Functional safety is more than certified safety components
Written by: Mikael Peltonen, CMSE® Certified Machinery Safety Expert, HSE Engineer, Process Industries Finland
Functional safety refers to the risk reduction provided by safety-related systems in order to achieve a tolerable level of risk.
Functional safety is a concept applicable across all industry sectors. In addition to the reliability of safety-related components, it is vital to ensure that appropriate measures are in place against systematic failures and other qualitative aspects.
Before starting the design of safety-related systems, the tolerable risk level and the applicable risk assessment methods and standards need to be defined, in accordance with the company’s safety policy. The roles and responsibilities of the different parties should be defined for the entire system lifecycle, especially in multi-stakeholder projects.
It all begins from the risk assessment
Risks can be mitigated with various protective measures, such as inherent safe design measures, passive and active technical protective measures, and safe working practices. To achieve a tolerable level of risk, often a combination of these methods is required. Safety-related systems mitigate identified risks by implementing safety functions, designed to maintain and/or bring the machine or process to a safe state if the system detects a hazardous event. The risk assessment must also evaluate whether the implementation of the safety function poses other hazards.
As an example, a safety function can be a stop function triggered by an interlocked movable guard. If the guard is opened during hazardous operation, the safety function sends a stop command to the motor, so that the hazardous functions are stopped before a person can reach the hazardous area. The risk assessment should specify the relevant characteristics of the required functionality, including but not necessarily limited to:
- Triggering event
- Safety-related reaction
- Dangerous part of the machine
- Operating modes in which the function applies, where relevant
Once the need for a safety function with its characteristics has been identified in the risk assessment, the level of risk reduction required for the function must be determined. Functional safety is often associated with concepts called performance level (PL) and safety integrity level (SIL). Both are indeed relevant in the world of functional safety: safety functions provide risk reduction at a PL or SIL. These are discrete levels that describe the ability of safety-related parts to perform a safety function. The risk assessment must determine either a PL or SIL requirement for the safety function. The higher the PL or SIL requirement, the greater the risk reduction required from the system.
From the risk assessment to the realisation of safety functions
After the risk assessment is complete, the safety function design process starts with the creation of a specification document. This document serves as a framework in which the characteristics of the safety function are described in detail. The identified parts of the system implementing the safety function are also documented. For the safety function example mentioned earlier, the architecture of the safety function could look like the figure below:
In order for a safety function to meet its risk reduction objectives, it is essential to address both quantitative and qualitative aspects. Therefore, the safety function design process must consider both random hardware failures and systematic failures, including failures of safety-related software. This is essential even if the components performing the safety function are already PL or SIL certified by their manufacturers. The high reliability value of a limit switch alone is not sufficient if the component does not tolerate the conditions of the installation environment. A two-channel solution may require diverse hardware, where one channel uses a different technology than the other. The safety-related software development lifecycle must be plan-driven, which highlights the relevance of documentation. The importance of qualitative aspects should not be underestimated.
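To make the interlocked-guard example and the two-channel point concrete, here is an added illustration (constructed for this article, not AFRY's code or a certified implementation) of the logic a two-channel guard interlock needs: any open channel commands a stop, a disagreement between the channels lasting longer than a discrepancy time latches a fault in the safe state until a manual reset with the guard closed, and the required PL is read from the EN ISO 13849-1 risk graph (S, F, P parameters). The discrepancy time, the 500 ms default and the scan-based timing are assumptions.

```python
from dataclasses import dataclass

# EN ISO 13849-1 risk graph: S1/S2 severity, F1/F2 frequency or exposure,
# P1/P2 possibility of avoidance -> required performance level PLr a..e.
_RISK_GRAPH = {(1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
               (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e"}


def required_pl(severity: int, frequency: int, avoidance: int) -> str:
    """Return PLr for the given S, F, P values (each 1 or 2)."""
    return _RISK_GRAPH[(severity, frequency, avoidance)]


@dataclass
class TwoChannelInterlock:
    """Constructed model of a two-channel guard interlock with discrepancy monitoring.

    Channel A could be a positive-opening mechanical contact and channel B a
    non-contact sensor (diverse technology), so that one fault mode does not
    defeat both channels. True on a channel means 'guard closed' is being reported.
    """
    discrepancy_limit_ms: int = 500   # assumed: channels may disagree at most this long
    disagree_ms: int = 0              # accumulated disagreement time
    fault: bool = False               # latched safe state, needs manual reset

    def evaluate(self, ch_a_closed: bool, ch_b_closed: bool, dt_ms: int) -> bool:
        """Return True when the stop command must be active (safe state)."""
        if self.fault:
            return True                       # stay stopped until reset
        if ch_a_closed != ch_b_closed:
            # Channels normally disagree briefly while the guard is moving;
            # a longer disagreement indicates a stuck contact or wiring fault.
            self.disagree_ms += dt_ms
            if self.disagree_ms > self.discrepancy_limit_ms:
                self.fault = True
            return True                       # any open channel -> stop
        self.disagree_ms = 0
        return not (ch_a_closed and ch_b_closed)

    def reset(self, ch_a_closed: bool, ch_b_closed: bool) -> bool:
        """Manual reset: accepted only with the guard closed on both channels.
        Returns the fault state after the attempt."""
        if ch_a_closed and ch_b_closed:
            self.fault = False
            self.disagree_ms = 0
        return self.fault
```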
In addition to the design, great importance must be given to the verification and validation of safety functions, which are carried out by persons independent of the design. Verification shall be performed at every phase of the functional safety lifecycle and confirms that the safety functions meet the PL or SIL requirements as well as the other objectives set for the specific lifecycle phase. Validation is performed to demonstrate that the safety functions have been implemented in accordance with the safety requirements specification and are suitable for their intended use. Suitable methods for verification and validation activities include, among others, documentation reviews and testing.
Guidance for the design of safety functions
Both the machinery safety sector and the process safety sector have functional safety standards which can be followed to meet the safety-related system requirements. Either EN ISO 13849 parts 1 and 2 or IEC 62061 can be used in the machinery safety sector, while IEC 61511 is the primary functional safety standard for process safety. As illustrated in the figure below, both IEC 61511 and IEC 62061 are sector-specific implementations of IEC 61508, the generic functional safety standard.
Functional safety is part of the overall safety
It is important to remember that functional safety is one part of the overall safety of a machine or process. Thus, it is essential to bear in mind the connection between functional safety and risk assessment. The safety-related management system must include, among other things, a change management process, a drive for continuous improvement, and procedures for selecting competent organisations and persons. Like safety management in general, functional safety requires a top-down approach, with top management taking responsibility for the process and encouraging commitment at all levels of the organisation.
Our Functional Safety Services
Our certified safety experts with a technical background understand the features and functionalities of industrial processes, machinery and sites, which ensures the best competence in safety-related services. With the help of AFRY’s functional safety experts you can ensure the suitability and effectiveness of safety functions, and that functional safety processes comply with relevant standards, considering the whole functional safety lifecycle.
- Functional safety strategies and management plans
- Functional safety compliance and documentation
- Process and machinery safety risk assessments
- Design and development of other means of risk reduction
- Implementation procedures for safety-related systems (SRS)
- Safety integrity level (SIL) assessment (IEC 61508 / IEC 61511 / IEC 62061) and performance level (PL) determination (EN ISO 13849)
- Allocation of safety functions
- Safety requirement specification for the safety instrumented system (SIS)
- Design and engineering of safety instrumented system (SIS)
- Functional safety management in operations and maintenance
Contact our experts to find out more about how we can help you ensure that functional safety processes comply with relevant standards and that safety functions are suitable and effective.