Safety standard puts premium on good design

IEC62061 can only improve safety provision in the small electrical control sector, especially as it places a premium on good design.

The first reaction of many system designers and small control systems builders when confronted with the new draft safety standard IEC62061, is one of: "Oh no, not another standard".

On closer examination, however, this reaction becomes muted because IEC62061 is not just another standard.

Rather it is a facilitator that enables manufacturers of small control systems to achieve optimum safety solutions using a standardised methodology.

As such, IEC62061 can only improve safety provision in the small electrical control sector, especially as it places a premium on good design.

IEC62061 is being introduced to adapt the requirements in IEC61508, with its vastness, complexity - but plenty of detail, and EN954, with its useful advice - but ambiguities - for the machinery sector.

IEC62061 is not a design standard, but gives a methodology for enabling manufacturers to check the final designs of small control systems to ensure that they meet target requirements.

The methodology provided by IEC62061 is designed to provide a common thread right down the supply line from the safety equipment manufacturer to the customer, the control system builder, and finally the system user.

It will also enable bodies like the HSE to make safety assessment (and enforcement) a more transparent and certain process.

The introduction of IEC62061 is an answer to the problems of achieving functional safety in the machinery sector.

Functional safety is part of the overall safety of machines.

It depends on the correct functioning of safety related electrical control systems (SRECS), other technology related systems and external risk reduction facilities.

At present, of all the incidences of failure in SRECS, more than 60% can be attributed to such factors as specification, design and implementation and installation and commissioning.

By providing greater transparency and standardised methodology, IEC62061, it is envisaged, will greatly reduce this incidence of failure and contribute substantially to improved overall safety on machines.

Although naturally detailed, IEC62061 has three clauses; 4, 5 and 6 that are really the crux of the standard for machinery control system designers and system integrators.

Clause 4 is essentially a statement that good project management is essential to ensure proper provision of functional safety.

It also stresses that safety is not owned by one person but is the right combination of inputs from the component supplier, OEM system builder and user.

Following on from this, Clause 5 states that designers must have a safety specification to which to work.

This is where IEC62061 starts to put a premium on good design.

In the past, perfectly good safety devices could have been used on a machine but with a specification that did not suit the machine operation, hence problems.

In the same way, a machine operating in an arduous environment may have been fitted with plastic bodied safety devices, where metal bodied ones would have been more appropriate - and reliable.

IEC62061 forces designers to consider these issues and to ask such questions as: "what function do devices such as safety interlock switches need to perform? And how good must the devices be at performing these functions?".

At the conclusion of Clause 5 the designer should be equipped with a robust safety specification that can withstand the validation process in Clause 6.

Essentially, Clause 6 is a methodology, an outline and structure designed to take the safety specification from concept through to realisation.

The way this is achieved is through a process known as functional decomposition.

Functional decomposition enables the safety related control functions to be broken up into function blocks.

This is the top-level decomposition, where a failure in any one function block will result in the failure of the safety related control function.

The function blocks are combined to create an architecture for the safety related control system, then the safety requirements for each individual function block are detailed.

Once this has been achieved, the function blocks are further decomposed into safety related subsystems.

The benefit of using subsystems is that it makes the function blocks easier to implement.

In addition, it enables elements such as safety PLCs to be imported from other standards (IEC61508) and used as subsystems in their own right.

The subsystems are now broken down into elements, these being the devices or components required to provide the function and integrity requirements allocated to each safety related function.

No two applications are the same, but if a safety switch performs a major function on its own, then it is, in itself, a subsystem.

If it is only a part of a subsystem, however (eg one of two safety switches combined with diagnostics), then the requirements on it are not so great, enabling a lower integrity safety device to be employed.

With the aid of functional decomposition and risk assessment the designer derives a safety integrity level (SIL) for each subsystem on his machine.

A safety integrity level (SIL) is defined in IEC61508, Part 4, as "a discrete level for specifying the safety integrity requirements of safety functions".

Whereas a safety integrity level is derived from an assessment of risk, it is not a measure of risk.

Rather it is a measure of the intended reliability of a system or function.

The rationale for deriving a SIL is generally this: the greater the risk reduction required the more reliable the safety related control system, so the higher is its SIL.

Helpfully, IEC62061 includes an annexe for users with suggestions how to arrive at SIL levels.

What is important is to ensure that the safety device is doing the right job with the appropriate SIL.

For example: a light curtain may stop a machine but not quickly enough to prevent an operator coming into contact with the moving parts of the machine.

Arriving at the appropriate SIL level under IEC62061 also takes into account the structure and the probability of dangerous failure of the devices used.

This is a realisation that in the real world things - even safety devices - can fail.

Therefore, IEC62061 forces the designer to consider this issue when arriving at appropriate SIL levels for each subsystem in a machine.

Here, once again IEC62061 provides help in the form of tables, which equate SIL levels with probability of dangerous failure.

At the conclusion of this process the system designer must determine a SIL level that can be claimed for the SRECS overall.

This must be less than or equal to the lowest value of the SIL claim limits of any of the subsystems for hardware safety integrity and architectural constraints.

Once this has been determined the way is open for the "as designed" system structure to be documented, followed by the implementation of the SRECS itself.

The date for the implementation of IEC62061 is the end of 2004.

However, the facilities and methodologies provided within the draft standard mean that it is likely to create interest before that date.

This can only be welcomed as IEC62061 promises to deliver standardised levels of safety provision that will benefit workers at large and also industry, generally, through reduced time lost to accidents.

Back to top