Safety: Functional safety adds confidence, flexibility, and reliability

Recent wave of revisions enhances machine safety design thinking.

By Control Engineering Staff September 25, 2008

Change is constant. That’s especially true when you’re talking about machinery safety standards. Though safety standards have continued to change throughout manufacturing history, the most recent wave of revisions will enhance our way of thinking when it comes to machine safety designs.
Historically, standards mostly have been prescriptive in nature and have provided guidance on the structure of control systems to ensure that safety requirements are met. By using the principles of redundancy, diversity and diagnostics, levels of safety system “structures” were created to help ensure that the safety function would be performed. But a very important element was missing.
All safety systems are designed with the basic premise that any system has a possibility of failure. Some of those failures may be safe, but some could lead to danger. If you asked machine operators whether they would be more comfortable with a Category 2 (a single channel) safety system or a Category 4 (redundant) safety system, they would most likely answer Category 4. But if you asked again whether an operator would be more comfortable with a Category 2 system that is likely to fail to danger in 30 years or a Category 4 system that has a mean time to dangerous failure of one year, you might get a different answer. The missing element is time. Essentially, the time element adds a confidence factor that the safety system is going to perform properly today and tomorrow. In other words, we have more information, and therefore more confidence, about the reliability of the safety function.
Applying time to standards
Functional safety builds on the existing safety structure approach by adding a time element. This element is known as the “Probability of Dangerous Failure,” and its inverse, the “Mean Time to Dangerous Failure.” This time element causes more upfront pain for safety component suppliers, but should result in less pain for machine operators and — surprisingly — safety system designers.
Two important standards, ISO13849-1:2006 and IEC 62061:2005, apply the time element to safety systems for the machinery sector. ISO13849-1:2006 builds on the categories of safety structure, whereas IEC 62061 builds on the foundation of the categories, which it calls “hardware fault tolerance.” A third element, not new at all, is added to the picture to give the safety system designer more flexibility (and less pain) to achieve the safety requirements. This third element is diagnostics. Putting these three elements together yields a time-sensitive level of integrity in a safety system. IEC 62061 uses the term “safety integrity level” (SIL). Only three SILs apply to machine systems: SIL1, SIL2 and SIL3. ISO13849-1:2006 uses the term “performance level” (PL), and these are lettered PLa through PLe.
Standards overview summary
IEC 61508 is the IEC standard covering functional safety of electrical/electronic/programmable electronic safety-related systems. The main objective of IEC 61508 is to use safety instrumented systems to reduce risk to a tolerable level by following the overall, hardware and software safety life cycle procedures and by maintaining the associated documentation. Issued in 1998 and updated in 2000, it has since come to be used mainly by safety equipment suppliers to show their equipment is suitable for use in SIL-rated systems.
IEC/EN 62061:2005 is the IEC standard covering the functional safety requirements for electrical/electronic/programmable electronic safety-related systems for the machinery sector of the marketplace. Machine suppliers or safety system integrators should either use this standard or ISO13849-1:2006.
ISO EN13849-1:2006 is the ISO standard covering the functional safety requirements for electrical, pneumatic, hydraulic and mechanical safety systems. Machine suppliers or safety system integrators should either use this standard or IEC62061:2005.

Safe Failure Fraction per IEC62061

The risk assessment determines that a SIL2 rating is needed. The table gives three options for achieving SIL2. The trade-off is hardware fault tolerance with diagnostics. With zero fault tolerance, 90-99% of the failures that occur must be safe failures. If a single channel system with appropriate diagnostic is too difficult or expensive to achieve, then a single fault tolerant structure with less diagnostics can be tried. The third alternative is a two-fault tolerant system with little or no diagnostics (less than 60% safe failures).

ISO13849-1 provides multiple ways to reach a given safety category. Source: Rockwell Automation

For example, let’s assume the risk assessment determines that a PLd is required. ISO13849-1 provides four alternatives. A Category 2 (zero fault tolerant) structure with a very high mean time to dangerous failure and low diagnostic coverage may be the least expensive solution. At the other end of the spectrum, a Category 3 (single fault tolerant) system with medium diagnostics may turn out to be the ideal solution. This is what designers need: flexibility to achieve their safety requirements.
Minimizing potential for systematic faults
Functional safety does not stop at random hardware failures. Additional elements must also be taken into consideration, such as common cause failure. This particular element has been discussed in standards going back to at least the 1980s. Functional safety takes the discussion to the next level. Functional safety applies a scoring system that attempts to influence the safety system design to minimize the potential for systematic faults. Certain points are awarded for steps like segregating signal paths, design expertise, environmental compatibility, training, and competence. Adequate protection against systematic failures is considered accomplished when a specific number of points is achieved. The concepts are the same, but the scoring values differ between IEC 62061 and ISO13849-1:2006.
Safety component suppliers, on the other hand, share more of the burden of functional safety. Each component in the safety system must have an assigned probability of dangerous failure or mean time to dangerous failure. Currently, this type of information is often unavailable. In fact, many product design standards are being modified to define the criteria for dangerous failure, testing requirements, and statistical tools used to determine the time to dangerous failure. Once this is accomplished, many months of testing are required to confirm the achieved level.
For example, take an electromechanical component whose expected time to dangerous failure is 2 million operations. This is called the B10d value — the number of cycles at which 10% of the sample has failed to danger. If the test cycle is 2 seconds ON and 2 seconds OFF, it will take at least 92 days to complete. Other statistical methods also are allowed to be employed. Many component suppliers test their products but end the testing when a sufficient number of successful cycles has been achieved (and not necessarily to failure). With this value and the assumption that half the failures will be to danger, the B10d value can be estimated. As a fallback position, ISO13849-2 (notice the dash two) has default values that can be used if no other values are available. The safety system designer does not get off that easily. The designer must gather the functional safety data from the component suppliers, put it together to make a system and work out either the SIL or PL for the system. Although this is not a daunting task, computerized tools will soon be available to simplify this step.
The machine safety world continues to change. The change will provide safer machine control systems and more flexibility to achieve the safer designs. This change will take some time to become widely implemented, but, as they say, “The train has left the station.” The change has started. Safety component suppliers are definitely busy. Machine suppliers must now become aware of functional safety and how to take advantage of its benefits.
—Steve Dukich, senior application engineer, and Derek Jones, manager safety business development, Rockwell Automation

edited by C.G. Masi, senior editor
Control Engineering Machine Control eNewsletter