Tag Archives: EN 954-1 - Page 2

Machinery Safety 101

Tag Archives: EN 954-1 - Page 2

Interlock Architectures – Pt. 4: Category 3 — Control Reliable

Definition

Breaking it down

The Block Diagram

Circuit Diagram

Understanding Risk Assessment

What is risk?

How is risk measured?

Who should conduct risk assessments?

When should a risk assessment be conducted?

What tools are available?

Where can you get training?

IEC/TR 62061–1 Reviewed

Why You Need to Spend More Cash on Yet Another Document

The Problem

History

Why the Confusion?

…and then came 2007…

The Technical Report

Safe designs for safe workplaces

Interlock Architectures – Pt. 4: Category 3 — Control Reliable

Definition

Breaking it down

The Block Diagram

Circuit Diagram

Understanding Risk Assessment

What is risk?

How is risk measured?

Who should con­duct risk assessments?

When should a risk assess­ment be conducted?

What tools are available?

Where can you get training?

IEC/​TR 62061–1 Reviewed

Why You Need to Spend More Cash on Yet Another Document

The Problem

History

Why the Confusion?

…and then came 2007…

The Technical Report

Who should conduct risk assessments?

When should a risk assessment be conducted?

IEC/TR 62061–1 Reviewed

The Notes

Emergency Stop Subsystem

Gate Interlock Subsystem

Safety Mat Subsystem

Component Selection

The Answer to the Scale Question

Merger

Comparing PL’s and SIL’s

Selecting a Standard

Risk Assessment

Safety Requirement Specification (SRS)

Combining Equipment with PLs and SILs

Fault Exclusions

Worked Examples

Understanding the Differences

To Buy or Not to Buy…

6.2.6 Category 3

The Notes

Emergency Stop Subsystem

Gate Interlock Subsystem

Safety Mat Subsystem

Component Selection

The Answer to the Scale Question

Table 1 Recommended appli­ca­tion of IEC 62061 and ISO 13849–1(under revision)

Merger

Comparing PL’s and SIL’s

Selecting a Standard

Risk Assessment

Safety Requirement Specification (SRS)

Combining Equipment with PLs and SILs

Fault Exclusions

Worked Examples

Understanding the Differences

To Buy or Not to Buy…

Compliance InSight Links

Sign Up For Our Newsletter!

Coming Events

Polls

Popular Posts

Recent Posts

Series

Categories

Tags

Countries Visiting Us:

Table 1
Recommended application of
IEC 62061 and ISO 13849–1(under revision)

Table 1 – Relationship between PLs and SILs based on the aver­age prob­a­bil­ity of dan­ger­ous fail­ure per hour

Table 1 – Relationship between PLs and SILs based on the average probability
of dangerous failure per hour

This entry is part 4 of 8 in the series Circuit Architectures Explored

Category 3 system architecture is the first category that could be considered to have similarity to “Control Reliable” circuits or systems as defined in the North American standards. It is not the same as Control Reliable, but we’ll get to in a following post. If you haven’t read the first three posts in this series, you may want to go back and review them as the concepts in those articles are the basis for the discussion in this post.

So what is “Control Reliable” anyway? This term was coined by the ANSI RIA R15.06 technical committee when they were developing their definitions for control system reliability, first published in the 1999 edition of the standard. No mention of the concept of control reliability appears in the 1994 edition of CSA Z434 or the preceding edition of RIA R15.06.

Essentially, the term “Control Reliable” means that the control system is designed with some degree of fault tolerance. Depending on the definitions that you read, this could be single– or multiple-fault-tolerance.

There are a number of design techniques that can be used to increase the fault tolerance of a control system. The older approaches, such as those given in ANSI RIA R15.06–1999, CSA Z434-03 or EN 954–1:95, rely primarily on the structure or architecture of the circuit, and the characteristics of the components selected for use. ISO 13849–1 uses the same basic architectures defined by EN 954–1:95, and extends them to include diagnostic coverage, common cause failure resistance and an understanding of the failure rate of the components to determine the degree of fault tolerance and reliability provided by the design.

OK, enough background for now! Let’s look at the definition for Category 3 systems. Remember that “SRP/CS” means “Safety Related Parts of the Control System”.

6.2.6 Category 3
For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
The diagnostic coverage (DC_avg) of the total SRP/CS including fault-detection shall be low. The MTTF_d of each of the redundant channels shall be low-to-high, depending on the PL_r. Measures against CCF shall be applied (see Annex F).
NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.
NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.
NOTE 3 Category 3 system behaviour allows that
when the single fault occurs the safety function is always performed,
some but not all faults will be detected,
accumulation of undetected faults can lead to the loss of the safety function.
NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.

5% Discount on ISO and IEC Standards with code: CC2011

Let’s take the definition apart and look at the components that make it up.

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first couple of lines remind the designer of two key points:

The components selected must be suitable for the application, i.e. correctly specified for voltage, current, environmental conditions, etc.; and
“well-tried safety principles” must be used in the design.

It’s important to note here that we are talking about “well tried safety principles” and NOT “well-tried components”. The requirement to use components designed for safety applications comes from other standards, like EN 1088 and ISO 13850. The requirements from these standards, such as the use of “direct-drive” contacts improves the fault tolerance of the component, and so benefits the design in the end. These improvements are generally reflected in the B10_d or MTTF_d of the component, and are points that inspectors will commonly look for, since they are easy to spot in the field, since “safety-rated components” often use red or yellow caps to identify them clearly in the control panel.

In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

This sentence makes the requirement for single-fault tolerance. This means that the failure of any single component in the functional channel cannot result in the loss of the safety function. To meet this requirement, redundancy is needed. With redundant systems, one complete channel can fail without losing the ability to stop the machinery. It is possible to lose the function of the monitoring system from a single component failure, but as long as the system continues to provide the safety function this may be acceptable. The system should not permit itself to be reset if the monitoring system is not working.

One more “gotcha” from this sentence: In order to meet the requirement that any single component failure can be detected, the design will require two separate sensors to detect the position of a gate, for example. This permits the system to detect a failure in either sensor, including mechanical failures like broken keys or attempts to defeat the safety system. You can clearly see this in both the block diagram, which does not show any monitoring connection to the input devices, and in the circuit diagram. Both of these diagrams are shown later in this post. The only way out of the requirement to have redundant sensors is to select a gate switch that is robust enough that mechanical faults can reasonably be excepted. I’ll get into fault exceptions later in this article.

Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

This sentence can be a bit sticky. The phrase “Whenever reasonably practicable” means that your design needs to be able to detect single faults unless it would be “unreasonable” to do so. What constitutes an unreasonable degree of effort? This is for you to decide. I will say that if there is a common, off the shelf component (COTS) available that will do the job, and you choose not to use it, you will have a difficult time convincing a court that you took every reasonably practicable means to detect the fault.

Following the comma, the rest of the sentence provides the designer with the basic requirement for the test system: it must be able to detect a single component failure at the moment of demand (this is usually how it’s done, since this is typically the simplest way) or before it occurs, which can happen if your test equipment has a means to detect a change in some critical characteristic of the monitored component(s).

The diagnostic coverage (DC_avg) of the total SRP/CS including fault-detection shall be low.

This sentence tells you that your design must meet the requirements for LOW Diagnostic Coverage. To get to LOW DC_avg, we need to look first at Table 6:

ISO 13849–1:06 Table 6
Diagnostic Coverage (DC)
Denotation	Range
None	DC < 60%
Low	60% ? DC < 90%
Medium	90% ? DC < 99%
High	99% ? DC
NOTE 1 For SRP/CS consisting of several parts an average value DC_avg for DC is used in Figure 5, Clause 6 and E.2. NOTE 2 The choice of the DC ranges is based on the key values 60 %, 90 % and 99 % also established in other standards (e.g. IEC 61508) dealing with diagnostic coverage of tests. Investigations show that (1 — DC) rather than DC itself is a characteristic measure for the effectiveness of the test. (1 — DC) for the key values 60 %, 90 % and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC-value less than 60 % has only slight effect on the reliability of the tested system and is therefore called “none”. A DC-value greater than 99 % for complex systems is very hard to achieve. To be practicable, the number of ranges was restricted to four. The indicated borders of this table are assumed within an accuracy of 5 %.

Based on Table 6, the DC_avg must be between 60% and 90%, all components considered. To score this, we must go to Annex E and look at Table E1. Using the factors in Table E1, score the design. If you end up in the desired range between 60% and 90% DC coverage, you can move on. If not, the design will require modification to bring it into this range.

The MTTF_d of each of the redundant channels shall be low-to-high, depending on the PL_r.

This sentence reminds you that your component selections matter. Depending on the PL_r you are trying to achieve, you will need to choose components with suitable MTTF_d ratings. Remember that just because you are using a Category 3 architecture, you have not automatically achieved the highest levels of reliability. If you refer to Figure 5 in the standard, you can see that a Category 3 architecture can meet a range of PL’s, all the way from PL_a through PL_e!

ISO 13849–1 Figure 5

If you want, or need, to know the numeric boundaries of each of the bands in the diagram above, look at Annex K of the standard. The full numeric representation of Figure 5 is provided in that Annex.

Measures against CCF shall be applied (see Annex F).

In order for the architecture of your design to meet Category 3 architecture, CCF measures are required. I’ve discussed Common Cause Failures elsewhere on the blog, but as a reminder, a Common Cause Failure is one where a single event, like a lightning strike on the power line, or a cable being cut, results in the failure of the system. This is not the same as a Common Mode Failure, where similar or different components fail in the same way. For instance, if both output contactors were to weld closed either simultaneously or at different time due to overloading because they were undersized, this could be considered to be a Common Mode Failure. If they both weld closed due to a lightning strike, that is a Common Cause Failure.

Annex F provides a checklist that is used to score the CCF of the design. The design must meet at least 65 points to be considered to meet the minimum level of CCF protection, and more is better of course! Score your design and see where you come out. Less than 65 and you need to do more. 65 or more and you are good to go.

The notes given in the definition are also important. Note 1 reminds the designer that not all faults will be detected, and an accumulation of undetected faults can lead to the loss of the safety function. Be aware that it is up to you as the designer to minimize the kinds of failures that can accumulate undetected.

Note 2 speaks to the possibility that a Type-C product standard, like EN 201 for injection moulding machines for example, may impose a minimum PL_r on the design. Make sure that you get a copy of any Type-C standard that is relevant for your product and market. Note that the designation “Type-C” comes from ISO. If you go looking for this terminology in ANSI or CSA standards, you won’t find it used because the concept doesn’t exist in the same way in these National standards.

Note 3 gives you the basic performance parameters for the design. If your design can do these things, then you’re halfway there.

Finally, Note 4 is a reminder that different kinds of technology have greater or lesser capability to detect failures. More sophisticated technology may be required to achieve the PL level you need.

Let’s have a look at the functional block diagram for this Category.

By looking at the diagram you can see clearly the two independent channels and the cross-monitoring connection between the channels. Input devices are not monitored, but output devices are monitored. This is another significant reason requiring the use of two physically separate input devices to sense the guard position or whatever other safeguarding device is integrated into the system. The only way that a failure in the input devices can be detected is if one channel changes state and one does not.

If you want to learn more about applying the block diagramming method to you design, there is a good explanation of the method in the SISTEMA Cookbook 1, published by the IFA in Germany. You can download the English version from the link above, or get the document directly from the IFA web site.

By now you probably get the idea that there are as many ways to configure a Category 3 circuit as there are applications. Below is a typical circuit diagram borrowed from Rockwell Allen-Bradley, showing the application of typical safety relays in a complete system that includes the emergency stop system, a gate interlock and a safety mat. You can meet the requirements for Category 3 architecture in other ways, so don’t feel that you must use a COTS safety relay. It just may be the most straightforward way in many cases.

This is not a plug for A-B products. Neither Machinery Safety 101, nor I, have any relationship with Rockwell Allen-Bradley.

From Rockwell Automation publication SAFETY-WD001A-EN-P – June 2011, p.6.

If you’re interested in obtaining the source document containing this diagram, you can download it directly from the Rockwell Automation web site.

The emergency stop circuit uses the 440R-512R2 relay on the left side of the diagram. This particular system uses Category 3 architecture in the e-stop system, which may be more than is required. A risk assessment and a start-stop analysis is required to determine what performance level is needed for this subsystem. Get more information on emergency stop.

The gate interlock circuit is located in the center of the diagram, and uses the 440R-D22R2 relay. As you can see, there are two physically separate gate interlock switches. Only one contact from each switch is used, so one switch is connected to Channel 1, and the other to Channel 2. Notice that there is no other monitoring of these devices (i.e. no second connection to either switch). The secondary contacts on these switches could be connected to the PLC for annunciation purposes. This would allow the PLC to display the open/closed status of the gate on the machine HMI.

The output contactors, K3 and K4, are monitored by the reset loop connected to S34 and the +V rail.

One more interesting point — did you notice that there is a “zone e-stop” included in the gate interlock? If you look immediately below the central safety relay and a little to the left you will find an emergency stop device. This device is wired in series with the gate interlock, so activating it will drop out K3 and K4 but not disturb the operation of the rest of the machine. The safety relay can’t distinguish between the e-stop button and the gate interlocks, so if annunciation is needed, you may want to use a third contact on the e-stop device to connect to a PLC input for this purpose.

The safety mat subsystem is located on the right side of the diagram and uses a second 440R-D22R2 relay. Safety mats can be either single or dual channel in design. The mat show in this drawing is a dual-channel type. Stepping on the mat causes the conductive layers in the mat to touch, shorting Channel 1 to Channel 2. This creates an input fault that will be detected by the 440R relay. The fault condition will cause the output of the relay to open, stopping the machine.

Safety mats can be damaged reasonably easily, and the circuit design shown will detect shorts or opens within the mat and will prevent the hazardous motion from starting or continuing.

The output contactors, K5 and K6 are monitored by the relay reset loop connected to S34 and the +V rail.

This circuit also includes a conventional start-stop circuit that doesn’t rely on the safety relay.

One more thing — just like the gate interlock circuit, this circuit also includes a “zone e-stop”. Look below and to the left of the safety mat relay. As with the gate interlock, pressing this button will drop out K5 and K6, stopping the same motions protected by the safety mat. Since the relay can’t tell the difference between the e-stop button and the mat being activated, you may want to use the same approach and add a third contact to the e-stop button, connecting it to the PLC for annunciation.

The components used in the circuit are critical to the final PL rating of the design. The final PL of the design depends on the MTTF_d of the components used in each channel. No knowledge of the internal construction of the safety relays is needed, because the relays come with a PL rating from the manufacturer. They can be treated as a subsystem unto themselves. The selection of the input and output devices is then the significant factor. Component data sheets can be downloaded from the Rockwell site if you want to dig a bit deeper.

What did you think about this article? What questions came to mind that weren’t answered for you? I look forward to hearing your thoughts and questions!

Acknowledgements: ISO for excerpts from ISO 13849–1 and more…

Some Rights Reserved

Posted by Doug Nix on January 31, 2011 10 comments

When people discuss ‘Risk’ there are a lot of different assumptions made about what that means. For me, the study of risk and risk assessment techniques started in 1995. As a technologist and controls designer, I had to somehow wrap my head around the whole concept in ways I’d never considered. If you’re trying to figure out risk and risk assessment this is a good place to get started!

From a machinery perspective, ISO 12100:2010 defines risk as:

“combination of the probability of occurrence of harm and the severity of that harm”

Risk can have positive or negative outcomes, but when considering safety, we only consider negative risk, or events that result in negative health effects for the people exposed.

The risk relationship is illustrated in ISO 12100:2010 Figure 3:

ISO 12100–2010 Figure 3

Where

R = Risk

S = Severity of Harm

P = Probability of Occurrence of Harm

The Probability of Occurrence of Harm factor is often further broken down into three sub-factors:

Probability of Exposure to the hazard
Probability of Occurrence of the Hazardous Event
Probability of Limiting or Avoiding the Harm

In order to estimate risk a scoring tool is needed. There is no one ‘correct’ scoring tool, and there are flaws in most scales that can result in blind-spots where risks may be over or under-estimated.

At the simplest level are ‘screening’ tools. These tools use very simple scales like ‘High, Medium, Low’, or ‘A, B, C’. These tools are often used when doing a shop-floor inspection and are intended to provide a quick method of capturing observations and giving a gut-feel assessment of the risk involved. These tools should be used as a way to identify risks that need additional, detailed assessment. To get an idea of what a good screening tool can look like, have a look at the SOBANE Déparis system.

Every scoring tool requires a scale for each risk parameter included in the tool. For instance, consider the CSA tool described in CSA Z434:

As you can see, each parameter (Severity, Exposure and Avoidance) has a scale, with two possible selections for each parameter.

When considering selection of a scoring tool, it’s important to take some time to really examine the scales for each factor. The scale shown above has a glaring hole in one scale. See if you can spot it and I’ll tell you what I think a bit later in this post.

There are more than 350 different scales and methodologies available for assessing risk. You can find a good review of some of them in Bruce Main’s textbook “Risk Assessment: Basics and Benchmarks” available from DSE online.

A similar, although different, tool is found in Annex 1 of ISO 13849–1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the standard and is NOT mandatory. In fact, this tool was provided as an example of how a user could link the output of a risk assessment tool to the Performance Levels described in the normative text (the mandatory part) of the standard.

Consider creating your own scales. There is nothing wrong with determining what characteristics (parameters) you want to include in your risk assessment, and then assigning each parameter a numeric scale that you think is suitable; 1–10, 0–5, etc. Some scales may be inverted to others, for example: If the Severity scale runs from 0–10, the Avoidability scale might run from 10–0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, document the definitions as part of your assessment.

In many organizations, I find that risk assessment has been delegated to one person. This is a major mistake for a number of reasons. Risk assessment is not a solo activity for a ‘guru’ in a lonely office somewhere!

Risk assessment is not a lot of fun to do, and since risk assessments can get to be quite involved, it represents a significant amount of work to put on one person. Also, leaving it to one person means that the assessment will necessarily be biased to what that person knows, and may miss significant hazards because the assessor doesn’t know enough about that hazard to spot it and assess it properly.

Risk assessment requires multiple viewpoints from participants with varied expertise. This includes users, designers, engineers, lawyers and those who may have specialized knowledge of a particular hazard, like a Laser Safety Officer or a Radiation Safety Officer. The varied expertise of the people involved will allow the committee to balance the opinion of each hazard, and develop a more reasoned assessment of the risk.

I recommend that risk assessment committees never be less than three members. Five is frequently a good number. Once you get beyond five, it becomes increasingly difficult to obtain consensus on each hazard. Also, consider the cost. As each committee member is added to the team, the cost of the assessment can escalate exponentially.

Training in risk assessment is crucial to success. Ensure that the individuals involved are trained, and that at least one has some previous experience in the practice so that they may guide the committee as needed.

Risk Assessment in the Lifetime of a Product

Risk assessment should begin at the beginning of a project, whether it’s the design of a product, the development of a process or service, or the design of a new building. Understanding risk is critical to the design process. Cost for changes made at the beginning of a project are minimal compared to those that will be incurred to correct problems that might have been foreseen at the start. Risk assessment should start at the concept stage and be included at each subsequent stage in the development process. The accompanying graphic illustrates this idea.

Essentially, risk assessment is never finished until the product, process or service ceases to exist.

As mentioned earlier in this post, the book ‘Risk Assessment: Basics and Benchmarks” provides an overview of roughly 350 different scoring tools. You can search the Internet and turn up quite a few as well. The key thing with all of these systems is that you will need to develop any software based tools yourself. Depending on your comfort with software, this might be a spreadsheet format, a word processing document a database, or some other format that works for your application.

There are a number of risk assessment software tools available as well, including ISI’s CIRSMA™ and DSE’s DesignSafe. As with the scoring tools, you need to be careful when evaluating tools. Some have significant blind spots that may trip you up if you are not aware of their limitations.

Remember too that the output from the software can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assessment.

There are a few places to get training. Compliance InSight Consulting provides training to corporate clients and will be launching a series of web-based training services in 2011 that will allow individual learners to get training too.

The IEEE PSES operates a Risk Assessment Technical Committee that is open to the public as well. See the RATC web site.

The Exposure Scale in the CSA tool has a gap between E1 and E2. Looking at the definitions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Exposures that occur once per hour or less, but more than once per day cannot be scored effectively using this scale.

Also, notice the Severity scale: S1 encompasses injuries requiring not more than basic first aid. One common question I get is “Does that include CPR*?”. This question comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the standard. The S2 factor extends from injuries requiring more than basic first aid, like a broken finger for instance, all the way to a fatality. Does it make sense to group this broad range of injuries together? This definition doesn’t quite match with the Province of Ontario’s definition of a Critical Injury found in Regulation 834 either.

All of this points to the need to carefully assess the scales that you choose before you start the process. Choosing the wrong tool can skew your results in ways that you may not be very happy about.

*Cardio-Pulmonary Resuscitation

Posted by Doug Nix on September 8, 2010 7 comments

This entry is part 2 of 2 in the series IEC/TR 62061–1

Standards organizations publish documents in a fairly continuous stream, so for those of us tasked with staying current with a large number of standards (say, more than 10), the publication of another new standard or Technical Report isn’t news — it’s business as usual. The question is always: Do we really need to add this to the library?

For those who are new to this business, having to pay for critical design information is a new experience. Finding out that it can cost hundreds, if not thousands, to build the library you need can be overwhelming.

This review aims to help you decide if you need IEC/TR 62061–1 in your library.

As a machine builder or a manufacturer building a product designed to be integrated into machinery, how do you choose between ISO 13849–1 and IEC 62061?

IEC 62061–1 attempts to provide guidance on how to make this choice.

When CENELEC published EN 954–1 in 1995, machine builders were introduced to a whole new world of control reliability requirements. Prior to its publication, most machines were built with very simple interlocks, and no specific standards for interlocking devices existed. In the years since then, the EN 954–1 Categories have become well known and are applied inside and outside the EU.

In the intervening years, IEC published IEC 61508. This seven-part standard introduced the idea of ‘Safety Integrity Levels’ or SILs. This standard is aimed at process control systems and could be used for complex machinery as well.

In 2006, IEC published a machinery sector specific standard based on IEC 61508, called IEC 62061. This standard offered a simplified application of the IEC 61508 methodology intended for machine builders. The key problem with this standard is that it did not provide a means to deal with pneumatic or hydraulic control elements, which are covered by ISO 13849–1.

ISO adopted EN 954–1 and reissued it as ISO 13849–1 in 1999. This edition of the standard was virtually identical to the standard it replaced from a technical requirements perspective. EN 954–1/ISO 13849–1 did not provide any means to estimate the integrity of the safety related controls, but did define circuit architectures (Categories B, 1–4) and spoke to the selection of components, introducing the concepts of ‘well-tried safety principles’ and ‘well-tried components’. A second problem had long existed in addition to this — EN 954–2, Validation, was never published by CENELEC except as a committee draft, so a key element in the application of the standard had been missing for five years at the point where ISO 13849–1 Edition 1 was published.

The first cut at guiding users in choosing an appropriate standard came with the publication of IEC 62061 Edition 1. Published in 2005, Edition 1 included a table that attempted to provide users with some guidance on how to choose between ISO 13849–1 or IEC 62061.

In 2007, ISO published the Second Edition of ISO 13849–1, and brought a whole new twist to the discussion by introducing ‘Performance Levels’ or PLs. PLs can be loosely equated to SILs, even though PLs are stated in failures per year and SILs in failures per hour. The same table included in IEC 62061 was included in this edition of ISO 13849–1.

Table 1
Recommended application of
IEC 62061 and ISO 13849–1(under revision)
(from the Second Edition, 2007)
Technology implementing the
safety related control function(s) ISO
13849–1 (under revision) IEC 62061
A Non electrical, e.g. hydraulics X Not covered
B Electromechanical, e.g. relays, or
non-complex electronics Restricted to designated
architectures (see Note 1) and up to PL=e
All architectures and up to
SIL 3
C Complex electronics, e.g. programmable Restricted to designated
architectures (see Note 1) and up
to PL=d All architectures and up to
SIL 3
D A combined with B Restricted to designated
architectures (see Note 1) and up
to PL=e X
see Note 3
E C combined with B Restricted to designated
architectures (see Note 1) and up
to PL=d All architectures and up to
SIL 3
F C combined with A, or C combined with
A and B X
see Note 2 X
see Note 3
“X” indicates that this item is dealt with by the standard shown in the column heading.
NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849–1(rev.) to give a simplified approach for quantification of performance level.
NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849–1(rev.) up to PL=d or any architecture according to IEC 62061.
NOTE 3 For non-electrical technology use parts according to EN ISO 13849–1(rev.) as subsystems.

So how is a machine builder to choose the ‘correct’ standard, if both standards are applicable and both are correct? Furthermore, how do you assess the reliability of the safety-related controls when integrating equipment from various suppliers, some of whom rate their equipment in PLs and some in SILs? Why are two standards addressing the same topic required? Will ISO 13849–1 and IEC 62061 ever be merged?

In July this year the IEC published a Technical Report that discusses the selection and application of these two key control reliability standards for machine builders. This guide has long been needed, and precedes a face to face event planned by IEC to bring machine builders and standards writers face-to-face to discuss these same issues.

The guide, titled IEC/TR 62061–1 — Technical Report — Guidance on the application of ISO 13849–1 and IEC 62061 in the design of safety-related control systems for machinery provides direct guidance on how to select between these two standards.

Download IEC standards, International Electrotechnical Commission standards.

In the introduction to the report the TC makes it clear that the standards will be merged, although they don’t provide any kind of a time line for the merger. Quoting from the introduction:

It is intended that this Technical Report be incorporated into both IEC 62061 and ISO 13849–1 by means of corrigenda that reference the published version of this document. These corrigenda will also remove the information given in Table 1, Recommended application of IEC 62061 and ISO 13849–1, provided in the common introduction to both standards, which is now recognized as being out of date. Subsequently, it is intended to merge ISO 13849–1 and IEC 62061 by means of a JWG of ISO/TC 199 and IEC/TC 44.

I added the bold face to the paragraph above to highlight the key statement regarding the eventual merger of the two documents. If you’re not familiar with the standards acronyms, a ‘JWG’ is a Joint Working Group, and a TC is a Technical Committee. TC’s are formed from volunteer experts from industry and academia supported by their organizations. So a JWG formed from two TC’s just means that a joint committee has been formed to work out the details of the merger. Eventually.

The other key point in this paragraph relates to the replacement of Table 1. In the interim, IEC/TR 62061–1 will be incorporated into both standards, replacing Table 1.

Eventually the confusion will be cleared up because only one standard will exist in the machinery sector, but until then, machine builders will need to figure out which standard best fits their products.

The Technical Report does a good job of discussing the differences between PL and SIL, including providing an explanation of how to covert one to the other, very useful if you are trying to integrate an SIL rated device into a PL analysis or vice-versa.

Clause 2.5 gives some solid advice on selecting between the two standards based on the technologies employed in the design and your own comfort level in using the analytical techniques in the two standards.

Another key point is that EITHER standard can be used to analyze complex OR simple control systems. Some fans of IEC 62061 have been known to put ISO 13849–1 down as useful exclusively for simple hardwired control systems. Clause 3.3 makes it clear that this is not the case. Pick the one you like or know the best and go with that. As an additional thought, consider which standard your competitors are using, and also which your customers are using. For example, if your customers use ISO 13849–1 primarily, qualifying your product under IEC 62061 might seem like a good idea, but may drive your customers to a competitor who makes their life easier by using ISO 13849–1. If your competitors are using a different standard, try to understand the choice before climbing on the bandwagon. There may be a competitive advantage lurking in being different.

Clause 4 speaks directly to the indispensable need to conduct a methodical risk assessment, and to use that to guide the design of the controls.

In my practice, many clients decide that they would prefer to choose a control reliability level that they feel will be more than good enough for any of their designs, and then to ‘standardize’ on that design for all their products, thereby eliminating the need to thoughtfully decide on the appropriate design for the application. In other cases, end-users may choose to use a ‘standard’ design throughout their facility to assist maintenance personnel by limiting their need to become technically familiar with a variety of designs. This is done to speed troubleshooting and reduce down time and spares stocks.

The problem with this approach can be that some managers believe this approach can eliminate the need to conduct risk assessments, seeing this as a fruitless, expensive and often futile exercise. This is emphatically NOT the case. Risk assessments address much more than the selection of control reliability requirements and need to be done to ensure that all hazards that cannot be eliminated or substituted are safeguarded. A missing or badly done risk assessment may invalidate your claim to a CE mark, or be the landmine that ends a liability case — with you on the losing end.

Each safety function needs to be defined in detail in a Safety Requirement Specification (SRS). A reliability assessment needs to be completed for each safety function defined in the SRS. This point is discussed in detail in IEC 62061, but is not dealt with in any detail in ISO 13849–1, so IEC/TR 62061–1 once again bridges the gap by providing an important detail that is missing in one of the two standards.

If you are unfamiliar with the concept of an SRS, each safety function needs to be described with a certain minimum amount of information, including:

The name of safety function;
A description of the function;
The required level of performance based on the risk assessment and according to either ISO 13849–1 (PL_r a to e) or the required safety integrity according to IEC 62061 (SIL 1 to 3)

Once the safety functions are defined and analyzed, each safety function must be implemented by a control circuit. The selected PL will drive the design to one or two of the defined ISO 13849–1 architectures, and then the component selections and other design details will drive the final failure rate and PL. Alternatively, the SRS will drive the selection of IEC 62061 architecture (1oo1, 1oo2, 2oo2, etc.) and the rest of the design details will lead to the final failure rate and SIL.

Table 1 in the Technical Report compares the levels.

Table 1 – Relationship between PLs and SILs based on the average probability
of dangerous failure per hour
Performance Level (PL) Average probability of a dangerous
failure per hour (1/h) Safety integrity level (SIL)
a >= 10^–5 to < 10^–4 No special safety requirements
b >= 3 x 10^–6 to < 10^–5 1
c >= 10^–6 to < 3 x 10^–6 1
d >= 10^–7 to < 10^–6 2
e >= 10^–8 to < 10^–7 3

This table combines ISO 13849–1 2007, Tables 3 & 4. No similar tables exist in IEC 62061 2005.

Section 7 of the report speaks to the challenge of integrating equipment with ratings in a mix of PLs and SILs. Until the standards merge and a single system for describing reliability categories is agreed on, this problem will be with us.

When designing systems using either system the designer has to determine the approximate rate of dangerous failures. In ISO 13849–1, MTTF_d is the component failure rate parameter, while in IEC 62061, PFH_d is the subsystem failure rate parameter. MTTF_d does not consider diagnostics or architecture, only the component failure rate per year, while PFH_d does include diagnostics and archtitecture, and it speaks to the system failure rate per hour. To compare these rates, ISO 13849–1 Annex K describes the relationship between MTTF_d and PFH_d for different architectures.

In the design process only one method can be used, so where equipment with different ratings must be combined the failure rates must be converted to either MTTF_dor to PFH_d, depending on the system being used to complete the analysis. Mixing requirements within the design of a subsystem is not permitted (See Clause 7.3.3).

Fault exclusions are permitted under both standards with some limitations: up to IEC 62061 SIL 2. No fault exclusions are permitted in SIL 3. Properly justified fault exclusions can be used up to PL_e. “Properly justified” fault exclusions are those that can be shown to be valid through the lifetime of the SRP/CS.

In general, fault exclusions for mechanical failures of electromechanical devices such as interlock devices or emergency stop devices are not permitted, with a few exceptions given in ISO 13849–2, (See Clauses 7.2.2.4 and 7.2.2.5).

This approach is consistent with the current approach taken in Canada, as described in CSA Z432 & Z434. Fault exclusions are generally not permitted under ANSI standards.

Section 8 of the Technical Report gives a couple of worked examples, one done under ISO 13849–1, and one under IEC 62061. For someone looking for a good example of what a properly completed analysis should look like, this section is the gold at the end of the rainbow. Section 8.2 provides a good, clear example of the application of the standards along with a nice, simple example of what a safety requirement specification might look like.

One area where proponents of the two standards often disagree is on the ‘accuracy’ of the analytical procedures given in the two standards. The Technical Report provides a detailed explanation of why the two techniques provide slightly different results and provides the rationale explaining why this variation should be considered acceptable.

At the end of the day, the question that needs to be answered is whether to buy this document or not. If you use either of these standards, I strongly recommend that you spend the money to get this Technical Report, if for nothing more than the worked examples. Until the two standards are merged, and that could be a few years, you will need to be able to effectively apply these approaches to PL and SIL rated equipment. This Technical Report will be an invaluable aid.

It also provides some guidance on the direction that the new merged standard will take. Some old arguments can be settled, or at least re-directed, by this document.

Finally, since the TR is to be incorporated in both standards and contains material replacing that in the current editions of the standard, you must buy a copy to remain current.

For all of these reasons, I would spend the money to acquire this document, read and apply it.

Download IEC standards, International Electrotechnical Commission standards.

Download ISO Standards

If you’ve bought the report and would like to add your thoughts, please add a comment below. Got questions? Contact me!

« Previous page | Next page »

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

	Technology implementing the safety related control function(s)	ISO 13849–1 (under revision)	IEC 62061
A	Non electrical, e.g. hydraulics	X	Not covered
B	Electromechanical, e.g. relays, or non-complex electronics	Restricted to designated architectures (see Note 1) and up to PL=e	All architectures and up to SIL 3
C	Complex electronics, e.g. programmable	Restricted to designated architectures (see Note 1) and up to PL=d	All architectures and up to SIL 3
D	A combined with B	Restricted to designated architectures (see Note 1) and up to PL=e	X see Note 3
E	C combined with B	Restricted to designated architectures (see Note 1) and up to PL=d	All architectures and up to SIL 3
F	C combined with A, or C combined with A and B	X see Note 2	X see Note 3
“X” indicates that this item is dealt with by the standard shown in the column heading. NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849–1(rev.) to give a simplified approach for quantification of performance level. NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849–1(rev.) up to PL=d or any architecture according to IEC 62061. NOTE 3 For non-electrical technology use parts according to EN ISO 13849–1(rev.) as subsystems.

Performance Level (PL)	Average probability of a dangerous failure per hour (1/h)	Safety integrity level (SIL)
a	>= 10^–5 to < 10^–4	No special safety requirements
b	>= 3 x 10^–6 to < 10^–5	1
c	>= 10^–6 to < 3 x 10^–6	1
d	>= 10^–7 to < 10^–6	2
e	>= 10^–8 to < 10^–7	3

17 Events on February 17, 2012 Toronto Engineering & Human Environment ExCom More details