Safety: Functional safety adds confidence, flexibility, and reliability

Recent wave of revisions enhance machine safety design thinking.


Change is constant. That’s especially true when you’re talking about machinery safety standards. Though safety standards have continued to change throughout manufacturing history, the most recent wave of revisions will enhance our way of thinking when it comes to machine safety designs.
Historically, standards mostly have been prescriptive in nature and have provided guidance on the structure of control systems to ensure that safety requirements are met. By using the principles of redundancy, diversity and diagnostics, levels of safety system “structures” were created to help ensure that the safety function would be performed. But a very important element was missing.
All safety systems are designed with the basic premise that any system has a possibility of failure. Some of those failures may be safe, but some could lead to danger. If you asked machine operators whether they would be more comfortable with a Category 2 (a single channel) safety system or a Category 4 (redundant) safety system, they would most likely answer Category 4. But if you asked again, whether an operator would be more comfortable with a Category 2 system that is likely to fail to danger in 30 years or a Category 4 system that has a mean time to dangerous failure of one year, you might get a different answer. The missing element is time. Essentially, the time element adds a confidence factor that the safety system is going to perform properly today and tomorrow. In other words, we have more information, and therefore more confidence, about the reliability of the safety function.
Applying time to standards
Functional safety builds on the existing safety structure approach by adding a time element. This element is known as the “Probability of Dangerous Failure,” and its inverse, the “Mean Time to Dangerous Failure.” This time element causes more upfront pain for safety component suppliers, but should result in less pain for machine operators and — surprisingly — safety system designers.
Two important standards,: ISO13849-1:2006 and IEC 62061:2005, apply the time element to safety systems for the machinery sector. ISO3849-1:2006 builds on the categories of safety structure, where as IEC 62061 builds on the foundation of the categories. This is called “Hardware Fault Tolerance.” A third element, not new at all, is added to the picture to give the safety system designer more flexibility (and less pain) to achieve the safety requirements. This third element is diagnostics. Putting these three elements together yields a time-sensitive level of integrity in a safety system. IEC 62061 uses the term “safety integrity level” (SIL). Only three SILs apply to machine systems: SIL1, SIL2 and SIL3. ISO13849-1:2006 uses the term “performance level” (PL), and these use the alphabet, PLa through Ple.
Standards overview summary
IEC 61508 is the IEC standard covering functional safety of electrical/electronic/programmable electronic safety-related systems. The main objective of IEC 61508 is to use safety instrumented systems to reduce risk to a tolerable level by following the overall, hardware and software safety life cycle procedures and by maintaining the associated documentation. Issued in 1998 and updated in 2000, it has since come to be used mainly by safety equipment suppliers to show their equipment is suitable for use in SIL-rated systems.
IEC/EN 62061:2005 is the IEC standard covering the functional safety requirements for electrical/electronic/programmable electronic safety-related systems for the machinery sector of the marketplace. Machine suppliers or safety system integrators should either use this standard or ISO13849-1:2006.
ISO EN13849-1:2006 is the ISO standard covering the functional safety requirements for electrical, pneumatic, hydraulic and mechanical safety systems. Machine suppliers or safety system integrators should either use this standard or IEC62061:2005.

Safe Failure Fraction per IEC62061

The risk assessment determines that a SIL2 rating is needed. The table gives three options for achieving SIL2. The trade-off is hardware fault tolerance with diagnostics. With zero fault tolerance, 90-99% of the failures that occur must be safe failures. If a single channel system with appropriate diagnostic is too difficult or expensive to achieve, then a single fault tolerant structure with less diagnostics can be tried. The third alternative is a two-fault tolerant system with little or no diagnostics (less than 60% safe failures).

ISO13849-1 provides multiple ways to reach a given safety category. Source: Rockwell Automation

For example, let’s assume the risk assessment determines that a PLd is required. ISO13849-1 provides four alternatives. A Category 2 (zero fault tolerant) structure with a very high mean time to dangerous failure and low diagnostic coverage may be the least expensive solution. At the other end of the spectrum, a Category 3 (single fault tolerant) system with medium diagnostics may turn out to be the ideal solution. This is what designers need: flexibility to achieve their safety requirements.
Minimizing potential for systematic faults
Functional safety does not stop at random hardware failures. Additional elements must also be taken into consideration, such as common cause failure. This particular element has been discussed in standards going back to at least the 1980s. Functional safety takes the discussion to the next level. Functional safety applies a scoring system that attempts to influence the safety system design to minimize the potential for systematic faults. Certain points are awarded for steps like segregating signal paths, design expertise, environmental compatibility, training, and competence. Adequate protection against systematic failures is considered accomplished when a specific number of points are achieved. The concepts are the same but the scoring values differ between IEC 62016 and ISO13849-1:2006.
Safety component suppliers, on the other hand, share more of the burden of functional safety. Each component in the safety system must have an assigned probability of dangerous failure or mean time to dangerous failure. Currently, this type of information is often unavailable. In fact, many product design standards are being modified to define the criteria for dangerous failure, testing requirements, and statistical tools used to determine the time to dangerous failure. Once this is accomplished, many months of testing are required to confirm the achieved level.
For example, take an electromechanical component whose expected time to dangerous failure is 2 million operations. This is called the B10d value — the number of cycles where 10% of the sample fails to danger. If the test cycle is 2 seconds ON and 2 seconds OFF, it will take at least 92 days to complete. Other statistical methods also are allowed to be employed. Many component suppliers test their products but end the testing when a sufficient number of successful cycles has been achieved (and not necessarily to failure). With this value and the assumption that half the failures will be to danger, the B10d value can be estimated. As a fallback position, ISO13849-2 (notice the dash two), has default values that can be used if no other values are available. The safety system designer does not get off that easily. The designer must gather the functional safety data from the component suppliers, put it together to make a system and work out either the SIL or PL for the system. Although this is not a daunting task, computerized tools will soon be available to simplify this step.
The machine safety world continues to change. The change will provide safer machine control system and more flexibility to achieve the safer designs. This change will take some time to become widely implemented, but, as they say, “The train has left the station.” The change has started. Safety component suppliers are definitely busy. Machine suppliers must now become aware of functional safety and how to take advantage of its benefits.
—Steve Dukich, senior application engineer, and Derek Jones, manager safety business development, Rockwell Automation

edited by C.G. Masi , senior editor
Control Engineering Machine Control eNewsletter
Register here and scroll down to select your choice of eNewsletters free.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Choosing controllers: PLCs, PACs, IPCs, DCS? What's best for your application?; Wireless trends; Design, integration; Manufacturing Day; Product Exclusive
Variable speed drives: Smooth, efficient, electrically quite motion control; Process control upgrades; Mobile intelligence; Product finalists: Vote now; Product Exclusives
Machine design tips: Pneumatic or electric; Software upgrades; Ethernet advantages; Additive manufacturing; Engineering Leaders; Product exclusives: PLC, HMI, IO
This article collection contains the 5 most referenced articles on improving the use of PID.
Learn how Industry 4.0 adds supply chain efficiency, optimizes pricing, improves quality, and more.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security