7/29/2019 Machine Safety Standards
1/27
Copyright 2009 Rockwell Automation, Inc. All rights reserved.
Machine Safety Standards
Dr Raymond Wright
EN954 | ISO13849 | IEC62061
Philosophy
Machine Safety is about the reduction of risk.
In the real world there is no such thing as zero risk in technology. So the aim
is to reduce risk to a tolerable level.
If safety depends on control systems, these must be designed for a low
probability of functional failure. If this is not possible then errors that occur
shall not lead to the loss of the safety function.
To help meet this requirement harmonised standards have been created, and
complying with these standards is the simplest way to demonstrate risk
reduction so far as reasonably practicable.
IEC 62061 | ISO 13849-1
Scope of Machine Safety Standards
EN 954-1 has been the dominant standard in Machine Safety
EN 954-1 employs a deterministic approach which uses an estimate of risk in terms of Categories, which
determine a Class of control to achieve an appropriate system behaviour and performance.
With the advent of more complex controls, especially programmable controls, safety can no longer be
adequately measured in the simple Category system found in EN 954-1.
The probability of failure (failure modes and failure rates) of the more complex safety controls is not addressed
in EN 954-1, and requires a probabilistic approach to evaluating performance.
Update Jan 2010: EN 954-1 validity to be extended to 31 Dec 2011
EN 954-1 will be succeeded by ISO 13849-1 on 29 Dec 2009.
Scope of Machine Safety Standards
ISO 13849-1 will take the place of EN 954-1
The standard is applied to Safety-Related Parts of Control Systems (SRP/CS) and all types of machinery
regardless of the technology and energy employed (electrical, hydraulic, mechanical, pneumatic).
There are also special requirements within ISO 13849-1 for SRP/CS using programmable electronic systems.
IEC 62061 is a competing standard derived from IEC 61508
The standard defines the requirements and gives recommendations for the design, integration and validation of
Safety-Related Electrical, Electronic, and Programmable Electronic control systems (SRECS) for machinery.
It does not define requirements for the performance of non-electrical (e.g. hydraulic, mechanical, pneumatic)
safety-related control elements for machinery.
Relationship
Relationship of Current Standards (diagram reconstructed as an outline)
Safety of Systems and Equipment:
  IEC 61508  Functional safety of Electrical/Electronic/Programmable Electronic safety-related systems
    Process (Electrical, Electronic and Programmable Technology): IEC 61511
    Software: IEC 61508-3
    Machinery (Electrical, Electronic and Programmable Technology): IEC 62061
  EN 954-1  Safety related parts of control systems
    Machinery (All Technologies): ISO 13849-1:2006
Overview of ISO 13849-1
Builds on the familiar Categories from EN 954-1
Goes beyond the qualitative approach of EN 954-1 to include a quantitative assessment of the safety function.
It examines complete safety functions, including all the components involved in their design.
A (qualitative) risk assessment process produces a performance requirement, called the Performance Level required (PLr), for each safety function. This builds on the requirements of the Categories, and is based on the designated architecture and the designated mission time.
Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.
The Performance Level of each safety function must be verified, and examples of calculation are provided in
the standard.
Overview of IEC 62061
Represents a sector-specific standard under IEC 61508.
It is based on a Lifecycle concept, and covers only electric, electronic and programmable electronic control systems on machinery.
A (qualitative) risk assessment process produces a performance level requirement, called the Safety Integrity Level (SIL), for each safety function.
Each safety function is divided into subsystems and subsystem elements for a quantitative analysis of safety performance.
The performance level (SIL) of each safety function must be verified, and examples of calculation are provided in the standard.
Choice of Standard
Which Standard should I follow?
In general terms, if you are familiar with the use of the Categories from EN 954-1 and use relatively
straightforward conventional safety functions then ISO 13849-1 is probably the best choice.
If you are specifically required to use SIL, or if your application uses complex multi-conditional safety
functionality then IEC 62061 may be the most suitable.
Keep in mind that ISO 13849-1 covers all technologies whereas IEC 62061 only covers electrical and
electronic systems.
Holistic Approach
Whichever standard is chosen, a holistic Safety Strategy (risk management process) must be followed to ensure that the performance of the safety functions can be directly linked to the risk reduction requirements determined during the Hazard Identification and Risk Assessment activities.
User Safety Strategy
User Safety Strategy:
Risk Assessment (EN 1050 | ISO 14121)
  Identify all Machines
  Determine Machine Limits (each machine)
  Identify Tasks (each machine)
  Identify Hazards (each task)
  Estimate Risk (each hazard)
    Severity of potential injury
    Probability of its occurrence
    Frequency of exposure
    Probability of injury
Risk Control
  Reduce Risk (each hazard)
    Eliminate or reduce
    Install protective equipment
    Procedures / training / PPE
  Determine the required performance: Cat/PLr/SIL (each safety function)
  Design Safety Functions (vendor or integrator)
  Evaluation (each safety function)
Risk Assessment ISO 13849-1
ISO 13849-1 Risk Assessment
Verification of the Performance Level (PL) required, the PLr, for each safety function.
Severity of Injury
  S1 Slight (normally reversible injury)
  S2 Serious (normally irreversible) injury including death
Frequency and/or Exposure Time to the Hazard
  F1 Seldom to less often and/or the exposure time is short
  F2 Frequent to continuous and/or the exposure time is long
Possibility of Avoiding the Hazard or Limiting the Harm
  P1 Possible under specific conditions
  P2 Scarcely possible
Risk Graph from Annex A of EN ISO 13849-1 (START at the left, branching on S, then F, then P; PLr a = low risk through e = high risk), reconstructed as a table:
  S1 F1 P1 -> PLr a
  S1 F1 P2 -> PLr b
  S1 F2 P1 -> PLr b
  S1 F2 P2 -> PLr c
  S2 F1 P1 -> PLr c
  S2 F1 P2 -> PLr d
  S2 F2 P1 -> PLr d
  S2 F2 P2 -> PLr e
Performance Level Verification
ISO 13849-1
Factors to consider when verifying performance (PL) of each safety function:
Severity of Injury
  S1 Slight (normally reversible injury)
  S2 Serious (normally irreversible) injury including death
Frequency and/or Exposure Time to the Hazard
  F1 Seldom to less often and/or the exposure time is short
  F2 Frequent to continuous and/or the exposure time is long
Possibility of Avoiding the Hazard or Limiting the Harm
  P1 Possible under specific conditions
  P2 Scarcely possible
Elements for PLr Consideration
  Cat Category (Designated Architecture)
  MTTFd Mean Time To Dangerous Failure
  DC Diagnostic Coverage
  CCF Susceptibility to Common Cause Failure
  Tm Mission Time
  B10d For elements that suffer from wear: mean number of cycles until 10% of components fail dangerously (used to calculate the MTTFd of components)
Risk Graph from Annex A of EN ISO 13849-1, repeated here from the ISO 13849-1 Risk Assessment slide.
Performance Level Verification
PL Verification
Determination of PL from Figure 6 of ISO 13849-1: a bar chart of Performance Level (a to e) against the designated architectures (Category B DCavg = 0; Category 1 DCavg = 0; Category 2 DCavg = low; Category 2 DCavg = medium; Category 3 DCavg = low; Category 3 DCavg = medium; Category 4 DCavg = high), each bar split by MTTFd = low, medium and high.
Performance Level Verification (simplified)
PL Verification (simplified)
Simplified Determination of PL from Table 7 of ISO 13849-1. Each row gives the PL reached for MTTFd of each channel = low / medium / high ("--" = not covered by the simplified procedure):
  Category B, DCavg = 0:       a  / b  / --
  Category 1, DCavg = 0:       -- / -- / c
  Category 2, DCavg = low:     a  / b  / c
  Category 2, DCavg = medium:  b  / c  / d
  Category 3, DCavg = low:     b  / c  / d
  Category 3, DCavg = medium:  c  / d  / e
  Category 4, DCavg = high:    -- / -- / e
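The two ISO 13849-1 lookups above (risk graph for PLr, Table 7 for the PL a designated architecture reaches) and the verification that PL is at least PLr, as an added example that is not code from the presentation or from Rockwell; the function names and the "0" / "low" / "medium" / "high" labels for DCavg are this example's own choices.

```python
# Added example, not from the presentation: ISO 13849-1 risk graph (Annex A)
# and the simplified PL determination of Table 7, then the check that the PL
# a safety function achieves is at least the PLr the risk graph demands.

PL_ORDER = "abcde"  # PL a = least risk reduction, PL e = most

# Risk graph from Annex A as a lookup: (S, F, P) -> PLr, with S1/S2, F1/F2,
# P1/P2 written as the integers 1 and 2.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Table 7 (simplified procedure): (Category, DCavg) -> PL reached for MTTFd of
# each channel = low / medium / high.  None = not covered by the simplified
# procedure, so that architecture cannot claim a PL with that MTTFd.
TABLE_7 = {
    ("B", "0"):      {"low": "a",  "medium": "b",  "high": None},
    ("1", "0"):      {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "e"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def required_pl(s: int, f: int, p: int) -> str:
    """PLr from the risk graph for one hazard of a safety function."""
    return RISK_GRAPH[(s, f, p)]


def achieved_pl(category: str, dc_avg: str, mttfd: str):
    """PL of a designated architecture, or None if Table 7 does not cover it."""
    return TABLE_7[(category, dc_avg)][mttfd]


def verify_pl(pl, plr: str) -> bool:
    """Verification passes only when the achieved PL is at least the PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


if __name__ == "__main__":
    # Constructed case: serious injury (S2), frequent exposure (F2), avoidance
    # possible under specific conditions (P1) -> PLr d.
    plr = required_pl(2, 2, 1)
    for design in (("2", "low", "medium"), ("3", "low", "high")):
        pl = achieved_pl(*design)
        print(design, "reaches PL", pl, "- meets PLr", plr, ":", verify_pl(pl, plr))
```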
Risk Assessment IEC 62061
IEC 62061 Risk Assessment
Verification of the performance required (SIL) for each safety function.
Tables from Annex A of IEC 62061, reconstructed:
SIL assignment matrix (Consequence Severity Se against Class Cl):
  Se                                   Cl 3-4   Cl 5-7   Cl 8-10   Cl 11-13   Cl 14-15
  4  Death, losing an eye or arm       SIL 2    SIL 2    SIL 2     SIL 3      SIL 3
  3  Permanent, losing fingers         -        OM       SIL 1     SIL 2      SIL 3
  2  Reversible, medical attention     -        -        OM        SIL 1      SIL 2
  1  Reversible, first aid             -        -        -         OM         SIL 1
Frequency & Duration (Fr): <= 1 hr 5; > 1 hr to 1 day 5; > 1 day to 2 wk 4; > 2 wk to 1 yr 3; > 1 yr 2
Probability of Hazard Event (Pr): Very High 5; Likely 4; Possible 3; Rarely 2; Negligible 1
Avoidance (Av): Impossible 5; Possible 3; Likely 1
Cl = Fr + Pr + Av
Risk Estimation IEC 62061
Risk Assessment Form
Risk Estimation IEC 62061
Estimate the Frequency of Exposure
Table A.2 Frequency and duration of exposure (Fr) Classification
  Frequency of exposure (duration > 10 min)   Fr
  <= 1 h                                      5
  > 1 h to 1 day                              5
  > 1 day to 2 weeks                          4
  > 2 weeks to 1 year                         3
  > 1 year                                    2
Risk Estimation IEC 62061
Estimate the Probability of Occurrence
Table A.3 Probability (Pr) Classification
  Probability of Occurrence   Pr
  Very high                   5
  Likely                      4
  Possible                    3
  Rarely                      2
  Negligible                  1
Risk Estimation IEC 62061
Estimate the Probability of Avoiding or Limiting Harm
Table A.4 Probability of avoiding or limiting harm (Av) Classification
  Probability of Avoidance   Av
  Impossible                 5
  Rarely                     3
  Probable                   1
Risk Estimation IEC 62061
Estimate the Severity of the Consequence
Table A.1 Severity (Se) Classification
  Consequences                                                  Se
  Irreversible: death, losing an eye or arm                     4
  Irreversible: broken limb(s), losing finger(s)                3
  Reversible: requiring attention from a medical practitioner   2
  Reversible: requiring first aid                               1
Risk Estimation IEC 62061
Determining the SIL Requirement
Example row from the Risk Assessment Form (columns as extracted): 1 | 1 | CRUSHING | Se 3 | Fr 5 | Pr 5 | Av 3 | Cl 13 | Cl = Fr + Pr + Av = 5 + 5 + 3 = 13
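The IEC 62061 estimation steps of the preceding slides (Tables A.2 to A.4, Cl = Fr + Pr + Av, and the Se/Cl lookup in the SIL assignment matrix) worked through on the CRUSHING row above, as an added example that is not code from the presentation or from Rockwell. "OM" is read as the standard's "other measures recommended", an empty cell as no SIL requirement; the function names are this example's own.

```python
# Added example, not from the presentation: IEC 62061 Annex A risk estimation.
# Fr, Pr and Av are classified with Tables A.2 to A.4, Cl = Fr + Pr + Av, and
# the SIL assignment matrix maps the row Se and the column band of Cl to the
# target SIL, "OM" (other measures recommended) or None (no requirement).

PROBABILITY = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}  # Table A.3
AVOIDANCE = {"impossible": 5, "rarely": 3, "probable": 1}                                   # Table A.4

def frequency_class(hours_between_exposures: float) -> int:
    """Table A.2: interval between exposures (each lasting > 10 min) -> Fr."""
    if hours_between_exposures <= 24:        # <= 1 h and > 1 h to 1 day both score 5
        return 5
    if hours_between_exposures <= 24 * 14:   # > 1 day to 2 weeks
        return 4
    if hours_between_exposures <= 24 * 365:  # > 2 weeks to 1 year
        return 3
    return 2                                 # > 1 year

# SIL assignment matrix: rows Se 4..1, columns are the Cl bands below.
CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None,    "OM",    "SIL 1", "SIL 2", "SIL 3"],
    2: [None,    None,    "OM",    "SIL 1", "SIL 2"],
    1: [None,    None,    None,    "OM",    "SIL 1"],
}

def class_of_probability(fr: int, pr: int, av: int) -> int:
    """Cl = Fr + Pr + Av, the probability-of-harm class of the hazard."""
    return fr + pr + av

def sil_target(se: int, cl: int):
    """Look up the (Se, Cl) cell of the SIL assignment matrix."""
    for column, (low, high) in enumerate(CLASS_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise ValueError(f"Cl {cl} is outside the 3..15 range of the matrix")

def assess(se: int, fr: int, pr: int, av: int):
    """Full estimation for one hazard: returns (Cl, target SIL / OM / None)."""
    cl = class_of_probability(fr, pr, av)
    return cl, sil_target(se, cl)

if __name__ == "__main__":
    # The CRUSHING row of the form: Se 3, exposure every 2 h (Fr 5), Pr very
    # high (5), avoidance rarely possible (Av 3) -> Cl 13.
    print(assess(3, frequency_class(2), PROBABILITY["very high"], AVOIDANCE["rarely"]))
```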
SIL Verification IEC 62061
IEC 62061
Factors to consider when verifying performance (SIL) of each safety function:
Elements for SIL Consideration
  PFHd Probability of Dangerous Failure per Hour
  DC Diagnostic Coverage
  Susceptibility to Common Cause Failure
  T1 Lifetime
  T2 Diagnostic Test Interval
  HFT Hardware Fault Tolerance
  SFF Safe Failure Fraction
  Failure rate; or B10d for elements suffering from wear
Tables from Annex A of IEC 62061 (the SIL assignment matrix and the Fr, Pr and Av tables), repeated here from the IEC 62061 Risk Assessment slide.
SIL Verification
SIL Verification (simplified)
PFHd band to SIL:
  PFHd >= 10^-5: na
  10^-6 <= PFHd < 10^-5: SIL 1
  10^-7 <= PFHd < 10^-6: SIL 2
  10^-8 <= PFHd < 10^-7: SIL 3
A Safety Instrumented Function (SIF) is made up of a Sensor Subsystem, a Logic Solver Subsystem and a Final Element Subsystem, with PFHd(s), PFHd(ls) and PFHd(fe) respectively:
PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe)
PL : SIL Relationship
Relationship between PL and SIL
  Performance Level (ISO 13849-1)   Probability of a dangerous failure per hour (PFHd)   Safety Integrity Level (IEC 62061)
  a                                 10^-5 <= PFHd < 10^-4                                 na
  b                                 3x10^-6 <= PFHd < 10^-5                               1
  c                                 10^-6 <= PFHd < 3x10^-6                               1
  d                                 10^-7 <= PFHd < 10^-6                                 2
  e                                 10^-8 <= PFHd < 10^-7                                 3
The slide also shows the same relationship as a scale from PFHd 10^-4 down to 10^-8, with the SIL bands (na, SIL 1, SIL 2, SIL 3) and the PL bands (a, b, c, d, e) aligned beneath it.
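The PFHd addition from the simplified SIL verification slide and the PFHd band table above, as an added example that is not code from the presentation or from Rockwell. The subsystem PFHd values are constructed, the function names are this example's own, and band bounds are taken as inclusive at the lower end and exclusive at the upper end, as the table's inequalities state.

```python
# Added example, not from the presentation: combine subsystem PFHd values for a
# safety instrumented function, then read the PL band of the PL:SIL table and
# the SIL band of the simplified SIL verification slide from the total.

PFHD_BANDS = [  # (low inclusive, high exclusive, PL, SIL); SIL None = "na"
    (1e-5, 1e-4, "a", None),
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
]


def pfhd_of_function(*subsystem_pfhd: float) -> float:
    """PFHd(sif) = PFHd(s) + PFHd(ls) + PFHd(fe): subsystem rates add up."""
    return sum(subsystem_pfhd)


def pl_and_sil(pfhd: float):
    """(PL, SIL) for a PFHd; (None, None) when it is 1e-4/h or worse."""
    if pfhd >= 1e-4:
        return None, None
    for low, high, pl, sil in PFHD_BANDS:
        if low <= pfhd < high:
            return pl, sil
    raise ValueError("PFHd below 1e-8 is outside the table")


def budget_left(pfhd: float) -> float:
    """PFHd that could still be added before the function drops one PL band."""
    for low, high, _pl, _sil in PFHD_BANDS:
        if low <= pfhd < high:
            return high - pfhd
    raise ValueError("PFHd outside the table")


if __name__ == "__main__":
    # Constructed subsystem values: sensor, logic solver, final element.
    # The sensor alone sits in PL d / SIL 2, but the whole function does not:
    # the three contributions add and push the total into PL c / SIL 1.
    parts = (8e-7, 3e-7, 1e-8)
    print("sensor alone:", pl_and_sil(parts[0]))
    print("whole function:", pl_and_sil(pfhd_of_function(*parts)))
    print("budget left in band:", budget_left(pfhd_of_function(*parts)))
```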
Summary
IEC 62061:
  Relatively complex methodology
  More flexibility
  Fewer constraints
  Simplified modularity via subsystems
  Only applies to electrical technology
  Are there complex safety functions, e.g. depending on logic decisions? Or will the system require complex or programmable electronics to a high level of integrity?
  If the answer to either question is YES, it is probably most appropriate to use IEC 62061.
ISO 13849-1: 2006:
  Simpler methodology
  Builds on Categories
  More constraints
  System based
  Applies to all technologies
  Can the system be designed simply using the designated architectures? Or will the system include technologies other than electrical?
  If the answer to either question is YES, it is probably most appropriate to use ISO 13849-1: 2006.
Benefits of Compliance
Compliance with Standards has Benefits:
As a Supplier:
Compliance with relevant machine safety legislation.
Easier entry into overseas markets.
As a Buyer:
Knowledge that machine is built with an adequate level of safety.
The required safety performance is achieved: not too much (unnecessary cost), and not too little (doubt about safety).
Reduce repair time, fewer unnecessary stoppages.
As a User/Operator:
Knowledge that machine is safe to work with, and provides a better operational work environment.
More comfortable with the machine, higher productivity.
Less waste material, and more consistent quality.
Moving Ahead
What should I do now?
The ideal first step is to read both standards in order to understand their requirements and implications.
Perhaps the most daunting aspect of both standards is the fact that they
require calculations based on reliability data that the safety component
manufacturers should supply.
Help is available in the form of information booklets and software tools
for calculations.
The BGIA in Germany provides a comprehensive calculation tool for EN
ISO 13849-1 called SISTEMA. It is available free from the BGIA website.
If you design and build machines and have used EN 954-1 as a guidance standard to demonstrate compliance, you will be required to recertify your machines' safety-related control systems to new Functional Safety standards such as ISO 13849-1 or IEC 62061, or directly to the Machinery Directive.
Questions
Defining Best Practice in Process & Machine Safety
THANK YOU. QUESTIONS?
Safety Management:
  Safety Management Systems
  Safety Management Planning
  Safety Lifecycle Templates
  Safety Compliance Audits
  Safety Case Development
Risk Management:
  PHA / HAZOP
  Risk Assessment
  PL/SIL Determination / LOPA
  Safety Requirement Specification
  PL/SIL Verification
Safety Training / Workshops:
  ISA Certification Courses
  Functional Safety Courses
  Safety Lifecycle Courses
  PL/SIL Determination / LOPA
  PL/SIL Verification
The FSE Global Advantage