From risks to requirements: Comparing the assignment of functional safety requirements

Risks are categorized, e.g. to prioritize them and to select safety systems and devices with adequate safety properties. A functional safety level that is too high causes exaggerated costs, since more components and validation resources are required to reach a higher level of safety. A functional safety level that is too low leads to inadequate safety requirements and an increase in the risk of accidents. A questionnaire was conducted of the machinery sector to find out which methods were applied in risk assessment and about the functional safety SIL/PL assignment process in the machinery sector. The ISO 13849-1 method is the most common, but the IEC 62061 method is also applied. A round robin test was conducted to compare and check how well the methods matched each other. The assessors estimated the parameters of the risks and assigned the required SIL (Safety Integrity Level) and PL (Performance Level). Nine cases related to mobile work machines and nine cases to industrial robots were used in the experiment. There were 19 assessors in the mobile work machine experiment and 17 in the robot experiment. For each mobile work machine case there was also a standard example that resembled the test case, making it possible to compare the results with the standards. The study shows that in most cases the results correspond to each other, though there are some exceptions. The IEC 62061 method rarely results in SIL 1 but instead in SIL 0 or SIL 2. The IEC 62061 and ISO 13849-1 methods both result in at least a moderate risk level if the severity parameter is high, whereas some other standards (related to the vehicles) clearly drop the risk level if the probability parameter is low or the controllability good. The next ISO 13849-1 (2016), will have also probability parameter, which enables in this case low risk level. An Excel tool was presented to fine-tune the risk levels by applying the risk matrix. The aim was to calibrate the risk levels to match the case better without changing the parameters. Thus, the new risk levels were presented immediately according to the defined risk matrix.