The latest 2015 edition is now harmonised to the Machinery Directive. David Collier of Pilz UK shares his observations of the impact these changes will have.
16 Nov 2016
Update to BS EN ISO 13849-1, third edition 2015 - standard for safety related controls on machines
The planned merger of EN ISO 13849-1 and EN 62061 into IEC/ISO 17305 by the Joint Working Group JWG1 did not come to pass. However, during the attempt an official request was made to alter the existing version of EN ISO 13849-1, and that revision was published in December 2015.
The modifications are in some cases purely editorial (such as the suffix “d” used in MTTFd, B10d and elsewhere being replaced by “D”). However, some important clarifications and shifts have been included, and EN ISO 13849-1:2015 is now the go-to standard for safety-related controls on machines, since the previous edition is no longer harmonised to the Machinery Directive 2006/42/EC.
In section 1 the table comparing the recommended application of EN ISO 13849-1 and EN 62061 has been removed, but EN 62061 is still mentioned. In section 2 normative references to other standards have been updated, such as ISO 12100:2010 for risk assessment and risk reduction.
In section 3 (terms and definitions) one addition is the mention of “proven in use”, which means a demonstration, based on operational experience for a specific configuration of a component, that the likelihood of a dangerous failure is low enough not to impact the Performance Level of any safety function incorporating that component. Later in the standard it becomes clear in 4.5.5 that this is only “allowed” for mechanical, hydraulic and pneumatic elements where omission of MTTFD is to be justified, and proven in use would need to be stated by the manufacturer of the component.
Quite a lot of change has happened in section 4 Design Considerations. In section 4.5.2 the limitation of MTTFD to 100 years (capping) was previously applicable to all subsystems regardless of category, which had the undesirable effect of limiting the number of category 4 subsystems which could be combined without a drop in Performance Level from PL e to PL d. This was thought to be too conservative, therefore, for category 4 subsystems the capping limit has been raised to 2500 years which means later in the informative annex K the table K1 now covers this extended range instead of 100 years. This higher value is justified because in Category 4 other quantifiable aspects (structure and Diagnostic Coverage) are at their maximum point. As a result of this there is no longer a need to combine input and actuator elements as one subsystem in some cases, which was previously sometimes needed especially for hydraulic and pneumatic components.
In section 4.5.4 the assumption made for Category 2 that the demand rate must be less than 1/100 of the test rate has been changed to “the demand rate is less than or equal to 1/100 test rate; or testing occurs immediately upon demand of the safety function and the overall time to detect the fault and to bring the machine to a non-hazardous condition (usually to stop the machine) is shorter than the time to reach the hazard (see also ISO 13855)”. The added possibility to test “on demand” allows a dual channel Category 2 design with one active channel and one monitoring channel, the latter recognising and appropriately responding to a demand placed on the former but only actively getting involved in the case that the first channel fails. This could be useful for retrofit applications (second channel as an add-on to the existing first channel), provided the timing constraints are met to ensure that safety distances are maintained with respect to stopping times (see also EN ISO 13855).
Up until the change, Table 5 in section 4 was used to select the optimum Category / DC / MTTFD combination to achieve a desired PL. This is now supplemented by another table in 4.5.5 Description of the outputs part of the SRP/CS by category, which refers to actuators (such as power drives) or mechanical, hydraulic or pneumatic components (or components comprising a mixture of technologies) where no application-specific reliability data is available. The machine builder has scope to evaluate the PL without any reference to MTTFD calculation, using only Category, Diagnostic Coverage and measures against Common Cause Failure (CCF). Table 8 shows recommended and optional categories which can be used to achieve the desired PL in a subsystem comprising such components, providing that they are “proven in use” or “well tried” (regardless of Category), which means in practice usability will be limited. However, it may be used where calculation of the PL of the final actuator subsystem in a safety function is not possible.
Section 4.6 covers software, and a new statement is made about non-failsafe PLCs whose manufacturer-developed embedded firmware does not meet the requirements of SRESW (safety-related embedded software needs to be developed in accordance with IEC 61508-3, which is a very detailed task only ever conducted by safety PLC / controller manufacturers). The requirement is that for standard PLCs to be used in safety functions the PL must be limited to PL a or b when in Category B, 2 or 3, and for PL c or d to be achieved two diverse PLCs must be used in a two-channel architecture. In practice such a structure would not be used due to installation and maintenance efforts (two different PLCs running together) and probably also space and cost. Therefore, for PL c and above the obvious choice is to use safety PLCs.
In section 6.2.2 reference is still made to the fact that the structure (Category) is the key characteristic having the greatest influence on the PL. The statement that it is admissible to design according to a machine-specific C-standard specifying just a Category (as was in EN 954-1) and not the PL (hence obviating the need to consider MTTFD, DC and CCF) has been removed. It is the view of the author that one should always use state of the art when defining a safety function and working with the full requirements of EN ISO 13849-1 is better than using the superseded EN 954-1 and just the Category.
The informative Annexes have undergone some significant changes.
Annex A concerns the risk analysis used to determine the required PL. It must be pointed out that the risk graph method is not mandatory, and it assumes the worst case (probability of occurrence is 100%). It is also possible to deduce the PLr by other methods, or refer to a PL stated in a machine-specific C-standard. The terms S (severity), F (frequency) and P (possibility of avoidance) remain. The term F is now better clarified: F1 (seldom) means the accumulated exposure time is less than 1/20 of the overall operating time and the frequency is not higher than once per 15 minutes. The aim of this is to make sure that duration is better defined, which is very relevant to relating a safety function to a task such as maintenance and not just the number of times persons are exposed to hazards.
Consideration can now also be given to the additional term probability of occurrence (which is a parameter considered in EN 62061 when determining a target SIL, but not previously considered in EN ISO 13849-1). Rather than assuming 100%, there is now a statement that “where the probability of occurrence of the hazardous event can be justified as low, the PLr may be reduced by one level”. This means that after considering severity (e.g. S2 irreversible injury), frequency of exposure (e.g. F2 twice a shift) and possibility of avoidance (e.g. P2 unavoidable) the PLr would be PL e, but by using the argument that it’s actually not likely to happen you could instead select PL d. This is not a massive stretch. However, a drop from PL d to PL c is a big step, because the design requirement could change from requiring a dual channel architecture such as Category 3 with Diagnostic Coverage of 60% to single channel Category 1 without any Diagnostic Coverage. This is dramatic, and even more so if taking the reduction from PL c (which at a minimum requires Category 1 and the use of well-tried components) to PL b (which would remove the need to use even well-tried components). It is the view of the author that such a reduction could be used if a safety solution is being designed on top of an existing control solution, but it should not be used to rectify an existing poorly designed safety function. More importantly, extreme caution should be used when applying the reduction if one has already reduced the PLr by selecting P1. Note the option to do this appears in both Sistema and PAScal software, with a warning about applying the reduction of PLr where P1 has been selected. It is probably worthy of note that anyone buying a machine should be asking the machine supplier about this, as there may be a temptation to reduce the cost of the safety-related controls, and this should not be at the expense of safety!
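As an added illustration of the Annex A points above (not code from the article, Pilz, Sistema or PAScal), the following Python encodes the S/F/P risk graph, the 2015 definition of F1, and the optional one-level PLr reduction, flagging the case the author warns about where P1 has already lowered the PLr. The `ARCHITECTURE_NOTE` strings are the article's illustrative examples, not the standard's Table 5, and the function and type names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Annex A risk graph: (S, F, P) -> required Performance Level (PLr).
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
PL_ORDER = "abcde"

# Architectures the article quotes as illustrations for each PL (assumed
# here for the example); this is not Table 5 of the standard and does not
# replace a Category / DC / MTTFD / CCF evaluation.
ARCHITECTURE_NOTE = {
    "e": "dual channel, e.g. Category 3 or 4 with high DC",
    "d": "dual channel, e.g. Category 3 with DC 60 %",
    "c": "single channel, at minimum Category 1 with well-tried components",
    "b": "single channel, well-tried components not required",
    "a": "single channel, well-tried components not required",
}


def frequency_class(exposure_fraction: float, min_interval_minutes: float) -> str:
    """2015 clarification of F: F1 only if accumulated exposure is at most
    1/20 of operating time AND exposures occur no more often than once per
    15 minutes; any other combination is F2."""
    if exposure_fraction <= 1 / 20 and min_interval_minutes >= 15:
        return "F1"
    return "F2"


@dataclass
class PlrResult:
    plr: str
    architecture: str
    reduced: bool
    caution: Optional[str]


def required_pl(s: str, f: str, p: str, low_probability_justified: bool = False) -> PlrResult:
    """Look up PLr and optionally apply the one-level reduction for a justified
    low probability of occurrence. As the tools do, the reduction is applied
    but flagged when P1 has already lowered the PLr."""
    plr = RISK_GRAPH[(s, f, p)]
    reduced, caution = False, None
    if low_probability_justified and plr != "a":   # nothing below PL a
        plr = PL_ORDER[PL_ORDER.index(plr) - 1]
        reduced = True
        if p == "P1":
            caution = "PLr already reduced by selecting P1; apply the further reduction with extreme caution"
    return PlrResult(plr, ARCHITECTURE_NOTE[plr], reduced, caution)
```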
There are many other changes, but the above are some of the most significant. The fact that this new edition is harmonised means that software tools, such as PAScal v1.8, have been updated to reflect these changes.