Understanding Machine Safety Standards

A review of the changes happening with standards relevant to machine safety: the switch from prescriptive to performance-based standards.

Uploaded by RdW992049RdW. Licence: Attribution Non-Commercial (BY-NC).

Machine Safety Standards

EN954 | ISO13849 | IEC62061

Defining Best Practice in Process & Machine Safety


Philosophy

Machine Safety is about the reduction of risk.

In the real world there is no such thing as zero risk in technology. So the aim is to reduce risk to a tolerable level.

If safety depends on control systems, these must be designed for a low probability of functional failure. If this is not possible then errors that occur shall not lead to the loss of the safety function.

To help meet this requirement harmonised standards have been created, and complying with these standards is the simplest way to demonstrate risk reduction so far as reasonably practicable.

[Figure: risk reduction bar chart with the labels Risk, Inherent Risk, Safeguards, Residual Risk, Tolerable Risk and Risk Reduction Required]

ISO 13849-1 | IEC 62061



Scope of Machine Safety Standards

EN954-1 has been the dominant standard in Machine Safety

EN 954-1 employs a deterministic approach which uses an estimate of risk in terms of Categories, which determine a Class of control to achieve an appropriate system behaviour and performance.

With the advent of more complex controls, especially programmable controls, safety can no longer be adequately measured in the simple Category system found in EN 954-1.

The probability of failure (failure modes and failure rates) of the more complex safety controls is not addressed in EN 954-1, and requires a probabilistic approach to evaluating performance.

EN 954-1 will be succeeded by ISO 13849-1 on 29 Dec 2009.

Update Jan 2010: EN 954-1 validity to be extended until 31 Dec 2011



Scope of Machine Safety Standards

ISO 13849-1 will take the place of EN 954-1

The standard is applied to Safety-Related Parts of Control Systems (SRP/CS) and all types of machinery regardless of the technology and energy employed (electrical, hydraulic, mechanical, pneumatic).

There are also special requirements within ISO 13849-1 for SRP/CS using programmable electronic systems.

IEC 62061 is a ‘competing’ standard derived from IEC 61508

The standard defines the requirements and gives recommendations for the design, integration and validation of Safety-Related Electrical, Electronic, and Programmable Electronic control systems (SRECS) for machinery.

It does not define requirements for the performance of non-electrical (e.g. hydraulic, mechanical, pneumatic) safety-related control elements for machinery.



Context

Context of Current Standards (diagram)

Safety of Systems and Equipment

  Process                                                   | Machines
  IEC 61508                                                 | EN 954-1
  Functional safety of Electrical/Electronic/Programmable   | Safety related parts of control systems
  Electronic safety-related systems                         |

  IEC 61511                   | IEC 61508-3 | IEC 62061                   | ISO 13849-1:2006
  Process                     | Software    | Machinery                   | Machinery
  (Electrical, Electronic and |             | (Electrical, Electronic and | (All Technologies)
  Programmable Technology)    |             | Programmable Technology)    |



Overview of ISO 13849-1

Builds on the familiar Categories from EN 954-1.

Goes beyond the qualitative approach of EN 954-1 to include a quantitative assessment of the safety function.

It examines complete safety functions, including all the components involved in their design.

A (qualitative) risk assessment process produces a performance requirement, called the Performance Level requirement (PLr), for each safety function. This builds on the requirements of Categories, and is based on the designated architecture and designated mission time.

Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.

The Performance Level of each safety function must be verified, and examples of calculation are provided in the standard.



Overview of IEC 62061

Represents a sector-specific standard under IEC 61508.

It is based on a Lifecycle concept, and covers only electric, electronic and programmable electronic control systems on machinery.

A (qualitative) risk assessment process produces a performance level requirement, called the Safety Integrity Level (SIL), for each safety function.

Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.

The Performance Level of each safety function must be verified, and examples of calculation are provided in the standard.



Choice of Standard

Which Standard should I follow?

- In general terms, if you are familiar with the use of the Categories from EN 954-1 and use relatively straightforward conventional safety functions then ISO 13849-1 (PLs) is probably the best choice.
- If you are specifically required to use SIL, or if your application uses complex multi-conditional safety functionality then IEC 62061 may be the most suitable.
- Keep in mind that ISO 13849-1 covers all technologies whereas IEC 62061 only covers electrical and electronic systems.

Holistic Approach

- Whichever standard is chosen, a holistic Safety Strategy (risk management process) must be followed to ensure that the performance of the safety functions can be directly linked to the risk reduction requirements determined during Hazard Identification and Risk Assessment activities.



User Safety Strategy

User Safety Strategy:

- Identify all Machines
- Determine Machine Limits (each machine)
- Identify Tasks (each machine)

Risk Assessment:
- Identify Hazards (each task)
- Estimate Risk (each hazard)
  - Severity of potential injury
  - Probability of its occurrence
    - Frequency of exposure
    - Probability of injury

Risk Control:
- Reduce Risk (each hazard)
  - Eliminate or reduce
  - Install protective equipment
  - Procedures / training / PPE
- Determine the required performance: Cat/PLr/SIL (each safety function)
- Design Safety Functions (vendor|integrator)
- Evaluation (each safety function)

EN 1050 | ISO 14121
Risk Assessment – ISO 13849-1

ISO 13849-1 Risk Assessment

Risk Graph from Annex A of EN ISO 13849-1; the path chosen through S, F and P gives the PLr:

Severity of Injury
  S1 Slight (normally reversible injury)
  S2 Serious (normally irreversible) injury including death

Frequency and/or Exposure Time to the Hazard
  F1 Seldom to less often and/or the exposure time is short
  F2 Frequent to continuous and/or the exposure time is long

Possibility of Avoiding the Hazard or Limiting the Harm
  P1 Possible under specific conditions
  P2 Scarcely possible

+
Verification of Performance Level (PL) required for each safety function



Performance Level Verification

ISO 13849-1
Factors to consider when verifying performance (PL) of each safety function:

  Element for PLr | Consideration
  Cat             | Category (Structure)
  MTTFd           | Mean Time To Dangerous Failure
  DC              | Diagnostic Coverage
  CCF (β)         | Susceptibility to Common Cause Failure
  Tm              | Mission Time
  B10d            | For elements that suffer from wear: mean number of cycles until 10% of components fail dangerously (to calculate the MTTFd of components)

[The Risk Graph from Annex A of EN ISO 13849-1 (S1/S2, F1/F2, P1/P2) is repeated alongside; see the previous slide.]



Performance Level Verification

PL Verification

[Figure: Determination of PL from Figure 6 of ISO 13849-1. Vertical axis: Performance Level (PL) a to e. Horizontal axis: Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium), Category 4 (DCavg = high). Bars shaded for MTTFd = low, MTTFd = medium and MTTFd = high.]



Performance Level Verification (simplified)

PL Verification (simplified)

[Figure: Simplified Determination of PL from Table 7 of ISO 13849-1. Rows: MTTFd = low, MTTFd = medium, MTTFd = high. Columns: Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium), Category 4 (DCavg = high). Cells give the Performance Level (PL) a to e.]



Risk Assessment – IEC 62061

IEC 62061 Risk Assessment

Frequency & Duration (Fr):
  ≤ 1 hr          | 5
  > 1 hr ≤ 1 day  | 5
  > 1 day ≤ 2 wk  | 4
  > 2 wk ≤ 1 yr   | 3
  > 1 yr          | 2

Probability of Hazard Event (Pr):
  Very High   | 5
  Likely      | 4
  Possible    | 3
  Rarely      | 2
  Negligible  | 1

Avoidance (Av):
  Impossible  | 5
  Possible    | 3
  Likely      | 1

Cl = Fr + Pr + Av

Severity (Se) against Class (Cl); each cell gives the SIL requirement (OM = other measures recommended; an empty cell has no entry):

  Consequence                   | Se | Cl 3-4 | Cl 5-7 | Cl 8-10 | Cl 11-13 | Cl 14-15
  Death, losing an eye or arm   | 4  | SIL 2  | SIL 2  | SIL 2   | SIL 3    | SIL 3
  Permanent, losing fingers     | 3  |        | OM     | SIL 1   | SIL 2    | SIL 3
  Reversible, medical attention | 2  |        |        | OM      | SIL 1    | SIL 2
  Reversible, first aid         | 1  |        |        |         | OM       | SIL 1

Tables from Annex A of IEC 62061

+
Verification of performance required (SIL) for each safety function



Risk Estimation – IEC 62061

Risk Assessment Form



Risk Estimation – IEC 62061

Estimate the Frequency of Exposure

Table A.2 – Frequency and duration of exposure (Fr) Classification

  Frequency of exposure (duration > 10 min) | Fr
  ≤ 1 h                                     | 5
  > 1 h to ≤ 1 day                          | 5
  > 1 day to ≤ 2 weeks                      | 4
  > 2 weeks to ≤ 1 year                     | 3
  > 1 year                                  | 2



Risk Estimation – IEC 62061

Estimate the Probability of Occurrence

Table A.3 – Probability (Pr) Classification

  Probability of Occurrence | Pr
  Very high                 | 5
  Likely                    | 4
  Possible                  | 3
  Rarely                    | 2
  Negligible                | 1
Risk Estimation – IEC 62061

Estimate the Probability of Avoiding or Limiting Harm

Table A.4 – Probability of avoiding or limiting harm (Av) Classification

  Probability of Avoidance | Av
  Impossible               | 5
  Rarely                   | 3
  Probable                 | 1



Risk Estimation – IEC 62061

Estimate the Severity of the Consequence

Table A.1 – Severity (Se) Classification

  Consequences                                                | Se
  Irreversible: death, losing an eye or arm                   | 4
  Irreversible: broken limb(s), losing finger(s)              | 3
  Reversible: requiring attention from a medical practitioner | 2
  Reversible: requiring first aid                             | 1



Risk Estimation – IEC 62061

Determining the SIL Requirement

Example row from the risk assessment form:

  1 | 1 | CRUSHING | Se 3 | Fr 5 | Pr 5 | Av 3 | Cl 13 | 5 + 5 + 3 = 13
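An added Python example, not a tool from these slides, that scores a hazard with the Annex A tables above (Cl = Fr + Pr + Av) and reads the SIL requirement from the Se/Cl matrix as transcribed here; the crushing hazard from the form row is the sample input, and the score validation is this example's own addition:

```python
"""IEC 62061 Annex A SIL assignment: added example, not the slide deck's own tool.

Cl = Fr + Pr + Av; the SIL requirement is read from the Se / Cl matrix as shown on
the slides ("OM" = other measures recommended, None = no entry in the matrix).
"""

# Class bands of the matrix columns: 3-4, 5-7, 8-10, 11-13, 14-15
CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))

# One row per severity Se, one entry per Cl band, in the order of CL_BANDS
SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: (None, "OM", "SIL 1", "SIL 2", "SIL 3"),
    2: (None, None, "OM", "SIL 1", "SIL 2"),
    1: (None, None, None, "OM", "SIL 1"),
}

# Scores the Annex A tables actually issue (Av has no 2 or 4, Fr has no 1)
ALLOWED = {"Se": {1, 2, 3, 4}, "Fr": {2, 3, 4, 5}, "Pr": {1, 2, 3, 4, 5}, "Av": {1, 3, 5}}


def check_score(name, value):
    """Reject a score that no Annex A table can produce (a common form-filling slip)."""
    if value not in ALLOWED[name]:
        raise ValueError(f"{name}={value} is not a value issued by the Annex A tables")
    return value


def hazard_class(fr, pr, av):
    """Cl = Fr + Pr + Av after validating each score."""
    return sum(check_score(n, v) for n, v in (("Fr", fr), ("Pr", pr), ("Av", av)))


def required_sil(se, fr, pr, av):
    """Return (Cl, requirement) for a hazard scored Se / Fr / Pr / Av."""
    check_score("Se", se)
    cl = hazard_class(fr, pr, av)
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return cl, SIL_MATRIX[se][column]
    raise RuntimeError("unreachable: validated scores always give 4 <= Cl <= 15")


if __name__ == "__main__":
    # The crushing hazard from the slide's form: Se 3, Fr 5, Pr 5, Av 3
    print(required_sil(3, 5, 5, 3))
```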



SIL Verification – IEC 62061

IEC 62061
Factors to consider when verifying performance (SIL) of each safety function:

  Element for SIL | Consideration
  PFHd            | Probability of Dangerous Failure per Hour
  DC              | Diagnostic Coverage
  β               | Susceptibility to Common Cause Failure
  T1              | Lifetime
  T2              | Diagnostic Test Interval
  HFT             | Hardware Fault Tolerance
  SFF             | Safe Failure Fraction
  λ               | Failure rate; or
  B10d            | For elements suffering from wear

[The Fr, Pr, Av and Se/Cl tables from Annex A of IEC 62061 are repeated alongside; see the IEC 62061 Risk Assessment slide.]



SIL Verification

SIL Verification (simplified)

Safety Instrumented Function (SIF):

  Sensor    | Logic Solver | Final Element
  Subsystem | Subsystem    | Subsystem
  PFHd(s)   | PFHd(ls)     | PFHd(fe)

PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe)

[Scale: PFHd 10^-5 | 10^-6 | 10^-7 | 10^-8, with the bands na | SIL 1 | SIL 2 | SIL 3]



PL : SIL Relationship

Relationship between PL and SIL

  Performance Level | Probability of a dangerous failure per hour (PFHd) | Safety Integrity Level
  ISO 13849-1       |                                                     | IEC 62061
  a                 | 10^-5 ≤ PFHd < 10^-4                                | na
  b                 | 3×10^-6 ≤ PFHd < 10^-5                              | 1
  c                 | 10^-6 ≤ PFHd < 3×10^-6                              | 1
  d                 | 10^-7 ≤ PFHd < 10^-6                                | 2
  e                 | 10^-8 ≤ PFHd < 10^-7                                | 3

[Scale: PFHd 10^-4 | 10^-5 | 10^-6 | 10^-7 | 10^-8, with the SIL bands na | SIL 1 | SIL 2 | SIL 3 and the PL bands (labelled "Cat" on the slide) a | b | c | d | e]
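An added Python example, not from the slides, that sums the subsystem PFHd values of a SIF as on the SIL Verification slide and places the total in the PL and SIL bands of the table above; the subsystem values are constructed sample numbers, and the treatment of values below 10^-8 is this example's own choice:

```python
"""PFHd verification of a safety function: added example, not the slide deck's tool.

PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe); the total is placed in the PL / SIL bands
of the relationship table (lower bound inclusive, upper bound exclusive).
"""

# (low, high, PL, SIL) exactly as in the PL : SIL relationship table; SIL None = "na"
PL_BANDS = (
    (1e-5, 1e-4, "a", None),
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
)
PL_ORDER = "abcde"  # PL e is the highest performance level


def pfhd_total(*subsystem_pfhd):
    """Sum the subsystem PFHd values (each a dangerous failure rate per hour, > 0)."""
    if not subsystem_pfhd:
        raise ValueError("at least one subsystem PFHd is required")
    if any(value <= 0 for value in subsystem_pfhd):
        raise ValueError("PFHd values must be positive rates per hour")
    return sum(subsystem_pfhd)


def classify(pfhd):
    """Return (PL, SIL) for a PFHd value.

    Below 10^-8 the table has no band; this example reports PL e / SIL 3 there
    since no higher PL exists. 10^-4 and above lies outside every band: (None, None).
    """
    if pfhd < PL_BANDS[-1][0]:
        return "e", 3
    for low, high, pl, sil in PL_BANDS:
        if low <= pfhd < high:
            return pl, sil
    return None, None


def verify(pl_required, *subsystem_pfhd):
    """PFHd side of PL verification against PLr: (total, PL, SIL, meets_plr).

    PFHd is necessary but not sufficient: Category, DCavg and CCF must still be met.
    """
    total = pfhd_total(*subsystem_pfhd)
    pl, sil = classify(total)
    meets_plr = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(pl_required)
    return total, pl, sil, meets_plr
```

Calling `verify("d", 3.5e-8, 1.2e-8, 4.0e-8)` with those constructed sensor, logic solver and final element values gives a total of about 8.7×10^-8, PL e, SIL 3, and meets PLr d.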



Summary

ISO 13849-1: 2006
- Simpler methodology
- Builds on Categories
- More constraints
- System based
- Applies to all technologies

IEC 62061
- Relatively complex methodology
- More flexibility
- Less constraints
- Simplified modularity via subsystems
- Only applies to electrical technology

Choosing ISO 13849-1: 2006
Can the system be designed simply using the designated architectures? or Will the system include technologies other than electrical? If the answer to either question is YES, it is probably most appropriate to use ISO 13849-1: 2006.

Choosing IEC 62061
Are there complex safety functions, e.g. depending on logic decisions? or Will the system require complex or programmable electronics to a high level of integrity? If the answer to either question is YES, it is probably most appropriate to use IEC 62061.



Benefits of Compliance

Compliance with Standards has Benefits:

As a Supplier:
- Compliance with relevant machine safety legislation.
- Easier entry into overseas markets.

As a Buyer:
- Knowledge that the machine is built with an adequate level of safety.
- The required safety performance is achieved: not too much (unnecessary cost), and not too little (doubt about safety).
- Reduced repair time, fewer unnecessary stoppages.

As a User/Operator:
- Knowledge that the machine is safe to work with, and provides a better operational work environment.
- More comfortable with the machine, higher productivity.
- Less waste material, and more consistent quality.



Moving Ahead

What should I do now?

- The ideal first step is to read both standards in order to understand their requirements and implications.
- Perhaps the most daunting aspect of both standards is the fact that they require calculations based on reliability data that the safety component manufacturers should supply.
- Help is available in the form of information booklets and software tools for calculations.
- The BGIA in Germany provides a comprehensive calculation tool for EN ISO 13849-1 called SISTEMA. It is available free from the BGIA website.

If you design and build machines and have used EN954-1 as a guidance standard to demonstrate compliance, you will be required to recertify your machine’s safety related control systems to new Functional Safety standards such as EN ISO 13849-1 or directly to the Machinery Directive.



Questions

THANK YOU
QUESTIONS?
ray.wright@fse-global.com