Anomaly between BS62061 and 61508

I am designing a control system for a very big, heavy door which has the capability to crush a person, potentially to death, although this is extremely unlikely. In determining the SIL requirement for the system using BS61508-5 I get the following:

Looking at Table E.1 I can derive a qualitative assessment:

Consequence – Serious permanent injury to one or more persons; death to one person – C2
Frequency of exposure – Rare to more often exposure in the hazard zone – F1
Probability of avoiding the hazard – Possible under certain conditions – P1
Probability of the unwanted event – A slight probability – W2

Looking at Figure E.2 this equates to ‘a’ = “No special safety requirements”.

However, if I use BS62061, looking at Table A.1 I find “Irreversible: death, losing an eye or arm”, Severity Se = 4; then I go to Table A.6 and, irrespective of any other criteria, it demands a minimum of SIL2.

The question is, why is there such a disparity? And which is correct?

Thank you,

Rob


  • Robert,

    Just a few thoughts...

    In the context of UK health and safety law neither path that you describe is, on its own, entirely credible in my view.

    The qualitative approach really requires a multidisciplinary risk and hazard assessment (e.g. HAZOP review) with all the relevant stakeholders, including representatives of the operations and maintenance staff, that is both consistent with the relevant HSE risk assessment guidelines and the ALARP principle.

    http://www.hse.gov.uk/risk/index.htm

    http://www.hse.gov.uk/risk/resources.htm

    There are a lot of inter-disciplinary and multi-disciplinary things to think about before applying the relevant quantitative and qualitative disciplinary safety standards to your design.

    Below is a link to an unfortunate and sad example of a crush accident that happened in the process of operating a crane, which the HSE investigated and prosecuted.

    Do you think it possible to prevent accidents such as this one by following just the narrow disciplinary methodologies you have outlined?

    Jaguar Land Rover in court over Halewood death (11 September 2015)

    http://press.hse.gov.uk/2015/jaguar-land-rover-in-court-over-halewood-death/

    [You may counter that the example of operating a crane is different and complex compared with operating your door, but you have not told the reader whether or not there is more than one way or mode of operating the door, or indeed if extra modes of operation exist for maintaining the door. You have not told us about operator and maintenance training requirements; the practicality and feasibility of incorporating a fully interlocked human exclusion area around the hazardous crush zone whilst the door is operating (ALARP); the frequency at which the door must open and close (operations per day/hour); the hazards associated with maintaining the equipment; whether or not untrained and inexperienced staff will be in the area when the door is operating; the potential for noise and other distractions leading to operator mistakes, etc.]

    Please don't fall into the trap of trying to solve multi-disciplinary problems solely from within the framework of a single way of thinking.

    James
  • Thank you for the two responses; however, the question still remains.

    The question is, why is there such a disparity between the two?

    A hazard is a hazard whether it is from a machine (62061) or a process (61508), and the end result is the same, so why should two standards evaluate the risk reduction requirement so markedly differently? It is effectively placing a significantly different importance on the outcome.

    Why is BS62061 less tolerant than BS61508? What is different in the 62061 standard that demands SIL2 for a single death, however improbable? ISO13849 is more aligned with 61508 in that aspect.

    We have done a risk assessment (BS12100) and we think the risk is tolerable, especially when considering other mitigating measures including human factors (HEART and TESEO); however, we can't comply with BS62061 unless we design and substantiate to SIL2.

  • I'm sorry I can't answer your question directly, but have you looked at BS EN 12453, which is a (C?) standard for power operated doors? The current version is a bit out of date but there is a new version out for comment.

    Andrew
  • Thank you Andrew, yes I have that; it does actually state that with a hold-to-run function, with trained users and no public present, no further safety measures are required!

  • Thanks Robert,

    All the overlapping standards in the realm of machine safety, system safety etc. do not seem to obey a basic stipulation of BS0, the standard for standards (section 5.2), that when a person or organisation proposes a new standard it should not conflict with a previously existing standard. Since the standards bodies don't even try to obey this rule in this area, and then compound this error by having no published mechanism for resolving conflicts (because by definition they don't exist), what hope is there for the rest of us?

    http://www.iso.org/sites/PEG/docs/PEG%20Documents/04_bs02011.pdf

    As far as I can gather (in terms of what is written down only), if there is a conflict you must refer back to BS0 and attempt to argue that the earlier of the two standards holds precedence when two standards conflict. This is not satisfactory in my view.

    BSI has confirmed to me that they have no published mechanism for handling conflicts between standards. If they did, the procedure would depend to some extent on whether one or both of the standards originated in Europe.

    All I can suggest is that you contact knowledgecentre@bsigroup.com, detail the conflict that exists between the two standards, and see what happens.

    James
  • Rob,

    Interesting. I've looked at this a few times and not spotted the anomaly. But go with the advice of Rob and the HSE guidance on the duty of the designer and installer to remove danger.

    Good find though,

    Steve
  • Robert,

    I agree with Paul and I would think 62061 would be the correct B standard to apply (or possibly 13849) as this application is 'high demand'. Once you have determined your PL or SIL level you could use a dedicated 'hold to run' safety relay, or a small safety PLC if the application is more complex.

    Andrew
  • As I said before, we have done a risk assessment (BS12100) and we can conclude the risk is tolerable, especially when considering other mitigating measures including human factors (HEART and TESEO); however, we can't comply with BS62061 unless we design and substantiate to SIL2, which involves a significant and, in my opinion, unnecessary cost burden.
  • I have an answer to my own question that may be useful to others. I got it from a Research Report (216) published by the HSE entitled "A methodology for the assignment of safety integrity levels (SILs) to safety-related control functions implemented by safety-related electrical, electronic and programmable electronic control systems of machines".

    Other sectors are primarily concerned with the control of overall risk from the process under control; process risks often use multiple layers of independent protection. This is not the case for machinery, where safety generally relies on a single measure.

    Many machine types are series produced and distributed across the world. The distance and restricted cost bias against a close supplier-user relationship and tend to restrict supplier involvement to the early stages of the product lifecycle. Conversely, machine maintenance, repair and modification activities are conducted in the context of limited understanding of the safety design. This situation is reflected in standard practice for implementing protective measures and their functional safety performance. Thus the SIL2.

    Rob