But more severe failure poses a safety hazard to personnel. When products or applications are used for safety functions—for example a light curtain, a safety programmable logic controller (PLC), a safety network, a fire detection system or an Emergency Off (EMO) safety circuit—a failure to function can expose people and the surrounding environment to tremendous risks.

Programmable safety applications are now entering automation fields that had been previously reserved solely for conventional electromechanical technology. Enabling technologies, such as application specific integrated circuits (ASICs), microprocessors and intelligent sensors, transmitters and actuators, are increasingly being integrated into products and systems.

Does this mean an EMO shut down circuit or safety interlocks could now run through a Microsoft Windows 2000 operating system? The answer is: “Definitely not.”

The international standard IEC 61508, promulgated by the International Electrotechnical Commission, defines types of programmable safety applications and describes all the necessary and essential design requirements. IEC 61508 covers functional safety of safety-related systems that use electrical and/or electronic and/or programmable electronic (E/E/PE) technologies. The standard applies to these systems irrespective of their application. An E/E/PE safety-related system covers all parts of the system that are necessary to carry out the safety function—from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator. The standard is generic, and applies to any safety-related control system and component.

Safety Integrity Level (SIL)

Safety function requirements are derived from the hazard analysis, and the safety integrity requirements are derived from a risk assessment. The higher the level of safety integrity, the lower the likelihood of a dangerous failure. The concept of Safety Integrity Levels (SIL), introduced in IEC 61508, is a concept of classes of safety requirements for components, modules, subsystems or functions. The SIL indicates target failure measures for the safety function of an E/E/PE system. This method obtains Markov models for probabilistic calculations that make it possible to determine the accurate SIL level.

In North America, the U.S. Occupational Safety and Health Administration (OSHA) is about to endorse the new ANSI/ISA-84.00.01:2004, Application of Safety Instrumented Systems for the Process Industries, as a “national consensus standard” for the application of safety instrumented systems (SIS) for process industries. Formerly known as ANSI/ISA S84.01:96, ANSI/ISA 84.00.01:2004 covers electrical, electronic, and programmable electronic technology, and follows the Safety Life Cycle, similar to IEC 61511. The standard, adopted jointly by the American National Standards Institute and the Instrumentation, Systems and Automation Society, is intended for those who are involved with design and manufacture, installation, commissioning, and pre-startup acceptance testing of SIS products, as well as their operation, maintenance, documentation and testing.

Safety in programmable applications, if designed and implemented in the right way, could be more reliable than traditional hard-wired safety circuits. And IEC 61508 is the tool to guide you through the essential requirements. Benefits such as reduced wiring, comprehensive diagnostic possibilities, increased flexibility and a higher lever of safety from the use of standard logic controls can now also be applied for safety related applications.

Andreas Eberhard, aeberhard@us.tuv.com, is Head of the Automation Division at TUV Rheinland of North America, in Pleasanton, Calif.