Essentials of Machine
& Process Safety
Standards in Perspective
Derrin Drew
Agenda
● Why Safety
● What is risk based design
● Legal Framework
● State regulations, national guidelines and standards
● Lifecycle Risk Management Process
● Risk Assessment
● Tolerable risk
● Safe Design
● Definition of Reasonably Practicable
● Integrity of a safety system
● Approach to the design of safety systems
Why Safety?
● Studies indicate 51% of workplace fatalities resulted
from injuries from fixed plant and machinery.
● Failure to adequately guard the machine was a factor in
37% of these cases. 69% of the cases studied occurred in
the manufacturing industry.
● WorkSafe Australia processes 47,000 workplace claims
per year for injury from machinery involving 5 or more
days off work.
Safety
Research commissioned by the National OH&S Commission (replaced by the
Australian Safety and Compensation Council in 2005) examined the
contribution that the design of machinery and equipment makes to the incidence
of fatalities and injuries in Australia. The study indicated that:
● Of the 210 identified workplace fatalities, 77 (37%) definitely or probably had
design-related issues involved.
● In another 29 (14%) of the identified workplace fatalities, the circumstances were
suggestive that design issues were involved.
● Design contributes to at least 30% of work-related serious non-fatal injuries.
● Design-related issues were most prominent in the 'machinery and fixed plant'
group and the 'mobile plant and transport' group. Similar design problems are involved
in many fatal incidents.
● Design-related issues were definitely or probably involved in at least 50% of the
incidents in the agriculture, trade and mining industries, and in 40-50% of the
incidents in the construction, manufacturing and transport/storage industries.
Solutions already exist for most of the identified design problems (such as seat
belts, rollover protection and guarding).
Protect People and Increase Productivity
● Investing in machine safety
● Health & safety for all personnel
● Cut costs associated with:
> Physical injuries
> Insurance premiums
> Lost production, penalties
> …
● Increased productivity due to the prevention of accidents:
> Better failure detection
> Workers confident at work
> Improved maintenance efficiency
> …
Machine Safety as a Global Concept
● Safety must be taken into account:
> already in the design phase
> and must be kept in place throughout all stages of a machine's life cycle:
transportation, installation, adjustment, operation/production, maintenance, dismantling
● (Figure: life cycle loop of design and production, installation and implementation,
operation, and maintenance)
● Safety is necessary to obtain the CE mark
Legal Framework
Occupational Safety and Health Act, supported by the Occupational Safety and Health
Regulations.
The Act covers:
• The General Duties
• Resolution of Issues
• Safety and Health Representatives
• Safety and Health Committees
• Enforcement of the Act and Regulations
The Regulations:
• Set minimum requirements for specific hazards and work practices
• Reference National Standards developed by the NOHSC
• Reference Australian Standards developed by Standards Australia
• Include the National Standard for Plant
Guidance Material:
• Codes of Practice
• Advisory Standards
• National Codes of Practice and National Standards developed by the NOHSC
• Australian Standards developed by Standards Australia
What are the national OHS laws?
• Safe Work Australia is developing national model OHS laws. By
December 2011, each jurisdiction will be required to enact their own
jurisdictional laws that mirror the national model laws.
• The national OHS laws consist of a model OHS Act and model
regulations, which will be supported by model Codes of Practice.
This package of documents is referred to as model legislation.
National Standard for Plant
● Application: the provisions of this national standard apply to designers,
manufacturers, importers, suppliers, erectors, installers, employers,
self-employed persons, and employees with respect to all plant
● Duties & General Requirements
● Hazard Identification, Risk Assessment and the Control of Risk, relating to all plant
● Registration of Plant Design & Items of Plant
● Evidence of Registration
● Notification of Compliance
Standardization Institutes
International: IEC (electrical standards), ISO (other standards: mechanical parts, ...)
European: CEN (mechanical standards), CENELEC (electrical standards)
National: CSA, ANSI, UL, SIS, BS, NF, DIN, UNE, CEI, GOST, JIS, OSHA, SAA
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
CEN: Comité Européen de Normalisation
CENELEC: Comité Européen de Normalisation Electrotechnique
Standardization Bodies
● All countries use IEC and ISO standards or adapt them locally.
● All the main institutes work jointly with other international
organizations.
Australian Standards
Process Standards
● AS/IEC 61511 Functional safety: safety instrumented systems for the process industry sector
● AS/IEC 61508 Functional safety of electrical, electronic and programmable electronic
safety-related systems
● AS 3814 / AG501 Industrial and Commercial Gas Fired Appliances
● IEC 60079 series of explosive atmosphere standards
● FPA / NFPA: refer to AS 3000 rather than NFPA 70
Machine Standards
Machinery safety standards are classed as Type A (basic safety standards), Type B
(generic safety standards covering one aspect or one kind of safeguard) and Type C
(standards for a particular machine or group of machines).
● Generic (Type A/B): AS 4024 Safety of Machinery; ISO 13849 Safety of machinery;
AS/IEC 62061 Safety of machinery; AS/NZS ISO 31000:2009 Risk management
(AS/NZS 4360:2004 has been superseded by AS/NZS ISO 31000:2009)
● Type C: AS 1755 Conveyor safety; AS 1418 Cranes; AS 1219 Power presses;
AS 2939 Robot cells; AS 3533 Amusement rides
Introduction to IEC 61508
● The following image (not reproduced in this transcript) summarizes the existing
standards that define the requirements for functional safety
3 Feb. 2010, common sense prevails:
Graeme Kirk (Farmer) vs WorkCover*
● Mr Kirk succeeded in having the decision of the Court of Appeal overturned in
the High Court. The offences with which Mr Kirk and the company were
charged did not identify the acts or omissions which constituted the alleged
offences. Thus no measures which could reasonably practicably have
been taken to obviate the risks could be identified, and the defendants
were denied the opportunity to properly defend the charges.
● In making his ruling, Justice John Heydon said "…it is time for the WorkCover
Authority of New South Wales to finish its sport with Mr Kirk. The applications
in the Industrial Court should be dismissed."
● "This spells the end of what some people have called the reverse onus
approach – guilty until proven innocent approach – to the legislation."
● "It also has potential to be applied to the interpretation of the new national OHS
regime which is due to commence in 2012."
*refer to the case history in the notes (not included in this transcript)
Reasonably Practicable
How WorkSafe applies the law in relation to Reasonably Practicable
WORKSAFE POSITION
A GUIDELINE MADE UNDER SECTION 12 OF THE OCCUPATIONAL HEALTH AND SAFETY ACT
2004 (November 2007)
In applying the concept of reasonably practicable, careful consideration must be given to each of the
matters set out in section 20(2) of the Act. No one matter determines ‘what is (or was at a particular
time) reasonably practicable in relation to ensuring health and safety’. The test involves a careful
weighing up of each of the matters in the context of the circumstances and facts of the particular
case with a clear presumption in favour of safety. Weighing up each of the matters in section 20(2)
should be done in light of the following:
a) Likelihood
b) Degree of Harm
c) What the person knows about the risk and ways of eliminating that risk
d) Availability and suitability of ways to eliminate or reduce the risk
e) Cost of eliminating or reducing the risk
Risk assessment process
Danger and Risk
● Danger (or hazard) and risk are commonly confused. A danger is ever present, whereas
risk is the possibility of that danger actually causing harm.
Consider the following two statements:
● A hungry tiger is dangerous
● A hungry tiger is risky
● A hungry tiger is dangerous, but it is only a risk if it is in your vicinity.
● We can avoid or reduce risk by bounding the danger
(the tiger is locked in the zoo, so the risk of being attacked is very low).
Risks are events or conditions that may occur and whose occurrence,
if the event does take place, has a harmful or negative effect.
Overall safety life cycle (IEC 61508-1, Figure 2)
1. Concept
2. Definition of the overall scope
3. Hazard and risk analysis
4. Overall safety requirements
5. Allocation of safety requirements
Overall planning:
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
Realisation:
9. Safety-related systems: E/E/PES
10. Safety-related systems: other technology
11. External risk reduction facilities
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance and repair
15. Overall modification and retrofit (back to the appropriate overall safety
life cycle phase)
16. Decommissioning
The Requirement
Safety - Acceptable Risk Level
● Zero risk does not exist, but risk must be reduced to an acceptable level.
● Safety is the absence of risks which could cause injury or damage the health
of persons.
● It is the machine designer's job to reduce all risks to a value lower than the
acceptable risk.
Definition of Risk
● The concept of safety is closely linked to that of risk which, in turn, depends
not only on the probability of occurrence but also on the severity
of the event. It is possible to accept a life-threatening risk (maximum
severity) if the probability of such an event is minimal.
The level of risk is a function of both severity and probability of occurrence.
Risk Assessment for Machines
Risk Assessment Flow Chart (figure not reproduced: analytical stage, then design stage)
Design Process (figure not reproduced)
AS 4024:2006 Safety of Machinery (figure not reproduced)
Severity
Severity of injury: S1 and S2
In estimating the risk arising from a failure of a safety function, only slight
injuries (normally reversible), serious injuries (normally irreversible)
and death are considered.
To decide between S1 and S2, the usual consequences of accidents and normal
healing processes should be taken into account.
For example, bruising and/or lacerations without complications would be
classified as S1, whereas amputation or death would be S2.
Taken from ISO 13849-1 Safety of Machinery
Frequency
Frequency and/or exposure time to the hazard: F1 and F2
A generally valid time period to be selected for parameter F1 or F2 cannot be specified. However, the
following explanation could facilitate making the right decision where doubt exists.
F2 should be selected if a person is frequently or continuously exposed to the hazard. It is irrelevant whether
the same or different persons are exposed to the hazard on successive exposures, e.g. for the use of lifts.
The frequency parameter should be chosen according to the frequency and duration of access to the hazard.
Where the demand on the safety function is known by the designer, the frequency and duration of this
demand can be chosen instead of the frequency and duration of access to the hazard.
The period of exposure to the hazard should be evaluated on the basis of an average value which can be
seen in relation to the total period of time over which the equipment is used.
For example, if it is necessary to reach regularly between the tools of the machine during cyclic operation in
order to feed and move work pieces, then F2 should be selected. If access is only required from time to time,
then F1 should be selected.
NOTE: In the absence of any other justification, F2 should be chosen if the frequency is higher than once per
hour.
Taken from ISO 13849-1 Safety of Machinery
Avoidance
Possibility of avoiding the hazard: P1 and P2
It is important to know whether a hazardous situation can be recognized and avoided
before it leads to an accident. For example, an important consideration is whether the
hazard can be directly identified by its physical characteristics, or recognized only by
technical means, e.g. indicators. Other important aspects which influence the selection of
parameter P include, for example:
● operation with or without supervision;
● operation by experts or non-professionals;
● speed with which the hazard arises (e.g. quickly or slowly);
● possibilities for hazard avoidance (e.g. by escaping);
● practical safety experience relating to the process.
When a hazardous situation occurs, P1 should only be selected if there is a
realistic chance of avoiding an accident or of significantly reducing its effect; P2
should be selected if there is almost no chance of avoiding the hazard.
Taken from ISO 13849-1 Safety of Machinery
Risk Assessment Principles
● Machines are sources of potential risk, and the Machinery Directive requires a risk
assessment to ensure that any potential risk is reduced to less than the acceptable risk
● Risk assessment consists of a series of logical steps which make it possible to
systematically analyse and evaluate machinery-related risks
● Risk assessment steps:
> Identification of the potential hazard
> Risk estimation
> Risk evaluation (EN/ISO 13849-1 => Performance Level (PL); EN/IEC 62061 =>
Safety Integrity Level (SIL))
> Risk reduction
Risk Evaluation
● On the basis of the risk assessment, the designer has to define the
safety-related control system. To achieve that, the designer will choose
one of the two standards appropriate to the application:
> either standard EN/ISO 13849-1, which defines performance levels (PL)
> or standard EN/IEC 62061, which defines safety integrity levels (SIL)
● A table relating these two definitions is given in both standards (not reproduced
in this transcript).
● To select the applicable standard, a common table in both standards gives
indications (not reproduced here; its footnote (1) reads "For designated
architectures only").
Standard EN/IEC 62061
● Specific to the machine sector within the framework of EN/IEC 61508:
> gives rules for the integration of safety-related electrical, electronic and
programmable electronic control systems (SRECS)
> does not specify the operating requirements of non-electrical control
components in machines (e.g. hydraulic, pneumatic)
● The probability of failure associated with the required SIL (Safety
Integrity Level) depends on the potential frequency of usage of the
safety function to be performed
(Safety of Machinery application: EN/IEC 62061)
Standard EN/ISO 13849-1
● The Standard gives safety requirements for the design and integration
of safety-related parts of control systems, including software design.
● The Risk Graph helps to determine the required PL (Performance
Level) of each safety function
● S - Severity of injury
> S1 Slight injury (reversible)
> S2 Serious or permanent injury or death
● F - Frequency and / or exposure to a hazard
> F1 Seldom to less often and / or short time
> F2 Frequent to continuous and / or long time
● P - Possibility of avoiding the hazard or limiting the harm
> P1 Possible under specific conditions
> P2 Scarcely possible
Relationship Between Different Criteria
● Relationship between Categories, DCavg, MTTFd and PL (table not reproduced in
this transcript)
● *In several applications the realisation of performance level c by category 1
may not be sufficient. In this case a higher category, e.g. 2 or 3, should
be chosen.
Basic concepts
● According to the requirements of standard EN/ISO 12100-1, the machine
designer's job is to reduce all risks to a value lower than the acceptable risk
● It gives guidelines for the selection and installation of devices which can be
used to protect persons, and identifies those measures that are implemented by
the machine designer and those dependent on its user
● This standard recognises two sources of hazardous phenomena:
> moving parts of machines
> moving tools and/or workpieces
Safe Design
"It is the control of the design and design-associated activity that leads to a
responsibility as an obligation bearer, not their classification as a manufacturer,
supplier, etc."
National Occupational Health and Safety Commission Safe Design Project Report 2000
Principles of Safe Design
Principles of Safe Design (of equal priority)
The key elements that impact on achieving a safe design are:
Principle 1: Persons with Control – persons who make decisions affecting the design of products, facilities or
processes are able to promote health and safety at the source.
Principle 2: Product Lifecycle – safe design applies to every stage in the lifecycle from conception through to disposal.
It involves eliminating hazards or minimising risks as early in the lifecycle as possible.
Principle 3: Systematic Risk Management – the application of hazard identification, risk assessment and risk control
processes to achieve safe design.
Principle 4: Safe Design Knowledge and Capability – should be either demonstrated or acquired by persons with
control over design.
Principle 5: Information Transfer – effective communication and documentation of design and risk control information
between all persons involved in the phases of the lifecycle is essential for the safe design approach.
www.safeworkaustralia.gov.au
Making it safe: Hierarchy of Control (figure not reproduced)
Functional Safety: Process and Machine
Advancements in Technology (1968 to 2010):
● Communications
● Integrated Functions
● Complex architectures
Change of Standards
● The qualitative approach of EN 954-1 is no longer sufficient for modern
controls based on new technologies (electronic and programmable electronic
systems):
> insufficient requirements for programmable products,
> the reliability of the components is not taken into account,
> too deterministic an orientation (designated architectures).
● Standard EN ISO 13849-1 will completely replace EN 954-1 on 31 December
2011, and will upgrade the qualitative approach with a new quantitative
(probabilistic) approach, consistent with modern safety standards.
● At the moment both standards, EN 954-1 and EN/ISO 13849-1, are valid.
● For complex machines using programmable systems for safety-related control,
the sector-specific standard EN/IEC 62061 has to be considered.
● EN/IEC 62061 is based on EN/IEC 61508.
Redundancy and Self-monitoring (Qualitative Approach)
Redundancy consists of compensating for the failure of one component by the
correct operation of another, on the assumption that both will not fail
simultaneously.
Self-monitoring consists of automatically checking the operation of each of the
components which change state at each cycle.
Redundancy + Self-monitoring: the risk of not operating safely is reduced to a
level that is acceptable compared with the consequences. An initial fault in the
safety circuit is detected before a second fault occurs (the next cycle is inhibited).
AS4024 – A Reminder
What is Functional Safety?
Functional safety is part of the overall safety that depends on a system or
equipment operating correctly in response to its inputs.
None of these measures is sufficient, however, without implementing a good
safety culture.
Change the work ethic/philosophy from
1. Profit Motive > Production > Maintenance > etc. > Safety
to
2. Profit Motive > Safety > Production > Maintenance > etc.
Choose 1 to have safety grafted on the side of other functions;
choose 2 to have safety integrated within other functions.
Definition of Functional Safety
● Functional safety is the part of the overall safety that depends on a
system or equipment operating correctly in response to its inputs.
● Functional safety is a subset of safety (figure not reproduced).
> Non-functional safety is the safety achieved by measures reliant on passive
systems (example: insulation on electrical conducting parts).
> Functional safety is the safety achieved by active systems (example:
temperature measurement and de-energization of a contactor).
Definition: A system is functionally safe if random, systematic and
common cause failures do not lead to malfunctioning of the system and do
not result in injury or death of humans, spills to the environment, or loss of
equipment or production.
● Two types of requirements are necessary to achieve functional safety:
> safety function requirements (what the function does; its logic) and
> safety integrity requirements (the likelihood of a safety function
performing satisfactorily).
Safety function requirements + safety integrity requirements = functional safety.
● Reliability is the ability of a system or component to perform its
required functions under stated conditions for a specified period of
time. It is often reported as a probability.
● Probability is the likelihood or chance that something is the case or
will happen.
Definition of Dependability
The dependability of a system is its
ability to deliver specified services to
the end users so that they can
justifiably rely on and trust the
services provided by the system.
Definition of Reliability
● Reliability is a measure of the continuous delivery of service. It is
defined as the probability that a device will perform its intended
function during a specified period of time under stated conditions.
● Reliability is often quantified by MTTF (Mean Time To (First) Failure),
expressed as a time in hours or in years.
● The failure rate can also be expressed in Failures In Time (FIT). The
FIT rate of a device is the number of failures that can be
expected in one billion (10^9) device-hours of operation.
Other Attribute Definitions
● Availability is a measure of the service delivery with respect to the
alternation of delivery and interruptions.
● Maintainability is a measure of the service interruption. It is
usually quantified by MTTR (Mean Time To Repair).
● Safety is a measure of the time to catastrophic failure.
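The reliability, MTTF, FIT and availability definitions above are all arithmetic on one failure rate. The block below, an added example rather than code from the original slides, carries them through for a component with a constant failure rate (the exponential model that MTTF and FIT figures on data sheets assume). The 500 FIT contactor, 20-year mission and 8-hour repair time are constructed figures.

```python
"""Reliability arithmetic from the definitions above (added example, not from
the original slides). Assumes a constant failure rate (exponential model),
which is the usual assumption behind MTTF and FIT figures on data sheets."""
import math

HOURS_PER_YEAR = 8760.0


def fit_to_failure_rate(fit: float) -> float:
    """Convert a FIT figure (failures per 1e9 device-hours) to lambda in 1/h."""
    return fit / 1e9


def mttf_hours(failure_rate_per_hour: float) -> float:
    """MTTF = 1/lambda for a constant failure rate."""
    return 1.0 / failure_rate_per_hour


def reliability(failure_rate_per_hour: float, hours: float) -> float:
    """R(t) = exp(-lambda t): probability of no failure over `hours`."""
    return math.exp(-failure_rate_per_hour * hours)


def steady_state_availability(mttf_h: float, mttr_h: float) -> float:
    """A = MTTF / (MTTF + MTTR): fraction of time the service is delivered."""
    return mttf_h / (mttf_h + mttr_h)


def summarise(fit: float, mission_years: float, mttr_h: float) -> dict:
    """All four measures for one component over one mission."""
    lam = fit_to_failure_rate(fit)
    mttf = mttf_hours(lam)
    return {
        "lambda_per_hour": lam,
        "mttf_hours": mttf,
        "mttf_years": mttf / HOURS_PER_YEAR,
        # Note that an MTTF of ~228 years still leaves ~8% probability of
        # failure over a 20-year mission: MTTF is not a guaranteed lifetime.
        "reliability_over_mission": reliability(lam, mission_years * HOURS_PER_YEAR),
        "availability": steady_state_availability(mttf, mttr_h),
    }


if __name__ == "__main__":
    # Constructed figures: a 500 FIT contactor, 20-year mission, 8 h repair.
    for key, value in summarise(500.0, 20.0, 8.0).items():
        print(f"{key:>26}: {value:.6g}")
```

The point worth keeping from the numbers: availability is dominated by MTTR and looks excellent, while the probability of at least one failure during the mission is what a safety integrity calculation actually needs.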
Definition of Threats to Dependability
● The threats to dependability are listed as follows and their relationship
to the system is illustrated in the figure (not reproduced):
> Fault: an abnormal condition that may cause a reduction in, or loss of, the capability of a
functional unit to perform a required function. A fault is the cause of a system failure.
> Error: a discrepancy between a computed, observed or measured value or condition
and the true, specified or theoretically correct value or condition. An example of an error is the
occurrence of an incorrect bit caused by an equipment malfunction. An error is a system state that
can cause failure.
> Failure: the termination of the ability of a system or functional unit to perform a required
function. A failure in a sub-system can be a fault for the higher-layer system. The latency times from
fault to error to system failure are labelled t1, t2 and t3 in the figure.
Difference between fault, error and failure: fault -> error -> failure.
Definition of Means
● Four means can be identified to counter the previous threats:
> Fault prevention: how to prevent fault occurrence or introduction,
> Fault tolerance: how to provide a service complying with the
specification in the presence of faults,
> Fault removal: how to reduce the presence of faults, in both
number and seriousness,
> Fault forecasting: how to estimate the creation and the consequences
of faults.
Definition of Safety loop
● The safety function is always related to a safety loop, not to a
component or device.
● Safety can be carried out by decomposing system functions into:
> Sensor
> Logic unit
> Actuator
> Communication
● Safety Functions are carried out by Safety Related Parts of the Control
System (SRP/CS)
● Examples: Safe Stop, Safe Position, Safely Limited Speed
Example loop (figure): SRP/CSa = sensor/input: interlocking switches SW1 and SW2;
SRP/CSb = logic: safety PLC; SRP/CSc = actuator/output: contactors CON1 and CON2.
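The two-channel loop in the figure (SW1/SW2 into a safety PLC driving CON1/CON2) is exactly where the "Redundancy and Self-monitoring" slide's qualitative approach applies: redundant inputs and series outputs cover a single failure, and cross-checking them every cycle detects that failure before a second one can defeat the function. The simulation below is an added example, not code from the original slides; the channel names follow the figure, while the discrepancy window, the mirror-contact feedback model and the two fault scenarios are assumptions.

```python
"""Two-channel safety loop simulated in software: redundancy plus
self-monitoring, as described in the slides above. Added example, not code
from the original slides. Channel names SW1/SW2 and CON1/CON2 follow the loop
figure; the discrepancy window and the fault texts are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DISCREPANCY_LIMIT = 2  # assumed: scans the two input channels may disagree


@dataclass
class Contactors:
    """Plant side: mirror-contact feedback follows the command unless welded."""
    con1_welded: bool = False
    con2_welded: bool = False
    energised: bool = False

    def apply(self, run: bool) -> None:
        self.energised = run

    def dropped_out(self) -> Tuple[bool, bool]:
        """True per contactor if its N/C mirror contact reports it released."""
        return (not (self.energised or self.con1_welded),
                not (self.energised or self.con2_welded))


@dataclass
class SafetyLoop:
    """Logic unit: two redundant inputs, two series outputs, fault latching."""
    fault: Optional[str] = None
    discrepancy_scans: int = 0
    last_run: bool = False
    history: List[bool] = field(default_factory=list)

    def scan(self, sw1_closed: bool, sw2_closed: bool,
             con1_dropped: bool, con2_dropped: bool) -> bool:
        """One cycle; returns True if the contactors are commanded on (run)."""
        if self.fault:
            return self._command(False)  # latched: every later cycle inhibited
        # Self-monitoring of the outputs: after a stop command both contactors
        # must be seen released before re-enabling. One still pulled in is a
        # detected single fault (the other, in series, still opened the circuit).
        if not self.last_run and not (con1_dropped and con2_dropped):
            self.fault = "output channel failed to drop out"
            return self._command(False)
        # Redundant inputs: both channels must agree the guard is closed. A
        # short disagreement is switch skew; a long one is a stuck channel.
        if sw1_closed != sw2_closed:
            self.discrepancy_scans += 1
            if self.discrepancy_scans > DISCREPANCY_LIMIT:
                self.fault = "input channel discrepancy"
            return self._command(False)
        self.discrepancy_scans = 0
        return self._command(sw1_closed and sw2_closed)

    def _command(self, run: bool) -> bool:
        self.last_run = run
        self.history.append(run)
        return run


def step(loop: SafetyLoop, plant: Contactors, sw1: bool, sw2: bool) -> bool:
    """Close the loop: read feedback, run the logic, drive the contactors."""
    run = loop.scan(sw1, sw2, *plant.dropped_out())
    plant.apply(run)
    return run


def scenario_stuck_switch() -> Tuple[List[bool], Optional[str]]:
    """SW2 welded closed: when the guard opens only SW1 reports it. The loop
    stops on the first disagreement and latches a fault, so a later reading of
    'both closed' (guard shut again) no longer re-enables the motor."""
    loop, plant = SafetyLoop(), Contactors()
    for sw1, sw2 in [(True, True), (True, True),                  # running
                     (False, True), (False, True), (False, True),  # guard opened
                     (True, True), (True, True)]:                  # guard closed
        step(loop, plant, sw1, sw2)
    return loop.history, loop.fault


def scenario_welded_contactor() -> Tuple[List[bool], Optional[str]]:
    """CON1 welds while energised. The guard opening still stops the motor via
    CON2, and the feedback check refuses the next start on one channel alone."""
    loop, plant = SafetyLoop(), Contactors()
    step(loop, plant, True, True)     # running
    plant.con1_welded = True          # fault injected while pulled in
    step(loop, plant, False, False)   # guard opened: stop commanded
    step(loop, plant, True, True)     # guard closed: CON1 still in -> fault
    step(loop, plant, True, True)
    return loop.history, loop.fault


if __name__ == "__main__":
    print("stuck switch:", scenario_stuck_switch())
    print("welded contactor:", scenario_welded_contactor())
```

Both scenarios end with the run command held false even though the inputs later read as a closed guard; that is the "next cycle inhibited" behaviour of the slide, and a reset after repair would be the only way back to running.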
AS/IEC 61508: Overall safety life cycle: Functional Safety
(The same 16-phase overall safety life cycle figure as shown under "Overall safety
life cycle" above.)
EN/IEC 61511: Overall safety life cycle for Safety Instrumented Systems (SIS), process sector
1. Hazard and risk assessment
2. Allocation of safety functions to protection layers
3. Safety requirements specification for the safety instrumented system
4. Design and engineering of the safety instrumented system (in parallel with the
design and implementation of other means of risk reduction)
5. Installation, commissioning and validation
6. Operation and maintenance
7. Modification
8. Decommissioning
(Figure side panel: the SIS comprises the transducer/transmitter, the programmable
electronic system (PES) and the actuator/valve.)
Basic Process Control System
Figure (not reproduced): the process variable is held in range by the action of the
Basic Process Control System (BPCS); on failure of the BPCS the variable drifts past
the alarm threshold.
BPCS + Safety Instrumented System
Figure (not reproduced): with a Safety Instrumented System added, a failure of the BPCS
that drives the variable past the alarm threshold is caught at the safety threshold by
the reaction of the SIS.
Layers of Protection
● Determine Overall Safety Requirement (figure not reproduced): starting from the
consequence of the hazardous event, the machine risk is compared with the tolerable
risk / target frequency; the gap is the necessary risk reduction, which is shared
between external risk reduction facilities, E/E/PES safety-related systems (SRS) and
other-technology safety-related systems.
● A risk may be reduced by one or more 'Layers of Protection', e.g. access
restriction, control system trips, barriers, mechanical protection devices.
● Where an electrical/programmable electronic system is used as a
protection layer, this results in a SIL being allocated to that system.
Protection Layers (figure: layers ordered from the process outwards, against
increasing frequency and severity)
Prevention layers:
● Process design
● Process control layer: Basic Process Control System
● Alarm layer: monitoring systems and operator supervision
● Safety Instrumented Systems
● Other protective layers: mechanical protection system
Mitigation layers:
● Mitigating layers: mechanical mitigation system
● Emergency response: evacuation procedure and emergency broadcasting
Principles of SIL Allocation
● The SIL allocated to a safety function is based on a
determination of the risk reduction needed to achieve "tolerable
risk" in terms of your risk matrix.
● Risk matrix (figure not reproduced): frequency of the hazardous event against
consequence of the hazardous event; the cell in which the equipment under control
sits with no protective features gives the risk level, and the distance from there
to the 'tolerable risk' cell is the required risk reduction.
● The risk reduction system is assigned a Safety Integrity Level, and its software
the corresponding Software Safety Integrity Level (4 down to 0).
Safety Integrity Levels:
4 – Very High
3 – High
2 – Medium
1 – Low
0 – Non-Safety
Safety Integrity Level
SILs can be determined using several methods (quantitative or qualitative):
● LOPA (Layers of Protection Analysis)
● Risk Graph
● Risk Matrix
Example Fault Tree Analysis (figure not reproduced)
ISO 13849-1 Functional Safety of Machines
● Applies quantitative measures of safety to machines
● Applies familiar measures to ease the transition
● Already in force in the EU
● Will entirely replace EN 954-1 by 2012
Categories (figure not reproduced)
● Select the suitable standard (figure not reproduced)
● For complex machines, the international sector-specific standard IEC
62061, based on standard IEC 61508, must be used.
IEC 61508: Functional safety of Electrical / Electronic / Programmable Electronic
(E/E/PE) safety-related systems. Sector standards derived from it:
> EN/IEC 62061: Safety of machinery. Functional safety of E/E/PE control systems.
Published on 31 December 2005; harmonized to the Machinery Directive; restricted
to electric, electronic and programmable electronic safety-related control systems;
possible overlap with EN ISO 13849-1.
> IEC 61511: Functional safety. Safety instrumented systems for the process industry
sector.
> IEC 61513: Nuclear power plants. Instrumentation and control for systems important
to safety.
● The probability of failure associated with the required SIL depends on the
frequency of usage (demand mode) of the safety function to be performed:

Safety     Low demand mode of operation            High demand (>1 per year, or >2 × proof-test
Integrity  (average probability of failure to      frequency) or continuous mode of operation
Level      perform its design function on demand)  (probability of a dangerous failure per hour)
4          ≥ 10^-5 to < 10^-4                      ≥ 10^-9 to < 10^-8
3          ≥ 10^-4 to < 10^-3                      ≥ 10^-8 to < 10^-7
2          ≥ 10^-3 to < 10^-2                      ≥ 10^-7 to < 10^-6
1          ≥ 10^-2 to < 10^-1                      ≥ 10^-6 to < 10^-5

(Safety of Machinery application: EN IEC 62061)
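The "Principles of SIL Allocation" and "Safety Integrity Level" slides say that the SIL comes from the risk reduction needed to reach tolerable risk, determined for instance by LOPA, and the table above turns that into a PFD band. The block below, an added example rather than code from the original slides, runs that chain end to end: a LOPA-style target, the low/high demand decision from the table header, the simplified IEC 61508-6 PFDavg estimates for a 1oo1 and a 1oo2 channel, and the band lookup. The scenario frequencies, protection-layer PFDs and the dangerous undetected failure rate are constructed.

```python
"""SIL allocation worked end to end: a LOPA-style risk reduction target, the
demand-mode decision, simplified PFDavg estimates for 1oo1 and 1oo2 channels,
and lookup in the SIL table above. Added example, not code from the original
slides; the scenario frequencies and failure rates are constructed."""
import math
from typing import Dict, List, Tuple

# SIL -> (lower bound inclusive, upper bound exclusive), from the table above.
LOW_DEMAND_PFD: Dict[int, Tuple[float, float]] = {
    4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
HIGH_DEMAND_PFH: Dict[int, Tuple[float, float]] = {
    4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
HOURS_PER_YEAR = 8760.0


def sil_from_measure(value: float, table: Dict[int, Tuple[float, float]]) -> int:
    """SIL whose band contains value; 0 if weaker than SIL 1. Anything below
    the SIL 4 band is still reported as 4 (the table stops there)."""
    for sil in (4, 3, 2, 1):
        lo, hi = table[sil]
        if lo <= value < hi:
            return sil
    return 4 if value < table[4][0] else 0


def demand_mode(demands_per_year: float, proof_tests_per_year: float) -> str:
    """Low demand per the table header: at most once a year and no more than
    twice the proof-test frequency; otherwise high demand (use PFH, not PFD)."""
    if demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year:
        return "low"
    return "high"


def required_pfd(initiating_freq_per_year: float, ipl_pfds: List[float],
                 tolerable_freq_per_year: float) -> float:
    """LOPA: each independent protection layer already credited reduces the
    event frequency by its PFD; the safety function must close the rest of
    the gap to the tolerable frequency. Returns the largest PFDavg the
    function may have (1.0 means no safety function is needed)."""
    mitigated = initiating_freq_per_year * math.prod(ipl_pfds)
    return min(1.0, tolerable_freq_per_year / mitigated)


def pfd_avg_1oo1(lambda_du: float, proof_interval_h: float) -> float:
    """Simplified IEC 61508-6 estimate for a single channel: lambda_DU * T / 2."""
    return lambda_du * proof_interval_h / 2.0


def pfd_avg_1oo2(lambda_du: float, proof_interval_h: float) -> float:
    """Simplified estimate for two redundant channels with no common-cause
    term: (lambda_DU * T)^2 / 3. Common cause (beta factor) dominates real
    1oo2 designs and must be added before claiming this figure."""
    return (lambda_du * proof_interval_h) ** 2 / 3.0


def allocate(initiating_freq: float, ipl_pfds: List[float], tolerable_freq: float,
             proof_tests_per_year: float, lambda_du: float) -> dict:
    """Required SIL for the scenario and whether 1oo1 / 1oo2 designs meet it."""
    target = required_pfd(initiating_freq, ipl_pfds, tolerable_freq)
    interval_h = HOURS_PER_YEAR / proof_tests_per_year
    designs = {"1oo1": pfd_avg_1oo1(lambda_du, interval_h),
               "1oo2": pfd_avg_1oo2(lambda_du, interval_h)}
    return {
        "demand_mode": demand_mode(initiating_freq, proof_tests_per_year),
        "required_pfd": target,
        "required_rrf": 1.0 / target,
        "required_sil": sil_from_measure(target, LOW_DEMAND_PFD),
        # Landing in the SIL band is not enough: the design must also be at
        # or below the scenario's own PFD target.
        "designs": {name: {"pfd_avg": pfd,
                           "sil_capability": sil_from_measure(pfd, LOW_DEMAND_PFD),
                           "meets_target": pfd <= target}
                    for name, pfd in designs.items()},
    }


if __name__ == "__main__":
    # Constructed scenario: BPCS failure once per 10 years; operator response
    # to alarm (PFD 0.1) and a relief valve (PFD 0.01) already credited;
    # tolerable frequency 5e-7 per year; yearly proof test; lambda_DU 2e-6/h.
    import json
    print(json.dumps(allocate(0.1, [0.1, 0.01], 5e-7, 1.0, 2e-6), indent=2))
```

With these figures the scenario needs SIL 2 with a PFD target of 5e-3. The single channel lands inside the SIL 2 band (8.76e-3) yet still misses the target, which is the trap of reading the SIL band instead of the scenario's own number; the 1oo2 channel reaches the SIL 3 band on the simplified formula, but only until a common-cause term is added.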
Assigning a SIL level:
EN IEC 62061 => SIL
EN ISO 13849-1 => PL (replacing the EN 954-1 categories)
● Determination of performance level PL
● In this example the safety function is the disconnection of a motor
when the safety guard is open. Without the guard the possible harm is
to lose an arm. With the answers S2, F2 and P2 the graph leads to
a required performance level of PLr = e.
Risk graph for the required performance level (PLr); the starting point is the
evaluation of the contribution to risk reduction of the safety function:
S1, F1, P1 -> a (low contribution to risk reduction)
S1, F1, P2 -> b
S1, F2, P1 -> b
S1, F2, P2 -> c
S2, F1, P1 -> c
S2, F1, P2 -> d
S2, F2, P1 -> d
S2, F2, P2 -> e (high contribution to risk reduction)
S = Severity of injury
S1 = Slight (normally reversible) injury
S2 = Serious (normally irreversible) injury including death
F = Frequency and/or exposure time to the hazard
F1 = Seldom to less often and/or the exposure time is short
F2 = Frequent to continuous and/or the exposure time is long
P = Possibility of avoiding the hazard or limiting the harm
P1 = Possible under specific conditions
P2 = Scarcely possible
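The risk graph above is a lookup on three parameters, and the S, F and P sections earlier give the decision rules for each. The block below, an added example rather than code from the original slides, encodes the graph and those rules and reproduces the slide's guard/motor case (S2, F2, P2 gives PLr = e). It also checks a candidate design against the required PL using the PL-to-PFH bands and the PL/SIL correspondence from ISO 13849-1, which the slides mention but do not reproduce; the candidate design's PFH of 5e-8 per hour is a constructed figure.

```python
"""ISO 13849-1 risk graph as a function (added example, not code from the
original slides). The S/F/P parameters and the resulting required performance
level PLr are read off the risk graph above; the PL-to-PFH bands and the
PL/SIL correspondence are from ISO 13849-1 (tables not reproduced on the
slides). The guard/motor case is the one worked on the slide above."""
from typing import Dict, Tuple

# Path through the risk graph -> PLr, as drawn above.
RISK_GRAPH: Dict[Tuple[str, str, str], str] = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
# PL -> average probability of a dangerous failure per hour (lower incl., upper excl.)
PL_PFH: Dict[str, Tuple[float, float]] = {
    "a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6), "e": (1e-8, 1e-7),
}
PL_TO_SIL = {"a": 0, "b": 1, "c": 1, "d": 2, "e": 3}  # 0: no SIL correspondence
PL_ORDER = "abcde"


def severity(injury_reversible: bool) -> str:
    """S1 slight (normally reversible); S2 serious/irreversible or death."""
    return "S1" if injury_reversible else "S2"


def frequency(accesses_per_hour: float, exposure_long: bool) -> str:
    """F2 for frequent/continuous or long exposure. The fallback rule from the
    frequency section above is the cut-off: more than once per hour is F2."""
    return "F2" if accesses_per_hour > 1.0 or exposure_long else "F1"


def avoidance(realistic_chance_to_avoid: bool) -> str:
    """P1 only if there is a realistic chance to avoid or significantly reduce harm."""
    return "P1" if realistic_chance_to_avoid else "P2"


def required_pl(s: str, f: str, p: str) -> str:
    """Walk the risk graph for one S/F/P path."""
    return RISK_GRAPH[(s, f, p)]


def pl_from_pfh(pfh: float) -> str:
    """Achieved PL of a design from its PFH; 'none' if worse than PL a."""
    for pl in ("e", "d", "c", "b", "a"):
        lo, hi = PL_PFH[pl]
        if lo <= pfh < hi:
            return pl
    return "e" if pfh < PL_PFH["e"][0] else "none"


def assess(hazard: str, injury_reversible: bool, accesses_per_hour: float,
           exposure_long: bool, realistic_chance_to_avoid: bool,
           design_pfh: float) -> dict:
    """Required PL for the hazard, plus whether a design with design_pfh meets it."""
    s = severity(injury_reversible)
    f = frequency(accesses_per_hour, exposure_long)
    p = avoidance(realistic_chance_to_avoid)
    plr = required_pl(s, f, p)
    achieved = pl_from_pfh(design_pfh)
    meets = achieved != "none" and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)
    return {"hazard": hazard, "S": s, "F": f, "P": p, "PLr": plr,
            "SIL_equivalent": PL_TO_SIL[plr], "achieved_PL": achieved,
            "meets_PLr": meets}


if __name__ == "__main__":
    # Slide example: motor behind an interlocked guard; losing an arm (S2),
    # operator reaches in several times an hour (F2), no chance to pull back
    # in time (P2). The design PFH of 5e-8/h is a constructed figure.
    print(assess("guard opened while motor runs", False, 10.0, False, False, 5e-8))
```

Note that PFH alone does not establish a PL: ISO 13849-1 also requires the category (architecture), DCavg and MTTFd from the "Relationship Between Different Criteria" table, so the PFH check here is the necessary condition, not the whole verification.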