STSARCES project - final report -part 1

1.                  INTRODUCTION

1.1.            Objective

STSARCES (Standards for Safety-Related Complex Electronic Systems) was funded by the European Commission in answer to a dedicated call for proposals for research in support to European standardisation, initiated by CEN/CENELEC, and issued by the « Standard, Measurementt and Testing » Programme in 1996, to examine the validation[1] aspects of safety-related parts of control systems for machinery with regard to the problems encountered with modern electronic and programmable electronic technologies. This research was focused upon the development, or completion, of knowledge regarding validation techniques for both hardware and software elements of a machine control system in the context of the Machinery Directive (98/37/EC) and its implementing Regulations.

This research was carried out by a partnership of eleven organisations through completion of five work-packages (WPs) on a range of related issues, including software and hardware validation. The objective was to assist in the development of an emerging standard, prEN 954-2 ‘Safety of machinery – Safety-related parts of control systems – Part 2. Validation’ by production of an document which describes proposed harmonised validation methods.

Pr EN 954-2 is a draft European standard that provides details of the measures and techniques that should be applied in order to validate the safety-related parts for all technologies applied of control systems for machinery. This proposed standard relates to safety-related parts designed in accordance with the general principles set out in EN 954-1 : 1996 ‘Safety of machinery – Safety-related parts of control systems – Part 1. General principles for design’.

A constraint imposed upon any validation methods developed from this research programme was that attention should be given to prevent divergence from the requirements of IEC 61508 ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’. This was necessary since IEC 61508 has basic safety publication status and its principles may be preferable to those of EN 954 for electrotechnical aspects of safety-related complex electronic systems for machinery control.

INERIS, coordinator of the STSARCES project, and the following organisations participated in the research programme :

  • INERIS (Institut National de l’Environnement Industriel et des Risques, of France)
  • BIA (Berufsgenossenschaftliches Institut fur Arbeitssicherheit, of Germany)
  • HSE (Health & Safety Executive, of United Kingdom)
  • INRS (Institut National de Recherche et de Sécurite, of France)
  • VTT (Technical Research Centre, of Finland)
  • CETIM (Centre Technique des Industries Mecaniques, of France)
  • INSHT (Instituto Nacional de Seguridad e Higiene en el Trabajo, of Spain)
  • JAY (Jay Electronique SA, of France)
  • SP (Swedish National Testing and Research Institute, of Sweden)
  • TUV (TUV Product Service GMBH, of Germany)
  • SICK AG (SICK AG Safety Systems Division, of Germany)

The research programme work-packages were assigned as :

·       Work-package 1 : Software safety (leader – INRS)

  • WP 1.1 Software engineering tasks : CASE tools (CETIM)
  • WP 1.2 Tools for software faults avoidance (INRS)

·       Work-package 2 : Hardware safety (leader – BIA)

  • WP 2.1 Quantitative analysis (BIA)
  • WP 2.2 Methods for fault detection (SP)

·       Work-package 3 : Safety validation of complex components (leader – VTT)

  • WP 3.1 Validation by analysis (VTT)
  • WP 3.2 Intercomparison white-box/black-box tests (INSHT)
  • WP 3.3 Validation tests (TÜV)

·       Work-package 4 : Link between the EN 954 and IEC 61508 standards (leader – HSE)

·       Work-package 5 : Innovative technologies and designs (leader – INERIS)

  • Operational partners : Industrial JAY and test-house INERIS


1.2.            What are complex electronic systems ?

The Machinery Directive (98/37/EC), which covers components that are separately supplied to fulfil a safety function, and EN 292 : 1991 ‘Safety of machinery – Basic concepts, general principles for design’ are, in general, based upon established practices in machine control system design, such as guard or power interlocking, where personnel may access hazardous areas for tasks such as setting, tool changing and maintenance. These safeguards are commonly designed and implemented at the machine after its basic control system design has been completed. This retrospective application of safeguards was (and remains) a practicable solution whenever there was an adequate degree of independence from the machines control system.

However, this approach to machinery safety has been shown to be less viable with the emergence of electronic and programmable electronic solutions (generically referred to as ‘complex electronic systems’ for the STSARCES Project) which have to be more closely integrated within the design of a machines control system. The safety-related control systems that implement these solutions often comprise a range of devices/components and electrical/electronic technologies.

These complex electronic systems may be characterised as machine control systems in which :

  • the failure mode of at least one constituent device or component is not well defined ; or
  • the behaviour of the device or component under fault conditions cannot be completely determined ; or
  • there is insufficient dependable failure data (from field experience) to support claims for rates of failure for detected and undetected dangerous failures of the device or component.

An example of a ‘complex’ electronic systems are presence detection, speed and motion control schemes at a numerically controlled (NC) machine. This may involve a programmable electronic based machine controller that performs designated safety and non-safety functions.

This controller may be capable of processing the input signals received from motion control devices (or sensors) installed adjacent to the dangerous rotating or moving shafts and transmitting an output signal to actuating devices, such as a power drive system (which may be a complex electronic system in its own right) in order to reduce (or stop) the speed or motion to a safe level.

1.3.            Problems to solve

Complex electronic and programmable electronic devices and components, such as large scale (LSI) and very large scale integrated (VLSI) circuits, application specific integrated circuits (ASICs), programmable logic controllers (PLCs), microcontrollers, etc, are increasingly being used in safety-related functions implemented by machine control systems.

The safety performance of such devices and components, whether as individual parts or in combination as a complete safety-related system, has been found difficult to establish in practice. This is primarily a result of the fundamental characteristics of a complex electronic system, which make it difficult to establish that its final implementation satisfies the necessary functional or safety performance requirements by testing a machine.

Consequently, it has been found that testing has to be supplemented by analysis of the design of the complex safety-realed electronic system used in machinery control to properly evaluate the safety performance of its hardware and software elements. There are a variety of measures and techniques for this design analysis based on quantitative and qualitative methodologies which may be used by machinery manufacturers and test houses.

Most established techniques and measures, such as fault tree and failure mode and effects analyses, have merit when used in combination with conventional testing philosophies for complex safety-related electronic systems. The difficulty for practitioners is in determining which measures may be suitable for particular machinery applications and in achieving consistency in their use.

These difficulties have to some extent been addressed by existing and emerging standards considered by the STSARCES Project.

1.4.            EN 954-1 & IEC 61508

The STSARCES Project has included a comparison of the methodologies and requirements of two standards : IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) and EN 954 (Safety of machinery - Safety related parts of control systems). This was carried out to determine how different are the requirements of these two standards for complex electronic and programmable electronic technologies when applied to machinery control systems.

Both standards propose a structured approach towards the design of safety-related control systems but differ in that EN 954 is designed to address all types of control system technologies whilst draft IEC 61508 has been primarily (but not exclusively) designed to apply to electrical, electronic and programmable electronic (referred to as E/E/PE) based safety-related control systems. The standards require that the safety-related functions of the control system are classified: IEC 61508 requires that the safety-related functions performed by a machine’s control system be allocated a safety integrity level whilst EN 954 uses the concept of safety performance and places the system into one of five categories. There is a significant difference in the way that the safety integrity levels and categories are derived and defined and it is the problems that this difference causes that have been considered, especially as the two classifications were compared with a view to developing a strategy to link them.

IEC 61508 uses a safety lifecycle approach to ensure that the design of a safety control system is systematically carried out. This lifecycle approach is examined in the project to establish whether it would be suitable for the design of machinery control systems.

1.5.            View of test houses

Certified safety-related CES are on the market today also in the machinery sector. Despite today there is no harmonised validation procedure for CES the following remarks can be made :

  • The use of CES for safety-related control systems has for some time also been the advanced state of the art for the machine sector.
  • There have been no accidents with the certified machines and safety devices which are attributable to programmable electronic technology in control unit.
  • In view of the large number of different applications in practical use and the encouragingly low accident rate, it can be stated that CES have also proven themselves as a safety technology in mechanical engineering and, furthermore, that they often permit entirely new protection concepts.
  • The expenditure for development on the part of the manufacturer and for validation by a testing body are usually different than those for classical control technologies. The challenge is to assure safety as well as high availability despite of high complexity. The greater flexibility, the lower production costs, the frequently lower maintenance requirement and the greater reliability compensate for the extra costs.
  • Almost all manufacturers involved in certification processes had to make conceptual changes during development because, in some cases, serious weaknesses became apparent in the course of validation.
  • Often only manufacturers involved in certification procedures with many years of experience in classical safety control systems had the sufficient know-how to develop acceptable CES solutions. Other manufacturers who were tackling safety applications for the first time were frequently unable to produce acceptable solutions.
  • The idea of specifying validation procedures for PES in standards so rigidly that every body and every person always comes to the same result in every part of the validation appears to be exaggerated in view of the complexity of the subject being dealt with. Even IEC 61508, with its more than 300 pages, prepared by selected international experts, is no guarantee for that. There is a technical limit to standardisation here which leads to the serious question of whether we should not be satisfied with a framework for a harmonised validation procedure.

As can be seen by these remarks European test houses need to give constructive answers to the validation of safety-related CES. Validation procedures are developed and there are several test houses who certify safety-related CES according to the machinery directive. There is still a lack of harmonisation between the different test houses working in that field. This final report of the European Project ”Standards for Safety-Related Complex Electronic Systems” will develop a framework for a harmonised validation procedure which should be standardised by CEN/CENELEC.