By Matthias Haynl, TÜV Rheinland
This article by Matthias Haynl, Manager of Functional Safety, TÜV Rheinland, presents the relevant aspects of functional safety for machinery from a fundamental point of view and addresses the changing requirements of the European Union and the U.S.
In the past, industrial machinery safety functions such as e-stop were hardwired, and the failure modes and failure data of these components, such as relays, were very well known. The applicable standards were EN954-1:1996 (Safety of Machinery—Safety Related Parts of Control Systems) for Europe and NFPA 79:1997 (Electrical Safety for Industrial Machinery) for the U.S. Additionally, complex components such as microcontrollers or microprocessors were not considered or allowed to be involved in the performance of the safety functions.
Prior to the changes in the standards, the number of devices used to implement and perform safety functions was not a factor as long as the particular devices had the same safety category. With technology moving forward and complex components, for example microcontrollers or microprocessors, becoming integrated in safety systems, the fault behavior becomes more complex. When the failure modes and the failure data are not well defined and the fault conditions cannot be determined completely, the incorrect functioning of these new technologies has to be addressed.
Traditional safety assessments such as electrical safety are not sufficient to cover all of the safety-relevant aspects of today's technologies. As a result, functional safety, which is an assessment of the components or systems that impact functional hazards, is a critical item to be addressed.
IEC 61508 was introduced in 1999 as the basic standard for functional safety. It is a comprehensive standard composed of seven parts. Parts 1-4 are normative, and parts 5-7 are informative. See sidebar, IEC 61508—The Basic Standard for Functional Safety.
IEC 61508 is the basic functional safety standard for designers of functional-safety-related devices and system integrators of safety-related systems. The IEC 61508 standard is application-independent but technology-dependent. Under the scope of IEC 61508 are electrical, electronic and programmable electronic (E/E/PE) safety-related systems. The standard is written in such a way that it can be used as a framework for other technologies, as well.
IEC 61508 addresses the functional hazards of new technological advances. One major new feature of this standard is that it considers the possible occurrence of a dangerous failure. Dangerous failures might arise from:
- Incorrect specifications of the system, hardware or software
- Omissions in the safety requirements specification
- Random hardware failure mechanisms
- Systematic hardware failure mechanisms
- Software errors
- Common cause failures
- Human error
- Environmental influences such as electromagnetic, temperature, mechanical phenomena
- Supply system voltage disturbances such as loss of supply, reduced voltages, re-connection of supply.
Standards in Relationship
Overall, there are similarities to the EU and U.S. approaches with regard to the safety loop and the risk-based approach. The following table shows the advantages and weaknesses of the standards discussed in this article.
IEC 61508 contains requirements for preventing failures by avoiding the introduction of faults and for controlling failures by ensuring safety even when faults are present. Additionally, the standard provides new requirements for a product's overall safety lifecycle. This takes into consideration every phase of a product from initial concept to final decommissioning or disposal.
The IEC 61508 standard uses a risk-based approach to determine the safety integrity requirements of safety-related electrical/electronic/programmable electronic systems. The probability approach targets random hardware faults that could be dangerous and, if undetected, result in the loss of the safety function.
IEC 61508 specifies four discrete safety integrity levels (SILs), that is, levels of safety performance for a safety function. SIL 1 is the lowest level of safety integrity, and SIL 4 is the highest level. The requirements for achieving safety integrity at the higher levels are more rigorous than those for the lower levels.
One attribute of the SIL classification to note is the dangerous failure probability. System integrators of safety-related functions have to consider all devices and components implemented to perform the safety function and ensure that the combined dangerous failure probability corresponds to the targeted SIL. Hence, it is important to know how many devices are used to implement and perform the safety function, and the manufacturer of each safety-related device has to determine and publish its specific safety parameters.
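As an added illustration of this point (example code, not from the article or from TÜV Rheinland), the Python below sums the per-device dangerous failure rates of a safety loop and maps the total to an IEC 61508 SIL band. The band limits are those of IEC 61508-1 for high-demand/continuous mode (average frequency of a dangerous failure per hour, PFH); the device PFH values are constructed for the example and do not come from any datasheet.

```python
"""Loop-level PFH assessment for a machinery safety function.

IEC 61508-1 PFH bands, high-demand / continuous mode (dangerous failures per hour):
  SIL 4: 1e-9 <= PFH < 1e-8    SIL 3: 1e-8 <= PFH < 1e-7
  SIL 2: 1e-7 <= PFH < 1e-6    SIL 1: 1e-6 <= PFH < 1e-5
A single safety function cannot claim better than SIL 4, so anything below
1e-8 is reported as SIL 4.  Device values below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Upper (exclusive) PFH limit of each SIL band, from IEC 61508-1.
SIL_UPPER_LIMITS = ((4, 1e-8), (3, 1e-7), (2, 1e-6), (1, 1e-5))


@dataclass(frozen=True)
class Device:
    name: str
    pfh: float  # manufacturer-stated average frequency of dangerous failure per hour


def sil_for_pfh(pfh: float) -> Optional[int]:
    """Return the SIL whose band contains pfh, or None if pfh >= 1e-5 (no SIL)."""
    for sil, upper in SIL_UPPER_LIMITS:
        if pfh < upper:
            return sil
    return None


def loop_pfh(devices: Iterable[Device]) -> float:
    # Every device in the loop (sensor, logic solver, final element, any
    # additional contactor or valve) contributes its own PFH to the function.
    return sum(d.pfh for d in devices)


def assess(devices: Iterable[Device], target_sil: int) -> Tuple[float, Optional[int], bool]:
    """Return (loop PFH, achieved SIL, whether the target SIL is met)."""
    total = loop_pfh(devices)
    achieved = sil_for_pfh(total)
    return total, achieved, achieved is not None and achieved >= target_sil


# Constructed loop: each device on its own sits inside the SIL 2 band.
BASE_LOOP = (Device("light curtain", 3e-7), Device("safety PLC", 2e-7), Device("contactor A", 4e-7))
# Same loop with one more SIL 2-rated final element added in series.
EXTENDED_LOOP = BASE_LOOP + (Device("contactor B", 2e-7),)

if __name__ == "__main__":
    for label, loop in (("base", BASE_LOOP), ("extended", EXTENDED_LOOP)):
        total, achieved, ok = assess(loop, target_sil=2)
        print(f"{label}: PFH={total:.2e} achieved=SIL {achieved} target SIL 2 met={ok}")
```

Adding a fourth device that is itself SIL 2-capable pushes the loop total to 1.1e-6 and drops the achieved SIL to 1, which is why the integrator must count every device in the function rather than rely on the rating of each one.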
Another focus of IEC 61508 is the overall safety lifecycle, the corresponding E/E/PE system safety lifecycle and the software safety lifecycle. The purpose of this approach is to avoid systematic faults during the design and development, installation and commissioning, operation, maintenance and modification of the safety-related equipment and systems. Systematic faults can occur in either hardware or software designs. Measures and techniques to avoid and control them are specified in IEC 61508-2 and IEC 61508-3. To address the functional safety requirements across the overall safety, E/E/PE system safety and software safety lifecycles, IEC 61508-1 requires an effective management of functional safety (MFS). The MFS covers responsibilities, procedures and activities with respect to the overall safety, E/E/PE system safety and software safety lifecycles.