Health and Safety Executive

PABIAC
Safety-related Control Systems Workshop
KEY STANDARDS FOR ELECTRICAL & FUNCTIONAL SAFETY OF PAPERMAKING MACHINES: APPLICATION & USE
Steve Frost
HM Principal Electrical Inspector
Northern Specialist Group

What I'll cover

- Background & introduction
- An overview of key standards
- Methodology & key principles
- Relationship between BS EN 954-1 & BS EN 62061
- Way forward

BACKGROUND & INTRODUCTION

- Traditionally, interlocking schemes based on electromechanical technologies have been used to eliminate hazards at machinery;
- Advances in machinery and control systems design have led to the widespread introduction of complex electronics, to facilitate increased automation and to implement safety functions;
- It is important to deal effectively with the functional safety of complex electrotechnical control systems: the technical framework is set out in IEC 61508/EN 61508.
- Functional safety is applicable across the wide range of machinery used throughout manufacturing industry.
- There is a legal requirement for machinery to be SAFE: use of appropriate standards can help to provide a presumption of conformity.

AN OVERVIEW OF KEY STANDARDS: ELECTRICAL SAFETY

BS EN 60204-1 (Ed 5)
- New edition published in mid-2006
- Retained status as a harmonised standard under the Machinery Directive
- Largely unchanged from 1997 (4th) edition
- But... there are some changes that will have significance

AN OVERVIEW OF KEY STANDARDS: ELECTRICAL SAFETY

Some of these are:
- Machine isolating (disconnecting) device can be any device that conforms with the isolation requirements set out in IEC 60947-1/BS EN 60947-1;
- Changes to the measures that can be applied for protection against electric shock;
- More detail on the protective bonding circuit;
- Introduction of requirements for functional bonding: protection against earth leakage currents;
- Emergency stop at Cat. 0 or 1 can be performed by electrical and/or electronic means, which then need to satisfy the requirements of sub-clause 9.4 (Control functions in the event of failure).

AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY

- Functional safety of control systems has been an important development;
- EHSRs (the Essential Health and Safety Requirements of the Machinery Directive) specifically cover this subject for machinery safety;
- Issue complicated by differing standards and their application by groups such as Notified Bodies and 3rd party assessors;
- Presently the following standards can be applicable:
  - BS EN 954-1:1997 (aka ISO 13849-1:1999)
  - BS EN ISO 13849-2:2004
  - BS EN 62061:2005
  - BS EN 61508 series
  - prEN ISO 13849-1 (incorrectly)

AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY

BS EN 62061
- Published as a European Standard in May 2005
- Harmonised under the Machinery Directive
- Sector implementation of IEC/EN 61508
- Simplification of some aspects of IEC/EN 61508 for application to machinery and industrial automation
- Performance of safety-related E/E/PE control systems described in terms of SILs (only up to SIL 3)

AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY

Objectives of the 62061 development:
- To provide an unambiguous method for a meaningful quantitative/qualitative assessment of safety-related electrical control systems on machines;
- To add to the existing structural approach (BS EN 954-1 categories) by including RELIABILITY and SYSTEMATIC measures;
- To provide flexibility of functionality and technology to optimise safety AND productivity;
- To introduce the concept of Safety Integrity Levels (SILs) and functional safety management into the Machinery Sector for the specification, design and integration of safety-related electrical control systems.

AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY

BS EN 954-1 (aka ISO 13849-1:1999)
- Introduced in 1997, based on the principles of earlier German national standards
- Based on parts of control systems
- Methodology uses fault resistance, architecture and reliability of components
- Performance of safety-related parts described in terms of Categories (B, 1, 2, 3, 4)
- Presently undergoing extensive revision

AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY

BS EN 954-1 (Advantages & limitations)
- Applicable to safety-related parts of control systems based on all operating media: electrical*, mechanical, pneumatic, hydraulic;
- Designated Categories B, 1, 2, 3, 4: qualitative, non-hierarchical, described in terms of:
  - component reliability (fault avoidance)
  - system structure: fault tolerance (redundancy) & fault detection (monitoring)

AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY

BS EN 954-1 (Advantages & limitations) contd.
Some limitations are:
- Categories are not a comprehensive measure of safety integrity
- Not suitable for complex control systems such as those based on programmable electronic technology
- Emphasis on satisfying category requirements rather than achieving safety
- Lack of guidance on management of functional safety
- Considered most applicable to low complexity systems, in which the failure modes of components are well defined and the behaviour of the system under fault conditions can be completely determined.
Also see EN 954-2 (validation) & PD CR 954-100 (Guidance)

AN OVERVIEW OF KEY STANDARDS: FUNCTIONAL SAFETY

[Slide banner, partially recoverable: BS EN 954-1 remains applicable, although the timescale is unclear]

Revision of BS EN 954-1 (prEN ISO 13849-1)
- Substantial revision of the existing standard
- Categories remain but are defined in terms of designated architectures
- Software development included, referring in part to BS EN 61508
- Performance of safety-related parts described in terms of Performance Levels (a, b, c, d, e)

METHODOLOGY & KEY PRINCIPLES

Both BS EN 954-1 and BS EN 62061 start from a similar point:
1. Risk assessment using EN 1050/ISO 14121
2. Risk reduction by safety-related control function?
   No  -> No need to use the key standards
   Yes -> continue with step 3
3. Risk assessment for the safety performance target (Category to BS EN 954-1 or SIL to BS EN 62061)
4. Develop and validate the safety requirements specification
5. Design of the safety-related control system using the appropriate standard(s)

BS EN 954-1 Risk graph

BS EN 62061 SIL Assignment

Risk assessment and safety measures (form)
Document No.:   Product:   Issued by:   Date:
Part of: Pre risk assessment / Intermediate risk assessment / Follow up risk assessment
Columns: Ser. No. | Hzd. No. | Hazard | Se | Fr | Pr | Av | Cl | Safety measure | Comments

Black area = Safety measures required
Grey area = Safety measures recommended

Consequences                       Severity (Se)
Death, losing an eye or arm        4
Permanent, losing fingers          3
Reversible, medical attention      2
Reversible, first aid              1

Frequency and duration of exposure (Fr)   Probability of hzd. event (Pr)   Avoidance (Av)
<= 1 hour                 5               Common       5                   Impossible   5
> 1 h - <= 1 day          5               Likely       4                   Possible     3
> 1 day - <= 2 wks        4               Possible     3                   Likely       1
> 2 wks - <= 1 yr         3               Rarely       2
> 1 yr                    2               Negligible   1

Class Cl = Fr + Pr + Av

Se    Cl 3-4    Cl 5-7    Cl 8-10    Cl 11-13    Cl 14-15
4     SIL 2     SIL 2     SIL 2      SIL 3       SIL 3
3               OM        SIL 1      SIL 2       SIL 3
2                         OM         SIL 1       SIL 2
1                                    OM          SIL 1

CORRELATION BETWEEN REQUIRED CATEGORIES AND SILS: MPS PART 6 (EDITION 2:2005)

As an approximation, the relationship between the required Categories and SILs assigned to safety-related control functions to be implemented by electrical, electronic or programmable electronic safety-related control systems at a typical machine may be considered as follows.

Category of safety-related control function    Target failure measure for safety-related control
in accordance with BS EN 954-1                 function in accordance with BS EN 61508/BS EN 62061
1 or 2                                         SIL 1
3                                              SIL 2
4                                              SIL 3

SELECTION OF STANDARDS

Select the standard according to the technology of the safety-related parts:
- Mechanical / Pneumatic / Hydraulic -> Design using BS EN 954-1
- Electrical/Electronic/Programmable Electronic Systems:
  - Low complexity systems* -> Design using BS EN 954-1
  - Systems of higher complexity -> Design using BS EN 62061 (Hardware, Software, Validation)

* "Low complexity" systems are those in which the failure modes of components are well defined and the behaviour of the system under fault conditions can be completely determined.

BS EN 62061: METHODOLOGY & KEY PRINCIPLES

System = INPUT -> LOGIC SOLVING -> OUTPUT
(each block is a subsystem, itself made up of subsystem elements)

Subsystem: an element in the top-level architectural design of the SRECS where a failure of any subsystem will result in a failure of the safety-related control function.

BS EN 62061: METHODOLOGY & KEY PRINCIPLES

What is involved in designing to achieve a SIL?
At system level (INPUT -> LOGIC SOLVING -> OUTPUT):
1) Requirements to achieve SYSTEMATIC INTEGRITY
2) Probability of RANDOM HARDWARE FAILURE (PFHD)
3) ARCHITECTURAL CONSTRAINTS
4) Requirements for BEHAVIOUR ON DETECTION OF A FAULT

BS EN 62061: METHODOLOGY & KEY PRINCIPLES (EXAMPLE FOR PFHD)

Probability of DANGEROUS RANDOM HARDWARE FAILURE (PFHD)
Example for SIL 2

System PFHD requirement: >= 10^-7 to < 10^-6 (dangerous failures per hour)

(Using data provided by subsystem manufacturers)

Subsystem 1: PFHD = 1 x 10^-7
Subsystem 2: PFHD = 2 x 10^-7
Subsystem 3: PFHD = 1 x 10^-7
Subsystem 4: PFHD = 2 x 10^-7

(1 x 10^-7) + (2 x 10^-7) + (1 x 10^-7) + (2 x 10^-7) = 6 x 10^-7, which lies within the SIL 2 band.

BS EN 62061: METHODOLOGY & KEY PRINCIPLES

ARCHITECTURAL CONSTRAINTS
6.6.3.3 Architectural constraints
The SIL achieved by the SRECS according to the architectural constraints is less than or equal to the lowest SILCL of any subsystem (see 6.7.6) involved in the performance of the SRCF.

Safe failure fraction    Hardware fault tolerance (see note 1)
(provided by subsystem   0                          1                    2
manufacturer)
< 60 %                   Not allowed (see note 3)   SIL1                 SIL2
60 % - < 90 %            SIL1                       SIL2                 SIL3
90 % - < 99 %            SIL2                       SIL3                 SIL3 (see note 2)
>= 99 %                  SIL3                       SIL3 (see note 2)    SIL3 (see note 2)

NOTE 1 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
NOTE 2 A SIL 4 claim limit is not considered in this standard. For SIL 4 see IEC 61508.
NOTE 3 Exception: see 6.7.7.
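An added example (not from the presentation or the standard) that puts the three hardware checks just described together for one safety-related control function: sum the subsystem PFHD values against the SIL band, apply the SFF/HFT architectural constraint table, and cap the result at the lowest subsystem SILCL. The PFHD figures are the slide's SIL 2 worked values; the subsystem names, SFF, HFT and SILCL values are assumed for illustration.

```python
# PFHD bands (dangerous failures per hour) for SIL 1..3; SIL 4 is out of scope
PFHD_BANDS = [(3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

# Architectural constraints (clause 6.6.3.3 table): upper SFF bound ->
# achievable SIL for hardware fault tolerance 0, 1, 2. None = not allowed.
ARCH_TABLE = [
    (0.60, (None, 1, 2)),  # SFF < 60 %
    (0.90, (1, 2, 3)),     # 60 % <= SFF < 90 %
    (0.99, (2, 3, 3)),     # 90 % <= SFF < 99 %
    (None, (3, 3, 3)),     # SFF >= 99 %
]

def sil_from_pfhd(total_pfhd):
    """Place the summed system PFHD in a SIL band; None if outside SIL 1..3."""
    for sil, lower, upper in PFHD_BANDS:
        if lower <= total_pfhd < upper:
            return sil
    return None

def sil_from_architecture(sff, hft):
    """SIL permitted by SFF and hardware fault tolerance (HFT >= 2 treated as 2)."""
    column = min(hft, 2)
    for sff_upper, sils in ARCH_TABLE:
        if sff_upper is None or sff < sff_upper:
            return sils[column]

def achievable_sil(subsystems):
    """Lowest of: PFHD band, each subsystem's architectural SIL, each SILCL.
    None if the PFHD sum is outside SIL 1..3 or any SFF/HFT pair is not allowed."""
    total = sum(s["pfhd"] for s in subsystems)
    limits = [sil_from_pfhd(total)]
    for s in subsystems:
        limits.append(sil_from_architecture(s["sff"], s["hft"]))
        limits.append(s["silcl"])
    return None if None in limits else min(limits)

# Constructed SRCF: the slide's four PFHD values, each with an assumed SFF,
# HFT and SIL claim limit as they would appear on a manufacturer's data sheet.
SRCF = [
    {"name": "guard door switch", "pfhd": 1e-7, "sff": 0.95, "hft": 1, "silcl": 3},
    {"name": "safety PLC",        "pfhd": 2e-7, "sff": 0.99, "hft": 0, "silcl": 3},
    {"name": "speed monitor",     "pfhd": 1e-7, "sff": 0.92, "hft": 0, "silcl": 2},
    {"name": "drive contactor",   "pfhd": 2e-7, "sff": 0.75, "hft": 1, "silcl": 2},
]

if __name__ == "__main__":
    print(sum(s["pfhd"] for s in SRCF), achievable_sil(SRCF))  # ~6e-07, 2
```

Lowering any one subsystem's SILCL, or giving the contactor SFF below 60 % with no fault tolerance, drags the whole SRCF down, which is why the slides insist on subsystems packaged with their safety data.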

RELATIONSHIP BETWEEN BS EN 954-1 & BS EN 62061

It is assumed that subsystems with the stated category have the characteristics given below.

BS EN 954-1    BS EN 62061 / BS EN 61508
Category       Hardware fault tolerance    DC             PFD threshold (per hour) that can be claimed for the subsystem (1)
1              0                           0 %            To be provided by supplier or use generic data (see Annex E)
2              0                           60 ... 90 %    10^-5
3              1                           60 ... 90 %    10^-6
4              > 1                         60 ... 90 %    10^-7
4              1                           > 90 %         10^-7

(1) PFD(MTTF_subsystem, T_test, DC)

WAY FORWARD

- BS EN 62061 provides a complete explanation of functional safety rationale and has been developed to take account of BS EN 954-1.
- A structured and systematic design approach from concept to reality has to be applied regardless of the standard selected.
- System designers/integrators should look for subsystems packaged for functional safety: not just logic solvers, but also input sensors and output actuators.

WAY FORWARD

Links to other existing and developing standards:
- Essential guidance on issues related to safety-related control systems at papermaking machinery is provided in the PABIAC publication Making paper safely Part 6: Managing safety in the papermaking process (Edition 2:2005).
- Liaison has been established between 62061 and 13849-1 to align approaches and facilitate possible future integration of both standards into a single publication (more on this later).

BEFORE FINISHING, IF TIME ALLOWS: A QUICK WORD ON SIL ASSIGNMENT

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061

Consider the following situation at a papermaking machine.

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061

Description of hazard:
Trapping/entanglement in the event of unexpected start-up whilst personnel are attempting to remove broken paper

Description of SRCF:
If the guard door is open, the speed of shaft rotation shall not be higher than specified

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061

Risk estimation:
- Severity (Se): Se = death/loss of limb = 4
- Frequency and duration of exposure (Fr): Fr = > 1 day to 2 weeks = 4
- Probability (Pr): Pr = possible = 3
- Probability of avoiding or limiting harm (Av): Av = rarely = 3

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061

SIL assignment
Probability of occurrence of harm (Class):
Cl = Fr + Pr + Av
Cl = 4 + 3 + 3 = 10

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061

SIL assignment

Severity (Se)    Class (Cl)
                 3-4       5-7       8-10      11-13     14-15
4                SIL 2     SIL 2     SIL 2     SIL 3     SIL 3
3                          OM        SIL 1     SIL 2     SIL 3
2                                    OM        SIL 1     SIL 2
1                                              OM        SIL 1

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061

SIL assignment
Probability of occurrence of harm (Class):
Cl = Fr + Pr + Av
Cl = 4 + 3 + 3 = 10

With Se = 4 and Cl = 10, the matrix gives:

SRCF: If the guard door is open, the speed of shaft rotation shall not be higher than specified
Safety integrity requirement: SIL 2

PRACTICAL EXAMPLE OF SIL ASSIGNMENT METHODOLOGY FROM ANNEX A OF BS EN 62061

What next?

Risk estimation is an iterative process, which means that it will need to be carried out more than once. This should ensure that residual risk is effectively minimised.
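An added example (not from the presentation or the standard) that encodes the Annex A SIL assignment walked through above: the Se, Fr, Pr and Av point scales from the risk assessment slide, Cl = Fr + Pr + Av, and the Se x Cl matrix. The descriptive labels are the slide's; the function names are assumptions.

```python
# Point scales as shown on the "Risk assessment and safety measures" slide
SE_POINTS = {"death, losing an eye or arm": 4, "permanent, losing fingers": 3,
             "reversible, medical attention": 2, "reversible, first aid": 1}
FR_POINTS = {"<= 1 hour": 5, "> 1 h - <= 1 day": 5, "> 1 day - <= 2 weeks": 4,
             "> 2 weeks - <= 1 year": 3, "> 1 year": 2}
PR_POINTS = {"common": 5, "likely": 4, "possible": 3, "rarely": 2,
             "negligible": 1}
AV_POINTS = {"impossible": 5, "possible": 3, "likely": 1}

# Class bands (columns) and the Se x Cl matrix (rows Se 4..1).
# "OM" = other measures recommended; None = no measure required by the matrix.
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None,    "OM",    "SIL 1", "SIL 2", "SIL 3"],
    2: [None,    None,    "OM",    "SIL 1", "SIL 2"],
    1: [None,    None,    None,    "OM",    "SIL 1"],
}

def probability_class(fr, pr, av):
    """Cl = Fr + Pr + Av, after checking each score is on its Annex A scale."""
    if (fr not in FR_POINTS.values() or pr not in PR_POINTS.values()
            or av not in AV_POINTS.values()):
        raise ValueError("score is not on the Annex A scale")
    return fr + pr + av

def assign_sil(se, fr, pr, av):
    """Look up the SIL requirement for numeric Se, Fr, Pr, Av scores."""
    if se not in SIL_MATRIX:
        raise ValueError("Se must be 1..4")
    cl = probability_class(fr, pr, av)
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise ValueError("Cl outside 3..15")

def assess(severity, exposure, probability, avoidance):
    """Same lookup from the slide's descriptive labels."""
    return assign_sil(SE_POINTS[severity], FR_POINTS[exposure],
                      PR_POINTS[probability], AV_POINTS[avoidance])

if __name__ == "__main__":
    # The slide's worked case: Se 4, Fr 4, Pr 3, Av 3 -> Cl 10 -> SIL 2
    print(probability_class(4, 3, 3), assign_sil(4, 4, 3, 3))
```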

Thank you

... ANY QUESTIONS??