MU July / August 2016

76 MACHINERY UPDATE JULY/AUGUST 2016 www.machineryupdate.co.uk
Regulations
Safety standards are
confusing for all
Stewart Robinson
PRINCIPAL ENGINEER AND FUNCTIONAL SAFETY EXPERT AT TÜV SÜD PRODUCT SERVICE
Following the collapse of the project designed to merge the two standards involving safety related
control, the ISO published a completely new version of its standard (EN ISO 13849-1:2015)
in December 2015. Here, we highlight some of the key changes
As two standards
relating to safety
related control systems
can be followed (EN ISO
13849-1 and EN [IEC] 62061)
to demonstrate compliance
with the Machinery Directive,
the standard organisations
had intended to merge them.
However, following the collapse
of this project, the ISO published
a completely new version of its
standard (EN ISO 13849-1:2015)
in December 2015.
There are several key
changes. Firstly, when looking
for guidance on the choice
of which standard to adopt,
Table 1 has been removed and
replaced by a reference to the
technical report ISO/TR 23849.
UPDATED REFERENCES
References have been updated
throughout the new standard,
mainly to reflect changes
in other standards. Some
definitions have also been
added, including a definition
of ‘Proven in use’, and the
addition of ‘T10d’ defined as the
“Mean time until 10 % of the
components fail dangerously”.
Previously the expression
‘average probability of
a dangerous failure per
hour’ had been used in full
throughout the standard.
Now, the abbreviation PFHD
is also used, delivering some
consistency between EN ISO
13849-1 and other functional
safety standards. Likewise,
the term ‘subsystem’ is now
included as an alternative
term for Safety Related Parts
of Control Systems (SRP/CS).
The flow chart (Figure 2)
for the overview of the risk
reduction process now
includes systematic failures
in the list of things to
consider when evaluating the
Performance Level (PLr).
For Category 2 architectures
the ‘assumption’ that the
demand rate should be ≤1/100
test rate now has an added
provision that Category 2 can
also be claimed if testing occurs
immediately upon demand of
the safety function, and safety
times and distances are also
satisfied. To achieve PLd with
Category 2 architectures it is now
a normative requirement for the
Output of Test Equipment (OTE)
to initiate a safe state.
There is a new clause (4.5.5)
regarding the use of nonelectrical
components where
no reliability data is available,
which allows for PFHD
estimations to be made based
on architectures and other
factors.
LIMITATIONS OVERCOME
For Category 4 architectures,
the 100 years Mean Time To
Dangerous Failure (MTTFd)
capping can be increased
to 2,500 years. This is to
overcome the limitations
imposed on the calculated
PFHD that results in an
artificial limit to the number
of subsystems in a series
alignment. Annex K has
therefore been updated to take
account of this.
The requirements for Safety
Related Embedded Software
(SRESW) include clear
restrictions on the use of some
Programmable Electronic
Systems according to the PLr.
For components for
which SRESW requirements
are not fulfilled, these
components may be used
under the following alternative
conditions:
• the SRP/CS is limited to PL
a or b and uses category B,
2 or 3;
• the SRP/CS is limited to PL
Carrying out the calculations
to ensure compliance remains a
resource-hungry process
c or d and may use multiple
components for two
channels in category 2 or 3.
The components of these
two channels use diverse
technologies.
The summing up the PFHD
of each SRP/CS in a series
alignment, to establish the
PFHD of the function, is made
clearer (Clause 6.3).
There is also clarification
that the use of the Risk Graph
in Annex A is not mandatory,
and that other methods to
establish PLr of the safety
functions can be used instead.
The guidance on selecting
some of the parameters is
expanded, and it is made
clear that the selection of P1
or P2 should consider both the
possibility to avoid and the
probability of occurrence of
the hazardous event.
There are some additional
measures against Common
Cause listed in table F.1. For
example, detection of short
circuits by dynamic test
is listed as a measure for
separation/segregation.
SPECIFIC MEASURE
The measure for EMC is now
more specific: “For electrical/
electronic systems, prevention
of contamination and
electromagnetic disturbances
(EMC) to protect against
common cause failures in
accordance with appropriate
standards (e.g. IEC 61326–3-1).”
Annex I ‘Examples’ has
been completely revised with
example A (single channel)
having a PLr of PLc, and
example B (dual channel)
having a PLr of PLd. More
detail is now also given to the
reliability data used in the
examples to make them more
in keeping with actual ‘real
world’ applications.
Despite its update, carrying
out the calculations required
by EN ISO 13849-1 remains
a complex task, and while
software solutions can help, it
still remains a resource-hungry
process for machine builders.
i For more information
contact W www.tuvps.com
TÜV SÜD Product Service
is the PPMA’s technical and
legislative partner