While there is a fair chance that you might have read something about IEC 62061 in the last year or two, it is almost certain that you will not have seen anything about BS EN 62061:2005 (Safety of machinery, Functional safety of safety-related electrical, electronic and programmable electronic control systems). While the two standards' numbers, names and texts are the same, there is a subtle difference that machine builders - and those modifying machinery - should be aware of.
It is widely appreciated today that new machinery for placing on the market in the European Union, and machinery that has been modified, needs to be CE marked. The key legal requirement for this is that the machinery must meet the essential health and safety requirements (EHSRs) of the Machinery Directive. Compliance with harmonised standards (ie Euronorms, or standards prefixed with EN) is not a legal requirement, but harmonised standards are considered to be 'best advice' documents and therefore offer machine builders an 'approved route' to meeting the EHSRs. If machinery is not constructed in accordance with the harmonised standards, it may be difficult (though not impossible) to demonstrate compliance with the EHSRs, should the need arise.
IEC 62061 was published in early 2005 and some machine builders started working with it almost immediately. However, in January 2006, the standard was harmonised as EN 62061 (and BS EN 62061 in the UK), with the result that machine builders are now strongly encouraged to comply with its requirements where appropriate.
However, instead of it being viewed as a burden, this standard should be seen as a golden opportunity, as it means machine builders can now be more confident that their machines will meet the EHSRs of the Machinery Directive, as BS EN 954-1 (the standard to which they probably worked previously) has no advice to offer when programmable or software-configurable are used within safety-related electrical control systems, other than to say that single-channel programmable systems cannot be used above category B.
BS EN 62061 is a sector standard (or 'daughter' standard) to the seven-part standard IEC/EN 61508, 'Functional safety of electrical/electronic/programmable electronic safety-related systems', written specifically for the machinery sector. It therefore takes a quantitative risk-based approach similar to that found in EN 61508, which requires rather more work than the qualitative 'risk graph' of EN 954-1.
However, it can also be argued that the requirement for a more methodical approach will lead to machinery being built with better, more predictable performance, greater reliability and availability, and capable of delivering an improved return on investment. In the event of a machine failure or a requirement to modify or upgrade, the improved documentation will also be highly beneficial.
BS EN 62061 is primarily aimed at developers and manufacturers of complex plant and machinery utilising programmable controllers and fieldbus networks for safety functions, plus developers of relevant application software and users of complex programmable safety systems that have been developed in accordance with EN 61508.
One of the most important clauses in EN 62061 is clause 4, the management of functional safety, which calls for a functional safety plan. This should describe a policy and strategy for fulfilling the functional safety requirements, as well as identifying persons, departments and other resources that are responsible for carrying out and reviewing each of the activities. Procedures should be produced and resources provided to record and maintain the information. Verification and validation plans should also be established. It must be stressed that all of this requires adequate competence if it is to be completed correctly.
Clause 5, Requirements for the specification of Safety Related Control Functions (SRCFs), explains how the functional requirements specification and safety integrity requirements for each SRCF should be compiled to create a safety requirements specification (SRS). Furthermore, the three safety integrity levels (SIL 1, SIL 2 and SIL 3) require that the probability of dangerous failures per hour (PFHd) must fall between certain target values as follows:
SIL 1 ≥10-6 to < 10-5 (or 1 failure in 100,000 h)
SIL 2 ≥10-7 to < 10-6 (or 1 failure in 1,000,000 h)
SIL 3 ≥10-8 to < 10-7 (or 1 failure in 10,000,000 h)
Of course the next step in the process is to design the SRECS, which is covered in Clause 6, Design and Integration of the safety related electrical control system (SRECS). This clause specifies the requirements for the selection or design of the SRECS to meet the functional and safety integrity requirements specified in the safety requirements specification (SRS). Clause 6 gives examples of how the SRECS should be broken down into function blocks that are then detailed in terms of their structure, safety requirements and inputs and outputs. These function blocks are then allocated to subsystems that make up the complete SRECS.
Also covered in Clause 6 are the identification of the Probability of Dangerous failures (PFHd), estimation of Safe Failure Fractions (SSF), Common Cause Failures (CCF) and diagnostic functions. Both hardware and software design are discussed, plus development, implementation and testing.
Documentation is a very important aspect of EN 62061. As well as the documentation that will generated as part of the design process, Clause 7, Information for use of the Safety Related Electrical Control System (SRECS), explains what information relating to the SRECS should be provided to the user to enable procedures to be developed to ensure the system safety functions are maintained during the use and maintenance aspects of the machine. Further information is also contained in Clause 10, Documentation.
It has already been mentioned that a validation plan is required, and the validation process requirements are described in Clause 8, Validation of the SRECS. This details how the process should be applied - which depends on the complexity of the SRECS and the assigned SIL.
During installation and commissioning it is often the case that modifications will be found to be necessary. BS EN 62061 Clause 9, Modification, details the procedure to adopt when modifications are required during the design integration and validation phases of the project. Modifications must be carried out correctly documented, with adequate configuration management procedures and documentation; the process must be controlled including action plans.
In terms of a design procedure, BS EN 62061 gives a six-stage process: identify the danger zones on the machine; define the risk parameters Se, Fr, Pr, Av (in accordance with Annex A); identify the required Safety Integrity Level (SIL) (in accordance with Annex A); design and implement the necessary safety functions; determine the SILs (by establishing the residual error probability (PFH) and the Safe Failure Fraction (SFF)); and compare the achieved SIL with the required SIL.
The risk parameters are as follows: Se (severity of harm); Fr (frequency and exposure time to the hazard); Pr (probability of occurrence of hazardous event); and Av (possibility to avoid or limit the harm). Because the standard takes a quantitative approach, all of these parameters can be quantified. For example, the Severity of harm (Se) carries 4 points for an irreversible injury (death, loss of eye or arm), down to 1 point for a reversible injury that requires on-site first aid. Similarly points are scored for the other risk parameters, with the probability of occurrence of harm (Cl) being the sum of the points scored for Fr + Pr + Av. The standard contains a look-up table that shows what SIL is required for a given combination of Se and Cl.
It will be appreciated that various factors can affect the residual error probability (PFH), as follows: architecture of control system; failure/error rate of the individual components; quality of error management (diagnostic coverage); test interval; inspection interval or service life; and common cause failures. All of these are covered in detail within BS EN 62061, but it is important to note that the required calculations - such as for the failure rate - require data to be collected from suppliers for specific components or, alternatively, generic data may be used. BS EN 62061 gives scores that can be applied to various common cause failures to give an estimation of the common cause factor (Beta - expressed as a percentage).
If you are not familiar with some of the terminology introduced here, it probably all sounds complicated. And when you see the calculations written down, these can also appear daunting at first sight. But the standard and its annexes are well written and include examples, so users will most likely get to grips with the principles, terminology and calculations relatively quickly. Nevertheless, given the potential seriousness of getting any of the procedure wrong - such as an injury to an operative - it is vital to seek assistance from an expert in the event of any difficulty being encountered.
Finally, it should be noted that BS EN 954-1 may soon be replaced by a new BS EN 13849-1 (currently available as pr EN ISO 13849-1), which also uses a quantitative approach to risk assessment and calculations of PFH (residual error probability), though the new standard refers to performance levels rather than the SILs of BS EN 62061. However, because the two standards cover similar ground, it is likely that the next step in the standards development process would be to move towards combining these into one.
Pilz offers a one-day training course, known as the 'Introduction to EN 62061 and pr EN ISO 13849-1 Safety of Machinery Course', which is suitable for designers, engineering managers and others involved in the design, specification or selection of safety-related control systems for machinery, whether they are working on new projects or modifications to existing machinery. The course goes into far more detail than is possible in an article such as this.