Understanding Risk Assessment

When people discuss ‘Risk’ there are a lot of different assumptions made about what that means. For me, the study of risk and risk assessment techniques started in 1995. As a technologist and controls designer, I had to somehow wrap my head around the whole concept in ways I’d never considered. If you’re trying to figure out risk and risk assessment this is a good place to get started!

What is risk?

From a machinery perspective, ISO 12100:2010 defines risk as:

“combination of the probability of occurrence of harm and the severity of that harm”

Risk can have positive or negative outcomes, but when considering safety, we only consider negative risk, or events that result in negative health effects for the people exposed.

The risk relationship is illustrated in ISO 12100:2010 Figure 3:

[Figure: ISO 12100:2010 Figure 3]
Where

R = Risk

S = Severity of Harm

P = Probability of Occurrence of Harm

The Probability of Occurrence of Harm factor is often further broken down into three sub-factors:

  • Probability of Exposure to the hazard
  • Probability of Occurrence of the Hazardous Event
  • Probability of Limiting or Avoiding the Harm

How is risk measured?

In order to estimate risk a scoring tool is needed. There is no one ‘correct’ scoring tool, and there are flaws in most scales that can result in blind spots where risks may be over- or under-estimated.

At the simplest level are ‘screening’ tools. These tools use very simple scales like ‘High, Medium, Low’, or ‘A, B, C’. These tools are often used when doing a shop-floor inspection and are intended to provide a quick method of capturing observations and giving a gut-feel assessment of the risk involved. These tools should be used as a way to identify risks that need additional, detailed assessment. To get an idea of what a good screening tool can look like, have a look at the SOBANE Déparis system.

Every scoring tool requires a scale for each risk parameter included in the tool. For instance, consider the CSA tool described in CSA Z434:

[Figure: CSA Z434-03 Table 1]

As you can see, each parameter (Severity, Exposure and Avoidance) has a scale, with two possible selections for each parameter.

When considering selection of a scoring tool, it’s important to take some time to really examine the scales for each factor. The scale shown above has a glaring hole in one scale. See if you can spot it and I’ll tell you what I think a bit later in this post.

There are more than 350 different scales and methodologies available for assessing risk. You can find a good review of some of them in Bruce Main’s textbook “Risk Assessment: Basics and Benchmarks” available from DSE online.

A similar, although different, tool is found in Annex 1 of ISO 13849-1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the standard and is NOT mandatory. In fact, this tool was provided as an example of how a user could link the output of a risk assessment tool to the Performance Levels described in the normative text (the mandatory part) of the standard.

Consider creating your own scales. There is nothing wrong with determining what characteristics (parameters) you want to include in your risk assessment, and then assigning each parameter a numeric scale that you think is suitable; 1 – 10, 0 – 5, etc. Some scales may be inverted to others, for example: If the Severity scale runs from 0 – 10, the Avoidability scale might run from 10 – 0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, document the definitions as part of your assessment.

Who should conduct risk assessments?

In many organizations, I find that risk assessment has been delegated to one person. This is a major mistake for a number of reasons. Risk assessment is not a solo activity for a ‘guru’ in a lonely office somewhere!

Risk assessment is not a lot of fun to do, and since risk assessments can get to be quite involved, it represents a significant amount of work to put on one person. Also, leaving it to one person means that the assessment will necessarily be biased to what that person knows, and may miss significant hazards because the assessor doesn’t know enough about that hazard to spot it and assess it properly.

Risk assessment requires multiple viewpoints from participants with varied expertise. This includes users, designers, engineers, lawyers and those who may have specialized knowledge of a particular hazard, like a Laser Safety Officer or a Radiation Safety Officer. The varied expertise of the people involved will allow the committee to balance the opinion of each hazard, and develop a more reasoned assessment of the risk.

I recommend that risk assessment committees never be less than three members. Five is frequently a good number. Once you get beyond five, it becomes increasingly difficult to obtain consensus on each hazard. Also, consider the cost. As each committee member is added to the team, the cost of the assessment can escalate exponentially.

Training in risk assessment is crucial to success. Ensure that the individuals involved are trained, and that at least one has some previous experience in the practice so that they may guide the committee as needed.

When should a risk assessment be conducted?

[Figure: Risk Assessment in the Lifetime of a Product (flow chart)]

Risk assessment should begin at the beginning of a project, whether it’s the design of a product, the development of a process or service, or the design of a new building. Understanding risk is critical to the design process. Costs for changes made at the beginning of a project are minimal compared to those that will be incurred to correct problems that might have been foreseen at the start. Risk assessment should start at the concept stage and be included at each subsequent stage in the development process. The accompanying graphic illustrates this idea.

Essentially, risk assessment is never finished until the product, process or service ceases to exist.

What tools are available?

As mentioned earlier in this post, the book “Risk Assessment: Basics and Benchmarks” provides an overview of roughly 350 different scoring tools. You can search the Internet and turn up quite a few as well. The key thing with all of these systems is that you will need to develop any software-based tools yourself. Depending on your comfort with software, this might be a spreadsheet format, a word processing document, a database, or some other format that works for your application.

There are a number of risk assessment software tools available as well, including ISI’s CIRSMA™ and DSE’s DesignSafe. As with the scoring tools, you need to be careful when evaluating tools. Some have significant blind spots that may trip you up if you are not aware of their limitations.

Remember too that the output from the software can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assessment.

Where can you get training?

There are a few places to get training. Compliance InSight Consulting provides training to corporate clients and will be launching a series of web-based training services in 2011 that will allow individual learners to get training too.

The IEEE PSES operates a Risk Assessment Technical Committee that is open to the public as well. See the RATC web site.

The Answer to the Scale Question

The Exposure Scale in the CSA tool has a gap between E1 and E2. Looking at the definitions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Exposures that occur once per hour or less, but more than once per day, cannot be scored effectively using this scale.

Also, notice the Severity scale: S1 encompasses injuries requiring not more than basic first aid. One common question I get is “Does that include CPR*?”. This question comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the standard. The S2 factor extends from injuries requiring more than basic first aid, like a broken finger for instance, all the way to a fatality. Does it make sense to group this broad range of injuries together? This definition doesn’t quite match with the Province of Ontario’s definition of a Critical Injury found in Regulation 834 either.

All of this points to the need to carefully assess the scales that you choose before you start the process. Choosing the wrong tool can skew your results in ways that you may not be very happy about.

*Cardio-Pulmonary Resuscitation
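The advice above to define your own scales and document their definitions, together with the E1/E2 gap just described, both come down to the same engineering check: every band of a scale must be written down, and the bands must cover the whole range of what they measure. The following is an added example, not code from the original post or from CSA, showing a small scoring tool built that way with a coverage check that flags the gap. The numeric band boundaries (exposures per hour, with a shift treated as a day), the repaired E2 wording, and the combination formula R = S × (E + O + A) are assumptions chosen for illustration; the same check applies to any likelihood or impact scale, not only this one.

```python
"""Risk-scoring tool with explicitly documented parameter scales, plus a
check that the bands of a scale leave no gap.  Added example, not code
from the original post; band boundaries and the combination formula are
assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Band:
    """One selectable value on a parameter scale.

    lo/hi bound the measured quantity the band covers as a half-open
    interval [lo, hi); hi = inf means open-ended.  definition is the
    wording that goes into the assessment record."""
    name: str
    definition: str
    lo: float
    hi: float
    score: int


INF = float("inf")
PER_HOUR = 1.0        # exposure frequency is measured in exposures per hour
PER_DAY = 1.0 / 24    # "once per day" expressed in the same unit

# Exposure scale modelled on the gap the post describes in the CSA Z434 tool:
# E1 stops at "less than once per day", E2 starts at "more than once per hour".
# (Assumed: a shift is treated as a day for the boundary.)
EXPOSURE_AS_PUBLISHED = [
    Band("E1", "less than once per day or shift", 0.0, PER_DAY, 1),
    Band("E2", "more than once per hour", PER_HOUR, INF, 2),
]

# A repaired scale (assumed wording) in which E2 starts where E1 ends.
EXPOSURE_REPAIRED = [
    Band("E1", "less than once per day or shift", 0.0, PER_DAY, 1),
    Band("E2", "once per day or more often", PER_DAY, INF, 2),
]


def find_gaps(bands: List[Band]) -> List[Tuple[float, float]]:
    """Return every interval of the measured quantity that no band covers."""
    gaps: List[Tuple[float, float]] = []
    cursor = 0.0
    for band in sorted(bands, key=lambda b: b.lo):
        if band.lo > cursor:
            gaps.append((cursor, band.lo))
        cursor = max(cursor, band.hi)
    if cursor != INF:
        gaps.append((cursor, INF))   # scale ends before the quantity does
    return gaps


def select_band(bands: List[Band], value: float) -> Optional[Band]:
    """Pick the band covering a measured value; None means the scale cannot score it."""
    for band in bands:
        if band.lo <= value < band.hi:
            return band
    return None


def risk_score(severity: int, exposure: int, occurrence: int, avoidance: int) -> int:
    """Illustrative combination R = S x (E + O + A): severity multiplied by the
    sum of the three probability sub-factors.  Avoidance is scored inverted
    (higher = harder to avoid) so that every term raises the risk."""
    return severity * (exposure + occurrence + avoidance)


def document_scale(title: str, bands: List[Band]) -> List[str]:
    """Lines for the assessment record: the definition behind every score."""
    return [f"{title}: {b.name} = {b.score} ({b.definition})" for b in bands]


if __name__ == "__main__":
    once_every_two_hours = 0.5   # constructed example: exposures per hour
    print("gaps in published scale:", find_gaps(EXPOSURE_AS_PUBLISHED))
    print("published scale scores 0.5/h as:", select_band(EXPOSURE_AS_PUBLISHED, once_every_two_hours))
    print("repaired scale scores 0.5/h as:", select_band(EXPOSURE_REPAIRED, once_every_two_hours).name)
    print("\n".join(document_scale("Exposure", EXPOSURE_REPAIRED)))
    print("R for S2, E2, O2, A2 =", risk_score(2, 2, 2, 2))
```

Run `find_gaps` over every scale before the committee sits down: on the published exposure scale it reports the uncovered interval between once per day and once per hour, and `select_band` returns None for an exposure of once every two hours, which is exactly the case the post says cannot be scored. The `document_scale` output is what goes into the assessment record so that a score of “E2” can be traced back to its definition later.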

Missing MTTFd data

Dealing with the huge information void that exists while trying to complete reasonable control reliability assessments is a major challenge for every engineer or technologist tasked with this activity. Here are a few thoughts on what to do now, and where things may be going…

What the heck is MTTFd???

When you first start to work through ISO 13849-1, the first thing that will smack you in the head are all the new acronyms. The first one you’ll run into is ‘PL’, of course, since the entire purpose of the standard is to aid the designer in determining the reliability Performance Level of the control system. Shortly after that you’ll find yourself face to face with MTTFd.

MTTFd, or the Mean Time To Failure (dangerous), is the name given to the expected failure rate per year for a component used in a system that is being analyzed. This rate differs from the straight failure rate for the component because it’s limited to the failures that result in a dangerous failure mode, or that may lead to a hazard.

So how do you get this data?

Obtaining MTTFd data for a component should be easy for a designer. Component manufacturers who market components intended for safety applications should provide this data in the component specifications, but there are thousands, perhaps millions, of different components being marketed today for use in safety systems. Most of the major manufacturers are already providing this figure, or a figure that can be used to derive MTTFd, B10d, but for many components, this data is simply not available.

Here are some randomly chosen examples of manufacturers’ specification sheets that give this data:

Allen-Bradley Trojan™ T15 Interlock Switch

Pilz PNOZ X2 (pdf data sheet)

Preventa XPS MC Catalog Safety Controller (pdf 2015 Catalog)

B10d is the number of cycles until 10% of the components being tested fail in a dangerous way. Using failure rate data from the component’s data sheet, it is possible to estimate B10d from either B10 or T (the application-dependent lifetime of the component). Check out Annex C of the standard if you want to see how this can be done.

But what do you do if the manufacturer of your favourite contactor doesn’t provide ANY failure data? Some major manufacturers still don’t provide any failure rate data at all; some provide expected lifetimes under specific operating conditions. Some provide only EN 954-1:95 data. In the last case, I think this is one of the reasons for the EC Machinery Working Group’s decision late last year to extend the transition period to ISO 13849-1:07. Need to know more about that decision?

Now what?

Unless you work for a large organization, instituting a life testing program is not likely to be an option, since you either need a protracted period of time with a few components in test, or thousands of samples for a short time.

The standard provides the option to use 10 years as a default where no other data is available. 10 years sounds like a long time at first blush, particularly if the planned lifetime of the system involved is 20 years. Typical MTTFd values for high-reliability components are in the hundreds of years, so by comparison, 10 years is almost nothing. Tables are also provided for some kinds of components, but the tables are necessarily limited in size, so not every component will be listed.

Your only option is to use the data in the standard, or pick up some of the other publications that include component failure data, like MIL-HDBK-217F, IEC/TR 62380 (based on UTE 80810 & RDF 2000), NPRD 95 or IEC 61709 (based on Siemens SN 29500 documents). Some of these documents may be difficult or impossible to obtain.

The result of this lack of objective data from the component manufacturers is:

  • Conservative results based on the minimum default MTTFd;
  • Potential over-design of safety related controls;
  • Increased manufacturing costs for machine builders.

The reasons for this situation vary by manufacturer, but ultimately it comes down to the cost of life testing components multiplied by the number of components built by each manufacturer. Typical life tests require load simulators and switching for thousands of components, as well as data logging to trap failures and record relevant data. In the case of fluid power components (pneumatics and hydraulics), this becomes increasingly complex. For many component manufacturers, the cost of the life testing is prohibitive, even though this data is badly needed by their users.

Will we see an improvement in the future? The largest controls component manufacturers are very likely to provide this data as they have it available, meaning as they complete testing. New designs are much more likely to come with this data initially, while it may be a long time before some of the old standard components get time in the life test cell. Until then, lots of components will be assigned ‘10 years’.
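To make the B10d route and the 10-year fallback concrete, here is an added example (not code from the post, the standard or any manufacturer) that computes a component's MTTFd the way ISO 13849-1 Annex C describes it: n_op = d_op × h_op × 3600 / t_cycle operations per year, then MTTFd = B10d / (0.1 × n_op) years, with B10d = 2 × B10 when only B10 is published (Annex C's assumption that half of all failures are dangerous). The 100-year per-channel cap is the one in the 2006 edition the post is discussing, and the contactor duty cycle and B10d figures are constructed for illustration.

```python
"""Estimating a component's MTTFd from B10d data, with the 10-year default
for components that ship with no failure data.  Added example, not code
from the original post or any manufacturer; the sample contactor figures
are constructed."""
from typing import Optional

SECONDS_PER_HOUR = 3600
DEFAULT_MTTFD_YEARS = 10.0   # default the standard allows when no data exists
MTTFD_CAP_YEARS = 100.0      # per-channel cap in ISO 13849-1:2006 (edition the post discusses)


def operations_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """n_op: mean operations per year from days/year, hours/day and cycle time in seconds."""
    if t_cycle_s <= 0:
        raise ValueError("cycle time must be positive")
    return d_op * h_op * SECONDS_PER_HOUR / t_cycle_s


def b10d_from_b10(b10: float, dangerous_fraction: float = 0.5) -> float:
    """Derive B10d when the data sheet gives only B10.  Annex C's default is
    that half of all failures are dangerous, which gives B10d = 2 x B10."""
    if not 0 < dangerous_fraction <= 1:
        raise ValueError("dangerous_fraction must be in (0, 1]")
    return b10 / dangerous_fraction


def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    """MTTFd in years; B10d is the cycle count at which 10 % have failed dangerously."""
    return b10d / (0.1 * n_op)


def mttfd_class(mttfd: float) -> str:
    """Bands ISO 13849-1 uses to rate a channel's MTTFd (low / medium / high)."""
    if mttfd < 3:
        return "not classified (< 3 years)"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def component_mttfd(b10d: Optional[float], b10: Optional[float],
                    d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Best available MTTFd for one component: B10d if given, else derived
    from B10, else the 10-year default.  The result is capped so that one
    very good part cannot mask a weak channel."""
    if b10d is None and b10 is not None:
        b10d = b10d_from_b10(b10)
    if b10d is None:
        return DEFAULT_MTTFD_YEARS          # no data: conservative default
    n_op = operations_per_year(d_op, h_op, t_cycle_s)
    return min(mttfd_from_b10d(b10d, n_op), MTTFD_CAP_YEARS)


if __name__ == "__main__":
    # Constructed duty: 220 days/year, 16 h/day, one cycle per minute.
    duty = dict(d_op=220, h_op=16, t_cycle_s=60)
    with_data = component_mttfd(b10d=1_300_000, b10=None, **duty)
    no_data = component_mttfd(b10d=None, b10=None, **duty)
    print(f"contactor with B10d: {with_data:.1f} years -> {mttfd_class(with_data)}")
    print(f"contactor without data: {no_data:.1f} years -> {mttfd_class(no_data)}")
```

Two things worth noticing when you run it. The same contactor with a 60-second cycle rates “high”, but at a 10-second cycle it drops to “medium”, so the duty you assume is as important as the data sheet figure; and the no-data component lands on exactly 10 years, the bottom of the “medium” band, which is why the post calls the default almost nothing compared with real high-reliability parts.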

A big thank you to Wouter Leusden for the idea for this post!

Have a thought to share on this topic? Correct an error in the article? Sound off? Leave a comment!

IEC/TR 62061-1 Reviewed

Why You Need to Spend More Cash on Yet Another Document

Standards organizations publish documents in a fairly continuous stream, so for those of us tasked with staying current with a large number of standards (say, more than 10), the publication of another new standard or Technical Report isn’t news – it’s business as usual. The question is always: Do we really need to add this to the library?

For those who are new to this business, having to pay for critical design information is a new experience. Finding out that it can cost hundreds, if not thousands, to build the library you need can be overwhelming.

This review aims to help you decide if you need IEC/TR 62061-1 in your library.

The Problem

As a machine builder or a manufacturer building a product designed to be integrated into machinery, how do you choose between ISO 13849-1 and IEC 62061?

IEC/TR 62061-1 attempts to provide guidance on how to make this choice.

History

When CENELEC published EN 954-1 in 1995, machine builders were introduced to a whole new world of control reliability requirements. Prior to its publication, most machines were built with very simple interlocks, and no specific standards for interlocking devices existed. In the years since then, the EN 954-1 Categories have become well known and are applied inside and outside the EU.

In the intervening years, IEC published IEC 61508. This seven-part standard introduced the idea of ‘Safety Integrity Levels’ or SILs. This standard is aimed at process control systems and could be used for complex machinery as well.

Why the Confusion?

In 2006, IEC published a machinery sector specific standard based on IEC 61508, called IEC 62061. This standard offered a simplified application of the IEC 61508 methodology intended for machine builders. The key problem with this standard is that it did not provide a means to deal with pneumatic or hydraulic control elements, which are covered by ISO 13849-1.

ISO adopted EN 954-1 and reissued it as ISO 13849-1 in 1999. This edition of the standard was virtually identical to the standard it replaced from a technical requirements perspective. EN 954-1/ISO 13849-1 did not provide any means to estimate the integrity of the safety related controls, but did define circuit architectures (Categories B, 1 – 4) and spoke to the selection of components, introducing the concepts of ‘well-tried safety principles’ and ‘well-tried components’. A second problem had long existed in addition to this – EN 954-2, Validation, was never published by CENELEC except as a committee draft, so a key element in the application of the standard had been missing for five years at the point where ISO 13849-1 Edition 1 was published.

The first cut at guiding users in choosing an appropriate standard came with the publication of IEC 62061 Edition 1. Published in 2005, Edition 1 included a table that attempted to provide users with some guidance on how to choose between ISO 13849-1 or IEC 62061.

…and then came 2007…

In 2007, ISO published the Second Edition of ISO 13849-1, and brought a whole new twist to the discussion by introducing ‘Performance Levels’ or PLs. PLs can be loosely equated to SILs, even though PLs are stated in failures per year and SILs in failures per hour. The same table included in IEC 62061 was included in this edition of ISO 13849-1.

Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision)
(from the Second Edition, 2007)

Columns: Technology implementing the safety related control function(s) | ISO 13849-1 (under revision) | IEC 62061

A  Non-electrical, e.g. hydraulics
   ISO 13849-1: X
   IEC 62061: Not covered

B  Electromechanical, e.g. relays, or non-complex electronics
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=e
   IEC 62061: All architectures and up to SIL 3

C  Complex electronics, e.g. programmable
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=d
   IEC 62061: All architectures and up to SIL 3

D  A combined with B
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=e
   IEC 62061: X, see Note 3

E  C combined with B
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=d
   IEC 62061: All architectures and up to SIL 3

F  C combined with A, or C combined with A and B
   ISO 13849-1: X, see Note 2
   IEC 62061: X, see Note 3

“X” indicates that this item is dealt with by the standard shown in the column heading.

NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1 (rev.) to give a simplified approach for quantification of performance level.

NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849-1 (rev.) up to PL=d or any architecture according to IEC 62061.

NOTE 3 For non-electrical technology use parts according to EN ISO 13849-1 (rev.) as subsystems.

So how is a machine builder to choose the ‘correct’ standard, if both standards are applicable and both are correct? Furthermore, how do you assess the reliability of the safety-related controls when integrating equipment from various suppliers, some of whom rate their equipment in PLs and some in SILs? Why are two standards addressing the same topic required? Will ISO 13849-1 and IEC 62061 ever be merged?

The Technical Report

In July this year the IEC published a Technical Report that discusses the selection and application of these two key control reliability standards for machine builders. This guide has long been needed, and precedes a face-to-face event planned by IEC to bring machine builders and standards writers together to discuss these same issues.

The guide, titled IEC/TR 62061-1 — Technical Report — Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery, provides direct guidance on how to select between these two standards.


Merger

In the introduction to the report the TC makes it clear that the standards will be merged, although they don’t provide any kind of a timeline for the merger. Quoting from the introduction:

It is intended that this Technical Report be incorporated into both IEC 62061 and ISO 13849-1 by means of corrigenda that reference the published version of this document. These corrigenda will also remove the information given in Table 1, Recommended application of IEC 62061 and ISO 13849-1, provided in the common introduction to both standards, which is now recognized as being out of date. Subsequently, it is intended to merge ISO 13849-1 and IEC 62061 by means of a JWG of ISO/TC 199 and IEC/TC 44.

I added the bold face to the paragraph above to highlight the key statement regarding the eventual merger of the two documents. If you’re not familiar with the standards acronyms, a ‘JWG’ is a Joint Working Group, and a TC is a Technical Committee. TCs are formed from volunteer experts from industry and academia supported by their organizations. So a JWG formed from two TCs just means that a joint committee has been formed to work out the details of the merger. Eventually.

The other key point in this paragraph relates to the replacement of Table 1. In the interim, IEC/TR 62061-1 will be incorporated into both standards, replacing Table 1.

Eventually the confusion will be cleared up because only one standard will exist in the machinery sector, but until then, machine builders will need to figure out which standard best fits their products.

Comparing PL’s and SIL’s

The Technical Report does a good job of discussing the differences between PL and SIL, including providing an explanation of how to convert one to the other, very useful if you are trying to integrate a SIL-rated device into a PL analysis or vice versa.

Selecting a Standard

Clause 2.5 gives some solid advice on selecting between the two standards based on the technologies employed in the design and your own comfort level in using the analytical techniques in the two standards.

Another key point is that EITHER standard can be used to analyze complex OR simple control systems. Some fans of IEC 62061 have been known to put ISO 13849-1 down as useful exclusively for simple hardwired control systems. Clause 3.3 makes it clear that this is not the case. Pick the one you like or know the best and go with that. As an additional thought, consider which standard your competitors are using, and also which your customers are using. For example, if your customers use ISO 13849-1 primarily, qualifying your product under IEC 62061 might seem like a good idea, but may drive your customers to a competitor who makes their life easier by using ISO 13849-1. If your competitors are using a different standard, try to understand the choice before climbing on the bandwagon. There may be a competitive advantage lurking in being different.

Risk Assessment

Clause 4 speaks directly to the indispensable need to conduct a methodical risk assessment, and to use that to guide the design of the controls.

In my practice, many clients decide that they would prefer to choose a control reliability level that they feel will be more than good enough for any of their designs, and then to ‘standardize’ on that design for all their products, thereby eliminating the need to thoughtfully decide on the appropriate design for the application. In other cases, end-users may choose to use a ‘standard’ design throughout their facility to assist maintenance personnel by limiting their need to become technically familiar with a variety of designs. This is done to speed troubleshooting and reduce downtime and spares stocks.

The problem with this approach can be that some managers believe this approach can eliminate the need to conduct risk assessments, seeing this as a fruitless, expensive and often futile exercise. This is emphatically NOT the case. Risk assessments address much more than the selection of control reliability requirements and need to be done to ensure that all hazards that cannot be eliminated or substituted are safeguarded. A missing or badly done risk assessment may invalidate your claim to a CE mark, or be the landmine that ends a liability case – with you on the losing end.

Safety Requirement Specification (SRS)

Each safety function needs to be defined in detail in a Safety Requirement Specification (SRS). A reliability assessment needs to be completed for each safety function defined in the SRS. This point is discussed in detail in IEC 62061, but is not dealt with in any detail in ISO 13849-1, so IEC/TR 62061-1 once again bridges the gap by providing an important detail that is missing in one of the two standards.

If you are unfamiliar with the concept of an SRS, each safety function needs to be described with a certain minimum amount of information, including:

  • The name of the safety function;
  • A description of the function;
  • The required level of performance based on the risk assessment and according to either ISO 13849-1 (PLr a to e) or the required safety integrity according to IEC 62061 (SIL 1 to 3).

Once the safety functions are defined and analyzed, each safety function must be implemented by a control circuit. The selected PL will drive the design to one or two of the defined ISO 13849-1 architectures, and then the component selections and other design details will drive the final failure rate and PL. Alternatively, the SRS will drive the selection of IEC 62061 architecture (1oo1, 1oo2, 2oo2, etc.) and the rest of the design details will lead to the final failure rate and SIL.

Table 1 in the Technical Report compares the levels.

Table 1 – Relationship between PLs and SILs based on the average probability of dangerous failure per hour

Performance Level (PL) | Average probability of a dangerous failure per hour (1/h) | Safety integrity level (SIL)
a | >= 10^-5 to < 10^-4 | No special safety requirements
b | >= 3 x 10^-6 to < 10^-5 | 1
c | >= 10^-6 to < 3 x 10^-6 | 1
d | >= 10^-7 to < 10^-6 | 2
e | >= 10^-8 to < 10^-7 | 3

This table combines ISO 13849-1:2007, Tables 3 & 4. No similar tables exist in IEC 62061:2005.

Combining Equipment with PLs and SILs

Section 7 of the report speaks to the challenge of integrating equipment with ratings in a mix of PLs and SILs. Until the standards merge and a single system for describing reliability categories is agreed on, this problem will be with us.

When designing systems using either system the designer has to determine the approximate rate of dangerous failures. In ISO 13849-1, MTTFd is the component failure rate parameter, while in IEC 62061, PFHd is the subsystem failure rate parameter. MTTFd does not consider diagnostics or architecture, only the component failure rate per year, while PFHd does include diagnostics and architecture, and it speaks to the system failure rate per hour. To compare these rates, ISO 13849-1 Annex K describes the relationship between MTTFd and PFHd for different architectures.

In the design process only one method can be used, so where equipment with different ratings must be combined the failure rates must be converted to either MTTFd or to PFHd, depending on the system being used to complete the analysis. Mixing requirements within the design of a subsystem is not permitted (see Clause 7.3.3).
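The SRS minimum content listed earlier, the PL/SIL table, and the mixed-rating problem in this section fit together into one verification step: for each safety function, check that its SRS entry is complete and that the PFHd actually achieved by the circuit meets the required level, whether that level was written as a PLr or as a SIL. The following is an added example, not code from the post or the Technical Report, that does this using the PFHd bands of Table 1 above to express an achieved PFHd as a PL and then as the equivalent SIL. The two SRS entries and the PFHd values are constructed, and the dictionary layout of an SRS entry is an assumption.

```python
"""Verifying each safety function of an SRS against its required level,
using the PFHd bands of the Technical Report's Table 1 to express an
achieved PFHd as a PL and as a SIL.  Added example, not code from the
original post or the Technical Report; SRS entries and PFHd values are
constructed, and the record layout is an assumption."""
from typing import Dict, List, Optional, Tuple

# (PL, PFHd lower bound inclusive, upper bound exclusive, equivalent SIL)
PL_BANDS: List[Tuple[str, float, float, Optional[int]]] = [
    ("a", 1e-5, 1e-4, None),   # "no special safety requirements" in SIL terms
    ("b", 3e-6, 1e-5, 1),
    ("c", 1e-6, 3e-6, 1),
    ("d", 1e-7, 1e-6, 2),
    ("e", 1e-8, 1e-7, 3),
]
PL_ORDER = ["a", "b", "c", "d", "e"]   # ascending reliability


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """PL for a PFHd value; None if outside the table (below 1e-8 or >= 1e-4)."""
    for pl, lo, hi, _ in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def sil_from_pl(pl: str) -> Optional[int]:
    """Equivalent SIL for a PL per Table 1; None for PL a."""
    for band_pl, _, _, sil in PL_BANDS:
        if band_pl == pl:
            return sil
    raise ValueError(f"unknown PL {pl!r}")


def validate_srs_entry(entry: Dict) -> List[str]:
    """Minimum content per the post: name, description, required level (PLr a-e or SIL 1-3)."""
    problems = []
    if not entry.get("name"):
        problems.append("missing name")
    if not entry.get("description"):
        problems.append("missing description")
    kind, level = entry.get("required", (None, None))
    if kind == "PLr" and level not in PL_ORDER:
        problems.append(f"invalid PLr {level!r}")
    elif kind == "SIL" and level not in (1, 2, 3):
        problems.append(f"invalid SIL {level!r}")
    elif kind not in ("PLr", "SIL"):
        problems.append("required level must be PLr or SIL")
    return problems


def verify_safety_function(entry: Dict, achieved_pfhd: float) -> Tuple[bool, str]:
    """Does the achieved PFHd meet the SRS requirement, whichever standard it is stated in?"""
    achieved_pl = pl_from_pfhd(achieved_pfhd)
    if achieved_pl is None:
        return False, f"PFHd {achieved_pfhd:g} is outside the PL table; review manually"
    kind, level = entry["required"]
    if kind == "PLr":
        ok = PL_ORDER.index(achieved_pl) >= PL_ORDER.index(level)
        return ok, f"achieved PL {achieved_pl} vs required PL {level}"
    achieved_sil = sil_from_pl(achieved_pl)
    ok = achieved_sil is not None and achieved_sil >= level
    return ok, f"achieved PL {achieved_pl} (SIL {achieved_sil}) vs required SIL {level}"


# Constructed SRS: one function stated in PLr, one in SIL, as happens when
# suppliers rate their equipment under different standards.
SRS = [
    {"name": "SF1 guard interlock stop",
     "description": "Opening the guard stops hazardous motion",
     "required": ("PLr", "d")},
    {"name": "SF2 emergency stop",
     "description": "E-stop removes power from all drives",
     "required": ("SIL", 2)},
]

if __name__ == "__main__":
    for entry, pfhd in zip(SRS, [2.5e-7, 5e-6]):   # constructed achieved PFHd values
        print(entry["name"], validate_srs_entry(entry) or "entry complete",
              verify_safety_function(entry, pfhd))
```

The second constructed function fails on purpose: an achieved PFHd of 5 × 10^-6 is PL b, which Table 1 equates to SIL 1, short of the SIL 2 the SRS demands. Note that the conversion runs from the achieved PFHd, the common quantity in the table, not from one label to the other, which is the point the section makes about converting rates before combining equipment; a PFHd below 10^-8 falls outside the table and is deliberately reported for manual review rather than silently rounded to PL e.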

Fault Exclusions

Fault exclusions are permitted under both standards with some limitations: up to IEC 62061 SIL 2. No fault exclusions are permitted in SIL 3. Properly justified fault exclusions can be used up to PLe. “Properly justified” fault exclusions are those that can be shown to be valid through the lifetime of the SRP/CS.

In general, fault exclusions for mechanical failures of electromechanical devices such as interlock devices or emergency stop devices are not permitted, with a few exceptions given in ISO 13849-2 (see Clauses 7.2.2.4 and 7.2.2.5).

This approach is consistent with the current approach taken in Canada, as described in CSA Z432 & Z434. Fault exclusions are generally not permitted under ANSI standards.

Worked Examples

Section 8 of the Technical Report gives a couple of worked examples, one done under ISO 13849-1, and one under IEC 62061. For someone looking for a good example of what a properly completed analysis should look like, this section is the gold at the end of the rainbow. Section 8.2 provides a good, clear example of the application of the standards along with a nice, simple example of what a safety requirement specification might look like.

Understanding the Differences

One area where proponents of the two standards often disagree is on the ‘accuracy’ of the analytical procedures given in the two standards. The Technical Report provides a detailed explanation of why the two techniques provide slightly different results and provides the rationale explaining why this variation should be considered acceptable.

To Buy or Not to Buy…

At the end of the day, the question that needs to be answered is whether to buy this document or not. If you use either of these standards, I strongly recommend that you spend the money to get this Technical Report, if for nothing more than the worked examples. Until the two standards are merged, and that could be a few years, you will need to be able to effectively apply these approaches to PL and SIL rated equipment. This Technical Report will be an invaluable aid.

It also provides some guidance on the direction that the new merged standard will take. Some old arguments can be settled, or at least re-directed, by this document.

Finally, since the TR is to be incorporated in both standards and contains material replacing that in the current editions of the standards, you must buy a copy to remain current.

For all of these reasons, I would spend the money to acquire this document, read and apply it.


If you’ve bought the report and would like to add your thoughts, please add a comment below. Got questions? Contact me!