
FUNCTIONAL SAFETY for MACHINERY

Safer by design OR a technical Banana Skin?

By Robin J Carver

New Family of Standards
• Under the EN 61508 family:
– Principles for risk assessment – EN 1050 (ISO 14121)
– Principles for design – EN ISO 12100
– Functional Safety of E/E/PE Safety-related Systems – EN 61508 (other industry sectors)
– Functional Safety of SRECS for Machinery – EN 62061
– Safety of electrical equipment of machinery – EN 60204-1
– Design of safety related parts of machinery control systems – ISO 13849

New Standards for Industry Sectors
• EN IEC 61508 – Functional Safety
– IEC 61513 – Nuclear Industry
– prEN 51056 – Furnaces
– IEC 61511 – Process Industry
– EN 50126/7/8 – Railways
– IEC 62061 – Machinery

Machinery Standards – in with the new
• EN ISO 12100 – To provide designers with an overall framework and guidance to enable them to produce machines that are safe – replaced EN 292
• prEN ISO 14121 – General principles for Risk Assessment – to replace EN 1050
• EN 60204 – Application of electrical & electronic systems to machines – to be updated in 2006
• EN IEC 62061 – Requirements for the design, integration & validation of Safety Related Electrical, Electronic & Programmable Electronic Control Systems for Machines
• prEN ISO 13849 – Specifies characteristics & categories required for Safety Related Parts of Control Systems (SRP/CS) – all technologies

Machinery Standards – out with the old
• EN 292 – Basic concepts, general principles for design – replaced by EN ISO 12100
• EN 1050 – General principles for Risk Assessment – to be replaced by prEN ISO 14121
• EN 60204 – Application of electrical & electronic systems to machines – to be updated in 2006
• EN 954-1 – Safety Related Parts of Control Systems – may be replaced by prEN ISO 13849

Functional Safety Objectives
• Alignment with the strategy for risk reduction
• Quantitative rather than Qualitative determination of the performance requirements
• Integration of SRP/CS with the process control system
• Better Validation of the SRP/CS
• Better management of Functional Safety
An ISO 9001:2000 for the design of safety systems ???

Safety systems for Machines
• Machines can be dangerous!
• Most machines are controlled by logic – sequential etc.
• Most machines have one safe stop condition
• Category 0 or 1 (EN 60204-1)

Better machine systems?
• Acceptance of electronic equipment in safety systems
• Use of PLC's, Industrial Computers, etc.
• More complex safety requirements
[Diagram: CURRENT "PERIPHERAL" SAFETY ARCHITECTURE – a standard PLC runs the process part of the control loop, with a separate relay safety system acting on the machine. NEW "FUNCTIONAL SAFETY" ARCHITECTURE – a safety PLC (to ISO 65108) runs both the process (functional) control system and the safety related part of the control system (SRP/CS) for the machine.]

Better machine systems? Example with peripheral safety
• A machine with high inertia normally controlled by a speed controller with dynamic braking.
• Braking control lost when guard is opened
[Diagram: SET SPEED → SPEED CONTROLLER (START/STOP) → SAFETY CONTACTOR (C) → MOTOR → LOAD; GUARD SWITCH opens the safety contactor]

Better machine systems? Example with functional safety
• A machine with high inertia normally controlled by a speed controller with dynamic braking.
• Guard may not be opened until the motor has stopped
[Diagram: SET SPEED → SPEED CONTROLLER (START/STOP) → MOTOR → LOAD; MOTOR NOT TURNING signal releases the GUARD LOCK SOLENOID]

The Problem!
• I am a control systems engineer with 40 years in the industry working with safety related systems
• I am a Chartered Safety Practitioner
• I have tried to apply the Standards. I have spent many hours, days, even weeks trying to understand the requirements.

Which Standard to apply? The Banana Skin! Two Standards:
• EN 62061 Safety of Machinery – Functional safety of E/E/PE Control Systems. Scope – … specifies requirements and makes recommendations for the design, integration & validation of SRECS's for machines….
• prEN ISO 13849 Safety of Machinery – Safety related parts of Control Systems. Scope – … provides safety requirements & guidance on the principles for the design & integration of SRP/CS's including the design of application software….

The Banana Skin! Two Standards:
• EN 62061 Safety of Machinery – Functional safety of E/E/PE Control Systems. Safety requirements based on: SIL – Safety Integrity Levels, SIL1 (lowest) to SIL3 (highest possible for machinery)
• prEN ISO 13849 Safety of Machinery – Safety related parts of Control Systems. Safety requirements based on: PL – Performance Levels, PL = a (lowest) to PL = e (highest)

The Banana Skin! prEN ISO 13849 Safety of Machinery – Safety related parts of Control Systems
Lots of new words:
– PL – Performance Level
– MTTFd – Mean Time to Dangerous Failure
– DC – Diagnostic Coverage
– CCF – Common Cause Failure
– Category – Defining system architecture (as used in EN 954-1)
– SFF – Safe failure fraction

The Banana Skin! Performance Level (PL)
[Risk graph: from Start, branch on Severity of Injury (S1 – Slight, S2 – Serious), then Frequency of exposure (F1 – Seldom, F2 – Frequent), then Possibility of avoiding (P1 – Possible, P2 – Scarcely possible); each path ends at the required PL, a to e.]

The Banana Skin! Mean Time to Dangerous Failure (MTTFd)
• Reliability
• But what about: Operating Cycle? etc.
• To make any sense of MTTFd for a safety related part of a control system, it must be related to the demand placed upon it!
• Some safety relay manufacturers are claiming MTTFd of: 650 years (on a 7000 uses/year) and 950 years (on a 4000 uses/year)

The Banana Skin! Diagnostic Coverage (DC)
DC is given in 4 levels:
– None: DC < 60%
– Low: DC = 60% to <90%
– Medium: DC = 90% to <99%
– High: DC > 99%
But how do you determine DC%?
• What is the DC% of a relay with forced driven contacts?
• What is the DC% of a relay with forced driven contacts with a monitoring contact?
• What is the DC% of an Emergency Stop Button with redundant contacts?
• What is the DC of its associated wiring?
• etc.

The Banana Skin! Put it all together
Determination of required performance and how to achieve it!
[Chart: Category (B, 1, 2, 3, 4) against MTTFd of each channel (Low, Med, High) gives the PL achieved, from a (LOW RISK) to e (HIGH RISK). DCavg required per category: B – None, 1 – None, 2 – Low/Med, 3 – Low/Med, 4 – High. CCF: not relevant for B and 1; 65% or better for 2, 3 and 4.]

The Banana Skin! Verification of the system design!
A few examples of the formulas to be applied to each channel of a SRP/CS:
• The MTTFd for each channel must be calculated (parts count, in years):
$$\frac{1}{MTTF_d} = \sum_j \frac{n_j}{MTTF_{d,j}}$$
• The MTTFd for each system must be calculated (two channels combined):
$$MTTF_d = \frac{2}{3}\left[MTTF_{d,ch1} + MTTF_{d,ch2} - \frac{1}{\dfrac{1}{MTTF_{d,ch1}} + \dfrac{1}{MTTF_{d,ch2}}}\right]$$
• The average diagnostic coverage for each system must be calculated:
$$DC_{avg} = \frac{\dfrac{DC_1}{MTTF_{d1}} + \dfrac{DC_2}{MTTF_{d2}} + \dots + \dfrac{DC_n}{MTTF_{dn}}}{\dfrac{1}{MTTF_{d1}} + \dfrac{1}{MTTF_{d2}} + \dots + \dfrac{1}{MTTF_{dn}}}$$

The Banana Skin! but is there a flaw?
Using the formula to determine the average Diagnostic Coverage for a system:
$$DC_{avg} = \frac{\dfrac{DC_1}{MTTF_{d1}} + \dfrac{DC_2}{MTTF_{d2}} + \dots + \dfrac{DC_n}{MTTF_{dn}}}{\dfrac{1}{MTTF_{d1}} + \dfrac{1}{MTTF_{d2}} + \dots + \dfrac{1}{MTTF_{dn}}}$$
• If we add more diagnostics the average is degraded!
• A Category 4 system with more diagnostics can be downgraded to a Category 3 system
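The channel MTTFd, two-channel and DCavg formulas from the verification slide, worked in Python as an added example that is not part of the original presentation; it also reproduces the DCavg objection above on constructed component figures. The B10d relation that ties MTTFd to demand (the point raised on the MTTFd slide) and the ISO 13849-1 annex references are taken from the standard, not from the slides.

```python
"""ISO 13849-1 reliability arithmetic for a safety-related part of a control system (SRP/CS).
Formulas: Annex C (MTTFd from B10d, an assumption not on the slide), Annex D (channel
MTTFd, two-channel symmetrisation) and Annex E (DCavg). All component figures are constructed."""


def mttfd_from_b10d(b10d_cycles: float, ops_per_year: float) -> float:
    """Relate MTTFd (years) to demand: MTTFd = B10d / (0.1 * n_op), n_op in operations/year."""
    return b10d_cycles / (0.1 * ops_per_year)


def channel_mttfd(parts: list[tuple[float, int]]) -> float:
    """Parts count for one channel: 1/MTTFd = sum(n_j / MTTFd_j); parts = (MTTFd_j, n_j)."""
    return 1.0 / sum(n / m for m, n in parts)


def symmetrised_mttfd(ch1: float, ch2: float) -> float:
    """Two redundant channels to one system value: (2/3) * [ch1 + ch2 - 1 / (1/ch1 + 1/ch2)]."""
    return (2.0 / 3.0) * (ch1 + ch2 - 1.0 / (1.0 / ch1 + 1.0 / ch2))


def dc_avg(parts: list[tuple[float, float]]) -> float:
    """DC weighted by dangerous failure rate: sum(DC_i/MTTFd_i) / sum(1/MTTFd_i); parts = (MTTFd_i, DC_i)."""
    return sum(dc / m for m, dc in parts) / sum(1.0 / m for m, _ in parts)


def dc_band(dc: float) -> str:
    """DC levels from the slide: None < 60%, Low 60-<90%, Medium 90-<99%, High 99% and above."""
    dc = round(dc, 6)  # avoid float noise exactly at a band edge
    if dc < 0.60:
        return "None"
    if dc < 0.90:
        return "Low"
    if dc < 0.99:
        return "Medium"
    return "High"


def diagnostics_degrade_dcavg() -> tuple[str, str]:
    """Reproduce the slide's objection: adding a partly monitored diagnostic device to a
    channel of fully monitored parts pulls DCavg down one band."""
    channel = [(100.0, 0.99), (200.0, 0.99)]  # constructed guard switch, contactor: (MTTFd y, DC)
    before = dc_band(dc_avg(channel))
    # Constructed monitoring relay, MTTFd 400 y, whose own faults are only 60% detected.
    after = dc_band(dc_avg(channel + [(400.0, 0.60)]))
    return before, after


if __name__ == "__main__":
    print(mttfd_from_b10d(1_000_000, 7000), mttfd_from_b10d(1_000_000, 4000))
    print(channel_mttfd([(100.0, 1), (200.0, 1)]), symmetrised_mttfd(100.0, 50.0))
    print(diagnostics_degrade_dcavg())
```

The same constructed B10d figure yields a different MTTFd at 7000 and at 4000 operations a year, which is why an MTTFd quoted without its demand rate cannot be compared with another.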

And the reaction of most Machine System builders:- …
And the result:- UNSAFE MACHINERY!

The principle of Functional Safety is to be welcomed.
The objective is:- SAFE MACHINERY!
To achieve this the Standards must:
✓ Be clear
✓ Non-conflicting
but above all:
✓ Workable

Thank you for your attention
Robin J Carver MIEE MInstMC CMIOSH MIIRSM