Last edit: 11/08/2023
If you intend to buy the book, here are a few considerations:
1) What is Functional Safety?
Functional Safety comes into play every time you decide to use an Automation System to reduce the risk associated with Machinery or a Process. The risk is normally reduced by removing all energies: these can be electrical (a motor that drives a dangerous movement), pneumatic or hydraulic, but they can also be stored in process fluids, such as the methane gas feeding a burner or a pump that raises the pressure in a tank. Every time you decide that, in order to eliminate the risk, you need a pressure sensor that, in case of a dangerously high value, triggers the closure of a valve, Functional Safety plays the key role. The issue is that any one of the elements of the so-called Safety Instrumented System can fail.
2) Why do components fail?
Components fail because of 2 reasons:
– They fail because they are not properly designed, manufactured, installed, used or maintained. Take the example of car tyres: if we drive a car with badly inflated tyres, they are likely to fail sooner than normal. These are Systematic Failures: failures due to mistakes in the design, manufacturing, installation or maintenance of the component. Systematic Failures are difficult to estimate and can only be reduced by making sure the whole process, from the component design up through the usage and maintenance of the product, is done properly.
That is the reason for the importance of concepts like Systematic Capability or Systematic Safety Integrity of components, or of Safety-related Control Systems.
Both ISO 13849-1 and IEC 62061 define good engineering practices to be followed, in order to reduce the probability of Systematic Failures: they are called Basic and Well-tried safety principles. Moreover, both standards require a Functional Safety Plan. You may refer to Annex I in IEC 62061 or Annex G in ISO 13849-1.
– Even if the whole process (from design to maintenance) is carried out according to the correct rules and procedures, components still experience Random Failures during their lifetime; these are the failures that can be statistically estimated.
3) Why do you need special components to take care of the safety of a process or of machinery?
Any component can fail, regardless of whether it is suitable for use in a Safety system or not.
Therefore, any Process Control system, for example the one that keeps the temperature in a Heat Treatment furnace under control, can fail and the temperature may increase until it generates a dangerous situation.
If you are not familiar with Functional Safety, you may think that the occurrence of the event is so unlikely that it can be disregarded, and that nothing more is needed to declare the furnace safe.
That is not the way Functional Safety reasons. Yes, the event has a low probability of happening, but it can happen!
In order to be able to CE mark the furnace, you need to install a Safety system made of components with a known probability of failure. That allows you to calculate the Reliability of your additional Safety Layer. The higher the risk linked to, in our example, the high temperature, the higher its Reliability has to be.
The probability of failure of a component can be given using parameters explained in this book:
– The failure rate, λ.
– The B10.
– The Mean Time To Failure, MTTF.
– The PFDavg.
– The PFHD.
4) Why is there a distinction between High and Low demand mode of operation?
This is one of the key concepts to understand if you want to be able to get to the end of this journey.
To reach a low probability of failure of a Safety System, the following should be done:
– To choose components that have a low probability of failure, and
– To regularly test if each component is still working, before a dangerous situation happens; in other words, before a demand is placed upon the Safety System. A demand can be, for example, a high dangerous pressure.
Both aspects are influenced by how often the Safety System is used. Consider a new car that is kept in a garage and used once every five years, compared with one that is used daily. If you want to make sure the former works when you turn the key, you would need to do regular checks, for example switching on the engine every three months and verifying that the mechanics are still in good shape. If the car were a Safety System, it would be defined as working in low demand mode.
On the other hand, if you use the car every day, most of the checking is done “automatically” while you drive it. You may hear a strange noise that indicates the gearbox is faulty. This car would be a Safety System working in high demand mode.
If you think for a moment about these examples, you understand that, depending upon the usage (high or low demand mode), the car manufacturer should design some components in a different way; think, for example, of the battery system.
You now understand why a pressure switch, a contactor or a valve used in high or in low demand mode:
– may have different failure rates;
– require different types of testing. If they work in high demand mode, most of the testing can be done automatically (this is called Functional Testing and it is achieved thanks to what is called the Diagnostic Coverage), while if they work in low demand mode, besides functional testing, they also require offline testing, called "Proof Test".
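The link between the parameters listed in section 3 and the demand mode described in section 4 is easiest to see with numbers. The following Python example is added here and is not code from the book or from the standards it cites; it uses the simplified single-channel (1oo1) formulas from IEC 61508-6 (PFDavg ≈ λDU·T1/2 for low demand, PFH ≈ λDU for high demand), the ISO 13849-1 conversion from B10d to MTTFd, and the SIL bands of IEC 61508-1. All component values (λ, B10d, Diagnostic Coverage, proof test interval, operating profile) are constructed for illustration, not taken from any real datasheet. It shows why the same component, with the same failure rate, is assessed differently in the two modes, and how Diagnostic Coverage and the Proof Test interval enter the calculation.

```python
"""Worked reliability figures for a single safety component (constructed example).

Formulas used (well known, see IEC 61508-6 Annex B and ISO 13849-1 Annex C):
  MTTF      = 1 / λ                      (constant failure rate, hours)
  nop       = dop * hop * 3600 / tcycle  (operations per year, ISO 13849-1)
  MTTFd     = B10d / (0.1 * nop)         (years, ISO 13849-1)
  λDU       = λD * (1 - DC)              (dangerous undetected rate)
  PFDavg    ≈ λDU * T1 / 2               (1oo1, low demand, T1 = proof test interval)
  PFH       ≈ λDU                        (1oo1, high demand)
"""

HOURS_PER_YEAR = 8760.0


def mttf_from_lambda(lam_per_hour: float) -> float:
    """Mean Time To Failure in hours for a constant failure rate λ (per hour)."""
    return 1.0 / lam_per_hour


def nop_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Number of operations per year: days/year * hours/day * 3600 / cycle time (s)."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """ISO 13849-1 conversion of a B10d (cycles) into MTTFd (years) for a given nop."""
    return b10d / (0.1 * nop)


def lambda_du(lam_d_per_hour: float, diagnostic_coverage: float) -> float:
    """Dangerous undetected failure rate: the part of λD that diagnostics do not catch."""
    return lam_d_per_hour * (1.0 - diagnostic_coverage)


def pfd_avg_1oo1(lam_du_per_hour: float, proof_test_interval_h: float) -> float:
    """Low demand mode: average Probability of Failure on Demand, simplified 1oo1."""
    return lam_du_per_hour * proof_test_interval_h / 2.0


def pfh_1oo1(lam_du_per_hour: float) -> float:
    """High demand mode: Probability of dangerous Failure per Hour, simplified 1oo1."""
    return lam_du_per_hour


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508-1 low demand bands; 0 means below SIL 1."""
    bands = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
    for sil, low, high in bands:
        if low <= pfd < high:
            return sil
    return 0


def sil_from_pfh(pfh: float) -> int:
    """IEC 61508-1 high demand / continuous bands; 0 means below SIL 1."""
    bands = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]
    for sil, low, high in bands:
        if low <= pfh < high:
            return sil
    return 0


def assess(lam_d: float, dc: float, proof_test_years: float) -> dict:
    """Assess one component in both demand modes (constructed inputs)."""
    ldu = lambda_du(lam_d, dc)
    pfd = pfd_avg_1oo1(ldu, proof_test_years * HOURS_PER_YEAR)
    pfh = pfh_1oo1(ldu)
    return {
        "lambda_du": ldu,
        "pfd_avg": pfd, "sil_low_demand": sil_from_pfd(pfd),
        "pfh": pfh, "sil_high_demand": sil_from_pfh(pfh),
    }


if __name__ == "__main__":
    # Constructed valve: λD = 2e-6 /h, 50 % Diagnostic Coverage, yearly proof test.
    for t1 in (1.0, 10.0):
        r = assess(lam_d=2e-6, dc=0.5, proof_test_years=t1)
        print(f"proof test every {t1:>4} y: PFDavg={r['pfd_avg']:.2e} (SIL {r['sil_low_demand']}), "
              f"PFH={r['pfh']:.1e} (SIL {r['sil_high_demand']})")
    # Constructed contactor: B10d = 2e6 cycles, 365 d/y, 24 h/d, one cycle per minute.
    nop = nop_per_year(365, 24, 60)
    print(f"nop={nop:.0f}/y, MTTFd={mttfd_from_b10d(2e6, nop):.1f} y")
```

Running the block shows that stretching the Proof Test interval from one to ten years moves the same valve from SIL 2 to SIL 1 in low demand mode, while its high demand figure does not change at all, because in high demand mode the Diagnostic Coverage, not the Proof Test, is what limits λDU.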