Functional safety adds to reliability of safety systems

Derek Jones, Rockwell Automation; Steve Dukich, Rockwell Automation
Tags: workplace safety

Change is constant. That’s especially true when you’re talking about machinery safety standards. Though safety standards have continued to change throughout manufacturing history, the most recent wave of revisions will enhance our way of thinking when it comes to machine safety designs.

Historically, standards mostly have been prescriptive in nature and have provided guidance on the structure of control systems to ensure that the safety requirements are met. By using the principles of redundancy, diversity and diagnostics, levels of safety system “structures” were created to help ensure that the safety function would be performed. But a very important element was missing.

All safety systems are designed with the basic premise that any system has a possibility of failure. Some of those failures may be safe, but some could lead to danger. If you asked machine operators whether they would be more comfortable with a Category 2 (single channel) safety system or a Category 4 (redundant) safety system, they would most likely answer Category 4. But if you asked again whether an operator would be more comfortable with a Category 2 system that is likely to fail to danger in 30 years or a Category 4 system that has a mean time to dangerous failure of one year, you might get a different answer. The missing element is time. Essentially, the time element adds a confidence factor that the safety system is going to perform properly today and tomorrow. In other words, we have more information, and therefore more confidence, about the reliability of the safety function.

Applying time to standards

Functional safety builds on the existing safety structure approach by adding a time element. This element is known as the Probability of Dangerous Failure, and its inverse, the Mean Time to Dangerous Failure. This “time” element causes more upfront pain for safety component suppliers, but should result in less pain for machine operators and – surprisingly – safety system designers.

Before we get into this, we must discuss two important standards: ISO13849-1:2006 and IEC62061:2005. Both apply the time element to safety systems for the machinery sector. ISO13849-1:2006 builds on the “categories” of safety structure, whereas IEC62061 builds on the foundation underlying the categories, which it calls “Hardware Fault Tolerance.” A third element, not new at all, is added to the picture to give the safety system designer more flexibility (i.e., less pain) to achieve the safety requirements. This third element is diagnostics. Putting these three elements together yields a time-sensitive level of integrity in a safety system. IEC62061 uses the term “safety integrity level” (SIL). Only three SILs apply to machine systems: SIL1, SIL2 and SIL3. ISO13849-1:2006 uses the term “performance level” (PL), and these use the alphabet, PLa through PLe.

Let’s see how it all comes together:

Starting with IEC62061, the secret is given away in the table shown below (Table 5), which maps Safe Failure Fraction (the share of failures that are safe, i.e., the diagnostics element) and Hardware Fault Tolerance to the achievable SIL.


Safe Failure Fraction      Hardware Fault Tolerance
(Diagnostics)              0          1          2
<60%                       ----       SIL1       SIL2
60% - <90%                 SIL1       SIL2       SIL3
90% - <99%                 SIL2       SIL3       SIL3
≥99%                       SIL3       SIL3       SIL3

Suppose the risk assessment determines that a SIL2 rating is needed. Table 5 gives three options for achieving SIL2. The trade-off is hardware fault tolerance against diagnostics. With zero fault tolerance, 90 to 99 percent of the failures that occur must be safe failures. If a single-channel system with appropriate diagnostics is too difficult or expensive to achieve, then a single-fault-tolerant structure with less diagnostic coverage (60 to 90 percent safe failures) can be tried. The third alternative is a two-fault-tolerant system with little or no diagnostics (less than 60 percent safe failures).
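The following is an added example, not code from the article or from Rockwell Automation: it encodes Table 5 above, enumerates the HFT/SFF combinations that reach a required SIL (the three SIL2 routes just described), and computes SFF from failure rates. The SFF formula is the IEC 61508-2 definition, which this article does not spell out; the sample failure rates are constructed.

```python
# Added example: IEC 62061 Table 5 (SFF vs. HFT -> SIL) from the article,
# plus SFF from failure rates per IEC 61508-2 (not stated in the article):
#   SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)

# Rows: SFF band lower bound (as a fraction); columns: HFT 0, 1, 2.
# None marks a combination the table does not permit ("----").
SIL_TABLE = [
    (0.00, (None,   "SIL1", "SIL2")),   # SFF < 60%
    (0.60, ("SIL1", "SIL2", "SIL3")),   # 60% <= SFF < 90%
    (0.90, ("SIL2", "SIL3", "SIL3")),   # 90% <= SFF < 99%
    (0.99, ("SIL3", "SIL3", "SIL3")),   # SFF >= 99%
]
BAND_LABELS = ["<60%", "60% - <90%", "90% - <99%", ">=99%"]


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF from per-hour rates: safe, dangerous-detected, dangerous-undetected."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lambda_s + lambda_dd) / total


def sil_from_sff_hft(sff, hft):
    """Table row for this SFF, column for this HFT; None if not permitted."""
    if not 0.0 <= sff <= 1.0 or hft not in (0, 1, 2):
        raise ValueError("sff must be in [0, 1] and hft in {0, 1, 2}")
    row = max(i for i, (lower, _) in enumerate(SIL_TABLE) if sff >= lower)
    return SIL_TABLE[row][1][hft]


def options_for_sil(target):
    """All (hft, sff_band) combinations in the table that yield exactly target."""
    return [(hft, BAND_LABELS[i])
            for i, (_, cells) in enumerate(SIL_TABLE)
            for hft, sil in enumerate(cells) if sil == target]


if __name__ == "__main__":
    # Constructed sample rates (per hour) for a single-channel subsystem.
    sff = safe_failure_fraction(lambda_s=5e-7, lambda_dd=4e-7, lambda_du=5e-8)
    print(f"SFF = {sff:.1%}, HFT 0 -> {sil_from_sff_hft(sff, 0)}")
    for hft, band in sorted(options_for_sil("SIL2")):
        print(f"SIL2 via HFT {hft} with SFF {band}")
```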

Similarly, ISO13849-1 shows comparable relationships in the figure below.

For example, let’s assume the risk assessment determines that a Performance Level d is required. Figure 5 reveals four alternatives. A Category 2 (zero fault tolerant) structure with a very high mean time to dangerous failure and low diagnostic coverage may be the least expensive solution. At the other end of the spectrum, a Category 3 (single fault tolerant) system with medium diagnostics may turn out to be the ideal solution. This is what designers need: flexibility to achieve their safety requirements.

Minimizing potential for systematic faults

Functional safety does not stop at random hardware failures. Additional elements must also be taken into consideration, such as common cause failure. This particular element has been discussed in standards going back to at least the 1980s. Functional safety takes the discussion to the next level by applying a scoring system that attempts to influence the safety system design to minimize the potential for systematic faults. Certain points are awarded for steps like segregating signal paths, design expertise, environmental compatibility, training and competence. Adequate protection against systematic failures is considered accomplished when a specific number of points is achieved. The concepts are the same, but the scoring values differ between IEC62061 and ISO13849-1:2006.

Safety component suppliers, on the other hand, share more of the burden of functional safety. Each component in the safety system must have an assigned probability of dangerous failure or mean time to dangerous failure. Currently, this type of information is often unavailable. In fact, many product design standards are being modified to define the criteria for dangerous failure, testing requirements, and statistical tools used to determine the time to dangerous failure. Once this is accomplished, many months of testing are required to confirm the achieved level.

For example, take an electromechanical component whose expected time to dangerous failure is two million operations. This is called the B10d value – the number of cycles at which 10 percent of the sample has failed to danger. If the test cycle is two seconds ON and two seconds OFF, the test will take at least 92 days to complete. Other statistical methods are also allowed. Many component suppliers test their products but end the testing when a sufficient number of successful cycles has been achieved (and not necessarily to failure). With this value and the assumption that half the failures will be to danger, the B10d value can be estimated. As a fallback position, ISO13849-2 (notice the dash two) has default values that can be used if no other values are available.

The safety system designer does not get off that easy. The designer must gather the functional safety data from the component suppliers, put it together to make a system and come out with either the Safety Integrity Level or Performance Level for the system. Although this is not a daunting task, computerized tools will soon be available to simplify this step.

The machine safety world continues to change. The change will provide safer machine control systems and more flexibility to achieve the safer designs. This change will take some time to become widely implemented, but, as they say, “The train has left the station.” The change has started. Safety component suppliers are definitely busy. Machine suppliers must now become aware of functional safety and how to take advantage of its benefits.

SIDEBAR

Standards overview summary

IEC 61508 is the IEC standard covering functional safety of electrical/electronic/programmable electronic safety-related systems. The main objective of IEC 61508 is to use safety instrumented systems to reduce risk to a tolerable level by following the overall, hardware and software safety life cycle procedures and by maintaining the associated documentation. Issued in 1998 and then updated in 2000, it has since come to be used mainly by safety equipment suppliers to show their equipment is suitable for use in SIL-rated systems.

IEC/EN 62061:2005 is the IEC standard covering the functional safety requirements for electrical/electronic/programmable electronic safety-related systems for the machinery sector of the marketplace. Machine suppliers or safety system integrators should either use this standard or ISO13849-1:2006.

ISO EN13849-1:2006 is the ISO standard covering the functional safety requirements for electrical, pneumatic, hydraulic and mechanical safety systems. Machine suppliers or safety system integrators should either use this standard or IEC62061:2005.