People often speak of there being "three" sides to every story: one side, the opposite side and the truth, which usually falls somewhere in the middle. In the case of international safety standard ISO 13849-1 (Safety of Machinery – Safety-Related Parts of Control Systems – Part 1: General Principles for Design), there is the good, the bad and the ugly.
The standard uses statistical analysis to make a probabilistic determination as to the reliability of the components, devices and circuitry used in the safety-related part of the control system(s) of industrial machinery. This determination represents the probability of a failure to danger over time and is represented by a performance level (PL).
The ISO 13849-1 methodology uses the category of circuit structure/architecture, mean time to dangerous failure (MTTFd), number of cycles with which 10 percent of components have a failure to danger (B10d), diagnostic coverage (DC) and common cause failure (CCF) to determine the PL of a control system.
This information then can be used in a risk assessment (e.g. ISO 12100, ANSI B11.0, etc.) to evaluate and ensure the appropriate risk reduction has been achieved by implementing safeguarding devices, proper interfacing, control logic and machine actuators.
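To make the parameters named above concrete, the following is an added worked example (it is not part of the original article and not code from any standards body or vendor). It carries one single-channel safety function through the simplified ISO 13849-1 procedure: B10d and the number of operations per year give each electromechanical component's MTTFd, the channel MTTFd is the series combination capped at 100 years (the cap used by the 2006 edition), and the category, MTTFd band, diagnostic-coverage band and CCF score are looked up in the simplified PL table. The B10d figures, operating profile, DC and CCF score are constructed sample values, not data for any real product.

```python
"""Simplified ISO 13849-1 performance level (PL) estimate for one channel.

Added example: the MTTFd formula, the MTTFd/DC bands and the category-to-PL
lookup follow the simplified procedure of ISO 13849-1 as understood by the
author of this example. All component figures are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Component:
    name: str
    b10d: Optional[float] = None         # cycles until 10 % have failed dangerously
    mttfd_years: Optional[float] = None  # MTTFd given directly (e.g. electronic part)


def nop_per_year(days_per_year: float, hours_per_day: float, cycle_seconds: float) -> float:
    """Mean operations per year: nop = d_op * h_op * 3600 / t_cycle."""
    return days_per_year * hours_per_day * 3600.0 / cycle_seconds


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd in years for an electromechanical part: MTTFd = B10d / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def channel_mttfd(parts: List[Component], nop: float, cap_years: float = 100.0) -> float:
    """Series combination of one channel: 1/MTTFd = sum(1/MTTFd_i), capped at 100 years
    (the 2006 edition's limit; the 2015 revision allows more for category 4)."""
    inverse_sum = 0.0
    for part in parts:
        if part.mttfd_years is not None:
            mttfd = part.mttfd_years
        elif part.b10d is not None:
            mttfd = mttfd_from_b10d(part.b10d, nop)
        else:
            raise ValueError(f"{part.name}: need either B10d or MTTFd")
        inverse_sum += 1.0 / mttfd
    return min(1.0 / inverse_sum, cap_years)


def mttfd_band(mttfd: float) -> Optional[str]:
    """ISO 13849-1 bands: low 3-10 y, medium 10-30 y, high 30-100 y; below 3 y is not usable."""
    if mttfd < 3:
        return None
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def dc_band(dc_avg: float) -> str:
    """Average diagnostic coverage bands: none <60 %, low 60-90 %, medium 90-99 %, high >=99 %."""
    if dc_avg < 0.60:
        return "none"
    if dc_avg < 0.90:
        return "low"
    if dc_avg < 0.99:
        return "medium"
    return "high"


# Simplified table: (category, DC band) -> MTTFd band -> PL. Missing combinations
# (e.g. category 1 with low MTTFd) are not covered by the simplified procedure.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def performance_level(category: str, mttfd: float, dc_avg: float, ccf_score: int) -> Optional[str]:
    """Return the PL ('a'..'e') or None when the combination is not covered.
    Categories 2, 3 and 4 additionally require a CCF checklist score of at least 65."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None
    band = mttfd_band(mttfd)
    row = PL_TABLE.get((category, dc_band(dc_avg)))
    if band is None or row is None:
        return None
    return row[band]


def estimate_example():
    """Constructed sample: guard interlock switch, safety relay and contactor in one channel,
    machine run 220 days/year, 16 h/day, one cycle per minute; category 3, DCavg 90 %, CCF 70."""
    nop = nop_per_year(220, 16, 60)                       # 211,200 operations per year
    parts = [
        Component("interlock switch", b10d=2_000_000),   # constructed B10d
        Component("safety relay", b10d=2_000_000),       # constructed B10d
        Component("contactor", b10d=1_300_000),          # constructed B10d
    ]
    mttfd = channel_mttfd(parts, nop)                     # about 26.8 years -> "medium"
    return mttfd, performance_level("3", mttfd, 0.90, 70)


if __name__ == "__main__":
    years, pl = estimate_example()
    print(f"channel MTTFd = {years:.1f} years, PL = {pl}")
```

The point the example makes is the one the article returns to later: the answer is only as good as the B10d values and the operating profile fed in, and a single slow component (here the contactor) pulls the whole channel's MTTFd from the "high" band into "medium", which changes the resulting PL.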
After being postponed for 3 years – due mostly to pushback from European manufacturers – ISO 13849-1 predecessor EN 954-1 was withdrawn, and EN ISO 13849-1 was recognized as the primary means to provide presumption of conformity to the Machinery Directive 2006/42/EC for the safety-related parts of control systems. This has reduced confusion by providing a single standard to follow for the CE mark.
A big ISO 13849-1 advantage is that it allows designers to "fine-tune" safety circuits according to the level of risk, potentially resulting in lower installed costs. Furthermore, designers are better able to document and justify the component choices used in their application. This can be crucial if questions are raised about how the safety system was implemented.
ISO 13849-1 does an excellent job highlighting design considerations that make a "safe" control circuit (especially ones that often are overlooked). The methodology removes some gray area that historically has existed in determining the "level of safety" a circuit/system can provide. Additionally, it can be applied to fluid power and electromechanical devices for a complete system evaluation.
While the calculations can be overwhelming, free Sistema software and tutorials are available from the IFA, the institute for research and testing of the German Social Accident Insurance. The standard is well supported by safety device suppliers and carries both ISO credibility and the EU "stamp of approval."
For those complying with U.S. Control Reliability requirements, two important American safety standards, ANSI B11.19 (2010) covering safeguarding and ANSI/RIA R15.06 (2012) addressing robot safety, have provided guidance for correlating categories and PLs. ANSI B11.19 states, "While the requirements of control reliability are not directly comparable to the requirements of ISO 13849-1 … complying with Category 3 or 4 and/or Performance Level "d" or "e," at a minimum, will satisfy the requirements of control reliability."
The methodology is based on statistics used in the process industry for years under IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety; Part 1 through 7). Every component affecting the safety-related part of the control system needs to be included in the calculations. This includes the sensors, safeguarding devices, control logic and the actuators that actually cause the hazards.
Difficulty in implementation was one reason for postponing the EN 954-1 withdrawal for 3 years. A letter dated July 30, 2009 from the CEN working group to the European Commission stated, "Compared to EN 954-1 (following a deterministic approach), EN ISO 13849-1 [is] based on a probabilistic approach and is therefore much more complex."
The writers of ISO 13849-1 realized the statistical analysis could become overly burdensome, and they incorporated a simplified approach. The problem with the "simplified approach" is it generally results in conservative output and somewhat negates the advantage of being able to fine-tune safety circuits.
"Breaking out safety functions is a huge advantage and allows a holistic approach to the entire system," says Alan Metelsky (chief controls engineer at the Gleason Works). He not only has applied ISO 13849-1 to his company's machines, but also provides training to less-experienced manufacturers.
He goes on to say, "Unfortunately, this also creates significant difficulties. Analyzing sub-functions becomes problematic and quickly branches into complex calculations that even the Sistema and other third-party software have trouble supporting." The issues are compounded, he adds, when addressing mechanical elements of the system: "There is no simple way to evaluate the MTTFd of a coupling or bracket, and a fault-exclusion 'hand wave' to dismiss the issue is unacceptable."
One of the often-stated ISO 13849-1 concerns is that U.S. companies will experience an undue economic burden, especially companies not required to comply with ISO/IEC or CE requirements. The time, resources and legal ramifications may result in many "mom & pop" shops closing their doors if they are forced to implement this methodology.
Alan Metelsky says his most recent experience applying ISO 13849-1 to a fairly complex machine required more than 90 hours of documentation and analysis, yet resulted in no significant changes to the machine's current safety system. The effort to streamline the documentation required by ISO 13849-1 has cost his company hundreds of thousands of dollars. Small businesses cannot absorb those costs with little or no return on investment "just to prove that what we are already doing is okay," he says.
Acquiring the data required to fully implement ISO 13849-1 also is difficult because it either does not exist, is incomplete or is somewhat confusing. With the assumptions needed to complete the analysis, inaccurate data amplifies the accuracy problems; junk in equals junk out. As with all statistical analysis, inputs determine the output; if the input is incorrect – or worse, manipulated – appropriate levels of risk reduction will not be achieved. While this situation is improving, designers are forced to use the conservative estimates within ISO 13849-1 and -2.
The advantage of eliminating EN 954-1, and thus following one standard, is tenuous at best. The possibility of merging ISO 13849-1 and IEC 62061 (Functional Safety of Safety-Related Electrical, Electronic and Programmable Electronic Control Systems) is causing confusion about what the near future may hold. ISO/IEC Joint Working Group 1 is dealing with the merger and is charged to have a determination (or possibly a new standard) by a 2016 target date.
As with any situation involving change, there will be confusion and the opportunity for some to take advantage. Beware of false statements such as, "ISO 13849-1 is mandated."
Generally in the United States, OSHA regulations and ANSI-recognized safety standards like ANSI B11.0 (General Requirements and Risk Assessment) and ANSI B11.19 (Performance Criteria for Safeguarding) have the greatest impact on machine safety. Even if ISO 13849-1 is adopted as an ANSI standard, its use would not be mandated.
Even in countries governed by the machinery directive requiring the CE mark, ISO 13849-1 is not the only means to prove conformity to the essential health and safety requirements. Other standards exist, such as IEC 61508 and IEC 62061. The machinery directive even allows for other "technical solutions."
As stated on the European Commission's web site, "…The use of harmonised standards remains voluntary and manufacturers can choose whether or not to follow a harmonised standard to manufacture their products. Manufacturers may thus use other technical solutions providing for an equivalent level of safety. In that case, they must be able to prove that their products are in conformity with the mandatory essential health and safety requirements, taking due account of the state of the art."
A Possible Alternate Solution
ISO 13849-1 attempts to mitigate the impact of increasingly complex safety devices and safety solutions within the factory automation environment. There is another possible "solution" that uses technology to reduce the complexity and the number of calculations: safety controllers and safety PLCs.
While the ISO 13849-1 "good" elements, such as the holistic approach and the design considerations, should not be overlooked, safety controller manufacturers will provide guidance on the category and performance level of each type of input and output hookup. This potentially allows the designer to short-cut the ISO 13849-1 statistical analysis by declaring that this "technical solution" meets the required risk reduction, simply by following the technical documentation of the safety controller.
If there are problems with control circuit reliability, ISO 13849-1 can help solve them and can be used to achieve CE requirements. However, a big-picture understanding of resources required and return on investment is recommended before undertaking ISO 13849-1 implementation. While it can be a powerful risk assessment tool, too much time and effort spent trying to manage its complexity may limit the time and effort spent focusing on properly safeguarding hazards.
Mike Carlson is safety products marketing manager for Banner Engineering.