Assess Risk

"Just tell me how I'm supposed to build the stuff to comply with current safety requirements and avoid injuries, fines, and litigation." That's what engineers want to know. Yet most recent safety regulations add flexibility, especially for discrete manufacturing applications, where applying the Safety Integrity Level (SIL) concept is relatively new.

By Mark T. Hoske, January 1, 2006
  • Safety integrity levels for discrete manufacturing

  • Assess, analyze, mitigate, repeat

  • Changes? Examine again

  • Safest way should be the most efficient


Most recent safety regulations add flexibility, especially for discrete manufacturing applications, where applying the Safety Integrity Level (SIL) concept is relatively new. (Prior Control Engineering articles have explained SIL use for process applications.) SIL uses statistics, specifically the probability that a safety instrumented system fails when the process demands its safety function, to represent the reliability of that system. As with safety Categories 0 through 4, the higher the SIL, the more reliable the controls must be.

Regulatory flexibility can liberate some engineers and confound others. Addressing risks should be part of any design process, continuing whenever people, processes, or machinery and manufacturing lines change. As regulations target performance, those designing, integrating, and applying systems get to match the design to the desired risk. While some application-specific regulations still apply, in other applications no one prescribes a specific design, which offers tremendous flexibility to optimize costs.

The advantage, and the challenge, is that you get to do the engineering.

Life-long learning

International Electrotechnical Commission standards related to risk assessment include IEC 61508 and, more recently, IEC 60204-1 and functional safety standard IEC 62061 (BS EN 62061:2005). After gaining some understanding of these standards—which can require frequent, some say life-long, learning—it’s time to apply them or to employ tools and experts within or outside your company to help. (See ‘Tools help apply SIL’ sidebar.)

To apply safety standards, experts recommend a cyclical review and analysis of the steps you’ve selected to take, as well as the application of risk reduction devices and training. (See ‘Risk assessment…’ graphic.)

Following are descriptions of the top-level risk assessment steps to use at any facility embarking on a risk reduction program.

Determine an acceptable level of risk by selecting a SIL- or category-level rating that the assessment should meet.

SIL ratings (1, 2, 3, and 4) express the probability of a dangerous failure over time and can be used to measure the range of risk reduction afforded by a piece of equipment. SIL selection determines how much risk reduction is needed. The risk reduction provided by a safety measure at each SIL is:

  • Level 1—between 10 and 100 times;

  • Level 2—between 100 and 1,000 times; and

  • Level 3—between 1,000 and 10,000 times.

SIL 3 is considered the highest risk reduction level achievable using one programmable electronic system. (See ‘Safety integrity levels…’ table and ‘SIL selection…’ graphic.) Risk reduction is the difference between current level of risk and the risk level sought.

SIL is a similar concept to safety category levels 0-4 (EN 954), which are perhaps more familiar to discrete manufacturers. However, for plants that blend process and discrete manufacturing, using a Process Hazard Analysis (incorporating SIL or categories) can be easier than applying SIL and categories separately. This type of analysis might be the preferred option for a beverage plant that also bottles and crates the product, or for a metal-drawing process that then stamps pieces.

Get started by choosing who will look for hazards. Cross-functional teams can offer perspectives beyond one person’s view. A control engineer, operator, maintenance technician, and custodian all may have insights into risks and risk avoidance in varied circumstances. (See ‘Areas of risk’ sidebar.)

Who, where, when…

Decide what areas will be assessed: a device, a machine design, a general area, or a full manufacturing line or system.

In general, a safety instrumented system is the system of sensors, logic solvers, and final control elements (actuators) designed so that when safe conditions are violated, the system allows safe operations/shutdown to mitigate further danger. Regulations allow integration of safety and controls, permitting one system, where separate safety mechanisms and controls previously were required.

Selected timing for when an assessment is performed for a process makes a difference in effort, time, and expense. The earlier it is done in the design process, the better. Making safety changes in design or simulation stages can be much less costly and more effective than after equipment is in place.

List the hazards, examining each situation from multiple perspectives and circumstances. Ensure clear delineations between commissioning, operations, and maintenance modes; look at each and the transitions between them. Ensure all designed and installed safety equipment becomes a documented part of training for anyone able to get near the area.

A robotic cell can be locked up tightly, but maintenance and setup may require close proximity of personnel with the robot to step through or teach a program.

A transfer line might be safe during normal operations, until materials back up in a precarious way or a violent jam occurs.

Team diversity also can improve the effort. Operators may be able to offer insight about potentially hazardous events that may be rare, seasonal, or only occurring with a particular setup or when a certain job is run (but still merit design changes). Maintenance personnel might point out potential failures (and solutions) if one piece of maintenance is missed.

Application matters

Applications make a difference. A design with redundant controllers can deliver far less-than-expected safety, for instance, if the power source has a single point of failure.

As a further example, using a Category 2-type light-curtain in an application calling for protection with a Category 4 light-curtain creates unnecessary risk.

And if something ‘requires’ an unofficial work-around, the design definitely needs to be revisited.

Analyze risks according to severity and probability. Evaluation and probabilistic analysis are based on failure rate and failure mode data. For any potential source of harm, figure out how bad the consequences are and how often they could occur, then combine the two.

Typically, a machine will have more than one means of protection for a given protective function, perhaps a primary perimeter guard plus an electronic guard such as a light curtain. How bad would it be if they failed, and how often could they fail?

A person walking, then falling onto most floors, for instance, would sustain little or no injury. It is very rare that simply falling from vertical to horizontal is life threatening, so the risk is low. If low risk is acceptable, no modification is required. In certain areas, however, a fall might cause great harm, so some changes may be required.

List safety functions and assign a SIL rating to each. Then the machinery designer or system integrator needs to design the protection function to meet SIL rating (and/or category).

Mitigate risks, if needed.

In the walking example, railings can decrease risk in a location where a stumble could cause great harm.

Some machine-based risk reductions might require an over-temperature shutdown, a speed limit, or a safety shutdown of the machine. For each, identify and specify how much risk reduction is needed and the SIL rating that corresponds to it.

A shrink-wrap machine could present pinching or other mechanical hazards. A guard, or isolation with another protective device, might prevent injury.

Over-temperature protection or a flame detector guard might be used if a flame or heater was involved.

For some hazards, design changes may be needed; no single piece of safety equipment can mitigate every hazard. Fortunately, most things in life require no safety function at the end of the discussion.

Even so, there’s rule writing, checking, and testing to do. The probabilistic failure analysis for each piece of equipment should line up with its SIL requirement. Apply a safety function for each hazard, do a risk assessment, then recheck the design. Printouts, reports, and documentation are required. Layer of protection analysis (LOPA) studies, said to allow likelihood estimation without excessive effort or complicated procedures, can be done for various hazards.

If the consequences and likelihood of injury exceed the calculated level of risk chosen for the equipment, then the designer, integrator, or end-user has to pick better equipment, add more safety/redundancy, or test more frequently—the three ways for making the protection function safer.
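As an added worked example (not from the article), the Python below ties the SIL selection step described earlier to the verification step just described: it derives the required risk-reduction factor from the current and tolerable risk, maps it to a SIL using the IEC 61511-1 bands the article reproduces in its table, and then checks an estimated protection function against that SIL. The probability-of-failure-on-demand estimate uses the single-channel approximation PFDavg ≈ λ_D × TI / 2, which is an assumption of this example (the article names failure rate data and proof testing but gives no formula); the hazard frequencies, failure rate and test intervals are constructed sample values, and the function names are this example’s own.

```python
"""Worked SIL selection and verification (added example; assumptions noted below).

Bands are the IEC 61511-1 Table 3 values reproduced in the article.  The PFD
estimate uses the simplified single-channel (1oo1) approximation
PFDavg ~= lambda_D * TI / 2, an assumption not stated in the article.
"""


def required_rrf(current_risk_per_year: float, tolerable_risk_per_year: float) -> float:
    """Risk-reduction factor needed to get from the current risk to the risk sought."""
    if current_risk_per_year <= 0 or tolerable_risk_per_year <= 0:
        raise ValueError("risks must be positive event frequencies")
    return current_risk_per_year / tolerable_risk_per_year


def sil_for_rrf(rrf: float) -> int:
    """SIL whose risk-reduction band (article table) covers the required RRF.

    Returns 0 when less than a factor of 10 is needed, i.e. no SIL-rated
    safety function is required.
    """
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1_000:
        return 2
    if rrf <= 10_000:
        return 3
    return 4  # article: standards caution against one programmable system for SIL 4


def pfd_1oo1(lambda_d_per_hour: float, proof_test_interval_hours: float) -> float:
    """Average probability of failure on demand for one proof-tested channel.

    Assumption: PFDavg ~= lambda_D * TI / 2 (dangerous failures revealed only
    by the periodic proof test; simplified, no common-cause or repair terms).
    """
    return lambda_d_per_hour * proof_test_interval_hours / 2


def achieved_sil(pfd: float) -> int:
    """Highest SIL whose PFD band contains the estimate (0 if PFD >= 0.1)."""
    sil = 0
    for level in (1, 2, 3, 4):
        if pfd < 10 ** -level:
            sil = level
    return sil


def safety_availability(pfd: float) -> float:
    """Safety availability column of the article's table: 1 - PFD."""
    return 1.0 - pfd


def verify(required_sil: int, lambda_d_per_hour: float, ti_hours: float) -> dict:
    """Compare an estimated protection function against its required SIL."""
    pfd = pfd_1oo1(lambda_d_per_hour, ti_hours)
    got = achieved_sil(pfd)
    return {"pfd": pfd, "achieved_sil": got, "meets": got >= required_sil}


if __name__ == "__main__":
    # Constructed scenario: a jam hazard estimated at 0.2 events/year
    # unmitigated; the site tolerates 1e-4 events/year.
    rrf = required_rrf(0.2, 1e-4)
    target = sil_for_rrf(rrf)
    print(f"required RRF {rrf:.0f} -> SIL {target}")
    # Constructed figures: dangerous failure rate 1e-6/h, proof test yearly
    # versus monthly.  Shortening the test interval is the article's third
    # remedy when the function falls short of its SIL.
    for ti in (8760, 730):
        r = verify(target, 1e-6, ti)
        print(f"test interval {ti:5d} h: PFDavg={r['pfd']:.2e}, "
              f"availability={safety_availability(r['pfd']):.4%}, "
              f"SIL {r['achieved_sil']}, meets target={r['meets']}")
```

With the constructed numbers the required reduction is 2,000 times, so SIL 3 is needed; a single channel proof-tested yearly only reaches the SIL 2 band, while monthly proof testing brings the same hardware into the SIL 3 band. The other two remedies the article lists, better equipment (a lower λ_D) and added redundancy, would enter the same check as a smaller failure rate or a different PFD formula.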

From that point on, usual engineering processes follow. The only thing new is probabilistic evaluation of risk.

Don’t overdo it; do it again

Over-engineering safety can defeat the purpose; the best design should ensure that the fastest, most efficient, means of operation also is the safest and most practical. The process needs to remain active. Offer training and re-examine risk whenever there’s a change in person, process, equipment, or in the regulations.

Safety integrity levels (SIL) can help reduce risk

SIL   Safety availability   Target risk-reduction factor   Target average probability of failure on demand
1     90-99%                10 to 100                      0.1 to 0.01
2     99-99.9%              100 to 1,000                   0.01 to 0.001
3     99.9-99.99%           1,000 to 10,000                0.001 to 0.0001
4     >99.99%               >10,000                        <0.0001

NOTE: The need for SIL-4-rated applications is rare (such as some areas of a nuclear-power generating plant); standards caution that one programmable safety system shouldn’t be used to meet SIL 4 requirements.
Source: Control Engineering with data from IEC 61511-1 Table 3

Related resources from Control Engineering include:

  • “Open Systems Reliability”

  • “Machine Retrofits and Safety”

  • “Reach for Machine Safety”

Other resources include:

  • ANSI (American National Standards Institute)

  • EN (European Norm)

  • International Electrotechnical Commission

  • ISA (The Instrumentation, Systems, and Automation Society)

  • NFPA (National Fire Protection Association)

  • OSHA (Occupational Safety and Health Administration)

  • RIA (Robotics Industries Association)

  • UL (Underwriters Laboratories, Inc.)

Author Information
Dr. William Goble, co-founder and president of

Tools help apply SIL to discrete manufacturing

Reading one regulation is never enough for assessing a safe design because of liberal cross-references to other ‘standards.’ Consultants, system integrators, and software vendors can help apply safety integrity levels to reduce risk in discrete manufacturing applications. How safety applies can vary by industry, equipment, and continent.

Regulatory knowledge helps.
October 2005 was the release date for IEC 60204-1 {Ed.5.0} Safety of machinery – Electrical equipment of machines – Part 1: General requirements, which ‘applies to the application of electrical, electronic, and programmable electronic equipment and systems to machines not portable by hand while working, including a group of machines working together in a coordinated manner.’ (NFPA 70 is related.)
July 2005 was the release date for ‘IEC 62061 Corr.1 {Ed.1.0} Bilingual, Corrigendum 1 – Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems.’ See
Others include ANSI RIA 15.06 safety requirements for robots, ANSI B11.19 performance criteria for safeguarding, ANSI B11.20 safeguarding requirements of cells, and ISO 13849-1 and 13849-2.

Take a class. A recent search at

In the Control Engineering Automation Integrator Guide at, safety expertise may be found under the following ‘Engineering Specialties’: machine build/retrofit; machine design/control; machine tools; manufacturing engineering; manufacturing planning; regulatory compliance; and safety/security, among others.


Use risk assessment software to help follow regulations. Built-in checklists, databases, documentation, equipment lists, graphs, matrices, targets, and tables can help. For examples, see:


Areas of risk

Where should you look to assess safety? Locations to consider are as numerous as types of machines.

While no one would consider turning a child loose in a manufacturing setting, thinking outside your experience can help uncover risks. If you didn’t know what you know about the machine, what might you do that could cause potential injury?

On a recent machine examined by RWD, areas of risk included:

  • Flywheel guarding;

  • Clutch guarding;

  • Point of operation;

  • Air control;

  • Main press electrical panel; and

  • Main operator control panel (within sight distance of point of operation).