By Matthias Haynl, TÜV Rheinland
This article by Matthias Haynl, Manager of Functional Safety, TÜV Rheinland, introduces the fundamental aspects of functional safety for machinery and addresses the changing requirements in the European Union and the U.S.
In the past, industrial machinery safety functions such as e-stop were hardwired, and the failure modes and failure data of these components, such as relays, were very well known. The applicable standards were EN954-1:1996 (Safety of Machinery—Safety Related Parts of Control Systems) for Europe and NFPA 79:1997 (Electrical Safety for Industrial Machinery) for the U.S. Additionally, complex components such as microcontrollers or microprocessors were not considered or allowed to be involved in the performance of the safety functions.
Prior to the changes in the standards, the number of devices used to implement and perform a safety function was not a factor as long as all of the devices belonged to the same safety category. With technology moving forward and complex components, such as microcontrollers or microprocessors, becoming integrated in safety systems, the fault behavior becomes considerably more complex. When the failure modes and the failure data are not well defined and the fault conditions cannot be determined completely, the possibility of incorrect functioning of these new technologies has to be addressed explicitly.
Traditional safety assessments such as electrical safety are not sufficient to cover all of the safety-relevant aspects of today's technologies. As a result, functional safety, the assessment of whether the components or systems that perform a safety function actually reduce the hazard as intended, is a critical item to be addressed.
IEC 61508 was introduced in 1999 as the basic standard for functional safety. It is a comprehensive standard composed of seven parts. Parts 1-4 are normative, and parts 5-7 are informative. See sidebar, IEC 61508—The Basic Standard for Functional Safety.
IEC 61508 is the basic functional safety standard for designers of functional-safety-related devices and system integrators of safety-related systems. The IEC 61508 standard is application-independent but technology-dependent. Under the scope of IEC 61508 are electrical, electronic and programmable electronic (E/E/PE) safety-related systems. The standard is written in such a way that it can be used as a framework for other technologies, as well.
IEC 61508 addresses the functional hazards of new technological advances. One major feature of this standard is that it explicitly considers the possible occurrence of a dangerous failure and its causes. Dangerous failures might arise from:
- Incorrect specifications of the system, hardware or software
- Omissions in the safety requirements specification
- Random hardware failure mechanisms
- Systematic hardware failure mechanisms
- Software errors
- Common cause failures
- Human error
- Environmental influences such as electromagnetic, temperature, mechanical phenomena
- Supply system voltage disturbances such as loss of supply, reduced voltages, re-connection of supply.
Standards in Relationship
Overall, there are similarities to the EU and U.S. approaches with regard to the safety loop and the risk-based approach. The following table shows the advantages and weaknesses of the standards discussed in this article.
IEC 61508 contains requirements for preventing failures by avoiding the introduction of faults and for controlling failures by ensuring safety even when faults are present. Additionally, the standard provides new requirements for a product's overall safety lifecycle. This takes into consideration every phase of a product from initial concept to final decommissioning or disposal.
The IEC 61508 standard uses a risk-based approach to determine the safety integrity requirements of safety-related electrical/electronic/programmable electronic systems. The probability approach targets random hardware faults that could be dangerous and, if undetected, result in the loss of the safety function.
IEC 61508 specifies four discrete safety integrity levels (SILs), which are levels of safety performance for a safety function. SIL 1 is the lowest level of safety integrity, and SIL 4 is the highest level. The requirements to achieve safety integrity at the higher levels are more stringent than at the lower levels.
One attribute of the SIL classification to note is the dangerous failure probability. System integrators of safety-related functions have to consider all devices and components implemented to perform the safety function and to ensure that the dangerous failure probability corresponds to the targeted SIL. Hence, it is important to know how many devices are used to implement and perform the safety function, and the manufacturer of safety-related devices has to determine the specific safety parameters.
Another focus of IEC 61508 is the overall safety lifecycle, the corresponding E/E/PE system safety lifecycle and the software safety lifecycle. The purpose of this approach is to avoid systematic faults during the design and development, installation and commissioning, operation, maintenance and modification of the safety-related equipment and systems. Systematic faults can occur in either hardware or software designs. Measures and techniques to avoid and control them are specified in IEC 61508-2 and IEC 61508-3. To address the functional safety requirements across the overall safety, E/E/PE system safety and software safety lifecycles, IEC 61508-1 requires effective management of functional safety (MFS). The MFS covers responsibilities, procedures and activities with respect to the overall safety, E/E/PE system safety and software safety lifecycles.
Functional Safety Requirements for Industrial Machinery in Europe
The basic functional safety standard IEC 61508, or EN 61508, is not a harmonized European standard. That means compliance with it alone does not give a presumption of conformity for CE marking. To comply with the Machinery Directive's requirements, the harmonized standards EN 62061:2005 and EN ISO 13849-1:2008 are the most relevant from the functional safety point of view.
The harmonized European standard EN 62061:2005 (Safety of machinery—Functional safety of safety-related electrical, electronic and programmable electronic control systems) is driven by IEC 61508 and makes recommendations for the design, integration and validation of safety-related E/E/PE systems for industrial machines. EN 62061:2005 has the same safety classifications—SILs—as IEC 61508, except that SIL 4 is not considered as relevant to the risk reduction requirements normally associated with machinery. The main focus of the EN 62061:2005 is the safety function—from specification to validation. The standard requires a complete functional safety assessment in reference to IEC 61508 for complex systems or sub-systems.
It is also important to note that the application-dependent standard EN 62061:2005 also specifies increased severity levels for EMC testing. The standard makes references to general electrical safety requirements for machinery, for example, protection against electric shock, EN 60204-1.
The harmonized European standard EN ISO 13849-1:2008 (Safety of machinery—Safety-related parts of control systems) combines the probabilistic method from IEC 61508 with the deterministic category approach from EN 954-1 on the basis of the risk assessment. The safety classifications of EN ISO 13849-1:2008 are performance levels (PLs), where PL a is the lowest level and PL e the highest. The simplified procedure under EN ISO 13849-1:2008 considers the relevant parameters and architectures to provide a practical assessment solution for machinery safety. The simplified procedure can be used only for the designated architectures described in the standard.
The requirements of EN ISO 13849-1:2008 and EN 62061:2005 are to some extent identical and to some extent complementary. A review of the scope or introduction of each standard will show which of the two is best applicable. Any remaining ambiguity can be clarified with the test institute.
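To illustrate the point made above about the dangerous failure probability of a safety function and the number of devices involved (and the relationship between the SIL bands of IEC 61508/EN 62061 and the PL bands of EN ISO 13849-1), the following Python script is an added example and is not part of the original article or any TÜV Rheinland tool. It sums the per-subsystem PFH_D values of a safety function, as EN 62061 does for subsystems in series, and maps the result to a SIL band and a PL band. The SIL and PL band limits are the published ones from IEC 61508-1 (high-demand mode) and EN ISO 13849-1; the device names, PFH_D values and SIL claim limits in the sample function are constructed for illustration only and are not manufacturer data.

```python
"""Added example: combine per-device dangerous failure rates of a machinery
safety function and classify the result against SIL and PL bands.
Band limits follow IEC 61508-1 (high demand / continuous mode) and
EN ISO 13849-1. Device data below is constructed, not real product data."""
from dataclasses import dataclass
from typing import List, Optional

# PFH_D bands: dangerous failures per hour, lower bound inclusive, upper
# bound exclusive. SIL 4 is listed for completeness; EN 62061 does not use it.
SIL_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]
# PL bands from EN ISO 13849-1 (PFH_D per hour).
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]


@dataclass(frozen=True)
class Subsystem:
    """One device in the safety loop, with the parameters the manufacturer
    has to supply: PFH_D and the SIL claim limit (SIL CL) of the device."""
    name: str
    pfh_d: float   # dangerous failures per hour
    sil_cl: int    # highest SIL this subsystem may be used for


def sil_from_pfh(pfh: float) -> Optional[int]:
    """Map a PFH_D value to a SIL. Rates below the SIL 4 band are still SIL 4
    (there is no higher level); rates above the SIL 1 band reach no SIL."""
    if pfh < SIL_BANDS[0][1]:
        return SIL_BANDS[0][0]
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfh < hi:
            return sil
    return None


def pl_from_pfh(pfh: float) -> Optional[str]:
    """Map a PFH_D value to a PL band. This shows only the probabilistic part
    of EN ISO 13849-1; the category/architecture requirements are not checked."""
    if pfh < PL_BANDS[0][1]:
        return PL_BANDS[0][0]
    for pl, lo, hi in PL_BANDS:
        if lo <= pfh < hi:
            return pl
    return None


def function_pfh(subsystems: List[Subsystem]) -> float:
    """PFH_D of the whole safety function: EN 62061 sums the subsystems
    (sensor, logic, actuator, ...) that the function is made of."""
    return sum(s.pfh_d for s in subsystems)


def function_sil(subsystems: List[Subsystem]) -> Optional[int]:
    """Achieved SIL: the band of the summed PFH_D, additionally capped by the
    lowest SIL claim limit of any subsystem in the loop."""
    by_pfh = sil_from_pfh(function_pfh(subsystems))
    if by_pfh is None:
        return None
    return min(by_pfh, min(s.sil_cl for s in subsystems))


# Constructed sample e-stop function (values invented for this example).
ESTOP = [
    Subsystem("e-stop button + input monitoring", 2.0e-8, sil_cl=3),
    Subsystem("safety PLC logic",                  3.0e-9, sil_cl=3),
    Subsystem("redundant contactors",             6.0e-8, sil_cl=2),
]
# Same function with one more device in the loop, e.g. a remote safety I/O
# module: the extra PFH_D alone moves the function down one band.
ESTOP_EXTENDED = ESTOP + [Subsystem("remote safety I/O module", 4.0e-8, sil_cl=3)]


def report(subsystems: List[Subsystem]) -> str:
    pfh = function_pfh(subsystems)
    return (f"{len(subsystems)} devices, PFH_D = {pfh:.2e}/h, "
            f"SIL {function_sil(subsystems)}, PL {pl_from_pfh(pfh)}")


if __name__ == "__main__":
    print(report(ESTOP))           # 3 devices: SIL 2 (capped by contactor SIL CL), PL e
    print(report(ESTOP_EXTENDED))  # 4 devices: SIL 2, PL d (PFH_D now above 1e-7/h)
```

The sample shows both effects the article describes: the summed PFH_D of the three-device loop (8.3e-8/h) falls in the SIL 3 band, yet the function only reaches SIL 2 because the contactor subsystem is claimed for SIL 2; adding a fourth device pushes the sum past 1e-7/h and drops the PL band from e to d. Real assessments also have to verify the architectural constraints (hardware fault tolerance, safe failure fraction or category and diagnostic coverage), which this example does not model.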
Functional Safety Requirements for Industrial Machinery in the U.S.
In the U.S., the mandatory requirements for certification and validation of safety systems designed for machinery safety are specified in the Code of Federal Regulations (CFR), published by the Occupational Safety and Health Administration (OSHA). 29 CFR 1910, Subpart O, specifies the minimum requirements for machinery and machine guarding, for example 29 CFR 1910.217 for presence-sensing devices on mechanical power presses or 29 CFR 1910.212 for general machine guarding.
Requirements can be found in 29 CFR 1910.217 for safe conditions in the event of any single failure. In addition, the term "control reliability" is specified and drives requirements regarding the design, validation and certification of safety-related systems. Of note is a requirement that an OSHA-recognized third-party validation organization shall be used to validate whether:
- The design of components, subsystems, software and assemblies meets OSHA performance requirements and are ready for the intended use
- The performance of combined subsystems meets OSHA's operational requirements.
Typical analysis methods like failure mode and effects analysis (FMEA) are referenced, as is the general approach of performing a risk evaluation and a hazard analysis. The probabilistic approach, as used under EN ISO 13849-1:2008 or EN 62061:2005, is not considered or required under the OSHA requirements at this point in time; however, the deterministic approach regarding system architecture and fault behavior is similar to the EN 954-1:1996 requirements. Application-dependent standards for the U.S. would be ANSI B11.19:2003 (Performance Criteria for Safeguarding) or NFPA 79:2007 (Electrical Standard for Industrial Machinery).
It is clear that machinery components and safety functions will become more complex and sophisticated. In the future, we will see the use of intelligent and distributed control logic to perform safety functions, such as an intelligent safety zone around hazardous areas or objects. We also will see new communication media such as wireless technology in the safety loop, simply to reduce wiring and provide more mobility and flexibility. The use of safety communication buses is already the de facto standard today, even for simple sensors or actuators.
Functional safety requirements are mandatory for machinery safety in Europe. Yet, it also is wise to consider these requirements for machinery in North America. It is likely that updates to related standards are going to cover new approaches and technological advancements to address overall functional safety hazards.
Matthias Haynl, manager of functional safety, has been working with TÜV Rheinland's Functional Safety Division since 2003. He has experience in the testing and assessment of safety-related systems of power plants, nuclear power plants, processing machinery and industrial machinery. Haynl has led workshops and training seminars in both German and English on hardware and software design according to IEC 61508. He can be reached at email@example.com.