Safe Drive Control including STO

Ed. Note: This article was revised 25-Jul-17 to include information on safe standstill.

Safe Drive Control

Variable Frequency Drive for conveyor speed control [1]

Motor drives are everywhere. From DC variable speed drives and indexing drives, through AC Variable Frequency drives, servo drives and stepper motor drives, the capabilities and the flexibility of these electronic systems has given machine designers unprecedented capabilities when compared to basic relay or contactor-based motor starters. We now have the capability to control mechanisms using motors in ways that would have been hard to imagine at the beginning of the industrial revolution.

Since we are controlling machinery, safety is always a concern. In the 1990’s when I started designing machinery with motor drives, dealing with safety concerns usually meant adding a suitably rated contactor upstream of the drive so that you could interrupt power to the drive in case something went wrong. With early servo drives, interrupting the supply power often meant losing position data or worse, so contactors were placed between the drive and the motor. This occasionally caused the drive stage of the servo controller to blow up if the switch-off happened with the motor running and under high load. Motor drive manufacturers responded by providing contactors and other components built into their drives, creating a feature called Safe Torque Off (STO).

STO describes a state where “The drive is reliably torque-free” [2]. The functions discussed in this article are described in detail in IEC 61800−5−2 [3]. The functions are also listed in [10, Table 5.2]. Note that only Safe Torque Off and Safe Stop 1 can be used for emergency stop functions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safety-related stop functions initiated by a safeguarding device.

If you have been a reader of this blog for a while, you may recall that I have discussed stop categories before. This article expands on those concepts in relation to motor drives and their stopping functions specifically. I’ve also talked about Emergency Stop extensively. You might be interested in reading more about the e-stop function in the post “Emergency Stop – What’s so confusing about that?”

Safe Torque Off (STO)

According to Siemens, “The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to act upon a motor and prevents unintentional starting.” Risk assessment of the machinery can identify the need for an STO function. The devices used for this application are described in IEC 60204 – 1 in clause 5.4 [4]. The design features for prevention of unexpected starting are covered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are interested in these standards, ISO 14118 is in the process of being revised. A new version should be available within 12 – 18 months.

The STO function operates as shown in Fig.1. The blue line represents the drive speed/velocity, V, on the y-axis, with time, t, on the x-axis.

Graph showing motor drive output over time when the STO function is activated. — Figure 1 – Safe Torque Off function [1]

At the beginning of the stopping process (orange arrow and dotted line), the drive gate pulses are immediately shut off, removing torque from the motor (i.e., zero torque). The speed of the driven equipment will drop at a rate determined by the system friction and inertia until standstill is achieved. The zero torque condition is then maintained until the safety function permits restarting (area outlined with yellow/black zebra stripe). Note that drive standstill may occur if the friction and inertia of the system permit, but it is possible that the driven equipment may coast for some time. You may be able to move the driven equipment by hand or gravity with drive in STO.STO is an uncontrolled stop [4, 3.56]:

STO is an uncontrolled stop [4, 3.56]:

uncontrolled stop

stopping of machine motion by removing electrical power to the machine actuators

NOTE This definition does not imply any other state of other (for example, non-electrical) stopping devices, for example, mechanical or hydraulic brakes that are outside the scope of this standard.

The definition above is important. Uncontrolled stops are the most common form of stopping used in machines of all types and is required as a basic function for all machines. It can be achieved in a number of ways, including the use of a disconnecting device, emergency stop systems, and gate interlocking systems that remove power from machine actuators.

The concept of an uncontrolled stop is embodied in stop category 0 [4, 9.2.2]:

stop category 0 — stopping by immediate removal of power to the machine actuators (i.e., and uncontrolled stop, see 3.56)

Stop category 0 is only appropriate where the machinery has little inertia, or where mechanical friction is high enough that the stopping time is short. It may also be used in cases where the machinery has very high inertia, but only for normal stopping when coasting time is not a factor, not for safety stopping functions where the time to a no-motion state is critical.

There are a few other stopping modes that are often confused with STO:

Safe Stop 1
Safe Stop 2
Safe Operating Stop
Safe Standstill

Let’s explore the differences.

Safe Stop 1 (SS1)

If a defined stopping time is needed, a controlled stopping function will be required followed by entry into STO. This stopping function is called “Safe Stop 1” (SS1).

SS1 is directly related to Stop Category 1 [4, 9.2.2]. As described in [4], Stop Category 1 functions as follows:

stop category 1 — a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

A “controlled stop” is defined in [4, 3.11]:

controlled stop

stopping of machine motion with electrical power to the machine actuator maintained during the stopping process

Once the controlled stop is completed, i.e., machine motion has stopped, the drive may then be placed into STO (or category 0 stop). The stopping process is shown in Fig. 2 [7].

Graph showing the reduction of drive speed over time following the beginning of a controlled stopping process. — Figure 2 – Safe Stop 1

The stopping process starts where the orange arrow and dotted line are shown. As compared to Fig. 1 where the deceleration curve is gentle and exponential, the active stopping period in Fig. 2 is a linear curve from operating speed to zero speed. At the blue dotted line, the drive enters and stays in STO. The yellow/black zebra striped area of the curve outlines the complete stopping function. This stopping method is typical of many types of machinery, particularly those with servo driven mechanisms.

Safe Stop 2 (SS2)

In some cases, the risk assessment may show that removing power completely from a mechanism will increase the risk. An example might be a vertical axis where the motor drive is used to maintain the position of the tooling. Removing power from the drive with the tool raised would result in the tooling crashing to the bottom of the axis in an uncontrolled way. Definitely NOT the desired way to achieve any kind of stop!

There are a number of ways to prevent this kind of occurrence, but I’m going to limit the discussion here to the Safe Stop 2 function.

Let’s start with the definition [4, 3.11]:

controlled stop

stopping of machine motion with electrical power to the machine actuator maintained during the stopping process

Wait! This is exactly the same as a stop category 1, so what is the difference? For that we need to look to [4, 9.2.2]:

stop category 2 — a controlled stop with power left available to the machine actuators.

The first thing to know about stop category 2 is that this category cannot be used for emergency stop [4, 9.2.5.4.2]. If you have tooling where stop category 2 is the most appropriate stop under normal conditions, you will have to add an another means to prevent the axis from falling during the emergency stop. This could be a spring-set brake that is held released by the emergency stop system and is applied when the e-stop system removes power from the tooling. There are many ways to achieve automatic load-holding besides brakes, but remember, whatever you choose it must be effective in power loss conditions.

As shown in Fig. 3, the operation of Safe Stop 2 differs from Safe Stop 1 in that, instead of entering into STO when motion stops, the system enters Safe Operating Stop (SOS) [8], not STO. SOS is a stop category 2 function. Full torque remains available from the motor to hold the tooling in position. Safe standstill is monitored by the drive or other means.

Graph showing speed reduction to zero, followed by entry into stop category 2. — Figure 3 — Safe Stop 2

Depending on the ISO 13849 – 1 PL_r, or the IEC 62061 SIL_r needed for the application, the drive may not have high enough reliability on its own. In this case, a second channel may be required to ensure that safe standstill monitoring is adequately reliable. This can be achieved by adding another means of standstill detection, like a second encoder, or a standstill monitoring device. An example circuit diagram showing this type of monitoring can be found in Fig. 4 [10, Fig. 8.37], showing a safety PLC and drive used to provide an “inching” or “jog” function.

Circuit diagram for a safe inching mode using a motor drive. Taken from Fig 8.37 in BGIA Report 2/2008e — Figure 4 — Safely limited speed for inching mode – PLd, Cat. 3 [10]

In Fig. 4, the encoders are labelled G1 and G2. Both encoders are connected to the safety PLC to provide two-channel feedback required for Category 3 architecture. G1 is also connected to the motor drive for position and velocity feedback as needed for the application. Note that this particular drive also has a contactor upstream, Q1, to provide one channel of the two required for Category 3. The second channel would be provided by the pulse blocking input on the drive. For more on how this circuit functions and how the functional safety analysis is completed, see [10].

Safe Operating Stop (SOS)

During a safe operating stop (SOS), the motor is brought to a specific position and held there by the drive. Full torque is available to keep the tooling in position. The stop is monitored safely by the drive. The function is shown in Figure 4 [9].

A graph showing a drive maintaining position following a stop — Figure 5 — Safe Operating Stop

In Fig. 5, the y-axis, s, represents the position of the tooling, NOT the velocity, while the x-axis represents time, t. The start of the position holding function is shown by the orange arrow and dashed line. The period following the green dashed line is the SOS period.

SOS cannot be used for the emergency stop function. Under certain conditions it may be used when guard interlocks are opened, i.e., the guard door on a CNC lathe is opened so that the operator can place a new workpiece.

There a quite a few additional “safe” drive functions. For more on these functions and how to implement them, see [2] and application data from your favourite drive manufacturer. Reference is also provided in [9, Table 5.2].

Safe Standstill

Safe standstill is a condition where motion has stopped and is being monitored by a safety-rated device whose output signals are used to control the release of guard locking devices. Safe standstill is not the same as zero-speed because zero-speed can be achieved without the use of safety rated control components and design, while safe standstill requires both suitable components and design.

There are a number of ways to achieve safe standstill. Here are three common approaches [12]:

Rotation sensors
Sensors including proximity sensors, resolvers, and encoders can be used to monitor the motion of the drive components. A safe standstill monitoring device is used to when standstill has occurred. When a machine has an unstable rest position, a proximity sensor should be used to ensure the machine is in a safe condition before the guard locking devices are released.
Back EMF monitoring
Back electromotive force or Back EMF is the voltage created in an electric motor due to the rotation of the armature in the magnetic field in the motor. This voltage opposes the applied voltage and is approximately proportional to the rotational speed of the motor. Back EMF remains after the supply voltage has been removed, allowing monitoring devices to indirectly measure motor speed and standstill.
Failsafe timer
Failsafe timers are time delay relays designed for use in safety functions. Failsafe timers can be used when the stopping performance of the machinery is consistent and known.
Following removal of power from the drive motor, the time delay starts. At the end of the time delay, the relay releases the guard locking devices.
Regular time delay relays cannot be used for this purpose, only fail-safe relays designed to be used in safety functions can be used, along with suitable safety systems design techniques like ISO 13849 or IEC 62061.

Conclusions

As you can see, there are significant differences between STO, SS1, SS2, SOS and Safe Standstill. While these functions may be used together to achieve a particular safety function, some are functions of the implementation of the motor drive, e.g., STO, a function of the design of the motor drive itself, e.g., STO, SS1, SS2, and SOS, or the design of controls external to the motor drive, e.g., safe standstill. The similarities between these various functions can make it easy to confuse them. Care needs to be taken to ensure that the correct technical approach is used when realising the safety function required by the risk assessment.

References

[1] “Variable Frequency Drives – Industrial Wiki – odesie by Tech Transfer”, Myodesie.com, 2017. [Online]. Available: https://www.myodesie.com/wiki/index/returnEntry/id/3040. [Accessed: 19- Jun- 2017].

[2] “Safe Torque Off (STO) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/pages/safe-torque-off.aspx. [Accessed: 19- Jun- 2017].

[3] Adjustable speed electrical power drive systems – Part 5 – 2: Safety requirements – Functional. IEC Standard 61800−5−2. 2^nd Ed. 2016.

[4] Safety of machinery — Electrical equipment of machines — Part 1: General requirements. IEC Standard 60204 – 1. 2006.

[5] Safety of machinery — Prevention of unexpected start-up. EN Standard 1037+A1. 2008.

[6] Safety of machinery — Prevention of unexpected start-up. ISO Standard 14118. 2000.

[7] “Safe Stop 1 (SS1) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop1.aspx. [Accessed: 19- Jun- 2017].

[8] “Safe Stop 2 (SS2) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop2.aspx. [Accessed: 19- Jun- 2017].

[9] “Safe Operating Stop (SOS) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-operating-stop.aspx. [Accessed: 19- Jun- 2017].

[10] M. Hauke, M. Schaefer, R. Apfeld, T. Boemer, M. Huelke, T. Borowski, K. Büllesbach, M. Dorra, H. Foermer-Schaefer, W. Grigulewitsch, K. Heimann, B. Köhler, M. Krauß, W. Kühlem, O. Lohmaier, K. Meffert, J. Pilger, G. Reuß, U. Schuster, T. Seifen and H. Zilligen, “Functional safety of machine controls – Application of EN ISO 13849 – Report 2/2008e”, BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, Sankt Augustin, 2017.

[11] “Glossary”, Schmersalusa.com, 2017. [Online]. Available: http://www.schmersalusa.com/cms17/opencms/html/en/service/glossary.html#S. [Accessed: 25- Jul- 2017].

[12] Schmersal Tech Briefs: Safe Speed & Standstill Monitoring. Schmersal USA, 2014.

Acknowledgements

Special thanks go out to two of my regular readers for suggesting this post: Matt Ernst and controlsgirl, who comments frequently. Thanks for the ideas and the questions that sparked this post!

Acknowledgements: As cited.

Some Rights Reserved

How to do a 13849 – 1 analysis: Complete Reference List

This entry is part 8 of 9 in the series How to do a 13849 – 1 analysis

As promised in previous posts, here is the complete reference list for the series “How to do a 13849 – 1 analysis”! If you have any additional resources you think readers would find helpful, please add them in the comments.

Book List

Here are some books that I think you may find helpful on this journey:

[0] B. Main, Risk Assessment: Basics and Benchmarks, 1^st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1] D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2] Electromagnetic Compatibility for Functional Safety, 1^st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3] Overview of techniques and measures related to EMC for Functional Safety, 1^st ed. Stevenage, UK: Overview of techniques and measures related to EMC for Functional Safety, 2013.

References

Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3^rd Edition. ISO Standard 13849 – 1. 2015.

[2] Safety of machinery – Safety-related parts of control systems – Part 2: Validation. 2^nd Edition. ISO Standard 13849 – 2. 2012.

[3] Safety of machinery – General principles for design – Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4] Safeguarding of Machinery. 2^nd Edition. CSA Standard Z432. 2004.

[5] Risk Assessment and Risk Reduction- A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6] Safety of machinery – Emergency stop function – Principles for design. ISO Standard 13850. 2015.

[7] Functional safety of electrical/electronic/programmable electronic safety-related systems. 7 parts. IEC Standard 61508. Edition 2. 2010.

[8] S. Jocelyn, J. Baudoin, Y. Chinniah, and P. Charpentier, “Feasibility study and uncertainties in the validation of an existing safety-related control circuit with the ISO 13849 – 1:2006 design standard,” Reliab. Eng. Syst. Saf., vol. 121, pp. 104 – 112, Jan. 2014.

[9] Guidance on the application of ISO 13849 – 1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report TR 62061 – 1. 2010.

[10] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[11] Guidance on the application of ISO 13849 – 1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report 62061 – 1. 2010.

[12] D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, “Linking Risk and Reliability — Mapping the output of risk assessment tools to functional safety requirements for safety related control systems,” 2015.

[13] Safety of machinery. Safety related parts of control systems. General principles for design. CEN Standard EN 954 – 1. 1996.

[14] Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems. IEC Standard 61508 – 2. 2010.

[15] Reliability Prediction of Electronic Equipment. Military Handbook MIL-HDBK-217F. 1991.

[16] “IFA – Practical aids: Software-Assistent SISTEMA: Safety Integrity – Software Tool for the Evaluation of Machine Applications”, Dguv.de, 2017. [Online]. Available: http://www.dguv.de/ifa/praxishilfen/practical-solutions-machine-safety/software-sistema/index.jsp. [Accessed: 30- Jan- 2017].

[17] “failure mode”, 192−03−17, International Electrotechnical Vocabulary. IEC International Electrotechnical Commission, Geneva, 2015.

[18] M. Gentile and A. E. Summers, “Common Cause Failure: How Do You Manage Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331 – 338, 2006.

[19] Out of Control — Why control systems go wrong and how to prevent failure, 2^nd ed. Richmond, Surrey, UK: HSE Health and Safety Executive, 2003.

[20] Safeguarding of Machinery. 3^rd Edition. CSA Standard Z432. 2016.

[21] O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Canada, 1990.

[22] “Field-programmable gate array”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Field-programmable_gate_array. [Accessed: 16-Jun-2017].

[23] Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA). 2^nd Ed. IEC Standard 60812. 2006.

[24] “Failure mode and effects analysis”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 16-Jun-2017].

Acknowledgements: As cited.

Some Rights Reserved

ISO 13849 – 1 Analysis — Part 8: Fault Exclusion

This entry is part of 9 in the series How to do a 13849 – 1 analysis

Fault Consideration & Fault Exclusion

ISO 13849 – 1, Chapter 7 [1, 7] discusses the need for fault consideration and fault exclusion. Fault consideration is the process of examining the components and sub-systems used in the safety-related part of the control system (SRP/CS) and making a list of all the faults that could occur in each one. This a definitely non-trivial exercise!

Thinking back to some of the earlier articles in this series where I mentioned the different types of faults, you may recall that there are detectable and undetectable faults, and there are safe and dangerous faults, leading us to four kinds of fault:

Safe undetectable faults
Dangerous undetectable faults
Safe detectable faults
Dangerous undetectable faults

For systems where no diagnostics are used, Category B and 1, faults need to be eliminated using inherently safe design techniques. Care needs to be taken when classifying components as “well-tried” versus using a fault exclusion, as components that might normally be considered “well-tried” might not meet those requirements in every application.

For systems where diagnostics are part of the design, i.e., Category 2, 3, and 4, the fault lists are used to evaluate the diagnostic coverage (DC) of the test systems. Depending on the architecture, certain levels of DC are required to meet the relevant PL, see [1, Fig. 5]. The fault lists are starting point for the determination of DC, and are an input into the hardware and software designs. All of the dangerous detectable faults must be covered by the diagnostics, and the DC must be high enough to meet the PL_r. for the safety function.

The fault lists and fault exclusions are used in the Validation portion of this process as well. At the start of the Validation process flow chart [2, Fig. 1], you can see how the fault lists and the criteria used for fault exclusion are used as inputs to the validation plan.

The diagram shows the first few stages in the ISO 13849-2 Validation process. See ISO 13849-2, Figure 1. — Start of ISO 13849 – 2 Fig. 1

Faults that can be excluded do not need to validated, saving time and effort during the system verification and validation (V & V). How is this done?

Fault Consideration

The first step is to develop a list of potential faults that could occur, based on the components and subsystems included in SRP/CS. ISO 13849 – 2 [2] includes lists of typical faults for various technologies. For example, [2, Table A.4] is the fault list for mechanical components.

Mechanical fault list from ISO 13849-2 — Table A.4 — Faults and fault exclusions — Mechanical devices, components and elements
(e.g. cam, follower, chain, clutch, brake, shaft, screw, pin, guide, bearing)

[2] contains tables similar to Table A.4 for:

Pressure-coil springs
Directional control valves
Stop (shut-off) valves/non-return (check) valves/quick-action venting valves/shuttle valves, etc.
Flow valves
Pressure valves
Pipework
Hose assemblies
Connectors
Pressure transmitters and pressure medium transducers
Compressed air treatment — Filters
Compressed-air treatment — Oilers
Compressed air treatment — Silencers
Accumulators and pressure vessels
Sensors
Fluidic Information processing — Logical elements
etc.

As you can see, there are many different types of faults that need to be considered. Keep in mind that I did not give you all of the different fault lists – this post would be a mile long if I did that! The point is that you need to develop a fault list for your system, and then consider the impact of each fault on the operation of the system. If you have components or subsystems that are not listed in the tables, then you need to develop your own fault lists for those items. Using Failure Modes and Effects Analysis (FMEA) techniques are usually the best approach for these components [23], [24].

When considering the faults to be included in the list there are a few things that should be considered [1, 7.2]:

if after the first fault occurs other faults develop due to the first fault, then you can group those faults together as a single fault
two or more single faults with a common cause can be considered as a single fault
multiple faults with different causes but occurring simultaneously is considered improbable and does not need to be considered

Examples

A voltage regulator fails in a system power supply so that the 24 Vdc output rises to an unregulated 36 Vdc (the internal power supply bus voltage), and after some time has passed, two sensors fail, then all three failures can be grouped and considered as a single fault.

If a lightning strike occurs on the power line and the resulting surge voltage on the 400 V mains causes an interposing contactor and the motor drive it controls to fail to danger, then these failures may be grouped and considered as one.

A pneumatic lubricator runs out of lubricant and is not refilled, depriving downstream pneumatic components of lubrication. The spool on the system dump valve sticks open because it is not cycled often enough. Neither of these failures has the same cause, so there is no need to consider them as occurring simultaneously because the probability of both happening concurrently is extremely small. One caution: These two faults MAY have a common cause – poor maintenance. Even if this is true and you decide to consider them to be two faults with a common cause, they could then be grouped as a single fault.

Fault Exclusion

Once you have your well-considered fault lists together, the next question is “Can any of the listed faults be excluded?” This is a tricky question! There are a few points to consider:

Does the system architecture allow for fault exclusion?
Is the fault technically improbable, even if it is possible?
Does experience show that the fault is unlikely to occur?*
Are there technical requirements related to the application and the hazard that might support fault exclusion?

* BE CAREFUL with this one!

Whenever faults are excluded, a detailed justification for the exclusion needs to be included in the system design documentation. Simply deciding that the fault can be excluded is NOT ENOUGH! Consider the risk a person will be exposed to in the event the fault occurs. If the severity is very high, i.e., severe permanent injury or death, you may not want to exclude the fault even if you think you could. Careful consideration of the resulting injury scenario is needed.

Basing a fault exclusion on personal experience is seldom considered adequate, which is why I added the asterisk (*) above. Look for good statistical data to support any decision to use a fault exclusion.

There is much more information available in IEC 61508 – 2 on the subject of fault exclusion, and there is good information in some of the books mentioned below [0.2], [0.3], and [0.4]. If you know of additional resources you would like to share, please post the information in the comments!

Definitions

3.1.3 fault: state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources; Note 1 to entry: A fault is often the result of a failure of the item itself, but may exist without prior failure.; Note 2 to entry: In this part of ISO 13849, “fault” means random fault. [SOURCE: IEC 60050?191:1990, 05 – 01.]

Book List

Here are some books that I think you may find helpful on this journey:

[0] B. Main, Risk Assessment: Basics and Benchmarks, 1^st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1] D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2] Electromagnetic Compatibility for Functional Safety, 1^st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3] Overview of techniques and measures related to EMC for Functional Safety, 1^st ed. Stevenage, UK: Overview of techniques and measures related to EMC for Functional Safety, 2013.

References

Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3^rd Edition. ISO Standard 13849 – 1. 2015.

[2] Safety of machinery – Safety-related parts of control systems – Part 2: Validation. 2^nd Edition. ISO Standard 13849 – 2. 2012.

[3] Safety of machinery – General principles for design – Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4] Safeguarding of Machinery. 2^nd Edition. CSA Standard Z432. 2004.

[5] Risk Assessment and Risk Reduction- A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6] Safety of machinery – Emergency stop function – Principles for design. ISO Standard 13850. 2015.

[7] Functional safety of electrical/electronic/programmable electronic safety-related systems. 7 parts. IEC Standard 61508. Edition 2. 2010.

[9] Guidance on the application of ISO 13849 – 1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report TR 62061 – 1. 2010.

[10] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[11] Guidance on the application of ISO 13849 – 1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report 62061 – 1. 2010.

[13] Safety of machinery. Safety related parts of control systems. General principles for design. CEN Standard EN 954 – 1. 1996.

[15] Reliability Prediction of Electronic Equipment. Military Handbook MIL-HDBK-217F. 1991.

[17] “failure mode”, 192−03−17, International Electrotechnical Vocabulary. IEC International Electrotechnical Commission, Geneva, 2015.

[18] M. Gentile and A. E. Summers, “Common Cause Failure: How Do You Manage Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331 – 338, 2006.

[19] Out of Control — Why control systems go wrong and how to prevent failure, 2^nd ed. Richmond, Surrey, UK: HSE Health and Safety Executive, 2003.

[20] Safeguarding of Machinery. 3^rd Edition. CSA Standard Z432. 2016.

[21] O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Canada, 1990.

[22] “Field-programmable gate array”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Field-programmable_gate_array. [Accessed: 16-Jun-2017].

[23] Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA). 2^nd Ed. IEC Standard 60812. 2006.

[24] “Failure mode and effects analysis”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 16-Jun-2017].

Acknowledgements: As cited.

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/