
FUNCTIONAL SAFETY

for MACHINERY
Safer by design
OR
a technical Banana Skin?

By
Robin J Carver
New Family of Standards
• Under the EN 61508 family
[Diagram: the family of machinery standards and how they relate – labels as printed]
– Principles for risk assessment: EN 1050 (ISO 14121)
– Principles for design: EN ISO 12100
– Functional Safety of E/E/PE Safety-related Systems: EN 61508
– Functional Safety of SRECS for Machinery: EN 62061
– Other industry sectors (also under EN 61508)
– Safety of electrical equipment of machinery: EN 60204-1
– Design of safety related parts of machinery control systems: ISO 13849
New Standards for Industry Sectors
[Diagram: sector standards derived from EN IEC 61508 Functional Safety]
– prEN 51056: Furnaces
– IEC 61513: Nuclear Industry
– EN 50126/7/8: Railways
– IEC 61511: Process Industry
– IEC 62061: Machinery
Machinery Standards
– in with the new
• EN ISO 12100
– To provide designers with an overall framework and guidance to
enable them to produce machines that are safe. – replaced EN 292
• prEN ISO 14121
– General principles for Risk Assessment – to replace EN 1050
• EN 60204
– Application of electrical & electronic systems to machines – to be
updated in 2006
• EN IEC 62061
– Requirements for the design, integration & validation of Safety
Related Electrical, Electronic & Programmable Electronic Control
Systems for Machines.
• prEN ISO 13849
– Specifies characteristics & categories required for Safety Related
Parts of Control Systems (SRP/CS) – all technologies
Machinery Standards
– out with the old
• EN 292
– Basic concepts, general principles for design
- replaced by EN ISO 12100
• EN 1050
– General principles for Risk Assessment
– to be replaced by prEN ISO 14121
• EN 60204
– Application of electrical & electronic systems to machines
– to be updated in 2006
• EN 954-1
– Safety Related Parts of Control Systems
– may be replaced by prEN ISO 13849
Functional Safety
Objectives
• Alignment with the strategy for risk reduction
• Quantitative rather than Qualitative determination
of the performance requirements.
• Integration of SRP/CS with the process control
system
• Better Validation of the SRP/CS
• Better management of Functional Safety

An ISO 9001:2000 for the design of safety systems ???
Safety systems for
Machines
• Machines can be dangerous!
• Most machines are controlled by logic
• sequential etc.
• Most machines have one safe stop condition.
• Category 0 or 1 (EN 60204-1)
Better machine systems?
• Acceptance of electronic equipment in safety systems.
• Use of PLC’s, Industrial Computers, etc.
• More complex safety requirements.
[Diagram: CURRENT “PERIPHERAL” SAFETY ARCHITECTURE – a STANDARD PLC forms the PROCESS PART OF THE CONTROL SYSTEM and a separate SAFETY RELAY forms the SAFETY RELATED PART OF THE CONTROL SYSTEM, both acting on the MACHINE. NEW “FUNCTIONAL SAFETY” ARCHITECTURE – a SAFETY PLC (TO ISO 65108) holds both the PROCESS (FUNCTIONAL) PART and the SAFETY RELATED PART OF THE CONTROL SYSTEM (SRP/CS) in one CONTROL LOOP to the MACHINE.]
Better machine systems?
Example with peripheral safety
• A machine with high inertia normally controlled by a speed controller with dynamic braking.
• Braking control lost when guard is opened
[Diagram: SET SPEED → SPEED CONTROLLER (START / STOP) → MOTOR → LOAD, with a SAFETY CONTACTOR (C) in the motor circuit and a GUARD SWITCH]
Better machine systems?
Example with functional safety
• A machine with high inertia normally controlled by a speed controller with dynamic braking.
• Guard may not be opened until the motor has stopped
[Diagram: SET SPEED → SPEED CONTROLLER (START / STOP) → MOTOR → LOAD, with a MOTOR NOT TURNING signal feeding a GUARD LOCK SOLENOID]
The Problem!
I am a control systems engineer with 40 years in the industry working with safety related systems
I am a Chartered Safety Practitioner
I have spent many hours, days, even weeks trying to understand the requirements.
I have tried to apply the Standards.
The Banana Skin!
Which Standard to apply?

Two Standards:-
EN 62061
Safety of Machinery – Functional safety of E/E/PE Control Systems
Scope –
… specifies requirements and makes recommendations for the design, integration & validation of SRECS’s for machines….

prEN ISO 13849
Safety of Machinery – Safety related parts of Control Systems
Scope –
… provides safety requirements & guidance on the principles for the design & integration of SRP/CS’s including the design of application software….
The Banana Skin!

Two Standards:-
EN 62061
Safety of Machinery – Functional safety of E/E/PE Control Systems
Safety requirements based on:-
SIL – Safety Integrity Levels
SIL1 (lowest) to SIL3 (highest possible for machinery)

prEN ISO 13849
Safety of Machinery – Safety related parts of Control Systems
Safety requirements based on:-
PL - Performance Levels
PL = a (lowest) to PL = e (highest)
The Banana Skin!

prEN ISO 13849
Safety of Machinery – Safety related parts of Control Systems

Lots of new words:-
PL - Performance Level
MTTFd - Mean Time to Dangerous Failure
DC - Diagnostic Coverage
CCF - Common Cause Failure
Category - Defining system architecture (as used in EN 954-1)
SFF - Safe failure fraction
The Banana Skin!
Performance Level (PL)
[Risk graph: Start → S (severity) → F (frequency) → P (possibility of avoiding) → required PL]
S1 F1 P1 → a
S1 F1 P2 → b
S1 F2 P1 → b
S1 F2 P2 → c
S2 F1 P1 → c
S2 F1 P2 → d
S2 F2 P1 → d
S2 F2 P2 → e

S1 Severity of Injury - Slight
S2 Severity of Injury - Serious
F1 Frequency of exposure - Seldom
F2 Frequency of exposure - Frequent
P1 Possibility of avoiding - Possible
P2 Possibility of avoiding – Scarcely possible
The Banana Skin!
Mean Time to Dangerous Failure (MTTFd)
Reliability

But what about:- Operating Cycle?
To make any sense of MTTFd - Mean Time to Dangerous Failure – for a safety related part of a control system it must be related to the demand placed upon it!

Some safety relay manufacturers are claiming MTTFd of:-
650 years (on a 7000 uses/year) and 950 years (on a 4000 uses/year)
The Banana Skin!
Diagnostic Coverage (DC)
DC is given in 4 levels:-
None - DC < 60%
Low - DC = 60% to <90%
Medium - DC = 90% to <99%
High - DC >99%

But how do you determine DC%?
• What is the DC% of a relay with forced driven contacts?
• What is the DC% of a relay with forced driven contacts with a monitoring contact?
• What is the DC% of an Emergency Stop Button with redundant contacts?
• What is the DC of its associated wiring?
• etc. etc.
The Banana Skin!
Put it all together -
Determination of required performance and how to achieve it!
[Chart: PL (a = LOW RISK … e = HIGH RISK) against Category B, 1, 2, 3, 4 and the MTTFd of each channel (Low / Med / High). Only the axis labels survive here; the individual PL cells of the chart are not recoverable from this copy.]
DCavg = None (Cat B), None (Cat 1), Low / Med (Cat 2), Low / Med (Cat 3), High (Cat 4)
CCF = Not relevant (Cat B, 1); 65% or better (Cat 2, 3, 4)


The Banana Skin!
Verification of the system design!
A few examples of the formulas to be applied to each channel of a SRP/CS

The MTTFd for each channel must be calculated:

$$\mathrm{MTTF_d} = \frac{1}{\sum_j \dfrac{n_j}{\mathrm{MTTF_{d,j}}}} \quad [\mathrm{y}]$$

The MTTFd for each system must be calculated:

$$\mathrm{MTTF_d} = \frac{2}{3}\left[\mathrm{MTTF_{d,ch1}} + \mathrm{MTTF_{d,ch2}} - \frac{1}{\dfrac{1}{\mathrm{MTTF_{d,ch1}}} + \dfrac{1}{\mathrm{MTTF_{d,ch2}}}}\right]$$

The average diagnostic coverage for each system must be calculated:

$$\mathrm{DC_{avg}} = \frac{\dfrac{DC_1}{\mathrm{MTTF_{d1}}} + \dfrac{DC_2}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{DC_n}{\mathrm{MTTF_{dn}}}}{\dfrac{1}{\mathrm{MTTF_{d1}}} + \dfrac{1}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{1}{\mathrm{MTTF_{dn}}}}$$
The Banana Skin!
but is there a flaw?
Using the formula to determine the average Diagnostic Coverage for a system

$$\mathrm{DC_{avg}} = \frac{\dfrac{DC_1}{\mathrm{MTTF_{d1}}} + \dfrac{DC_2}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{DC_n}{\mathrm{MTTF_{dn}}}}{\dfrac{1}{\mathrm{MTTF_{d1}}} + \dfrac{1}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{1}{\mathrm{MTTF_{dn}}}}$$

If we add more diagnostics the average is degraded!

A Category 4 system with more diagnostics can be downgraded to a Category 3 system
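The risk graph, the DC bands and the three verification formulas on the preceding slides, worked through in code. This is an added example and not material from the presentation or its author: the risk graph, DC bands, channel and two-channel MTTFd formulas and the DCavg formula are taken from the slides as printed; the B10d relation MTTFd = B10d / (0.1 · n_op) is assumed from ISO 13849-1 Annex C and is not on the slides; every component figure is constructed for illustration. The last function shows numerically what the "is there a flaw?" slide asserts: adding one more diagnosed part whose own DC is lower pulls the MTTFd-weighted average down a band.

```python
"""Worked ISO 13849-1 style calculations for the formulas on these slides.

Added example with constructed figures; nothing here is data from a real
product or from the presentation's author.
"""

# Risk graph from the "Performance Level (PL)" slide: (S, F, P) -> required PL.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}


def required_pl(severity, frequency, avoidance):
    """Walk the risk graph: S1/S2 severity, F1/F2 exposure, P1/P2 avoidability."""
    return RISK_GRAPH[(severity, frequency, avoidance)]


def dc_level(dc):
    """DC bands from the "Diagnostic Coverage (DC)" slide; dc is a fraction 0..1.
    Rounding guards against floating-point noise exactly on a band boundary.
    Treating exactly 99 % as High is an assumption (the slide prints ">99%")."""
    dc = round(dc, 6)
    if dc < 0.60:
        return "None"
    if dc < 0.90:
        return "Low"
    if dc < 0.99:
        return "Medium"
    return "High"


def mttfd_from_b10d(b10d, n_op):
    """MTTFd in years from a B10d cycle count and a demand rate n_op (cycles/year).
    Assumed ISO 13849-1 Annex C relation MTTFd = B10d / (0.1 * n_op); it is not
    on the slides, but it is why an MTTFd claim means nothing without the
    operating cycle it was derived for."""
    return b10d / (0.1 * n_op)


def channel_mttfd(parts):
    """Channel MTTFd = 1 / sum_j(n_j / MTTFd_j); parts = [(count n_j, MTTFd_j years)]."""
    return 1.0 / sum(n / m for n, m in parts)


def system_mttfd(ch1, ch2):
    """Two-channel symmetrisation: 2/3 * [ch1 + ch2 - 1 / (1/ch1 + 1/ch2)]."""
    return (2.0 / 3.0) * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))


def dc_avg(parts):
    """MTTFd-weighted average DC; parts = [(DC_i fraction, MTTFd_i years)]."""
    numerator = sum(dc / m for dc, m in parts)
    denominator = sum(1.0 / m for _, m in parts)
    return numerator / denominator


# Constructed component figures (not from any data sheet).
CH1_PARTS = [(2, 100.0), (1, 50.0)]               # two parts at 100 y, one at 50 y
CH2_PARTS = [(1, 100.0)]                          # a single 100 y part
BASE_DIAGNOSED = [(0.99, 100.0), (0.99, 100.0)]   # two well-diagnosed parts
EXTRA_MONITOR = (0.90, 50.0)                      # an added part whose own DC is only 90 %


def diagnostics_flaw_demo():
    """Return (DCavg band before, DCavg band after) adding one more diagnosed part.
    The added part carries a lower DC, so the MTTFd-weighted average falls."""
    before = dc_level(dc_avg(BASE_DIAGNOSED))
    after = dc_level(dc_avg(BASE_DIAGNOSED + [EXTRA_MONITOR]))
    return before, after


if __name__ == "__main__":
    print("Required PL for S2, F2, P1:", required_pl("S2", "F2", "P1"))
    print("MTTFd for B10d=400000 at 7000 and 4000 cycles/year: %.1f y, %.1f y"
          % (mttfd_from_b10d(400000, 7000), mttfd_from_b10d(400000, 4000)))
    ch1, ch2 = channel_mttfd(CH1_PARTS), channel_mttfd(CH2_PARTS)
    print("Channel MTTFd: %.1f y, %.1f y -> system %.1f y"
          % (ch1, ch2, system_mttfd(ch1, ch2)))
    print("DCavg band before/after extra diagnostics:", diagnostics_flaw_demo())
```

Run as a script it prints the required PL, the same constructed B10d yielding two different MTTFd values at two demand rates, the channel and system MTTFd, and the DCavg band moving from High to Medium once the extra 90 % part is included; the weighting by 1/MTTFd is what makes a less reliable, less well diagnosed part dominate the average.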
And the reaction of most Machine System builders:-

And the result:-

UNSAFE MACHINERY!
The principle of Functional Safety is to be welcomed
The objective is:-

SAFE MACHINERY!
To achieve this the Standards must:-
✓ Be clear
✓ Non-conflicting
but above all:-
✓ Workable
Thank you for your attention

Robin J Carver
MIEE MinstMC CMIOSH MIIRSM
