Functional safety requirements for industrial machinery
Understanding the functional safety requirements for industrial machinery
Functional safety in practice
The basic concepts of functional safety have been in place for a long time. The principles of functional safety protect users of any form of equipment from harm or injury during its use. The scope of functional safety is wide and varied, ranging from industrial machinery to domestic appliances, autonomous vehicles and cranes. As consumers, we perhaps take safety for granted in our homes. Electro-mechanical appliances such as washing machines, touch-controlled induction hobs, and gas central heating boilers all have aspects of their operation that could create potential hazards resulting in injury or harm. The same can be said for electronically controlled and electro-mechanically operated functions in a semi or fully automated vehicle.
Functional safety standards exist to provide the necessary regulations and compliance testing requirements for a wide variety of different equipment. Human operators and users are protected at all times from hazards associated with potential failure, unexpected equipment behaviour, or equipment misuse.
Functional safety in the industrial manufacturing environment
With the increasing emphasis on industrial operational effectiveness improvement through initiatives such as Industry 4.0, smart factories, and the Industrial Internet of Things (IIoT), automated systems and machinery form a significant part of any industrial manufacturing process. Industrial robots have typically operated inside metal cages that significantly reduce potential safety hazards for human workers. However, the increasing adoption of collaborative robots, also known as cobots, dramatically increases the risks and hazards as they work alongside skilled human counterparts. Functional safety protects workers from equipment hazards by using a formal, comprehensive and holistic approach to identifying and analysing dangerous conditions that may occur and the consequences for operator safety. Overall, functional safety is a measure of the confidence that a machine or system will immediately implement safety and operator protection measures when needed.
Functional safety standards for industrial machinery
The primary functional safety standard for electrical, electronic and electro-mechanical equipment is IEC 61508. First published in 1998, its principles have formed the basis for sector-specific safety standards ranging from ISO 26262 for automotive systems to IEC 60601 for medical appliances. Figure 1 highlights some of the safety standards derived from IEC 61508.
Figure 1 - Functional safety standards adapted from IEC 61508
Within the industrial domain, the functional safety standards of interest include IEC 62061 for machinery, IEC 61800-5-2 for variable speed drives, IEC 61131-6 for programmable logic controllers, and IEC 61511 for process control applications. ISO 13849 is another relevant standard that covers the safety of machinery operation. Unlike the other industrial sector standards, it is not derived from IEC 61508. It covers the operation of safety-related functions of industrial control equipment and has a broader, technology-agnostic remit that includes non-electrically implemented safety functions such as mechanical, hydraulic and pneumatic ones. IEC 62061 is the machinery-specific adaptation of IEC 61508 and applies to all types and aspects of safety functions provided by electrical control systems. The ISO 10218 standard, initially ratified in 2011, covers the safety requirements for industrial automation robots and cobots.
A planned merger of the ISO 13849 and IEC 62061 standards into a single harmonized industrial functional safety specification, IEC 17305, has now been cancelled due to the complexities involved.
The decision to seek compliance against IEC 62061 or ISO 13849 is not clear-cut but is primarily based on the application. IEC 62061, with its focus on electrical and electronic systems, is suited to more complex and sophisticated machinery. For non-electrical simple safety functions, ISO 13849 is recommended.
Across the standards, there are two fundamental concepts involved: safety functions and safety integrity levels.
A safety function involves any action or operation required to ensure the safe running of the equipment. It typically involves some form of sensor, a control circuit, and a mechanism to maintain safety integrity. For example, on a hydraulically operated press, a Hall-effect sensor detects whether a safety cage or barrier surrounds the press workspace. Should the operator attempt to actuate the press without the safety cage in place, the control system prevents the press from operating. The hazardous, unsafe state (the press operating without the safety barrier in place) is turned into a safe state by the control system preventing the press from operating. These actions define the primary safety function; however, the timing between these interrelated actions is crucial, particularly if separate controllers are used for the sensing and the control actions. The signal from the sensor on the safety barrier must be able to prevent the press from operating whenever required. The confidence that the safety function will be invoked every time an unsafe state is detected is also paramount. The degree of confidence that the safety functions will operate as planned, together with the degree of risk involved, is expressed as safety integrity levels (SIL) within IEC 61508 and its derivatives, and as performance levels (PL) within ISO 13849.
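The press safety function described above, as an added example that is not code from the article or from any controller vendor: the barrier sensor's reading, its age, and the operator's request are combined so that every path other than "requested, barrier positively closed, reading fresh" ends in the safe state. The sensor states, the valve command and the 50 ms freshness budget are assumptions made for the illustration, and the age check is what gives the timing between sensing and control a concrete meaning when the two run on separate controllers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the article or any vendor): a fail-safe safety
 * function for the hydraulic press described above. The sensor interface,
 * the timing budget and the state names are assumptions for illustration. */

/* What the controller knows about the barrier. A reading can be positively
 * "closed", positively "open", or invalid (wire break, out-of-range value,
 * failed checksum); only the first permits operation. */
typedef enum { BARRIER_CLOSED, BARRIER_OPEN, BARRIER_INVALID } barrier_state_t;

typedef enum { VALVE_BLOCKED = 0, VALVE_ENERGISED = 1 } valve_cmd_t;

/* Assumed timing budget: a barrier reading older than this is treated as
 * stale, which matters when sensing and control run on separate controllers
 * joined by a link that can delay or drop messages. */
#define BARRIER_MAX_AGE_MS 50u

/* The safety function proper. Every path that is not "operator requested,
 * barrier positively closed, reading fresh" ends in the safe state. */
valve_cmd_t press_safety_function(barrier_state_t state,
                                  uint32_t reading_ms,   /* time the reading was taken */
                                  uint32_t now_ms,       /* controller time now */
                                  bool operator_request)
{
    valve_cmd_t cmd = VALVE_BLOCKED;        /* safe default */

    if (operator_request) {
        /* Unsigned subtraction gives the correct age even when the 32-bit
         * millisecond counter has rolled over between the two timestamps. */
        uint32_t age_ms = now_ms - reading_ms;

        if ((state == BARRIER_CLOSED) && (age_ms <= BARRIER_MAX_AGE_MS)) {
            cmd = VALVE_ENERGISED;
        }
    }
    return cmd;
}

int main(void)
{
    /* Constructed cases: the same operator request, different barrier evidence. */
    const uint32_t now = 1010u;
    printf("closed, fresh  -> %d\n", press_safety_function(BARRIER_CLOSED,  1000u, now, true));
    printf("closed, stale  -> %d\n", press_safety_function(BARRIER_CLOSED,   900u, now, true));
    printf("open, fresh    -> %d\n", press_safety_function(BARRIER_OPEN,    1000u, now, true));
    printf("invalid, fresh -> %d\n", press_safety_function(BARRIER_INVALID, 1000u, now, true));
    printf("timer rollover -> %d\n", press_safety_function(BARRIER_CLOSED, 0xFFFFFFF0u, 5u, true));
    return 0;
}
```

The point of the three-valued sensor state is that "not open" is never treated as "closed": a broken wire or a corrupted frame is an invalid reading and blocks the valve, exactly as an open barrier does. The rollover case shows why the age is computed with unsigned arithmetic rather than by comparing absolute timestamps.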
Within the IEC 61508 derived standards, four safety integrity levels define the degree of risk reduction required to reduce the risks involved to an acceptable level. For the industrial domain, where the context of risk is usually limited to a single person, typically a machinery operator, the first three SIL apply: SIL1, SIL2, and SIL3. For ISO 13849 the safety performance levels (PL) A, B, C, D and E are referenced, and with each there is a loose correlation to the respective SIL levels. See Table 1.
SIL | Consequence of a dangerous failure
4   | Potential for large-scale fatalities
3   | Potential for multiple fatalities
2   | Potential for injuries or fatalities on-site
1   | Potential for minor injuries on-site
Table 1 - Safety Integrity Levels as defined by IEC 61508
Within a safety function, all the parts, including the sensors, control system, and actuators, are collectively examined to determine the probability and frequency of failure. For example, the consequences of the safety barrier sensor failing indicate the degree of risk involved. If the sensor fails in our hydraulic press example, the consequences could be the permanent loss of an operator's arm or fingers. A failure that might occur daily demands a higher SIL than one that might happen only once every couple of years. SILs are assigned based on the probability of such dangerous failures per hour (PFH) and the severity of the risk. SIL 1, for example, has a defined range of > 10^-6 to < 10^-5 PFH, or one failure in 100,000 hours (11.4 years). SIL 3 is > 10^-8 to < 10^-7 PFH, or one failure per 10,000,000 hours.
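The collective examination of a safety function's parts, as an added example that is not code from the article or from any standard's text: the dangerous-failure rates of the sensor, the logic solver and the final element are summed into a PFH for the whole function and placed in the SIL bands quoted above. The subsystem figures are constructed, and the band lower bounds are treated as inclusive, as in the IEC 61508 tables.

```c
#include <stdio.h>

/* Added example (not from the article or any standard's text): combining the
 * dangerous-failure rates (PFH) of a safety function's subsystems and placing
 * the result in the IEC 61508 SIL bands. The subsystem figures are constructed. */

#define HOURS_PER_YEAR 8760.0

/* SIL for a given PFH (dangerous failures per hour, high-demand or
 * continuous mode). Band lower bounds are inclusive, as in the standard's
 * table. Returns 0 when the PFH is too high to claim even SIL 1. */
int sil_from_pfh(double pfh)
{
    int sil;
    if (pfh >= 1e-5) {
        sil = 0;                 /* 1e-5 or worse: no SIL claimable */
    } else if (pfh >= 1e-6) {
        sil = 1;
    } else if (pfh >= 1e-7) {
        sil = 2;
    } else if (pfh >= 1e-8) {
        sil = 3;
    } else {
        sil = 4;                 /* the standard defines no level above SIL 4 */
    }
    return sil;
}

/* PFH of the whole function: sensor + logic solver + final element. Summing
 * the independent subsystems' PFH is the first-order approach IEC 61508-2
 * takes, and it is why the weakest part alone rarely tells the whole story. */
double safety_function_pfh(double sensor, double logic, double actuator)
{
    return sensor + logic + actuator;
}

/* Mean interval between dangerous failures, in years, for a given PFH. */
double years_between_dangerous_failures(double pfh)
{
    return (1.0 / pfh) / HOURS_PER_YEAR;
}

int main(void)
{
    /* Constructed: each subsystem on its own sits inside the SIL 2 band. */
    double sensor = 4e-7, logic = 4e-7, actuator = 4e-7;
    double total = safety_function_pfh(sensor, logic, actuator);

    printf("sensor alone  : SIL %d\n", sil_from_pfh(sensor));
    printf("whole function: PFH %.2e, SIL %d, ~%.1f years between dangerous failures\n",
           total, sil_from_pfh(total), years_between_dangerous_failures(total));
    printf("SIL 1 upper bound 1e-5: ~%.1f years\n", years_between_dangerous_failures(1e-5));
    return 0;
}
```

Running it shows the trap the paragraph hints at: three subsystems that each individually qualify for SIL 2 add up to a function that only reaches SIL 1, so a SIL claim has to be made for the whole sensor-to-actuator chain, not for its best component.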
Safety function failures in hardware and software
From programmable logic controllers to sophisticated cobots, today's industrial control systems employ embedded systems to implement operating functionality and safety functions. Microprocessors and microcontrollers and their associated software provide the core processing elements in such systems. Together, the hardware circuitry and the software design of control systems need careful review. Each has multiple failure points that require independent verification and assessment.
Functional safety and hardware design
Microprocessors and microcontrollers, together with various sensors, from MEMS accelerometers and environmental sensors to video cameras, make up any control system's primary components. For functional safety compliance, using complex ICs such as microprocessors and sensors that incorporate internal functional safety elements in their design dramatically simplifies the development process. Most major semiconductor companies now supply ICs that have been designed to comply with IEC 61508 and include an independent design verification certificate and safety manual. Likewise, many sensor ICs have been developed with functional safety as an intrinsic part of the design. For the semiconductor vendor, this can involve a significant investment in development time and costs. Despite the IC's premium price, it gives the cobot designer, for example, the opportunity to save considerable design effort and the additional circuitry that would otherwise be needed to monitor the IC's operation.
In practice, this means the functional safety compliant ICs monitor themselves and alert the associated embedded software to failure conditions that could otherwise result in unexpected, potentially dangerous and unplanned behaviour.
A variety of IC design techniques are employed by semiconductor manufacturers to implement functional safety features in their devices. These can include using two separate processor cores on a single die, each comparing the other's behaviour, redundant processor cores operating in parallel, and on-chip diagnostic functions that oversee device operation.
Embedded software design for functional safety
IEC 61508 Part 3 stipulates the use of formal software design architectures, validation and testing as a core part of implementing functional safety. Figure 2 indicates the IEC 61508 software life cycle process for validating software and the system design.
Figure 2 - IEC 61508 - Part 3 Software life cycle process
The Part 3 section of the standard also defines programming languages, code implementation, and software development tools. IEC 61508 mandates the use of a formal coding standard but falls short of recommending which. The only exception across this standard and its variants is for automotive applications, covered by ISO 26262, which recommends using the MISRA-C/C++ coding standard.
Developed by the Motor Industry Software Reliability Association (MISRA), the standard defines specific rule-based coding methods for C and C++ developments. It has found widespread adoption outside the automotive industry and is ideal for implementing functional safety compliant systems. MISRA C/C++ has an emphasis on reducing bugs and achieving consistent and predictable software behaviour.
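What "consistent and predictable software behaviour" means in code, as an added example that is neither MISRA's own text nor any project's code: one sensor-scaling routine written first in a loose style and then in the style MISRA C promotes. The sensor range, the mode numbers and all function names are constructed for the illustration; the rule numbers cited in the comments are from MISRA C:2012.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (illustration only, not MISRA's text or any project's code):
 * one sensor-scaling routine written loosely and then in the style MISRA C
 * promotes. The sensor range, the mode numbers and the function names are
 * constructed. */

/* Loose version. Two defects that MISRA rules are designed to catch:
 *  - the int argument is implicitly narrowed to uint8_t, so a raw value of
 *    300 silently becomes 44 (300 mod 256) rather than an error;
 *  - the switch has no default, so an unknown mode keeps the initial value,
 *    which here is the unreduced raw speed, the unsafe direction. */
uint8_t speed_limit_loose(int raw, int mode)
{
    uint8_t limit = raw;               /* implicit narrowing conversion */
    switch (mode) {
    case 0:
        limit = raw;
        break;
    case 1:
        limit = raw / 2;
        break;
    }                                  /* no default label */
    return limit;
}

/* Hardened version. Fixed-width unsigned parameters (MISRA's essential type
 * model), an explicit range check before an explicit cast (Rule 10.3 forbids
 * assigning to a narrower essential type), a default label (Rule 16.4), a
 * single exit point (Rule 15.5), and a safe output (0, no motion) on every
 * rejected input. */
bool speed_limit_checked(uint16_t raw, uint8_t mode, uint8_t *limit_out)
{
    bool ok = true;
    uint8_t limit = 0u;                /* safe default: stopped */

    if (raw > 255u) {
        ok = false;                    /* out of range for an 8-bit limit */
    } else {
        switch (mode) {
        case 0u:
            limit = (uint8_t)raw;
            break;
        case 1u:
            limit = (uint8_t)(raw / 2u);
            break;
        default:
            ok = false;                /* unknown mode is an error, not a guess */
            break;
        }
    }
    *limit_out = limit;
    return ok;
}

/* Convenience wrapper: the limit on success, -1 on a rejected input. */
int checked_result(uint16_t raw, uint8_t mode)
{
    uint8_t limit = 0u;
    bool ok = speed_limit_checked(raw, mode, &limit);
    return ok ? (int)limit : -1;
}

int main(void)
{
    printf("loose   raw=300 mode=0 -> %u\n", (unsigned)speed_limit_loose(300, 0));
    printf("loose   raw=200 mode=2 -> %u\n", (unsigned)speed_limit_loose(200, 2));
    printf("checked raw=300 mode=0 -> %d\n", checked_result(300u, 0u));
    printf("checked raw=200 mode=2 -> %d\n", checked_result(200u, 2u));
    printf("checked raw=200 mode=1 -> %d\n", checked_result(200u, 1u));
    return 0;
}
```

A compiler's conversion warnings or a MISRA checker will flag the implicit narrowing in the loose version; the hardened version does not need the tool to be safe, because a rejected input always yields the stopped state and a status the caller must check. That separation of "value" from "is this value trustworthy" is the habit the coding standard is trying to instil.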
In addition to software development tools, combined embedded software and hardware techniques include separation kernels and safety-compliant real-time operating systems.
Safer manufacturing equipment makes for a safer working environment.
With the increasing deployment of industrial automation machinery that operates alongside human co-workers, the need for functional safety is paramount. Adherence to the functional safety standards highlighted in this article is a critical success factor for industrial equipment manufacturers.
Read more on Function Safety over Networks in this post from Dr. Martin Kidman