Last edit: 10/03/2024
THE DOUBT: What does it mean that a Safety Control System is operating in High or in Low Demand, and why is it important to know it?
CONSIDERATIONS: Using an analogy with urban mobility, the characteristics of a car that is used every day should be different from those of a car used once every four years. In both cases we are looking for a reliable car; but if we do not specify that we want to use the car once every four years, it is likely that, when we get into the car after it has been parked in our garage for four years and try to start it, it fails, for example because the battery is flat.
That is the reason safety systems are divided into 2 main categories:
- Safety Systems in High Demand
- Safety Systems in Low Demand
In Process Safety the majority of the Safety Instrumented Systems (SIS) are in Low Demand. Consider, for example, a high pressure sensor on a tank that will close the gas inlet. You normally have a control system that keeps the pressure within a certain range. Normally, alarms are generated before the High pressure threshold is reached. If the process runs continuously, that pressure switch may never trigger, or, if it does, it may operate once every, let’s say, four years. What guarantee do we have that, after four years, that switch is going to work?
In Machinery, when we deal with gate interlocks that are opened, for example, every day, we are in the domain of the High Demand Safety Control Systems (SCS). Activating the safety interlock every day is in itself a confirmation that the component is still working properly. If we use 2 interlocks on the same gate, we can assume ONLY one failure between two activations (one today and the other tomorrow), since accumulation of failures is unlikely in such a short timeframe. That is not the case for our high pressure switch triggered every four years!
That is, in essence, the reason why the “two worlds” run in parallel and have quite different approaches.
The reference standard for Low Demand Applications is IEC 61511:
IEC 61511-1: 2016. Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements
IEC 61511-2: 2016. Functional safety – Safety instrumented systems for the process industry sector – Part 2: Guidelines for the application of IEC 61511-1:2016
IEC 61511-3: 2016. Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels
While, for high demand, there are 2 standards: IEC 62061 and ISO 13849-1:
IEC 62061: 2021. Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
ISO 13849-1:2023 – Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
ISO 13849-2:2012 – Safety of machinery — Safety-related parts of control systems — Part 2: Validation
Last year, we published a book on the High demand Safety Standards.
ISO 13849-1 deals only with High Demand Safety Related Parts of the Control System (SRP/CS).
In the technical team that writes IEC 62061 (where GT Engineering participates at international level) there is the willingness to consider low demand applications as well; not because we want to “compete” with IEC 61511, but because, in Machinery, the manufacturer may find situations where the machine has both High and Low Demand safety Systems.
Imagine a Heat Treatment Furnace having high temperature thermocouples that protect the chamber in case the temperature goes above the design one. That Safety Subsystem is definitely working in Low Demand and you cannot simply use the ISO 13849-1 rules: other methodologies should be used or additional considerations should be made.
In this respect, a new Technical Standard was published in 2023:
IEC TS 63394: 2023 – Safety of machinery – Guidelines on functional safety of safety-related control system
Its Annex J shows a way to tackle safety systems with both High and Low Demand loops.
CONCLUSIONS:
The distinction between High and Low Demand Safety Applications is important, especially for Machinery. When analysing each safety loop, always think about how often it will most likely be used or triggered. If it is at least once a week, you can reason in terms of High Demand and you do not need to make other considerations. For frequencies lower than that, you need to think about additional maintenance and verifications. For frequencies lower than once per year, you need to use the approach of IEC 61511.
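The following added example (not taken from the standards or from the original article) puts numbers on the two-interlock argument and on the frequency thresholds in the conclusions. It assumes a constant dangerous failure rate per channel, independent channels with no common cause failures, and that each demand confirms the channel is working; the failure rate value and the function names are constructed for illustration.

```python
import math

HOURS_PER_DAY = 24.0
LAMBDA_PER_HOUR = 1e-6  # constructed sample value, not from any datasheet


def approach(interval_days):
    """Map the expected interval between demands to the article's thresholds."""
    if interval_days <= 7:       # triggered at least once a week
        return "high demand"
    if interval_days > 365:      # triggered less than once per year
        return "low demand: IEC 61511 approach"
    return "additional maintenance and verification"


def p_channel_failed(lam_per_hour, interval_days):
    """Probability that one channel has failed since its last confirmed operation."""
    hours = interval_days * HOURS_PER_DAY
    return 1.0 - math.exp(-lam_per_hour * hours)


def p_both_failed(lam_per_hour, interval_days):
    """Probability that two independent channels have both failed in that interval."""
    return p_channel_failed(lam_per_hour, interval_days) ** 2


def demand_table(lam_per_hour, intervals_days):
    """One row per interval: (days, approach, single channel, dual channel)."""
    return [
        (d, approach(d), p_channel_failed(lam_per_hour, d),
         p_both_failed(lam_per_hour, d))
        for d in intervals_days
    ]


if __name__ == "__main__":
    # Daily gate interlock, weekly, monthly, yearly, and the four-year pressure switch
    for days, mode, single, dual in demand_table(LAMBDA_PER_HOUR, [1, 7, 30, 365, 4 * 365]):
        print(f"{days:5d} d  {mode:42s}  1 channel: {single:.2e}  2 channels: {dual:.2e}")
```

With these assumptions, two channels left unexercised for four years are more likely to have both failed than a single channel that is operated every day, which is why redundancy alone does not settle a Low Demand loop.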