STSARCES project - final report - part 4

4. APPLICABILITY OF EN 954 AND IEC 61508 TO THE MACHINERY SECTOR

4.1. Introduction

Work-package 4 (WP4) had as its objective a comparison of the methodologies and requirements of two standards, namely, IEC 61508 ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’ and EN 954 ‘Safety of machinery - Safety related parts of control systems’. This study was performed in order to establish whether these two standards are likely to set the same or differing requirements when applied to machinery control systems.

Both standards propose a structured approach towards the design of safety-related control systems but differ in that EN 954 is designed to address all types of control system technologies whilst IEC 61508 has been primarily (but not exclusively) designed to apply to electrical/electronic/programmable electronic (E/E/PE) based control systems. The standards require that the safety-related functions of the control system are classified ; IEC 61508 requires that the control system be allocated a safety integrity level (SIL) whilst EN 954 uses a concept of safety performance and places the system into one of five categories. There is a significant difference in the way that SILs and categories are derived and defined. It is the problems that this difference causes that were the basis for the tasks performed in WP4, especially when the two classifications are compared with a view to developing a strategy to link them.

IEC 61508 uses a safety lifecycle approach to ensure that the design of a CES safety-related control system is systematically carried out. This lifecycle, as a technical framework, was examined to assess its suitability for the design of machinery control systems.

WP4 comprised three principal tasks that were focussed upon an examination of the IEC 61508 and EN 954 standards from the perspective of their practical implementation in a machine's safety-related control system. This work included identifying the common requirements and differences, mapping schemes to link SILs and categories, and performing a machine validation exercise to consider the application (albeit retrospectively) of these standards to an existing machine in relation to specific hazardous events.

Additionally, Annex 3, Annex 4, Annex 5, Annex 6 and Annex 7 provided information on this subject.

4.2. Common requirements & differences between EN 954-1 and IEC 61508

The following are considered to be factors in the comparison of EN 954-1 and IEC 61508 using the safety lifecycle model as a technical framework.

General

·       EN 954-1 does not take the hierarchical system oriented view that is a strong feature of IEC 61508.

·       IEC 61508 refers to safety-related systems, which are seen as being wrapped around the “equipment under control” (EUC) to provide a “level of safety”. EN 954-1 refers to “safety related parts of control systems”.

·       IEC 61508 requires the production of documentation at each phase of the Safety Lifecycle. The only specific documents required by EN 954-1 are the validation plan and validation report.

·       IEC 61508 has a strong formal structure with clearly defined objectives and requirements specified for each phase of the safety lifecycle. EN 954-1 is much less structured and careful examination is necessary to extract the key requirements.

Scope

·       EN 954-1 applies to safety related parts of control systems, regardless of the type of technology used. IEC 61508 is primarily concerned with CES systems.

·       IEC 61508 addresses the entire lifecycle from the concept phase through to decommissioning. EN 954 is restricted to the design phase.

·       IEC 61508 takes account of the entire system comprising EUC, safety-related system(s) and external risk reduction facilities. EN 954-1 is only concerned with the “safety related parts of control systems”.

Competence of persons

·       Addressed by IEC 61508, not by EN 954-1.

Safety management

·       Addressed by IEC 61508, not by EN 954-1.

Concept

·       Addressed by IEC 61508, not by EN 954-1.

Hazard & risk analysis

Both standards require :

·       carry out a hazard and risk analysis ;

·       consider elimination of hazards ;

·       include fault conditions, reasonably foreseeable misuse and human factors ;

·       identify events leading to hazards ;

·       assess frequencies (or probabilities) of hazards events ;

·       identify potential consequences ;

·       assess risk associated with each hazardous event ; and

·       identify the necessary risk reduction, for each hazard.

Differences

·       IEC 61508 refers to “hazardous events of the EUC”. EN 954-1 refers to time/frequency of exposure to hazard.

·       IEC 61508 allows quantitative or qualitative techniques. EN 954-1 emphasis is on qualitative/empirical techniques.

·       IEC 61508 requires a “level of safety” (based on the tolerable risk) to be identified for each hazard. EN 954-1 simply refers to the “appropriate risk reduction”.

·       IEC 61508 requires the information and results from the hazard and risk analysis to be documented. EN 954-1 has no documentation requirement.

Specification of safety functions

·       IEC 61508 requires specification of all safety functions included in the “total combination of safety-related systems and external risk reduction facilities”. EN 954-1 only requires specification of the safety functions “to be provided in the control system”.

·       IEC 61508 requires both a functional description and specification of SIL. EN 954-1 only requires a functional description.

·       EN 954-1 lists common safety functions and associated characteristics applicable to machinery.

·       IEC 61508 allows for safety functions to be allocated between the safety-related systems and external risk reduction facilities. EN 954-1 only addresses those safety functions implemented by the “safety-related parts”.

Derivation and specification of performance requirements for control systems

·       IEC 61508 specifies a formal process whereby, for each hazard, the necessary risk reduction is derived from the EUC risk and the level of safety. It is then necessary to specify how the level of safety (and associated risk reduction) will be achieved. This is done by describing what the safety-related systems will do (i.e. the safety functions) and with what probability they will do it as required (i.e. the safety integrity). At this stage the safety-related systems can take the form of external facilities or control systems (of any technology). Then the individual safety-related systems should be specified, both in terms of functionality and effectiveness (as relating to a specific technology) so that all the safety functions are implemented with the required level of safety integrity (taking into account the total effect of all the designated safety-related systems). It should be noted that the level of effectiveness of the individual safety-related systems is also measured by the parameter “safety integrity”. IEC 61508 requires that the information and results of the safety requirements allocation process shall be documented.

·       EN 954-1 requires that the measures for risk reduction by control means should be “decided” and specified in terms of functionality and category. The methodology to translate risk reduction (associated with particular hazards) to performance requirements of safety related parts of control systems is not specified.

·       IEC 61508 requires that the “effectiveness” of the safety-related control systems be classified according to “safety integrity”. Safety integrity is a quantified measure of the effectiveness of a safety-related control system and encompasses hardware reliability as well as control/avoidance of failures due to systematic faults.

·       EN 954-1 requires that safety related parts of control systems be categorised according to resistance to faults. The performance measures associated with the categories are a description of measures taken to avoid or control failures and are not quantified.

·       IEC 61508 requires that overall safety functions and safety integrity requirements are documented in an “Overall Safety Requirements Specification”. The corresponding requirements for individual CES safety-related systems are documented in the “CES Safety Requirements Specifications”.

Design

·       Both standards require that the design meets the specified safety requirements, but IEC 61508 requires that the design documentation should identify and justify the techniques and measures chosen to achieve the SIL. With IEC 61508, extensive tables of recommended techniques and measures (for both hardware and software) are provided. EN 954-1 simply requires a “list of the design features which provide the design rationale for the category achieved”.

·       IEC 61508 recommends architectural constraints, EN 954-1 does not address architecture (other than as may be necessary to achieve the fault behaviour according to category).

Behaviour under fault conditions

·       Both standards require consideration of behaviour under fault conditions.  In IEC 61508, fault requirements depend on SIL, the extent of diagnostic coverage, knowledge of component failure modes, testability of components and knowledge of component reliability. In EN 954-1, fault requirements are dictated solely by choice of category.

Diagnostic coverage

·       IEC 61508 makes recommendations regarding the level of diagnostic coverage provided by the techniques and measures used to control failures.  EN 954-1 similarly accepts that not all faults may be detected.  In category 3, the required measures for fault detection are required to be graded according to consequence and probability of failure and technology used.  In category 4, the inability to detect certain faults leads to the requirement to show that an accumulation of faults does not lead to loss of the safety function.

Proof checking

·       IEC 61508 requires that proof checks be undertaken so that the probability of failure on demand remains within the specified safety integrity level. Proof checking is not addressed by EN 954-1.

Integration

·       Integration (software, hardware, modules, sensors, actuators) of CES systems is addressed by IEC 61508, not by EN 954-1.

Operation & maintenance

·       Both standards require information for operation and maintenance.

Validation

·       Both standards require validation to demonstrate that the safety functions have been implemented according to specification.

Modification

·       Addressed by IEC 61508, not by EN954-1.

Verification

·       Required by IEC 61508, not by EN 954-1.

Functional safety assessment

·       Required by IEC 61508, not by EN 954-1.

Decommissioning

·       Addressed by IEC 61508, not by EN 954-1.

4.3. Practical difficulties encountered during machine validation using the EN 954-1 & IEC 61508 standards

Task 2 of WP 4 was to examine the retrospective application of the EN 954-1 and IEC 61508 standards to existing machinery as part of a machine control system validation exercise.

The fundamental aim of this exercise was neither to assess, nor test, the machine, but to identify the differences between the approaches taken by the two standards. Therefore, the exercise was not carried out in unnecessary detail where this would not have been beneficial towards the aims of the STSARCES Project. For example, where EN 954-1 and IEC 61508 make normative reference to other standards, the requirements of each reference were only considered in the context of the validation exercise. Consequently, the validation methodology described in the WP4 Task 2 report should not be used as the basis for other assessments.

Useful hints arising are given in the following sub-clauses.

4.3.1. Selection of the machine and safety-related control system to be validated

The requirements for the safety-related control system were :

·       it has sufficient technical complexity in the configuration of its control system(s) to allow sufficient application of either standard ;

·       it should include a programmable electronic system ;

·       it is a practical application within an existing machine ;

·       the manufacturer, or its designer, should be readily contactable, if necessary, to elucidate design criteria or details of its operation ; and

·       the manufacturer should be willing to co-operate with the project and to provide the necessary technical material to allow validation to be effected.

It was decided that a suitable machine for this exercise would be a hydraulic press manufactured in the UK. Technical details of the machine under examination were as follows :

·       Multi-axis direct numerical control (DNC) controller ;

·       Hydraulic operation with individual servo control of the position of each end of the beam together with hydraulic pressure control ;

·       Sizes from 30 to 3000 tonnes, specifically 100 tonnes on the machine examined ; and

·       Photoelectric curtain allowing normal photoelectric guarding[5] or guarding in association with single- or double-break stroke initiation.

4.3.2. Hazardous events considered

A full examination of the control system of the machine would have been neither cost-effective nor capable of yielding results additional to those obtained by a limited analysis. Therefore :

·       to avoid repetition in the analysis, the operation of the machine was considered only in manual mode (i.e., neither single- nor double-break modes of initiation were considered) ; and

·       the most important hazards associated with the machine were determined in order to define the scope of the assessment.

The hazardous events identified as being within the scope of the examination were :

[1]          Aberrant stroke : An uninitiated stroke occurs, which cannot be prevented by obscuring the photoelectric guard (referred to as an unguarded stroke).

[2]          Incorrect mute : The muting position aberrantly changes so that muting of the photoelectric guard occurs with the tool more than 6mm above the workpiece or the guard fails in a dangerous mode.

[3]          Failure of the rear-gate interlock : If this interlock were to fail, access could be obtained to the rear of the working parts of the machine.

The validation exercise was carried out separately for each standard with the intention of minimizing the "cross-talk" between the respective examinations.

In order to make the exercise as realistic as possible, it was decided to adopt an approach which would, as nearly as could be envisaged, follow that expected to be taken by a machinery designer faced with the use of the standards in a working environment (i.e. not necessarily as the designers of the standards would have intended).

4.3.3. Matters arising from the application of EN 954-1

[1]          The standard is intended to be applied during the design of a control system and not during a validation exercise. As a result, some of the steps in the methodology were inappropriate. To achieve adequate safety using EN 954, advice on validation should be given.

[2]          Where the standard does not give guidance for the validation other approaches have to be taken into account to follow the validation process from start to finish. There are a large number of minor requirements and 'give aways'. For example, the fundamental requirements of the various categories are simple to follow and relate to fault tolerance.

However, having established the requirements for Category 3, one finds that it is not necessary to detect ALL single faults but only SOME (see Table 2 ‘Summary of requirements for categories’ EN 954-1:1996). A subjective decision must be taken as to which faults need, or do not need, to be detected.

In addition to the standard, the results in Clause 3.5 give useful advice.

[3]          EN 954-1 has been designed as a standard with a practical means of assessment and implementation. Unfortunately, what appears at first sight to be a very practicable method (i.e., based on a simple analysis of fault tolerance) becomes very subjective when applied practically.

Annex B of EN 954-1 is the only way of determining the required Category for a system, other than by examining an existing system (which itself may not have been categorized correctly). Because of the subjective nature of Annex B, different assessors may come to different conclusions when determining the category, as there is no absolute means of objectively determining the category required for any particular system.

More detailed advice could have been given to users of this annex. For example, research could have established the probability of the operator avoiding hazards in a variety of industrial applications and under varying conditions (e.g., approach speed) and the data tabulated in the standard.

To achieve a given risk reduction, closer consideration should be given to systematic failures/faults, to the MTTFd, to diagnostic coverage and to common cause failures. See clause 3.3.3 for further advice.

[4]          The principles of EN 954-1 are based on single/multiple component failures leading to a hazard being realised. This, at first sight, seems to be a very simple way of defining the integrity of the safety functions. However, the examination of the control system indicated that there are many component failures which, in combination, could lead to the hazard. Many of these failures, however, are considered to be unlikely, highly unlikely or even incredible, and the picture could be very different when using different technologies. Because the decision to exclude such failures from the analysis can be a subjective task, it is recommended, where known, to consider failure rates from databases or field experience. This will help minimise subjectivity in validation.

[5]          EN 954-1 gives no means of assessing or ensuring the integrity of software. Clauses 3.3.4, 3.3.5 and 3.5.3 give advice on the integrity requirements for software.

[6]          To justify that the press has been designed using the principles of EN 954-1 and validated to its safety specification, a validation report (as described at Clause 8.5 of EN 954-1) and the technical construction file should be available to the assessor.

[7]          EN 954-1 mentions maintenance but does so very weakly. In any safety-related protection system (which may be called to operate only infrequently), regular manual proof testing (in the absence of automatic diagnostics) is an important factor in maintaining the integrity, which will vary approximately linearly with the frequency of the manual proof checks. In the machinery sector at the present such an approach is not often followed.

[8]          EN 954-1 is a design standard, so it does not give advice on the manufacture of the system being designed. A well-designed system that is poorly manufactured could have a reduced integrity. For example, a multi-channel system whose wiring has been segregated in order to avoid common-cause failures could have the wiring strapped together as a single loom, leading to a potential for common-cause failures. It was noted that the validation stage, i.e. type testing, could not account for variations between manufactured items resulting from, for example, a poorly specified manufacturing stage. It is essential that the quality system of the manufacturer assures no deviations from the approved test sample.

[9]          By assuming that subsystems are single components and applying the fault exclusion principle, it is possible to determine a Category without the need for complex calculation. However, the failure rate of a complex subsystem may be considerably higher than that of a single component. Therefore, the Category of a dual-channel subsystem cannot be considered equivalent to a dual-channel system at the component level, e.g., an interlock based on 2 relays cannot be compared with one based on two complex programmable logic controllers (PLCs), even if both interlocks achieve Category 3. Hence, two systems, each having the same Category, may be considered to be equivalent only if they use the same technology and a comparable number of components.

[10]      A number of factors will considerably distort the hierarchy of Categories[6]. For example :

·       the standard is based on system behaviour in the presence of faults. Modern technology allows the incorporation of sophisticated automatic diagnostics with a coverage approaching 100%. A single-channel system with sophisticated diagnostics may have a higher integrity than a crude multi-channel system. Although the standard allows faults to be excluded, it does not give advice on how this problem should be addressed.

·       a highly reliable system, based on simple technology (e.g., a mechanical blocking bar) which because of its single-channel status would be assigned a Category of 1, may in practice have an integrity comparable, or even higher than, that of a Category 4 system employing a complex and, therefore, difficult to validate technology.

The possibility of making a misleading assessment can be minimised by considering probabilistic aspects to estimate the real amount of risk reduction (see clause 3.3.1 – 3.3.3).

4.3.4. Matters arising from the application of IEC 61508

[1]          The first, and probably the most important, obstacle in using IEC 61508 involved the determination of what is an acceptable level of risk. This may require an iterative process in order to obtain an acceptable value, which will depend on a number of factors, such as :

·       what may have been established as custom and accepted engineering practice in the industry concerned ;

·       the cost effectiveness of improving safety beyond any particular level (e.g., the "law of diminishing returns") ; and

·       what competitors and other organizations using similar types of equipment have deemed to be practicable.

Existing accident rates involving presses (obtained from internal HSE sources), although not comprehensive, were used in this validation exercise to establish an acceptable level of risk. Such information will not be easy for designers and validators in the field of machinery to obtain, and other methods may be more appropriate.

Additionally, it may be unwise in some circumstances to quote acceptable or tolerable rates of a particular level of injury. Therefore, it may prove necessary for target SILs to be determined by opaque means, possibly qualitative, for the various sectors of industry. The determination of target SILs is a critical and not necessarily easy task that would be helped considerably by the availability of a suitable, possibly industry-specific, methodology for dealing with it. It may be necessary, in the first allocation of an SIL, to consider the full bandwidth of possible SILs.

[2]          IEC 61508 appears to have been conceived with the process industries in mind. As a result, the determination of SILs depends on the risk reduction provided by safety-related protection systems, which operate in parallel with the control system of the EUC and put the EUC into a safe state if a failure of the control system occurs. A safe state may therefore be the continuation of the process, while in the machinery sector the safe state commonly is the shut down of the hazardous movements.

Many machinery control systems have traditionally been based on relay technology, and since machines are mostly cyclic in their operation, it is possible to test most, if not all, of the individual components in the control system at every cycle of the machine and employ redundancy. This leads to a fault tolerance of 1, or more, with a short interval between tests and consequently control systems have a high integrity.

Therefore, in the case of many machinery safety functions, the concept of risk reduction, as used in IEC 61508, is inappropriate and a SIL must be calculated from the failure rate of the control system.

[3]          Because IEC 61508 is new (not published in its final form at the time of this assessment), few, if any, manufacturers have used it. Thus, it was difficult for the manufacturer of the press brake under examination to deliver documentation prepared to show compliance with IEC 61508. This was especially true with respect to the quality procedures used in the design of the machine. This documentation is necessary; otherwise it is not possible to determine whether the quality requirements have been satisfied in the design. It is important to carry out all assessments during all stages of the lifecycle (see clause 3.1).

It is recommended that the formal and detailed documentation for installation, commissioning, operation and maintenance is delivered by the manufacturer. Documents relating to design procedures, e.g., quality assurance, should be available to the assessor for the validation. This is necessary for all systems regardless of their origin (inside or outside of the EU).

[6]          For a quantitative assessment, good failure-rate data is required. Data is available on the most frequently encountered modes of failure of most of the components, e.g. a relay failing to energise. However, in safety-related systems, many components are automatically tested to ensure that the frequently encountered modes of failure are revealed. Therefore, the remaining modes of failure, on which there is likely to be insufficient data (e.g., the failure of a single relay contact, or a relay spontaneously changing from the de-energised to the energised state as a result of, for example, a spring breaking), are the ones which cause difficulty. It may help to use the experience of applications in other sectors to achieve more representative estimates of these data.

[7]          In order to determine the probability of injury if the relevant safety function were to fail a number of assumptions had to be made. For example, in the case of Hazardous Event 1, it was assumed that the operator places his/her hands in the press once per minute. A different assumption would change the target SIL and the validation. An ideal design would be that the operator's hands are NEVER placed in the press, but this is often not possible.

[8]          Because the outcome of the quantitative analysis using IEC 61508 is likely to depend on a number of highly subjective assumptions, it will be possible to tailor the outcome of the analysis to suit one's particular needs. Some of these assumptions will be difficult to challenge. The use of the experience of applications in other sectors may improve these assumptions.

[9]          Clause 7.4.4.3 of Part 2 of IEC 61508 requires that "Any failure-rate data used shall have a statistical confidence level of at least 70%". This level of confidence is unlikely to be realized in practice, for the reasons described in the previous paragraph. In practice, the use of the best available data is better than not carrying out a quantitative reliability assessment; if necessary, worst-case assumptions could be made.

[10]      The proof-test intervals used in the validation exercise were based on the manufacturer's recommendations. This important information should always be available, perhaps by being directly labelled on the machinery.

[11]      At first sight, the documentation requirement of IEC 61508 does appear to be burdensome. However, this need not be the case. What the standard is, in fact, requiring is that the development, etc., is broken down into discrete stages (i.e., the lifecycle), careful thought is given to each of these stages, and the results of this are put onto paper for use in later stages and for demonstrating the adequacy of the system. Looked at in this way, the IEC 61508 lifecycle is no different from any other well-organized process.

Clearly the documentation requirements will increase with the complexity of the system.

[12]      The application of quantified risk analysis to machinery is more complex compared to its application to process control systems due to the synchronous interactions between the persons at risk, the control system and the cyclic nature of operation of the machine. In such situations, a calculation (e.g., of probability of failure on demand) involving steady-state conditions, as would be applicable to the control system of a process plant, is unlikely to be realistic. Instead, the timing of the automatic tests and periods of high risk in relation to the machine cycle must be considered in detail in the calculations.

[13]      A complete understanding of the operation of the system is required for validation to be meaningful. This is true of an assessment being carried out using either EN 954-1 or IEC 61508 ; however, in the case of the latter, where a quantitative analysis is carried out, large variations in the calculated failure rate could result from minor mistakes in determining functionality.

[14]      At first sight, the use of the architectural constraints on the hardware safety integrity appeared to have a number of failings, for example :

·       the diagnostic coverage (fail-safe fraction) is used as a parameter to determine the SIL ceiling ; however, in the case of automatic diagnostics, the rate at which the diagnostics are carried out is ignored ;

·       the diagnostic coverage may be irrelevant in calculating the architectural constraint. In reality, what may be most important, for example, is whether the PES output used by the function is monitored ;

·       no account is taken of the fact that some single-channel systems may inherently be reliable and so perform as well as a multi-channel system ;

·       the fail-safe fraction for a single component (e.g., such as a mechanical scotch) may be even more difficult to determine than the diagnostic coverage of a computer-based system ;

·       all that the diagnostic coverage could lead to (assuming an appropriate repetition frequency) is an effective reduction in failure rate. Therefore, a system with a failure rate of λ and no diagnostics is effectively no different to a system with a failure rate of 100λ and a diagnostic coverage of 99%; however, the former would be severely penalized by the architectural constraint ; and

·       no account is taken of manual proof checking.

However, the architectural constraints should be viewed as a means of ensuring that the quantified analysis is not abused or used in error. For example, in the case of the calculations for this press :

·       a number of assumptions have been made ;

·       the calculations are inextricably linked to the architecture, self-monitoring and cyclic operation of the press ; and

·       the manual for the press indicates that a daily check should be carried out on the rear-gate interlock. The frequency of this check will have a considerable impact on the integrity of the interlock. If no checks were carried out in practice, the actual (as opposed to the calculated) integrity of the interlock would be considerably reduced.

The architectural constraints are intended to put a ceiling on the SIL that can be assigned to any particular system, in order to prevent inadvertent or deliberate misuse of the quantitative analysis. As a result, the architectural constraints will ensure that the integrity level cannot be inflated significantly beyond the actual level achievable for any particular system. This will prevent inflated SILs being claimed and, as a result, ensure that an appropriate level of safety is maintained.
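The arithmetic behind item [7] of 4.3.3 (integrity varying roughly linearly with proof-check frequency) and item [14] above (a rate of λ with no diagnostics against 100λ with 99% coverage) can be made concrete with the simplified single-channel, low-demand PFDavg formulas. The following Python is an added illustration and not part of the STSARCES report; the rates, repair time and test intervals in it are constructed for the example, not data from the press.

```python
"""Added illustration, not from the STSARCES report: simplified IEC 61508
low-demand PFDavg arithmetic for a single-channel safety function.

Model assumptions (constructed for this example):
  * dangerous failures occur at a constant rate lambda_D (per hour);
  * a fraction DC of them is revealed by automatic diagnostics and repaired
    within MTTR hours; the rest stay dormant until the manual proof test
    carried out every T hours;
  * lambda_DU * T << 1, so the usual linear (T/2) approximation holds.
"""
import math

# IEC 61508-1 low-demand bands: (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def split_dangerous_rate(lambda_d, dc):
    """Split lambda_D into (lambda_DD, lambda_DU) using diagnostic coverage DC."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("diagnostic coverage must lie in [0, 1]")
    return lambda_d * dc, lambda_d * (1.0 - dc)


def pfd_avg(lambda_d, dc, proof_test_hours, mttr_hours=0.0):
    """Simplified single-channel PFDavg.

    Undetected dangerous faults lie dormant for T/2 on average; detected ones
    are unavailable for MTTR.  mttr_hours=0 reproduces the idealised case of
    diagnostics 'with an appropriate repetition frequency' in item [14].
    """
    lam_dd, lam_du = split_dangerous_rate(lambda_d, dc)
    if lam_du * proof_test_hours > 0.1:
        raise ValueError("lambda_DU * T too large for the linear approximation")
    return lam_du * proof_test_hours / 2.0 + lam_dd * mttr_hours


def pfd_avg_undetected_exact(lambda_du, proof_test_hours):
    """Exact interval average of 1 - exp(-lambda_DU * t), for checking the
    T/2 approximation used above (undetected part only)."""
    x = lambda_du * proof_test_hours
    return 1.0 - (1.0 - math.exp(-x)) / x


def sil_for_pfd(pfd):
    """Map a PFDavg onto its IEC 61508 low-demand SIL band; 0 means below SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def compare_diagnostics(lambda_d, proof_test_hours, factor=100.0, dc=0.99, mttr_hours=0.0):
    """Item [14]: lambda_D with no diagnostics against factor*lambda_D with
    coverage dc.  Returns the two PFDavg values (plain, diagnosed)."""
    plain = pfd_avg(lambda_d, 0.0, proof_test_hours, mttr_hours)
    diagnosed = pfd_avg(factor * lambda_d, dc, proof_test_hours, mttr_hours)
    return plain, diagnosed


if __name__ == "__main__":
    lam = 1e-6                      # constructed: about one dangerous failure per 114 years
    yearly, daily = 8760.0, 24.0    # proof-test intervals in hours
    plain, diagnosed = compare_diagnostics(lam, yearly)
    print(f"lambda, no DC   : PFDavg={plain:.3e} -> SIL {sil_for_pfd(plain)}")
    print(f"100*lambda, 99% : PFDavg={diagnosed:.3e} -> SIL {sil_for_pfd(diagnosed)}")
    # Item [7] of 4.3.3 and the daily rear-gate interlock check: PFDavg scales with T
    for t in (daily, yearly):
        p = pfd_avg(lam, 0.0, t)
        print(f"proof test every {t:6.0f} h: PFDavg={p:.3e} -> SIL {sil_for_pfd(p)}")
    # Once detected faults take 8 h to repair, the 100*lambda system is no longer identical
    _, with_repair = compare_diagnostics(lam, yearly, mttr_hours=8.0)
    print(f"100*lambda, 99%, MTTR 8 h: PFDavg={with_repair:.3e}")
```

The equality of the two systems in item [14] holds only for the undetected rate; once a non-zero repair time for detected faults is included, the 100λ system is measurably worse, which is one reason the architectural constraint treats them differently.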

[17]      Tables 2 and 3 of Part 2 of IEC 61508, which are used to combine the architectural constraints of several subsystems, require clarification as to their use.

4.4. Conclusions from machine safety-related control system validation exercise

[1]          Today, machinery safety systems are not developed from scratch using a life-cycle approach. Instead, as a new machine is developed, the experience gained from previous machines is modified slightly in order to make improvements to the overall design. Hence, safety requirements are unlikely to be developed for any particular machine. Instead, the safety systems of new machines will be designed to be no worse than those of existing machines. The use of IEC 61508 will require a radical change to the machinery design/development process in that safety must be addressed using an absolute, rather than relative, approach.

[2]          IEC 61508 determines safety integrity by quantitative calculation of the overall failure rate, supplemented by qualitative techniques where insufficient information is available for a quantitative determination (as is the case for systematic failures). EN 954-1 attempts to avoid the need for a quantitative calculation by using a simple methodology - the risk graph. Unfortunately, the application of the methodology is not straightforward in anything other than the simplest of systems, and requires a subjective application of engineering knowledge.

[3]          IEC 61508 covers all stages of the lifecycle of a system. EN 954-1 considers only the design (and validation of the design).

[4]          The greatest problem in using a quantitative approach to risk assessment, as described in IEC 61508, is the availability of suitable data. Two types of data are required :

·       Failure rate data for the components and subsystems: It may be necessary to use data for generic or outdated components ; however, data can be obtained (or estimated) for most components, although some assumptions are likely to be necessary.

·       Levels of acceptable risk: The level of acceptable risk is a societal parameter and is difficult to determine, being dependent on perceived, rather than actual, risk. The guidance in IEC 61508 uses the ALARP value but gives no help in determining what that value should be. The author made an assumption that existing hazard rates were acceptable but this assumption need not be valid in all cases. The author considers that this problem may present the most difficulty in using IEC 61508 until industry-specific guidance documents, based on IEC 61508, provide guidance in this area. However, the publication of such guidance could give alarm to those at risk.

[5]          A number of assumptions had to be made in order to carry out the quantitative analysis described in IEC 61508. These were subjective and had a significant effect on the SILs. There may be a high dependence on basic (and possibly subjective) assumptions in the quantitative analyses of many other systems. Some of these assumptions will be difficult to challenge and could lead to failure-rate predictions being distorted to meet the needs of other agendas.

[6]          If a methodology that enables target SILs to be determined without significant subjectivity is not available, the uncertainty in the outcome of the quantitative analysis used in IEC 61508 may be large. In the author's opinion, the production of such a methodology should be given a very high priority ; otherwise it will not be possible to fully exploit the guidance provided by IEC 61508.

[7]          Generally, existing safety-related electrical control systems at machinery have not been designed using the guidance contained in IEC 61508 (not all parts of which had been published at the time of writing this report) and, as a consequence, suitable documentation, required in order to verify the various safety lifecycle stages, is not likely to be available. Documentation, in a form suitable for assessment purposes, will become available only when IEC 61508 gains credibility in machinery manufacture. Until this time, it will be difficult to carry out assessments of safety-related electrical control systems at machinery, especially in relation to the quantitative analysis.

[8]          IEC 61508 obliges the manufacturer of a SRCPES to plan the overall lifecycle in a structured way by requiring adequate documentation. At first sight, the documentation requirements for a simple machinery-control system appear to be excessive.

[9]          Because a shortage (or incompatibility) of documentation may prevent an adequate determination of the qualitative measures when a retrospective examination is carried out on a machine designed prior to the publication of IEC 61508, it will not be possible to determine whether (or not) suitable measures have been put in place to deal with systematic failures. Therefore, a retrospective quantitative assessment using IEC 61508 may prove to be inaccurate, as the actual failure rate may be dominated by systematic failures, which are unlikely to be predictable quantitatively. Unfortunately, this will lead to an underestimate of the failure rate, i.e., the estimate will indicate that a system is safer than it actually is.

[10]      IEC 61508 takes a scientific approach by matching system integrity to risk. Also, wherever possible, it uses quantification, but acknowledges that qualitative measures may be followed where quantitative measures cannot be used. However, the qualitative measures have been determined (using engineering judgement) to be appropriate to the SIL. This should be compared with the approach taken by EN 954-1, which is based on fault tolerance.

[11]      The principles of IEC 61508 require that a methodology is followed which encompasses all of the phases in the lifecycle of a system, e.g., concept, design, implementation, etc. If the methodology has not been used by the manufacturer, subsequent assessment using IEC 61508 will inevitably be difficult because of missing information. However, if IEC 61508 had been followed from the outset, the relevant information would have been available, facilitating validation.

4.5.            Techniques & measures for machine validation

The findings and conclusions outlined above from the research undertaken in Annex 3, Annex 6, Annex 7, Annex 11, Annex 12 and Annex 13 indicate how to solve some of the practical difficulties that may be encountered when using the EN 954 and IEC 61508 standards. These problems, derived from the divergences that exist between EN 954 and IEC 61508, require that, in order to establish a sound basis for the validation of safety-related control systems at machinery, consideration should be given to the following :

·       A linear mapping of the safety integrity levels of IEC 61508 to the categories of EN 954-1 could not be established. This was primarily because the category definitions in EN 954-1 do not place any quantifiable requirements on the rate of failure of the safety functions. If the work outlined in clause 3.3.3 is further developed and standardised, it may be possible to create a non-linear mapping.

However, it can be stated that, in a given technology, category 1 is likely to have a higher safety integrity level than category B and category 4 will have the highest safety integrity level.

·       The qualitative approach of EN 954-1 is a desirable one from the machinery sector point of view and could be usefully developed and linked to IEC 61508.

·       The principles of IEC 61508 (safety lifecycle and safety integrity levels) can be applied to E/E/PE control systems in machinery. IEC 61508 could complement EN 954-1 for E/E/PE systems but a qualitative approach leading to a safety integrity level would have to be developed.

·       The non-hierarchical structure of EN 954-1’s categories is often misinterpreted as a hierarchical one. This is because the category definitions have to be carefully analysed to understand their full meaning. An informative annex interpreting the categories for different technologies may be useful.

·       Although the categories are difficult to relate to risk, EN 954-1, as a document, does provide much useful information on design strategies for safety and on the requirements for safety functions.

·       IEC 61508 covers all phases of equipment’s life from concept through to decommissioning. In the machinery sector, very rarely would one party have responsibility across the entire lifecycle. It is considered that there is a need to delineate responsibilities. This is particularly so in the case of manufacturers who are producing machines or safety components for use in a variety of applications where it may not be practical for the manufacturer to undertake a complete hazard and risk analysis and identify suitable safety functions for all applications at an early stage in the safety lifecycle. In such cases the emphasis must be on the manufacturers to supply sufficient and suitable information (including the SIL) so users can take proper account of the equipment’s performance characteristics in the final application.

·       The developer and validator should give deeper consideration to the systematic aspects of the machinery control system (see clauses 3.1, 3.2 and 3.4).