FUNCTIONAL SAFETYfor MACHINERY

ByRobin J Carver

Safer by design

OR

a technical Banana Skin?

New Family of Standards• Under the EN 61508 family

Safety of electricalequipment of

machineryEN 60204-1

Design of safetyrelated parts of

machinery controlsystems

ISO 13849

Principlesfor designEN ISO12100

Functional Safetyof SRECS for

Machinery

EN 62061

Principles for riskassessmentEN 1050

(ISO 14121)

Functional Safety of E/E/PESafety-related Systems

EN 61508

OtherIndustrysectors

New Standardsfor Industry Sectors

IEC 61511ProcessIndustry

IEC 61513Nuclear Industry

prEN 51056Furnaces

EN 50126/7/8Railways

IEC 62061Machinery

EN IEC 61508Functional Safety

Machinery Standards– in with the new

• EN ISO 12100– To provide designers with an overall framework and guidance to

enable them to produce machines that are safe. – replaced EN 292• prEN ISO 14121

– General principles for Risk Assessment – to replace EN 1050• EN 60204

– Application of electrical & electronic systems to machines – to beupdated in 2006

• EN IEC 62061– Requirements for the design, integration & validation of Safety

Related Electrical, Electronic & Programmable Electronic ControlSystems for Machines.

• prEN ISO 13849– Specifies characteristics & categories required for Safety Related

Parts of Control Systems (SRP/CS) – all technologies

Machinery Standards– out with the old

• EN 292– Basic concepts, general principles for design

- replaced by EN ISO 12100

• EN 1050– General principles for Risk Assessment

– to be replaced by prEN ISO 14121

• EN 60204– Application of electrical & electronic systems to machines

– to be updated in 2006

• EN 954-1– Safety Related Parts of Control Systems

– may be replaced by prEN ISO 13849

Functional SafetyObjectives

• Alignment with the strategy for risk reduction• Quantitative rather than Qualitative determination

of the performance requirements.• Integration of SRP/CS with the process control

system• Better Validation of the SRP/CS• Better management of Functional Safety

An ISO 9001:2000 for the design of safetysystems ???

Safety systems forMachines

• Machines can be dangerous!• Most machines are controlled by logic

• sequential etc.

• Most machines have one safe stop condition.• Category 0 or 1 (EN 60204-1)

Better machine systems?

• Acceptance of electronicequipment in safetysystems.

• Use of PLC’s, IndustrialComputers, etc.

• More complex safetyrequirements.

CURRENT “PERIPHERAL” SAFETYARCHITECTURE

SAFETY SYSTEM

STANDARD PLC

SAFETYRELAY

MACHINE

PROCESS PARTOF THE

CONTROLSYSTEM

MACHINE

NEW “FUNCTIONAL SAFETY”ARCHITECTURE

PROCESS(FUNCTIONAL)

CONTROL LOOP

PLC (TO ISO 65108)

SAFETYRELATED PART

OF THECONTROLSYSTEM(SRP/CS)

Better machine systems?Example with peripheral safety

• A machine with high inertianormally controlled by a speedcontroller with dynamic braking.

• Braking control lost when guard isopened

C

SET SPEED

START

STOP

SPEEDCONTROLLER

MOTOR

LOAD

GUARD SWITCH

SAFETYCONTACTOR

Better machine systems?Example with functional safety

• A machine with high inertianormally controlled by a speedcontroller with dynamic braking.

• Guard may not be opened until themotor has stopped

SET SPEED

START

STOP

SPEEDCONTROLLER

MOTOR

LOAD

GUARD LOCKSOLENOID

MOTOR NOT TURNING

The Problem!

I am a control systems engineer with 40years in the industry working with safetyrelated systems

I am a Chartered Safety Practitioner

I have spent many hours, days, even weekstrying to understand the requirements.

I have tried to apply the Standards.

The Banana Skin!Which Standard to apply?

Two Standards:-EN 62061Safety of Machinery – Functional safety of E/E/PE Control SystemsScope – … specifies requirements and makes recommendations for the design,

integration & validation of SRECS’s for machines….

prEN ISO 13841Safety of Machinery – Safety related parts of Control SystemsScope – … provides safety requirements & guidance on the principals for the design &

integration of SRP/CS’s including the design of application software….

The Banana Skin!

Two Standards:-EN 62061Safety of Machinery – Functional safety of E/E/PE Control SystemsSafety requirements based on:-

SIL – Safety Integrity LevelsSIL1 (lowest) to SIL3 (highest possible for machinery)

prEN ISO 13841Safety of Machinery – Safety related parts of Control SystemsSafety requirements based on:-

PL - Performance LevelsPL = a (lowest) to PL = e (highest)

The Banana Skin!

prEN ISO 13849Safety of Machinery – Safety related parts of Control Systems

Lots of new words:-

PL - Performance LevelMTTFd - Mean Time to Dangerous FailureDC - Diagnostic CoverageCCF - Common Cause Failure

Category - Defining system architecture (as used in EN 954-1)SFF - Safe failure fraction

The Banana Skin!Performance Level (PL)

e

d

c

b

a

Possibility of avoiding – Scarcely possibleP2

Possibility of avoiding - PossibleP1

Frequency of exposure - FrequentF2

Frequency of exposure - SeldomF1

Severity of Injury - SeriousS2

Severity of Injury - SlightS1

P1

P2P1

P2

P1

P2P1

P2

F1

F2

F1

F2

S1

S2

Start

The Banana Skin!

But what about:-

Operating Cycle?To make any sense of MTTFd - Mean Time to Dangerous Failure – for asafety related part of a control system it must be related to the demandplaced upon it!

Mean Time to Dangerous Failure (MTTFd)Reliability

Some safety relay manufacturers are claming MTTFd of:-650 years (on a 7000 uses/year) and 950 years (on a 4000 uses/year)

The Banana Skin!

DC is given in 4 levels:-None - DC < 60%Low - DC = 60% to <90%Medium - DC = 90% to <99%High - DC >99%

Diagnostic Coverage (DC)

But how do you determine DC%?• What is the DC% of a relay with forced driven contacts?• What is the DC% of a relay with forced driven contacts with a

monitoring contact?• What is the DC% of an Emergency Stop Button with redundant

contacts?• What is the DC of its associated wiring?• etc. etc.

The Banana Skin!Put it all together -Determination of required performance and how to achieve it!

PL

a

b

c

d

e

Category

BLOW RISK

HIGH RISK

1 2 3 4

HighMed

Low

High Med

Low

High

Med

Low

HighMed

Low

HighHigh

None None Low Med Low Med HighDCavg =

Med

LowMTTFd

MTTFd

MTTFd

MTTFd

MTTFd

MTTFd

MTTFd

Not relevant 65% or betterCCF =

The Banana Skin!Verification of the system design!

A few examples of the formulas to be applied to each channel ofa SRP/CS

])[/(/1 , yMTTFnMTTF jdjd ∑=

+−+=

MTTFMTTFMTTFMTTFMTTF

chdchd

chdchdd

2,1,

2,1, 111

32

MTTF

MTTFDC

MTTF

MTTFDC

MTTF

MTTFDC

DCdn

dn

n

d

d

d

davg 1........1

........

1

2

12

2

1

1

1

++

++

+

+

=

The MTTFd for each channelmust be calculated

The MTTFd foreach systemmust becalculated

The average diagnosticcoverage for each systemmust be calculated

The Banana Skin!but is there a flaw?

Using the formula to determine the average Diagnostic Coveragefor a system

If we add more diagnostics the average is degraded!

A Category 4 system with more diagnostics canbe downgraded to a Category 3 system

MTTF

MTTFDC

MTTF

MTTFDC

MTTF

MTTFDC

DCdn

dn

n

d

d

d

davg 1........1

........

1

2

12

2

1

1

1

++

++

+

+

=

And the reaction of mostMachine System builders:-

And the result:-

UNSAFE MACHINERY!

The principal of FunctionalSafety is to be welcomed

To achieve this the Standards must:-Be clearNon-conflicting

but above all:-Workable

SAFE MACHINERY!The objective is:-

Thank you for yourattention

Robin J CarverMIEE MinstMC CMIOSH MIIRSM