Making the choice – Which Safety Control Standard?
15 March 2017
In this article, Stewart Robinson of TÜV SÜD Product Service looks at the two different standards for safety related controls, EN 62061 and EN ISO 13849-1, and advises on which should be applied in a particular application.
Safety Control Standards
A safety related control function is one of the measures that contributes to the overall reduction of risk with machinery. Two standards relating to safety related control systems can be followed (EN ISO 13849-1 and EN [IEC] 62061) to demonstrate compliance with the Machinery Directive. While the methods are quite different, the outcomes should be the same (or very similar) for any given function. The required integrity levels are also expressed differently, with EN 62061 using Safety Integrity Levels (SIL) and EN ISO 13849-1 using Performance Levels (PL) as measures.
Having two different standards for safety related controls, both harmonised to the Machinery Directive, has left many people confused about which should be applied in a particular application. EN 62061 applies to electrical, electronic and programmable electronic control systems, whereas EN ISO 13849-1 is not technology specific, so it can be applied for electrical, pneumatic, hydraulic and mechanical safety systems.
However, EN ISO 13849-1 does not specifically define what risk assessment method should be used to define the performance level, only that it should ultimately be shown as a number. Both EN ISO 13849-1 and EN 62061 contain examples of risk assessment methods to establish the risk reduction that is required from a particular safety function on a machine, so this means either can be used to generate a performance level value.
EN 62061 risk assessment process
The severity of possible harm (Se) is assessed in one of four levels – ‘death, loss of eye or arm’, ‘broken limb(s), loss of finger(s)’, ‘requiring attention from a medical practitioner’ and ‘requires first aid on-site’ – each level receiving points according to the severity.
The frequency and exposure time to a hazard (Fr) has five levels, which are given points according to the duration, e.g. five points if the duration is less than or equal to one hour, and two points if it is more than one year.
The probability of the hazardous event occurring (Pr) is then assessed by considering three further parameters with a range of point scores, while the final parameter ‘probability of avoiding or limiting the harm’ (Av), requires more careful consideration and the Standard contains some detailed explanations about the various choices.
The sum of the Fr, Pr and Av parameters determines the class of probability (Cl), and this value is mapped against the severity score to give a target SIL of 1, 2 or 3. The SIL is then expressed in terms of the average probability of a dangerous failure per hour.
ISO 13849 risk assessment process
For the risk assessment process within EN ISO 13849-1, S1 and S2 denote the relative severity of the injury, i.e. slight or serious, while F1 and F2 reflect the degree of frequency and/or exposure to the hazard. P1 and P2 reflect the possibility of avoiding the hazard or limiting harm and the probability of occurrence. The final output of this risk graph is the required performance level (PLr), which is graded a to e. Clearly, the greater the risk of exposure to a hazard, the higher the performance of the safety related control needs to be.
Those who use both EN ISO 13849-1 and EN 62061 may also be confused by the different terminology each uses. For example, PLb under EN ISO 13849-1 is roughly equivalent to a low EN 62061 safety integrity level (SIL) of 1. Likewise PLc is equivalent to a high SIL 1, while PLd is SIL 2 and PLe is SIL 3.
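A worked version of the risk graph and the PL-to-SIL correspondence described above, added here as an example and not part of the article. The S/F/P to PLr mapping and the PFHD bands are taken from EN ISO 13849-1 (the Annex A risk graph and Table 3); the check that a design's calculated PFHD falls within the PLr band is a deliberate simplification that ignores Category, diagnostic coverage and common cause failures.

```python
# Added example (not from the article): EN ISO 13849-1 risk graph,
# PFHD bands per PL, and the rough PL -> SIL equivalence the article gives.
from typing import Optional

# Annex A risk graph: (S, F, P) with each parameter 1 or 2 -> required PL.
_RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Table 3: PFHD band per PL, per hour (lower bound inclusive, upper exclusive).
_PFHD_BAND = {
    "a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6), "e": (1e-8, 1e-7),
}

# Rough equivalence as stated in the article; PL a has no SIL counterpart.
_PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def required_pl(severity: int, frequency: int, avoidance: int) -> str:
    """Return PLr ('a'..'e') for S1/S2, F1/F2, P1/P2 (pass 1 or 2 each)."""
    key = (severity, frequency, avoidance)
    if key not in _RISK_GRAPH:
        raise ValueError("each risk graph parameter must be 1 or 2")
    return _RISK_GRAPH[key]


def achieved_pl(pfhd: float) -> Optional[str]:
    """Map a calculated PFHD (per hour) onto the best PL whose band it
    satisfies; None if it is worse than PL a (>= 1e-4/h)."""
    if pfhd >= 1e-4:
        return None
    for pl in "edcba":            # best PL first
        if pfhd < _PFHD_BAND[pl][1]:
            return pl
    return None                   # unreachable: every value < 1e-4 matched


def meets_plr(plr: str, pfhd: float) -> bool:
    """True if the PFHD-derived PL is at least as good as PLr.
    Simplification: Category, DC and CCF requirements are not checked."""
    got = achieved_pl(pfhd)
    return got is not None and got >= plr   # 'e' > 'd' > ... > 'a'


def sil_equivalent(pl: str) -> Optional[int]:
    """Rough EN 62061 SIL corresponding to a PL (None for PL a)."""
    return _PL_TO_SIL[pl]


if __name__ == "__main__":
    plr = required_pl(2, 1, 2)    # serious injury, rare exposure, hard to avoid
    print(plr, sil_equivalent(plr), meets_plr(plr, 4.5e-7), meets_plr(plr, 2e-6))
```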
Updates to ISO 13849
Because of the confusion in the market place, as two standards can be used to achieve the same goal, the standards organisations had intended to merge them. However, following the collapse of this project, ISO published a new version of its standard (EN ISO 13849-1:2015). Some of the key changes are highlighted below.
Firstly, when looking for guidance on the choice of which standard to adopt, Table 1 has been removed and replaced by a reference to the technical report ISO/TR 23849.
References have been updated throughout the new standard, mainly to reflect changes in other standards. Some definitions have also been added, including a definition of ‘Proven in use’, and the addition of ‘T10d’ defined as the “Mean time until 10 % of the components fail dangerously”.
Previously the expression 'average probability of a dangerous failure per hour' had been used in full throughout the standard. Now, the abbreviation PFHD is also used, delivering some consistency between EN ISO 13849-1 and other functional safety standards. Likewise, the term 'subsystem' is now included as an alternative term for Safety Related Parts of Control Systems (SRP/CS).
Safety-related controls must function to the required performance levels
The flow chart giving an overview of the risk reduction process now includes systematic failures in the list of things to consider when evaluating the required Performance Level (PLr). To achieve PLd with Category 2 architectures it is now a normative requirement for the Output of Test Equipment (OTE) to initiate a safe state.
The requirements for Safety Related Embedded Software (SRESW) include clear restrictions on the use of some Programmable Electronic Systems according to the PLr. Components for which the SRESW requirements are not fulfilled (e.g. PLCs without a safety rating from the manufacturer) may be used under the following alternative conditions:
• the SRP/CS is limited to PL a or b and uses category B, 2 or 3;
• the SRP/CS is limited to PL c or d and may use multiple components for two channels in category 2 or 3. The components of these two channels use diverse technologies.
There is also clarification that the use of the Risk Graph in Annex A is not mandatory, and that other methods to establish PLr of the safety functions can be used instead. The guidance on selecting some of the parameters is expanded, and it is made clear that the selection of P1 or P2 should consider both the possibility to avoid and the probability of occurrence of the hazardous event.
Annex I 'Examples' has been completely revised with example A (single channel) having a PLr of PLc, and example B (dual channel) having a PLr of PLd. More detail is now also given to the reliability data used in the examples to make them more in keeping with actual 'real world' applications.
Validation is vital
An analysis by the Health and Safety Executive (HSE) of incidents connected with safety related parts of control systems revealed that poor design and implementation, together with incorrect specification, accounted for 59 per cent of the causes identified. That represents a significant amount of downtime for factories that rely on machinery to do business effectively, and these are exactly the types of problem that a full validation process could have uncovered before the control system went into service. End-users of machinery are therefore increasingly demanding full validation of a machine before they purchase it, so it is important that they understand what this involves.
Following a process
• the specified safety characteristics of the safety functions provided by that part, as set out in the design rationale, and
• the requirements of the specified performance level (see ISO 13849-1:2006, 4.5):
• Validation should be carried out by persons who are independent of the design of the safety-related part(s).”
As a preliminary step, the engineer designing the machine will have carried out a risk analysis to identify the required performance levels (PLr) of the safety functions that provide part of the overall risk reduction appropriate to the hazards associated with the machine, a procedure that is covered by EN ISO 13849-1. The engineer will then have designed a control system that is capable of meeting the PLr of the safety functions. This is done by considering the categories within the Standard and carrying out detailed calculations involving the ‘mean time to dangerous failure’ for the chosen components, along with diagnostic coverage and common cause failures.
The validation process must re-examine all of these steps, and it is now clear why independent validation is so important, as engineers validating their own work could all too easily duplicate any mistakes they made at the design stage. However, validation doesn’t finish with re-examining the design, as it must also look at the implementation of the SRP/CS and verify its functionality by testing.
Validation must also take into account the environmental conditions in which the machine will operate, including the effects of shock and vibration, as well as temperature, humidity and the effects of any lubricants and cleaning materials that might be used. Electromagnetic compatibility must also be considered, as should the effects of wear and other forms of deterioration as the machine ages. Finally, the validation process must be fully documented so that the machine manufacturer can produce evidence that validation has been properly carried out.
Carrying out the calculations required by EN ISO 13849-1 and EN 62061 remains a complex task; software tools can help, but it is still a resource-hungry process.
About the author
Stewart Robinson is a member of the Institution of Engineering and Technology, and a member of the Institute of Measurement and Control. He has been a member of the Safety Panel of the InstMC since 2007 and currently chairs that panel. He is also a member of the British Standards Institution committee, which deals with machinery safeguarding (MCE/3), and is listed as a Functional Safety Expert in the TÜV SÜD Certification Programme.