Safety Functions
1. Risk and Safety Category Assessments
(1) Ensure Safety
The responsible machine or process designer no longer settles the production requirements first and adds safety systems later, but addresses the two issues as a whole. Legislation demands that the machine or process design meet the necessary safety standards and regulations; it is a legal requirement.
Different types of machines will have different levels of associated risk. These risk levels need to be addressed for the whole machine life span. In particular the requirements at commissioning, application/usage and decommissioning of the machine must be considered.
Risk assessment according to ISO14121 is a series of logical steps that enables designers and safety engineers to examine in a systematic way the hazards arising from the use of machinery so that appropriate safety measures can be selected.
(2) Risk Assessment
ISO14121 - Safety of Machinery - Principles for Risk Assessment
The main objective is to describe a systematic procedure for risk assessment so that adequate and consistent safety measures can be adopted. These apply during the design, construction, modification, use and decommissioning of the machine.
The safety of machines can be determined in 5 steps.
Documentation of the risk assessment process must be kept.
● Step 1 - Determination of the limits of machinery
Defining machine limits requires the following points to be considered when assessing risk.
Determining requirements for all phases of the machine's life
Defining the intended use and operation and the foreseeable misuse and malfunction
Defining the machine's range of use as limited by factors such as the operator's gender, age, dominant hand, and physical abilities (e.g., impaired eyesight or hearing, size, and strength)
Expected user training, experience, and competence
Possibility that people may be exposed to machine hazards
Possibility that people may be exposed to machine hazards if a foreseeable machine hazard occurs
● Step 2 - Hazard Identification
Hazard identification means checking for all the hazardous conditions and hazardous events associated with the machine. This involves predicting hazards that may be caused by the machine, such as the following:
Mechanical hazards: Severing, entanglement, crushing, etc.
Electrical hazards: Contact with live parts, static electricity, etc.
Thermal hazards: Health disorders due to contact with high-temperature parts or working in a high-temperature or low-temperature environment
Methods for clarifying hazards include the following:
Check lists
Hazard and Operability Study (HAZOP)
Failure Mode and Effect Analysis (FMEA)
Fault Tree Analysis (FTA)
"What-if" method
● Step 3 - Risk Estimation
After checking for hazardous conditions and hazardous events, the risk factors are determined and the risks are estimated from the degree of possible harm and the probability of the hazard occurring.
● Step 4 - Risk Evaluation
After estimating the risk, the risks are evaluated to determine whether the level of risk must be reduced. If the level of risk must be reduced, safety measures, such as changing the design or providing safeguards, are taken.
● Step 5 - Risk Reduction
The following actions are taken.
Eliminate or reduce exposure to the hazard as far as practicable.
Reduce the probability and severity.
Use safeguards and safety devices.
Determine that the performance and functional characteristics of the safety measures are suitable for the machine and its use.
● Risk Reduction under ISO12100
ISO 12100 (-1/-2) has been adopted as the JIS standard JIS B 9700 (-1/-2).
The main purpose of this standard is to set out a framework and directions for general machine safety, so that designers can design safe machines.
The introduction of ISO12100-1:2003 states that "The concept of safety of machinery considers the ability of a machine to perform its intended function(s) during its lifecycle where risk has been adequately reduced". The 3-step method, which is an expression of this risk reduction methodology, has been further developed into the "Risk Reduction Process", but it does not yet seem to be fully recognized in actual applications. ISO12100-2 sets out examples of various measures, a sample of which is shown below.
What is Inherently Safe Design? (ISO12100-1: 2003, para. 4)
Remove dangers and reduce exposure frequency (4.1 General)
Maintain visibility, and avoid dangerous projections and parts (4.2.1 Geometric Elements)
Employ alternative materials with few dangers that reduce noise and radiation levels (4.2.2 Physical Elements)
Select appropriate materials (Material quality, stresses, corrosiveness etc.) (4.3 General Technical Information on Machine Design)
Employ inherently safe design measures in the control system (4.11), for example:
Perform automatic surveillance of safety functions implemented under safeguarding measures (4.11.6)
Employ diagnostic system to support fault detection (4.11.12)
Employ redundant systems for components and sub systems (4.12.3)
Automatically limit exposure to sources of danger (4.14)
What is Safeguarding? (ISO12100-2: 2003 para. 5)
Employ Sensitive Protective Equipment (Light Curtain, Scanner etc.) (5.2.5)
Employ fixed guards (5.3.2.2)
Employ movable guards (guards with interlocks) (5.3.2.3)
What are Complementary Protective Measures? (ISO12100-2: 2003 para. 5)
Emergency stop function designed to be clearly identified and quickly applied (5.5.2)
Employ an isolation device that can be locked (5.5.4)
What is Information for use? (ISO12100-2: 2003 para. 6)
Supplementary documentation or labels should notify of remaining risks, and necessary training, protective equipment, and additional protective devices (6.1.1)
Emit an audiovisual warning (6.3)
Display manufacturer, model, and specifications of the machine (6.4)
Supplementary documentation to include storage conditions, mass, dimensions, and installation and disposal methods (6.5.1)
Risk Reduction Processes from the Designer’s Perspective
(3) Safety Category Assessment
ISO13849-1 : 1999 (EN954-1)
(4) Categories
ISO 13849-1 Safety of Machinery — Safety-related Parts of Control Systems
This standard describes the risk reduction that is necessary when designing and constructing safety-related parts of control systems and devices. The categories classify a control system with respect to its ability to withstand faults and its behavior in the event of a fault.
Category | Overview of requirements | Basis for assuring safety |
B | The safety-related parts of control systems shall, as a minimum, be designed, constructed, selected, assembled, and combined, in accordance with the relevant standards, using basic safety principles for the specific application so that they can withstand: | Depends mainly on the selection of components. |
1 | The requirements of category B and of this subclause shall apply. Safety-related parts of control systems to category 1 shall be designed and constructed using well-tried components and well-tried safety principles. | Depends mainly on the selection of components. |
2 | The requirements of category B, the use of well-tried safety principles and the requirements in this subclause shall apply. Safety-related parts of control systems to category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed. | Mainly depends on configuration. |
3 | The requirements of category B, the use of well-tried safety principles and the requirements in this subclause shall apply. Safety-related parts of control systems to category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Common mode faults shall be taken into account when the probability of such a fault occurring is significant. Whenever reasonably practicable the single fault shall be detected at or before the next demand upon the safety function. | Mainly depends on configuration. |
4 | The requirements of category B, the use of well-tried safety principles and the requirements in this subclause shall apply. Safety-related parts of control systems to category 4 shall be designed so that: | Mainly depends on configuration. |
(5) Validation
The safety category of the safety-related parts is selected according to ISO 13849-1 in order to address and reduce the hazards of the entire machine identified under ISO 14121.
Next, analysis and testing is performed to confirm that the safety-related parts conform to the requirements for the safety of the entire machine.
Although the analysis is performed using a list of foreseeable faults based on ISO 13849-2 and design criteria based on ISO 13849-1, the following faults, for example, are excluded as 'fault exception items' (fault exclusions).
1. The NC contact of a safety switch with a direct opening (positive opening) mechanism fails to open.
2. The forcibly guided NC and NO contacts of a safety relay are closed at the same time.
3. A cable that is secured and reliably protected by a cable duct or other means causes a short circuit between wires due to an external shock.
4. A short circuit occurs between adjacent terminals whose connections are reliably covered with an insulating tube or other means.
(6) Documentation
A technical file containing the following information should be recorded:
Drawings, control circuit drawings, calculations, test results
List of necessary safety requirements for ISO 12100, plus other relevant standards and technical specifications used
Details of the methods used to eliminate hazards, risk assessment data
A test report/certificate from a competent body if required
A copy of the instructions
Series manufacture details of internal measures and QA systems
Items that are required to be documented are shown below, by category (extracted from ISO 13849-2 Table 2).
Items Requiring Documentation | Category B | Category 1 | Category 2 | Category 3 | Category 4 |
Basic Safety Principles | ○ | ○ | ○ | ○ | ○ |
Expected operating stresses | ○ | ○ | ○ | ○ | ○ |
Influences of processed material | ○ | ○ | ○ | ○ | ○ |
Performance during other relevant external influences | ○ | ○ | ○ | ○ | ○ |
Well-tried Components | --- | ○ | --- | --- | --- |
Well-tried Safety Principles | --- | ○ | ○ | ○ | ○ |
The check procedure of the safety function(s) | --- | --- | ○ | --- | --- |
Checking intervals, when specified | --- | --- | ○ | --- | --- |
Foreseeable, single faults considered in the design and the detection method used | --- | --- | ○ | ○ | ○ |
The common mode failures identified and how prevented | --- | --- | --- | ○ | ○ |
The foreseeable, single faults excluded | --- | --- | --- | ○ | ○ |
The faults to be detected | --- | --- | ○ | ○ | ○ |
The variety of accumulations of faults considered in the design | --- | --- | --- | --- | ○ |
How the safety function is maintained in the case of each of the fault(s) | --- | --- | --- | ○ | ○ |
How the safety function is maintained for each of the combination(s) of faults | --- | --- | --- | --- | ○ |
(7) What is ISO13849-1: 2006 (PL)?
● Background of ISO 13849-1 Revision
Until now, the 'category', i.e. the classification of the architecture (structure) of a safety control system, has been a deterministic theory focused on the composition of hardware.
But as technology advances, electronic components such as transistors, integrated circuits and software based components such as microprocessors were adopted as core elements of safety related control systems.
Since 2000, work has been underway to define the performance of machine safety control systems in terms of function and reliability rather than component failure modes. This is the concept of "functional safety." IEC61508, the international standard for safety-related electrical and electronic control systems, defines the safety of complex controls down to the level of their constituent components, including reliability design over the component's life (until a loss of the safety function) and software, based on probability theory.
IEC61508 has a very wide scope of application, so a new standard specifically for machine control systems, IEC62061, was developed to cover machinery safety. However, because this standard basically assumes complex controls, it covers many safety control system architectures, and each architecture requires complex probability calculations. This is why IEC62061 was not familiar to machine designers, who are accustomed to the relatively easy-to-follow definitions of "Categories."
The latest version of ISO13849-1: 2006 combines the straightforward deterministic features of EN954-1's Categories with IEC62061's probabilistic and systematic design considerations (a reliability model). In other words, the revised version of ISO13849-1 selects the architecture models in IEC62061 that match the definitions of the Categories, and applies those reliability models.
This version can be regarded as a simplified functional safety standard.
● Main Changes
Changes in Risk Estimation Methods
Both methods require estimating risk of hazards at the risk assessment stages.
In estimating risks, EN954-1 evaluated and classified the results of its risk estimations into the risk levels of I to IV.
But the evaluation process included no notion of a target performance that the risk-reducing safety measures should reach. As a result, the safety control system's structure, Categories B to 4, was generally determined directly from the risk graph. When trying to establish a common parameter between the persons who perform the risk assessment (for example, users) and the persons who implement risk reduction (for example, machine designers), the users may not understand the functional differences between safety control system structures from the designer's viewpoint, and the designer in turn finds it difficult to understand the user's requirements. Also, the overwhelming majority of risks at actual working sites are minor, such as suspension of operation for several days, whereas EN954-1's risk graph weighted its risk estimations toward serious harm, so the previous standard did not accurately reflect this aspect.
The latest revision in ISO 13849-1: 2006 allows users to determine risk estimations homogeneously and uniquely, and makes risk assessment easier for persons responsible for implementing it.
Change in Definitions of Safety Control System's Performance
How should designers reduce risks?
If designers are required to satisfy Category requirements only, a safety control system structure, once determined, is assumed to maintain the same level of safety performance.
The question is whether this is a correct concept, considering that every machine can fail at some future time. The components comprising the safety control system will also deteriorate and can fail at some future time. It is important to establish in what mode the system will fail at such times. When a machine experiences a failure that causes the expected safety function to fail within the period its users expect, and the failure is not detected, this is equivalent to non-performance of the safety function. But definitions based only on deterministic theory cannot cover such time-related elements.
To improve this aspect, the latest revision adds to the previous structure definitions a second layer that enables users to evaluate a safety control system's reliability probabilistically, including the mean time to dangerous failure at the component level and the degree to which dangerous failures are detected. This allows users to make a quantitative evaluation according to how they actually use the machine. This is the core of the 2006 revision.
Common Indicator Criteria
The revised standard establishes indicators of a safety control system performance level that can be clearly communicated between a person who implements risk assessment and a person who designs a machine.
These indicators are called Performance Level (hereinafter abbreviated as "PL"), and are evaluated using five levels from "a" to "e." Required performance levels as seen from the standpoint of a person who implements risk assessment are specifically called PLr.
PL, the achieved performance level of a safety control system after risk reduction has been implemented, must be equal to or greater than required Performance Level (PLr).
● How to Determine Performance Level
Required Performance Level: PLr
As with the risk graph in EN954-1, a required performance level is evaluated in terms of severity of injury (S), frequency and/or exposure to hazard (F) and possibility of avoiding hazard or limiting harm (P). As a result, the required performance level (PLr) ranging from "a" to "e" is determined depending on the scale of the risk.
<Meaning of Symbols>
S1: slight (normally reversible injury)
S2: serious (normally irreversible injury or death)
F1: seldom-to-less-often and/or exposure time is short
F2: frequent-to-continuous and/or exposure time is long
P1: possible under specific conditions
P2: scarcely possible
Method to Evaluate Performance Level (PL)
Four parameters are used to evaluate a safety related control system's performance level (PL).
1. Category
2. MTTFd (Mean Time To Dangerous Failure)
3. DCavg (Average Diagnostic Coverage)
4. CCF (Common Cause Failure)
The Categories refer to the architecture of a safety related control system, and are classified into five categories as defined in the previous version of EN954-1.
MTTFd refers to an average life before the dangerous failure of a component. DC refers to the certainty of detecting failures in the entire system including software. CCF refers to the protection of the entire system from failing due to a common cause. As parameters for reliability, MTTFd and DCavg are determined by formulas, and CCF is determined with a checklist method.
Each of the parameters is classified into levels using standard values: three levels for MTTFd, three levels for DC (above "none") and two levels for CCF. Performance Levels are evaluated comprehensively in terms of these four parameters.
The following sections show how each of the parameters is calculated.
● How to Evaluate Performance Level
As described above, when the four parameters are calculated, the PL can be determined from the following graph:
Category (the five categories of B, 1, 2, 3, and 4)
MTTFd (the three levels of High, Medium, and Low)
DCavg (the four levels of High, Medium, Low, and None)
CCF (the two levels of 65 or more points and less than 65 points)
For example, with "Category 4, MTTFd = High, DCavg = High, CCF of 65 points or higher," the PL is evaluated as "e". However, the MTTFd thresholds in the above graph are not easy to read, so the table below gives a simpler view. Either the graph or the table may be used.
Category | B | 1 | 2 | 2 | 3 | 3 | 4 |
DCavg | None | None | Low | Medium | Low | Medium | High |
MTTFd of each channel: Low | a | --- | a | b | b | c | --- |
MTTFd of each channel: Medium | b | --- | b | c | c | d | --- |
MTTFd of each channel: High | --- | c | c | d | d | d | e |
Note: in both the graph and the table methods, some combinations of parameters are not allowed ("---" in the table). For example, combining Category 4 with medium reliability and low diagnostic coverage is not considered.
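The PL determination described in this section (PLr from the risk graph parameters S, F and P; PL from Category, MTTFd, DCavg and CCF; and the final check that PL is at least PLr) can be carried out as a small program. The following is an added example written for this page, not code from the original page or from any standard. It reproduces the simplified PL table above as `PL_TABLE`. Everything else it uses is assumed from ISO 13849-1:2006 rather than quoted on the page: the risk-graph outcomes for each S/F/P combination (Annex A), the level thresholds for MTTFd and DCavg (Tables 5 and 6), and the parts-count formulas that turn component MTTFd and DC values into a channel's MTTFd and DCavg (Annexes D and E). The component values in `SAMPLE_CHANNEL` are constructed sample data, and the `Component` class and all function names are this example's own.

```python
"""Added worked example of PL determination; not code from the page or any standard."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PL_ORDER = "abcde"  # "a" is the lowest performance level, "e" the highest

# ASSUMPTION: risk-graph outcomes as in ISO 13849-1 Annex A (not listed on the page).
PLR_RISK_GRAPH: Dict[Tuple[str, str, str], str] = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}


def required_pl(s: str, f: str, p: str) -> str:
    """PLr for severity S1/S2, frequency F1/F2 and avoidance possibility P1/P2."""
    return PLR_RISK_GRAPH[(s, f, p)]


@dataclass
class Component:
    name: str
    mttfd_years: float  # mean time to dangerous failure of this component, in years
    dc: float           # diagnostic coverage for this component, 0.0 .. 1.0


def channel_mttfd(channel: List[Component]) -> float:
    """Parts-count MTTFd of one channel: 1/MTTFd = sum(1/MTTFd_i) (assumed, Annex D).
    The 2006 edition caps a channel at 100 years."""
    return min(100.0, 1.0 / sum(1.0 / c.mttfd_years for c in channel))


def dc_avg(channel: List[Component]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i) (assumed, Annex E)."""
    weights = [1.0 / c.mttfd_years for c in channel]
    return sum(c.dc * w for c, w in zip(channel, weights)) / sum(weights)


def mttfd_level(years: float) -> str:
    """Low: 3 to <10 years, Medium: 10 to <30, High: 30 to 100 (assumed, Table 5)."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is not permitted for a channel")
    return "Low" if years < 10 else "Medium" if years < 30 else "High"


def dc_level(dc: float) -> str:
    """None: <60 %, Low: 60 to <90 %, Medium: 90 to <99 %, High: >=99 % (assumed, Table 6)."""
    if dc < 0.60:
        return "None"
    if dc < 0.90:
        return "Low"
    if dc < 0.99:
        return "Medium"
    return "High"


# The page's simplified PL table: (Category, DCavg level) -> MTTFd level -> PL.
# None marks a combination that the standard does not allow ("---" in the table).
PL_TABLE: Dict[Tuple[str, str], Dict[str, Optional[str]]] = {
    ("B", "None"):   {"Low": "a",  "Medium": "b",  "High": None},
    ("1", "None"):   {"Low": None, "Medium": None, "High": "c"},
    ("2", "Low"):    {"Low": "a",  "Medium": "b",  "High": "c"},
    ("2", "Medium"): {"Low": "b",  "Medium": "c",  "High": "d"},
    ("3", "Low"):    {"Low": "b",  "Medium": "c",  "High": "d"},
    ("3", "Medium"): {"Low": "c",  "Medium": "d",  "High": "d"},
    ("4", "High"):   {"Low": None, "Medium": None, "High": "e"},
}


def achieved_pl(category: str, channel: List[Component], ccf_points: int) -> Optional[str]:
    """PL reached by one channel (or the worse of two symmetric channels).
    Returns None when the parameter combination is not allowed by the table,
    or when a redundant/monitored category lacks the required CCF score."""
    if category in ("2", "3", "4") and ccf_points < 65:
        return None  # Categories 2 to 4 require at least 65 CCF points
    row = PL_TABLE.get((category, dc_level(dc_avg(channel))))
    if row is None:
        return None  # e.g. Category 4 with anything but high DCavg
    return row[mttfd_level(channel_mttfd(channel))]


def pl_meets(pl: Optional[str], plr: str) -> bool:
    """The achieved PL must be equal to or greater than the required PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


# Constructed sample channel (input device, logic, output contactor); not real product data.
SAMPLE_CHANNEL = [
    Component("safety input device", mttfd_years=50.0, dc=0.99),
    Component("safety logic", mttfd_years=100.0, dc=0.99),
    Component("output contactor", mttfd_years=40.0, dc=0.90),
]

if __name__ == "__main__":
    plr = required_pl("S2", "F2", "P1")                  # serious, frequent, avoidable -> d
    pl = achieved_pl("3", SAMPLE_CHANNEL, ccf_points=70)  # Category 3, Medium/Medium -> d
    print(f"channel MTTFd = {channel_mttfd(SAMPLE_CHANNEL):.1f} years, "
          f"DCavg = {dc_avg(SAMPLE_CHANNEL):.3f}, PLr = {plr}, PL = {pl}, "
          f"PL >= PLr: {pl_meets(pl, plr)}")
```

For the constructed channel the parts-count MTTFd works out to about 18.2 years (Medium) and DCavg to about 0.95 (Medium), so Category 3 gives PL d, which meets a PLr of d; asking the same channel to serve as Category 4 returns None, because the table does not allow Category 4 with medium DCavg, which is the kind of disallowed combination the note above refers to.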