Machine Safety Standards

EN954 | ISO13849 | IEC62061

Defining Best Practice in Process & Machine Safety

Philosophy

Machine safety is about the reduction of risk. In the real world there is no such thing as zero risk in technology, so the aim is to reduce risk to a tolerable level. If safety depends on control systems, those systems must be designed for a low probability of functional failure; where that is not possible, faults that do occur must not lead to loss of the safety function. Harmonised standards have been created to help meet this requirement, and complying with them is the simplest way to demonstrate that risk has been reduced so far as is reasonably practicable.

Risk

(Figure: risk reduction. The inherent risk of the machine is reduced by safeguards to a residual risk, which must be at or below the tolerable risk; the gap between inherent risk and tolerable risk is the risk reduction required. The figure is labelled ISO 13849-1 and IEC 62061.)

Scope of Machine Safety Standards

EN 954-1 has been the dominant standard in machine safety. It employs a deterministic approach: an estimate of risk is expressed in terms of Categories, which determine the class of control needed to achieve the appropriate system behaviour and performance. With the advent of more complex controls, especially programmable controls, safety can no longer be adequately measured with the simple Category system of EN 954-1. The probability of failure (failure modes and failure rates) of these more complex safety controls is not addressed in EN 954-1 and requires a probabilistic approach to evaluating performance.

EN 954-1 will be succeeded by ISO 13849-1 on 29 Dec 2009.

Update Jan 2010: EN 954-1 validity to be extended until 31 Dec 2011


Scope of Machine Safety Standards

ISO 13849-1 will take the place of EN 954-1. The standard applies to Safety-Related Parts of Control Systems (SRP/CS) on all types of machinery, regardless of the technology and energy employed (electrical, hydraulic, mechanical, pneumatic). ISO 13849-1 also contains special requirements for SRP/CS that use programmable electronic systems.

IEC 62061 is a 'competing' standard derived from IEC 61508. It defines the requirements and gives recommendations for the design, integration and validation of Safety-Related Electrical, Electronic and Programmable Electronic Control Systems (SRECS) for machinery. It does not define performance requirements for non-electrical (e.g. hydraulic, mechanical, pneumatic) safety-related control elements of machinery.


Context of Current Standards

(Diagram of how the current standards relate, flattened here into a list.)

- Generic basis for the safety of systems and equipment: IEC 61508, Functional safety of Electrical/Electronic/Programmable Electronic safety-related systems; software is covered by IEC 61508-3.
- Process sector: IEC 61511.
- Machinery sector, electrical, electronic and programmable technology: IEC 62061.
- Machinery sector, all technologies: ISO 13849-1:2006, replacing EN 954-1, Safety related parts of control systems.


Overview of ISO 13849-1

- Builds on the familiar Categories from EN 954-1.
- Goes beyond the qualitative approach of EN 954-1 to include a quantitative assessment of each safety function. It examines complete safety functions, including all the components involved in their design.
- A (qualitative) risk assessment produces a performance requirement, the required Performance Level (PLr), for each safety function.
- The achieved performance builds on the requirements of the Categories and is based on the designated architectures and a designated mission time.
- Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.
- The Performance Level (PL) achieved by each safety function must be verified against its PLr; examples of the calculation are provided in the standard.


Overview of IEC 62061

- Represents a sector-specific standard under IEC 61508.
- Based on a lifecycle concept, and covers only electrical, electronic and programmable electronic control systems on machinery.
- A (qualitative) risk assessment produces a performance requirement, the required Safety Integrity Level (SIL), for each safety function.
- Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.
- The SIL achieved by each safety function must be verified against the requirement; examples of the calculation are provided in the standard.


Choice of Standard

Which standard should I follow?

- In general terms, if you are familiar with the use of the Categories from EN 954-1 and use relatively straightforward, conventional safety functions, then ISO 13849-1 (PLs) is probably the best choice.
- If you are specifically required to use SIL, or if your application uses complex, multi-conditional safety functionality, then IEC 62061 may be the most suitable.
- Keep in mind that ISO 13849-1 covers all technologies, whereas IEC 62061 only covers electrical and electronic systems.

Holistic Approach

Whichever standard is chosen, a holistic safety strategy (risk management process) must be followed, so that the performance of each safety function can be linked directly to the risk reduction requirements determined during the hazard identification and risk assessment activities.

User Safety Strategy

Risk assessment (EN 1050 | ISO 14121):

1. Identify all machines.
2. Determine the machine limits (each machine).
3. Identify the tasks (each machine).
4. Identify the hazards (each task).
5. Estimate the risk (each hazard), from:
   - the severity of the potential injury;
   - the probability of its occurrence, i.e. the frequency of exposure and the probability of injury.

Risk control:

6. Reduce the risk (each hazard):
   - eliminate or reduce the hazard;
   - install protective equipment;
   - procedures / training / PPE.
7. Determine the required performance, Cat/PLr/SIL (each safety function).
8. Design the safety functions.
9. Evaluate (each safety function) (vendor | integrator).

Risk Assessment – ISO 13849-1

Risk graph parameters from Annex A of EN ISO 13849-1, used to determine the required Performance Level (PLr) of each safety function:

Severity of injury
  S1  Slight (normally reversible) injury
  S2  Serious (normally irreversible) injury, including death

Frequency and/or exposure time to the hazard
  F1  Seldom to less often and/or the exposure time is short
  F2  Frequent to continuous and/or the exposure time is long

Possibility of avoiding the hazard or limiting the harm
  P1  Possible under specific conditions
  P2  Scarcely possible

+ Verification of the Performance Level (PL) required for each safety function.

Performance Level Verification – ISO 13849-1

Factors to consider when verifying the performance (PL) of each safety function:

Element  | Consideration for PL
Cat      | Category (structure)
MTTFd    | Mean Time To Dangerous Failure
DC       | Diagnostic Coverage
CCF (β)  | Susceptibility to Common Cause Failure
Tm       | Mission Time
B10d     | For elements that suffer from wear: mean number of cycles until 10% of the components fail dangerously (used to calculate the MTTFd of such components)


PL Verification

(Figure: Determination of PL from Figure 6 of ISO 13849-1. Vertical axis: Performance Level a, b, c, d, e. Horizontal axis: Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium), Category 4 (DCavg = high). Bars for MTTFd = low, medium and high.)

PL Verification (simplified)

(Table: Simplified determination of PL from Table 7 of ISO 13849-1. Rows: MTTFd = low, medium, high. Columns: Category B (DCavg = 0), Category 1 (DCavg = 0), Category 2 (DCavg = low), Category 2 (DCavg = medium), Category 3 (DCavg = low), Category 3 (DCavg = medium), Category 4 (DCavg = high). Cell values: PL a to e.)
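The risk graph, the B10d entry in the verification table and the Table 7 lookup above, carried through as one worked ISO 13849-1 flow. This is an added Python example, not code or a table from the original slides: the risk-graph mapping, the MTTFd and DCavg bands and the Table 7 cells are the ISO 13849-1:2006 values as the author of this example recalls them (the slides reproduce only the axes of the table), the MTTFd-from-B10d formula is the one given in Annex C of the standard, and the interlock figures in example() are constructed, not vendor data.

```python
"""ISO 13849-1 worked flow: PLr from the Annex A risk graph, MTTFd of a wearing
part from its B10d (Annex C), PL from the simplified Table 7 lookup, and the
final PL >= PLr check.  Added example; see the lead-in for what is assumed.
"""

PL_ORDER = "abcde"

# Annex A risk graph: (S, F, P) -> PLr.
# S1/S2 severity, F1/F2 frequency/exposure, P1/P2 possibility of avoidance.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def plr_from_risk_graph(s: int, f: int, p: int) -> str:
    """Required Performance Level for one safety function."""
    return RISK_GRAPH[(s, f, p)]


def mttfd_from_b10d(b10d: float, dop: float, hop: float, tcycle_s: float) -> float:
    """Annex C: MTTFd in years of a component that wears.

    nop   = dop (days/year) * hop (hours/day) * 3600 / tcycle (seconds per cycle)
    MTTFd = B10d / (0.1 * nop)
    """
    nop = dop * hop * 3600.0 / tcycle_s
    return b10d / (0.1 * nop)


def mttfd_band(mttfd_years: float) -> str:
    """Table 5: low 3..<10 y, medium 10..<30 y, high 30..100 y (values above 100 are capped)."""
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years is not acceptable under ISO 13849-1")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_band(dcavg: float) -> str:
    """Table 6: DCavg as a fraction 0..1 -> none / low / medium / high."""
    if dcavg < 0.60:
        return "none"
    if dcavg < 0.90:
        return "low"
    if dcavg < 0.99:
        return "medium"
    return "high"


# Table 7 (simplified procedure): (Category, DCavg band) -> PL for each MTTFd band.
# None marks a combination the standard does not allow.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def pl_from_table7(category: str, dcavg: float, mttfd_years: float):
    """PL achieved by a designated architecture, or None if the combination is not allowed."""
    column = (category, dc_band(dcavg))
    if column not in TABLE_7:
        raise ValueError(f"Category {category} with DCavg {dc_band(dcavg)} is not a Table 7 column")
    return TABLE_7[column][mttfd_band(mttfd_years)]


def pl_meets_plr(pl, plr: str) -> bool:
    """Verification step: the achieved PL must be at least the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def example():
    """Guard interlock on a press (constructed figures, not vendor data)."""
    plr = plr_from_risk_graph(2, 2, 1)   # serious injury, frequent exposure, avoidable -> d
    # Contactor with B10d = 2,000,000 cycles, 220 days/yr, 16 h/day, one cycle per minute
    mttfd = mttfd_from_b10d(b10d=2_000_000, dop=220, hop=16, tcycle_s=60)
    pl = pl_from_table7("3", dcavg=0.90, mttfd_years=mttfd)
    return {"PLr": plr, "MTTFd_years": round(mttfd, 1), "PL": pl, "ok": pl_meets_plr(pl, plr)}


if __name__ == "__main__":
    print(example())
```

The order of the steps matters: PLr comes from the risk graph before any hardware is chosen, and the Table 7 lookup is only a sufficient check for the designated architectures; a design that is not one of them, or that fails the CCF measures, has to be evaluated with the full procedure or a tool such as SISTEMA.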

Risk Assessment – IEC 62061

Risk estimation tables from Annex A of IEC 62061. Class Cl = Fr + Pr + Av.

Frequency & duration of exposure, Fr
  ≤ 1 h              5
  > 1 h to ≤ 1 day   5
  > 1 day to ≤ 2 wk  4
  > 2 wk to ≤ 1 yr   3
  > 1 yr             2

Probability of the hazardous event, Pr
  Very high   5
  Likely      4
  Possible    3
  Rarely      2
  Negligible  1

Avoidance, Av
  Impossible  5
  Rarely      3
  Probable    1

Consequence / severity Se, and the SIL assigned by class Cl:

Consequence                    Se | Cl 3-4 | Cl 5-7 | Cl 8-10 | Cl 11-13 | Cl 14-15
Death, losing an eye or arm     4 | SIL 2  | SIL 2  | SIL 2   | SIL 3    | SIL 3
Permanent, losing fingers       3 |        | OM     | SIL 1   | SIL 2    | SIL 3
Reversible, medical attention   2 |        |        | OM      | SIL 1    | SIL 2
Reversible, first aid           1 |        |        |         | OM       | SIL 1

(OM = other measures recommended; an empty cell means the table assigns no SIL requirement.)

+ Verification of the performance required (SIL) for each safety function.

Risk Estimation – IEC 62061: Risk Assessment Form

(Figure: the risk assessment form used in the following slides.)

Risk Estimation – IEC 62061: Estimate the Frequency of Exposure

Table A.2 – Frequency and duration of exposure (Fr) classification (duration > 10 min)

Frequency of exposure  | Fr
≤ 1 h                  | 5
> 1 h to ≤ 1 day       | 5
> 1 day to ≤ 2 weeks   | 4
> 2 weeks to ≤ 1 year  | 3
> 1 year               | 2

Risk Estimation – IEC 62061: Estimate the Probability of Occurrence

Table A.3 – Probability (Pr) classification

Probability of occurrence | Pr
Very high                 | 5
Likely                    | 4
Possible                  | 3
Rarely                    | 2
Negligible                | 1

Risk Estimation – IEC 62061: Estimate the Probability of Avoiding or Limiting Harm

Table A.4 – Probability of avoiding or limiting harm (Av) classification

Probability of avoidance | Av
Impossible               | 5
Rarely                   | 3
Probable                 | 1

Risk Estimation – IEC 62061: Estimate the Severity of the Consequence

Table A.1 – Severity (Se) classification

Consequences                                                | Se
Irreversible: death, losing an eye or arm                   | 4
Irreversible: broken limb(s), losing finger(s)              | 3
Reversible: requiring attention from a medical practitioner | 2
Reversible: requiring first aid                             | 1

Risk Estimation – IEC 62061: Determining the SIL Requirement

Worked entry from the risk assessment form, hazard no. 1, crushing:

  Se = 3 (irreversible: broken limb(s), losing finger(s))
  Fr = 5, Pr = 5, Av = 3
  Cl = Fr + Pr + Av = 5 + 5 + 3 = 13

Reading the Annex A SIL assignment table at Se = 3 and Cl 11-13 gives a requirement of SIL 2 for the safety function that controls this hazard.
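The class calculation and SIL lookup above, as an added Python example that is not part of the original slides. The scores and the matrix are the Annex A values reproduced on the slides; the range checks and the lookup logic are this example's own, and the crushing entry is read from the slide's form (Se 3, Fr 5, Pr 5, Av 3).

```python
"""IEC 62061 Annex A risk estimation: Cl = Fr + Pr + Av, then the required SIL
from the Se x Cl assignment matrix.  Added example, not from the original slides.
"""

# Table A.2: frequency and duration of exposure (duration > 10 min) -> Fr
FR = {"<= 1 h": 5, "> 1 h to <= 1 day": 5, "> 1 day to <= 2 weeks": 4,
      "> 2 weeks to <= 1 year": 3, "> 1 year": 2}
# Table A.3: probability of occurrence of the hazardous event -> Pr
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
# Table A.4: probability of avoiding or limiting harm -> Av
AV = {"impossible": 5, "rarely": 3, "probable": 1}
# Table A.1: severity of the consequence -> Se
SE = {"irreversible: death, losing an eye or arm": 4,
      "irreversible: broken limb(s), losing finger(s)": 3,
      "reversible: medical attention": 2,
      "reversible: first aid": 1}

# Columns of the SIL assignment matrix: class Cl bands, both ends inclusive.
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]

# Rows: Se -> entry per Cl band.  "OM" = other measures recommended,
# None = the table assigns no SIL requirement.
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None,    "OM",    "SIL 1", "SIL 2", "SIL 3"],
    2: [None,    None,    "OM",    "SIL 1", "SIL 2"],
    1: [None,    None,    None,    "OM",    "SIL 1"],
}


def risk_class(fr: int, pr: int, av: int) -> int:
    """Cl = Fr + Pr + Av, rejecting scores that are not values from the tables."""
    for name, value, table in (("Fr", fr, FR), ("Pr", pr, PR), ("Av", av, AV)):
        if value not in table.values():
            raise ValueError(f"{name}={value} is not a valid score")
    return fr + pr + av


def sil_requirement(se: int, fr: int, pr: int, av: int):
    """Return (Cl, entry) where entry is 'SIL n', 'OM' or None."""
    if se not in SIL_MATRIX:
        raise ValueError(f"Se={se} is not a valid severity")
    cl = risk_class(fr, pr, av)
    for column, (lo, hi) in enumerate(CL_BANDS):
        if lo <= cl <= hi:
            return cl, SIL_MATRIX[se][column]
    raise ValueError(f"Cl={cl} is outside the matrix")  # unreachable for valid scores


def crushing_example():
    """The slide's form entry: hazard 1, crushing, Se 3, Fr 5, Pr 5, Av 3."""
    return sil_requirement(se=3, fr=5, pr=5, av=3)


if __name__ == "__main__":
    cl, sil = crushing_example()
    print(f"Cl = {cl} -> {sil}")   # Cl = 13 -> SIL 2
```

Because Fr is never below 2 and Pr and Av never below 1, a valid class is always between 4 and 15, so the matrix lookup cannot fall off the end; the check is there so that a typo in a form score fails loudly instead of silently landing in a lower band.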

SIL Verification – IEC 62061

Factors to consider when verifying the performance (SIL) of each safety function:

Element   | Consideration for SIL
PFHd      | Probability of Dangerous Failure per Hour
DC        | Diagnostic Coverage
β         | Susceptibility to Common Cause Failure
T1        | Lifetime
T2        | Diagnostic Test Interval
HFT       | Hardware Fault Tolerance
SFF       | Safe Failure Fraction
λ or B10d | Failure rate; or, for elements suffering from wear, B10d


SIL Verification (simplified)

A Safety Instrumented Function (SIF) is split into a sensor subsystem, a logic solver subsystem and a final element subsystem, each with its own PFHd:

  Sensor subsystem -> Logic solver subsystem -> Final element subsystem
  PFHd(s)             PFHd(ls)                  PFHd(fe)

  PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe)

(Figure: PFHd scale and the SIL it supports.)

  PFHd ≥ 10^-5            na
  10^-6 ≤ PFHd < 10^-5    SIL 1
  10^-7 ≤ PFHd < 10^-6    SIL 2
  10^-8 ≤ PFHd < 10^-7    SIL 3

Relationship between PL and SIL

Performance Level (ISO 13849-1) | Probability of a dangerous failure per hour (PFHd) | Safety Integrity Level (IEC 62061)
a | 10^-5 ≤ PFHd < 10^-4   | na
b | 3×10^-6 ≤ PFHd < 10^-5 | 1
c | 10^-6 ≤ PFHd < 3×10^-6 | 1
d | 10^-7 ≤ PFHd < 10^-6   | 2
e | 10^-8 ≤ PFHd < 10^-7   | 3

(Figure: the same relationship drawn as a PFHd scale from 10^-4 down to 10^-8, with SIL na / 1 / 2 / 3 on one side and PL a / b / c / d / e on the other.)
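The PFHd summation from the simplified SIL verification and the PL/SIL relationship table above, as an added Python example that is not part of the original slides. The band limits are the ones printed on the slide; the subsystem PFHd figures in example() are constructed, not vendor data.

```python
"""Simplified verification from PFHd: sum the subsystem PFHd values of a safety
function, then map the total to the SIL of IEC 62061 and the PL of ISO 13849-1.
Added example, not from the original slides.
"""

# (lower bound inclusive, upper bound exclusive, PL, SIL); SIL None = "na"
PFHD_BANDS = [
    (1e-5, 1e-4, "a", None),
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
]


def pfhd_total(subsystems: dict) -> float:
    """PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe), for any number of subsystems in series."""
    if not subsystems:
        raise ValueError("a safety function needs at least one subsystem")
    for name, value in subsystems.items():
        if value <= 0:
            raise ValueError(f"{name}: PFHd must be positive")
    return sum(subsystems.values())


def pl_sil_from_pfhd(pfhd: float):
    """Map a PFHd value to (PL, SIL); SIL is None where the table says 'na'."""
    for lo, hi, pl, sil in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl, sil
    raise ValueError(f"PFHd {pfhd:.2e} is outside the 1e-8 .. 1e-4 range of the table")


def weakest_subsystem(subsystems: dict) -> str:
    """The subsystem that consumes the largest share of the PFHd budget."""
    return max(subsystems, key=subsystems.get)


def verify(subsystems: dict, required_sil: int) -> dict:
    """Sum the subsystems, classify the total and compare with the required SIL."""
    total = pfhd_total(subsystems)
    pl, sil = pl_sil_from_pfhd(total)
    return {
        "PFHd": total,
        "PL": pl,
        "SIL": sil,
        "meets_requirement": sil is not None and sil >= required_sil,
        "weakest": weakest_subsystem(subsystems),
    }


def example():
    """Constructed figures: two-channel guard switches, a safety PLC and two contactors."""
    subsystems = {"sensor": 1.2e-7, "logic_solver": 3.0e-8, "final_element": 9.0e-8}
    return verify(subsystems, required_sil=2)


if __name__ == "__main__":
    print(example())   # PFHd 2.4e-07 -> PL d / SIL 2; the sensor subsystem dominates
```

A total inside the band is necessary but not sufficient: ISO 13849-1 also limits the PL by Category and requires the common cause failure measures to be met, and IEC 62061 applies its architectural constraints (HFT and SFF) on top of the PFHd figure, so the factor tables above still have to be satisfied. The weakest_subsystem figure is the practical output: it tells you which subsystem to improve when the sum lands one band short.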

Summary

ISO 13849-1:2006
- Simpler methodology
- Builds on Categories
- More constraints
- System based
- Applies to all technologies

IEC 62061
- Relatively complex methodology
- More flexibility
- Fewer constraints
- Simplified modularity via subsystems
- Only applies to electrical technology

Can the system be designed simply using the designated architectures? Or will the system include technologies other than electrical? If the answer to either question is YES, it is probably most appropriate to use ISO 13849-1:2006.

Are there complex safety functions, e.g. depending on logic decisions? Or will the system require complex or programmable electronics to a high level of integrity? If the answer to either question is YES, it is probably most appropriate to use IEC 62061.

Benefits of Compliance

Compliance with standards has benefits.

As a supplier:
- Compliance with the relevant machine safety legislation.
- Easier entry into overseas markets.

As a buyer:
- Knowledge that the machine is built with an adequate level of safety.
- The required safety performance is achieved: not too much (unnecessary cost) and not too little (doubt about safety).
- Reduced repair time and fewer unnecessary stoppages.

As a user/operator:
- Knowledge that the machine is safe to work with, and a better operational work environment.
- Greater confidence in the machine, and higher productivity.
- Less waste material and more consistent quality.

Moving Ahead

What should I do now?

- The ideal first step is to read both standards in order to understand their requirements and implications.
- Perhaps the most daunting aspect of both standards is that they require calculations based on reliability data, which the safety component manufacturers should supply.
- Help is available in the form of information booklets and software tools for the calculations.
- The BGIA in Germany provides a comprehensive calculation tool for EN ISO 13849-1 called SISTEMA. It is available free from the BGIA website.
- If you design and build machines and have used EN 954-1 as a guidance standard to demonstrate compliance, you will be required to recertify your machines' safety-related control systems to the new functional safety standards, such as EN ISO 13849-1, or directly to the Machinery Directive.

Questions

THANK YOU QUESTIONS? [email protected]
