iec 62061 introduction

Copyright exida Asia Pacific © 2013

Singapore +65 6222 5160 Shanghai +86 21 5171 7250Hong Kong +852 2633 7727Germany +49 89 4900 0547USA +1 215 453 1720Switzerland +41 22 364 14 34

Canada +1 403 475 1943United Kingdom +44 2476 456 195Netherlands +31 318 414 505Australia / NZL +64 3 472 7707Mexico +52 55 5611 9858South Africa +27 31 267 1564

Exida Contacts

IEC 62061 IntroductionSingapore 2009Koen Leekens

mailto:[email protected]

Copyright exida Asia Pacific © 2013 Koen Leekens +65 9772 9547

Safety is Only as Strong as its Weakest Link

exida


Topics in this Presentation

exidaSafety Regulatory Environment – Situating the IEC 62061The IEC 62061 Safety Lifecycle Procedures in 8 stepsSummary


Who we are

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product ServicesToday: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide

“Provide independent Services, Training and Tools to help Customers comply to any Industry Standards for Functional

Safety, Cyber Security and Alarm Management”

Rainer FallerFormer Head of TÜV Product ServicesChairman German IEC 61508Global Intervener ISO 26262 / IEC 61508Author of several Safety BooksAuthor of IEC 61508 parts

Dr. William GobleFormer Director Moore IndustriesDeveloped FMEDA Technique (PhD) Author of several Safety BooksAuthor of several Reliability Books


Where we are


What we do

EXIDA SCOPE

Functional Safety

Cyber Security

Alarm Management

SERVICES Tools

Training

Consultancy

Certification

Reference Materials

INDUSTRIESProcess Industry

Automotive

Machine Industry

Power Industry

Rail

End Users

Equipment Manufacturer

Engineering Companies

System Integrators

CUSTOMERS

Reliability


The exida Library

exida publishes analysistechniques for functional safetyexida authors ISA best- sellers for automationsafety and reliabilityexida authorsindustry data handbook onequipment failuredata

www.exida.com


exida Customers (extract from 2000+)

http://coop.cs.umanitoba.ca/Documents/1694/Shell%20Canada%20logo.jpg

http://www.dsm.com/

http://www.solvay.com/


What is Machinery Safety?

It is protecting operators of machines and personnel in the area from being injured by the machineApplication of a machine’s energy in an unintended fashion can cause injury, property damage and business interruption

IEC 62061 : “Assembly of linked parts or components, at least one of which moves, with the appropriate machine actuators, control and power circuits, joined together for a specific application, in particular for the processing, treatment, moving or packaging of a material”

It is NOT guarding the machine from damage!


SRCF: Safety-Related Control Function

Specific single set of actions and the corresponding equipment needed to identify a single hazard and act to maintain or bring the system to a safe state

Permissive Protective Mitigating


SRECS: Safety-Related Electrical Control System

Covers the whole loopCan encompass multiple functions and act in multiple ways to prevent multiple harmful outcomesCan hold different safety-related control functions (SRCF)


Safety Regulatory Environment

13

1980 1985 1990 1995 2000 2005 2010

DIN 31000

DIN V 19250

DIN V VDE 0801

EN 954-1

IEC 61508

IEC 61511

IEC 61513

ANSI/ISA S84.01 1996


Safety Regulatory Environment

14

1980 1985 1990 1995 2000 2005 2010

DIN 31000

DIN V 19250

DIN V VDE 0801

EN 954-1

IEC 61508

IEC 61511

ISO 13849-1

IEC 61513

ANSI/ISA S84.01 1996

IEC 62061

Superseded by 2 standards that co-exist


Relationship with Other Standards

ISO 13849-1Low Complexity SRPCS

IEC 62061 SRECS

IEC 60204Electrical Equipment

ISO 14121Principles for Risk Assessment

ISO 12100Machinery Safety – Basic Concepts

Source ZVEI Flyer “ Safety of Machinery

Certification and CE

IEC 61508Complex Sub-Systems

EN 954-1

Obsolete

Prescriptive + Performance Performance

Prescriptive


Prescriptive Standards


The IEC 62061 is Performance based


Recommended: IEC 62061 - EN ISO 13849

Technology implementing SRCF ISO 13849-1 IEC 62061

A Non-electrical X -B Electromechanical Restricted X

C Complex electronics Restricted X

D Non-electrical andElectromechanical Restricted X

E Complex electronics andElectromechanical Restricted X

F C combined with A, or Ccombined with A and B X X

Source: IEC 62061 - Table 1 - Simplified


Device Manufacturers - Sector Specific Not Available

Which Standard?

IEC 61513Nuclear

IEC 61511Process Industry

IEC 61508Functional Safety for E/E/PES Safety Related Systems

ISO 26262Road Vehicles

End Users - Systems Integrators

IEC 62061Machinery


European Machine Safety

EN294Safety Distances

EN1050/ISO14121Risk AssessmentISO13849

Safety Related Part Control Systems

EN292 General Principles

EN60204-1Electrical Equipment

EN 61496Light Curtains

IEC 62061 Functional Safety of SRECS

EN 1037Unexpected Start-up

EN 1088Interlocking Devices

EN 60947-5-3Proximity Devices with Fault Protection

EN 60947-5-1Mechanical Switches

EN 1760Safety Mats

EN999The Positioning of Protective Equipment

EN 574Two-Hand Control

EN 953Guards

EN 418Emergency Stop

EN 692Mechanical Presses

EN 1762Food Processing MachinesEN 415

Packaging Machines

EN 693Hydraulic PressesEN 972

Tannery Machines

EN 746Thermo-processing Machines

EN 931Footwear Manufacturing Machines

EN 1114-1Rubber and Plastics Machines

EN 1525Driverless trucks


What do accidents teach us?

Buncefield 2005

Bhopal 1984 Flixborough 1974

Seveso 1976


US Fatal Work Injuries


Primary Cause of SIS Failures?

What is going wrong?Are the existing standards Failing?What are the primary causes?


Primary Cause of Failures?

Specification

Changes after Com-mission

Operation and Main-tenance

Design and Implemen-tation

Installation and Commission

Source Health, Safety & Environmental Agency


Example Specification

Operator Traps Hand


Example Operate and Maintain

Operator loses Hand


Primary Cause of Failures?

Specification

Changes after Com-mission

Operation and Main-tenance

Design and Implemen-tation

Installation and Commission

Source Health, Safety & Environmental Agency

The majority of accidents are:… Preventable if a systematic

Risk-Based Approach is adopted…


Key Aspects of IEC 61508/61511

Safety Integrity Levels (SIL)– Reliable Hardware with predictable failure rates to protect against

Random Failures (Physical)

Safety Lifecycle – Safety Management with controlled and systematic processes to

protect against Systematic Failures (Design)


The IEC 62061 General Structure in 8 Steps

Management of

Functional Safety

Information on machine and its use

Risk Assessment

Determine SRCF’s

Write SRECS SRS

SRECS design & implementation

SRECS integration, testing & installation

Produce information on SRECS use and maintenance

SRECS Validation

1

32

45678

Analyze

Realize

Operate Maintain

Validate

Manage



Management of

Functional Safety


Risk Assessment

Determine SRCF’s

Write SRECS SRS




SRECS Validation

Manage


Management of Functional Safety

Functional Safety Planning (FSM Plan)

Personnel Competency and Roles

Documentation, Configuration Control

Documented Processes

Safety Verification and Validation plan

Tracking and Auditing


Competency

IEC 61508 Personnel Competency“…ensuring that applicable parties involved in any of the overall E/E/PE or software safety lifecycle activities are competent to carry out activities for which they are accountable.” (IEC 61508, Part 1, Paragraph 6.2.1 (h))

IEC 62061 Personnel Competency“Identify persons, departments … that are responsible for carrying out the lifecycle activities…establish a verification plan to include the details of persons, departments and units who shall carry out…” (IEC 62061, Paragraph 4.2.1)

www.cfse.org

http://www.cfse.org/

mailto:www.cfse.org



Management of

Functional Safety


Risk Assessment

Determine SRCF’s

Write SRECS SRS




SRECS Validation

1

32

4

Analyze


Step 1: Machine Use Considerations

Machinery phase of life– New machinery with history of similar types– Novel design or modification to existing machinery

Machinery limits– Intended use(s)– Reasonably foreseeable misuse

Operator type– Public– Trainees– Trained Operators– In each case, identify and document training records

Exposure to others not operating the machinery

1


Step 2 - Iterative hazard and risk assessment

The IEC 62061, IEC 61508 and IEC 61511 are

Risk Based Standards

2


Tolerable Risk?

Rigorous and flexibleConsider all relevant forms of harmConsistent with company and society practice

MoralLegal

Financial

Make plant as safe as possible, disregard costs

Comply with regulations as written, regardless of

cost or actual level of risk

Build the lowest cost plant, keep operating

budget as small as possible

2


Examples (Source HSE UK)

0

0.002

0.004

0.006

0.008

0.01

0.012

0.014

0.016

0.018

0.02

Fatalities per Person per Year

AirTrainBusMotorcycleChemical IndustrySmoking

2


Singapore Workplace Fatality Rate

39

Source WSHCouncil – National Statistics

2


Identify and Analyze All Possible Hazards

Use a systematic method which proactively identifies hazardsUse a “team” approach where possibleBe consistent with the method used (procedure)Inductive methods

– Checklists– What-if?– Failure Mode and Effect Analysis– Fault simulation (control systems)

Deductive methods– Fault Tree Analysis

2


Typical hazards, hazardous situations & events

Mechanical– Crushing, shearing, cutting/severing, entanglement, drawing-in, impact,

stabbing or puncture, friction or abrasionElectrical

– Contact with live parts (direct/indirect), electrostaticThermal

– Burns, scaldsNoise

– High/Low frequency acoustic noise leading to hearing lossVibration

– Hand-held machines leading to neurological and vascular disorders, whole body vibration (posture)

Radiation– Low-frequency, radio frequency, microwaves, infra-red, UV, X and gamma

rays, lasers etc.

Air Systems / Fluids / Water - Fire Control - Natural Gas…


Estimate risk for each hazard

Risk is a measure of:– Severity (Se)

Reversible injury Non-reversible injury Death

– Probability of Occurrence Frequency and Duration of exposure (Fr) Probability of Occurrence (Pr) Probability of Avoiding or limiting (Av)

2

Consequence

Likelihood



43

Consequence

Likelihood

2



Hazard MatrixRisk Graph

Source: Screenprint exSILentiawww.exsilentia.com

2


Safeguard selection considerations

2


Likelihood example: LOPA2


Process Design Changes

Other Safeguards

Estimated Risk (Inherent Risk)

Tolerable Level of Risk

Risk

SRCF: Safety Related Control function

Step 3: Identify Safety Related Control Functions

(defined by Customer per application)

3


3Step 3: Identify Safety Related Control Functions

Identify functional requirements– E.g. Operating modes, response times, operating environment, fault

reaction function etc.

Identify safety integrity requirements– E.g. If the guard door is open, it shall not be possible to start the

machine – Safety integrity requirement


And Assign SIL

User must specifically accept the residual riskQualitative SIL risk ranking matrix– Use “worst case” assumptions– Calculate “Class” = Fr + PR + AV– Decide on Severity– Look up SIL on intersecting column and row

3-4 5-7 8-10 11-13 14-15

Single Death, Losing a complete limb or eye 4 SIL2 SIL2 SIL2 SIL3 SIL3<=1 hour

5Very High

5

Permanent, losing finger(s) 3 OM SIL1 SIL2 SIL3>1 hour to <=

1day5

Likely4

Reversible, medical attention 2 OM SIL1 SIL2>1day to <= 2

weeks4

Possible3

Impossible5

Reversible, first aid 1 OM SIL1>2 weeks to <= 1

year3

Rarely2

Possible3

>1 year2

Negligible1

Likely1

Consequences ClassCl

SeveritySe

Probability of Hazardous event

Pr

AvoidanceAv

RISK MATRIXFrequency

FrDuration >10min

Note: OM = Other Measures necessary

3


Assign SIL: Risk Matrix

3


Assign SIL: Hazard Matrix

3


Safety Integrity Level

SIL 3

SIL 2

SIL 1

Probability of Dangerous failure per hour

(PFHD)

≥10-8 to <10-7

≥10-7 to <10-6

≥ 10-6 to <10-5

IEC 62061 Safety Integrity Levels

Note: SIL 4 is not included in EN IEC 62061

MTTFd

1,140 to11,400 years

114 to 1,140 years

11 to 114 Years

3


EN ISO 13849 Performance Levels

Links risk and control reliability requirements.

PL Average probability of dangerous failure per hour (1/h)

a ≥ 10-5 to < 10-4

b ≥ 3 x 10-6 to < 10-5

c ≥ 10-6 to < 3 x 10-6

d ≥ 10-7 to < 10-6

e ≥ 10-8 to < 10-7

3


Specification = Communication

How the Customer explained it

How it was Sold

How it was Designed

How it was Built

How it was Tested

What the Customer really needed

How it was Maintained

How it was Billed

How it was Installed

How it was Documented

4


SRS Requirements

The SRS contains two types of requirementsFunctional Requirements– Description of the functions of the SF– How it should work

Safety Integrity Requirements– The risk reduction and reliability requirements– How well it should work

4



Management of

Functional Safety


Risk Assessment

Determine SRCF’s

Write SRECS SRS




SRECS Validation

56

Realize


Step 5: SRECS Design & Development

2 Main Requirements to be fulfilled:

1. Hardware Safety Integrity (SILPFH)2. Architectural Constraints (SILAC)

57

5


Step 5: Hardware Safety Integrity SILPFH

Logic Solver

Sensor

Final Control Element

SensorSensor

Final Control Element

Safety Related Control System

Subsystems

Subsystems Elements

PFHSERC = Σ PFHSub

Where to find the Failure Rates?

5


Safety Integrity Level

SIL 3

SIL 2

SIL 1

Probability of Dangerous failure per hour

(PFHD)

≥10-8 to <10-7

≥10-7 to <10-6

≥ 10-6 to <10-5

IEC 62061 Safety Integrity Levels

Note: SIL 4 is not included in EN IEC 62061

MTTFd

1,140 to11,400 years

114 to 1,140 years

11 to 114 Years

5


Safe Failure Fraction Hardware Fault Tolerance

0 1 2

< 60% Not allowed SIL1 SIL2

60% ... < 90% SIL1 SIL2 SIL3

90% ... < 99% SIL2 SIL3 SIL3

>= 99% SIL3 SIL3 SIL3

Fault Tolerance N means N+1 faults could cause a loss of the safety function.

IEC 62061 Architectural constraints

Where to find SFF?

5


IEC 62061 Architectural constraints

Safe Failure Fraction Hardware Fault Tolerance

0 1 2

< 60% Not allowed SIL1 SIL2

60% ... < 90% SIL1 SIL2 SIL3

90% ... < 99% SIL2 SIL3 SIL3

>= 99% SIL3 SIL3 SIL3

Fault Tolerance N means N+1 faults could cause a loss of the safety function.

...Defines The Required Architecture

5


Trend toward 61508 certified products

IEC 61508 Certification is a measure of design quality.IEC 61508 Certification provides fully justifiable equipment selection without safety integrity documentation created by the end user. More and more products are getting IEC 61508 Certification

0

5

10

15

20

25

30

1996

1997

1998

1999

2000

2001

200'2

2003

2004

2005

2006

2007

Number of IEC 61508 Certified Sensors

From exida Process Measurement Instrument Market report

5


Automatic SRCF Verification5


6Step 6: SRECS Integration & Testing

Assemble sub-systemsTest correct operation of each safety function by means of an integrated testDocument the integration tests

– Version of specification– Version of system/software– Acceptance criteria– Tools, equipment for calibration– Test results– Discrepancies– Changes made due to discrepancies

Install SRECS in accordance with functional safety plan



Management of

Functional Safety


Risk Assessment

Determine SRCF’s

Write SRECS SRS




SRECS Validation

7 Operate Maintain


7Step 7 : Operation and Maintenance

Operator information– Safeguards implemented– Procedures for use

Technical Information– Equipment description– Overview block diagrams– Circuit diagrams– Enable user to develop procedures

Maintenance Information– Log for maintenance history– Routine actions and replacements– Repair procedures for diagnosed faults– Specification of required tools– Periodic proof testing requirements


SRECS Modification (IEC 62061)

Develop a procedure for modifications to be dealt with, requiring:– Description of modification– Reason(s) for modification– Authorization – Development of a modification plan and chronological logbook for

configuration management history purposes– Analysis of effects – Impact on functional safety– Re-visiting the appropriate design stage for hardware and/or

software– Re-verification and validation activities required– Log of activities and personnel involved in the change– Revision of SRECS documentation, including revision levels of all

documents affected

7



Management of

Functional Safety


Risk Assessment

Determine SRCF’s

Write SRECS SRS




SRECS Validation 8 Validate


Verification & Validation

Verification– Activity of demonstrating for each phase of the Safety Lifecycle, by

analysis and/or tests, that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase. Verification answers the question “Did I complete this activity correctly?”

Validation– Activity of demonstrating, by tests, that the Safety-Related System,

before or after installation, meets the Safety Requirements Specification. Validation answers the question “Did I build the complete system according to specification?”

8



Management of

Functional Safety


Risk Assessment

Determine SRCF’s

Write SRECS SRS




SRECS Validation

1

32

45678

Analyze

Realize

Operate Maintain

Validate

Manage


Summary – IEC 612061

Design and Implementation Requirements for SRECSCompliance = fulfilling relevant Safety RequirementsCareful consideration when to usePerformance StandardRisk Based Standard8 Steps Safety Lifecycle Procedures


Safety is Only as Strong as its Weakest Link

exida


Thank You

iec 62061 introduction

Technology

total power

software failures

software failures

source health

functional

testing amp

safety amp

individual