News Release from: Pilz Automation Technology | Subject: Safety of machinery course
Edited by the Engineeringtalk Editorial Team on 02 October 2006
Standard brings subtle differences to directive
What are the implications of BS EN62061 being harmonised to the Machinery Directive?
Although it is all but identical to IEC62061, BS EN62061 (Safety of machinery, Functional safety of safety-related electrical, electronic and programmable electronic control systems) is now harmonised to the Machinery Directive, which makes a subtle but important difference. This article explains the implications for machine builders and those modifying machinery, and looks in detail at what the standard contains.
This article was originally published on Engineeringtalk on 4 Aug 2008 at 8.00am (UK)
Although there is a fair chance that you might have read something about IEC62061 in the last year or two, it is almost certain that you will not have seen anything about BS EN62061:2005 (Safety of machinery, Functional safety of safety-related electrical, electronic and programmable electronic control systems).
Although the two standards' numbers, names and texts are the same, there is a subtle difference that machine builders - and those modifying machinery - should be aware of.
It is widely appreciated today that new machinery for placing on the market in the European Union, and machinery that has been modified, needs to be CE marked.
The key legal requirement for this is that the machinery must meet the essential health and safety requirements (EHSRs) of the Machinery Directive.
Compliance with harmonised standards (ie Euronorms, or standards prefixed with EN) is not a legal requirement, but harmonised standards are considered to be "best advice" documents and therefore offer machine builders an "approved route" to meeting the EHSRs.
If machinery is not constructed in accordance with the harmonised standards, it may be difficult (though not impossible) to demonstrate compliance with the EHSRs, should the need arise.
IEC62061 was published in early 2005 and some machine builders started working with it almost immediately.
However, in January 2006, the standard was harmonised as EN62061 (and BS EN62061 in the UK), with the result that machine builders are now strongly encouraged to comply with its requirements where appropriate.
However, instead of being viewed as a burden, this standard should be seen as a golden opportunity: machine builders can now be more confident that their machines will meet the EHSRs of the Machinery Directive. BS EN954-1 (the standard to which they probably worked previously) has no advice to offer when programmable or software-configurable systems are used within safety-related electrical control systems, other than to say that single-channel programmable systems cannot be used above category B.
BS EN62061 is a sector standard (or "daughter" standard) to the seven-part standard IEC/EN61508: "Functional safety of electrical/electronic/programmable electronic safety-related systems", written specifically for the machinery sector.
It therefore takes a quantitative risk-based approach similar to that found in EN61508, which requires rather more work than the qualitative "risk graph" of EN954-1.
However, it can also be argued that the requirement for a more methodical approach will lead to machinery being built with better, more predictable performance, greater reliability and availability, and capable of delivering an improved return on investment.
In the event of a machine failure or a requirement to modify or upgrade, the improved documentation will also be highly beneficial.
BS EN62061 is primarily aimed at developers and manufacturers of complex plant and machinery utilising programmable controllers and fieldbus networks for safety functions, plus developers of relevant application software and users of complex programmable safety systems that have been developed in accordance with EN61508.
One of the most important clauses in EN62061 is clause 4: "The management of functional safety", which calls for a functional safety plan.
This should describe a policy and strategy for fulfilling the functional safety requirements, as well as identifying persons, departments and other resources that are responsible for carrying out and reviewing each of the activities.
Procedures should be produced and resources provided to record and maintain the information.
Verification and validation plans should also be established.
It must be stressed that all of this requires adequate competence if it is to be completed correctly.
Clause 5: "Requirements for the specification of safety related control functions (SRCFs)", explains how the functional requirements specification and safety integrity requirements for each SRCF should be compiled to create a safety requirements specification (SRS).
Furthermore, the three safety integrity levels (SIL 1, SIL 2 and SIL 3) require that the probability of dangerous failures per hour (PFHd) falls between certain target values, as follows: SIL 1 - 1 failure in 100kh; SIL 2 - 1 failure in 1Mh; and SIL 3 - 1 failure in 10Mh.
Of course the next step in the process is to design the SRECS, which is covered in Clause 6: "Design and integration of the safety related electrical control system (SRECS)".
This clause specifies the requirements for the selection or design of the SRECS to meet the functional and safety integrity requirements specified in the safety requirements specification (SRS).
Clause 6 gives examples of how the SRECS should be broken down into function blocks that are then detailed in terms of their structure, safety requirements and inputs and outputs.
These function blocks are then allocated to subsystems that make up the complete SRECS.
Also covered in Clause 6 are the identification of the probability of dangerous failures (PFHd), estimation of safe failure fractions (SFF), common cause failures (CCF) and diagnostic functions.
Both hardware and software design are discussed, plus development, implementation and testing.
Documentation is a very important aspect of EN62061.
As well as the documentation that will be generated as part of the design process, Clause 7: "Information for use of the safety related electrical control system (SRECS)", explains what information relating to the SRECS should be provided to the user, so that procedures can be developed to ensure the system safety functions are maintained during the use and maintenance of the machine.
Further information is also contained in Clause 10: "Documentation".
It has already been mentioned that a validation plan is required, and the validation process requirements are described in Clause 8: "Validation of the SRECS".
This details how the process should be applied - which depends on the complexity of the SRECS and the assigned SIL.
During installation and commissioning it is often the case that modifications will be found to be necessary.
BS EN62061 Clause 9: "Modification", details the procedure to adopt when modifications are required during the design integration and validation phases of the project.
Modifications must be carried out and correctly documented, with adequate configuration management procedures; the process must be controlled, including action plans.
In terms of a design procedure, BS EN62061 gives a six-stage process: identify the danger zones on the machine; define the risk parameters Se, Fr, Pr, Av (in accordance with Annex A); identify the required Safety Integrity Level (SIL) (in accordance with Annex A); design and implement the necessary safety functions; determine the SILs (by establishing the residual error probability (PFH) and the safe failure fraction (SFF)); and compare the achieved SIL with the required SIL.
The risk parameters are as follows: Se (severity of harm); Fr (frequency and exposure time to the hazard); Pr (probability of occurrence of hazardous event); and Av (possibility to avoid or limit the harm).
Because the standard takes a quantitative approach, all of these parameters can be quantified.
For example, the severity of harm (Se) carries 4 points for an irreversible injury (death, loss of eye or arm), down to 1 point for a reversible injury that requires on-site first aid.
Similarly points are scored for the other risk parameters, with the probability of occurrence of harm (Cl) being the sum of the points scored for Fr + Pr + Av.
The standard contains a look-up table that shows what SIL is required for a given combination of Se and Cl.
It will be appreciated that various factors can affect the residual error probability (PFH), as follows: architecture of control system; failure/error rate of the individual components; quality of error management (diagnostic coverage); test interval; inspection interval or service life; and common cause failures.
All these are covered in detail within BS EN62061, but it is important to note that the required calculations - such as for the failure rate - require data to be collected from suppliers for specific components or, alternatively, generic data may be used.
BS EN62061 gives scores that can be applied to various common cause failures to give an estimation of the common cause factor (beta - expressed as a percentage).
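As an added illustration of the risk-estimation and SIL-comparison stages of the six-stage procedure above (this is not code from the article or from Pilz), the following Python works through Cl = Fr + Pr + Av, the Se/Cl look-up for the required SIL, and the comparison of an achieved PFHd against the SIL bands. The PFHd limits are the article's own figures (1 dangerous failure per 100 kh, 1 Mh and 10 Mh), read as the upper bound of each SIL band. The Se/Cl matrix is an assumption: it is transcribed from memory of Annex A and must be checked against the published standard before being relied on. The sample hazard scores are constructed for the demonstration.

```python
"""Risk estimation and SIL comparison in the style of BS EN 62061 Annex A.

Added example, not code from the article or from Pilz.  Assumptions: the
Se/Cl-to-SIL matrix is transcribed from memory of Annex A and must be
checked against the published standard; the PFHd limits are the article's
figures, taken as the upper bound of each SIL band.
"""
from dataclasses import dataclass
from typing import Optional, Union

SilLevel = Union[int, str, None]  # 1..3, "OM" (other measures), or None

# Cl bands (matrix columns) as inclusive ranges.  Assumed transcription.
CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))

# Matrix rows keyed by Se; entries line up with CL_BANDS.  Assumed transcription.
SIL_MATRIX = {
    4: (2, 2, 2, 3, 3),
    3: ("OM", 1, 2, 3, 3),
    2: (None, "OM", 1, 2, 3),
    1: (None, None, "OM", 1, 2),
}

# Upper PFHd limit (dangerous failures per hour) of each SIL band, from the article.
PFHD_UPPER = {1: 1e-5, 2: 1e-6, 3: 1e-7}


@dataclass(frozen=True)
class RiskParameters:
    """Scores for one hazard, using the parameter names from the article."""
    se: int  # severity of harm: 4 (irreversible) down to 1 (reversible, first aid)
    fr: int  # frequency and exposure time to the hazard
    pr: int  # probability of occurrence of the hazardous event
    av: int  # possibility to avoid or limit the harm

    def cl(self) -> int:
        """Class of probability of harm: Cl = Fr + Pr + Av."""
        return self.fr + self.pr + self.av


def required_sil(params: RiskParameters) -> SilLevel:
    """Look up the required SIL for (Se, Cl) in the assumed Annex A matrix."""
    if params.se not in SIL_MATRIX:
        raise ValueError(f"Se must be 1..4, got {params.se}")
    cl = params.cl()
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[params.se][column]
    raise ValueError(f"Cl={cl} lies outside the 3..15 range of the matrix")


def achieved_sil(pfhd: float) -> Optional[int]:
    """Highest SIL whose band contains the achieved PFHd; None if worse than SIL 1."""
    if pfhd <= 0:
        raise ValueError("PFHd must be a positive rate per hour")
    best = None
    for sil in (1, 2, 3):
        if pfhd < PFHD_UPPER[sil]:
            best = sil
    return best


def compare(params: RiskParameters, pfhd: float) -> dict:
    """Final stage of the procedure: does the achieved SIL meet the required SIL?"""
    req = required_sil(params)
    ach = achieved_sil(pfhd)
    if req is None or req == "OM":
        ok = True  # the matrix demands no SIL for this hazard
    else:
        ok = ach is not None and ach >= req
    return {"cl": params.cl(), "required": req, "achieved": ach, "ok": ok}


if __name__ == "__main__":
    # Constructed sample: an irreversible-injury hazard with frequent exposure.
    press = RiskParameters(se=4, fr=5, pr=4, av=3)
    print(compare(press, pfhd=5e-8))  # SIL 3 required, SIL 3 achieved
    print(compare(press, pfhd=5e-7))  # SIL 3 required, only SIL 2 achieved
```

The second call shows the case the article warns about: a design whose PFHd lands one band short of the required SIL fails the comparison and must be revisited (for example by improving diagnostic coverage, shortening the test interval or reducing common cause failures) before it is validated.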
If you are not familiar with some of the terminology introduced here, it probably all sounds complicated.
And when you see the calculations written down, these can also appear daunting at first sight.
But the standard and its annexes are well written and include examples, so users will most likely get to grips with the principles, terminology and calculations relatively quickly.
Nevertheless, given the potential seriousness of getting any of the procedure wrong - such as an injury to an operative - it is vital to seek assistance from an expert in the event of any difficulty being encountered.
Finally, it should be noted that BS EN954-1 may soon be replaced by a new BS EN13849-1 (currently available as pr EN ISO13849-1), which also uses a quantitative approach to risk assessment and calculations of PFH (residual error probability), though the new standard refers to performance levels rather than the SILs of BS EN62061.
However, because the two standards cover similar ground, it is likely that the next step in the standards development process would be to move towards combining these into one.
Pilz offers a one-day training course, known as the "Introduction to EN62061 and pr EN ISO13849-1 safety of machinery course", which is suitable for designers, engineering managers and others involved in the design, specification or selection of safety-related control systems for machinery, whether they are working on new projects or modifications to existing machinery.
The course goes into far more detail than is possible in an article such as this.