihood

b) Degree of Harm

c) What the person knows about the risk and ways of eliminating that risk

d) Availability and suitability of ways to eliminate or reduce the risk

e) Cost of eliminating or reducing the risk

21

Risk assessment process

22

Danger and Risk

● Most people have a misunderstanding between danger / hazard and risk. A danger is ever present whereas risk is the possibility of that danger happening.

Consider the following two statements: ● A hungry tiger is dangerous● A hungry tiger is risky

● A hungry tiger is dangerous, but it is only a risk if it is in your vicinity.● We can avoid or reduce risk by bounding danger

(tiger is locked in the ZOO, so the risk to be attacked is very low)

ZOO

Risks are events or conditions that may occur, and whose occurrence, if the event does take place, has a harmful or negative effect

23

Overall safety life cycle

Concept

Definition of theoverall scope

Hazard andrisk analysis

Overall safetyrequirements

Allocation ofsafety requirements

Safety systems:E/E/PES

Realisation

Overall installationand commissioning

Overall validationof safety

Overall operation, maintenance and repair

Decommissioning

Overall planning

9

5

4

3

2

1

12

13

14

16

Overall modificationand retrofit15

876

Back to the appropriate overall safety life cycle phase

Overall Installationand commissioning

planning

Overall safety

validationplanning

Overall operation andmaintenance

planning

Safety systems::other technology

Realisation

10

External riskreduction

Realisation

11

24

The Requirement

25

Safety - Acceptable Risk Level

●Risk 0 does not exist but risk must be reduced to an acceptable level

●Safety is the absence of risks which could cause injury or damage the health of persons.

●It’s one of the machine designer job to reduce all risks to a value lower than the acceptable risk.

26

Definition of Risk ● The concept of safety is closely linked to that of risk which, in turn, not

only depends on the probability of occurrence but also on the severity of the event. It is possible to accept a life threatening risk (maximum severity) if the probability of such an event is minimal.

The level of risk is a function of both severity and probability of occurrence

27

Risk Assessment for Machines

28

Risk Assessment Flow Chart

AnalyticalStage

DesignStage

29

Design Process

30

AS4024.2006 Safety of Machinery

31

Severity

Severity of injury S1 and S2

In estimating the risk arising from a failure of a safety function only slight injuries (normally reversible) and serious injuries (normally irreversible) and death are considered.

To make a decision, the usual consequences of accidents and normal healing processes should be taken into account in determining S1 or S2.

For example, bruising and/or lacerations without complications would be classified as S1, whereas amputation or death would be S2.

STaken from: ISO13849-1 Safety of Machinery

32

Frequency

Frequency and/or exposure times to hazard, F2 and F2

A generally valid time period to be selected for parameter F1 or F2 cannot be specified. However, the following explanation could facilitate making the right decision where doubt exists.

F2 should be selected if a person is frequently or continuously exposed to the hazard. It is irrelevant whether the same or different persons are exposed to the hazard on successive exposures, e.g. for the use of lifts. The frequency parameter should be chosen according to the frequency and duration of access to the hazard.

Where the demand on the safety function is known by the designer, the frequency and duration of this demand can be chosen instead of the frequency and duration of access to the hazard.

The period of exposure to the hazard should be evaluated on the basis of an average value which can be seen in relation to the total period of time over which the equipment is used.

For example, if it is necessary to reach regularly between the tools of the machine during cyclic operation in order to feed and move work pieces, then F2 should be selected. If access is only required from time to time, then F1 should be selected.

NOTE: In case of no other justification F2 should be chosen if the frequency is higher than once per hour.

F

Taken from: ISO13849-1 Safety of Machinery

33

Avoidance

Possibility of avoiding the hazard P1 and P2

It is important to know whether a hazardous situation can be recognized and avoided before leading to an accident. For example, an important consideration is whether the hazard can be directly identified by its physical characteristics, or recognized only by technical means, e.g. indicators. Other important aspects which influence the selection of parameter P include, for example:

operation with or without supervision; operation by experts or non-professionals; speed with which the hazard arises (e.g. quickly or slowly); possibilities for hazard avoidance (e.g. by escaping); practical safety experiences relating to the process.

When a hazardous situation occurs, P1 should only be selected if there is a realistic chance of avoiding an accident or of significantly reducing its effect; P2 should be selected if there is almost no chance of avoiding the hazard.

P

Taken from: ISO13849-1 Safety of Machinery

34

35

● Machines are sources of potential risk and the Machinery Directive requires a risk assessment to ensure that any potential risk is reduced to less than the acceptable risk

● Risk assessment consists of a series of logic steps which make it possible to systematically analyse and evaluate machinery-related risks

● Risk assessment steps:● Identification of the potential hazard● Risk estimation● Risk evaluation

● EN/ISO 13849-1 => Performance Level (PL)● EN/IEC 62061 => Safety Integrity Level (SIL)

● Risk reduction

Risk Assessment Principles

36

Risk Evaluation

● On the basis of the risk assessment, the designer has to define the safety related control system. To achieve that, the designer will choose one of the two standards appropriate to the application:● either standard EN/ISO 13849-1, which defines performance levels (PL)● or standard EN/IEC 62061, which defines safety integrity levels (SIL)

● The table below gives relations between these two definitions

● To select the applicable standard, a common table in both standards gives indications:

-

(1) For designated architectures only

d

37

Standard EN/IEC 62061

● Specific to the machine sector within the framework of EN/IEC 61508:● gives rules for the integration of safety-related electrical, electronic and

electronic programmable control systems (SRECS)● does not specify the operating requirements of non-electrical control

components in machines (ex.: hydraulic, pneumatic)

● The probability of failure associated with the required SIL (Safety Integrity Level) depends on the potential frequency of usage of the safety function to be performed

Safety of Machineryapplication

EN/IEC 62061

38

Standard EN/ISO 13849-1

● The Standard gives safety requirements for the design and integration of safety-related parts of control systems, including software design.

● The Risk Graph helps to determine the required PL (Performance Level) of each safety function● S - Severity of injury

> S1 Slight injury (reversible)

> S2 Serious or permanent injury or death● F - Frequency and / or exposure to a hazard

> F1 Seldom to less often and / or short time

> F2 Frequent to continuous and / or long time● P - Possibility of avoiding the hazard or limiting the harm

> P1 Possible under specific conditions

> P2 Scarcely possible

39

Relationship Between Different Criteria

● Relationship between Categories, DCavg, MTTFd and PL

*In several application the realisation

of performance level c by category 1

may not be sufficient. In this case a

higher category e.g. 2 or 3 should

be chosen.

40

Basic concepts

● According to the requirements of standard EN/ISO 12100-1, the machine designer’s job is to reduce all risks to a value lower than the acceptable risk

● It gives guidelines for the selection and installation of devices which

can be used to protect persons and identifies those measures that are implemented by the machine designer and those dependent on its user

●This standard recognises two sources of hazardous phenomena:● moving parts of machines● moving tools and/or workpieces

41

“It is the control of the design and design-associated activity that leads to a

responsibility as an obligation bearer, not their classification as a manufacturer,

supplier, etc.”

National Occupational Health and Safety Commision -

Safe Design Project Report 2000

Safe Design

42

Principles of Safe DesignPrinciples of Safe Design (of equal priority)

The key elements that impact on achieving a safe design are:

Principle 1: Persons with Control – persons who make decisions affecting the design of products, facilities or processes are able to promote health and safety at the source.

Principle 2: Product Lifecycle – safe design applies to every stage in the lifecycle from conception through to disposal. It involves eliminating hazards or minimising risks as early in the lifecycle as possible.

Principle 3: Systematic Risk Management – the application of hazard identification, risk assessment and risk control processes to achieve safe design.

Principle 4: Safe Design Knowledge and Capability – should be either demonstrated or acquired by persons with control over design.

Principle 5: Information Transfer – effective communication and documentation of design and risk control information between all persons involved in the phases of the lifecycle is essential for the safe design approach.

www.safeworkaustralia.gov.au

43

Hierarchy of Control

Making it safe

44

45

Reasonably Practicable

How WorkSafe applies the law in relation to Reasonably Practicable

WORKSAFE POSITION

A GUIDELINE MADE UNDER SECTION 12 OF THE OCCUPATIONAL HEALTH AND SAFETY ACT 2004 (November 2007)

In applying the concept of reasonably practicable, careful consideration must be given to each of the matters set out in section 20(2) of the Act. No one matter determines ‘what is (or was at a particular time) reasonably practicable in relation to ensuring health and safety’. The test involves a careful weighing up of each of the matters in the context of the circumstances and facts of the particular case with a clear presumption in favour of safety. Weighing up each of the matters in section 20(2) should be done in light of the following: a) Likelihood

b) Degree of Harm

c) What the person knows about the risk and ways of eliminating that risk

d) Availability and suitability of ways to eliminate or reduce the risk

e) Cost of eliminating or reducing the risk

Functional Safety

Process and Machine

47

Advancements in Technology

●Communications●Integrated Functions●Complex architectures

19682010

48

49

Change of Standards

●The qualitative approach of the EN 954-1 is no longer sufficient for modern controls based on new technologies (Electronic and Programmable Electronic systems):

●insufficient requirements for programmable products,●The reliability of the components is not taken into account,●too deterministic orientation (designated architectures).

●Standard EN ISO 13849-1 will totally replace the EN 954-1 on 31 December 2011, and will upgrade the qualitative approach by the new quantitative (probabilistic) approach, which is consistent with modern safety standards.

●At the moment both standards EN 954-1 and EN/ISO 13849-1 are valid

●For complex machines using programmable systems for safety-related control, the sector specific standard EN/IEC 62061 has to be considered

●EN/IEC 62061 based on EN/IEC 61508

50

Redundancy and Self-monitoring

Consists of compensating for the failure of one component by correct operation of another, based on the assumption that

both will not fail simultaneously

Consists of automatically checking the operation of each of the components which change state at each cycle

Redundancy Self-monitoring

Qualitative Approach

51

Redundancy and Self-monitoring

= the risk of not operating safely is hardly reduced down to an acceptable level compared to the consequences

An initial fault in the safety circuit is detected before a second fault occurs (next cycle inhibited)

Redundancy Self-monitoring

+

Qualitative Approach

52

AS4024 – A Reminder

53

What is Functional Safety?

Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

54

None of these measures are sufficient, however, without implementing a good safety culture.

 

Change the work ethic/philosophy from

 

1. Profit Motive > Production > Maintenance > etc. > Safety

To

2. Profit Motive > Safety > Production > Maintenance > etc.

 

Choose 1 to have safety grafted on the side of other functions

Choose 2 to have safety integrated within other functions

55

Definition of Functional Safety● Functional safety is the part of the overall safety that depends on a

system or equipment operating correctly in response to its inputs. ● Functional safety is a subset of safety as shown in the figure below.

● Non-functional safety is the safety achieved by measures reliant on passive systems (example: insulation on electrical conducting parts).

● Functional safety is the safety achieved by active systems (example: temperature measurement and de-energization of contactor).

Definition: A system is defined functionally safe if random, systematic and common cause failures do not lead to malfunctioning of the system and do not result in injury or death of humans, spills to the environment and loss of equipment or production.

56

● Two types of requirements are necessary to achieve functional safety: ● safety function requirements (what the function does; its logic) and ● safety integrity requirements (the likelihood of a safety function

performing satisfactorily).

X+Y=Z

57

● Reliability is the ability of a system or component to perform its required functions under stated conditions for a specified period of time. It is often reported as a probability.

● Probability is the likelihood or chance that something is the case or will happen.

58

Definition of Dependability

The dependability of a system is its ability to deliver specified services to the end users so that they can justifiably rely on and trust the services provided by the system.

59

Definition of Reliability

● Reliability is a measure of the continuous delivery of service. It is defined as the probability that a device will perform its intended function during a specified period of time under stated conditions. ● Reliability is often quantified by MTTF – Mean Time To First Failure

expressed as a time in hours or in years.● The Failure Rate can also be expressed in Failure In Time (FIT). The

Failure In Time (FIT) rate of a device is the number of failures that can be expected in one billion (109) device-hours of operation.

60

Other Attribute Definitions● Availability: is a measure of the service delivery with respect to the

alternation of the delivery and interruptions. ● Maintainability: is a measure of the service interruption. It is

usually quantified by MTTR (Mean Time To Repair). ● Safety: is a measure of the time to catastrophic failure.

61

Definition of Threats of Dependability● The threats of dependability are listed as follows and their relationship

to the system is illustrated in the figure below: ● Fault: defines an abnormal condition that may cause a reduction in, or loss of, capability of a

functional unit to perform a required function. As shown in the figure below, fault is the cause of a system failure,

● Error: defines a discrepancy between a computed, observed or measured value and condition and the true, specified or theoretically correct value or condition. An example of an error is the occurrence of an incorrect bit caused by an equipment malfunction. Error is a system state that causes failure,

● Failure: defines the terminations of the ability of a system or functional unit to perform a required function. A failure in sub-system can be fault for higher layer system. The latency time from fault to system failure is labeled as t1, t2, and t3.

Difference between fault, error and failure

62

Definition of Means

● Four means can be identified in order to prevent the previous threats: ● Fault prevention: or how to prevent fault occurrence or introduction, ● Fault tolerance: or how to provide a service complying to the

specifications in the presence of faults, ● Fault removal: or how to reduce the presence of faults, both

regarding the number and seriousness of faults, ● Fault forecasting: or how to estimate the creation and the consequences

of faults.

63

Definition of Safety loop ● The safety function is always related to a safety loop, not to a

component or device. ● Safety can be carried out by decomposing system functions into:

● Sensor ● Logic unit ● Actuator ● Communication

● Safety Functions are carried out by Safety Related Parts of the Control System SRP/CS● Examples: Safe Stop, Safe Position, Safely Limited Speed

LOGIC

SRP/CSb

ACTUATOR / OUTPUT

SRP/CSc

SENSOR / INPUT

SRP/CSa

Interlocking Switch 1SW1

Interlocking Switch 2SW2

Safety PLC

Contactor 1CON1

Contactor 2CON2

64

AS/IEC 61508: Overall safety life cycle: Functional Safety

Concept

Definition of theoverall scope

Hazard andrisk analysis

Overall safetyrequirements

Allocation ofsafety requirements

Safety systems:E/E/PES

Realisation

Overall installationand commissioning

Overall validationof safety

Overall operation, maintenance and repair

Decommissioning

Overall planning

9

5

4

3

2

1

12

13

14

16

Overall modificationand retrofit15

876

Back to the appropriate overall safety life cycle phase

Overall Installationand commissioning

planning

Overall safety

validationplanning

Overall operation andmaintenance

planning

Safety systems::other technology

Realisation

10

External riskreduction

Realisation

11

65

EN/IEC 61511: Overall safety life cycle for Safety Instrumented Systems (SIS) Process

Hazard and risk assessment

Allocation of safety function to protection layers

Safety requirementsspecification for the

safety instrumented system

Design and engineering of safety instrumented

system

Design and implementationof other means of risk

reduction

Installation, commissioning,and validation

Operation and maintenance

Modification

Decommissioning

1

2

3

4

5

6

7

8

Transducer, Transmitter

Actuator, Valve

PESPESProgrammable

Equipment of Safety

66

Basic Control Process System

BasicProcessControlSystem

Failure of the Basic Process Control System

Action of the Basic Process Control

System

Alarm Threshold

67

BPCS + Safety Instrumented System

Reaction of the Safety

instrumented System

BasicProcessControlSystem

Failure of the Basic Process Control System

Action of the Basic Process Control

System

SafetyInstrumented

System

Alarm Threshold

Safety Threshold

68

● Determine Overall Safety Requirement

● A risk may be reduced by one or more ‘Layers of Protection’, eg. Access restriction, control system trips, barriers, mechanical protection devices.

● Where an electrical/programmable electronic system is used as a protection layer, this results in a SIL being allocated to that system.

Layers of Protection

External Risk ReductionFacilities

E/E/PESSRS

MachineRisk

Frequency

Consequence

OtherTechnology

SRS

TolerableRisk

Target

Necessary Risk Reduction

69

Emergency ResponseEvacuation procedure & emergency broadcasting

Mitigating LayersMechanical mitigation system

Protection Layers

Other protective LayersMechanical protection system

Safety Instrumented Systems

Alarm LayerMonitoring Systems & Operator Supervision

Process Control LayerBasic Process Control System

Process Design

PREVENTION

MITIGATION

Frequency

Severity

70

Principals of SIL Allocation● The SIL allocated to a safety function is based on a

determination of the risk reduction needed to achieve “tolerable risk” in terms of your Risk Matrix.

Equipment Under Control

Increasing Consequence

Increasing Frequency

Frequency of Hazardous Event

Consequence of Hazardous Event

Risk level:No Protective

Features

RequiredRisk

Reduction

Your RiskMatrix

‘Tolerable Risk’

4

3

2

1

0

4

3

2

1

0

SystemSafety

IntegrityLevel

SoftwareSafety

IntegrityLevel

Safety Integrity Levels 4 – Very High 3 – High 2 – Medium 1 – Low 0 – Non-Safety

71

Safety Integrity Level

SILs can be determined using several methods

(quantitative or qualitative).

Risk Graph Risk MatrixLOPALayers of Protection Analysis

72

Example Fault Tree Analysis

73

ISO13849-1 Functional Safety of Machines

● Applying quantitive measures of safety to machines

● Applies familiar measures to ease transition

● Already in force in the EU● Will replace entirely EN954 by 2012

74

Categories

75

Standard EN/IEC 62061

●Specific to the machine sector within the framework of EN/IEC 61508:●gives rules for the integration of safety-related electrical, electronic and electronic

programmable control systems (SRECS)●does not specify the operating requirements of non-electrical control components in

machine (ex.: hydraulic, pneumatic)

●The probability of failure associated to the required SIL (Safety Integrity Level) depends on the frequency of usage of the safety function to be performed

Safety of Machineryapplication

EN/IEC 62061

76

Relationship Between Different Criteria

●Relationship between Categories, DCavg, MTTFd and PL

*In several application the realisation

of performance level c by category 1

may not be sufficient. In this case a

higher category e.g. 2 or 3 should

be chosen.

77

● Select the suitable standard

78

● For complex machines, the international sector specific standard IEC 62061 based on standard IEC 61508, must be used.

Published on December 31 2005 Harmonized to the Machinery DirectiveRestricted to electric, electronic and electronic programmable safety-related control systemsPossible overlap with EN ISO 13849-1

IEC 61513IEC 61513Nuclear power plants

Instrumentation and controlfor systems

important to safety

IEC 61508 IEC 61508

Functional safety ofElectrical / Electronic / Programmable Electronic (E/E/PE) safety-related systems

EN/IEC 62061EN/IEC 62061Safety of machinery

Functional safetyof E/E/PE control systems

IEC 61511IEC 61511Functional safety

Safety instrumentedsystems for the

process industry sector

79

●The probability of failure associated to the required SIL level depends on the frequency of usage of the safety function to be performed:

SafetyIntegrity

Level

Low demand mode of operation(Average probability of failure to perform its design function on

demand)

High demand (>1/y. or 2 x proof-check freq.)

or continuous mode of operation(Probability of a dangerous failure

per hour)

4 ≥ 10-5 to < 10-4 ≥ 10-9 to < 10-8

3 ≥ 10-4 to < 10-3 ≥ 10-8 to < 10-7

2 ≥ 10-3 to < 10-2 ≥ 10-7 to < 10-6

1 ≥ 10-2 to < 10-1 ≥ 10-6 to < 10-5

Safety of Machinery applicationEN IEC 62061

80

EN IEC 62061EN IEC 62061

EN ISO 13849-EN ISO 13849-11

(EN 954-1)(EN 954-1)

=> PL

=> SIL

Assigning a SIL level

81

● Determination of performance level PL

● In this example the Safety Function is the disconnection of a motor when the safety guard is open. Without the guard the possible harm is to loose an arm. With the answers for S2, F2 and P2 the graph leads to a required performance level of PLr = e.

S = Severity of injuryS1 = Slight (normally reversible injury)S2 = Serious (normally irreversible) injury including death

F = Frequency and/or exposure time to the hazardF1 = Seldom to less often and/or the exposure time is shortF2 = Frequent to continuous and/or the exposure time is long

P = Possibility of avoiding the hazard or limiting the harmP1 = Possible under specific conditionsP2 = Scarcely possible

Starting point for the evaluation ofthe contribution to the risk reduction

of a safety function

Required Performance Level(PLr)

Low contributionto risk reduction

High contributionto risk reduction

b

c

d

e

a

S1

S2

F1

F2

F1

F2

P1

P1

P1

P1

P2

P2

P2

P2S = Severity of injury

S1 = Slight (normally reversible injury)S2 = Serious (normally irreversible) injury including death

F = Frequency and/or exposure time to the hazardF1 = Seldom to less often and/or the exposure time is shortF2 = Frequent to continuous and/or the exposure time is long

P = Possibility of avoiding the hazard or limiting the harmP1 = Possible under specific conditionsP2 = Scarcely possible

Starting point for the evaluation ofthe contribution to the risk reduction

of a safety function

Required Performance Level(PLr)

Low contributionto risk reduction

High contributionto risk reduction

b

c

d

e

a

S1

S2

F1

F2

F1

F2

P1

P1

P1

P1

P2

P2

P2

P2