STSARCES project - final report - part 6

6.                  CONCLUSIONS

The objectives of the project plan have been more than totally answered. Not only preliminary results were already transfered to CEN/TC114 in 1999 in order to speed-up amendments of EN 954-1 and improvments to EN 954-2, which was the initial objective, but also essential tools based on the generic IEC 61508 were adapted to the specific machinery sector needs.

As a direct consequence, the more recent project of standard IEC 62061, not yet launched at the kick-off time of this project, has also already benefited from it.

An important contribution of the project deals with safety-related software development and validation techniques.

A major contribution has introduced modelling techniques and probabilistic assessment methods of dangerous failure rates and of suited architectures to achieve risk reduction. Markov models are one of the evaluation techniques dealt with during the STSARCES project. Concerning online tests performed automatically within a safety system, the immense influence of the diagnostic coverage could be demonstrated. The other aspect is the appropriate diagnostic test interval for a particular system architecture and application. EN 954‑1 does not supply sufficient information on this topic. For a category 2 system its clause 6.2.3 is just requiring checks by the machine control system "at suitable intervals" without explaining what is "suitable". The test intervals of systems claiming for category 3 or 4 are not either specified in this standard.

Help can be provided by the Markov approach. By implementing a new feature in the Markov models we have been able to deliver some useful information concerning the adequate diagnostic test interval. It turned out that single channel systems and multiple channel systems are behaving quite different.

Interesting findings are described establishing a relationship between sufficient online test rates and the MTTFd of one of the redundant channels. They provide advice for the system designer as well as hints for the person carrying out the evaluation (for more detailed information on this topic see chapters 5.3. and 6.3 of Annex 6).

Comprehensive links could also be established between the category concept (EN 954 approach) and SILs (IEC 61508 approach) for given architectures and realistic reliability data.

6.1.            Contribution of STSARCES to the EN954

The EN 954 standard is made of a part 1 (harmonised standard since 1996), of a user’s guide FD CR 954-100 (harmonised in 1999), of a project of standard pr 954-2 (at the level of a CEN enquiry procedure) and of a project of revision of the standard EN 954-1.

During the two last years, in the course of the meetings of the Joint Working Group in charge of the EN 954, the STSARCES progress reports have been commonly used as an important input when one is drafting a requirement or a validation procedure concerning safety functions based on PES (Programmable Electronic Systems).

By lack of decisive knowledge, authors of the EN 954-2 were led to note and to write down the following :

  • In control systems where the provision of the safety functions incorporates PES, it is inadequate to use only categories if :
    • the safety function of the control system relies solely on PES,
    • or the structure of the control system is complex,
    • or the contribution to the risk reduction at the machine is high.

In which case additional factors, eg systematic faults should also be taken into account faults (scope of EN 954-2).

  • In a note, the CEN/TC 114-CLC/TC44X-JWG6 proposes to process this question through the amendment to EN 954-1 (1996).

It is at the level of the amendment of Part 1, where results of the STSARCES Project are wished impatiently because the software aspects (systematic faults) need to be introduce in the concept of the categories when PES are category 2, 3 or 4.

It is also indicated in the amendment that a machine application standard derived from the published IEC 61508 standard is under preparation by the IEC/TC 44/WG7 (here the basic concept is the Safety Integrity Level or ‘SIL’).

STSARCES results will allow defining credible and understandable links between categories (EN 954) and SILs in the draft IEC 62061. This connection is indispensable during the design and development phases of control circuits for the machinery which make use of mechanical components as well as hydraulic or pneumatic and electro-mechanical ones, based on the category concept, and also PES, better characterised by the concept of SIL.

A part of the WP4 results (a study of the links and divergences between IEC 61508 and EN 954, HSE, WP4 Task 1) has already been communicated in 1999 to the JWG6 and the presentation of the WP2.1 results is also wait for (Quantitative Analysis of Complex Electronic Systems using Fault Tree Analysis and Markov Modelling).

Experts involved in standardisation are convinced that STSARCES shall improve the validation methods of PES in their use for safety functions both in EN 954 and in IEC 62061.

6.2.            Contribution of STSARCES to IEC 62061

Works to develop the standard IEC 62061 “Safety of Machinery-Functional Safety of Electrical, Electronic and Programmable control systems for Machinery” were initiated on March 1998 by the working group TC 44 WG7.

A first CD version is foreseen for the second half of year 2000, one year later than expected. This delay is largely due to difficulties in the interpretation of the IEC 61508 standard by persons not familiar with its concepts, and also in the necessity to take into account both standardsat the same time, like IEC 61508 ( probabilistic approach for CES devices) and EN 954 (deterministic approach for all types of technologies).

The purpose of the work is to develop a sector standard for machines, guided by the basic safety publication IEC 61508. This standard will define a hierarchy of safety performance levels by :

  • Adapting the requirements of IEC 61508 to suit established principles of risk assessement and safety integration of machinery ; and
  • Defining the methodology for the implementation of EN 954 within the hierarchy of performance levels.

This standard is intended for use by :

  • The suppliers of machines, to enable the specification of the relevant safety-related performance levels of electrical, electronic and programmable control systems used on a machine ; and
  • The designers and integrators of such systems, to enable them to meet the specified performance levels.

Until now the work is aiming at specifying a methodology for the integration of components (already certified previously) in order to develop safe control systems for machines. Requirements applied to components (e.g., safety light curtain) are those in the IEC 61508.

Results of STSARCES are again valuable here, when one considers problems raised by the integrated use of concepts derived both from IEC 61508 and from EN 954.

A part of the WP4 results (a study of the links and divergences between IEC 61508 and EN 954, HSE, WP4 Task 1) were transferred with the agreement of the STSARCES Steering Committee to the standardisation group as soon as on September 1999 to help solving the adaptation of the safety performance requirements of EN 954 within the overall functional safety philosophy of IEC 61508.

More recently on January 2000, a draft of WP report on Software aspects (Software quality and safety requirements, INRS, WP1.2, Aspect 1) was transferred to the working group with the intention to introduce the results as an annex of the standard, to the attention of designers of the embedded software used in the machinery.

6.3.            Experience exchange between partners for validation of complex electronic systems for machinery

The management structure of the Project has deeply favoured communications between laboratories located in different countries. Some of them were having different levels of experience and also their industrial culture was not exactly the same. Furthermore it is well known that many manufacturers of safety devices are located also in these countries where are installed the major machines suppliers, as Germany for example. Participation of at least one German partner in almost any Task of the project was of a great benefit.

Apart from the main meetings in the course of the Project (the periodic six monthly meetings of the Steering Committee and the plenary yearly meetings) the organisation based on Work-Packages - WPs - with each of them under the responsibility of a WP manager, has induced thematic technical meetings with an in-depth investigation of specific problems and extensive exchange of experience during the visits of laboratories and installations :

  • in BILBAO, MUNICH, TAMPERE for the WP 3 group headed by VTT although the distances had been a cause of important expenses. Because of some common points of interest, other partners had also to visit CNVM in Spain, like INRS (WP1 manager).
  • in BONN in Germany and BORAS in Sweden for the WP 2 group headed by BIA.
  • in NANCY and PARIS for the WP 1 group headed by INRS.
  • in GRENOBLE at the JAY firm with INERIS within theWP 5 on innovative studies by the manufacturers and with INRS to validate the content of WP 1.2, aspects 1 and 2.

Due to the reduced funding possibilities for so many travels, good use was made of other opportunities allowing for short meetings, like the participation of several partners in Technical Committees for standardisation (CEN TC 114, IEC TC 44) or attendance to conferences.

Connections between Test-Houses and manufacturers have been difficult to maintain constant in time during the whole duration of the project.

In the first year, it appeared that a SME, well known on the market as a designer of innovative devices, could not allocate any availability of its expert persons to the Project because commercial problems had occur on a leading product which had to be re-designed. As it was an associated partner to a main contractor, the consortium had to find another solutions to validate as realistically as possible the analysis and testing procedures developed by the Test-House.

Another difficulty arose with a second manufacturer involved in the project, also due to commercial problems, but consequences on the programme could be reduced and the partner could participate to the final validation of the results.

6.4.            Validation of the project by external manufacturers

A special seminar with manufacturers of safety related systems, not directly involved in the project, to inform them of the results and to improve the intelligibility of the final report presentation, was programmed near the end of the project.

In order to ensure the largest international attendance to such an event, this seminar was integrated to the most significant international conference organized on late 1999 on occupational safety, the MONTREAL International Conference on Safety of Industrial Automated Systems, 4-7 October 1999. This was made possible thanks to the Conference Scientific Committee, which included BIA, HSE and INRS, members of the STSARCES Steering Committee, and IRSST, the organizing Institution.

Five papers on the STSARCES results were presented by their authors in plenary sessions (an overview by the coordinator, and four technical reports on each work-package). Since the corresponding session chairmen were INERIS, BIA, HSE and INRS, the discussions could easily be oriented to sense the acceptance of STSARCES results by the attending manufacturers.

Finally, discussions could follow in a more informal manner after the sessions since a lot of them had their own stands in the exhibition installed at the same place. It was agreed that this lifecycle approach was well received, but a big concern was expressed on the need for a more in-depthcollaboration between certification bodies and manufacturers in the near future, from the design stage until the final tests in vue of issuing a conformance certificate. There was a similar wish expressed by the Test-Houses for a deeper collaboration, extended through the whole "certification process" cycle.

[1] Validation is the activity of demonstrating that the safety-related parts of the control system under consideration, before or after installation, meets in all respects the safety and functional performance requirements specified for that safety-related control system.

[2] These requirements are not unique to the software life cycle and can therefore be applied to the design of the different sub-assemblies of an CES.

[3] For machinery normally only a few digital sensors like switches are used. Monitoring of the drive is also done by digital signals. Thus a 100% diagnostic coverage is possible.

[4] “high” replaces the misleading “mandatory” used in tables in existing standards, e. g. in the standard IEC 61508.

[5] A photoelectric system is colloquially referred to as a photoelectric guard, despite the fact that it does not prevent access to the danger area, and sometimes as an intangible guard. A more accurate term is an Active Opto-electronic Protective Device (AOPD). However, as the term photoelectric guard is more commonly used and understood this term will be used throughout this document.

[6] Although the standard clearly states otherwise, it appears inconceivable that the hierarchy was not developed on the basis that a monotonic relationship exists between the integrity of the safety related parts and the Category.


[i]       DIN V VDE 0801/01.90 and A1/10.94 : Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben und Änderung A1.

[ii]      EN 954-1 (1996) : Safety of machinery - Safety-related Parts of control systems (Identical with ISO/IEC DIS 13849-1).

[iii]      IEC 61508 : Functional Safety-Related-Systems: Part 1 : General Requirements; Part 2 : Requirements for electrical, electronic, programmable electronic systems; Part 3 : Software Requirements; Part 4 : Definitions and abbreviations of terms; Part 5 : Guidelines for the application of part 1; Part 6 : Guidelines for the application of part 2 and 3; Part 7 : Bibliography of techniques and measures.

[iv]     DIN V 19250: Leittechnik. Grundlegende Sicherheitsbetrachtungen für MSR-Schutzein-richtungen. Beuth-Verlag, Berlin 1994.

[v]      Reinert, D.; T. Bömer : Modern Sensors as protective devices for the safety of machinery. Proceedings Volume 1 : 3rd Eurolab Symposium 5-7.6.1996 Berlin. Testing and Analysis for Industrial Competitiveness and sustainable Development. Wirtschaftsverlag NW. Bremerhaven 1996, pp. 215-224.

[vi]     Reinert, D.; Schaefer, M.: Integrated safety in flexible manufacturing systems. In R.D. Schraft, G. Brandenburg, & W. Leidig, (Eds.), Tagungsband SPS/IPC/DRIVES98 (pp. 305-314). Heidelberg, Germany: Hüthig-Verlag 1998.

[vii]     Reinert, D. et al : Validation of functional safety of programmable electronic systems according to IEC 1508. Preprints of the 5th International Working Con­ference on Dependable Computing for Critical Applications, Sept. 27-29, 1995.

[viii]    EN 1050 Sécurité des machines. Principes pour l’appréciation du risque. (Machine safety. Risk appreciation principles). 1997-01.

[ix]     FARADIP.THREE (Failure Rate and Failure Mode Data Bank and Failure Mode and Effect Analysis Package). Technis, Tonbridge, Kent UK 1997.

[x]      SN 29500 Failure Rates of Components, Part 1 – 7, Part 9 – 10. Siemens AG, ZT TN Corporate Functions Technical Regulation and Standardization, Munich and Erlangen 1982 – 1999.



[xiii]    ARE COMPONENTS STILL THE MAJOR PROBLEM: A REVIEW OF ELECTRONIC SYSTEM AND DEVICE FIELD FAILURE RETURNS. Pecht M., Ramappan V. IEEE transactions on components, hybrids, ... - vol.15 - No. 6 - Dec. 1992 - pp. 1160, 1164.

[xiv]    A STUDY OF FAILURES BASED ON U.S. POWER REACTOR ABNORMAL OCCURRENCE REPORTS. Taylor J. R. Reliability of nuclear power plant - IAEA-SM-195/16 – 1975.

[xv]     DEFAILLANCES DEPENDANTES ET DE CAUSE COMMUNE. Villemeur A. Sûreté de fonctionnement des systèmes industriels. Ed. Eyrolles, 1988, pp. 371, 410.


[xvii]    Method for performing diversity and defense-in-depth analyses of reactor protection systems Preckshot G.G. Fission Energy and Systems Safety Program, Rapport UCRL-ID-119239, Dec 1994.

[xviii]   HANDBOOK OF SOFTWARE RELIABILITY ENGINEERING Lyu M.R. Computing Mac Graw-Hill/IEEE Computer Society Press, 1995.

[xix]    Analysis of faults in a n-version software experiment: Brilliant S.S., Knight J.C., Leveson N.G. IEEE Transactions on software engineering, Vol. 16, N°2, Feb. 1990, pp 238, 247.

[xx]     An experimental evaluation of the assumption of independance in multiversion software: Knight J.C., Leveson N.G. IEEE Transactions on software engineering, Vol. 12, N°1, Jan. 1986, pp 96, 109.

[xxi]    A theorical basis of multiversions software subject to coincident errors: Eckhardt D.E., Lee L.D. IEEE Transactions on software engineering, Vol. 11, N°12, Dec. 1985, pp 1511, 1517.

[xxii]    An experimental evaluation of software redundancy as a strategy for improving reliability: Eckhardt D.E., Caglayan A.K., McAllister D.F., Vouk M.A., Kelly J.P.J. IEEE Transactions on software engineering, Vol. 17, N°7, July 1991, pp 692, 702.