Is TÜV Rheinland FS Engineer certification relevant?

In recent years there has been a large increase in certified safety engineers, but are these certifications necessary or even relevant?

The international safety standards such as IEC 61508 require people involved with safety systems to have the appropriate competence. Part of being competent is demonstrating the required understanding of standards, theory and technology; however, the standard doesn't specify a particular qualification.

This is where certification courses can come into play. There are multiple certification courses available; however, the TÜV Rheinland FS Engineer course has become the most widespread in Australia and New Zealand. The certification is globally accepted, with over 6100 certified TÜV Rheinland FS Engineers around the world, around six times more than any other certification program.

The TÜV Rheinland FS Engineer course is available to engineers (or those with an equivalent qualification) with at least three years of functional safety experience. There are five streams of the certification:
  1. Safety Instrumented Systems
  2. HW/SW Design acc. to IEC 61508
  3. Functional Safety of Machinery
  4. Automotive – Systems Design acc. to ISO 26262 and IEC 61508
  5. Process Hazard and Risk Analysis (Starting in May 2013)
As functional safety becomes more prevalent in both Process and Machine Safety, these certifications will be an essential starting point for ensuring personnel are competent.


Editor’s note: NHP employs three TÜV certified staff, including Craig, the author of this blog.

Published: 9 December 2013

What are Basic Safety Principles for Machine Safety?

Basic Safety Principles are fundamental requirements for all safety systems. From Category B to 4, Basic Safety Principles are the first step in building reliable systems. Do you pay attention to Basic Safety Principles when designing your safety systems?

Let's have a look at some common Basic Safety Principles in the below diagram of a circuit. Here we can see protection of the control circuits, the de-energisation principle, protection against unexpected start-up, transient suppression and sequential switching.

As you can see, the circuit above shows a common safety interlock system with some of the Basic Safety Principles highlighted. These have been explained below:
  • De-energisation principle – This principle dictates that the safe state should always be initiated by the contact opening, voltage going low, output opening, pressure lowering, etc. This principle ensures that a loss of energy will default the system to a safe state when possible.
  • Protection of the control circuits – The control circuits should have all relevant protection to ensure that any supply faults can’t cause the system to fail in a dangerous state.
  • Transient Suppression – Transient suppression should be used in parallel with all loads. This will reduce the chance of transient voltages affecting the safety system.
  • Sequential Switching – Timing the outputs so that one switching device always operates without current will reduce the chance of common mode failure.
  • Protection against unexpected start-up – The system should be designed to avoid unexpected start-ups.
The above are some examples of Basic Safety Principles that are relevant for electrical systems. The full list can be found in Table D1 of AS 4024.1502-2006. Basic Safety Principles for mechanical, hydraulic and pneumatic systems can also be found in the Appendix sections of this standard.

Published: 3 October 2013

Pointers on MTTF, MTBF, MTTFd and Availability

Some common questions have started coming up as customers increasingly design their safety systems to SIL or PL. Both of these design methods require reliability data on the components that make up the safety system. There are many acronyms floating around and some common misconceptions about their definitions. Here are some explanations that may help you out:

MTTF – Mean Time To Failure
As the name suggests, this metric is the average time until a component fails, based on reliability data or testing results.

MTBF – Mean Time Between Failures
This metric is sometimes assumed to be equal to the MTTF. However, the average time between failures also includes the MTTR (Mean Time To Repair), thus: MTBF = MTTF + MTTR.
If the component has a very long expected life compared to the MTTR, then the MTTF and MTBF will be very similar.

The relationship between these values determines the availability of the component:
Availability = MTTF/MTBF
As availability approaches 1, the device spends a greater fraction of its time operational. The smaller the MTTR relative to the life of the component, the closer the availability gets to the ideal value of 1.

What's the difference between MTTFd and MTTF?
So what about the value MTTFd? Is this the same as MTTF? The answer is no: MTTFd only considers dangerous failures of the component.

For example: if an E-Stop contact needs to open to initiate a safe stop, MTTFd will only consider the failures that cause the contact to remain closed. MTTF, however, would consider failures that cause the contact to remain either open or closed.

In general, if you can source one of MTTFd or MTTF, but you require the other value, there is a relationship that can be used to calculate the metric you require:
Hopefully this clears up any confusion you have about these reliability metrics.
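As an added worked example (not part of the original post), the following Python takes a constructed failure log for a normally-closed E-Stop contact, separates dangerous failures (contact stuck closed, so it cannot initiate the stop) from safe ones (contact stuck open), and computes MTTF, MTTR, MTBF, availability and MTTFd from the same data. The sample hours and the `stuck_closed`/`stuck_open` mode names are constructed for illustration.

```python
"""Reliability metrics from a constructed failure log of a normally-closed
E-Stop contact: MTTF, MTTR, MTBF, availability and MTTFd (dangerous only)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRecord:
    """One observed failure (constructed sample data, not field data)."""
    hours_to_failure: float   # operating hours from return to service until failure
    hours_to_repair: float    # downtime until the contact is back in service
    mode: str                 # 'stuck_closed' (dangerous) or 'stuck_open' (safe)


# A contact that sticks CLOSED cannot open to initiate the safe stop, so only
# that mode defeats the safety function and counts towards MTTFd.
DANGEROUS_MODES = frozenset({"stuck_closed"})

SAMPLE_LOG = [  # constructed: four failures, one of them dangerous
    FailureRecord(42000.0, 4.0, "stuck_open"),
    FailureRecord(38000.0, 6.0, "stuck_closed"),
    FailureRecord(50000.0, 2.0, "stuck_open"),
    FailureRecord(30000.0, 8.0, "stuck_open"),
]


def mttf(log):
    """Mean Time To Failure: every failure counts, safe or dangerous."""
    return sum(r.hours_to_failure for r in log) / len(log)


def mttr(log):
    """Mean Time To Repair: average downtime per failure."""
    return sum(r.hours_to_repair for r in log) / len(log)


def mtbf(log):
    """Mean Time Between Failures also includes the repair time: MTTF + MTTR."""
    return mttf(log) + mttr(log)


def availability(log):
    """Availability = MTTF / MTBF; tends to 1 as MTTR becomes negligible."""
    return mttf(log) / mtbf(log)


def mttfd(log, dangerous_modes=DANGEROUS_MODES):
    """Mean Time To dangerous Failure: all operating hours accumulate, but only
    failures in a dangerous mode count, so MTTFd is never below MTTF.
    With no dangerous failure observed the estimate is unbounded (inf)."""
    dangerous = sum(1 for r in log if r.mode in dangerous_modes)
    operating_hours = sum(r.hours_to_failure for r in log)
    return operating_hours / dangerous if dangerous else math.inf
```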

Published: 19 August 2013

What Level of Diagnostics is required for Machine Safety Systems?

When designing machine safety control systems, what level of diagnostics is appropriate? This seems to be an issue that causes confusion and inconsistency throughout the industry.

For example, if the safety system is being designed to Safety Category 3 (according to AS 4024.1501), the requirement is as follows:

“Whenever reasonably practicable the single fault should be detected… some but not all faults will be detected”

Not surprisingly, these requirements have led to many interpretations of what diagnostics should be implemented for Category 3. The application that causes most confusion is when the safety system is monitoring multiple guard doors. Can these guard doors be connected in series? If so, how many? What criteria need to be considered?

Up until now there hasn’t been any appropriate guidance on how wiring guard doors in series degrades the level of diagnostics and what level is acceptable for the Safety Category.

New machine safety standards have now been developed to assist the designer. ISO 13849.1 is a standard that provides a method for the designer to quantify the diagnostics of their safety system, using a measure called Diagnostic Coverage (DC). Each Safety Category will have specific requirements for the DC and the designer will know exactly what level of diagnostics is required for their system.

ISO 13849.1 is a current international standard that can be sourced for your reference and this international standard will be adopted into AS 4024 in the next revision. This will provide better guidance for safety system designers in the Australian Standard.

Published: 19 June 2013

Are Safety Categories Obsolete?

Have you heard that Safety Categories are a thing of the past? That changing international standards have rendered Safety Categories redundant since the start of 2012? And that all new safety control systems for machinery must be designed to Performance Levels (PL) or Safety Integrity Levels (SIL)?

If so, here is some more information on the matter:

Yes, international standards have now moved to probabilistic methods, with two current standards as the options:
  1. IEC 62061 – Highly mathematical method where safety control systems are designed to a Safety Integrity Level (SIL)
  2. ISO 13849.1 2008 – Method based on the architecture of Safety Categories where safety control systems are designed to a Performance Level (PL)
However, Australian Standard AS 4024.1501 is a current machine safety standard where safety control systems can be designed to a Safety Category. So if you are comfortable using Safety Categories, you can continue to use this standard.

It is true that AS 4024.1 will eventually be updated to reflect current international standards, but AS 4024.1501 will remain unchanged for at least the next 3-4 years.

In my opinion, for simple safety systems (i.e. systems using devices such as safety relays), Safety Categories are a good option that will result in a high level of integrity. If software is being designed, I would recommend following the software lifecycles available in IEC/AS 62061 or ISO 13849.1.
Be aware, however, that our Australian Standards will eventually transition to these probabilistic methods, though not in the immediate future.

Published: 4 April 2013

Is Work Health and Safety Harmonisation Still Alive?

In July 2008, an agreement was reached between the Commonwealth and all states and territories within Australia except Western Australia (WA) to begin the process of harmonising Australia’s work health and safety laws. This new model was aimed at reducing red tape and compliance costs for businesses that operate in multiple states. The umbrella laws would also provide workers with equal levels of safety across the nation as well as recognising their licensing and training nationally.

Fast forward to 2013 and what is the state of play? We now have Queensland, Northern Territory, New South Wales, ACT, South Australia and Tasmania all adopting the harmonised model. This leaves just WA and Victoria out of the loop.

WA is still committed to the process and has completed its draft WHS, which is expected to be implemented in 2013. WA also started public consultation on the Regulations in August 2012 and will be working through this process in 2013.

This leaves Victoria. The last communication on the WorkSafe website stated that Victoria would not adopt the national legislation. The reason for this stance is an expected $3.4 billion cost over five years with no perceived benefit in terms of safety levels.

So what does this mean for harmonisation? Do you believe it will still be successful without the involvement of Victoria? Do you believe that Victoria will eventually join the rest of the states and adopt national safety legislation or stay with their own set of rules?

Published: 31 January 2013