The declared objective is to construct and operate machines in such a way that, when used as intended, no injuries or harm will be caused. Accident statistics show that a hazard present at a machine will cause harm or injury sooner or later if no protective measures are taken. Protective measures are a combination of measures taken by the designer and those implemented by the user. They include measures that can already be implemented during the design phase, that are to be given priority over the measures performed by the user and that are generally more effective than such measures.
The international standard ISO 12100 "Safety of machinery – General principles for design – Risk assessment and risk reduction" provides detailed help with the identification of hazards, describes the risks to be taken into account by the designer, contains principles for design and a method for safe construction and risk reduction. ISO 12100 "Safety of machinery – General principles for design – Risk assessment and risk reduction" describes an iterative method for risk analysis, risk assessment and risk reduction for achieving the required machine safety. Existing machine-specific standards, such as type C EN standards, are to be given priority.
Risk assessment and risk reduction in accordance with ISO12100
Iterative process for risk reduction in accordance with ISO 12100 (source ISO 12100, figure 1)
ISO 12100 recommends the machine designer use the following step-by-step procedure for risk reduction:
- Specify the limits and intended use of the machine
- Identify possible hazards and hazardous situations in all life phases of the machine
- Assess the risk of every identified hazard and every hazardous situation. Here also consider foreseeable malpractice or erroneous operation by operating personnel.
- Evaluate each individual risk and decide whether or not risk reduction is necessary
- Attempt to eliminate or reduce the risk through constructive measures (inherently safe design). If this is not successful, then
- Reduce the risk through the use of technical protective devices (guards such as hard guards or covers or using electro-sensitive protective equipment, e.g. safety light curtains)
- Inform and warn the machine operator regarding the residual risk present at the machine through warning notices on the machine and in the operating instructions
The first four steps describe the risk analysis and risk assessment. Important here is that the risk analysis and risk assessment be performed methodically and documented in an understandable way. In addition to these protective measures selected by the machine designer, it may be necessary for the operating company or machine operator to take additional protective measures to reduce the residual risk. These include:
- Organizational measures (e.g., safe work processes, regular inspections)
- Personal protective devices
- Training and instructing the operating personnel
Risk estimation in accordance with ISO 13849-1
(Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design)
ISO 13849-1 uses a probability-based approach to describe determination of the failure probability of a safety function SF from the characteristic values of the used components.
The previous standard EN 954-1 pursued a qualitative approach with a purely structural description of the category (1 or 2-channel, with or without diagnosis) of a safety function. In ISO 13849-1, this is supplemented by a quantitative assessment of a failure probability for each channel of the safety function. The failure and residual error probability of a safety function is specified as the PFHD (probability of dangerous failures per hour) and – divided into probability ranges – represented as the performance level PL:
|Performance Level (PL)||Average probability of a |
failure to danger per hour (1/h)
|a||> 10-5 up to < 10-4|
|b||> 3 x 10-6 up to < 10-5|
|c||> 10-6 up to 3 x < 10-6|
|d||> 10-7 up to < 10-6|
|e||> 10-8 up to < 10-7|
Performance Level (PL) in accordance with ISO 13849-1
From the level of risk of the hazard(s), which is/are to be reduced by the safety function SF, the required performance level PLr is determined with the help of the risk graph for this safety function (see figure 1). After calculation of the performance level PL achieved with the used components, it is possible by means of comparison to determine whether the achieved value is sufficient. Here, the achieved PL of the safety function must be at least the same as the determined PLr.
A safety function is thereby the reaction to a certain safety-relevant action. For example, when a safety door is opened, the hazardous movements behind the door are to stop and reliably remain switched off. The safety function includes all sensory input elements (e.g. safety light curtain), information transmission and processing units (e.g. safe control) and all control actuators for interrupting the power flow (e.g. contactors), but not drives.
Safety-related characteristic values are required for the individual components. Each of these parts is an element of the safety-related chain and constitutes a separate subsystem.
The following characteristic values of the components and of the safety-related control system play a role in calculating the PL:
Characteristic parameters of ISO 13849-1
Describes the structure (1 or 2-channel) and diagnostic capability (none, low, medium or high).
Mean Time To Dangerous Failure describes the safety-related reliability of a wear-free, safety-related channel of a subsystem and is specified in years.
Equivalent of MTTFD for wearing components such as electrical contacts or valves: specifies the number of switching cycles after which 10% of a statistically relevant quantity of these components are subject to a dangerous failure.
Diagnostic coverage describes the estimated proportion of detected failures relative to the total quantity of possible failures in a subsystem (see ISO 13849-1, Appendix E)
Common Cause Failures describe the independency of the channels and therefore the resilience against systematic design errors (see ISO 13849-1, Appendix F)
Mission time. The maximum mission time of electronic safety components is 20 years because a defined failure behavior occurs within this time period. The actual manufacturer specifications must be observed.
Apart from the probability-based assessments, so-called fundamental and proven safety principles must also be adhered to. If this is not the case, it cannot be assumed that the implemented measures (e.g. sensors and actuators) are appropriate and reduce the risk. This would then mean that evaluation of the residual error probability of the hardware – i.e. the PL – is also pointless. The fundamental and proven safety principles include, for example:
- Quiescent current principle
- Use of proven components
- Start/restart interlocks
- Error lock
- Observance of minimum distances
- Adequate diagnosis
Determining the required performance level PLr
To define the required performance level PLr for each safety function of the safety-relevant control system, a risk assessment must be performed and documented. The informative Appendix A of the standard ISO 13849-1 shows a qualitative procedure for assessing the risk and for determining the PLr.
Figure 1: Risk graph for determining PLr in accordance with ISO 13849-1, Appendix A.
Determining the achieved Performance Level PL
To determine the performance level PL of a safety function, the safety-related characteristic parameters described above are required. The PFHD value of each of the subsystems involved is determined separately. Addition of the PFHD values of the individual subsystems gives the PFHD value of the safety function, from which the PL of the safety function is derived.
Note: The SISTEMA software can be used to calculate the PFHD value of the safety function. SISTEMA was developed by the Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA) and is used for calculating and evaluating the functional safety of control systems in accordance with ISO 13849-1. It is available as freeware under https://www.dguv.de/ifa/praxishilfen/praxishilfen-maschinenschutz/software-sistema/index.jsp. Many component manufacturers provide component libraries which in turn can be integrated in SISTEMA. Leuze's component library can be downloaded free of charge here <<link: https://www.leuze.com/en/US/contact-support/downloads/software/>>.
In our range of machine safety services, we also offer calculation of the performance level using SISTEMA.
The figure below shows a simplified method for determining the achieved PL. It is a graphical method for estimating the PL based on the stated safety-related characteristic parameters of the components. The procedure is as follows: First, the appropriate column is selected. This is determined from the combination of category and DCavg (average of the DC values in the case of multiple components). Then, the associated color range of the bar in the column is determined depending on the MTTFD value of each channel. The resulting PL can now be read off on the left on the vertical axis.
Relation between the categories, DCavg, MTTFd of each channel and the resulting value ranges of DCavg and MTTFD for assignment in the figure
Performance Levels (source: ISO 13849-1)
Risk estimation in accordance with IEC 62061
(Safety of machines - Functional safety of electrical, electronic and programmable electronic safety-related control systems)
This standard contains requirements and recommendations for drafting, integrating and validating safety-related electrical, electronic and programmable control systems (SRECS) for machinery. In contrast to ISO 13849-1, it does not define any requirements for the performance of non-electrical (e.g. hydraulic, pneumatic, electro-mechanical) safety-related control elements for machines. Within the full scope of ISO 12100 it is used as an alternative to ISO 13849-1 for specifying the safety-related performance of safety-related electrical control systems that are required for risk reduction. As a sector-specific standard that falls within the scope of IEC 61508 for the application area of machines, IEC 62061 incorporates the entire SRECS lifecycle, from the concept phase until taking out of operation. The safety-related capacity is described by the Safety Integrity Level (SIL).
SIL risk assessment and definition
The informative Annex A of IEC 62061 includes an example of a procedure for qualitative risk assessment and definition of the SIL. This procedure must be implemented for each hazard, for which an appropriate risk minimization is to be achieved with the help of an SRECS. It is based on the method presented in ISO 12100 and is used for evaluating the risk parameters.
For this purpose, the following risk parameters are considered for each hazard:
- S (Severity): extent of damage - severity of possible injury
- F (Frequency): frequency and duration of exposure
- W (Probability): probability of a hazard occurring
- P (Probability): probability of avoiding or limiting the harm
Each of the parameters is assigned a number according to the criteria in the following table:
The class of the probability of harm K is calculated by adding the numbers for the frequency of the exposure F, the probability of occurrence W and the possibility of avoidance P (K = F + W + P). Based on the following table, the two parameters S and K then determine the associated SIL nominal value or the type of action needed:
Matrix for defining the SIL (source: IEC 62061, Annex A):
|SIL 1 - 3: SIL reference value for the safety-related control function |
(AM): Recommendation of application of other measures
-: No need for action
Draft and integration of an SRECS in accordance with IEC 62061
The necessity of safety functions as measures for risk minimization emerges on the basis of the risk analysis and risk assessment in accordance with ISO 12100. Safety functions that are implemented with SRECSs are divided into sub-safety functions to design the system architecture. These virtual sub-safety functions are then assigned real sub-system elements.
These are either finished developed devices, such as sensors, control units and actuators or complex new components to be designed in accordance with the existing specifications in accordance with IEC 61508 and consisting of hardware with embedded software or application software. In accordance with the system design the achieved safety integrity level (SILCL) is determined and verifies whether or not the SIL has been achieved. The achieved SIL of the overall safety function is always less than or equal to the lowest value of the SILCLs of one of the subsystems.
SRECS architecture consisting of sub-systems and sub-system elements (source: ZVEI "Safety of machinery")
The following characteristic parameters of subsystems and their subsystem elements play a role in calculating the SIL of an SRECS architecture:
Risk estimation in accordance with HaRMONY
The risk graph of ISO 13849-1 is frequently used for assessing the risk at points of operation. This is easy to use, but with the restriction that only two paths are available. Furthermore, it can only be used for control measures and not e.g. for organizing measures. Moreover, it is not possible to perform a final evaluation after a measure has been applied. The same also applies to SIL classification according to IEC 62061.
These were the main reasons why at Leuze an alternative method with the name HaRMONY (Hazard Rating for Machinery and prOcess iNdustrY) was developed and has been used for many years. It is based on the simple, mathematical approach of the HRN method, but includes additions so that the method can be used for all areas of machine safety before and after measures. Furthermore, the risk assessment and the value ranges of the risk parameters were adapted to the standards ISO 13849-1 and IEC 62061, making a separate evaluation in accordance with these standards unnecessary.
The same risk parameters as those from the methods defined in the respective standards are used:
- S (Severity): extent of damage - severity of possible injury
- E (Exposure): presence and duration of presence of persons
- O (Occurrence): probability of a hazard occurring
- A (Avoidance): possibility of avoiding the hazard or of limiting the damage
Each of these parameters is assigned a numerical value in four to eight levels. To determine the risk, these are simply multiplied by each other:
R (Risk): evaluation of the risk R = S x E x O x A
By using HaRMONY before and after the measures, it is extremely easy to verify whether the measures enable sufficient risk reduction.
The parameters with the respective subdivisions are listed below:
The value ranges of the risk parameters were adapted to the parameters of the standards ISO 13849-1 and IEC 62061. From the result of the risk assessment according to HaRMONY, it is thus possible to represent the requirements with respect to control-related safety functions additionally as PL and SIL.