By Ellen Fussell Policastro
In the global world of certification, standards committees are changing their philosophy. They don’t want to reinvent the wheel anymore, so they’re referencing parent standards to make general points in industry-specific child standards.
So, if you’re designing a product, shoot for the International Electrotechnical Commission (IEC) standards.
That was the message from Paul Silva, team leader at TUV Rheinland of North America, Inc., in Wednesday’s Siemens-hosted webinar, “Designing a safety control system: which standards to look for to achieve compliance in Europe and North America.” As an expert in functional safety in hazardous locations, Silva advises clients about how to navigate the regulatory world, and he stresses the importance of understanding how functional safety ties into the standards. It’s crucial to bring functional safety in at the beginning of a design and not wait until the end, he said.
“With today’s complex systems, more people are looking at the system as a whole and thinking about how to reduce risk of the complete system and not just the pieces. Today we’re using some standards to follow as a general reference, as in a parent-child relationship.” One such standard is IEC-61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).
Single-point vs. complete system standards
In the past most safety standards were written as single-point standards — written for single applications, such as interlocking and controllers. They were not reviewed overall as a complete safety system. The automotive industry is one that followed single-point standards with no interaction between them; they were specific for the markets to which they were being applied, Silva said. “If your PLC was going into a hazardous location, all you needed were barriers. You just needed to keep that energy in the location. That’s great when it’s low-complex systems and components. But over time, the systems have grown more complex.” So if you’re using microcontrollers and diagnostics, take a more quantitative approach and contemplate overall risk, Silva said. Think about how to reduce that risk so the product doesn’t fail dangerous. The automotive standards give you specific requirements, and the general requirements reference IEC-61508.
Another example is the machinery standards — ISO-13849, Safety of Machinery, or in the U.S., NFPA-79, Electrical Standard for Industrial Machinery. It’s the same with hazardous locations (gas detectors and performance), which are referenced in IEC-60079-29-1, Explosive atmospheres – Part 29-1: Gas detectors – Performance requirements of detectors for flammable gases. They all go back to IEC-61508 ultimately. “This is important when you’re designing the product; you need to understand the requirements so you’re not surprised when it doesn’t pass certification,” he said.
The one issue you must remember with IEC-61508 is it’s not harmonized worldwide. “So certifying to IEC-61508 on its own does not show compliance to any European directives. The child standard that refers to IEC-61508 is part of the directive structure that allows you to show proof of compliance,” he said. “If you’re going into the industrial machinery world, you must certify to ISO-13849. It’s the same with other industries. You need to understand that relationship so you can be legally compliant.”
Functional safety is an overview of the complete safety of a piece of equipment. “So when you look at the design of a product, you take into consideration the complete safety function. With EN-954 for the industrial machinery industry, when you designed that product, you designed it based on components. If everything was a Category 4, then everything was Category 4 with IEC-61508,” Silva said.
That’s not the case when you’re designing a safety function; you design around the whole safety loop, but the problem comes when you look at SIL levels; those levels are all dictated for the safety function. “The SIL is not a measure of how safe you are. It’s about how many times your product will fail dangerous per hour,” he said. “So even if you go to a bigger piece of machinery, it doesn’t matter if you have 100 or 1,000 sensors, that SIL 3 band does not change. You need to be cognizant of that when designing the system up front.”
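To make the point above concrete, here is an added example (not from the webinar or from TUV Rheinland) that checks a safety function’s combined dangerous failure rate against the IEC 61508 high-demand PFH bands: the band is fixed, so the more elements the loop contains, the smaller each one’s failure budget becomes. The single-channel series model and the component failure rates are assumptions.

```python
"""Added example: SIL band check for a safety function's dangerous
failure rate (PFH, dangerous failures per hour, high-demand mode).

Assumptions: a single-channel (1oo1) loop whose elements fail
independently, so the loop rate is the sum of the element rates;
the component rates below are constructed sample values.
"""

# IEC 61508-1 PFH bands per SIL for high-demand/continuous mode:
# (SIL, lower bound inclusive, upper bound exclusive), per hour.
PFH_BANDS = [
    (4, 1e-9, 1e-8),
    (3, 1e-8, 1e-7),
    (2, 1e-7, 1e-6),
    (1, 1e-6, 1e-5),
]


def sil_from_pfh(pfh):
    """Return the SIL a PFH qualifies for, or 0 if worse than SIL 1."""
    if pfh < 1e-9:
        return 4  # below the SIL 4 band still satisfies SIL 4
    for sil, low, high in PFH_BANDS:
        if low <= pfh < high:
            return sil
    return 0


def loop_pfh(lambda_d_per_hour):
    """Combined dangerous failure rate of a series (1oo1) loop."""
    return sum(lambda_d_per_hour)


def loop_meets_sil(lambda_d_per_hour, target_sil):
    """True if the whole safety function sits inside the target band."""
    return sil_from_pfh(loop_pfh(lambda_d_per_hour)) >= target_sil


# Constructed sample rates (dangerous failures per hour).
SENSOR = 3e-8   # one process sensor
LOGIC = 5e-9    # safety logic solver
VALVE = 2e-8    # final element

if __name__ == "__main__":
    small = [SENSOR, LOGIC, VALVE]
    print(loop_pfh(small), sil_from_pfh(loop_pfh(small)))  # SIL 3
    # Same safety function with 100 sensors: the band does not
    # move, but the loop's combined rate drops it to SIL 1.
    big = [SENSOR] * 100 + [LOGIC, VALVE]
    print(loop_pfh(big), sil_from_pfh(loop_pfh(big)))      # SIL 1
```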
These are all features of the IEC-61508 parent-child relationship. “As such the standard is application-independent,” he said. “The children standards that tie into IEC-61508 are what make it industry-specific.”
“When you do an assessment of IEC-61508, you do it from beginning to end, looking at it as a product designer and thinking, ‘What do I need to put into this?’ You have to design IEC-61508 into your product; you can’t add it as pieces later.” Meeting SIL requirements means designing your product with a functional safety system and having a quality management system in place. “Failing to do this will place a big burden on your company.”
Quality measures represent the biggest portion of system failures. “People don’t understand what they’re supposed to do. So they misinterpret test data that cause the product to fail in the field,” he said. The objective is to close that loop so you can control the failures and install systems to deal with random failures only.
Since IEC-61508 is not specific to an industry or technology, you can adapt it to the state of the art of what’s out there today. “It’s a risk-based system – a complete lifecycle model, and it reduces delays during development and product launch.”
If you understand IEC-61508, you understand all other standards. “If there’s an application and a microprocessor involved, almost every industry-specific standard calls out IEC-61508 — gas detectors, pressure transmitters, PLCs, SCADA computers, valves — anything that has a complex system, this would be relative to it.”
In a certification process, when you’re doing an IEC-61508 assessment, or it’s included in one of the children assessments, you have to do it as early as possible, Silva said.
Phase 1 includes concept and gap assessments, which are basically the same thing, except “in the concept assessment, you’re dealing with a brand new product. A gap assessment deals with a legacy product. During this assessment, there’s a review of quality and the product’s architecture — whether the product will meet requirements,” he said.
“In the main assessment, we review everything — manuals, hardware and actual implementation, the safety function, the design, failure modes and effects, and the calculation of a safety parameter.” And based on all of that comes the full-concession test, which determines if the measures you implemented actually do what they’re supposed to do. “If you tell us there will be diagnostics, we’ll assess that,” he said. “On the software side, we’ll review your code at the code level. We’ll review your test results and your integration testing. And in the final step, you’ll get a certification.”
“In a certification, we’ll review from the concept level all the way down,” he said. That’s why it’s so important to get the team involved as early as possible. Don’t bring them in at the end and find out you haven’t met diagnostics or you have the wrong structure in place. “It’s not pleasant when you’re designing a transmitter or robot, and you find out, oh, by the way, you have to put a second safety sensor in.”
Ellen Fussell Policastro is a freelance writer based in Raleigh, NC.