Change is constant. That’s especially true when you’re talking about machinery safety standards. Though safety standards have continued to change throughout manufacturing history, the most recent wave of revisions enhances our way of thinking when it comes to machine safety design.
Historically, most standards have been prescriptive in nature and have provided guidance about the structure of control systems to ensure they meet the safety requirements. By using the principles of redundancy, diversity and diagnostics, levels of safety system “structures” were conceived to help ensure that the safety function would be performed. But an important element was missing.
Every safety system uses the basic premise that there exists a finite possibility of failure. Some of those failures might be safe, but some could lead to danger. If you asked machine operators whether they would be more comfortable with a Category 2 (a single-channel) safety system or a Category 4 (redundant) safety system, they’d most likely answer Category 4. But, if you asked again whether an operator would be more comfortable with a Category 2 system that is likely to fail to danger once in 30 years or a Category 4 system that has a mean-time-to-dangerous-failure of only one year, you might get a different answer. The missing element is time. Essentially, the time element adds a confidence factor that the safety system is going to perform properly today and tomorrow. In other words, we have more information and, therefore, more confidence about the safety function’s reliability.
|Safe failure fraction|Hardware fault tolerance 0|Hardware fault tolerance 1|Hardware fault tolerance 2|
|---|---|---|---|
|60% - <90%|SIL1|SIL2|SIL3|
|90% - <99%|SIL2|SIL3|SIL3|

Table 1. The safety integrity level (SIL) is a function of hardware fault tolerance and the safe failure fraction (the share of failures that are safe or are detected by diagnostics).
Applying time to standards
Functional safety builds on the existing safety structure approach by adding a time element. This element is known as the probability of dangerous failure, and its inverse is called the mean-time-to-dangerous-failure. This time element causes more upfront pain for safety component suppliers, but should result in less pain for machine operators and — surprisingly — safety system designers.
Before we get into this, we must discuss two important standards: ISO13849-1:2006 and IEC62061:2005. Both apply the time element to machinery safety systems. ISO13849-1:2006 builds on the “categories” of safety structure, whereas IEC62061 builds on the foundation underlying those categories, which it calls hardware fault tolerance. A third element, not new at all, is added to the picture to give safety system designers more flexible, less painful ways to meet the safety requirements: diagnostics. Putting these three elements together (time, fault tolerance and diagnostics) yields a time-sensitive level of integrity for a safety system. IEC62061 uses the term safety integrity level (SIL); only three SILs apply to machine systems: SIL1, SIL2 and SIL3. ISO13849-1:2006 uses the term performance level (PL), with levels lettered PLa through PLe.
How it all comes together
Starting with IEC62061, the secret is given away in Table 1.
Figure 1. The performance level is a function of the mean-time-to-dangerous-failure and the diagnostic coverage.
Suppose the risk assessment determines that a SIL2 rating is needed. Table 1 gives three options for achieving SIL2; the trade-off is hardware fault tolerance against diagnostics. With zero fault tolerance, 90-99% of the failures that occur must be safe failures. If a single-channel system with appropriate diagnostics is too difficult or expensive to achieve, a single-fault-tolerant structure with less diagnostic coverage can be tried. The third alternative is a two-fault-tolerant system with little or no diagnostics (less than 60% safe failures). Figure 1 shows the corresponding relationships for ISO13849-1.
For example, let’s assume the risk assessment demands performance level PLd. Figure 1 reveals four alternatives. A Category 2 (zero-fault-tolerant) structure with a very high mean-time-to-dangerous-failure and low diagnostic coverage might be the least-expensive solution. At the other end of the spectrum, a Category 3 (single-fault-tolerant) system with medium diagnostic coverage might turn out to be the ideal solution. This gives designers what they need: flexibility in how they achieve their safety requirements.
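As an added worked example (not from the article or either standard), the following Python computes the two quantities behind Table 1 for a constructed single channel, the safe failure fraction (SFF, the IEC 61508 definition: safe plus dangerous-detected failures over all failures) and the mean time to dangerous failure, and then enumerates every hardware-fault-tolerance/diagnostic-coverage combination that reaches a target SIL. The failure rates and the three-part channel are invented values, and the lookup encodes only the Table 1 entries the article states, returning None for anything else.

```python
# Added example, not article code: SFF and MTTFd for one channel from constructed
# component data, then the Table 1 routes (as the article gives them) to a target SIL.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760

@dataclass
class Component:
    name: str
    lam: float        # total failure rate in failures per hour (constructed value)
    dangerous: float  # fraction of failures that are dangerous, 0..1
    dc: float         # diagnostic coverage of the dangerous failures, 0..1

def channel_metrics(parts):
    """Return (sff, mttfd_years) for a single channel built from `parts`.
    SFF = (safe + dangerous-detected) / all failures; MTTFd = 1 / dangerous rate."""
    lam_s = sum(p.lam * (1 - p.dangerous) for p in parts)
    lam_d = sum(p.lam * p.dangerous for p in parts)
    lam_dd = sum(p.lam * p.dangerous * p.dc for p in parts)
    sff = (lam_s + lam_dd) / (lam_s + lam_d)
    return sff, 1.0 / lam_d / HOURS_PER_YEAR

def sil_from_table1(hft, sff):
    """Table 1 of the article: SIL by hardware fault tolerance (0, 1, 2) and SFF band.
    Only the entries the article states are encoded; other combinations give None."""
    if 0.60 <= sff < 0.90:
        return {0: 1, 1: 2, 2: 3}.get(hft)
    if 0.90 <= sff < 0.99:
        return {0: 2, 1: 3, 2: 3}.get(hft)
    if sff < 0.60 and hft == 2:
        return 2  # the article's third route to SIL2: two-fault-tolerant, few diagnostics
    return None

def with_diagnostics(parts, dc):
    """Same hardware, with diagnostic coverage `dc` applied to every part."""
    return [Component(p.name, p.lam, p.dangerous, dc) for p in parts]

def routes_to_sil(parts, target, dc_options=(0.0, 0.6, 0.9)):
    """List (hft, dc, sff) combinations that reach `target` under Table 1."""
    routes = []
    for dc in dc_options:
        sff, _ = channel_metrics(with_diagnostics(parts, dc))
        for hft in (0, 1, 2):
            if sil_from_table1(hft, sff) == target:
                routes.append((hft, dc, round(sff, 3)))
    return routes

# Constructed channel: sensor, logic solver and output contactor, no diagnostics yet.
CHANNEL = [
    Component("safety sensor", 2.0e-6, 0.5, 0.0),
    Component("logic solver", 1.0e-6, 0.5, 0.0),
    Component("output contactor", 1.0e-6, 0.5, 0.0),
]
```

For this channel `routes_to_sil(CHANNEL, 2)` returns the article's three alternatives in turn: two-fault-tolerant with no diagnostics (SFF 0.5), single-fault-tolerant with 60% coverage (SFF 0.8), and single-channel with 90% coverage (SFF 0.95).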
Minimizing potential for systematic faults
Functional safety doesn’t stop at random hardware failures. Additional elements also must be taken into consideration, such as common-cause failure. This particular element has been discussed in standards going back to at least the 1980s. Functional safety takes the discussion to the next level by applying a scoring system that steers the safety system design toward minimizing the potential for systematic faults. A certain point value is awarded for steps such as segregating signal paths, having design expertise, considering environmental compatibility, and the designer’s training and competence. Accumulating a specified number of points is taken as having achieved adequate protection against systematic failures. The concepts are the same, but the scoring values differ between IEC62061 and ISO13849-1:2006.