S T S A R C E S
St a n d a r d s f o r Sa f e t y R e la t e d C o m p le x Ele c t r o n ic Sys t e m s
Applicability of IEC 61508 & EN 954
Task 1: A study of the links & divergences between
F i n a l R e p o r t o f W P 4 HEALTH & SAFETY EXECUTIVE E u r o p e a n P r o j e c t S T S A R C E S Contract SMT 4CT97-2191
1. Introduction 2. Overview of existing standards/drafts
3. Idealised requirements 4. Deficiencies/difficulties with existing standards
4.3 Mapping of Category to Safety Integrity Level
5. Proposed application of Draft IEC 61508 to machinery sector
5.1 Determination of Safety Integrity Level
6. Conclusions 7. Recommendations Appendix 1 Mapping schemes Appendix 2 Common requirements & differences Appendix 3 References Appendix 4 Documentation requirements for machinery
1. INTRODUCTION
This report compares the methodologies and requirements of two standards: Draft IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety- related systems)1 and EN 954 (Safety of machinery - Safety related parts of control system)1. The report discusses whether these two standards are likely to set the same or differing requirements when applied to machinery control systems. Both standards propose a structured approach towards the design of safety-related control systems but differ in that EN 954 is designed to address all types of control system technologies whilst DraftIEC 61508 has been primarily (but not exclusively) designed to apply to electrical/electronic/programmable electronic (E/E/PE) based control systems. The standards require that the safety-related functions of the control system are classified; DraftIEC 61508 requires that the control system be allocated a safety integrity level whilst EN 954 uses the concept of safety performance and places the system into one of five categories. There is a significant difference in the way that the safety integrity levels and categories are derived and defined; it is the problems that this difference causes that are discussed in this report especially when the two classifications are compared with a view to developing a strategy to link them. Draft IEC 61508 uses a safety lifecycle approach to ensure that the design of a safety-related control system is systematically carried out. This lifecycle is examined to establish whether it would be suitable for the design of machinery control systems. The report begins with an examination of the two standards with regard to their scope, strategies for the design process and the methodology of their respective safety integrity classification systems. 2. OVERVIEW OF STANDARDS
2.1
EN 954 (Safety of machinery - Safety related parts of control systems)
2.1.1 EN 954-1 (Safety of machinery - Safety related parts of control systems: General principles for design).
1 Note 1. This report is based upon the following versions of the standards: DraftIEC 61508 Version 4.0 05/12/97; EN 954-1 December 1996; and Draft EN 954-2 Revision 11 November 1997.
2.1.1.1 Introduction EN 954-1 is intended to be used during the design of machinery control systems. It applies only to the safety-related parts of that control system but does encompass all technologies; programmable electronic systems are specifically stated as being within its scope. The standard describes a design strategy, a list of characteristics and requirements of safety functions, and a categorising system for the safety related parts together with a section describing the validation requirements. A scheme of five categories of safety-related systems is proposed but these categories are not structured hierarchically in terms of their resistance to faults or their reliability. A category is defined in respect of its resistance to faults and its subsequent behaviour in fault conditions, and it is recommended that they should be used as reference points. DraftIEC 61508 is not called up as a normative standard by EN 954, although it is referred to as guidance in the clause dealing with validation requirements. Also, it is listed at Table 1 amongst standards giving requirements for characteristics of safety functions implemented by programmable electronic systems. 2.1.1.2 Design strategy The standard assumes that a risk assessment has been carried out in accordance with the principles of EN 1050: 1996 ‘Safety of machinery - Principles of risk assessment’, which determines the contribution to risk reduction that each safety related part of the control system shall make. This contribution may be only a subset of the overall risk from the equipment under control. The machinery design lifecycle begins with EN 292-1: 1991 ‘Safety of machinery - Basic concepts, general principles for design. Part 1. Basic terminology, methodology’ where the requirement is to identify the hazards and assess the risk (EN 292-1 clause 5.2) then remove the hazards or limit the risks as much as possible (EN 292-1 clause 5.3), by the suitable choice of design features (EN 292-2 clause 3), such as applying safety principles when designing control systems (EN 292-2 clause 3.7). This leads to EN 954, although it quoted as a normative reference in EN 292-2: 1991 as ‘Safety of machinery - Principles for the design of safety-related control systems’. The design strategy proposed by EN 954 is as follows:
Hazard analysis and risk assess at the machine (as required in EN 292-1 and using EN 1050);
Decide the measures for risk reduction by design and/or the provision of safeguards (as required in EN 292-1 and EN 292-2);
Specify the safety requirements for the safety-related parts of the control system in terms of the characteristics of the safety functions, measures to achieve risk reduction and the selection of category(ies) for each of the safety functions;
Design the safety-related parts of the control system in accordance with the specification developed in Step 3 following a general strategy where emphasis is placed upon fault resistance and verification of the safety-related parts in the context of the specified safety function(s) and category(ies); and
Validate the achieved safety function(s) and category(ies) against the specification developed in Step 3 with re-design as necessary. The validation requirements for programmable electronic safety-related parts of control systems are subject to detailed procedures for tests of fault behaviour - guidance on the assessment of programmable electronic systems includes a reference to Draft IEC 61508.
Having decided the measures to reduce risk, the selection of a category for a particular safety-related part of a machinery control system depends upon: (i)
the reduction in risk to be achieved by safety function to which
the probability of occurrence of a fault in that part;
the risk arising in the case of a fault in that part;
the measures taken to avoid, tolerate or detect a fault in that part.
In general EN 954-1’s design strategy correlates with DraftIEC 61508 lifecycle phases 3 (Hazard and risk analysis) to 13 (Overall safety validation). 2.1.1.3
This section describes the categories and their scope. The authors’ comments on the requirements are in italics. 2.1.1.3.1
As a minimum the safety related parts of the control system shall use basic safety principles that are relevant to the specific application so those parts are able to withstand:
No special measures for safety are applied to parts complying with this category (implies that any component may be used in the safety related system provided it is “suitable for use”). When a fault occurs it can lead to loss of the safety function. 2.1.1.3.2
Category B applies (components suitable for use). In addition the system shall be designed using well-tried components (see Note 1) and well-tried safety principles (see Note 2). NOTE 1: A well-tried component for a safety-related application is defined as a component which has been: -
widely used in the past with successful results in similar applications; or
made and verified using principles which demonstrates its suitability and reliability for safety-related applications.
NOTE 2: Well-tried safety principles include: -
avoidance of certain faults, eg. avoidance of short-circuit by
reducing the probability of faults, eg. over/underrating of components;
by pre-determining the failure mode, eg. components which fail open- circuit
when power should be removed in the event of a fault; -
restrict the consequences of a fault, eg. earthing of equipment.
This category permits certain assessed faults to be excluded because the fault rate is known to be very low. Experience of a part’s operation in one application (ie “well tried”) may not be suitable for another application. The probability of failure in category 1 is lower than in category B and therefore the loss of safety function is less likely. When a fault occurs it can lead to the loss of the safety function and additional measures which are not provided by the safety related parts of the machine control system may be necessary to satisfy the Essential Health and Safety Requirements of the Machinery Directive (see Annex A of EN 292-2). It is noted that single electronic components alone are not normally able to realise category 1 (This is assumed to apply individual electronic components such as transistors, triacs etc). Also, newly developed components and safety principles are considered equivalent to ‘well tried’ if they satisfy the conditions in Notes 1 and 2 above. (This implies that it is only possible to justify a newly developed component as ‘well tried’ by verifying that the principles underlying its design and construction are relevant to the safety-related application). 2.1.1.3.3
Category B (components suitable for use) and the use of well-tried safety principles apply.
In addition, the safety functions of the safety related parts of the control system shall be checked at suitable intervals by the machine control system:-
prior to the initiation of any hazardous situation; and
(iii) periodically during operation if the risk assessment and the kind of
operation indicates that it is necessary.
The initiation of the check may be automatic or manual. If the check detects a fault a safe state shall be maintained until that fault is cleared. The occurrence of a fault may lead to the loss of the safety function between checks but its loss shall be detected at the next check. (This implies that if the check is carried out prior to the hazard being initiated there is a probability that the safety function could then fail during the hazardous event (leading to danger). The failure of the safety function must then be detected at the next check; this may be quite onerous because it requires that any failure or sequence of (accumulated) failures within the safety function shall be detected). 2.1.1.3.4 Category 3 Category B (components suitable for use) and the use of well-tried safety principles apply. In addition, the control system shall be designed so that a single fault does not lead to the loss of the safety functions, taking into account common mode failures. Safety will be maintained in the presence of a single (detected) fault. Whenever reasonably practicable the single fault shall be detected at or before the next demand upon the safety function. The category allows for some faults not to be detected and that an accumulation of faults may lead to a hazard situation at the machine (The standard implies not just loss of the safety function but that the control system could initiate an output that could lead to a hazardous situation). 2.1.1.3.5 Category 4 Category B (components suitable for use) and the use of well-tried safety principles apply. In addition, the control system shall be designed so that:-
(i) a single fault doe not lead to a loss of the safety functions; and (ii) the single fault is detected at or before the next demand upon the
safety functions. If this detection is not possible, then an accumulation of faults shall not lead to a loss of safety functions.
Common mode failures are taken into account. The system behaviour is that when faults occur the safety function is always performed and the faults will be detected in time to prevent the loss of the safety function. (This implies that the control system will never fail to danger and, consequently, must be considered to have a high level of safety integrity).
Table 1 lists the requirements for each of the categories. One or more safety related parts may be used to perform one or more safety functions. If combinations of parts are used which have different categories, the category that may be assigned to the complete system must be established by a new overall analysis of the combination of parts and their fault behaviour. For example, the combined category of a system that used a category 1 part and a category 3 part could be equivalent to category 1, 2 or 3 and may be 4 depending upon their structural configuration at the machine. 2.1.1.4
The standard requires a validation plan and refers the reader to DraftIEC 61508 for guidance (It is not clear whether this refers to all technologies or just E/E/PE). A safety validation report is also required. Generally the same requirements are required from both standards but Draft IEC 61508 is more specific with regard to the information and processes required from this phase. Draft EN 954-2 provides a more comprehensive commentary on the validation process for safety-related parts of control systems which is intended to determine compliance for each part with a safety requirements specification derived from EN 954-1. 2.1.1.5
There is a difference in the approaches taken by EN 954 and Draft IEC 61508 in this phase. EN 954-1 refers to EN 292-2 which calls for maintenance to be documented whilst DraftIEC 61508 calls for a procedure to be developed.
Table 1 Summary of requirements Cat. Basic Safety Well Tried Well Tried Fault Detection Comments Principles Components Safety Principles
Category 1 has a lower failure to danger than category B.
• The check may be manual or automatic
• The occurrence of a fault may lead to the loss of
the safety function between the checking intervals,
the loss of the safety function shall be detected by
the check. It is assumed that the requirement is specified as the check undertaken prior to the initiation of the hazard it is possible for the safety function to be lost whilst the hazard exists.
• at or before the next • The safety function is maintained in the
• Not all faults will be detected and accumulation of faults may cause the loss of the safety function • Under fault conditions the system may issue an unintended output which may lead to a hazardous situation
• at or before the next • The safety function is maintained in the
• Not all faults will be capable of detection but the
accumulation of faults shall not cause the loss of the safety function.
2.1.2 Draft 954-2 (Safety of machinery - Safety-related parts of control systems: Validation). 2.1.2.1
Draft 954-2 specifies the validation process, including analysis and testing techniques, which may be applied to the safety functions and categories for the safety-related parts of control systems given in EN 954-1. The introductory notes make it clear that the safety requirements can be validated by any combination of analysis and testing, but advises that analysis should be performed in parallel with the design process. The draft standard describes a validation process, planning and documentation requirements, and methods applicable to the validation of categories specified in EN 954-1. The requirements and conditions for a range of control system technologies are
environmental and maintenance provisions are also described. DraftIEC 61508 is not called up as a normative reference by Draft 954-2, although it is referred to in guidance notes dealing with documentation relating to software and the validation requirements for categories wherever programmable electronic systems may need to be considered. Also, indirect reference is made to the quantitative analysis techniques described in Draft IEC 61508 through guidance provided on this subject in annex E of EN 954-1. 2.1.2.2 Validation Process Draft 954-2 defines validation as a means by which the safety related parts of a control system can be determined to conform (or not conform) to their specification. In particular, it is assumed that validation should demonstrate that each safety-related part meets the requirements of EN 954-1 with respect to the specified safety characteristics for that part (in accordance with the design rationale) and the selected category. The draft standard calls for the validation process to be executed against a pre-defined plan which identifies and describes the analysis/tests involved for the specified safety functions and categories. It also requires the process to be documented and records to be kept which indicate the extent of compliance achieved. The validation process proposed by Draft 954-2 is as follows:
Step 1. Validation plan Prior to starting the validation process a 'plan' shall be produced which outlines the strategy and describes the requirements for specified safety functions and their categories. Step 2. Analysis (see Notes 1 and 2)
Validation by analysis requires examination of documentation which fully describes the design considerations, including specified safety functions in terms of their assigned performance category, arising from the general strategy for design. This may include details of 'well-tried' components, 'well-tried' safety principles, checking procedures, etc. using the informative guidance provided in annexes A to E, as necessary. The standard accepts that analysis of the deterministic arguments to support the use of complex safety-related control systems requires use of the information from other sources, including Draft IEC 61508 for PE safety-related systems. Step 3. Testing (see Notes 3 and 4) The draft standard states that when validation by analysis is not sufficient to demonstrate that the safety functions satisfy their safety requirements then testing should be carried out in order to complete the validation exercise. These tests should be performed in a systematic manner by producing a test plan and implementing the tests either manually or automatically. Step 4. Validation record (see Note 5) The draft standard requires that validation by analysis and testing should be recorded so that the overall validation process for a machine's safety-related control system is both fully traceable and auditable. This final validation record should cross-reference to all other forms of documentation which, therefore, need to be properly identified. Note: 1. The guidance for electronic/programmable electronic systems at
annex E is incomplete and does not include information on 'well-
components which may exclude the use of this technology in
2. Clause 8.3 of Draft 954-2 describes the validation of category
specifications and correlates these to Draft IEC 61508 as:
This guidance is not supplemented by criteria which supports the
assignment of these relationships and, in practice, it is unlikely that any
such scheme can be fully justified without taking the risk reduction
associated with a safety function into account as required by Draft(Therefore, in the authors opinion, this information is designers, manufacturers, etc. since it may be misinterpreted with regard to the overall safety of a machine's E/PE
3. Draft 954-2 does not assist users of the standard in determining when
validation by analysis is insufficient to demonstrate that the safety
satisfy their safety requirements and that testing should be
4. Automatically applied tests may be made using computer-aided test
(CAT) equipment, computer-aided software engineering (CASE) tools,
etc. However, there is no guidance on what measures should be taken
ensure that this test equipment does not become the cause of apparent defects due to inherent faults in the design of its hardware or software elements.
5. The validation process described in the draft standard is considered
have a significant normative requirement for documentation to be
the 'designer' of the safety-related control system so that the extent of compliance to EN 954-1 can be properly evaluated. The documentation aspects of Draft IEC 61508 have, in the past, received
criticism because of concern that this may be
dutyholders and, consequently, it may be necessary
aspect of the validation scheme recommended by draft 954-2.
Draft IEC 61508 (Functional safety of electrical/electronic/ programmable
electronic safety-related systems). DraftIEC 61508 is primarily concerned with safety-related control systems which incorporate electrical/electronic/programmable electronic (E/E/PE) devices. It does, however, lay down a framework which may be applicable to safety-related systems irrespective of the technology on which those systems are based. It is intended for application across a wide range of industries (eg. process, manufacturing, transportation and medical). The standard is aimed at the achievement of functional safety (that is the ability to carry out safety-related functions correctly) rather than primary safety (such as protection against electric shock). The starting point for the standard is that there is, at least, an outline design for a process or machine and that there is a need to reduce the risks associated with the operation of the process or machine to a tolerable level. This risk reduction is achieved by employing safety-related systems which are seen as being added to the basic equipment or process (which is referred to as the “Equipment Under Control” (EUC)). The methodology is first to identify the hazards and risks associated with the EUC (without the safety-related systems in place). If any of the risks are considered to be intolerable then the risk reduction necessary to achieve an acceptable level of safety must be evaluated. The safety-related functions intended to achieve the necessary risk reduction are then specified. Associated with each safety-related function is a “Safety Integrity Level” (SIL). This is a quantitative measure of the probability of failure to carry out the safety-function as required. 4 SILs are defined in the standard, each level covering a decade range of probability. Having specified the safety functions it is then necessary to decide which functions will be implemented by systems using E/E/PE technology, which will use other (eg. hydraulic) technology and which functions will be implemented by “external risk reduction facilities”. Those functions which are to be implemented using E/E/PE technology are then allocated to specific E/E/PE based safety related systems. Each of these systems is allocated a SIL target based on the highest safety integrity requirement of the safety functions allocated to that system. The SIL target for each E/E/PE safety-related system leads to a set of recommendations, both for hardware and software elements of the system. The recommendations address both the avoidance of failures (by the adoption of certain
procedures and methods) and the control of failures (by the use of certain design techniques). The premise of the standard is that adoption of the recommended measures and techniques will lead to failure probabilities commensurate with the specified SIL. The above process is illustrated in Figure 1. Examples of hazards, safety functions and safety-related systems which may be applicable to machinery are given in Table 2. The requirements of the standard are specified in a framework termed the “safety lifecycle”. This divides the activities considered necessary for the achievement of functional safety into a number of phases. Each phase has specified requirements and defined sets of inputs and outputs. The safety lifecycle encompasses the entire life of the system, from initial concept through to de-commissioning. Much emphasis is placed on the provision of documentation. In all, a total of some 49 different documents are required (in the case of a PE-based safety-related system). The documents are intended to transfer information through the phases of the lifecycle and also to provide information for verification, validation and assessment activities.
Not considered further within Draft IEC 61508
Hardware requirements - part 2Software requirements - part 3
• Emissions of radiation, dust, gases, etc.
• others Overall safety functions • Prevent contact with dangerous moving parts during normal operation
• Prevent contact with dangerous moving parts during set up
• Prevent contact with dangerous moving parts during maintenance
• Prevent contact with live electrical conductors
• others E/E/PES safety-related systems • PLC control of guard interlocks
• others Other technology safety-related systems • Fixed guard
• others External risk reduction factors • Instructions/training
Table 2: Draft IEC 61508 concepts that may be applied to machinery
3. IDEALISED REQUIREMENTS
A quantifiable measure of determining a control system’s safety integrity is desirable because it allows direct comparisons to be made between systems, assuming a common set of assumptions. Unfortunately such a measure can be difficult to estimate so it would be preferable to be able to move from a qualitative assessment of the safety requirements for a control system to a quantitative value of safety integrity. A risk graph or look-up table would be the ideal way of carrying out this process but it could only work if:
(i) control system products were specified in terms of their safety integrity
(both complete and modular based solutions), see Note 1.
(ii) examples of “well-tried” or traditional (usually electromechanical based)
circuits were available that were specified in terms of safety integrity.
(iii) examples were given on how to calculate safety integrity for new
(iv) a mechanism was developed for calculating the overall safety integrity
level from component parts operating in series and/or parallel.
Note 1: It is assumed that complete control systems could be obtained from one
supplier, in which case it would be the responsibility of that supplier to specify the safety integrity. Alternatively, the control system could be a combination of modules (a module here includes a hardwired circuit) where the safety integrity would be specified by each of the module suppliers.
The specification for the safety integrity would describe the limitations of any in-built diagnostic system and include any requirements for proof checking/maintenance intervals. This specification would also recommend configurations or operational parameters that would enable it to achieve a particular safety integrity level. The system designer would then analyze the combination of modules that comprise the system and using the mechanism mentioned in (iv) above, calculate the overall safety integrity level for the safety function. 4. DEFICIENCIES/DIFFICULTIES WITH EXISTING STANDARDS 4.1 EN954-1 4.1.1 Selection of category The development of the category definitions within EN 954-1 would appear to have been driven by the underlying presumption that safety integrity could be linked to the fault behaviour of the system. This is reflected in the risk graph (EN 954-1, Annex B) which indicates that those categories with greater fault detection and fault tolerance
are preferred for application where the consequences (severity of injury) are greater and exposure times are greater. The difficulty with this concept is that other factors, such as component reliability, can play a large, perhaps major, part in determining safety integrity with the result that fault handling characteristics alone may not be a suitable indicator of safety integrity. For example, a system which achieves its safety integrity by the use of simple, but highly reliable mechanical linkages may have no inherent fault detection or fault tolerance and as such may be thought of as belonging to category B or category 1. However, the likely failure rate of the system may be so low, owing to its inherent reliability, that it achieves a high level of safety integrity and it is suitable for application where high levels of risk reduction are required (e.g. a linkage in a power press mechanical guard). This has been recognized in EN 954-1 where it is stated (Annex B) that “component reliability, the technology used in the particular application can indicate a deviation from the expected choice of category”. This has lead to the rather confusing situation that whilst the theoretical choice of category may be related to risk, the most appropriate category, taking all factors into account, may be different. The EN 954-1 category selection process would appear to be to first identify the theoretical, or “reference” category on the basis of risk (by use of the risk graph), then to modify the selection of category according to component reliability, technology used, etc. The second stage of this process is largely empirical; and little guidance is given within the standard. As a result category selection is likely to suffer from either blind adoption of the risk graph, without reference to the modifying factors, or be so subjective in nature that any link with safety integrity is at best tenuous. 4.1.2 Application of the standard On a point of presentation, it is considered difficult to extract the normative requirements of EN 954-1. For example, some of the requirements are hidden within lengthy clauses (e.g. the requirement to state reasons for deviating from preferred category which is contained within Annex B.1). With specific regard to programmable electronic systems there is an informative reference (within Table 1) to Draft IEC 61508. If taken at face value, this implies that all Draft IEC 61508 requirements may be informative to EN 954-1.
Figure 2: EN 954-1 Category selection process
4.2.1 Complexity The comprehensive nature of Draft IEC 61508 has resulted in what is seen by the machinery sector as an extremely complex and difficult to understand standard. 4.2.2 Terminology & culture Much of the terminology relates more closely to the process sector which has had significant influence in the development of Draft IEC 61508. In particular, it is considered that the following terms are not fully understood by the machinery sector: • Proof checking/testing
• Demand mode/continuous mode of operation
• Safety requirements allocation 4.2.3 System considerations (allocation of responsibilities) The overall safety lifecycle described by Draft 61508 covers all phases of an equipment’s life from concept through to decommissioning. Very rarely would one party have responsibility across the entire lifecycle. It is considered that there is a need to delineate responsibilities. This is particularly so in the case of manufacturers who are producing machines or safety components for use in a variety of applications where it may not be practical for the manufacturer to undertake a complete hazard and risk analysis and identify suitable safety functions for all applications at an early stage in the safety lifecycle. In such cases the emphasis must be on the manufacturers to supply sufficient and suitable information (including the Safety Integrity Level) so that users can take proper account of the equipment’s performance characteristics in the final application. 4.2.4 Documentation The extensive documentation requirements of Draft IEC 61508 are seen by the machinery sector to be excessively burdensome. 4.2.5 Architectures The existing draft of IEC 61508, part 2 does not fully address control system architectures appropriate for application to machinery.
4.2.6 Measures and techniques Many of the traditionally accepted measures and techniques used in the machinery sector are not included within the present draft of IEC 61508. Many of these measures and techniques have been developed to protect against failures resulting from intentional mis-use or defeat. It is considered that these elements of systematic safety integrity are not adequately addressed by the current draft of IEC 61508. 4.3
Mapping of Category to Safety Integrity Level
Safety Integrity (from Draft IEC 61508) is defined as: “Probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time”. A Category (from EN954-1) is defined as: “Classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangements of the parts and/or by their reliability”. Safety integrity is a measure of a system’s ability to perform the required safety function within a stated period of time. The safety integrity calculation (probability of failure on demand) is a function of:
failure rate of the components that comprise the system
Draft IEC 61508 also applies requirements to safety components which are detailed in Annex A (normative) of Part 2. This Annex includes a series of tables, which list requirements of the components for hardware and systematic safety integrity, analogous to the definitions of the categories but include the concepts of proof check interval and diagnostic coverage which do not appear explicitly in EN954-1. It is important to note that there is an assumption in the probability of failure on demand calculation that having carried out a proof test the system is returned to its original “as new”, state. In the machinery sector a machine is often run until the control system breaks or stops functioning; reliance is almost totally based upon the control system’s self diagnostics.
S Severity of injury S1 slight (normally reversible) S2 serious (normally irreversible) injury including death
F Frequency and/or exposure time to hazard
F1 seldom to quite often and/or exposure time is short F2 frequent to continuous and/or exposure time is long
P1 possible under specific conditions P2 scarcely possible
Figure 3 Risk graph for selection of safety integrity levels
The categories of EN954-1 are a function of:
where the contribution of these two elements varies with the technology used; it is stated that a single channel of safety-related parts of high reliability in one technology could provide the same or higher resistance to faults as a fault tolerant structure of lower reliability in a different technology. Generally, the difference between safety integrity levels and the categories is that safety integrity is the probability that the system will fail to provide the safety function within a certain time. It is a quantitative measure of a system’s performance. The categories are a statement upon the systems resistance to faults and its behaviour once one or more faults have occurred and it is a qualitative measure of a system’s behaviour. Attempts made to map safety integrity levels to categories have found that this is not possible without fundamental changes to the definitions of those categories. A number of mapping techniques that have been tried are described in Appendix 1. This inability to define a map between integrity levels and categories mainly floundered because the categories do not provide an hierarchical structure to their fault resistance. 5.
PROPOSED APPLICATION OF DRAFT IEC 61508 TO MACHINERY SECTOR 5.1
It is proposed that a development of the risk graph currently included within EN954-1 (Annex B) could be used for the determination of Safety Integrity Levels. An example of such an approach is given in Figure 3. With reference to Figure 3, the following observations can be made: • It is considered that SIL 3 is appropriate for the highest risk applications in
machinery. This corresponds to a 10-3 probability of dangerous failure per year and therefore aligns with what is commonly regarded (at least within the UK) as the maximum tolerable risk for workers.
• The Safety Integrity Level of the safety function is first determined. It is then
necessary to consider the contribution of the particular safety-related system under consideration to the overall SIL of the safety function. For systems which play a key part in implementing the safety function, then the system SIL may be considered to be the same as the function SIL. For systems which fulfill a lesser role it may be possible to relax the SIL requirements. This reflects the apportionment of risk associated with the Draft IEC 61508.
Draft IEC 61508-6 describes a number of examples of system architectures but only the single controller with single processor and single I/O (1oo1) is likely to be applicable to the machinery sector. Figures 4 and 5 depict typical arrangements for machinery
hardwired/electromechanical circuit or electronic guard/monitor in parallel. For machinery systems it is important that electromechanical examples and tables are produced. Also a mechanism which allows the overall safety integrity level to be calculated from a series and/or parallel combination of components of different safety integrity levels needs to be developed. Finally, example architectures for machinery control systems need to be created. 5.3 Safety Lifecycle The safety lifecycle (Overall, E/E/PE and Software) as defined by Draft IEC 61508 are considered to be sound and it is not thought that they can be simplified significantly in the general case without danger of omitting key phases. In principle, the lifecycle is thought to be appropriate for the machinery sector. 5.4
The documentation requirements of Draft IEC 61508 are extensive and thorough; it addresses complete system designs and encompasses the full lifecycle from conception to de-commissioning. However, a machine usually comprises just one system, the end use of which may not be known by the machine designer and, once sold, control (maintenance) of the machine is often handed over to another party. In addition the manufacturer may have in-house procedures (to ISO 9000) for project management, coding standards, fault reporting and fixing, etc.; some of the documents required by the standard may repeat this work. The designers and manufacturers of safety components, safety systems or sub-systems (eg. CNC controller, drive controller, etc.) may face an even greater problem because they may not know all the end uses for their equipment.
F ig u re 4 : Ty p ic a l P E s y s te m / in te r lo c k a rra n g e m e n t Figure 5: Typical overspeed arrangement
The basic documentation objectives of Draft IEC 61508 could be complied with by machine control system manufacturers but individual documents listed in Part 1 (Annex A) of the standard may not need to be produced because:
only a single E/E/PE controller being developed and not a system.
usually a product is being produced and in-house procedures should
exist to deal with issues such as project management, coding standards, etc.
maintenance and de-commissioning may not be the responsibility of the
control system or machine manufacturers and designers of machinery control systems.
Appendix 4 suggests which documents listed by draft IEC 61508-1 Annex A (informative) should be required of the manufacturers and designers of machinery control systems. 6.
CONCLUSIONS
A linear mapping of the safety integrity levels of Draft IEC 61508 to the
categories of EN954-1 could not be established. This was due to the category definitions in EN954-1 not placing any quantifiable requirements regarding the rate of failure of the safety functions. However, it can be stated that, in a given technology, category 1 is likely to have a higher safety integrity level than category B and category 4 will have the highest safety integrity level. 2.
The qualitative approach of EN 954-1 is a desirable one from the machinery
sector point of view and could be usefully developed and linked to Draft IEC 61508. 3.
The principles of Draft IEC 61508 (safety lifecycle and safety integrity levels)
can be applied to E/E/PE control systems in machinery. Draft IEC 61508 could replace EN 954-1 for E/E/PE systems but a qualitative approach leading to a safety integrity level would have to be developed. If such an approach was developed, there would no longer be the requirement for E/E/PE safety systems to be defined in terms of categories. 4.
The non-hierarchical structure of EN 954-1’s categories is often misinterpreted
into an hierarchical one. This is because the category definitions have to be carefully analysed to understand their full meaning. An informative annex interpreting the categories for different technologies may be useful.
Although the categories are difficult to relate to risk, EN954-1, as a document,
does provides much useful information into the design strategies for safety and the requirements for safety functions. 6.
Draft IEC 61508 covers all phases of an equipment’s life from concept through
to decommissioning. In the machinery sector, very rarely would one party have responsibility across the entire lifecycle. It is considered that there is a need to delineate responsibilities. This is particularly so in the case of manufacturers who are producing machines or safety components for use in a variety of applications where it may not be practical for the manufacturer to undertake a complete hazard and risk analysis and identify suitable safety functions for all applications at an early stage in the Safety Lifecycle. In such cases the emphasis must be on the manufacturers to supply sufficient and suitable information (including the Safety Integrity Level) so that users can take proper account of the equipment’s performance characteristics in the final application. 7.
RECOMMENDATIONS
The category definitions in EN954-1 be reviewed taking into account the
principles for E/E/PE safety-related control systems of Draft IEC 61508. We would suggest that the category definitions should clearly identify the safety performance (or safety integrity) requirements of the safety-related parts of machinery control systems and that such a review should be focused upon reducing the analysis which has to be performed by machinery designers. 2.
The qualitative methodology of EN 954-1 should be revised in the proposed
amendment so that the design strategy properly considers all the factors which affect risk reduction.
Appendix 1 Mapping schemes This appendix lists some of the various strategies considered to try and obtain some correlation between EN 954-1’s categories and Draft IEC 61508’s safety integrity levels. A brief description is given for each approach followed by the main reasons why it was rejected. 1. Examination of EN 954-1’s Categories for implied Safety Integrity Levels.
The descriptions of the categories were assessed to determine whether they inferred a particular safety integrity level or levels. Reason(s) for failure: (i)
Category 4 states that no loss of the safety function can occur, therefore this
could equate to safety integrity level 4. However, for categories B to 3 no such assumption could be made. (ii)
Categories B to 3 assume that the system will fail but the category definitions
do no state the expected frequency of those failures. Thus it is feasible that a category B system could achieve safety integrity level 4 (when considering all technologies, eg. mechanical links). 2. Fault Resistance
Safety integrity uses component failure rate as a variable within its algorithm and categories use component reliability as a determining factor. Reason(s) for failure: (i)
The contribution that component reliability provides towards the safety function
could vary considerably without affecting the category because EN 954-1 allows it to be offset by the system’s structure. (ii)
A safety integrity level assumes a proof check interval.
Safety Integrity level achieved though choice of category and application of a set of techniques.
Any category of safety system could be used for a particular safety integrity level provided that some defined set of additional measures were also implemented. These additional measures would be similar to (and would include) those that appear in Draft IEC 61508 parts 2 and 3. Reason(s) for failure:
Difficulty in deriving these additional measures.
Masks the underlying problem that categories cannot be easily linked to
risk; this approach is effectively re-defining EN 954-1’s categories.
Risk Graphs
Link the categories of EN 954-1 to a risk level and then link the risk level obtained to a safety integrity level. Reason(s) for failure:
The definitions for the categories do not address risk.
These is no hierarchical structure to the categories.
E/E/PES Technology Only Approach
EN954-1 id designed to cover a range of technologies. It was investigated whether applying the categories only in terms of E/E/PE technologies could form a structure that could be mapped to safety integrity levels. Reasons for failure:
(i) Limited in analysis is just E/E/PE technologies did not
change the way the categories were structured. 6. Descriptive/Quantitative Approach
This approach accepted that categories and safety integrity levels were different and examined the viability that a safety system could be marketed in terms of its reliability (SIL) and its fault behaviour (category).
It still required the calculation of safety integrity levels by machine
manufacturers and system builders. It did not simplify the
a machinery control system. It did not remove the problem that, theoretically, any category could achieve any safety
Appendix 2 - Common requirements & differences
The following are considered to be factors in the comparison of EN 954-1 and Draft IEC 61508. General
• EN 954-1 does not take the hierarchical system oriented view which is a strong
• Draft IEC 61508 refers to safety-related systems, which are seen as being
wrapped around the “equipment under control” (EUC) to provide a “level of safety”. EN 954-1 refers to “safety related parts of control systems”.
• Draft IEC 61508 requires the production of documentation at each phase of the
Safety Lifecycle. The only specific documents required by EN 954-1 are the validation plan and validation report.
• Draft IEC 61508 has a strong formal structure with clearly defined objectives and
requirements specified for each phase of the safety lifecycle. EN 954-1 is much less structured and careful examination is necessary to extract the key requirements.
Scope • EN 954-1 applies to safety related parts of control systems, Regardless of the type
of energy used. Draft IEC 61508 is primarily concerned with E/E/PE systems.
• Draft IEC 61508 addresses the entire lifecycle from the concept phase through to
decommissioning. EN 954 is restricted to the design phase.
• Draft IEC 61508 takes account of the entire system comprising EUC, safety-
related system(s) and external risk reduction facilities. EN 954-1 is only concerned with the “safety related parts of control systems”.
Competence of persons
• Addressed by Draft IEC 61508, not by EN 954-1. Safety management
• Addressed by Draft IEC 61508, not by EN 954-1. Concept • Addressed by Draft IEC 61508, not by EN 954-1. Hazard & risk analysis
Both standards require: • carry out a hazard and risk analysis.
• include fault conditions, reasonably foreseeable misuse and human factors
• assess frequencies (or probabilities) of hazards events
• assess risk associated with each hazardous event
• identify the necessary risk reduction, for each hazard. Differences • Draft IEC 61508 refers to “hazardous events of the EUC”. EN 954-1 refers to
• Draft IEC 61508 allows quantitative or qualitative techniques. EN 954-1 emphasis
• Draft IEC 61508 requires a “level of safety” (based on the tolerable risk) to be
identified for each hazard. EN 954-1 simply refers to the “appropriate risk reduction”.
• Draft IEC 61508 requires details to be documented in “Hazard and Risk
Management Description”. EN 954-1 has no documentation requirement.
Specification of safety functions
• Draft IEC 61508 requires specification of all safety functions included in the “total
combination of safety-related systems and external risk reduction facilities”. EN 954-1 only requires specification of the safety functions “to be provided in the control system”.
• Draft IEC 61508 requires both a functional description and specification of Safety
Integrity Level. EN 954-1 only requires a functional description.
• EN 954-1 lists common safety functions and associated characteristics applicable
• Draft IEC 61508 allows for safety functions to be allocated between the safety-
related system sand external risk reduction facilities. EN 954-1 only addresses those safety functions implemented by the “safety-related parts”.
Deviation and specification of performance requirements for control systems
• Draft IEC 61508 specifies a formal process whereby, for each hazard, the
necessary risk reduction is derived from the EUC risk and the level of safety. It is then necessary to specify how the level of safety (and associated risk reduction)
will be achieved. This is done by describing what the safety-related systems will do (ie. the safety functions) and with what probability they will do it as required (ie. the safety integrity). At this stage the safety-related systems can take the form of external facilities or control systems (of any technology). Then the individual safety-related systems should be specified, both in terms of functionality and effectiveness (as relating to a specific technology) so that all the safety functions are implemented with the required level of safety integrity (taking into account the total effect of all the designated safety-related systems). It should be noted that the level of effectiveness of the individual safety-related systems is also measured by the parameter “safety integrity”. Draft IEC 61508 requires that this process of deriving the performance requirements for individual safety related systems has to be documented in a “Safety Requirements Allocation Description”.
• EN 954-1 requires that the measures for risk reduction by control means should
be “decided” and specified in terms of functionality and category. the methodology to translate risk reduction (associated with particularly hazards) to performance requirements of safety related parts of control systems is not specified.
• Draft IEC 61508 requires that the “effectiveness” of the safety-related control
systems be classified according to “safety integrity”. Safety integrity is a quantified measure of the effectiveness of a safety-related control system and encompasses hardware reliability as well as control and avoidance of failures due to systematic faults.
• EN 954-1 requires that safety related parts of control system s be categorised
according to resistance to faults. The performance measures associated with the categories are a description of measures taken to avoid or control failures and are not quantified.
• Draft IEC 61508 requires that overall safety functions and safety integrity
requirements are documented in an “Overall Safety Requirements Specification”. The corresponding requirements for individual E/E/PE safety-related systems are documented in the “E/E/PE Safety Requirements Specifications”.
Design
• Both standards require that the design meets the specified safety requirements,
but Draft IEC 61508 requires that the design documentation should identify and justify the techniques and measures chosen to achieve the Safety Integrity Level. With Draft IEC 61508, extensive tables of recommended techniques and measures (for both hardware and software) are provided. EN 954-1 simply requires a “list of the design features which provide the design rationale for the category achieved”.
• Draft IEC 61508 recommends (under development) specific architectures, EN
954-1 does not address architecture (other than as may be necessary to achieve the fault behaviour according to category).
Behaviour under fault conditions
• Both standards require consideration of behaviour under fault conditions. In Draft
IEC 61508, fault requirements depend on safety integrity level, extent of diagnostic coverage, knowledge of component failure modes, testability of components and knowledge of component reliability. In EN 954-1, fault requirements are dictated solely by choice of category.
Diagnostic coverage
• Draft IEC 61508 makes recommendations regarding the level of diagnostic
coverage provided by the techniques and measures used to control failures. EN 954-1 similarly accepts that not all faults may be detected. In category 3, the required measures for fault detection are required to be graded according to consequence and probability of failure and technology used. In category 4, the inability to detect certain faults leads to the requirement to show that an accumulation of faults does not lead to loss of the safety function.
Proof checking • Draft IEC 61508 requires that proof checks be undertaken so that the probability
of failure on demand remains within the specified safety integrity level. Proof checking is not addressed by EN 954-1.
Integration
• Integration (software, hardware, modules, sensors, actuators) of E/E/PE systems
is addressed by Draft IEC 61508, not by EN 954-1.
Operation & maintenance
• Both standards require information for operation and maintenance. Validation
• Both standards require validation to demonstrate that the safety functions have
been implemented according to specification.
Modification
• Addressed by Draft IEC 61508, not by EN954-1. Verification
• Required by Draft IEC 61508, not by EN 954-1.
Functional safety assessment
• Required by Draft IEC 61508, not by EN 954-1. Decommissioning
• Addressed by Draft IEC 61508, not by EN 954-1.
APPENDIX 3 REFERENCES
1.
BS EN 954-1 Safety related parts of control systems. Part 1: General
Draft 954-2 Safety-related parts of control systems. Part 2: Validation.
CEN/TC114 - CLC/TC44X - JWG 6 N 544 Revision 11 (November 1997).
REFERENCE
Draft IEC 61508-1: Functional Safety - Safety-Related Systems -
Draft IEC 61508-2: Functional Safety - Safety-Related Systems -
Part 2 Requirements for electrical/electronic/ programmable electronic systems.
Draft IEC 61508-3: Functional Safety - Safety-Related Systems -
Draft IEC 61508-4: Functional Safety - Safety-Related Systems -
Draft IEC 61508-5: Functional Safety - Safety-Related Systems -
Part 5 Examples of methods for the determination of safety integrity levels.
Draft IEC 61508-6: Functional Safety - Safety-Related Systems -
Part 6 Guidelines on the application of Parts 2 and 3
Draft IEC 61508-7: Functional Safety - Safety-Related Systems -
Part 7 Overview of techniques and measures.
APPENDIX 4: DOCUMENTATION REQUIREMENTS FOR MACHINE CONTROL SYSTEMS
TABLE 4A: DOCUMENTS RELATED TO THE OVERALL SAFETY LIFECYCLE
Comments with regard to machinery based control
OVERALL SAFETY LIFECYCLE PHASE DOCUMENTS
This depends upon whether the manufacturer of the control system is also responsible for producing the machine as a whole, including all safety aspects (ie. supplying a fully enclosed machine). Generally the manufacturer’s knowledge of the overall concept of the machine may be severely limited and would not be able to produce this document
• Description; {Overall Scope Definition}
• Description; {Hazard and Risk Management
• Specification; {Overall Safety Requirements}
comprising; {Overall Safety Functions & Overall Safety Integrity}
• Description {Safety Requirements Allocation}
Overall Operation and Maintenance Planning
• Plan; {Overall Operation and Maintenance}
The manufacturer may not be responsible for these two phases, the best that may be achievable is a “user manual” detailing the requirements. This document is unlikely to be required.
Overall Installation and Commissioning Planning
The manufacturer may not be responsible for these
phases This document is unlikely to be required
• Realisation of E/E/PE safety-related systems
• Log; {Overall Operation and Maintenance}
These should be in-house procedures (eg. ISO 9000)
TABLE 4A: DOCUMENTS RELATED TO THE OVERALL SAFETY LIFECYCLE
Comments with regard to machinery based control
OVERALL SAFETY LIFECYCLE PHASE DOCUMENTS
• Report; {Overall Modification & Retrofit Impact
• Log; {Overall Modification & Retrofit}
• Report; {Overall Decommissioning Impact
These also should be in-house procedures
• Plan; {Functional Safety Assessment}
• Report; {Functional Safety Assessment}
TABLE 4B: DOCUMENTS RELATED TO THE E/E/PE SAFETY LIFECYCLE Comments with regard to machinery based control systems E/E/PE SAFETY LIFECYCLE PHASE DOCUMENT E/E/PE Safety Requirements
• Specification; {E/E/PE Safety Requirements} comprising;
This is likely to have been completed as part of
{E/E/PE Safety Functions & E/E/PE Safety Integrity
• Description {E/E/PE Architecture Design} comprising
• Specification {PE Integration Tests}
TABLE 4B: DOCUMENTS RELATED TO THE E/E/PE SAFETY LIFECYCLE Comments with regard to machinery based control systems E/E/PE SAFETY LIFECYCLE PHASE DOCUMENT
• Specification {Integration Tests of PE and non PE
• Description; {Architecture Design Hardware}
Unlikely to be required because the control
• Specification; {Hardware Architecture Integration Tests}
system will usually be a single system and
E/E/PE Architecture documents would have
• Specification; {Hardware modules design}
• Specifications; {Hardware modules Tests}
• Report; {Integration test of software onto PE hardware}
• Report; {Integration test of PE and other hardware}
should be produced (within the context of the
• Instruction {Operation and Maintenance}
• Instruction; {E/E/PE Modification Procedures}
These should be in house-procedures (eg. ISO
• Report; {E/E/PE Modification Impact Analysis}
These also should be in-house procedures
• Plan; {E/E/PE Functional Safety Assessment}
TABLE 4B: DOCUMENTS RELATED TO THE E/E/PE SAFETY LIFECYCLE Comments with regard to machinery based control systems E/E/PE SAFETY LIFECYCLE PHASE DOCUMENT
• Report; {E/E/PE Functional Safety Assessment}
Comments with regard to machinery based TABLE 4C: DOCUMENTS RELATED TO THE SOFTWARE SAFETY LIFECYCLE control systems SOFTWARE SAFETY LIFECYCLE PHASE DOCUMENT
• Specification; {Software Safety requirements} comprising; This is likely to have been completed as part of
{Software Safety Functions & Software Safety Integrity
• Description {Software Architecture Design} Specification;
Software architecture description should have
{Software Architecture Integration Tests}
already been completed. Software architecture
• Specification; (PE and Software Integration Tests}
tests unlikely to be required (assuming single
• Instruction; {Development Tools and Coding Manual}
manual should be part of in-house procedures.
• Specification; {Software System Design}
Unlikely to be required (assuming single
• Specification; {Software System Integration Tests}
Comments with regard to machinery based TABLE 4C: DOCUMENTS RELATED TO THE SOFTWARE SAFETY LIFECYCLE control systems SOFTWARE SAFETY LIFECYCLE PHASE DOCUMENT
• Specification; {Software Module Design}
• Specification; {Software Module Tests}
• Report {Software module Integration Test}
Only software module integration test should
• Report; {Software System Integration Test}
• Report; {Software Architecture Integration Test}
• Report; {PE & Software Integration Test}
Software Operation and Maintenance Procedures
• Instruction {Operation and Maintenance}
• Report; {Software Safety Validation}
should be produced (within the context of the equipment being developed)
• Instruction; {Software Modification Procedures}
These should be in-house procedures (eg. ISO
• Report; {Software Modification Impact
These also should be in-house procedures
• Plan; {Software Functional Safety Assessment}
• Report; {Software Functional Safety Assessment}
DEACTIVATOR SYSTEMS: POFF and EOFF T r a n s g e n e S u p p r e s s i o n w i t h A n t i b i o t i c s PolyGene's Pristinamycin- and Erythromycin-inducible expression systems are also available as DEACTIVATORS, i.e. POFF and EOFF, respectively1,2. Mode of Function In their POFF and EOFF versions, the co-expression of two distinct (EFFECTOR and RESPONDER) trans-genes gives the possibi
PROHIBITED FOR TRANSPORT (AS PER IMDG CODE PAR; 1.1.4 AND 3.3) SHIPPING NAME AMMONIUM BROMATEAMMONIUM BROMATE, SOLUTIONAMMONIUM CHLORATEAMMONIUM CHLORATE, SOLUTIONAMMONIUM CHLORITEAMMONIUM HYPOCHLORITEAMMONIUM NITRATE liable to self-heating sufficient to initiate a decompositionAMMONIUM NITRITES and mixtures of an inorganic nitrite with an ammonium saltAMMONIUM PERMANGANATEAMMONIUM PERMANGAN