Robin Carver, a machinery safety consultant and BSI committee member*, explains why he thinks that EN ISO 13849-1:2008 is confusing, contains errors and is of little practical use.
First, please do not get the impression that I am a Luddite; I am not a champion for EN 954-1, I applaud the principles of seamless risk assessment throughout a machine design and I appreciate the need to quantify reliability with "black box" type technology - but, as far as EN ISO 13849-1:2008 is concerned, I am concerned that we are wasting an opportunity to improve machinery safety. I meet many, many SMEs (small and medium-sized enterprises) and they are ALL very confused by this standard and an attitude towards it is developing that will result in the basic sound principles of safety integration - which I and many others like me have spent a long time instigating - being forgotten and people therefore getting hurt (or worse).
EN 954-1 called for the use of "well-tried components and well-tried safety principles", which it defined loosely as "widely used in the past with successful results in similar applications; or made and verified using principles which demonstrate its suitability and reliability for safety-related applications." This could have given rise to a range of 'Safety Rated' components, but it did not. EN ISO 13849 puts the onus on the already overstretched systems designer to prove and quantify the reliability of the safety products in a system, using reliability data that sometimes quote lifetimes so long that all credibility is lost.
An analysis of 'Diagnostic Coverage' and 'Common Cause Failure'
'Diagnostic Coverage' is the measure of the effectiveness of the diagnostics that components possess, to one degree or another, in order to detect their own failure. The standard does little to explain that this quality is useless unless the detection is communicated and acted upon correctly by the system as a whole - a failure that even the authors have made in their illustrative examples. Incredibly, Common Cause Failure, which covers system failures resulting from a single event, is quantified using a 'weakest link' style scoring process: score under 65 out of 100 and the system is rejected. However, arguably the most effective method of analysing Common Cause Failure - FMEA (failure modes and effects analysis) - rates only 5 points.
Categories and Architecture
Fortunately the authors did not dispense with the concept of Categories. Now called Architecture and acknowledged by the standard as a key characteristic, it does little to relate the effectiveness of fault detection in each Architecture to Diagnostic Coverage and, notably, the term 'well-tried components and principles' is reused. Interestingly, the standard notes that complex electronic components (such as PLCs, microprocessors, or application-specific integrated circuits) cannot be considered as equivalent to 'well tried' - which is a pity, as these newer technologies offer considerable benefits in many respects, so their use should be encouraged!
The trouble with 'Fault Exclusion'
Safety components do fail, mostly to a safe condition, but sometimes they fail in an unsafe way. Clearly, the standard assumes that component manufacturers are kept informed about failures and, moreover, acknowledge them. But in reality many failures are discarded, with little more than a verbal complaint to the sales representative during his or her next visit. Some of these are unsafe failures that could have had tragic consequences. Nevertheless, component manufacturers enjoy something called "fault exclusion," which includes what the component manufacturer may consider to be the technical improbability of occurrence of some faults. Based on such potentially unreliable feedback, many such improbabilities may be ill-judged. I know of at least one style of safety interlock, common to several manufacturers, which can - and does - fail to an unsafe condition, yet some manufacturers describe these as rare batch failures and invoke 'fault exclusion' status.
Too much maths?
Suffice it to say that Professor Stephen Hawking was warned that for every equation in his book, A Brief History of Time, the readership would be halved. The authors of EN ISO 13849-1 would have done well to heed this advice, as the quantity of maths required makes it far less likely that users will be rigorous in applying the standard.
A bad example
Now for a word of caution: Example B in Annex I of the standard is fundamentally wrong! It declares a Category 3 definition yet shows the classic mistakes made by a designer who has failed to comprehend the basics. It demonstrates what can be called 'stupid redundancy', in that a fault in the redundant circuit will go undetected because the redundancy masks the effectiveness of the diagnostic function - a common mistake in Category 3 and 4 systems.
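The masking effect described above can be shown with a small model. The following is an added illustration written for this page, not the standard's Example B and not any manufacturer's circuit: it assumes a constructed two-channel output (two contactors K1 and K2 in series, so the hazardous load runs only when both are closed), a dangerous 'welded contact' failure mode, and a constructed fault schedule in which K1 welds on the second demand and K2 on the third. Two diagnostic strategies are compared: one that only checks whether the combined load has dropped out when commanded off (the redundancy masks a single welded channel, so the fault is found only when the second channel also fails and the hazard already exists), and one that checks each channel's own contact against its own command (the first weld is caught on the next demand, while the other channel still provides protection).

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Contactor:
    """One channel of a constructed two-channel (series) output circuit."""
    name: str
    welded: bool = False   # dangerous fault: contacts cannot open on demand
    coil: bool = False     # what the safety logic commands (True = energise)

    def closed(self) -> bool:
        # A welded contact stays closed regardless of the coil command.
        return True if self.welded else self.coil


def load_energised(k1: Contactor, k2: Contactor) -> bool:
    """Contactors in series: the hazardous load runs only if both are closed."""
    return k1.closed() and k2.closed()


def monitor_output_only(k1: Contactor, k2: Contactor, command: bool) -> bool:
    """'Stupid redundancy' diagnostic: compare only the combined load state
    with the command. A single welded channel is masked by the other channel."""
    return load_energised(k1, k2) != command


def monitor_per_channel(k1: Contactor, k2: Contactor, command: bool) -> bool:
    """Per-channel diagnostic: check each contactor's own (mirror) contact
    against its own command, so a single welded channel is visible."""
    return any(k.closed() != command for k in (k1, k2))


Monitor = Callable[[Contactor, Contactor, bool], bool]

# Constructed fault schedule: demand cycle -> channels that weld at that cycle.
FAULT_SCHEDULE: Dict[int, Tuple[str, ...]] = {2: ("K1",), 3: ("K2",)}


def run_demands(monitor: Monitor,
                fault_schedule: Dict[int, Tuple[str, ...]],
                demands: int = 4) -> Tuple[Optional[int], Optional[int]]:
    """Apply repeated energise/stop demands, injecting welded faults per the
    schedule. Returns (cycle at which the diagnostic first flags a fault,
    cycle at which the load first stays energised despite a stop command);
    None where the event never happens. The run stops at the first flag
    (assumed lockout) or the first unsafe cycle."""
    k1, k2 = Contactor("K1"), Contactor("K2")
    channels = {"K1": k1, "K2": k2}
    detected_at: Optional[int] = None
    unsafe_at: Optional[int] = None
    for cycle in range(1, demands + 1):
        for name in fault_schedule.get(cycle, ()):
            channels[name].welded = True
        k1.coil = k2.coil = True          # energise the load
        k1.coil = k2.coil = False         # stop demand, e.g. guard opened
        unsafe = load_energised(k1, k2)
        flagged = monitor(k1, k2, False)
        if unsafe and unsafe_at is None:
            unsafe_at = cycle
        if flagged and detected_at is None:
            detected_at = cycle
        if flagged or unsafe:
            break
    return detected_at, unsafe_at


def compare_strategies() -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Run both diagnostic strategies against the same constructed fault schedule."""
    return {
        "output_only": run_demands(monitor_output_only, FAULT_SCHEDULE),
        "per_channel": run_demands(monitor_per_channel, FAULT_SCHEDULE),
    }


if __name__ == "__main__":
    for strategy, (detected, unsafe) in compare_strategies().items():
        print(f"{strategy:12s} fault detected at cycle {detected}, "
              f"unsafe condition at cycle {unsafe}")
```

With the output-only diagnostic the first weld on cycle 2 produces no discrepancy (K2 still opens, so the load drops out) and the fault is flagged only on cycle 3, the same cycle on which the load can no longer be stopped; the diagnostic has, in effect, zero coverage of the single-channel failure. With per-channel monitoring the weld is flagged on cycle 2, while the remaining channel still removes the hazard, which is the behaviour a Category 3 architecture is meant to provide.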
Who benefits from EN ISO 13849-1?
Organisations such as the IFA (the German equivalent of the UK's Health and Safety Executive, HSE) have found it necessary to develop a software utility called SISTEMA to ease the application of EN ISO 13849, and individual companies have followed suit with their own products. Marketing teams working for manufacturers of safety components have produced component data libraries in such a way as to 'lock' system designers into using their products. It could be argued, therefore, that manufacturers of safety components stand to gain more from the standard than those who need to be guided by it or, indeed, those who should be protected by it.
Will EN ISO 13849-1 make for a safer industry? I think not. In fact I think it may do the opposite. What is needed is guidance on the design fundamentals of safety-related parts of control systems that practical engineers can follow and apply correctly. If the authors of EN ISO 13849-1 made mistakes in the basics, what chance do system designers have?
While I agree that EN ISO 13849-1:2008 outperforms its predecessor, EN 954-1, it has the effect of allowing a 'tick box' mentality to prevail, where good engineering principles are discarded in favour of mathematics, formulas and lookup tables in order to satisfy the academic clauses of a standard.
It must be remembered that, arguably, 90 per cent of safety system designers are SMEs principally concerned with the design of the machine process. Like it or not, the safety systems take second place to the machine's ability to perform its function. In order that safety system designs are effective in protecting people, their principles and their associated guidelines for use must be readily understood and practicable. It is my opinion that EN ISO 13849-1 in its present form does not achieve this.
About the author
Robin Carver MIET MIntMC CMIOSH MIIRSM is the principal of Health & Safety Compliance Engineering, a safety systems design engineer, and a Chartered Health and Safety Practitioner with over 40 years' experience in the design and assessment of industrial machines. He provides machinery safety training courses, assists companies with the compliance and safety of machinery (CE Marking, and PUWER 98) and helps with the design, verification and validation of safety-related control systems. He is also a member of the BSI Safety of Machinery MCE/003 committee, assisting and contributing to the development of EN, ISO and IEC Standards.