Functional Safety and Control Reliability
Engineering controls are the second level in the Risk Reduction Hierarchy, immediately following Elimination or Substitution of the hazard. Some engineering controls, such as fixed and movable barrier guards, do not on their own need a reliability analysis, as long as the basic design requirements for the guard have been met. It is the interlocks and safeguarding devices connected to the control system that carry the reliability requirement.
Movable guards are required to have interlocks by all modern machinery standards. Safeguarding devices including light curtains, safety mats, area scanners, and similar presence-sensing equipment must also be connected to the control system of the machinery. Since these devices are all required to work automatically to protect workers when they may not be aware of a potential danger, these systems must be reliable. The question is...how reliable?
Control reliability requirements are also applied to Emergency Stop systems.
Emergency Stop and Safeguarding systems are not the same, and may have differing levels of reliability requirements, with safeguarding typically requiring higher levels of reliability.
In North America, CSA and ANSI have been including control reliability information in their standards. In Canada, CSA Z432 and CSA Z434 include some basic definitions for control reliability that are similar to the definitions developed in Europe in the mid-1990s. In the USA, AMT is the secretariat for development of the ANSI B11 family of Machine Tool standards, and the RIA is the secretariat for industrial robots, responsible for ANSI/RIA R15.06 and the newly adopted ANSI/RIA/ISO 10218-1.
These standards all use the same basic hierarchy for describing control reliability:
- SINGLE CHANNEL
- SINGLE CHANNEL, MONITORED
- CONTROL RELIABLE
These descriptions speak to the architecture of the circuits or systems, and in a general way to the selection of the components used, but do not apply the concepts of functional safety beyond this basic level.
North America is slowly harmonizing with the International community and Europe by adopting International Standards (ISO & IEC). The recent US adoption of ISO 10218-1 for industrial robots* signals the coming end of the old definitions for control reliability, and the coming adoption of the ISO and IEC definitions in ISO 13849-1 and IEC 62061.
*Update: The USA has now adopted ISO 10218-1 & -2 as ANSI/RIA R15.06-2012. CSA has also updated CSA Z434 following ANSI's lead. The new version of this standard, replacing the 2003 edition, will be published in 2014.
Europe & International
In the mid-1990s, CEN, the European Committee for Standardization, published a standard called EN 954-1 – Safety of Machinery - Safety Related Parts of Control Systems - Part 1: General Principles for Design. The scope of this standard dealt primarily with hard-wired controls, and touched only briefly on programmable electronic controls. This standard introduced the idea that the reliability of the safety-related parts of the control system should be driven by the risk reduction requirements of the application.
EN 954-1 also introduced the concepts of reliability categories - the now familiar Category B, 1, 2, 3 and 4. These categories and the related circuit architecture should be a basic part of your circuit design library. If these categories aren't already part of your circuit design library, we need to talk!
During the period that EN 954-1 became commonly known, the IEC introduced a new standard that dealt specifically with the reliability requirements of electrical, electronic and programmable electronic (E/E/PE) safety-related systems, IEC 61508. This multi-part standard brought in a new set of categories, or more properly, Safety Integrity Levels (SILs). There are four SILs, SIL 1 to SIL 4, that are based on failure rates as opposed to circuit architectures. This standard brought the idea of Functional Safety into the standards world, but it also introduced a lot of confusion for machine builders.
In an effort to address the specific needs of machine builders using programmable equipment in their safety systems, IEC developed a product family standard, IEC 62061 – Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. This standard is built on the foundation created by the IEC 61508 family.
Development on EN 954-1 became an ISO project and the standard was renumbered as ISO 13849-1. Two other documents were also included: ISO 13849-2 – Validation (its EN 954-2 counterpart was never published as a full CEN standard), and ISO/TR 13849-100, a Technical Report developed by the US TAG to ISO TC 199 that provides some excellent guidance on the application of the standard.
In 2006 a new edition of ISO 13849-1 was published, and again, this one threatens to give machine builders some significant headaches. The standard introduces the idea of Performance Levels, or PL. There are five Performance Levels, PLa through PLe. The performance levels are increasingly reliable as you go from PLa to PLe, and each is defined by a band of average probability of dangerous failure per hour (PFHd), similar to the failure-rate approach of IEC 61508. The standard keeps the familiar Category B through 4 architectures and adds additional factors: the mean time to dangerous failure of each channel (MTTFd), the average diagnostic coverage (DCavg), and common cause failure (CCF) measures.
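As an added worked example (not from the original article), the simplified procedure of ISO 13849-1:2006 for one safety function in Python: the required PL (PLr) from the Annex A risk graph, the achieved PL from the Table 7 combination of Category, DCavg band and MTTFd band, and the check that the achieved PL meets the requirement. The table values are transcribed from the 2006 edition as I recall them and should be verified against the edition you design to; the fallback rule for a DC band higher than the column the table lists for a category, and the press/light-curtain scenario, are assumptions made for the example.

```python
"""ISO 13849-1:2006 simplified procedure for one safety function.
Added example, not code from the original article.
Steps: risk graph -> PLr; Category + DCavg + MTTFd -> achieved PL; PL >= PLr."""

PL_ORDER = "abcde"                       # PLa (least reliable) .. PLe (most reliable)
DC_ORDER = ["none", "low", "medium", "high"]

# Annex A risk graph: (severity, frequency/exposure, possibility of avoidance) -> PLr
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Table 7 (simplified procedure): (Category, DCavg band) -> {MTTFd band: PL}.
# None means the combination is not covered by the simplified procedure.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# Average probability of a dangerous failure per hour for each PL (Table 3): [lower, upper)
PFHD_RANGE = {
    "a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6), "e": (1e-8, 1e-7),
}


def required_pl(severity, frequency, avoidance):
    """PLr from the risk graph, e.g. ("S2", "F2", "P1") -> "d"."""
    return RISK_GRAPH[(severity, frequency, avoidance)]


def mttfd_band(mttfd_years):
    """Band the per-channel MTTFd: low 3..<10 y, medium 10..<30 y, high 30..100 y.
    The standard caps MTTFd at 100 years, so larger values stay 'high'."""
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years is outside the scope of the procedure")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_band(dcavg_percent):
    """Band the average diagnostic coverage: none <60%, low 60..<90%, medium 90..<99%, high >=99%."""
    if dcavg_percent < 60:
        return "none"
    if dcavg_percent < 90:
        return "low"
    if dcavg_percent < 99:
        return "medium"
    return "high"


def achieved_pl(category, dcavg_percent, mttfd_years):
    """PL reached by the architecture, or None if Table 7 does not cover it.
    Assumption in this example: a DC band above the highest column listed for the
    category (e.g. Cat 3 with DC high) uses the highest listed column, which is a
    conservative lower bound because more diagnostic coverage never lowers the PL.
    A DC band below every listed column (e.g. Cat 2 with DC none) is not covered."""
    dc = DC_ORDER.index(dc_band(dcavg_percent))
    usable = [b for (cat, b) in TABLE_7 if cat == category and DC_ORDER.index(b) <= dc]
    if not usable:
        return None
    column = max(usable, key=DC_ORDER.index)
    return TABLE_7[(category, column)][mttfd_band(mttfd_years)]


def meets_requirement(pl_required, pl_achieved):
    """True when the achieved PL is at least the required PL."""
    return pl_achieved is not None and PL_ORDER.index(pl_achieved) >= PL_ORDER.index(pl_required)


if __name__ == "__main__":
    # Constructed scenario (assumption): a light curtain guarding a press.
    # Serious injury (S2), frequent access (F2), avoidance possible (P1) -> PLr d.
    plr = required_pl("S2", "F2", "P1")
    for cat, dc, mttfd in (("3", 85, 45), ("2", 70, 45)):
        pl = achieved_pl(cat, dc, mttfd)
        verdict = "OK" if meets_requirement(plr, pl) else "NOT SUFFICIENT"
        print(f"Cat {cat}, DCavg {dc}%, MTTFd {mttfd} y -> PL {pl}; PLr {plr}; {verdict}")
```

The two designs in the scenario show the point of the "additional factors": both use tested, well-rated components, but only the Category 3 (dual-channel, monitored) architecture reaches PLd, while the single-channel Category 2 design with the same MTTFd stops at PLc. CCF is not modelled here; the standard requires a minimum CCF score for Category 2 and above before Table 7 may be used.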
As of 28-December-2009, EN 954-1 has another two years to run before it no longer provides a presumption of conformity in the EU under the Machinery Directive. EN ISO 13849-1 and EN IEC 62061 are set to replace EN 954-1 on 29-Dec-2012. As a machine designer and builder you need to be ready.