Functional Safety of Machinery

WITH THE WITHDRAWAL OF BS EN 954-1, there are two standards open to designers of machines with respect to functional safety: BS EN 62061 and BS EN ISO 13849-1. This means that the safety function of a machine is specified as either a SIL (Safety Integrity Level) or a PL (Performance Level). Performance Levels relate to BS EN ISO 13849-1, and SIL ratings are defined by BS EN 62061. It is the choice of the machine builder which standard is used, but BS EN 62061 is generally thought to be more comprehensive, whilst BS EN ISO 13849-1 is designed as a more straightforward progression from the original BS EN 954-1.


BS EN 62061 requires a Safety Requirements Specification (SRS) to be drawn up. This will define in detail the requirements of the safety function in question. It will also define the probability that the safety function will be performed under the specified conditions of operation (Safety Integrity Specification).

The Safety Integrity Specification should consider both random hardware failures and systematic failures. Systematic failures are the most common, as they result from an incorrect specification. A systematic failure is a failure that is related to a specific cause, and it can only be avoided by removing that cause.

The Safety Integrity Level (SIL rating) is then defined by the target failure value for the probability of a dangerous failure per hour. This is usually calculated from the reliability data for each component and translates as follows.

Safety Integrity Level (SIL)   Probability of a dangerous failure per hour (PFHd)
3                              > 10^-8 to < 10^-7
2                              > 10^-7 to < 10^-6
1                              > 10^-6 to < 10^-5



BS EN ISO 13849-1 uses a combination of three factors to determine the Performance Level (PL) of a system. The PL is categorised as a, b, c, d or e, with e being the highest level of safety. The three factors used are Mean Time To Dangerous Failure (MTTFd), Diagnostic Coverage (DC) and architecture category. They are related together in the following table.

Architecture Category   B            1            2            2            3            3            4
DCavg                   None         None         Low          Medium       Low          High         High
MTTFd Low               a            Not Covered  a            b            b            c            Not Covered
MTTFd Medium            b            Not Covered  b            c            c            d            Not Covered
MTTFd High              Not Covered  c            c            d            d            d            e

The defining factors for performance levels are calculated as follows:

MTTFd LEVELS are defined as Low between 3 years and 10 years, Medium between 10 years and 30 years, and High over 30 years. The MTTFd in years is calculated using the following data, in order of preference:

  • Manufacturer’s data (MTTFd, B10 or B10d)
  • Methods in Annexes C and D of BS EN ISO 13849-1
  • Choose 10 years

DIAGNOSTIC COVERAGE is defined as Nil when less than 60%, Low between 60% and 90%, Medium between 90% and 99%, and High greater than 99%. Diagnostic coverage is a measure of how many of the dangerous failures the diagnostic system will detect.
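The procedure above (bin MTTFd into Low/Medium/High, bin DC into Nil/Low/Medium/High, then read the PL from the category table) and the earlier SIL table lend themselves to a small calculator. The following Python is an added example written for this page, not code from the standards or from the article's author. It encodes the PL table exactly as printed above (including the column the page labels Category 3 / DC High), and the B10d-to-MTTFd conversion follows the formula given in Annex C of BS EN ISO 13849-1 (MTTFd = B10d / (0.1 × n_op), with n_op = d_op × h_op × 3600 / t_cycle); the function and parameter names, and the sample component figures, are this example's own.

```python
"""Added example: derive PL (BS EN ISO 13849-1) and SIL (BS EN 62061)
from component reliability data, following the tables on this page."""


def mttfd_from_b10d(b10d_cycles, days_per_year, hours_per_day, cycle_time_s):
    """Convert a manufacturer's B10d figure into MTTFd in years.

    Formula as given in Annex C of BS EN ISO 13849-1:
        n_op  = d_op * h_op * 3600 / t_cycle   (operations per year)
        MTTFd = B10d / (0.1 * n_op)
    """
    if cycle_time_s <= 0:
        raise ValueError("cycle time must be positive")
    n_op = days_per_year * hours_per_day * 3600.0 / cycle_time_s
    return b10d_cycles / (0.1 * n_op)


def mttfd_level(years):
    """Bin MTTFd into the page's Low / Medium / High bands (None below 3 years)."""
    if years < 3:
        return None          # below the range the page defines; not usable
    if years < 10:
        return "low"         # 3 years up to 10 years
    if years < 30:
        return "medium"      # 10 years up to 30 years
    return "high"            # over 30 years


def dc_level(dc_percent):
    """Bin diagnostic coverage (in %) into Nil / Low / Medium / High."""
    if dc_percent < 60:
        return "none"        # the page calls this 'Nil'; the table calls it 'None'
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


# The PL table as printed on this page, keyed by (architecture category, DCavg).
# None means the page marks that cell 'Not Covered'.
PL_TABLE = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "high"):   {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def performance_level(category, mttfd_years, dc_percent):
    """Return the PL letter ('a'..'e'), or None when the combination is not
    covered by the table (including category/DC pairs the table has no column for)."""
    m = mttfd_level(mttfd_years)
    if m is None:
        return None
    column = PL_TABLE.get((str(category), dc_level(dc_percent)))
    if column is None:
        return None
    return column[m]


def sil_from_pfhd(pfhd):
    """Map a probability of dangerous failure per hour onto SIL 1..3 per the page's table."""
    if 1e-8 <= pfhd < 1e-7:
        return 3
    if 1e-7 <= pfhd < 1e-6:
        return 2
    if 1e-6 <= pfhd < 1e-5:
        return 1
    return None              # outside the range the page tabulates


if __name__ == "__main__":
    # Constructed sample: a contactor with B10d = 2,000,000 cycles, used
    # 220 days/year, 16 h/day, one cycle every 30 s, in a Category 3 circuit
    # with 99.5 % diagnostic coverage.
    years = mttfd_from_b10d(2_000_000, 220, 16, 30)
    print(f"MTTFd = {years:.1f} years -> {mttfd_level(years)}")
    print("PL =", performance_level("3", years, 99.5))
    print("SIL for PFHd 5e-8 =", sil_from_pfhd(5e-8))
```

Note that the calculator deliberately returns None rather than guessing when a category/DC pairing has no column in the table: the page says which combinations are covered, and a designer who lands outside them needs to change the architecture or the diagnostics, not round to the nearest letter.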



THE ARCHITECTURE CATEGORY OF SAFETY SYSTEMS is as follows:

CATEGORY B circuits are very basic. They can lead to loss of the safety function under fault conditions.

CATEGORY 1 circuits are the same as Category B, but the probability of a loss in the safety function is less than in a B system.

CATEGORY 2 circuits will detect faults by periodic testing. It is possible to lose the safety function between tests.


CATEGORY 3 circuits are designed so that the safety function is maintained in the case of a single fault. An accumulation of faults will cause loss in the safety function.



CATEGORY 4 circuits maintain the safety function in the case of multiple faults. They use double redundancy on the input and output side, and they also include a feedback loop for monitoring the state of the outputs.