No automation professional wants to see a production facility engulfed in flames or reduced to rubble. To avoid seeing such scenes on television, most take great care to ensure that their facilities remain safe. Even so, many confess that they are behind in implementing the latest safety standards. The profusion of these standards and their revisions over the last decade has left them a bit bewildered about where to start.
Perhaps the best place to embark upon this journey is IEC 61508, a safety standard promulgated by the International Electrotechnical Commission in Geneva. When Automation World asked experts for help in making sense of the important safety standards, just about all of them started here. Their reasoning was that it is the generic functional safety standard that provides the framework for building the other industry-specific functional standards that have been proliferating.
IEC 61508 can seem confusing at first, because its underlying philosophy is new for safety standards. Older, more conventional safety standards were prescriptive, meaning that they stipulated specific rules and specifications for making processes safe. IEC 61508 and its derivative standards, however, departed from this prescriptive approach and are more functional, or performance-based.
The standard exploits two fundamental principles, safety lifecycles and probabilistic failure analysis. Unlike previous standards that purported to cover the entire lifecycle of a project, IEC 61508 actually does—from project conception to maintenance to decommissioning, according to Bill Goble, managing director of exida.com LLC, a safety-consulting firm based in Sellersville, Pa.
Even so, Goble thinks that the term “safety lifecycle” is a misnomer. “It’s really a detailed engineering process created to prevent mistakes in design,” he says. “It’s complex, but it provides the detail and flexibility that people really need.”
An example of this detail is the process for software engineering. “It describes conceptually the various steps and their requirements in terms of documentation, testing and reviews,” says Goble. Besides probably being the most detailed part of the standard, it represents another change in thinking from the days when safety meant hardwired systems.
This change in thinking reflects the realities of today’s processes. Industrial automation contains a level of embedded systems that was unexpected even a decade ago, adding complexity to the base of control code in today’s automation. “Systems developers needed more guidance on what measures and techniques are appropriate,” notes Tom Erkkinen, product manager for certification products at software supplier MathWorks, in Natick, Mass. For this reason, his company’s tools for designing embedded software support the process specified in IEC 61508.
The other fundamental principle, probabilistic analysis, relies on the empirically predetermined chance that each component in a safety system either will or will not perform its function. Users then apply probabilistic models to these failure rates to generate a set of metrics for a system. These metrics focus the attention of safety engineers on the weak links to bring them to the appropriate safety integrity level (SIL).
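As an added illustration of the probabilistic principle just described (this is example code written for this edit, not material from the article or from any vendor quoted in it), the following Python block walks a simple safety instrumented function through the analysis: each subsystem in the sensor-to-actuator chain is assigned a dangerous undetected failure rate, a simplified low-demand PFDavg is computed for each, the contributions are summed, the total is mapped to a SIL band, and the largest contributor is reported as the weak link. The failure rates, the annual proof-test interval, the common-cause factor and the simplified 1oo1/1oo2 equations (no repair time, full proof-test coverage) are all assumptions chosen for the illustration; the SIL bands are the low-demand PFDavg ranges from IEC 61508-1.

```python
"""Simplified IEC 61508-style probabilistic analysis of a safety instrumented
function (SIF) operating in low-demand mode.  All failure rates below are
constructed illustrative values, not data from any vendor or the article."""
from dataclasses import dataclass


# Low-demand SIL bands by average probability of failure on demand (PFDavg),
# as tabulated in IEC 61508-1 (lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

PROOF_TEST_INTERVAL_H = 8760.0  # one proof test per year (assumed)


@dataclass
class Subsystem:
    """One link of the safety chain: sensor, logic solver or final element."""
    name: str
    lambda_du: float        # dangerous undetected failure rate, per hour (assumed)
    arch: str = "1oo1"      # voting architecture: "1oo1" or "1oo2"
    beta: float = 0.0       # common-cause fraction shared by redundant channels

    def pfd_avg(self, proof_test_hours: float) -> float:
        """Simplified PFDavg equations: no repair time, 100 % proof-test coverage."""
        t = proof_test_hours
        if self.arch == "1oo1":
            return self.lambda_du * t / 2
        if self.arch == "1oo2":
            # Independent dual failure plus the common-cause term that redundancy
            # cannot remove; beta is what keeps 1oo2 from looking infinitely good.
            independent = ((1 - self.beta) * self.lambda_du) ** 2 * t ** 2 / 3
            common_cause = self.beta * self.lambda_du * t / 2
            return independent + common_cause
        raise ValueError(f"unsupported architecture {self.arch}")


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to the SIL it achieves (0 = does not reach SIL 1)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    # Below the SIL 4 band the standard tabulates nothing; treated as SIL 4 here.
    return 4 if pfd < 1e-5 else 0


def assess(chain: list, proof_test_hours: float) -> dict:
    """Sum subsystem PFDavg values (series chain) and name the weak link."""
    contributions = {s.name: s.pfd_avg(proof_test_hours) for s in chain}
    total = sum(contributions.values())
    weak = max(contributions, key=contributions.get)
    return {"pfd": total, "sil": sil_from_pfd(total),
            "weak_link": weak, "contributions": contributions}


def example() -> tuple:
    """Baseline chain, then the same chain with the weak link made redundant."""
    baseline = [Subsystem("sensor", 5e-7),
                Subsystem("logic solver", 1e-8),
                Subsystem("final element", 1.5e-6)]
    before = assess(baseline, PROOF_TEST_INTERVAL_H)
    upgraded = [Subsystem("sensor", 5e-7),
                Subsystem("logic solver", 1e-8),
                Subsystem("final element", 1.5e-6, arch="1oo2", beta=0.1)]
    after = assess(upgraded, PROOF_TEST_INTERVAL_H)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("baseline", "redundant final element"), example()):
        print(f"{label}: PFDavg={result['pfd']:.2e} SIL {result['sil']} "
              f"weak link={result['weak_link']}")
```

Running it shows the point of the metrics: the single valve dominates the baseline, doubling it cuts the total PFDavg by roughly a factor of three, and the weak link moves to the sensor, which is where the next design or proof-test decision should go.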
Principles pay premiums
These principles offer a number of advantages. First is that users can design whatever safety systems they want, as long as they can prove that the design works. “The standard defines how to measure risk and determine the effectiveness of the particular risk-reduction scheme that you are choosing to use,” explains Luis Duran, business development manager for safety systems for automation supplier ABB Inc., in Houston. The approach is also independent of technology, and therefore does not become obsolete as technology evolves.
Another advantage of the approach is that it is not merely theoretical. “These standards have arisen from lessons learned from industrial incidents and accidents,” says Duran. “They are based in practice and should be recognized as best practices.” He also notes that this best practice includes promoting a lifecycle approach, and stressing that safety is not a one-time event. For these reasons, he advocates embedding the practices into the culture of a company by ensuring that qualified people are implementing the various predefined tasks that need to be done in a functional safety management system.
Building this culture and instituting the support mechanisms are crucial for making good decisions and managing risk. “Some organizations place too much importance on personal safety metrics that have very little to do with process safety,” says Mike Boudreaux, DeltaV SIS product manager at Emerson Process Management, the Austin, Texas-based automation supplier. “A key lesson from recent process-industry incidents is the importance of monitoring process safety metrics based on leading and lagging indicators.” (The American Institute of Chemical Engineers’ Center for Chemical Process Safety in New York publishes guidelines on these metrics.)
In the end, stresses Erkkinen at MathWorks, the process stipulated by IEC 61508 does not guarantee that the resulting equipment or process will be safe. Rather, it merely establishes a discipline that is conducive to generating safer designs and building safer processes. “In other words, the standard helps to set the bar and provide the checklist that a company must go through,” he says. Not only do the uniform procedures ensure that appropriate experts within a company contribute to projects, but they also make it easy for outside auditors and governmental agencies to follow the process.
Process industry standards
When the IEC 61508 committee eventually embraced this kind of analysis, various standards bodies began developing derivative standards for assessing risk in specific applications. The IEC, for example, issued IEC 61513 for the nuclear industry and IEC 61511 for the process industries, the latter of which is defined as those industries basing their safety systems upon instrumentation. The goal of safety-system design in IEC 61511 is for the process to go to a safe state whenever a process parameter exceeds preset limits.
In the United States, most users follow the most recent version of ISA84 and get nearly identical results. The reason is that the International Society of Automation (ISA) in Research Triangle Park, N.C., incorporated the principles in IEC 61508 when it released the original version in 1996. In 2004, the ISA then harmonized ISA84 with IEC 61511 shortly after the IEC released its standard in 2003.
Even so, the standards still contain differences, most of which are small. The most substantial difference is ISA84’s grandfather clause that exempts safety systems that had been complying with the American standard before the harmonization took place, as long as their operators continue maintaining them. “Since then, there have been additions and changes to ISA84 that add other functional characteristics like fire and gas,” says Scott Hillman, global solutions director, at Phoenix-based supplier Honeywell Process Solutions.
Despite the rise of functional standards such as IEC 61511 and ISA84 in the process industry, the old prescriptive standards have not gone away. They still exist as repositories of the wisdom accumulated by the industry for burner management, fire-and-gas security, high-integrity pressure protection and other safety systems. For example, the National Fire Protection Association, in Quincy, Mass., issued NFPA 72 and 85 for fire and gas. “In the U.S., the challenge is that fire-and-gas standards tend to vary with local building codes,” says Hillman. Because the Europeans use European Norm (EN) 54, their standards tend to be a little more uniform.
Standards for machinery
The process industries are not alone in benefiting from the principles laid out by IEC 61508. The discrete-parts manufacturing sector has been enjoying their benefits, too. The Geneva-based International Organization for Standardization (ISO), for example, is working on ISO 26262, a derivative functional safety standard for the automobile industry. Meanwhile, the IEC has already released a derivative standard, called IEC 62061, for machinery with electrical, electronic and programmable control systems.
The latter standard specifies a procedure for calculating failure rates for all relevant components. “For the first time, one standard covered the entire safety chain, from the sensor to the actuator,” says John D’Silva, business development manager for safety integration at Siemens Industry Inc., an automation vendor in Alpharetta, Ga.
Another important safety standard incorporating quantitative assessment is the two-part ISO 13849 standard governing the safety functions in the control of machinery. Like IEC 62061, this standard also covers all devices and software in the chain executing these functions, but it covers a wider range of machinery. “Its advantage is that it applies to all safety-related parts of control systems on all types of machinery, irrespective of the kind of energy being used—be it electrical, hydraulic, pneumatic or mechanical,” says D’Silva.
Part one gives general design principles, and part two describes validation procedures. ISO 13849-1 replaces EN 954-1, which is scheduled to expire at the end of this year. Initially, EN 954-1 was supposed to expire in 2009, but the standards organization granted a two-year extension at the request of machinery builders and users.
Risk assessment is also part of the new ANSI B11.0 safety standard for all powered machinery, not just for the machine tools normally covered by the B11 family of standards. Released in December by the American National Standards Institute, in Washington, D.C., the standard contains procedures for quantifying risk so that designers and users know where to focus their efforts. In the past, companies would often install safeguards based on how dangerous a machine looked. “They didn’t know whether they really needed them or not,” notes Chris Soranno, Cleveland-based safety compliance manager for the Machinery Services Div. of Omron STI, an automation supplier headquartered in Fremont, Calif.
The assessment assigns levels of risk to three factors: severity of potential injury, frequency of exposure to a hazard and the probability that an injury will occur. “If the worst case is a minor wound, the frequency is once a year, and the probability is next to zero, then you know that you don’t need to spend much to safeguard that risk,” offers Soranno. “For a press, on the other hand, the severity of injury is death or amputation, the frequency is high (every cycle for hand loading), and the probability of an injury is probable.” In these cases, users must invest much in safeguards that prevent exposure to the hazard.
This risk assessment is based upon a process promulgated by ANSI and the Packaging Machinery Manufacturers Institute for the 2006 revision of ANSI/PMMI B155.1 for packaging-machine safety. The 2010 revision of ANSI B11.0 broadened the assessment to make it applicable to any power-driven machinery. Right now, ANSI B11.0 is probably the most up-to-date safety standard for machinery, using much more recent information on technology and best practices than even the 2010 revision of the international ISO 12100 machinery safety standard.
Far from being an isolated event, the harmonization that occurred between IEC 61511 and ISA84 is indicative of yet another trend. Driven by the increasing globalization over the last few decades, this trend entails making the various national and international standards look alike as much as possible, even to the point of being identical.
“The goal of harmonizing standards is to improve them—to make them easier to use, and to embrace new technology that will make the workplace safer than it was before,” says Roberta Nelson Shea, president of Safety Compliance Services LLC, a robotic-safety consulting firm in Northville, Mich.
Because the robotics industry has taken harmonization to heart, its safety standards have been interrelated for many years. Right now, the Canadian CSA-Z434-03 standard, published in 2003 by the Canadian Standards Association, of Mississauga, Ontario, is nearly the same as the U.S. ANSI/RIA R15.06 standard of 1999, almost word for word, according to Nelson Shea. Both are undergoing further revision, and Nelson Shea expects the revisions to be harmonized, and to add user requirements not found in the ISO 10218 standard that is currently under development for equipment manufacturers.
In other industries, the trend is continued technical maintenance to ensure that the standards remain relevant, as technology evolves and new hazards come to light. ANSI, for example, strives to review its standards regularly. “An ANSI standard is supposed to be affirmed, withdrawn or revised every five years,” explains Soranno, who co-chairs the B11.3 committee on press brakes.
His committee, for example, is rewriting its own standard to account for newer drive and safeguarding technologies that have come on the market since the standard was last rewritten in 2002 and reaffirmed in 2007. The revisions should also bring about some harmonization with the standard’s counterparts, CSA Z142 in Canada and EN 12622 in Europe.
Because of this constant attention, these and other industry standards tend to be decades ahead of safety laws and regulations enforced by the U.S. Occupational Safety and Health Administration (OSHA) in Washington, D.C. “OSHA regulations were not written from scratch,” explains Soranno. “Regulators went into industry, found consensus standards or industry norms, and made them law.” Changing or updating these laws and regulations requires either an act of Congress or a lengthy bureaucratic administrative process.
For this reason, Soranno emphasizes that OSHA regulations are merely minimum legal requirements, not sound practice. He recommends adhering to the standards set by industry groups, not only because they provide much better safety, but also because courts often rely on them for judgments in lawsuits. “Even though standards set by consensus bodies like ANSI don’t have the force of law, it’s difficult to explain to a jury why you didn’t follow a current industry standard that is considered to be best practice,” he notes.
Studies, moreover, show that, for every dollar that users invest in safety, they will save between $3 and $6 on the total costs of any injury that might occur. If you add the pain and suffering that the investment prevents, it’s easy to see how navigating the chaotic seas of standards is well worth the trouble.