Chapter 2 - What is Functional Safety

Last edit: 30/06/2023

Chapter 2 contains a brief history of Functional Safety. EN 954-1 was the first European machinery safety standard dealing with Safety-related Control Systems. Soon later, IEC 61508 was published as the Functional Safety reference Standard. IEC 61511-1, for the Process Industry, came few years later and IEC 62061 for the Machinery Sector was published in 2005.

High and low demand mode of operation concepts are introduced. What is a Safety Control System is explained as well; where it begins and it ends, since there is still confusion, for example, if a pneumatic cylinder is part of a Safety Control System or not.

 

Hereafter some excerpts from the chapter.

2.1 A Brief History of Functional Safety Standards

In machinery, one of the first safety standards was BS 5304 “Code of Practice for Safety of Machinery,” first published in 1975. Design features in this code of practice were essentially qualitative.
The guide existed, with various revisions, until well into the 1990s, where such guidance was then provided by the European Standard EN 954-1:1996 “Safety of machinery – Safety related parts
of control systems. General principles for design” [2]: the safety of Machinery Control Systems was formally born.
At that time, the world of programmable electronics, despite already heavily used in process safety, was kept out of Machinery standards. Here is what the 1998 version of IEC 60204-1 was
stating about emergency stops:

[IEC 60204-1: 1997] 9.2.5.4 Emergency operations (emergency stop, emergency switching off )
9.2.5.4.2 Emergency Stop. […] Where a Category 0 stop is used for the emergency stop function, it shall have only hardwired electromechanical components. In addition, its operation shall not depend on electronic logic (hardware or software) or on the transmission of commands over a communications network or link. Where a Category 1 stop is used for the emergency stop function, final removal of power to the machine actuators shall be ensured and carried out by means of electromechanical components.

The reason for the skepticism towards Electronics was that an Electromechanical component has clearly defined failure modes. For example, a power contactor (§ 4.12.2) can fail open or fail closed.
EN 954-1 had, what was later called, a Deterministic Approach. Safety components were accepted only if electromechanical or made with simple electronics. Safety was relying mainly
on the so-called “Architectures”: Single or Double channels. In case of need for a low-risk reduction, a single interlocking device and a single contactor that stops the motor would be enough.
In case the motor were moving a high-risk element, like a saw, two contactors with monitoring function (Fault Detection) would be needed to stop the same motor. […]

[…]

2.1.1.2 Safety Integrity Levels
According to IEC 61508, failures can be classified as either random hardware failures or systematic failures. The challenge to anyone designing a complex system, such as a programmable
electronic system, is to determine how much confidence is necessary for the specified safety level.
IEC 61508 tackles this on the following basis:

  • that it is possible to quantify the random hardware failures;
  • that is not usually possible to quantify systematic failures.

IEC 61508 series specifies four levels of safety performance for a safety function. These are called safety integrity levels. Safety integrity level 1 (SIL 1) is the lowest level, and safety integrity level 4 (SIL 4) is the highest level. The standard details the requirements necessary to achieve each safety integrity level. These requirements are more rigorous at higher levels of safety integrity in order to achieve the required lower likelihood of dangerous failures.
An E/E/PE safety-related system will usually implement more than one safety function. If the safety integrity requirements for these safety functions differ, unless there is sufficient independence
of implementation between them, the requirements applicable to the highest relevant safety integrity level shall apply to the entire E/E/PE safety-related system.
If a single E/E/PE system is capable of providing all the required safety functions and the required safety integrity is less than that specified for SIL 1, then IEC 61508 does not apply. […]