Functional safety for machine controls
By Gary Milburn, Product Manager, Industrial Safety Systems, SICK Pty Ltd
Monday, 07 August, 2017
When implementing technical protective measures, each risk reduction measure will be associated with a safety function or combination of safety functions. In order for these safety functions to be designed and installed to a degree of reliability commensurate with the risk level of the associated hazard(s), the concepts of functional safety must be applied.
Functional safety is a part of the process used to design, test and prove that the safety-relevant components and circuits of a machine’s control system meet the intended reliability and risk reduction capability as determined by a risk assessment. As part of the overall risk reduction strategy for industrial machinery, it is typical to apply safeguards employing one or more safety functions (as described below) to achieve some measure of risk reduction. Parts of machinery control systems that are assigned to provide safety functions are called ‘safety-related parts of control systems’ (SRP/CS). These can consist of hardware or software and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions, such as initiation of machine motion under safe conditions.
‘Functional safety’ is the term used to refer to the portions of the safety of the machine and the machine control system that depend on the correct functioning of the SRP/CS. To best implement functional safety, safety functions must first be defined. Once identified, the required safety level must also be determined and then implemented with the correct components necessary to achieve acceptable risk reduction. To confirm that the minimum requirements have been met (if not exceeded), subsequent verification must be performed and documented.
To look at it from another aspect, functional safety is an engineering approach to quantify the performance level of the SRP/CS to a level commensurate with the associated risk for a given technical protective measure. This includes the verification and validation aspects of the safety functions that have direct interaction with the machine control system, as represented in Figure 1.
Safety functions define how risks are reduced by engineering controls, and must be defined for each hazard that has not been eliminated through design measures. At its core, a ‘safety function’ is any element of the protective system whose failure leads to an immediate increase of risk. The risk assessment process will have established the minimum requirements for the reliability of safety functions, including mechanical, electrical, hydraulic and pneumatic control system integrity. This level of reliability and integrity of the control portion of a safety function is referred to as ‘functional safety’.
In order to accurately design, implement and validate safety functions to achieve the required level of risk reduction, it is necessary to provide a precise description of each safety function. The type and number of components required for the function are derived from the definition of the safety function. Many different safety functions are possible, and some applications may require more than one function in order to adequately reduce risk. Likewise, it is also possible for a single protective measure (safeguarding component) to play a part in more than one safety function simultaneously.
It is worth noting that not all safety functions have functional safety requirements, as is the case for the use of fixed barriers to permanently prevent access or to retain hazards. Permanent separation of individuals from hazards is clearly a safety function, as is evident by the number of machines on the market with permanently fixed guards or shields in place. While these components of the overall safety system have specific requirements pertaining to proper design and use, these elements do not have functional safety considerations because there is no interface to the SRP/CS. The level of risk reduction provided by these measures can be reliably maintained through proper installation, inspection and maintenance protocols.
Why apply functional safety?
Safety technology continues to advance beyond simple electrical and electromechanical components (such as interlocking devices and relays) toward more complex electrical systems using electronics and software-based components. With simpler elements, behaviour in the event of a component failure can be determined with a high degree of certainty, because each component and its failure modes can be completely defined. The failure modes of more complex systems, on the other hand, are more difficult to define and in some cases can only be estimated.
Many industrial controls engineers were just beginning to grasp the idea of circuit architecture, referred to as ‘categories’, under EN 954-1 or previous versions of AS 4024.1. The introduction of functional safety does not diminish the importance of the circuit design, but rather builds on the concept to account for the greater number of possible failure modes inherent with more complex control systems. Essentially, the benefit of functional safety is to provide a means to ‘give credit’ for additional design aspects, over and above the circuit architecture. Older standards didn’t address these design measures, such as oversizing contactors, selecting more robust and reliable components for use in the circuit, providing higher levels of diagnostics, or addressing common cause failures through the process or implementation.
Essentially, the same reliability concerns exist when designing and evaluating SRP/CS — whether the control system is associated with simpler components or more complex elements. In order to consistently determine the overall reliability of these systems, various safety standards have been developed to outline the key elements. These elements must be considered to determine the overall reliability of the safety-critical control functions. Standards that address these elements include:
- EN ISO 13849-1 – Safety of machinery – Safety-related parts of control systems
- IEC 62061 – Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
- IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
- IEC 61511 – Functional safety – Safety instrumented systems for the process industry sector
- AS/NZS 4024.1 – Safety of Machinery
The primary principle behind these standards is that the overall reliability of a safety function can be estimated quantitatively. In terms of safety, the most important concern is the probability that the system will fail to a dangerous condition. In terms of the standards, the reliability of the SRP/CS is therefore expressed as the average probability of a dangerous failure per hour (PFHd); a lower PFHd means a more reliable safety function.
There are currently two primary methodologies to determine the likelihood of a dangerous failure: performance level (PL), as outlined in EN ISO 13849-1, and safety integrity level (SIL), as addressed in IEC 62061. Figure 2 illustrates these methodologies in terms of probability of failures per hour, to a dangerous condition.
What are the elements of functional safety?
The SRP/CS is the part of a control system that responds to safety-related input signals and generates safety-related output signals. These are parts of machinery control systems that are assigned to provide safety functions. The combined elements start at the point where the safety-related input signals are initiated (for example, obstruction of an optical beam of the safety light curtain) and end at the output of the power control elements (for example, the main contacts of a contactor). In some cases, the final element (such as the motor) is not included. It is also important to note that individual components of the safety system may play a role in multiple safety functions, with each safety function possibly requiring different levels of functional safety — again emphasising the importance of precisely describing each safety function.
Primary considerations of functional safety
The central pillars supporting the functional safety concept are exhaustively outlined in a number of sources, including the standards listed previously. As an overview, the primary considerations for determining the performance level for a subsystem are:
- Structure and behaviour of the safety function under fault conditions (category): These are the same circuit architecture concerns previously addressed in EN 954-1 and older versions of AS 4024.1, using the same category ratings (B, 1, 2, 3 and 4).
- Reliability of individual components, defined by mean time to dangerous failure (MTTFd) values: MTTFd is a statistical value, expressed in years, describing how long a component (and, built up from its components, each channel of the subsystem, not the subsystem as a whole) is expected to operate before a dangerous failure. It is not a guaranteed lifetime. For electromechanical parts such as contactors it is usually derived from the manufacturer’s B10d figure and the number of operations per year in the application.
- Diagnostic coverage (DC): The level of safety can be increased if fault detection is implemented in the subsystem. Diagnostic coverage (DC) is a measure of the capability to detect dangerous faults, expressed as the fraction of the dangerous failure rate that the diagnostics detect.
- Common cause failure (CCF): External influencing factors (eg, voltage level, overtemperature) can render identical components unusable at the same time regardless of how rarely they fail or how well they are tested, defeating redundancy. Measures against these common cause failures (such as physical separation, diversity of components, and protection against overvoltage and overtemperature) must be taken, and for the redundant and monitored categories the standard requires them to be assessed and scored before a PL can be claimed.
- Process: The process for the correct implementation of safety-relevant topics is a management task and includes appropriate quality management, including thorough testing and counterchecking, as well as version and change history documentation.
Achieving functional safety
Through the combination of the considerations above, the PL achieved can be probabilistically determined to be a specific level. Figure 3 represents how the combination of component selection (MTTFd), diagnostic coverage (DC) and circuit architecture (category) combine together to achieve various PL outcomes, with consideration for CCF.
Validation of functional safety
As with any risk reduction measure, it is essential to verify that the PL achieved is at least as high as the PL required (PLr). This can be easily represented as PL ≥ PLr.
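The procedure sketched by the five considerations above, the PL ≥ PLr check, the PFHd bands of Figure 2 and the subsystem chain described earlier (sensor, logic, power control element) can be carried through numerically for a single safety function. The Python script below is an added worked example written for this article; it is not code from the author, from SICK or from the IFA, and it is not SISTEMA. It implements the simplified procedure of EN ISO 13849-1 (B10d to MTTFd, parts count, symmetrisation of two channels, DCavg, the category/MTTFd/DC table, the CCF score threshold, series combination of subsystems and the PL ≥ PLr check). The B10d values, diagnostic coverages, operating profile, CCF score and the PL e declared for the bought-in light curtain and safety controller are constructed assumptions, not data from any product.

```python
"""ISO 13849-1 simplified procedure for one safety function, carried end to end.
Added worked example; all component data is constructed, not from a data sheet."""

# PFHd band per performance level (ISO 13849-1 Table 3) and the IEC 62061 SIL
# the same failure probability corresponds to (PL a has no SIL equivalent).
PL_PFHD = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
           "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}
PL_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}
PL_ORDER = "abcde"
DC_BANDS = ["none", "low", "medium", "high"]
MTTFD_BANDS = ["low", "medium", "high"]

# ISO 13849-1 Table 7: (category, DCavg band) -> PL for MTTFd low/medium/high;
# '-' marks combinations the simplified procedure does not cover.
TABLE_7 = {("B", "none"): "abc", ("1", "none"): "--c",
           ("2", "low"): "abc", ("2", "medium"): "bcd",
           ("3", "low"): "bcd", ("3", "medium"): "cdd",
           ("4", "high"): "--e"}

def pl_from_pfhd(pfhd):
    """Figure 2 read backwards: the PL band a calculated PFHd falls into."""
    return next((pl for pl, (lo, hi) in PL_PFHD.items() if lo <= pfhd < hi), None)

def mttfd_from_b10d(b10d, dop, hop, tcycle_s):
    """MTTFd in years of an electromechanical part (Annex C); nop = operations/year."""
    nop = dop * hop * 3600 / tcycle_s
    return b10d / (0.1 * nop)

def channel_mttfd(mttfds):
    """Parts-count method: 1/MTTFd = sum(1/MTTFd_i), capped at 100 years."""
    return min(100.0, 1 / sum(1 / m for m in mttfds))

def symmetrised_mttfd(m1, m2):
    """Annex D: a single MTTFd for two channels of different quality."""
    return min(100.0, 2 / 3 * (m1 + m2 - 1 / (1 / m1 + 1 / m2)))

def dc_avg(pairs):
    """DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i) over all (dc, mttfd) pairs."""
    return sum(dc / m for dc, m in pairs) / sum(1 / m for _, m in pairs)

def mttfd_band(m):
    if m < 3:
        raise ValueError("MTTFd below 3 years per channel is not permitted")
    return "low" if m < 10 else "medium" if m < 30 else "high"

def dc_band(dc):
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

def performance_level(category, mttfd, dcavg, ccf_score):
    """Category + MTTFd band + DCavg band -> PL, or None if not achievable."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None  # Annex F: redundant/monitored categories need >= 65 CCF points
    # credit the highest DC row of this category that the achieved DCavg satisfies
    rows = [b for b in DC_BANDS if (category, b) in TABLE_7
            and DC_BANDS.index(b) <= DC_BANDS.index(dc_band(dcavg))]
    if not rows:
        return None  # e.g. Category 2 without diagnostics, Category 4 without DC high
    pl = TABLE_7[(category, rows[-1])][MTTFD_BANDS.index(mttfd_band(mttfd))]
    return None if pl == "-" else pl

def combine_series(pls):
    """Table 11: PL of subsystems in series from the lowest PL and its count."""
    if None in pls:
        return None
    low = min(pls, key=PL_ORDER.index)
    if pls.count(low) <= {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}[low]:
        return low
    return None if low == "a" else PL_ORDER[PL_ORDER.index(low) - 1]

def meets_plr(pl, plr):
    """The verification step: PL achieved >= PL required."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)

def worked_example():
    """Output subsystem: contactors K1 and K2 in a Category 3 two-channel
    architecture, each read back by the safety controller via a mirror contact.
    B10d, DC, operating profile and CCF score are constructed assumptions."""
    dop, hop, tcycle = 220, 16, 60.0               # days/year, hours/day, s/cycle
    k1_b10d, k1_dc = 2_000_000, 0.99
    k2_b10d, k2_dc = 1_300_000, 0.90
    m1 = channel_mttfd([mttfd_from_b10d(k1_b10d, dop, hop, tcycle)])
    m2 = channel_mttfd([mttfd_from_b10d(k2_b10d, dop, hop, tcycle)])
    mttfd = symmetrised_mttfd(m1, m2)
    dcavg = dc_avg([(k1_dc, m1), (k2_dc, m2)])
    pl_out = performance_level("3", mttfd, dcavg, ccf_score=80)
    # Light curtain and safety controller are bought-in subsystems with a
    # manufacturer-declared PL e (assumed); the safety function is their series.
    pl_sf = combine_series(["e", "e", pl_out])
    return {"mttfd": mttfd, "dcavg": dcavg, "pl_out": pl_out, "pl_sf": pl_sf,
            "sil": PL_SIL.get(pl_sf), "meets_plr_d": meets_plr(pl_sf, "d")}

if __name__ == "__main__":
    print(worked_example())
```

With the assumed operating profile the two contactors give channel MTTFd values of roughly 95 and 62 years; symmetrising them yields about 79 years (high), and the weighted DCavg works out to about 93.5% (medium), so the Category 3 output subsystem reaches PL d. In series with two PL e subsystems the lowest PL (d) occurs once, so the safety function as a whole is PL d, which satisfies a PLr of d and corresponds to SIL 2. Note what the script makes visible that a bare table lookup does not: if the CCF score had been below 65, or if a channel had been built from a part with an MTTFd below 3 years, no PL could be claimed at all, and a fourth PL d subsystem in series would have dropped the result to PL c. For a precise PFHd figure rather than a band, the Annex K tables or SISTEMA would be used.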
The confirmation that adequate PL has been achieved is covered in the overall process applied to the design of SRP/CS. The primary features include:
- Organisation and competence
- Rules governing design (eg, specification templates, coding guidelines)
- Test concept and test criteria
- Documentation and configuration management
All life cycle activities of safety-related embedded or application software must primarily consider the avoidance of faults introduced during the software life cycle. The main objective is to have readable, understandable, testable and maintainable software. The EN ISO 13849-1 standard outlines a V-model as shown in Figure 4, which has proven particularly effective in practice for software design.
In common language (outside of safety standards), there is little difference between the terms ‘verification’ and ‘validation’. In the standards they are distinct steps: verification confirms, by analysis and calculation, that the design meets its specification, including that the PL achieved is at least the PLr; validation demonstrates, by analysis and testing of the installed SRP/CS (as described in EN ISO 13849-2), that each safety function actually behaves as specified on the machine. In essence, the goal is to test and check that the overall reliability of each subsystem of the SRP/CS is adequate for the associated risk, and that accurate documentation is collected for future revalidation throughout the entire life cycle of the machine.
Confirmation of functional safety
Over the past 10–15 years, industry has been progressively adopting the concepts of evaluating risks based on a systematic methodology and reducing identified risks through the application of multiple layers of protective measures from an orderly list of options based on their effectiveness. The next step to further advance safety is the concept of confirming that the established goals have been achieved. As such, after risk reduction measures have been implemented, their effectiveness must be confirmed.
When dealing with simple SRP/CS composed solely of electrical and electromechanical components, the confirmation is based on review of the circuit design. However, when the SRP/CS utilises more complex subsystems using software-based components, the confirmation must account for the other four pillars of functional safety as discussed above.
The process developed in Europe for conducting the necessary confirmation takes a mathematical approach to determine the reliability of the SRP/CS in terms of probability of a dangerous failure per hour (PFHd). The Institute for Occupational Safety and Health (IFA) in Germany has developed a tool to perform the mathematical calculations to apply the concepts of EN ISO 13849-1. This tool, called Safety Integrity Software Tool for the Evaluation of Machine Applications (SISTEMA), is available for free online.
SISTEMA accounts for the fact that safety-related parts of a control system are engineered from subsystems, blocks and elements using components for industrial use which can generally be purchased commercially. When calculating the PL achieved by a system, the system designer must enter various values and information for each element (category, MTTFd or B10d with the number of operations per year, DC and the CCF measures applied), and the tool reports whether the result meets the PLr. Component manufacturers typically provide this data in data sheets or in catalogues, but many also make the information available to SISTEMA users in the form of libraries. This collaboration within the safety market allows designers to import the necessary data from a library directly into a SISTEMA project quickly and accurately.
Achieving an acceptable or tolerable level of residual risk is possible through application of the hazard control hierarchy. However, to confirm that the desired degree of risk reduction is achieved, one must test and check that all safety functions are performing to the desired level of reliability. When the safety functions are directly interacting with the machine control systems, these portions of the control become SRP/CS and in turn must be validated. Functional safety is an approach based on probabilistic evaluation of component data to validate the overall reliability of those safety functions as a necessary step to determine that minimum performance requirements have been achieved.
If the ideas of functional safety appear complex and intimidating, rest assured that you do not stand alone. As is the case with most new philosophies, change is often difficult to implement and even harder to accept. Do not hesitate to request assistance from outside resources to provide support as necessary.