ISO 13849–1 Analysis — Part 8: Fault Exclusion

This entry is part 9 of 9 in the series How to do a 13849–1 analy­sis

Fault Consideration & Fault Exclusion

ISO 13849–1, Chap­ter 7 [1, 7] dis­cuss­es the need for fault con­sid­er­a­tion and fault exclu­sion. Fault con­sid­er­a­tion is the process of exam­in­ing the com­po­nents and sub-sys­tems used in the safe­ty-relat­ed part of the con­trol sys­tem (SRP/CS) and mak­ing a list of all the faults that could occur in each one. This a def­i­nite­ly non-triv­ial exer­cise!

Think­ing back to some of the ear­li­er arti­cles in this series where I men­tioned the dif­fer­ent types of faults, you may recall that there are detectable and unde­tectable faults, and there are safe and dan­ger­ous faults, lead­ing us to four kinds of fault:

  • Safe unde­tectable faults
  • Dan­ger­ous unde­tectable faults
  • Safe detectable faults
  • Dan­ger­ous detectable faults

For sys­tems where no diag­nos­tics are used, Cat­e­go­ry B and 1, faults need to be elim­i­nat­ed using inher­ent­ly safe design tech­niques. Care needs to be tak­en when clas­si­fy­ing com­po­nents as “well-tried” ver­sus using a fault exclu­sion, as com­po­nents that might nor­mal­ly be con­sid­ered “well-tried” might not meet those require­ments in every appli­ca­tion. [2, Annex A], Val­i­da­tion tools for mechan­i­cal sys­tems, dis­cuss­es the con­cepts of “Basic Safe­ty Prin­ci­ples”, “Well-Tried Safe­ty Prin­ci­ples”, and “Well-tried com­po­nents”.  [2, Annex A] also pro­vides exam­ples of faults and rel­e­vant fault exclu­sion cri­te­ria. There are sim­i­lar Annex­es that cov­er pneu­mat­ic sys­tems [2, Annex B], hydraulic sys­tems [2, Annex C], and elec­tri­cal sys­tems [2, Annex D].

For sys­tems where diag­nos­tics are part of the design, i.e., Cat­e­go­ry 2, 3, and 4, the fault lists are used to eval­u­ate the diag­nos­tic cov­er­age (DC) of the test sys­tems. Depend­ing on the archi­tec­ture, cer­tain lev­els of DC are required to meet the rel­e­vant PL, see [1, Fig. 5]. The fault lists are start­ing point for the deter­mi­na­tion of DC, and are an input into the hard­ware and soft­ware designs. All of the dan­ger­ous detectable faults must be cov­ered by the diag­nos­tics, and the DC must be high enough to meet the PLr for the safe­ty func­tion.

The fault lists and fault exclu­sions are used in the Val­i­da­tion por­tion of this process as well. At the start of the Val­i­da­tion process flow­chart [2, Fig. 1], you can see how the fault lists and the cri­te­ria used for fault exclu­sion are used as inputs to the val­i­da­tion plan.

The diagram shows the first few stages in the ISO 13849-2 Validation process. See ISO 13849-2, Figure 1.
Start of ISO 13849–2 Fig. 1

Faults that can be exclud­ed do not need to val­i­dat­ed, sav­ing time and effort dur­ing the sys­tem ver­i­fi­ca­tion and val­i­da­tion (V & V). How is this done?

Fault Consideration

The first step is to devel­op a list of poten­tial faults that could occur, based on the com­po­nents and sub­sys­tems includ­ed in SRP/CS. ISO 13849–2 [2] includes lists of typ­i­cal faults for var­i­ous tech­nolo­gies. For exam­ple, [2, Table A.4] is the fault list for mechan­i­cal com­po­nents.

Mechanical fault list from ISO 13849-2
Table A.4 — Faults and fault exclu­sions — Mechan­i­cal devices, com­po­nents and ele­ments
(e.g. cam, fol­low­er, chain, clutch, brake, shaft, screw, pin, guide, bear­ing)

[2] con­tains tables sim­i­lar to Table A.4 for:

  • Pres­sure-coil springs
  • Direc­tion­al con­trol valves
  • Stop (shut-off) valves/non-return (check) valves/quick-action vent­ing valves/shuttle valves, etc.
  • Flow valves
  • Pres­sure valves
  • Pipework
  • Hose assem­blies
  • Con­nec­tors
  • Pres­sure trans­mit­ters and pres­sure medi­um trans­duc­ers
  • Com­pressed air treat­ment — Fil­ters
  • Com­pressed-air treat­ment — Oil­ers
  • Com­pressed air treat­ment — Silencers
  • Accu­mu­la­tors and pres­sure ves­sels
  • Sen­sors
  • Flu­idic Infor­ma­tion pro­cess­ing — Log­i­cal ele­ments
  • etc.

As you can see, there are many dif­fer­ent types of faults that need to be con­sid­ered. Keep in mind that I did not give you all of the dif­fer­ent fault lists — this post would be a mile long if I did that! The point is that you need to devel­op a fault list for your sys­tem, and then con­sid­er the impact of each fault on the oper­a­tion of the sys­tem. If you have com­po­nents or sub­sys­tems that are not list­ed in the tables, then you need to devel­op your own fault lists for those items. Fail­ure Modes and Effects Analy­sis (FMEA) is usu­al­ly the best approach for devel­op­ing fault lists for these com­po­nents [23], [24].

When con­sid­er­ing the faults to be includ­ed in the list there are a few things that should be con­sid­ered [1, 7.2]:

  • if after the first fault occurs oth­er faults devel­op due to the first fault, then you can group those faults togeth­er as a sin­gle fault
  • two or more sin­gle faults with a com­mon cause can be con­sid­ered as a sin­gle fault
  • mul­ti­ple faults with dif­fer­ent caus­es but occur­ring simul­ta­ne­ous­ly is con­sid­ered improb­a­ble and does not need to be con­sid­ered

Examples

#1 — Voltage Regulator

A volt­age reg­u­la­tor fails in a sys­tem pow­er sup­ply so that the 24 Vdc out­put ris­es to an unreg­u­lat­ed 36 Vdc (the inter­nal pow­er sup­ply bus volt­age), and after some time has passed, two sen­sors fail. All three fail­ures can be grouped and con­sid­ered as a sin­gle fault because they orig­i­nate in a sin­gle fail­ure in the volt­age reg­u­la­tor.

#2 — Lightning Strike

If a light­ning strike occurs on the pow­er line and the result­ing surge volt­age on the 400 V mains caus­es an inter­pos­ing con­tac­tor and the motor dri­ve it con­trols to fail to dan­ger, then these fail­ures may be grouped and con­sid­ered as one. Again, a sin­gle event caus­es all of the sub­se­quent fail­ures.

#3 — Pneumatic System Lubrication

3a — A pneu­mat­ic lubri­ca­tor runs out of lubri­cant and is not refilled, depriv­ing down­stream pneu­mat­ic com­po­nents of lubri­ca­tion.

3b — The spool on the sys­tem dump valve sticks open because it is not cycled often enough.

Nei­ther of these fail­ures has the same cause, so there is no need to con­sid­er them as occur­ring simul­ta­ne­ous­ly because the prob­a­bil­i­ty of both hap­pen­ing con­cur­rent­ly is extreme­ly small. One cau­tion: These two faults MAY have a com­mon cause — poor main­te­nance. If this is true and you decide to con­sid­er them to be two faults with a com­mon cause, they could then be grouped as a sin­gle fault.

Fault Exclusion

Once you have your well-con­sid­ered fault lists togeth­er, the next ques­tion is “Can any of the list­ed faults be exclud­ed?” This is a tricky ques­tion! There are a few points to con­sid­er:

  • Does the sys­tem archi­tec­ture allow for fault exclu­sion?
  • Is the fault tech­ni­cal­ly improb­a­ble, even if it is pos­si­ble?
  • Does expe­ri­ence show that the fault is unlike­ly to occur?*
  • Are there tech­ni­cal require­ments relat­ed to the appli­ca­tion and the haz­ard that might sup­port fault exclu­sion?

BE CAREFUL with this one!

When­ev­er faults are exclud­ed, a detailed jus­ti­fi­ca­tion for the exclu­sion needs to be includ­ed in the sys­tem design doc­u­men­ta­tion. Sim­ply decid­ing that the fault can be exclud­ed is NOT ENOUGH! Con­sid­er the risk a per­son will be exposed to in the event the fault occurs. If the sever­i­ty is very high, i.e., severe per­ma­nent injury or death, you may not want to exclude the fault even if you think you could. Care­ful con­sid­er­a­tion of the result­ing injury sce­nario is need­ed.

Bas­ing a fault exclu­sion on per­son­al expe­ri­ence is sel­dom con­sid­ered ade­quate, which is why I added the aster­isk (*) above. Look for good sta­tis­ti­cal data to sup­port any deci­sion to use a fault exclu­sion.

There is much more infor­ma­tion avail­able in IEC 61508–2 on the sub­ject of fault exclu­sion, and there is good infor­ma­tion in some of the books men­tioned below [0.1], [0.2], and [0.3]. If you know of addi­tion­al resources you would like to share, please post the infor­ma­tion in the com­ments!

Definitions

3.1.3 fault
state of an item char­ac­ter­ized by the inabil­i­ty to per­form a required func­tion, exclud­ing the inabil­i­ty dur­ing pre­ven­tive main­te­nance or oth­er planned actions, or due to lack of exter­nal resources
Note 1 to entry: A fault is often the result of a fail­ure of the item itself, but may exist with­out pri­or fail­ure.
Note 2 to entry: In this part of ISO 13849, “fault” means ran­dom fault. [SOURCE: IEC 60050?191:1990, 05–01.]

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0]     B. Main, Risk Assess­ment: Basics and Bench­marks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simp­son, Safe­ty crit­i­cal sys­tems hand­book. Ams­ter­dam: Else­vier/But­ter­worth-Heine­mann, 2011.

[0.2]  Elec­tro­mag­net­ic Com­pat­i­bil­i­ty for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: The Insti­tu­tion of Engi­neer­ing and Tech­nol­o­gy, 2008.

[0.3]  Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 2013.

References

Note: This ref­er­ence list starts in Part 1 of the series, so “miss­ing” ref­er­ences may show in oth­er parts of the series. Includ­ed in the last post of the series is the com­plete ref­er­ence list.

[1]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. 3rd Edi­tion. ISO Stan­dard 13849–1. 2015.

[2]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion. 2nd Edi­tion. ISO Stan­dard 13849–2. 2012.

[3]      Safe­ty of machin­ery — Gen­er­al prin­ci­ples for design — Risk assess­ment and risk reduc­tion. ISO Stan­dard 12100. 2010.

[4]     Safe­guard­ing of Machin­ery. 2nd Edi­tion. CSA Stan­dard Z432. 2004.

[5]     Risk Assess­ment and Risk Reduc­tion- A Guide­line to Esti­mate, Eval­u­ate and Reduce Risks Asso­ci­at­ed with Machine Tools. ANSI Tech­ni­cal Report B11.TR3. 2000.

[6]    Safe­ty of machin­ery — Emer­gency stop func­tion — Prin­ci­ples for design. ISO Stan­dard 13850. 2015.

[7]     Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. 7 parts. IEC Stan­dard 61508. Edi­tion 2. 2010.

[8]     S. Joce­lyn, J. Bau­doin, Y. Chin­ni­ah, and P. Char­p­en­tier, “Fea­si­bil­i­ty study and uncer­tain­ties in the val­i­da­tion of an exist­ing safe­ty-relat­ed con­trol cir­cuit with the ISO 13849–1:2006 design stan­dard,” Reliab. Eng. Syst. Saf., vol. 121, pp. 104–112, Jan. 2014.

[9]    Guid­ance on the appli­ca­tion of ISO 13849–1 and IEC 62061 in the design of safe­ty-relat­ed con­trol sys­tems for machin­ery. IEC Tech­ni­cal Report TR 62061–1. 2010.

[10]     Safe­ty of machin­ery — Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems. IEC Stan­dard 62061. 2005.

[11]    Guid­ance on the appli­ca­tion of ISO 13849–1 and IEC 62061 in the design of safe­ty-relat­ed con­trol sys­tems for machin­ery. IEC Tech­ni­cal Report 62061–1. 2010.

[12]    D. S. G. Nix, Y. Chin­ni­ah, F. Dosio, M. Fessler, F. Eng, and F. Schr­ev­er, “Link­ing Risk and Reliability—Mapping the out­put of risk assess­ment tools to func­tion­al safe­ty require­ments for safe­ty relat­ed con­trol sys­tems,” 2015.

[13]    Safe­ty of machin­ery. Safe­ty relat­ed parts of con­trol sys­tems. Gen­er­al prin­ci­ples for design. CEN Stan­dard EN 954–1. 1996.

[14]   Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems — Part 2: Require­ments for electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. IEC Stan­dard 61508–2. 2010.

[15]     Reli­a­bil­i­ty Pre­dic­tion of Elec­tron­ic Equip­ment. Mil­i­tary Hand­book MIL-HDBK-217F. 1991.

[16]     “IFA — Prac­ti­cal aids: Soft­ware-Assis­tent SISTEMA: Safe­ty Integri­ty — Soft­ware Tool for the Eval­u­a­tion of Machine Appli­ca­tions”, Dguv.de, 2017. [Online]. Avail­able: http://www.dguv.de/ifa/praxishilfen/practical-solutions-machine-safety/software-sistema/index.jsp. [Accessed: 30- Jan- 2017].

[17]      “fail­ure mode”, 192–03-17, Inter­na­tion­al Elec­trotech­ni­cal Vocab­u­lary. IEC Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion, Gene­va, 2015.

[18]      M. Gen­tile and A. E. Sum­mers, “Com­mon Cause Fail­ure: How Do You Man­age Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331–338, 2006.

[19]     Out of Control—Why con­trol sys­tems go wrong and how to pre­vent fail­ure, 2nd ed. Rich­mond, Sur­rey, UK: HSE Health and Safe­ty Exec­u­tive, 2003.

[20]     Safe­guard­ing of Machin­ery. 3rd Edi­tion. CSA Stan­dard Z432. 2016.

[21]     O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Cana­da, 1990.

[22]     “Field-pro­gram­ma­ble gate array”, En.wikipedia.org, 2017. [Online]. Avail­able: https://en.wikipedia.org/wiki/Field-programmable_gate_array. [Accessed: 16-Jun-2017].

[23]     Analy­sis tech­niques for sys­tem reli­a­bil­i­ty – Pro­ce­dure for fail­ure mode and effects analy­sis (FMEA). 2nd Ed. IEC Stan­dard 60812. 2006.

[24]     “Fail­ure mode and effects analy­sis”, En.wikipedia.org, 2017. [Online]. Avail­able: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 16-Jun-2017].

Do you use ISO 13849 or IEC 62061? We need to hear from you! UPDATED

Do you use ISO 13849–1 or IEC 62061 to define and ana­lyze the safe­ty relat­ed parts of the con­trol sys­tems used on your machin­ery? Have you been frus­trat­ed by try­ing to apply these stan­dards? Good news! ISO and IEC are work­ing on merg­ing these doc­u­ments, but the com­mit­tee work­ing on the merg­er needs some guid­ance from users. Here’s your chance to be heard!

Be Heard

Survey graphicIn May this year, ISO TC199 launched an online sur­vey ask­ing for input from machine builders and any­one else that uses ISO 13849 or IEC 62061. The sur­vey probes ways that the stan­dards are used , the kinds of prob­lems they encounter when try­ing to apply them, and how the use of these stan­dards affects their prod­ucts and busi­ness­es. The sur­vey, titled “Design of safe­ty relat­ed controls/control sys­tems for machin­ery – Expe­ri­ences with gener­ic stan­dards (in par­tic­u­lar ISO 13849–1 and IEC 62061)” asks a num­ber of impor­tant ques­tions that will guide the Joint Work­ing Group 1 (JWG1) as work pro­ceeds on merg­ing ISO 13849 and IEC 62061.

The sur­vey cov­ers:

  • The gener­ic and machine-spe­cif­ic stan­dards used in your com­pa­ny;
  • The types of con­trol tech­nolo­gies used in your prod­ucts;
  • Chal­lenges with get­ting com­po­nent reli­a­bil­i­ty data;
  • Use of ‘well-tried com­po­nents’, and the meth­ods to qual­i­fy­ing com­po­nents as ‘well-tried’;
  • Chal­lenges relat­ed to inte­grat­ing mechan­i­cal, pneu­mat­ic or hydraulic com­po­nents in the design of the safe­ty relat­ed con­trols, and the spe­cif­ic chal­lenges you have with this, as well as the means you have devel­oped to over­come these chal­lenges;
  • The sources you use for fail­ure rate data;
  • The influ­ence of accident/incident his­to­ry on your designs;
  • Meth­ods used to deter­mine PLs or SILs;
  • The use of des­ig­nat­ed archi­tec­tures in your designs;
  • The use of diag­nos­tics;
  • Ver­i­fi­ca­tion and val­i­da­tion pro­ce­dures;
  • Use of Com­mon Cause fac­tors; and
  • The use of design soft­ware tools like SISTEMA, Pas­CAL or SET

As you can see, it’s pret­ty wide-rang­ing. If you have a few min­utes and would like to con­tribute to the future devel­op­ment of these stan­dards, the Joint Work­ing Group would like to hear from you! 

The sur­vey clos­es 31-Aug-12 30-Nov-12. Take a minute now to com­plete it.

Eng­lish Sur­vey

French Sur­vey

Ger­man Sur­vey

31-Dec-2011 — Are YOU ready?

This entry is part 8 of 8 in the series Cir­cuit Archi­tec­tures Explored

31-Decem­ber-2011 marks a key mile­stone for machine builders mar­ket­ing their prod­ucts in the Euro­pean Union, the EEA and many of the Can­di­date States. Func­tion­al Safe­ty takes a pos­i­tive step for­ward with the manda­to­ry appli­ca­tion of EN ISO 13849–1 and -2. As of 1-Jan­u­ary-2012, the safe­ty-relat­ed parts of the con­trol sys­tems on all machin­ery bear­ing a CE Mark will be required to meet these stan­dards.

This change start­ed six years ago, when these stan­dards were first har­mo­nized under the Machin­ery Direc­tive. The EC Machin­ery Com­mit­tee gave machine builders an addi­tion­al three years to make the tran­si­tion to these stan­dards, after much oppo­si­tion to the orig­i­nal manda­to­ry imple­men­ta­tion date of 31-Dec-08 was announced.

If you aren’t aware of these stan­dards, or if you aren’t famil­iar with the con­cept of func­tion­al safe­ty, you need to get up to speed, and fast.

Under EN 954–1:1995 and the 1st Edi­tion of ISO 13849–1, pub­lished in 1999, a design­er need­ed to select a design Cat­e­go­ry or archi­tec­ture, that would pro­vide the degree of fault tol­er­ance and reli­a­bil­i­ty need­ed based on the out­come of the risk assess­ment for the machin­ery. The Cat­e­gories, B, 1–4, remain unchanged in the 2nd Edi­tion. I’ve talked about the Cat­e­gories in detail in oth­er posts, so I won’t spend any time on them here.

The 2nd Edi­tion brings Mean Time to Fail­ure into the pic­ture, along with Diag­nos­tic Cov­er­age and Com­mon Cause Fail­ures. These new con­cepts require design­ers to use more ana­lyt­i­cal tech­niques in devel­op­ing their designs, and also require addi­tion­al doc­u­men­ta­tion (as usu­al!).

One of the main fail­ings with EN 954–1 was Val­i­da­tion. This top­ic was sup­posed to have been cov­ered by EN 954–2, but this stan­dard was nev­er pub­lished. This has led machine builders to make design deci­sions with­out keep­ing the nec­es­sary design doc­u­men­ta­tion trail, and fur­ther­more, to skip the Val­i­da­tion step entire­ly in many cas­es.

The miss­ing Val­i­da­tion stan­dard was final­ly pub­lished in 2003 as ISO 13849–2:2003, and sub­se­quent­ly adopt­ed and har­mo­nized in 2009 as EN ISO 13849–2:2003. While no manda­to­ry imple­men­ta­tion date for this stan­dard is giv­en in the cur­rent list of stan­dards har­mo­nized under 2006/42/EC-Machin­ery, use of Part 1 of the stan­dard man­dates use of Part 2, so this stan­dard is effec­tive­ly manda­to­ry at the same time.

Part 2 brings a num­ber of key annex­es that are nec­es­sary for the imple­men­ta­tion of Part 1, and also out­lines the com­plete doc­u­men­ta­tion trail need­ed for val­i­da­tion, and coin­ci­den­tal­ly, audit. Noti­fied bpdies will be look­ing for this infor­ma­tion when eval­u­at­ing the con­tent of Tech­ni­cal Files used in CE Mark­ing.

From a North Amer­i­can per­spec­tive, these two stan­dards gain access through ANSI’s adop­tion of ISO 10218 for Indus­tri­al Robots. Part 1 of this stan­dard, cov­er­ing the robot itself, was adopt­ed last year. Part 2 of the stan­dard will be adopt­ed in 2012, and RIA R15.06 will be with­drawn. At the same time, CSA will be adopt­ing the ISO stan­dards and with­draw­ing CSA Z434.

These changes will final­ly bring North Amer­i­ca, the Inter­na­tion­al Com­mu­ni­ty and the EU onto the same foot­ing when it comes to Func­tion­al Safe­ty in indus­tri­al machin­ery appli­ca­tions. The days of “SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED and CONTROL RELIABLE” are num­bered.

Are you ready?

Com­pli­ance InSight Con­sult­ing will be offer­ing a series of train­ing events in 2012 on this top­ic. For more infor­ma­tion, con­tact Doug Nix.