Introduction to Functional Safety of Control Systems

Introduction

IMPORTANT: The standards and requirements considered in this section are relatively new. Work is still being conducted by the drafting groups on some aspects, especially with regard to clarification and combining some of these standards. Therefore it is possible that there will be some changes to some of the detail given in these pages. For the latest information please refer to the Rockwell Automation safety systems and components website at http://www.ab.com/safety and the Rockwell Automation Safety Solutions website at http://discover.rockwellautomation.com/EN_Safety_Solutions.aspx.

What is Functional Safety?

Functional safety is the part of the overall safety that depends on the correct functioning of the process or equipment in response to its inputs. IEC TR 61508-0 provides the following example to help clarify the meaning of functional safety. “For example, an over-temperature protection device, using a thermal sensor in the windings of an electric motor to de-energize the motor before they can overheat, is an instance of functional safety. But providing specialized insulation to withstand high temperatures is not an instance of functional safety (although it is still an instance of safety and could protect against exactly the same hazard).” As another example, compare hard guarding to an interlocked guard. The hard guarding is not considered “functional safety” although it may protect against access to the same hazard as an interlocked door. The interlocked door is an instance of functional safety. When the guard is opened, the interlock serves as an “input” to a system that achieves a safe state. Similarly, personal protective equipment (PPE) is used as a protective measure to help increase safety of personnel. PPE is not considered functional safety.

Functional safety was a term introduced in IEC 61508:1998. Since then, the term has sometimes been associated with only programmable safety systems. This is a misconception. Functional safety covers a broad range of devices that are used to create safety systems. Devices like interlocks, light curtains, safety relays, safety PLCs, safety contactors, and safety drives are interconnected to form a safety system, which performs a specific safety-related function. This is functional safety. Therefore the functional safety of an electrical control system is highly relevant to the control of hazards arising from moving parts of machinery.

Two types of requirements are necessary to achieve functional safety:

1. Safety function requirements (what the safety function does).
2. Safety integrity requirements (the likelihood that the safety function is performed satisfactorily, expressed as a safety integrity or performance level).

Risk assessment plays a key role in developing the functional safety requirements. Task and hazard analysis leads to the function requirements for safety (i.e. the safety function). The risk quantification yields the safety integrity requirements (i.e. the safety integrity or performance level).

Four of the most significant control system functional safety standards for machinery are:

1. IEC/EN 61508 “Functional safety of electrical, electronic and programmable electronic control systems”
This standard contains the requirements and provisions that are applicable to the design of complex electronic and programmable systems and subsystems. The standard is generic so it can be applicable to all industrial sectors.
2. IEC/EN 62061 "Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems"
This standard is the machinery specific implementation of IEC/EN 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices. It requires that complex or programmable subsystems should satisfy IEC/EN 61508.
3. EN ISO 13849-1 "Safety of machinery — Safety-related parts of control systems"
This standard is intended to provide a direct transition path from the categories of the previous EN 954-1.
4. IEC 61511 "Functional safety — Safety instrumented systems for the process industry sector"
This standard is the process sector specific implementation of IEC/EN 61508.

The functional safety standards represent a significant step beyond the familiar existing requirements such as Control Reliable and the Categories system of the previous ISO 13849-1:1999 (EN 954-1:1996).

Note: Shortly before the publication of this text, CEN (European Committee for Standardization) announced that the final date for presumption of conformity of EN 954-1 will be extended to the end of 2011 to facilitate the transition to the later standards. This replaces the original date of December 29, 2009.

For the latest information on the use and status of EN 954-1 visit: http://discover.rockwellautomation.com/EN_Safety_Solutions.aspx. In the meantime, it is advised that the extension of the transition period is used to move over to the use of the later standards (EN ISO 13849-1 or IEC/EN 62061) in a timely manner.

Categories will not disappear completely; they are also used in the current EN ISO 13849-1, which adopts the functional safety concept and introduces new terminology and requirements. It has significant additions and differences compared with the old EN 954-1 (ISO 13849-1:1999). In this section we refer to the current version as EN ISO 13849-1 (EN ISO 13849-1:2008 has the same text as ISO 13849-1:2006).


IEC/EN 62061 and EN ISO 13849-1:2008

IEC/EN 62061 and EN ISO 13849-1 both cover safety-related electrical control systems. It is intended that they will eventually be combined into one standard with common terminology. Both standards produce the same results but use different methods. They are intended to provide users with an option to choose the one most suitable for their situation. A user can choose to use either standard and they are both harmonized under the European Machinery Directive.

The outputs of both standards are comparable levels of safety performance or integrity. The methodologies of each standard have differences that are appropriate for their intended users.

The methodology in IEC/EN 62061 is intended to allow for complex safety functionality which may be implemented by previously unconventional system architectures. The methodology of EN ISO 13849-1 is intended to provide a more direct and less complicated route for more conventional safety functionality implemented by conventional system architectures.

An important distinction between these two standards is the applicability to various technologies. IEC/EN 62061 is limited to electrical systems. EN ISO 13849-1 can be applied to pneumatic, hydraulic, mechanical as well as electrical systems.


Figure 118: System Design Flow Diagram (Fig 8.1 System Design Flow Chart)

Figure 118 provides a simplified flow chart to help the safety system designer determine which of these two standards to use.

Joint Technical Report on IEC/EN 62061 and EN ISO 13849-1

A joint report has been prepared within IEC and ISO to help users of both standards.

It explains the relationship between the two standards and how the equivalence can be drawn between PL (Performance Level) of EN ISO 13849-1 and SIL (Safety Integrity Level) of IEC/EN 62061, both at system and subsystem level.

In order to show that both standards give equivalent results the report shows an example safety system calculated according to the methodologies of both standards.

The report also clarifies a number of issues that have been subject to different interpretations. Perhaps one of the most significant issues is the aspect of fault exclusion.

In general, where PLe is required for a safety function to be implemented by a safety-related control system, it is not normal to rely upon fault exclusions alone to achieve this level of performance. This is dependent upon the technology used and the intended operating environment. Therefore it is essential that the designer takes additional care in the use of fault exclusions as the PL requirement increases.

In general the use of fault exclusions is not applicable to the mechanical aspects of electromechanical position switches and manually operated switches (e.g. an emergency stop device) in order to achieve PLe in the design of a safety-related control system. Those fault exclusions that can be applied to specific mechanical fault conditions (e.g. wear/corrosion, fracture) are described in Table A.4 of ISO 13849-2.

For example, a door interlocking system that has to achieve PLe will need to incorporate a minimum fault tolerance of 1 (e.g. two conventional mechanical position switches) in order to achieve this level of performance, since it is not normally justifiable to exclude faults such as broken switch actuators. However, it may be acceptable to exclude faults such as a short circuit of wiring within a control panel designed in accordance with the relevant standards.


SIL and IEC/EN 62061

IEC/EN 62061 describes both the amount of risk to be reduced and the ability of a control system to reduce that risk in terms of SIL (Safety Integrity Level). There are three SILs used in the machinery sector: SIL 1 is the lowest and SIL 3 is the highest.

Because the term SIL is applied in the same manner in other industrial sectors such as petro-chemicals, power generation and railways, IEC/EN 62061 is very useful when machinery is used within those sectors.

Risks of greater magnitude can occur in other sectors such as the process industry and for that reason IEC 61508 and the process sector specific standard IEC 61511 include SIL 4.

A SIL applies to a safety function. The subsystems that make up the system that implements the safety function must have an appropriate SIL capability. This is sometimes referred to as the SIL Claim Limit (SIL CL).

A full and detailed study of IEC/EN 62061 is required before it can be correctly applied. Some of the most commonly applicable requirements of the standard are summarized later in this text.
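The SIL claim-limit idea above, as an added example that is not from this page or from Rockwell Automation: the safety function's claimable SIL is bounded both by the summed subsystem PFHD and by the lowest subsystem SIL CL, following the IEC/EN 62061 approach that this text only summarizes. The PFHD bands per SIL are those of Table 8 below; the subsystem names and figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SIL bands for the machinery sector as (lower bound inclusive, upper bound
# exclusive) in dangerous failures per hour; these are the PFHD ranges that
# Table 8 on this page assigns to SIL 1, 2 and 3.
SIL_BANDS = {
    3: (1e-8, 1e-7),
    2: (1e-7, 1e-6),
    1: (1e-6, 1e-5),
}

@dataclass(frozen=True)
class Subsystem:
    name: str
    pfhd: float   # probability of dangerous failure per hour
    sil_cl: int   # SIL claim limit (SIL CL) stated for the subsystem, 1..3

def sil_from_pfhd(pfhd: float) -> Optional[int]:
    """Return the SIL whose PFHD band contains `pfhd`, or None if outside 1..3."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfhd < high:
            return sil
    return None

def achievable_sil(subsystems: List[Subsystem]) -> Tuple[float, Optional[int], int, Optional[int]]:
    """Return (total PFHD, SIL supported by PFHD, lowest SIL CL, claimable SIL)."""
    if not subsystems:
        raise ValueError("a safety function needs at least one subsystem")
    total = sum(s.pfhd for s in subsystems)          # subsystems in series
    sil_pfhd = sil_from_pfhd(total)
    lowest_cl = min(s.sil_cl for s in subsystems)
    # The function can claim neither more than its PFHD supports nor more
    # than the weakest subsystem's claim limit allows.
    claim = None if sil_pfhd is None else min(sil_pfhd, lowest_cl)
    return total, sil_pfhd, lowest_cl, claim

if __name__ == "__main__":
    # Constructed figures: the summed PFHD would fit SIL 3, but the contactor
    # subsystem only carries SIL CL 2, so the safety function can claim SIL 2.
    chain = [
        Subsystem("two interlock position switches", 2.0e-8, 3),
        Subsystem("safety relay", 1.5e-8, 3),
        Subsystem("pair of contactors", 3.0e-8, 2),
    ]
    total, by_pfhd, lowest_cl, claim = achievable_sil(chain)
    print(f"PFHD total {total:.2e}/h -> SIL {by_pfhd} by PFHD; "
          f"lowest SIL CL {lowest_cl}; claimable SIL {claim}")
```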


PL and EN ISO 13849-1

EN ISO 13849-1 does not use the term SIL; instead it uses the term PL (Performance Level). In many respects PL can be related to SIL. There are five performance levels: PLa is the lowest and PLe is the highest.

Comparison of PL and SIL

Table 8 shows the relationship (in terms of probability of dangerous failure) between PL and SIL when applied to typical circuit structures.

PL (Performance Level) | PFHD (Probability of Dangerous Failure per Hour) | SIL
a | ≥ 10^-5 to < 10^-4 | None
b | ≥ 3 x 10^-6 to < 10^-5 | 1
c | ≥ 10^-6 to < 3 x 10^-6 | 1
d | ≥ 10^-7 to < 10^-6 | 2
e | ≥ 10^-8 to < 10^-7 | 3

Table 8: Approximate correspondence between PL and SIL

IMPORTANT: Table 8 is for general guidance and must NOT be used for conversion purposes. The full requirements of the standards must be taken into account.