Safety-related PLCs, safety bus, actuators, safety light curtains and in general all complex safety-related devices with integral programmable logics and embedded software, if used to build a SRECS, shall comply with the requirements of the appropriate Product Standards (if applicable) and with IEC 61508 as regards functional safety.
Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control system.
IEC 62061 is derived from IEC 61508 – Functional safety of safety-related electric/electronic/programmable electronic control systems.
IEC 61508 is the international reference standard on functional safety of electric, electronic and programmable electronic systems. The Standard consists of seven sections. The first three sections specify the safety requirements for hardware and software, the rest are of an informative nature and offer support for the correct application of the former.
IEC 62061 retains the features of IEC 61508, but simplifies safety requirements (of both hardware and software) adapting them to the specific needs of industrial machinery.
Safety requirements are considered only for “high demand mode”, i.e. request of the safety function more than once per year.
The standard is based on two basic concepts:
- Management of Operational Safety.
- Safety Integrity Level.
Management of Operational Safety
Specifies all design aspects needed to attain the required level of functional safety, from assignment of safety requirements to documentation, design management up to validation.
Each design shall have its own Functional Safety Plan properly written, documented and duly updated as necessary.
The Functional Safety Plan shall identify people, functions and resources needed for design and implementation of the safety system.
Safety Integrity Level (SIL )
Methodology and requirements is given for:
- specifying functional requirements of each safety-related function to be implemented.
- assigning the Safety Integrity Level (SIL) for each safety-related function envisaged.
- allow the design of a SRECS suitable for the safety-related function to be implemented.
- validating the SRECS.
For SIL assignment use the method of Annex A (although the Standard also accepts the techniques of IEC 61508-5).
For each risk identified the following must be assessed:
- Degree of severity (Se) of possible damage.
- Frequency and time (Fr) of exposure to danger.
- Probability of dangerous event (Pr) linked to machine operating mode.
- Avoidability (Av) of danger. The more difficult to avoid danger the higher the number representing avoidability.
The following table, extracted from the form in Figure A.3 of the Standard IEC 62061, will help in obtaining the SIL to be assigned to the safety–related function.
OM (Other Measures) = The use of other parameters is recommended.
The sum of marks obtained for attributes of frequency, probability and avoidability provides the probability class of danger:
Cl = Fr + Pr + Av
To obtain the SIL align actual Cl to level of severity (Se) identified.
This is an iterative process. In fact, depending on the protective action undertaken, some parameters might change, e.g. Fr or Pr, in which case the SIL assignment process will have to be repeated using new values for changed parameters.
Three levels are envisaged: SIL 1, SIL 2, SIL 3.
Average probability of serious failure per hour (PFHd)
Tabella 3 di IEC 62061
Thus, the SIL represents the safety level to be assigned to a SRECS for attainment of its safety integrity in the operating conditions and all the way through the time specified.
The parameter used to define the SIL (Safety Integrity Level) is the probability of dangerous failure/hour (PFHd).
The higher the SIL, the lower the probability of the SRECS not performing as safely as expected.
The SIL must be defined for each safety-related function resulting from risk analysis.
Development and design process
Each safety-related function identified through risk analysis shall be described in terms of:
- Operational requirements (mode of operation, cycle time, environmental conditions, response time, type of interface with other components or items, EMC level, etc.).
- Safety requirements (SIL).
Each safety-related function shall be broken down into functional blocks, e.g. functional block of input data, functional block of logic data processing, functional block of output data.
A subsystem is associated with each functional block.
In turn, subsystems will consist of electrical components interconnected with one another. Electrical components are known as subsystem elements.
Implementation of the SRECS technique will result in a typical architecture as shown (in this instance access control through photoelectric curtain).
For SRECS to comply with identified operational and safety requirements, the following requirements shall be met:
Each subsystem shall consist of electrical circuits suited to attain the required SIL.
The maximum SIL attainable by a subsystem is identified as SILCL (SIL claim).
Subsystem SILCLs depend on PFHd, architecture constraints, performance under failure conditions and on the ability to control and avoid systematic failure.
For software design, the code must be developed as per reference standards depending on the type of software in question as follows:
|The probability aspect is only one of the elements contributing to assignment of SIL.
To claim a specific SIL applicants must prove and document having:
Calculation of subsystem PFHd
To calculate subsystem PFHd select first the type of architecture (structure). The Standard suggests four pre-defined architectures, providing a different simplified formula for each of them.
This calculation requires the use of the following parameters:
λd = Dangerous failure rate of each subsystem element. Obtained from its known failure rate λ, percent distribution of failure rate for all failure modes and analysis of subsystem performance after failure (Dangerous Failure = λd or Non-dangerous Failure = λs).
T1 = Proof Test. Proof test interval (external inspection and repair returning the system to as-new condition) for industrial machinery usually coincides with life time (20 years).
T2 = Test interval of the diagnostic functions. Depending on design or devices used the diagnostic functions can be executed by internal circuitry of the same SRECS or by other SRECSs.
DC = Diagnostic Coverage:
Parameter representing the percent of dangerous failures detected out of all possible dangerous failures.
DC depends on self-diagnostic techniques implemented.
Assuming that failure is always possible (otherwise there would be no point in defining λ), that mechanisms for detecting failures are not necessarily all equally effective and responsive (depending on type of failure some may take longer), that it is impossible to detect all failures, that suitable circuitry architectures and effective testing may permit detection of most dangerous failures, a DC parameter may be defined for estimating the effectiveness of implemented self-diagnostic techniques.
IEC 62061 does not provide data for obtaining DC in relation to implemented diagnostic techniques. However, data of IEC 61508-2 Annex A may be used.
β = Common cause failure factor. Provides a measure of the degree of independence of operation of redundant channel systems.
Having calculated subsystem PFHd by means of the formulas from the IEC 62061, it is important to ensure that the associated SILCL obtained from Table 3 of IEC 62061 is compatible with the constraints imposed by the architecture as the maximum SILCL attainable by a given subsystem is restricted by the hardware fault tolerance of the architecture and by SFF as listed in the following table
|Safe failure fraction (SFF)||Hardware fault tolerance|
|SFF < 60%||Not allowed||SIL 1||SIL 2|
|60% ≤ SFF < 90%||SIL 1||SIL 2||SIL 3|
|90% ≤ SFF < 99%||SIL 2||SIL 3||SIL 3|
|SFF ≥ 99%||SIL 3||SIL 3||SIL 3|
|(Table 5 of IEC 62061)|
Subsystem safety failure fraction (SFF) is, by definition, the fraction of overall failure rate not involving dangerous failure
λdd (failure rate of detectable dangerous failures) and λdu (failure rate of undetectable dangerous failures) are obtained from known effectiveness of implemented diagnostic techniques.
If PFHd and SILCL of each subsystem are known, it will be possible to calculate the overall SIL of SRECS.
The overall probability of dangerous failure/hour of SRECS will equal the sum of the probabilities of dangerous failure/hour of all subsytems involved and shall include, if necessary, also the probability of dangerous failure per hour (PTE) of any safety-related communication lines:
Known the PFHd, the resulting SIL of the SRECS is obtained from Table 3.
The SIL shall than be compared to the SILCL of each subsystem, as the SIL that can be claimed for the SRECS shall be less or equal to the lowest value of the SILCL of any of the subsystems.
Where a subsystem involves two or more safety-related functions requiring different SILs, the highest SIL shall apply.
The procedures specified in ISO 13849-1:2006 simplify the estimation of Average Probability of Dangerous Failure per Hour compared to IEC 61508, offering a pragmatic approach more in line with the needs of the machine tool industry.
By retaining Categories and other basic concepts, such as safety-related function and risk graph, seamless continuity with EN 954: 1996 is assured.
Maintaining a closely linear approach with EN 954-1:1996 however, shows the limits of ISO 13849-1:2006. Where the adoption of complex technology is anticipated , e.g. programmable electronics, safety-related bus applications, different architectures, etc., it will be more appropriate to design to IEC 62061.
Where devices and/or subsystems designed in accordance with ISO EN 13849-1:1999 are used, Std. IEC 62061 shows how to integrate them in SRECS.
A precise bi-univocal equivalence between PL and SIL cannot be identified.
However, the probabilistic side of PL and SIL can be compared as they use the same concept, namely the Average Probability of Dangerous Failure per Hour, to define the extent to failure resistance.
Also, although the probability concept used in the two Standards is the same, the result may differ as the rigor of calculation is not the same.
In fact, for evaluating PFHd, IEC 62061 specifies a procedure based on formulas derived from the system reliability theory. The results may in some cases, e.g. reduced number of components, high-efficiency of self-diagnostic techniques implemented, turn out to be very low, i.e. very good.
To simplify and speed up evaluation of Probability of Dangerous Failure per Hour, ISO 13849-1 uses approximation tables which must necessarily consider worst case scenarios, with consequently higher results, i.e. inferior to, than those calculated using IEC 62061.
Next ... EN ISO 14119