Safety Related Parts of Control Systems, Part 1:
General principles for design.
In Europe, safety-related parts of machine control systems designed according to Std. EN 954-1 remain acceptable only until December 31st, 2011. From January 1st, 2012, compliance with Std. ISO 13849-1:2006 or IEC 62061:2005 is mandatory.
Internationally, machine builders must already comply with the two new standards ISO 13849-1:2006 and IEC 62061:2005, because ISO 13849-1:1999 has been withdrawn.
Std. EN 954-1 has been a harmonized standard since 1996. It classifies the safety-related parts of the control system into five Categories.
Safety categories
The risk evaluation may lead to different risk levels for different parts of the machine. The degree (Category) of the safety measures to be taken shall therefore depend on the actual risk involved in each part.
The Category appropriate to the actual risk is selected with the well-known risk graph, using the three parameters below.
Selection of the Categories
S Severity of injury
S1 Slight injury (usually reversible).
S2 Serious injury (usually irreversible) or death.
F Frequency and/or duration of exposure to the hazard
F1 Seldom to quite often and/or short exposure time.
F2 Frequent to continuous and/or long exposure time.
P Possibility of avoiding the hazard
P1 Possible under specific conditions (escape, or intervention by others).
P2 Scarcely possible (the hazard occurs quickly).
[Figure: risk graph (image not reproduced)]
For Cat. B and Cat. 1 the resistance to faults rests on the robustness of the components (faults are avoided as far as possible).
For Cat. 2, 3 and 4 the resistance to faults rests on the structure of the system (faults are controlled).
Faults are controlled by a cyclic test for Cat. 2, by redundancy for Cat. 3, and by redundancy plus monitoring for Cat. 4.
Operational requirements are specified for each Category.
The failure modes of the electrical components are defined and listed.
The relationship between the Categories and the behaviour of the control system in case of a fault is well defined (deterministic approach).
Note: the Categories are not necessarily fully hierarchical; a higher Category is not automatically "safer" than a lower one in every respect.
| CATEGORY | REQUIREMENTS | BEHAVIOUR | SAFETY PRINCIPLES |
| --- | --- | --- | --- |
| B | Devices designed, manufactured and combined in compliance with the relevant Standards so as to be able to withstand the expected influences. | A fault may result in the loss of the safety function. | Use of selected components. |
| 1 | Same requirements as for category B, but using well-tried safety principles and well-tried components. | A fault may result in the loss of the safety function, but with a lower probability than in category B. | As for category B. |
| 2 | The requirements of category 1 apply. Moreover: the safety function is checked at suitable intervals by the machine control system. | A fault may result in the loss of the safety function between checks. The fault is detected by the check performed before the next working cycle, and the start of a new machine cycle is prevented. | Use of structures and safety circuits able to detect the fault and stop the machine. |
| 3 | The requirements of category 1 apply. Moreover: a single fault shall not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected. | When a single fault occurs the safety function is always performed. Not all faults are detected; an accumulation of undetected faults may lead to the loss of the safety function. | As for category 2. |
| 4 | The requirements of category 1 apply. Moreover: a single fault shall not lead to the loss of the safety function. The single fault is detected at or before the next demand on the safety function; if this is not possible, an accumulation of faults shall not lead to the loss of the safety function. | When faults occur the safety function is always performed; faults are detected in time to prevent the loss of the safety function. | As for category 2. |
Limitations of EN 954-1
The behaviour of the system upon a fault cannot be the only criterion for assessing the performance of the safety-related control system.
Other factors, such as component reliability, may play an important, even decisive, role.
EN 954-1 itself recognizes this in Annex B, stating that "component reliability and the technology used in the application concerned may result in deviation from the Category envisaged."
The Category selection process should therefore be:
• Identify the nominal (reference) Category from the risk analysis, using the risk graph.
• Adjust the selected Category according to component reliability, the technology used, and similar factors.
The second step is largely empirical, and the Standard gives little guidance on it.
In practice the Category is almost always selected from the risk graph alone, disregarding the adjustment for other factors; or the adjustments that are made are so subjective that demonstrating the safety of the system becomes difficult.
Moreover, the widespread use of programmable electronics in machine control has exposed the shortcomings of the deterministic model, which is impracticable for complex control systems, i.e. systems using PLCs, communication links, variable-speed drives and programmable sensors.
For a complex system it is better to evaluate the safety-related performance by estimating the probability that the system will be able to provide protection when needed, or, equivalently, the probability that a dangerous failure occurs within a given period of time, taking component reliability into account.
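The following Python script is an added example, not part of the original article or of any of the standards it discusses. It estimates the probability that a safety function is lost within a given period from the dangerous failure rates of its components, and shows why the deterministic Category alone can mislead: a single channel of one reliable component is compared with a two-channel redundant structure of the same components and with a two-channel structure of poor components. The model assumes constant failure rates (exponential reliability), a period in which no diagnostic test detects a failed channel, and the beta-factor model for common-cause failures; the failure rates and the fraction `beta` are illustrative assumptions, not values from any standard or component catalogue.

```python
import math


def p_dangerous_failure(lambda_d: float, t_hours: float) -> float:
    """Probability that a part with dangerous failure rate lambda_d (failures per hour)
    suffers at least one dangerous failure within t_hours.

    Assumes a constant failure rate (exponential model): the reliability is
    R(t) = exp(-lambda_d * t), so the probability of dangerous failure is 1 - R(t).
    """
    if lambda_d < 0 or t_hours < 0:
        raise ValueError("rate and time must be non-negative")
    return 1.0 - math.exp(-lambda_d * t_hours)


def p_loss_single_channel(lambda_d: float, t_hours: float) -> float:
    """Single-channel structure (Cat. B / Cat. 1 style): any dangerous failure of the
    channel is a loss of the safety function."""
    return p_dangerous_failure(lambda_d, t_hours)


def p_loss_two_channel(lambda_d: float, t_hours: float, beta: float = 0.0) -> float:
    """Two-channel redundant structure (Cat. 3 style) with no diagnostic test during
    the period, so a failed channel is neither detected nor repaired.

    The safety function is lost only if both channels fail. A fraction beta of each
    channel's dangerous failures is assumed to be common-cause, taking out both
    channels at once (beta-factor model); the remaining (1 - beta) fraction fails
    each channel independently.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    p_independent = p_dangerous_failure((1.0 - beta) * lambda_d, t_hours)
    p_common_cause = p_dangerous_failure(beta * lambda_d, t_hours)
    # The structure survives the period only if no common-cause failure occurs
    # AND the two channels do not both fail independently.
    p_survive = (1.0 - p_common_cause) * (1.0 - p_independent ** 2)
    return 1.0 - p_survive


def compare_structures(t_hours: float = 8760.0) -> dict:
    """Constructed comparison over one year of operation (8760 h).

    The failure rates are illustrative assumptions for this example only.
    """
    good = 1.0e-5  # assumed: reliable, well-tried component (dangerous failures/h)
    poor = 1.0e-3  # assumed: cheap component with 100x the dangerous failure rate
    return {
        "single_good": p_loss_single_channel(good, t_hours),
        "two_good_independent": p_loss_two_channel(good, t_hours, beta=0.0),
        "two_good_beta_10pct": p_loss_two_channel(good, t_hours, beta=0.1),
        "two_poor_independent": p_loss_two_channel(poor, t_hours, beta=0.0),
    }


if __name__ == "__main__":
    for name, p in compare_structures().items():
        print(f"{name:24s} P(loss of safety function within 1 year) = {p:.4f}")
```

Two things the numbers show that the Category table does not: redundancy with a 10 % common-cause fraction loses roughly half of the benefit of redundancy, and two poor components in a Cat. 3 style structure are far more likely to fail to protect than a single well-tried component in a Cat. 1 style structure. Treat the model as a first estimate only; periodic testing, repair, and diagnostic coverage (which the newer standards account for) all change the result.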
The new Standards
To overcome the limitations of Std. EN 954-1, two new standards were adopted, ISO 13849-1:2006 and IEC 62061:2005, which combine probabilistic concepts with the established deterministic ones in order to keep pace with technological progress in industrial machinery.
Both standards are harmonized under Directive 98/37/EC with respect to the following essential safety requirement:
Annex I: 1.2 Controls
The same applies to the new Machinery Directive 2006/42/EC (Annex I: 1.2 Control systems).
The two Standards show a number of differences and overlaps, especially in their criteria of application.
ISO 13849-1 may be used regardless of the technology and the type of power involved, i.e. mechanical, hydraulic, pneumatic or electrical.
Its simplified evaluation method, however, applies only to the five designated architectures.
IEC 62061 applies only to electrical control systems.
It gives subsystem reliability formulas only for the four architectures it specifies, which are considered typical of industrial machinery, but they may also be applied to other architectures.
It allows subsystems designed to the requirements of ISO 13849-1:1999 (EN 954-1) to be integrated.