Functional Safety of Machinery - Marco Tacchini - E-Book

Description

FUNCTIONAL SAFETY OF MACHINERY

Enables readers to understand ISO 13849-1 and IEC 62061 standards and provides a practical approach to functional safety in machinery design

Functional Safety of Machinery: How to Apply ISO 13849-1 and IEC 62061 introduces functional safety of machinery as a single unified approach, despite the existence of two standards. Aligning with the latest updates of ISO 13849-1 and IEC 62061, the book explains the intent behind the standards and the mathematical basis on which they are written, details the differences between the two standards, and prescribes ways to put them into practice.

To aid in seamless reader comprehension, detailed examples are included throughout the book which walk readers through concepts like Random and Systematic Failures, High and Low demand mode of operation, Diagnostic Coverage, and Safe Failure Fraction. Other sample topics covered within the book include:

  • Basics of reliability engineering and functional safety
  • Roles of the standards in the design and evaluation of safety functions
  • Description of the Main Parameters used in the two standards
  • How to deal with Low Demand Safety Systems
  • The Categories of ISO 13849-1 and the Basic Subsystem Architectures of IEC 62061
  • How Categories and Architectures can be validated

Machinery design engineers, machinery manufacturers, and professionals in system and industrial safety fields can use this book as a one-stop resource to understand the specifics and applications of ISO 13849-1 and IEC 62061.


Page count: 617

Publication year: 2023




To Laura, Luca and Francesco

Live as if you were to die tomorrow. Learn as if you were to live forever

(Mahatma Gandhi)

Functional Safety of Machinery

How to Apply ISO 13849‐1 and IEC 62061

Marco Tacchini

Technical Director at GT Engineering

Poncarale, Brescia

Italy

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per‐copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750‐8400, fax (978) 750‐4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permission.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762‐2974, outside the United States at (317) 572‐3993, or fax (317) 572‐4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Cataloging‐in‐Publication Data:

Hardback ISBN: 9781119789048

Cover Design: Wiley

Cover Image: © Marco Tacchini

Acknowledgments

This book would not have seen the light without the mindset we have in GT Engineering, the consulting practice on Machinery and Process Safety I have the honour to coach. The team's curiosity, openness and thirst for knowledge were fundamental in writing this book. At the time the book was written, these are the colleagues I thank for being part of the team: Claudia Bruno, Alessandro Castelli, Ezio Compagnoni, Andrea Federici, Matteo Guglielmina, Laura Terenghi, Matteo Zilioli and Guido Zotti.

I am also grateful to some experts I had the pleasure to meet in both the Technical Committee ISO TC 199 Working Group 8 (ISO 13849-1) and the Technical Committee TC 44/MT 62061. I thank them for their openness, patience and technical feedback on the questions I asked them over time.

I would like to thank David Felinski, President of B11 Standards Inc., for his support in the writing of the chapter on Functional Safety in the USA. I also would like to thank Patrick Gehlen, International Standardization Manager at SIEMENS, for the many informal discussions we had on the subject of Functional Safety and for giving good feedback on some parts of the book.

I also would like to thank our customers for giving us the opportunity to put into practice what is written in this book. We learn from them as much as they learn from us. They keep us “feet on the ground” when dealing with Risk Assessment and Functional Safety of Machinery and Process plants.

A special recognition goes to Loredana Cristaldi, Full Professor at Politecnico di Milano, Scuola di Ingegneria Industriale e dell’Informazione, for inviting us every year to discuss the principles of Functional Safety with her students and for the scientific publications done together, and to Giuseppe Tomasoni, Associate Professor at the Department of Mechanical and Industrial Engineering, Brescia University, for inviting us every year to discuss the principles of Functional Safety with his students.

I would not have written this book without the specific support of some colleagues in GT Engineering: Matteo Zilioli did all the drawings, gave good comments on the book and prepared some of the examples. Claudia Bruno contributed by asking good questions and providing some of the answers; she prepared several examples you will find in the book and wrote most of chapter one. The whole Team did the final review of the text, providing excellent feedback and improving its readability.

Last but not least, I am grateful to my wife Laura, for having motivated me during the writing of the book, despite the many weekends and evenings spent on it.

About the Author

Marco Tacchini is Technical Director of GT Engineering, a consulting company (www.gt-engineering.it) based in Italy and specialized in CE Marking, Risk Assessment and Risk Reduction of Machinery according to European Directive 2006/42/EC.

He is a member of several international Technical Committees dealing with Functional Safety, including ISO/TC 199 Working Group 8 for ISO 13849‐1 and ‐2 and IEC/TC 44 Maintenance Team 62061 for IEC 62061. He is also a member of TC 65/SC 65A/MT 61508‐1‐2, TC 65/SC 65A/MT 61511, and TC 44/PT 63394.

Before You Start Reading this Book

When you start a journey, you may wonder what lies ahead, what difficulties you may find, and if you will reach the end of it. Since I would like your journey to be successful, I will give you a few tips before you start.

Figure 0.1 EUC, the process control system and safety instrumented system.

What is Functional Safety?

You need the domain of Functional Safety every time you decide to use an Automation System to reduce the risk associated with a machine or a process. The risk is normally reduced by removing all the energies: these can be electrical (a motor that drives a dangerous movement), pneumatic or hydraulic, but they can also come from process fluids, like methane gas feeding a burner, or from a pump that increases the pressure in a tank. Every time you decide that, in order to eliminate the risk, you need a pressure sensor that, in case of a dangerously high value, triggers the closure of a valve, that is when Functional Safety plays the key role. The issue is that any of the elements of the so‐called Safety Instrumented System can fail.

Why do components fail?

Components fail for two reasons:

They fail because they are not properly designed, manufactured, installed, used or maintained. Take the example of car tyres: if a car is driven with badly inflated tyres, they are likely to fail sooner than normal. These are Systematic Failures: failures due to mistakes in the design, manufacturing, installation or maintenance of the component. Systematic Failures are difficult to estimate and can only be reduced by making sure the whole process, from the component design through to the usage and maintenance of the product, is done properly.

That is the reason for the importance of concepts like Systematic Capability or Systematic Safety Integrity of components, or of Safety‐related Control Systems.

Both ISO 13849‐1 and IEC 62061 define good engineering practices to be followed in order to reduce the probability of Systematic Failures: they are called Basic and Well‐tried safety principles. Moreover, both standards require a Functional Safety Plan. You may refer to Annex I in IEC 62061 or Annex G in ISO 13849‐1.

Even when the whole process (from design to maintenance) is carried out according to correct rules and procedures, components experience Random Failures during their lifetime: these are the failures that can be statistically estimated.

Why do you need special components to take care of the safety of a process or a machine?

Any component can fail, regardless of whether it is suitable for use in a Safety system or not.

Therefore, any Process Control system, for example the one that keeps the temperature in a Heat Treatment furnace under control, can fail, and the temperature may increase until it generates a dangerous situation.

If you are not familiar with functional safety, you may think that the occurrence of the event is so unlikely that it can be disregarded, and that nothing more is needed to declare the furnace safe.

That is not how Functional Safety reasons. Yes, the event has a low probability of happening, but it can happen!

In order to be able to CE mark the furnace, you need to install a Safety system made of components having a known probability of failure. That allows you to calculate the Reliability of your additional Safety Layer. The higher the risk linked to, in our example, the high temperature, the higher its Reliability has to be.

The probability of failure of a component can be given using parameters explained in this book:

  • The failure rate, λ
  • The B10
  • The mean time to failure, MTTF
  • The PFDavg
  • The PFHD

Why is there a distinction between High and Low demand mode of operation?

This is one of the key concepts to understand if you want to be able to get to the end of this journey.

To reach a low probability of failure of a Safety System, the following should be done:

  • Choose components that have a low probability of failure, and
  • Regularly test whether each component is still working, before a dangerous situation happens; in other words, before a demand is placed upon the Safety System. A demand can be, for example, a dangerously high pressure.

Both aspects are influenced by how often the Safety System is used. Consider again a new car that is kept in a garage and used once every five years, compared with one that is used daily. If you want to make sure the former works when you turn the key, you would need to do regular checks, for example starting the engine every three months and verifying that the mechanics are still in good shape. If the car were a Safety System, it would be defined as working in low‐demand mode.

On the other hand, if you use the car every day, most of the checking is done “automatically” while you drive it. You may hear a strange noise that indicates the gearbox is faulty. This car would be a Safety System working in high‐demand mode.

If you think for a moment about these examples, you understand that, depending upon the usage (high‐ or low‐demand mode), the car manufacturer should design some components in a different way; think, for example, of the battery system.

You now understand why a pressure switch, a contactor or a valve used in high‐ or in low‐demand mode:

  • may have different failure rates, and
  • requires different types of testing.

If they work in high‐demand mode, most of the testing can be done automatically (this is called Functional Testing, and it is achieved thanks to what is called the Diagnostic Coverage), while if they work in low‐demand mode, besides functional testing, they also require off‐line testing, called Proof Test.

Why are there so many standards dealing with Functional Safety?

Because there are different industries involved and each industry has tailored the principles stated in IEC 61508 series to its specific situation. In this book, we deal with two Industries:

  • The Process Industry: it is behind the IEC 61511 series of standards. It sees functional safety mainly in low‐demand mode.
  • The Machinery Industry: its standards are ISO 13849‐1 and IEC 62061. They see functional safety mainly in high‐demand mode.

Chapter 2 is written with the aim of clarifying this aspect.

Why are there so many formulas behind Functional Safety Theory?

Because the standards are written by engineers who love formulas, who love to introduce formulas as soon as they see an opportunity and who think formulas are the only thing they need to design a safe system. The issue is that you may decide to do bungee jumping safely by using the finite element analysis to design the elastic cord (Random Failures), but if you forget to attach the cord before jumping (Systematic Failure), the result will be a failure, even if all calculations were correct.

Before you dive into the formulas, you need to understand the key parameters used. You need to become familiar with the concepts of Failure Rate, Diagnostic Coverage, Safe Failure Fraction, and many others. They are all presented and explained in Chapter 3. You will find the formulas used in ISO 13849‐1 and IEC 62061 in Chapters 6 and 7, respectively.

However, please be aware that standards are not written to explain an approach or a methodology; standards are written to be clear about the required safety aspects. A standard states what needs to be done and not necessarily why it was decided to do that way. That is the reason Chapter 1 was written. It gives you the mathematical background needed to understand where the formulas are coming from and what they really mean. If you struggle to understand it, it is not a problem; you will still be able to run all the number crunching required by the two new standards, without any problem.

Why has the validation part of ISO 13849‐2 been included in ISO 13849‐1?

The normative part of ISO 13849‐2 is now included in part 1 of ISO 13849. Part 2 remains valid for the informative annexes only. That is the meaning of the sentence:

[ISO 13849‐1] Introduction. […]

The requirements of Clause 10 of ISO 13849‐1 supersede the requirements of ISO 13849‐2:2012 (excluding the informative annexes).

That was done to give the Validation process the same importance as the rest of the iterative process for the design of the safety‐related control system.

Why are there two standards dealing with Functional Safety of Machinery?

Probably because, when the IEC 61508 series was published and, consequently, IEC 62061 was designed, there was a willingness to keep the basic approach of the Categories of EN 954‐1. The IEC 61508 series was designed to make sure electronics could be used successfully in Safety Systems. In machinery, sensors and final elements were mainly electromechanical, and the concept of the Categories was considered suitable. For that reason, EN 954‐1 evolved into ISO 13849‐1.

From that moment, manufacturers were confused about why two standards were available and which one was the most suitable to assess their application. Some years ago, a Joint Working Group of ISO and IEC was set up with the aim of “merging” both standards as ISO/IEC 17305, but for various reasons it did not complete its assignment.

The main reason why this book was written is to show that the new editions of ISO 13849‐1 and IEC 62061 are very much aligned in their general approach. They still use different terminology: for example, ISO uses the term Safety Related Part of the Control System (SRP/CS), while IEC now uses the term Safety‐related Control System (SCS), but they mean the same concept. IEC uses PFH while ISO uses PFHD, but they mean exactly the same thing: the unreliability of a safety system.

1 The Basics of Reliability Engineering

1.1 The Birth of Reliability Engineering

[EN 764‐7] [20] 3 Terms and definitions

3.14 Reliability. Ability of a system or component to perform a required function under specified conditions and for a given period of time without failing.

The first Reliability models appeared during World War I, and they were used in connection with airplane performance: Reliability was measured as the number of accidents per hour of flight time.

In the 1930s, Reliability concepts and statistical methods were used for quality control of industrial products and, in the 1940s, to analyze missile systems during World War II. At that time, Robert Lusser, a mathematician, established the so‐called “Product probability law of series components.”

Lusser discovered that the Reliability of a system is equal to the product of the reliabilities of the individual components which make up the system. If the system has many components, the system Reliability may therefore be rather low, even though the individual components have high Reliability values.

After the war, interest in the United States was concentrated on intercontinental ballistic missiles and space research; this led to the creation of an association for engineers working with Reliability. The first journal on the subject, “IEEE Transactions on Reliability,” came out in 1963, and several textbooks on the subject were published in that decade. The famous military standard MIL‐STD‐781 was created at that time. Around that period, the much‐used predecessor of Military Handbook 217 was also published by RCA, the Radio Corporation of America, and was used for the prediction of failure rates of electronic components.

In the following years, more pragmatic approaches were developed and used in the consumer industries. Reliability tools and tasks became more closely tied to the engineering design process.

Today, the study of Reliability engineering permits not only the evaluation of the conformity of a device over time but also the comparison of different design solutions with the same functional characteristics. It can also identify, inside an apparatus, the subsystems or critical elements that could cause a failure or malfunction of the apparatus itself and that therefore need corrective action. For this reason, Reliability has an important role in modern design and constitutes a competitive element, even in the light of stricter safety requirements.

1.1.1 Safety Critical Systems

A part of the Reliability studies deals with Safety Critical Systems. Those are systems whose failure could result in the loss of lives or significant damage to properties or to the environment [58].

In the 1970s, the design principles of safety‐critical systems, both in Machinery and in the Process Industry, were the following:

  • Single‐channel system (no redundancy). This architecture would be regarded as a basic design having minimum safety performance.
  • Dual‐channel system (redundancy), applicable to sensors (for example pressure switches), logic units, and final elements (like contactors and valves).
  • 2 out of 3 voting systems (2oo3). Those systems were used originally in the petrochemical industry: they give a good level of both Reliability and Availability.

Reliability measures the ability of a system to function correctly, whereas Availability measures how often the system is available for use, even though it may not be functioning correctly. For example, a server may run forever and so have ideal Availability, but may be unreliable, with frequent data corruption.

All systems were using the concept of Fail Safe: a failure in any part of the system would lead to a safe state of the process or the machinery under control.

In the 1990s, a part of the Reliability of Critical System studies became known as Functional Safety and focussed on Electrical, Electronic, and Programmable Electronic (E/E/PE) systems. The reference standard became the IEC 61508 series.

1.2 Basic Definitions and Concepts of Reliability

According to IEC 60050‐191, Reliability is the ability of an item to remain functional, that is, to perform a required function (the item’s task) under given conditions for a given time interval. The concept of “performing a required function” is complementary to that of a “failure.”

A numerical statement of Reliability must be specified by the definition of the required function, the operating conditions, and the mission duration.

Both the required function and the operating conditions can be time dependent, and this is the reason why it is important to define a mission profile over the item’s life when assessing its Reliability. If the Mission Time is taken as the time parameter, Reliability is defined by the time‐dependent function R(t).

R(t) is the probability that no failure, at item level, will occur in the interval (0, t].

Reliability is based upon mathematical models, and it can be estimated thanks to the observation of items during their lifetime. That is done thanks to measurements and statistical parameters such as failure rate (λ), mean time to failure (MTTF), and mean time between failures (MTBF), which are presented in the following paragraphs.

1.3 Faults and Failures

One of the first concepts that needs to be clearly understood, for someone approaching the field of Functional Safety, is the difference between a Fault and a Failure.

1.3.1 Definitions

The following definitions are taken from IEC 61508‐4 [8]:

[IEC 61508‐4] 3.6 Fault, failure and error

3.6.1 Fault. Abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.

In other words, a Fault is the situation in which a system can no longer perform its required function. Figure 1.1 shows the two states a control system can be in: an “OK” state, where it works correctly, and a “FAULT” state.

Bottom line, it is important not to confuse the concept of failure (event) with the concept of fault (associated with a particular state of a system).

When the system has a failure, it may stop working properly, and therefore it may move to a FAULT state. Here is the definition of Failure:

[IEC 61508‐4] 3.6 Fault, failure and error

3.6.4 Failure. Termination of the ability of a functional unit to provide a required function or operation of a functional unit in any way other than as required.

Reliability theory classifies failures in various ways [51], among which are Primary Failure (not due to other failures), Secondary Failure, Early life Failure, Random Failure, and Wear out Failure.

Failures can also be classified as Total failures (when variations in the characteristics of the element are such as to completely compromise its function) or Partial failures (when the variations of one or more characteristics of the element do not impede its complete functioning).

1.3.2 Random and Systematic Failures

In Functional safety, Failures are classified as either random (in hardware) or systematic (in hardware or software).

[IEC 61508‐4] 3.6 Fault, failure and error

3.6.5 Random Hardware Failure. Failure, occurring at a random time, which results from one or more of the possible degradation mechanisms in the hardware.

[IEC 61508‐4] 3.6 Fault, failure and error

3.6.6 Systematic Failure. Failure, related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.

Figure 1.1 Fault vs failure.

Random Failures