30.01.2025
Functional safety in control systems
The main task of control systems in the broad sense is to control actuators correctly so that a specific process is carried out. People just starting out in industrial automation may not be aware that designing an automation system means not only meeting the process requirements, but also preparing the machine to handle situations that endanger the life and health of its operators.
As production became more automated, awareness of the safety of automatic processes grew with it. In the early stages of automating production processes, when control was based mainly on relay logic, machine safety was largely limited to central power switches and process shutdown buttons. It turned out that such protective measures were not effective enough, which created the need for new solutions in the field of machine safety.
Further development of the machine industry, the growing number of automatic control systems, the introduction of programmable systems and the need to protect users showed that the topics related to machine safety had to be systematized and treated separately. This article presents the basics of functional safety and its implementation.
What is functional safety?
The combination of these two words already suggests a reference to functions whose purpose is to ensure safety. Safety functions control the operation of dangerous elements and are designed to keep the machine in a safe state when safe operation is not possible. Developing this idea, functional safety is a term for ensuring the safety of users by means of a correctly functioning control system. In this case, the control system should be understood as a correctly functioning electrical system, programmable electronic systems and external devices that together reduce the risk arising in the controlled process.
Maintaining functional safety with a CMMS system
Maintenance management systems (CMMS) help maintain the proper safety of machines and devices. Through centralized management of machine data, such as repair history, parts replacement and inspection results, a CMMS enables effective planning of inspections and maintenance. This helps prevent failures that could lead to dangerous situations. A CMMS can also automatically generate notifications that safety-related service activities are due. In this way, a CMMS contributes to maintaining the required level of functional safety and increasing machine reliability.
Legal basis
The basic goal of functional safety is to limit the possibility of a dangerous situation occurring; the end result is to reduce the risk to an acceptable level. There are a number of legal regulations worldwide intended to protect machine users. The basic statutory requirement for machines and devices placed on the market in the European Economic Area is that the machine carry the CE mark. This confirms that the product meets all the European directives that apply to it.
The most important document addressed to manufacturers and distributors of machines is the Machinery Directive 2006/42/EC. It contains a number of regulations and recommendations intended to ensure safety and health protection. The following standards can be used to assess and validate safety functions: PN-EN ISO 13849 and PN-EN 62061. All such work should be preceded by the key step, a risk analysis of the entire process, carried out according to the PN-EN ISO 12100 standard.
Design of safety functions based on PN-EN ISO 13849
The PN-EN ISO 13849 standard applies to all technologies: electrical, pneumatic, hydraulic and mechanical. Designing an appropriate safety function requires the designer to apply the protection technology that the application calls for.
The PN-EN ISO 13849 standard introduces the Performance Level (PL), a measure of safety assurance. This level is defined on a five-level letter scale from a to e, where a corresponds to the lowest risk and e to the highest. To determine the required level of safety, a risk graph is used, as in the illustration below, which shows an example path through the risk assessment. In the next steps, it allows a safety function adequate to the hazard to be designed.
Risk graph, estimated required safety assurance level PL c (S2, F1, P1)
In the first step, the severity of the possible injury is assessed, then the frequency and/or duration of exposure to the hazard, and finally the possibility of avoiding the hazard. It should be emphasized that each of these selection thresholds has only two stages. In practice, for some cases it is difficult to choose objectively between the two extreme possibilities. Consider a practical example: for the linear movement of a cylinder piston rod, it is hard to judge whether the event can be avoided (choice P1) or whether that is almost impossible (choice P2).
After assessing the required level of safety assurance, a safety function must be implemented that meets that specific PL. Each safety function consists of an input, a logic system and an output. The input can be any detection device (e.g. a light curtain, an emergency stop button, a two-hand control), which is connected to a logic system (e.g. a safety relay or a safety PLC) that, depending on its level of sophistication, controls the safety devices and performs diagnostics and testing. The logic system controls the output (e.g. contactors that disconnect the device from the power supply).
To achieve the required level of safety assurance, the appropriate safety category must be selected. There are five categories, in order from lowest to highest: B, 1, 2, 3, 4. As the category increases, so does the fault tolerance of the system, e.g. through a dual-channel control structure, feedback signals, redundancy in the implementation of the logic, testing, etc.
The practical implementation of the expected level of safety assurance is not limited to the selection of the control architecture and is a subject that requires appropriate knowledge and experience. It requires the safety system designer to apply not only the appropriate safety category, but also other parameters such as the reliability data of the system or its components, MTTFd (Mean Time To Dangerous Failure), the average diagnostic coverage DCavg (Diagnostic Coverage) and the measures taken against failures with a common cause, CCF (Common Cause Failure). As the graph below shows, the safety assurance level PL c can be achieved in categories 1, 2 and 3, depending on the other parameters the system attains.
Determining the level of safety performance required
source: Omron, Machinery Safety Guide 2012/2013
In addition, the entire system (safety function) achieves only the level of safety assurance of the element with the lowest level. This is particularly difficult for electromechanical devices (e.g. buttons, contactors), where determining the service life of the elements requires knowing the expected number of operations over a period of time. Dedicated software for validating safety functions, such as SISTEMA, comes to the rescue.
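The three steps the article walks through (risk graph to required PL, MTTFd of an electromechanical element from its B10d value and operating profile, and the simplified category/DCavg/MTTFd lookup, together with the weakest-element rule) are shown below in code. This is an added example, not code from the article or from SISTEMA; the table values are ISO 13849-1 simplified-procedure values as recalled by the editor and the contactor figures (B10d, days, hours, cycle time) are constructed, so check both against the current edition of the standard and the manufacturer's data before relying on them.

```python
# Added example: the ISO 13849-1 steps from the article, in code. Table values
# are as recalled from the standard; the duty-profile figures are constructed.
# Step 1: risk graph (S severity, F exposure, P avoidability; each 1 or 2) -> PLr.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}
def required_pl(s, f, p):
    return RISK_GRAPH[(s, f, p)]

# Step 2: MTTFd of an electromechanical element (contactor, button) from its
# B10d and the expected operations per year n_op (Annex C of the standard).
def mttfd_years(b10d, days_per_year, hours_per_day, cycle_seconds):
    n_op = days_per_year * hours_per_day * 3600 / cycle_seconds
    return b10d / (0.1 * n_op)

def mttfd_band(years):
    # Usable range is 3..100 years; the standard caps higher values at 100.
    if years < 3:
        return None
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(dc):
    return ("none" if dc < 0.60 else "low" if dc < 0.90
            else "medium" if dc < 0.99 else "high")

# Step 3: simplified procedure: (category, DCavg band) and MTTFd band -> PL.
ACHIEVED = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}

def achieved_pl(category, dcavg, mttfd):
    # None: the combination is not permitted by the table (e.g. cat 1, low MTTFd).
    return ACHIEVED.get((category, dc_band(dcavg)), {}).get(mttfd_band(mttfd))

def function_pl(subsystem_pls):
    # The article's rule: the whole safety function is rated by its weakest part.
    return None if None in subsystem_pls else min(subsystem_pls)

def meets_requirement(achieved, required):
    return achieved is not None and achieved >= required  # "a" < "b" < ... < "e"

# Article's case: S2, F1, P1 -> PLr c. A category 3 output stage with a contactor
# of B10d 1.3e6 (constructed), 220 d/yr, 16 h/d, 60 s cycle, DCavg 75 % gives d.
EXAMPLE = achieved_pl("3", 0.75, mttfd_years(1_300_000, 220, 16, 60))
```

For the constructed contactor the MTTFd comes out at about 61.6 years (band "high"), so the category 3 stage achieves PL d, which satisfies the PLr of c from the risk graph.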
Selecting a device to implement a safety function
Many people working in the industrial automation industry associate machine safety with specific colors (yellow is often used by manufacturers to mark safety-related elements), components, and even manufacturers. Few people realize, however, that none of the safety categories defines how such a system is to be implemented. In theory, even the most complex safety functions could be implemented based on proprietary devices.
In practice, it is very difficult to achieve even a relatively low safety category without using dedicated logic control modules. These offer continuous testing functions, monitor the connected signals and have a certified level of safety assurance determined by the manufacturer. The most commonly used are safety relays, programmable or configurable safety relays, and PLCs with safety functions.
The choice of the right solution depends largely on the complexity of the application. The number of logical connections between input elements and the number of safety functions the system performs are key. Attention should also be paid to the logic functions the system is expected to perform. For a small number of safety functions, a safety relay or a group of several safety relays is usually sufficient. When advanced functions are needed, such as monitoring the movement of a drive, classic safety relays are insufficient. Moreover, as the number of safety functions grows, non-programmable systems suffer from complex dependencies between elements and complicated wiring, and diagnostics become difficult.
Implementation of safety functions on dedicated safety relays
It should be emphasized here, however, that when a programmable device is chosen, responsibility for a correctly functioning system also lies with the safety controller programmer. Unlike errors in process applications, errors in safety programs can affect the health or life of machine users. For this reason, it is worth spending extra time during machine commissioning to thoroughly test and validate the safety functions.
At the same time, the programming of safety functions has been deliberately reduced to the most basic blocks and data types in order to limit the possibility of error. Manufacturers of programmable safety devices provide dedicated libraries for implementing basic safety functions, so that the untested parts of a program are kept to a minimum.
Summary: CMMS system and safety
Machinery safety is a very broad topic. The practical implementation of safety functions with a specific level of safety assurance requires specialist knowledge. The text above has omitted many very important issues, such as risk analysis, the application of technical measures and residual risk. In the context of the topic discussed, it is worth emphasizing that on January 20, 2027, the EU Machinery Regulation 2023/1230 will enter into force and replace the currently applicable Machinery Directive 2006/42/EC. The change will take place without a transitional period allowing the use of both documents.
To ensure and maintain the expected level of safety, it is crucial to keep the automation devices efficient and in working order. A system such as a CMMS supports prevention, fault reporting and management of the spare parts warehouse. These activities help maintain continuity of work and, in the context of machine safety, allow the replacement of faulty or worn-out elements of the automation system to be planned, since their improper operation may lower the level of safety.