What Goes Into Your Machinery’s CE Mark?
Directive 2006/42/EC is a revised version of the Machinery Directive, the first version of which was adopted in 1989. The new Machinery Directive has been applicable since December 29, 2009. The Directive has the dual aim of harmonizing the health and safety requirements applicable to machinery, on the basis of a high level of protection of health and safety, while ensuring the free circulation of machinery on the European Union (EU) market. “Functional safety has been around for some time, but it has been really substantiated in the new Machinery Directive,” says Joseph Lenner, senior functional safety engineer at TÜV Rheinland of North America.
The Directive is a legal document and national law in all member states of the EU. In order to place equipment on the EU market, it must be CE-marked, a Declaration of Conformity (DOC) must be drafted, and the DOC must cite the Machinery Directive. “Put simply, the Directive provides the essential requirements that must be followed to establish safety for the environment, equipment, operators, and maintenance personnel,” says Lenner.
The CE marking is a mandatory conformity indication for products placed on the market in the European Economic Area. With it, the manufacturer declares that the product conforms to the essential requirements of the applicable EC directives. Legally, the CE marking is not considered a quality mark.
According to Lenner, the easiest way to show conformity to the mark and compliance with the Machinery Directive is to follow standards that are harmonized with the Directive. Many international standards are applied in industry, but only some are harmonized. Harmonized standards are standards on the same subject, approved by different standardizing bodies, that establish the interchangeability of products, processes, and services, or that provide a mutual understanding of test results or of information supplied according to those standards.
The three principal functional safety standards are IEC 61508, EN-ISO 13849, and EN 62061. “If you’re trying to show compliance with the Machinery Directive, using IEC 61508, which is the core functional safety standard, is not necessarily the prime way to do it,” says Lenner. That standard is not harmonized for the Machinery Directive; EN-ISO 13849 and EN 62061 are.
Both of the latter standards are targeted at manufacturers and integrators. EN 62061 is focused on programmable electronic systems and electrical systems. EN-ISO 13849 has a much broader scope that includes mechanical, hydraulic and pneumatic systems, as well as electrical and electronic systems. “If you are designing a product, IEC 61508 is a good standard to start with, as it can be mapped to the other two, or even into process industry standards if needed,” says Lenner.
IEC 61508-4 defines functional safety as the part of the overall safety relating to the equipment under control (EUC) and the EUC control system that depends on the correct functioning of the electrical, electronic, and programmable electronic (E/E/PES) safety-related systems, other technology safety-related systems, and external risk reduction facilities. Though the scope of IEC 61508 is E/E/PES systems, it is a horizontal standard and can be applied to a host of applications, not just industrial ones.
A system is considered functionally safe if its random, systematic, and common cause faults do not lead to a malfunctioning of the safety system and do not result in injury or death of humans, pollution of the environment, or loss of equipment or production. “System” refers to the overall device; for example, a sensor, logic and actuator. Subsystems include elements such as two sensors wired in parallel.
“Essentially, functional safety ensures that the safety function of a device or control system is guaranteed both under normal conditions and in the presence of faults,” explains Lenner. “Key here is the safety function, which is the function of a safety-related system designed to reduce the risk in an application with the objective of achieving or keeping a safe state. The safety function is always related to a safety loop (e.g., sensor-logic-actuator), not to a component or device. It is always a complete function; it is never just a portion of the function.”
IEC 61508: The Core Safety Standard
IEC 61508 is the international standard for electrical, electronic, and programmable electronic safety-related systems. It sets out the requirements for ensuring that systems are designed, implemented, operated, and maintained to provide the required safety integrity level (SIL). Four SILs are defined according to the risks involved in the system application, with SIL4 being used to protect against the highest risks. The standard specifies a process that can be followed by all links in the supply chain so that information about the system can be communicated using common terminology and system parameters. The standard is:
- A basic standard
- Valid and usable for safety-related components and complex systems (predominantly systems, but it can also be adapted to components such as combustible gas detectors)
- Referenced by different application standards, including EN-ISO 13849 and EN 62061
- Application independent
- Risk oriented
- Focused on measures for fault avoidance
- A bearer of complete documentation of applied quality management (QM) measures
- Lifecycle oriented
Requirements of the standard include avoidance of systematic faults, control of systematic faults and their effects (e.g., through diversity and redundancy), and control of random faults. It has quantitative requirements regarding the probability of dangerous failure, and is considered state-of-the-art in good engineering practice concerning fault avoidance, control of faults, and documentation for products and systems.
The standard has seven parts; the first four are normative (General Requirements, Hardware Requirements for E/E/PES, Software Requirements, and Definitions and Abbreviations), while the final three are informative (Examples of Methods for the Determination of SIL, Guidelines on the Application of Parts 2 and 3 of the Standard, and Overview of Techniques and Measures). It employs the V-model of development to simplify the understanding of complexity associated with developing systems and to define a uniform procedure for product or project development.
The “V” represents the sequence of steps in a project life cycle. It describes the activities to be performed and the results that have to be produced during product development. The left side of the V represents the decomposition of requirements and the creation of system specifications. The right side of the V represents the integration of parts and their validation. “This isn’t a waterfall model,” notes Lenner. “There are design controls and validation at each step, assuring that what was implemented is what was tested.”
A key metric used in IEC 61508 is the safe failure fraction (SFF), which is the sum of all detected faults divided by the sum of all faults. “This is extremely important because it is one of the drivers for hardware fault tolerance,” says Lenner. The hardware fault tolerance can be derived from the SFF, or one can choose a hardware fault tolerance and try to meet it; which route applies depends on the safety integrity level being designed to.
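The relationship between SFF, hardware fault tolerance and the claimable SIL, as an added worked example that is not from the article: it uses the IEC 61508-2 definition of SFF, in which safe failures and detected dangerous failures both count in the numerator, and the route 1H tables of that standard; the failure rates are constructed sample values.

```python
# Added example (not from the article): compute the safe failure fraction
# (SFF) of one element and read off the IEC 61508-2 "route 1H" architectural
# constraint, i.e. the highest SIL claimable for a given hardware fault
# tolerance (HFT). Failure rates are constructed sample values in FIT
# (failures per 1e9 hours); only their ratio matters for SFF.

def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (safe + dangerous-detected) / (all failures), as IEC 61508-2 defines it."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_s + lambda_dd) / total

def sff_band(sff):
    """Index of the SFF band used by the route 1H tables: <60%, 60-90%, 90-99%, >=99%."""
    if sff < 0.60:
        return 0
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3

# Maximum SIL per (band, HFT) for type A elements (simple, well-understood
# failure modes) and type B elements (complex, e.g. microprocessor based),
# IEC 61508-2 Tables 2 and 3. 0 means the element is not allowed at that HFT.
MAX_SIL = {
    "A": ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4)),
    "B": ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4)),
}

def max_sil(sff, hft, element_type="B"):
    """Highest SIL the architectural constraint permits for this SFF and HFT."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    return MAX_SIL[element_type][sff_band(sff)][hft]

def required_hft(target_sil, sff, element_type="B"):
    """Smallest HFT that reaches target_sil, or None if even HFT 2 falls short."""
    for hft in (0, 1, 2):
        if max_sil(sff, hft, element_type) >= target_sil:
            return hft
    return None

if __name__ == "__main__":
    # Constructed element: 600 FIT safe, 250 FIT dangerous detected, 150 FIT dangerous undetected.
    sff = safe_failure_fraction(600, 250, 150)   # 0.85 -> 60-90% band
    print(f"SFF = {sff:.0%}, max SIL at HFT 0 (type B) = {max_sil(sff, 0)}")
    print(f"HFT needed for SIL 3 (type B): {required_hft(3, sff)}")
```

Note that the architectural constraint only caps the SIL; the probabilistic target (PFH or PFDavg) must be met separately.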
Other key metrics are the probability of dangerous failure per hour (PFH) and the average probability of dangerous failure on demand (PFDAV). PFH is used for high demand or continuous mode of operation. High demand mode applies when the safety function is performed only on demand, in order to transfer the EUC into a specified safe state, and the frequency of demands is greater than one per year. In automated machinery, for example, demands may come hourly.
PFDAV is used in low demand mode, which applies when the safety function is performed only on demand and the frequency of demands is no greater than one per year. A reactor in a process plant, for example, may not require the safety function to be exercised in a year. According to IEC 61508, the PFDAV must be guaranteed over the life of the system.
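The choice between PFH and PFDAV described in the last two paragraphs, as an added example that is not from the article: it picks the demand mode from the demand rate, applies the simplified single-channel (1oo1) formulas of IEC 61508-6 and reads the SIL band from the target failure measure tables of IEC 61508-1; all numeric inputs are constructed.

```python
# Added example (not from the article): pick the IEC 61508 demand mode from
# the demand rate, compute the matching target failure measure for a single
# channel (1oo1) and read the SIL band from IEC 61508-1 Tables 2 and 3.
# The 1oo1 formulas are the simplified ones of IEC 61508-6
# (PFDavg ~= lambda_DU * T1 / 2, PFH ~= lambda_DU); inputs are constructed.

HOURS_PER_YEAR = 8760

# SIL -> [lower, upper) band. PFDavg is dimensionless; PFH is per hour.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

def demand_mode(demands_per_year, continuous=False):
    """Low demand: at most one demand per year; otherwise high demand; or continuous."""
    if continuous:
        return "continuous"
    return "high" if demands_per_year > 1 else "low"

def pfd_avg_1oo1(lambda_du, proof_test_interval_h):
    """Average PFD of one channel with undetected dangerous rate lambda_du (per hour)."""
    return lambda_du * proof_test_interval_h / 2

def pfh_1oo1(lambda_du):
    """For a single channel the PFH is essentially its undetected dangerous failure rate."""
    return lambda_du

def sil_from_measure(value, bands):
    """SIL whose band contains value; 0 if worse than SIL 1, 4 if better than SIL 4."""
    for sil in (4, 3, 2, 1):
        lo, hi = bands[sil]
        if lo <= value < hi:
            return sil
    return 4 if value < bands[4][0] else 0

def assess(lambda_du, proof_test_interval_h, demands_per_year, continuous=False):
    """Return (mode, measure name, measure value, SIL) for a 1oo1 safety function."""
    mode = demand_mode(demands_per_year, continuous)
    if mode == "low":
        pfd = pfd_avg_1oo1(lambda_du, proof_test_interval_h)
        return mode, "PFDavg", pfd, sil_from_measure(pfd, PFD_BANDS)
    pfh = pfh_1oo1(lambda_du)
    return mode, "PFH", pfh, sil_from_measure(pfh, PFH_BANDS)

if __name__ == "__main__":
    # Same constructed channel (200 FIT undetected dangerous, yearly proof test)
    # in a process-plant trip (one demand in two years) and on a machine (hourly demands).
    print(assess(2e-7, HOURS_PER_YEAR, 0.5))            # low demand, PFDavg 8.76e-4 -> SIL 3
    print(assess(2e-7, HOURS_PER_YEAR, HOURS_PER_YEAR))  # high demand, PFH 2e-7 -> SIL 2
```

The same hardware lands in different SIL bands depending on the mode, which is why the mode has to be fixed before any probabilistic claim is made.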
EN 62061 and EN-ISO 13849
EN 62061 is basically a specialization of IEC 61508. According to Lenner, it is much the same as this standard. It specifies requirements and makes recommendations for the design, integration, and validation of safety-related electrical, electronic, and programmable electronic control systems for machines. It is applicable to control systems used (either singly or in combination) to carry out safety-related control functions on machines that are not portable by hand while working, including a group of machines working together in a coordinated manner.
In EN 62061, safety integrity level 4 is not considered. Rather, it defines a mapping to EN-ISO 13849 and also gives environmental requirements for industrial applications. “EN 62061 is compatible with EN-ISO 13849, and like that standard it provides a path to compliance for the Machinery Directive,” says Lenner. “It covers complex programmable electronics and complex software, and provides fault models for electronic components.”
EN-ISO 13849 is the broad functional safety standard. Lenner emphasizes three points about it:
- It applies to safety-related controls and safeguarding devices for all kinds of machines, independent of the technology and energy used.
- For products with embedded software or programmable logic it refers to IEC 61508; therefore, it is not applicable to safety products with complex, programmable logic.
- It applies only if the architecture corresponds to one of the designated architectures in the standard.
Rather than SILs, EN-ISO 13849 has performance levels (PL). These can be mapped to SILs, but they are not identical. Those designing with this standard must conduct risk analysis to determine the safety functions. For each safety function, the PL must be determined to design the safety-related process control system.
“EN-ISO 13849 replaces the old standard EN 954,” says Lenner. “You cannot use EN 954 for compliance with the Machinery Directive, but the PLs defined in EN 954 live on in the new standard.”
PLB is the lowest level and PL4 is the highest. The ratings are defined as follows:
- PLB: compliant with the standard; employs basic safety principles; provides the specified function under the specified conditions; is not fail-safe.
- PL1: as above, plus employs well-tried components and safety principles; is not fail-safe.
- PL2: as above, plus employs well-tried safety principles and tests the function after power-on and at suitable intervals.
- PL3: as above, plus is safe against single faults and provides fault detection.
- PL4: as above, plus is safe against two faults in combination.
“EN-ISO 13849 added the acknowledgement of quality over time,” says Lenner. With this, mean time to dangerous failure (MTTFd) is the key metric. MTTFd is the average value of the operating time without dangerous failure in one channel. It is a statistical value only, and provides no guaranteed lifetime.
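How MTTFd is estimated for one channel and placed in the standard's bands, as an added example that is not from the article: it uses the B10d method of ISO 13849-1 Annex C for cycle-rated components and the low/medium/high bands of that standard; the contactor rating, duty and cycle time are constructed values.

```python
# Added example (not from the article): estimate MTTFd for one channel of a
# component rated by cycles, using the ISO 13849-1 Annex C method
# (MTTFd = B10d / (0.1 * nop)), and place it in the standard's low/medium/high
# bands. B10d, operating days/hours and cycle time below are constructed values.

SECONDS_PER_HOUR = 3600
HOURS_PER_YEAR = 8760

def operations_per_year(days_per_year, hours_per_day, cycle_time_s):
    """nop = dop * hop * 3600 / tcycle (ISO 13849-1, C.4.2)."""
    return days_per_year * hours_per_day * SECONDS_PER_HOUR / cycle_time_s

def mttfd_from_b10d(b10d, nop):
    """MTTFd in years; B10d is the cycle count at which 10% of units have failed dangerously."""
    return b10d / (0.1 * nop)

def mttfd_band(mttfd_years):
    """ISO 13849-1 Table 4: low 3..10, medium 10..30, high 30 years and above
    (the standard takes any value above 100 years as 100). Below 3 years the
    channel cannot be used, so None is returned."""
    if mttfd_years < 3:
        return None
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"

def mttfd_years_from_fit(lambda_d_fit):
    """Alternative route: MTTFd = 1 / lambda_D, with lambda_D in FIT (failures per 1e9 h)."""
    return 1e9 / (lambda_d_fit * HOURS_PER_YEAR)

if __name__ == "__main__":
    # Constructed contactor: B10d = 2,000,000 cycles, 365 d/yr, 16 h/d, one cycle per minute.
    nop = operations_per_year(365, 16, 60)        # 350,400 operations per year
    mttfd = mttfd_from_b10d(2_000_000, nop)       # about 57 years -> "high"
    print(f"nop={nop:.0f}/yr, MTTFd={mttfd:.1f} years, band={mttfd_band(mttfd)}")
```

As the article notes, the result is a statistical mean over a population, not a lifetime any single unit is guaranteed to reach.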
While IEC 61508 is assuredly a good standard to begin a design with, the key standards for compliance with the Machinery Directive are EN 62061 and EN-ISO 13849, because they have been harmonized. “Being harmonized to European standards is a significant advantage in meeting the requirements of the Machinery Directive,” says Lenner.