Tag Archives: IEC 62061

31-Dec-2011 — Are YOU ready?

This entry is part 8 of 8 in the series Circuit Architectures Explored

31-December-2011 marks a key milestone for machine builders marketing their products in the European Union, the EEA and many of the Candidate States. Functional Safety takes a positive step forward with the mandatory application of EN ISO 13849-1 and -2. As of 1-January-2012, the safety-related parts of the control systems on all machinery bearing a CE Mark will be required to meet these standards.

This change started six years ago, when these standards were first harmonized under the Machinery Directive. The EC Machinery Committee gave machine builders an additional three years to make the transition to these standards, after the original mandatory implementation date of 31-Dec-08 met with much opposition when it was announced.

If you aren't aware of these standards, or if you aren't familiar with the concept of functional safety, you need to get up to speed, and fast.

Under EN 954-1:1995 and the 1st Edition of ISO 13849-1, published in 1999, a designer needed to select a design Category, or architecture, that would provide the degree of fault tolerance and reliability needed based on the outcome of the risk assessment for the machinery. The Categories, B and 1-4, remain unchanged in the 2nd Edition. I've talked about the Categories in detail in other posts, so I won't spend any time on them here.

The 2nd Edition brings Mean Time to Failure into the picture, along with Diagnostic Coverage and Common Cause Failures. These new concepts require designers to use more analytical techniques in developing their designs, and also require additional documentation (as usual!).

One of the main failings with EN 954-1 was Validation. This topic was supposed to have been covered by EN 954-2, but this standard was never published. This has led machine builders to make design decisions without keeping the necessary design documentation trail, and furthermore, to skip the Validation step entirely in many cases.

The missing Validation standard was finally published in 2003 as ISO 13849-2:2003, and subsequently adopted and harmonized in 2009 as EN ISO 13849-2:2003. While no mandatory implementation date for this standard is given in the current list of standards harmonized under 2006/42/EC (Machinery), use of Part 1 of the standard mandates use of Part 2, so this standard is effectively mandatory at the same time.

Part 2 brings a number of key annexes that are necessary for the implementation of Part 1, and also outlines the complete documentation trail needed for validation and, coincidentally, audit. Notified bodies will be looking for this information when evaluating the content of Technical Files used in CE Marking.

From a North American perspective, these two standards gain access through ANSI's adoption of ISO 10218 for Industrial Robots. Part 1 of this standard, covering the robot itself, was adopted last year. Part 2 of the standard will be adopted in 2012, and RIA R15.06 will be withdrawn. At the same time, CSA will be adopting the ISO standards and withdrawing CSA Z434.

These changes will finally bring North America, the International Community and the EU onto the same footing when it comes to Functional Safety in industrial machinery applications. The days of "SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED and CONTROL RELIABLE" are numbered.

Are you ready?

Compliance InSight Consulting will be offering a series of training events in 2012 on this topic. For more information, contact Doug Nix.

Understanding Risk Assessment

When people discuss 'Risk' there are a lot of different assumptions made about what that means. For me, the study of risk and risk assessment techniques started in 1995. As a technologist and controls designer, I had to somehow wrap my head around the whole concept in ways I'd never considered. If you're trying to figure out risk and risk assessment, this is a good place to get started!

What is risk?

From a machinery perspective, ISO 12100:2010 defines risk as:

"combination of the probability of occurrence of harm and the severity of that harm"

Risk can have positive or negative outcomes, but when considering safety, we only consider negative risk, or events that result in negative health effects for the people exposed.

The risk relationship is illustrated in ISO 12100:2010 Figure 3:

[Figure: ISO 12100:2010 Figure 3, the risk relationship]

Where

R = Risk

S = Severity of Harm

P = Probability of Occurrence of Harm

The Probability of Occurrence of Harm factor is often further broken down into three sub-factors:

  • Probability of Exposure to the hazard
  • Probability of Occurrence of the Hazardous Event
  • Probability of Limiting or Avoiding the Harm

How is risk measured?

In order to estimate risk, a scoring tool is needed. There is no one 'correct' scoring tool, and there are flaws in most scales that can result in blind spots where risks may be over- or under-estimated.

At the simplest level are 'screening' tools. These tools use very simple scales like 'High, Medium, Low', or 'A, B, C'. They are often used when doing a shop-floor inspection and are intended to provide a quick method of capturing observations and giving a gut-feel assessment of the risk involved. These tools should be used as a way to identify risks that need additional, detailed assessment. To get an idea of what a good screening tool can look like, have a look at the SOBANE Déparis system.

Every scoring tool requires a scale for each risk parameter included in the tool. For instance, consider the CSA tool described in CSA Z434:

[Figure: CSA Z434-03 Table 1]

As you can see, each parameter (Severity, Exposure and Avoidance) has a scale, with two possible selections for each parameter.

When considering selection of a scoring tool, it's important to take some time to really examine the scales for each factor. The scale shown above has a glaring hole in one scale. See if you can spot it, and I'll tell you what I think a bit later in this post.

There are more than 350 different scales and methodologies available for assessing risk. You can find a good review of some of them in Bruce Main's textbook "Risk Assessment: Basics and Benchmarks", available from DSE online.

A similar, although different, tool is found in Annex 1 of ISO 13849-1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the standard and is NOT mandatory. In fact, this tool was provided as an example of how a user could link the output of a risk assessment tool to the Performance Levels described in the normative text (the mandatory part) of the standard.

Consider creating your own scales. There is nothing wrong with determining what characteristics (parameters) you want to include in your risk assessment, and then assigning each parameter a numeric scale that you think is suitable: 1-10, 0-5, etc. Some scales may be inverted relative to others; for example, if the Severity scale runs from 0-10, the Avoidability scale might run from 10-0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, document the definitions as part of your assessment.

Who should con­duct risk assessments?

In many organizations, I find that risk assessment has been delegated to one person. This is a major mistake for a number of reasons. Risk assessment is not a solo activity for a 'guru' in a lonely office somewhere!

Risk assessment is not a lot of fun to do, and since risk assessments can get to be quite involved, it represents a significant amount of work to put on one person. Also, leaving it to one person means that the assessment will necessarily be biased toward what that person knows, and may miss significant hazards because the assessor doesn't know enough about a hazard to spot it and assess it properly.

Risk assessment requires multiple viewpoints from participants with varied expertise. This includes users, designers, engineers, lawyers and those who may have specialized knowledge of a particular hazard, like a Laser Safety Officer or a Radiation Safety Officer. The varied expertise of the people involved will allow the committee to balance the opinions on each hazard, and develop a more reasoned assessment of the risk.

I recommend that risk assessment committees never have fewer than three members. Five is frequently a good number. Once you get beyond five, it becomes increasingly difficult to obtain consensus on each hazard. Also, consider the cost: as each committee member is added to the team, the cost of the assessment can escalate exponentially.

Training in risk assessment is crucial to success. Ensure that the individuals involved are trained, and that at least one has some previous experience in the practice so that they may guide the committee as needed.

When should a risk assess­ment be conducted?

[Figure: Risk Assessment in the Lifetime of a Product (flow chart)]

Risk assessment should begin at the beginning of a project, whether it's the design of a product, the development of a process or service, or the design of a new building. Understanding risk is critical to the design process. The cost of changes made at the beginning of a project is minimal compared to the cost of correcting problems that might have been foreseen at the start. Risk assessment should start at the concept stage and be included at each subsequent stage in the development process. The accompanying graphic illustrates this idea.

Essentially, risk assessment is never finished until the product, process or service ceases to exist.

What tools are available?

As mentioned earlier in this post, the book "Risk Assessment: Basics and Benchmarks" provides an overview of roughly 350 different scoring tools. You can search the Internet and turn up quite a few as well. The key thing with all of these systems is that you will need to develop any software-based tools yourself. Depending on your comfort with software, this might be a spreadsheet, a word processing document, a database, or some other format that works for your application.

There are a number of risk assessment software tools available as well, including ISI's CIRSMA and DSE's DesignSafe. As with the scoring tools, you need to be careful when evaluating tools. Some have significant blind spots that may trip you up if you are not aware of their limitations.

Remember too that the output from the software can only be as good as the input data. The old saw "Garbage In, Garbage Out" holds true with risk assessment.

Where can you get training?

There are a few places to get training. Compliance InSight Consulting provides training to corporate clients and will be launching a series of web-based training services in 2011 that will allow individual learners to get training too.

The IEEE PSES operates a Risk Assessment Technical Committee that is open to the public as well. See the RATC web site.

The Answer to the Scale Question

The Exposure Scale in the CSA tool has a gap between E1 and E2. Looking at the definitions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Exposures that occur once per hour or less, but more than once per day, cannot be scored effectively using this scale.

Also, notice the Severity scale: S1 encompasses injuries requiring not more than basic first aid. One common question I get is "Does that include CPR*?". This question comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the standard. The S2 factor extends from injuries requiring more than basic first aid, like a broken finger for instance, all the way to a fatality. Does it make sense to group this broad range of injuries together? This definition doesn't quite match the Province of Ontario's definition of a Critical Injury found in Regulation 834 either.

All of this points to the need to carefully assess the scales that you choose before you start the process. Choosing the wrong tool can skew your results in ways that you may not be very happy about.

*Cardio-Pulmonary Resuscitation
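The scale gap discussed above can be checked mechanically rather than by eye. The following Python is an added example (not from the original post or from CSA): it encodes the two Exposure choices exactly as the post describes them and reports any band of exposure rates that neither choice covers. It assumes an 8-hour shift, so "once per day or shift" becomes 1/8 exposures per hour; the gap finder itself works for any interval-based scale you might construct.

```python
"""Gap check for an interval-based risk scale (added example, not from the post).

Exposure bands follow the post's description of CSA Z434-03 Table 1:
E1 = less than once per day or shift, E2 = more than once per hour.
Assumption: a shift is 8 hours, so "once per shift" = 1/8 exposures per hour.
"""
from math import inf

SHIFT_HOURS = 8.0  # assumption, not stated on the page

# (label, lower bound, upper bound, lower inclusive, upper inclusive),
# all rates expressed in exposures per hour.
EXPOSURE_BANDS = [
    ("E1", 0.0, 1.0 / SHIFT_HOURS, True, False),  # strictly less than once per shift
    ("E2", 1.0, inf, False, False),                # strictly more than once per hour
]


def score_exposure(per_hour, bands=EXPOSURE_BANDS):
    """Return the band label for an observed exposure rate, or None if nothing covers it."""
    for label, lo, hi, lo_inc, hi_inc in bands:
        above = per_hour > lo or (lo_inc and per_hour == lo)
        below = per_hour < hi or (hi_inc and per_hour == hi)
        if above and below:
            return label
    return None


def find_gaps(bands):
    """Return (hi, lo) pairs bounding each stretch of the rate axis no band covers.

    Bands are sorted by lower bound; consecutive bands leave a gap when the
    first ends below the second starts, or when they meet at a single point
    that neither band includes.
    """
    ordered = sorted(bands, key=lambda b: b[1])
    gaps = []
    for (_, _, hi, _, hi_inc), (_, lo, _, lo_inc, _) in zip(ordered, ordered[1:]):
        if hi < lo or (hi == lo and not hi_inc and not lo_inc):
            gaps.append((hi, lo))
    return gaps


def unscorable(rates, bands=EXPOSURE_BANDS):
    """Filter observed rates down to those the scale cannot score at all."""
    return [r for r in rates if score_exposure(r, bands) is None]


if __name__ == "__main__":
    # Constructed observations: once per 20 h, once per 2 h, once per hour, twice per hour.
    print(find_gaps(EXPOSURE_BANDS), unscorable([0.05, 0.5, 1.0, 2.0]))
```

Any rate between once per shift and once per hour (inclusive of once per hour) comes back as None, which is the blind spot the post describes.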

Missing MTTFd data

What the heck is MTTFd???

When you first start to work through ISO 13849-1, the first thing that will smack you in the head is the plethora of new acronyms. The first one you'll run into is 'PL', of course, since the entire purpose of the standard is to aid the designer in determining the reliability Performance Level of the control system. Shortly after that you'll find yourself face to face with MTTFd.

MTTFd, or the Mean Time To Failure (dangerous), is the name given to the expected failure rate per year for a component used in a system that is being analyzed. This rate differs from the straight failure rate for the component because it's limited to the failures that result in a dangerous failure mode, or that may lead to a hazard.

So how do you get this data?

Obtaining MTTFd data for a component should be easy for a designer. Component manufacturers who market components intended for safety applications should provide this data in the component specifications, but there are thousands, perhaps millions, of different components being marketed today for use in safety systems. Most of the major manufacturers are already providing this figure, or a figure from which MTTFd can be derived (B10d), but for many components this data is simply not available.

Here are some randomly chosen examples of manufacturers' specification sheets that give this data:

Allen-Bradley Trojan™ T15 Interlock Switch

Pilz PNOZ X2 (pdf data sheet)

Telemecanique XPS MP Safety Controller (pdf data sheet)

B10d is the number of cycles until 10% of the components being tested fail in a dangerous way. Using failure rate data from the component's data sheet, it is possible to estimate B10d from either B10 or T (the application-dependent lifetime of the component). Check out Annex C of the standard if you want to see how this can be done.

But what do you do if the manufacturer of your favourite contactor doesn't provide ANY failure data? Some major manufacturers still don't provide any failure rate data at all; some provide expected lifetimes under specific operating conditions. Some provide only EN 954-1:95 data. In the last case, I think this is one of the reasons for the EC Machinery Working Group's decision late last year to extend the transition period to ISO 13849-1:07. Need to know more about that decision?

Now what?

Unless you work for a large organization, instituting a life testing program is not likely to be an option, since you either need a protracted period of time with a few components in test, or thousands of samples for a short time.

The standard provides the option to use 10 years as a default where no other data is available. 10 years sounds like a long time at first blush, particularly if the planned lifetime of the system involved is 20 years. Typical MTTFd values for high-reliability components are in the hundreds of years, so by comparison, 10 years is almost nothing. Tables are also provided for some kinds of components, but the tables are necessarily limited in size, so not every component will be listed.

Your only option is to use the data in the standard, or pick up some of the other publications that include component failure data, like MIL-HDBK-217F, IEC/TR 62380 (based on UTE 80810 & RDF 2000), NPRD 95 or IEC 61709 (based on Siemens SN 29500 documents). Some of these documents may be difficult or impossible to obtain.
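To make the B10d conversion and the cost of the 10-year default concrete, here is an added Python example (not from the original post). It carries a component through the Annex C.4 arithmetic (n_op from the duty cycle, then MTTFd = B10d / (0.1 × n_op)), falls back to 10 years where a data sheet gives nothing, and combines a channel by the Annex D.1 parts-count method, banding the result per Table 5 of ISO 13849-1:2006. The contactor figure, duty cycle and the unnamed second component are constructed sample values, not taken from any data sheet.

```python
"""MTTFd worked example (added here; formulas from ISO 13849-1:2006 Annex C.4/D.1).

Sample values below are constructed for illustration, not from a data sheet.
"""

DEFAULT_MTTFD_YEARS = 10.0   # default the standard permits when no data exists
CHANNEL_CAP_YEARS = 100.0    # the 2006 edition caps a channel's MTTFd at 100 years


def cycles_per_year(d_op, h_op, t_cycle_s):
    """n_op = d_op * h_op * 3600 / t_cycle (days/year, hours/day, seconds/cycle)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def b10d_from_b10(b10, dangerous_fraction=0.5):
    """B10d = B10 / (fraction of failures that are dangerous); 50% if unknown."""
    return b10 / dangerous_fraction


def mttfd_from_b10d(b10d, n_op):
    """MTTFd in years = B10d / (0.1 * n_op)."""
    return b10d / (0.1 * n_op)


def component_mttfd(b10d, n_op):
    """Use the data sheet B10d when present, otherwise the 10-year default."""
    if b10d is None:
        return DEFAULT_MTTFD_YEARS
    return mttfd_from_b10d(b10d, n_op)


def channel_mttfd(component_years):
    """Parts-count method: 1/MTTFd_ch = sum(1/MTTFd_i), then cap at 100 years."""
    total = sum(1.0 / y for y in component_years)
    return min(1.0 / total, CHANNEL_CAP_YEARS)


def mttfd_band(years):
    """Table 5 bands; a channel below 3 years is not acceptable at all."""
    if years < 3:
        return "not acceptable"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


# Constructed case: a contactor with B10d = 1,300,000 cycles, switched once a
# minute for 16 h/day, 220 days/year, in series with a part that has no data.
N_OP = cycles_per_year(d_op=220, h_op=16, t_cycle_s=60)   # 211,200 cycles/year
CONTACTOR = component_mttfd(1_300_000, N_OP)               # about 61.6 years
UNKNOWN_PART = component_mttfd(None, N_OP)                 # 10.0 years (default)
CHANNEL = channel_mttfd([CONTACTOR, UNKNOWN_PART])         # about 8.6 years

if __name__ == "__main__":
    print(f"contactor {CONTACTOR:.1f} y ({mttfd_band(CONTACTOR)}); "
          f"channel {CHANNEL:.1f} y ({mttfd_band(CHANNEL)})")
```

One undocumented part at the 10-year default pulls a channel that would otherwise be "high" down to "low", which is the over-design pressure the post describes.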

The result of this lack of objec­tive data from the com­po­nent man­u­fac­tur­ers is:

  • Conservative results based on the minimum default MTTFd;
  • Potential over-design of safety related controls;
  • Increased manufacturing costs for machine builders.

The reasons for this situation vary by manufacturer, but ultimately it comes down to the cost of life testing components multiplied by the number of components built by each manufacturer. Typical life tests require load simulators and switching for thousands of components, as well as data logging to trap failures and record relevant data. In the case of fluid power components (pneumatics and hydraulics), this becomes increasingly complex. For many component manufacturers, the cost of life testing is prohibitive, even though this data is badly needed by their users.

Will we see an improvement in the future? The largest controls component manufacturers are very likely to provide this data as they have it available, meaning as they complete testing. New designs are much more likely to come with this data initially, while it may be a long time before some of the old standard components get time in the life test cell. Until then, lots of components will be assigned '10 years'.

A big thank you to Wouter Leusden for the idea for this post!

Have a thought to share on this topic? Correct an error in the article? Sound off? Leave a comment!
