Functional Safety of Machinery
How to Apply ISO 13849-1 and IEC 62061
1. Auflage März 2023
352 Seiten, Hardcover
Wiley & Sons Ltd
ISBN:
978-1-119-78904-8
John Wiley & Sons
Weitere Versionen
FUNCTIONAL SAFETY OF MACHINERY
Enables readers to understand ISO 13849-1 and IEC 62061 standards and provides a practical approach to functional safety in machinery design
Functional Safety of Machinery: How to Apply ISO 13849-1 and IEC 62061 introduces functional safety of machinery as a single unified approach, despite the existence of two standards. Aligning with the latest updates of ISO 13849-1 and IEC 62061, the book explains the intent behind the standards and the mathematical basis on which they are written, details the differences between the two standards, and prescribes ways to put them into practice.
To aid in seamless reader comprehension, detailed examples are included throughout the book which walk readers through concepts like Random and Systematic Failures, High and Low demand mode of operation, Diagnostic Coverage, and Safe Failure Fraction. Other sample topics covered within the book include:
* Basics of reliability engineering and functional safety
* Roles of the standards in the design and evaluation of safety functions
* Description of the Main Parameters used in the two standards
* How to deal with Low Demand Safety Systems
* The Categories of ISO 13849-1 and the Basic Subsystem Architectures of IEC 62061
* How Categories and Architectures can be validated
Machinery design engineers, machinery manufacturers, and professionals in system and industrial safety fields can use this book as a one-stop resource to understand the specifics and applications of ISO 13849-1 and IEC 62061.
Preface xv
Acknowledgments xix
About the Author xxi
Before You Start Reading this Book xxiii
1 The Basics of Reliability Engineering 1
1.1 The Birth of Reliability Engineering 1
1.1.1 Safety Critical Systems 2
1.2 Basic Definitions and Concepts of Reliability 2
1.3 Faults and Failures 2
1.3.1 Definitions 3
1.3.2 Random and Systematic Failures 3
1.3.2.1 How Random is a Random Failure? 4
1.4 Probability Elements Beyond Reliability Concepts 5
1.4.1 The Discrete Probability Distribution 5
1.4.1.1 Example: 10 Colored Balls 6
1.4.1.2 Example: 2 Dice 7
1.4.2 The Probability Density Function f (x) 7
1.4.2.1 Example 8
1.4.3 The Cumulative Distribution Function F(x) 9
1.4.4 The Reliability Function R(t) 10
1.5 Failure Rate lambda 11
1.5.1 The Maclaurin Series 14
1.5.2 The Failure in Time or FIT 14
1.5.2.1 Example 14
1.6 Mean Time to Failure 14
1.6.1 Example of a Non-Constant Failure Rate 15
1.6.2 The Importance of the MTTF 16
1.6.3 The Median Life 16
1.6.4 The Mode 16
1.6.4.1 Example 17
1.6.4.2 Example 17
1.7 Mean Time Between Failures 18
1.8 Frequency Approach Example 19
1.8.1 Initial Data 19
1.8.2 Empirical Definition of Reliability and Unreliability 20
1.9 Reliability Evaluation of Series and Parallel Structures 22
1.9.1 The Reliability Block Diagrams 22
1.9.2 The Series Configuration 23
1.9.3 The Parallel Configuration 24
1.9.3.1 Two Equal and Independent Elements 24
1.9.4 M Out of N Functional Configurations 26
1.10 Reliability Functions in Low and High Demand Mode 27
1.10.1 The PFD 28
1.10.1.1 The Protection Layers 29
1.10.1.2 Testing of the Safety Instrumented System 30
1.10.2 The PFDavg 30
1.10.2.1 Dangerous Failures 31
1.10.2.2 How to Calculate the PFDavg 31
1.10.3 The PFH 32
1.10.3.1 Unconditional Failure Intensity w(t) vs Failure Density f (t) 32
1.10.3.2 Reliability Models Used to Estimate the PFH 34
1.11 Weibull Distribution 34
1.11.1 The Probability Density Function 34
1.11.2 The Cumulative Density Function 35
1.11.3 The Instantaneous Failure Rate 36
1.11.4 The Mean Time to Failure 37
1.11.4.1 Example 38
1.12 B10Dand the Importance of T10D39
1.12.1 The BX% Life Parameter and the B10D 39
1.12.1.1 Example 40
1.12.2 How lambdaD and MTTFD are Derived from B10D40
1.12.3 The Importance of the Parameter T10D41
1.12.4 The Surrogate Failure Rate 43
1.12.5 Markov 43
1.13 Logical and Physical Representation of a Safety Function 45
1.13.1 De-energization of Solenoid Valves 45
1.13.2 Energization of Solenoid Valves 46
2 What is Functional Safety 47
2.1 A Brief History of Functional Safety Standards 47
2.1.1 IEC 61508 (All Parts) 48
2.1.1.1 HSE Study 49
2.1.1.2 Safety Integrity Levels 50
2.1.1.3 FMEDA 51
2.1.1.4 High and Low Demand Mode of Operation 52
2.1.1.5 Safety Functions and Safety-Related Systems 53
2.1.1.6 An Example of Risk Reduction Through Functional Safety 54
2.1.1.7 Why IEC 61508 was Written 54
2.1.2 ISO 13849-1 55
2.1.3 IEC 62061 56
2.1.4 IEC 61511 56
2.1.4.1 Introduction 56
2.1.4.2 The Second Edition 57
2.1.4.3 Designing a SIS 58
2.1.4.4 Three Methods 58
2.1.4.5 The Concept of Protection Layers 59
2.1.4.6 The Different Types of Risk 60
2.1.4.7 The Tolerable Risk 60
2.1.4.8 The ALARP Principle 62
2.1.4.9 Hazard and Operability Studies (HAZOP) 64
2.1.4.10 Layer of Protection Analysis (LOPA) 64
2.1.5 PFDavg for Different Architectures 65
2.1.5.1 1oo1 Architecture in Low Demand Mode 65
2.1.5.2 Series of 1oo1 Architecture in Low Demand Mode 66
2.1.5.3 1oo2 Architecture in Low Demand Mode 66
2.1.5.4 1oo3 Architecture in Low Demand Mode 67
2.1.5.5 2oo3 Architecture in Low Demand Mode 67
2.1.5.6 Summary Table 68
2.1.5.7 Example of PFDAvg Calculation 69
2.1.6 Reliability of a Safety Function in Low Demand Mode 70
2.1.7 A Timeline 72
2.2 Safety Systems in High and Low Demand Mode 73
2.2.1 Structure of the Control System in High and Low Demand Mode 73
2.2.1.1 Structure in Low Demand Mode, Process Industry 73
2.2.1.2 Structure in High Demand Mode, Machinery 74
2.2.1.3 Continuous Mode of Operation 74
2.2.2 The Border Line Between High and Low Demand Mode 74
2.2.2.1 Considerations in High Demand Mode 74
2.2.2.2 Considerations in Low Demand Mode 75
2.2.2.3 The Intermediate Region 75
2.3 What is a Safety Control System 76
2.3.1 Control System and Safety System 76
2.3.2 What is Part of a Safety Control System 78
2.3.3 Implication of Implementing an Emergency Start Function 79
2.4 CE Marking, OSHA Compliance, and Functional Safety 80
2.4.1 CE Marking 80
2.4.2 The European Standardization Organizations (ESOs) 81
2.4.3 Harmonized Standards 82
2.4.4 Functional Safety in North America 84
2.4.4.1 The Concept of Control Reliable 85
2.4.4.2 Functional Safety in the United States 86
3 Main Parameters 87
3.1 Failure Rate (lambda) 87
3.1.1 Definition 87
3.1.2 Detected and Undetected Failures 88
3.1.3 Failure Rate for Electromechanical Components 89
3.1.3.1 Input Subsystem: Interlocking Device 89
3.1.3.2 Input Subsystem: Pressure Switch 89
3.1.3.3 Output Subsystem: Solenoid Valve 90
3.1.3.4 Output Subsystem: Power Contactor 90
3.2 Safe Failure Fraction 91
3.2.1 SFF in Low Demand Mode: Pneumatic Solenoid Valve 92
3.2.1.1 Example 93
3.2.2 SFF in High Demand Mode: Pneumatic Solenoid Valve 94
3.2.2.1 Example for a 1oo1 Architecture 94
3.2.2.2 Example for a 1oo2D Architecture 95
3.2.3 SFF and Electromechanical Components 96
3.2.3.1 The Advantage of Electronic Sensors 97
3.2.3.2 SFF and DC for Electromechanical Components 97
3.2.4 SFF in Low Demand Mode: Analog Input 98
3.2.5 SFF and DC in High Demand Mode: The Dynamic Test and Namur Circuits 100
3.2.5.1 Namur Type Circuits 101
3.2.5.2 Three Wire Digital Input 102
3.2.6 Limits of the SFF Parameter 102
3.2.6.1 Example 103
3.3 Diagnostic Coverage (DC) 103
3.3.1 Levels of Diagnostic 105
3.3.2 How to Estimate the DC Value 105
3.3.3 Frequency of the Test 106
3.3.4 Direct and Indirect Testing 106
3.3.4.1 DC for the Component and for the Channel 107
3.3.5 Testing by the Process 108
3.3.6 Examples of DC Values 109
3.3.7 Estimation of the Average DC 111
3.4 Safety Integrity and Architectural Constraints 112
3.4.1 The Starting Point 112
3.4.2 The Systematic Capability 113
3.4.2.1 Systematic Safety Integrity 113
3.4.3 Confusion Generated by the Concept of Systematic Capability 114
3.4.3.1 Random Capability 114
3.4.3.2 Systematic Capability 115
3.4.3.3 ISO 13849-1 115
3.4.4 The Safety Lifecycle 115
3.4.5 The Software Safety Lifecycle 115
3.4.6 Hardware Fault Tolerance 117
3.4.7 The Hardware Safety Integrity 118
3.4.7.1 Type A and Type B Components 118
3.4.8 Route 1H 119
3.4.8.1 Route 1H and Type A Component: Example 119
3.4.8.2 Route 1H and Type B Component: Example 120
3.4.9 High Demand Mode Safety-Related Control Systems 120
3.4.9.1 Example 121
3.4.10 Route 2H 122
3.5 Mean Time to Failure (MTTF) 123
3.5.1 Examples of MTTF Values 123
3.5.2 Calculation of MTTFD and lambdaD for Components from B10D 125
3.5.3 Estimation of MTTFD for a Combination of Systems 125
3.5.3.1 Example for Channels in Series 126
3.5.3.2 Example for Redundant Channels 126
3.6 Common Cause Failure (CCF) 127
3.6.1 Introduction to CCF and the Beta-Factor 127
3.6.2 How IEC 62061 Handles the CCF 128
3.6.3 How ISO 13849-1 Handles the CCF 129
3.7 Proof Test 130
3.7.1 Proof Test Procedures 131
3.7.1.1 Example of a Proof Test Procedure for a Pressure Transmitter 131
3.7.1.2 Example of a Proof Test Procedure for a Solenoid Valve 132
3.7.2 How the Proof Test Interval Affects the System Reliability 133
3.7.2.1 Example 133
3.7.3 Proof Test in Low Demand Mode 134
3.7.3.1 Imperfect Proof Testing and the Proof Test Coverage (PTC) 135
3.7.3.2 Partial Proof Test (PPT) 136
3.7.3.3 Example for a Partial Valve Stroke Test 137
3.7.4 Proof Test in High Demand Mode 138
3.8 Mission Time and Useful Lifetime 139
3.8.1 Mission Time Longer than 20 Years 140
4 Introduction to ISO 13849-1 and IEC 62061 141
4.1 Risk Assessment and Risk Reduction 141
4.1.1 Cybersecurity 141
4.1.2 Protective and Preventive Measures 143
4.1.3 Functional Safety as Part of the Risk Reduction Measures 144
4.1.4 The Naked Machinery 146
4.2 SRP/CS, SCS, and the Safety Functions 146
4.2.1 SRP/CS and SCS 146
4.2.2 The Safety Function and Its Subsystems 147
4.2.3 The Physical and the Functional Level 147
4.3 Examples of Safety Functions 149
4.3.1 Safety-Related Stop 149
4.3.2 Safety Sub-Functions Related to Power Drive Systems 149
4.3.2.1 Stopping Functions 149
4.3.2.2 Monitoring Functions 151
4.3.2.3 Information to be Provided by the PDS Manufacturer 152
4.3.3 Manual Reset 152
4.3.3.1 Multiple Sequential Reset 154
4.3.3.2 How to Implement the Reset Electrical Architecture 154
4.3.4 Restart Function 154
4.3.5 Local Control Function 154
4.3.6 Muting Function 154
4.3.7 Operating Mode Selection 155
4.4 The Emergency Stop Function 156
4.5 The Reliability of a Safety Function in High Demand Mode 157
4.5.1 PFHD and PFH 157
4.5.2 The Performance Level 157
4.5.3 The Safety Integrity Level 158
4.5.4 Relationship Between SIL and PL 158
4.5.5 Definition of Harm 159
4.6 Determination of the Required PL (PLr) According to ISO 13849-1 159
4.6.1 Risk Parameters 160
4.6.1.1 S: Severity of Injury 160
4.6.1.2 F: Frequency and/or Exposure Time to Hazard 160
4.6.1.3 P: Possibility of Avoiding Hazard or Limiting Harm 160
4.6.1.4 An Example on How to Use the Graph 161
4.7 Rapex Directive 162
4.8 Determination of the Required SIL (SILr) According to IEC 62061 163
4.8.1 Risk Elements and SIL Assignment 164
4.8.2 Severity (Se) 165
4.8.3 Probability of Occurrence of Harm 165
4.8.3.1 Frequency and Duration of Exposure (Fr) 165
4.8.3.2 Probability of Occurrence of a Hazardous Event (Pr) 166
4.8.3.3 Probability of Avoiding or Limiting the Harm (Av) 166
4.8.3.4 Example of the Table Use 167
4.9 The Requirements Specification 167
4.9.1 Information Needed to Prepare the SRS or the FRS 167
4.9.2 The Specifications of All Safety Functions 168
4.10 Iterative Process to Reach the Required Reliability Level 169
4.11 Fault Considerations and Fault Exclusion 170
4.11.1 How Many Faults Should be Considered? 170
4.11.2 Fault Exclusion and Interlocking Devices 170
4.11.2.1 Fault Exclusion Applied to Interlocking Devices 170
4.11.2.2 Fault Exclusion on Pre-defined Subsystems 172
4.11.2.3 Fault Exclusion Made by the Machinery Manufacturer 172
4.11.2.4 Types of Guard Locking Mechanism 173
4.11.2.5 What Are the Safety Signals in an Interlocking Device with Guard Lock? 174
4.11.2.6 What Safety Functions are Associated to a Guard Interlock 174
4.11.3 Other Examples of Fault Exclusions 175
4.11.3.1 Short Circuit Between any Two Conductors 175
4.11.3.2 Welding of Contact Elements in Contactors 176
4.12 International Standards for Control Circuit Devices 177
4.12.1 Direct Opening Action 177
4.12.1.1 Direct and Non-Direct Opening Action 179
4.12.2 Contactors Used in Safety Applications 179
4.12.2.1 Power Contactors 179
4.12.2.2 Auxiliary Contactors 180
4.12.2.3 Electromechanical Elementary Relays 181
4.12.3 How to Avoid Systematic Failures in Motor Branch Circuits 182
4.12.3.1 How to Protect Contactors from Overload and Short Circuit 182
4.12.3.2 Contactor Reliability Data 183
4.12.4 Implications Coming from IEC 60204-1 and NFPA 79 184
4.12.4.1 Wrong Connection of the Emergency Stop Button 185
4.12.4.2 Situation in Case of Two Faults: Again a Wrong Connection! 185
4.12.4.3 Correct Wiring and Bonding in a Control Circuit 186
4.12.5 Enabling and Hold to Run Devices 186
4.12.5.1 Enabling Devices 186
4.12.5.2 Hold to Run Device 189
4.12.6 Current Sinking and Sourcing Digital I/O 190
4.13 Measures for the Avoidance of Systematic Failures 192
4.13.1 The Functional Safety Plan 192
4.13.2 Basic Safety Principles 193
4.13.2.1 Application of Good Engineering Practices 193
4.13.2.2 Use of De-energization Principles 193
4.13.2.3 Correct Protective Bonding (Electrical Basic Safety Principle) 193
4.13.3 Well-Tried Safety Principles 194
4.13.3.1 Positively Mechanically Linked Contacts 194
4.13.3.2 Fault Avoidance in Cables 194
4.14 Fault Masking 195
4.14.1 Introduction to the Methodology 195
4.14.1.1 Redundant Arrangement with Star Cabling 195
4.14.1.2 Redundant Arrangement with Branch Cabling 196
4.14.1.3 Redundant Arrangement with Loop Cabling 196
4.14.1.4 Single Arrangement with Star Cabling 197
4.14.1.5 Single Arrangement with Branch Cabling 198
4.14.1.6 Single Arrangement with Loop Cabling 198
4.14.2 Fault Masking Example: Unintended Reset 199
4.14.3 Methodology for DC Evaluation 200
4.14.3.1 The Simplified Method 200
4.14.3.2 Regular Method 201
4.14.3.3 Example 201
5 Design and Evaluation of Safety Functions 205
5.1 Subsystems, Subsystem Elements, and Channels 205
5.1.1 Subsystems 205
5.1.2 Subsystem Element and Channel 205
5.1.3 Decomposition of a Safety Function 207
5.1.4 Definition of Device Types 208
5.1.4.1 Device Type 1 208
5.1.4.2 Device Type 2 208
5.1.4.3 Device Type 3 208
5.1.4.4 Device Type 4 208
5.1.4.5 Implication for General Purpose PLCs 209
5.2 Well-Tried Components 210
5.2.1 List of Well-Tried Components 211
5.2.1.1 Mechanical Systems 211
5.2.1.2 Pneumatic Systems 211
5.2.1.3 Hydraulic Systems 212
5.2.1.4 Electrical Systems 212
5.3 Proven in Use and Prior Use Devices 214
5.3.1 Proven in Use 214
5.3.2 Prior Use Devices 215
5.3.3 Prior Use vs Proven in Use 215
5.4 Use of Process Control Systems as Protection Layers 215
5.5 Information for Use 216
5.5.1 Span of Control 216
5.5.2 Information for the Machinery Manufacturer 217
5.5.3 Information for the User 217
5.6 Safety Software Development 218
5.6.1 Limited and Full Variability Language 218
5.6.2 The V-Model 219
5.6.3 Software Classifications According to IEC 62061 220
5.6.3.1 Software Level 1 221
5.6.3.2 Software Safety Requirements for Level 1 222
5.6.3.3 Software Design Specifications for Level 1 222
5.6.3.4 Software Testing for Level 1 223
5.6.3.5 Validation of Safety-Related Software 223
5.6.4 Software Safety Requirements According to ISO 13849-1 223
5.6.4.1 Requirements When SRASW is Developed with LVL 224
5.6.4.2 Software-Based Manual Parameterization 225
5.7 Low Demand Mode Applications in Machinery 226
5.7.1 How to Understand if a Safety System is in High or in Low Demand Mode 226
5.7.1.1 Milling Machine 226
5.7.1.2 Industrial Furnaces 226
5.7.2 Subsystems in Both High and Low Demand Mode 227
5.7.3 How to Address Low Demand Mode in Machinery 230
5.7.4 Subsystems Used in Both High and Low Demand Mode 230
5.7.5 How to Assess "Mixed" Safety Systems: Method 1 231
5.7.5.1 How to Estimate the Failure Rate of the Shared Subsystem 231
5.7.5.2 Relationship Between PFDavg and PFHD 231
5.7.5.3 Safety Functions 1 with a Shared Subsystem: Method 1 232
5.7.5.4 Safety Functions 2 with a Shared Subsystem: Method 1 233
5.7.6 How to Assess "Mixed" Safety Systems: Method 2 235
5.7.6.1 How the Method Works 235
5.7.6.2 Safety Function 2 with a Shared Subsystem: Method 2 236
6 The Categories of ISO 13849-1 237
6.1 Introduction 237
6.1.1 Introduction to the Simplified Approach 238
6.1.2 Physical and Logical Representation of the Architectures 239
6.1.3 The Steps to be Followed 240
6.2 The Five Categories 241
6.2.1 Introduction 241
6.2.2 Category B 241
6.2.3 Category 1 242
6.2.3.1 Example of a Category 1 Input Subsystem: Interlocking Device 242
6.2.4 Category 2 243
6.2.5 Markov Modelling of Category 2 245
6.2.5.1 The OK State 245
6.2.5.2 From the OK State to the Failure State 246
6.2.5.3 From the Failure State to the Hazardous Event 247
6.2.5.4 Other States in the Transition Model 248
6.2.5.5 The Simplified Graph of the Markov Modelling 248
6.2.5.6 The Importance of the Time-Optimal Testing 249
6.2.5.7 1oo1D in Case of Time-Optimal Testing 249
6.2.6 Conditions for the Correct Implementation of a Category 2 Subsystem 250
6.2.7 Examples of Category 2 Circuits 251
6.2.7.1 Example of Category 2 - PL c 251
6.2.7.2 Example of Category 2 - PL d 252
6.2.7.3 Example of a Category 2 with Undervoltage Coil 253
6.2.8 Category 3 254
6.2.8.1 Diagnostic Coverage in Category 3 255
6.2.8.2 Example of Category 3 for Input Subsystem: Interlocking Device 256
6.2.8.3 Example of Category 3 for Output Subsystem: Pneumatic Actuator 258
6.2.9 Category 4 260
6.2.9.1 Category 4 When the Demand Rate is Relatively Low 260
6.2.9.2 Example of a Category 4 Input Subsystem: Emergency Stop 261
6.2.9.3 Example of Category 4 for Output Subsystems: Electric Motor 262
6.3 Simplified Approach for Estimating the Performance Level 263
6.3.1 Conditions for the Simplified Approach 263
6.3.2 How to Calculate MTTFD of a Subsystem 264
6.3.3 Estimation of the Performance Level 264
6.3.3.1 The Simplified Graph 265
6.3.3.2 Table K.1 in Annex K 265
6.3.3.3 The Extended Graph 270
6.4 Determination of the Reliability of a Safety Function 270
7 The Architectures of IEC 62061 273
7.1 Introduction 273
7.1.1 The Architectural Constraints 273
7.1.2 The Simplified Approach 275
7.1.2.1 Differences with ISO 13849-1 275
7.1.2.2 How to Calculate the PFHD of a Basic Subsystem Architecture 275
7.1.3 The Avoidance of Systematic Failures 275
7.1.4 Relationship Between lambdaD and MTTFD 276
7.2 The Four Subsystem Architectures 277
7.2.1 Repairable vs Non-Repairable Systems 277
7.2.2 Basic Subsystem Architecture A: 1oo1 277
7.2.2.1 Implications of the Architectural Constraints in Basic Subsystem Architecture A 277
7.2.2.2 Example of a Basic Subsystem Architecture A 278
7.2.3 Basic Subsystem Architecture B: 1oo2 278
7.2.3.1 Implications of Architectural Constraints in Basic Subsystem Architecture B 279
7.2.3.2 Example of a Basic Output Subsystem Architecture B: Electric Motor 279
7.2.4 Basic Subsystem Architecture C: 1oo1D 281
7.2.4.1 Conditions for a Correct Implementation of Basic Subsystem Architecture C 282
7.2.4.2 Basic Subsystem Architecture C with Fault Handling Done by the SCS 283
7.2.5 Basic Subsystem Architecture C with Mixed Fault Handling 283
7.2.5.1 PFHD in Case of Four Conditions Satisfied 285
7.2.5.2 PFHD in Case One of the Four Conditions is Not Satisfied 286
7.2.5.3 Implications of the Architectural Constraints in Basic Subsystem Architecture C 286
7.2.6 Example of a Basic Subsystem Architecture C 287
7.2.7 Alternative Formula for the Basic Subsystem Architecture C 289
7.2.8 Basic Subsystem Architecture D: 1oo2D 290
7.2.8.1 Implications of the Architectural Constraints in Basic Subsystem Architecture D 291
7.2.8.2 Example of Input Basic Subsystem Architecture D: Emergency Stop 291
7.2.8.3 Example of Input Basic Subsystem Architecture D: Interlocking Device 292
7.2.8.4 Example of a Basic Subsystem Architecture D Output 293
7.3 Determination of the Reliability of a Safety Function 295
8 Validation 297
8.1 Introduction 297
8.1.1 Level of Independence of People Doing the Validation 298
8.1.2 Flow Chart of the Validation Process 299
8.2 The Validation Plan 299
8.2.1 Fault List 299
8.2.2 Validation Measures Against Systematic Failures 301
8.2.3 Information Needed for the Validation 301
8.2.4 Analysis and Testing 301
8.2.4.1 Analysis 301
8.2.4.2 Testing 302
8.2.4.3 Validation of the Safety Integrity of Subsystems 303
8.2.4.4 Validation of the Safety-related Software 304
8.2.4.5 Software-based Manual Parameterization 304
9 Some Final Considerations 307
9.1 ISO 13849-1 vs IEC 62061 307
9.2 High vs Low-Demand Mode Applications 308
9.3 The Importance of Risk Assessment 309
9.3.1 Principles of Safety Integration 310
9.3.1.1 The Glass Dome 311
9.3.2 How to Run a Risk Assessment 311
Bibliography 313
Index 317
Acknowledgments xix
About the Author xxi
Before You Start Reading this Book xxiii
1 The Basics of Reliability Engineering 1
1.1 The Birth of Reliability Engineering 1
1.1.1 Safety Critical Systems 2
1.2 Basic Definitions and Concepts of Reliability 2
1.3 Faults and Failures 2
1.3.1 Definitions 3
1.3.2 Random and Systematic Failures 3
1.3.2.1 How Random is a Random Failure? 4
1.4 Probability Elements Beyond Reliability Concepts 5
1.4.1 The Discrete Probability Distribution 5
1.4.1.1 Example: 10 Colored Balls 6
1.4.1.2 Example: 2 Dice 7
1.4.2 The Probability Density Function f (x) 7
1.4.2.1 Example 8
1.4.3 The Cumulative Distribution Function F(x) 9
1.4.4 The Reliability Function R(t) 10
1.5 Failure Rate lambda 11
1.5.1 The Maclaurin Series 14
1.5.2 The Failure in Time or FIT 14
1.5.2.1 Example 14
1.6 Mean Time to Failure 14
1.6.1 Example of a Non-Constant Failure Rate 15
1.6.2 The Importance of the MTTF 16
1.6.3 The Median Life 16
1.6.4 The Mode 16
1.6.4.1 Example 17
1.6.4.2 Example 17
1.7 Mean Time Between Failures 18
1.8 Frequency Approach Example 19
1.8.1 Initial Data 19
1.8.2 Empirical Definition of Reliability and Unreliability 20
1.9 Reliability Evaluation of Series and Parallel Structures 22
1.9.1 The Reliability Block Diagrams 22
1.9.2 The Series Configuration 23
1.9.3 The Parallel Configuration 24
1.9.3.1 Two Equal and Independent Elements 24
1.9.4 M Out of N Functional Configurations 26
1.10 Reliability Functions in Low and High Demand Mode 27
1.10.1 The PFD 28
1.10.1.1 The Protection Layers 29
1.10.1.2 Testing of the Safety Instrumented System 30
1.10.2 The PFDavg 30
1.10.2.1 Dangerous Failures 31
1.10.2.2 How to Calculate the PFDavg 31
1.10.3 The PFH 32
1.10.3.1 Unconditional Failure Intensity w(t) vs Failure Density f (t) 32
1.10.3.2 Reliability Models Used to Estimate the PFH 34
1.11 Weibull Distribution 34
1.11.1 The Probability Density Function 34
1.11.2 The Cumulative Density Function 35
1.11.3 The Instantaneous Failure Rate 36
1.11.4 The Mean Time to Failure 37
1.11.4.1 Example 38
1.12 B10Dand the Importance of T10D39
1.12.1 The BX% Life Parameter and the B10D 39
1.12.1.1 Example 40
1.12.2 How lambdaD and MTTFD are Derived from B10D40
1.12.3 The Importance of the Parameter T10D41
1.12.4 The Surrogate Failure Rate 43
1.12.5 Markov 43
1.13 Logical and Physical Representation of a Safety Function 45
1.13.1 De-energization of Solenoid Valves 45
1.13.2 Energization of Solenoid Valves 46
2 What is Functional Safety 47
2.1 A Brief History of Functional Safety Standards 47
2.1.1 IEC 61508 (All Parts) 48
2.1.1.1 HSE Study 49
2.1.1.2 Safety Integrity Levels 50
2.1.1.3 FMEDA 51
2.1.1.4 High and Low Demand Mode of Operation 52
2.1.1.5 Safety Functions and Safety-Related Systems 53
2.1.1.6 An Example of Risk Reduction Through Functional Safety 54
2.1.1.7 Why IEC 61508 was Written 54
2.1.2 ISO 13849-1 55
2.1.3 IEC 62061 56
2.1.4 IEC 61511 56
2.1.4.1 Introduction 56
2.1.4.2 The Second Edition 57
2.1.4.3 Designing a SIS 58
2.1.4.4 Three Methods 58
2.1.4.5 The Concept of Protection Layers 59
2.1.4.6 The Different Types of Risk 60
2.1.4.7 The Tolerable Risk 60
2.1.4.8 The ALARP Principle 62
2.1.4.9 Hazard and Operability Studies (HAZOP) 64
2.1.4.10 Layer of Protection Analysis (LOPA) 64
2.1.5 PFDavg for Different Architectures 65
2.1.5.1 1oo1 Architecture in Low Demand Mode 65
2.1.5.2 Series of 1oo1 Architecture in Low Demand Mode 66
2.1.5.3 1oo2 Architecture in Low Demand Mode 66
2.1.5.4 1oo3 Architecture in Low Demand Mode 67
2.1.5.5 2oo3 Architecture in Low Demand Mode 67
2.1.5.6 Summary Table 68
2.1.5.7 Example of PFDAvg Calculation 69
2.1.6 Reliability of a Safety Function in Low Demand Mode 70
2.1.7 A Timeline 72
2.2 Safety Systems in High and Low Demand Mode 73
2.2.1 Structure of the Control System in High and Low Demand Mode 73
2.2.1.1 Structure in Low Demand Mode, Process Industry 73
2.2.1.2 Structure in High Demand Mode, Machinery 74
2.2.1.3 Continuous Mode of Operation 74
2.2.2 The Border Line Between High and Low Demand Mode 74
2.2.2.1 Considerations in High Demand Mode 74
2.2.2.2 Considerations in Low Demand Mode 75
2.2.2.3 The Intermediate Region 75
2.3 What is a Safety Control System 76
2.3.1 Control System and Safety System 76
2.3.2 What is Part of a Safety Control System 78
2.3.3 Implication of Implementing an Emergency Start Function 79
2.4 CE Marking, OSHA Compliance, and Functional Safety 80
2.4.1 CE Marking 80
2.4.2 The European Standardization Organizations (ESOs) 81
2.4.3 Harmonized Standards 82
2.4.4 Functional Safety in North America 84
2.4.4.1 The Concept of Control Reliable 85
2.4.4.2 Functional Safety in the United States 86
3 Main Parameters 87
3.1 Failure Rate (lambda) 87
3.1.1 Definition 87
3.1.2 Detected and Undetected Failures 88
3.1.3 Failure Rate for Electromechanical Components 89
3.1.3.1 Input Subsystem: Interlocking Device 89
3.1.3.2 Input Subsystem: Pressure Switch 89
3.1.3.3 Output Subsystem: Solenoid Valve 90
3.1.3.4 Output Subsystem: Power Contactor 90
3.2 Safe Failure Fraction 91
3.2.1 SFF in Low Demand Mode: Pneumatic Solenoid Valve 92
3.2.1.1 Example 93
3.2.2 SFF in High Demand Mode: Pneumatic Solenoid Valve 94
3.2.2.1 Example for a 1oo1 Architecture 94
3.2.2.2 Example for a 1oo2D Architecture 95
3.2.3 SFF and Electromechanical Components 96
3.2.3.1 The Advantage of Electronic Sensors 97
3.2.3.2 SFF and DC for Electromechanical Components 97
3.2.4 SFF in Low Demand Mode: Analog Input 98
3.2.5 SFF and DC in High Demand Mode: The Dynamic Test and Namur Circuits 100
3.2.5.1 Namur Type Circuits 101
3.2.5.2 Three Wire Digital Input 102
3.2.6 Limits of the SFF Parameter 102
3.2.6.1 Example 103
3.3 Diagnostic Coverage (DC) 103
3.3.1 Levels of Diagnostic 105
3.3.2 How to Estimate the DC Value 105
3.3.3 Frequency of the Test 106
3.3.4 Direct and Indirect Testing 106
3.3.4.1 DC for the Component and for the Channel 107
3.3.5 Testing by the Process 108
3.3.6 Examples of DC Values 109
3.3.7 Estimation of the Average DC 111
3.4 Safety Integrity and Architectural Constraints 112
3.4.1 The Starting Point 112
3.4.2 The Systematic Capability 113
3.4.2.1 Systematic Safety Integrity 113
3.4.3 Confusion Generated by the Concept of Systematic Capability 114
3.4.3.1 Random Capability 114
3.4.3.2 Systematic Capability 115
3.4.3.3 ISO 13849-1 115
3.4.4 The Safety Lifecycle 115
3.4.5 The Software Safety Lifecycle 115
3.4.6 Hardware Fault Tolerance 117
3.4.7 The Hardware Safety Integrity 118
3.4.7.1 Type A and Type B Components 118
3.4.8 Route 1H 119
3.4.8.1 Route 1H and Type A Component: Example 119
3.4.8.2 Route 1H and Type B Component: Example 120
3.4.9 High Demand Mode Safety-Related Control Systems 120
3.4.9.1 Example 121
3.4.10 Route 2H 122
3.5 Mean Time to Failure (MTTF) 123
3.5.1 Examples of MTTF Values 123
3.5.2 Calculation of MTTFD and lambdaD for Components from B10D 125
3.5.3 Estimation of MTTFD for a Combination of Systems 125
3.5.3.1 Example for Channels in Series 126
3.5.3.2 Example for Redundant Channels 126
3.6 Common Cause Failure (CCF) 127
3.6.1 Introduction to CCF and the Beta-Factor 127
3.6.2 How IEC 62061 Handles the CCF 128
3.6.3 How ISO 13849-1 Handles the CCF 129
3.7 Proof Test 130
3.7.1 Proof Test Procedures 131
3.7.1.1 Example of a Proof Test Procedure for a Pressure Transmitter 131
3.7.1.2 Example of a Proof Test Procedure for a Solenoid Valve 132
3.7.2 How the Proof Test Interval Affects the System Reliability 133
3.7.2.1 Example 133
3.7.3 Proof Test in Low Demand Mode 134
3.7.3.1 Imperfect Proof Testing and the Proof Test Coverage (PTC) 135
3.7.3.2 Partial Proof Test (PPT) 136
3.7.3.3 Example for a Partial Valve Stroke Test 137
3.7.4 Proof Test in High Demand Mode 138
3.8 Mission Time and Useful Lifetime 139
3.8.1 Mission Time Longer than 20 Years 140
4 Introduction to ISO 13849-1 and IEC 62061 141
4.1 Risk Assessment and Risk Reduction 141
4.1.1 Cybersecurity 141
4.1.2 Protective and Preventive Measures 143
4.1.3 Functional Safety as Part of the Risk Reduction Measures 144
4.1.4 The Naked Machinery 146
4.2 SRP/CS, SCS, and the Safety Functions 146
4.2.1 SRP/CS and SCS 146
4.2.2 The Safety Function and Its Subsystems 147
4.2.3 The Physical and the Functional Level 147
4.3 Examples of Safety Functions 149
4.3.1 Safety-Related Stop 149
4.3.2 Safety Sub-Functions Related to Power Drive Systems 149
4.3.2.1 Stopping Functions 149
4.3.2.2 Monitoring Functions 151
4.3.2.3 Information to be Provided by the PDS Manufacturer 152
4.3.3 Manual Reset 152
4.3.3.1 Multiple Sequential Reset 154
4.3.3.2 How to Implement the Reset Electrical Architecture 154
4.3.4 Restart Function 154
4.3.5 Local Control Function 154
4.3.6 Muting Function 154
4.3.7 Operating Mode Selection 155
4.4 The Emergency Stop Function 156
4.5 The Reliability of a Safety Function in High Demand Mode 157
4.5.1 PFHD and PFH 157
4.5.2 The Performance Level 157
4.5.3 The Safety Integrity Level 158
4.5.4 Relationship Between SIL and PL 158
4.5.5 Definition of Harm 159
4.6 Determination of the Required PL (PLr) According to ISO 13849-1 159
4.6.1 Risk Parameters 160
4.6.1.1 S: Severity of Injury 160
4.6.1.2 F: Frequency and/or Exposure Time to Hazard 160
4.6.1.3 P: Possibility of Avoiding Hazard or Limiting Harm 160
4.6.1.4 An Example on How to Use the Graph 161
4.7 Rapex Directive 162
4.8 Determination of the Required SIL (SILr) According to IEC 62061 163
4.8.1 Risk Elements and SIL Assignment 164
4.8.2 Severity (Se) 165
4.8.3 Probability of Occurrence of Harm 165
4.8.3.1 Frequency and Duration of Exposure (Fr) 165
4.8.3.2 Probability of Occurrence of a Hazardous Event (Pr) 166
4.8.3.3 Probability of Avoiding or Limiting the Harm (Av) 166
4.8.3.4 Example of the Table Use 167
4.9 The Requirements Specification 167
4.9.1 Information Needed to Prepare the SRS or the FRS 167
4.9.2 The Specifications of All Safety Functions 168
4.10 Iterative Process to Reach the Required Reliability Level 169
4.11 Fault Considerations and Fault Exclusion 170
4.11.1 How Many Faults Should be Considered? 170
4.11.2 Fault Exclusion and Interlocking Devices 170
4.11.2.1 Fault Exclusion Applied to Interlocking Devices 170
4.11.2.2 Fault Exclusion on Pre-defined Subsystems 172
4.11.2.3 Fault Exclusion Made by the Machinery Manufacturer 172
4.11.2.4 Types of Guard Locking Mechanism 173
4.11.2.5 What Are the Safety Signals in an Interlocking Device with Guard Lock? 174
4.11.2.6 What Safety Functions are Associated to a Guard Interlock 174
4.11.3 Other Examples of Fault Exclusions 175
4.11.3.1 Short Circuit Between any Two Conductors 175
4.11.3.2 Welding of Contact Elements in Contactors 176
4.12 International Standards for Control Circuit Devices 177
4.12.1 Direct Opening Action 177
4.12.1.1 Direct and Non-Direct Opening Action 179
4.12.2 Contactors Used in Safety Applications 179
4.12.2.1 Power Contactors 179
4.12.2.2 Auxiliary Contactors 180
4.12.2.3 Electromechanical Elementary Relays 181
4.12.3 How to Avoid Systematic Failures in Motor Branch Circuits 182
4.12.3.1 How to Protect Contactors from Overload and Short Circuit 182
4.12.3.2 Contactor Reliability Data 183
4.12.4 Implications Coming from IEC 60204-1 and NFPA 79 184
4.12.4.1 Wrong Connection of the Emergency Stop Button 185
4.12.4.2 Situation in Case of Two Faults: Again a Wrong Connection! 185
4.12.4.3 Correct Wiring and Bonding in a Control Circuit 186
4.12.5 Enabling and Hold to Run Devices 186
4.12.5.1 Enabling Devices 186
4.12.5.2 Hold to Run Device 189
4.12.6 Current Sinking and Sourcing Digital I/O 190
4.13 Measures for the Avoidance of Systematic Failures 192
4.13.1 The Functional Safety Plan 192
4.13.2 Basic Safety Principles 193
4.13.2.1 Application of Good Engineering Practices 193
4.13.2.2 Use of De-energization Principles 193
4.13.2.3 Correct Protective Bonding (Electrical Basic Safety Principle) 193
4.13.3 Well-Tried Safety Principles 194
4.13.3.1 Positively Mechanically Linked Contacts 194
4.13.3.2 Fault Avoidance in Cables 194
4.14 Fault Masking 195
4.14.1 Introduction to the Methodology 195
4.14.1.1 Redundant Arrangement with Star Cabling 195
4.14.1.2 Redundant Arrangement with Branch Cabling 196
4.14.1.3 Redundant Arrangement with Loop Cabling 196
4.14.1.4 Single Arrangement with Star Cabling 197
4.14.1.5 Single Arrangement with Branch Cabling 198
4.14.1.6 Single Arrangement with Loop Cabling 198
4.14.2 Fault Masking Example: Unintended Reset 199
4.14.3 Methodology for DC Evaluation 200
4.14.3.1 The Simplified Method 200
4.14.3.2 Regular Method 201
4.14.3.3 Example 201
5 Design and Evaluation of Safety Functions 205
5.1 Subsystems, Subsystem Elements, and Channels 205
5.1.1 Subsystems 205
5.1.2 Subsystem Element and Channel 205
5.1.3 Decomposition of a Safety Function 207
5.1.4 Definition of Device Types 208
5.1.4.1 Device Type 1 208
5.1.4.2 Device Type 2 208
5.1.4.3 Device Type 3 208
5.1.4.4 Device Type 4 208
5.1.4.5 Implication for General Purpose PLCs 209
5.2 Well-Tried Components 210
5.2.1 List of Well-Tried Components 211
5.2.1.1 Mechanical Systems 211
5.2.1.2 Pneumatic Systems 211
5.2.1.3 Hydraulic Systems 212
5.2.1.4 Electrical Systems 212
5.3 Proven in Use and Prior Use Devices 214
5.3.1 Proven in Use 214
5.3.2 Prior Use Devices 215
5.3.3 Prior Use vs Proven in Use 215
5.4 Use of Process Control Systems as Protection Layers 215
5.5 Information for Use 216
5.5.1 Span of Control 216
5.5.2 Information for the Machinery Manufacturer 217
5.5.3 Information for the User 217
5.6 Safety Software Development 218
5.6.1 Limited and Full Variability Language 218
5.6.2 The V-Model 219
5.6.3 Software Classifications According to IEC 62061 220
5.6.3.1 Software Level 1 221
5.6.3.2 Software Safety Requirements for Level 1 222
5.6.3.3 Software Design Specifications for Level 1 222
5.6.3.4 Software Testing for Level 1 223
5.6.3.5 Validation of Safety-Related Software 223
5.6.4 Software Safety Requirements According to ISO 13849-1 223
5.6.4.1 Requirements When SRASW is Developed with LVL 224
5.6.4.2 Software-Based Manual Parameterization 225
5.7 Low Demand Mode Applications in Machinery 226
5.7.1 How to Understand if a Safety System is in High or in Low Demand Mode 226
5.7.1.1 Milling Machine 226
5.7.1.2 Industrial Furnaces 226
5.7.2 Subsystems in Both High and Low Demand Mode 227
5.7.3 How to Address Low Demand Mode in Machinery 230
5.7.4 Subsystems Used in Both High and Low Demand Mode 230
5.7.5 How to Assess "Mixed" Safety Systems: Method 1 231
5.7.5.1 How to Estimate the Failure Rate of the Shared Subsystem 231
5.7.5.2 Relationship Between PFDavg and PFHD 231
5.7.5.3 Safety Functions 1 with a Shared Subsystem: Method 1 232
5.7.5.4 Safety Functions 2 with a Shared Subsystem: Method 1 233
5.7.6 How to Assess "Mixed" Safety Systems: Method 2 235
5.7.6.1 How the Method Works 235
5.7.6.2 Safety Function 2 with a Shared Subsystem: Method 2 236
6 The Categories of ISO 13849-1 237
6.1 Introduction 237
6.1.1 Introduction to the Simplified Approach 238
6.1.2 Physical and Logical Representation of the Architectures 239
6.1.3 The Steps to be Followed 240
6.2 The Five Categories 241
6.2.1 Introduction 241
6.2.2 Category B 241
6.2.3 Category 1 242
6.2.3.1 Example of a Category 1 Input Subsystem: Interlocking Device 242
6.2.4 Category 2 243
6.2.5 Markov Modelling of Category 2 245
6.2.5.1 The OK State 245
6.2.5.2 From the OK State to the Failure State 246
6.2.5.3 From the Failure State to the Hazardous Event 247
6.2.5.4 Other States in the Transition Model 248
6.2.5.5 The Simplified Graph of the Markov Modelling 248
6.2.5.6 The Importance of the Time-Optimal Testing 249
6.2.5.7 1oo1D in Case of Time-Optimal Testing 249
6.2.6 Conditions for the Correct Implementation of a Category 2 Subsystem 250
6.2.7 Examples of Category 2 Circuits 251
6.2.7.1 Example of Category 2 - PL c 251
6.2.7.2 Example of Category 2 - PL d 252
6.2.7.3 Example of a Category 2 with Undervoltage Coil 253
6.2.8 Category 3 254
6.2.8.1 Diagnostic Coverage in Category 3 255
6.2.8.2 Example of Category 3 for Input Subsystem: Interlocking Device 256
6.2.8.3 Example of Category 3 for Output Subsystem: Pneumatic Actuator 258
6.2.9 Category 4 260
6.2.9.1 Category 4 When the Demand Rate is Relatively Low 260
6.2.9.2 Example of a Category 4 Input Subsystem: Emergency Stop 261
6.2.9.3 Example of Category 4 for Output Subsystems: Electric Motor 262
6.3 Simplified Approach for Estimating the Performance Level 263
6.3.1 Conditions for the Simplified Approach 263
6.3.2 How to Calculate MTTFD of a Subsystem 264
6.3.3 Estimation of the Performance Level 264
6.3.3.1 The Simplified Graph 265
6.3.3.2 Table K.1 in Annex K 265
6.3.3.3 The Extended Graph 270
6.4 Determination of the Reliability of a Safety Function 270
7 The Architectures of IEC 62061 273
7.1 Introduction 273
7.1.1 The Architectural Constraints 273
7.1.2 The Simplified Approach 275
7.1.2.1 Differences with ISO 13849-1 275
7.1.2.2 How to Calculate the PFHD of a Basic Subsystem Architecture 275
7.1.3 The Avoidance of Systematic Failures 275
7.1.4 Relationship Between lambdaD and MTTFD 276
7.2 The Four Subsystem Architectures 277
7.2.1 Repairable vs Non-Repairable Systems 277
7.2.2 Basic Subsystem Architecture A: 1oo1 277
7.2.2.1 Implications of the Architectural Constraints in Basic Subsystem Architecture A 277
7.2.2.2 Example of a Basic Subsystem Architecture A 278
7.2.3 Basic Subsystem Architecture B: 1oo2 278
7.2.3.1 Implications of Architectural Constraints in Basic Subsystem Architecture B 279
7.2.3.2 Example of a Basic Output Subsystem Architecture B: Electric Motor 279
7.2.4 Basic Subsystem Architecture C: 1oo1D 281
7.2.4.1 Conditions for a Correct Implementation of Basic Subsystem Architecture C 282
7.2.4.2 Basic Subsystem Architecture C with Fault Handling Done by the SCS 283
7.2.5 Basic Subsystem Architecture C with Mixed Fault Handling 283
7.2.5.1 PFHD in Case of Four Conditions Satisfied 285
7.2.5.2 PFHD in Case One of the Four Conditions is Not Satisfied 286
7.2.5.3 Implications of the Architectural Constraints in Basic Subsystem Architecture C 286
7.2.6 Example of a Basic Subsystem Architecture C 287
7.2.7 Alternative Formula for the Basic Subsystem Architecture C 289
7.2.8 Basic Subsystem Architecture D: 1oo2D 290
7.2.8.1 Implications of the Architectural Constraints in Basic Subsystem Architecture D 291
7.2.8.2 Example of Input Basic Subsystem Architecture D: Emergency Stop 291
7.2.8.3 Example of Input Basic Subsystem Architecture D: Interlocking Device 292
7.2.8.4 Example of a Basic Subsystem Architecture D Output 293
7.3 Determination of the Reliability of a Safety Function 295
8 Validation 297
8.1 Introduction 297
8.1.1 Level of Independence of People Doing the Validation 298
8.1.2 Flow Chart of the Validation Process 299
8.2 The Validation Plan 299
8.2.1 Fault List 299
8.2.2 Validation Measures Against Systematic Failures 301
8.2.3 Information Needed for the Validation 301
8.2.4 Analysis and Testing 301
8.2.4.1 Analysis 301
8.2.4.2 Testing 302
8.2.4.3 Validation of the Safety Integrity of Subsystems 303
8.2.4.4 Validation of the Safety-related Software 304
8.2.4.5 Software-based Manual Parameterization 304
9 Some Final Considerations 307
9.1 ISO 13849-1 vs IEC 62061 307
9.2 High vs Low-Demand Mode Applications 308
9.3 The Importance of Risk Assessment 309
9.3.1 Principles of Safety Integration 310
9.3.1.1 The Glass Dome 311
9.3.2 How to Run a Risk Assessment 311
Bibliography 313
Index 317
Marco Tacchini is Technical Director and owner of the consulting company GT Engineering, based in Brescia, Italy, which specializes in CE Marking, risk assessment, and risk reduction of machineries. Marco is a member of several technical committees that define Functional Safety Standards, including:
* ISO/TC 199 WG 8 for ISO 13849-1: Safe Control Systems
* TC 44/MT 62061 for IEC 62061: Safe control systems for machinery
* TC 65/SC 65A/MT 61511 for IEC 61511: Safety instrumented systems for the process industry
* TC 65/SC 65A/MT 61508-1-2 for IEC 61508: Maintenance of IEC 61508-1, -2, -3,-4, -5, -6 and 7
He leads short courses on functional safety at Brescia Engineering University and Milan Polytechnique.
* ISO/TC 199 WG 8 for ISO 13849-1: Safe Control Systems
* TC 44/MT 62061 for IEC 62061: Safe control systems for machinery
* TC 65/SC 65A/MT 61511 for IEC 61511: Safety instrumented systems for the process industry
* TC 65/SC 65A/MT 61508-1-2 for IEC 61508: Maintenance of IEC 61508-1, -2, -3,-4, -5, -6 and 7
He leads short courses on functional safety at Brescia Engineering University and Milan Polytechnique.
