IEC 62061 introduction

Copyright exida Asia Pacific © 2013
Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564
Exida Contacts
IEC 62061 Introduction
Singapore 2009
Koen Leekens

Copyright exida Asia Pacific © 2013 Koen Leekens +65 9772 9547
Safety is Only as Strong as its Weakest Link
exida

Topics in this Presentation
exida
Safety Regulatory Environment – Situating the IEC 62061
The IEC 62061 Safety Lifecycle Procedures in 8 steps
Summary

Who we are
Founded in 1999 by experts from Manufacturers, End Users,
Engineering Companies and TÜV Product Services
Today: LARGEST Functional Safety and Cyber Security
consultancy and certification body worldwide
“Provide independent Services, Training and Tools to help
Customers comply to any Industry Standards for Functional
Safety, Cyber Security and Alarm Management”
Rainer Faller
Former Head of TÜV Product Services
Chairman German IEC 61508
Global Intervener ISO 26262 / IEC 61508
Author of several Safety Books
Author of IEC 61508 parts
Dr. William Goble
Former Director Moore Industries
Developed FMEDA Technique (PhD)
Author of several Safety Books
Author of several Reliability Books

Where we are

What we do
EXIDA SCOPE
Functional
Safety
Cyber
Security
Alarm
Management
SERVICES
Tools
Training
Consultancy
Certification
Reference
Materials
INDUSTRIES
Process
Industry
Automotive
Machine
Industry
Power
Industry
Rail
End Users
Equipment
Manufacturer
Engineering
Companies
System
Integrators
CUSTOMERS
Reliability

The exida Library
exida publishes analysis
techniques for functional
safety
exida authors ISA
best- sellers for automation
safety and reliability
exida authors
industry data
handbook on
equipment failure
data
www.exida.com

exida Customers (extract from 2000+)

What is Machinery Safety?
It is protecting operators of machines and personnel in the
area from being injured by the machine
Application of a machine’s energy in an unintended fashion
can cause injury, property damage and business interruption
IEC 62061 :
“Assembly of linked parts or components, at least one of which moves,
with the appropriate machine actuators, control and power circuits,
joined together for a specific application, in particular for the processing,
treatment, moving or packaging of a material”
It is NOT guarding the machine from damage!

SRCF: Safety-Related Control Function
Specific single set of actions and the corresponding
equipment needed to identify a single hazard and act to
maintain or bring the system to a safe state
Permissive Protective Mitigating

SRECS: Safety-Related Electrical Control System
Covers the whole loop
Can encompass multiple functions and act in multiple ways
to prevent multiple harmful outcomes
Can hold different safety-related control functions (SRCF)

Safety Regulatory Environment
13
1980 1985 1990 1995 2000 2005 2010
DIN 31000
DIN V 19250
DIN V VDE 0801
EN 954-1
IEC 61508
IEC 61511
IEC 61513
ANSI/ISA S84.01 1996

Safety Regulatory Environment
14
1980 1985 1990 1995 2000 2005 2010
DIN 31000
DIN V 19250
DIN V VDE 0801
EN 954-1
IEC 61508
IEC 61511
ISO 13849-1
IEC 61513
ANSI/ISA S84.01 1996
IEC 62061
Superseded by 2
standards that co-exist

Relationship with Other Standards
ISO 13849-1
Low Complexity SRPCS
IEC 62061
SRECS
IEC 60204
Electrical Equipment
ISO 14121
Principles for Risk Assessment
ISO 12100
Machinery Safety – Basic Concepts
Source ZVEI Flyer “ Safety of Machinery
Certification and CE
IEC 61508
Complex Sub-Systems
EN 954-1
Prescriptive +
Performance Performance
Prescriptive

Prescriptive Standards

The IEC 62061 is Performance based

Recommended: IEC 62061 - EN ISO 13849
Technology implementing
SRCF
ISO 13849-1 IEC 62061
A Non-electrical X -
B Electromechanical Restricted X
C Complex electronics Restricted X
D
Non-electrical and
Electromechanical
Restricted X
E
Complex electronics and
Electromechanical
Restricted X
F
C combined with A, or C
combined with A and B
X X
Source: IEC 62061 - Table 1 - Simplified

Device Manufacturers - Sector Specific Not Available
Which Standard?
IEC 61513
Nuclear
IEC 61511
Process Industry
IEC 61508
Functional Safety for E/E/PES Safety Related Systems
ISO 26262
Road Vehicles
End Users - Systems Integrators
IEC 62061
Machinery

European Machine Safety
EN294
Safety Distances
EN1050/
ISO14121
Risk Assessment
ISO13849
Safety Related Part
Control Systems
EN292
General
Principles
EN60204-1
Electrical
Equipment
EN 61496
Light Curtains
IEC 62061
Functional
Safety of SRECS
EN 1037
Unexpected
Start-up
EN 1088
Interlocking
Devices
EN 60947-5-3
Proximity Devices with
Fault Protection
EN 60947-5-1
Mechanical
Switches
EN 1760
Safety Mats
EN999
The Positioning of
Protective Equipment
EN 574
Two-Hand
Control
EN 953
Guards
EN 418
Emergency
Stop
EN 692
Mechanical
Presses
EN 1762
Food
Processing
MachinesEN 415
Packaging
Machines
EN 693
Hydraulic
PressesEN 972
Tannery
Machines
EN 746
Thermo-processing
Machines
EN 931
Footwear
Manufacturing
Machines
EN 1114-1
Rubber and
Plastics Machines
EN 1525
Driverless trucks

What do accidents teach us?
Buncefield 2005
Bhopal 1984 Flixborough1974
Seveso 1976

US Fatal Work Injuries

Primary Cause of SIS Failures?
What is going wrong?
Are the existing standards Failing?
What are the primary causes?

Primary Cause of Failures?
Specification
Changes after
Commission
Operation and
Maintenance
Design and
Implementation
Installation and
Commission
Source Health, Safety & Environmental Agency

Example Specification
Operator Traps Hand

Example Operate and Maintain
Operator loses Hand

Primary Cause of Failures?
Specification
Changes after
Commission
Operation and
Maintenance
Design and
Implementation
Installation and
Commission
Source Health, Safety & Environmental Agency
The majority of accidents are:
… Preventable if a systematic
Risk-Based Approach is adopted…

Key Aspects of IEC 61508/61511
Safety Integrity Levels (SIL)
– Reliable Hardware with predictable failure rates to protect against
Random Failures (Physical)
Safety Lifecycle
– Safety Management with controlled and systematic processes to
protect against Systematic Failures (Design)

The IEC 62061 General Structure in 8 Steps
Management
of
Functional
Safety
Information on
machine and its use
Risk Assessment
Determine SRCF’s
Write SRECS SRS
SRECS
design & implementation
SRECS integration,
testing & installation
Produce information on
SRECS use and maintenance
SRECS Validation
1
3
2
4
5
6
7
8
Analyze
Realize
Operate
Maintain
Validate
Manage

Management
of
Functional
Safety
Information on
machine and its use
Risk Assessment
Determine SRCF’s
Write SRECS SRS
SRECS
SRECS integration,
SRECS Validation
Manage

Management of Functional Safety
Functional Safety Planning (FSM Plan)
Personnel Competency and Roles
Documentation, Configuration Control
Documented Processes
Safety Verification and Validation plan
Tracking and Auditing

Competency
IEC 61508 Personnel Competency
“…ensuring that applicable parties involved in any of the overall E/E/PE or
software safety lifecycle activities are competent to carry out activities for which
they are accountable.” (IEC 61508, Part 1, Paragraph 6.2.1 (h))
IEC 62061 Personnel Competency
“Identify persons, departments … that are responsible for carrying out the
lifecycle activities…establish a verification plan to include the details of persons,
departments and units who shall carry out…” (IEC 62061, Paragraph 4.2.1)
www.cfse.org

Management
of
Functional
Safety
Information on
machine and its use
Risk Assessment
Determine SRCF’s
Write SRECS SRS
SRECS
SRECS integration,
SRECS Validation
1
3
2
4
Analyze

Step 1: Machine Use Considerations
Machinery phase of life
– New machinery with history of similar types
– Novel design or modification to existing machinery
Machinery limits
– Intended use(s)
– Reasonably foreseeable misuse
Operator type
– Public
– Trainees
– Trained Operators
– In each case, identify and document training records
Exposure to others not operating the machinery
1

Step 2 - Iterative hazard and risk assessment
The IEC 62061, IEC 61508 and
IEC 61511 are
Risk Based Standards
2

Tolerable Risk?
Rigorous and flexible
Consider all relevant forms of harm
Consistent with company and society practice
MoralLegal
Financial
Make plant as safe as
possible, disregard costs
Comply with regulations
as written, regardless of
cost or actual level of
risk
Build the lowest cost
plant, keep operating
budget as small as
possible
2

Examples (Source HSE UK)
0
0.005
0.01
0.015
0.02
Fatalities per Person per Year
Air
Train
Bus
Motorcycle
Chemical Industry
Smoking
2

Singapore Workplace Fatality Rate
39
Source WSHCouncil – National Statistics
2

Identify and Analyze All Possible Hazards
Use a systematic method which proactively identifies hazards
Use a “team” approach where possible
Be consistent with the method used (procedure)
Inductive methods
– Checklists
– What-if?
– Failure Mode and Effect Analysis
– Fault simulation (control systems)
Deductive methods
– Fault Tree Analysis
2

Typical hazards, hazardous situations & events
Mechanical
– Crushing, shearing, cutting/severing, entanglement, drawing-in, impact,
stabbing or puncture, friction or abrasion
Electrical
– Contact with live parts (direct/indirect), electrostatic
Thermal
– Burns, scalds
Noise
– High/Low frequency acoustic noise leading to hearing loss
Vibration
– Hand-held machines leading to neurological and vascular disorders, whole
body vibration (posture)
Radiation
– Low-frequency, radio frequency, microwaves, infra-red, UV, X and gamma
rays, lasers etc.
Air Systems / Fluids / Water - Fire Control - Natural Gas…

Estimate risk for each hazard
Risk is a measure of:
– Severity (Se)
 Reversible injury
 Non-reversible injury
 Death
– Probability of Occurrence
 Frequency and Duration of exposure (Fr)
 Probability of Occurrence (Pr)
 Probability of Avoiding or limiting (Av)
2
Consequence
Likelihood

43
Consequence
Likelihood
2

Hazard MatrixRisk Graph
Source: Screenprint exSILentia
www.exsilentia.com
2

Safeguard selection considerations
2

Likelihood example: LOPA
2

Process Design Changes
Other Safeguards
Estimated Risk (Inherent Risk)
Tolerable Level of Risk
Risk
SRCF: Safety Related Control
function
Step 3: Identify Safety Related Control Functions
(defined by Customer per application)
3

3
Step 3: Identify Safety Related Control Functions
Identify functional requirements
– E.g. Operating modes, response times, operating environment, fault
reaction function etc.
Identify safety integrity requirements
– E.g. If the guard door is open, it shall not be possible to start the
machine – Safety integrity requirement

And Assign SIL
User must specifically accept the residual risk
Qualitative SIL risk ranking matrix
– Use “worst case” assumptions
– Calculate “Class” = Fr + PR + AV
– Decide on Severity
– Look up SIL on intersecting column and row
3-4 5-7 8-10 11-13 14-15
Single Death, Losing a complete limb or eye 4 SIL2 SIL2 SIL2 SIL3 SIL3
<=1 hour
5
Very High
5
Permanent, losing finger(s) 3 OM SIL1 SIL2 SIL3
>1 hour to <=
1day
5
Likely
4
Reversible, medical attention 2 OM SIL1 SIL2
>1day to <= 2
weeks
4
Possible
3
Impossible
5
Reversible, first aid 1 OM SIL1
>2 weeks to <= 1
year
3
Rarely
2
Possible
3
>1 year
2
Negligible
1
Likely
1
Consequences Class
Cl
Severity
Se
Probability of
Hazardous event
Pr
Avoidance
Av
RISK MATRIX
Frequency
Fr
Duration >10min
Note: OM = Other Measures necessary
3

Assign SIL: Risk Matrix
3

Assign SIL: Hazard Matrix
3

Safety Integrity
Level
SIL 3
SIL 2
SIL 1
Probability of Dangerous
failure per hour
(PFHD)
≥10-8 to <10-7
≥10-7 to <10-6
≥ 10-6 to <10-5
IEC 62061 Safety Integrity Levels
Note: SIL 4 is not included in EN IEC 62061
MTTFd
1,140 to
11,400 years
114 to 1,140 years
11 to 114 Years
3

EN ISO 13849 Performance Levels
Links risk and control reliability requirements.
PL Average probability of dangerous failure per hour (1/h)
a ≥ 10-5 to < 10-4
b ≥ 3 x 10-6 to < 10-5
c ≥ 10-6 to < 3 x 10-6
d ≥ 10-7 to < 10-6
e ≥ 10-8 to < 10-7
3

Specification = Communication
How the
Customer
explained it
How it was
Sold
How it was
Designed
How it was
Built
How it was
Tested
What the
Customer
really
needed
How it was
Maintained
How it was
Billed
How it was
Installed
How it was
Documented
4

SRS Requirements
The SRS contains two types of requirements
Functional Requirements
– Description of the functions of the SF
– How it should work
Safety Integrity Requirements
– The risk reduction and reliability requirements
– How well it should work
4

Management
of
Functional
Safety
Information on
machine and its use
Risk Assessment
Determine SRCF’s
Write SRECS SRS
SRECS
SRECS integration,
SRECS Validation
5
6
Realize

Step 5: SRECS Design & Development
2 Main Requirements to be fulfilled:
1. Hardware Safety Integrity (SILPFH)
2. Architectural Constraints (SILAC)
57
5

Step 5: Hardware Safety Integrity SILPFH
Logic Solver
Sensor
Final Control
Element
Sensor
Sensor
Final Control
Element
Safety Related Control System
Subsystems
Subsystems Elements
PFHSERC = Σ PFHSub
Where to find the
Failure Rates?
5

Safety Integrity
Level
SIL 3
SIL 2
SIL 1
Probability of Dangerous
failure per hour
(PFHD)
≥10-8 to <10-7
≥10-7 to <10-6
≥ 10-6 to <10-5
IEC 62061 Safety Integrity Levels
Note: SIL 4 is not included in EN IEC 62061
MTTFd
1,140 to
11,400 years
114 to 1,140 years
11 to 114 Years
5

Safe Failure Fraction Hardware Fault Tolerance
0 1 2
< 60% Not allowed SIL1 SIL2
60% ... < 90% SIL1 SIL2 SIL3
90% ... < 99% SIL2 SIL3 SIL3
>= 99% SIL3 SIL3 SIL3
Fault Tolerance N means N+1 faults could cause a loss of the safety function.
IEC 62061 Architectural constraints
Where to find SFF?
5

IEC 62061 Architectural constraints
Safe Failure Fraction Hardware Fault Tolerance
0 1 2
< 60% Not allowed SIL1 SIL2
60% ... < 90% SIL1 SIL2 SIL3
90% ... < 99% SIL2 SIL3 SIL3
>= 99% SIL3 SIL3 SIL3
Fault Tolerance N means N+1 faults could cause a loss of the safety function.
...Defines The Required
Architecture
5

Trend toward 61508 certified products
IEC 61508 Certification is a measure of design quality.
IEC 61508 Certification provides fully justifiable equipment
selection without safety integrity documentation created
by the end user.
More and more products are getting IEC 61508 Certification
0
5
10
15
20
25
30
1996
1997
1998
1999
2000
2001
200'2
2003
2004
2005
2006
2007
Number of IEC 61508 Certified Sensors
From exida Process
Measurement Instrument
Market report
5

Automatic SRCF Verification
5

6
Step 6: SRECS Integration & Testing
Assemble sub-systems
Test correct operation of each safety function by means of an
integrated test
Document the integration tests
– Version of specification
– Version of system/software
– Acceptance criteria
– Tools, equipment for calibration
– Test results
– Discrepancies
– Changes made due to discrepancies
Install SRECS in accordance with functional safety plan

Management
of
Functional
Safety
Information on
machine and its use
Risk Assessment
Determine SRCF’s
Write SRECS SRS
SRECS
SRECS integration,
SRECS Validation
7 Operate
Maintain

7
Step 7 : Operation and Maintenance
Operator information
– Safeguards implemented
– Procedures for use
Technical Information
– Equipment description
– Overview block diagrams
– Circuit diagrams
– Enable user to develop procedures
Maintenance Information
– Log for maintenance history
– Routine actions and replacements
– Repair procedures for diagnosed faults
– Specification of required tools
– Periodic proof testing requirements

SRECS Modification (IEC 62061)
Develop a procedure for modifications to be dealt with, requiring:
– Description of modification
– Reason(s) for modification
– Authorization
– Development of a modification plan and chronological logbook for
configuration management history purposes
– Analysis of effects
– Impact on functional safety
– Re-visiting the appropriate design stage for hardware and/or
software
– Re-verification and validation activities required
– Log of activities and personnel involved in the change
– Revision of SRECS documentation, including revision levels of all
documents affected
7

Management
of
Functional
Safety
Information on
machine and its use
Risk Assessment
Determine SRCF’s
Write SRECS SRS
SRECS
SRECS integration,
SRECS Validation 8 Validate

Verification & Validation
Verification
– Activity of demonstrating for each phase of the Safety Lifecycle, by
analysis and/or tests, that, for the specific inputs, the deliverables
meet the objectives and requirements set for the specific phase.
Verification answers the question
“Did I complete this activity correctly?”
Validation
– Activity of demonstrating, by tests, that the Safety-Related System,
before or after installation, meets the Safety Requirements
Specification.
Validation answers the question
“Did I build the complete system according to specification?”
8

Summary – IEC 612061
Design and Implementation Requirements for SRECS
Compliance = fulfilling relevant Safety Requirements
Careful consideration when to use
Performance Standard
Risk Based Standard
8 Steps Safety Lifecycle Procedures

Thank You

IEC 62061 introduction

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (17)

Similaire à IEC 62061 introduction

Similaire à IEC 62061 introduction (20)

Dernier

Dernier (20)

IEC 62061 introduction